OpenBSD manual page server

Manual Page Search Parameters
EOIP(4) Device Drivers Manual EOIP(4)

eoipMikroTik Ethernet over IP tunnel network device

pseudo-device gre

The eoip interface provides tunnelling of Ethernet frames across IPv4 and IPv6 networks using the MikroTik Ethernet over IP (EoIP) encapsulation protocol.

The protocol is based on the Generic Routing and Encapsulation (GRE) protocol. GRE datagrams (IP protocol number 47) consist of a GRE header and an outer IP header for encapsulating another protocol's datagram. The GRE header specifies a version and the type of the encapsulated datagram, allowing for the tunnelling of multiple protocols. EoIP uses GRE version 1, its own protocol identifier (0x6400) for Ethernet, and has its own keepalive semantics, making it distinct from the Ethernet over GRE version 0 protocol supported by egre(4). However, it is implemented as part of the same driver providing egre(4).

Different tunnels between the same endpoints are distinguished by a 16-bit tunnel identifier field in the header.

All GRE packet processing in the system is allowed or denied by setting the net.inet.gre.allow sysctl(8) variable. To allow GRE packet processing, set net.inet.gre.allow to 1.

eoip interfaces can be created at runtime using the ifconfig eoipN create command or by setting up a hostname.if(5) configuration file for netstart(8).

For correct operation, encapsulated traffic must not be routed over the interface itself. This can be implemented by adding a distinct or a more specific route to the tunnel destination than the hosts or networks routed via the tunnel interface. Alternatively, the tunnel traffic may be configured in a separate routing table to the encapsulated traffic.

eoip interfaces support the following ioctl(2) calls for configuring tunnel options:

struct if_laddrreq *
Set the unicast IPv4 or IPv6 addresses for the encapsulating IP packets. The addresses may only be configured while the interface is down.
struct if_laddrreq *
Get the addresses used for the encapsulating IP packets.
struct ifreq *
Clear the addresses used for the encapsulating IP packets. The addresses may only be cleared while the interface is down.
struct ifreq *
Configure a virtual network identifier for use as the Tunnel Identifier. The virtual network identifier may only be configured while the interface is down. The Tunnel Identifier is a 16-bit value.
struct ifreq *
Get the virtual network identifier used in the GRE Key header.
struct ifreq *
Set the routing table the tunnel traffic operates in. The routing table may only be configured while the interface is down.
struct ifreq *
Get the routing table the tunnel traffic operates in.
struct ifreq *
Set the Time-To-Live field in IPv4 encapsulation headers, or the Hop Limit field in IPv6 encapsulation headers.
struct ifreq *
Get the value used in the Time-To-Live field in an IPv4 encapsulation header or the Hop Limit field in an IPv6 encapsulation header.
struct ifreq *
Configure whether the tunnel traffic sent by the interface can be fragmented or not. This sets the Don't Fragment (DF) bit on IPv4 packets, and disables fragmentation of IPv6 packets.
struct ifreq *
Get whether the tunnel traffic sent by the interface can be fragmented or not.
struct ifreq *
Set the priority value used in the Type of Service field in IPv4 headers, or the Traffic Class field in IPv6 headers. Values may be from 0 to 7, or IF_HDRPRIO_PACKET to specify that the current priority of a packet should be used.
struct ifreq *
Get the priority value used in the Type of Service field in IPv4 headers, or the Traffic Class field in IPv6 headers.
struct ifkalivereq *
Enable the transmission of keepalive packets to detect tunnel failure. Keepalives may only be configured while the interface is down.

Setting the keepalive period or count to 0 disables keepalives on the tunnel.

struct ifkalivereq *
Get the configuration of keepalive packets.

EoIP does not provide any integrated security features. It should only be deployed on trusted private networks, or protected with IPsec to add authentication and encryption for confidentiality. IPsec is especially recommended when transporting EoIP over the public internet.

The Packet Filter pf(4) can be used to filter tunnel traffic with endpoint policies pf.conf(5).

The Time-to-Live (TTL) value of a tunnel can be set to 1 or a low value to restrict the traffic to the local network:

# ifconfig eoipN tunnelttl 1

Host X ---- Host A ------------ tunnel ----------- MikroTik D --- Host E
               \                                      /
                \                                    /
                 +------ Host B ------ Host C ------+

On Host A (OpenBSD):

# route add default B
# ifconfig eoipN create
# ifconfig eoipN tunnel A D
# ifconfig eoipN up
# route add E D

On Host D (MikroTik):

[admin@MikroTik] > interface eoip
[admin@MikroTik] /interface eoip> add name="eoipN" \
\... local-address=D remote-address=A
[admin@MikroTik] /interface eoip> enable eoipN

egre(4), inet(4), ip(4), netintro(4), options(4), hostname.if(5), protocols(5), ifconfig(8), netstart(8), sysctl(8)

S. Hanks, T. Li, D. Farinacci, and P. Traina, Generic Routing Encapsulation (GRE), RFC 1701, October 1994.

David Gwynne <‍dlg@openbsd.org>

December 5, 2020 OpenBSD-current