EdgeRouter 6P – 12. Merging Home and Parents' Home into One LAN with an L2 VPN (L2TPv3 Bridging)

I finally did it.

The dream of every VPN fan, joining two sites at layer 2 so they form a single LAN, is now done with EdgeRouters alone, without SoftEther. After roughly three years of trial and error I can finally watch Japanese terrestrial digital TV in real time over nothing but the EdgeRouters. Well done, me. Because the inter-site traffic is carried at layer 2, Bonjour (mDNS), DLNA (SSDP) and friends all work properly across both sites.

SoftEther is amazing

If you want a safe, reliable layer-2 VPN, the easiest route with the best odds of success is SoftEther, the strongest layer-2-capable VPN around. If you have a PC at both home and your parents' house that can run SoftEther, a cascade connection between the two just works. But a real man wants to do the whole thing on the router. So I set out to do it with EdgeRouter alone, and before I knew it nearly a year had gone by.

Having confirmed with SoftEther (and two Mac minis) that terrestrial TV could be watched across the sites, I tried the two-site layer-2 connection with EdgeRouter alone, but Ethernet frames refused to flow the way I wanted. SoftEther emulates a switching hub completely, whereas the EdgeRouter bridge differs from a real switch in a number of small behaviours; it took chipping away at those differences one by one before it finally worked.

But I want to do it without SoftEther

So here is an example configuration. Anyone who bothers to read this article is probably fairly familiar with routers, and the configuration touches so many areas that I will simply post the whole configuration files. Passwords and private IP addresses are masked, but you should be able to follow the flow.

Configuration overview

Item                         Home                        Parents' home
Model                        EdgeRouter 6P               EdgeRouter 6P
Firmware                     1.10.0                      1.10.0
ISP                          Comcast                     nifty
DDNS                         XXX1.duckdns.org            XXX2.duckdns.org
WAN port                     eth0                        pppoe0
WAN MTU                      1500                        1454 (PPPoE)
WAN IP address               dynamic / DHCP              dynamic / PPPoE
LAN port                     eth2                        eth2
LAN IP address               10.0.XX1.1                  10.0.XX2.1
LAN network                  10.0.XX1.0/22               10.0.XX2.0/22
Bridge for L2TPv3            br0                         br0
Ethernet port in the bridge  eth3                        eth3
br0 IPv4 firewall            drop DHCP                   drop DHCP
br0 IPv6 firewall            drop IPv6 packets           drop IPv6 packets
GRE loopback address         192.168.111.1/32            192.168.111.2/32
GRE tunnel IP address        192.168.121.1/30            192.168.121.2/30
GRE tunnel MTU               1366                        1366
L2TPv3 loopback address      192.168.112.1/32            192.168.112.2/32
L2TPv3 tunnel IP address     none (bridged)              none (bridged)
L2TPv3 base protocol         udp                         udp
L2TPv3 UDP source port       [l2tpv3-port-1]             [l2tpv3-port-2]
L2TPv3 UDP destination port  [l2tpv3-port-2]             [l2tpv3-port-1]
L2TPv3 tunnel MTU            1300                        1300
L2TPv3 tunnel MSS            1240                        1240
IPsec tunnel 1 (GRE)         192.168.111.1 – 192.168.111.2 (Site-to-Site)
IPsec tunnel 2 (L2TPv3)      192.168.112.1 – 192.168.112.2 (Site-to-Site)
QoS                          Smart Queue                 Smart Queue
QoS WAN                      eth0                        pppoe0
QoS upload                   10 Mbps                     70 Mbps
QoS download                 250 Mbps                    70 Mbps
Offload                      off                         off
DNS 1                        [comcast-dns-1]             [nifty-dns-1]
DNS 2                        [comcast-dns-2]             [nifty-dns-2]
Backup DNS 1                 [public-dns-1]              [public-dns-1]
Backup DNS 2                 [public-dns-2]              [public-dns-2]

My calculation put the L2TPv3 MTU at 1336 or below. Here I set it more conservatively to 1300, and the MSS even more conservatively to 1240.
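As an added worked example (not code from the original post or from EdgeOS), here is a Python calculator that stacks the per-layer overheads of this design, a bridged Ethernet frame inside L2TPv3-over-UDP inside IPsec ESP tunnel mode, under the 1454-byte PPPoE link MTU, and shows the range the real limit falls in depending on the negotiated ESP proposal and on whether NAT-T is in use, which is why a fixed 1300/1240 leaves a sensible margin. The header sizes, the assumption of no L2TPv3 cookie or VLAN tag, and the two cipher suites taken from the ESP-1 proposals are my assumptions, not the author's own calculation.

```python
"""Per-layer overhead calculator for an L2TPv3-over-IPsec layer-2 bridge.

Added example, not code from the original post or from EdgeOS. Header sizes
come from RFC 4303 (ESP), RFC 3948 (NAT-T UDP encapsulation) and RFC 3931
(L2TPv3 over UDP); the cipher suites mirror the ESP-1 proposals on the page.
Assumptions: no L2TPv3 cookie, no 802.1Q tag inside the tunnel, no IP options.
"""
from dataclasses import dataclass

ETH_HDR = 14           # Ethernet II header of the bridged frame (no 802.1Q tag)
IPV4_HDR = 20          # IPv4 header without options
UDP_HDR = 8
TCP_HDR = 20
L2TPV3_UDP_HDR = 8     # flags/version + reserved (4) + session ID (4)
ESP_HDR = 8            # SPI (4) + sequence number (4)
ESP_TRAILER = 2        # pad length (1) + next header (1); pad bytes counted separately
PPPOE_LINK_MTU = 1454  # the smaller of the two WAN MTUs on the page (PPPoE side)


@dataclass(frozen=True)
class EspSuite:
    """CBC cipher plus truncated HMAC, as in the page's esp-group ESP-1."""
    name: str
    iv_len: int    # CBC IV length equals the cipher block size
    block: int     # payload + padding + trailer is padded to a multiple of this
    icv_len: int   # truncated HMAC length (96 bits for both SHA1 and MD5)


AES256_SHA1 = EspSuite("aes256/sha1", iv_len=16, block=16, icv_len=12)  # proposal 1
TRIPLE_DES_MD5 = EspSuite("3des/md5", iv_len=8, block=8, icv_len=12)    # proposal 2


def esp_tunnel_inner_max(link_mtu: int, suite: EspSuite, nat_t: bool) -> int:
    """Largest inner IP packet that fits one unfragmented ESP tunnel-mode datagram.

    Remove the fixed outer overhead (outer IPv4, optional NAT-T UDP, ESP header,
    IV, ICV), round the remaining area down to the cipher block size (that area
    holds payload + padding + trailer), then drop the two trailer bytes.
    """
    fixed = IPV4_HDR + (UDP_HDR if nat_t else 0) + ESP_HDR + suite.iv_len + suite.icv_len
    room = link_mtu - fixed
    aligned = room - (room % suite.block)
    return aligned - ESP_TRAILER


def l2tpv3_bridge_mtu(link_mtu: int, suite: EspSuite, nat_t: bool, cookie_len: int = 0) -> int:
    """MTU for l2tpeth0: the Ethernet payload that survives every encapsulation.

    Inside the ESP payload sit IPv4 + UDP + the L2TPv3 header (+ optional cookie)
    + the bridged Ethernet header; what remains is the frame payload, which is
    what Linux reports as the MTU of an l2tpeth interface.
    """
    inner_ip = esp_tunnel_inner_max(link_mtu, suite, nat_t)
    return inner_ip - IPV4_HDR - UDP_HDR - L2TPV3_UDP_HDR - cookie_len - ETH_HDR


def worst_case_bridge_mtu(link_mtu: int = PPPOE_LINK_MTU) -> int:
    """Smallest MTU over both ESP proposals, with and without NAT-T.

    The peers may negotiate either proposal and NAT-T is only used when a NAT
    is detected, so a static setting has to survive the worst combination.
    """
    return min(
        l2tpv3_bridge_mtu(link_mtu, suite, nat_t)
        for suite in (AES256_SHA1, TRIPLE_DES_MD5)
        for nat_t in (False, True)
    )


def tcp_mss_for(mtu: int) -> int:
    """Largest TCP payload that fits an IPv4 packet of the given MTU."""
    return mtu - IPV4_HDR - TCP_HDR


def settings_are_safe(mtu: int, mss: int, link_mtu: int = PPPOE_LINK_MTU) -> bool:
    """True if a configured MTU/MSS pair never forces fragmentation in the tunnel."""
    return mtu <= worst_case_bridge_mtu(link_mtu) and mss <= tcp_mss_for(mtu)


if __name__ == "__main__":
    for suite in (AES256_SHA1, TRIPLE_DES_MD5):
        for nat_t in (False, True):
            mtu = l2tpv3_bridge_mtu(PPPOE_LINK_MTU, suite, nat_t)
            print(f"{suite.name:12s} nat-t={nat_t!s:5s} l2tpeth0 mtu <= {mtu}  mss <= {tcp_mss_for(mtu)}")
    print("page settings 1300/1240 safe:", settings_are_safe(1300, 1240))
```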

Home side (Comcast)

firewall {
    all-ping enable
    broadcast-ping disable
    group {
        address-group google-clients {
            address 10.0.XX1.XX
        }
        address-group hulu-ipset {
            description hulu.jp
        }
        address-group psstore-ipset {
            description store.playstation.com
        }
        address-group radiko-ipset {
        }
        address-group tver-ipset {
            description tver.jp
        }
    }
    ipv6-name L2v6 {
        default-action drop
    }
    ipv6-name WANv6_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action accept
            description "Allow ICMPv6"
            protocol ipv6-icmp
        }
        rule 30 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    ipv6-name WANv6_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 50 {
            action accept
            description "Allow DHCPv6"
            destination {
                port 546
            }
            protocol udp
            source {
                port 547
            }
        }
        rule 70 {
            action accept
            description "Allow IPv6 ICMP"
            protocol ipv6-icmp
        }
        rule 500 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    modify route_tunnel {
        rule 10 {
            action modify
            description radiko.jp
            destination {
                group {
                    address-group radiko-ipset
                }
            }
            modify {
                table 1
            }
        }
        rule 110 {
            action modify
            modify {
                table 1
            }
            source {
                group {
                    address-group google-clients
                }
            }
        }
        rule 520 {
            action modify
            description tver-ipset
            destination {
                group {
                    address-group tver-ipset
                }
            }
            modify {
                table 1
            }
        }
        rule 530 {
            action modify
            description psstore-ipset
            destination {
                group {
                    address-group psstore-ipset
                }
            }
            modify {
                table 1
            }
        }
        rule 550 {
            action modify
            description hulu-ipset
            destination {
                group {
                    address-group hulu-ipset
                }
            }
            modify {
                table 1
            }
        }
    }
    name L2 {
        default-action accept
        description L2_filter
        rule 1 {
            action drop
            description "Drop DHCP"
            destination {
                port 67-68
            }
            log disable
            protocol udp
        }
    }
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action accept
            description "Allow GRE"
            log disable
            protocol gre
        }
        rule 30 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 30 {
            action accept
            description "Allow L2TP"
            destination {
                port 500,1701,4500,[l2tpv3-port-1],[l2tpv3-port-2]
            }
            log disable
            protocol tcp_udp
        }
        rule 40 {
            action accept
            description "Allow ESP"
            log disable
            protocol esp
        }
        rule 50 {
            action accept
            description "Allow GRE"
            log disable
            protocol gre
        }
        rule 60 {
            action accept
            description "Allow ICMP"
            log disable
            protocol icmp
        }
        rule 70 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    options {
        mss-clamp {
            interface-type all
            mss 1240
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    bridge br0 {
        aging 300
        bridged-conntrack disable
        description Bridge
        firewall {
            in {
                ipv6-name L2v6
                name L2
            }
        }
        hello-time 2
        max-age 20
        multicast enable
        priority 32768
        promiscuous enable
        stp false
    }
    ethernet eth0 {
        address dhcp
        description Internet
        dhcp-options {
            default-route update
            default-route-distance 210
            name-server no-update
        }
        dhcpv6-pd {
            pd 0 {
                interface eth1 {
                    host-address ::1
                    prefix-id :1
                    service slaac
                }
                prefix-length /60
            }
            rapid-commit enable
        }
        duplex auto
        firewall {
            in {
                ipv6-name WANv6_IN
                name WAN_IN
            }
            local {
                ipv6-name WANv6_LOCAL
                name WAN_LOCAL
            }
        }
        poe {
            output off
        }
        speed auto
    }
    ethernet eth1 {
        address 10.1.X1.1/24
        description Local
        duplex auto
        poe {
            output off
        }
        speed auto
    }
    ethernet eth2 {
        address 10.0.XX1.1/22
        description Local
        duplex auto
        firewall {
            in {
                modify route_tunnel
            }
        }
        poe {
            output 24v
        }
        speed auto
    }
    ethernet eth3 {
        bridge-group {
            bridge br0
        }
        description Local
        duplex auto
        ip {
            enable-proxy-arp
        }
        poe {
            output off
        }
        speed auto
    }
    ethernet eth4 {
        description Local
        duplex auto
        poe {
            output off
        }
        speed auto
    }
    l2tpv3 l2tpeth0 {
        bridge-group {
            bridge br0
        }
        description "L2 Tunnel"
        destination-port [l2tpv3-port-2]
        encapsulation udp
        local-ip 192.168.112.1
        mtu 1300
        peer-session-id 200
        peer-tunnel-id 200
        remote-ip 192.168.112.2
        session-id 100
        source-port [l2tpv3-port-1]
        tunnel-id 100
    }
    loopback lo {
        address 192.168.111.1/32
        address 192.168.112.1/32
    }
    tunnel tun0 {
        address 192.168.121.1/30
        description "L3 Tunnel"
        encapsulation gre
        local-ip 192.168.111.1
        mtu 1366
        multicast enable
        remote-ip 192.168.111.2
        ttl 255
    }
}
port-forward {
    auto-firewall enable
    hairpin-nat enable
    lan-interface eth1
    lan-interface eth2
    rule 4 {
        description UNMS
        forward-to {
            address 10.0.XX1.XX
            port XXXXX
        }
        original-port XXXXX
        protocol tcp_udp
    }
    rule 5 {
        description UniFi
        forward-to {
            address 10.0.XX1.XX
            port XXXX
        }
        original-port XXXX
        protocol tcp_udp
    }
    rule 7 {
        description SoftEther
        forward-to {
            address 10.1.X1.101
            port XXXX
        }
        original-port XXXX
        protocol tcp_udp
    }
    wan-interface eth0
}
protocols {
    static {
        interface-route 10.1.X2.0/24 {
            next-hop-interface tun0 {
            }
        }
        table 1 {
            interface-route 0.0.0.0/0 {
                next-hop-interface tun0 {
                }
            }
        }
    }
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name Config {
            authoritative disable
            subnet 10.1.X1.0/24 {
                default-router 10.1.X1.1
                dns-server 10.1.X1.1
                lease 86400
                start 10.1.X1.11 {
                    stop 10.1.X1.30
                }
                static-mapping Mac-mini-LAN {
                    ip-address 10.1.X1.101
                    mac-address XX:XX:XX:XX:XX:XX
                }
            }
        }
        shared-network-name LAN {
            authoritative enable
            subnet 10.0.XX1.0/22 {
                default-router 10.0.XX1.1
                dns-server 10.0.XX1.1
                lease 86400
                start 10.0.XX1.11 {
                    stop 10.0.XX1.30
                }
                static-mapping Mac {
                    ip-address 10.0.XX1.XX
                    mac-address XX:XX:XX:XX:XX:XX
                }
            }
        }
        static-arp disable
        use-dnsmasq disable
    }
    dns {
        dynamic {
            interface eth0 {
                service custom-duckdns {
                    host-name XXX1
                    login nouser
                    password XXXXXXXX
                    protocol dyndns2
                    server www.duckdns.org
                }
            }
        }
        forwarding {
            cache-size 500
            except-interface eth0
            name-server [comcast-dns-1]
            name-server [comcast-dns-2]
            name-server [public-dns-1]
            name-server [public-dns-2]
            options strict-order
            options ipset=/tver.jp/ntv.co.jp/tv-asahi.co.jp/tbs.co.jp/fujitv.co.jp/presentcast.co.jp/brightcove.com/brightcove.net/streamhub.tv/streamhub.io/stream.ne.jp/durasite.net/ad-v.jp/interactive-circle.jp/ntvmov-elb-1535922568.ap-northeast-1.elb.amazonaws.com/tver-api-data.s3.amazonaws.com/s3-ap-northeast-1-w.amazonaws.com/e7164.g.akamaiedge.net/tver-ipset
            options server=/tver.jp/ntv.co.jp/tv-asahi.co.jp/tbs.co.jp/fujitv.co.jp/presentcast.co.jp/brightcove.com/brightcove.net/streamhub.tv/streamhub.io/stream.ne.jp/durasite.net/ad-v.jp/interactive-circle.jp/ntvmov-elb-1535922568.ap-northeast-1.elb.amazonaws.com/tver-api-data.s3.amazonaws.com/s3-ap-northeast-1-w.amazonaws.com/e7164.g.akamaiedge.net/[nifty-dns-1]
            options ipset=/playstation.com/playstation.com.edgekey.net/playstation.net.edgekey.net/playstation.net/playstation.net.edgesuite.net/d1bzh9wdftmzm0.cloudfront.net/sonycoment-1.hs.llnwd.net/us-p1-np-sn-623478034.us-west-1.elb.amazonaws.com/us-p1-np-event-844572407.us-west-1.elb.amazonaws.com/us-p1-np-commerce-1073095297.us-west-1.elb.amazonaws.com/us-p1-np-regcam-2129210197.us-west-1.elb.amazonaws.com/sonynetworkentertainment.112.2o7.net/psstore-ipset
            options server=/playstation.com/playstation.com.edgekey.net/playstation.net.edgekey.net/playstation.net/playstation.net.edgesuite.net/d1bzh9wdftmzm0.cloudfront.net/sonycoment-1.hs.llnwd.net/us-p1-np-sn-623478034.us-west-1.elb.amazonaws.com/us-p1-np-event-844572407.us-west-1.elb.amazonaws.com/us-p1-np-commerce-1073095297.us-west-1.elb.amazonaws.com/us-p1-np-regcam-2129210197.us-west-1.elb.amazonaws.com/sonynetworkentertainment.112.2o7.net/[nifty-dns-1]
            options ipset=/hulu.jp/happyon.jp/happyon.jp.edgekey.net/huluim.com/hulu.com.akadns.net/hulu.com.edgekey.net/a268.b.akamai.net/e8297.e12.akamaiedge.net/e7963.b.akamaiedge.net/e9436.b.akamaiedge.net/hulu-ipset
            options server=/hulu.jp/happyon.jp/happyon.jp.edgekey.net/huluim.com/hulu.com.akadns.net/hulu.com.edgekey.net/a268.b.akamai.net/e8297.e12.akamaiedge.net/e7963.b.akamaiedge.net/e9436.b.akamaiedge.net/[nifty-dns-1]
            options ipset=/radiko.jp/f-radiko.smartstream.ne.jp/appsflyer.com/e4805.a.akamaiedge.net/appsflyer-web-1810875176.eu-west-1.elb.amazonaws.com/appsflyer-web-2-1926050047.eu-west-1.elb.amazonaws.com/sessionstat-999713689.eu-west-1.elb.amazonaws.com/radiko-ipset
            options server=/radiko.jp/f-radiko.smartstream.ne.jp/appsflyer.com/e4805.a.akamaiedge.net/appsflyer-web-1810875176.eu-west-1.elb.amazonaws.com/appsflyer-web-2-1926050047.eu-west-1.elb.amazonaws.com/sessionstat-999713689.eu-west-1.elb.amazonaws.com/[nifty-dns-1]
        }
    }
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    nat {
        rule 5010 {
            description masquerade-for-WAN
            outbound-interface eth0
            type masquerade
        }
        rule 5011 {
            description masquerade-for-tun0
            destination {
                address !224.0.0.0-239.255.255.255
                group {
                }
            }
            log disable
            outbound-interface tun0
            protocol tcp_udp
            source {
                address 10.0.XX1.0/24
            }
            type masquerade
        }
    }
    ssh {
        allow-root
        port 22
        protocol-version v2
    }
    unms {
        connection wss://10.0.XX1.XX:XXXXX
    }
    upnp2 {
        acl {
            rule 10 {
                action deny
                description Block-port-4500
                external-port 4500
                local-port 4500
                subnet 10.0.XX1.0/22
            }
        }
        listen-on eth1
        listen-on eth2
        nat-pmp enable
        secure-mode enable
        wan eth0
    }
}
system {
    host-name router1
    login {
        user XXXXX {
            authentication {
                encrypted-password XXXXXXXX
            }
            level admin
        }
    }
    name-server 127.0.0.1
    ntp {
        server 1.ubnt.pool.ntp.org {
        }
    }
    options {
        reboot-on-panic true
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone America/Los_Angeles
    traffic-analysis {
        dpi enable
        export enable
    }
}
traffic-control {
    smart-queue QoS {
        download {
            ecn enable
            flows 1024
            fq-quantum 1514
            limit 10240
            rate 250mbit
        }
        upload {
            ecn enable
            flows 1024
            fq-quantum 1514
            limit 10240
            rate 10mbit
        }
        wan-interface eth0
    }
}
vpn {
    ipsec {
        auto-update 3600
        auto-firewall-nat-exclude enable
        esp-group ESP-1 {
            compression disable
            lifetime 1800
            mode tunnel
            pfs enable
            proposal 1 {
                encryption aes256
                hash sha1
            }
            proposal 2 {
                encryption 3des
                hash md5
            }
        }
        ike-group IKE-1 {
            ikev2-reauth no
            key-exchange ikev2
            lifetime 3600
            proposal 1 {
                dh-group 2
                encryption aes256
                hash sha1
            }
            proposal 2 {
                dh-group 2
                encryption aes128
                hash sha1
            }
        }
        ipsec-interfaces {
            interface eth0
        }
        nat-networks {
            allowed-network 0.0.0.0/0 {
                exclude 10.0.XX1.0/22
            }
        }
        nat-traversal enable
        site-to-site {
            peer XXX2.duckdns.org {
                authentication {
                    id XXX1.duckdns.org
                    mode pre-shared-secret
                    pre-shared-secret XXXXXXXX
                    remote-id XXX2.duckdns.org
                }
                connection-type initiate
                default-esp-group ESP-1
                dhcp-interface eth0
                ike-group IKE-1
                ikev2-reauth inherit
                tunnel 1 {
                    allow-nat-networks disable
                    allow-public-networks disable
                    local {
                        prefix 192.168.111.1/32
                    }
                    remote {
                        prefix 192.168.111.2/32
                    }
                }
                tunnel 2 {
                    allow-nat-networks disable
                    allow-public-networks disable
                    local {
                        prefix 192.168.112.1/32
                    }
                    remote {
                        prefix 192.168.112.2/32
                    }
                }
            }
        }
    }
    l2tp {
        remote-access {
            authentication {
                local-users {
                    username XXXXX {
                        password XXXXXXXX
                    }
                }
                mode local
            }
            client-ip-pool {
                start 10.0.XX1.141
                stop 10.0.XX1.150
            }
            dhcp-interface eth0
            dns-servers {
                server-1 10.0.XX1.1
                server-2 [comcast-dns-1]
            }
            idle 1800
            ipsec-settings {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret XXXXXXXX
                }
                ike-lifetime 3600
                lifetime 3600
            }
            mtu 1280
        }
    }
}

Parents' home side (FLET'S Hikari collaboration line)

firewall {
    all-ping enable
    broadcast-ping disable
    ipv6-name L2v6 {
        default-action drop
    }
    ipv6-name WANv6_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action accept
            description "Allow IPv6 ICMP"
            protocol ipv6-icmp
        }
        rule 30 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    ipv6-name WANv6_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 50 {
            action accept
            description "Allow DHCPv6"
            destination {
                port 546
            }
            protocol udp
            source {
                port 547
            }
        }
        rule 70 {
            action accept
            description "Allow IPv6 ICMP"
            protocol ipv6-icmp
        }
        rule 500 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name L2 {
        default-action accept
        description L2_filter
        rule 1 {
            action drop
            description "Drop DHCP"
            log disable
            protocol udp
            source {
                port 67-68
            }
        }
    }
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action accept
            description "Allow GRE"
            log disable
            protocol gre
        }
        rule 30 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 30 {
            action accept
            description "Allow L2TP"
            destination {
                port 500,1701,4500,[l2tpv3-port-1],[l2tpv3-port-2]
            }
            log disable
            protocol tcp_udp
        }
        rule 40 {
            action accept
            description "Allow ESP"
            log disable
            protocol esp
        }
        rule 50 {
            action accept
            description "Allow GRE"
            log disable
            protocol gre
        }
        rule 60 {
            action accept
            description "Allow ICMP"
            log disable
            protocol icmp
        }
        rule 70 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    options {
        mss-clamp {
            interface-type all
            mss 1240
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    bridge br0 {
        aging 300
        bridged-conntrack disable
        description Bridge
        firewall {
            in {
                ipv6-name L2v6
                name L2
            }
        }
        hello-time 2
        max-age 20
        multicast enable
        priority 32768
        promiscuous enable
        stp false
    }
    ethernet eth0 {
        description Internet
        dhcp-options {
            default-route update
            default-route-distance 210
            name-server no-update
        }
        duplex auto
        firewall {
            in {
                ipv6-name WANv6_IN
            }
            local {
                ipv6-name WANv6_LOCAL
            }
        }
        ipv6 {
            address {
                autoconf
            }
            dup-addr-detect-transmits 1
        }
        poe {
            output off
        }
        pppoe 0 {
            default-route auto
            description ISP
            firewall {
                in {
                    name WAN_IN
                }
                local {
                    name WAN_LOCAL
                }
            }
            mtu 1454
            name-server none
            password XXXXXXXXX
            user-id XXXXX
        }
        speed auto
    }
    ethernet eth1 {
        address 10.1.X2.1/24
        description Local
        duplex auto
        poe {
            output off
        }
        speed auto
    }
    ethernet eth2 {
        address 10.0.XX2.1/22
        description Local
        duplex auto
        poe {
            output off
        }
        speed auto
    }
    ethernet eth3 {
        bridge-group {
            bridge br0
        }
        description Local
        duplex auto
        ip {
            enable-proxy-arp
        }
        poe {
            output off
        }
        speed auto
    }
    ethernet eth4 {
        description Local
        duplex auto
        poe {
            output off
        }
        speed auto
    }
    l2tpv3 l2tpeth0 {
        bridge-group {
            bridge br0
        }
        description "L2 Tunnel"
        destination-port [l2tpv3-port-1]
        encapsulation udp
        local-ip 192.168.112.2
        mtu 1300
        peer-session-id 100
        peer-tunnel-id 100
        remote-ip 192.168.112.1
        session-id 200
        source-port [l2tpv3-port-2]
        tunnel-id 200
    }
    loopback lo {
        address 192.168.111.2/32
        address 192.168.112.2/32
    }
    tunnel tun0 {
        address 192.168.121.2/30
        description "L3 Tunnel"
        encapsulation gre
        local-ip 192.168.111.2
        mtu 1366
        multicast enable
        remote-ip 192.168.111.1
        ttl 255
    }
}
port-forward {
    auto-firewall enable
    hairpin-nat enable
    lan-interface eth1
    lan-interface eth2
    rule 4 {
        description SoftEther
        forward-to {
            address 10.0.XX2.104
            port XXXX
        }
        original-port XXXX
        protocol tcp_udp
    }
    wan-interface pppoe0
}
protocols {
    static {
        interface-route 10.1.X1.0/24 {
            next-hop-interface tun0 {
            }
        }
    }
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name Config {
            authoritative disable
            subnet 10.1.X2.0/24 {
                default-router 10.1.X2.1
                dns-server 10.1.X2.1
                lease 86400
                start 10.1.X2.11 {
                    stop 10.1.X2.30
                }
            }
        }
        shared-network-name LAN {
            authoritative disable
            subnet 10.0.XX2.0/22 {
                default-router 10.0.XX2.1
                dns-server 10.0.XX2.1
                lease 86400
                start 10.0.XX2.11 {
                    stop 10.0.XX2.30
                }
                static-mapping Mac-mini-LAN {
                    ip-address 10.0.XX2.104
                    mac-address XX:XX:XX:XX:XX:XX
                }
            }
        }
        static-arp disable
        use-dnsmasq disable
    }
    dns {
        dynamic {
            interface pppoe0 {
                service custom-duckdns {
                    host-name XXX2
                    login nouser
                    password XXXXXXXX
                    protocol dyndns2
                    server www.duckdns.org
                }
            }
        }
        forwarding {
            cache-size 500
            except-interface eth0
            name-server [nifty-dns-1]
            name-server [nifty-dns-2]
            name-server [public-dns-1]
            name-server [public-dns-2]
            options strict-order
        }
    }
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    nat {
        rule 5002 {
            description masquerade-for-WAN
            log disable
            outbound-interface pppoe0
            protocol all
            source {
            }
            type masquerade
        }
        rule 5003 {
            description masquerade-for-tun0
            destination {
                address !224.0.0.0-239.255.255.255
            }
            log disable
            outbound-interface tun0
            protocol tcp_udp
            source {
                address 10.0.XX2.0/24
            }
            type masquerade
        }
    }
    ssh {
        allow-root
        port 22
        protocol-version v2
    }
    unms {
        connection wss://XXX1.duckdns.org:XXXXX
    }
    upnp2 {
        acl {
            rule 10 {
                action deny
                description "Block port 4500"
                external-port 4500
                local-port 4500
                subnet 10.0.XX2.0/22
            }
        }
        listen-on eth1
        listen-on eth2
        nat-pmp enable
        secure-mode enable
        wan pppoe0
    }
}
system {
    host-name ER6-Y01
    login {
        user XXXXX {
            authentication {
                encrypted-password XXXXXXXX
            }
            level admin
        }
    }
    name-server 127.0.0.1
    ntp {
        server 1.ubnt.pool.ntp.org {
        }
    }
    options {
        reboot-on-panic true
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone Asia/Tokyo
    traffic-analysis {
        dpi enable
        export enable
    }
}
traffic-control {
    smart-queue QoS {
        download {
            ecn enable
            flows 1024
            fq-quantum 1514
            limit 10240
            rate 70mbit
        }
        upload {
            ecn enable
            flows 1024
            fq-quantum 1514
            limit 10240
            rate 70mbit
        }
        wan-interface pppoe0
    }
}
vpn {
    ipsec {
        auto-update 3600
        auto-firewall-nat-exclude enable
        esp-group ESP-1 {
            compression disable
            lifetime 1800
            mode tunnel
            pfs enable
            proposal 1 {
                encryption aes256
                hash sha1
            }
            proposal 2 {
                encryption 3des
                hash md5
            }
        }
        ike-group IKE-1 {
            ikev2-reauth no
            key-exchange ikev2
            lifetime 3600
            proposal 1 {
                dh-group 2
                encryption aes256
                hash sha1
            }
            proposal 2 {
                dh-group 2
                encryption aes128
                hash sha1
            }
        }
        ipsec-interfaces {
            interface eth0
        }
        nat-networks {
            allowed-network 0.0.0.0/0 {
                exclude 10.0.XX2.0/22
            }
        }
        nat-traversal enable
        site-to-site {
            peer XXX1.duckdns.org {
                authentication {
                    id XXX2.duckdns.org
                    mode pre-shared-secret
                    pre-shared-secret XXXXXXXX
                    remote-id XXX1.duckdns.org
                }
                connection-type initiate
                default-esp-group ESP-1
                ike-group IKE-1
                ikev2-reauth inherit
                local-address 0.0.0.0
                tunnel 1 {
                    allow-nat-networks disable
                    allow-public-networks disable
                    local {
                        prefix 192.168.111.2/32
                    }
                    remote {
                        prefix 192.168.111.1/32
                    }
                }
                tunnel 2 {
                    allow-nat-networks disable
                    allow-public-networks disable
                    local {
                        prefix 192.168.112.2/32
                    }
                    remote {
                        prefix 192.168.112.1/32
                    }
                }
            }
        }
    }
    l2tp {
        remote-access {
            authentication {
                local-users {
                    username XXXXX {
                        password XXXXXXXX
                    }
                }
                mode local
            }
            client-ip-pool {
                start 10.0.XX2.141
                stop 10.0.XX2.150
            }
            dns-servers {
                server-1 10.0.XX2.1
                server-2 [nifty-dns-1]
            }
            idle 1800
            ipsec-settings {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret XXXXXXXX
                }
                ike-lifetime 3600
                lifetime 3600
            }
            mtu 1280
            outside-address 0.0.0.0
        }
    }
}

In addition, disable IGMP snooping on the bridge (br0) at both sites.

# Log in to the EdgeRouter over SSH and enter the following command.
# tee runs under sudo, so the write to /sys succeeds; with a plain "sudo echo 0 > ..."
# the redirect would be performed by the unprivileged shell and be denied.
echo 0 | sudo tee /sys/devices/virtual/net/br0/bridge/multicast_snooping

To have this command run again after every reboot, save a script with the following contents under /config/scripts/post-config.d/ with any file name you like.

#!/bin/bash
# Scripts in /config/scripts/post-config.d/ run as root at boot, so no sudo is needed.
echo 0 > /sys/devices/virtual/net/br0/bridge/multicast_snooping

With this, the two sites stay connected at layer 2 at all times. ...That said, it takes a lot of work and the chance of making a mistake is quite high, so... my recommendation is still SoftEther, I think.
