GRE tunnel question
-
Trying to wrap my head around this, so hoping someone can help. I'm trying to set up a GRE or GIF tunnel between a pfSense firewall and a few other remote locations. I'm not sure what to use for the local and remote tunnel address. Let me explain the layout and then what I'm trying to do.
First, I have a pfSense firewall acting as a headend of sorts, terminating WireGuard VPN tunnels for site-to-site VPNs. These are working great; I have about four remote sites connecting in, I'm using /31 PTP links, and all the routing is in place. One is a UniFi USG3, the other three are EdgeRouter Lites.
They are all on residential ISPs with dynamic public IP addresses. The main pfSense has a dynamic DNS entry that is updated. WireGuard works well with this; some of the UniFi products do not like using a hostname for a remote IPsec PTP tunnel endpoint, plus I believe WG to be more performant.
pfSense LAN (172.22.1.1/24, ixl3)
USG3 LAN (10.33.14.1/24, eth1)
EdgeRouter1 LAN (172.21.91.1/24, eth1)
For the sake of brevity I'll only include one of each type of device.
pfSense tun_wg4 (opt13) 10.150.0.2/31 -> USG3 10.150.0.3/31 wg0
pfSense tun_wg6 (opt15) 10.150.0.0/31 -> ERL 10.150.0.1/31 wg0

My ultimate goal? I have a few HDHomeRun devices on my local network here: one on my LAN at 172.22.1.50 and one on another VLAN at 172.22.6.6. I can see them all locally using the UDPBroadcastRelay package. I would like to be able to open the HDHomeRun native client on an Apple TV, Nvidia Shield, Fire Stick, etc. on one of the remote networks and access these. The client opens and sends out a broadcast/multicast discovery packet to UDP 65001. Those packets on the remote networks never make it over; I'm trying to fix that.
A workaround that is functioning: the Channels app works, and it lets you specify the remote IP, which is great. The problem is some of the channels are DRM encoded and the only way I know of to view those is using the native app. Also, the native app is free; Channels is $25. Channels DVR also works, but has a monthly fee. Channels DVR is nice because you can also integrate TVE, but I'm trying to do this using all the native apps and as little extra infrastructure as possible.
So would I be able to leverage a GRE tunnel that would "see" those broadcast/multicast packets hitting something like 10.33.14.255:65001 or 255.255.255.255:65001 and re-broadcast them out on my local subnet(s) on the pfsense side?
The fact that channels app works tells me the TTL on the packets is not an issue.
-
Just want to reply here with my discoveries, to save people the hassle of attempting this only to find out it does not work. There are two types of GRE tunnels, GRETAP and GRETUN; one supports layer 2 features such as broadcast/multicast and one does not. The pfSense implementation appears to use the latter, which does not support this feature. Please see the following article, which shows the difference:
https://developers.redhat.com/blog/2019/05/17/an-introduction-to-linux-virtual-interfaces-tunnels#:~:text=While%20GRE%20tunnels%20operate%20at,header%20in%20the%20inner%20header.
You would need a local UDP relay instead (on the client side) to allow the client's broadcast messages to be relayed as unicast to a specific host. I struggled with this for Windows File Sharing (WS-Discovery) broadcast packets and ended up resorting to a script that auto-maps all network drives on successful client connection. Perhaps someone could get this working with L2TP on top of WireGuard?
https://github.com/sparky3387/automapwireguard - Shameless plug of the automap script, if someone else also needs this...
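The client-side relay the reply describes, as an added example that is not part of the thread and is not either poster's code (nor the UDPBroadcastRelay package or the automap script above): a small Python broadcast-to-unicast relay meant to run on a host in the remote LAN. It listens on UDP 65001 (the HDHomeRun discovery port named in the question), re-sends every datagram it receives as unicast to a configured list of device addresses across the tunnel, and hands each device's answer back to the client from port 65001. The target list, the payloads and the loopback demo are constructed for illustration; the HDHomeRun discovery format is not modelled, the relay treats the payload as opaque bytes; the assumption that the client accepts an answer from the relay's IP as long as it comes from port 65001 is marked in the code.

```python
"""Added example: minimal UDP broadcast-to-unicast relay for discovery traffic.

Run on the remote (client-side) LAN. A discovery datagram a client sends to
the broadcast address on UDP 65001 is received here, re-sent as unicast to
each configured device across the layer-3 tunnel, and each device's answer is
returned to the client that asked. Port 65001 comes from the thread; device
addresses, payloads and the loopback demo are constructed.
"""
import select
import socket
import time

DISCOVERY_PORT = 65001  # HDHomeRun discovery port named in the question


class BroadcastRelay:
    """Receive a discovery broadcast, fan it out as unicast, hand answers back."""

    def __init__(self, targets, listen=("0.0.0.0", DISCOVERY_PORT), ttl=30.0):
        self.targets = list(targets)   # (ip, port) of each device across the tunnel
        self.ttl = ttl                 # seconds to remember who asked
        # Receives the client's broadcast. Answers go back out of this socket so
        # the client sees them arrive from port 65001. Assumption: the client
        # does not also insist that the answer come from the device's own IP.
        self.listen_sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        self.listen_sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.listen_sock.bind(listen)
        # Talks to the devices; their replies come back on this socket.
        self.up_sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        self.up_sock.bind((listen[0], 0))
        self.pending = {}   # device addr -> (client addr, expiry); last asker wins
        self.forwarded = self.returned = self.dropped = 0

    def pump(self, timeout=1.0):
        """Service whichever sockets are readable once; True if a datagram moved."""
        ready, _, _ = select.select([self.listen_sock, self.up_sock], [], [], timeout)
        now = time.monotonic()
        moved = False
        for sock in ready:
            data, src = sock.recvfrom(65535)
            if sock is self.listen_sock:
                for tgt in self.targets:               # one broadcast -> N unicasts
                    self.up_sock.sendto(data, tgt)
                    self.pending[tgt] = (src, now + self.ttl)
                self.forwarded += 1
                moved = True
            else:
                entry = self.pending.get(src)
                if entry is None or entry[1] < now:
                    self.dropped += 1   # unsolicited or stale: never relay it inward
                    continue
                self.listen_sock.sendto(data, entry[0])
                self.returned += 1
                moved = True
        return moved

    def serve_forever(self):
        while True:
            self.pump()

    def close(self):
        self.listen_sock.close()
        self.up_sock.close()


def run_loopback_demo():
    """Constructed stand-in for the real LAN: a fake device and a client on 127.0.0.1."""
    device = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    device.bind(("127.0.0.1", 0))
    device.settimeout(2.0)
    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    client.bind(("127.0.0.1", 0))
    client.settimeout(2.0)
    relay = BroadcastRelay([device.getsockname()], listen=("127.0.0.1", 0))
    relay_port = relay.listen_sock.getsockname()[1]
    try:
        # On loopback there is no broadcast; the client's probe is a unicast to the relay.
        client.sendto(b"constructed-discovery-probe", ("127.0.0.1", relay_port))
        relay.pump(2.0)                                   # client -> relay -> device
        probe, relay_up = device.recvfrom(65535)
        device.sendto(b"constructed-device-answer", relay_up)
        relay.pump(2.0)                                   # device -> relay -> client
        answer, answer_from = client.recvfrom(65535)
        # A datagram from a host the relay never asked must not reach the client.
        client.sendto(b"constructed-unsolicited", relay_up)
        relay.pump(2.0)
        return {
            "probe": probe,
            "answer": answer,
            "answer_from_discovery_port": answer_from[1] == relay_port,
            "forwarded": relay.forwarded,
            "returned": relay.returned,
            "dropped": relay.dropped,
        }
    finally:
        device.close()
        client.close()
        relay.close()


if __name__ == "__main__":
    print(run_loopback_demo())
```

For real use, construct `BroadcastRelay([("172.22.1.50", 65001), ("172.22.6.6", 65001)])` on a Linux host in the remote LAN (a socket bound to 0.0.0.0:65001 there receives the subnet and limited broadcasts) and call `serve_forever()`. Two checks before relying on it: the relay only passes a datagram inward if it arrives from a device it just asked, so a stray host on the tunnel side cannot push answers onto the client's LAN; and the state is one asker per device, which is enough for a single TV but not for several clients probing at the same moment. If a packet capture shows the native client discarding answers because they come from the relay's IP rather than the device's, this design will not satisfy it and the source address would have to be rewritten on the router instead.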