On Fri, 19 Jul 2019, Ruben ON3RVH wrote:
> The ease of the IPIP tunnels using a modified RIP daemon that can easily be downloaded makes the current setup so easy to deploy and get online. Also seeing that a lot of questions coming in are from users complaining that they are not reachable to/from the internet (when they haven't set up reverse DNS) shows that even reading the wiki is too hard for some of them.
The difficulty is that one has to remind firewall vendors and open-source developers that protocols like IPIP even exist and just how large a community of potential users they are eliminating from using their software by simply not making an option available on a drop-down box (e.g. pfSense). Another way our options are limited is by not loading a kernel module in certain environments or not distributing a kernel module that supports the technology.
There is no way to "port forward" GRE or IPIP. It terminates on the edge, or it doesn't. That can be complex in today's provider networks thanks to the use of PPPoE, 802.1x, or Customer Premises Equipment (CPE) which heavily favors TCP and UDP communications into or out of a designated "DMZ" and throws away everything else. On the other hand, it's still possible to set up a VPN to a remote host and interface with the IPIP mesh there. It's not ideal, but it's a solution. As long as all the nearby sites have a route over VPN, it can work. By tuning the VPN parameters, latency can be kept down.
This may not be the time to re-engineer everything, but start the ideas now and something should be possible to start in six months.
-- Kris Kirby, KE4AHR Disinformation Architect, Systems Mangler, & Network Mismanager
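An added illustration (not part of the thread above) of why a CPE "port forward" rule cannot select GRE or IPIP traffic: the rule matches on a (protocol, port) tuple, and IP protocols 4 (IPIP) and 47 (GRE) carry no transport port fields. The packets are constructed inline with documentation addresses; the checksum is left at zero and the inner 44.x.x.x addresses are just sample values.

```python
"""Parse a raw IPv4 packet and report whether a port-based forwarder
could map it.  UDP/TCP expose ports; IPIP and GRE do not, so a CPE that
only offers "forward port N" has nothing to match on."""
import struct

IPPROTO_IPIP, IPPROTO_GRE, IPPROTO_TCP, IPPROTO_UDP = 4, 47, 6, 17
NAMES = {4: "IPIP", 47: "GRE", 6: "TCP", 17: "UDP"}


def build_ipv4(proto, src, dst, payload):
    """Minimal IPv4 header (no options, checksum left 0) plus payload."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                         64, proto, 0,
                         bytes(int(o) for o in src.split(".")),
                         bytes(int(o) for o in dst.split(".")))
    return header + payload


def classify(packet):
    """Return (protocol name, (sport, dport)) for TCP/UDP, else (name, None)."""
    ihl = (packet[0] & 0x0F) * 4      # header length in bytes
    proto = packet[9]                 # protocol byte sits at offset 9
    body = packet[ihl:]
    if proto in (IPPROTO_TCP, IPPROTO_UDP):
        sport, dport = struct.unpack("!HH", body[:4])
        return NAMES[proto], (sport, dport)
    return NAMES.get(proto, str(proto)), None


def forwardable_by_port(packet):
    """True only when a (protocol, port) forwarding rule could match."""
    return classify(packet)[1] is not None


def demo():
    """Constructed samples: plain UDP, an IPIP-encapsulated packet, a GRE one."""
    outer_src, outer_dst = "192.0.2.10", "198.51.100.1"
    udp = build_ipv4(IPPROTO_UDP, outer_src, outer_dst,
                     struct.pack("!HHHH", 1194, 1194, 8, 0))
    # IPIP payload is simply a second IPv4 packet (mesh addresses are samples)
    inner = build_ipv4(IPPROTO_UDP, "44.1.1.1", "44.2.2.2",
                       struct.pack("!HHHH", 5000, 5000, 8, 0))
    ipip = build_ipv4(IPPROTO_IPIP, outer_src, outer_dst, inner)
    # GRE base header: flags/version = 0, protocol type 0x0800 (IPv4)
    gre = build_ipv4(IPPROTO_GRE, outer_src, outer_dst,
                     struct.pack("!HH", 0, 0x0800) + inner)
    return {NAMES[p]: forwardable_by_port(pkt)
            for p, pkt in ((IPPROTO_UDP, udp), (IPPROTO_IPIP, ipip),
                           (IPPROTO_GRE, gre))}


if __name__ == "__main__":
    print(demo())
```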