-rw-r--r-- docs/_static/images/sticky-connections.jpg bin 0 -> 22252 bytes
-rw-r--r-- docs/interfaces/tunnel.rst 41
-rw-r--r-- docs/load-balancing.rst 6
3 files changed, 47 insertions, 0 deletions
diff --git a/docs/_static/images/sticky-connections.jpg b/docs/_static/images/sticky-connections.jpg
new file mode 100644
index 00000000..25fd72a9
--- /dev/null
+++ b/docs/_static/images/sticky-connections.jpg
Binary files differ
diff --git a/docs/interfaces/tunnel.rst b/docs/interfaces/tunnel.rst
index da452a8b..43c217a0 100644
--- a/docs/interfaces/tunnel.rst
+++ b/docs/interfaces/tunnel.rst
@@ -112,6 +112,47 @@ The Cisco router defaults to 'gre ip' otherwise it would have to be configured a
tunnel source 203.0.113.10
tunnel destination 198.51.100.2
+
+Tunnel keys
+^^^^^^^^^^^
+
+GRE is also the only classic protocol that allows creating multiple tunnels with the same source and destination due to its support for tunnel keys. Despite its name, this feature has nothing to do with security: it's simply an identifier that allows routers to tell one tunnel from another.
+
+An example:
+
+.. code-block:: none
+
+ set interfaces tunnel tun0 local-ip 192.0.2.10
+ set interfaces tunnel tun0 remote-ip 192.0.2.20
+ set interfaces tunnel tun0 address 10.40.50.60/24
+ set interfaces tunnel tun0 parameters ip key 10
+
+.. code-block:: none
+
+ set interfaces tunnel tun0 local-ip 192.0.2.10
+ set interfaces tunnel tun0 remote-ip 192.0.2.20
+ set interfaces tunnel tun0 address 172.16.17.18/24
+ set interfaces tunnel tun0 parameters ip key 20
+
+
+GRE-Bridge
+^^^^^^^^^^
+While normal GRE is for layer 3, GRE-Bridge is for layer 2. GRE-Bridge can encapsulate Ethernet frames, thus it can be bridged with other interfaces to create datalink layer segments that span multiple remote sites.
+
+Layer 2 GRE example:
+
+.. code-block:: none
+
+ set interfaces bridge br0
+ set interfaces tunnel tun0 encapsulation gre-bridge
+ set interfaces tunnel tun0 local-ip 192.0.2.10
+ set interfaces tunnel tun0 remote-ip 192.0.2.20
+ set interfaces tunnel tun0 parameters ip bridge-group bridge br0
+ set interfaces ethernet eth1 bridge-group br0
+
+As you can see, the bridge-group option for tunnels is in a rather unusual place, different from all other interfaces.
+
+
Troubleshooting
^^^^^^^^^^^^^^^
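Review bot: Both "Tunnel keys" code blocks configure tun0, so a reader who applies them in order ends up with one tunnel whose address and key were overwritten (172.16.17.18/24, key 20), not two tunnels sharing the same local-ip/remote-ip pair. The second block should use a different interface name, for example "set interfaces tunnel tun1 parameters ip key 20" and likewise for its other three lines, and a sentence between the blocks saying that they are two tunnels on the same router would make the point of the key explicit. The key examples also set no encapsulation, while the GRE-Bridge example sets "encapsulation gre-bridge"; either add the encapsulation line to the key examples or state that they rely on the default. The sentence that the key "has nothing to do with security" is worth keeping as is, since the name invites that misreading. Minor style: "GRE-Bridge" has no blank line between its underline and the first paragraph, unlike "Tunnel keys" just above it.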
diff --git a/docs/load-balancing.rst b/docs/load-balancing.rst
index 0149ac76..cae2f6a5 100644
--- a/docs/load-balancing.rst
+++ b/docs/load-balancing.rst
@@ -159,6 +159,12 @@ This works through automatically generated source NAT (SNAT) rules, these rules
Sticky Connections
------------------
+Inbound connections to a WAN interface can be improperly handled when the reply is sent back to the client.
+
+.. image:: /_static/images/sticky-connections.jpg
+ :width: 80%
+ :align: center
+
Upon reception of an incoming packet, when a response is sent, it might be desired to ensure that it leaves from the same interface as the inbound one.
This can be achieved by enabling sticky connections in the load balancing:
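Review bot: The added opening sentence under "Sticky Connections" says inbound connections "can be improperly handled" but does not say what goes wrong, so the reader has to infer it from the image and from the following paragraph. State the failure directly, i.e. that the reply may leave through a different WAN interface than the one the connection arrived on, which is what the existing text then says sticky connections prevent. The image directive also carries only :width: and :align:; add an :alt: option describing the diagram so the section still reads correctly where the JPEG is not rendered.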