FreeBSD Manual Pages


ETHERIP(4)	       FreeBSD Kernel Interfaces Manual		    ETHERIP(4)

     etherip -- EtherIP tunnel interface

     pseudo-device etherip

     The etherip interface is a pseudo-device for tunnelling Ethernet frames
     across IP[46] networks using RFC 3378 EtherIP encapsulation.

     An etherip interface can be created using the ifconfig etheripN create
     command or by setting up a hostname.if(5) configuration file for
     netstart(8).  It must be configured with the addresses used for the outer
     header.  This can be done using ifconfig(8)'s tunnel command (which uses
     the SIOCSLIFPHYADDR ioctl).

     The etherip interface must be made a member of a bridge(4).  The
     sysctl(2) variable net.inet.etherip.allow must be set to 1, unless
     ipsec(4) is being used to protect the traffic.  Ethernet frames are then
     encapsulated and sent across the network to another bridge(4), which
     decapsulates the datagram and processes the resulting Ethernet frame as
     if it had originated on a normal Ethernet interface.  This effectively
     allows a layer 2 network to be extended from one point to another,
     possibly through the Internet.  This mechanism may be used in conjunction
     with IPsec by specifying the appropriate IPsec flows between the two
     bridges.  To only protect the bridge traffic between the two bridges, the
     transport protocol 97 (etherip) selector may be used in ipsec.conf(5).
     Otherwise, the Ethernet frames will be sent in the clear between the two
     bridges.
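
     The following monitoring check is an added example, not part of the
     original manual page or of the etherip driver.  It classifies a captured
     IPv4 datagram as cleartext EtherIP (protocol 97), ESP-protected, or
     malformed, and shows which inner Ethernet fields are readable on the path
     when IPsec is not used.  The header layout is taken from RFC 3378; the
     function names, sample packets and the 192.0.2.1/198.51.100.1 addresses
     are constructed for illustration.

```python
import socket
import struct

IPPROTO_ESP = 50      # IPsec ESP
IPPROTO_ETHERIP = 97  # "transport protocol 97 (etherip)"

def classify_ipv4(packet: bytes) -> dict:
    """Say whether one IPv4 datagram carries bridge traffic in the clear."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 datagram")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IPv4 header length")
    proto, payload = packet[9], packet[ihl:]
    if proto == IPPROTO_ESP:
        return {"verdict": "protected"}
    if proto != IPPROTO_ETHERIP:
        return {"verdict": "other"}
    # RFC 3378 header: 4-bit version (must be 3) + 12 reserved bits (must be 0),
    # followed by the complete Ethernet frame (at least a 14-byte header).
    if len(payload) < 2 + 14:
        return {"verdict": "malformed", "reason": "truncated EtherIP payload"}
    (hdr,) = struct.unpack("!H", payload[:2])
    if hdr >> 12 != 3 or hdr & 0x0FFF:
        return {"verdict": "malformed", "reason": "bad EtherIP header 0x%04x" % hdr}
    dst, src, ethertype = struct.unpack("!6s6sH", payload[2:16])
    return {"verdict": "cleartext", "src_mac": src.hex(":"),
            "dst_mac": dst.hex(":"), "ethertype": ethertype}

def _ipv4(proto: int, payload: bytes) -> bytes:
    """Build a constructed IPv4 datagram (documentation addresses, checksum 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, socket.inet_aton("192.0.2.1"),
                       socket.inet_aton("198.51.100.1")) + payload

# Constructed inner frame: broadcast ARP from a locally administered MAC.
INNER = bytes.fromhex("ffffffffffff" "020000000001" "0806") + bytes(28)
SAMPLES = {
    "cleartext": _ipv4(IPPROTO_ETHERIP, b"\x30\x00" + INNER),
    "protected": _ipv4(IPPROTO_ESP, bytes(24)),
    "malformed": _ipv4(IPPROTO_ETHERIP, b"\x40\x00" + INNER),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(name, classify_ipv4(pkt))
```

     A "cleartext" verdict between the two bridge endpoints means the inner
     MAC addresses and EtherType are visible to anyone on the path.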

     Given two physically separate Ethernet networks, a bridge can be used as
     follows to make them appear as the same local area network.  If bridge1
     on network1 has the external IP address on em0, bridge2 on network2 has
     the external IP address on em0, and both bridges have em1 on their
     internal network (network1 and network2, respectively), the following
     configuration can be used to bridge network1 and network2.

     First create the bridge interface, adding the encapsulation interface and
     internal Ethernet interface to the bridge interface:

	   # ifconfig bridge0 add etherip0 add em1

     Create and configure the etherip0 interface:

	   (on bridge 1) # ifconfig etherip0 tunnel
	   (on bridge 2) # ifconfig etherip0 tunnel

     Create Security Associations (SAs) between the external IP address of
     each bridge and matching ingress flows by using the following
     ipsec.conf(5) file on bridge1:

	   esp from to spi 0x4242:0x4243 \
		   authkey file "auth1:auth2" enckey file "enc1:enc2"
	   flow esp proto etherip from to

     Now load these rules into the kernel by issuing the ipsecctl(8) command:

	   # ipsecctl -f ipsec.conf

     Appropriate ipsec.conf(5) for bridge2:

	   esp from to spi 0x4243:0x4242 \
		   authkey file "auth2:auth1" enckey file "enc2:enc1"
	   flow esp proto etherip from to

     And load them:

	   # ipsecctl -f ipsec.conf

     To use dynamic (as opposed to static) keying, use this ipsec.conf(5) on

	   ike esp proto etherip from to

     And on bridge2:

	   ike esp proto etherip from to

     Bring up the internal interface (if not already up) and encapsulation in-

	   # ifconfig em1 up
	   # ifconfig etherip0 up

     Finally, bring the bridge interface up and allow it to start processing

	   # ifconfig bridge0 up

     The internal interface on each bridge need not have an IP address: the
     bridge can function without it.

     Note:  It is possible to put the above commands in the hostname.if(5)
     files, using the `!' operator.

     sysctl(2), bridge(4), inet(4), inet6(4), ipsec(4), hostname.if(5),
     ifconfig(8), netstart(8)

     R. Housley and S. Hollenbeck, EtherIP: Tunneling Ethernet Frames in IP
     Datagrams, RFC 3378, September 2002.

     The etherip device first appeared in OpenBSD 5.9.

     The etherip driver was written by Kazuya Goda <>.

FreeBSD	13.0		       January 12, 2018			  FreeBSD 13.0
