Can't ping past Vlan over GRE!

nbeacham · September 17, 2015, 2:34pm

I have a setup where I’m managing some devices behind a GRE IPSEC tunnel. I can ping the VLAN interface itself, but anything behind it I can’t ping. I’ve pasted in my scrubbed config below. Any assistance would help.

set [ find default-name=ether1 ] comment="Springs @ Estero"
set [ find default-name=ether3 ] comment="WAN to T3"
/interface gre
add !keepalive local-address=68.x.x.6 name=gre-tun1-sae remote-address=\
    207.x.x.9
/ip neighbor discovery
set ether1 comment="LAN"
set ether3 comment="WAN"
/interface vlan
add comment=S@E-Management interface=ether1 l2mtu=1576 name=VID10 vlan-id=10
add comment=S@E-Customer-Hotspot interface=ether1 l2mtu=1576 name=VID100 \
    vlan-id=100
add comment=S@E-Clubhouse interface=ether1 l2mtu=1576 name=VID200 vlan-id=200
/ip neighbor discovery
set VID10 comment=S@E-Management
set VID100 comment=S@E-Customer-Hotspot
set VID200 comment=S@E-Clubhouse
/ip hotspot profile
set [ find default=yes ] login-by=mac
/ip hotspot user profile
add name=10/10 rate-limit=10240K/10240K
add name=20/20 rate-limit=20480K/20480K
add name=5/5 rate-limit=5120K/5120K
add name=15/15 rate-limit=15360K/15360K
add name=50/20 rate-limit=20480K/50000K
add name=100/50 rate-limit=50000K/100000K
/ip pool
add name=S@E ranges=10.0.100.2-10.0.101.254
add name=S@E-Clubhouse ranges=192.168.20.2-192.168.20.254
/ip dhcp-server
add address-pool=S@E disabled=no interface=VID100 lease-time=1h name=S@E
add address-pool=S@E-Clubhouse disabled=no interface=VID200 lease-time=3d name=\
    S@E-Clubhouse
/ip hotspot
add address-pool=S@E addresses-per-mac=1 disabled=no interface=VID100 name=S@E
/port
set 0 name=serial0
set 1 name=serial1
/queue type
add kind=pcq name=PCQ_Download pcq-classifier=dst-address \
    pcq-dst-address6-mask=64 pcq-rate=100M pcq-src-address6-mask=64
add kind=pcq name=PCQ_Upload pcq-classifier=src-address,dst-address \
    pcq-dst-address6-mask=64 pcq-rate=100M pcq-src-address6-mask=64
/queue simple
add name=queue1 queue=PCQ_Upload/PCQ_Download target=192.168.20.0/24
/snmp community
set [ find default=yes ] name=lookatit write-access=yes
/ip address
add address=68.x.x.6/30 comment=WAN interface=ether3 network=68.x.x.4
add address=68.x.x.1/27 comment="S@E NAT" interface=ether3 network=\
    68.68.213.0
add address=10.0.100.1/23 comment="S@E Customer" interface=VID100 network=\
    10.0.100.0
add address=192.168.20.1/24 comment="S@E CLubhouse" interface=VID200 network=\
    192.168.20.0
add address=172.17.255.253/30 interface=gre-tun1-sae network=172.17.255.252
add address=172.17.0.1/24 interface=VID10 network=172.17.0.0
/ip dhcp-server network
add address=10.0.100.0/23 comment="hotspot network" gateway=10.0.100.1
add address=192.168.20.0/24 gateway=192.168.20.1
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip firewall address-list
add address=207.x.x.0 list=Support
add address=172.17.0.0/16 list=Support
add address=207.x.x.3 comment=CDG list=Support
add address=0.0.0.0/8 comment="Self-Identification [RFC 3330]" list=bogons
add address=127.0.0.0/16 comment="Loopback [RFC 3330]" list=bogons
add address=169.254.0.0/16 comment="Link Local [RFC 3330]" list=bogons
add address=192.0.2.0/24 comment="Reserved - IANA - TestNet1" list=bogons
add address=192.88.99.0/24 comment="6to4 Relay Anycast [RFC 3068]" list=bogons
add address=198.18.0.0/15 comment="NIDB Testing" list=bogons
add address=198.51.100.0/24 comment="Reserved - IANA - TestNet2" list=bogons
add address=203.0.113.0/24 comment="Reserved - IANA - TestNet3" list=bogons
add address=224.0.0.0/4 comment=\
    "MC, Class D, IANA # Check if you need this subnet before enable it" \
    disabled=yes list=bogon
add address=207.x.x.9 list=Support
add address=207.x.x.5 comment=Observium list=support
add address=207.x.x.5 list=Support
/ip firewall filter
add chain=input src-address-list=Support
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" \
    disabled=yes
add action=add-src-to-address-list address-list=Syn_Flooder \
    address-list-timeout=30m chain=input comment="Add Syn Flood IP to the list" \
    connection-limit=30,32 protocol=tcp tcp-flags=syn
add action=drop chain=input comment="Drop to syn flood list" src-address-list=\
    Syn_Flooder
add action=add-src-to-address-list address-list=Port_Scanner \
    address-list-timeout=1w chain=input comment="Port Scanner Detect" protocol=\
    tcp psd=21,3s,3,1
add action=drop chain=input comment="Drop to port scan list" src-address-list=\
    Port_Scanner
add action=jump chain=input comment="Jump for icmp input flow" jump-target=ICMP \
    protocol=icmp
add action=drop chain=input comment="Block all access to the winbox - except to \
    support list # DO NOT ENABLE THIS RULE BEFORE ADD YOUR SUBNET IN THE SUPPORT\
    \_ADDRESS LIST" dst-port=8291 protocol=tcp src-address-list=!support
add action=jump chain=forward comment="Jump for icmp forward flow" jump-target=\
    ICMP protocol=icmp
add action=drop chain=forward comment="Drop to bogon list" dst-address-list=\
    bogons
add action=add-src-to-address-list address-list=spammers address-list-timeout=\
    3h chain=forward comment="Add Spammers to the list for 3 hours" \
    connection-limit=30,32 dst-port=25,587 limit=30/1m,0 protocol=tcp
add action=drop chain=forward comment="Avoid spammers action" dst-port=25,587 \
    protocol=tcp src-address-list=spammers
add chain=input comment="Accept DNS - UDP" port=53 protocol=udp
add chain=input comment="Accept DNS - TCP" port=53 protocol=tcp
add chain=input comment="Accept to established connections" connection-state=\
    established
add chain=input comment="Accept to related connections" connection-state=\
    related
add chain=input comment="Full access to SUPPORT address list" src-address-list=\
    support
add chain=ICMP comment="Echo request - Avoiding Ping Flood" icmp-options=8:0 \
    limit=1,5 protocol=icmp
add action=drop chain=input comment="Drop anything else! # DO NOT ENABLE THIS RU\
    LE BEFORE YOU MAKE SURE ABOUT ALL ACCEPT RULES YOU NEED"
add chain=ICMP comment="Echo reply" icmp-options=0:0 protocol=icmp
add chain=ICMP comment="Time Exceeded" icmp-options=11:0 protocol=icmp
add chain=ICMP comment="Destination unreachable" icmp-options=3:0-1 protocol=\
    icmp
add chain=ICMP comment=PMTUD icmp-options=3:4 protocol=icmp
add action=jump chain=output comment="Jump for icmp output" jump-target=ICMP \
    protocol=icmp
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" \
    disabled=yes
add action=src-nat chain=srcnat comment="S@E NAT" src-address=10.0.100.0/23 \
    to-addresses=68.x.x.0/27
/ip hotspot user
add name=admin
/ip ipsec peer
add address=207.x.x.9/32 enc-algorithm=aes-128 nat-traversal=no
/ip ipsec policy
set 0 disabled=yes
add dst-address=172.17.255.254/32 sa-dst-address=207.x.x.9 sa-src-address=\
    68.x.x.6 src-address=172.17.255.253/32 tunnel=yes
/ip route
add distance=1 gateway=68.x.x.5
add distance=1 dst-address=207.x.x.0/32 gateway=172.17.255.254
/romon port
add disabled=no
/snmp
set enabled=yes
/system clock
set time-zone-name=America/New_York
/system identity
set name=FTMFLCCR01
/system leds
set 0 type=interface-speed
set 2 type=interface-speed
/system routerboard settings
set cpu-frequency=1200MHz memory-frequency=1066DDR protected-routerboot=\
    disabled
/tool sniffer
set file-name=GRE filter-interface=gre-tun1-sae memory-limit=1000KiB

doneware · September 17, 2015, 4:05pm

Hi,
i am just guessing from your configuration what could be on the other side of the GRE.

/ip route
add distance=1 dst-address=207.x.x.0/32 gateway=172.17.255.254

you config says, that there is only the 207.x.x.0/32 (a single host) on the other side of the GRE.
[you could have used gateway=GRE as well]

i guess there should be a lot more hosts on the other end of the GRE tunnel. so this could be one source of the problem.

you use a GRE tunnel and you use IPSEC tunnel-mode. this is not efficient. if you configure a GRE tunnel, you should use IPSEC transport mode, but not inside the tunnel, but outside, like this:

/ip ipsec policy
disable 1 //this disables your previous policy
add dst-address=207.x.x.9 sa-dst-address=207.x.x.9 sa-src-address=
68.x.x.6 src-address=68.x.x.6 tunnel=no protocol=gre

(encrypt all GRE traffic between the tunnel source and tunnel end)

the upper rule will encrypt your tunnel from the outside (e.g. all GRE encapsulated packets will receive an IPSEC encryption). then you can use simple /ip route statements to direct traffic through the tunnel as you’d do with any normal interface.

just some addition to this rule in your firewall filters:

add chain=input comment=“Accept DNS - UDP” port=53 protocol=udp
add chain=input comment=“Accept DNS - TCP” port=53 protocol=tcp
if you accidentally enable “accept remote queries” in DNS, you will be an open resolver. use input-interface checking for accepts like these. normally your DNS requests will create a connection, so the replies will be safely pass the FW if you have a permit established rule at the 1st place of the input chain.
also, UDP/123 (a.k.a NTP) can be a PITA nowadays, so unless your drop everything what’s was not permitted before, pay attention to filter incoming NTP packets. your NTP requests are however safely handled by the accept established rule.

nbeacham · September 17, 2015, 4:53pm

I changed the Tunnel but that didn’t seem to do it. I’ll have a look around, it might be in my firewall rules.

Here is one end

src-address=207.x.x.29/32 src-port=any dst-address=68.x.x.226/32 dst-port=any protocol=gre action=encrypt 
       level=require ipsec-protocols=esp tunnel=no sa-src-address=207.x.x.29 sa-dst-address=68.x.x.226 proposal=Florida 
       priority=0

And here is the other

src-address=68.x.x.226/32 src-port=any dst-address=207.x.x.29/32 dst-port=any 
       protocol=gre action=encrypt level=require ipsec-protocols=esp tunnel=no 
       sa-src-address=68.x.x.226 sa-dst-address=207.x.x.29 proposal=default priority=0

w0lt · September 17, 2015, 9:59pm

Have you tried using an EoIP connection instead of a GRE?

nbeacham · September 18, 2015, 1:26pm

While I’ve considered it, It’s not the technology we want to implement in this case.

I don’t think it’s the GRE causing the problem, I think it’s a problem with my routing or firewall. I can ping the IP address of the VLAN 10 interface, but I cannot ping PAST that. So I can ping 172.17.0.1 but I can’t ping 172.17.0.2, .1 is local to the router, .2 is a switch in VLAN 10 directly connected to Ether 1.

I know .2 is alive because I can telnet to it from the Mikrotik.