Network layout:
  Site_A
    WAN - 1.1.1.1
    LAN - 10.10.0.0/16
    GRE (A2B) - 10.99.99.1/30
  Site_B
    WAN - 2.2.2.2
    LAN - 10.20.0.0/16
    GRE (B2A) - 10.99.99.2/30

Routing:
  Site_A
    10.99.99.0/30 > A2B
    10.20.0.0/16 > A2B
    No Mangle or NAT
  Site_B
    10.99.99.0/30 > B2A
    10.10.0.0/16 > B2A
    No Mangle or NAT
Problem:
When a connection goes across the tunnel and comes out on the other end, it shows the source as the GRE address, 10.99.99.X, not the actual address of the device that sent the connection. This is mainly affecting the VOIP Phones and logging.
Question:
What do I need to change to see the actual origin of the connections across the tunnels?
Remove the NAT that you are doing on the tunnel traffic. I.e. make sure the NAT rule you have does correctly check the outgoing interface to be the internet interface and not the tunnel.
Earlier you said you were not using NAT… I have plenty of routers that do not do any NAT, and they do not have this issue.
The default NAT rule also does not have this issue as it specifies the output interface list (WAN).
You should not make your tunnel interfaces member of that interface list!
Correct, nothing is done via NAT. The default masq rule didn't have anything listed as an output interface. Once I set the output interface to the WAN port all worked properly.
Default masq rule has “output-interface-list=NAT”.
When you do nothing with NAT, you can disable/remove the masq rule.
But I guess you mean “I’m doing nothing with NAT except what ‘everyone’ does with NAT” and in that case of course you need it, and it should be restricted in such a way that it does not NAT the tunnel traffic.
(in my case I often run routers that really do only tunneling and other direct routing, so truly no NAT anywhere in the whole box)
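To make the fix discussed in this thread concrete, here is a RouterOS CLI fragment for Site_A showing the over-broad masquerade rule next to the corrected one. It is an added example, not the posters' actual configuration; the tunnel name A2B and the addresses come from the thread, while ether1 as the WAN port and bridge as the LAN interface are assumptions.

```routeros
# Site_A, RouterOS CLI. Constructed example for this thread, not the posters' config.
# Assumed names: ether1 = WAN port, bridge = LAN interface. A2B and addresses are from the post.

/interface gre
add name=A2B local-address=1.1.1.1 remote-address=2.2.2.2

/ip address
add address=10.99.99.1/30 interface=A2B
add address=10.10.0.1/16 interface=bridge

# 10.99.99.0/30 is a connected route once the address is on A2B; only the remote LAN needs a static route.
/ip route
add dst-address=10.20.0.0/16 gateway=A2B

# Only the real internet port belongs to the WAN interface list. Never add A2B to it.
/interface list member
add list=WAN interface=ether1

# BROKEN: no out-interface restriction, so the rule also matches packets leaving via A2B.
# Site_B then sees source 10.99.99.1 instead of the phone's real 10.10.x.x address.
/ip firewall nat
add chain=srcnat action=masquerade comment="too broad - also matches tunnel traffic"

# FIXED: masquerade only when the packet really leaves through the WAN list.
/ip firewall nat
remove [find comment="too broad - also matches tunnel traffic"]
add chain=srcnat action=masquerade out-interface-list=WAN comment="masquerade to internet only"

# Check: with traffic flowing across the tunnel, the masquerade rule's counters must not move,
# and the far side's logs should show 10.10.x.x sources again.
/ip firewall nat print stats
```

If the router does no NAT at all, as the last reply describes, the masquerade rule can simply be disabled or removed instead of restricted.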