Hi all!
I have Mikrotik RB2011.
I have a strange problem. I created a GRE tunnel following the manual:
On Mikrotik:
0 R name="gre-tunnel1" mtu=1476 actual-mtu=1476 local-address=HOME_IP_WAN
remote-address=OFFICE_IP_WAN dscp=0 clamp-tcp-mss=yes
dont-fragment=no
# ADDRESS NETWORK INTERFACE
0 192.168.2.1/24 192.168.2.0 GLAN1
1 172.16.10.1/30 172.16.10.0 gre-tunnel1
2 D 10.60.64.84/21 10.60.64.0 WAN1
3 D HOME_IP_WAN/32 192.168.255.254 Beeline
On FreeBSD:
gre0: flags=9051<UP,POINTOPOINT,RUNNING,LINK0,MULTICAST> metric 0 mtu 1476
tunnel inet OFFICE_IP_WAN --> HOME_IP_WAN
inet 172.16.10.2 --> 172.16.10.1 netmask 0xfffffffc
Of course, I added the routes to the remote networks:
On Mikrotik:
26 A S 192.168.18.0/24 172.16.10.2 1
On FreeBSD:
192.168.2.0 172.16.10.1 UGS 0 22 gre0
Ping works in both directions, but everything else (TCP, at least) only works from the FreeBSD network towards the Mikrotik network! (The only NAT rule below that treats TCP differently from ICMP is srcnat rule 4: it has no out-interface restriction, so it also rewrites the source of TCP from 192.168.2.0/24 entering the GRE tunnel, while ICMP passes it unchanged.)
[drema@MikroTik] > /ping 192.168.18.2
SEQ HOST SIZE TTL TIME STATUS
0 192.168.18.2 56 127 3ms
1 192.168.18.2 56 127 3ms
2 192.168.18.2 56 127 3ms
sent=3 received=3 packet-loss=0% min-rtt=3ms avg-rtt=3ms max-rtt=3ms
[root@mx:~]# ping 192.168.2.2
PING 192.168.2.2 (192.168.2.2): 56 data bytes
64 bytes from 192.168.2.2: icmp_seq=0 ttl=63 time=2.898 ms
64 bytes from 192.168.2.2: icmp_seq=1 ttl=63 time=2.802 ms
64 bytes from 192.168.2.2: icmp_seq=2 ttl=63 time=2.836 ms
64 bytes from 192.168.2.2: icmp_seq=3 ttl=63 time=2.851 ms
But:
From FreeBSD network:
[root@mx:~]# telnet 192.168.2.2 80
Trying 192.168.2.2...
Connected to 192.168.2.2.
Escape character is '^]'.
GET /
<html>
<head><title>403 Forbidden</title></head>
<body bgcolor="white">
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx</center>
</body>
</html>
Connection closed by foreign host.
From the Mikrotik network, the TCP connection never completes (it stays at "Trying..."):
root@home:~ # telnet 192.168.18.1 80
Trying 192.168.18.1...
The Mikrotik connects to the Internet through an L2TP client (the user and password values below have been masked):
[drema@MikroTik] /interface l2tp-client> pr
Flags: X - disabled, R - running
0 R name="Beeline" max-mtu=1460 max-mru=1500 mrru=disabled
connect-to=tp.internet.beeline.ru user="login" password="pass"
profile=Beeline keepalive-timeout=60 add-default-route=yes
default-route-distance=1 dial-on-demand=no allow=chap
[drema@MikroTik] /ip firewall nat> pr
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat action=masquerade out-interface=WAN1 log=no log-prefix=""
1 chain=srcnat action=masquerade out-interface=Beeline log=no log-prefix=""
2 ;;; ssh Freebsd
chain=dstnat action=dst-nat to-addresses=192.168.2.2 to-ports=22
protocol=tcp dst-address=HOME_IP_WAN dst-port=1024 log=no
log-prefix=""
3 ;;; WEB server
chain=dstnat action=dst-nat to-addresses=192.168.2.2 to-ports=80
protocol=tcp dst-address=HOME_IP_WAN dst-port=80 log=no log-prefix=""
4 chain=srcnat action=src-nat to-addresses=HOME_IP_WAN protocol=tcp
src-address=192.168.2.0/24 log=no log-prefix=""
5 X chain=dstnat action=dst-nat to-addresses=192.168.2.31 protocol=udp
dst-address=HOME_IP_WAN dst-port=3074 log=no log-prefix=""
6 X chain=dstnat action=dst-nat to-addresses=192.168.2.31 protocol=tcp
dst-address=HOME_IP_WAN dst-port=3074 log=no log-prefix=""
7 X chain=dstnat action=dst-nat to-addresses=192.168.2.31 protocol=udp
dst-address=HOME_IP_WAN dst-port=88 log=no log-prefix=""
[drema@MikroTik] /ip firewall mangle> pr
Flags: X - disabled, I - invalid, D - dynamic
0 chain=forward action=change-mss new-mss=1420 passthrough=yes
tcp-flags=syn protocol=tcp out-interface=Beeline tcp-mss=1421-65535
log=no log-prefix=""
1 chain=forward action=change-mss new-mss=1420 passthrough=yes
tcp-flags=syn protocol=tcp in-interface=Beeline tcp-mss=1421-65535
log=no log-prefix=""
[drema@MikroTik] /ip firewall filter> pr
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; Beeline IPTV
chain=input action=accept protocol=igmp in-interface=WAN1 log=no
log-prefix=""
1 ;;; Drop invalid connections
chain=input action=drop connection-state=invalid log=no log-prefix=""
2 ;;; Allow Established connections
chain=input action=accept connection-state=established log=no
log-prefix=""