I’ve been struggling to get this to work, and hope you can offer some help.
I have a single Ethernet cable with two L3 VLANs defined, and I have confirmed layer2/3 is working as expected. I define a GRE tunnel by remote IP address, and I have created a static route for the GRE Remote via the second VLAN’s next hop address.
What I want to do is have a default route via the GRE tunnel, only there is no next-hop address for the tunnel. My provider will let me set whatever source address I like, but there’s no IP I can target within the tunnel. So I have to use interface=GRE_Tunnel as my route. Only thing is, the route is marked as unreachable in the table and nothing flows down the tunnel.
Any ideas how I can get this to work? Thanks much.
/ip address print
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK INTERFACE
0 192.168.0.4/23 192.168.0.0 vlan20
1 192.168.31.2/24 192.168.31.0 vlan31
2 192.168.32.2/24 192.168.32.0 vlan32
3 172.16.1.1/30 172.16.1.0 GRE_Tunnel
/ip route print detail
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit
0 S dst-address=0.0.0.0/0 gateway=GRE_Tunnel gateway-status=GRE_Tunnel unreachable distance=10 scope=30 target-scope=10
1 A S dst-address=<**GRE-REMOTE-IP**> gateway=192.168.32.1 gateway-status=192.168.32.1 reachable via vlan32 distance=1 scope=30 target-scope=10
2 DC dst-address=172.16.1.0/30 pref-src=172.16.1.1 gateway=GRE_Tunnel gateway-status=GRE_Tunnel unreachable distance=255 scope=10
3 A S dst-address=192.168.0.0/16 gateway=192.168.31.1 gateway-status=192.168.31.1 reachable via vlan31 distance=1 scope=30 target-scope=10
4 ADC dst-address=192.168.0.0/23 pref-src=192.168.0.4 gateway=vlan20 gateway-status=vlan20 reachable distance=0 scope=10
5 ADC dst-address=192.168.31.0/24 pref-src=192.168.31.2 gateway=vlan31 gateway-status=vlan31 reachable distance=0 scope=10
6 ADC dst-address=192.168.32.0/24 pref-src=192.168.32.2 gateway=vlan32 gateway-status=vlan32 reachable distance=0 scope=10
I cannot ping anything inside of the tunnel. Only TCP/UDP traffic is accepted. I am seeing GRE keepalives being exchanged with the far end, I just can’t figure out how to make traffic flow with an unreachable route. A colleague suggested that I look into FW/Mangle + Routing Marks to somehow skirt the unreachability. Other ideas?
Is the tunnel shown as running in /interface gre print? Because I can see no other reason why the route with GRE_Tunnel as gateway should be down (gateway unreachable).
Please explain a bit better how that GRE tunnel comes into play. You are talking about “my provider” but is that the internet provider that transports the tunnel packets for you, or do you have some other service provider where your GRE tunnel ends?
Anyway, it should not matter what the IP on the tunnel is.
You could even set up some completely random subnet, e.g. 10.0.0.1/30, on your tunnel endpoint and then route your packets via gateway 10.0.0.2 (i.e. the other address in that same /30 subnet).
This should make the router send the packets into the tunnel, where apparently the other side will pick them up. As there is no address resolution protocol across a GRE tunnel, that should work.
But first, make sure you understand that the addresses you enter on the tunnel interface (local and remote) have nothing to do with the IP address assigned to the tunnel endpoint.
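As an added example (not from the thread), the configuration the reply above suggests, written in RouterOS v6 CLI syntax; it assumes the original poster's interface name GRE_Tunnel and the 10.0.0.0/30 subnet from the reply:

```routeros
# Give the tunnel interface an address from an arbitrary /30. The "peer" address
# 10.0.0.2 does not have to exist on the far side: GRE does no address resolution,
# so anything routed to it is simply encapsulated and sent into the tunnel.
/ip address add address=10.0.0.1/30 interface=GRE_Tunnel

# Default route via the other address of that /30. RouterOS resolves 10.0.0.2 through
# the connected 10.0.0.0/30 route, so the gateway shows "reachable via GRE_Tunnel"
# as long as the interface itself is running. distance=10 matches the poster's
# original default route.
/ip route add dst-address=0.0.0.0/0 gateway=10.0.0.2 distance=10

# The route to the GRE peer's public address must stay via the transport VLAN, never
# via the tunnel, or the tunnel would try to carry its own outer packets.
# The poster already has this: dst-address=<GRE-REMOTE-IP> gateway=192.168.32.1

# Verify: the default route should now read "reachable via GRE_Tunnel". If it still
# says unreachable, the interface itself is down (no R flag in /interface gre print).
/ip route print detail where dst-address=0.0.0.0/0
/interface gre print
```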
Yes I can see the interface using /interface gre print, please see below for output.
When I bind an IP address to the GRE interface, and then go to IP \ Routes, the connected network for the GRE shows as unreachable. I used 172.16.1.3/30 for the local interface. I defined a default route via 172.16.1.2, and it too shows as unreachable. My understanding of the Mikrotik forwarding behaviour is that it will not consider unreachable routes as viable destinations, and drop the packet instead.
> /interface gre print
Flags: X - disabled, R - running
0 name="GRE-Tunnel" mtu=1476 actual-mtu=1476 local-address=0.0.0.0 remote-address=111.116.130.222 keepalive=5s,3 dscp=inherit
clamp-tcp-mss=yes dont-fragment=inherit allow-fast-path=yes
> /ip address print
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK INTERFACE
0 192.168.0.4/23 192.168.0.0 vlan20
1 192.168.31.2/24 192.168.31.0 vlan31
2 192.168.32.2/24 192.168.32.0 vlan32
3 172.16.1.3/30 172.16.1.0 GRE-Tunnel
> /ip route print detail
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit
0 S dst-address=0.0.0.0/0 gateway=172.16.1.2 gateway-status=172.16.1.2 unreachable check-gateway=ping distance=1 scope=30 target-scope=10
1 A S dst-address=111.116.0.0/16 gateway=192.168.32.1 gateway-status=192.168.32.1 reachable via vlan32 distance=1 scope=30 target-scope=10
2 DC dst-address=172.16.1.0/30 pref-src=172.16.1.3 gateway=GRE-Tunnel gateway-status=GRE-Tunnel unreachable distance=255 scope=10
3 A S dst-address=192.168.0.0/16 gateway=192.168.31.1 gateway-status=192.168.31.1 reachable via vlan31 distance=1 scope=30 target-scope=10
4 ADC dst-address=192.168.0.0/23 pref-src=192.168.0.4 gateway=vlan20 gateway-status=vlan20 reachable distance=0 scope=10
5 ADC dst-address=192.168.31.0/24 pref-src=192.168.31.2 gateway=vlan31 gateway-status=vlan31 reachable distance=0 scope=10
6 ADC dst-address=192.168.32.0/24 pref-src=192.168.32.2 gateway=vlan32 gateway-status=vlan32 reachable distance=0 scope=10
The output shows that RouterOS considers the tunnel interface to be down. When keepalive is activated, the tunnel interface is considered down if it receives no packets for a certain period of time.
More precisely, unreachable routes are ignored, so the packet is only dropped if there is no other route matching the packet’s destination, which is the case here, where the unreachable route is the default one.
What is important here is that none of the router’s own IP addresses is a public one, so there must be a NAT between your Mikrotik and the remote GRE peer. GRE doesn’t support the notion of ports, so some NATs cannot handle it well, and the keepalive “responses” from the GRE peer may never reach your Mikrotik.
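An added set of checks for the diagnosis above (not commands from the thread); RouterOS v6 CLI is assumed, the `!keepalive` unset syntax and the sniffer filter are taken as standard RouterOS commands, and vlan32 and 111.116.130.222 are the poster's transport VLAN and peer address:

```routeros
# 1. Is the tunnel running? An "R" in the flags column means up; the poster's
#    /interface gre print output shows no R flag on GRE-Tunnel.
/interface gre print

# 2. Take keepalive out of the picture. Without keepalive RouterOS treats a GRE
#    interface as always up, so the connected 172.16.1.0/30 route and the default
#    route via 172.16.1.2 should flip to "reachable" even though the far end never
#    answers. If traffic then flows, the keepalive replies are what is being lost.
/interface gre set [find name="GRE-Tunnel"] !keepalive
/ip route print detail where dst-address=0.0.0.0/0

# 3. Does GRE (IP protocol 47) come back from the peer at all? Sniff the transport
#    VLAN: only outbound packets towards 111.116.130.222 and nothing inbound means
#    the return path (a NAT that cannot track GRE, which has no ports) is dropping
#    the peer's replies.
/tool sniffer quick interface=vlan32 ip-protocol=gre

# 4. Once the NAT problem is resolved, put keepalive back so a dead tunnel is
#    detected again (same values the poster had configured).
/interface gre set [find name="GRE-Tunnel"] keepalive=5s,3
```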