GRE VPNs weird behavior

Hello,

I have many GRE VPNs between many sites, and I have the following issue with just one VPN.
In all the sites we have 2 WANs and we make 2 VPNs for each one needed, for example Site1 WAN1 ↔ Site2 WAN1 and Site1 WAN2 ↔ Site2 WAN2.
When I create the VPN, I always do the following:

  • Create the VPN as in the GRE manual
  • Create a route to each VPN to use the correct out-interface
  • Create a rule to allow VPN connection and VPN needed traffic
  • Create a rule to avoid that VPN1 goes out through WAN2, and VPN2 goes out through WAN1, as these:
/ip firewall filter
add action=drop chain=output dst-address-list="VPNs WAN1" out-interface=WAN2 protocol=gre
add action=drop chain=output dst-address-list="VPNs WAN2" out-interface=WAN1 protocol=gre

In this case, the VPN is without IPsec, and the GRE between WAN2 ↔ WAN2 isn't created yet (I need to create this, but first I wanted to ensure that each VPN can't use the incorrect WAN).
So, I have created the rules to avoid that each VPN goes out through the incorrect WAN.
With these rules, I can't reach anything through the VPN; when I disable the first rule, I can reach everything.
I checked in “IP → Firewall → Connections” and I am sure that the VPN is using the correct WAN (WAN1 in each site).
I also checked that the address lists have the correct public IPs.
I could not understand why I can use the VPN just by disabling the following rule:

/ip firewall filter
add action=drop chain=output dst-address-list="VPNs WAN1" out-interface=WAN2 protocol=gre

Any idea?
Thanks in advance
Regards,
Damián

/export hide-sensitive

I wonder if you have something incorrect in the address lists or routes.

You are probably better off by setting the source-address of each GRE tunnel and making generic output rules that block all traffic with the wrong source address outgoing on some WAN.
(because you will require that anyway, also for other traffic)

Other than that, in the last couple of RouterOS versions there have been weird problems with GRE in the firewall. It appears that some bug was noticed (or maybe even analyzed wrongly) and from then on, GRE traffic did not match established/related anymore, which it used to do before.
Maybe this issue also affects what you are trying to do here. (although you are not using established/related here…)

Thank you all for your responses

I just created the redundant VPN and now I can enable this filter rule.
I don't know why, but with the second VPN, this rule does not drop the traffic between both sites.
Also I made a ping and checked that ICMP was using the main GRE (which was already created at the beginning).

You are probably better off by setting the source-address of each GRE tunnel and making generic output rules that block all traffic with the wrong source address outgoing on some WAN.
(because you will require that anyway, also for other traffic)

Pe1chl, I'm not sure what you mean by generic output rules.
Also, what would change by removing the local-address of each interface?

Anyway, everything is working now.
Regards,
Damián

What I mean: make rules for output and forward that block all packets that do not have the correct (source) address for each of the ISPs.
E.g. when you have address 11.22.33.44 for the ISP connected to WAN1, make an output rule that blocks !11.22.33.44 (note the ! meaning NOT) on WAN1.
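One way to lay out the tunnel pinning and the generic output rules described above, as an added example that is not from this thread: the WAN1 address 11.22.33.44 is the one pe1chl used, and every other address, gateway, interface and tunnel name is a constructed placeholder.

```routeros
# Added example (not from this thread). Placeholders assumed for this site:
#   WAN1 public address 11.22.33.44 (from the post), ISP1 gateway 11.22.33.1
#   WAN2 public address 55.66.77.88, ISP2 gateway 55.66.77.1
#   Remote site endpoints: 99.88.77.66 (its WAN1), 99.88.77.55 (its WAN2)

# Pin each GRE tunnel to the WAN it belongs to by setting local-address,
# so the encapsulated packets always carry that ISP's address as source.
/interface gre
add name=gre-site2-wan1 local-address=11.22.33.44 remote-address=99.88.77.66
add name=gre-site2-wan2 local-address=55.66.77.88 remote-address=99.88.77.55

# Host routes so each tunnel endpoint is reached through the matching ISP.
/ip route
add dst-address=99.88.77.66/32 gateway=11.22.33.1
add dst-address=99.88.77.55/32 gateway=55.66.77.1

# Generic output rules: anything the router itself sends out of WAN1 must be
# sourced from WAN1's address, and likewise for WAN2. These replace the
# per-tunnel protocol=gre drops and also cover other router-originated
# traffic (DNS, NTP, management sessions) that would otherwise leak out the
# wrong ISP with the wrong source address.
/ip firewall filter
add chain=output out-interface=WAN1 src-address=!11.22.33.44 action=drop comment="wrong source address on WAN1"
add chain=output out-interface=WAN2 src-address=!55.66.77.88 action=drop comment="wrong source address on WAN2"
```

pe1chl also mentions the forward chain; an equivalent forward rule only applies to traffic that is routed without srcnat, because masquerading rewrites the source address in postrouting, after the forward chain has already run.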

Hmmm, that could be nice.
Anyway, now it is working, so I won't change it for now :smiley:

Regards