Hi All,
I’m wondering if anyone else has this issue.
Setup:
Transit A -----------> GRE Tunnel --------> Mikrotik Router ---------> Transit B
I have a BGP setup over the GRE tunnel and am advertising a block out of transit A on a BGP session over the GRE tunnels. Inbound traffic is traversing transit A, hitting the GRE tunnel, and outbound traffic is going out transit B. I have a couple of networks behind the MikroTik (network A and network B); these are the advertised ranges. An HTTP service is running on the advertised range. When I advertise out this way instead of symmetrically via transit B only, the ping and HTTP TCP session break on the routed block. If I advertise outbound traffic via the transit A GRE tunnel symmetrically, everything works. Interestingly enough, if I advertise the range out transit B and keep outbound traffic going to transit A, it works. So it works asymmetrically from transit B through the GRE tunnel outbound, but not inbound on transit A with transit B as outbound.
Don’t ask why I need this setup, I just do, as I don’t want to be limited to just symmetric traffic. Has anyone else had this issue? This is what I had to do to get it to work symmetrically over the tunnel.
ip route add gateway=GRE-route routing-mark=TransitB-Route
ip route rule add dst-address=x.x.x.0/24 action=lookup table=main
ip route rule add routing-mark=GRE-route action=lookup table=GRE-route
ip route rule add src-address=x.x.x.0/24 action=lookup table=GRE-route
ip firewall mangle add chain=prerouting src-address=x.x.x.0/24 action=mark-routing new-routing-mark=GRE-route passthrough=no
Oh, and a side note:
it isn’t an MSS issue (ping would still work), and I am setting tcp-mss-adjust on the outbound interface of transit B. SYN/ACK packets coming back into the GRE tunnel are adjusted down to MSS 1436, so there should be no overhead issues on the GRE tunnel.
I have also tried disabling fast-track, as I read somewhere that fast-track essentially bypasses firewall settings. Still the same issue with or without it enabled on the GRE interface.
Another note:
During troubleshooting I added captures at each one of the major network conversion points. I saw hits at each one of the points (transit A terminal, GRE out, GRE in, transit B terminal out). Since I couldn’t get full tcpdump or capture visibility from the MikroTik, I depended on firewall hits based on IP address. I noticed the hits were not sourced from the networks behind the MikroTik, and I don’t have any NAT enabled on the router. Is MikroTik replacing an IP address by default or something with the interface address outbound? That would definitely cause the session to break. It isn’t happening over the GRE tunnel outbound from transit B, so are GRE tunnel interfaces the exception? I’m pretty much at a standstill; weird behavior from MikroTik. I have used Juniper, Cisco and Brocade routers with this exact same setup and they all work seamlessly. MikroTik has been my only issue.
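As an added example (not the poster's configuration, just a model of it), here is a small Python simulation of how the five commands in the post pick a routing table for the inbound request and the outbound reply. It assumes RouterOS evaluates route rules top to bottom with the first match winning, and it substitutes constructed documentation addresses for the post's x.x.x.0/24; the `asymmetric_via_transit_b` case drops the mangle and source rules to show the reply falling back to the main table.

```python
import ipaddress

# Constructed stand-in for the post's x.x.x.0/24 advertised block.
ADVERTISED = ipaddress.ip_network("203.0.113.0/24")

# The post's mangle rule and route rules, as data. Route rules are checked
# top to bottom; the first one whose conditions all hold selects the table.
MANGLE_RULES = [{"src": ADVERTISED, "mark": "GRE-route"}]
ROUTE_RULES = [
    {"dst": ADVERTISED, "table": "main"},
    {"mark": "GRE-route", "table": "GRE-route"},
    {"src": ADVERTISED, "table": "GRE-route"},
]

def apply_mangle(pkt, mangle_rules):
    """Return the routing mark the prerouting mangle chain would set, or None."""
    for rule in mangle_rules:
        if ipaddress.ip_address(pkt["src"]) in rule["src"]:
            return rule["mark"]
    return None

def lookup_table(pkt, route_rules=ROUTE_RULES, mangle_rules=MANGLE_RULES):
    """First matching route rule wins; with no match RouterOS uses main."""
    mark = apply_mangle(pkt, mangle_rules)
    src = ipaddress.ip_address(pkt["src"])
    dst = ipaddress.ip_address(pkt["dst"])
    for rule in route_rules:
        if "dst" in rule and dst not in rule["dst"]:
            continue
        if "src" in rule and src not in rule["src"]:
            continue
        if "mark" in rule and mark != rule["mark"]:
            continue
        return rule["table"]
    return "main"

# Constructed flows: an internet client talking to the HTTP host in the block.
INBOUND = {"src": "198.51.100.7", "dst": "203.0.113.10"}   # arrives via GRE
OUTBOUND = {"src": "203.0.113.10", "dst": "198.51.100.7"}  # reply from the host

def symmetric_over_gre():
    """The post's full rule set: the reply is pinned to the GRE-route table."""
    return lookup_table(INBOUND), lookup_table(OUTBOUND)

def asymmetric_via_transit_b():
    """Only the dst rule kept: the reply falls through to main (transit B)."""
    only_dst = ROUTE_RULES[:1]
    return lookup_table(INBOUND, only_dst, []), lookup_table(OUTBOUND, only_dst, [])

if __name__ == "__main__":
    print(symmetric_over_gre())        # ('main', 'GRE-route')
    print(asymmetric_via_transit_b())  # ('main', 'main')
```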