Hello,
I have my router connected to three networks (three VLANs) and also have one GRE tunnel. One of the VLANs connects to the internet and traffic is NATed out of this interface. Traffic generated on my internet subnets is correctly NATed through out to the internet, however traffic coming in through the GRE tunnel is not.
Does the router support NATing of GRE traffic? I see the traffic come in (connection tracking) but it doesn't seem to go anywhere. The routing table looks correct - it routes the traffic from the other subnets out.
Any advice would be appreciated,
James
What are the NAT rules configured? Have you defined the remote pool (connected through GRE) in NATing? Are you able to ping from the local LAN to the remote LAN?
Nope, I still can't get this to work. I have been messing about a lot since I originally asked, so I will try and explain better.
I have one wired interface with two VLANs with tags 100 and 200. VLAN 100 is an external network and VLAN 200 is an internal network. I also have a GRE tunnel coming in over VLAN 100. I would like all traffic leaving the external VLAN 100 to be NATed.
I have set up a srcnat with masquerade on external VLAN 100. With this rule, any traffic coming into the router on VLAN 200, destined for external, is being correctly NATed onto the external address going out of VLAN 100. However, any traffic coming in over the GRE tunnel destined for external is routed out of VLAN 100 but does not get NATed. I see the traffic from gre->vlan100 on the FORWARD chain (with a log rule) and I see the traffic leaving VLAN 100 with a sniffer, but it has the internal address it originated from (an address from the other side of the GRE tunnel) and is not NATed onto the external IP.
I can route fine from VLAN 200 to and from the network on the other side of the GRE tunnel.
Any help would be appreciated.
James
Do one thing…
Suppose your remote pool behind GRE is 10.0.0.0/24, the IP on VLAN 100 is 1.1.1.1 and the LAN pool is 192.168.1.0/24.
So start with the below code and remove your existing masquerading rules:
/ip firewall address-list add list=grepool address=10.0.0.0/24 comment="remote pool behind GRE"
/ip firewall nat add chain=srcnat src-address=192.168.1.0/24 dst-address-list=!grepool action=src-nat to-addresses=1.1.1.1 comment="NAT LAN to external, except traffic for the GRE pool"
That's it. Anything else, please let me know.
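For the case James describes, where traffic arriving over the GRE tunnel must also be translated when it leaves VLAN 100, here is an added RouterOS configuration (not from either poster) that puts both the local LAN and the GRE remote pool in one source list and NATs only what actually exits the external VLAN, so LAN<->GRE traffic keeps being routed untranslated. The addresses are the ones assumed in the thread; the interface names vlan100, vlan200, gre-tunnel1, ether1 and the GRE peer placeholder are assumptions.

```routeros
# Added example, not the forum poster's configuration. Assumed layout:
#   ether1 carries vlan100 (external, 1.1.1.1) and vlan200 (LAN 192.168.1.0/24)
#   gre-tunnel1 terminates on vlan100; 10.0.0.0/24 sits behind the remote peer
/interface vlan
add name=vlan100 vlan-id=100 interface=ether1
add name=vlan200 vlan-id=200 interface=ether1
/interface gre
add name=gre-tunnel1 local-address=1.1.1.1 remote-address=<REMOTE-GRE-PEER-IP>

# Both source pools that are allowed to leave via the external VLAN
/ip firewall address-list
add list=natpool address=192.168.1.0/24 comment="local LAN behind vlan200"
add list=natpool address=10.0.0.0/24 comment="remote pool behind GRE"

# Replaces the masquerade rule: one srcnat rule keyed on source list AND
# out-interface, so traffic between the LAN and the GRE pool (which never
# leaves vlan100) is routed without translation.
/ip firewall nat
add chain=srcnat src-address-list=natpool out-interface=vlan100 \
    action=src-nat to-addresses=1.1.1.1 comment="NAT LAN + GRE pool to external"

# Check: the rule's packet/byte counters must increase while a host in
# 10.0.0.0/24 sends traffic to the internet through the tunnel.
/ip firewall nat print stats
```

If the counters stay at zero for GRE-sourced flows, the packets are not reaching srcnat with that source or out-interface, which points back at routing or at an earlier NAT rule matching first.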