Newly created GRE tunnel is not running

Hello,
I have a problem: the newly created GRE tunnel is not in the R state. The state column is empty.

MT1 ==> /interface/gre/add remote-address=2.2.2.2
MT1 ==> /ip/address/add address=10.10.74.1/30 interface=gre-tunnel1 network=10.10.74.0

MT2 ==> /interface/gre/add remote-address=1.1.1.1
MT2 ==> /ip/address/add address=10.10.74.2/30 interface=gre-tunnel1 network=10.10.74.0

And I see the following routes are created automatically in both MTs:

[admin@MikroTik] > /ip/route/print 
Flags: D - DYNAMIC; I - INACTIVE, A - ACTIVE; c - CONNECT, s - STATIC, y - COPY; H - HW-OFFLOADED
Columns: DST-ADDRESS, GATEWAY, DISTANCE
#      DST-ADDRESS      GATEWAY       DISTANCE
  DIcH 10.10.74.0/30    gre-tunnel1          0

Would you please help me find where the issue is? I googled, and some websites said to add a static route manually, but that is already done automatically.

In ROS 6, there used to be a firewall issue with GRE, and in ROS 7, there used to be some issues with the keepalive. As the first step, post the export of your configuration.

Thanks, it’s ROS7.

This is the full configuration:

[admin@MikroTik] > export 
# aug/16/2024 08:08:14 by RouterOS 7.6
# software id = 
#
/interface ethernet
set [ find default-name=ether1 ] disable-running-check=no
/interface gre
add name=gre-tunnel1 remote-address=home_ip
/interface 6to4
add !keepalive name=6to4-tunnel1 remote-address=office_ip
add !keepalive name=6to4-tunnel2 remote-address=home_ip
/interface wireguard
add listen-port=14035 mtu=1420 name=wireguard1
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/port
set 0 name=serial0
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=office_ip endpoint-port=14373 interface=wireguard1 public-key="Vbhh6WAfz0yrU29Tn6qsmKRSXj45AYPLLXu9UXzbBCU="
add allowed-address=0.0.0.0/0 endpoint-address=home_ip endpoint-port=14035 interface=wireguard1 public-key="OJgnIiM1ZZkqwUChBH4VtntlBo9FnMcAZLmuGto0iAY="
/ip address
add address=server_ip interface=ether1 network=server_gateway
add address=10.10.73.1/28 interface=wireguard1 network=10.10.73.0
add address=10.10.74.1/28 interface=gre-tunnel1 network=10.10.74.0
add address=10.10.75.1/24 interface=6to4-tunnel2 network=10.10.75.0
/ip dhcp-client
add interface=ether1
/ip dns
set servers=8.8.8.8
/ip firewall nat
add action=masquerade chain=srcnat
/ip route
add dst-address=0.0.0.0/0 gateway=server_gateway
/ipv6 route
add disabled=no dst-address=::/128 gateway=ether1 routing-table=main
/ipv6 address
add address=fc00::1 advertise=no interface=6to4-tunnel2
/ipv6 firewall nat
add action=masquerade chain=srcnat

  • the firewall is not the reason why GRE does not work, as it is basically nonexistent on this router (NAT doesn’t filter incoming traffic, so your internal addresses are still reachable via the WAN, and if they are global, the IPv6 ones are reachable from anywhere)
  • the ROS version is 7.6, so that may be the reason
  • as you deemed it necessary to substitute the remote-address, I suppose it is a public one, which opens a new can of worms:
    • some ISPs do not let GRE through
    • most NATs have problems handling GRE

So what is the overall topology: does this router have a public IP directly on itself, or is it behind another NAT? Same question for the one at home.

Thanks, I disabled the keepalive and the GRE tunnel is now running.

I can ping both private IPs from both home and the server (office is not important now).
My home internet is behind the NAT and I don’t have a static IP. I think if required, I can request to obtain a static one.

I tried running WireGuard between home and server. It works. I created a new WiFi interface that routes all of its traffic via the WG interface.
The above works: when I connect my mobile to the new WiFi (let’s call it home-bridge) and I google my IP, it says it is WG’s IP.
If I connect to my default home WiFi (it’s home-repeater) and I google my IP, it says my ISP’s IP.

Now when I disable WG, then enable WG, then change the route from WG to GRE, my mobile does not have any internet access. But as soon as I change the route back to WG, I have internet access.

This is my home configuration:

# aug/16/2024 12:34:38 by RouterOS 7.8
# software id =
#
# model = 
# serial number =
/interface bridge
add admin-mac=78:9A:18:2C:9E:D2 auto-mac=no comment=defconf name=bridge
/interface wifiwave2
set [ find default-name=wifi2 ] channel.band=2ghz-ax .skip-dfs-channels=\
    10min-cac .width=20/40mhz configuration.mode=ap .ssid=home-repeater2g \
    disabled=no name="wifi 2g" security.authentication-types=wpa-psk,wpa2-psk
set [ find default-name=wifi1 ] channel.band=5ghz-ax .skip-dfs-channels=\
    10min-cac .width=20/40/80mhz configuration.mode=ap .ssid=home-repeater5g \
    disabled=no name="wifi 5g" security.authentication-types=wpa-psk,wpa2-psk
add configuration.mode=ap .ssid=saeed-bridge disabled=no mac-address=\
    7A:9A:18:2C:9E:D6 master-interface="wifi 5g" name=wifi1 \
    security.authentication-types=""
/interface gre
add !keepalive mtu=1492 name=gre-tunnel1 remote-address=server1_ip
/interface 6to4
add disabled=yes !keepalive name=6to4-tunnel1 remote-address=server2_ip
/interface wireguard
add listen-port=14035 mtu=1420 name=wireguard1
/interface vlan
add disabled=yes interface=ether1 mtu=1492 name=vlan1 vlan-id=801
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add comment="wireless interfaces" name=wireless
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp_pool3 ranges=192.168.73.2-192.168.73.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
add address-pool=dhcp_pool3 interface=wifi1 name=dhcp1
/routing table
add disabled=no fib name=vpn
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface="wifi 5g"
add bridge=bridge comment=defconf interface="wifi 2g"
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface detect-internet
set detect-interface-list=all
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface="wifi 2g" list=wireless
add interface="wifi 5g" list=wireless
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=10.10.73.3/28 interface=wireguard1 network=10.10.73.0
add address=192.168.73.1/24 interface=wifi1 network=192.168.73.0
add address=10.10.75.3/24 interface=6to4-tunnel1 network=10.10.75.0
add address=10.10.74.3/24 interface=gre-tunnel1 network=10.10.74.0
/ip dhcp-server network
add address=192.168.73.0/24 gateway=192.168.73.1
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes cache-max-ttl=1h servers=8.8.8.8
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=mark-routing chain=prerouting new-routing-mark=vpn passthrough=yes \
    src-address=192.168.73.0/24
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none
/ip route
add disabled=no distance=2 dst-address=0.0.0.0/0 gateway=wireguard1 pref-src=\
    "" routing-table=vpn scope=30 suppress-hw-offload=no target-scope=10
/ipv6 address
add address=fc00::2 advertise=no interface=6to4-tunnel1
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=Asia/Tehran
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool sniffer
set memory-scroll=no

I’m so sorry if that’s a lot and that it’s not clean :(

Since you can (apparently, please confirm) ping 10.10.74.1 from 10.10.74.2 and vice versa, that sounds like the issue of early versions of ROS 7 I’ve mentioned. So upgrading both ends to the latest version should allow you to re-enable the keepalive. With keepalive disabled, the tunnel interfaces stay active regardless of whether the network path between them is working or not.


The issue with GRE and NAT is that the device that doesn’t have a public address must keep sending some payload packets (or the keepalive must be enabled) so that the NAT keeps the pinhole (tracked connection) open. If that device is silent for minutes, the NAT device will remove the pinhole and drop the GRE packets coming from the server, as it will not know where to send them on the private/CGNAT side. Plus there are additional issues with this even if you keep the pinhole alive one way or the other.

GRE tunnel itself is stateless and has no authentication or encryption, so given your environment, think twice before using it for any data.
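The keepalive and NAT-pinhole points above, as an added RouterOS example (not configuration from either poster): it re-enables the GRE keepalive on both ends once both run a current ROS 7, and adds the input-chain accept the server would need if a filter were ever added there. Interface names follow the exports in the thread; the 10 s interval, 10 retries and the rule comment are assumed values.

```routeros
# Added example, not part of the thread. Assumes both routers have been
# upgraded past the early ROS 7 keepalive bug mentioned above.

# Home router (behind NAT): a keepalive every 10 s keeps the NAT mapping
# for protocol 47 fresh; after 10 missed replies (100 s) the interface
# loses its R flag instead of staying "running" over a dead path.
/interface/gre/set gre-tunnel1 keepalive=10s,10

# Server (public address): same setting so this end also detects loss.
/interface/gre/set gre-tunnel1 keepalive=10s,10

# Only needed once the server gets an input-chain drop rule (its export
# above has no filter rules at all): GRE has no port, so match the IP
# protocol. Because the home end has a dynamic address, this cannot be
# narrowed to one peer, which is exactly why the lack of authentication
# in GRE matters here.
/ip/firewall/filter/add chain=input protocol=gre action=accept \
    comment="accept GRE from home" place-before=0

# Checks: R flag on the interface, and a tracked GRE connection at home.
/interface/gre/print
/ip/firewall/connection/print where protocol=gre
```

With keepalive on, the tunnel's R flag becomes a real liveness signal, so a route whose gateway is gre-tunnel1 disappears from the routing table while the path is down rather than black-holing traffic.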


You have to either change the route at both devices (home & server), or you have to use src-nat at home also for traffic leaving through the GRE tunnel, so that the server sees everything as coming from the address assigned to the home end of the tunnel and hence does not need a manually added route.
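Both options from the reply above, written out as an added RouterOS example (not the poster's or the helper's configuration). Interface names, the vpn routing table, the 192.168.73.0/24 client subnet and the 10.10.74.x tunnel addresses come from the home export; the distance values and comments are assumptions.

```routeros
# Added example, not part of the thread. The home export already marks
# traffic from 192.168.73.0/24 with routing-mark vpn and has a default
# route in table vpn via wireguard1 at distance 2.
# Note: the exports use 10.10.74.1/28 on the server and 10.10.74.3/24 at
# home; the prefix length should be the same on both tunnel ends.

# --- Option 1: add a route at both ends ---
# Home: default route for table vpn via GRE at distance 1, preferred over
# the distance-2 WireGuard route. With keepalive enabled the GRE route is
# withdrawn when the tunnel loses R and traffic falls back to WireGuard.
/ip/route/add dst-address=0.0.0.0/0 gateway=gre-tunnel1 \
    routing-table=vpn distance=1 comment="home-bridge via GRE"

# Server: without this the server has no route back to 192.168.73.0/24
# and sends the replies to its default gateway, so the home-bridge
# clients get no answer.
/ip/route/add dst-address=192.168.73.0/24 gateway=gre-tunnel1 \
    comment="home-bridge clients behind GRE"

# --- Option 2: home-side source NAT only ---
# Home: same vpn-table route, plus masquerade on the tunnel so the server
# only ever sees 10.10.74.3 and needs no extra route. The server can then
# no longer tell the individual clients apart.
/ip/route/add dst-address=0.0.0.0/0 gateway=gre-tunnel1 \
    routing-table=vpn distance=1 comment="home-bridge via GRE"
/ip/firewall/nat/add chain=srcnat out-interface=gre-tunnel1 \
    action=masquerade comment="hide home-bridge behind tunnel address"

# Check on the home router which route the marked traffic will take.
/ip/route/print where routing-table=vpn
```

Pick one option, not both: with Option 2 the server-side route from Option 1 is harmless but unnecessary. In either case the server's existing masquerade rule already handles the Internet-bound leg.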