problem with IPIP interface

mcblady · June 9, 2011, 10:45am

Hello, I have set up IPIP interface in testing environment and everything worked just fine, i have followed http://wiki.mikrotik.com/wiki/Manual:Interface/IPIP manual. Now when i have set it up on live system, it doesn’t work and i cannot find the reason why.

R1
/ip address
add address=1.2.3.4/24 interface=ether1
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=1.2.3.254 scope=30 target-scope=10
/interface ipip
add comment="" disabled=no local-address=1.2.3.4 mtu=1480 name=ipip1 remote-address=4.3.2.1
/ip address
add address=10.0.0.1/24 interface=ipip1
R2
/interface ipip
add comment="" disabled=no local-address=4.3.2.1 mtu=1480 name=ipip1 remote-address=1.2.3.4
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=4.3.2.254 scope=30 target-scope=10
/ip address
add address=4.3.2.1/24 interface=ether1
/ip address
add address=10.0.0.2/24 interface=ipip1

I have enabled firewall, but i have allowed all input output and forward from IP 4.3.2.1 , but ping doesn’t work. I can ping the public IPs, not the private ones.

When i monitor the ipip interface, I get

R2
  rx-packets-per-second: 0
    rx-drops-per-second: 0
   rx-errors-per-second: 0
     rx-bits-per-second: 0bps
  tx-packets-per-second: 1
    tx-drops-per-second: 0
   tx-errors-per-second: 0
     tx-bits-per-second: 665bps
R1
  rx-packets-per-second: 0
    rx-drops-per-second: 0
   rx-errors-per-second: 0
     rx-bits-per-second: 0bps
  tx-packets-per-second: 0
    tx-drops-per-second: 0
   tx-errors-per-second: 1
     tx-bits-per-second: 0bps

I see the tx error, but not sure how to debug it, When i have monitored the traffic i was getting following

R1
ping remote ip
11:18:42 firewall,info output: in:(none) out:ipip1, proto ICMP (type 8, code 0), 10.0.0.1->10.0.0.2, len 44 
11:18:42 firewall,info output: in:(none) out:(unknown), proto ICMP (type 3, code 1), 10.0.0.1->10.0.0.1, len 72 
11:18:43 firewall,info output: in:(none) out:ipip1, proto ICMP (type 8, code 0), 10.0.0.1->10.0.0.2, len 44 
11:18:43 firewall,info output: in:(none) out:(unknown), proto ICMP (type 3, code 1), 10.0.0.1->10.0.0.1, len 72 
11:18:44 firewall,info output: in:(none) out:ipip1, proto ICMP (type 8, code 0), 10.0.0.1->10.0.0.2, len 44

ping local ip

11:18:44 firewall,info output: in:(none) out:(unknown), proto ICMP (type 3, code 1), 10.0.0.1->10.0.0.1, len 72 
11:19:26 firewall,info output: in:(none) out:(unknown), proto ICMP (type 8, code 0), 10.0.0.1->10.0.0.1, len 44 
11:19:26 firewall,info output: in:(none) out:(unknown), proto ICMP (type 0, code 0), 10.0.0.1->10.0.0.1, len 44 
11:19:27 firewall,info output: in:(none) out:(unknown), proto ICMP (type 8, code 0), 10.0.0.1->10.0.0.1, len 44 
11:19:27 firewall,info output: in:(none) out:(unknown), proto ICMP (type 0, code 0), 10.0.0.1->10.0.0.1, len 44

ping local ip works.

Not sure what else could cause the problem. Nat , firewall, ISP ? firewall i have monitored, not getting any drops, cant find any rule which could cause any problems to this and ISP ? the connection between public ips exist, all traffic in and out works just find, only trough IPIP it doesn’t, any idea please? I got stuck at one place.

mcblady · June 9, 2011, 3:08pm

Possible explanation, protocol 4 being filtered by ISP, this is based on logs from mikrotik firewall, where one of two routers was never reached by test hping -0 --ipproto 4 from a server away from any of these routers.