But then again, I think a lot of things, and most people think I need medication… so who knows. It’s been so long since I’ve had routed public IP space, I don’t remember…
I am fortunate enough to still have an Internic assigned IP block. It’s small so most ISPs won’t route it, but I found one that is willing to. They will announce the block via my ASN, and tunnel the address space back to me over a GRE, GIF, IPIP, etc. tunnel. Not the most efficient, but who can complain these days?
Let’s assume my public block is 191.192.193.0/24 and the ISP has set up a tunnel between myself at 11.12.13.1 and their 12.13.14.1.
I am assuming that my LAN space can now have addresses in the 191.192.193.0/24 range. And the default gateway for these addresses is 12.13.14.1 (assume we have a source routing policy here).
Therefore outbound packets in the 191.192.193.0/24 source range should default route to the far tunnel endpoint of 11.12.13.1, and inbound packets just “fall into” normal routing since they arrive on the tunnel interface.
Does this seem right? It doesn’t feel right – I keep wondering if I need a gateway address somewhere.
You mean you have to give away one address from the 191.192.193.0/24 range to get the packets for this range to be delivered to you? No, you don’t, the ISP will use the GRE tunnel (or the IP address of your end of the tunnel) as a route. So you only need to write off 191.192.193.0, 191.192.193.gw and 191.192.193.255 if you make them a local LAN subnet, or even more addresses if you split that range into more subnets. To prevent spending 4 addresses per client (Mikrotik doesn’t support /31 the way other equipment does), you have to use point-to-point settings - either PPPoE or simply assigning a /32 address to the client and indicating a non-conflicting private address at your end as a gateway. How to set this on Ethernet differs by operating system.
So I’ve almost got it. Let’s assume I have a physical tunnel endpoint on my end of 12.13.14.1 and the ISP has 11.12.13.1. The GRE tunnel is 11.12.13.1 ↔ 12.13.14.1.
My gateway rule for 191.192.193.0/24 is: 191.192.193.0/24 via gw 12.13.14.1. Probe 11.12.13.1 to make sure that gateway is up. At that point, assuming I don’t subnet, I have 191.192.193.1-254 for internal use.
A few more questions if I may:
I can use a GRE, GIF, IPsec, IPIP etc. tunnel. I don’t need encryption, so if I want to minimize the work on the ISP, and they can do all, if I want to tunnel both IPv4 and IPv6, should I ask for separate GRE tunnels (one for v4, and one for v6) or can GRE or GIF carry both? And, should it be GRE or GIF?
Assume the ISP sets up TWO redundant routers and I do as well. Now I can have TWO default routes. I remember I can just install two static defaults, but since the tunnels are static, how does a LAN node know which default route to use? (It’s been so long for all of this… if I only were back in 1983… wait! With our stay-at-home orders, I’m almost there – I have big hair now, I ate take out food, just a little more and I’ll be back in college on a vax!)
Even better, if you don’t subnet, you even have 191.192.193.0 and 191.192.193.255 for internal use.
Do we still stay in the Mikrotik context? I don’t know how to set up a GIF tunnel on Mikrotik.
But yes, you can use a single GRE tunnel for both IPv6 and IPv4. Indicating the tunnel interface rather than the IP address of the remote end of the tunnel saves you some subnets in IPv4; in IPv6 I’m not sure whether link-local addresses will be sufficient. You can set up the GRE tunnel using either of the two address families, and in both cases you can encapsulate both types of packets into the same tunnel.
While at Mikrotik side you can use scripting and other techniques to choose between the two tunnels, the ISP may not be willing to use these rudimentary tools and might prefer some dynamic routing protocol, so agreeing on one with the ISP should be the least painful method. But in this case, you’ll definitely need IP addresses to be assigned to tunnel ends.
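To make the above concrete, here is a customer-side RouterOS (v6 syntax) configuration for the setup discussed in this thread: one GRE tunnel to the ISP carrying both IPv4 and IPv6, the public block on the LAN, and the /32 point-to-point trick from the earlier reply for handing single addresses to downstream clients. This is an added example, not configuration posted by anyone in the thread. It uses the thread’s example addresses (191.192.193.0/24, 11.12.13.1, 12.13.14.1); the interface names, the inner tunnel addressing (10.255.0.0/30, fd00:255::/64), the IPv6 prefix 2001:db8:1::/48 and the client address 191.192.193.50 are assumptions made for the example, since the thread names none of them.

```routeros
# Customer-side RouterOS config (v6 syntax). Added example, not from the thread.
# Thread's addresses: public block 191.192.193.0/24, our endpoint 11.12.13.1,
# ISP endpoint 12.13.14.1. Assumed for this example: interface names,
# 10.255.0.0/30 and fd00:255::/64 inside the tunnel, IPv6 prefix 2001:db8:1::/48.

# One GRE tunnel carries both address families. keepalive takes the interface
# down when the far end stops answering, so routes pointing at it drop out.
/interface gre
add name=gre-isp local-address=11.12.13.1 remote-address=12.13.14.1 \
    keepalive=10s,10 comment="GRE to ISP, IPv4 and IPv6"

# Inner addresses on the tunnel. Not strictly needed if both sides route via the
# interface name, but a dynamic routing protocol with the ISP needs them.
/ip address
add address=10.255.0.2/30 interface=gre-isp
/ipv6 address
add address=fd00:255::2/64 interface=gre-isp advertise=no

# The public block lives on the LAN; .1 is the LAN gateway, .0 and .255 are lost.
/ip address
add address=191.192.193.1/24 interface=bridge-lan
/ipv6 address
add address=2001:db8:1:1::1/64 interface=bridge-lan advertise=yes

# Default routes through the tunnel. With a single uplink no policy routing is
# needed: every 191.192.193.0/24 source simply follows the default.
# check-gateway=ping probes the ISP's inner address, as suggested in the thread.
# (gateway=gre-isp instead of an address would work without the /30 above.)
/ip route
add dst-address=0.0.0.0/0 gateway=10.255.0.1 check-gateway=ping distance=1
/ipv6 route
add dst-address=::/0 gateway=fd00:255::1

# GRE adds 24 bytes of overhead (default tunnel MTU 1476). Clamp TCP MSS so
# outbound segments fit without relying on fragmentation or PMTUD.
/ip firewall mangle
add chain=forward protocol=tcp tcp-flags=syn out-interface=gre-isp \
    action=change-mss new-mss=clamp-to-pmtu passthrough=yes

# GRE is unauthenticated. Accept protocol 47 only from the ISP endpoint and drop
# any other GRE hitting the WAN, so a spoofed source cannot inject traffic into
# the tunnel. (ipsec-secret= on the gre interface adds IPsec if ever wanted.)
/ip firewall filter
add chain=input protocol=gre src-address=12.13.14.1 in-interface=ether1-wan \
    action=accept comment="GRE from ISP only"
add chain=input protocol=gre action=drop comment="drop all other GRE"

# Point-to-point to a downstream client without spending a /30 on it: the client
# gets a single /32 from the block, our Ethernet end uses a private address, and
# network= set to the client's address creates the connected /32 route.
# The client configures 191.192.193.50/32 with 10.255.1.1 as its gateway.
/ip address
add address=10.255.1.1/32 network=191.192.193.50 interface=ether2-client
```

On the ISP side the mirror image is a GRE interface with the addresses swapped plus a single route, `/ip route add dst-address=191.192.193.0/24 gateway=<tunnel interface>` (or the customer’s inner tunnel address), which is why no address from the /24 has to be given away for delivery. If you later go to the two-router setup discussed above, the inner tunnel addresses are what OSPF or BGP will peer on.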
My bad – I think in the MT world, we call it a sit interface – typically one uses it for things like Hurricane Electric IPv6-in-IPv4 tunnels.
It may just be easier to have a single “virtual” router rather than the pair where I’d have to run BGP for no real reason.