V7.0.3 Routing

PsYcH · August 18, 2021, 7:06pm

Hi all,

Just bought D53G-5HacD2HnD (Chateau series) LTE Router and I really love it, speed over LTE with mANT LTE antenna is more than great. Now trying to get GRE tunnel working on it, but it seems that there is some changes in routing rules, could anyone explain what I did wrong? Used this TUT https://help.mikrotik.com/docs/display/ROS/GRE

PsYcH · August 20, 2021, 6:09am

Anyone guys?

Kindis · August 20, 2021, 6:32am

Do an /export hide-sensitive and post here (remember to clean out stuff you don’t want on internet.

PsYcH · August 20, 2021, 4:28pm

Actually it`s default config, with custom dhcp and GRE tunnel

/interface bridge
add admin-mac=2C:C8:1B:CE:03:87 auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=\
    MikroTik-CE038C wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX \
    distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=\
    MikroTik-CE038D wireless-protocol=802.11
/interface gre
add allow-fast-path=no local-address=***.***.***.*** name=EimantasNamaiTEST \
    remote-address=***.***.***.***
add allow-fast-path=no local-address=***.***.***.*** name=Sandelis<->HeadOffice \
    remote-address=***.***.***.***
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
add apn=static.tele2.lt ip-type=ipv4
/interface lte
set [ find ] allow-roaming=no apn-profiles=static.tele2.lt name=lte1
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=\
    dynamic-keys supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.2.10-192.168.2.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=lte1 list=WAN
/interface lte settings
set external-antenna=both
/ip address
add address=192.168.2.254/24 comment=defconf interface=bridge network=\
    192.168.2.0
add address=172.16.2.1/30 interface=Sandelis<->HeadOffice network=172.16.2.0
add address=172.16.1.2/30 interface=EimantasNamaiTEST network=172.16.1.0
/ip dhcp-server network
add address=192.168.2.0/24 comment=defconf gateway=192.168.2.254 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.2.254 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
    out,none out-interface-list=WAN
/ip route
add disabled=no distance=1 dst-address=192.168.1.0/24 gateway=172.16.2.2@main \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add disabled=yes distance=1 dst-address=192.168.1.0/24 gateway=172.16.1.1 \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" \
    src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" \
    dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/routing rule
add action=lookup-only-in-table disabled=no src-address=172.16.1.0/30 table=\
    main
/system clock
set time-zone-name=Europe/Vilnius
/system routerboard settings
set cpu-frequency=auto
/system routerboard mode-button
set enabled=yes on-event=dark-mode
/system script
add comment=defconf dont-require-permissions=no name=dark-mode owner=*sys \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    source="\r\
    \n   :if ([system leds settings get all-leds-off] = \"never\") do={\r\
    \n     /system leds settings set all-leds-off=immediate \r\
    \n   } else={\r\
    \n     /system leds settings set all-leds-off=never \r\
    \n   }\r\
    \n "
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LA

PsYcH · August 22, 2021, 6:43am

Any clues?

nescafe2002 · August 22, 2021, 7:16am

Tested on beta, seems that the GRE interface is not running when keepalive is active.

Disabling keepalive on the GRE interface enables the routes.

Note that ROSv7 is still in beta; 7.0.3 is a one-time-build for Chateau but can still contain bugs.

PsYcH · August 22, 2021, 10:32pm

But my config says:

/interface gre
add [b]allow-fast-path=no[/b] local-address=***.***.***.*** name=EimantasNamaiTEST \
    remote-address=***.***.***.***
add [b]allow-fast-path=no[/b] local-address=***.***.***.*** name=Sandelis<->HeadOffice \

nescafe2002 · August 23, 2021, 4:14pm

But.. have you tried disabling keepalive?

pe1chl · August 23, 2021, 4:17pm

The /interface gre lines should show this: !keepalive
You can set that via commandline, or in winbox you need to collapse the keepalive setting.

PsYcH · August 24, 2021, 9:47am

Oh, been late when written my reply, really, turned off keepalive and magic happened. Thank you guys!

mrz · August 24, 2021, 11:36am

Keepalive is fixed in 7.1rc1

pe1chl · August 24, 2021, 12:44pm

This topic is from someone running the stock 7.0.3 on a D53G-5HacD2HnD (Chateau series) LTE Router.
Would you advise him to upgrade to 7.1rc1 ?

mrz · August 24, 2021, 12:49pm

Yes, 7.1rc with the latest fixes is better than 7.0.3

PsYcH · August 26, 2021, 5:46pm

Thank you very much, I`ll try to upgrade