ginojo
just joined
Topic Author
Posts: 6
Joined: Mon Aug 06, 2018 5:42 pm

Gre tunnel for extra IP

Mon Aug 06, 2018 5:55 pm

Hi there,

I'm trying to set up a GRE tunnel to get some extra static public IPv4 addresses in my network. (Provider: ExtraIP)

But I can't access my IP from outside my network. When I access a new public IP from within my network, it works fine (of course, the IP is bound to the CCR), but when I try to access the IP from WAN, nothing special happens. :(

The provider told me to use the following config:
/interface gre
add name=ExtraIP remote-address=85.12.12.12

/ip address
add address=XXX.XXX.XXX.XXX/YY interface=ether2

/ip route
add distance=1 gateway=ExtraIP
add distance=1 dst-address=85.12.12.12/32 gateway=<-- gateway -->
But this is to forward the IPs to the ether2 int. I want to NAT the IPs to be more flexible in how to utilise the IPs.

I have added the GRE tunnel, and it shows up as running/not-slave. Afterwards I bound one of the new IPs to the tunnel int. When accessing the IP from LAN it works; from WAN it doesn't.


I'm not very familiar with those GRE tunnels, so I hope one of you could help me out.
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: Gre tunnel for extra IP

Mon Aug 06, 2018 9:43 pm

GRE is just a tunnel, it appears as another interface and you can work with it as such. With your config, you won't get "extra" addresses, as in "in addition to other ones you already have", but only the new ones. If you already have some and would like to add new ones, it would require a different config; it would basically be like a dual-WAN setup.

What you posted, this creates the tunnel:
/interface gre add name=ExtraIP remote-address=85.12.12.12
This is specific route to remote endpoint:
/ip route add distance=1 dst-address=85.12.12.12/32 gateway=<your original gateway>
And this makes the tunnel a default gateway, all traffic from your network will go there and it can only use your new addresses, nothing else will work:
/ip route add distance=1 gateway=ExtraIP
This is basic config, assign the subnet to ether2 and anything you connect there (and assign correct addresses from new subnet to it) will just work with new addresses:
/ip address add address=XXX.XXX.XXX.XXX/YY interface=ether2
But since the subnet is routed, you can also route these new addresses further in your network, either as whole subnet, smaller subnets, or individual addresses.

Or if you want NAT, you can simply assign these addresses to router itself (e.g. to tunnel interface).

Even before you start assigning new addresses anywhere and replacing the default gateway, you can use Tools->Torch on the tunnel interface, try to connect from outside to any of these new addresses, and you should see incoming packets. If not, there's some trouble with the tunnel.
 
ginojo
just joined
Topic Author
Posts: 6
Joined: Mon Aug 06, 2018 5:42 pm

Re: Gre tunnel for extra IP

Tue Aug 07, 2018 9:58 am

Alright! Thanks for your help so far. I think I'm getting somewhere.

One problem was the gre-server address. Docs were outdated.

I have added the
/ip route add distance=1 dst-address=37.148.192.**/32 gateway=<your original gateway>
rule (with the new GRE-server address), because I don't care about outgoing traffic through the tunnel or other interface... Or should I? Just inbound traffic is important for us.

By torching the tunnel I can see some packets passing. I also added an accept input rule on the tunnel interface and see the counter increasing.
input: in:ExtraIP out:(unknown 0), proto TCP (SYN), <SourceIp>:47244-><ANewExtraIp>:80, len 60
But as you can see, I'm trying to open port 80 on the MikroTik (for testing purposes only :) ) from my LTE phone connection. But the page keeps on loading. Also using NAT to forward the packets to a webserver does nothing. I also tried to add a masquerade rule, no result.
Do I have to create a src-nat rule?

It feels like I am almost there...
 
ginojo
just joined
Topic Author
Posts: 6
Joined: Mon Aug 06, 2018 5:42 pm

Re: Gre tunnel for extra IP

Thu Aug 09, 2018 1:00 pm

I think I finally solved it. Turned out I did need to care about outgoing traffic.

As soon as I added a static route for the LTE connection to go through the GRE tunnel, it started working. So I added a mangle rule for incoming packets, marking the connection, and marking routing if the from-sub1 mark has been set.
This post helped me a lot: viewtopic.php?t=82761#p414129

Will test a bit more later today, but it is looking good.
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: Gre tunnel for extra IP

Thu Aug 09, 2018 2:16 pm

Sorry, I missed your previous reply. And you're right, you do need to care about where returning traffic goes. If you send it somewhere else (different ISP), it will be blocked on the way, because to them it will look like spoofed packets.
 
ginojo
just joined
Topic Author
Posts: 6
Joined: Mon Aug 06, 2018 5:42 pm

Re: Gre tunnel for extra IP

Sat Aug 11, 2018 1:04 am

Thank you! :)

One last problem with this setup. When I set up a host and NAT port 8443 (just an example) to that port, I cannot connect from that host to the WAN IP on port 8443.

I have set up a masquerade for output interfaces WAN (to my ISP) and ExtraIP (for the IPv4 subnet). But no results...

Do you have any suggestions?

Extra info about my config:
/interface ethernet
set [ find default-name=ether1 ] name="ether1 - wan"
/interface gre
add !keepalive name=ExtraIP remote-address=37.xx.xx.xx
/interface vlan
add interface="ether3 - management" name="vlan24 - internal" vlan-id=24
/interface list
add name=WAN
add name=locals
/interface list member
add interface="ether1 - wan" list=WAN
add interface="vlan24 - internal" list=locals
add interface=ExtraIP list=WAN
/ip address
add address=192.168.3.8/24 interface="ether1 - wan" network=192.168.3.0
add address=10.84.0.1/16 interface="vlan24 - internal" network=10.84.0.0
add address=185.xx.xx.xx interface=ExtraIP network=185.xx.xx.0
/ip firewall mangle
add action=change-mss chain=forward new-mss=1400 passthrough=yes protocol=tcp tcp-flags=syn
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=ExtraIP log=yes new-connection-mark=from-sub1 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=from-sub1 in-interface-list=locals new-routing-mark=route-sub1 passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=dst-nat chain=dstnat dst-address=185.xx.xx.xx dst-port=8443 protocol=tcp to-addresses=10.84.78.144 to-ports=443
/ip route
add distance=1 gateway=ExtraIP routing-mark=route-sub1
add distance=1 gateway=192.168.3.1
add distance=1 dst-address=37.xx.xx.xx/32 gateway=192.168.3.1
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: Gre tunnel for extra IP

Sat Aug 11, 2018 1:34 am

Do you mean connecting from 10.84.78.144 back to itself via 185.xx.xx.xx:8443? If so, there's some suggested reading:

http://wiki.mikrotik.com/wiki/Hairpin_NAT
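The hairpin NAT rule the reply points at, written against the addresses and interface names from the posted config (an added example, not from the thread or the MikroTik wiki; 185.xx.xx.xx stays the poster's placeholder and the internal subnet is assumed to be 10.84.0.0/16 as in the posted /ip address entry):

```routeros
# Added example: hairpin NAT for the dst-nat rule in the config above, so a
# client on the internal subnet (or the server itself) can reach
# 185.xx.xx.xx:8443 and get the reply back through the router.
# Assumes: public placeholder 185.xx.xx.xx, server 10.84.78.144,
# internal subnet 10.84.0.0/16 and interface "vlan24 - internal" from the posted config.

/ip firewall nat
# Existing dst-nat, restated: it deliberately has no in-interface=ExtraIP match,
# so connections that originate on the LAN are translated as well.
add chain=dstnat dst-address=185.xx.xx.xx protocol=tcp dst-port=8443 \
    action=dst-nat to-addresses=10.84.78.144 to-ports=443

# Hairpin rule: when client and server are both on the internal subnet, also
# rewrite the source address to the router's LAN address. The server then
# answers the router instead of the client directly, so the reply passes the
# dst-nat connection state and is un-translated on the way back. The existing
# masquerade on out-interface-list=WAN does not match here (out-interface is the VLAN).
add chain=srcnat src-address=10.84.0.0/16 dst-address=10.84.78.144 \
    protocol=tcp dst-port=443 out-interface="vlan24 - internal" action=masquerade
```

The hairpin rule only matters for LAN-to-LAN traffic via the public address; the mangle connection mark from-sub1 is not set for it because it never enters through ExtraIP, so the route-sub1 policy route is untouched.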
