dot02
Member Candidate
Topic Author
Posts: 108
Joined: Tue Jun 15, 2021 1:23 am

OSPF over GRE, another one...

Thu Jul 14, 2022 6:31 pm

Hi Guys (and Girls),

I think I have a boo-boo in my config. I am trying to get OSPFv2 working over a GRE tunnel.

The tunnel works just fine between 2 locations and static routes:
172.20.0.0/16 ---R1--- GRE=172.30.2.1/30=========172.30.2.2/30---R2---172.18.0.0/16

OSPF is configured correctly (I think), no authentication (for the time being), local networks and GRE IP's are advertised, OSPF is configured as PTP link on the GRE interface, and router ID's are loopbacks:
R1:172.20.0.1
R2:172.18.0.1

I see in the logs that both routers are sending out hello packets through all interfaces including the GRE, but I get no incoming packets on the other side. Here is an example on R1, but R2 has similar entries in the logs:
instance { version: 2 vrf: 0 router-id: 172.20.0.1 } area { 0.0.0.0 } interface { p2p gre-tunnel2 172.30.2.1 } send hello


From other posts, especially this one (viewtopic.php?t=172373) I think there might be something missing/wrong in my routing filters, maybe NAT also?... On the FW, I have temporarily allowed 172.16.0.0/12 on both sides on fwd, input and output chains, just to be sure the FW does not intercept any hello packets.

Before digging onto the config, do you have some hints that I could already check?

Cheers
Denis
 
dot02
Member Candidate
Topic Author
Posts: 108
Joined: Tue Jun 15, 2021 1:23 am

Re: OSPF over GRE, another one...

Tue Jul 19, 2022 3:35 am

Hi fellahs,
any idea on this matter?
cheers
Denis
 
AlexDF
Trainer
Posts: 16
Joined: Tue Jan 09, 2018 11:39 pm

Re: OSPF over GRE, another one...

Wed Jul 20, 2022 11:49 pm

You can start by adding a top rule in the firewall which permits the ospf protocol on the gre input interface, input chain, on both sides.
I implemented ospf over gre many times and it should work, even with different brands.
Ptp avoids dr/bdr election but the protocol still needs multicast.
Are you using bfd too?
What about a ping from 172.30.2.1 to 172.30.2.2 and vice versa ?
Alex
 
dot02
Member Candidate
Topic Author
Posts: 108
Joined: Tue Jun 15, 2021 1:23 am

Re: OSPF over GRE, another one...

Fri Jul 22, 2022 3:34 pm

Hi Alex, thanks for your hints.

I already had such rules on both ends for debugging, and I have no incoming OSPF packets originating from the other side.
I even have an output rule for OSPF, and the funny thing is that I don't see any outgoing packets either. From that perspective, it is logical that OSPF adjacencies don't come up, therefore I suspect the traffic is being dropped or incorrectly forwarded to I don't know where, but not into the gre tunnel...

Is there a specific rule I should add to ensure the gre traffic enters the gre?

I don't use bfd, do you think this could help? I should at least be able to see outgoing packets, even without bfd.

Ping between both locations works perfectly, I have static routing in place for now and it's working perfectly. It's really only OSPF that I can't get working (yet).

cheers,
Denis
 
AlexDF
Trainer
Posts: 16
Joined: Tue Jan 09, 2018 11:39 pm

Re: OSPF over GRE, another one...

Fri Jul 22, 2022 4:19 pm

Ok, so I suspect the problem is some ospf settings, not the gre interface or firewall. Is it possible for you to export the configuration excluding sensitive data?
 
dot02
Member Candidate
Topic Author
Posts: 108
Joined: Tue Jun 15, 2021 1:23 am

Re: OSPF over GRE, another one...

Fri Jul 22, 2022 6:49 pm

Sure, no problem.

Here's the HQ config:
# jul/22/2022 17:19:03 by RouterOS 7.4
# software id = GTSP-YUM6
#
# model = RB3011UiAS
# serial number = <HIDDEN>
/interface bridge
add name=loopback0
/interface ethernet
set [ find default-name=ether1 ] name=eth1-WAN
set [ find default-name=ether4 ] name="eth4 - Transit LAG 10"
set [ find default-name=ether5 ] name="eth5 - Transit LAG 10"
set [ find default-name=ether10 ] name="eth10 - MGT" poe-out=off
set [ find default-name=ether2 ] disabled=yes
set [ find default-name=ether3 ] disabled=yes
set [ find default-name=ether6 ] disabled=yes
set [ find default-name=ether7 ] disabled=yes
set [ find default-name=ether8 ] disabled=yes
set [ find default-name=ether9 ] disabled=yes mac-address=08:55:31:D2:37:0A
set [ find default-name=sfp1 ] disabled=yes loop-protect=off loop-protect-disable-time=1s loop-protect-send-interval=1s
/interface gre
add allow-fast-path=no mtu=1300 name=gre-tunnel1 remote-address=1.1.1.1
add !keepalive local-address=172.20.0.1 name=gre-tunnel2 remote-address=172.18.0.1
add allow-fast-path=no mtu=1300 name=gre-tunnel10 remote-address=3.3.3.3
add disabled=yes !keepalive name=gre-tunnel30 remote-address=DNS_Site_T
/interface vlan
add interface="eth10 - MGT" name="vlan2 - MGT" vlan-id=2
add interface=ether8 name="vlan51 - VLAN0051" vlan-id=51
add interface=eth1-WAN loop-protect=off name="vlan4001 - ISP WAN" vlan-id=4001
/interface bonding
add arp-ip-targets=0.0.0.0 lacp-rate=1sec mode=802.3ad name=LAG10 slaves="eth4 - Transit LAG 10,eth5 - Transit LAG 10"
/interface pppoe-client
add add-default-route=yes allow=chap disabled=no interface="vlan4001 - ISP WAN" name=pppoe-WAN user=<HIDDEN>
/interface vlan
add interface=LAG10 name="vlan10 - SERVER-PRIVATE" vlan-id=10
add interface=LAG10 name="vlan15 - SERVER-PUBLIC" vlan-id=15
add interface=LAG10 name="vlan20 - WORKSTATIONS" vlan-id=20
add interface=LAG10 name="vlan30 - IPTEL" vlan-id=30
add interface=LAG10 name="vlan40 - PRINTERS" vlan-id=40
add interface=LAG10 name="vlan50 - LAB" vlan-id=50
add interface=LAG10 name="vlan60 - WLAN" vlan-id=60
add interface=LAG10 name="vlan100 - TRANSIT" vlan-id=100
/interface list
add comment=defconf name=WAN
add comment=TRANSIT name=TRANSIT
add comment="Out-of-Band Management" name=MGT
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip dhcp-client option
add code=60 name=vendor-class-identifier value=<HIDDEN>
add code=77 name=userclass value=<HIDDEN>
add code=90 name=authsend value=<HIDDEN>
/ip ipsec profile
set [ find default=yes ] dh-group=modp1536 enc-algorithm=aes-256 hash-algorithm=sha256 lifetime=1h nat-traversal=no prf-algorithm=sha256 proposal-check=strict
add dh-group=modp1536 dpd-interval=30s dpd-maximum-failures=100 enc-algorithm=aes-256 hash-algorithm=sha256 lifetime=1h name=Profile_Site_B prf-algorithm=sha256 proposal-check=strict
add dh-group=modp1536 dpd-interval=30s dpd-maximum-failures=100 enc-algorithm=aes-256 lifetime=1h name=Profile_Site_P nat-traversal=no proposal-check=strict
add dh-group=modp1536 dpd-interval=30s dpd-maximum-failures=100 enc-algorithm=aes-256 lifetime=1h name=Profile_Site_T nat-traversal=no proposal-check=strict
add dh-group=ecp521 dpd-interval=30s dpd-maximum-failures=100 enc-algorithm=aes-256 hash-algorithm=sha512 lifetime=1h name=Profile_Site_H prf-algorithm=sha512 proposal-check=strict
/ip ipsec peer
add address=DNS_Site_B comment="VPN to B" disabled=yes exchange-mode=ike2 local-address=<local_WAN_IP> name=Peer_Site_B profile=Profile_Site_B
add address=DNS_Site_T comment="VPN to T" disabled=yes local-address=<local_WAN_IP> name=Peer_Site_T profile=Profile_Site_T
add address=1.1.1.1/32 comment="VPN to P" local-address=<local_WAN_IP> name=Peer_Site_P profile=Profile_Site_P
add comment="VPN to H" exchange-mode=ike2 local-address=<local_WAN_IP> name=Peer_Site_H passive=yes profile=Profile_Site_H send-initial-contact=no
/ip ipsec proposal
set [ find default=yes ] disabled=yes
add enc-algorithms=aes-256-cbc lifetime=1h name=Proposal_P pfs-group=modp1536
add auth-algorithms=sha256 disabled=yes enc-algorithms=aes-256-cbc lifetime=1h name=Proposal_B pfs-group=modp1536
add disabled=yes enc-algorithms=aes-256-cbc lifetime=1h name=Proposal_T pfs-group=modp1536
add auth-algorithms=sha256 enc-algorithms=aes-256-ctr lifetime=1h name=Proposal_H pfs-group=ecp521
/ip pool
add name=dhcp_pool0 ranges=172.20.60.11-172.20.60.200
add name=dhcp_pool1 ranges=172.20.20.11-172.20.20.200
add name=dhcp_pool2 ranges=172.20.30.11-172.20.30.200
add name=dhcp_pool3 ranges=172.20.40.11-172.20.40.200
add name=dhcp_pool4 ranges=172.20.50.11-172.20.50.200
/ip dhcp-server
add address-pool=dhcp_pool0 interface="vlan60 - WLAN" lease-time=4h name=dhcp_VLAN60
add address-pool=dhcp_pool1 interface="vlan20 - WORKSTATIONS" lease-time=4h name=dhcp_VLAN20
add address-pool=dhcp_pool2 interface="vlan30 - IPTEL" lease-time=8h name=dhcp_VLAN30
add address-pool=dhcp_pool3 interface="vlan40 - PRINTERS" lease-time=8h name=dhcp_VLAN40 relay=172.20.40.1
add address-pool=dhcp_pool4 interface="vlan50 - LAB" lease-time=8h name=dhcp_VLAN50 relay=172.20.40.1
/ipv6 pool
add name=Pool_WAN_dhcpPool prefix-length=48
/port
set 0 name=serial0
/queue interface
set sfp1 queue=ethernet-default
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing id
add comment=OSPF_ID disabled=no id=10.0.0.1 name=OSPF_ID select-dynamic-id=""
/routing ospf instance
add disabled=no name=ospf-instance-1 originate-default=always router-id=OSPF_ID
/routing ospf area
add disabled=no instance=ospf-instance-1 name=ospf-area-0
/interface bridge filter
add action=set-priority chain=output disabled=yes dst-port=67 ip-protocol=udp log=yes log-prefix="Set CoS6 on DHCP request" mac-protocol=ip new-priority=6 out-interface=*D passthrough=yes
/interface bridge port
add bridge=*E ingress-filtering=no interface=*D
/ip firewall connection tracking
set enabled=yes
/ip neighbor discovery-settings
set discover-interface-list=all
/ip settings
set max-neighbor-entries=8192 rp-filter=loose
/ipv6 settings
set max-neighbor-entries=8192
/interface list member
add comment="WAN - Public Fiber" interface=eth1-WAN list=WAN
add comment="Management Interface" interface="eth10 - MGT" list=MGT
add comment=Transit interface=LAG10 list=TRANSIT
add comment="WAN - Public Fiber" interface="vlan4001 - ISP WAN" list=WAN
/interface ovpn-server server
set auth=sha1,md5
/ip address
add address=172.20.2.10/24 comment=Management interface="eth10 - MGT" network=172.20.2.0
add address=172.20.100.254/24 comment="Transit vlan 100" interface="vlan100 - TRANSIT" network=172.20.100.0
add address=172.20.10.1/24 comment=SERVER-PRIVATE interface="vlan10 - SERVER-PRIVATE" network=172.20.10.0
add address=172.20.20.1/24 comment=WORKSTATIONS interface="vlan20 - WORKSTATIONS" network=172.20.20.0
add address=172.20.30.1/24 comment=IPTEL interface="vlan30 - IPTEL" network=172.20.30.0
add address=172.20.40.1/24 comment=PRINTER interface="vlan40 - PRINTERS" network=172.20.40.0
add address=172.20.50.1/24 comment=LAB interface="vlan50 - LAB" network=172.20.50.0
add address=172.20.60.1/24 comment=WLAN interface="vlan60 - WLAN" network=172.20.60.0
add address=172.30.1.1/30 comment="GRE Tunnel1 - P" interface=gre-tunnel1 network=172.30.1.0
add address=10.10.10.2/30 comment="GRE Tunnel10 - B" interface=gre-tunnel10 network=10.10.10.0
add address=10.10.30.2/30 comment="GRE Tunnel30 - T" interface=gre-tunnel30 network=10.10.30.0
add address=172.30.2.1/30 interface=gre-tunnel2 network=172.30.2.0
add address=172.20.0.1 interface=loopback0 network=172.20.0.1
/ip cloud
set update-time=no
/ip dhcp-client
add !dhcp-options interface=eth1-WAN use-peer-ntp=no
/ip dhcp-server network
add address=172.20.20.0/24 dns-server=172.16.10.20,172.20.20.2 gateway=172.20.20.1 netmask=24
add address=172.20.30.0/24 dns-server=172.16.10.20 gateway=172.20.30.1 netmask=24
add address=172.20.40.0/24 dns-server=172.16.20.2 gateway=172.20.40.1 netmask=24
add address=172.20.50.0/24 dns-server=172.20.50.1,172.16.10.20 gateway=172.20.50.1 netmask=24
add address=172.20.60.0/24 dns-server=8.8.8.8,172.20.60.1,172.16.20.2 gateway=172.20.60.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=130.117.11.11,172.16.10.20
/ip dns static
add address=172.20.2.10 comment=defconf name=<HIDDEN>
add address=130.117.11.11 comment="WAN DNS Server" name=WAN
/ip firewall address-list
add address=172.20.20.0/24 list=NAT
add address=172.20.60.0/24 list=NAT
/ip firewall filter
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=drop chain=input comment="DROP INVALID PACKETS" connection-state=invalid
add action=drop chain=forward connection-state=invalid
add action=drop chain=input comment="Drop incoming DNS requests from Internet (DDoS)" dst-port=53 in-interface=pppoe-WAN log=yes protocol=udp
add action=drop chain=input dst-port=22,80,443 in-interface=pppoe-WAN log=yes protocol=tcp
add action=accept chain=forward dst-address=172.20.2.0/24 log=yes out-interface="eth10 - MGT" src-address=172.16.0.0/12
add action=accept chain=forward dst-address=172.16.0.0/12 in-interface="eth10 - MGT" log=yes src-address=172.20.2.0/24
add action=accept chain=input dst-address=172.20.0.0/16 src-address=172.16.0.0/16
add action=accept chain=output dst-address=172.16.0.0/16 src-address=172.20.0.0/16
add action=accept chain=input comment=MANAGEMENT dst-address=172.20.2.10 dst-port=80,443,22 protocol=tcp src-address=172.16.0.0/12
add action=accept chain=forward dst-address=172.20.2.15 log=yes src-address=172.16.0.0/12
add action=accept chain=input comment="Allow internal networks to ping GW" dst-address=172.20.0.0/16 log=yes protocol=icmp src-address=172.16.0.0/12
add action=accept chain=input comment="OSPF debug" dst-address=172.16.0.0/12 in-interface=gre-tunnel2 protocol=ospf src-address=172.16.0.0/12
add action=accept chain=output dst-address=172.16.0.0/12 protocol=ospf src-address=172.16.0.0/12
add action=accept chain=input disabled=yes src-address=10.0.0.0/30
add action=accept chain=input comment="VPN P" dst-address=<local_WAN_IP> protocol=ipsec-esp src-address=1.1.1.1
add action=accept chain=output dst-address=1.1.1.1 protocol=ipsec-esp src-address=<local_WAN_IP>
add action=accept chain=input dst-address=<local_WAN_IP> dst-port=500 protocol=udp src-address=1.1.1.1 src-port=500
add action=accept chain=output dst-address=1.1.1.1 dst-port=500 protocol=udp src-address=<local_WAN_IP> src-port=500
add action=accept chain=input dst-address=<local_WAN_IP> log=yes protocol=gre src-address=1.1.1.1
add action=accept chain=output dst-address=1.1.1.1 log=yes protocol=gre src-address=<local_WAN_IP>
add action=accept chain=input dst-address=172.30.1.0/30 in-interface=gre-tunnel1 protocol=icmp src-address=172.30.1.0/30
add action=accept chain=input comment="VPN H" dst-address=<local_WAN_IP> dst-port=500,4500 protocol=udp src-address=213.248.108.128/25
add action=accept chain=output dst-address=213.248.108.128/25 protocol=udp src-address=<local_WAN_IP> src-port=500,4500
add action=accept chain=input dst-address=172.20.0.1 protocol=gre src-address=172.18.0.1
add action=accept chain=output dst-address=172.18.0.1 protocol=gre src-address=172.20.0.1
add action=accept chain=input dst-address=172.16.0.0/12 src-address=172.16.0.0/12
add action=accept chain=output dst-address=172.16.0.0/12 src-address=172.16.0.0/12
add action=accept chain=input comment="VPN B" dst-address=<local_WAN_IP> protocol=ipsec-esp src-address=3.3.3.3
add action=accept chain=output dst-address=3.3.3.3 protocol=ipsec-esp src-address=<local_WAN_IP>
add action=accept chain=input dst-address=<local_WAN_IP> protocol=gre src-address=3.3.3.3
add action=accept chain=output dst-address=3.3.3.3 protocol=gre src-address=<local_WAN_IP>
add action=accept chain=input dst-address=10.10.10.0/30 in-interface=gre-tunnel10 protocol=icmp src-address=10.10.10.0/30
add action=accept chain=forward comment="Allow traffic between P and H (temp)" dst-address=172.16.0.0/12 src-address=172.16.0.0/12
add action=accept chain=input comment=NTP dst-port=123 in-interface=pppoe-WAN protocol=udp src-address=194.0.5.123 src-port=123
add action=accept chain=input dst-port=123 in-interface=pppoe-WAN protocol=udp src-address=82.64.42.185 src-port=123
add action=accept chain=input dst-port=123 in-interface=pppoe-WAN protocol=udp src-address=92.222.209.69 src-port=123
add action=accept chain=input dst-port=123 in-interface=pppoe-WAN protocol=udp src-address=162.159.200.123 src-port=123
add action=accept chain=input dst-port=123 protocol=udp src-address=172.16.0.0/12
add action=drop chain=input comment="STEALTH RULE 1: DROP ALL PACKETS NOT EXPLICITLY ALLOWED ABOVE (INPUT CHAIN)" log=yes
add action=accept chain=forward comment="OUTBOUND INTERNET TRAFFIC" connection-nat-state=srcnat in-interface="vlan100 - TRANSIT" src-address=172.20.0.0/16
add action=accept chain=forward comment="Accept trafic to LAB vlan" dst-address=172.20.50.0/24 src-address=172.20.0.0/16
add action=accept chain=forward dst-address=172.20.0.0/16 src-address=172.20.50.0/24
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="CLEANUP RULE - DROP ALL PACKETS COMING FROM WAN (FWD CHAIN)" in-interface=pppoe-WAN log=yes
/ip firewall nat
add action=masquerade chain=srcnat dst-address=!172.16.0.0/12 out-interface=pppoe-WAN src-address=172.20.0.0/16
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip ipsec identity
add comment=P peer=Peer_Site_P
add comment=B disabled=yes my-id=fqdn:DNS_Site-HQ peer=Peer_Site_B remote-id=fqdn:DNS_Site-B
add comment=T disabled=yes peer=Peer_Site_T
add comment="H" my-id=fqdn:DNS_Site-HQ peer=Peer_Site_H remote-id=fqdn:DNS_Site-H
/ip ipsec policy
set 0 disabled=yes proposal=Proposal_P
add disabled=yes dst-address=3.3.3.3/32 peer=Peer_Site_B proposal=Proposal_B protocol=gre src-address=<local_WAN_IP>/32 tunnel=yes
add dst-address=1.1.1.1/32 peer=Peer_Site_P proposal=Proposal_P protocol=gre src-address=<local_WAN_IP>/32 tunnel=yes
add disabled=yes dst-address=82.65.173.123/32 peer=Peer_Site_T proposal=Proposal_T protocol=gre src-address=<local_WAN_IP>/32 tunnel=yes
add dst-address=172.18.0.1/32 peer=Peer_Site_H proposal=Proposal_H protocol=gre src-address=172.20.0.1/32 tunnel=yes
/ip route
add disabled=no distance=1 dst-address=172.16.0.0/16 gateway=gre-tunnel1 pref-src="" routing-table=main suppress-hw-offload=no
add disabled=no distance=1 dst-address=192.168.127.0/24 gateway=gre-tunnel1 pref-src="" routing-table=main suppress-hw-offload=no
add disabled=no dst-address=172.18.0.0/16 gateway=gre-tunnel2 routing-table=main suppress-hw-offload=no
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www-ssl disabled=no
set api disabled=yes
set winbox disabled=yes
set api-ssl disabled=yes
/ip ssh
set host-key-size=8192 strong-crypto=yes
/ipv6 dhcp-client
add add-default-route=yes interface=pppoe-WAN pool-name=WAN_dhcpPool pool-prefix-length=48 rapid-commit=no request=prefix
/lcd
set backlight-timeout=never default-screen=interfaces
/lcd interface
set ether2 disabled=yes
set ether3 disabled=yes
set "eth4 - Transit LAG 10" disabled=yes
set "eth5 - Transit LAG 10" disabled=yes
set sfp1 disabled=yes
set ether6 disabled=yes
set ether7 disabled=yes
set ether8 disabled=yes
set ether9 disabled=yes
set "eth10 - MGT" disabled=yes
/lcd screen
set 1 disabled=yes
set 2 disabled=yes
set 5 disabled=yes
/routing ospf interface-template
add area=ospf-area-0 disabled=no networks=172.30.2.0/30,172.20.0.0/16,10.0.0.0/30 type=ptp
/system clock
set time-zone-autodetect=no time-zone-name=Europe/Paris
/system identity
set name=router-HQ
/system logging
set 0 disabled=yes
add disabled=yes topics=ipsec
add topics=ospf
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp server
set enabled=yes
/system ntp client servers
add address=194.0.5.123
add address=82.64.42.185
add address=92.222.209.69
add address=162.159.200.123
/tool mac-server
set allowed-interface-list=TRANSIT
/tool mac-server mac-winbox
set allowed-interface-list=TRANSIT


and here's the remote site "H" I am connected to via gre tunnel2:
# jul/22/2022 17:20:14 by RouterOS 7.4
# software id = S1K6-QPTS
#
# model = RBLDFR
# serial number = <HIDDEN>
/interface bridge
add name=Loopback0
/interface ethernet
set [ find default-name=ether1 ] loop-protect=off
/interface gre
add allow-fast-path=no local-address=172.18.0.1 mtu=1300 name=gre-tunnel2 remote-address=172.20.0.1
/interface vlan
add interface=ether1 name="vlan2 - MGT" vlan-id=2
add interface=ether1 name="vlan20 - PC" vlan-id=20
add interface=ether1 name="vlan30 - IPTEL" vlan-id=30
add interface=ether1 name="vlan31 - CCTV" vlan-id=31
add interface=ether1 name="vlan60 - WLAN" vlan-id=60
/interface ethernet switch port
set 0 default-vlan-id=1 vlan-header=add-if-missing vlan-mode=fallback
/interface list
add name=WAN
add name=LAN
/interface lte apn
add apn=<HIDDEN> ip-type=ipv4 name=<HIDDEN> use-network-apn=yes
/interface lte
set [ find ] allow-roaming=no apn-profiles=<HIDDEN> band=1,3,7,20 name=lte1 network-mode=lte
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec profile
add dh-group=ecp521 dpd-interval=30s dpd-maximum-failures=100 enc-algorithm=aes-256 hash-algorithm=sha512 lifetime=1h name=Profile_H prf-algorithm=sha512 proposal-check=strict
/ip ipsec peer
add address=HQ_IP/32 comment="VPN to H" exchange-mode=ike2 name=Peer_H profile=Profile_H
/ip ipsec proposal
set [ find default=yes ] disabled=yes
add auth-algorithms=sha256 enc-algorithms=aes-256-ctr lifetime=1h name=Proposal_H pfs-group=ecp521
/ip pool
add name=dhcp_pool_VLAN20 ranges=172.18.20.11-172.18.20.200
add name=dhcp_pool_VLAN30 ranges=172.18.30.11-172.18.30.200
add name=dhcp_pool_VLAN31 ranges=172.18.31.11-172.18.31.200
add name=dhcp_pool_VLAN60 ranges=172.18.60.11-172.18.60.200
/ip dhcp-server
add address-pool=dhcp_pool_VLAN20 interface="vlan20 - PC" lease-time=8h name=dhcp_VLAN20
add address-pool=dhcp_pool_VLAN30 interface="vlan30 - IPTEL" lease-time=8h name=dhcp_VLAN30
add address-pool=dhcp_pool_VLAN31 interface="vlan31 - CCTV" lease-time=8h name=dhcp_VLAN31
add address-pool=dhcp_pool_VLAN60 interface="vlan60 - WLAN" lease-time=8h name=dhcp_VLAN60
/routing id
add comment=Lookpack0 disabled=yes id=172.18.0.1 name=Lookpack0 select-dynamic-id=only-loopback
add comment=OSPF_ID disabled=no id=10.0.0.2 name=OSPF_ID select-dynamic-id=""
/routing ospf instance
add disabled=no name=ospf-instance-1 originate-default=always router-id=OSPF_ID
/routing ospf area
add disabled=no instance=ospf-instance-1 name=ospf-area-0
/user group
set full policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,dude,rest-api
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ip settings
set max-neighbor-entries=8192 rp-filter=strict
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface list member
add comment="LTE - Mobile Network" interface=lte1 list=WAN
add comment=LAN interface=ether1 list=LAN
/interface ovpn-server server
set auth=sha1,md5
/ip address
add address=172.18.2.1/24 comment=Management interface="vlan2 - MGT" network=172.18.2.0
add address=172.18.30.1/24 comment=IPTEL interface="vlan30 - IPTEL" network=172.18.30.0
add address=172.18.20.1/24 comment=PC interface="vlan20 - PC" network=172.18.20.0
add address=172.18.31.1/24 comment=CCTV interface="vlan31 - CCTV" network=172.18.31.0
add address=172.18.60.1/24 comment=WLAN interface="vlan60 - WLAN" network=172.18.60.0
add address=172.30.2.2/30 interface=gre-tunnel2 network=172.30.2.0
add address=172.18.0.1 interface=Loopback0 network=172.18.0.1
/ip cloud
set ddns-update-interval=10m update-time=no
/ip dhcp-server network
add address=172.18.20.0/24 dns-server=8.8.8.8 gateway=172.18.20.1 netmask=24
add address=172.18.30.0/24 dns-server=172.16.10.20 gateway=172.18.30.1 netmask=24
add address=172.18.31.0/24 dns-server=172.16.10.20 gateway=172.18.31.1 netmask=24
add address=172.18.60.0/24 dns-server=8.8.8.8,172.16.10.20 gateway=172.18.60.1 netmask=24
/ip firewall address-list
add address=172.18.20.0/24 list=NAT
/ip firewall filter
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=drop chain=input comment="DROP INVALID PACKETS" connection-state=invalid
add action=drop chain=forward connection-state=invalid
add action=drop chain=input comment="Drop incoming DNS requests from Internet (DDoS)" dst-port=53 in-interface=lte1 log=yes protocol=udp
add action=drop chain=input dst-port=22,80,443 in-interface=lte1 log=yes protocol=tcp
add action=accept chain=forward dst-address=172.18.2.0/24 out-interface="vlan2 - MGT" src-address=172.16.0.0/12
add action=accept chain=forward dst-address=172.16.0.0/12 in-interface="vlan2 - MGT" src-address=172.18.2.0/24
add action=accept chain=input comment=MANAGEMENT dst-address=172.18.2.1 dst-port=22,80,443 protocol=tcp src-address=172.16.0.0/12
add action=accept chain=input dst-address=172.18.31.1 protocol=udp src-address=172.18.31.0/24 src-port=123
add action=accept chain=input comment="Allow internal networks to ping GW" dst-address=172.18.0.0/16 protocol=icmp src-address=172.16.0.0/12
add action=accept chain=input comment="OSPF debug" dst-address=172.16.0.0/12 in-interface=gre-tunnel2 protocol=ospf src-address=172.16.0.0/12
add action=accept chain=output dst-address=172.16.0.0/12 protocol=ospf src-address=172.16.0.0/12
add action=accept chain=input src-address=10.0.0.0/30
add action=drop chain=input comment="Droping traffic not originating from internal networks" dst-address=172.18.2.0/24 in-interface="vlan2 - MGT" src-address=!172.16.0.0/12
add action=drop chain=forward dst-address=!172.16.0.0/12 in-interface="vlan30 - IPTEL" src-address=172.18.30.0/24
add action=drop chain=forward dst-address=!172.16.0.0/12 in-interface="vlan31 - CCTV" src-address=172.18.31.0/24
add action=accept chain=input comment="VPN H" in-interface=lte1 protocol=udp src-address=HQ_IP src-port=500,4500
add action=accept chain=output dst-address=HQ_IP dst-port=500,4500 out-interface=lte1 protocol=udp
add action=accept chain=input dst-address=172.18.0.1 protocol=gre src-address=172.20.0.1
add action=accept chain=output dst-address=172.20.0.1 protocol=gre src-address=172.18.0.1
add action=accept chain=input dst-address=172.16.0.0/12 src-address=172.16.0.0/12
add action=accept chain=output dst-address=172.16.0.0/12 src-address=172.16.0.0/12
add action=accept chain=forward comment="Internet access vlan 20" dst-address=!172.16.0.0/12 in-interface="vlan20 - PC" out-interface=lte1 src-address=172.18.20.0/24
add action=accept chain=forward connection-state=established,related dst-address=172.18.20.0/24 in-interface=lte1 out-interface="vlan20 - PC" src-address=!172.16.0.0/12
add action=accept chain=input comment=NTP dst-port=123 in-interface=lte1 protocol=udp src-address=194.0.5.123 src-port=123
add action=accept chain=input dst-port=123 in-interface=lte1 protocol=udp src-address=82.64.42.185 src-port=123
add action=accept chain=input dst-port=123 in-interface=lte1 protocol=udp src-address=92.222.209.69 src-port=123
add action=accept chain=input dst-port=123 in-interface=lte1 protocol=udp src-address=162.159.200.123 src-port=123
add action=accept chain=input dst-address=172.18.0.0/16 protocol=udp src-address=172.16.0.0/12
add action=accept chain=forward comment="Zoneminder => Camera" dst-address=172.18.31.200 src-address=172.18.20.0/24
add action=accept chain=forward comment="camera => Zoneminder" dst-address=172.18.20.0/24 src-address=172.18.31.200
add action=drop chain=input comment="STEALTH RULE 1: DROP ALL PACKETS NOT EXPLICITLY ALLOWED ABOVE (INPUT CHAIN)"
add action=drop chain=forward comment="CLEANUP RULE - DROP ALL PACKETS COMING FROM WAN (FWD CHAIN)" in-interface=lte1 log=yes
/ip firewall nat
add action=accept chain=srcnat disabled=yes dst-address=172.20.0.1
add action=masquerade chain=srcnat dst-address=!172.16.0.0/12 out-interface=lte1 src-address=172.18.0.0/16
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
/ip ipsec identity
add comment=H my-id=fqdn:<local_site_DNS> peer=Peer_H remote-id=fqdn:<HQ_DNS>
/ip ipsec policy
set 0 disabled=yes
add dst-address=172.20.0.1/32 peer=Peer_H proposal=Proposal_H protocol=gre src-address=172.18.0.1/32 tunnel=yes
/ip route
add disabled=no distance=1 dst-address=172.20.0.0/16 gateway=gre-tunnel2 pref-src="" routing-table=main suppress-hw-offload=no
add disabled=no dst-address=172.16.0.0/16 gateway=gre-tunnel2 routing-table=main suppress-hw-offload=no
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www-ssl disabled=no
set api disabled=yes
set winbox disabled=yes
set api-ssl disabled=yes
/routing ospf interface-template
add area=ospf-area-0 disabled=no networks=172.30.2.0/30,172.18.0.0/16,10.0.0.0/30 type=ptp
/system clock
set time-zone-name=Europe/Paris
/system identity
set name=remote_Site
/system logging
set 0 disabled=yes
add disabled=yes topics=ipsec
add topics=script
add topics=ospf
/system ntp client
set enabled=yes
/system ntp server
set enabled=yes
/system ntp client servers
add address=194.0.5.123
add address=82.64.42.185
add address=92.222.209.69
add address=162.159.200.123
/system scheduler
add comment="scheduler for OVH Dynamic DNS Updates" interval=15m name=OVHDynDNS on-event="/system script run ovhddns" policy=read,write,test start-time=startup
/system script
add comment="Dynamic OVH DNS updates" dont-require-permissions=no name=ovhddns owner=admin policy=read,write,test source=":local ovhddnsuser <HIDDEN>
//...
//script to update DDNS omitted here...
//...
/system watchdog
set watchdog-timer=no


I've tried several things on the ospf config, this is the current setup.
Quite a few of the FW rules will need to be removed after tshoot, but the most important ones for this matter are the OSPF-related ones, which are basically 100% permissive.


You can ignore all other VPN's on the main site, we are just focusing on the HQ-SiteH VPN (tunnel gre2)
thanks a lot for your input,

cheers

Denis
 
BartoszP
Forum Guru
Posts: 2865
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: OSPF over GRE, another one...

Fri Jul 22, 2022 7:07 pm

Edited your post a little bit to use proper html tags: "code" instead of "quote"
 
dot02
Member Candidate
Topic Author
Posts: 108
Joined: Tue Jun 15, 2021 1:23 am

Re: OSPF over GRE, another one...

Fri Jul 22, 2022 7:11 pm

Oh sorry my bad, I was too quick. Thx for the editing!
 
AlexDF
Trainer
Posts: 16
Joined: Tue Jan 09, 2018 11:39 pm

Re: OSPF over GRE, another one...

Fri Jul 22, 2022 8:32 pm

At both sites, what is the counter of the following firewall rule?

add action=accept chain=input comment="OSPF debug" dst-address=172.16.0.0/12 in-interface=gre-tunnel2 protocol=ospf src-address=172.16.0.0/12

Firewall rules seem ok. I have no experience with ROS 7.4; is it possible to try on different devices with ROS 6.48.6?

Ospf traffic in gre_tunnel2 involves ip 172.30.2.1 & 172.30.2.2 toward 225.0.0.5, so can you "torch" on the gre-tunnel2 interface at both sites and see if there are packets involving these ips?

Alex
 
dot02
Member Candidate
Topic Author
Posts: 108
Joined: Tue Jun 15, 2021 1:23 am

Re: OSPF over GRE, another one...

Fri Jul 22, 2022 9:21 pm

On both sides, the FW counters for the input as well as for the output chains for OSPF are 0 packets. That means that the OSPF packets not only don't reach the other router, but they don't even leave the local router. (At least, as a tiny consolation, it seems logical that the packets never reach the other end...)

On the other hand, the logs say (here an example taken from the remote router, but the HQ router shows the same):
instance { version: 2 vrf: 0 router-id: 10.0.0.2 } area { 0.0.0.0 } interface { p2p gre-tunnel2 172.30.2.2 } send hello
So to me, that means that the OSPF process is running fine. At least it would be plausible that if the process is able to log such events, it generated these packets as well.

The torch results over a period of 10 min on the gre-tunnel2 interface of both routers show absolutely nothing (0 packets) with a source filter of 172.30.2.0/30 and a dst filter of 225.0.0.5:
Total Tx: 0 bps Total Rx: 0 bps Total Tx Packet: 0 Total Rx Packet: 0

This is what makes me think that the OSPF traffic never reaches the GRE interface. Either it is discarded by some internal process, or it is not routed to the GRE interface at all (for whatever reason).

I upgraded to 7.4 yesterday evening with the hope that it might be solved, as there were a few OSPF-related fixes in that new release. Up until yesterday I was running 7.3 for several weeks. I can try with 6.48.6 but I need to first check what drawbacks I would have (as this is a production environment). I don't have spare devices at hand as they are backordered as a consequence of the current shortage on electronics, and I have been waiting for my pair of spares for weeks...
 
AlexDF
Trainer
Trainer
Posts: 16
Joined: Tue Jan 09, 2018 11:39 pm

Re: OSPF over GRE, another one...

Fri Jul 22, 2022 11:38 pm

Ok, I agree.

I cannot understand from your answer whether OSPF over GRE in 7.3 was operating correctly or was down as well.

Looking at the configuration in general, my impression is that there aren't relevant parts which cannot be backported to 6.48.6, but please review the configuration because there are dirty parts (see the bridge sections for examples, or mismatches for GRE keepalive, etc.) not related to the OSPF problem.

I suggest you recreate the environment with a couple of CHR VMs (plus one in the middle to emulate the internet providers) and see if you can replicate the problem. If yes, you can restart from scratch on 6.48.6 and see again whether it is OK or not.

Then for the real devices you can netinstall 6.48.6 and import the configuration from the above lab into these devices (of course the configs need some manual fixes) to minimize the downtime (assuming you can have downtime and reach both sites).

Alex
 
dot02
Member Candidate
Member Candidate
Topic Author
Posts: 108
Joined: Tue Jun 15, 2021 1:23 am

Re: OSPF over GRE, another one...

Fri Jul 22, 2022 11:51 pm

I implemented the OSPF setup while running 7.3, and it didn't work either. After the upgrade to 7.4 (the current situation), as we could see, it still doesn't work.

When I was running 6.x (which was long ago), I didn't have any OSPF config yet, so I have no experience to share on this release.

I will try to downgrade to 6.48 during the night; I will keep you posted tomorrow on whether I could do it and what the results are.
 
AlexDF
Trainer
Trainer
Posts: 16
Joined: Tue Jan 09, 2018 11:39 pm

Re: OSPF over GRE, another one...

Sat Jul 23, 2022 12:44 am

OK, be careful because a downgrade from v7 to v6 is not trivial; sometimes it is better to proceed with netinstall and restart from scratch.

Alex
 
dot02
Member Candidate
Member Candidate
Topic Author
Posts: 108
Joined: Tue Jun 15, 2021 1:23 am

Re: OSPF over GRE, another one...

Sat Jul 23, 2022 3:07 pm

Indeed, as you say it's not that straightforward. I think it might be better I try to replicate the config in a lab.
Gimme a few days to put that together.
Cheers

Denis
 
AlexDF
Trainer
Trainer
Posts: 16
Joined: Tue Jan 09, 2018 11:39 pm

Re: OSPF over GRE, another one...  [SOLVED]

Sat Jul 23, 2022 8:16 pm

Hi Denis

I recreated your environment in the lab, version 7.4; the problem is related to the following firewall rule:

add action=accept chain=input comment="OSPF debug" dst-address=172.16.0.0/12 in-interface=gre-tunnel2 protocol=ospf src-address=172.16.0.0/12

please change it to

add action=accept chain=input comment="OSPF debug" in-interface=gre-tunnel2 protocol=ospf src-address=172.16.0.0/12

because, as already reported, OSPF packets on PTP interfaces are multicast and not unicast.

Then it should work.

Furthermore, I suggest including the following as the second rules after "drop invalid":

add action=accept chain=input comment="ACCEPT ESTEBLISHED AND RELATED CONNECTIONS" connection-state=established,related
add action=accept chain=forward connection-state=established,related

Alex
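For readers who want the fix above in a tighter form: the following RouterOS 7 input-chain rule set is an added example written for this thread, not config posted by Alex or Denis. It keeps the OSPF accept rule interface- and source-bound while matching the multicast destination 224.0.0.5 (AllSPFRouters) that p2p hellos actually use, so the rule counter increments instead of staying at 0. The interface name gre-tunnel2 and the 172.30.2.0/30 tunnel subnet come from the thread; the rule comments, the log prefix and the trailing log/drop pair are assumptions of mine.

```routeros
# Added example, not from the original thread. Assumes gre-tunnel2 with the
# tunnel subnet 172.30.2.0/30 (from the thread); comments and the log prefix
# are chosen here. Order matters: RouterOS evaluates rules top to bottom.
/ip firewall filter

# 1) generic state handling, as suggested in the thread (drop invalid first,
#    then established/related so replies never hit the protocol rules)
add chain=input action=drop connection-state=invalid comment="drop invalid"
add chain=input action=accept connection-state=established,related \
    comment="accept established/related"

# 2) OSPF only from the GRE peer. Hellos on a p2p interface are sent to the
#    multicast group 224.0.0.5, so a unicast-only dst-address (the original
#    172.16.0.0/12 match) never fires and the adjacency never forms.
add chain=input action=accept protocol=ospf in-interface=gre-tunnel2 \
    src-address=172.30.2.0/30 dst-address=224.0.0.5 \
    comment="OSPF multicast (AllSPFRouters) from GRE peer"
# Unicast OSPF to the local tunnel address, for any non-multicast exchanges.
add chain=input action=accept protocol=ospf in-interface=gre-tunnel2 \
    src-address=172.30.2.0/30 dst-address=172.30.2.0/30 \
    comment="OSPF unicast from GRE peer"

# 3) Any other OSPF (wrong interface, unexpected source) is logged and dropped,
#    so a stray or unexpected neighbour shows up in /log instead of being
#    silently accepted by a broad 172.16.0.0/12 rule.
add chain=input action=log protocol=ospf log-prefix="ospf-unexpected" \
    comment="log OSPF from unexpected source/interface"
add chain=input action=drop protocol=ospf comment="drop other OSPF"

# Verification (the checks Alex asked for in the thread):
#   /ip firewall filter print stats where comment~"OSPF"
#   /tool torch interface=gre-tunnel2 protocol=ospf
# The multicast rule counter should rise on every hello interval, and torch
# should show 172.30.2.x -> 224.0.0.5 packets on both ends.
```

Once the adjacency is FULL, keep OSPF authentication on the interface as Denis did, since the firewall only restricts where OSPF packets may come from, not who sent them.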
 
dot02
Member Candidate
Member Candidate
Topic Author
Posts: 108
Joined: Tue Jun 15, 2021 1:23 am

Re: OSPF over GRE, another one...

Sun Jul 24, 2022 1:08 pm

But of course! Multicast! How could I have overlooked that?! As mentioned in the beginning of this topic, I made a boo-boo...

I just corrected the FW rule and the adjacency came up almost immediately (actually, I still had to do a small correction on the MTU size of the GRE interface for the state to switch to FULL, but that was fixed in 5 seconds). Authentication is also in place now, and the timers were also modified.

Regarding the rule you advised me to also integrate, I have implemented it along with others as well. But as said, the FW rules are not in a definitive state yet, there are still a few traffic flows that I need to track down, then I will optimise all the rules.

Thanks a lot for your support, Alex, and especially for having taken the time to rebuild my config in your own lab - I wasn't expecting you to do that much for helping me! Much appreciated!

Note for others who want to debug OSPF adjacencies not coming up: Check your FW rules, use torching on the interfaces, and don't forget that OSPF uses MULTICAST!!!

Cheers
Denis
