Community discussions

MikroTik App
just joined
Topic Author
Posts: 5
Joined: Mon Jan 19, 2015 7:43 am

CHR on OpenStack, EOIP Tunnel cannot running

Fri Oct 18, 2019 2:25 pm


I have 2 Openstack environment, IceHouse version and Newton version.

When use CHR and running PPTP and EOIP tunnel service in IceHouse version, it running well, but have problem when use CHR on Newton version, VPN PPTP can running well, but EOIP tunnel, the tunnel cannot running.

I ask, openstack support, they says like this :

we found the reason why EoIP is not working in our v5 environment:

GRE Packet Header has a 'Protocol Type', check ... apsulation :
this can be 0x0800 Internet Protocol version 4 (IPv4), 0x0806 Address Resolution Protocol (ARP) and others, check

EOIP is a proprietary ethernet over IP tunneling protocol introduced
by MikroTik's commercial product RouterOS. It uses GRE as protocol id, and it's 'Protocol Type' is 0x6400

NAT is Network Address Translation, and neutron floatingip use it. NAT rely on conntrack in linux.
conntrack has different implementation for different protocol in linux.
For example, TCP or UDP, use 5-tuple (source IP, dest IP, source port, dest port, protocol type) to do NAT.
GRE is special, it has no same concept like source port and dest port. To do GRE NAT, it need use information in inernal protocol.
like PPTP(GRE+PPP), there is nf_conntrack_pptp module in kernel to do PPTP conntrack which rely on nf_conntrack_proto_gre module.

EoIP is GRE+EoIP, and kernel has no conntrack module for it. so our v5 environemnt( kernel version is and upstream community openstack enviroment (Ubuntu 16.04.3 LTS with kernel 4.4.0-151-generic ) we installed don't support EoIP when using floatingip.

But icehouse enviroment with kernel 3.11.0-18-generic can do EoIP using floatingip.
After checked conntrack in icehouse environment, we can see gre conntrack as follows:

the srckey and dstkey is 0. this is weird because it cannot distinguish diffrent connections on the same source ip and dest ip. this has security issue.
After searched, we found there is a security patch in kernel fixed in 3.12,
And we backported this security patch to our V5.

This patch disabled GRE conntrack in conntrack generic module because it has security issues, please check CVE-2014-8160
The icehouse enviroment don't contain this patch. so the EoIP is working but it has security issue.

Because EoIP is a proprietary protocol, I think MikroTik should provide EoIP conntrack module to let EoIP working in NAT mode in linux.

Anyone can help me to solved this Issue, about this MikroTik should provide EoIP conntrack module to let EoIP working in NAT mode in linux

Thank You

Who is online

Users browsing this forum: No registered users and 6 guests