Community discussions

MikroTik App
just joined
Topic Author
Posts: 14
Joined: Thu Jun 15, 2017 6:33 pm

Port forwarding a Natted Gre Tunnel?

Mon Jul 24, 2017 4:09 am

How do I terminate a Gre tunnel (that's on a 10.x network) to my Nat

The backstory: I'm using a Mikrotik Router Cloud Switch to connect to a cable modem (not router) in which Mikrotik picks up the public IP.

The current topology thus far is:
ether-WAN: 71.X.X.X (picked up by DHCP)
gre-tunnel: 10.x.x.71 (Provider's side: gateway: 10.x.x.70; Public IP: 103.x.x.2)

So far, I have port forwarding and masquerading working like a charm, packets inside can transverse the nat and get outside and vice-versa on 71.x.x.x. Then, after a few days I started to get hit by a DNS Amplification DDOS attack. I forced a DHCP update by changing the MAC on ether-WAN -- the ip changes class C and I'm good for a few days. Then again, I'm hit.

After 8 attacks over 2 weeks, I decided to purchase DDOS protection for the network which uses a GRE or IPIP tunnel (by hiding the real public IP or not using it and tx/rx traffic over the new public IP from the provider which can take a 800Gbps attack and filter it before it hits my router).

I got the gre tunnel terminated on the Mikrotik router -- I can see packets going in and out, the problem is, how does one go about having the NAT (or portions thereof) use it?

My provider has assigned me a 10.x.x.x/30 network, which means I can assign a single IP to the GRE tunnel interface.

Here is what I've tried:

Marked Routing -- I setup a mangle rule to mark the route for source IP's (web server and such) and set the router mark on the GRE gateway in the IP > Routes table.
/ip firewall mangle
add action=mark-routing chain=prerouting comment="Filtered Mangle Routing" disabled=no \
    new-routing-mark=Filtered passthrough=no src-address-list=FilteredIPs
/ip route
add disabled=no distance=1 dst-address= gateway=10.x.x.70 routing-mark=Filtered scope=30 target-scope=10
This did not work, even though I could see more traffic I think this method was trying to extend my network into my provider's nat. In this scenario, I could ping the 10.x gateway, but not the router's assigned 10.x IP on the Gre interface.

Specified src-nat rules -- I setup a src-nat rule to direct the webserver to 10.x.x.71 (ip assigned to gre interface) and a rule under that to direct to 71.x.x.x (ISP's interface).
add chain=srcnat src-address-list=FilteredIPs action=src-nat to-addresses=10.x.x.71
add chain=srcnat src-address= action=src-nat to-addresses=71.x.x.x
This did not work, in fact when I tried this method all incoming traffic over Gre stopped. I could see my packets leaving but my provider never saw the packets. In this scenario, I could ping both the 10.x gateway and the 10x IP on the gre interface.

Does anyone happen to know what I may be doing wrong here, or if I'm missing something? During all of this, every other computer on the nat works perfectly, just getting traffic to route over the gre interface from the nat based on a single (or multiple) LAN IP's seems to be virtually impossible :( But then again, tunneling is something entirely new to me, I can do VLANs, Meshes, etc, but toss in a tunnel condition and I'm absolutely lost :(

Here is my optimistic setup (what I currently have combined with what we need)

Last edited by ChipP on Tue Jul 25, 2017 8:34 am, edited 1 time in total.
just joined
Topic Author
Posts: 14
Joined: Thu Jun 15, 2017 6:33 pm

Re: GRE + NAT = WUT?

Tue Jul 25, 2017 8:32 am

I was able to get the nat to work by disabling RP Filtering (having it set to lose or strict causes some issues)

I'm still unable to use port forwarding. Does anyone have any ideas?

I can port forward from ISP Public IP to but I cannot port forward from 10.x to I see the packets coming in on the gre interface through torch but the nat simply doesn't send the packets over :(

So far, I was able to get this working with a route mark, as just masquerading based on origin IP didn't seem to send anything out the GRE tunnel.

So under Mangle I added a rule to mark the route if the source ip was to "filtered". And under gateways I set the -> 10.x to the filtered routing mark.

Then I set a masquerading rule that masquerades based on that routing mark.

This began to work, I can view websites (some) though dns seems to fail trying to transverse the nat.

Who is online

Users browsing this forum: santyx32, tts001 and 83 guests