pe1chl
Forum Guru
Topic Author
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

GRE6 tunnel without local-address does not come up after reboot

Tue Jun 15, 2021 3:07 pm

I configured a GRE6 tunnel on a MikroTik router and entered only the remote address of the tunnel. local-address was left unconfigured.
The tunnel came up and worked fine. Then as a final step I updated RouterOS and rebooted. The tunnel now refused to work.
I tried lots of things including disabling the tunnel for a while. The MikroTik router is behind an ISP-provided Fritz!box router and I have
seen funny happenings with their firewall, especially when using IPsec. However, in this case that was not the cause.

The problem was that the MikroTik obtains a routable /62 IPv6 prefix from the Fritz!box and assigns an address from that pool to its local bridge,
and this is the address to be used as source for the GRE6 tunnel. This works when the tunnel is configured in a running router where
the IPv6 address is already present, but when the router is rebooted the tunnel apparently starts before the DHCPv6 sequence has
completed and it ends up without a routable local address. It then fails to work even when it is disabled/enabled. I found that it can be forced
to work by entering an IPsec secret and then immediately removing it again. Apparently that is a major reconfiguration that causes
it to check for an available local address again.

Also, when the IPv4 address assigned to the inside of the tunnel is pinged from the remote end, ping replies are being received!
But when the remote IPv4 address is pinged from the local router, no replies are received. It kind of looks like the ping reply to remote pings
is somehow optimized and uses the tunnel destination from the incoming tunnel packet? But for new outgoing packets the address is
not looked up and probably an fe80:: address is used as the source (maybe I should try to confirm that using a trace).

I have now configured the address obtained from the Fritz!box as the local-address, but of course that is not guaranteed to be static
so I tried to avoid that. It would have to be scripted to be really future-proof.
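One way to do the scripting the post mentions, as an added example and not the author's configuration: a RouterOS script, run from /system scheduler (at startup and periodically), that copies the routable address currently on the bridge into the tunnel's local-address and changes it only when the delegated prefix has moved. The interface name "bridge" and tunnel name "gre-tunnel1" are assumptions.

```routeros
# Added example, not from the forum post. Assumes the LAN bridge is named
# "bridge" (address assigned with from-pool= from the DHCPv6-PD pool) and the
# GRE6 tunnel is named "gre-tunnel1". Schedule it with /system scheduler,
# e.g. start-time=startup interval=5m, so it runs after DHCPv6 has finished.
:local bridgeIf "bridge"
:local tunnel "gre-tunnel1"
:local newLocal ""

# Walk the IPv6 addresses on the bridge and keep the routable one,
# skipping the fe80:: link-local entry that is always present.
:foreach id in=[/ipv6 address find interface=$bridgeIf] do={
    :local addr [/ipv6 address get $id address]
    :if ([:pick $addr 0 5] != "fe80:") do={
        # "2001:db8:1:2::1/64" -> "2001:db8:1:2::1": the tunnel wants a bare address
        :set newLocal [:pick $addr 0 [:find $addr "/"]]
    }
}

:if ([:len $newLocal] > 0) do={
    :local current [/interface gre6 get [find name=$tunnel] local-address]
    # Only touch the tunnel when the address actually changed; setting
    # local-address is the reconfiguration that makes it re-evaluate its source.
    :if ("$current" != $newLocal) do={
        :log info "gre6: setting local-address of $tunnel to $newLocal"
        /interface gre6 set [find name=$tunnel] local-address=$newLocal
    }
} else={
    # No routable address yet (DHCPv6-PD still in progress): leave the tunnel as is
    :log warning "gre6: no routable IPv6 address on $bridgeIf yet, $tunnel unchanged"
}
```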
