MohsenK
just joined
Topic Author
Posts: 8
Joined: Tue Dec 10, 2013 4:59 pm

GRE Tunnel Problem

Tue Dec 10, 2013 5:43 pm

Hello everyone and thank you for trying to help me :D
I have an issue with a GRE tunneling scenario. Here is the scenario:
We have 2 RouterOSes on site A and site B.
Router A has a valid static IP: 218.219.1.1/30 and Router B has a valid static IP: 218.219.1.2/30
We have some people who will connect to Router A via PPTP/L2TP VPN.
We want these people to gain access to the internet using an interface from Router B.
Now we want to do this via a GRE tunnel.
We make a GRE tunnel between Router A and Router B.
We are working with Winbox here.
In router "B" we just need to do this:
Interfaces => GRE Tunnel => Add =>
Name: GRE
Remote Address: 218.219.1.1
=
IP => Addresses => Add
192.168.100.2/30
Interface: GRE
=
IP => Firewall => NAT => Add
Chain: srcnat
Action: masquerade
=================
In router "A" we will go this way step by step:
Interfaces => GRE Tunnel => Add =>
Name: GRE
Remote Address: 218.219.1.2
==
Now we add an IP to the GRE interface that we created, to create a local network between the 2 GRE interfaces:
IP => Addresses => Add
192.168.100.1/30
Interface: GRE
======
Now we ping 192.168.100.2 from Router "A" and ping 192.168.100.1 from Router "B" and both are successful. It means the GRE communication is established successfully.
=======
VPN Configurations:
We activated the PPTP server on Router "A" and we can connect to it... So no problem on the VPN protocol.
We have an IP pool named "vpn" with addresses of: 192.168.5.5-192.168.5.254 .
We used the profile named "default-encryption" for the PPTP server and we set up these settings on the profile:
Local Address: 192.168.5.1
Remote Address: "vpn"
===
Add NAT rules:
IP => Firewall => NAT => Add
Chain: srcnat
Action: masquerade
=
IP => Firewall => Mangle => Add
Chain: prerouting
Src. Address: 192.168.5.0/24
Action: mark routing
New Routing Mark: Tunnel
Passthrough checked.
===
Now we need to add a static route to send all traffic coming from VPN clients to the GRE tunnel.
So:
IP => Routes => Add
Dst. Address: 0.0.0.0/0
Gateway: 192.168.100.2
Routing Mark: Tunnel

Now we create a PPP secret (username and password) to make a VPN connection to Router "A" and we connect to it from the host.
Connection passed!
But now I can't establish a connection!
I can ping 4.2.2.4 from the host but I can't open any website, I can't create an RDP session completely (it starts securing the connection but after a few milliseconds it stops working).
I also can establish an FTP session but I can't transfer any file!
It seems it will drop the connection after a few bytes are sent! Something like an "MTU limitation" or something!

Could anyone help me through that? I'm going crazy about that! And I think this problem is from NAT/routing....
Note that I checked firewall rules on both routers... not from that!
Router A OS version: 6.6 Level 6
Router B OS version: 5.26 Level 6
PS: Does the version even matter!?


Thanks...
 
jaykay2342
Member
Posts: 336
Joined: Tue Dec 04, 2012 2:49 pm
Location: /Vigor/LocalGroup/Milky Way/Earth/Europe/Germany

Re: GRE Tunnel Problem

Wed Dec 11, 2013 12:27 am

I agree this sounds like an MTU problem. You lose some bytes due to the GRE tunnel. You should get ICMP (fragmentation needed) responses once the traffic tries to go through the tunnel.

I experienced issues with ICMP fragmentation needed if NAT is used "in front" of the tunnel.

Like:
Router A <=> Router B <=NAT=> Internet

I have such a case in my network. Packets with ICMP (fragmentation needed) leave Router B towards the internet but they get ignored by most systems. I think they ignore them due to the fact that the source of the ICMP packet is the same IP as the destination which is claimed as not reachable because "fragmentation is needed".

The only way I found to fix it is with TCP MSS clamping/rewrite for the tunnel traffic.
 
MohsenK
just joined
Topic Author
Posts: 8
Joined: Tue Dec 10, 2013 4:59 pm

Re: GRE Tunnel Problem

Wed Dec 11, 2013 11:34 am

Hello jaykay2342 and thank you for answering me.
Actually I'm not a pro on MikroTik networking.
You mentioned "TCP MSS clamping". How can I do that?
Or as I can see, you said this is because of the "GRE" protocol.
If I use IPIP or Ethernet over IP will it be fixed?
Do you have any solutions that might be helpful to me?
Thank you.
 
jaykay2342
Member
Posts: 336
Joined: Tue Dec 04, 2012 2:49 pm
Location: /Vigor/LocalGroup/Milky Way/Earth/Europe/Germany

Re: GRE Tunnel Problem

Wed Dec 11, 2013 7:02 pm

Every tunnel adds additional headers to the packet which reduce the actual payload size. So using IPIP or EoIP will not fix your problem.

I just noticed that your Router A and Router B have a direct link.
If it is an ethernet link which is capable of handling bigger frames you could raise the MTU of the interfaces on that link. That could be the easiest fix.


Ok, the other way:

Let's assume:
you have only ethernet links with a max MTU of 1500.
your tunnel interfaces are named gre-tunnel0

You build a GRE tunnel between your routers and you want to manipulate the MSS of your TCP connections.

First we need to calculate the Maximum Segment Size.

The lines marked (outer) are the additional headers from the outer packet (the GRE tunnel).

1500 (MTU)
-20 (IP-Header, outer)
-4 (GRE-Header, outer)

-20 (IP-Header)
-20 (TCP-Header)
------------
1436 ( Left for payload )

To lower the MSS just for traffic which goes through the GRE tunnel, this rule should help:
/ip firewall mangle add out-interface=gre-tunnel2 protocol=tcp tcp-flags=syn tcp-mss=!0-1436 action=change-mss new-mss=1436 chain=postrouting
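The subtraction above, and the earlier point that IPIP or EoIP only change the size of the overhead rather than remove it, can be checked with a small calculator. The following is an added example, not code from the thread or from MikroTik: it carries the same arithmetic through for GRE, IPIP and EoIP, models what the `tcp-flags=syn tcp-mss=!0-N action=change-mss` rule does to an individual SYN, and builds the matching mangle command. The per-tunnel overheads are assumptions chosen to reproduce the figures that appear in the thread (1476 default GRE MTU, 1436 MSS, 1458 EoIP auto-MTU); the interface name gre-tunnel0 is taken from the assumption above.

```python
"""Tunnel MTU / TCP MSS arithmetic for the GRE case discussed in the thread.

Added example, not from the thread or from MikroTik. IP and TCP header sizes
are the option-less standard ones; the per-tunnel overheads are assumptions
chosen to match the numbers quoted in the thread.
"""

IP_HEADER = 20   # IPv4 header without options
TCP_HEADER = 20  # TCP header without options

# Outer encapsulation overhead in bytes for the tunnel types mentioned in the thread.
TUNNEL_OVERHEAD = {
    "gre":  IP_HEADER + 4,        # outer IP + minimal GRE header      -> 1500 - 24 = 1476
    "ipip": IP_HEADER,            # outer IP only                      -> 1500 - 20 = 1480
    "eoip": IP_HEADER + 8 + 14,   # outer IP + GRE w/ key + Ethernet   -> 1500 - 42 = 1458
}


def tunnel_mtu(path_mtu: int, tunnel: str) -> int:
    """Largest inner packet that fits the path MTU after encapsulation."""
    return path_mtu - TUNNEL_OVERHEAD[tunnel]


def max_mss(path_mtu: int, tunnel: str) -> int:
    """Largest TCP payload per segment that crosses the tunnel unfragmented."""
    return tunnel_mtu(path_mtu, tunnel) - IP_HEADER - TCP_HEADER


def mss_breakdown(path_mtu: int, tunnel: str) -> list:
    """The subtraction table from the thread, one (label, bytes) row per header."""
    rows = [(f"MTU ({tunnel})", path_mtu), ("outer IP header", -IP_HEADER)]
    extra = TUNNEL_OVERHEAD[tunnel] - IP_HEADER
    if extra:  # IPIP has no header beyond the outer IP
        rows.append((f"{tunnel} encapsulation header(s)", -extra))
    rows.append(("inner IP header", -IP_HEADER))
    rows.append(("TCP header", -TCP_HEADER))
    rows.append(("left for payload (MSS)", max_mss(path_mtu, tunnel)))
    return rows


def clamp_mss(advertised_mss: int, new_mss: int, syn: bool = True) -> int:
    """Model of the mangle rule
         tcp-flags=syn tcp-mss=!0-<new_mss> action=change-mss new-mss=<new_mss>
    Only SYN segments whose MSS option lies outside 0..new_mss are rewritten;
    non-SYN segments and already-small MSS values pass unchanged."""
    if not syn:
        return advertised_mss
    if 0 <= advertised_mss <= new_mss:
        return advertised_mss
    return new_mss


def mss_rule(tunnel_iface: str, path_mtu: int, tunnel: str) -> str:
    """RouterOS mangle command for the computed MSS (same chain and flags as in the thread)."""
    mss = max_mss(path_mtu, tunnel)
    return (f"/ip firewall mangle add chain=postrouting out-interface={tunnel_iface} "
            f"protocol=tcp tcp-flags=syn tcp-mss=!0-{mss} action=change-mss new-mss={mss}")


if __name__ == "__main__":
    for tunnel in TUNNEL_OVERHEAD:
        for label, value in mss_breakdown(1500, tunnel):
            print(f"{value:>6}  {label}")
        print(mss_rule("gre-tunnel0", 1500, tunnel))
        print()
    # A host advertising the usual 1460 on its SYN is clamped; a smaller MSS is left alone.
    print(clamp_mss(1460, 1436), clamp_mss(1400, 1436))
```

Changing the 1500 passed to `max_mss` to the real path MTU between the two routers is the recalculation the later reply asks for: with a 1492 PPPoE-style path the GRE figure drops to 1428, and the rule has to be regenerated from that value.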
 
MohsenK
just joined
Topic Author
Posts: 8
Joined: Tue Dec 10, 2013 4:59 pm

Re: GRE Tunnel Problem

Thu Dec 12, 2013 1:00 pm

Hello and thank you so much for your help. I really appreciate this.
Actually I don't know exactly what you mean by "direct link". If you are saying there is a link that is directly connected, NO there isn't.
These are both connected to the internet and I created a GRE tunnel between them and gave invalid private IPs to each GRE interface to have local access to them.
I used the way you told me.
I configured the MTU of the GRE interface (in Router A of course! All the settings must be done on Router A I suppose...) to 1500.
And used your firewall mangle rule. Not working...
The default MTU value of GRE was 1476 and I subtracted 64 from it and added the rule as below:
/ip firewall mangle add out-interface=gre-tunnel2 protocol=tcp tcp-flags=syn tcp-mss=!0-1412 action=change-mss new-mss=1412 chain=postrouting
It didn't work either!

And one more thing that might be helpful is that I made this scenario happen in another project and it's still working fine!
But here, no success!
Thank you again.
 
MohsenK
just joined
Topic Author
Posts: 8
Joined: Tue Dec 10, 2013 4:59 pm

Re: GRE Tunnel Problem

Thu Dec 12, 2013 1:25 pm

Now I also configured another Router "A" from another data center and it seems better...
It sends packets a little bigger... The header of the website loaded...
But the problem is still here!
Thanks
 
jaykay2342
Member
Posts: 336
Joined: Tue Dec 04, 2012 2:49 pm
Location: /Vigor/LocalGroup/Milky Way/Earth/Europe/Germany

Re: GRE Tunnel Problem

Thu Dec 12, 2013 1:33 pm

As the static IPs of both routers belong to the same subnet, I assumed they have a direct connection.
 
MohsenK
just joined
Topic Author
Posts: 8
Joined: Tue Dec 10, 2013 4:59 pm

Re: GRE Tunnel Problem

Fri Dec 13, 2013 3:54 pm

Not really, they're not.
Do you have any other suggestions about this scenario?
Anybody else?

Any other ways to make it happen?
 
jaykay2342
Member
Posts: 336
Joined: Tue Dec 04, 2012 2:49 pm
Location: /Vigor/LocalGroup/Milky Way/Earth/Europe/Germany

Re: GRE Tunnel Problem

Fri Dec 13, 2013 4:14 pm

Sorry that it hasn't worked, but it was just my first idea of what's going wrong. As a next step I would do deeper troubleshooting, like doing a packet capture at different places in the network and so on.
 
MohsenK
just joined
Topic Author
Posts: 8
Joined: Tue Dec 10, 2013 4:59 pm

Re: GRE Tunnel Problem

Sat Dec 14, 2013 6:27 pm

I just made the connection VIA SSTP and it worked!
 
jaykay2342
Member
Posts: 336
Joined: Tue Dec 04, 2012 2:49 pm
Location: /Vigor/LocalGroup/Milky Way/Earth/Europe/Germany

Re: GRE Tunnel Problem

Sun Dec 15, 2013 1:58 pm

SSTP will work as it builds a new TCP connection, but you lose a lot of performance. If you need to transport a high Mbps rate I suggest digging deeper to find the GRE problem. MTU problems are often a pain in the a**. Sooner or later you will face such problems again.

Have you tried to find out the path MTU between your routers? Maybe it's not 1500, and then for sure you have to recalculate the adjustment.
 
kusanagi
just joined
Posts: 2
Joined: Mon Aug 01, 2016 7:12 pm

Re: GRE Tunnel Problem

Wed Dec 28, 2016 5:00 am

I know this thread is very old, but I had to deal with this situation this week and wanted to share my experience.

I have an EoIP tunnel between a CCR1036 and a small hAP. No IPsec, because I have to pass
the tunnel through a Cisco ASA (so NATting is involved) and no SSTP/PPTP, because I don't want to add overhead in the payload.

The MTU is set to "auto" and both MikroTiks adjusted to 1458. Ping is working, but no TCP session (HTTP for example),
so I thought that the MSS is my problem. To adjust it, yes, it's in the mangle table, but you also have to enable "ip firewall"
on the bridge interface to make it work. Be careful, because all the traffic passing through the bridge will now be "seen" in the tables.

With this setup, I get an IP from the DHCP on the other side of the tunnel, my gateway is also on the other side of the
tunnel and I can browse successfully all the web sites I wanted.

Also, what I really like, since I want to create more than one EoIP tunnel with the same subnet into the CCR, I can bridge the
EoIP interface to a VLAN interface attached to a specific "VRF"; the tunnel will be terminated into the correct routing table.

That's it!
 
jonmansey
Frequent Visitor
Posts: 84
Joined: Sat Sep 18, 2004 3:43 am

Re: GRE Tunnel Problem

Tue Jan 03, 2017 12:45 am

I found that having connection tracking set to auto was the problem for me; I had to set it to yes to make EoIP have a real 1500 MTU.
