tiago15
just joined
Topic Author
Posts: 13
Joined: Mon Aug 31, 2020 3:03 pm

Transporting public IP over a tunel GRE

Tue Feb 23, 2021 12:54 pm

I have an RB1100AHx2 behind FTTH; the ONT is in bridge mode, so the mkt takes the ISP's IP via DHCP client. All of this works correctly. But what I really need is for the users behind the MikroTik to browse through an IP that I have in my data center. For this I have set up a GRE tunnel between the mkt and another mkt in my data center, and I have put some private IPs on the tunnel.
Then I have made a src-nat of the private IPs that have to go out through the public IP that I have in the data center, and that works. But what does not work for me is the inbound direction, that is, if I try to come in through the public IP that I have in the data center, I do not reach the mkt that is actually behind another FTTH connection from another operator. Do you know how I can solve this? Is there any similar example? Attached screenshots:
Last edited by tiago15 on Tue Feb 23, 2021 2:18 pm, edited 1 time in total.
 
sindy
Forum Guru
Posts: 6884
Joined: Mon Dec 04, 2017 9:19 pm

Re: Transporting public IP over a tunel GRE

Tue Feb 23, 2021 1:22 pm

Instead of random screenshots, post the complete configuration exports (from both Mikrotiks), anonymized as per the hint in my automatic signature below, each between [code] and [/code] tags.

My assumption is that you dst-nat the incoming connections at the Mikrotik in the datacenter (DC-tik), but you do not use policy routing at the Mikrotik at the Other Site (OS-tik). So whereas the requests from the clients in the internet do reach the servers in the OS-tik's LAN subnet, the responses take the default route, so they get src-nat'ed to OS-tik's public IP, and therefore the clients in the internet ignore them as they come from an unexpected source IP.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
tiago15
just joined
Topic Author
Posts: 13
Joined: Mon Aug 31, 2020 3:03 pm

Re: Transporting public IP over a tunel GRE

Tue Feb 23, 2021 1:40 pm

This is the export from the remote mkt where I want to use the public IP from the data center.

# feb/23/2021 12:31:12 by RouterOS 6.42.3
# software id = W1HS-K5SJ
#
# model = 1100AHx2
# serial number = 47B80498ADB1
/interface bridge
add fast-forward=no name=bridge1
add fast-forward=no name=loopback_publica
/interface ethernet
set [ find default-name=ether1 ] comment="WAN FIBRA"
set [ find default-name=ether2 ] comment="WAN ANTENA"
/interface pppoe-client
add disabled=no interface=ether2 name=pppoe-out1 password=econectia \
use-peer-dns=yes user=TEATRO
/interface l2tp-client
add connect-to=X:X:X:X name=l2tp-out1 password=econectia user=\
TEATRO
/interface gre
add !keepalive local-address=212.X.X.X name=gre-tunnel-CAB1-ECONECTIA \
remote-address=185.X.X.X
/interface vlan
add interface=ether1 name=vlan20_MASMOVIL vlan-id=20
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=192.168.6.200-192.168.6.230
add name=dhcp_pool1 ranges=192.168.5.100-192.168.5.254
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=bridge1 name=dhcp1
add address-pool=dhcp_pool1 disabled=no interface=ether12 name=dhcp2
/tool user-manager customer
set admin access=\
own-routers,own-users,own-profiles,own-limits,config-payment-gw
/interface bridge port
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether6
add bridge=bridge1 interface=ether7
add bridge=bridge1 interface=ether8
add bridge=bridge1 interface=ether9
add bridge=bridge1 interface=ether10
add bridge=bridge1 interface=ether11
add bridge=bridge1 interface=ether13
/ip address
add address=192.168.6.1/24 interface=bridge1 network=192.168.6.0
add address=172.20.100.202/30 interface=gre-tunnel-CAB1-ECONECTIA network=\
172.20.100.200
add address=publicIPfromDatacenter interface=loopback_publica network=5.X.X.X
add address=192.168.5.1/24 interface=ether12 network=192.168.5.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add add-default-route=no dhcp-options=hostname,clientid disabled=no \
interface=vlan20_MASMOVIL
/ip dhcp-server network
add address=192.168.5.0/24 gateway=192.168.5.1
add address=192.168.6.0/24 gateway=192.168.6.1
/ip firewall mangle
add action=mark-routing chain=prerouting new-routing-mark=rm_econectia \
passthrough=no src-address=192.168.6.0/24
/ip firewall nat
# pppoe-out1 not ready
add action=masquerade chain=srcnat comment="to ECONECTIA" out-interface=\
pppoe-out1
add action=masquerade chain=srcnat comment="to MASMOVIL " out-interface=\
vlan20_MASMOVIL
add action=src-nat chain=srcnat comment="to ECONECTIA por GRE" out-interface=\
gre-tunnel-CAB1-ECONECTIA to-addresses=publicIPfromDatacenter
add action=dst-nat chain=dstnat disabled=yes dst-port=0-9144 in-interface=\
vlan20_MASMOVIL protocol=tcp to-addresses=192.168.6.2 to-ports=0-9144
add action=dst-nat chain=dstnat disabled=yes dst-port=0-9144 in-interface=\
vlan20_MASMOVIL protocol=udp to-addresses=192.168.6.2 to-ports=0-9144
add action=dst-nat chain=dstnat disabled=yes dst-port=9147-65535 \
in-interface=vlan20_MASMOVIL in-interface-list=all protocol=tcp \
to-addresses=192.168.6.2 to-ports=9147-65535
add action=dst-nat chain=dstnat disabled=yes dst-port=9147-65535 \
in-interface=vlan20_MASMOVIL protocol=udp to-addresses=192.168.6.2 \
to-ports=9147-65535
/ip route
add check-gateway=ping comment=GRE_ECONECTIA distance=1 gateway=\
172.20.100.201 routing-mark=rm_econectia
add comment=Marcados_ECONECTIA distance=2 gateway=pppoe-out1 routing-mark=\
rm_econectia
add check-gateway=ping comment=MASMOVIL distance=1 gateway=212.X.X.X
add comment=ECONECTIA distance=2 gateway=pppoe-out1
add comment="Ruta por defecto para llegar a la cabecera econectia" distance=1 \
dst-address=publicIPofdatacenter/32 gateway=212.X.X:X
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes port=81
set ssh address=5.X.X.X/32,192.168.6.0/24 port=9145
set api disabled=yes
set winbox address=5.X.X.X/32,192.168.6.0/24 port=9146
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Madrid
/system identity
set name="TEATRO "
/system routerboard settings
set silent-boot=no
/tool graphing interface
add
/tool graphing queue
add
/tool graphing resource
add
/tool netwatch
add disabled=yes down-script="/ip route set [find comment=MASMOVIL] disabled=y\
es\r\
\n/ip route set [find comment=[GRE_ECONECTIA] disabled=yes\r\
\n/interface pppoe-client enable 0" host=8.8.8.8 interval=5s up-script="/i\
p route set [find comment=MASMOVIL] disabled=no\r\
\n/ip route set [find comment=[GRE_ECONECTIA] disabled=no\r\
\n/interface pppoe-client disable 0"
add disabled=yes down-script="/ip route set [find comment=MASMOVIL] disabled=y\
es\r\
\n/ip route set [find comment=[GRE_ECONECTIA] disabled=yes" host=9.9.9.9 \
interval=5s up-script="/ip route set [find comment=MASMOVIL] disabled=no\r\
\n/ip route set [find comment=[GRE_ECONECTIA] disabled=no"
add disabled=yes down-script="/ip route set [find comment=MASMOVIL] disabled=y\
es\r\
\n/ip route set [find comment=[GRE_ECONECTIA] disabled=yes" host=\
77.75.76.3 interval=5s up-script="/ip route set [find comment=MASMOVIL] di\
sabled=no\r\
\n/ip route set [find comment=[GRE_ECONECTIA] disabled=no"
/tool user-manager database
set db-path=user-manager


And in the mkt in the data center I only have the GRE tunnel with a private IP and a route, which is in the screenshot.
Last edited by tiago15 on Tue Feb 23, 2021 2:02 pm, edited 1 time in total.
 
sindy
Forum Guru
Posts: 6884
Joined: Mon Dec 04, 2017 9:19 pm

Re: Transporting public IP over a tunel GRE

Tue Feb 23, 2021 1:57 pm

If you mind disclosing your public IPs (which I suppose you do as you've obfuscated them in your OP), edit your previous post and obfuscate them also in the export, as I've recommended before.

I'll have a look on the details later.
 
tiago15
just joined
Topic Author
Posts: 13
Joined: Mon Aug 31, 2020 3:03 pm

Re: Transporting public IP over a tunel GRE

Tue Feb 23, 2021 2:03 pm

Done.
 
sindy
Forum Guru
Posts: 6884
Joined: Mon Dec 04, 2017 9:19 pm

Re: Transporting public IP over a tunel GRE

Tue Feb 23, 2021 5:06 pm

In the Theatre-tik configuration, the default route for traffic sent from 192.168.6.0/24 is via the GRE tunnel (by means of action=mark-routing in mangle and having that routing-mark on the default route via the GRE tunnel). This may be a correct setup if devices in this whole subnet have to always use the public IP of the DC-tik, and devices in the other subnet must never use it. Is this the case? (leaving aside the failover to local WAN if the GRE tunnel is down - btw, it can never be down as keepalive is disabled).

But as you (among other things) missed my request to post also the configuration export from the DC-tik, and as your screenshots in the OP show no action=dst-nat rules at all, I can't say whether the configuration of the DC-tik is correct or not.
 
tiago15
just joined
Topic Author
Posts: 13
Joined: Mon Aug 31, 2020 3:03 pm

Re: Transporting public IP over a tunel GRE

Tue Feb 23, 2021 5:21 pm

"This may be a correct setup if devices in this whole subnet have to always use the public IP of the DC-tik, and devices in the other subnet must never use it. " Yes this is the case.

In the DC-tik I only have this route:

/ip route

add comment="Ruta para mandar ip publica a TEATRO " distance=1 \
dst-address=5.x.x.x/32 gateway=172.20.100.202

for going through the gre tunnel.
 
sindy
Forum Guru
Posts: 6884
Joined: Mon Dec 04, 2017 9:19 pm

Re: Transporting public IP over a tunel GRE

Tue Feb 23, 2021 6:26 pm

in the DC-tik I only have this route:
/ip route
add comment="Ruta para mandar ip publica a TEATRO " distance=1 dst-address=5.x.x.x/32 gateway=172.20.100.202
The fact that the action=src-nat to-addresses=5.x.x.x comment="to ECONECTIA por GRE" ... rule at the Theatre-tik is sufficient to make the LAN hosts in the theatre get to internet via the DC-tik implies the following:
  • the 5.x.x.x address is not assigned to any interface on the Theatre-tik, i.e. the Theatre-tik doesn't treat it as its own address, so the route above is really used for the responses belonging to connections initiated from Theatre-tik LAN subnet
  • the internet knows that 5.x.x.x is accessible via the DC-tik (it is not clear whether it is a part of its WAN subnet or whether you propagate it using some dynamic routing protocol, but it is not relevant to the issue).
However:
  • in the Theatre-tik configuration, I cannot see any action=dst-nat rule that would act on packets arriving via the GRE tunnel. Hence the Theatre-tik just forwards, using the default route with no routing-mark, any packet that eventually arrives via the GRE tunnel with destination address 5.x.x.x and does not match an already existing src-nated connection in its connection tracking table.
  • I don't know the firewall rules on DC-tik, so I don't know whether they let through incoming connections from the internet towards 5.x.x.x at all
The fact that there are no dst-nat rules at Theatre-tik also means that the incoming connection requests can be neither processed by the Theatre-tik itself nor forwarded to one of the LAN hosts.

In fact, you could simplify things a small bit if you assigned the 5.x.x.x/32 directly to the GRE tunnel at Theatre-tik end and used 5.x.x.x/32 as the network item in the /ip address configuration for the GRE interface at the DC-tik. This way, you won't need to add the route to 5.x.x.x/32 via 172.20.100.202 manually as it would be added automatically. But it would not change much about the rest, except that the 5.x.x.x would become one of own addresses of the Theatre-tik so services running on it would be accessible from the internet. This is rather a disadvantage in a situation when its /ip firewall filter is totally empty.
 
tiago15
just joined
Topic Author
Posts: 13
Joined: Mon Aug 31, 2020 3:03 pm

Re: Transporting public IP over a tunel GRE

Wed Feb 24, 2021 10:01 am

In fact, you could simplify things a small bit if you assigned the 5.x.x.x/32 directly to the GRE tunnel at Theatre-tik end and used 5.x.x.x/32 as the network item in the /ip address configuration for the GRE interface at the DC-tik. This way, you won't need to add the route to 5.x.x.x/32 via 172.20.100.202 manually as it would be added automatically. But it would not change much about the rest, except that the 5.x.x.x would become one of own addresses of the Theatre-tik so services running on it would be accessible from the internet. This is rather a disadvantage in a situation when its /ip firewall filter is totally empty.

I have tried this and it works for input and it's simple, but the problem now is that for output I don't go out by the IP address 5.x.x.x, I go out by 212.x.x.x. Any idea??

theatre-tik config

# feb/24/2021 08:55:26 by RouterOS 6.42.3
# software id = W1HS-K5SJ
#
# model = 1100AHx2
# serial number = 47B80498ADB1
/interface bridge
add fast-forward=no name=bridge1
add fast-forward=no name=loopback_publica
/interface ethernet
set [ find default-name=ether1 ] comment="WAN FIBRA"
set [ find default-name=ether2 ] comment="WAN ANTENA"
/interface pppoe-client
add interface=ether2 name=pppoe-out1 password=econectia use-peer-dns=yes \
user=TEATROBENICASSIM
/interface l2tp-client
add connect-to=5.x.x.x name=l2tp-out1 password=econectia user=\
TEATRO_BENICASSIM
/interface gre
add !keepalive local-address=212.x.x.x name=gre-tunnel-CAB1-ECONECTIA \
remote-address=185.x.x.x
/interface vlan
add interface=ether1 name=vlan20_MASMOVIL vlan-id=20
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=192.168.6.200-192.168.6.230
add name=dhcp_pool1 ranges=192.168.5.100-192.168.5.254
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=bridge1 name=dhcp1
add address-pool=dhcp_pool1 disabled=no interface=ether12 name=dhcp2
/tool user-manager customer
set admin access=\
own-routers,own-users,own-profiles,own-limits,config-payment-gw
/interface bridge port
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether6
add bridge=bridge1 interface=ether7
add bridge=bridge1 interface=ether8
add bridge=bridge1 interface=ether9
add bridge=bridge1 interface=ether10
add bridge=bridge1 interface=ether11
add bridge=bridge1 interface=ether13
/ip address
add address=192.168.6.1/24 interface=bridge1 network=192.168.6.0
add address=172.20.100.202/30 interface=gre-tunnel-CAB1-ECONECTIA network=\
172.20.100.200
add address=5.x.x.x disabled=yes interface=loopback_publica network=\
5.x.x.x
add address=192.168.5.1/24 interface=ether12 network=192.168.5.0
add address=5.x.x.x interface=gre-tunnel-CAB1-ECONECTIA network=\
5.x.x.x
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add add-default-route=no dhcp-options=hostname,clientid disabled=no \
interface=vlan20_MASMOVIL
/ip dhcp-server network
add address=192.168.5.0/24 gateway=192.168.5.1
add address=192.168.6.0/24 gateway=192.168.6.1
/ip firewall mangle
add action=mark-routing chain=prerouting new-routing-mark=rm_econectia \
passthrough=no src-address=192.168.6.0/24
/ip firewall nat
# pppoe-out1 not ready
add action=masquerade chain=srcnat comment="to ECONECTIA" out-interface=\
pppoe-out1
add action=masquerade chain=srcnat comment="to MASMOVIL " out-interface=\
vlan20_MASMOVIL
add action=src-nat chain=srcnat comment="to ECONECTIA por GRE" out-interface=\
gre-tunnel-CAB1-ECONECTIA to-addresses=5.x.x.x
add action=dst-nat chain=dstnat disabled=yes dst-port=0-9144 in-interface=\
vlan20_MASMOVIL protocol=tcp to-addresses=192.168.6.2 to-ports=0-9144
add action=dst-nat chain=dstnat disabled=yes dst-port=0-9144 in-interface=\
vlan20_MASMOVIL protocol=udp to-addresses=192.168.6.2 to-ports=0-9144
add action=dst-nat chain=dstnat disabled=yes dst-port=9147-65535 \
in-interface=vlan20_MASMOVIL in-interface-list=all protocol=tcp \
to-addresses=192.168.6.2 to-ports=9147-65535
add action=dst-nat chain=dstnat disabled=yes dst-port=9147-65535 \
in-interface=vlan20_MASMOVIL protocol=udp to-addresses=192.168.6.2 \
to-ports=9147-65535
/ip route
add check-gateway=ping comment=GRE_ECONECTIA distance=1 gateway=\
gre-tunnel-CAB1-ECONECTIA routing-mark=rm_econectia
add comment=Marcados_ECONECTIA distance=2 gateway=pppoe-out1 routing-mark=\
rm_econectia
add check-gateway=ping comment=MASMOVIL distance=1 gateway=212.x.x.x
add comment=ECONECTIA distance=2 gateway=pppoe-out1
add comment="Ruta por defecto para llegar a la cabecera econectia" disabled=\
yes distance=1 dst-address=185.x.x.x/32 gateway=212.x.x.x
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes port=81
set ssh address=5.x.x.x/32,192.168.6.0/24 port=9145
set api disabled=yes
set winbox address=5.x.x.x/32,192.168.6.0/24 port=9146
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Madrid
/system identity
set name="TEATRO BENICASIM"
/system routerboard settings
set silent-boot=no
/tool graphing interface
add
/tool graphing queue
add
/tool graphing resource
add
/tool netwatch
add disabled=yes down-script="/ip route set [find comment=MASMOVIL] disabled=y\
es\r\
\n/ip route set [find comment=[GRE_ECONECTIA] disabled=yes\r\
\n/interface pppoe-client enable 0" host=8.8.8.8 interval=5s up-script="/i\
p route set [find comment=MASMOVIL] disabled=no\r\
\n/ip route set [find comment=[GRE_ECONECTIA] disabled=no\r\
\n/interface pppoe-client disable 0"
add disabled=yes down-script="/ip route set [find comment=MASMOVIL] disabled=y\
es\r\
\n/ip route set [find comment=[GRE_ECONECTIA] disabled=yes" host=9.9.9.9 \
interval=5s up-script="/ip route set [find comment=MASMOVIL] disabled=no\r\
\n/ip route set [find comment=[GRE_ECONECTIA] disabled=no"
add disabled=yes down-script="/ip route set [find comment=MASMOVIL] disabled=y\
es\r\
\n/ip route set [find comment=[GRE_ECONECTIA] disabled=yes" host=\
77.75.76.3 interval=5s up-script="/ip route set [find comment=MASMOVIL] di\
sabled=no\r\
\n/ip route set [find comment=[GRE_ECONECTIA] disabled=no"
/tool user-manager database
set db-path=user-manager
 
sindy
Forum Guru
Posts: 6884
Joined: Mon Dec 04, 2017 9:19 pm

Re: Transporting public IP over a tunel GRE

Wed Feb 24, 2021 12:31 pm

the problem now is that towards output now I don't go by the IP address 5.x.x.x , I go by 212.x.x.x any idea??
If you talk about packets sent by the router itself (i.e. you refer to chain output), the routing-mark is only assigned in mangle/prerouting, which means that packets sent by the router itself use the main routing table and thus go via pppoe-out1 with the 212... attached to it. So you have to assign a routing-mark also in mangle/output so that the router itself was using the GRE as its primary WAN, but exclude GRE transport packets to DC-tik's address from the marking (as they are sent by the router itself as well).

If you talk about packets sent from 192.168.6.0/24: you have set check-gateway=ping on a route whose gateway is an interface name, which makes little sense, but at least my version of RouterOS filters this nonsense out and keeps the route active. Is that route marked as Active in /ip route print on Theatre-tik? I can see nothing else suspicious: the route with the routing-mark exists, a mangle/prerouting rule assigns the same routing-mark value, and the src-nat rule matching on out-interface=gre exists too.

So provide more details on what exactly you have in mind when talking about input and output. Do you mean single packets or whole connections? From/to the Theatre-tik itself or from 192.168.6.0/24?
 
tiago15
just joined
Topic Author
Posts: 13
Joined: Mon Aug 31, 2020 3:03 pm

Re: Transporting public IP over a tunel GRE

Wed Feb 24, 2021 12:50 pm

I mean that 192.168.6.0/24 goes to the internet with the public IP 5.x.x.x (that's correct), but if I try to access from the internet via the public IP 5.x.x.x a private IP in the range 192.168.6.0/24, or the theatre-tik directly by Winbox, it's not possible. From the internet I can only access the theatre-tik via 212.x.x.x (that's the problem). I need to get into the MikroTik and the private subnet via the same IP that I use to go out to the internet, 5.x.x.x.
 
sindy
Forum Guru
Posts: 6884
Joined: Mon Dec 04, 2017 9:19 pm

Re: Transporting public IP over a tunel GRE

Wed Feb 24, 2021 1:26 pm

I'm still a bit lost. You do have dst-nat rules which forward some port ranges to 192.168.6.2, but all these rules match on in-interface=vlan20_MASMOVIL. So whatever arrives to 5.x.x.x lands on the Theatre-tik itself, and if the Theatre-tik responds, it responds via the 212.x.x.x address for the reasons explained in my previous post.

So if you want to connect to the Theatre-tik itself using Winbox via 5.x.x.x, you have to add the mangle/output marking rule to allow the responses to be routed via the GRE tunnel. But if you did that just like this, you would lose the possibility to connect to the Mikrotik itself via 212.x.x.x. So in this case, the right thing is to assign a connection-mark cm_econectia in mangle chain input if in-interface=...GRE..., and in mangle chain output, translate that connection-mark to routing-mark rm_econectia. This way, both requests coming in via regular WAN and via the GRE will be responded using the appropriate routing table.
 
tiago15
just joined
Topic Author
Posts: 13
Joined: Mon Aug 31, 2020 3:03 pm

Re: Transporting public IP over a tunel GRE

Wed Feb 24, 2021 2:24 pm

I understand what you say, but I don't know how to implement it for incoming traffic. This is my mangle table now:

0 chain=prerouting action=mark-routing new-routing-mark=rm_econectia
passthrough=no src-address=192.168.6.0/24 log=no log-prefix=""

1 chain=input action=mark-connection new-connection-mark=cm_econectia
passthrough=no in-interface=gre-tunnel-CAB1-ECONECTIA log=no
log-prefix=""

2 chain=output action=mark-routing new-routing-mark=rm_econectia
passthrough=yes connection-mark=cm_econectia log=no log-prefix=""
 
sindy
Forum Guru
Posts: 6884
Joined: Mon Dec 04, 2017 9:19 pm

Re: Transporting public IP over a tunel GRE

Wed Feb 24, 2021 2:30 pm

These two rules are exactly what I had in mind. Has it not made it possible to connect by Winbox to 5.x.x.x?
 
tiago15
just joined
Topic Author
Posts: 13
Joined: Mon Aug 31, 2020 3:03 pm

Re: Transporting public IP over a tunel GRE

Wed Feb 24, 2021 2:40 pm

No, it's not working. So do you know of any example on the internet similar to the config I need? Thanks in advance for your patience.
 
sindy
Forum Guru
Posts: 6884
Joined: Mon Dec 04, 2017 9:19 pm

Re: Transporting public IP over a tunel GRE

Wed Feb 24, 2021 2:44 pm

While trying to connect to the Winbox port, run /tool sniffer quick port=the-winbox-port on the Theatre-tik. It should show you what is going on, i.e. whether the firewall (or the address setting on the /ip service row) blocks the incoming request (so no response is sent at all) or whether the response is sent but via a wrong interface/from a wrong address.
 
tiago15
just joined
Topic Author
Posts: 13
Joined: Mon Aug 31, 2020 3:03 pm

Re: Transporting public IP over a tunel GRE

Wed Feb 24, 2021 2:56 pm

ether1 313.019 24086 <- 00:00:5E:00:01:32 4C:5E:0C:3B:A2:DE 20
vlan20_MASMOVIL 313.019 24087 <- 00:00:5E:00:01:32 4C:5E:0C:3B:A2:DE
vlan20_MASMOVIL 313.019 24088 -> 4C:5E:0C:3B:A2:DE 00:00:5E:00:01:32
ether1 313.019 24089 -> 4C:5E:0C:3B:A2:DE 00:00:5E:00:01:32 20
ether1 313.036 24090 <- 00:00:5E:00:01:32 4C:5E:0C:3B:A2:DE 20
vlan20_MASMOVIL 313.036 24091 <- 00:00:5E:00:01:32 4C:5E:0C:3B:A2:DE
vlan20_MASMOVIL 313.038 24092 -> 4C:5E:0C:3B:A2:DE 00:00:5E:00:01:32
ether1 313.038 24093 -> 4C:5E:0C:3B:A2:DE 00:00:5E:00:01:32 20
gre-tunnel-CAB1-... 313.065 24094 <-
vlan20_MASMOVIL 313.065 24095 -> 4C:5E:0C:3B:A2:DE 00:00:5E:00:01:32
ether1 313.065 24096 -> 4C:5E:0C:3B:A2:DE 00:00:5E:00:01:32 20
ether1 313.09 24097 <- 00:00:5E:00:01:32 4C:5E:0C:3B:A2:DE 20
vlan20_MASMOVIL 313.09 24098 <- 00:00:5E:00:01:32 4C:5E:0C:3B:A2:DE
vlan20_MASMOVIL 313.09 24099 -> 4C:5E:0C:3B:A2:DE 00:00:5E:00:01:32
ether1 313.09 24100 -> 4C:5E:0C:3B:A2:DE 00:00:5E:00:01:32 20
ether1 313.104 24101 <- 00:00:5E:00:01:32 4C:5E:0C:3B:A2:DE 20
vlan20_MASMOVIL 313.104 24102 <- 00:00:5E:00:01:32 4C:5E:0C:3B:A2:DE
gre-tunnel-CAB1-... 313.12 24103 <-
vlan20_MASMOVIL 313.12 24104 -> 4C:5E:0C:3B:A2:DE 00:00:5E:00:01:32
ether1 313.12 24105 -> 4C:5E:0C:3B:A2:DE 00:00:5E:00:01:32 20

This is when I try to access via 5.x.x.x through the GRE tunnel.
 
sindy
Forum Guru
Posts: 6884
Joined: Mon Dec 04, 2017 9:19 pm

Re: Transporting public IP over a tunel GRE

Wed Feb 24, 2021 3:09 pm

Make the command line window as wide as your screen allows, there is almost no information in the output of the /tool sniffer quick. But it does show that the connection request comes via gre and the responses leave via VLAN 20, so something doesn't work well about the connection marking and routing marking.

What does /ip route print show?

And while the winbox connection attempt is ongoing, what does /ip firewall connection print detail where dst-address~":the-winbox-port" show?
 
tiago15
just joined
Topic Author
Posts: 13
Joined: Mon Aug 31, 2020 3:03 pm

Re: Transporting public IP over a tunel GRE

Wed Feb 24, 2021 7:00 pm

Finally it's working, with the config you suggested at the start: "In fact, you could simplify things a small bit if you assigned the 5.x.x.x/32 directly to the GRE tunnel at Theatre-tik end and used 5.x.x.x/32 as the network item in the /ip address configuration for the GRE interface at the DC-tik." I don't understand the config well, but now the 192.168.6.0/24 network uses 5.x.x.x for incoming and outgoing traffic, so all the traffic from 192.168.6.0/24 goes through the GRE tunnel.

I have another problem now, which is that the speed is more or less half of the real speed I get if traffic goes through the normal gateway 212.x.x.x. Could it be an MTU size problem in the GRE tunnel? Any ideas? Regards!!
 
sindy
Forum Guru
Posts: 6884
Joined: Mon Dec 04, 2017 9:19 pm

Re: Transporting public IP over a tunel GRE

Wed Feb 24, 2021 8:17 pm

I don't understand well the config but now 192.168.6.0/24 network, uses 5.x.x.x for incoming and outcoming traffic. so all the traffic from 192.168.6.0/24 goes through the GRE tunnel.
When you specify an IP address as a gateway of a route, the system searches through the network values of the /ip address rows to find one to which the gateway address fits, and uses the interface to which this /ip address item is associated as an out-interface for the packet. If the interface is a point-to-point one, which is the case of GRE, there are no more steps; for point-to-multipoint interfaces, the IP address of the gateway must also be resolved to a MAC address, so that the packet is sent through the right interface to the right device.
Plus routes with distance 0 are dynamically created for each /ip address item, with dst-address matching the network parameter of the /ip address item, with the interface of that /ip address item as gateway.

So if you set the 5.x.x.x/32 as a network at the /ip address item attached to the GRE interface at the DC-tik, a route to 5.x.x.x/32 via that GRE interface is dynamically created. The address value of the item may be any IP address other than 5.x.x.x.

At Theatre-tik, 5.x.x.x/32 must be up on some interface in order that the Theatre-tik would consider it its own; it is most logical to set it as the own address of the GRE interface. The network address associated to the GRE must be different from 5.x.x.x/32, but it actually doesn't matter much if it is the same (like in your export above) if you use the interface name, rather than the network address associated to it, as a gateway parameter of routes.


I have another problem now, and is that speed is more or less a half of the real speed if traffic goes through the normal gateway 212.x.x.x Could be a MTU size problem in GRE tunnel? Any ideas? regards!!
MTU is definitely reduced by tunneling via GRE, as the GRE headers occupy part of the actual Ethernet/PPPoE MTU, but not to 1/2. Without IPsec encryption, the MTU of a GRE tunnel transported using MTU 1500 packets is 1476 bytes, so more than 98% of the original one. TCP adapts to this, so instead of sending 1500-byte packets which the router would split into two each, it sends slightly more 1476-byte packets.

But bear in mind that if you test the throughput using a symmetric flow, the bandwidth of the WAN interface at the DC-tik is the limiting factor, as each direction of the flow occupies both download and upload bandwidth at that interface. A y.y.y.y -> 5.x.x.x packet is first received by DC-tik via WAN and then forwarded to 5.x.x.x via the tunnel via the same WAN interface; the response from Theatre-tik is first received by DC-tik via WAN and then forwarded to y.y.y.y via the same WAN interface.

So you may want to use a non-symmetric throughput test (i.e. one which tests upload and download bandwidth separately); it should show less depressing results.
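Putting sindy's advice from this post (the /32 as the router's own address on the GRE interface, network= driving the dynamic route at the DC end) together with the earlier post on the connection-mark/routing-mark pair for the router's own replies, here is an added two-router configuration; it is not from the thread or from either user's export. The interface names gre-to-theatre and gre-to-dc, the placeholders dc.public.ip.1, my.public.ip.1 and my.wan.gateway, and the tcp/443 port-forward are assumptions; 5.x.x.x, 172.20.100.201, 192.168.6.2, pppoe-out1 and the management ports 9145/9146 are the values from the export above.

```routeros
# ---------------------------------------------------------------
# DC-tik (data-centre router): owns the tunnel endpoint dc.public.ip.1
# and hands the public address 5.x.x.x down the tunnel.
# ---------------------------------------------------------------
/interface gre
add name=gre-to-theatre local-address=dc.public.ip.1 \
    remote-address=my.public.ip.1 keepalive=10s,10

/ip address
# network=5.x.x.x creates the dynamic connected route 5.x.x.x/32 -> gre-to-theatre,
# so the static "Ruta para mandar ip publica" route is no longer needed.
# address= is the DC end's own tunnel address and must not be 5.x.x.x itself.
add address=172.20.100.201/32 network=5.x.x.x interface=gre-to-theatre

/ip firewall filter
# tunnel transport (IP protocol 47) accepted only from the theatre end
add chain=input action=accept protocol=gre src-address=my.public.ip.1
# traffic from the internet to 5.x.x.x has to pass the forward chain
add chain=forward action=accept dst-address=5.x.x.x/32 out-interface=gre-to-theatre

/ip firewall nat
# assumption: DC-tik masquerades its own LAN on the WAN; 5.x.x.x is public and
# must leave untouched, so this accept has to sit above any masquerade rule
add chain=srcnat action=accept src-address=5.x.x.x/32

# ---------------------------------------------------------------
# Theatre-tik: 5.x.x.x is its own address on the tunnel, the LAN
# 192.168.6.0/24 always uses it, and the router's replies to
# connections that arrived via the tunnel go back the same way.
# ---------------------------------------------------------------
/interface gre
add name=gre-to-dc local-address=my.public.ip.1 \
    remote-address=dc.public.ip.1 keepalive=10s,10

/ip address
add address=192.168.6.1/24 network=192.168.6.0 interface=bridge1
# the transported public IP lives on the GRE interface; the network= value
# does not matter as long as the routes use the interface name as gateway
add address=5.x.x.x/32 network=172.20.100.201 interface=gre-to-dc

/ip firewall mangle
# 1. forwarded traffic: the LAN subnet that must always exit via 5.x.x.x.
#    LAN-to-LAN and LAN-to-router destinations are kept in the main table.
add chain=prerouting action=mark-routing new-routing-mark=rm_econectia \
    passthrough=no src-address=192.168.6.0/24 dst-address=!192.168.0.0/16
# 2. router's own services: remember which connections entered via the tunnel...
add chain=input action=mark-connection new-connection-mark=cm_econectia \
    passthrough=no in-interface=gre-to-dc
# 3. ...and route only their replies via the tunnel. Connections that came in
#    via 212.x.x.x stay unmarked and keep the main table; the GRE transport
#    packets arrive on the WAN interface, not the tunnel, so they are never marked.
add chain=output action=mark-routing new-routing-mark=rm_econectia \
    passthrough=no connection-mark=cm_econectia

/ip firewall nat
# inbound port-forward must match what arrives via the tunnel, not vlan20_MASMOVIL
add chain=dstnat action=dst-nat in-interface=gre-to-dc protocol=tcp \
    dst-address=5.x.x.x dst-port=443 to-addresses=192.168.6.2 to-ports=443
# outbound: LAN hosts leave the tunnel as 5.x.x.x (replies are un-NATed by conntrack)
add chain=srcnat action=src-nat out-interface=gre-to-dc to-addresses=5.x.x.x

/ip route
# gateway by interface name, no check-gateway: with keepalive on, the interface
# goes down when the DC-tik is unreachable and the distance=2 route takes over
add dst-address=0.0.0.0/0 gateway=gre-to-dc distance=1 routing-mark=rm_econectia
add dst-address=0.0.0.0/0 gateway=pppoe-out1 distance=2 routing-mark=rm_econectia
add dst-address=0.0.0.0/0 gateway=my.wan.gateway distance=1
# keeps the tunnel transport on the physical WAN, like the export's
# "Ruta por defecto para llegar a la cabecera" route
add dst-address=dc.public.ip.1/32 gateway=my.wan.gateway distance=1

/ip firewall filter
# 5.x.x.x is now a router-own address reachable from the internet, so the
# input chain must not stay empty: management only on the exported ports
add chain=input action=accept connection-state=established,related
add chain=input action=accept in-interface=gre-to-dc protocol=tcp dst-port=9145,9146
add chain=input action=drop in-interface=gre-to-dc
add chain=forward action=accept connection-state=established,related
# anything from the tunnel that was not explicitly port-forwarded is dropped
add chain=forward action=drop in-interface=gre-to-dc connection-nat-state=!dstnat
```

With these rules in place, the /tool sniffer quick test from earlier in the thread should show the Winbox reply leaving via gre-to-dc rather than vlan20_MASMOVIL, and /ip firewall connection print should show cm_econectia on that connection.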
 
tiago15
just joined
Topic Author
Posts: 13
Joined: Mon Aug 31, 2020 3:03 pm

Re: Transporting public IP over a tunel GRE

Wed Feb 24, 2021 10:47 pm

Thanks a lot for the explanation, best regards for being so patient with me.
