I have two routers running 6.49.2 and connected with a GRE tunnel.
I tried to add a new GRE tunnel by copying the existing tunnel (with same local and remote address) and clicking “disabled”, planning to later disabling the original and enabling this one.
However, immediately as the disabled tunnel is added, the existing tunnel stops working. I can see the newly added tunnel in the config in “disabled” state. When I remove it, the original starts working again.
Now of course I understand why you cannot have two GRE tunnels with exactly the same local and remote address (due to the lack of support of the “tunnel key” or “tunnel ID” in RouterOS, which is only supported for EoIP tunnels and not for IP GRE tunnels - that should be easy to fix).
However, what I do not understand is that a disabled GRE tunnel can take traffic from an enabled one. Until now I thought that disabled items are “just not there” as far as the underlying Linux system is concerned. But it seems that GRE tunnels are still added to the kernel even when they are disabled?
Re: "disabled" does not always mean completely disabled!
I would suspect that where the item in question has support for being disabled in the underlying Linux kernel or program then it would be instantiated from the UI/CLI settings so it may be referenced.
For example, a disabled interface could be created, but set to down, and the interface reference can be used in firewall rules; when the interface is enabled in the UI/CLI it is set to up, and all of the netfilter rules just start working. If the disabled interface did not exist it would have to be created when enabled and all of the firewall rules reparsed to insert any which refer to the interface.
For example, a disabled interface could be created, but set to down, and the interface reference can be used in firewall rules; when the interface is enabled in the UI/CLI it is set to up, and all of the netfilter rules just start working. If the disabled interface did not exist it would have to be created when enabled and all of the firewall rules reparsed to insert any which refer to the interface.
Re: "disabled" does not always mean completely disabled!
Yes that is probably what is going on, but apparently the kernel cannot handle the case where two GRE interfaces with the same remote address exist, one down and one up. It sends the traffic to the interface that is down, or maybe to the one that was created last, and communication fails.
However, there are many other configuration items in RouterOS where the Linux kernel has no support at all for items that are present but "down" or "disabled".
So I kind of expected that anything marked "disabled" is removed from the kernel config and only present in RouterOS's own config database.
Apparently that is now how it really works.
However, there are many other configuration items in RouterOS where the Linux kernel has no support at all for items that are present but "down" or "disabled".
So I kind of expected that anything marked "disabled" is removed from the kernel config and only present in RouterOS's own config database.
Apparently that is now how it really works.
Re: "disabled" does not always mean completely disabled!
I had this problem with something in the past, I think 6to4 interfaces, but I'm not sure anymore.