alv84
newbie
Topic Author
Posts: 34
Joined: Mon Dec 27, 2021 5:46 am

GRE not working

Sun May 22, 2022 1:56 pm

dear all mikrotik fans. hi
i am quite new to mikrotik networking so please forgive me beforehand.
i am trying to setup a basic gre tunnel between cisco isr4300 and a 951ui-2hnd routers. on cisco side everything seems to be set ok; including: tunnel state is reported up/up, wan interface ip is set, lan interface ip is set ... here is the ip plan:
cisco:
wan ip: 1.1.1.2/30
lan ip: 192.168.253.1/30
tunnel ip: 10.10.10.1/30
routing report:
10.10.10.0/30 is directly connected, Tunnel0
10.10.10.1/32 is directly connected, Tunnel0
...
172.16.0.0/24 is subnetted, 2 subnets
172.16.1.0 [1/0] via 10.10.10.2
172.16.2.0 [1/0] via 10.10.10.2

on mikrotik side, i've uploaded the config file to see where i've gone wrong or missing:
# jan/02/1970 00:59:17 by RouterOS 6.44.5
# software id = 0G7Y-54W3
#
# model = 951Ui-2HnD
# serial number = B8570BE4F3C7
/interface bridge
add admin-mac=C4:AD:34:82:55:8B auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] name=ether1_WAN
set [ find default-name=ether2 ] name=ether2_LAN
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=\
    MikroTik-82558F wireless-protocol=802.11
/interface gre
add local-address=2.2.2.2 name=tunnel0 remote-address=1.1.1.2
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/interface bridge port
add bridge=bridge comment=defconf interface=ether2_LAN
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1_WAN list=WAN
/ip address
add address=2.2.2.2/30 interface=ether1_WAN network=2.2.2.0
add address=172.16.2.1/24 interface=ether2_LAN network=172.16.2.0
add address=10.10.10.2/30 interface=tunnel0 network=10.10.10.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=\
    ether1_WAN
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked disabled=yes
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid disabled=yes
add action=accept chain=input comment="defconf: accept ICMP" disabled=yes \
    protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    disabled=yes ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related disabled=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked disabled=yes
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid disabled=yes
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new disabled=yes in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes \
    ipsec-policy=out,none out-interface-list=WAN
add action=accept chain=srcnat dst-address=192.168.253.0/24 src-address=\
    172.16.2.0/24
add action=masquerade chain=srcnat disabled=yes out-interface=ether1_WAN
/ip route
add distance=1 dst-address=192.168.253.0/24 gateway=10.10.10.1
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

right now i cannot ping the tunnel on both sides, neither cisco-to-mikrotik nor mikrotik-to-cisco.
kind regards.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: GRE not working

Sun May 22, 2022 5:33 pm

Try this before the drop rule (#4):
/ip firewall filter
add chain=input src-address=1.1.1.2 protocol=gre action=accept
 
alv84
newbie
Topic Author
Posts: 34
Joined: Mon Dec 27, 2021 5:46 am

Re: GRE not working

Sun May 22, 2022 11:21 pm

thank you so much Sob.
that didn't work unfortunately. seems like the tunnel never gets up because of a routing problem. when i ping cisco-side tunnel ip from inside mikrotik it prints "no route to host". i have tried both connecting these two directly using network cables as well as emulation in environments like gns3 or eve-ng. yet again, no success! the result is exactly the same: "no route to host" + Success rate is 0 percent (0/5)
i'm pretty perplexed.
regards.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: GRE not working

Mon May 23, 2022 2:57 am

I only now noticed that all your firewall rules are disabled, so previous advice couldn't help, because everything is already allowed.

But why it doesn't work. I thought that 2.2.2.2 and 1.1.1.2 were just masked public addresses and that you have default route from DHCP (although it would be slightly unusual to have both DHCP and static address). But if it's test with direct connection and nothing from DHCP, it can't work, because there's no route to reach remote 1.1.1.2.
 
alv84
newbie
Topic Author
Posts: 34
Joined: Mon Dec 27, 2021 5:46 am

Re: GRE not working

Mon May 23, 2022 8:07 am

dear Sob, hi
yes right now the routers are directly connected with non-valid static IPs. how can i get it to work? by working i mean being able to ping two sides of the gre tunnel from inside the routers. in other words, how can i establish correct static routes between these two. Or, why do you say technically that "there's no route to reach remote 1.1.1.2"? i expect the two should ping each others static ip. is this expectation wrong?
let me clarify that i have access to public valid IPs and i am able to test this, as i suppose, simple scenario between the really public routers. may this solve the reachability?
regards.
 
alv84
newbie
Topic Author
Posts: 34
Joined: Mon Dec 27, 2021 5:46 am

Re: GRE not working

Mon May 23, 2022 10:20 am

as an update to this issue, i tried to do it as basic as possible. right now, two static non-public IPs are set on directly connected ports of the two routers. now, i can ping cisco router IP from mikrotik but pinging from cisco to mikrotik fails. seems like there is a setting on mikrotik that blocks connectivity from cisco side. any ideas?
by the way, mikrotik 951ui-2hnd have default configuration with it, ain't know if this matters.
GUYS COME ON I REALLY NEED HELP IN HERE!
regards.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: GRE not working

Mon May 23, 2022 2:07 pm

What's reachable depends on routes, and routes depend on masks. If you have ether1_WAN with 2.2.2.2/30 and that's connected directly to other router, then if they should communicate, other router needs to have 2.2.2.1/30, because it's in given subnet.
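
The connected-route reasoning from the replies above, as an added example that is not part of the original posts: the script parses the relevant lines of the posted export (embedded as a constructed excerpt) and reports GRE tunnels whose remote-address is covered by no connected subnet and no static route with a reachable gateway. The function names are hypothetical, and quoted values containing spaces are not parsed.

```python
import ipaddress
import re

# Constructed excerpt: the GRE, address and route lines of the export in the thread.
EXPORT = """\
/interface gre
add local-address=2.2.2.2 name=tunnel0 remote-address=1.1.1.2
/ip address
add address=2.2.2.2/30 interface=ether1_WAN network=2.2.2.0
add address=172.16.2.1/24 interface=ether2_LAN network=172.16.2.0
add address=10.10.10.2/30 interface=tunnel0 network=10.10.10.0
/ip route
add distance=1 dst-address=192.168.253.0/24 gateway=10.10.10.1
"""

def parse_export(text):
    """Return {section: [{key: value}, ...]} for the 'add' lines of an export."""
    sections, current = {}, None
    # Join lines continued with a trailing backslash before splitting.
    for line in text.replace("\\\n", "").splitlines():
        line = line.strip()
        if line.startswith("/"):
            current = line
            sections.setdefault(current, [])
        elif line.startswith("add ") and current:
            sections[current].append(dict(re.findall(r"([\w-]+)=(\S+)", line)))
    return sections

def _in_any(addr, nets):
    try:
        return any(ipaddress.ip_address(addr) in n for n in nets)
    except ValueError:  # e.g. a gateway given as an interface name
        return False

def unreachable_gre_peers(text):
    """List (tunnel, remote-address) pairs that have no usable underlay route."""
    cfg = parse_export(text)
    gre = cfg.get("/interface gre", [])
    tunnels = {t["name"] for t in gre}
    # Connected subnets, ignoring addresses that sit on a GRE tunnel itself.
    connected = [ipaddress.ip_interface(a["address"]).network
                 for a in cfg.get("/ip address", []) if a["interface"] not in tunnels]
    # A static route only helps if its gateway is inside a connected subnet.
    routed = [ipaddress.ip_network(r["dst-address"])
              for r in cfg.get("/ip route", []) if _in_any(r["gateway"], connected)]
    return [(t["name"], t["remote-address"]) for t in gre
            if not _in_any(t["remote-address"], connected + routed)]
```
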
 
alv84
newbie
Topic Author
Posts: 34
Joined: Mon Dec 27, 2021 5:46 am

Re: GRE not working

Sat May 28, 2022 12:59 pm

thanks to all buddies, this issue is solved. the problem was way more of a basic thing.
