>GRE works just fine depending on your system. We've never had any problems with GRE except using MikroTik devices. There is a bug in the GRE implementation on MikroTiks where you will experience a 20-30% packet loss when the system is under any non-trivial use (e.g. multiple audio streams or a file transfer). Several versions of the OS and several different hardware platforms all experienced the same issue. We changed to IPIP and IPIP6 and the issue disappeared with no other reconfiguration. We're using a mix of IPIP, IPIP6, and GRE6 tunnels to a number of sites fed out of our VPS gateway.
I cannot confirm that at all. We use GRE tunnels inside our network to connect isolated areas back to our gateway over internet tunnels, and it works very well. The gateway router is a MikroTik CCR1009 and most users use MikroTik RB750Gr3 or comparable routers. No packet loss issues at all.
There are of course a couple of things you need to watch for:
- the "keepalive" mechanism is a de facto standard thingy that is not working in standard Linux systems, so it has to be kept disabled when the other side is not a MikroTik or maybe Cisco or comparable router
- as for any tunnel, the MTU is always lower than 1500 and you cannot send full-size packets through it without fragmentation. It is best to install a TCP MSS clamping rule to limit the MTU of most traffic
- there is a bug in the firewall of more recent RouterOS versions which causes GRE traffic not to be matched by Established/Related firewall rules, and be stamped as Invalid. So when you have the default ruleset of "accept Established/Related, drop Invalid, then accept certain incoming traffic" you need to insert a rule that accepts GRE traffic from your peers BEFORE the "drop Invalid" rule.
Of course you can always use IPIP instead. I have chosen GRE in the hope that it is more widely available on other makes of routers, and also it can transport IPv6 in the future. But as GRE usually requires fixed public addresses on each end of the tunnel and also is often a bit troublesome to pass through NAT routers, we also offer the additional option of L2TP/IPsec tunnels, which can be set up from a dynamic address and have no issues with NAT on the client side.
(the gateway router itself of course is directly on a fixed address)
Rob
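The rule-ordering point in the reply above can be checked mechanically. The following is an added example, not part of the original message: it parses a filter export and flags a GRE accept rule that sits after the "drop Invalid" rule or is not restricted to peers. The sample exports, the peer address and the names `parse_rules` and `audit_gre` are constructed for illustration, and one rule per export line is assumed.

```python
import shlex

# Constructed sample in the style of "/ip firewall filter export" (one rule per
# line assumed); addresses are from documentation ranges, not from the thread.
MISORDERED = """\
/ip firewall filter
add action=accept chain=input connection-state=established,related
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=gre src-address=192.0.2.10
add action=drop chain=input
"""
CORRECTED = """\
/ip firewall filter
add action=accept chain=input connection-state=established,related
add action=accept chain=input comment="GRE from peer" protocol=gre src-address=192.0.2.10
add action=drop chain=input connection-state=invalid
add action=drop chain=input
"""

def parse_rules(export_text):
    """Turn each enabled 'add key=value ...' line into a dict, keeping rule order."""
    rules = []
    for line in export_text.splitlines():
        tokens = shlex.split(line.strip())
        if not tokens or tokens[0] != "add":
            continue
        rule = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        if rule.get("disabled") != "yes":
            rules.append(rule)
    return rules

def audit_gre(export_text, chain="input"):
    """Return findings about where and how GRE is accepted in one chain."""
    rules = [r for r in parse_rules(export_text) if r.get("chain") == chain]
    drop_invalid = next((i for i, r in enumerate(rules)
                         if r.get("action") == "drop"
                         and "invalid" in r.get("connection-state", "").split(",")), None)
    findings = []
    for i, r in enumerate(rules):
        if r.get("action") != "accept" or r.get("protocol") != "gre":
            continue
        if drop_invalid is not None and i > drop_invalid:
            findings.append("gre-accept-after-drop-invalid")
        if not (r.get("src-address") or r.get("src-address-list")):
            findings.append("gre-accept-not-limited-to-peers")
    return findings

if __name__ == "__main__":
    print("misordered:", audit_gre(MISORDERED))
    print("corrected: ", audit_gre(CORRECTED))
```
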
Hi everyone,
Anyone been playing with GRE tunneling?
I am looking at that solution to bring part of my /24 to sites where I have multiple machines that each need a 44 address.
GRE has no encryption, it is only an encapsulation of a Layer 2 packet. This lowers the actual possible MTU size, lowering the throughput slightly. But it is an easy way to connect a site to the VPS. At the same time, we don't need encryption, as all the data passing into that tunnel is supposed to be OK to route on the internet, and if it contains anything special it should already be encrypted with TLS/SSL or another means of securing the connection.
Anyone have experience with this?
I would then use OpenVPN in its normal way for simple clients. Then I imagine I will need to bridge both tunnels so that everyone could talk to each other at the VPS level.
Sounds plausible?
Pierre
VE2PF