I would take a look at WireGuard in this case. It's much easier to set up
than IPsec and OpenVPN, as well as having the advantage of being much faster.
I've been using WireGuard for just over a year now with no issues.
Let me know off-list if you would like a hand with setting up :)
On Sat, Dec 5, 2020 at 3:37 PM pete M via 44Net <44net(a)mailman.ampr.org>
wrote:
You just made me realize that 2 out of 3 of my sites have non-fixed IP
addresses, and the one that does have a fixed address I have to be behind a NAT.
(Not my connection; I am receiving internet from a third party and I cannot
ask for any port forwarding or fixed local IP. I am allowed to connect to the
network but I need to keep a low profile and not get noticed at all.)
So that means that I will need something else than a GRE tunnel.
________________________________________
From: 44Net <44net-bounces+petem001=hotmail.com(a)mailman.ampr.org> on behalf of Rob Janssen via 44Net <44net(a)mailman.ampr.org>
Sent: 5 December 2020 04:06
To: 44net(a)mailman.ampr.org
Cc: Rob Janssen
Subject: Re: [44net] GRE tunnels
GRE works just fine depending on your system. We've never had any
problems with GRE except using Mikrotik devices. There is a bug in the GRE
implementation on MikroTiks where you will experience a 20-30% packet loss
when the system is under any non-trivial use (e.g. multiple audio streams
or a file transfer). Several versions of the OS and several different
hardware platforms all experienced the same issue. We changed to IPIP and
IPIP6 and the issue disappeared with no other reconfiguration. We're using
a mix of IPIP, IPIP6, and GRE6 tunnels to a number of sites fed out of our
VPS gateway.
I cannot confirm that at all. We use GRE tunnels inside our network to
connect isolated areas back to our gateway over internet tunnels, and it
works very well. The gateway router is a MikroTik CCR1009 and most users
use MikroTik RB750Gr3 or comparable routers. No packet loss issues at all.
There are of course a couple of things you need to watch for:
- the "keepalive" mechanism is a defacto-standard thingy that is not
working in standard Linux systems, so it has to be kept disabled when the
other side is not a MikroTik or maybe a Cisco or comparable router
- as for any tunnel, the MTU is always lower than 1500 and you cannot send
full-size packets through it without fragmentation. It is best to install a
TCP MSS clamping rule to limit the MTU of most traffic
- there is a bug in the firewall of more recent RouterOS versions which
causes GRE traffic not to be matched by Established/Related firewall rules,
and be stamped as Invalid. So when you have the default ruleset of "accept
Established/Related, drop Invalid, then accept certain incoming traffic"
you need to insert a rule that accepts GRE traffic from your peers BEFORE
the "drop Invalid" rule.
Of course you can always use IPIP instead. I have chosen GRE in the hope
that it is more widely available on other makes of routers, and also it can
transport IPv6 in the future. But as GRE usually requires fixed public
addresses on each end of the tunnel and also is often a bit troublesome to
pass through NAT routers, we also offer the additional option of L2TP/IPsec
tunnels, which can be set up from a dynamic address and have no issues with
NAT on the client side.
(the gateway router itself of course is directly on a fixed address)
Rob
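As an added illustration (my own constructed code, not from Rob, the list, or RouterOS), a small Python audit of the two caveats above: the tunnel MTU and the TCP MSS clamp value for each encapsulation named in the thread, plus a check that a rule accepting GRE from peers is evaluated before the "drop Invalid" rule. The rule model and the address-list name "gre-peers" are assumptions, not RouterOS syntax.

```python
from __future__ import annotations
from dataclasses import dataclass

# Header sizes in bytes. GRE header assumed to be the 4-byte minimum (no key/sequence).
OUTER_HDR = {"ipv4": 20, "ipv6": 40}
TUNNEL_HDR = {"gre": 4, "ipip": 0}
TCP_HDR = 20

def tunnel_mtu(outer: str, tunnel: str, link_mtu: int = 1500) -> int:
    """Largest inner packet that still fits the link once encapsulated."""
    return link_mtu - OUTER_HDR[outer] - TUNNEL_HDR[tunnel]

def mss_clamp(inner: str, mtu: int) -> int:
    """TCP MSS to clamp to so a full segment fits the tunnel MTU (inner IP + TCP headers removed)."""
    return mtu - OUTER_HDR[inner] - TCP_HDR

@dataclass
class Rule:
    """One filter rule, listed in evaluation order (constructed model, not RouterOS syntax)."""
    action: str               # "accept" or "drop"
    protocol: str = ""        # "gre", "tcp", ... or "" for any protocol
    conn_state: str = ""      # "established,related", "invalid" or ""
    src_list: str = ""        # peer address list the rule is restricted to, "" for any source

def gre_accept_precedes_drop_invalid(rules: list[Rule]) -> bool:
    """True if GRE from peers is accepted before the first drop-invalid rule could discard it."""
    gre_accepted = False
    for rule in rules:
        if rule.action == "accept" and rule.protocol == "gre" and rule.src_list:
            gre_accepted = True
        if rule.action == "drop" and rule.conn_state == "invalid":
            return gre_accepted
    return True  # no drop-invalid rule at all, so the Invalid stamping cannot drop the GRE flow

# Constructed sample rulesets: the default layout from the thread and the corrected order.
DEFAULT_RULES = [
    Rule("accept", conn_state="established,related"),
    Rule("drop", conn_state="invalid"),
    Rule("accept", protocol="gre", src_list="gre-peers"),
]
FIXED_RULES = [
    Rule("accept", conn_state="established,related"),
    Rule("accept", protocol="gre", src_list="gre-peers"),
    Rule("drop", conn_state="invalid"),
]

if __name__ == "__main__":
    for outer, tun in (("ipv4", "gre"), ("ipv6", "gre"), ("ipv4", "ipip"), ("ipv6", "ipip")):
        mtu = tunnel_mtu(outer, tun)
        print(f"{tun} over {outer}: tunnel MTU {mtu}, clamp IPv4 TCP MSS to {mss_clamp('ipv4', mtu)}")
    print("default order safe:", gre_accept_precedes_drop_invalid(DEFAULT_RULES))
    print("fixed order safe:", gre_accept_precedes_drop_invalid(FIXED_RULES))
```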
_________________________________________
44Net mailing list
44Net(a)mailman.ampr.org
https://mailman.ampr.org/mailman/listinfo/44net