You just made me realize that 2 out of 3 of my sites have non-fixed IP addresses, and the one
that does have a fixed address I have to be behind a NAT (not my connection; I am receiving
internet from a third party and I cannot ask for any port forwarding or a fixed local IP. I am
allowed to connect to the network but I need to keep a low profile and not get noticed
at all).
So that means I will need something else than a GRE tunnel.
________________________________________
From: 44Net <44net-bounces+petem001=hotmail.com(a)mailman.ampr.org> on behalf of Rob
Janssen via 44Net <44net(a)mailman.ampr.org>
Sent: 5 December 2020 04:06
To: 44net(a)mailman.ampr.org
Cc: Rob Janssen
Subject: Re: [44net] GRE tunnels
GRE works just fine depending on your system. We've
never had any problems with GRE except using MikroTik devices. There is a bug in the GRE
implementation on MikroTiks where you will experience a 20-30% packet loss when the system
is under any non-trivial use (e.g. multiple audio streams or a file transfer). Several
versions of the OS and several different hardware platforms all experienced the same
issue. We changed to IPIP and IPIP6 and the issue disappeared with no other
reconfiguration. We're using a mix of IPIP, IPIP6, and GRE6 tunnels to a number of
sites fed out of our VPS gateway.
I cannot confirm that at all. We use GRE tunnels inside our network to connect isolated
areas back to our gateway over internet tunnels, and it works very well. The gateway
router is a MikroTik CCR1009 and most users use MikroTik RB750Gr3 or comparable routers.
No packet loss issues at all.
There are of course a couple of things you need to watch for:
- the "keepalive" mechanism is a de facto standard thingy that is not working in
standard Linux systems, so it has to be kept disabled when the other side is not a MikroTik
or maybe a Cisco or comparable router
- as for any tunnel, the MTU is always lower than 1500 and you cannot send full-size
packets through it without fragmentation. It is best to install a TCP MSS clamping rule
to limit the MTU of most traffic
- there is a bug in the firewall of more recent RouterOS versions which causes GRE traffic
not to be matched by Established/Related firewall rules and to be stamped as Invalid. So
when you have the default ruleset of "accept Established/Related, drop Invalid, then
accept certain incoming traffic" you need to insert a rule that accepts GRE traffic
from your peers BEFORE the "drop Invalid" rule.
Of course you can always use IPIP instead. I have chosen GRE in the hope that it is more
widely available on other makes of routers, and also it can transport IPv6 in the future.
But as GRE usually requires fixed public addresses on each end of the tunnel and is also
often a bit troublesome to pass through NAT routers, we also offer the additional option
of L2TP/IPsec tunnels, which can be set up from a dynamic address and have no issues with
NAT on the client side.
(the gateway router itself of course is directly on a fixed address)
Rob
_________________________________________
44Net mailing list
44Net(a)mailman.ampr.org
https://mailman.ampr.org/mailman/listinfo/44net
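As an added example (not from the thread, and not the 44Net gateway's own configuration), the script below shows the Linux end of a GRE tunnel built around the three points in Rob's post: the tunnel MTU is derived from the encapsulation overhead instead of left at 1500, TCP MSS is clamped on traffic leaving the tunnel, and the filter chain accepts protocol 47 from the known peer before the "drop INVALID" rule, mirroring the RouterOS rule order he recommends (Linux has no GRE keepalive, so there is nothing to disable on this side). The interface name, public addresses and the 44.0.0.2/30 inner address are constructed placeholders; the commands are only emitted, and only executed when APPLY=1 is set by someone with root on the box.

```shell
#!/bin/sh
# Added example: Linux side of a GRE tunnel to a RouterOS peer.
# All addresses and the interface name below are constructed placeholders.

# Inner MTU for a given outer MTU and encapsulation.
# Overhead = outer IP header + tunnel header:
#   gre      IPv4 (20) + GRE (4)            = 24
#   gre-key  IPv4 (20) + GRE with key (8)   = 28
#   gre6     IPv6 (40) + GRE (4)            = 44
#   ipip     IPv4 (20)                      = 20
tunnel_mtu() {  # usage: tunnel_mtu <outer_mtu> <gre|gre-key|gre6|ipip>
    case "$2" in
        gre)     echo $(( $1 - 24 )) ;;
        gre-key) echo $(( $1 - 28 )) ;;
        gre6)    echo $(( $1 - 44 )) ;;
        ipip)    echo $(( $1 - 20 )) ;;
        *)       echo "unknown encapsulation: $2" >&2; return 1 ;;
    esac
}

# Largest TCP segment that fits one tunnel packet without fragmentation:
# MTU minus the inner IPv4 (20) and TCP (20) headers.
tcp_mss() { echo $(( $1 - 40 )); }

# Emit the commands for the Linux end. Order matters in the INPUT chain:
# the GRE accept for the peer is placed before the INVALID drop, as the
# post recommends, so the tunnel keeps working even if conntrack does not
# classify the GRE packets as ESTABLISHED/RELATED.
gre_commands() {  # usage: gre_commands <ifname> <local_pub_ip> <peer_pub_ip> <inner_cidr> [outer_mtu]
    ifname=$1; local_ip=$2; peer_ip=$3; inner=$4; outer=${5:-1500}
    mtu=$(tunnel_mtu "$outer" gre)
    cat <<EOF
ip tunnel add $ifname mode gre local $local_ip remote $peer_ip ttl 64
ip link set $ifname mtu $mtu up
ip addr add $inner dev $ifname
iptables -t mangle -A FORWARD -o $ifname -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p gre -s $peer_ip -j ACCEPT
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
EOF
}

# Apply only when explicitly requested with the four required arguments,
# e.g.  APPLY=1 sh gre-linux.sh gre1 198.51.100.5 203.0.113.10 44.0.0.2/30
if [ "${APPLY:-0}" = 1 ] && [ $# -ge 4 ]; then
    gre_commands "$@" | sh
fi
```

With an outer MTU of 1500 the tunnel interface gets MTU 1476 and the clamp limits TCP to an MSS of 1436; the same arithmetic gives 1456 for GRE over IPv6 and 1480 for IPIP, which is why a flat "MTU 1500" on either end produces fragmentation or silently dropped full-size packets.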