GRE tunnel can not work with PPPoE WAN?

ip tunnel add test mode gre remote 33.33.33.33
ip l set up test
ip a add 192.168.33.2 peer 192.168.33.1 dev test
ping 192.168.33.1
tcpdump -ni pppoe-wan proto gre

These commands output nothing, but if I change my WAN interface from pppoe to dhcp, I can get gre packets correctly. Also, if I change gre to ipip, it works too.
Anything I missed?

Could it be missing conntrack for gre? Try installing kmod-nf-nathelper-extra

Thanks, it works.
But why do I need it only in pppoe configuration?

Likely it's still about routing and firewalling, not dhcp or pppoe. But I can only guess :wink:

With nf_conntrack_proto_gre unloaded, see if there are changes in outputs of iptables-save -c | grep -i invalid
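The counter check suggested above, as an added example that is not part of the original thread: a shell function that compares two `iptables-save -c` snapshots, taken before and after pinging through the tunnel, and lists the rules mentioning INVALID whose packet counters grew. The helper names and both sample snapshots (chains, rule, counters) are constructed for illustration.

```shell
#!/bin/sh
# Usage on the router (paths are examples):
#   iptables-save -c > /tmp/before; ping -c 4 192.168.33.1
#   iptables-save -c > /tmp/after;  invalid_delta /tmp/before /tmp/after

# Print "<delta> <table> <rule>" for every rule mentioning INVALID whose
# packet counter grew between two `iptables-save -c` snapshots.
invalid_delta() {
    awk '
        /^\*/ { table = $1; next }               # table marker, e.g. *filter
        /^\[[0-9]+:[0-9]+\] / && tolower($0) ~ /invalid/ {
            split(substr($1, 2), c, ":")         # c[1] = packet count
            rule = $0
            sub(/^\[[0-9]+:[0-9]+\] /, "", rule) # strip the counter prefix
            key = table " " rule
            if (FNR == NR) { before[key] = c[1]; next }
            delta = c[1] - before[key]
            if (delta > 0) print delta, key
        }
    ' "$1" "$2"
}

# Constructed sample snapshots, not output from the poster's router.
sample_before() { cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
[120:9600] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[3:180] -A zone_wan_dest_ACCEPT -o pppoe-wan -m conntrack --ctstate INVALID -j DROP
COMMIT
EOF
}
sample_after() { cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
[150:12000] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[7:516] -A zone_wan_dest_ACCEPT -o pppoe-wan -m conntrack --ctstate INVALID -j DROP
COMMIT
EOF
}

# Run the comparison on the constructed samples.
demo() {
    tmp=$(mktemp -d) || return 1
    sample_before > "$tmp/before"
    sample_after  > "$tmp/after"
    invalid_delta "$tmp/before" "$tmp/after"
    rm -rf "$tmp"
}
demo
```

A rule whose counter rises by the number of pings sent is the one discarding the tunnel traffic.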

You mean it's a configuration problem? But it's OK if I create an ipip tunnel with the same method.
How should I diagnose it? The nf_conntrack_proto_gre module can't be unloaded dynamically without a reboot.

ipip works because it will be matched (allowed) by generic protocol tracking in nf_conntrack.ko. gre is explicitly excluded because we build nf_conntrack_proto_gre as a module. This is more or less a security issue as discussed in https://www.spinics.net/lists/netfilter-devel/msg33430.html

The other thing is that I just tested with OpenWrt 19.07.1 running on QEMU x86/64 that gre over links configured with DHCP should work.

You're right. It's not about dhcp or pppoe, but firewall.
After removing kmod-nf-nathelper-extra, GRE tunnel works on LAN interface, but fails on WAN interface. I have allowed proto 47 in INPUT chain, any more rules needed?
