GRE tunnel can not work with PPPoE WAN?

ip tunnel add test mode gre remote
ip l set up test
ip a add peer dev test
tcpdump -ni pppoe-wan proto gre

These commands output nothing, but if I change my WAN interface from pppoe to dhcp, I can get gre packets correctly. Also, if I change gre to ipip, it works too.
Anything I missed?

Could it be missing conntrack for gre? Try installing kmod-nf-nathelper-extra

Thanks, it works.
But why do I need it only in pppoe configuration?

Likely it's still about routing and firewalling, not dhcp or pppoe. But I can only guess :wink:

With nf_conntrack_proto_gre unloaded, see if there are changes in outputs of iptables-save -c | grep -i invalid

You mean it's a configuration problem? But it's ok if I create ipip tunnel with the same method.
How should I diagnose it? nf_conntrack_proto_gre module can't be unloaded dynamically unless reboot.

ipip works because it will be matched (allowed) by generic protocol tracking in nf_conntrack.ko. gre is explicitly excluded because we build nf_conntrack_proto_gre as module. This is more or less a security issue as discussed in

The other thing is that I just tested with OpenWrt 19.07.1 running on QEMU x86/64 that gre over links configured with DHCP should work.

You're right. It's not about dhcp or pppoe, but firewall.
After removing kmod-nf-nathelper-extra, GRE tunnel works on LAN interface, but fails on WAN interface. I have allowed proto 47 in INPUT chain, any more rules needed?

1 Like

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.