GRE tunneling on 24.10.5

I have attempted to create rules to forward a GRE tunnel with no luck.

I have used both Lucy and editing /etc/config/firewall and restarting firewall.

First: standard, except I only allow a specific IP to send gre packets

config rule
option src 'wan'
option dest 'lan'
option name 'Allow-GRE'
option proto 'gre'
option target 'ACCEPT'
list src_ip '44.5.7.255' // public IP of other end
list dest_ip '192.168.1.250' // internal IP of other tunnel end

googling:
config redirect
option name 'GRE-NAT'
option src 'wan'
option dest 'lan'
option target 'DNAT'
option proto 'gre'
option dest_ip '192.168.1.250'
option src_ip '44.5.7.255'
option src_dip '155.4.225.195'
option enabled '1'

I can see the GRE packets by tcpdumping eth0 or eth1, and see packets from the local GRE port
from 192.168.1.250 -> 44.5.7.255 and on eth1 from 44.5.7.255 -> 195.4.255.195, but no paqckets are forwarded. What did I do wrong? At the very least I expected outgoing NATed packets.
Gullik

GRE does not NAT

That is strange, since I managed to make it work yesterday. However, this was with a tunnel endpoint in a Raspberry PI 4, (just for testing) but it transfered over the same gateway.

I then changed the dest_ip option to the one I needed, restarted the service restart firewall,
but it did not come up.

Even more strange from a protocol point, I can do a port forward of PROTO 17, ADDRESS X and PORT y. This is exactly the same logic, but without a PORT number.
proto 6 and 17 are tcp and udp and 47 is gre....

Anyway, this should be supported, how else do you forward a tunnel in to one machine?

Gullik

You can do header rewrite in raw table.

iif lan proto gre ip saddr raspberry ip saddr set wan notrack
iif wan proto gre ip daddr wan ip daddr set raspberry notrack

Very interesting bug indeed. After running port forward 155.4.225.195 with the local ip address set to 192.168.1.95, changing the redirect to instead point to 192.168.1.250 (the desired target) i reran the service firewall restart .
After doing that, the Openwrt gateway STILL transmits gre packets to 192.168.1.95, even though this address is no longer present in the /etc/config/firewall script.

This means the setting up this filter leaves something in the kernel tables (192.168.1.95)

19:31:10.205808 IP 192.168.1.1 > 192.168.1.95: GREv0, length 44: IP 78.128.114.22.53555 > 44.5.7.115.23262: Flags [S], seq 3045938783, win 1024, length 0
19:31:11.802257 IP 192.168.1.1 > 192.168.1.95: GREv0, length 44: IP 45.142.193.10.50477 > 44.5.7.115.17256: Flags [S], seq 2119538187, win 1024, length 0

192.168.1.1 is the router.

i have done
service firewall stop
service firewall start
service firewall restart

I have not been able to reboot openwrt , others are using it....

Gullik

Flush conntrack conntrack -F

Hejjo Brada

what is iif? cannot find such command, do I need to install a package?

Gullik

Yes Watson, package is called conntrack.

Tnx Barad4,

Installing conntrack and doing a flush fixed it,

20:18:00.092338 IP 155.4.225.195 > 44.5.7.255: GREv0, length 88: IP 44.5.7.115 > 44.5.7.114: ICMP echo request, id 26692, seq 3653, length 64
20:18:00.105634 IP 44.5.7.255 > 155.4.225.195: GREv0, length 88: IP 44.5.7.114 > 44.5.7.115: ICMP echo reply, id 26692, seq 3653, length 64
20:18:01.092632 IP 155.4.225.195 > 44.5.7.255: GREv0, length 88: IP 44.5.7.115 > 44.5.7.114: ICMP echo request, id 26692, seq 3654, length 64
20:18:01.105948 IP 44.5.7.255 > 155.4.225.195: GREv0, length 88: IP 44.5.7.114 > 44.5.7.115: ICMP echo reply, id 26692, seq 3654, length 64

pings from .115 to .114 is now working.

So, problem resolved
Gullik

Please delete fake bug claim. Does not help anyone posting same over and over again.,

Incoming interface. It's an nft instruction.

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.