
I have two debian machines in difference locations and want to enable routing between the two internal subnets via GRE.

My general routing is already working, meaning any internal machine directs traffic towards the two machines which are connected via GRE, and the traffic is also sent through the tunnel, but when it is received on the other side it is not forwarded into the local subnet anymore.

My configuration on those two machines (not using actual IPs):

Host A (172.19.0.1):

ip tunnel add tun0 mode gre remote 172.20.0.1 local 172.19.0.1
ip addr add 10.10.10.1/24 dev tun0
ip link set tun0 up

Host B (172.20.0.1):

ip tunnel add tun0 mode gre remote 172.19.0.1 local 172.20.0.1
ip addr add 10.10.10.2/24 dev tun0
ip link set tun0 up
echo 1 > /proc/sys/net/ipv4/ip_forward

Pinging either machine on the tunnel interface IPs (10.10.10.1 and 10.10.10.2) works flawlessly, but when I try to ping an internal IP through the tunnel, e.g. by running ping 10.100.77.8 -I tun0 on Host A, I don't get a response. tcpdump shows that not even one is generated, which indicates that the packet never hits the interface after being unpacked by GRE.

root@hostb:~# tcpdump -i any host 172.19.0.1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
10:36:10.983403 IP 10.10.10.1 > 172.20.0.1: GREv0, length 88: IP 10.10.10.1 > 10.100.77.8: ICMP echo request, id 20422, seq 8, length 64
10:36:10.983419 IP 10.10.10.1 > 10.100.77.8: ICMP echo request, id 20422, seq 8, length 64
10:36:11.991415 IP 10.10.10.1 > 172.20.0.1: GREv0, length 88: IP 10.10.10.1 > 10.100.77.8: ICMP echo request, id 20422, seq 9, length 64
10:36:11.991427 IP 10.10.10.1 > 10.100.77.8: ICMP echo request, id 20422, seq 9, length 64

I cannot see the ICMP packet coming in on target machine 10.100.77.8. There are no rules in iptables configured while default action is always ACCEPT.

Dero

3 Answers

Another issue I've bumped into today which had a similar manifestation was due to a bug in CentOS 8.3 and VXLAN or GRE tunnels.

The solution was to disable tx-checksum-ip-generic with ethtool -K nic1 tx off.

According to the Red Hat solution, the issue should get fixed in Red Hat 8.4.

mrg2k8

Seems like something is wrong in the source address selection, because you have the internal tunnel address in the outer header of the GRE packets. The source address of the outer header should be 172.19.0.1, not 10.10.10.1.

10:36:10.983403 IP 10.10.10.1 > 172.20.0.1: GREv0, length 88: IP 10.10.10.1 > 10.100.77.8: ICMP echo request, id 20422, seq 8, length 64

Check the output of ip route get 10.100.77.8 on Host A. Also check the output of ip route get 10.100.77.8 from 10.10.10.1 iif tun0 on Host B. If you see something like invalid cross-device link, you should disable rp_filter.

Also, show the output of the 'ip -4 r ls' command from both hosts.

Anton Danilov
  • The packet was generated on the machine hosting the GRE, so it selected this as the source IP. That wasn't the issue in this case. I figured out that by default rp_filter is activated on the machines for new interfaces. Deactivating this solved the issue. Will compose a final answer to this. – Dero May 27 '19 at 12:30
  • It's not a normal situation. The drops by `rp_filter` are just a side effect of another issue. You have an incomplete routing setup. Check the output of `iptables-save`. It'll list the full firewall rule set. – Anton Danilov May 27 '19 at 12:38
  • As said, there are no configurations done in iptables. But here you go: `*filter:INPUT ACCEPT [0:0]:FORWARD ACCEPT [0:0]:OUTPUT ACCEPT [0:0]COMMIT` – Dero May 27 '19 at 14:55
  • I cannot explain the source address mismatch, but it will affect your configuration in the future. – Anton Danilov May 27 '19 at 15:05

Problem solved. rp_filter was enabled for the tunnel interfaces:

$ cat /proc/sys/net/ipv4/conf/all/rp_filter
1
$ cat /proc/sys/net/ipv4/conf/tun0/rp_filter
1

Changing both of those to 0 fixed the issue.

Dero
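An added check for the fix in the accepted answer (example script, not from the original post or any of its authors). The kernel applies the maximum of conf/all/rp_filter and conf/<iface>/rp_filter, which is why both files had to be changed: lowering only tun0 does nothing while conf/all is still 1 (strict). Value 2 (loose mode) is an alternative to 0 that still rejects sources with no route at all; PROC_ROOT and make_fake_proc are assumptions added so the checks can be exercised against a constructed /proc tree offline.

```shell
#!/bin/sh
# Audit the reverse-path filter on a tunnel interface. Effective mode is
# max(conf/all/rp_filter, conf/<iface>/rp_filter): 0 off, 1 strict, 2 loose.
# PROC_ROOT (assumed helper variable) can point at a constructed tree for testing.
PROC_ROOT="${PROC_ROOT:-/proc}"

# Print the effective rp_filter mode for an interface (missing files count as 0).
effective_rp_filter() {
    iface="$1"
    all=$(cat "$PROC_ROOT/sys/net/ipv4/conf/all/rp_filter" 2>/dev/null || echo 0)
    dev=$(cat "$PROC_ROOT/sys/net/ipv4/conf/$iface/rp_filter" 2>/dev/null || echo 0)
    if [ "$all" -gt "$dev" ]; then echo "$all"; else echo "$dev"; fi
}

# Succeed (exit 0) unless strict mode is in effect, which drops packets whose
# source is best reached through a different interface, as with asymmetric
# tunnel routing; loose mode (2) or off (0) both pass.
tunnel_rp_filter_ok() {
    [ "$(effective_rp_filter "$1")" -ne 1 ]
}

# The question only enabled forwarding on Host B; check it on the host at hand.
ip_forward_enabled() {
    [ "$(cat "$PROC_ROOT/sys/net/ipv4/ip_forward" 2>/dev/null || echo 0)" = "1" ]
}

# Build a constructed /proc replica (all, tun0 and ip_forward values) for offline runs.
make_fake_proc() {
    root="$1"; all="$2"; dev="$3"; fwd="$4"
    mkdir -p "$root/sys/net/ipv4/conf/all" "$root/sys/net/ipv4/conf/tun0"
    echo "$all" > "$root/sys/net/ipv4/conf/all/rp_filter"
    echo "$dev" > "$root/sys/net/ipv4/conf/tun0/rp_filter"
    echo "$fwd" > "$root/sys/net/ipv4/ip_forward"
}

# Stand-alone run: report on the live kernel for tun0.
printf 'tun0 effective rp_filter: %s\n' "$(effective_rp_filter tun0)"
if tunnel_rp_filter_ok tun0; then
    echo "rp_filter: OK for asymmetric tunnel paths"
else
    echo "rp_filter: strict (1); set conf/all and conf/tun0 to 2 (loose) or 0"
fi
if ip_forward_enabled; then echo "ip_forward: enabled"; else echo "ip_forward: disabled"; fi
```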