Selectively tunnel device traffic through GRE tunnel

Hi,

I have ordered an additional IP address which I can use via a GRE tunnel. My plan is to tunnel only specific devices through this tunnel so that they reach out to servers on the internet via this IP address and are reachable through this IP address. For example a VM or another device on my network.

That’s what I have achieved so far:

/etc/config/network

config interface 'tunnel1'
        option proto 'gre'
        option peeraddr '5.230.x.x'

config interface 'tunnel2'
        option proto 'static'
        option ipaddr '172.16.2.2'
        option netmask '255.255.255.252'
        option device '@tunnel1'

config interface 'tunnel3'
        option device '@tunnel1'
        option proto 'static'
        option ipaddr '5.230.x.x'
        option gateway '172.16.2.1'
        option defaultroute '0'

/etc/config/firewall

config nat
        option target 'SNAT'
        option src 'tunnel2'
        option name 'SNAT tunnel'
        option snat_ip '5.230.x.x'
        option enabled '1'

config zone
        option input 'ACCEPT'
        option name 'tunnel_gre'
        option output 'ACCEPT'
        list network 'tunnel1'
        list network 'tunnel2'
        list network 'tunnel3'
        option masq '1'
        option forward 'REJECT'
        option family 'ipv4'

config forwarding
        option dest 'wan'
        option src 'tunnel_gre'

config forwarding
        option dest 'tunnel_gre'
        option src 'lan'

The tunnel itself works: I can ping my public tunnel IP from the outside and the internal gateway from my router.

What do I need to do, if I want to tunnel all traffic for a specific device, for example 192.168.100.100?

I would suggest setting tunnel3 to have its own routing table and then playing a bit with policy-based routing.

Something like this should work.

This sets tunnel3 to use the routing table 100 (you can choose anything between 2 and 252) and you can even have the default route in this table.
You can verify this by issuing ip route show table 100 to see the content of this table.

config interface 'tunnel3'
        option device '@tunnel1'
        option proto 'static'
        option ipaddr '5.230.x.x'
        option gateway '172.16.2.1'
        option ip4table '100'

Then you need to add this configuration for policy based routing.

config rule
	option src '192.168.100.100'
	option lookup '100'

With this, all traffic with source 192.168.100.100 will perform the lookup in table 100 and not in the default table.
Verify this by issuing ip rule show; you should get something like this.

root@staging-gw-prg:~# ip rule show
0:	from all lookup local
1:	from 192.168.100.100 lookup 100
32766:	from all lookup main
32767:	from all lookup default

You need to play a bit with this to get the results you want. In case you need to troubleshoot the traffic, tcpdump is your friend.


Did what you suggested, but it looks a bit different from your output:

root@omnia:~# ip route show table 100
5.230.x.x dev gre4-tunnel1 proto static scope link
root@omnia:~# ip rule show
0:      from all lookup local
1:      from all lookup 100
10000:  from 5.230.x.x lookup 100
20000:  from all to 5.230.x.x lookup 100
32766:  from all lookup main
32767:  from all lookup default
90045:  from all iif lo lookup 100
root@omnia:~# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         62.156.x.x 0.0.0.0         UG    0      0        0 pppoe-wan
5.230.x.x 62.156.x.x 255.255.255.255 UGH   0      0        0 pppoe-wan
10.111.111.0    *               255.255.255.0   U     0      0        0 tun_turris
62.156.x.x *               255.255.255.255 UH    0      0        0 pppoe-wan
172.16.2.0      *               255.255.255.252 U     0      0        0 gre4-tunnel1
192.168.100.0   *               255.255.255.0   U     0      0        0 br-lan

Traceroute from the 192.168.100.100 device still uses the default gateway from my ISP:

  1    <1 ms    <1 ms    <1 ms  192.168.100.1
  2    14 ms    13 ms    13 ms  62.156.x.x

Something seems to be still missing?

Yes, you do not have the default route in table 100.
Try to add the default route to table 100 by typing ip ro add default via 172.16.x.x table 100.

Remove the policy rule 1 (I hope this will work ip rule del pref 1) and add ip rule add pref 1 from 192.168.100.100/32 table 100 and test it again.

DO NOT USE the route command as it has been broken for the last 20 years. Learn to use iproute.

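As an added example that is not part of this thread: a small POSIX sh check that reads saved output of ip rule show and ip route show table 100 and reports what is still missing for the host 192.168.100.100. The "before" text is constructed from the output posted above, the "after" text is constructed to show the fixed state; table 100 and the gateway 172.16.2.1 are taken from the thread. It also flags the "from all lookup 100" rule, because once table 100 gets a default route that rule would send every host through the tunnel, not just the chosen one.

```shell
# Added example, not from the thread: check that policy-based routing for one
# host is complete and scoped, using saved 'ip rule show' / 'ip route show table N' text.
# Assumed values: host 192.168.100.100, table 100, tunnel gateway 172.16.2.1.

# Constructed sample output, modelled on the output posted above (before the fix).
RULES_BEFORE='0:      from all lookup local
1:      from all lookup 100
10000:  from 5.230.x.x lookup 100
20000:  from all to 5.230.x.x lookup 100
32766:  from all lookup main
32767:  from all lookup default'
TABLE_BEFORE='5.230.x.x dev gre4-tunnel1 proto static scope link'

# Constructed sample output after applying the suggested fix.
RULES_AFTER='0:      from all lookup local
1:      from 192.168.100.100 lookup 100
32766:  from all lookup main
32767:  from all lookup default'
TABLE_AFTER='default via 172.16.2.1 dev gre4-tunnel1
5.230.x.x dev gre4-tunnel1 proto static scope link'

# 0 if a rule sends traffic from exactly $2 to table $3 (ip prints /32 sources without the mask).
has_src_rule() {
  esc=$(printf '%s' "$2" | sed 's/\./\\./g')
  printf '%s\n' "$1" | grep -Eq "^[0-9]+:[[:space:]]+from $esc(/32)?[[:space:]]+lookup $3\$"
}
# 0 if a catch-all "from all lookup $2" rule exists: with a default route in table $2,
# that rule would push every host through the tunnel, not just the chosen one.
has_catchall_rule() {
  printf '%s\n' "$1" | grep -Eq "^[0-9]+:[[:space:]]+from all[[:space:]]+lookup $2\$"
}
# 0 if the table text ($1) carries a default route.
has_default_route() {
  printf '%s\n' "$1" | grep -Eq '^default via '
}
# Diagnose: $1=rules text, $2=table text, $3=host, $4=table number.
# Prints what is missing and returns 0 only when the setup is complete and scoped.
pbr_check() {
  ok=0
  has_src_rule "$1" "$3" "$4" || { echo "missing: ip rule add pref 1 from $3/32 table $4"; ok=1; }
  has_catchall_rule "$1" "$4" && { echo "too broad: 'from all lookup $4' rule present"; ok=1; }
  has_default_route "$2" || { echo "missing: ip route add default via <gw> table $4"; ok=1; }
  return $ok
}

pbr_check "$RULES_BEFORE" "$TABLE_BEFORE" 192.168.100.100 100 || echo "before: incomplete"
pbr_check "$RULES_AFTER" "$TABLE_AFTER" 192.168.100.100 100 && echo "after: ok"
```

To check a live router, replace the constructed strings with "$(ip rule show)" and "$(ip route show table 100)".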