
IPv6 GRE Tunnel issues
Closed, ResolvedPublicBUG

Description

Hello,

I am having a problem setting up GRE tunnels over IPv6.
Here are the basic configurations of the two routers:

ROUTER-1

set firewall all-ping 'enable'
set firewall broadcast-ping 'disable'
set firewall config-trap 'disable'
set firewall ipv6-name wan-local-6 default-action 'drop'
set firewall ipv6-name wan-local-6 enable-default-log
set firewall ipv6-name wan-local-6 rule 10 action 'drop'
set firewall ipv6-name wan-local-6 rule 10 log 'enable'
set firewall ipv6-name wan-local-6 rule 10 state invalid 'enable'
set firewall ipv6-name wan-local-6 rule 20 action 'accept'
set firewall ipv6-name wan-local-6 rule 20 log 'enable'
set firewall ipv6-name wan-local-6 rule 20 state established 'enable'
set firewall ipv6-name wan-local-6 rule 20 state related 'enable'
set firewall ipv6-name wan-local-6 rule 30 action 'accept'
set firewall ipv6-name wan-local-6 rule 30 log 'enable'
set firewall ipv6-name wan-local-6 rule 30 protocol 'gre'
set firewall ipv6-name wan-local-6 rule 40 action 'accept'
set firewall ipv6-name wan-local-6 rule 40 protocol 'ipv6-icmp'
set firewall ipv6-receive-redirects 'disable'
set firewall ipv6-src-route 'disable'
set firewall ip-src-route 'disable'
set firewall log-martians 'enable'
set firewall name wan-local default-action 'drop'
set firewall name wan-local enable-default-log
set firewall name wan-local rule 10 action 'drop'
set firewall name wan-local rule 10 log 'enable'
set firewall name wan-local rule 10 state invalid 'enable'
set firewall name wan-local rule 20 action 'accept'
set firewall name wan-local rule 20 log 'enable'
set firewall name wan-local rule 20 state established 'enable'
set firewall name wan-local rule 20 state related 'enable'
set firewall name wan-local rule 30 action 'accept'
set firewall name wan-local rule 30 log 'enable'
set firewall name wan-local rule 30 protocol 'gre'
set firewall name wan-local rule 40 action 'accept'
set firewall name wan-local rule 40 protocol 'icmp'
set firewall receive-redirects 'disable'
set firewall send-redirects 'enable'
set firewall source-validation 'disable'
set firewall syn-cookies 'enable'
set firewall twa-hazards-protection 'disable'
set interfaces ethernet eth0 address '198.51.100.1/24'
set interfaces ethernet eth0 address '2001:db8:1000::1/64'
set interfaces ethernet eth0 firewall local ipv6-name 'wan-local-6'
set interfaces ethernet eth0 firewall local name 'wan-local'
set interfaces ethernet eth0 hw-id '0c:d8:6a:66:03:00'
set interfaces ethernet eth1 hw-id '0c:d8:6a:66:03:01'
set interfaces ethernet eth2 hw-id '0c:d8:6a:66:03:02'
set interfaces loopback lo
set interfaces tunnel tun0 address 'fd00::1/64'
set interfaces tunnel tun0 address '10.0.0.1/30'
set interfaces tunnel tun0 encapsulation 'ip6gre'
set interfaces tunnel tun0 local-ip '2001:db8:1000::1'
set interfaces tunnel tun0 multicast 'enable'
set interfaces tunnel tun0 remote-ip '2001:db8:1000::2'
set interfaces tunnel tun0 source-interface 'eth0'
set interfaces tunnel tun1 address 'fd01::1/64'
set interfaces tunnel tun1 address '10.1.1.1/30'
set interfaces tunnel tun1 encapsulation 'gre'
set interfaces tunnel tun1 local-ip '198.51.100.1'
set interfaces tunnel tun1 remote-ip '198.51.100.2'
set interfaces tunnel tun1 source-interface 'eth0'
set system config-management commit-revisions '100'
set system console device ttyS0 speed '115200'
set system host-name 'vyos'
set system login user vyos authentication encrypted-password '$6$ztLNDTcT7$9Zjtmyy8.4/Bh99nqe5/Osc8lEzhPzzEqE5lpecJdOYiRNF7Z.Q2kAp3MHGXxsvjPjf9pxtQLjPKvsRyea4he/'
set system login user vyos authentication plaintext-password ''
set system ntp server 0.pool.ntp.org
set system ntp server 1.pool.ntp.org
set system ntp server 2.pool.ntp.org
set system syslog global facility all level 'info'
set system syslog global facility protocols level 'debug'

ROUTER-2

set firewall all-ping 'enable'
set firewall broadcast-ping 'disable'
set firewall config-trap 'disable'
set firewall ipv6-name wan-local-6 default-action 'drop'
set firewall ipv6-name wan-local-6 enable-default-log
set firewall ipv6-name wan-local-6 rule 10 action 'drop'
set firewall ipv6-name wan-local-6 rule 10 log 'enable'
set firewall ipv6-name wan-local-6 rule 10 state invalid 'enable'
set firewall ipv6-name wan-local-6 rule 20 action 'accept'
set firewall ipv6-name wan-local-6 rule 20 log 'enable'
set firewall ipv6-name wan-local-6 rule 20 state established 'enable'
set firewall ipv6-name wan-local-6 rule 20 state related 'enable'
set firewall ipv6-name wan-local-6 rule 30 action 'accept'
set firewall ipv6-name wan-local-6 rule 30 log 'enable'
set firewall ipv6-name wan-local-6 rule 30 protocol 'gre'
set firewall ipv6-name wan-local-6 rule 40 action 'accept'
set firewall ipv6-name wan-local-6 rule 40 protocol 'ipv6-icmp'
set firewall ipv6-receive-redirects 'disable'
set firewall ipv6-src-route 'disable'
set firewall ip-src-route 'disable'
set firewall log-martians 'enable'
set firewall name wan-local default-action 'drop'
set firewall name wan-local enable-default-log
set firewall name wan-local rule 10 action 'drop'
set firewall name wan-local rule 10 log 'enable'
set firewall name wan-local rule 10 state invalid 'enable'
set firewall name wan-local rule 20 action 'accept'
set firewall name wan-local rule 20 log 'enable'
set firewall name wan-local rule 20 state established 'enable'
set firewall name wan-local rule 20 state related 'enable'
set firewall name wan-local rule 30 action 'accept'
set firewall name wan-local rule 30 log 'enable'
set firewall name wan-local rule 30 protocol 'gre'
set firewall name wan-local rule 40 action 'accept'
set firewall name wan-local rule 40 protocol 'icmp'
set firewall receive-redirects 'disable'
set firewall send-redirects 'enable'
set firewall source-validation 'disable'
set firewall syn-cookies 'enable'
set firewall twa-hazards-protection 'disable'
set interfaces ethernet eth0 address '198.51.100.2/24'
set interfaces ethernet eth0 address '2001:db8:1000::2/64'
set interfaces ethernet eth0 firewall local ipv6-name 'wan-local-6'
set interfaces ethernet eth0 firewall local name 'wan-local'
set interfaces ethernet eth0 hw-id '0c:d8:6a:b7:90:00'
set interfaces ethernet eth1 hw-id '0c:d8:6a:b7:90:01'
set interfaces ethernet eth2 hw-id '0c:d8:6a:b7:90:02'
set interfaces loopback lo
set interfaces tunnel tun0 address 'fd00::2/64'
set interfaces tunnel tun0 address '10.0.0.2/30'
set interfaces tunnel tun0 encapsulation 'ip6gre'
set interfaces tunnel tun0 local-ip '2001:db8:1000::2'
set interfaces tunnel tun0 multicast 'enable'
set interfaces tunnel tun0 remote-ip '2001:db8:1000::1'
set interfaces tunnel tun0 source-interface 'eth0'
set interfaces tunnel tun1 address 'fd01::2/64'
set interfaces tunnel tun1 address '10.1.1.2/30'
set interfaces tunnel tun1 encapsulation 'gre'
set interfaces tunnel tun1 local-ip '198.51.100.2'
set interfaces tunnel tun1 remote-ip '198.51.100.1'
set interfaces tunnel tun1 source-interface 'eth0'
set system config-management commit-revisions '100'
set system console device ttyS0 speed '115200'
set system host-name 'vyos'
set system login user vyos authentication encrypted-password '$6$bXuwE0gi.CjpQRv$TFbrTmtcqCQ9f6Df.yqygi99R8M/8vR1NDfado2ESXBzv0tGlVbdRKjdlHZGw9pNrpEWUG5m0BdMnrJqkbDpv/'
set system login user vyos authentication plaintext-password ''
set system ntp server 0.pool.ntp.org
set system ntp server 1.pool.ntp.org
set system ntp server 2.pool.ntp.org
set system syslog global facility all level 'info'
set system syslog global facility protocols level 'debug'

When the tunnel is up, the remote network is unreachable if an ingress filtering policy is applied on the local interface.
This is what the logs show: the GRE traffic is constantly classified as an invalid connection-tracking state, so it is dropped by rule 10 (`wan-local-6-10-D`) before the GRE accept rule is ever reached.

vyos@router2:~$ ping fd00::1
PING fd00::1(fd00::1) 56 data bytes

--- fd00::1 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms
root@router1:~# tail -f /var/log/messages
Mar  1 09:09:56 router1 kernel: [  303.025798] [wan-local-6-10-D] IN=eth0 OUT= MAC=0c:d8:6a:66:03:00:0c:d8:6a:b7:90:00:86:dd SRC=2001:0db8:1000:0000:0000:0000:0000:0002 DST=2001:0db8:1000:0000:0000:0000:0000:0001 LEN=136 TC=0 HOPLIMIT=64 FLOWLBL=825134 PROTO=47

In pure IPv4 mode, it works without problems.

vyos@router2:~$ ping fd01::1 count 1
PING fd01::1(fd01::1) 56 data bytes
64 bytes from fd01::1: icmp_seq=1 ttl=64 time=3.24 ms

--- fd01::1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 3.238/3.238/3.238/0.000 ms
root@router1:~# tail -f /var/log/messages -n0
Mar  1 09:21:11 router1 kernel: [  977.976415] [wan-local-30-A] IN=eth0 OUT= MAC=0c:d8:6a:66:03:00:0c:d8:6a:b7:90:00:08:00 SRC=198.51.100.2 DST=198.51.100.1 LEN=128 TOS=0x00 PREC=0x00 TTL=255 ID=64348 DF PROTO=47

This problem is reproducible under VyOS 1.3.x and 1.4.x.

Thanks for your help,
Regards,

Details

Difficulty level
Unknown (require assessment)
Version
1.4.x ; 1.3.x
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)

Event Timeline

linuxludo updated the task description.

Try placing that rule after the established/related rule, for example as rule 25:

set firewall ipv6-name wan-local-6 rule 10 action 'drop'
set firewall ipv6-name wan-local-6 rule 10 log 'enable'
set firewall ipv6-name wan-local-6 rule 10 state invalid 'enable'

It does not work when the established and invalid-state rules are at the top of the rule set, in any order. It only works if the invalid-state rule is positioned after the GRE rule, but that is not the expected behavior.

It seems to be a bug in the netfilter conntrack module with the GRE protocol over IPv6.
I patched the conntrack module and it now works as expected.
I have just submitted this patch to the netfilter maintainers.
Wait & See...

Since there is only limited ability to open a pull request on the Linux kernel's GitHub repository, I had to submit the patch to the netfilter maintainers team by email.

c-po changed the task status from Open to Blocked.Mar 9 2021, 8:59 PM

Just for your information.
The patch was added to kernel 5.4, 5.10 and 5.11.
https://git.kernel.org/pub/scm/linux/kernel/git/stable/stable-queue.git/

Regards,

@linuxludo thanks for the heads-up - it should be fixed in the next bugfix version of 5.10 then, which I regularly update VyOS to. See T3318

The latest rolling release runs kernel 5.10.30 - the patch is in there, please verify.

c-po changed the task status from Blocked to Needs testing.Apr 17 2021, 8:58 PM
c-po assigned this task to linuxludo.
c-po moved this task from Need Triage to In Progress on the VyOS 1.4 Sagitta board.

I tested vyos-1.3-rolling-202105011026-amd64.iso and everything works correctly.