Why can't GRE access web?

gre

#1

Ping from the PC to the server works without problems.

The HTTP protocol cannot be accessed.

Is there an MTU problem? How do I configure it?

The following is the detailed configuration information; I have deleted the useless parts.

VYOS-1:

vyos@HN-vyos-1-QH:~$ show configuration 
interfaces {
    ethernet eth0 {
        address 61.132.228.249/29
        duplex auto
        hw-id 90:b1:1c:39:25:54
        smp_affinity auto
        speed auto
        policy {
            route To_HF-vyos
        }
    }
    ethernet eth1 {
        address 112.29.248.234/29
        description To_5700-19
        duplex auto
        hw-id 90:b1:1c:39:25:55
        smp_affinity auto
        speed auto
    }
    loopback lo {
    }
    tunnel tun0 {
        address 172.18.251.2/30
        description To_HF-vyos
        encapsulation gre
        local-ip 112.29.248.234
        multicast disable
        remote-ip 112.29.177.141
    }
}
policy {
    route To_HF-vyos {
        rule 1 {
            set {
                table 1
            }
            source {
                address 61.132.228.248/29
            }
        }
    }
}
protocols {
    static {
        route 0.0.0.0/0 {
            next-hop 112.29.248.233 {
            }
        }
        table 1 {
            route 0.0.0.0/0 {
                next-hop 172.18.251.1 {
                }
            }
        }
    }
}

VYOS-2:

vyos@HF-vyos-2-QH:~$ show configuration 
interfaces {
    ethernet eth0 {
        address 172.16.132.2/30
        hw-id 90:b1:1c:43:b7:ca
    }
    ethernet eth1 {
        address 112.29.177.141/28
        hw-id 90:b1:1c:43:b7:cb
    }
    loopback lo {
    }
    tunnel tun0 {
        address 172.18.251.1/30
        description To_HN-vyos
        encapsulation gre
        local-ip 112.29.177.141
        remote-ip 112.29.248.234
    }
}

protocols {
    static {
        route 0.0.0.0/0 {
            next-hop 172.16.132.1 {
            }
        }
        route 61.132.228.248/29 {
            next-hop 172.18.251.2 {
            }
        }
        route 112.29.248.224/28 {
            next-hop 112.29.177.129 {
            }
        }
    }
}

#2

You need to provide more information if you want any help with the configuration. You may use tshark to see the traffic in the tunnel. It will show if you need to enable Path MTU Discovery on your web server. If you are running the GRE tunnel over Ethernet that you have under your control, you may enable jumbo frames in your topology and configure a higher MTU on the interfaces which carry your GRE tunnel.


#3

Hi,

It looks like an MTU problem (of course, if there are no ACLs in the traffic path).
You could try to configure TCP MSS clamping.
1500-24(gre)-20(ip)-20(tcp)=1436

set policy route pppoe-out description 'PPPoE TCPMSS clamping'
set policy route pppoe-out rule 100 protocol 'tcp'
set policy route pppoe-out rule 100 set tcp-mss '1436'
set policy route pppoe-out rule 100 tcp flags 'SYN'
set interfaces ethernet eth0 policy route 'pppoe-out'

https://wiki.vyos.net/wiki/Ethernet


#4

Hello, I did not use your solution. I updated the details; please help me look at it.

Thank you!


#5

Does the routing table in R3 include correct routing for your GRE tunnel? The ACL in R1, R2 and R3 may drop your TCP if you have some asymmetric routing, but ICMP is allowed.


#6

You still need to implement some TCP-MSS clamping. There are a few calculators on the web that will help you calculate proper MTU/MSS settings for various expected traffic types.

- Create the policy route that defines the TCP-MSS clamping
- Apply the policy route to the tunnel interface
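
What a TCP-MSS clamp on SYN packets does to the traffic, as an added Python example that is not part of any post in this thread and is not VyOS code: it finds the MSS option in a SYN, lowers it to the 1436 worked out in #3, and patches the TCP checksum incrementally. The sample SYN, its addresses and ports, and all function names are constructed for illustration.

```python
import struct

GRE_OVERHEAD = 24            # outer IPv4 (20) + basic GRE header (4), as in #3
IP_HDR = TCP_HDR = 20        # inner IPv4 and TCP headers without options
CLAMP_MSS = 1500 - GRE_OVERHEAD - IP_HDR - TCP_HDR   # 1436, the value from #3

def inet_sum(data: bytes) -> int:
    """Folded 16-bit ones' complement sum (even-length input)."""
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return s

def find_mss(tcp: bytes):
    """Return (offset, value) of the MSS option in a TCP header, or None."""
    end, i = (tcp[12] >> 4) * 4, 20
    while i + 1 < end and tcp[i] != 0:       # kind 0 = end of option list
        if tcp[i] == 1:                      # kind 1 = NOP, a single byte
            i += 1
            continue
        length = tcp[i + 1]
        if length < 2 or i + length > end:   # malformed option: stop parsing
            return None
        if tcp[i] == 2 and length == 4:      # kind 2 = maximum segment size
            return i + 2, struct.unpack_from("!H", tcp, i + 2)[0]
        i += length
    return None

def clamp_syn(tcp: bytes, limit: int = CLAMP_MSS) -> bytes:
    """Lower the MSS option of a SYN to `limit`, patching the checksum (RFC 1624)."""
    found = find_mss(tcp)
    if not tcp[13] & 0x02 or found is None or found[1] <= limit:
        return tcp                           # not a SYN, no MSS, or already small enough
    off, old = found
    csum = struct.unpack_from("!H", tcp, 16)[0]
    new_sum = inet_sum(struct.pack("!HHH", ~csum & 0xFFFF, ~old & 0xFFFF, limit))
    out = bytearray(tcp)
    struct.pack_into("!H", out, off, limit)
    struct.pack_into("!H", out, 16, ~new_sum & 0xFFFF)
    return bytes(out)

def sample_syn(mss=1460, src=bytes([192, 0, 2, 10]), dst=bytes([198, 51, 100, 80])) -> bytes:
    """Constructed SYN (port 40000 -> 80) with a valid checksum; addresses are made up."""
    seg = struct.pack("!HHIIBBHHHBBH", 40000, 80, 1, 0, 6 << 4, 0x02, 64240, 0, 0, 2, 4, mss)
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(seg))
    return seg[:16] + struct.pack("!H", ~inet_sum(pseudo + seg) & 0xFFFF) + seg[18:]

if __name__ == "__main__":
    print(find_mss(sample_syn())[1], "->", find_mss(clamp_syn(sample_syn()))[1])
```

Only the SYN is rewritten, so both endpoints agree on the smaller segment size during the handshake and never send a full-size segment into the tunnel.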