Proxmox GRE

Hello, I've got a problem setting up GRE through Proxmox. I managed to make the tunnel and ping the IP from my Proxmox, but I do not get any network on the VM side. It would be great if someone could help me, even by Discord voice and looking at it via AnyDesk; that would be helpful. This is my contact email: contact@benjamin-leroy.ch

Hi,

did you already solve your problem?
Otherwise it would be quite helpful to know what you already tried ^^
How is your current setup looking?

Already tried a MikroTik setup with GRE, Debian, or on Proxmox directly. I could ping the IPs in less than 1 ms, but it's not going through on a VM.

We can try to catch up together on the Noez Discord. Tell me, in local Germany time, what time would you be available?

What do you mean by „i could ping the ips less then 1ms“ and „not going through on a vm“?

Common mistakes are for example:

  • The MTU must be set explicitly to properly work. This means your bridge should have the MTU set, in order to automatically adapt that setting on containers. For VMs you have to set it explicitly (or to 1, which has the special meaning of „adapt from interface“).
  • Firewall issues. Proxmox allows by default outgoing traffic. Incoming traffic must be allowed. So you have to allow incoming gre traffic. The general effects of firewalls on each container/vm still apply (as long as enabled).
  • The routing setting must be enabled on the proxmox host (aka ip_forward).

I don't know MikroTik, so I really don't understand what you mean/did with „mikrotik setup“. Maybe this tutorial could help you out: https://community.noez.de/t/noez-de-community-tutorial-gre-tunnel/1689. It is in German, but the text is quite simple. So, DeepL could help you out?

The thing I don't manage: I don't have the same network conf. My Proxmox network goes through vmbr1, so I think that's the problem, and not through eno1.

So, you are using a routed setup in general? That’s not the deal.

BY THE WAY:
Join the Discord server. Noez currently has major problems with attacks, which is why the GRE tunnels regularly do not work.

Just for some clarification:

  • Proxmox restricts bridge names to start with „vmbr“. Otherwise you cannot select them through the GUI.
  • Bridges in general must be some sort of „network card“. A tap interface should work as well. Tun interfaces (like gre[tun]) do not have a MAC address (00:00:00:00:00:00) and therefore cannot be bridged.
  • So in order to connect tunnel interfaces to containers/VMs, you have to route (and not bridge).

Here is my config. It is a bit messy, since I put everything into one single file. But having a gre.sh with 777 permissions is also not ideal.
The hashtag symbol is for comments. The comment is always before the section that is described.
PLEASE read everything one by one and try to understand it!

# Start that bridge on startup
# Comment this line out for the first test. So, in case you lose connection to your server, you can simply restart the server without creating that misconfigured bridge again.
auto vmbr200

# Nearly every name that starts with vmbr can be used.
# Define a static bridge without any parent interfaces
# Use your main ip of your proxmox instance. You can use any /32 private ip as well. This makes no difference.
iface vmbr200 inet static
    address [MAIN IP]/32
    bridge-ports none
    bridge-stp off
    bridge-fd 0
    # Set the mtu explicitly on the bridge interface.
    # Containers will adapt the mtu.
    # VMs do not adapt the mtu by default. Either set it through the gui to 1476 or to 1 (= special meaning, aka adapt the mtu)
    mtu 1476

    # Proxmox Firewall blocks incoming traffic by default. Outgoing traffic is fine.
    # Allow incoming gre traffic
    # You could do this in the gui as well
    # Using -I (for insert instead of append) to have a higher priority than the default Proxmox rules
    post-up iptables -I INPUT -s [NOEZ EXTERNAL REMOTE IP] -d [MAIN IP] -p gre -j ACCEPT

    # Create the gre tunnel.
    # You can name your tunnel nearly everything you want. gre0 is prohibited.
    # I prefer some catchy names.
    post-up ip tunnel add greNeptun mode gre local [MAIN IP] remote [NOEZ EXTERNAL REMOTE IP] ttl 255
    post-up ip link set dev greNeptun mtu 1476
    # Add the private tunnel-ip to the gre tunnel.
    # The system knows by /30 that the gateway IP is accessible through the gre tunnel
    post-up ip addr add [NOEZ INTERNAL CLIENT IP]/30 dev greNeptun
    # Start the tunnel
    post-up ip link set dev greNeptun up

    # Put incoming traffic into table 20 (repeat for every additional ip)
    post-up ip rule add to [NOEZ ADDITIONAL PUBLIC IP]/32 table 20 prio 1

    # Route incoming traffic to vmbr200 (repeat for every additional ip)
    post-up ip route add [NOEZ ADDITIONAL PUBLIC IP]/32 dev vmbr200 table 20

    # Put outgoing traffic into table 21 (repeat for every additional ip)
    post-up ip rule add from [NOEZ ADDITIONAL PUBLIC IP]/32 table 21 prio 2

    # Route everything else through the tunnel
    post-up ip route add default via [NOEZ TUNNEL GATEWAY IP] table 21

    # Allow Forwarding between these interfaces
    post-up iptables -I FORWARD -i greNeptun -o vmbr200 -j ACCEPT
    post-up iptables -I FORWARD -i vmbr200 -o vmbr200 -j ACCEPT
    post-up iptables -I FORWARD -i vmbr200 -o greNeptun -j ACCEPT

    # --- CLEAN SHUTDOWN ---

    # Disallow Forwarding
    pre-down iptables -D FORWARD -i greNeptun -o vmbr200 -j ACCEPT
    pre-down iptables -D FORWARD -i vmbr200 -o vmbr200 -j ACCEPT
    pre-down iptables -D FORWARD -i vmbr200 -o greNeptun -j ACCEPT

    # Flush Rules (you do not have to delete every rule manually)
    pre-down ip rule flush table 20
    pre-down ip rule flush table 21

    # Flush Routes (you do not have to delete every route manually)
    pre-down ip route flush table 20
    pre-down ip route flush table 21

    # Stop Tunnel
    pre-down ip link set dev greNeptun down

    # Delete GRE-Tunnel
    pre-down ip link del dev greNeptun

    # Disallow GRE-Tunnel (Deleting the rule)
    pre-down iptables -D INPUT -s [NOEZ EXTERNAL REMOTE IP] -d [MAIN IP] -p gre -j ACCEPT

What my setup does:

  • It creates a new bridge named vmbr200 and sets the main IP of my Proxmox host. I simply reuse that.
  • After this bridge is created, I create the tunnel interface and configure that as well.
  • Traffic from/to the tunnel/the containers/VMs gets separated by the rules into different tables.
  • Depending on the table, the traffic gets routed differently.
  • On shutdown everything should be removed correctly.

What my setup does not:

  • Create a rule in order to allow pinging the Proxmox host from the containers/VMs.
  • Use an additional NOEZ IP for my Proxmox host. This can be tricky to understand.
  • Change the ip_forward setting to 1. Which is really important!

Additional info about vms (important):
Containers adapt the MTU, and through the GUI the gateway IP is set correctly. VMs are different.
Since every /32 IP is outside of another /32, most distros do not allow setting the gateway during installation. This leads to the scenario that I always have to do the installation without an internet connection. I always have to set the IP afterwards. AND I always have to install resolvconf and configure the mirrors manually. This is not easy!

What you might have noticed:
There is no single line mentioning the enoX/ethX/enpXsY or any other vmbr interface. As said, it makes no difference whether you are using a bridged or a routed setup for Proxmox.

Last but not least:
As you might have noticed, there are multiple ways of configuring GRE tunnels. This is my solution.
Using GRE tunnels correctly is not easy. Please read everything! And maybe add some more information in your next comment. Otherwise we cannot help you. Literally nobody wants to write such long explanations ^^
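An added example, not code from any post in this thread: a small Python linter that checks an /etc/network/interfaces stanza of the shape posted above for the pitfalls the thread names (explicit bridge MTU of at most 1476, an INPUT rule for protocol gre, a default route in the table that catches outgoing traffic, ip_forward, and a pre-down delete for every post-up iptables insert). Interface names and addresses in the sample stanza are constructed.

```python
"""Added example: lint a Proxmox /etc/network/interfaces stanza for the GRE
pitfalls from the thread (bridge MTU, gre INPUT rule, default route in the
outgoing table, ip_forward, matching pre-down cleanup of iptables rules)."""
import re

GRE_OVERHEAD = 24                    # outer IPv4 header (20) + GRE header (4)
MAX_GRE_MTU = 1500 - GRE_OVERHEAD    # 1476, the value used in the posted config


def lint_stanza(text: str) -> list[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    mtu = re.search(r"^\s*mtu\s+(\d+)\s*$", text, re.M)
    if mtu is None:
        findings.append("no explicit mtu on the bridge: VMs keep 1500 and big packets are dropped")
    elif int(mtu.group(1)) > MAX_GRE_MTU:
        findings.append(f"mtu {mtu.group(1)} is above {MAX_GRE_MTU} (1500 minus GRE overhead)")
    if not re.search(r"iptables -I INPUT .*-p gre -j ACCEPT", text):
        findings.append("no INPUT rule accepting protocol gre from the remote endpoint")
    # every table selected by a 'from <ip>' rule needs a default route via the tunnel
    for table in sorted(set(re.findall(r"ip rule add from \S+ table (\d+)", text))):
        if not re.search(rf"ip route add default via \S+ table {table}\b", text):
            findings.append(f"table {table} has no default route through the tunnel")
    if "ip_forward" not in text:
        findings.append("net.ipv4.ip_forward is never enabled here; without it nothing is forwarded")
    # clean shutdown: each 'post-up iptables -I ...' wants a matching 'pre-down iptables -D ...'
    added = set(re.findall(r"post-up iptables -I (.+)$", text, re.M))
    removed = set(re.findall(r"pre-down iptables -D (.+)$", text, re.M))
    for rule in sorted(added - removed):
        findings.append(f"iptables rule added on post-up but never deleted on pre-down: {rule}")
    return findings


# Constructed sample (addresses from documentation ranges): a stanza that
# builds the tunnel but makes the mistakes the thread warns about.
BAD_STANZA = """\
auto vmbr200
iface vmbr200 inet static
    address 192.0.2.10/32
    bridge-ports none
    post-up ip tunnel add greDemo mode gre local 192.0.2.10 remote 198.51.100.1 ttl 255
    post-up ip addr add 10.0.0.2/30 dev greDemo
    post-up ip link set dev greDemo up
    post-up ip rule add from 203.0.113.5/32 table 21 prio 2
    post-up iptables -I FORWARD -i greDemo -o vmbr200 -j ACCEPT
"""


def lint_bad_sample() -> list[str]:
    return lint_stanza(BAD_STANZA)
```

Running `lint_bad_sample()` reports five findings for the constructed stanza; adding the MTU, the gre INPUT rule, the table 21 default route, the ip_forward sysctl and the pre-down deletes brings it to an empty list.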