How to utilize a GRE / IPIP Tunnel with a Mikrotik Router

GRE / IPIP Tunnel for X4B protected services with Mikrotik routers

MikroTik RouterOS is a low cost router operating system which can be installed on either MikroTik proprietary Router Board's or standard x86 hardware. This operating system is based off Linux and features full support for GRE & IP-in-IP tunnels.

This tutorial will guide you through the steps to install a GRE or IP-in-IP tunnel on Mikrotik RouterOS 5.x.

Requirements:

• A X4B DDoS Protected Service
• A router with Mikrotik 5.x RouterOS

Notes:

This tutorial is for the configuration of a Singlehomed service, repeat as necessary for a multi-homed service or multiple tunnels.

Steps:

All variables expressed in commands have been expressed using a PHP-like syntax in terms of the variable names used in the Linux server bash script provided.

Step 1

Create IP-in-IP or GRE tunnel in X4B dashboard, this tunnel should be setup to be delivered to your routers public IP address. For this tutorial we wont use a GRE key, so un-tick that in the dashboard.

Step 2

Create port entries in the X4B dashboard (Single, Port Range or DMZ) as needed. These entries should be of type TCP (Tunnel), UDP (Tunnel) or HTTP (Tunnel).

Step 3

Create interface in Mikrotik RouterOS.

For IPIP (IP in IP):

/interface ipip
add disabled=no dscp=0 local-address=$LOCAL_ADDR mtu=1180 name=X4B-Tunnel \
    remote-address=$FILTER_ADDR

For GRE:

/interface gre
add disabled=no dscp=0 local-address=$LOCAL_ADDR mtu=1180 name=X4B-Tunnel \
    remote-address=$FILTER_ADDR

Step 4

Add the Tunnel IP addresses. These can be retreived from the Information page of your X4B Tunnel.

/ip address
add address=$INTERNAL_ADDR[0]/30 disabled=no interface=X4B-IP-Tunnel network=\
    $NETWORK

For example

NETWORK=10.17.21.16
GATEWAY=10.17.21.17
INTERNAL_ADDR=(10.17.21.18)

/ip address
add address=10.17.21.18/30 disabled=no interface=X4B-IP-Tunnel network=\
    10.17.21.16 

Step 5

It may also be necessary to allow all IP addresses through the firewall.

/ip firewall filter
add action=accept chain=input disabled=no src-address=$FILTER_ADDR
add action=accept chain=output disabled=no dst-address=$FILTER_ADDR
add action=accept chain=input disabled=no dst-port=80 protocol=tcp

Step 6

Create port forwardings (NAT) on your side (My Web Server IP 192.168.0.7). This example forwards 80 (TCP), replace this as required.

/ip firewall nat
add action=dst-nat chain=dstnat disabled=no dst-address=10.17.21.18 dst-port=\
    80 in-interface=X4B-Tunnel protocol=tcp to-addresses=192.168.0.7 \
    to-ports=80

Step 7

Create your server IP address on /ip firewall address-list menu . Let 192.168.0.7 be the IP address of the webserver.

/ip firewall address-list
add address=192.168.0.7 disabled=no list=WEBSERVER

Step 8

Create Routing Mangle for IP Routing

/ip firewall mangle
add action=mark-routing chain=prerouting comment="X4B Routing Mangle" disabled=no \
    new-routing-mark=X4B passthrough=no src-address-list=WEBSERVER

Step 9

Finally Create Route for sending packets over the GRE tunnel.

/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=X4B-Tunnel routing-mark=X4B scope=30 target-scope=10