GRE / IPIP Tunnel for X4B protected services with Mikrotik routers
MikroTik RouterOS is a low-cost router operating system which can be installed on either MikroTik's proprietary RouterBOARD hardware or standard x86 hardware. The operating system is based on Linux and fully supports GRE and IP-in-IP tunnels.
This tutorial will guide you through the steps to set up a GRE or IP-in-IP tunnel on MikroTik RouterOS 5.x.
- An X4B DDoS Protected Service
- A router with Mikrotik 5.x RouterOS
This tutorial covers the configuration of a single-homed service; repeat as necessary for a multi-homed service or multiple tunnels.
Variables in the commands are written in a PHP-like syntax ($NAME), using the variable names from the Linux server bash script provided.
Create an IP-in-IP or GRE tunnel in the X4B dashboard. The tunnel should be set up to be delivered to your router's public IP address. This tutorial does not use a GRE key, so un-tick that in the dashboard.
Create port entries in the X4B dashboard (Single, Port Range or DMZ) as needed. These entries should be of type TCP (Tunnel), UDP (Tunnel) or HTTP (Tunnel).
Create the tunnel interface in MikroTik RouterOS.
For IPIP (IP in IP):
/interface ipip add disabled=no dscp=0 local-address=$LOCAL_ADDR mtu=1180 name=X4B-Tunnel \
    remote-address=$FILTER_ADDR
For GRE:
/interface gre add disabled=no dscp=0 local-address=$LOCAL_ADDR mtu=1180 name=X4B-Tunnel \
    remote-address=$FILTER_ADDR
Add the tunnel IP addresses. These can be retrieved from the Information page of your X4B Tunnel. The interface name must match the tunnel interface created above (X4B-Tunnel).
/ip address add address=$INTERNAL_ADDR/30 disabled=no interface=X4B-Tunnel network=$NETWORK
For example, with NETWORK=10.17.21.16, GATEWAY=10.17.21.17 and INTERNAL_ADDR=10.17.21.18:
/ip address add address=10.17.21.18/30 disabled=no interface=X4B-Tunnel network=10.17.21.16
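A mistyped dashboard value or a mismatched interface name leaves the tunnel silently down, so it helps to check the values before pasting commands into the router. The following is an added example, not part of the original tutorial or X4B's tooling: the function name tunnel_commands is hypothetical and the two endpoint addresses are constructed documentation addresses.

```python
import ipaddress


def tunnel_commands(kind, local_addr, filter_addr, internal_addr, gateway,
                    name="X4B-Tunnel", mtu=1180):
    """Validate the dashboard values, then return the two RouterOS commands."""
    if kind not in ("gre", "ipip"):
        raise ValueError("kind must be 'gre' or 'ipip'")
    local = ipaddress.IPv4Address(local_addr)
    remote = ipaddress.IPv4Address(filter_addr)
    if local == remote:
        raise ValueError("local and remote endpoints are the same address")

    # INTERNAL_ADDR/30 fixes the tunnel network: network, two hosts, broadcast.
    inner = ipaddress.IPv4Address(internal_addr)
    gw = ipaddress.IPv4Address(gateway)
    net = ipaddress.IPv4Interface(f"{inner}/30").network
    hosts = list(net.hosts())
    if inner not in hosts:
        raise ValueError(f"{inner} is the network or broadcast address of {net}")
    if gw not in hosts or gw == inner:
        raise ValueError(f"gateway {gw} is not the other host address in {net}")
    if local in net or remote in net:
        raise ValueError("a tunnel endpoint falls inside the tunnel /30")

    # One shared name keeps the address bound to the interface just created.
    return [
        f"/interface {kind} add disabled=no dscp=0 local-address={local} "
        f"mtu={mtu} name={name} remote-address={remote}",
        f"/ip address add address={inner}/30 disabled=no interface={name} "
        f"network={net.network_address}",
    ]


if __name__ == "__main__":
    # Constructed sample: endpoints are documentation addresses (RFC 5737);
    # the tunnel addresses are the ones from the tutorial's example.
    for line in tunnel_commands("gre", "198.51.100.10", "203.0.113.5",
                                "10.17.21.18", "10.17.21.17"):
        print(line)
```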
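It may also be necessary to allow the tunnel traffic through the firewall. The rules below accept traffic from and to $FILTER_ADDR, and inbound TCP port 80. Note that the input chain covers traffic addressed to the router itself, and the port 80 rule as written is not limited to the tunnel interface.
/ip firewall filter
add action=accept chain=input disabled=no src-address=$FILTER_ADDR
add action=accept chain=output disabled=no dst-address=$FILTER_ADDR
add action=accept chain=input disabled=no dst-port=80 protocol=tcp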
Create port forwarding (NAT) rules on your side. In this example the web server IP is 192.168.0.7 and port 80 (TCP) is forwarded; replace these as required.
/ip firewall nat add action=dst-nat chain=dstnat disabled=no dst-address=10.17.21.18 dst-port=80 \
    in-interface=X4B-Tunnel protocol=tcp to-addresses=192.168.0.7 to-ports=80
Add your server's IP address in the /ip firewall address-list menu. Let 192.168.0.7 be the IP address of the web server.
/ip firewall address-list add address=192.168.0.7 disabled=no list=WEBSERVER
Create the routing mangle rule for IP routing.
/ip firewall mangle add action=mark-routing chain=prerouting comment="X4B Routing Mangle" disabled=no \
    new-routing-mark=X4B passthrough=no src-address-list=WEBSERVER
Finally, create the route for sending packets over the GRE tunnel.
/ip route add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=X4B-Tunnel routing-mark=X4B \
    scope=30 target-scope=10