LINUX.ORG.RU
решено ФорумAdmin

GRE lt40<>lt40 yota

 , , ,


0

1

Здравствуйте.

Который день бьюсь с задачей, ни как не получается настроить правильную работу туннеля GRE. Перекопал весь интернет, но правильно сформулировать вопрос не могу, т.к. не знаю в чем точно затык. Делал тупо по инструкции от производителя. Туннель формируется, но пинг не проходит (на интерфейсе wan приходит пакет, но ответ от него unreachable)

Первое устройство:

iptables-save

# Generated by iptables-save v1.6.2 on Thu Jul  1 14:06:33 2021
*raw
:PREROUTING ACCEPT [3552:595142]
:OUTPUT ACCEPT [1727:213867]
:zone_lan_helper - [0:0]
-A PREROUTING -i br-lan -m comment --comment "!fw3: lan CT helper assignment" -j zone_lan_helper
COMMIT
# Completed on Thu Jul  1 14:06:33 2021
# Generated by iptables-save v1.6.2 on Thu Jul  1 14:06:33 2021
*nat
:PREROUTING ACCEPT [2240:511378]
:INPUT ACCEPT [54:3572]
:OUTPUT ACCEPT [200:9052]
:POSTROUTING ACCEPT [0:0]
:postrouting_VPN_rule - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_VPN_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_VPN_postrouting - [0:0]
:zone_VPN_prerouting - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
-A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
-A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
-A PREROUTING -i rmnet_data0 -m comment --comment "!fw3" -j zone_wan_prerouting
-A PREROUTING -i gre_GRE1 -m comment --comment "!fw3" -j zone_VPN_prerouting
-A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
-A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
-A POSTROUTING -o rmnet_data0 -m comment --comment "!fw3" -j zone_wan_postrouting
-A POSTROUTING -o gre_GRE1 -m comment --comment "!fw3" -j zone_VPN_postrouting
-A zone_VPN_postrouting -m comment --comment "!fw3: Custom VPN postrouting rule chain" -j postrouting_VPN_rule
-A zone_VPN_postrouting -m comment --comment "!fw3" -j MASQUERADE
-A zone_VPN_prerouting -m comment --comment "!fw3: Custom VPN prerouting rule chain" -j prerouting_VPN_rule
-A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
-A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
-A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
-A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
-A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
COMMIT
# Completed on Thu Jul  1 14:06:33 2021
# Generated by iptables-save v1.6.2 on Thu Jul  1 14:06:33 2021
*mangle
:PREROUTING ACCEPT [3734:611091]
:INPUT ACCEPT [2180:118815]
:FORWARD ACCEPT [204:25626]
:OUTPUT ACCEPT [1900:236839]
:POSTROUTING ACCEPT [2089:261865]
COMMIT
# Completed on Thu Jul  1 14:06:33 2021
# Generated by iptables-save v1.6.2 on Thu Jul  1 14:06:33 2021
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_VPN_rule - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_VPN_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_VPN_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_VPN_dest_ACCEPT - [0:0]
:zone_VPN_forward - [0:0]
:zone_VPN_input - [0:0]
:zone_VPN_output - [0:0]
:zone_VPN_src_ACCEPT - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
-A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
-A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
-A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
-A INPUT -i rmnet_data0 -m comment --comment "!fw3" -j zone_wan_input
-A INPUT -i gre_GRE1 -m comment --comment "!fw3" -j zone_VPN_input
-A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
-A FORWARD -i rmnet_data0 -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -i gre_GRE1 -m comment --comment "!fw3" -j zone_VPN_forward
-A FORWARD -m comment --comment "!fw3" -j reject
-A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
-A OUTPUT -o rmnet_data0 -m comment --comment "!fw3" -j zone_wan_output
-A OUTPUT -o gre_GRE1 -m comment --comment "!fw3" -j zone_VPN_output
-A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
-A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
-A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
-A syn_flood -m comment --comment "!fw3" -j DROP
-A zone_VPN_dest_ACCEPT -o gre_GRE1 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_VPN_dest_ACCEPT -o gre_GRE1 -m comment --comment "!fw3" -j ACCEPT
-A zone_VPN_forward -m comment --comment "!fw3: Custom VPN forwarding rule chain" -j forwarding_VPN_rule
-A zone_VPN_forward -m comment --comment "!fw3: Zone VPN to lan forwarding policy" -j zone_lan_dest_ACCEPT
-A zone_VPN_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_VPN_forward -m comment --comment "!fw3" -j zone_VPN_dest_ACCEPT
-A zone_VPN_input -m comment --comment "!fw3: Custom VPN input rule chain" -j input_VPN_rule
-A zone_VPN_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_VPN_input -m comment --comment "!fw3" -j zone_VPN_src_ACCEPT
-A zone_VPN_output -m comment --comment "!fw3: Custom VPN output rule chain" -j output_VPN_rule
-A zone_VPN_output -m comment --comment "!fw3" -j zone_VPN_dest_ACCEPT
-A zone_VPN_src_ACCEPT -i gre_GRE1 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
-A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: Zone lan to VPN forwarding policy" -j zone_VPN_dest_ACCEPT
-A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
-A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
-A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
-A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_ACCEPT -o rmnet_data0 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o rmnet_data0 -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_REJECT -o rmnet_data0 -m comment --comment "!fw3" -j reject
-A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
-A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
-A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
-A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
-A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
-A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
-A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
-A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
-A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
-A zone_wan_src_REJECT -i rmnet_data0 -m comment --comment "!fw3" -j reject
COMMIT

ip a

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: tunl0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN
    link/ipip 0.0.0.0 brd 0.0.0.0
3: gre0@NONE: <NOARP> mtu 1476 qdisc noop state DOWN
    link/gre 0.0.0.0 brd 0.0.0.0
4: gretap0@NONE: <BROADCAST,MULTICAST> mtu 1462 qdisc noop state DOWN qlen 1000
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
5: sit0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN
    link/sit 0.0.0.0 brd 0.0.0.0
6: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br-lan state UP qlen 1000
    link/ether be:45:43:80:65:4e brd ff:ff:ff:ff:ff:ff
7: rmnet0: <UP,LOWER_UP> mtu 2000 qdisc pfifo_fast state UNKNOWN qlen 1000
    link/[530]
8: rmnet_data0: <UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
    link/[530]
    inet 109.188.67.***/30 scope global rmnet_data0
       valid_lft forever preferred_lft forever
    inet6 fe80::6894:4acb:4f36:****/64 scope link
       valid_lft forever preferred_lft forever
9: rmnet_data1: <> mtu 1500 qdisc noop state DOWN qlen 1000
    link/[530]
10: rmnet_data2: <> mtu 1500 qdisc noop state DOWN qlen 1000
    link/[530]
11: rmnet_data3: <> mtu 1500 qdisc noop state DOWN qlen 1000
    link/[530]
12: rmnet_data4: <> mtu 1500 qdisc noop state DOWN qlen 1000
    link/[530]
13: rmnet_data5: <> mtu 1500 qdisc noop state DOWN qlen 1000
    link/[530]
14: rmnet_data6: <> mtu 1500 qdisc noop state DOWN qlen 1000
    link/[530]
15: rmnet_data7: <> mtu 1500 qdisc noop state DOWN qlen 1000
    link/[530]
16: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
    link/ether be:45:43:80:65:4e brd ff:ff:ff:ff:ff:ff
    inet 192.168.88.1/24 brd 192.168.88.255 scope global br-lan
       valid_lft forever preferred_lft forever
    inet6 fd32:9407:9f4c::1/60 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::bc45:43ff:fe80:654e/64 scope link
       valid_lft forever preferred_lft forever
19: gre_GRE1@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1476 qdisc noqueue state UNKNOWN
    link/gre 109.188.67.*** peer 109.188.84.***
    inet 10.81.105.5/24 scope global gre_GRE1
       valid_lft forever preferred_lft forever
    inet6 fe80::200:5efe:6dbc:****/64 scope link
       valid_lft forever preferred_lft forever

ip route

default via 109.188.67.*** dev rmnet_data0  proto static  src 109.188.67.***
10.81.105.0/24 dev gre_GRE1  proto kernel  scope link  src 10.81.105.5
109.188.67.***/30 dev rmnet_data0  proto kernel  scope link  src 109.188.67.***
192.168.88.0/24 dev br-lan  proto kernel  scope link  src 192.168.88.1
192.168.90.0/24 dev gre_GRE1  scope link

iptables -L

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             /* !fw3 */
input_rule  all  --  anywhere             anywhere             /* !fw3: Custom input rule chain */
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED /* !fw3 */
syn_flood  tcp  --  anywhere             anywhere             tcp flags:FIN,SYN,RST,ACK/SYN /* !fw3 */
zone_lan_input  all  --  anywhere             anywhere             /* !fw3 */
zone_wan_input  all  --  anywhere             anywhere             /* !fw3 */
zone_VPN_input  all  --  anywhere             anywhere             /* !fw3 */

Chain FORWARD (policy DROP)
target     prot opt source               destination
forwarding_rule  all  --  anywhere             anywhere             /* !fw3: Custom forwarding rule chain */
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED /* !fw3 */
zone_lan_forward  all  --  anywhere             anywhere             /* !fw3 */
zone_wan_forward  all  --  anywhere             anywhere             /* !fw3 */
zone_VPN_forward  all  --  anywhere             anywhere             /* !fw3 */
reject     all  --  anywhere             anywhere             /* !fw3 */

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
DROP       udp  --  anywhere             anywhere             udp dpt:1900 /* Drop SSDP on WWAN */
DROP       udp  --  anywhere             anywhere             udp dpt:1900 /* Drop SSDP on WWAN */
DROP       udp  --  anywhere             anywhere             udp dpt:1900 /* Drop SSDP on WWAN */
DROP       udp  --  anywhere             anywhere             udp dpt:1900 /* Drop SSDP on WWAN */
DROP       udp  --  anywhere             anywhere             udp dpt:1900 /* Drop SSDP on WWAN */
DROP       udp  --  anywhere             anywhere             udp dpt:1900 /* Drop SSDP on WWAN */
DROP       udp  --  anywhere             anywhere             udp dpt:1900 /* Drop SSDP on WWAN */
DROP       udp  --  anywhere             anywhere             udp dpt:1900 /* Drop SSDP on WWAN */
ACCEPT     all  --  anywhere             anywhere             /* !fw3 */
output_rule  all  --  anywhere             anywhere             /* !fw3: Custom output rule chain */
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED /* !fw3 */
zone_lan_output  all  --  anywhere             anywhere             /* !fw3 */
zone_wan_output  all  --  anywhere             anywhere             /* !fw3 */
zone_VPN_output  all  --  anywhere             anywhere             /* !fw3 */

Chain forwarding_VPN_rule (1 references)
target     prot opt source               destination

Chain forwarding_lan_rule (1 references)
target     prot opt source               destination

Chain forwarding_rule (1 references)
target     prot opt source               destination

Chain forwarding_wan_rule (1 references)
target     prot opt source               destination

Chain input_VPN_rule (1 references)
target     prot opt source               destination

Chain input_lan_rule (1 references)
target     prot opt source               destination

Chain input_rule (1 references)
target     prot opt source               destination

Chain input_wan_rule (1 references)
target     prot opt source               destination

Chain output_VPN_rule (1 references)
target     prot opt source               destination

Chain output_lan_rule (1 references)
target     prot opt source               destination

Chain output_rule (1 references)
target     prot opt source               destination

Chain output_wan_rule (1 references)
target     prot opt source               destination

Chain reject (3 references)
target     prot opt source               destination
REJECT     tcp  --  anywhere             anywhere             /* !fw3 */ reject-with tcp-reset
REJECT     all  --  anywhere             anywhere             /* !fw3 */ reject-with icmp-port-unreachable

Chain syn_flood (1 references)
target     prot opt source               destination
RETURN     tcp  --  anywhere             anywhere             tcp flags:FIN,SYN,RST,ACK/SYN limit: avg 25/sec burst 50 /* !fw3 */
DROP       all  --  anywhere             anywhere             /* !fw3 */

Chain zone_VPN_dest_ACCEPT (3 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere             ctstate INVALID /* !fw3: Prevent NAT leakage */
ACCEPT     all  --  anywhere             anywhere             /* !fw3 */

Chain zone_VPN_forward (1 references)
target     prot opt source               destination
forwarding_VPN_rule  all  --  anywhere             anywhere             /* !fw3: Custom VPN forwarding rule chain */
zone_lan_dest_ACCEPT  all  --  anywhere             anywhere             /* !fw3: Zone VPN to lan forwarding policy */
ACCEPT     all  --  anywhere             anywhere             ctstate DNAT /* !fw3: Accept port forwards */
zone_VPN_dest_ACCEPT  all  --  anywhere             anywhere             /* !fw3 */

Chain zone_VPN_input (1 references)
target     prot opt source               destination
input_VPN_rule  all  --  anywhere             anywhere             /* !fw3: Custom VPN input rule chain */
ACCEPT     all  --  anywhere             anywhere             ctstate DNAT /* !fw3: Accept port redirections */
zone_VPN_src_ACCEPT  all  --  anywhere             anywhere             /* !fw3 */

Chain zone_VPN_output (1 references)
target     prot opt source               destination
output_VPN_rule  all  --  anywhere             anywhere             /* !fw3: Custom VPN output rule chain */
zone_VPN_dest_ACCEPT  all  --  anywhere             anywhere             /* !fw3 */

Chain zone_VPN_src_ACCEPT (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             ctstate NEW,UNTRACKED /* !fw3 */

Chain zone_lan_dest_ACCEPT (5 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             /* !fw3 */

Chain zone_lan_forward (1 references)
target     prot opt source               destination
forwarding_lan_rule  all  --  anywhere             anywhere             /* !fw3: Custom lan forwarding rule chain */
zone_wan_dest_ACCEPT  all  --  anywhere             anywhere             /* !fw3: Zone lan to wan forwarding policy */
zone_VPN_dest_ACCEPT  all  --  anywhere             anywhere             /* !fw3: Zone lan to VPN forwarding policy */
ACCEPT     all  --  anywhere             anywhere             ctstate DNAT /* !fw3: Accept port forwards */
zone_lan_dest_ACCEPT  all  --  anywhere             anywhere             /* !fw3 */

Chain zone_lan_input (1 references)
target     prot opt source               destination
input_lan_rule  all  --  anywhere             anywhere             /* !fw3: Custom lan input rule chain */
ACCEPT     all  --  anywhere             anywhere             ctstate DNAT /* !fw3: Accept port redirections */
zone_lan_src_ACCEPT  all  --  anywhere             anywhere             /* !fw3 */

Chain zone_lan_output (1 references)
target     prot opt source               destination
output_lan_rule  all  --  anywhere             anywhere             /* !fw3: Custom lan output rule chain */
zone_lan_dest_ACCEPT  all  --  anywhere             anywhere             /* !fw3 */

Chain zone_lan_src_ACCEPT (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             ctstate NEW,UNTRACKED /* !fw3 */

Chain zone_wan_dest_ACCEPT (2 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere             ctstate INVALID /* !fw3: Prevent NAT leakage */
ACCEPT     all  --  anywhere             anywhere             /* !fw3 */

Chain zone_wan_dest_REJECT (1 references)
target     prot opt source               destination
reject     all  --  anywhere             anywhere             /* !fw3 */

Chain zone_wan_forward (1 references)
target     prot opt source               destination
forwarding_wan_rule  all  --  anywhere             anywhere             /* !fw3: Custom wan forwarding rule chain */
zone_lan_dest_ACCEPT  esp  --  anywhere             anywhere             /* !fw3: Allow-IPSec-ESP */
zone_lan_dest_ACCEPT  udp  --  anywhere             anywhere             udp dpt:isakmp /* !fw3: Allow-ISAKMP */
ACCEPT     all  --  anywhere             anywhere             ctstate DNAT /* !fw3: Accept port forwards */
zone_wan_dest_REJECT  all  --  anywhere             anywhere             /* !fw3 */

Chain zone_wan_input (1 references)
target     prot opt source               destination
input_wan_rule  all  --  anywhere             anywhere             /* !fw3: Custom wan input rule chain */
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootpc /* !fw3: Allow-DHCP-Renew */
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request /* !fw3: Allow-Ping */
ACCEPT     igmp --  anywhere             anywhere             /* !fw3: Allow-IGMP */
ACCEPT     all  --  anywhere             anywhere             ctstate DNAT /* !fw3: Accept port redirections */
zone_wan_src_REJECT  all  --  anywhere             anywhere             /* !fw3 */

Chain zone_wan_output (1 references)
target     prot opt source               destination
output_wan_rule  all  --  anywhere             anywhere             /* !fw3: Custom wan output rule chain */
zone_wan_dest_ACCEPT  all  --  anywhere             anywhere             /* !fw3 */

Chain zone_wan_src_REJECT (1 references)
target     prot opt source               destination
reject     all  --  anywhere             anywhere             /* !fw3 */

Второе устройство:

ip a

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: tunl0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN
    link/ipip 0.0.0.0 brd 0.0.0.0
3: gre0@NONE: <NOARP> mtu 1476 qdisc noop state DOWN
    link/gre 0.0.0.0 brd 0.0.0.0
4: gretap0@NONE: <BROADCAST,MULTICAST> mtu 1462 qdisc noop state DOWN qlen 1000
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
5: sit0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN
    link/sit 0.0.0.0 brd 0.0.0.0
6: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br-lan state UP qlen 1000
    link/ether 02:47:df:a6:b2:da brd ff:ff:ff:ff:ff:ff
7: rmnet0: <UP,LOWER_UP> mtu 2000 qdisc pfifo_fast state UNKNOWN qlen 1000
    link/[530]
8: rmnet_data0: <UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
    link/[530]
    inet 109.188.84.***/30 scope global rmnet_data0
       valid_lft forever preferred_lft forever
    inet6 fe80::a51f:d5b9:65f6:****/64 scope link
       valid_lft forever preferred_lft forever
9: rmnet_data1: <> mtu 1500 qdisc noop state DOWN qlen 1000
    link/[530]
10: rmnet_data2: <> mtu 1500 qdisc noop state DOWN qlen 1000
    link/[530]
11: rmnet_data3: <> mtu 1500 qdisc noop state DOWN qlen 1000
    link/[530]
12: rmnet_data4: <> mtu 1500 qdisc noop state DOWN qlen 1000
    link/[530]
13: rmnet_data5: <> mtu 1500 qdisc noop state DOWN qlen 1000
    link/[530]
14: rmnet_data6: <> mtu 1500 qdisc noop state DOWN qlen 1000
    link/[530]
15: rmnet_data7: <> mtu 1500 qdisc noop state DOWN qlen 1000
    link/[530]
16: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
    link/ether 02:47:df:a6:b2:da brd ff:ff:ff:ff:ff:ff
    inet 192.168.90.1/24 brd 192.168.90.255 scope global br-lan
       valid_lft forever preferred_lft forever
    inet6 fd44:59d4:5862::1/60 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::47:dfff:fea6:b2da/64 scope link
       valid_lft forever preferred_lft forever
19: gre_GRE1@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1476 qdisc noqueue state UNKNOWN
    link/gre 109.188.84.*** peer 109.188.67.***
    inet 10.81.105.6/24 scope global gre_GRE1
       valid_lft forever preferred_lft forever
    inet6 fe80::200:5efe:6dbc:****/64 scope link
       valid_lft forever preferred_lft forever

ip route

default via 109.188.84.*** dev rmnet_data0  proto static  src 109.188.84.***
10.81.105.0/24 dev gre_GRE1  proto kernel  scope link  src 10.81.105.6
109.188.84.***/30 dev rmnet_data0  proto kernel  scope link  src 109.188.84.***
192.168.88.0/24 dev gre_GRE1  scope link
192.168.90.0/24 dev br-lan  proto kernel  scope link  src 192.168.90.1

iptables -L

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             /* !fw3 */
input_rule  all  --  anywhere             anywhere             /* !fw3: Custom input rule chain */
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED /* !fw3 */
syn_flood  tcp  --  anywhere             anywhere             tcp flags:FIN,SYN,RST,ACK/SYN /* !fw3 */
zone_lan_input  all  --  anywhere             anywhere             /* !fw3 */
zone_wan_input  all  --  anywhere             anywhere             /* !fw3 */
zone_VPN_input  all  --  anywhere             anywhere             /* !fw3 */

Chain FORWARD (policy DROP)
target     prot opt source               destination
forwarding_rule  all  --  anywhere             anywhere             /* !fw3: Custom forwarding rule chain */
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED /* !fw3 */
zone_lan_forward  all  --  anywhere             anywhere             /* !fw3 */
zone_wan_forward  all  --  anywhere             anywhere             /* !fw3 */
zone_VPN_forward  all  --  anywhere             anywhere             /* !fw3 */
reject     all  --  anywhere             anywhere             /* !fw3 */

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
DROP       udp  --  anywhere             anywhere             udp dpt:1900 /* Drop SSDP on WWAN */
DROP       udp  --  anywhere             anywhere             udp dpt:1900 /* Drop SSDP on WWAN */
DROP       udp  --  anywhere             anywhere             udp dpt:1900 /* Drop SSDP on WWAN */
DROP       udp  --  anywhere             anywhere             udp dpt:1900 /* Drop SSDP on WWAN */
DROP       udp  --  anywhere             anywhere             udp dpt:1900 /* Drop SSDP on WWAN */
DROP       udp  --  anywhere             anywhere             udp dpt:1900 /* Drop SSDP on WWAN */
DROP       udp  --  anywhere             anywhere             udp dpt:1900 /* Drop SSDP on WWAN */
DROP       udp  --  anywhere             anywhere             udp dpt:1900 /* Drop SSDP on WWAN */
ACCEPT     all  --  anywhere             anywhere             /* !fw3 */
output_rule  all  --  anywhere             anywhere             /* !fw3: Custom output rule chain */
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED /* !fw3 */
zone_lan_output  all  --  anywhere             anywhere             /* !fw3 */
zone_wan_output  all  --  anywhere             anywhere             /* !fw3 */
zone_VPN_output  all  --  anywhere             anywhere             /* !fw3 */

Chain forwarding_VPN_rule (1 references)
target     prot opt source               destination

Chain forwarding_lan_rule (1 references)
target     prot opt source               destination

Chain forwarding_rule (1 references)
target     prot opt source               destination

Chain forwarding_wan_rule (1 references)
target     prot opt source               destination

Chain input_VPN_rule (1 references)
target     prot opt source               destination

Chain input_lan_rule (1 references)
target     prot opt source               destination

Chain input_rule (1 references)
target     prot opt source               destination

Chain input_wan_rule (1 references)
target     prot opt source               destination

Chain output_VPN_rule (1 references)
target     prot opt source               destination

Chain output_lan_rule (1 references)
target     prot opt source               destination

Chain output_rule (1 references)
target     prot opt source               destination

Chain output_wan_rule (1 references)
target     prot opt source               destination

Chain reject (3 references)
target     prot opt source               destination
REJECT     tcp  --  anywhere             anywhere             /* !fw3 */ reject-with tcp-reset
REJECT     all  --  anywhere             anywhere             /* !fw3 */ reject-with icmp-port-unreachable

Chain syn_flood (1 references)
target     prot opt source               destination
RETURN     tcp  --  anywhere             anywhere             tcp flags:FIN,SYN,RST,ACK/SYN limit: avg 25/sec burst 50 /* !fw3 */
DROP       all  --  anywhere             anywhere             /* !fw3 */

Chain zone_VPN_dest_ACCEPT (3 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere             ctstate INVALID /* !fw3: Prevent NAT leakage */
ACCEPT     all  --  anywhere             anywhere             /* !fw3 */

Chain zone_VPN_forward (1 references)
target     prot opt source               destination
forwarding_VPN_rule  all  --  anywhere             anywhere             /* !fw3: Custom VPN forwarding rule chain */
zone_lan_dest_ACCEPT  all  --  anywhere             anywhere             /* !fw3: Zone VPN to lan forwarding policy */
ACCEPT     all  --  anywhere             anywhere             ctstate DNAT /* !fw3: Accept port forwards */
zone_VPN_dest_ACCEPT  all  --  anywhere             anywhere             /* !fw3 */

Chain zone_VPN_input (1 references)
target     prot opt source               destination
input_VPN_rule  all  --  anywhere             anywhere             /* !fw3: Custom VPN input rule chain */
ACCEPT     all  --  anywhere             anywhere             ctstate DNAT /* !fw3: Accept port redirections */
zone_VPN_src_ACCEPT  all  --  anywhere             anywhere             /* !fw3 */

Chain zone_VPN_output (1 references)
target     prot opt source               destination
output_VPN_rule  all  --  anywhere             anywhere             /* !fw3: Custom VPN output rule chain */
zone_VPN_dest_ACCEPT  all  --  anywhere             anywhere             /* !fw3 */

Chain zone_VPN_src_ACCEPT (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             ctstate NEW,UNTRACKED /* !fw3 */

Chain zone_lan_dest_ACCEPT (5 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             /* !fw3 */

Chain zone_lan_forward (1 references)
target     prot opt source               destination
forwarding_lan_rule  all  --  anywhere             anywhere             /* !fw3: Custom lan forwarding rule chain */
zone_wan_dest_ACCEPT  all  --  anywhere             anywhere             /* !fw3: Zone lan to wan forwarding policy */
zone_VPN_dest_ACCEPT  all  --  anywhere             anywhere             /* !fw3: Zone lan to VPN forwarding policy */
ACCEPT     all  --  anywhere             anywhere             ctstate DNAT /* !fw3: Accept port forwards */
zone_lan_dest_ACCEPT  all  --  anywhere             anywhere             /* !fw3 */

Chain zone_lan_input (1 references)
target     prot opt source               destination
input_lan_rule  all  --  anywhere             anywhere             /* !fw3: Custom lan input rule chain */
ACCEPT     all  --  anywhere             anywhere             ctstate DNAT /* !fw3: Accept port redirections */
zone_lan_src_ACCEPT  all  --  anywhere             anywhere             /* !fw3 */

Chain zone_lan_output (1 references)
target     prot opt source               destination
output_lan_rule  all  --  anywhere             anywhere             /* !fw3: Custom lan output rule chain */
zone_lan_dest_ACCEPT  all  --  anywhere             anywhere             /* !fw3 */

Chain zone_lan_src_ACCEPT (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             ctstate NEW,UNTRACKED /* !fw3 */

Chain zone_wan_dest_ACCEPT (2 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere             ctstate INVALID /* !fw3: Prevent NAT leakage */
ACCEPT     all  --  anywhere             anywhere             /* !fw3 */

Chain zone_wan_dest_REJECT (1 references)
target     prot opt source               destination
reject     all  --  anywhere             anywhere             /* !fw3 */

Chain zone_wan_forward (1 references)
target     prot opt source               destination
forwarding_wan_rule  all  --  anywhere             anywhere             /* !fw3: Custom wan forwarding rule chain */
zone_lan_dest_ACCEPT  esp  --  anywhere             anywhere             /* !fw3: Allow-IPSec-ESP */
zone_lan_dest_ACCEPT  udp  --  anywhere             anywhere             udp dpt:isakmp /* !fw3: Allow-ISAKMP */
ACCEPT     all  --  anywhere             anywhere             ctstate DNAT /* !fw3: Accept port forwards */
zone_wan_dest_REJECT  all  --  anywhere             anywhere             /* !fw3 */

Chain zone_wan_input (1 references)
target     prot opt source               destination
input_wan_rule  all  --  anywhere             anywhere             /* !fw3: Custom wan input rule chain */
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootpc /* !fw3: Allow-DHCP-Renew */
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request /* !fw3: Allow-Ping */
ACCEPT     igmp --  anywhere             anywhere             /* !fw3: Allow-IGMP */
ACCEPT     all  --  anywhere             anywhere             ctstate DNAT /* !fw3: Accept port redirections */
zone_wan_src_REJECT  all  --  anywhere             anywhere             /* !fw3 */

Chain zone_wan_output (1 references)
target     prot opt source               destination
output_wan_rule  all  --  anywhere             anywhere             /* !fw3: Custom wan output rule chain */
zone_wan_dest_ACCEPT  all  --  anywhere             anywhere             /* !fw3 */

Chain zone_wan_src_REJECT (1 references)
target     prot opt source               destination
reject     all  --  anywhere             anywhere             /* !fw3 */


Последнее исправление: smrnvdmtr (всего исправлений: 3)
Выбор местоположения ЦОД по latency
Как сделать подсказку для команды на bash

iptables-save или iptables -L -n -v -x.

Такое кол-во правил анализируйте сами, если вы видите входящий ping, то для начала попробуйте добавить в начало (iptables -I INPUT) разрешающее правило, и отключите rp_filter.

mky ★★★★★
()
Ответ на: комментарий от mky

Добавил iptables-save в первое сообщение. Там устройство голое, пытаюсь настроить только туннель, ни чего больше нет. Там группы правил я так понимаю. При добавлении разрешающее правило, пинги пошли сразу (только если их выполнять на роутере, на компьютере пинги не идут), но только до роутера, в сеть все еще не проходит.

smrnvdmtr
() автор топика
Ответ на: комментарий от smrnvdmtr

GRE плохо проходит через NAT, т.к. ему требуются особые NAT helper’ы, которые не везде включены или настроены. Вполне возможно, что вы настроили всё правильно, просто на сети Yota GRE не пройдёт.

ValdikSS ★★★★★
()
Ответ на: комментарий от ValdikSS

GRE туннель формируется и трафик гуляет по нему (yota не блокирует этот трафик), когда понгуешь с роутера, пакет приходит в интерфейс WAN и там остается, правило нового соединения не срабатывает, если пинговать с обоих устройств, то пакеты проходят.

smrnvdmtr
() автор топика
Ответ на: комментарий от smrnvdmtr

Открыл порт gre, пинги начали ходить, от роутера до удаленных устройств. Если с устройства до удаленных устройств, то пакет не проходит ближайший роутер, пишет что заданный порт не доступен.

smrnvdmtr
() автор топика
Ответ на: комментарий от smrnvdmtr

Всем спасибо за внимание, проблема была в прошивке устройства, пришлось в ручном режиме править конфигурационные файлы и все после этого заработало. Правила были правильные от части)

smrnvdmtr
() автор топика
Вы не можете добавлять комментарии в эту тему. Тема перемещена в архив.
Выбор местоположения ЦОД по latency
Admin
Как сделать подсказку для команды на bash