Topic: GRE over NAT (Read 400 times)
d4rkd3n1337 (Newbie, Posts: 4, Karma: 0)
GRE over NAT « on: August 25, 2024, 11:07:05 am »
Hello, guys. I really hope that there are experts among you.
I have the following setup:
First site:
OPNsense edge gate\fw (ISP public ip, for example 1.1.1.1) (DMZ ip: for example 10.1.1.1)
Cisco Router in DMZ with tunnels (GRE) interfaces: 10.1.1.2
Second site:
OPNsense edge gate\fw (ISP public ip, for example: 2.2.2.2)
I have a working GRE tunnel with this scheme:
S2 OPNSense -> MyOPNSense -> (NAT GRE) -> Cisco
With this scheme I have ~60-80mbit throughput.
Today, for testing, I made a GRE tunnel in the local network (VM to Cisco), and I get over 600mbit!
Maybe OPNsense has settings for GRE over NAT? Because it's very strange.
What can be the bottleneck?
Example configs:
Cisco:
interface ga0/0 - ip address 10.1.1.2/24 (DMZ)
interface Tunnel2
(GRE) ip address 10.0.91.1/30
(GRE) tunnel source 10.1.1.2
(GRE) tunnel destination 2.2.2.2
S2 OPNsense:
em0 (WAN, public ISP, anyway...) - ip: 2.2.2.2
gre0:
source - 2.2.2.2
destination - 1.1.1.1
gre local 10.0.91.2/30
If needed, I can provide more info.
And sorry for my bad English.

doktornotor (Hero Member, Posts: 709, Karma: 70)
Re: GRE over NAT « Reply #1 on: August 25, 2024, 11:27:50 am »
I'd say you need some MTU/MSS clamping. Firewall ‣ Settings ‣ Normalization. I'd start with something like 1360 for the Max MSS.
« Last Edit: August 25, 2024, 11:30:50 am by doktornotor »

d4rkd3n1337 (Newbie, Posts: 4, Karma: 0)
Re: GRE over NAT « Reply #2 on: August 25, 2024, 11:35:30 am »
Good idea. But it is global, right? On the GRE sites (Cisco\OPNsense) the MTU is set to 1476.
From here, I have the next question - where GRE is NATed, do we decrement the MTU?

doktornotor (Hero Member, Posts: 709, Karma: 70)
Re: GRE over NAT « Reply #3 on: August 25, 2024, 11:37:10 am »
No, it is not global; it's per interface (group). See the hints here:
https://docs.opnsense.org/manual/how-tos/wireguard-s2s.html
« Last Edit: August 25, 2024, 11:38:54 am by doktornotor »

d4rkd3n1337 (Newbie, Posts: 4, Karma: 0)
Re: GRE over NAT « Reply #4 on: August 25, 2024, 12:07:16 pm »
So, I'm trying to start iperf with UDP (iperf3 -c server.behind.tunnel -u -b 120M) and get 120Mbit\s (of course with losses, it's UDP). But I don't understand yet: where do I need to set the MSS? In the firewall settings (normalization) or on the gates with GRE? Or both (OPNsense with GRE, OPNsense with NAT GRE and Cisco with GRE)?

doktornotor (Hero Member, Posts: 709, Karma: 70)
Re: GRE over NAT « Reply #5 on: August 25, 2024, 12:20:16 pm »
What's unclear about the normalization settings from the link I've posted? (It's about Wireguard but it's exactly the same place and same settings -- just applied to GRE interface(s).)
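
The Max MSS discussed in the replies above depends on the largest packet that actually crosses the tunnel unfragmented. As an added example (not code from the thread or from OPNsense), this script binary-searches that size with Don't Fragment pings and derives the matching MSS. Assumptions: IPv4, FreeBSD/OPNsense `ping` flags, and the hypothetical function names `probe`, `find_pmtu` and `mss_for_mtu`.

```shell
#!/bin/sh
# Added example, not from the thread. Finds the largest IPv4 packet that crosses
# a path with Don't Fragment set, then derives the TCP MSS to clamp to.

# probe SIZE HOST: succeeds if a SIZE-byte IPv4 packet reaches HOST unfragmented.
# Assumption: FreeBSD/OPNsense ping (-D sets DF, -t is a timeout in seconds).
# ping -s takes the ICMP payload size, so subtract 20 (IPv4) + 8 (ICMP) bytes.
probe() {
    ping -D -c 1 -t 2 -s "$(( $1 - 28 ))" "$2" >/dev/null 2>&1
}

# find_pmtu HOST [LOW] [HIGH]: binary search for the largest size that passes.
# Fails if even LOW does not pass (host down, or ICMP echo filtered).
find_pmtu() {
    host=$1 lo=${2:-576} hi=${3:-1500}
    probe "$lo" "$host" || return 1
    while [ "$lo" -lt "$hi" ]; do
        mid=$(( (lo + hi + 1) / 2 ))
        if probe "$mid" "$host"; then
            lo=$mid
        else
            hi=$(( mid - 1 ))
        fi
    done
    echo "$lo"
}

# mss_for_mtu MTU: largest TCP payload that fits, assuming IPv4 and TCP headers
# without options (20 + 20 bytes).
mss_for_mtu() {
    echo $(( $1 - 40 ))
}

# Usage: sh pmtu.sh 10.0.91.1   (the far tunnel address from the first post)
if [ "$#" -ge 1 ]; then
    if pmtu=$(find_pmtu "$1"); then
        echo "path MTU: $pmtu, max MSS: $(mss_for_mtu "$pmtu")"
    else
        echo "no reply from $1 even at the lower bound" >&2
    fi
fi
```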