Setting up a GRE tunnel between an EdgeRouter-X and a Linux server with IPv6 and IPv4 addresses

Before I go through setting it all up, here are the requirements.

Requirements

  • 2 public IPv4 addresses on the server (recommended; the second one is the address that gets forwarded to your home network)
  • 2 IPv6 /64 blocks, or one block large enough to subnet from (such as a /56 or /60): the tunnel itself needs a /64 and your home network needs another /64
  • Ubnt EdgeRouter
  • Server with the addresses
  • Root access on the server

I’m using an Ubuntu server, but this should work on pretty much any distro, though some commands might differ.

Setting up the server

Creating the tunnel and bringing it up:

sudo sysctl -w net.ipv6.conf.all.forwarding=1 # Set it in /etc/sysctl.conf too so it persists across reboots.
# remote = the EdgeRouter's public IPv4 address, local = the server's 1st public IPv4 address
sudo ip tunnel add <tunnel-name> mode gre remote <your-home-IPv4-address> local <server-IPv4-address> ttl 255
sudo ip link set <tunnel-name> up

Assigning addresses to the server's end of the tunnel (an IPv4 transfer network plus the tunnel /64):

sudo ip addr add 192.168.3.1/24 dev <tunnel-name>
sudo ip addr add 2001:db8:0:1::1/64 dev <tunnel-name>

Note: The IPv6 prefix I’m using here is the documentation prefix (2001:db8::/32). Yours has to be worked out from the block you were given, by hand or with an online calculator like https://subnettingpractice.com/ipv6_subnetting.html.

Adding the route for the home LAN's /64 through the tunnel (the next hop is the EdgeRouter's tunnel address):

sudo ip route add 2001:db8:0:2::/64 via 2001:db8:0:1::2 dev <tunnel-name>

Setting up on EdgeRouter-X

Log in to the ER-X with SSH.

Enter configure mode and configure the client side:

configure
set interfaces tunnel tun0 address 192.168.3.2/24
set interfaces tunnel tun0 address 2001:db8:0:1::2/64
set interfaces tunnel tun0 description "GRE tunnel"
set interfaces tunnel tun0 encapsulation gre
set interfaces tunnel tun0 local-ip 0.0.0.0 # Can be your WAN IP; 0.0.0.0 lets the router pick the local address.
set interfaces tunnel tun0 multicast disable
set interfaces tunnel tun0 remote-ip <Server 1st public IPv4 address>
set interfaces tunnel tun0 ttl 255
set protocols static interface-route6 ::/0 next-hop-interface tun0 # All IPv6 traffic goes through the tunnel.
commit; save;
exit

Try to ping 192.168.3.1. If that works, ping the server's tunnel-side IPv6 address too, in this case 2001:db8:0:1::1.
If both work, continue; otherwise fix it first. Keep in mind that GRE (IP protocol 47) may be blocked by an upstream firewall (a corporate firewall, for example), and that GRE is neither encrypted nor authenticated: anything sent through the tunnel is visible to anyone on the path, and anyone who can reach the server's public address can inject packets into it unless the server filters GRE by source address.

Continuing with the configuration, now the LAN side:

configure
set interfaces switch switch0 address 2001:db8:0:2::1/64
set interfaces switch switch0 ipv6 dup-addr-detect-transmits 1
set interfaces switch switch0 ipv6 router-advert cur-hop-limit 64
set interfaces switch switch0 ipv6 router-advert link-mtu 0
set interfaces switch switch0 ipv6 router-advert managed-flag false
set interfaces switch switch0 ipv6 router-advert max-interval 600
set interfaces switch switch0 ipv6 router-advert other-config-flag false
set interfaces switch switch0 ipv6 router-advert prefix ::/64 autonomous-flag true
set interfaces switch switch0 ipv6 router-advert prefix ::/64 on-link-flag true
set interfaces switch switch0 ipv6 router-advert prefix ::/64 valid-lifetime 2592000
set interfaces switch switch0 ipv6 router-advert reachable-time 0
set interfaces switch switch0 ipv6 router-advert retrans-timer 0
set interfaces switch switch0 ipv6 router-advert send-advert true
commit; save;
exit

Your local machines should now get IPv6 addresses via SLAAC and be able to reach the IPv6 internet. Those are global addresses and the default route sends everything through tun0, so until a firewall ruleset is attached to tun0 (set interfaces tunnel tun0 firewall in ipv6-name <ruleset>) every LAN host is reachable from the whole IPv6 internet.

IPv4 NAT, port forwarding - Server Side

Enable IPv4 forwarding, set up the NAT rules and allow the forwarded traffic:

sudo sysctl -w net.ipv4.ip_forward=1 # Set it in /etc/sysctl.conf too so it persists across reboots.
sudo iptables --table nat -F # Flushes every existing NAT rule on the server, so check first that nothing else depends on them.
# Everything arriving for the 2nd public address is handed to the router's tunnel end. This DNATs every port, not only 80 and 443: the port selection happens on the EdgeRouter, so anything the EdgeRouter accepts on 192.168.3.2 is reachable from the internet.
sudo iptables --table nat -A PREROUTING -d <2nd public IPv4 address of Server> -i <WAN-interface> -j DNAT --to-destination 192.168.3.2
# Traffic from the tunnel network towards the internet leaves with the 2nd public address as source.
sudo iptables --table nat -A POSTROUTING -s 192.168.3.0/24 -o <wan-interface> -j SNAT --to-source <2nd public IPv4 address of Server>
# Allows tunnel -> WAN only. The DNAT'd traffic and the replies in the other direction rely on the FORWARD chain's default policy being ACCEPT; if it is DROP (ufw, Docker), add a matching rule for WAN -> tunnel as well.
sudo iptables -A FORWARD -i <tunnel-name> -j ACCEPT
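The server-side rules above, as an added example that is not part of the original post, reworked into a complete iptables-restore file with the three changes a practitioner would want: GRE is accepted only from the router's public address (GRE has no authentication of its own, so otherwise anyone on the internet can inject packets into the tunnel), only the published TCP ports are DNAT'd instead of every port, and the FORWARD chain is stateful with a DROP policy. The addresses (203.0.113.10, 198.51.100.2, 192.168.3.0/24), interface names and the /etc/iptables/rules.v4 path are placeholders or assumptions, and the function names gen_rules_v4 and apply_rules_v4 are mine.

```shell
#!/bin/sh
# Added example, not from the original post: generate the server-side IPv4
# NAT and filter rules for the GRE setup in iptables-restore format.
# Tightened compared with the post: GRE only from the router's address,
# DNAT only for the listed ports, stateful FORWARD chain with DROP policy.
# All addresses and interface names are placeholders passed as arguments.

# gen_rules_v4 HOME_IP WAN_IF TUN_IF TUN_NET PUB2 TUN_PEER PORTS
#   HOME_IP   public IPv4 address of the EdgeRouter (the GRE peer)
#   WAN_IF    the server's internet-facing interface, e.g. eth0
#   TUN_IF    the GRE interface created with "ip tunnel add"
#   TUN_NET   the transfer network on the tunnel, e.g. 192.168.3.0/24
#   PUB2      the server's 2nd public IPv4 address (the published one)
#   TUN_PEER  the router's address on the tunnel, e.g. 192.168.3.2
#   PORTS     comma-separated plain TCP port numbers to forward, e.g. 80,443
gen_rules_v4() {
    [ $# -eq 7 ] || { echo "usage: gen_rules_v4 HOME_IP WAN_IF TUN_IF TUN_NET PUB2 TUN_PEER PORTS" >&2; return 1; }
    home_ip=$1 wan_if=$2 tun_if=$3 tun_net=$4 pub2=$5 tun_peer=$6 ports=$7
    # multiport takes a comma-separated list; reject anything that is not one
    case $ports in
        ''|*[!0-9,]*|,*|*,|*,,*) echo "bad port list: $ports" >&2; return 1 ;;
    esac
    cat <<EOF
# generated by gen_rules_v4 -- load with: iptables-restore < this-file
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# only the published ports of the 2nd public address go to the router
-A PREROUTING -i $wan_if -d $pub2/32 -p tcp -m multiport --dports $ports -j DNAT --to-destination $tun_peer
# everything leaving the tunnel network for the internet uses the 2nd address
-A POSTROUTING -s $tun_net -o $wan_if -j SNAT --to-source $pub2
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# GRE carries no authentication: accept it from the router's address only
-A INPUT -i $wan_if -p gre -s $home_ip -j ACCEPT
-A INPUT -i $wan_if -p gre -j DROP
# replies in either direction, and nothing that conntrack cannot classify
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
# new connections from the internet: only the DNAT'd ports, only to the router
-A FORWARD -i $wan_if -o $tun_if -d $tun_peer -p tcp -m multiport --dports $ports -m conntrack --ctstate NEW -j ACCEPT
# new connections from the home side: anything, as long as it comes from the tunnel network
-A FORWARD -i $tun_if -o $wan_if -s $tun_net -j ACCEPT
COMMIT
EOF
}

# Let the kernel parse the generated rules without applying them, then install
# them as the file iptables-persistent loads at boot on Ubuntu/Debian (assumed
# path) and load them now.  Must run as root.
apply_rules_v4() {
    tmp=$(mktemp) || return 1
    if gen_rules_v4 "$@" > "$tmp" && iptables-restore --test < "$tmp"; then
        install -m 0600 "$tmp" /etc/iptables/rules.v4 && iptables-restore < /etc/iptables/rules.v4
        rc=$?
    else
        rc=1
    fi
    rm -f "$tmp"
    return $rc
}

# Usage: sh gre-rules.sh print|apply HOME_IP WAN_IF TUN_IF TUN_NET PUB2 TUN_PEER PORTS
case ${1:-} in
    print) shift; gen_rules_v4 "$@" ;;
    apply) shift; apply_rules_v4 "$@" ;;
esac
```

iptables-restore replaces the whole nat and filter tables (the post's -F, but for both tables), so look at the print output before running apply on a server where Docker or ufw also manage rules. The INPUT policy is left at ACCEPT on purpose so that a mistake in the file cannot lock you out of SSH.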

IPv4 NAT, port forwarding - EdgeRouter Side

The actual port selection happens here.

Forward http and https traffic from 2nd server IPv4 address to LAN computer at 192.168.1.2:

sudo iptables --table nat -A VYATTA_DNAT -i tun0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.2
sudo iptables --table nat -A VYATTA_DNAT -i tun0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.1.2

It works once you have also added a masquerade rule for tun0 on the EdgeRouter (a service nat rule of type masquerade with outbound-interface tun0): LAN traffic leaving through the tunnel then carries 192.168.3.2 as its source, which is what the SNAT rule on the server matches.

NOTE: I’m not sure if the iptables rules on the EdgeRouter will persist across updates.
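The router side expressed as EdgeOS configuration, as an added example that is not from the original post: the tunnel and default route from above, the masquerade rule the text refers to, the port forwards as destination NAT rules (so they are saved with the config rather than as raw iptables rules), and an IPv6 firewall on tun0, which the post does not have and without which the whole LAN /64 is open to the IPv6 internet. The router-advert part for switch0 stays as shown above and is not repeated. The ruleset names WANv6_IN/WANv6_LOCAL, the NAT rule numbers, the function names and the path of the EdgeOS script helper are my assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: the router side of the GRE
# setup as EdgeOS "set" commands, plus an IPv6 firewall on tun0 and the
# masquerade rule.  Assumed names: tun0, rulesets WANv6_IN / WANv6_LOCAL,
# NAT rule numbers 1.. (destination) and 5010 (masquerade).

# erx_config_cmds SERVER_PUB1 TUN_V6 LAN_HOST PORTS
#   SERVER_PUB1  server's 1st public IPv4 address (the GRE endpoint)
#   TUN_V6       router's address on the tunnel /64, e.g. 2001:db8:0:1::2/64
#   LAN_HOST     LAN machine that receives the forwarded ports, e.g. 192.168.1.2
#   PORTS        comma-separated plain TCP port numbers to forward, e.g. 80,443
erx_config_cmds() {
    [ $# -eq 4 ] || { echo "usage: erx_config_cmds SERVER_PUB1 TUN_V6 LAN_HOST PORTS" >&2; return 1; }
    server_pub1=$1 tun_v6=$2 lan_host=$3 ports=$4
    case $ports in
        ''|*[!0-9,]*|,*|*,|*,,*) echo "bad port list: $ports" >&2; return 1 ;;
    esac

    # tunnel interface and IPv6 default route, as in the post
    cat <<EOF
set interfaces tunnel tun0 description "GRE tunnel"
set interfaces tunnel tun0 encapsulation gre
set interfaces tunnel tun0 local-ip 0.0.0.0
set interfaces tunnel tun0 remote-ip $server_pub1
set interfaces tunnel tun0 address 192.168.3.2/24
set interfaces tunnel tun0 address $tun_v6
set interfaces tunnel tun0 multicast disable
set interfaces tunnel tun0 ttl 255
set protocols static interface-route6 ::/0 next-hop-interface tun0
EOF

    # IPv6 rulesets for traffic through the router (in) and to the router
    # itself (local): replies and ICMPv6 only, everything else is dropped
    for rs in WANv6_IN WANv6_LOCAL; do
        cat <<EOF
set firewall ipv6-name $rs default-action drop
set firewall ipv6-name $rs rule 10 action accept
set firewall ipv6-name $rs rule 10 state established enable
set firewall ipv6-name $rs rule 10 state related enable
set firewall ipv6-name $rs rule 20 action drop
set firewall ipv6-name $rs rule 20 state invalid enable
set firewall ipv6-name $rs rule 30 action accept
set firewall ipv6-name $rs rule 30 protocol icmpv6
EOF
    done
    echo "set interfaces tunnel tun0 firewall in ipv6-name WANv6_IN"
    echo "set interfaces tunnel tun0 firewall local ipv6-name WANv6_LOCAL"

    # LAN traffic leaving through the tunnel must carry 192.168.3.2 as
    # source, because the server's SNAT rule only matches 192.168.3.0/24
    cat <<EOF
set service nat rule 5010 description "masquerade for tun0"
set service nat rule 5010 outbound-interface tun0
set service nat rule 5010 type masquerade
EOF

    # one destination NAT rule per forwarded port, numbered 1, 2, ...
    n=1
    old_ifs=$IFS; IFS=,
    for p in $ports; do
        cat <<EOF
set service nat rule $n description "tcp/$p to $lan_host"
set service nat rule $n type destination
set service nat rule $n inbound-interface tun0
set service nat rule $n protocol tcp
set service nat rule $n destination port $p
set service nat rule $n inside-address address $lan_host
set service nat rule $n inside-address port $p
EOF
        n=$((n + 1))
    done
    IFS=$old_ifs
}

# Apply on the EdgeRouter itself through the EdgeOS shell helper that exposes
# configure/set/commit/save to scripts (assumed to be at its stock path).
erx_apply() {
    helper=/opt/vyatta/etc/functions/script-template
    [ -r "$helper" ] || { echo "$helper not found, run this on the EdgeRouter" >&2; return 1; }
    cmds=$(erx_config_cmds "$@") || return 1
    tmp=$(mktemp) || return 1
    printf '%s\n' '#!/bin/vbash' "source $helper" configure "$cmds" commit save exit > "$tmp"
    /bin/vbash "$tmp"; rc=$?
    rm -f "$tmp"
    return $rc
}

# Usage: sh erx-gre.sh print|apply SERVER_PUB1 TUN_V6 LAN_HOST PORTS
case ${1:-} in
    print) shift; erx_config_cmds "$@" ;;
    apply) shift; erx_apply "$@" ;;
esac
```

Run it with print first and paste the output into configure by hand if you prefer; apply does the same through the script helper and saves, so the result survives a reboot. Note that nothing here filters IPv4 on tun0: the router's own services on 192.168.3.2 stay reachable from the server over the tunnel, and the forwarded ports are only as safe as the LAN host behind them.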

Feel free to leave comments. :)