Setting up a GRE tunnel on an EdgeRouter-X and a Linux server with IPv6 and IPv4 addresses

Before going through the setup, here are the requirements.

Requirements

  • 2 public IPv4 addresses (recommended)
  • 2 blocks of IPv6 addresses, or one large enough to subnet (like a /56 or /60): the tunnel needs a /64, and your own network needs a /64.
  • Ubiquiti EdgeRouter
  • Server with the addresses
  • Root access on the server

I’m using an Ubuntu server, but this should work on pretty much any distro, though some commands might be different in that case.

Setting up the server

Creating the tunnel and bringing it up:

sudo sysctl -w net.ipv6.conf.all.forwarding=1 # You should configure that in /etc/sysctl.conf too.
sudo ip tunnel add <tunnel-name> mode gre remote <your-home-IPv4-address> local <server-IPv4-address> ttl 255
sudo ip link set <tunnel-name> up

Assigning IP addresses to the server’s tunnel interface:

sudo ip addr add 192.168.3.1/24 dev <tunnel-name>
sudo ip addr add 2001:db8:0:1::1/64 dev <tunnel-name>

Note: The IPv6 prefix I’m using here is the one reserved for documentation; yours will need to be calculated by hand or with an online calculator like https://subnettingpractice.com/ipv6_subnetting.html.

Adding the IPv6 route through the tunnel:

sudo ip r add 2001:db8:0:2::/64 via 2001:db8:0:1::2 dev <tunnel-name>
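
The prefix calculation mentioned in the note above can also be done locally with Python's ipaddress module. This is an added example, not part of the original post: the function names plan_tunnel and server_commands and the tunnel name gre1 are hypothetical, and the input is the documentation prefix treated as a /56 allocation.

```python
import ipaddress


def plan_tunnel(allocation, tunnel_index=1, lan_index=2):
    """Carve a tunnel /64 and a LAN /64 out of one IPv6 allocation."""
    net = ipaddress.IPv6Network(allocation)  # rejects prefixes with host bits set
    if net.prefixlen > 63:
        raise ValueError(f"{net} cannot hold two /64s; a /63 or shorter is needed")
    if tunnel_index == lan_index:
        raise ValueError("tunnel and LAN must not share a /64")
    count = 2 ** (64 - net.prefixlen)  # number of /64s inside the allocation
    for index in (tunnel_index, lan_index):
        if not 0 <= index < count:
            raise ValueError(f"/64 number {index} is outside {net} ({count} available)")
    base = int(net.network_address)

    def subnet(index):
        # The n-th /64 starts n * 2^64 addresses after the allocation's base.
        return ipaddress.IPv6Network((base + (index << 64), 64))

    def host(network, number):
        return ipaddress.IPv6Interface((network.network_address + number, 64))

    tunnel, lan = subnet(tunnel_index), subnet(lan_index)
    return {
        "tunnel_net": tunnel,
        "lan_net": lan,
        "server_tunnel": host(tunnel, 1),  # server end of the tunnel
        "router_tunnel": host(tunnel, 2),  # EdgeRouter end of the tunnel
        "lan_gateway": host(lan, 1),       # EdgeRouter address on switch0
    }


def server_commands(plan, tunnel_name):
    """Render the server-side address and route commands for a plan."""
    return [
        f"sudo ip addr add {plan['server_tunnel']} dev {tunnel_name}",
        f"sudo ip r add {plan['lan_net']} via {plan['router_tunnel'].ip} dev {tunnel_name}",
    ]


if __name__ == "__main__":
    # Constructed input: the documentation prefix as a /56; "gre1" is a placeholder name.
    plan = plan_tunnel("2001:db8::/56")
    for name, value in plan.items():
        print(f"{name:14} {value}")
    print("\n".join(server_commands(plan, "gre1")))
```

With the default indexes this reproduces the addresses used throughout this post; pass your own allocation and indexes to get yours.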

Setting up on EdgeRouter-X

Use SSH to log in to the ER-X.

Configure the tunnel mode and the client side:

configure
set interfaces tunnel tun0 address 192.168.3.2/24
set interfaces tunnel tun0 address 2001:db8:0:1::2/64
set interfaces tunnel tun0 description "GRE tunnel"
set interfaces tunnel tun0 encapsulation gre
set interfaces tunnel tun0 local-ip 0.0.0.0 # Can be your WAN IP, but can be set like that too.
set interfaces tunnel tun0 multicast disable
set interfaces tunnel tun0 remote-ip <Server 1st public IPv4 address>
set interfaces tunnel tun0 ttl 255
set protocols static interface-route6 ::/0 next-hop-interface tun0
commit; save;
exit

Try to ping 192.168.3.1, and if that works, try to ping the IPv6 address of the server's side of the tunnel too, in this case 2001:db8:0:1::1.
If both work, continue; otherwise fix that first. Keep in mind that GRE might be blocked by a firewall upstream of you (for example, a corporate firewall might block it).

Continuing the configuration, now on the LAN side:

configure
set interfaces switch switch0 address 2001:db8:0:2::1/64
set interfaces switch switch0 ipv6 dup-addr-detect-transmits 1
set interfaces switch switch0 ipv6 router-advert cur-hop-limit 64
set interfaces switch switch0 ipv6 router-advert link-mtu 0
set interfaces switch switch0 ipv6 router-advert managed-flag false
set interfaces switch switch0 ipv6 router-advert max-interval 600
set interfaces switch switch0 ipv6 router-advert other-config-flag false
set interfaces switch switch0 ipv6 router-advert prefix ::/64 autonomous-flag true
set interfaces switch switch0 ipv6 router-advert prefix ::/64 on-link-flag true
set interfaces switch switch0 ipv6 router-advert prefix ::/64 valid-lifetime 2592000
set interfaces switch switch0 ipv6 router-advert reachable-time 0
set interfaces switch switch0 ipv6 router-advert retrans-timer 0
set interfaces switch switch0 ipv6 router-advert send-advert true
commit; save;
exit

Now you should have IPv6 addresses on your local machines and be able to access the IPv6 internet.

IPv4 NAT, port forwarding - Server Side

Enable IP forwarding and set up the NAT rules and traffic forwarding:

sudo sysctl -w net.ipv4.ip_forward=1 # Set it in /etc/sysctl.conf too to persist across reboots.
sudo iptables --table nat -F # Flushes every existing rule in the nat table.
sudo iptables --table nat -A PREROUTING -d <2nd public IPv4 address of Server> -i <WAN-interface> -j DNAT --to-destination 192.168.3.2
sudo iptables --table nat -A POSTROUTING -s 192.168.3.0/24 -o <WAN-interface> -j SNAT --to-source <2nd public IPv4 address of Server>
sudo iptables -A FORWARD -i <tunnel-name> -j ACCEPT

IPv4 NAT, port forwarding - EdgeRouter Side

The actual port forwarding happens here.

Forward HTTP and HTTPS traffic from the server's 2nd IPv4 address to the LAN computer at 192.168.1.2:

sudo iptables --table nat -A VYATTA_DNAT -i tun0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.2
sudo iptables --table nat -A VYATTA_DNAT -i tun0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.1.2

It should work once you have added a MASQUERADE rule for tun0.

NOTE: I’m not sure if the iptables rules on the EdgeRouter will persist updates.

Feel free to leave comments. :)


© 2018-2021 Skyler Mäntysaari