Netgate Discussion Forum

Problem with TCP and GRE tunnel

General pfSense Questions
64 Posts 3 Posters 8.6k Views
  • S
    StomperG @stephenw10
    last edited by StomperG Apr 1, 2024, 4:19 PM Apr 1, 2024, 4:14 PM

    @stephenw10 I did it now and there's no logs on the local side (WAN) while doing a pcap.

    • S
      stephenw10 Netgate Administrator
      last edited by Apr 1, 2024, 5:19 PM

      iperf is a package you can install in the gui. You can also install just the backend pkg at the command line if you want.

      @StomperG said in Problem with TCP and GRE tunnel:

      I did it now and there's no logs on the local side (WAN) while doing a pcap.

      So the local side isn't actually sending GRE packets even though the pcap on the GRE interface shows them?

      • S
        StomperG @stephenw10
        last edited by Apr 1, 2024, 5:59 PM

        @stephenw10 At least the WAN pcap on the local doesn't show anything.

        • S
          stephenw10 Netgate Administrator
          last edited by Apr 1, 2024, 6:02 PM

          Nothing at all? It must show the GRE packets if the curl command succeeds. Or do you mean just during the unexpected delay?

          • K
            Konstanti @StomperG
            last edited by Konstanti Apr 1, 2024, 6:16 PM Apr 1, 2024, 6:09 PM

            @StomperG

            Hi,
            maybe this will help.
            I don't remember why I set up the rules this way (I think I read it in some article), but:
            1. GRE interface (MSS 1380)
            2. Created this floating rule for the GRE interface (TUN100)

            2905ff65-7d7b-44ad-886b-194a33695453-image.png

            5f98e495-11ba-4640-9423-b5f92765c0ba-image.png

            7bdb0851-9887-4081-8261-86ebdd87988a-image.png

            Here is an example of the information transfer rate through a tunnel with these settings:

            d5ea36cd-2932-4b0b-841b-aca9563b9b03-image.png

            • S
              stephenw10 Netgate Administrator
              last edited by stephenw10 Apr 1, 2024, 6:27 PM Apr 1, 2024, 6:27 PM

              That can be required for GRE+IPSec transport. Although there is now an option to allow it without that: https://redmine.pfsense.org/issues/12289

              However, in that situation the initial handshake would fail. And that shouldn't apply here because it's not encrypted. But... anything's possible!

              • S
                StomperG @stephenw10
                last edited by StomperG Apr 1, 2024, 6:59 PM Apr 1, 2024, 6:55 PM

                @stephenw10 Hey, is that for the local or remote pf? I tried on local and had the same result :/

                • S
                  StomperG @stephenw10
                  last edited by StomperG Apr 1, 2024, 7:02 PM Apr 1, 2024, 7:01 PM

                  @stephenw10 Nothing at all on the local WAN.
                  I've never done an iperf, is there any topic for that?

                  • S
                    stephenw10 Netgate Administrator
                    last edited by Apr 1, 2024, 8:10 PM

                    Yeah I wouldn't expect it to make any difference there because you're not using IPSec transport.

                    To my earlier question; do you really see no GRE packets in the pcap on the local WAN? Or just during the gap?

                    • S
                      stephenw10 Netgate Administrator
                      last edited by Apr 1, 2024, 8:12 PM

                      At the command line on each end you can run iperf3. So run iperf3 -s to start a server at one end. Then iperf3 -c <server IP> at the other.

                      • S
                        StomperG @stephenw10
                        last edited by Apr 1, 2024, 9:23 PM

                        @stephenw10 On the local WAN I literally see 0 lines of logs during the pcap.

                        • S
                          StomperG @stephenw10
                          last edited by StomperG Apr 1, 2024, 10:21 PM Apr 1, 2024, 9:30 PM

                          @stephenw10 I just need to run these 2 commands and wait? Or do I need to do something else on the VM with the problem? And the server IP is the GRE IP, right?

                          • S
                            stephenw10 Netgate Administrator
                            last edited by Apr 1, 2024, 10:02 PM

                            Hmm, are you filtering the pcap on the local pf?

                            Yes the server side runs continually until you kill it. The client will run for 30s by default.
                            https://man.freebsd.org/cgi/man.cgi?query=iperf3

                            • S
                              StomperG @stephenw10
                              last edited by Apr 1, 2024, 10:36 PM

                              @stephenw10

                              Server:
                              46876a21-edd6-4780-a8e7-19f8d544cf79-image.png

                              Client:
                              7c51ef3c-a7fa-4f77-927c-797f85719014-image.png

                              • S
                                stephenw10 Netgate Administrator
                                last edited by Apr 1, 2024, 10:49 PM

                                Hmm, same both ways?

                                Try using one of the other IPs on the server as the target. The GRE endpoint IP can behave in an odd way.

                                • S
                                  StomperG @stephenw10
                                  last edited by Apr 1, 2024, 10:57 PM

                                  @stephenw10 I tried, but it either gives me a firewall problem because the port isn't exposed or gives me that.

                                  • S
                                    stephenw10 Netgate Administrator
                                    last edited by Apr 1, 2024, 11:04 PM

                                    Which way are you testing? The server end should listen on all available IPs by default. I would expect the client end to have a route to any of them.

                                    • S
                                      StomperG @stephenw10
                                      last edited by Apr 1, 2024, 11:10 PM

                                      @stephenw10 I'm starting the server on the VPC (from the company where I bought the IPs and VPC) and the client on the local pf VM.

                                      • S
                                        stephenw10 Netgate Administrator
                                        last edited by Apr 1, 2024, 11:19 PM

                                        Ok so you should be able to use the VPC WAN address as the target for the client.

                                        • S
                                          StomperG @stephenw10
                                          last edited by Apr 2, 2024, 12:27 AM

                                          @stephenw10
                                          dfa21eb8-9f3c-42e7-baeb-cc5591faa967-image.png
