NAT with GRE tunnel as WAN interface

[jtl]

Hello

I should explain some things first.

I have a server running Proxmox (Debian 8.7 x64). It's connection to the internet is eth0 (behind NAT with GRE protocol forwarded)

The GRE interface (gre1) is created and monitored by a custom daemon running on the host, but otherwise doesn't touch firewall rules or routes. The IP of this machine in the GRE tunnel is 192.168.168.2 and the remote endpoint is 192.168.168.1

I have one network bridge setup (vmbr0). Here is the relevant config.

auto vmbr0
iface vmbr0 inet static
    address 10.2.0.1
    netmask 255.255.255.0
    bridge_ports none
    bridge_stp off
    bridge_fd 0

    post-up echo 1 > /proc/sys/net/ipv4/ip_forward
    post-up   iptables -t nat -A POSTROUTING -s '10.2.0.0/24' -o gre1 -j MASQUERADE
    post-down iptables -t nat -D POSTROUTING -s '10.2.0.0/24' -o gre1 -j MASQUERADE

On the machine that is the other end of the GRE tunnel I already have iptables configured to NAT properly and can ping 192.168.168.1 and outside destinations by using ping -I gre1 <destinaton> on the host however inside a VM I can ping 192.168.168.2 and .1 but not outside destinations.

I suspect the solution to this is some routing-table foo as I did get it working earlier by replacing the default gateway route on the host with 192.168.168.1 and manually creating a route for the GRE tunnel endpoint via 192.168.1.1 (my router), however this also forces all host traffic through the GRE tunnel, which I do not want, only VM traffic.

Thanks

 

[jtl]

In addition the commands to route everything through the GRE tunnel including host traffic (works)

ip route add GRE_TUNNEL_GATEWAY via 192.168.1.1 # to avoid running the GRE tunnel in itself
ip route change default via 192.168.168.1

Now if only I could get it working so only vmbr0 interface goes through the GRE tunnel, grr.