[Stuck] GRE Tunnel

FlorinMarian

Well-Known Member
Nov 13, 2017
/etc/network/interfaces
Code:
### Hetzner Online GmbH installimage

source /etc/network/interfaces.d/*

auto lo
iface lo inet loopback
iface lo inet6 loopback

# enp0s31f6 is only a port of vmbr0 and carries no addresses of its own.
iface enp0s31f6 inet manual

auto vmbr0
iface vmbr0 inet static
    address AA.BB.CC.DD
    netmask 255.255.255.192
    gateway 88.99.151.65
    # 88.99.151.64/26 is the connected network of vmbr0, so the kernel
    # installs that route by itself; an extra "route add ... dev enp0s31f6"
    # is not needed (the bare bridge port has no address to reach the
    # gateway through).
    bridge_ports enp0s31f6
    bridge_stp off
    bridge_fd 0

# The IPv6 address has to live on the bridge, not on the bridge port,
# otherwise the host is not reachable over IPv6.
iface vmbr0 inet6 static
    address 2a01:4f8:10a:2f8c::2
    netmask 64
    gateway fe80::1

auto vmbr1
iface vmbr1 inet static
    address 192.168.0.1
    netmask 255.255.255.0
    bridge_ports none
    bridge_stp off
    bridge_fd 0
    post-up echo 1 > /proc/sys/net/ipv4/ip_forward
    # Masquerade the VM network behind the public address.
    post-up iptables -t nat -A POSTROUTING -s '192.168.0.0/24' -o vmbr0 -j MASQUERADE
    post-down iptables -t nat -D POSTROUTING -s '192.168.0.0/24' -o vmbr0 -j MASQUERADE
    # Port forward for the VM's SSH. "-i vmbr0" matches only packets that
    # arrive on the public bridge, not packets that arrive over tun1.
    post-up iptables -t nat -A PREROUTING -p tcp -i vmbr0 --dport 22 -j DNAT --to 192.168.0.2
    post-down iptables -t nat -D PREROUTING -p tcp -i vmbr0 --dport 22 -j DNAT --to 192.168.0.2

# GRE tunnel to the anti-DDoS endpoint EE.FF.GG.HH.
auto tun1
iface tun1 inet static
    address 192.168.168.2
    netmask 255.255.255.252
    pointopoint 192.168.168.1
    pre-up ip tunnel add tun1 mode gre local AA.BB.CC.DD remote EE.FF.GG.HH ttl 255
    up ip link set dev tun1 multicast on
    # address/netmask/pointopoint above already assign 192.168.168.2/30; a
    # second "ip addr add" of the same address fails with "File exists" and
    # stops ifupdown from running the remaining post-up commands.
    # Policy routing: traffic sourced from the tunnel address leaves through
    # the tunnel. The table has to exist first:
    #   echo '100 BUYVM' >> /etc/iproute2/rt_tables
    post-up ip rule add from 192.168.168.0/30 table BUYVM
    post-up ip route add default via 192.168.168.1 table BUYVM
    pre-down ip rule del from 192.168.168.0/30 table BUYVM
    post-down ip tunnel del tun1

Proxmox SSH port: 60022

What is my purpose?
To run NAT + a GRE tunnel on the same server.

What do I want?
AA.BB.CC.DD:60022 -> Working
EE.FF.GG.HH:60022 -> Working
AA.BB.CC.DD:22 -> Working (this port comes from 192.168.0.2)
EE.FF.GG.HH:22 -> Not working.

Any idea?
Thank you!
 
Is the PVE firewall enabled?
 
Is the PVE firewall enabled?
I've tried with and without the firewall at all levels (KVM machine, Server, Datacenter).
What I've found is that I can never connect from the GRE endpoint with its hidden IP address.

To be more clear:
Proxmox: GRE + Bridge + Ethernet connection.
Protected VM (outside): GRE + Ethernet

Trying to connect from the AntiDDoS endpoint via telnet:
Proxmox public IP:22 (coming from the FreeBSD machine) -> Great
Proxmox public IP:60022 (SSH of the Proxmox server itself) -> Great
Proxmox GRE IP:22 -> Connection refused
Proxmox GRE IP:60022 -> Great

So I can't manage to forward port 22 of 192.168.0.2 to 192.168.168.2 (the GRE local IP address).
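The results in the last post line up with the interfaces file in the first post: the only DNAT rule carries `-i vmbr0`, so a SYN that arrives over tun1 for 192.168.168.2:22 is never rewritten, reaches the host's own stack, and is refused because sshd listens on 60022. A second DNAT rule for tun1 removes the refusal but does not fix the return path: the host routes the VM's reply packets while their source is still 192.168.0.2 (conntrack only swaps the tunnel address back in at POSTROUTING), so the `from 192.168.168.0/30` rule never matches them and they would leave through vmbr0. The script below is an added example, not code from the thread, from Proxmox or from the anti-DDoS provider. It installs a DNAT rule per ingress interface and a connmark that steers marked replies into the BUYVM table. The script path, the `DRY_RUN` switch and the mark value 0x1 are invented for the example; the interface names, the VM address and the table name are taken from the posted config.

```shell
#!/bin/sh
# gre-ssh-forward: DNAT + return-path policy routing so that TCP/22 arriving
# over the GRE tunnel (tun1) reaches the NATed VM and its replies go back out
# through the tunnel instead of the default route.
# Added example, not from the original thread. Assumed: the script path
# /usr/local/sbin/gre-ssh-forward, DRY_RUN, mark 0x1; tun1/vmbr0/vmbr1,
# 192.168.0.2 and table BUYVM come from the posted interfaces file.
# Hook it from the tun1 stanza in /etc/network/interfaces:
#   post-up  /usr/local/sbin/gre-ssh-forward up
#   pre-down /usr/local/sbin/gre-ssh-forward down
# With DRY_RUN=1 the commands are printed instead of executed.
set -eu

TUN=${TUN:-tun1}          # GRE tunnel interface
WAN=${WAN:-vmbr0}         # public bridge
LAN=${LAN:-vmbr1}         # VM bridge (192.168.0.1/24)
VM=${VM:-192.168.0.2}     # the VM that owns port 22
TABLE=${TABLE:-BUYVM}     # routing table holding "default via 192.168.168.1"
MARK=${MARK:-0x1}         # connmark for connections that entered via the tunnel

# Execute a command, or print it when DRY_RUN=1 (lets the rule set be reviewed offline).
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# The rule list. $1 is -A (add) or -D (delete) so one list serves both up and down.
rules() {
    act=$1
    # 1. DNAT for port 22 on BOTH ingress interfaces. The posted config only had
    #    "-i vmbr0", so a SYN arriving on tun1 hit the host itself, where nothing
    #    listens on 22 (sshd is on 60022): "Connection refused".
    run iptables -t nat "$act" PREROUTING -i "$WAN" -p tcp --dport 22 -j DNAT --to-destination "$VM"
    run iptables -t nat "$act" PREROUTING -i "$TUN" -p tcp --dport 22 -j DNAT --to-destination "$VM"
    # 2. Remember which path a new connection entered on. Replies from the VM are
    #    routed before conntrack un-DNATs them, so their source is still 192.168.0.2
    #    and the "from 192.168.168.0/30" rule cannot match; a restored mark can.
    run iptables -t mangle "$act" PREROUTING -i "$TUN" -m conntrack --ctstate NEW -j CONNMARK --set-mark "$MARK"
    run iptables -t mangle "$act" PREROUTING -i "$LAN" -j CONNMARK --restore-mark
    # 3. Allow the forwarded flow even if the FORWARD policy is DROP.
    run iptables "$act" FORWARD -i "$TUN" -o "$LAN" -p tcp -d "$VM" --dport 22 -m conntrack --ctstate NEW -j ACCEPT
    run iptables "$act" FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

up() {
    rules -A
    # Marked replies use the tunnel's table. The existing source-based rule
    # ("from 192.168.168.0/30 table BUYVM") stays for the host's own sockets.
    run ip rule add fwmark "$MARK" table "$TABLE"
    # Strict rp_filter would drop the DNATed SYN on tun1: the reverse lookup
    # for the client address points at vmbr0, not at the tunnel. Loose mode
    # only requires the source to be reachable somewhere.
    run sysctl -q -w "net.ipv4.conf.$TUN.rp_filter=2"
}

down() {
    run ip rule del fwmark "$MARK" table "$TABLE"
    rules -D
}

main() {
    case "$1" in
        up) up ;;
        down) down ;;
        *) echo "usage: $0 up|down" >&2; return 64 ;;
    esac
}

# Dispatch only when called with an argument, so the file can also be sourced.
[ "$#" -eq 0 ] || main "$@"
```

Use the script in place of the single vmbr0-only DNAT pair in the posted config and keep the `ip rule add from 192.168.168.0/30 table BUYVM` line, which is what makes 60022 work over the tunnel for the host itself. If the PVE firewall is switched back on it inserts its own chains into FORWARD, so re-check with `iptables -L FORWARD -n -v` that the DNATed flow still gets through.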