# GRE and IPIP Tunnels

GRE (Generic Routing Encapsulation) and IPIP (IP-in-IP) are lightweight point-to-point tunnel protocols built into RouterOS. Both create virtual interfaces that carry traffic between two endpoints over an existing IP network, without encryption.

- GRE (IP protocol 47) — encapsulates any network-layer protocol. More flexible, supports keepalive probing.
- IPIP (IP protocol 4) — encapsulates IP inside IP only. Simpler and slightly lower overhead.

Neither protocol provides encryption or authentication on its own. For secure tunnels, pair them with IPsec.
## Prerequisites

- RouterOS 6.x or later on both endpoints
- IP connectivity between the two endpoint public (or routable) addresses
- Firewall input rules permitting GRE (protocol 47) or IPIP (protocol 4) between endpoints
## Concepts

### Tunnel interface model

Both GRE and IPIP create a virtual point-to-point interface. Once the interface exists you treat it like any other RouterOS interface: assign an IP address, add routes, apply firewall rules.

The tunnel header adds overhead to each packet:

| Protocol | Header overhead | Carries |
|---|---|---|
| GRE | 24 bytes (IPv4) | Any network-layer protocol |
| IPIP | 20 bytes | IPv4 only |

### Tunnel vs transport address

- Transport addresses (`local-address`, `remote-address`) — the outer IP header. These must be routable between the two endpoints.
- Tunnel addresses — IP addresses assigned to the tunnel interface itself. Used for routing over the tunnel. A `/30` is typical for point-to-point links.
## GRE Tunnel

### Create the interface

```
/interface gre add \
    name=gre-to-branch \
    local-address=198.51.100.1 \
    remote-address=203.0.113.2
```

Interface properties:

| Property | Default | Description |
|---|---|---|
| name | — | Interface name |
| local-address | 0.0.0.0 | Local transport IP (use 0.0.0.0 to bind to any outbound address) |
| remote-address | — | Remote transport IP |
| keepalive | 10s,10 | Interval and retry count for keepalive probes. Disables the interface if no response after retries. |
| clamp-tcp-mss | yes | Clamp TCP MSS to prevent fragmentation |
| allow-fast-path | yes | Enable hardware/fast-path acceleration |
| mtu | 1476 | MTU of the tunnel interface |
| disabled | no | Whether the interface is disabled |

### Assign a tunnel IP address

```
/ip address add address=10.10.10.1/30 interface=gre-to-branch
```

### Add routes over the tunnel

```
/ip route add dst-address=192.168.20.0/24 gateway=10.10.10.2
```

### Firewall — allow GRE traffic

Permit GRE (protocol 47) on the input chain between tunnel endpoints:

```
/ip firewall filter add \
    chain=input \
    protocol=gre \
    src-address=203.0.113.2 \
    action=accept \
    comment="Allow GRE from branch"
```

Place this rule before any default drop rule.
## IPIP Tunnel

### Create the interface

```
/interface ipip add \
    name=ipip-to-branch \
    local-address=198.51.100.1 \
    remote-address=203.0.113.2
```

Interface properties:

| Property | Default | Description |
|---|---|---|
| name | — | Interface name |
| local-address | 0.0.0.0 | Local transport IP |
| remote-address | — | Remote transport IP |
| clamp-tcp-mss | yes | Clamp TCP MSS to prevent fragmentation |
| allow-fast-path | yes | Enable fast-path acceleration |
| mtu | 1480 | MTU of the tunnel interface |
| disabled | no | Whether the interface is disabled |

IPIP does not have a keepalive mechanism. Use routing protocol adjacency (e.g. OSPF) or external monitoring to detect tunnel failures.

### Assign a tunnel IP address

```
/ip address add address=10.20.20.1/30 interface=ipip-to-branch
```

### Add routes over the tunnel

```
/ip route add dst-address=192.168.30.0/24 gateway=10.20.20.2
```

### Firewall — allow IPIP traffic

Permit IPIP (IP protocol 4) on the input chain:

```
/ip firewall filter add \
    chain=input \
    protocol=ipencap \
    src-address=203.0.113.2 \
    action=accept \
    comment="Allow IPIP from branch"
```

## Site-to-Site Example

Connect Site A (192.168.10.0/24, public IP 198.51.100.1) to Site B (192.168.20.0/24, public IP 203.0.113.2) using a GRE tunnel. The tunnel subnet is 10.10.10.0/30.

### Site A

```
# Tunnel interface
/interface gre add name=gre-to-b local-address=198.51.100.1 remote-address=203.0.113.2

# Tunnel IP
/ip address add address=10.10.10.1/30 interface=gre-to-b

# Route to remote LAN via tunnel
/ip route add dst-address=192.168.20.0/24 gateway=10.10.10.2

# Firewall — permit GRE from Site B and forward tunnel traffic
/ip firewall filter add chain=input protocol=gre src-address=203.0.113.2 action=accept comment="GRE from Site B"
/ip firewall filter add chain=forward in-interface=gre-to-b action=accept comment="GRE forward"
```

### Site B

```
# Tunnel interface
/interface gre add name=gre-to-a local-address=203.0.113.2 remote-address=198.51.100.1

# Tunnel IP
/ip address add address=10.10.10.2/30 interface=gre-to-a

# Route to remote LAN via tunnel
/ip route add dst-address=192.168.10.0/24 gateway=10.10.10.1

# Firewall — permit GRE from Site A and forward tunnel traffic
/ip firewall filter add chain=input protocol=gre src-address=198.51.100.1 action=accept comment="GRE from Site A"
/ip firewall filter add chain=forward in-interface=gre-to-a action=accept comment="GRE forward"
```

### Verify the tunnel

```
# Check interface state
/interface gre print detail

# Ping the remote tunnel endpoint
/ping 10.10.10.2

# Ping a host in the remote LAN
/ping 192.168.20.1

# Confirm route is active
/ip route print where dst-address=192.168.20.0/24
```

## MTU and Fragmentation

GRE adds 24 bytes of overhead; IPIP adds 20 bytes. On a standard 1500-byte Ethernet path:

| Protocol | Recommended tunnel MTU | TCP MSS clamp |
|---|---|---|
| GRE | 1476 | 1436 |
| IPIP | 1480 | 1440 |

RouterOS sets these defaults automatically. If the path MTU between endpoints is smaller (e.g., over a DSL link with PPPoE), reduce `mtu` accordingly:

```
/interface gre set gre-to-branch mtu=1452
```

With `clamp-tcp-mss=yes` (the default), RouterOS rewrites TCP SYN MSS values to prevent black-hole issues. Leave this enabled unless you have a specific reason to disable it.
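As an added example (not RouterOS code and not part of the original page), the following Python builds and strips the GRE and IPIP encapsulation described in the tunnel interface model and MTU sections, so the 24-byte and 20-byte overheads and the resulting MTU and MSS values can be checked on a constructed packet. It assumes base GRE with no checksum, key or sequence options, uses the page's documentation addresses, and the inner payload is constructed filler.

```python
import socket
import struct

GRE_PROTO, IPIP_PROTO, ETHERTYPE_IPV4 = 47, 4, 0x0800
OVERHEAD = {GRE_PROTO: 24, IPIP_PROTO: 20}  # outer IPv4 (20) + base GRE (4); IPIP adds only outer IPv4

def ipv4_checksum(header: bytes) -> int:
    # One's-complement sum of 16-bit words; a header with a correct checksum field sums to 0.
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    # Minimal 20-byte IPv4 header without options; TTL 64, no fragmentation flags.
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]

def gre_encapsulate(src: str, dst: str, inner: bytes) -> bytes:
    # Base GRE (RFC 2784): flags/version = 0, protocol type 0x0800 for an IPv4 payload.
    gre = struct.pack("!HH", 0, ETHERTYPE_IPV4)
    return ipv4_header(src, dst, GRE_PROTO, len(gre) + len(inner)) + gre + inner

def ipip_encapsulate(src: str, dst: str, inner: bytes) -> bytes:
    # IPIP (RFC 2003): the outer IPv4 header is the only thing added.
    return ipv4_header(src, dst, IPIP_PROTO, len(inner)) + inner

def decapsulate(packet: bytes) -> tuple:
    # Strip the outer header; returns (outer IP protocol, inner packet). The inner packet comes
    # back byte for byte, which is why both tunnel types need IPsec for confidentiality.
    ihl, proto = (packet[0] & 0x0F) * 4, packet[9]
    body = packet[ihl:]
    if proto == IPIP_PROTO:
        return proto, body
    if proto == GRE_PROTO:
        flags, ptype = struct.unpack("!HH", body[:4])
        if flags & 0xB000 or ptype != ETHERTYPE_IPV4:  # C, K or S bit set, or non-IPv4 payload
            raise ValueError("only base GRE carrying IPv4 is handled here")
        return proto, body[4:]
    raise ValueError("outer protocol %d is neither GRE nor IPIP" % proto)

def tunnel_mtu(path_mtu: int, proto: int) -> int:
    return path_mtu - OVERHEAD[proto]
def tcp_mss_clamp(mtu: int) -> int:
    # What clamp-tcp-mss enforces: tunnel MTU minus the 20-byte IPv4 and 20-byte TCP headers.
    return mtu - 40

# Constructed sample: a packet from the Site A LAN to the Site B LAN with 8 filler bytes as payload.
INNER = ipv4_header("192.168.10.5", "192.168.20.1", 1, 8) + b"\x00" * 8
GRE_PKT = gre_encapsulate("198.51.100.1", "203.0.113.2", INNER)
IPIP_PKT = ipip_encapsulate("198.51.100.1", "203.0.113.2", INNER)
```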
## Adding IPsec Encryption

GRE and IPIP tunnels carry traffic in plaintext. To encrypt them, use one of two approaches.

### Option 1 — GRE ipsec-secret (simple, single tunnel)

Set the `ipsec-secret` property on the GRE interface. RouterOS automatically creates the matching IPsec peer and transport-mode policy:

```
# Site A
/interface gre set gre-to-branch ipsec-secret=StrongSharedSecret

# Site B (same secret)
/interface gre set gre-to-hq ipsec-secret=StrongSharedSecret
```

RouterOS negotiates IKEv1 by default with this method. The IPsec policy protects GRE traffic (IP protocol 47) between the two transport addresses. No manual peer or policy configuration is required.

Limitations of `ipsec-secret`:

- IKEv1 only — cannot select IKEv2 or specific cipher suites
- Single pre-shared key per GRE interface
- Limited visibility into IPsec state (auto-generated peers are not editable)

### Option 2 — Manual IPsec with GRE over the top (recommended for production)

Build a full IKEv2 IPsec transport policy between the two public addresses, then layer GRE on top of it. This gives full control over encryption algorithms, DH groups, and key lifetimes.

Step 1: Configure IPsec on both routers

```
# On both sides — create a proposal and profile
/ip ipsec proposal add name=gre-prop auth-algorithms=sha256 enc-algorithms=aes-256-cbc pfs-group=modp2048
/ip ipsec profile add name=gre-profile dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256

# Site A: peer and policy pointing at Site B's public IP
# (on RouterOS 6.45 and later the pre-shared key is set under /ip ipsec identity
#  with peer=site-b secret=... instead of as a peer property)
/ip ipsec peer add name=site-b address=203.0.113.2 exchange-mode=ike2 profile=gre-profile secret=StrongSharedSecret
/ip ipsec policy add src-address=198.51.100.1/32 dst-address=203.0.113.2/32 protocol=gre tunnel=no action=encrypt proposal=gre-prop peer=site-b

# Site B: mirror configuration
/ip ipsec peer add name=site-a address=198.51.100.1 exchange-mode=ike2 profile=gre-profile secret=StrongSharedSecret
/ip ipsec policy add src-address=203.0.113.2/32 dst-address=198.51.100.1/32 protocol=gre tunnel=no action=encrypt proposal=gre-prop peer=site-a
```

Step 2: Create the GRE interface as usual (no `ipsec-secret` needed)

```
/interface gre add name=gre-to-branch local-address=198.51.100.1 remote-address=203.0.113.2
/ip address add address=10.10.10.1/30 interface=gre-to-branch
/ip route add dst-address=192.168.20.0/24 gateway=10.10.10.2
```

Verify IPsec is encrypting the GRE traffic:

```
/ip ipsec active-peers print
/ip ipsec statistics print
```

The `ph2-state` should show `established` for the GRE peer policy.
## Troubleshooting

### Check interface status

```
/interface gre print detail
/interface ipip print detail
```

A running interface shows `R` (running) in the flags column. An interface that is `X` (disabled) or missing `R` indicates a problem.

### Monitor tunnel state (IPIP)

```
/interface ipip monitor ipip-to-branch
```

### Enable debug logging

```
/system logging add topics=interface,debug action=memory
/log print where topics~"interface"
```

### Packet capture — verify encapsulated traffic

```
# Capture GRE traffic (protocol 47)
/tool sniffer quick ip-protocol=gre

# Capture IPIP traffic (protocol 4)
/tool sniffer quick ip-protocol=ipencap
```

### Common problems

| Symptom | Likely cause | Fix |
|---|---|---|
| Interface stays down | Firewall dropping tunnel protocol | Add input accept rule for protocol 47 (GRE) or 4 (IPIP) |
| Interface up, no traffic | Missing route | Add /ip route for remote subnets |
| Interface up, no traffic | Forward chain drop rule | Add forward accept rule for tunnel interface |
| High packet loss | MTU mismatch / fragmentation | Lower tunnel MTU, verify clamp-tcp-mss=yes |
| GRE goes down intermittently | Keepalive timeout too aggressive | Increase keepalive: /interface gre set <name> keepalive=30s,5 |
| Asymmetric routing breaks tunnel | local-address=0.0.0.0 picks wrong source | Set explicit local-address matching the expected return path |

### Ping through the tunnel step by step

```
# 1. Is the tunnel interface running?
/interface print where name=gre-to-branch

# 2. Can you reach the remote tunnel IP?
/ping 10.10.10.2

# 3. Can you reach a host in the remote LAN?
/ping 192.168.20.1

# 4. Is there a route for the remote LAN?
/ip route print where dst-address=192.168.20.0/24

# 5. Is there a firewall forward rule?
/ip firewall filter print where chain=forward
```

## GRE vs EoIP vs IPIP — Choosing the Right Tunnel

RouterOS offers three lightweight tunnel types for site-to-site connectivity. The right choice depends on whether you need L2 or L3 transport, multicast support, and whether interoperability with non-MikroTik equipment matters.

| | GRE | IPIP | EoIP |
|---|---|---|---|
| Layer | L3 | L3 | L2 (Ethernet) |
| Carries | Any network-layer protocol | IPv4 only | Ethernet frames |
| IP protocol | 47 | 4 | 47 (GRE subtype) |
| Header overhead | 24 bytes | 20 bytes | 28 bytes |
| Keepalive support | Yes | No | No |
| Multicast support | Yes | No | Yes (as Ethernet) |
| Encryption | Via IPsec or ipsec-secret | Via IPsec | Via IPsec or ipsec-secret |
| Non-MikroTik compatible | Yes (standard RFC 2784) | Yes (standard RFC 2003) | No (MikroTik proprietary) |
| Typical use | Routed site-to-site, dynamic routing (OSPF/BGP) | Simplest IP transit, lowest overhead | Bridge remote sites at L2, extend VLANs |
### When to use GRE

- You need to run dynamic routing protocols (OSPF, BGP) over the tunnel — GRE carries multicast which these protocols require.
- One or both endpoints are non-MikroTik routers (Cisco, Juniper, Linux) — GRE is a standard protocol.
- You want keepalive detection to bring down routes when the remote end is unreachable.

### When to use IPIP

- The simplest possible IP-over-IP transport where lowest overhead matters.
- Both endpoints only carry IPv4 unicast traffic with no need for multicast.
- You need to minimize per-packet overhead on constrained links.

### When to use EoIP

- You need to extend a LAN at Layer 2 across two sites (same broadcast domain, same VLAN).
- You are bridging switch ports between two MikroTik routers.
- Both endpoints are MikroTik (EoIP is proprietary and will not work with other vendors).

## See Also

- WireGuard VPN — encrypted tunnel with modern cryptography
- L2TP/IPsec — remote access with built-in encryption
- IPsec — encrypt GRE/IPIP tunnels with manual IPsec policies