WatchGuard Support Center

Knowledge Base - Article

 Configure an EoGRE tunnel from a WatchGuard Wi-Fi Cloud AP to a GRE endpoint

How do I configure an EoGRE tunnel from a Wi-Fi Cloud AP to a GRE end point?


Tunneling provides a mechanism to transport packets of a protocol within another protocol. Generic Routing Encapsulation (GRE) is one of the available tunneling mechanisms that uses IP as the transport protocol to encapsulate other different protocols. The tunnels behave as a virtual point-to-point link that has two endpoints identified by the tunnel source and tunnel destination addresses at each endpoint.

This diagram shows the encapsulation process of GRE (Generic Routing Encapsulation) packet as it traverses the WatchGuard AP and enters the GRE tunnel interface:

User-added image
 WatchGuard APs support these types of GRE tunneling.
  1. EoGRE (Ethernet over GRE).
  2. GRE in NAT SSID mode. This option only supports uni-directional traffic where the tunnel is used to transmit data from the AP to the other end of the tunnel. Traffic from the endpoint to the AP will not travel through the GRE tunnel.
  3. EoGRE over IPsec (for detailed information, see Configure EoGRE over IPSec in Wi-Fi Cloud)

Requirements for Configuring an EoGRE tunnel from an AP

  • You must configure the SSID Profile in bridged network mode. 
  • Make that you have routing rules properly configured to route traffic of the EoGRE tunnel to desired destination.
  • The Remote Endpoint should be reachable from the tunnel interface of the AP.
  • On the same AP, the Tunnel IP address across all VLANs and the SSIDs configured in GRE mode must be unique.
  • If you configure "Local Endpoint VLAN" in "Ethernet Over GRE", the VLAN must be available on the trunk port to which the AP is connected. If the VLAN ID specified in the SSID > Network section and Remote Bridging sections are the same, then the VLAN ID specified in the "Network" section is encapsulated inside the GRE of the above "Local Endpoint VLAN" and needs to be available on another side of the network.
  • On the same AP, if there are two or more SSIDs configured for GRE then they must use a unique remote endpoint or a unique key or different SSID VLAN.

Configure EoGRE in Wi-Fi Cloud

WatchGuard Wi-Fi Cloud implements the EoGRE functionality within the Network Interface Profile configuration. A network interface profile represents the tunnel interface on the AP through which network traffic from the configured SSIDs can be routed to a remote endpoint. The remote endpoint then re-routes this traffic to their respective path or destination. 

When you configure network interface profiles, you can specify a primary endpoint and a secondary endpoint. The wireless traffic is bridged to the secondary endpoint if the primary endpoint fails. The secondary endpoint is optional and is functional only if you enable a secondary endpoint and configure the host name and local endpoint VLAN for the secondary endpoint.

The secondary endpoint checks for the availability of the primary endpoint and transfers control to the primary endpoint when it is available. A Network Interface Profile must be attached to an SSID Profile when you enable remote bridging on the SSID profile.

To configure an EoGRE tunnel interface:

  1. Open Manage.
  2. Select Configuration > Device Configuration > Network Interfaces.
  3. Click Add Network Interface Profile.
  4. In the Remote Endpoint (IP address/Hostname) text box, type the IP address or hostname of the remote end point.
  5. In the GRE Primary Key text box, type a key. This key must be the same on both sides of tunnel.
  6. In the Local Endpoint VLAN text box, type the VLAN ID of the source interface on the AP.
User-added image
  1. Click Save.

When the tunnel interface is created, you can map the interface to the SSID Profile:

  1. Select Configuration > Device Configuration > SSID Profiles.
  2. Expand the Network section.
  3. Select the Remote Bridging check box. 
  4. From the Network Interface Profile drop-down list, select the Network Interface Profile you created in the previous step.
User-added image
  1. Click Save.

To establish the tunnel, make sure the remote endpoint is configured correctly to accept the tunnel request from the WatchGuard AP.

Configuration Example (Cisco ASR router with EoGRE)

To configure a Cisco ASR router as a remote endpoint:
  1. Create a tunnel interface.
ASR(config)# interface Tunnel68
  1. Assign a MAC address.
ASR(config-if)# mac-address 0000.5e00.0068
  1. Assign an IP address the same as the gateway of the DHCP pool.
ASR(config-if)# ip address
ASR(config-if)# no ip redirects
  1. Declare a Gigabit interface that is connected to the AP as the tunnel source.
ASR(config-if)# tunnel source GigabitEthernet0/0/0
  1. Declare the tunnel mode (Ethernet over GRE for IPv4). 
ASR(config-if)# tunnel mode ethernet gre ipv4
  1. Configure a tunnel key (optional) that matches that of the WatchGuard AP
ASR(config-if)# tunnel key 2000
ASR(config-if)# tunnel vlan 2000

DHCP pool configuration:

  1. Select an DHCP pool subnet for tunneling. For example, /24. Clients will receive the IP from this pool.
ASR(config)# ip dhcp pool DHCP_TUNNEL_68
ASR(dhcp-config)# network
  1. Select a gateway IP from this subnet. For example,
ASR(dhcp-config)# default-router
  1. Exclude this gateway IP from the DHCP assignment (to avoid allotting this IP to any client)
ASR(dhcp-config)# ip dhcp excluded-address
ASR(dhcp-config)# dns-server
ASR(dhcp-config)# exit

Note: The Cisco ASR router supports GRE with Advanced Enterprise Service License (SLASR1-AES).