How to Configure MikroTik IPIP and GRE Tunnels
Connecting your local network to a remote server, like PerLod Hosting, is a common task for network admins. But which protocol should you use? The choice often comes down to the MikroTik GRE vs IPIP tunnel. Both are simple ways to link networks over the internet, but they handle traffic differently.
In this guide, we explain the differences between Generic Routing Encapsulation (GRE) and IP-in-IP (IPIP), when to use each, and provide a complete configuration to make your tunnel up and running in minutes.
Table of Contents
MikroTik GRE vs IPIP Tunnel: Quick Comparison
Before starting the configuration, it is helpful to understand the differences between GRE and IPIP protocols. Both protocols do the same job, creating a tunnel between networks, but each is better suited for different situations.
Here are the key differences between MikroTik GRE vs IPIP tunnel:
| Feature | IPIP Tunnel | GRE Tunnel |
|---|---|---|
| Protocol ID | 4 (IP-in-IP) | 47 (GRE) |
| Overhead | Lower (20 bytes) | Slightly Higher (24 bytes) |
| Payload Support | IPv4 Only | IPv4, IPv6, Multicast, Multiprotocol |
| Complexity | Simple, Single-purpose | Flexible, Standard |
| Best For | Connecting two MikroTik or Linux routers (IPv4 only) with minimal bandwidth loss. | OSPF routing, MPLS, or connecting with non-MikroTik hardware (Cisco/Juniper). |
Now that you have understood the key differences between MikroTik GRE vs IPIP tunnel, proceed to the following steps to see how you can configure each protocol.
1. Configure a MikroTik IPIP Tunnel
If you are connecting two MikroTik routers or a MikroTik VPS and an office router and only need to route private IPv4 traffic, the IPIP tunnel is the most efficient choice. It uses the simplest encapsulation method with the lowest overhead, which makes it ideal for basic site-to-site links where every byte of bandwidth counts.
Here is the Network diagram example to configure a MikroTik IPIP tunnel:
- Site A (Office): WAN IP 1.1.1.1, LAN 192.168.10.0/24
- Site B (Remote): WAN IP 2.2.2.2, LAN 192.168.20.0/24
Create an IPIP Interface
You must create the interface on the first router (Site A) with the command below:
/interface ipip add name=my-ipip remote-address=2.2.2.2 local-address=1.1.1.1 disabled=noExplanation:
- name: Custom name for the interface.
- remote-address: The public IP of the other router.
- local-address: Your own public WAN IP.
Then, run the following command on the second router (Site B) to create the interface:
/interface ipip add name=my-ipip remote-address=1.1.1.1 local-address=2.2.2.2 disabled=noAssign Private Tunnel IPs
Now that the tunnel interface is created, you need to assign IP addresses to it. These addresses allow the routers to talk to each other directly over the virtual link.
On site A, you can use the command below to assign the IP address, we use 10.255.255.0/30:
/ip address add address=10.255.255.1/30 interface=my-ipipOn site B, you can use the command below:
/ip address add address=10.255.255.2/30 interface=my-ipipConfigure IPIP Routing
The final step to configure a MikroTik IPIP tunnel is to tell the routers how to reach the remote networks. You need to add static routes so that traffic destined for the remote LAN is sent through the tunnel interface.
On Site A, route to Site B’s LAN with the command below:
/ip route add dst-address=192.168.20.0/24 gateway=10.255.255.2On Site B, route to Site A’s LAN with the following command:
/ip route add dst-address=192.168.10.0/24 gateway=10.255.255.12. Configure a MikroTik GRE Tunnel
If your network requirements are more advanced, such as needing to run OSPF routing, pass IPv6 traffic, or connect to non-MikroTik equipment like Cisco routers, a GRE tunnel is the standard choice. It offers greater flexibility and compatibility compared to IPIP.
We use the same network diagram:
- Site A (Office): WAN IP 1.1.1.1, LAN 192.168.10.0/24
- Site B (Remote): WAN IP 2.2.2.2, LAN 192.168.20.0/24
Create GRE Interface
You must define the tunnel endpoints on your main router. You need to create a new GRE interface and point it to the public IP address of the remote site.
On Site A, you can run the command below:
/interface gre add name=my-gre remote-address=2.2.2.2 local-address=1.1.1.1Note: GRE uses Protocol 47. Ensure your firewall allows Input traffic for Protocol 47 if you have strict rules.
On Site B, you can use the following command:
/interface gre add name=my-gre remote-address=1.1.1.1 local-address=2.2.2.2Assign IP Addresses to the GRE Interface
Just like the IPIP tunnel, you need to assign an IP address to the GRE interface. This creates the private link between the two routers, which allows them to communicate over the tunnel.
On Site A, run the following command:
/ip address add address=10.255.255.1/30 interface=my-greOn Site B, run the command below:
/ip address add address=10.255.255.2/30 interface=my-greVerify GRE Tunnel with Ping
At this point, you can check if the connection actually works by sending a ping to the private IP address of the remote router:
From Site A, ping the internal IP of Site B:
/ping 10.255.255.2 count=5If it is successful, the tunnel is up. You can now add static routes as shown in the IPIP section or configure OSPF on the my-gre interface.
Secure MikroTik Tunnels with IPSec
Standard GRE and IPIP tunnels do not encrypt data, which means your traffic is sent in clear text across the internet. To ensure your connection is private and secure, it is critical to add encryption. You can protect the link by configuring an IPSec secret directly on the tunnel interface.
Modify Site A with the command below:
/interface gre set my-gre ipsec-secret=StrongPassword123! allow-fast-path=noModify Site B with the command below:
/interface gre set my-gre ipsec-secret=StrongPassword123! allow-fast-path=no- The ipsec-secret automatically generates the necessary IPSec Peers and Policies to encrypt the tunnel transport.
- allow-fast-path=no: Required for IPSec to process packets correctly on many hardware versions.
For detailed information on securing MikroTik Tunnels with IPSec, check this guide on Setting Up a Secure IPsec Tunnel on MikroTik VPS.
Which MikroTik Tunnels Should We Use? IPIP or GRE?
Now that you have seen how to configure both tunnels, the final decision depends on your specific needs. Here is a quick summary to help you choose the right protocol for your network:
- Use IPIP if you are strictly connecting MikroTik to MikroTik or Linux for IPv4 unicast and want to save 4 bytes per packet.
- Use GRE if you need a string and standard link that supports OSPF, MPLS, or non-MikroTik endpoints.
FAQs
Can I bridge Layer 2 traffic like VLANs over GRE or IPIP?
No. GRE and IPIP only route IP traffic (Layer 3). If you need to bridge Layer 2 networks or extend VLANs, use EoIP instead.
What happens if my WAN IP is dynamic for MikroTik Tunnels?
Not easily. GRE and IPIP require static IPs. If you have a dynamic IP, you will need to use MikroTik’s DDNS service and a script to automatically update the tunnel address when your IP changes.
Can I use MikroTik tunnels behind a NAT?
Yes. You must configure your NAT router to forward Protocol 47 for GRE or Protocol 4 for IPIP to your MikroTik. Standard TCP or UDP port forwarding will not work for this.
Conclusion
Choosing between MikroTik GRE vs IPIP Tunnel is about balancing efficiency with flexibility. If you need a simple link between two MikroTik devices to pass IPv4 traffic, IPIP is your best choice. However, if your network requires dynamic routing protocols like OSPF, needs to support IPv6, or connects to mixed-vendor environments like Cisco or Juniper, GRE is the best standard you can choose.
By following this guide, you have a secure site-to-site connection ready for production.
We hope you enjoy it. Subscribe to our X and Facebook channels to get the latest updates and articles.
