GRE tunnel Pfsense <-> Mikrotik



  • Anyone with success setting up a GRE tunnel Mikrotik <-> Pfsense?

    I have several GREs set up between Mikrotik routers, so I feel comfortable with the basics. But now I have a Pfsense in one location, and I can't get the tunnel up running, even without adding IPSEC to the mix. On the Pfsense side the GRE interface shows as UP, on the Mikrotik side it is "blinking" - running - not running - running, etc. Can't ping remote IPs on the inside.

    What I have tried:

    • Hard setting MTU to 1476 and 1500 on both sides.
    • Allow all FW rule on the GRE interface.
    • Adding a specific NO NAT rule on the GRE interface.
    • Temporarily adding allow all on the WAN interface, both sides, to rule out FW blocking.
    • Resetting states.

    Anything obvious I am missing, or are there known issues between these boxes?



  • Answer to self: Pfsense RIP doesn't allow for specification of subnets for which routing info is exchanged. So Pfsense exchanges all routes it has, incl those for OVPN, which make Mikrotik choke. Disabling RIP on Pfsense and adding static route on Mikrotik side fixed the problem. Tunnel is up. Next challenge: adding IPSEC to the mix.



  • Running GRE over IPsec is not a great idea due to the long running bug #4479, which is actually a kernel bug in FreeBSD.

    It can be more or less worked around with firewall rules, but this effectively disables filtering at all on the interface