Last adaptation to the version: 12.6.0
- Function: Update associated network objects
- Design update
Introduction
The GRE (=Generic Routing Encapsulation) protocol can be used to encapsulate other protocols and transport them via tunnels. It should be noted that the packets are not encrypted.
Possible use of the GRE protocol:
- For PPTP VPN
Create GRE tunnel
In this example, the firewall "Headquarters" has the IP address 198.51.100.75/24 on LAN1 and the remote site "Site-01" has the IP address 198.51.100.1/24 on LAN1.
The local subnets are 10.0.0.0/24 for "Central" and 10.1.0.0/24 for "Site-01".
To establish this connection, a transfer network is still required, which in this example is 10.250.0.0/24.
Create GRE interface | |||
| |||
Step 1 - Name + local IP addresses | |||
| Caption | Value | Description | UTMuser@firewall.name.fqdnNetworkNetwork configuration  Head Office
|
|---|---|---|---|
| Name: | gretun0 | Here you can enter the desired name for the GRE tunnel | |
| Local IP Address: | Local IP of the transfer network, which is specified with this | ||
| Local tunnel endpoint: | 203.0.113.204 | Public IP address of the local tunnel endpoint | |
Step 2 - Remote endpoint | |||
| Remote endpoint: | Public IP address of the remote tunnel endpoint |  Head Office Remote endpoint
| |
Step 3 - Zones | |||
| Zones: | external firewall-external firewall-internal dmz1 |
Here you can select the desired zones |  Head Office Zones
|
| Add new zone: | Yes gre |
If necessary, a new zone can be created here | |
| Auto-generate rules: | No | Auto-generated rules that may need to be replaced | |
| Update associated network objects: notempty new as of v12.6.0 |
On | If an existing zone has been selected, all network objects that are already in this zone and have an interface as a target are moved to the new interface. | |
Routing | |||
| |||
| Caption | Value | Description | UTMuser@firewall.name.fqdnNetworkNetwork configuration  Head Office Add Route
|
| Source Network: | The field is optional | ||
| Gateway Type: | Set to Interface to be able to select an interface. | ||
| Gateway | gretun0 | Select the desired interface. | |
| Destination Network: | 10.1.0.0/24 | Destination network is the remote network of the remote station | |
| Weight | 0 |
A higher weighting can be entered here | |
Packet filter
Create firewall rule
The simple variant to connect the networks with each other is using the network objects of the entire networks and the any service.
The packet filter services should therefore be adapted to the application accordingly. In the test scenario, default-internet can be used, in which case the two packet filters look as follows:
| # | Source | Destination | Service | NAT | Task | Active | ||
 |
 internal-network |
gre-network |
 default-internet |
ACCEPT | On | |||
|
gre-network |
internal-network |
default-internet |
ACCEPT | On | |||
Create dedicated firewall rule
Of course, it is also advisable to work in a dedicated manner, i.e. to create individual network objects for each required connection and to enable only the required services in the port filter rule.
In this example, the mail server in "Site-01" is to be reached from the "Headquarters" network via "smtp". In addition, clients from the network of "Site-01" are to access the terminal server of the "Headquarters" via RDP.
- Open Area Network Objects
- Add a new object:
| Caption | Value | Description | UTMuser@firewall.name.fqdnFirewallnetwork objects  Head Office Add network object
|
|---|---|---|---|
| Name: | xsrv-GRE-mail-01 | Here the respective desired name for the network object can be chosen. | |
| Type: | Select the relevant type | ||
| Address: | The IP address is entered here | ||
| Zone: | Here the previously created zone "gre" was selected | ||
| Groups: | Additional groups can be selected | ||
The following packet filter rules must then be added under Button :
| # | Source | Destination | Service | NAT | Task | Active | ||
|
internal-network |
 xsrv-GRE-mail-01 |
 smtp |
ACCEPT | On | |||
|
gre-network |
srv-lg-rdp-01 |
ms-rdp |
ACCEPT | On | |||
Configuration of the remote terminal
On the remote UTM, the settings must be made in reverse.
Add interface
Step 1 - Name + local IP addresses | |||
| Caption | Value | Description | UTMuser@firewall.name.fqdnNetworkNetwork configuration  Remote station
|
|---|---|---|---|
| Name: | gretun0 | Here you can enter the desired name for the GRE tunnel | |
| Local IP Address: | Local IP of the transfer network, which is specified with this | ||
| Local tunnel endpoint: | 203.0.113.203 | Public IP address of the local tunnel endpoint | |
Step 2 - Remote endpoint | |||
| Remote endpoint: | What is local in "Headquarters" is remote in "Site-01". |  Remote station Remote endpoint
| |
Step 3 - Zones | |||
| Zones: | external firewall-external firewall-internal dmz1 |
Here you can select the desired zones | Remote station Zones
|
| Add new zone: | Yes gre |
If necessary, a new zone can be created here | |
| Auto-generate rules: | No | Auto-generated rules that may need to be replaced | |
| Update associated network objects: notempty new as of v12.6.0 |
On | If an existing zone has been selected, all network objects that are already in this zone and have an interface as a target are moved to the new interface. | |
Packet filter rules
| For incoming and outgoing port filter rules, corresponding services must be created. Rules designed outgoing in "Headquarters" must be created incoming at "Site-01". |
UTMuser@firewall.name.fqdnFirewallPacket filter  Remote station Configuration of the remote terminal - Add rule
| ||