GRE interface configuration

Introduction

The GRE (=Generic Routing Encapsulation) protocol can be used to encapsulate other protocols and transport them via tunnels. It should be noted that the packets are not encrypted.

Possible use of the GRE protocol:

• For PPTP VPN

Create GRE tunnel

In this example, the firewall "Headquarters" has the IP address 198.51.100.75/24 on eth0 and the remote site "Site-01" has the IP address 198.51.100.1/24 on eth0.

The local subnets are 10.0.0.0/24 for "Central" and 10.1.0.0/24 for "Site-01".

To establish this connection, a transfer network is still required, which in this example is 10.250.0.0/24.

Create GRE interface
Menu → Network →Network configuration Start Wizard + GRE
Name and local IP addresses
Name:	gretun0	Here you can enter the desired name for the GRE tunnel	Name and local IP addresses
Local IP Address:	10.250.0.1/24	Local IP of the transfer network, which is specified with this
Local tunnel endpoint:	203.0.113.204	The respective public IP
Remote endpoint
Remote endpoint:	203.0.113.203/---	The remote endpoint has the IP 203.0.113.203	Remote endpoint
Zones
Zones:	× external × firewall-external × firewall-internal × dmz1	Here you can select the desired zones	Zones
Add new zone:	Yes gre	If necessary, a new zone can be created here
Auto-generate rules:	No	Auto-generated rules that may need to be replaced
Back	By clicking on the button previous steps can be edited again
Finish	Clicking the button saves the entries and adds the interface
Abort	Clicking the button cancels the process, deletes the entries and closes the dialog
Routing
Select → Network →Network configurationTab Routing from the menu. Add a new route
Source Network:	/24	The field is optional	Add Route
Gateway Interface:	gretun0	The interface that has just been created must be selected
Destination Network:	10.1.0.0/24	Destination network is the remote network of the remote station
Weight	0	A higher weighting can be entered here
Save	Clicking the button saves the entries and adds the route
Close	Clicking the button cancels the process, deletes the entries and closes the dialog

Port filter

Create firewall rule

The simple option to connect the networks with each other is using the network objects of the entire networks and the "any" service.

However, security and control are always obtained only when working dedicatedly.

• In the → Firewall →Port filter menu.
• Add a new rule
• Source is the internal-network
• Destination is remote network gre-network
• Select default-internet as the service in the test scenario.
• Click Add
• Add another rule
• Source is the remote network gre-network
• Destination is the internal-network
• Select default-internet as the service in the test scenario.
• Click Add and close

Create dedicated firewall rule

Of course, it is also advisable to work in a dedicated manner, i.e. to create individual network objects for each required connection and to enable only the required services in the port filter rule.

In this example, the mail server in "Site-01" is to be reached from the "Headquarters" network via "smtp". In addition, clients from the network of "Site-01" are to access the terminal server of the "Headquarters" via RDP.

• Open → Firewall →PortfilterTab Network Objects
• Add a new object:

Name:	xsrv-GRE-mail-01	Here the respective desired name for the network object can be chosen.	Add network object
Type:	Host	Select the relevant type
Address:	10.1.0.10/---	The IP address is entered here
Zone:	gre	Here the previously created zone "gre" was selected
Groups:		Additional groups can be selected
Save	Here the entries are saved and the network object is added.
Save and close	Here the entries are saved, the network object is created and the editing dialog is closed.
Close	Here the process is canceled, the entries are deleted and the dialog is closed.
In the → Firewall →Port filter menu. Add a new rule Source is internal-network Destination is remote network xsrv-GRE-mail-01 Select smtp as the service when accessing the mail server Click Add			Zugriff vom internen Netz zum Mailserver der Gegenstelle erlauben
Eine weitere Regel hinzufügen Quelle ist das entfernte Netz gre-network Ziel ist srv-lg-rdp-01 Als Dienst beim Zugriff auf den Terminalserver ms-rdp wählen Hinzufügen und schließen klicken (Siehe oben)
The ruleset			The rule group with the port filter rules

Configuration of the remote terminal
On the remote UTM, the settings must be made in reverse.
Name:	gretun0	Here you can enter the desired name for the GRE tunnel	Name and local IP addresses
Local IP Address:	10.250.0.2/24	Local IP of the transfer network, which is specified with this
Local tunnel endpoint:	203.0.113.203	The respective public IP
Remote endpoint:	203.0.113.204/---	What is local in "Headquarters" is remote in "Site-01".	Remote endpoint
Zones:	× external × firewall-external × firewall-internal × dmz1	Here you can select the desired zones	Zones
Add new zone:	Yes gre	If necessary, a new zone can be created here
Auto-generate rules:	No	Auto-generated rules that may need to be replaced
Back	By clicking on the button previous steps can be edited again
Finish	Clicking the button saves the entries and adds the interface
Abort	Clicking the button cancels the process, deletes the entries and closes the dialog
Add rule
For incoming and outgoing port filter rules, corresponding services must be created. Rules designed outgoing in "Headquarters" must be created incoming at "Site-01".			Configuration of the remote terminal - Add rule