/ip route> print
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 ADS 0.0.0.0/0 134.249.180.254 1
1 A S 10.8.0.0/24 gre-tunnel_CORE 1
2 A S 10.194.128.0/24 gre-tunnel_CORE 1
3 ADC 134.249.182.213/27 134.249.182.213 ether1-WAN 0
4 ADC 172.16.13.0/30 172.16.13.2 gre-tunnel_CORE 0
5 A S 192.0.0.0/24 gre-tunnel_CORE 1
6 A S 192.168.1.0/24 gre-tunnel_CORE 1
7 A S 192.168.10.0/24 gre-tunnel_CORE 1
8 A S 192.168.11.0/24 gre-tunnel_CORE 1
9 A S 192.168.12.0/24 gre-tunnel_CORE 1
10 ADC 192.168.13.0/24 192.168.13.1 bridge-local 0
11 A S 192.168.15.0/24 gre-tunnel_CORE 1
12 A S 192.168.50.0/24 gre-tunnel_CORE 1
13 A S 192.168.74.0/24 gre-tunnel_CORE 1
14 A S 192.168.75.0/24 gre-tunnel_CORE 1
15 A S 192.168.77.0/24 gre-tunnel_CORE 1
16 A S 192.168.90.0/24 gre-tunnel_CORE 1
17 A S 192.192.192.0/24 gre-tunnel_CORE 1
/ip firewall filter> print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; defconf: accept ICMP
chain=input action=accept protocol=icmp in-interface-list=all log=no log-prefix=""
1 chain=forward action=accept protocol=udp dst-port=1701,500,4500 log=no log-prefix=""
2 chain=input action=accept protocol=tcp in-interface-list=all dst-port=8291,8728,8729 log=no log-prefix=""
3 X ;;; defconf: accept established,related,untracked
chain=input action=accept connection-state=established,related,untracked log=no log-prefix=""
4 X ;;; defconf: drop invalid
chain=input action=drop connection-state=invalid log=no log-prefix=""
5 X ;;; defconf: drop all not coming from LAN
chain=input action=drop in-interface-list=!LAN log=no log-prefix=""
6 X ;;; defconf: accept in ipsec policy
chain=forward action=accept log=no log-prefix="" ipsec-policy=in,ipsec
7 X ;;; defconf: accept out ipsec policy
chain=forward action=accept log=no log-prefix="" ipsec-policy=out,ipsec
8 X ;;; defconf: fasttrack
chain=forward action=fasttrack-connection connection-state=established,related log=no log-prefix=""
9 X ;;; defconf: accept established,related, untracked
chain=forward action=accept connection-state=established,related,untracked log=no log-prefix=""
10 X ;;; defconf: drop invalid
chain=forward action=drop connection-state=invalid log=no log-prefix=""
11 X ;;; defconf: drop all from WAN not DSTNATed
chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN log=no log-prefix=""
/ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; defconf: masquerade
chain=srcnat action=masquerade out-interface=ether1-WAN log=no log-prefix="" ipsec-policy=out,none
/ip firewall mangle> print
Flags: X - disabled, I - invalid, D - dynamic
When I try to ping a remote server that is reachable through the gre-tunnel, I get a timeout:
> ping 192.168.15.9
SEQ HOST SIZE TTL TIME STATUS
0 192.168.15.9 timeout
1 192.168.15.9 timeout
2 192.168.15.9 timeout
3 192.168.15.9 timeout
4 192.168.15.9 timeout
5 192.168.15.9 timeout
Here is what the traceroute utility shows:
http://prntscr.com/kv7ysc
(i.e., the request is forwarded into the tunnel, where 172.16.13.1 is the IP of the remote gre-tunnel interface. A static return route to the 192.168.13.0/24 subnet is also configured there.)
At the same time, transit (forward) traffic, for example from a PC on the local network, passes through without problems.