GRE (Generic Routing Encapsulation)¶
Generic Routing Encapsulation (GRE) is a method of tunneling traffic between two endpoints without encryption. It can be used to route packets between two locations that are not directly connected, which do not require encryption. It can also be combined with a method of encryption that does not perform its own tunneling.
Note
The GRE protocol was originally designed by Cisco, and it is the default tunneling mode on many of their devices.
GRE tunnels can carry either IPv4, IPv6, or both types of traffic at the same time.
GRE Interface Settings¶
- Parent interface:
The interface upon which the GRE tunnel will terminate. Often this will be WAN or a WAN-type connection.
- Remote Address:
The address of the remote peer. This is the address where the GRE packets will be sent by this firewall; The routable external address at the other end of the tunnel.
- Local IPv4/IPv6 Tunnel Address:
The internal IPv4 and IPv6 address for the end of the tunnel on this firewall. The firewall will use this address for its own traffic in the tunnel, and tunneled remote traffic would be sent to this address by the remote peer.
- Remote IPv4/IPv6 Tunnel Address:
The IPv4 and IPv6 address used by the firewall inside the tunnel to reach the far side. Traffic destined for the other end of the tunnel must use this address as a gateway for routing purposes.
- IPv4/IPv6 Tunnel Subnet:
The subnet mask for the GRE interface address.
- Add Static Route:
When set, the firewall adds an explicit static route for the remote inner tunnel address/subnet via the local tunnel address. This can help with reaching the remote subnet in cases where other route table entries may select the wrong path to that destination.
- Description:
A short description of this GRE tunnel for documentation purposes.
GRE Interface Management¶
To create or manage a GRE interface:
Navigate to Interfaces > Assignments, GRE tab
Note
The items in this list are managed in the usual way. See Managing Lists in the GUI.
Click Add to create a new GRE instance
Complete the settings as described in GRE Interface Settings
Click Save
Navigate to Interfaces > Assignments
Select the new GRE interface in the Available network ports list
Click Add
Note the name given to the new interface (e.g. OPT1)
Navigate to Interfaces > <name> where
<name>
corresponds to the name of the GRE interface (e.g. OPT1)Check Enable interface
Enter a new name for the interface in Description (optional)
Click Save
Then use the interface as any other WAN-type interface. The firewall automatically creates a dynamic gateway for routing purposes. Depending on the use case, the interface may need NAT or firewall rules, static routes, and so on.