GRE (Generic Routing Encapsulation)

Generic Routing Encapsulation (GRE) is a method of tunneling traffic between two endpoints without encryption. It can be used to route packets between two locations that are not directly connected, which do not require encryption. It can also be combined with a method of encryption that does not perform its own tunneling.


The GRE protocol was originally designed by Cisco, and it is the default tunneling mode on many of their devices.

GRE tunnels can carry either IPv4, IPv6, or both types of traffic at the same time.

GRE Interface Settings

Parent interface

The interface upon which the GRE tunnel will terminate. Often this will be WAN or a WAN-type connection.

Remote Address

The address of the remote peer. This is the address where the GRE packets will be sent by this firewall; The routable external address at the other end of the tunnel.

Local IPv4/IPv6 Tunnel Address

The internal IPv4 and IPv6 address for the end of the tunnel on this firewall. The firewall will use this address for its own traffic in the tunnel, and tunneled remote traffic would be sent to this address by the remote peer.

Remote IPv4/IPv6 Tunnel Address

The IPv4 and IPv6 address used by the firewall inside the tunnel to reach the far side. Traffic destined for the other end of the tunnel must use this address as a gateway for routing purposes.

IPv4/IPv6 Tunnel Subnet

The subnet mask for the GRE interface address.

Add Static Route

When set, the firewall adds an explicit static route for the remote inner tunnel address/subnet via the local tunnel address. This can help with reaching the remote subnet in cases where other route table entries may select the wrong path to that destination.


A short description of this GRE tunnel for documentation purposes.

GRE Interface Management

To create or manage a GRE interface:

  • Navigate to Interfaces > Assignments, GRE tab


    The items in this list are managed in the usual way. See Managing Lists in the GUI.

  • Click fa-plus Add to create a new GRE instance

  • Complete the settings as described in GRE Interface Settings

  • Click Save

  • Navigate to Interfaces > Assignments

  • Select the new GRE interface in the Available network ports list

  • Click fa-plus Add

  • Note the name given to the new interface (e.g. OPT1)

  • Navigate to Interfaces > <name> where <name> corresponds to the name of the GRE interface (e.g. OPT1)

  • Check Enable interface

  • Enter a new name for the interface in Description (optional)

  • Click Save

Then use the interface as any other WAN-type interface. The firewall automatically creates a dynamic gateway for routing purposes. Depending on the use case, the interface may need NAT or firewall rules, static routes, and so on.