GRE между офисами. Не проходит трафик.

qpujaismc

xvo писал(а): 30 май 2023, 10:38 Конфиги целиком покажите.
Тут чего-то на любое расширение и даже без него пишет, что запрещено администратором.
Я на Яндекс диск выложу тогда
https://disk.yandex.ru/d/b-VOB3xrouo7JA
конфиг msc.cfg это Московский офис, ранее я его описывал как "одна сторона"
конфиг nn.cfg это Нижний Новгород, ранее я его описывал как "другая сторона"


xvo

Просто текстом под кат, плиз.


Telegram: @thexvo
qpujaismc

xvo писал(а): 30 май 2023, 12:00 Просто текстом под кат, плиз.
Понял. Прошу прощения.
Конфиг msc. Московский офис
 
# may/30/2023 10:56:22 by RouterOS 6.49.7
# software id = DU8B-8GQP
#
# model = CCR1016-12G
# serial number = 916209D50769
#
# Moscow office router (the "msc" side of the GRE tunnel to Nizhny Novgorod).
# Review comments below are marked "#" and are not part of the original export;
# they point at the places most relevant to the "no traffic over GRE" symptom
# and at settings worth re-checking. Everything else is left as exported.
/caps-man channel
add band=2ghz-b/g/n control-channel-width=20mhz extension-channel=disabled \
frequency=2412,2427,2437,2452,2457,2462 name=channel2hz \
reselect-interval=1d tx-power=20
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=XX \
frequency=5180,5220,5240,5260,5280,5300,5745,5785 name=channel5hz \
tx-power=20
/caps-man datapath
add client-to-client-forwarding=yes local-forwarding=yes name=datapath1
/interface ethernet
set [ find default-name=ether1 ] comment=WAN
set [ find default-name=ether2 ] arp=proxy-arp comment=LAN
/interface l2tp-server
add name=l2tp-in1 user=""
# GRE tunnel to the Novgorod router. Because ipsec-secret is set on the
# interface, RouterOS creates its own dynamic IPsec peer/policy for the two
# endpoints; the hand-made GRE_Peers / GRE_Proposals / identity / policy
# entries further down are all disabled=yes and therefore not in use. Keep it
# that way - two definitions for the same peer would compete.
# allow-fast-path=no keeps tunnel packets visible to the firewall.
/interface gre
add allow-fast-path=no ipsec-secret="{ХХХХХХХХХХХХХХ" local-address=\
ххх.85.27.ххх name=gre_to_Novgorod remote-address=ххх.64.134.ххх
# The WPA2-PSK passphrase is exported in clear text; rotate it after this
# export has been shared.
/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm \
name=password passphrase=772401001
/caps-man configuration
add channel=channel2hz country=russia datapath=datapath1 hw-protection-mode=\
rts-cts mode=ap name=cfg2hz rx-chains=0,1,2 security=password \
security.authentication-types=wpa2-psk security.encryption=aes-ccm \
security.group-encryption=aes-ccm ssid=ESI tx-chains=0,1,2
add channel=channel5hz country=russia datapath=datapath1 hw-protection-mode=\
rts-cts mode=ap name=cfg5hz rx-chains=0,1,2 security=password \
security.authentication-types=wpa2-psk security.encryption=aes-ccm \
security.group-encryption=aes-ccm ssid=ESI tx-chains=0,1,2
/caps-man interface
add channel=channel2hz channel.frequency=2412,2427,2437,2452,2457,2462 \
configuration=cfg2hz datapath=datapath1 disabled=yes l2mtu=1600 \
mac-address=B8:69:F4:2D:51:99 master-interface=none name=cap1 radio-mac=\
B8:69:F4:2D:51:99 radio-name=B869F42D5199 security=password
add channel=channel5hz channel.frequency=\
5180,5220,5240,5260,5280,5300,5745,5785 configuration=cfg2hz datapath=\
datapath1 disabled=yes mac-address=B8:69:F4:2D:51:98 master-interface=\
none name=cap2 radio-mac=B8:69:F4:2D:51:98 radio-name=B869F42D5198 \
security=password
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# Layer-7 signatures used by the "List Torrent ..." filter rules below.
# The \xx sequences inside comment= strings are the export's escaping of the
# original Cyrillic descriptions; they are part of the stored values.
/ip firewall layer7-protocol
add comment="Block BitTorrent" name=layer7-bittorrent-exp regexp="^(\\x13bitto\
rrent protocol|azver\\x01\$|get /scrape\\\?info_hash=|get /announce\\\?inf\
o_hash=|get/ann\?uk=|get /client/bitcomet/|get /data\\\?fid=)"
add comment=bittorrent name=bittorrent regexp="^(get /(scrape|announce)\\\?inf\
o_hash=|ge\t\r\\n/ann\?uk=|get\r\\n/client/bitcomet/)|d1:ad2:id20:|\\x08'7\
P\\)[RP]|^get (.*)User-Agent: bittorrent|^\\x04\\x17\\x27\\x10\\x19\\x80|^\
.\?.\?.\?.\?.\?.\?[0-9]_BitTorrent"
add comment="bittorrent search (\CF\EE\E8\F1\EA \E8 \EF\F0\EE\F1\EC\EE\F2\F0 \
\F4\E8\EB\FC\EC\EE\E2 \F7\E5\F0\E5\E7 Bittorrent)" name=bittorrent_search \
regexp="^get (/announce.php\\\?info_hash=.*|/announce\\\?info_hash=.*|/ann\
ounce.php\\\?passkey=.*|/announce\\\?passkey=.*|/\\\?info_hash=.*|/data\\\
\?fid=.*|/task/bt/.*|/task_recommend.*|/issupported )http/*[\\x09-\\x0d -~\
]"
add comment="Distributed Hash Table \97 \F0\E0\F1\EF\F0\E5\E4\E5\EB\E5\ED\ED\
\E0\FF \F5\E5\F8-\F2\E0\E1\EB\E8\F6\E0 Bittorrent" name=bittorrent-dht \
regexp="^d1:.d2:id20:|^d1:[a|r]d2:id20:.*:y1:[q|r]e"
add comment="Peer EXchange \97 \F0\E0\F1\F8\E8\F0\E5\ED\E8\E5 BitTorrent \EF\
\F0\EE\F2\EE\EA\EE\EB\E0 \E4\EB\FF \EE\E1\EC\E5\ED\E0 \F1\EF\E8\F1\EA\E0\
\EC\E8 \F3\F7\E0\F1\F2\ED\E8\EA\EE\E2" name=bittorrent_ut_pex regexp=\
".*:md11:.*:ut_pex.*:|^`.*:md11:.*:ut_pex.*"
add comment="Micro Transport Protocol \97 \F2\F0\E0\ED\F1\EF\EE\F0\F2\ED\FB\E9\
\r\
\n \EF\F0\EE\F2\EE\EA\EE\EB Bittorent \F1 \EA\EE\ED\F2\F0\EE\EB\E5\EC \E4\
\EE\F1\F2\E0\E2\EA\E8 (\EF\EE\E4\EE\E1\ED\EE TCP) \ED\E0\r\
\n \EE\F1\ED\EE\E2\E5 \EF\F0\EE\F2\EE\EA\EE\EB\E0 UDP" name=\
BitTorrent_block regexp=\
"\13bittorrent protocol|^`.*\13bittorrent protocol"
# GRE_Peers is disabled (the GRE interface's ipsec-secret covers the tunnel).
# peer4 is a passive IKEv2 responder with no address restriction - presumably
# for road-warrior clients; confirm it is still needed.
/ip ipsec peer
add address=ХХХ.64.134.ХХХ/32 disabled=yes local-address=ХХХ.85.27.ХХХ name=\
GRE_Peers
add exchange-mode=ike2 name=peer4 passive=yes
/ip ipsec policy group
add name=l2tp_group
/ip ipsec profile
set [ find default=yes ] dh-group=modp2048 enc-algorithm=\
aes-256,aes-192,aes-128
# The default proposal (lifetime=31m) is what the dynamic GRE and L2TP policies
# use; GRE_Proposals is disabled together with the static GRE peer.
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=\
aes-256-cbc,aes-256-ctr,aes-192-cbc,aes-192-ctr,aes-128-cbc,aes-128-ctr \
lifetime=31m
add auth-algorithms=sha256 disabled=yes enc-algorithms=aes-256-cbc name=\
GRE_Proposals pfs-group=modp1536
/ip pool
add name=pool_lan ranges=192.168.10.151-192.168.10.254
add name=vpn_pool ranges=172.16.1.10-172.16.1.254
# The on-up script puts each successful L2TP caller-id into White_VPN for 14
# days; members of that list bypass the VPN_connect_* throttle in the filter.
/ppp profile
add change-tcp-mss=yes comment="Scripts = \C4\EE\E1\E0\E2\EB\E5\ED\E8\E5 \E2 W\
hite_VPN \ED\E0 14 \E4\ED\E5\E9.caller-id = IP \E0\E4\F0\E5\F1" \
local-address=172.16.1.1 name=l2tp-server on-up="/ip firewall address-list\
\_add list=White_VPN address=\$\"caller-id\" timeout=14d" remote-address=\
vpn_pool use-encryption=required use-mpls=yes
/queue simple
add limit-at=5M/5M max-limit=5M/5M name=VoIP_Queues packet-marks=VoIP \
priority=1/1 target=10.10.0.0/24
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
sword,web,sniff,sensitive,api,romon,dude,tikapp"
/caps-man provisioning
add action=create-dynamic-enabled master-configuration=cfg2hz
add action=create-dynamic-enabled master-configuration=cfg5hz
/ip neighbor discovery-settings
set discover-interface-list=none
/ip settings
set tcp-syncookies=yes
# L2TP is only accepted inside IPsec (use-ipsec=required) with MS-CHAPv2;
# the PSK is masked in this export.
/interface l2tp-server server
set authentication=mschap2 default-profile=l2tp-server enabled=yes \
ipsec-secret="ХХХХХХХХХХХХХХХХХХХХХХХХХХХХХХХХХХХХХХХХХХХХХХ" \
keepalive-timeout=disabled one-session-per-host=yes use-ipsec=required
/interface list member
add interface=ether1 list=WAN
add interface=ether2 list=LAN
# 172.16.100.1/30 is the inner GRE address; the peer is 172.16.100.2.
# Note that the address= values are masked in this export but the network=
# value of the WAN entry is not.
/ip address
add address=ХХХ.85.27.ХХХ/30 interface=ether1 network=213.85.27.32
add address=192.168.10.5/24 interface=ether2 network=192.168.10.0
add address=10.10.0.3/24 interface=ether2 network=10.10.0.0
add address=172.16.100.1/30 comment="Local IP GRE" interface=gre_to_Novgorod \
network=172.16.100.0
/ip cloud
set update-time=no
/ip dns
set servers=212.15.127.1,212.15.122.253,8.8.8.8
# BOGON is only consulted by the raw rule for in-interface=ether1. The
# 172.16.0.0/12 and 192.168.0.0/16 entries are disabled - presumably because
# the VPN pool, the GRE link and the remote LAN live in those ranges; confirm,
# since decapsulated tunnel traffic arrives on gre_to_Novgorod, not ether1.
/ip firewall address-list
add address=192.168.10.26-192.168.10.254 list=black
add address=0.0.0.0/8 list=BOGON
add address=10.0.0.0/8 list=BOGON
add address=100.64.0.0/10 list=BOGON
add address=127.0.0.0/8 list=BOGON
add address=169.254.0.0/16 list=BOGON
add address=172.16.0.0/12 disabled=yes list=BOGON
add address=192.0.0.0/24 list=BOGON
add address=192.0.2.0/24 list=BOGON
add address=192.168.0.0/16 disabled=yes list=BOGON
add address=198.18.0.0/15 list=BOGON
add address=198.51.100.0/24 list=BOGON
add address=203.0.113.0/24 list=BOGON
add address=224.0.0.0/4 list=BOGON
add address=240.0.0.0/4 list=BOGON
add address=216.218.206.0/24 list=BOGON
add address=192.88.99.0/24 list=BOGON
add address=213.85.233.42 list=White_VPN
add address=ХХХ.64.134.ХХХ list=White_VPN
# Filter rules are evaluated top-down per chain, so order matters. Points that
# bear on the "nothing passes over GRE" symptom (check with rule counters on
# the live router):
#  - the only two rules that accept traffic arriving from gre_to_Novgorod
#    (input "V.Novgorod" and the forward rule after it) are disabled=yes;
#  - "Forward Local" accepts ether2 traffic towards ether1 only, so LAN traffic
#    routed into gre_to_Novgorod does not match it;
#  - both chains end in unconditional drops, so anything not explicitly
#    accepted above them is dropped;
#  - the input chain has no connection-state=established,related accept, so
#    replies to the router's own outbound traffic on ether1 (DNS, NTP, cloud)
#    fall through to "Drop WAN" unless a source-specific accept matches.
/ip firewall filter
add action=accept chain=input comment=Winbox dst-port=8291 in-interface=\
ether2 protocol=tcp src-address=192.168.10.0/24
add action=drop chain=input dst-port=8291 log-prefix="Winbox Drop" protocol=\
tcp
add action=accept chain=forward comment="SIP/RTP ATC" dst-address=\
10.10.0.1-10.10.0.2 in-interface=ether1 log-prefix=SIP out-interface=\
ether2 port=1024-65535 protocol=udp src-address=77.37.252.101
add action=accept chain=forward dst-address=77.37.252.101 in-interface=ether2 \
log-prefix=SIP out-interface=ether1 port=1024-65535 protocol=udp \
src-address=10.10.0.1-10.10.0.2
# Disabled: while these are off, no rule below accepts new connections that
# arrive decapsulated from the tunnel. The ipsec-policy=in,ipsec rule that
# follows presumably matches the IPsec-decrypted outer GRE packet, not the
# inner payload seen with in-interface=gre_to_Novgorod - confirm with counters.
add action=accept chain=input comment=V.Novgorod disabled=yes in-interface=\
gre_to_Novgorod
add action=accept chain=forward disabled=yes in-interface=gre_to_Novgorod
add action=accept chain=forward ipsec-policy=in,ipsec
# Accepts every protocol and port from the Novgorod public address on the WAN
# port. It could be narrowed to what the tunnel needs (protocol=gre plus udp
# 500/4500 for the IPsec transport); the dst-nat'ed RDP from that address is
# handled by the forward rule right after it.
add action=accept chain=input in-interface=ether1 src-address=ХХХ.64.134.ХХХ
add action=accept chain=forward in-interface=ether1 src-address=\
ХХХ.64.134.ХХХ
add action=accept chain=input comment=SmartVIP in-interface=ether1 \
src-address=31.28.6.188
add action=accept chain=forward in-interface=ether1 src-address=31.28.6.188
add action=accept chain=forward comment="Allow DNS from ether2" dst-port=53 \
in-interface=ether2 protocol=udp src-address=192.168.10.0/24
add action=drop chain=input dst-port=53 in-interface=ether1 protocol=udp
add action=drop chain=input comment="Drop invalid" connection-state=invalid
add action=drop chain=forward connection-state=invalid
# VPN clients may reach the LAN over TCP and UDP only; ICMP from 172.16.1.0/24
# is not accepted anywhere and ends at the final forward drop.
add action=accept chain=forward comment="VPN local IP forward" dst-address=\
192.168.10.0/24 log-prefix="RDP accept" out-interface=ether2 protocol=tcp \
src-address=172.16.1.0/24
add action=accept chain=forward dst-address=192.168.10.0/24 log-prefix=\
"RDP accept" out-interface=ether2 protocol=udp src-address=172.16.1.0/24
# White_VPN members are accepted here and therefore never reach the
# VPN_connect_* throttle below.
add action=accept chain=input comment="VPN - White list" dst-port=500,4500 \
in-interface=ether1 protocol=udp src-address-list=White_VPN
add action=accept chain=input dst-port=1701 in-interface=ether1 ipsec-policy=\
in,ipsec protocol=udp src-address-list=White_VPN
# IKE/L2TP connection throttle: each new connection to 500/1701/4500 from an
# address already in VPN_connect_N promotes it to VPN_connect_N+1; an address
# reaching VPN_connect_7 is put into VPN_connect_ban, which the raw chain
# drops. The ban rule sits first so that the seventh attempt is caught at
# once. Counters are per source address, so several users behind one NAT
# share a counter.
add action=add-src-to-address-list address-list=VPN_connect_ban \
address-list-timeout=4w2d chain=input comment=\
"VPN Connect - (Blockes RAW)" dst-port=500,1701,4500 in-interface=ether1 \
protocol=udp src-address-list=VPN_connect_7
add action=add-src-to-address-list address-list=VPN_connect_7 \
address-list-timeout=12h30m chain=input connection-state=new dst-port=\
500,1701,4500 in-interface=ether1 protocol=udp src-address-list=\
VPN_connect_6
add action=add-src-to-address-list address-list=VPN_connect_6 \
address-list-timeout=12h30m chain=input connection-state=new dst-port=\
500,1701,4500 in-interface=ether1 protocol=udp src-address-list=\
VPN_connect_5
add action=add-src-to-address-list address-list=VPN_connect_5 \
address-list-timeout=12h30m chain=input connection-state=new dst-port=\
500,1701,4500 in-interface=ether1 protocol=udp src-address-list=\
VPN_connect_4
add action=add-src-to-address-list address-list=VPN_connect_4 \
address-list-timeout=12h30m chain=input connection-state=new dst-port=\
500,1701,4500 in-interface=ether1 protocol=udp src-address-list=\
VPN_connect_3
add action=add-src-to-address-list address-list=VPN_connect_3 \
address-list-timeout=10h chain=input connection-state=new dst-port=\
500,1701,4500 in-interface=ether1 protocol=udp src-address-list=\
VPN_connect_2
add action=add-src-to-address-list address-list=VPN_connect_2 \
address-list-timeout=10h chain=input connection-state=new dst-port=\
500,1701,4500 in-interface=ether1 protocol=udp src-address-list=\
VPN_connect_1
add action=add-src-to-address-list address-list=VPN_connect_1 \
address-list-timeout=10h chain=input connection-state=new dst-port=\
500,1701,4500 in-interface=ether1 protocol=udp
add action=accept chain=input comment="VPN - Accept Input" dst-port=500,4500 \
in-interface=ether1 protocol=udp
add action=accept chain=input dst-port=1701 in-interface=ether1 ipsec-policy=\
in,ipsec protocol=udp
# Placed after the source-specific accepts, so the dst-nat'ed RDP from
# Novgorod/SmartVIP is unaffected; any other dst-nat'ed new connection passes
# this rule but still reaches the final forward drops below.
add action=drop chain=forward comment="Drop New no dstnat forward" \
connection-nat-state=!dstnat connection-state=new in-interface=ether1
# Port-probe detection: TCP/UDP to these ports on the WAN that was not
# accepted above lists the source for 4w3d. The drop rule follows directly,
# so the probing packet itself is presumably dropped as well.
add action=add-src-to-address-list address-list=perebor_portov_drop \
address-list-timeout=4w3d chain=input comment="Perebor portov" dst-port=\
20,21,22,23,25,53,68,80,123,137-139,156,443,3389,8291 in-interface=ether1 \
log-prefix=Attack protocol=tcp
add action=add-src-to-address-list address-list=perebor_portov_drop \
address-list-timeout=4w3d chain=input dst-port=\
110,143,587,993,995,1149,1721,2083,2087,2222,3306,8083,30000-35000 \
in-interface=ether1 log-prefix=Attack protocol=tcp
add action=add-src-to-address-list address-list=perebor_portov_drop \
address-list-timeout=4w3d chain=input dst-port=\
22,23,25,53,80,110,137-139,443,156,1149,5060,5061 in-interface=ether1 \
log-prefix=Attack protocol=udp
add action=drop chain=input src-address-list=perebor_portov_drop
# "port scanners" is dropped for the input chain only. Note that the plain
# tcp-flags=syn rule further down lists every remaining inbound SYN on the
# WAN, i.e. any unsolicited TCP connection attempt not accepted above.
add action=drop chain=input comment="Port scanner drop" src-address-list=\
"port scanners"
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input in-interface=ether1 protocol=tcp psd=\
21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input in-interface=ether1 protocol=tcp \
tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input in-interface=ether1 protocol=tcp \
tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input in-interface=ether1 protocol=tcp \
tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input in-interface=ether1 protocol=tcp \
tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input in-interface=ether1 protocol=tcp \
tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input in-interface=ether1 protocol=tcp \
tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
# syn,ack on the WAN is the reply to the router's own outbound TCP
# connections; the dst-limit keeps this from firing on normal traffic.
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input dst-limit=\
32,32,src-and-dst-addresses/10s in-interface=ether1 protocol=tcp \
tcp-flags=syn,ack
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input in-interface=ether1 protocol=tcp \
tcp-flags=syn
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input in-interface=ether1 protocol=tcp \
tcp-flags=psh,ack
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input connection-limit=100,32 \
connection-nat-state="" connection-state="" in-interface=ether1 protocol=\
tcp tcp-flags=""
# These three match forwarded packets carrying a SIP "403 ..." string in any
# direction and list the sender of that packet. For a response that sender is
# the remote SIP server, and the list only drops traffic to the router itself
# (input chain) - verify that this is the intended effect.
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=forward comment=SIP-Error content=\
"403 Forbidden" log-prefix="403 Forbiden"
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=forward content="403 Wrong Guess"
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=forward content="403 No Such User"
# Every new input connection on ether1 that was not accepted above advances
# stage_connection_1 -> 2 -> 3 and then lands in stage_connection_blacklist
# for 4w2d. The promotion rules come before the stage-1 add, so one new
# connection advances an address by one stage only.
add action=drop chain=input comment="Drop Connection blacklist" in-interface=\
ether1 src-address-list=stage_connection_blacklist
add action=add-src-to-address-list address-list=stage_connection_blacklist \
address-list-timeout=4w2d chain=input comment="Scan add black list" \
in-interface=ether1 src-address-list=stage_connection_3
add action=add-src-to-address-list address-list=stage_connection_3 \
address-list-timeout=2w1h50m chain=input comment="Scan list stage3" \
connection-state=new in-interface=ether1 src-address-list=\
stage_connection_2
add action=add-src-to-address-list address-list=stage_connection_2 \
address-list-timeout=2w1h40m chain=input comment="Scan list stage2" \
connection-state=new in-interface=ether1 src-address-list=\
stage_connection_1
add action=add-src-to-address-list address-list=stage_connection_1 \
address-list-timeout=1w1h30m chain=input comment="Scan list stage1" \
connection-state=new in-interface=ether1
# Hosts in the Torrent list keep only the ports listed inside the negation;
# port 25 is left out of the TCP exemption, so listed hosts also lose SMTP
# (apparently deliberate).
add action=drop chain=forward comment="Drop Torrent black list" log-prefix=\
1233 port=!0-24,26-1024,1723,3389,8002 protocol=tcp src-address-list=\
Torrent
add action=drop chain=forward log-prefix=1233 port=\
!0-24,26-1024,1194,1701,3389,4500 protocol=udp src-address-list=Torrent
# Layer-7 detection is applied only to sources in the "black" list
# (192.168.10.26-254); LAN hosts below .26 are exempt.
add action=add-src-to-address-list address-list=Torrent address-list-timeout=\
1d chain=forward comment="List Torrent UT_pex" layer7-protocol=\
bittorrent_ut_pex log-prefix=3 src-address=192.168.10.0/24 \
src-address-list=black
add action=add-src-to-address-list address-list=Torrent address-list-timeout=\
1d chain=forward comment="List Torrent DHT" layer7-protocol=\
bittorrent-dht log-prefix=4 src-address=192.168.10.0/24 src-address-list=\
black
add action=add-src-to-address-list address-list=Torrent address-list-timeout=\
1d chain=forward comment="List Torrent Micro Transport Protocol" \
layer7-protocol=BitTorrent_block log-prefix=5 src-address=192.168.10.0/24 \
src-address-list=black
add action=add-src-to-address-list address-list=Torrent address-list-timeout=\
1d chain=forward comment="List Torrent Bittorent Search" layer7-protocol=\
bittorrent_search log-prefix=6 src-address=192.168.10.0/24 \
src-address-list=black
add action=add-src-to-address-list address-list=Torrent address-list-timeout=\
1d chain=forward comment="List Torrent Bittorrent New" layer7-protocol=\
bittorrent log-prefix=7 src-address=192.168.10.0/24 src-address-list=\
black
add action=add-src-to-address-list address-list=Torrent address-list-timeout=\
1d chain=forward comment="List Torrent layer7-bittorrent-exp" \
layer7-protocol=layer7-bittorrent-exp log-prefix=8 src-address=\
192.168.10.0/24 src-address-list=black
# "Forward Local" is restricted to out-interface=ether1. LAN traffic for
# 192.168.20.0/24 is routed into gre_to_Novgorod (see /ip route) and does not
# match here, so it reaches the final forward drop below.
add action=accept chain=forward comment="Forward Local" in-interface=ether2 \
out-interface=ether1 src-address=192.168.10.0/24
add action=accept chain=input comment="Input Local" in-interface=ether2 \
src-address=192.168.10.0/24
# established,related is accepted in the forward chain only; there is no
# counterpart in the input chain.
add action=accept chain=forward comment=Established-Related connection-state=\
established,related
# Terminal drops: everything not accepted above ends here.
add action=drop chain=input comment="Drop WAN" in-interface=ether1
add action=drop chain=forward in-interface=ether1
add action=drop chain=input comment="Drop All"
add action=drop chain=forward log-prefix=Forward
# VoIP connection/packet marking feeds the VoIP_Queues simple queue.
/ip firewall mangle
add action=mark-connection chain=forward comment="\CC\E0\F0\EA\E8\F0\EE\E2\EA\
\E0 \EF\E0\EA\E5\F2\EE\E2 IP \F2\E5\EB\E5\F4\EE\ED\E8\E8" in-interface=\
ether2 new-connection-mark=VoIP out-interface=ether1 passthrough=yes \
src-address=10.10.0.0/24
add action=mark-connection chain=forward dst-address=10.10.0.0/24 \
in-interface=ether1 new-connection-mark=VoIP out-interface=ether2 \
passthrough=yes
add action=mark-packet chain=forward connection-mark=VoIP new-packet-mark=\
VoIP passthrough=yes
# MSS clamping, DF clearing and option stripping apply to TCP leaving ether1
# only. Clearing DF allows fragmentation - relevant because the raw chain
# drops all inbound ICMP on ether1, so PMTU discovery cannot work anyway.
# None of this touches TCP that leaves via gre_to_Novgorod.
add action=change-mss chain=postrouting comment="MTU. \C8\E7\EC\E5\ED\E8\F2\FC\
\_\E7\ED\E0\F7\E5\ED\E8\E5 \EF\EE\EB\FF MSS \ED\E0 \E7\ED\E0\F7\E5\ED\E8\
\E5, \E7\E0\E4\E0\ED\ED\EE\E5 \EF\E0\F0\E0\EC\E5\F2\F0\EE\EC new-mss" \
new-mss=clamp-to-pmtu out-interface=ether1 passthrough=yes protocol=tcp \
tcp-flags=syn
add action=clear-df chain=postrouting comment=\
"\CE\F7\E8\F1\F2\E8\F2\FC \F4\EB\E0\E3 do not fragmet" out-interface=\
ether1 passthrough=yes protocol=tcp
add action=strip-ipv4-options chain=postrouting comment="\CE\F7\E8\F1\F2\E8\F2\
\FC \E4\EE\EF\EE\EB\ED\E8\F2\E5\EB\FC\ED\FB\E5 \EE\EF\F6\E8\E8 ipv4 \E8\E7\
\_IP \EF\E0\EA\E5\F2\E0" out-interface=ether1 passthrough=yes protocol=\
tcp
add action=change-dscp chain=postrouting comment="\C8\E7\EC\E5\ED\E5\ED\E8\E5 \
\E7\ED\E0\F7\E5\ED\E8\E5 \EF\EE\EB\FF DSCP, \E4\F0\F3\E3\E8\EC \EF\E0\F0\
\E0\EC\E5\F2\F0\EE\EC new-dscp" new-dscp=0 out-interface=ether1 \
passthrough=yes protocol=tcp
add action=change-ttl chain=postrouting comment="\C8\E7\EC\E5\ED\E5\ED\E8\E5 T\
TL, \ED\E0 \E7\ED\E0\F7\E5\ED\E8\E5, \EE\EF\F0\E5\E4\E5\EB\E5\ED\ED\EE\E5 \
\EF\E0\F0\E0\EC\E5\F2\F0\EE\EC new-ttl" new-ttl=set:65 out-interface=\
ether1 passthrough=no protocol=tcp
# Masquerade is limited to out-interface=ether1 (and skips IPsec-policy
# traffic), so traffic into the tunnel is never masqueraded; the srcnat
# accept for gre_to_Novgorod is therefore harmless but redundant.
/ip firewall nat
add action=masquerade chain=srcnat comment=NAT ipsec-policy=out,none \
out-interface=ether1
add action=accept chain=srcnat out-interface=gre_to_Novgorod
add action=dst-nat chain=dstnat comment="SIP NAT" dst-address=ХХХ.85.27.ХХХ \
dst-port=5060 in-interface=ether1 protocol=udp src-address=77.37.252.101 \
to-addresses=10.10.0.1 to-ports=5060
add action=dst-nat chain=dstnat comment="RTP NAT" dst-address=ХХХ.85.27.ХХХ \
dst-port=10024-65000 in-interface=ether1 protocol=udp src-address=\
77.37.252.101 to-addresses=10.10.0.2 to-ports=10024-65000
add action=dst-nat chain=dstnat comment="V.Novgorod to ESI Server" dst-port=\
3389 in-interface=ether1 protocol=tcp src-address=ХХХ.64.134.ХХХ \
to-addresses=192.168.10.7 to-ports=3389
add action=dst-nat chain=dstnat comment="SmartVIP to ESI Server" dst-port=\
3389 in-interface=ether1 protocol=tcp src-address=31.28.6.188 \
to-addresses=192.168.10.7 to-ports=3389
# "Drop Ping" discards all ICMP from the WAN, including echo requests and
# "fragmentation needed". Reachability tests for the tunnel must therefore use
# the inner GRE addresses (172.16.100.x), not the public ones.
/ip firewall raw
add action=drop chain=prerouting comment=Bogon in-interface=ether1 \
src-address-list=BOGON
add action=drop chain=prerouting comment="VPN BAN" in-interface=ether1 \
log-prefix="RAW drop" src-address-list=VPN_connect_ban
add action=drop chain=prerouting comment=\
"\C2\E8\E4\E5\EE\F0\E5\E3\E8\F1\F2\F0\E0\F2\EE\F0" in-interface=ether2 \
src-address=192.168.3.2
add action=drop chain=prerouting comment="Drop Ping" in-interface=ether1 \
protocol=icmp
# All connection-tracking helpers are off; SIP/RTP are handled by the explicit
# dst-nat rules above instead of the SIP ALG.
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes sip-timeout=1m
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
# Static IPsec definitions for the GRE peer, all disabled. The second policy
# is a tunnel-mode LAN-to-LAN policy; if it were ever enabled next to the GRE
# route it would take that traffic away from the tunnel, so either keep it
# disabled or remove it to avoid confusion.
/ip ipsec identity
add disabled=yes peer=GRE_Peers secret="{ХХХХХХХХХХХХХХ"
/ip ipsec policy
add disabled=yes peer=GRE_Peers proposal=GRE_Proposals protocol=gre \
src-address=ХХХ.85.27.ХХ/32
add disabled=yes dst-address=192.168.20.0/24 peer=GRE_Peers proposal=\
GRE_Proposals protocol=gre src-address=192.168.10.0/24 tunnel=yes
# Remote LAN is reached through the GRE peer's inner address.
/ip route
add distance=1 gateway=ХХХ.85.27.ХХ
add distance=1 dst-address=192.168.20.0/24 gateway=172.16.100.2
# Only winbox is enabled, and only from the LAN subnet; management from the
# Novgorod side over the tunnel is not possible unless explicitly added.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set winbox address=192.168.10.0/24
set api-ssl disabled=yes
# allow-none-crypto=yes permits unencrypted SSH ciphers. Moot while the ssh
# service is disabled above, but revert it before SSH is ever re-enabled.
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
/system clock
set time-zone-name=Europe/Moscow
/system identity
set name="Kerio Control"
# ipsec and l2tp logging are disabled; temporarily enabling the ipsec entry is
# the quickest way to see whether the SA for the GRE peer is established.
/system logging
set 0 topics=info,!caps
add disabled=yes topics=ipsec
add disabled=yes topics=l2tp
/system ntp client
set enabled=yes primary-ntp=91.209.94.10 secondary-ntp=88.147.254.227
/system ntp server
set enabled=yes multicast=yes
/system watchdog
set automatic-supout=no watchdog-timer=no
/tool bandwidth-server
set enabled=no
/tool e-mail
set address=0 from=""
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no
# Sniffer is set up to stream ether2 traffic for 10.100.1.0/24 to
# 192.168.10.15; that subnet appears nowhere else in this export - confirm it
# is still meaningful.
/tool sniffer
set file-limit=500000KiB file-name=sniffer filter-interface=ether2 \
filter-ip-address=10.100.1.0/24 streaming-server=192.168.10.15
Конфиг nn. Филиал Нижний Новгород.
 
# may/30/2023 10:54:02 by RouterOS 6.49.7
# software id = 0R8R-70AZ
#
# model = RB3011UiAS
# serial number = HD30856A35R
/interface bridge
add admin-mac=18:FD:74:9C:50:2B auto-mac=no comment=defconf name=bridge
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 \
password=ХХХХХХХХ service-name=internet.netwi.ru use-peer-dns=yes user=\
Electro_SI
/interface gre
add allow-fast-path=no ipsec-secret="{ХХХХХХХХХХХХ" local-address=\
ХХХ.64.134.ХХХ name=gre_to_Moscow remote-address=ХХХ.85.27.ХХХ
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip firewall layer7-protocol
add comment="Block BitTorrent" name=layer7-bittorrent-exp regexp="^(\\x13bitto\
rrent protocol|azver\\x01\$|get /scrape\\\?info_hash=|get /announce\\\?inf\
o_hash=|get/ann\?uk=|get /client/bitcomet/|get /data\\\?fid=)"
add comment=bittorrent name=bittorrent regexp="^(get /(scrape|announce)\\\?inf\
o_hash=|ge\t\r\\n/ann\?uk=|get\r\\n/client/bitcomet/)|d1:ad2:id20:|\\x08'7\
P\\)[RP]|^get (.*)User-Agent: bittorrent|^\\x04\\x17\\x27\\x10\\x19\\x80|^\
.\?.\?.\?.\?.\?.\?[0-9]_BitTorrent"
add comment="bittorrent search (\CF\EE\E8\F1\EA \E8 \EF\F0\EE\F1\EC\EE\F2\F0 \
\F4\E8\EB\FC\EC\EE\E2 \F7\E5\F0\E5\E7 Bittorrent)" name=bittorrent_search \
regexp="^get (/announce.php\\\?info_hash=.*|/announce\\\?info_hash=.*|/ann\
ounce.php\\\?passkey=.*|/announce\\\?passkey=.*|/\\\?info_hash=.*|/data\\\
\?fid=.*|/task/bt/.*|/task_recommend.*|/issupported )http/*[\\x09-\\x0d -~\
]"
add comment="Distributed Hash Table \97 \F0\E0\F1\EF\F0\E5\E4\E5\EB\E5\ED\ED\
\E0\FF \F5\E5\F8-\F2\E0\E1\EB\E8\F6\E0 Bittorrent" name=bittorrent-dht \
regexp="^d1:.d2:id20:|^d1:[a|r]d2:id20:.*:y1:[q|r]e"
add comment="Peer EXchange \97 \F0\E0\F1\F8\E8\F0\E5\ED\E8\E5 BitTorrent \EF\
\F0\EE\F2\EE\EA\EE\EB\E0 \E4\EB\FF \EE\E1\EC\E5\ED\E0 \F1\EF\E8\F1\EA\E0\
\EC\E8 \F3\F7\E0\F1\F2\ED\E8\EA\EE\E2" name=bittorrent_ut_pex regexp=\
".*:md11:.*:ut_pex.*:|^`.*:md11:.*:ut_pex.*"
add comment="Micro Transport Protocol \97 \F2\F0\E0\ED\F1\EF\EE\F0\F2\ED\FB\E9\
\r\
\n \EF\F0\EE\F2\EE\EA\EE\EB Bittorent \F1 \EA\EE\ED\F2\F0\EE\EB\E5\EC \E4\
\EE\F1\F2\E0\E2\EA\E8 (\EF\EE\E4\EE\E1\ED\EE TCP) \ED\E0\r\
\n \EE\F1\ED\EE\E2\E5 \EF\F0\EE\F2\EE\EA\EE\EB\E0 UDP" name=\
BitTorrent_block regexp=\
"\13bittorrent protocol|^`.*\13bittorrent protocol"
/ip ipsec peer
add address=ХХХ.85.27.ХХХ/32 disabled=yes local-address=ХХХ.64.134.ХХХ name=\
GRE_peers
/ip ipsec profile
set [ find default=yes ] dh-group=modp2048 enc-algorithm=\
aes-256,aes-192,aes-128
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=\
aes-256-cbc,aes-256-ctr,aes-192-cbc,aes-192-ctr,aes-128-cbc,aes-128-ctr \
lifetime=31m
add auth-algorithms=sha256 disabled=yes enc-algorithms=\
aes-256-cbc,aes-256-ctr name=GRE_Proposals pfs-group=modp1536
/ip pool
add name=dhcp ranges=192.168.20.10-192.168.20.254
add name=vpn ranges=192.168.89.2-192.168.89.255
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge lease-time=1w1d10m name=\
defconf
/ppp profile
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=none
/interface l2tp-server server
set enabled=yes ipsec-secret=MyG74suc use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
/interface pptp-server server
set enabled=yes
/interface sstp-server server
set default-profile=default-encryption enabled=yes
/ip address
add address=192.168.20.1/24 comment=defconf interface=bridge network=\
192.168.20.0
add address=172.16.100.2/30 comment="Local IP GRE" interface=gre_to_Moscow \
network=172.16.100.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server lease
add address=192.168.20.247 client-id=1:0:17:c8:9e:a6:a comment=\
"Printer Kyocera 2540" mac-address=00:17:C8:9E:A6:0A server=defconf
add address=192.168.20.241 client-id=1:40:f4:13:68:d9:7f comment=\
"\C2\E8\E4\EB\E5\EE\F0\E5\E3\E8\F1\F2\F0\E0\F2\EE\F0" mac-address=\
40:F4:13:68:D9:7F server=defconf
add address=192.168.20.239 client-id=1:40:f4:13:69:b6:d9 comment="\CA\E0\EC\E5\
\F0\E0 \E4\EB\FF \E2\E8\E4\E5\EE\F0\E5\E3\E8\F1\F2\F0\E0\F2\EE\F0\E0" \
mac-address=40:F4:13:69:B6:D9 server=defconf
add address=192.168.20.238 client-id=1:40:f4:13:69:b7:5e comment="\CA\E0\EC\E5\
\F0\E0 \E4\EB\FF \E2\E8\E4\E5\EE\F0\E5\E3\E8\F1\F2\F0\E0\F2\EE\F0\E0" \
mac-address=40:F4:13:69:B7:5E server=defconf
add address=192.168.20.237 client-id=1:40:f4:13:69:b7:2e comment="\CA\E0\EC\E5\
\F0\E0 \E4\EB\FF \E2\E8\E4\E5\EE\F0\E5\E3\E8\F1\F2\F0\E0\F2\EE\F0\E0" \
mac-address=40:F4:13:69:B7:2E server=defconf
/ip dhcp-server network
add address=192.168.20.0/24 comment=defconf gateway=192.168.20.1 netmask=24 \
ntp-server=192.168.20.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.20.1 comment=defconf name=router.lan
/ip firewall address-list
add address=0.0.0.0/8 list=BOGONS
add address=10.0.0.0/8 list=BOGONS
add address=100.64.0.0/10 list=BOGONS
add address=127.0.0.0/8 list=BOGONS
add address=169.254.0.0/16 list=BOGONS
add address=172.16.0.0/12 disabled=yes list=BOGONS
add address=192.0.0.0/24 list=BOGONS
add address=192.0.2.0/24 list=BOGONS
add address=192.168.0.0/16 disabled=yes list=BOGONS
add address=198.18.0.0/15 list=BOGONS
add address=198.51.100.0/24 list=BOGONS
add address=203.0.113.0/24 list=BOGONS
add address=224.0.0.0/4 list=BOGONS
add address=240.0.0.0/4 list=BOGONS
add address=192.88.99.0/24 list=BOGONS
add address=192.168.20.11-192.168.20.254 list=black
/ip firewall filter
add action=accept chain=input comment="Winbox Moscow" dst-port=8291 \
in-interface-list=WAN protocol=tcp src-address=ХХХ.85.27.ХХХ
add action=accept chain=input dst-port=8291 in-interface=bridge protocol=tcp
add action=drop chain=input dst-port=8291 protocol=tcp
add action=accept chain=input comment=Moscow disabled=yes in-interface=\
gre_to_Moscow log=yes log-prefix=rules
add action=accept chain=forward disabled=yes in-interface=gre_to_Moscow \
log-prefix=rules
add action=accept chain=forward ipsec-policy=in,ipsec log-prefix=rules
add action=accept chain=input in-interface-list=WAN src-address=ХХХ.85.27.ХХХ
# --- /ip firewall filter (continued). The section header and any rules above
# this point are outside this excerpt, so an earlier input accept for
# established/related traffic or for the tunnel peer may exist that is not
# visible here. Rule order is significant: first match wins. ---
# Trust-by-source-address: any forwarded traffic arriving on WAN from the other
# office's public address is accepted, with no protocol or destination match.
# This is what lets the dst-nat'd NVR ports (see /ip firewall nat) through the
# forward chain; address-only trust is only as strong as upstream anti-spoofing.
add action=accept chain=forward in-interface-list=WAN src-address=\
ХХХ.85.27.ХХХ
# Invalid-state drops. The reply later in the thread suggests disabling these
# temporarily when diagnosing GRE, citing an older RouterOS bug.
add action=drop chain=input comment="Drop invalid" connection-state=invalid
add action=drop chain=forward connection-state=invalid
# New inbound forward traffic from the WAN list is only allowed if it was
# dst-nat'd. Whether tunnel traffic is affected depends on whether gre_to_* is
# a member of the WAN list, which is not visible here.
add action=drop chain=forward comment="Drop New no dstnat forward" \
connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
# LAN may resolve DNS through the router (input) or past it (forward). DNS from
# WAN is dropped so the router cannot be used as an open resolver.
add action=accept chain=forward comment="Allow DNS from ether2" dst-port=53 \
in-interface=bridge protocol=udp src-address=192.168.20.0/24
add action=accept chain=input dst-port=53 in-interface=bridge protocol=udp \
src-address=192.168.20.0/24
add action=drop chain=input dst-port=53 in-interface-list=WAN protocol=udp
# Tier 1 ("Perebor portov" = port probing): a WAN source touching any of the
# listed router ports is listed for 4w3d and dropped by the rule after the
# three list rules. 22 and 8291 (winbox) are in the TCP list, so an attempt to
# administer the router over WAN blacklists the administrator's own address.
# These input rules do not see dst-nat'd traffic, which goes to forward.
add action=add-src-to-address-list address-list=perebor_portov_drop \
address-list-timeout=4w3d chain=input comment="Perebor portov" dst-port=\
20,21,22,23,25,53,68,80,123,137-139,156,443,3389,8291 in-interface-list=\
WAN log-prefix=Attack protocol=tcp
add action=add-src-to-address-list address-list=perebor_portov_drop \
address-list-timeout=4w3d chain=input dst-port=\
110,143,587,993,995,1149,1721,2083,2087,2222,3306,8083,30000-35000 \
in-interface-list=WAN log-prefix=Attack protocol=tcp
add action=add-src-to-address-list address-list=perebor_portov_drop \
address-list-timeout=4w3d chain=input dst-port=\
22,23,25,53,80,110,137-139,443,156,1149,5060,5061 in-interface-list=WAN \
log-prefix=Attack protocol=udp
add action=drop chain=input in-interface-list=WAN src-address-list=\
perebor_portov_drop
# Tier 2 ("blacklist", 2w): the drop comes first, then the feeders —
# connection-limit=100,32 (more than 100 connections from one /32), any TCP
# packet from WAN with PSH/ACK, SYN/ACK or SYN set, and port-scan detection
# (psd: weight threshold 21, 3s window, low-port weight 3, high-port weight 1).
# The flag rules carry no port or state match, so effectively any TCP contact
# with the router from WAN lands the source on the blacklist.
add action=drop chain=input comment="Protect Connection Limit" \
in-interface-list=WAN src-address-list=blacklist
add action=add-src-to-address-list address-list=blacklist \
address-list-timeout=2w chain=input connection-limit=100,32 \
in-interface-list=WAN protocol=tcp
add action=add-src-to-address-list address-list=blacklist \
address-list-timeout=2w chain=input in-interface-list=WAN protocol=tcp \
tcp-flags=psh,ack
add action=add-src-to-address-list address-list=blacklist \
address-list-timeout=2w chain=input in-interface-list=WAN protocol=tcp \
tcp-flags=syn,ack
add action=add-src-to-address-list address-list=blacklist \
address-list-timeout=2w chain=input in-interface-list=WAN protocol=tcp \
tcp-flags=syn
add action=add-src-to-address-list address-list=blacklist \
address-list-timeout=2w1h30m chain=input in-interface-list=WAN protocol=\
tcp psd=21,3s,3,1
# Tier 3 (escalating new-connection counter): every new connection from WAN to
# the router walks list 1 -> 2 -> 3 -> blacklist_connection_drop (4w2d1h30m).
# The feeder at the bottom has no protocol match, so it also counts the tunnel
# peer's sessions arriving on WAN (GRE, and IKE/ESP when the GRE interface
# uses ipsec-secret) unless an accept for the peer precedes these rules —
# not visible in this excerpt. A peer that re-establishes a few times could
# end up on the drop list; worth checking when a tunnel works and then stops.
add action=drop chain=input comment="Drop Connection blacklist" \
in-interface-list=WAN src-address-list=blacklist_connection_drop
add action=add-src-to-address-list address-list=blacklist_connection_drop \
address-list-timeout=4w2d1h30m chain=input comment=\
"Scan list connection blacklist" connection-state=new in-interface-list=\
WAN src-address-list=blacklist_connection_3
add action=add-src-to-address-list address-list=blacklist_connection_3 \
address-list-timeout=2w1h30m chain=input comment="Scan list connection 3" \
connection-state=new in-interface-list=WAN src-address-list=\
blacklist_connection_2
add action=add-src-to-address-list address-list=blacklist_connection_2 \
address-list-timeout=2w1h30m chain=input comment="Scan list connection 2" \
connection-state=new in-interface-list=WAN src-address-list=\
blacklist_connection_1
add action=add-src-to-address-list address-list=blacklist_connection_1 \
address-list-timeout=2w1h30m chain=input comment="Scan list connection 1" \
connection-state=new in-interface-list=WAN
# BitTorrent detection and blocking for LAN hosts (all disabled=yes). The
# layer7 feeders only consider sources already in address list "black";
# layer7 matching is CPU intensive on the forward path.
add action=drop chain=forward comment="Drop Torrent black list" disabled=yes \
in-interface=bridge port=!0-24,26-1024,1723,3389 protocol=tcp \
src-address=192.168.20.0/24 src-address-list=Torrent
add action=drop chain=forward disabled=yes in-interface=bridge port=\
!0-24,26-1024,1194,1701,3389,4500 protocol=udp src-address=\
192.168.20.0/24 src-address-list=Torrent
add action=add-src-to-address-list address-list=Torrent address-list-timeout=\
1d chain=forward comment="List Torrent UT_pex" disabled=yes in-interface=\
bridge layer7-protocol=bittorrent_ut_pex log-prefix=3 src-address=\
192.168.20.0/24 src-address-list=black
add action=add-src-to-address-list address-list=Torrent address-list-timeout=\
1d chain=forward comment="List Torrent DHT" disabled=yes in-interface=\
bridge layer7-protocol=bittorrent-dht log-prefix=4 src-address=\
192.168.20.0/24 src-address-list=black
add action=add-src-to-address-list address-list=Torrent address-list-timeout=\
1d chain=forward comment="List Torrent Micro Transport Protocol" \
disabled=yes in-interface=bridge layer7-protocol=BitTorrent_block \
log-prefix=5 src-address=192.168.20.0/24 src-address-list=black
add action=add-src-to-address-list address-list=Torrent address-list-timeout=\
1d chain=forward comment="List Torrent Bittorent Search" disabled=yes \
in-interface=bridge layer7-protocol=bittorrent_search log-prefix=6 \
src-address=192.168.20.0/24 src-address-list=black
add action=add-src-to-address-list address-list=Torrent address-list-timeout=\
1d chain=forward comment="List Torrent Bittorrent New" disabled=yes \
in-interface=bridge layer7-protocol=bittorrent log-prefix=7 src-address=\
192.168.20.0/24 src-address-list=black
add action=add-src-to-address-list address-list=Torrent address-list-timeout=\
1d chain=forward comment="List Torrent layer7-bittorrent-exp" disabled=\
yes in-interface=bridge layer7-protocol=layer7-bittorrent-exp log-prefix=\
8 src-address=192.168.20.0/24 src-address-list=black
# LAN-originated traffic: to the router itself, and forwarded only towards the
# WAN list. LAN -> tunnel forwarding is not covered by this rule unless the gre
# interface is in the WAN list or an earlier (unseen) rule accepts it; with
# the catch-all forward drop at the bottom that is worth verifying first.
add action=accept chain=input comment="Input Local" in-interface=bridge \
src-address=192.168.20.0/24
add action=accept chain=forward comment="Forward Local" in-interface=bridge \
out-interface-list=WAN src-address=192.168.20.0/24
# Return traffic for forwarded connections. No input-chain equivalent is
# visible in this excerpt (replies to the router's own NTP/DNS traffic would
# need one above the "Drop input WAN" rule).
add action=accept chain=forward comment=Established-Related connection-state=\
established,related
# Catch-all drops. The input "Drop All" logs; the final forward drop does not,
# so forwarded traffic silently dying here leaves no trace in the log.
add action=drop chain=input comment="Drop input WAN" in-interface-list=WAN
add action=drop chain=forward comment="Drop Forward WAN" in-interface-list=\
WAN
add action=drop chain=input comment="Drop All" log=yes
add action=drop chain=forward
/ip firewall mangle
# Egress normalisation for TCP leaving via the WAN list. The comment= values
# are cp1251 escapes as written by the export; translations are given below
# the way they decode, the stored values are left untouched.
# "Change the MSS field to the value given by new-mss": MSS clamp to path MTU
# on TCP SYNs. It matches out-interface-list=WAN only, so TCP carried inside
# the GRE tunnel is not clamped unless the gre interface is in that list —
# relevant to the tunnel MTU problem discussed in this thread.
add action=change-mss chain=postrouting comment="MTU. \C8\E7\EC\E5\ED\E8\F2\FC\
\_\E7\ED\E0\F7\E5\ED\E8\E5 \EF\EE\EB\FF MSS \ED\E0 \E7\ED\E0\F7\E5\ED\E8\
\E5, \E7\E0\E4\E0\ED\ED\EE\E5 \EF\E0\F0\E0\EC\E5\F2\F0\EE\EC new-mss" \
new-mss=clamp-to-pmtu out-interface-list=WAN passthrough=yes protocol=tcp \
tcp-flags=syn
# "Clear the do-not-fragment flag": clearing DF on every outgoing TCP packet
# disables path-MTU discovery for that traffic; oversized packets get
# fragmented in transit instead of triggering an ICMP frag-needed.
add action=clear-df chain=postrouting comment=\
"\CE\F7\E8\F1\F2\E8\F2\FC \F4\EB\E0\E3 do not fragmet" \
out-interface-list=WAN passthrough=yes protocol=tcp
# "Change the DSCP field to the value given by new-dscp": DSCP reset to 0.
add action=change-dscp chain=postrouting comment="\C8\E7\EC\E5\ED\E8\F2\FC \E7\
\ED\E0\F7\E5\ED\E8\E5 \EF\EE\EB\FF \F2\EE\F7\EA\E8 \EA\EE\E4\E0 \E4\E8\F4\
\F4\E5\F0\E5\ED\F6\E8\F0\EE\E2\E0\ED\ED\FB\F5 \F3\F1\EB\F3\E3 (DSCP), \E7\
\E0\E4\E0\ED\ED\EE\E5 \EF\E0\F0\E0\EC\E5\F2\F0\EE\EC new-dscp" new-dscp=0 \
out-interface-list=WAN passthrough=yes protocol=tcp
# "Strip additional IPv4 options".
add action=strip-ipv4-options chain=postrouting comment="\CE\F7\E8\F1\F2\E8\F2\
\FC \E4\EE\EF\EE\EB\ED\E8\F2\E5\EB\FC\ED\FB\E5 \EE\EF\F6\E8\E8 ipv4" \
out-interface-list=WAN passthrough=yes protocol=tcp
# "Masking TTL": fixed TTL of 65 on outgoing TCP, passthrough=no so this is
# the last mangle rule such packets hit. Together with the DSCP/options rules
# this normalises the outbound fingerprint of LAN hosts.
add action=change-ttl chain=postrouting comment=\
"\CC\E0\F1\EA\E8\F0\F3\E5\EC TTL" new-ttl=set:65 out-interface-list=WAN \
passthrough=no protocol=tcp
/ip firewall nat
# Default masquerade for the WAN list; ipsec-policy=out,none excludes traffic
# that an outbound IPsec policy already covers, so LAN-to-LAN packets selected
# by such a policy keep their private source address.
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
# No source NAT into the tunnel. log-prefix is set but log=yes is not, so this
# rule does not actually log.
add action=accept chain=srcnat log-prefix=nat out-interface=gre_to_Moscow
# Port forwards to the NVR at 192.168.20.241, restricted to a single source
# (the other office's public address). comment= values decode to
# "Video recorder (port 80)" and "Cameras in the video recorder (port 8002)".
# The matching forward accept is the src-address rule in /ip firewall filter.
# Note that port 80 is plain HTTP across the Internet; if the same device is
# reachable over the GRE/IPsec tunnel, that path carries it encrypted.
add action=dst-nat chain=dstnat comment=\
"\C2\E8\E4\E5\EE\F0\E5\E3\E8\F1\F2\F0\E0\F2\EE\F0 (\EF\EE\F0\F2 80)" \
dst-port=80 in-interface-list=WAN protocol=tcp src-address=ХХХ.85.27.ХХХ \
to-addresses=192.168.20.241 to-ports=80
add action=dst-nat chain=dstnat comment="\CA\E0\EC\E5\F0\FB \E2 \E2\E8\E4\E5\
\EE\F0\E5\E3\E8\F1\F2\F0\E0\F2\EE\F0\E5 (\EF\EE\F0\F2 8002)" dst-port=\
8002 in-interface-list=WAN protocol=tcp src-address=ХХХ.85.27.ХХХ \
to-addresses=192.168.20.241 to-ports=8002
/ip firewall raw
# Pre-conntrack drops. The BOGONS address list is defined elsewhere in the
# config (not in this excerpt); it needs maintaining if the router's own
# prefixes change.
add action=drop chain=prerouting comment=Bogon in-interface-list=WAN \
src-address-list=BOGONS
# Drops ALL ICMP from WAN, not only echo-request. That also discards ICMP
# "fragmentation needed" messages from the path, which is one of the usual
# causes of a GRE tunnel that passes small packets but stalls large ones.
add action=drop chain=prerouting comment="Drop Ping" in-interface-list=WAN \
protocol=icmp
/ip firewall service-port
# Connection-tracking ALG helpers disabled. These helpers parse application
# payload to open related pinholes, so turning them off removes a classic
# conntrack attack surface (sip/h323/ftp in particular).
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip ipsec identity
# Manually configured IPsec for the GRE peer, all disabled=yes. The GRE
# interface itself carries an ipsec-secret (earlier in the export), which
# makes RouterOS create its own dynamic peer/policy; these entries look like
# leftovers of an earlier attempt. Note the PSK is stored in the export in
# clear text (masked in this post) — treat exports as secrets.
add disabled=yes peer=GRE_peers secret="{ХХХХХХХХХХХХ"
/ip ipsec policy
# Transport policy for GRE from the peer's public address (no dst-address).
add disabled=yes peer=GRE_peers proposal=GRE_Proposals protocol=gre \
src-address=ХХХ.64.134.ХХХ/32
# Tunnel-mode policy between the two LANs restricted to protocol=gre — an
# unusual combination (GRE is normally carried between the public addresses).
add disabled=yes dst-address=192.168.10.0/24 peer=GRE_peers proposal=\
GRE_Proposals protocol=gre src-address=192.168.20.0/24 tunnel=yes
/ip route
# Remote office LAN via the tunnel. 172.16.100.1 is presumably the peer's
# address on the GRE link; the local /ip address on the gre interface is not
# in this excerpt, so confirm it is on-link.
add distance=1 dst-address=192.168.10.0/24 gateway=172.16.100.1
/ip service
# Management services. Only non-default entries are exported, so winbox and
# www-ssl are absent here and presumably at their defaults (enabled, any
# address). Restricting them with address= to the management range would
# match the rest of this hardening; today WAN-side protection of winbox relies
# solely on the filter rules above.
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ppp secret
# PPP credential (used for the L2TP server defined earlier in the export).
# Stored and exported in clear text — masked in this post.
add name=Provider password=ХХХХХХХХ
/system clock
set time-zone-name=Europe/Moscow
/system identity
set name=TRENDnet
/system ntp client
# NTP client enabled but no servers are listed in this excerpt; the router's
# own NTP replies also need an input accept above "Drop input WAN".
set enabled=yes
/tool bandwidth-server
# Bandwidth-test server off: it is an unauthenticated load generator.
set enabled=no
# MAC-level management (mac-telnet, mac-winbox, mac-ping) disabled on every
# interface; Layer-2 neighbours cannot reach the router without an IP path.
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no


xvo

Firewall'ы на обеих машинах нормально закрытые, так что первое, что приходит в голову, — отключить нижние drop-правила в цепочках forward и таким образом просто исключить, что это где-то в них что-то недодумано.

Плюс к этому, можно попробовать отключить правила drop invalid - был какой-то баг с gre и этим правилом, но правда вроде на более ранних версиях ROS, потом починили.


Telegram: @thexvo
qpujaismc

xvo писал(а): 30 май 2023, 14:28 Firewall'ы на обеих машинах нормально закрытые, так что первое, что приходит в голову, — отключить нижние drop-правила в цепочках forward и таким образом просто исключить, что это где-то в них что-то недодумано.
Что за магия, я не понимаю.
У меня были правила
 
/ip firewall filter
# Accept rules for traffic arriving from inside the tunnel (in-interface is the
# gre interface, not the outer WAN). Shown here as they were: disabled=yes and
# with no src-address match; the post says they were later re-enabled with an
# IP restriction added, after which the tunnel passed traffic.
add action=accept chain=input comment=V.Novgorod disabled=yes in-interface=gre_to_Novgorod
add action=accept chain=forward disabled=yes in-interface=gre_to_Novgorod
И на другой стороне
 
/ip firewall filter
# Counterpart on the other router: accepts for traffic coming out of the
# tunnel, disabled at the time of posting. log-prefix=rules is set on both,
# but only the input rule has log=yes, so the forward rule logs nothing.
add action=accept chain=input comment=Moscow disabled=yes in-interface=gre_to_Moscow log=yes log-prefix=rules
add action=accept chain=forward disabled=yes in-interface=gre_to_Moscow log-prefix=rules
Я их отключил так как не работало до этого.
Сейчас включил и добавил в них IP (то есть по идее еще сильнее ограничив). И сейчас все заработало.
Смотрел уже по логам попадания в нижних правилах Drop.
Вроде как ранее я смотрел в логах — в них ничего не попадало.
Что раньше было нужно, не пойму вообще, но спасибо вам огромное.


xvo

:co_ol:


Telegram: @thexvo