СК
Лишнее убрал
[polukhinri@ccr1016-grt01-sib] /ip firewall filter> print
Flags: X - disabled, I - invalid, D - dynamic
0 D ;;; special dummy rule to show fasttrack counters
chain=forward action=passthrough
1 ;;; accept established, related, untracked
chain=input action=accept connection-state=established,related,untracked log=no log-prefix=""
2 ;;; drop invalid
chain=input action=drop connection-state=invalid log=no log-prefix=""
3 ;;; accept OSPF
chain=input action=accept protocol=ospf in-interface-list=VPN log=no log-prefix=""
5 ;;; accept IKE, IPsec ESP over UDP
chain=input action=accept protocol=udp in-interface-list=WAN dst-port=500,4500 log=no log-prefix=""
6 ;;; accept IPsec ESP
chain=input action=accept protocol=ipsec-esp in-interface-list=WAN log=no log-prefix=""
7 ;;; accept GRE
chain=input action=accept protocol=gre in-interface-list=WAN log=no log-prefix="" ipsec-policy=in,ipsec
15 ;;; drop all not coming from LAN
chain=input action=drop in-interface-list=!LAN log=no log-prefix=""
[polukhinri@ccr1016-grt01-sib] /ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; src-nat from LAN to WAN
chain=srcnat action=src-nat to-addresses=X.X.X.X out-interface-list=WAN log=no log-prefix=""
[polukhinri@ccr1016-grt01-sib] /interface list member> print
Flags: X - disabled, D - dynamic
# LIST INTERFACE
3 VPN gre-tunnel1
4 VPN gre-tunnel2
5 VPN gre-tunnel3
[polukhinri@ccr1016-grt01-sib] /ip firewall filter> print
Flags: X - disabled, I - invalid, D - dynamic
0 D ;;; special dummy rule to show fasttrack counters
chain=forward action=passthrough
1 ;;; accept established, related, untracked
chain=input action=accept connection-state=established,related,untracked log=no log-prefix=""
2 ;;; drop invalid
chain=input action=drop connection-state=invalid log=no log-prefix=""
3 ;;; accept OSPF
chain=input action=accept protocol=ospf in-interface-list=VPN log=no log-prefix=""
5 ;;; accept IKE, IPsec ESP over UDP
chain=input action=accept protocol=udp in-interface-list=WAN dst-port=500,4500 log=no log-prefix=""
6 ;;; accept IPsec ESP
chain=input action=accept protocol=ipsec-esp in-interface-list=WAN log=no log-prefix=""
7 ;;; accept GRE
chain=input action=accept protocol=gre in-interface-list=WAN log=no log-prefix="" ipsec-policy=in,ipsec
15 ;;; drop all not coming from LAN
chain=input action=drop in-interface-list=!LAN log=no log-prefix=""
[polukhinri@ccr1016-grt01-sib] /ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; src-nat from LAN to WAN
chain=srcnat action=src-nat to-addresses=X.X.X.X out-interface-list=WAN log=no log-prefix=""
[polukhinri@ccr1016-grt01-sib] /interface list member> print
Flags: X - disabled, D - dynamic
# LIST INTERFACE
3 VPN gre-tunnel1
4 VPN gre-tunnel2
5 VPN gre-tunnel3
как у вас, создал interface-list с именем VPN, добавил туда gre-туннель, создал правило, разрешающее OPSF на input с этого листа, отключил правило NAT для туннеля GRE
не помогло
не помогло
