You are right, the problem is in GRE state matching, but why EoIP tunnels is in invalid connection state now?Isn't EoIP using GRE?
So make sure you're allowing GRE before dropping invalid connections.*) conntrack - fixed GRE protocol packet connection-state matching (CVE-2014-8160);
1) Yes.Are you talking about SSTP?
Certificate contains DNS name and you have sstp client with latest routeros version where you specify DNS as connect to address?
Agreed. Check the statistics of upload/download queues separately. It seems only one is used for all traffic.Perhaps something is happening in the packet flow and queuing that isn't what you expect