EOIP tunnel blocked by firewall?

I have an EOIP tunnel set up between two MT routers on a LAN: it's between two buildings that are connected with a fiber cable that goes through a 3rd-party switch. The tunnel itself is a basic one.

On MT01:

/ip address
add address=10.10.10.1/24 interface=ether2 network=10.10.10.0

/interface eoip
add local-address=10.10.10.1 mtu=1500 name=eoip-tunnel1 remote-address=10.10.10.2 tunnel-id=100  ipsec-secret=XXX

/interface bridge port
add bridge=bridgelocal interface=eoip-tunnel1

On MT02:

/ip address
add address=10.10.10.2/24 interface=ether2 network=10.10.10.0

/interface eoip
add local-address=10.10.10.2 mtu=1500 name=eoip-tunnel1 remote-address=10.10.10.1 tunnel-id=100  ipsec-secret=XXX

/interface bridge port
add bridge=bridgelocal interface=eoip-tunnel1

My firewall INPUT chain:

/ip firewall filter
add action=accept chain=input comment="CCR ALLOW established, related" connection-state=established,related
add action=drop chain=input comment="CCR DENY invalid connection states" connection-state=invalid
add action=accept chain=input comment="CCR ALLOW OpenVPN roadwarriors handshake" connection-state=new dst-port=11978 protocol=tcp
add action=accept chain=input comment="CCR ALLOW IPSEC tunnels from known endpoints" dst-port=500,4500,1701 in-interface-list=WAN protocol=tcp src-address-list=ipsec-allowed-endpoints
add action=accept chain=input comment="CCR ALLOW IPSEC tunnels from known endpoints" in-interface-list=WAN protocol=ipsec-esp src-address-list=ipsec-allowed-endpoints
add action=accept chain=input comment="CCR ALLOW DNS queries from LAN" dst-port=53 in-interface-list=INTERNAL protocol=tcp
add action=accept chain=input comment="CCR ALLOW DNS queries from LAN" dst-port=53 in-interface-list=INTERNAL protocol=udp
add action=accept chain=input comment="CCR ALLOW admins to access configuration ports" dst-port=1978,1922 protocol=tcp src-address-list=admins
add action=accept chain=input comment="CCR ALLOW ping from LAN" in-interface-list=LAN log-prefix=input_a_ping protocol=icmp
add action=accept chain=input comment="CCR ALLOW ping from WAN for Admins" log-prefix=input_a_ping protocol=icmp src-address-list=admins
add action=accept chain=input comment="CCR defcon: accept to local loopback" dst-address=127.0.0.1
add action=accept chain=input comment="CCR Allow EoiP Tunnel" protocol=gre
add action=drop chain=input comment="CCR DENY everything else"

Now, without the second-to-last rule (allowing GRE in input) there is no connection between MT1 and MT2. Is that how it's supposed to be?

Yes.
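Added example, not part of the original thread: EoIP is carried in GRE (IP protocol 47), so the final drop rule in the input chain discards it unless an accept rule matches first. The accept rule as posted matches GRE from any source on any interface; the sketch below narrows it on MT01 to the peer address and interface from the post and, because the tunnel uses ipsec-secret, to GRE that arrived inside IPsec. The new comment strings and log prefix are constructed for illustration.

```routeros
# MT01 - as posted: accepts GRE from any source on any interface
# /ip firewall filter
# add action=accept chain=input comment="CCR Allow EoiP Tunnel" protocol=gre

# MT01 - narrowed: only GRE from the tunnel peer, on the link interface,
# and only if the packet was decapsulated from IPsec (ipsec-policy=in,ipsec)
/ip firewall filter
set [find comment="CCR Allow EoiP Tunnel"] \
    src-address=10.10.10.2 in-interface=ether2 ipsec-policy=in,ipsec

# Log any other GRE that reaches the router before the final drop
# (comment and log-prefix are constructed names)
add action=drop chain=input protocol=gre log=yes log-prefix=gre_unexpected \
    comment="CCR DENY GRE not from EoIP peer" \
    place-before=[find comment="CCR DENY everything else"]

# Checks after the change
# Packet counters on the GRE rules should increase only on the accept rule
/ip firewall filter print stats where protocol=gre
# Tunnel interface should show the R (running) flag
/interface eoip print
# SAs created by ipsec-secret should be present for 10.10.10.1 <-> 10.10.10.2
/ip ipsec installed-sa print

# MT02 - mirror of the accept rule, with the peer address swapped
# /ip firewall filter
# set [find comment="CCR Allow EoiP Tunnel"] \
#     src-address=10.10.10.1 in-interface=ether2 ipsec-policy=in,ipsec
```

If the tunnel stops running after the change, check the counters on the constructed drop rule first: hits there mean GRE is arriving from a different address or interface, or outside IPsec.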