GRE Tunnels

Generic Routing Encapsulation (GRE) tunnels carry traffic between Cloudflare’s edge and the on-premises pfSense router. GRE encapsulates packets but does not encrypt them; see Security Considerations below for how encryption is added when required.

Overview

Magic Transit uses GRE tunnels to forward clean traffic from Cloudflare’s network to the origin infrastructure. All traffic is inspected and scrubbed at Cloudflare’s edge before being encapsulated and sent through the tunnel.

Active Tunnels

IPv4 Primary Tunnel

Tunnel Configuration:

  • Name: MT_GRE_1_TUNNELV4

  • Local Endpoint: 198.51.100.1 (pfSense WAN example)

  • Remote Endpoint: 203.0.113.5 (Cloudflare example)

  • Tunnel Interface: gre0

  • MTU: 1476 bytes

IP Addressing:

  • pfSense: 198.51.100.1/31 (documentation example)

  • Cloudflare: 198.51.100.0/31 (documentation example)

  • Network: Point-to-point /31 subnet

Health Monitoring:

  • Monitor IP: 198.51.100.0 (Cloudflare side example)

  • Source IP: 198.51.100.1 (pfSense side example)

  • Latency: 9.308ms average

  • Jitter: 0.24ms

  • Packet Loss: 0.0%

  • Status: Online

IPv6 Tunnel

Tunnel Configuration:

  • Name: MT_GRE_1_TUNNELV6

  • Status: Online

  • Latency: 9.343ms average

  • Jitter: 0.276ms

  • Packet Loss: 0.0%

IP Addressing:

  • pfSense: fd00:abcd:7:0:a9fe:1b1c:0:3 (obfuscated example)

  • Cloudflare: fd00:abcd:7:0:a9fe:1b1c:0:2 (obfuscated example)

Tunnel Configuration (pfSense)

The GRE tunnel is configured on pfSense interface gre0:

Interface: gre0
Type: GRE tunnel
Local Address: 198.51.100.1
Remote Address: 203.0.113.5
Tunnel Source: 198.51.100.1
Tunnel Destination: 198.51.100.0
MTU: 1476
Status: UP, RUNNING

Traffic Flow

Inbound (Internet → Origin):

  1. Internet traffic destined for protected IPs

  2. Anycast routing to nearest Cloudflare edge

  3. DDoS scrubbing and security filtering

  4. GRE encapsulation

  5. Tunnel to pfSense (198.51.100.1)

  6. pfSense decapsulation and routing to internal networks

Outbound (Origin → Internet):

  1. Traffic from internal networks

  2. pfSense routing decision

  3. GRE encapsulation (if policy requires)

  4. Tunnel to Cloudflare

  5. Cloudflare edge (203.0.113.5) processes and forwards to destination
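The encapsulation (inbound step 4) and decapsulation (inbound step 6) above, as an added Python example that is not part of this documentation or of pfSense or Cloudflare code. It builds the outer IPv4 + RFC 2784 GRE headers around a constructed inner packet, validates and strips them again, and shows where the 1476-byte tunnel MTU comes from (1500 minus a 20-byte outer IPv4 header minus a 4-byte GRE header). Endpoint addresses are the documentation examples above; the inner packet and its payload are constructed.

```python
import socket
import struct

OUTER_IPV4_HDR_LEN = 20  # minimal outer IPv4 header (no options)
GRE_BASE_HDR_LEN = 4     # RFC 2784 GRE header with no optional fields
IPPROTO_GRE = 47
GRE_PROTO_IPV4 = 0x0800  # GRE protocol-type field carries an EtherType

def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum; returns 0 over a header whose checksum field is already correct."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header, DF set, checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, OUTER_IPV4_HDR_LEN + payload_len,
                      0, 0x4000, 64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]

def gre_encapsulate(inner: bytes, outer_src: str, outer_dst: str) -> bytes:
    """Inbound step 4: prepend a GRE header (flags=0, proto=IPv4) and an outer IPv4 header (proto 47)."""
    gre = struct.pack("!HH", 0, GRE_PROTO_IPV4)
    return ipv4_header(outer_src, outer_dst, IPPROTO_GRE, len(gre) + len(inner)) + gre + inner

def gre_decapsulate(packet: bytes) -> tuple:
    """Inbound step 6: validate and strip outer IPv4 + GRE; returns (outer_src, outer_dst, inner)."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != IPPROTO_GRE:
        raise ValueError("outer IP protocol is not GRE (47)")
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("outer IPv4 header checksum mismatch")
    flags, ptype = struct.unpack("!HH", packet[ihl:ihl + GRE_BASE_HDR_LEN])
    if flags & 0xB000:  # C, K or S bit set: optional fields follow; only the 4-byte base header is handled here
        raise ValueError("GRE optional fields (checksum/key/sequence) not handled in this example")
    if ptype != GRE_PROTO_IPV4:
        raise ValueError("GRE payload is not IPv4")
    outer_src, outer_dst = socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20])
    return outer_src, outer_dst, packet[ihl + GRE_BASE_HDR_LEN:]

def tunnel_mtu(underlay_mtu: int = 1500) -> int:
    """Largest inner packet the tunnel carries without fragmenting the outer packet (1476 on a 1500-byte WAN)."""
    return underlay_mtu - OUTER_IPV4_HDR_LEN - GRE_BASE_HDR_LEN

def fits_tunnel(inner: bytes, underlay_mtu: int = 1500) -> bool:
    # A DF-marked inner packet above tunnel_mtu() is dropped unless PMTUD works: a classic "packet loss" cause.
    return len(inner) <= tunnel_mtu(underlay_mtu)

# Constructed sample: a 5-byte UDP payload from an Internet client to a protected address (RFC 5737 examples).
SAMPLE_INNER = ipv4_header("192.0.2.10", "192.0.2.50", 17, 5) + b"hello"
```

Because GRE adds no confidentiality, the inner payload bytes remain readable in the outer packet, which is why the IPsec option below matters for sensitive traffic.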

Security Considerations

Tunnel Security:

  • GRE provides encapsulation but not encryption

  • IPsec can be layered over GRE for encryption if required

  • Cloudflare’s network provides DDoS protection upstream

  • pfSense firewall rules control what traffic enters the tunnel

Best Practices:

  • Monitor tunnel health continuously

  • Configure automatic failover for tunnel failures

  • Use IPsec encryption for sensitive traffic

  • Implement strict firewall rules for tunnel endpoints

Troubleshooting

Check Tunnel Status:

# On pfSense
ifconfig gre0
pfSsh.php playback gatewaystatus

Common Issues:

  • Tunnel Down: Check WAN connectivity, verify remote endpoint reachability

  • High Latency: Review Cloudflare edge routing, check WAN circuit performance

  • Packet Loss: Investigate MTU issues, check for interface errors

Health Check Verification:

The gateway monitoring system continuously tests tunnel health by sending ICMP probes to the Cloudflare endpoint (198.51.100.0). Failures trigger automatic alerts and can initiate failover procedures.

Performance Monitoring

Tunnel performance is monitored via pfSense gateway monitoring:

  • Latency: Average round-trip time

  • Standard Deviation: Jitter measurement

  • Packet Loss: Percentage of lost probes

  • Status: Online/Offline/Warning states

Current metrics show excellent tunnel performance with sub-10ms latency and zero packet loss.

Maintenance

Routine Maintenance:

  • Monitor tunnel statistics daily

  • Review gateway health checks weekly

  • Test failover procedures monthly

  • Verify Cloudflare configuration quarterly

Change Management:

Changes to tunnel configuration should be coordinated with Cloudflare support to ensure continuous service availability.