received a response from support: disable fast-path
/interface gre set 0 allow-fast-path=no
after this firewall see all packets

Thank You

tested with ipsec - proto 47 logged 03:54:07 firewall,info input: in:ether1 out:(unknown 0), src-mac b8:69:f4:00:eb:cc, proto 50, 192.168.61.1->192.168.61.3, len 124 03:54:07 firewall,info input: in:ether1 out:(unknown 0), proto 47, 192.168.61.1->192.168.61.3, len 74 03:54:07 firewall,info input: in...

[admin@MikroTik] > /ip firewall connection print where protocol~"gre" Flags: E - expected, S - seen-reply, A - assured, C - confirmed, D - dying, F - fasttrack, s - srcnat, d - dstnat # PR.. SRC-ADDRESS DST-ADDRESS TCP-STATE TIMEOUT ORIG-RATE REPL-RATE ORIG-PACKETS REPL-PACKETS 0 C gre 19...

no any established rule. I encountered a problem while changing the configuration on rb750g3 and tested with clean config on rb2011LS (config in first post) [admin@MikroTik] > /ip firewall filter print all Flags: X - disabled, I - invalid, D - dynamic 0 chain=input action=drop protocol=gre log=yes l...

these rules must count and log any packet and drop gre? /ip firewall filter add action=drop chain=input log=yes protocol=gre add action=accept chain=input in-interface=!ether2 log=yes if /interface gre set gre-tunnel1 disable=yes - input proto 47 logged 01:40:08 firewall,info input: in:ether1 out:(u...

I try the wiki rule to drop insecury GRE, and it's not work for me. Then I test more primitive config and see that if GRE interface enabled - firewall ignored input traffic (no packets count, no log message) Below is an example configuration and ping (ignored first rule action=drop chain=input log=y...

on first connect to device 6.34.1
winbox 3.1 ignore current setting /ip ipsec peer dh-group=modp2048
seen as modp1024, and if for example change comments for this peer, winbox reset dh-group to modp1024