pfSense

Turns out that the IPsec Filter Mode option on VPN > IPsec, Advanced Settings tab also works to allow two-way filtering of TCP and other traffic on Transport mode GRE tunnels, and presumably other similar transport mode scenarios. By default, this does not work ( See #4479 ).

No technical changes are needed, only the option text and help text need updated to note the additional scenarios covered by the existing option.

Some other notes, not all are for the GUI, but may be useful in later documentation:

• As with VTI, enabling this mode blocks all tunnel mode traffic so it's all or nothing -- either the user can filter on VTI and transport+GRE or they can filter on tunnel mode, but not both.
• No way to see/capture the actual GRE traffic -- traffic captured on WAN is only IPsec IKE/ESP and such.
• Rules to pass traffic between transport peers goes on the WAN interface directly (e.g. to pass outer GRE traffic), but there isn't a way to conditionally filter the traffic based on whether or not IPsec is up yet
• Rules to pass tunneled GRE traffic go on assigned GRE interfaces as expected.
• States for transport connections show on WAN, states for GRE show up on GRE -- both are logical but some people may expect to see states on the IPsec/enc interface which won't happen in this mode