- make an IP tables rule AFTER (-A [APPEND]) your ALLOW IPENCAP from AMPRGWS - to DROP IPENCAP
- let us know if you get any firewall hits by checking your running ipencap list

I have done that for a while and I do not see a lot of traffic, but there is some.
Part of it is from gateways with a dynamic address. When their address changes it
takes a while for the update to bubble through DNS, the portal and AMPR-RIP, and
during that time the traffic from their new address is dropped. But that does not
matter, as return traffic would not arrive there either. A gateway with a daily
changing external address is really not workable.
Lately there has been a lot more bad GRE traffic. We run GRE tunnels as well, with
a similar protection, and the default drop rule has logged quite some traffic in the
past months. Research indicates that it is related to a hacked video recording
system, although it is unclear to me what the purpose or cause of the GRE traffic is.
When browsing to the source address of these packets, one gets a logon screen of
some Chinese video recording (for surveillance) system.
Rob
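
One way to tally the firewall hits discussed in this thread, as an added example that is not part of the original messages. It assumes a LOG rule with the hypothetical prefix "ENCAP-DROP " sits just before the final DROP rule for protocol 4 (IPENCAP) and protocol 47 (GRE), and that the kernel log uses the standard netfilter LOG line format; the sample lines and addresses are constructed.

```python
from collections import Counter

# Constructed kernel log lines in netfilter LOG format (documentation addresses).
# The "ENCAP-DROP " prefix is an assumption: it is whatever --log-prefix you set.
SAMPLE_LOG = """\
Jan 10 03:12:01 gw kernel: ENCAP-DROP IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.1 LEN=84 TOS=0x00 PREC=0x00 TTL=52 ID=4021 PROTO=47
Jan 10 03:12:09 gw kernel: ENCAP-DROP IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.1 LEN=84 TOS=0x00 PREC=0x00 TTL=52 ID=4022 PROTO=47
Jan 10 04:40:17 gw kernel: ENCAP-DROP IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.20 DST=192.0.2.1 LEN=104 TOS=0x00 PREC=0x00 TTL=57 ID=911 PROTO=4
Jan 10 04:41:00 gw kernel: SSH-DROP IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=77 PROTO=TCP SPT=40112 DPT=22
Jan 10 05:02:33 gw kernel: ENCAP-DROP IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.99 DST=192.0.2.1 LEN=84 TOS=0x00 PREC=0x00 TTL=49 ID=5 PROTO=47
"""

# The LOG target prints protocols it has no name for as a bare number.
PROTO_NAMES = {"4": "IPENCAP", "47": "GRE"}


def summarize_drops(log_text, prefix="ENCAP-DROP "):
    """Count dropped tunnel packets per (protocol, source address)."""
    hits = Counter()
    for line in log_text.splitlines():
        if prefix not in line:
            continue  # logged by some other rule
        # LOG lines are space-separated KEY=VALUE fields; "OUT=" has an empty value.
        fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
        proto = PROTO_NAMES.get(fields.get("PROTO"))
        src = fields.get("SRC")
        if proto and src:
            hits[(proto, src)] += 1
    return hits


def totals_by_protocol(hits):
    """Collapse the per-source counts into one total per protocol."""
    totals = Counter()
    for (proto, _src), count in hits.items():
        totals[proto] += count
    return totals


if __name__ == "__main__":
    drops = summarize_drops(SAMPLE_LOG)
    for (proto, src), count in drops.most_common():
        print(f"{proto:8} {src:15} {count}")
    print(dict(totals_by_protocol(drops)))
```

A source that keeps appearing under IPENCAP may be a gateway whose dynamic address has changed and not yet propagated, so compare it against the current gateway list before treating it as hostile.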