Hi everyone, here is the situation: I am trying to set up a transparent proxy on squid. The internal network is
172.16.20.0/23, the squid address is 172.16.20.2, and the router address is 172.16.20.1. Here is the squid config:
http_port 3128 intercept
wccp2_router 172.16.20.1
wccp_version 2
wccp2_rebuild_wait on
wccp2_forwarding_method 1
wccp2_return_method 1
wccp2_service standard 0
wccp2_service dynamic 80
wccp2_service_info 80 protocol=tcp flags=src_ip_hash priority=240 ports=80
iptables config:
*nat
:PREROUTING ACCEPT [22408138:1641103166]
:POSTROUTING ACCEPT [15287405:1010994105]
:OUTPUT ACCEPT [14994438:993199759]
-A PREROUTING -i gre1 -p tcp -m tcp -d 0/0 -j DNAT --to-destination 172.16.20.2:3128
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
I create the GRE tunnel:
iptunnel add gre1 mode gre remote 172.16.20.1 local 172.16.20.2 dev eth1.12
ifconfig gre1 172.16.20.10 up
Cisco 2811 (12.4) config:
ip wccp 80 redirect-list wccp
interface FastEthernet0/0
description INTERNET
mac-address c47d.4f1e.ca55
ip address 193.*.*.17 255.255.255.224
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface FastEthernet0/1
description LAN
no ip address
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface FastEthernet0/1.12
description SERVERS
encapsulation dot1Q 12
ip address 172.16.20.1 255.255.254.0
ip wccp 80 redirect in
ip nat inside
ip virtual-reassembly in
!
ip access-list extended wccp
deny ip host 172.16.20.2 any
deny ip host 172.16.20.10 any
permit ip any any
!
It does not work: a host tries to reach the internet and the page does not load.
CR#sh ip wccp 80
Global WCCP information:
Router information:
Router Identifier: 193.*.*.17
Protocol Version: 2.0
Service Identifier: 80
Number of Service Group Clients: 1
Number of Service Group Routers: 1
Total Packets s/w Redirected: 144
Process: 0
CEF: 144
Service mode: Open
Service Access-list: -none-
Total Packets Dropped Closed: 0
Redirect Access-list: wccp
Total Packets Denied Redirect: 0
Total Packets Unassigned: 0
Group Access-list: -none-
Total Messages Denied to Group: 0
Total Authentication failures: 0
Total GRE Bypassed Packets Received: 0
Tcpdump on the squid machine shows that there are no packets on the gre1 interface.
CR#sh ip wccp 80 detail
WCCP Client information:
WCCP Client ID: 172.16.20.2
Protocol Version: 2.0
State: Usable
Redirection: GRE
Packet Return: GRE
Assignment: HASH
Initial Hash Info: 00000000000000000000000000000000
00000000000000000000000000000000
Assigned Hash Info: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
Hash Allotment: 256 (100.00%)
Packets s/w Redirected: 222
Connect Time: 00:36:06
GRE Bypassed Packets
Process: 0
CEF: 0
Errors: 0
Please point me to where to dig; this is the second day I have been poking at it.