What's the setting to use to allow ICMP echo via GRE from an ISP or cloud provider?

In this capture, these are the addresses of which devices?
xx.xx.66.5, 102.189.xx.xx.static.m1net.com.sg, xx.xx.77.184

xx.xx.66.5 - Cloudflare
102.189.xx.xx.static.m1net.com.sg - bond0 dhcp IP
xx.xx.77.184 - Cloudflare

I don’t see the required packets in the capture
We need to run traffic capture during healthcheck 162.159.66.5 (during ping), and capture those packets:
tcpdump host 162.159.66.5

Could you also describe the address scheme somehow?
VyOS(IP)–(Public_IP)----(Internet)----(Public_IP)–Remote(IP)

02:58:42.995601 IP 162.159.66.5 > xx.xx.189.118.static.m1net.com.sg: GREv0, length 88: IP xx.xx.189.118.static.m1net.com.sg > xx.xx.33.33: ICMP echo reply, id 38833, seq 0, length 64

VyOS IP is dhcp so it’ll be the same as the M1 static IP which is the public IP.
The tun0 IP is the xx.xx.72.20 connecting to xx.xx.72.21 on Cloudflare’s side of the tunnel. This: 162.159.66.5 is the GRE anycast IP coming from Cloudflare that’s being used to ping my IP via GRE. On my tunnel, it’s my remote IP, on Cloudflare’s side of the tunnel, my public IP is the remote IP.

Most suggestions focus on firewall rules, but I doubt that’s the answer.
Is this problem as described here?

I think the keepalives are okay, think is the tunnel is up and working. But how Cloudflare does the tunnel health checks is to send ICMP echo replies via GRE, and it would look like the router is pinging itself I guess? Which is why the accept_local rule was set though I’m not quite sure why I need it, there must be some native VyOS rule that I’m missing or do I still have to use the kernel?