I've recently set up a VPN between my two homes via the internet. The VPN uses a PPTP tunnel to connect both networks via the internet. Within that tunnel I use an EoIP tunnel to transparently bridge the two networks.
I used the following guides to establish this connection:
http://wiki.mikrotik.com/wiki/Manual:Interface/EoIP
http://www.mikrotik.com/documentation/m ... /EoIP.html
Please refer to the network layout diagram below.
The PPTP connection seems to work correctly and the EoIP tunnel as well. The only problem I have is that both networks run hotspots. This seems to interfere with my internet browsing and the general internet connection of the nodes at both locations. It seems that if I try to access the internet on one of the nodes in network 1 (router 1), then it redirects me to the hotspot login page of network 2 (router 2).
The idea was to set up both networks on the same IP range but limit the addresses on both networks to specific IPs within this range, so as to avoid duplicate IPs.
I first had a major issue with the DHCP servers on both networks. I didn't want to run one DHCP server to serve both networks (in case the internet connection went down). I then found out that a bridge filter rule could be applied to block off any DHCP requests from the one network to the other by dropping any requests through the EoIP tunnel that use ports 67-68 of the UDP protocol. That seemed to solve the problem of the DHCP server interference.
The two hotspot HTML login pages are on a different IP range than the local range of both networks. I then tried to block any requests through the EoIP tunnel to that (hotspot login page) IP range. After a while it seemed I could access the internet via the network nodes while the PPTP connection, EoIP and bridge were enabled. I don't know if it was a result of this hotspot page IP blocking, because when I disabled this rule in the bridge filter, the internet still worked.
Furthermore, despite trying to transparently bridge these two networks, I can't seem to ping the nodes of network 2 from the nodes of network 1 and vice versa. I've tried multiple combinations of proxy-arp on the network interfaces of both bridges, but no success. I added walled-garden IP rules on both hotspots to allow any local traffic. This enabled me to ping router 2 from router 1, but I could still not ping nodes within network 2 from router 1. When trying to ping address 192.168.0.140 I get a response in WinBox from 192.168.0.100 (local IP of router 2): host redirect.
I also can't seem to use WinBox to connect to router 2 from network 1 (it is stuck at: retrieving preferences from 192.168.0.100). I can only use telnet, and it is unstable at best; it often disconnects. I have a feeling that my MTU and MRU settings for all the interfaces are wrong. As I understand it, the MTU of the outer tunnel (PPTP) is to be the largest, followed by the inner tunnel (EoIP) smaller and the bridge the smallest. Is that correct? And if so, what are good values to use?
All that I would like this VPN to accomplish is the ability to see the network nodes on network 2 from the nodes on network 1, via Windows' network discovery (i.e. not using the nodes' IP addresses in Windows, but for Windows to discover them automatically). But each network should still be served by its own DHCP server and should still be governed by its own hotspot. Thus if the PPTP link between them fails, they would still be able to operate as individual networks.
I would greatly appreciate any help with this. Even if it is just pointing me in the right direction.
The network layout is as follows:
Network 1 (Router 1):
[Jeandre@Jeandre] /interface> print
Flags: D - dynamic, X - disabled, R - running, S - slave
# NAME TYPE MTU L2MTU MAX-L2MTU
0 R EtherNet_1_Main ether 1500 1526 1526
5 R UCom wlan 1500 2290
8 R JeandreCPT pptp-in 1600
9 R EoIP-JeandreCPT eoip-tunnel 1460 65535
10 R ;;; Ethernet to EoIp bridge through PPTP to JeandreCPT
Ethernet_EoIP_Bridge bridge 1500 1526
[Jeandre@Router1] /interface bridge> print
Flags: X - disabled, R - running
0 R ;;; Ethernet to EoIp bridge through PPTP to JeandreCPT
name="Ethernet_EoIP_Bridge" mtu=1500 l2mtu=1526 arp=proxy-arp
mac-address=00:0C:42:30:B4:98 protocol-mode=none priority=0x8000
auto-mac=no admin-mac=00:0C:42:30:B4:98 max-message-age=20s
forward-delay=15s transmit-hold-count=6 ageing-time=5m
[Jeandre@Router1] /interface bridge port> print
Flags: X - disabled, I - inactive, D - dynamic
# INTERFACE BRIDGE PRIORITY PATH-COST HORIZON
0 EoIP-JeandreCPT Ethernet_EoIP_Br... 0x80 10 none
1 EtherNet_1_Main Ethernet_EoIP_Br... 0x80 10 none
[Jeandre@Router1] /interface bridge filter> print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; Drop DHCP Requests to JeandreCPT - Only Local DHCP server to serve STB Nodes
chain=output out-interface=EoIP-JeandreCPT action=drop mac-protocol=ip
dst-port=67-68 ip-protocol=udp
1 ;;; Drop Hotspot requests to Marshll-Network
chain=output out-interface=EoIP-JeandreCPT action=drop mac-protocol=ip
dst-address=192.168.5.0/24
[Jeandre@Router1] /interface eoip> print
Flags: X - disabled, R - running
0 R name="EoIP-JeandreCPT" mtu=1460 l2mtu=65535 mac-address=00:00:5E:80:10:00 arp=enabled local-address=0.0.0.0 remote-address=192.168.2.50
tunnel-id=1234
[Jeandre@Router1] /interface pptp-server> print
Flags: X - disabled, D - dynamic, R - running
# NAME USER MTU CLIENT-ADDRESS UPTIME ENCODING
0 R JeandreCPT USER123 1600 XXX.XXX.XXX.XXX 5m48s MPPE128 stateless
[Jeandre@Router1] /ppp secret> print
Flags: X - disabled
# NAME SERVICE CALLER-ID PASSWORD PROFILE REMOTE-ADDRESS
0 USER123 pptp XXXX default-encryption 192.168.2.50
[Jeandre@Router1] > ip dhcp-server print
Flags: X - disabled, I - invalid
# NAME INTERFACE RELAY ADDRESS-POOL LEASE-TIME ADD-ARP
0 dhcp1 Ethernet_EoIP_Bridge Jeandre-Network 3d yes
[Jeandre@Router1] > ip dhcp-server network print
# ADDRESS GATEWAY DNS-SERVER WINS-SERVER DOMAIN
1 192.168.0.0/24 192.168.0.1
[Jeandre@Router1] /ip address> print
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK INTERFACE
0 192.168.0.1/24 192.168.0.0 Ethernet_EoIP_Bridge
2 172.16.207.2/24 172.16.207.0 UCom
5 D 192.168.2.10/32 192.168.2.50 JeandreCPT
[Jeandre@Router1] /ip route> print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
4 A S ;;; Static default route via UCom
0.0.0.0/0 172.16.207.1 5
13 ADC 172.16.207.0/24 172.16.207.2 UCom 0
14 ADC 192.168.0.0/24 192.168.0.1 Ethernet_EoIP_B... 0
16 ADC 192.168.2.50/32 192.168.2.10 JeandreCPT 0
[Jeandre@Router1] /ppp profile> print
Flags: * - default
0 * name="default" use-ipv6=yes use-mpls=default use-compression=default use-vj-compression=default use-encryption=default only-one=default
change-tcp-mss=yes
1 * name="default-encryption" use-ipv6=yes use-mpls=default use-compression=default use-vj-compression=default use-encryption=yes only-one=default
change-tcp-mss=yes
[Jeandre@Router1] > ip hotspot print
Flags: X - disabled, I - invalid, S - HTTPS
# NAME INTERFACE ADDRESS-POOL PROFILE IDLE-TIMEOUT
0 Jeandre-Hotspot Ethernet_EoIP_Bridge Jeandre-Network hsprof1 10m
[Jeandre@Router1] > ip hotspot profile print
Flags: * - default
0 * name="default" hotspot-address=0.0.0.0 dns-name="" html-directory=hotspot rate-limit=""
http-proxy=0.0.0.0:0 smtp-server=0.0.0.0 login-by=cookie,http-chap http-cookie-lifetime=3d
split-user-domain=no use-radius=yes radius-accounting=yes radius-interim-update=received
nas-port-type=wireless-802.11 radius-default-domain="" radius-location-id=""
radius-location-name="" radius-mac-format=XX:XX:XX:XX:XX:XX
1 name="hsprof1" hotspot-address=192.168.5.1 dns-name="portal.jeandre_network.co.za"
html-directory=Final Hotspot rate-limit="" http-proxy=0.0.0.0:0 smtp-server=0.0.0.0
login-by=cookie,http-chap http-cookie-lifetime=3d split-user-domain=no use-radius=yes
radius-accounting=yes radius-interim-update=received nas-port-type=wireless-802.11
radius-default-domain="jeandre" radius-location-id="" radius-location-name=""
radius-mac-format=XX:XX:XX:XX:XX:XX
[Jeandre@Router1] > ip hotspot walled-garden ip print
Flags: X - disabled, I - invalid
# SERVER PROTOCOL DST-HOST DST-ADDRESS DST-PORT ACTION
0 Jeandre-Ho... 192.168.0.0/24 accept
2 www.google.com accept
3 www.google.c... accept
5 Jeandre-Ho... 192.168.2.0/24 accept
Network 2 (Router 2):
[Jeandre@Router2] /interface> print
Flags: D - dynamic, X - disabled, R - running, S - slave
# NAME TYPE MTU L2MTU MAX-L2MTU
0 ;;; WiFi Network Interface
Marshal_Network_Wifi wlan 1500 2290
2 R ;;; Lan Network Interface
EtherNet_1 ether 1500 1526
3 R ;;; Bridge Interface - To bridge lan and wifi to one network and ip range
Ethernet_Wifi_EoIP_Bridge bridge 1460 1526
4 R ;;; WAN Network Interface - Internet - Vodacom 3G via mini-pci-e
VodaCom_3G ppp-out 1500
5 R ;;; VPN#PPTP Client to Connect to STB - VPN to Jeandre
JeandreSTB pptp-out 1600
6 R ;;; EoIP Tunnel through PPTP to Jeandre STB
EoIP-JeandreSTB eoip-tunnel 1460 65535
[Jeandre@Router2] /interface bridge> print
Flags: X - disabled, R - running
0 R ;;; Bridge Interface - To bridge lan and wifi to one network and ip range
name="Ethernet_Wifi_EoIP_Bridge" mtu=1460 l2mtu=1526 arp=proxy-arp
mac-address=00:00:5E:80:00:01 protocol-mode=none priority=0x8000 auto-mac=yes
admin-mac=00:0C:42:49:04:6C max-message-age=20s forward-delay=15s
transmit-hold-count=6 ageing-time=5m
[Jeandre@Router2] /interface bridge port> print
Flags: X - disabled, I - inactive, D - dynamic
# INTERFACE BRIDGE PRIORITY PATH-COST HORIZON
0 EtherNet_1 Ethernet_Wifi_EoIP_... 0x80 10 none
1 I Marshal_Network_Wifi Ethernet_Wifi_EoIP_... 0x80 10 none
2 EoIP-JeandreSTB Ethernet_Wifi_EoIP_... 0x80 10 none
[Jeandre@Router2] /interface bridge filter> print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; Drop all DHCP requeststo Jeandre-Network
chain=output out-interface=EoIP-JeandreSTB action=drop mac-protocol=ip
dst-port=67-68 ip-protocol=udp
1 ;;; Drop all Hotspot requests to Jeandre-Network
chain=output out-interface=EoIP-JeandreSTB action=drop mac-protocol=ip
dst-address=192.168.5.0/24
[Jeandre@Router2] /interface> eoip print
Flags: X - disabled, R - running
0 R ;;; EoIP Tunnel through PPTP to Jeandre STB
name="EoIP-JeandreSTB" mtu=1460 l2mtu=65535 mac-address=00:00:5E:80:00:01
arp=enabled local-address=0.0.0.0 remote-address=192.168.2.10 tunnel-id=1234
[Jeandre@Router2] /interface> pptp-client print
Flags: X - disabled, R - running
0 R ;;; VPN#PPTP Client to Connect to STB - VPN to Jeandre
name="JeandreSTB" max-mtu=1460 max-mru=1460 mrru=1600 connect-to=mydns.dyndns.org
user="USER123" password="XXXX" profile=default-encryption
add-default-route=no dial-on-demand=no allow=pap,chap,mschap1,mschap2
[Jeandre@Router2] /ip route> print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
1 X S 0.0.0.0/0 VodaCom_3G 1
2 ADC X.X.X.X/32 X.X.X.X VodaCom_3G 0
3 ADC 192.168.0.0/24 192.168.0.100 Ethernet_Wifi_E... 0
4 ADC 192.168.2.10/32 192.168.2.50 JeandreSTB 0
[Jeandre@Router2] /ip> dhcp-server print
Flags: X - disabled, I - invalid
# NAME INTERFACE RELAY ADDRESS-POOL LEASE-TIME ADD-ARP
0 Marshall_Network_DHCP Ethernet_Wifi_EoIP_Bridge Marshall_Network_Pool 3d yes
[Jeandre@Router2] /ip dhcp-server network> print
# ADDRESS GATEWAY DNS-SERVER WINS-SERVER DOMAIN
0 ;;; Network setup to allocate default gateway and dns server to clients
192.168.0.0/24 192.168.0.100
[Jeandre@Router2] /ip hotspot> print
Flags: X - disabled, I - invalid, S - HTTPS
# NAME INTERFACE ADDRESS-POOL PROFILE IDLE-TIMEOUT
0 Marshall-Network HP Ethernet_Wifi_EoIP_Bridge Marshall_Network_Pool Marshall-Network SP none
[Jeandre@Router2] /ip hotspot profile> print
Flags: * - default
0 * name="Marshall-Network SP" hotspot-address=192.168.5.2 dns-name="hotspot.marshallnetwork" html-directory=hotspot rate-limit="" http-proxy=0.0.0.0:0 smtp-server=0.0.0.0 login-by=mac,http-chap mac-auth-password="" split-user-domain=no use-radius=no
[Jeandre@Router2] /ip address> print
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK INTERFACE
0 ;;; default configuration
192.168.0.100/24 192.168.0.0 Ethernet_Wifi_EoIP_Bridge
2 D X.X.X.X/32 X.X.X.X VodaCom_3G
3 D 192.168.2.50/32 192.168.2.10 JeandreSTB
[Jeandre@Router2] > ip hotspot walled-garden ip print
Flags: X - disabled, I - invalid
# SERVER PROTOCOL DST-HOST DST-ADDRESS DST-PORT ACTION
0 ;;; Access for users to access the internal network - Bypass usage counters
Marshall-Network HP 192.168.0.0/24 accept
1 ;;; BYP-Access for users to accessSymantec Norton update server - Activated when 2GB limit reached
Marshall-Network HP liveupdate.symantec.com accept
2 ;;; BYP-Access for users to access Symantec Norton update server - Activated when 2GB limit reached
Marshall-Network HP liveupdate.symantecliveupdate.com accept
3 ;;; BYP-Access for users to access Mikrotik Wiki & Manuals - Activated when 2GB limit reached
Marshall-Network HP wiki.mikrotik.com accept
4 ;;; Access for users to Jeandre-Network
Marshall-Network HP 192.168.2.0/24 accept
I would really appreciate it if someone could perhaps help me out with this. I don't believe my MTU/MRU settings and ARP settings are correct. Could anyone please advise me on this?
Thanks so much.
Kind regards
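The MTU question raised in the post (outer tunnel largest, inner tunnel smaller, bridge smallest) can be checked numerically. The following is an added example, not code from the post or from MikroTik: it walks the nesting WAN -> PPTP -> EoIP -> bridge with the MTU values printed above, subtracts each layer's encapsulation overhead, and reports which configured value would force fragmentation. The 42-byte EoIP overhead (20 IP + 8 GRE + 14 Ethernet) is the figure from the MikroTik EoIP manual linked in the post; the 40-byte PPTP overhead is an assumption and is marked as such in the code.

```python
"""MTU budget check for nested tunnels (WAN -> PPTP -> EoIP -> bridge).

Added example, not from the forum post or MikroTik.  Layer MTUs below are the
values printed in the post's router output; the PPTP overhead is an assumption.
"""
from dataclasses import dataclass
from typing import List, Tuple

# EoIP adds 20 (outer IP) + 8 (GRE) + 14 (Ethernet header) bytes on top of the
# inner IP payload that its "mtu" describes (MikroTik EoIP manual).
EOIP_OVERHEAD = 42
# ASSUMPTION: PPTP = 20 (outer IP) + 16 (enhanced GRE with key/seq/ack) + 4 (PPP).
# Adjust if the real tunnel differs (e.g. no ack field, compression headers).
PPTP_OVERHEAD_ASSUMED = 40


@dataclass(frozen=True)
class Layer:
    name: str
    mtu: int        # largest payload this layer is configured to accept
    overhead: int   # bytes added when this layer's packet enters the next outer layer


def check(stack: List[Layer]) -> List[Tuple[str, int, int, int]]:
    """Compare each inner layer's configured MTU against what its outer layer can
    carry unfragmented.  Returns (name, configured, allowed, excess) per inner layer."""
    rows = []
    for outer, inner in zip(stack, stack[1:]):
        allowed = outer.mtu - inner.overhead
        rows.append((inner.name, inner.mtu, allowed, max(0, inner.mtu - allowed)))
    return rows


def oversized(stack: List[Layer]) -> List[str]:
    """Names of the layers whose configured MTU exceeds their budget."""
    return [name for name, _, _, excess in check(stack) if excess > 0]


def recommend(stack: List[Layer]) -> List[Tuple[str, int]]:
    """Largest MTU per layer that never fragments, cascading from the outermost
    (kept as configured) inward: each layer = outer MTU minus its own overhead."""
    current = stack[0].mtu
    result = [(stack[0].name, current)]
    for inner in stack[1:]:
        current -= inner.overhead
        result.append((inner.name, current))
    return result


# Values from the post.  Router 2: 3G ppp-out 1500, pptp-out max-mtu 1460,
# EoIP mtu 1460, bridge mtu 1460.  Router 1: wlan 1500, pptp-in 1600,
# EoIP mtu 1460, bridge mtu 1500.
ROUTER2_STACK = [
    Layer("VodaCom_3G", 1500, 0),
    Layer("JeandreSTB (pptp-out)", 1460, PPTP_OVERHEAD_ASSUMED),
    Layer("EoIP-JeandreSTB", 1460, EOIP_OVERHEAD),
    Layer("Ethernet_Wifi_EoIP_Bridge", 1460, 0),
]
ROUTER1_STACK = [
    Layer("UCom (wlan)", 1500, 0),
    Layer("JeandreCPT (pptp-in)", 1600, PPTP_OVERHEAD_ASSUMED),
    Layer("EoIP-JeandreCPT", 1460, EOIP_OVERHEAD),
    Layer("Ethernet_EoIP_Bridge", 1500, 0),
]


def report(label: str, stack: List[Layer]) -> None:
    print(f"== {label} ==")
    for name, configured, allowed, excess in check(stack):
        flag = f"OVERSIZE by {excess}" if excess else "ok"
        print(f"  {name:28s} configured={configured:5d} fits={allowed:5d}  {flag}")
    print("  recommended:", ", ".join(f"{n}={m}" for n, m in recommend(stack)))


if __name__ == "__main__":
    report("Router 2", ROUTER2_STACK)
    report("Router 1", ROUTER1_STACK)
```

With the posted values the EoIP MTU of 1460 comes out 42 bytes over what a 1460-byte PPTP tunnel can carry, so every full-size EoIP packet is fragmented before it reaches the 3G link; with the assumed overheads the non-fragmenting chain is 1500 / 1460 / 1418 / 1418. Two caveats: the PPTP figure is an assumption, so treat 1418 as a starting point and confirm with a ping of a known size and the don't-fragment bit set; and a lower EoIP or bridge MTU does not shrink frames that LAN hosts send at 1500 bytes across the bridge, since bridged frames are not subject to the interface's L3 MTU, so either the hosts' MTU is lowered too or the outer packets are accepted as fragmented.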