Cambium L2GRE with Mikrotik Problem

I am trying to achieve this
http://community.cambiumnetworks.com/t5/cnPilot-E-Series-Enterprise-APs/Layer-2-Generic-Routing-Enca

GOAL
Basically 2 SSIDs v5 and v15 in e410.
If I connect to v5, I’ll get vlan5 ip
I need guidance

PROBLEMS:
from e410 AP can’t ping Mikrotik vlan5 ip 10.0.5.1 or vice versa
from Mikrotik can’t ping e410 vlan15 ip 10.0.15.228

QUESTIONS:

  1. whether my GRE server config in Mikrotik is correct or not
  2. how to check in Mikrotik that my GRE tunnel is up and connected

tq

CONFIG:
-Monitor/Network/Tunnel status UP

CAMBIUM
management cambium-remote url https://cloud.cambiumnetworks.com
management user admin password $crypt$1$w/Xp3UpofaMqhizbPdlCEfZU7ILYx1yz
management ssh
management cambium-remote
management cambium-remote validate-server-cert
no management telnet
no management http
management http port 80
management https
management https port 443
led
lldp
no poe-out
country-code CN
wpa2-handshake-retry 4 4
wpa2-handshake-timeout 100 500 1000
wpa2-handshake-log-level 4
placement indoor
!
wireless radio 1
no shutdown
channel auto
channel-width 20
channel-list all-channels
data-rate unicast 1b 2b 5.5b 11b 12 18 24 36 48 54
data-rate non-unicast highest-basic
power auto
no airtime-fairness
auto-channel-select on-startup
antenna-gain 5
beacon-interval 100
dynamic-channel-selection
dynamic-channel-selection threshold 100
dynamic-channel-selection samples 20
off-channel-scan dwell-time 50
auto-rf chan-hold-time 120
auto-rf packet-error-rate-threshold 30
auto-rf channel-utilization-threshold 25
mesh-xtnded-dev-list
wmm-parameters downstream txoplimit vi 3008
wmm-parameters downstream txoplimit vo 1504
wmm-parameters upstream txoplimit vi 3008
wmm-parameters upstream txoplimit vo 1504
!
wireless radio 2
no shutdown
channel auto
channel-width 80
channel-list all-channels
data-rate unicast 6b 9 12b 18 24b 36 48 54
data-rate non-unicast highest-basic
power auto
no airtime-fairness
auto-channel-select on-startup
antenna-gain 5
beacon-interval 100
dynamic-channel-selection
dynamic-channel-selection threshold 100
dynamic-channel-selection samples 20
off-channel-scan dwell-time 50
auto-rf chan-hold-time 120
auto-rf packet-error-rate-threshold 30
auto-rf channel-utilization-threshold 25
mesh-xtnded-dev-list
wmm-parameters downstream txoplimit vi 3008
wmm-parameters downstream txoplimit vo 1504
wmm-parameters upstream txoplimit vi 3008
wmm-parameters upstream txoplimit vo 1504
!
wireless wlan 1
ssid v5
no shutdown
vlan 5
security wpa2-psk
no protected-mgmt-frames
passphrase $crypt$1$UPOgD8jDUyHxZnqF2NTpkFqIDDB9LbuJ
band 2.4GHz
dtim-interval 1
allow-tkip
max-associated-client 127
client-cache cnMaestro
tunnel-mode
mac-authentication policy deny
passpoint interworking access-network-type private
no guest-access
dhcp-option82
dhcp-option82 circuit-id vlanid
dhcp-option82 remote-id vlanid
!
wireless wlan 2
ssid v15
no shutdown
vlan 15
security wpa2-psk
no protected-mgmt-frames
passphrase $crypt$1$G67aNNOTPGS/i9IvxBTZrQECrD36p4pK
band 2.4GHz
dtim-interval 1
max-associated-client 127
client-cache cnMaestro
tunnel-mode
mac-authentication policy deny
passpoint interworking access-network-type private
no guest-access
dhcp-option82
dhcp-option82 circuit-id vlanid
dhcp-option82 remote-id vlanid
!
interface eth 1
switchport mode access
switchport access vlan 1
!
interface vlan 1
ip nat inside
ip address zeroconf
management-access all
ip address 192.168.88.228 255.255.255.0
!
interface vlan 5
ip nat inside
management-access all
ip address 10.0.5.228 255.255.255.0
!
interface vlan 15
ip nat inside
management-access all
ip address 10.0.15.228 255.255.255.0
!
ntp server pool.ntp.org
tunnel encapsulation l2gre
!
tunnel l2gre
remote-host 192.168.88.11
dscp 0
mtu 1500
no tcp-mss
!
ip route default 192.168.88.1
ip name-server 1.1.1.1
ip name-server 9.9.9.9
ip domain-name ngtrain.com
!
timezone Asia/Jakarta
hostname E410-97ACF5
no snmp-server
ip gw-source-precedence static 1
ip gw-source-precedence dhcpc 2
ip gw-source-precedence pppoe 3
logging syslog 7


MIKROTIK
/interface bridge
add name=bridge1
/interface gre
add !keepalive local-address=192.168.88.11 mtu=1500 name=gre-tunnel1 remote-address=192.168.88.228
/interface vlan
add interface=ether2 name=vlan5 vlan-id=5
add interface=ether3 name=vlan15 vlan-id=15
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=poolv5 ranges=10.0.5.101-10.0.5.200
add name=poolv15 ranges=10.0.15.101-10.0.15.200
/ip dhcp-server
add address-pool=poolv5 disabled=no interface=vlan5 name=dhcp1
add address-pool=poolv15 disabled=no interface=vlan15 name=dhcp2
/ppp profile
add bridge=bridge1 name=pppBridging
/interface l2tp-server server
set default-profile=pppBridging enabled=yes max-mru=1500 max-mtu=1500
/ip address
add address=192.168.88.11/24 interface=ether1 network=192.168.88.0
add address=10.0.15.1/24 interface=vlan15 network=10.0.15.0
add address=10.0.5.1/24 interface=vlan5 network=10.0.5.0
/ip dhcp-server network
add address=10.0.5.0/24 gateway=10.0.5.1
add address=10.0.15.0/24 gateway=10.0.15.1
/ip dns
set servers=1.1.1.1,9.9.9.9
/ip firewall filter
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
/ip firewall nat
add action=masquerade chain=srcnat
/ip route
add distance=1 gateway=192.168.88.1

Mikrotik supports GRE and EoIP. Technically, EoIP is very similar to L2GRE but it's not the same. EoIP also supports L2 and is based originally on GRE, but the protocol is proprietary and most likely there will be differences (I can't tell for sure because L2GRE is also a proprietary protocol).
In the same way, GRE is not the same as L2GRE: GRE is an L3 tunnel and does not support L2 even if you put it in a bridge as you did in your config.

On the other hand, if your AP is directly connected to the Mikrotik, why don't you just use simple VLANs? There is no reason to tunnel it because each VLAN and the untagged traffic are already all separated. EoIP/L2GRE are useful only when devices are not directly connected and there is some L3 forwarding between them.

This is just a POC; that's why I directly connected the AP to the WAN port of the Mikrotik to simulate a WAN link.
In my theory, the VLAN5 SSID and VLAN15 SSID on the AP should be able to ping the VLAN5 and VLAN15 PCs at the Mikrotik site, because an L2 tunnel is created by the GRE tunnel on both the AP and the Mikrotik.

QUESTIONS:

  1. how to verify GRE tunnel is up in Mikrotik Site because in AP GRE Tunnel is up

tq

What he is saying is that L2GRE and EoIP are not necessarily compatible tunnel types. God knows what L2GRE means from an implementation perspective. While EoIP is based on GRE and it encapsulates Ethernet, it isn't a standard. Unless you've verified that the tech is compatible, you're barking up the wrong tree.

UPDATE1:
-Cambium said L2GRE in Mikrotik is not open standard.
They only test L2GRE with Cisco and Linux

I said that a long time ago :smiley: Anyway, they are right:
Firstly, there is no L2GRE in RouterOS.
Secondly, most similar are EoIP and old plain GRE, both are different and incompatible with L2GRE.
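
Added example, not part of the thread and not Cambium or MikroTik code: the L2-versus-L3 distinction made in the replies is visible in the GRE header's protocol-type field, so a capture on the 192.168.88.0/24 link shows what each end actually sends. It assumes the AP's L2GRE uses the standard Transparent Ethernet Bridging type 0x6558, as Linux gretap does; the packets are constructed samples built from the thread's addresses.

```python
import socket
import struct

PT_IPV4 = 0x0800  # plain GRE carrying an IP packet (L3 tunnel)
PT_TEB = 0x6558   # Transparent Ethernet Bridging: a whole Ethernet frame in GRE

def classify_gre(ip_packet: bytes) -> dict:
    """Parse outer IPv4 + GRE (RFC 2784/2890) and report what the tunnel carries."""
    if len(ip_packet) < 24 or ip_packet[0] >> 4 != 4 or ip_packet[9] != 47:
        raise ValueError("not an IPv4 packet carrying GRE (protocol 47)")
    gre = ip_packet[(ip_packet[0] & 0x0F) * 4:]
    if len(gre) < 4:
        raise ValueError("truncated GRE header")
    flags, ptype = struct.unpack("!HH", gre[:4])
    # Optional checksum (C), key (K) and sequence (S) words are 4 bytes each.
    hdr_len = 4 + 4 * sum(bool(flags & bit) for bit in (0x8000, 0x2000, 0x1000))
    inner = gre[hdr_len:]
    info = {"version": flags & 0x7, "ptype": ptype, "layer": "other", "vlan": None}
    if ptype == PT_IPV4:
        info["layer"] = "L3"      # routed payload: no MAC header, no VLAN tag
    elif ptype == PT_TEB:
        info["layer"] = "L2"      # bridged payload: inner frame may carry 802.1Q
        if len(inner) >= 16 and inner[12:14] == b"\x81\x00":
            info["vlan"] = struct.unpack("!H", inner[14:16])[0] & 0x0FFF
    return info

def outer(src: str, dst: str, gre_and_payload: bytes) -> bytes:
    # Constructed outer IPv4 header (checksum left at 0; it is not parsed here).
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(gre_and_payload),
                       0, 0, 64, 47, 0, socket.inet_aton(src),
                       socket.inet_aton(dst)) + gre_and_payload

# Constructed samples: AP is 192.168.88.228, router is 192.168.88.11.
FRAME = (bytes.fromhex("ffffffffffff" "020000000001")
         + struct.pack("!HHH", 0x8100, 5, 0x0800) + b"\x00" * 28)  # VLAN 5 tag
L2_SAMPLE = outer("192.168.88.228", "192.168.88.11",
                  struct.pack("!HH", 0, PT_TEB) + FRAME)
L3_SAMPLE = outer("192.168.88.11", "192.168.88.228",
                  struct.pack("!HH", 0, PT_IPV4) + b"\x45" + b"\x00" * 19)

if __name__ == "__main__":
    for name, pkt in (("AP -> router", L2_SAMPLE), ("router -> AP", L3_SAMPLE)):
        print(name, classify_gre(pkt))
```

Any protocol type other than these two is reported as "other"; two ends that do not send the same type cannot bridge VLAN 5 and VLAN 15 between them, whatever the tunnel status page shows.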