I guess a lot of people have trouble with EoIP, so if someone can add some basic theory to explain how broadcast packets are supposed to flow through the router to and from the EoIP tunnel and what determines if packets are removed from a bridge to be routed, that might help.
I want to give an hAP ac lite to our road warriors to give them access to the office. I want to use EoIP so that they can use all the things that depend on multicast, particularly Bonjour.
I have spent over 10 hours reading the Wiki and other information like https://mum.mikrotik.com//presentations/MM15/presentation_2962_1445240964.pdf and https://wiki.mikrotik.com/images/5/5f/Create_Virtual_AP_for_Campus.pdf and http://forum.mikrotik.com/t/eoip-in-bridge-doesnt-work/108250/1 and much more, but I still cannot get it to work. There is conflicting information on what IP addresses of the tunnel endpoints should be relative to the public IP and private subnets of the routers. It’s very unclear how to bring up the remote router: where are they getting addresses from before they connect to the office? All the diagrams and documentation seem to start with the remote router already configured to be on the local subnet, but I don’t want multiple DHCP servers yet I need a way to connect to the router in order to bring it up before it acquires an address on the local subnet. Most of the documentation says the bridges do not need IP addresses, but some say it is important.
I have set up the hAP to connect to public WiFi via wlan1, get an address from the public WiFi via DHCP to use for WAN access, bring up an SSTP tunnel over the WAN and then bring up an EoIP tunnel over the SSTP tunnel, and that all seems to work. Things come up, anyway. The problems seem to be getting the packets out of the endpoints and through the router.
I have a bridge connecting wlan2 to eoip-tunnel1, but wlan2 clients cannot get DHCP addresses. DHCP discover packets make it to the router on the other side, the DHCP server assigns an address and responds, but the response doesn’t make it to the bridge. The DHCP server complains that it is offering a lease without success. When I put a DHCP client on the bridge to generate requests, I can see with the packet sniffer that the response is received by the eoip-tunnel1 on the hAP, but not the bridge. I thought a bridge was supposed to simply copy any packets coming into it to everything else on the bridge, but apparently that is not happening with the DHCP responses. Turning off RSTP did not help. Everything seems to have good MAC addresses, too.
I’m baffled, which usually means I’m misunderstanding something rather fundamental. I don’t see how a packet sniffer on the EoIP endpoint could be seeing received Ethernet broadcast packets from the DHCP server but they don’t make it to the bridge or out the wlan attached to it.
EoIP is not very stable in my experience, but has been useful nonetheless.
To begin with, the centralized router must work properly (which I’m sure it does):
Internet access
FW filters (you’ll have to allow EoIP if filters don’t exist! Make sure catch-all rule logs dropped packets)
LAN bridge with DHCP server and clients getting addresses
First, bring up your L3 tunnel (SSTP or L2TP). I would add a loopback interface with a /32 address on both routers. Make sure that routing is such that both routers can ping each other’s loopbacks.
At first, the hAP ac lite won’t work as a standalone router since you want them to get an address from the centralized site first. Create the EoIP tunnel using the loopback IPs of both routers (local-address, remote-address). Do NOT assign these EoIP interfaces IP addresses. They are L2 interfaces.
Once up:
on the centralized router, bind the EoIP interface to the bridge with the DHCP server and whatever other interfaces are on the centralized “LAN”. Whatever broadcast is sent through the EoIP tunnel will reach this bridge and be heard by all interfaces AND the DHCP server.
on the hAP ac lite, bind it to a bridge with the desired ETHER ports and the WLAN2 interface. You’ve just created a collision/broadcast domain with ALL interfaces and the EoIP tunnel. This is your travelling “LAN”. Do NOT assign an IP address to this bridge unless it’s from the (central) DHCP server’s pool. And make sure it’s blocked in the IP Pool so it doesn’t get assigned by mistake.
From there, you should now be getting your IP addresses.
Now, my suggestion would be to do your VPNs at layer3, which would allow people on the road Internet access without having to connect to the office first. Once connected, run OSPF to have full office connectivity. But I assume you have a very specific need for doing that.
Also, whenever the hAP ac lite goes down, you’ll get an invalid interface under your bridge (on the centralized router) and might not be able to get it back up automatically at the next hAP ac lite’s login. Haven’t tested that so I’m guessing.
You sort of lost me at loopback with a /32 address. I read this wiki article and it said you can just create a bridge with no members, assign an IP address to the bridge, and it will work. I’m seeing behavior I don’t understand.
Office LAN is using 172.16.1.0/24 as private subnet. On the Office router I create a loopback bridge (no ports, STP off) which I will just call “bridge” for simplicity.
If I assign the bridge 172.16.1.251/24, I cannot ping it from the office. If I assign the bridge 172.16.1.251/32, well, that doesn’t really make sense since the rest of the office is using 172.16.1.0/24 and now I’ve created a net within a net, so it is not surprising that I still cannot ping it from the office. If I assign the bridge 10.255.255.1/32, then I can ping it from the office, but I wouldn’t expect to be able to ping it from the remote router, and I cannot.
I do not understand why I cannot ping the bridge from the office when assigning it an IP on the local subnet. This perhaps goes back to my original point that I’m missing something about how packets move through the switch. I would expect anything in the office to be able to ping anything on the router with an IP on the same subnet.
I’m not sure what kind of routes to set up to make the 10.255.255.x addresses talk to each other over the EoIP link. I tried
# On the office router
/ip route
add distance=1 dst-address=10.255.255.2/32 gateway=eoip-tunnel1 pref-src=10.255.255.1
# On the remote router
/ip route
add distance=1 dst-address=10.255.255.1/32 gateway=eoip-tunnel1 pref-src=10.255.255.2
but that did not work, and neither did changing the gateways to be the LAN bridges the EoIP tunnel is connected to. When I tried to ping 10.255.255.2 from the Office lan, I got “Destination Host Unreachable” from the Office router 172.16.1.1, despite everything in the routing table showing as reachable. Note also that Winbox can see the remote router from the office by MAC address, so something is working, but it still cannot connect to it, so something is broken.
I would appreciate help understanding why this does not work as well as help fixing it.
Side-note, what’s your need for Bonjour? You may be able to do it with DNS-SD instead and it can be routed.
Main question. If you are using SSTP to secure the EoIP tunnel then the routes you added need to reflect the SSTP interface not the EoIP interface. Instead of using interface and pref-src, I prefer to set the gateway to the IP of the remote side of the SSTP tunnel.
(mik1) ← Interwebs → (mik2)
mik1 wan ip - 1.1.1.1
mik2 wan ip - 2.2.2.2
mik1 sstp ip - 172.16.1.1/30
mik2 sstp ip - 172.16.1.2/30
mik1 loop ip - 10.255.255.1/32
mik2 loop ip - 10.255.255.2/32
The routes will be gateway’d to 172.16.1.2 on mik1 and 172.16.1.1 on mik2.
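As an added example (not configuration from any post in this thread), here is the bring-up described in the earlier reply (loopback bridge with a /32 on each router, SSTP between them, EoIP between the loopbacks, no IP on the EoIP interfaces, bridges on both ends) combined with the routes from the reply above, which use the SSTP peer address rather than an interface as gateway. RouterOS v6 syntax is assumed. All values are assumptions: office public IP 203.0.113.1, office LAN 172.16.1.0/24 with gateway 172.16.1.1, loopbacks 10.255.255.1 and 10.255.255.2, and an SSTP tunnel subnet 10.255.254.0/30 chosen so it does not overlap the office LAN; the interface names, user name and password are made up.

```routeros
# ===== Office (central) router; assumed values, RouterOS v6 syntax =====
# Loopback = bridge with no ports and a /32 address
/interface bridge add name=loopback protocol-mode=none
/ip address add address=10.255.255.1/32 interface=loopback

# LAN bridge: the gateway address and the DHCP server sit on the bridge, not on ether2
/interface bridge add name=bridge-lan
/interface bridge port add bridge=bridge-lan interface=ether2
/ip address add address=172.16.1.1/24 interface=bridge-lan
/ip pool add name=pool-lan ranges=172.16.1.100-172.16.1.200
/ip dhcp-server add name=dhcp-lan interface=bridge-lan address-pool=pool-lan disabled=no
/ip dhcp-server network add address=172.16.1.0/24 gateway=172.16.1.1 dns-server=172.16.1.1

# SSTP server with a static binding, so the interface keeps its name across reconnects
/interface sstp-server server set enabled=yes
/ppp secret add name=hap1 password=CHANGE-ME service=sstp \
    local-address=10.255.254.1 remote-address=10.255.254.2
/interface sstp-server add name=sstp-hap1 user=hap1

# Route to the hAP loopback; the gateway is the SSTP peer address, not an interface
/ip route add dst-address=10.255.255.2/32 gateway=10.255.254.2

# EoIP between the loopbacks; the EoIP interface itself gets no IP address
/interface eoip add name=eoip-hap1 local-address=10.255.255.1 \
    remote-address=10.255.255.2 tunnel-id=1
# Admit the tunnel (GRE, protocol 47) ahead of any catch-all drop in the input chain
/ip firewall filter add chain=input protocol=gre src-address=10.255.255.2 \
    action=accept place-before=0 comment="EoIP from hAP"
/interface bridge port add bridge=bridge-lan interface=eoip-hap1

# ===== hAP ac lite (road warrior) =====
/interface bridge add name=loopback protocol-mode=none
/ip address add address=10.255.255.2/32 interface=loopback

# wlan1 is the uplink to the public WiFi (station setup not shown)
/ip dhcp-client add interface=wlan1 disabled=no

/interface sstp-client add name=sstp-office connect-to=203.0.113.1 \
    user=hap1 password=CHANGE-ME disabled=no
/ip route add dst-address=10.255.255.1/32 gateway=10.255.254.1

/interface eoip add name=eoip-office local-address=10.255.255.2 \
    remote-address=10.255.255.1 tunnel-id=1
/ip firewall filter add chain=input protocol=gre src-address=10.255.255.1 \
    action=accept place-before=0 comment="EoIP from office"

# Travelling LAN: wired ports, wlan2 and the EoIP interface in one bridge, no IP on it
/interface bridge add name=bridge-lan
/interface bridge port add bridge=bridge-lan interface=ether2
/interface bridge port add bridge=bridge-lan interface=wlan2
/interface bridge port add bridge=bridge-lan interface=eoip-office

# ===== Checks, run on the hAP =====
# 1. loopback-to-loopback reachability is the precondition for EoIP to pass traffic
/ping 10.255.255.1 src-address=10.255.255.2 count=3
# 2. a DHCP client on the travelling bridge should receive a lease from the office server
/ip dhcp-client add interface=bridge-lan add-default-route=no disabled=no
/ip dhcp-client print
```

The two `/ip route add` lines are the only routing the EoIP endpoints need; because the SSTP client is created with the default `add-default-route=no`, the hAP keeps using the default route it got from the public WiFi for Internet access. The DHCP client on the hAP bridge is a test only: if it never gets a lease, the L2 path (EoIP into bridge, bridge out to wlan2) is where to look, not the DHCP server.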
It’s not just Bonjour, it’s that and Dropbox and Chromecast and if I can get the EoIP to work I can eliminate a lot of “why doesn’t this work over VPN” questions.
I feel ya, I’ve seen a lot of people trying to “break” mDNS related discovery mechanisms by trying to force them over routed links. I can at least get behind stretching them if they are absolutely needed. I just didn’t want you to feel constrained to EoIP solely for AirPrint or something like that. I think Google Cast supports DNS-SD if you set up the records in DNS (bind, MS AD). Not sure what DropBox needs mDNS related services for…
OK, my particular problem solved (but don’t worry there’s more). Sorry it’s not more universally helpful, but I’ll post the resolution anyway.
When I set up the EoIP on the Office router, I did the following:
Create an EoIP Tunnel
Create a bridge for the Office LAN
Move the DHCP server from ether2 to the new bridge
Add ether2 to the new bridge
Add the EoIP Tunnel to the new bridge
What I failed to do, but needed to do was:
Move the statically assigned LAN gateway address from ether2 to the bridge
I’m not exactly sure why this was necessary, particularly since the bridge picked up the MAC address of the ether2. I would love an explanation of that.
So, on to the next part: how do I set up routing between the 2 LAN subnets on the remote router and why isn’t this automatically working? I’ll start a new thread.
I prefer using interfaces because our network is small and I do not have the monitoring tools to see if routing goes badly, so I want my routing tables to reflect my physical network diagram.
In the office (the SSTP server side), it is true that the dynamic interface goes away and becomes invalid when the connection drops, which is why RouterOS lets you set up a static binding instead, which you can use as a gateway. On the client side, you want to use the SSTP interface because that is what enables “dial on demand” and even if you are not using that feature, it’s one less thing to have to change if for some reason you change the IPs of the tunnel.
For an earlier question: Yes, you create a bridge named “loopback” and assign it a /32 address in a different range of course and no ports attached to it. End of story, working bridge.
For your LAN bridge on the remote router, when I did the setup in GNS3, I assigned that bridge a DHCP-CLIENT, which told me when the setup worked. It got an address from the DHCP server.
Looking at your static routing, use IP addresses as gateways, not interfaces. We’ll use interfaces as gateways in very particular (P2P links) situations. That could cause your reachability issue.
For full reachability, use OSPF. It’s fairly easy to set up and removes all risks of typos after you get it running properly. So you can add more VPN clients and the network will learn the routes for all destinations. In this case, it becomes important (for OSPF) to use loopbacks. It also makes identification faster if you create a good addressing plan with a certain logic. You’ll activate OSPF on the loopbacks, LANs and SSTP subnets. That way everybody knows about everybody else once OSPF has converged.
DHCP server and IP address on ether2: As it has now become a slave interface to your LAN bridge, all L3 services NEED to go on the bridge as it is the master interface. Yes, traffic comes in from ether2, but it passes it on to the bridge.
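As an added example (not from any post in this thread), the two points above in RouterOS v6 syntax: first, moving the LAN gateway address and the DHCP server from ether2 to the bridge it is now a port of; second, OSPF on the loopbacks, LANs and SSTP subnet for the layer-3 variant suggested earlier, where the hAP routes its own LAN subnet over SSTP instead of stretching the office LAN with EoIP. Assumed values: office LAN 172.16.1.0/24 on bridge-lan, loopbacks 10.255.255.1 (office) and 10.255.255.2 (hAP) used as router-ids, SSTP subnet 10.255.254.0/30 on interfaces named sstp-hap1 (office) and sstp-office (hAP), and a hAP LAN of 192.168.10.0/24; all names and addresses are made up for the example.

```routeros
# ===== Office router: L3 services belong on the bridge, not on the slave port =====
/ip address set [find interface=ether2] interface=bridge-lan
/ip dhcp-server set [find interface=ether2] interface=bridge-lan

# ===== Office router: OSPF on loopback, LAN and SSTP subnet (area backbone) =====
/routing ospf instance set [find name=default] router-id=10.255.255.1
/routing ospf network add network=10.255.255.1/32 area=backbone
/routing ospf network add network=172.16.1.0/24 area=backbone
/routing ospf network add network=10.255.254.0/30 area=backbone
# Advertise the LAN without sending hellos on it; treat the PPP tunnel as point-to-point
/routing ospf interface add interface=bridge-lan passive=yes
/routing ospf interface add interface=sstp-hap1 network-type=point-to-point

# ===== hAP, layer-3 variant: its own LAN subnet and DHCP server, routed over SSTP =====
/ip address add address=192.168.10.1/24 interface=bridge-lan
/ip pool add name=pool-road ranges=192.168.10.100-192.168.10.200
/ip dhcp-server add name=dhcp-road interface=bridge-lan address-pool=pool-road disabled=no
/ip dhcp-server network add address=192.168.10.0/24 gateway=192.168.10.1 dns-server=192.168.10.1

/routing ospf instance set [find name=default] router-id=10.255.255.2
/routing ospf network add network=10.255.255.2/32 area=backbone
/routing ospf network add network=192.168.10.0/24 area=backbone
/routing ospf network add network=10.255.254.0/30 area=backbone
/routing ospf interface add interface=bridge-lan passive=yes
/routing ospf interface add interface=sstp-office network-type=point-to-point

# ===== Checks =====
# Neighbour should reach state Full with the peer's router-id (the peer loopback)
/routing ospf neighbor print
# On the office router, 192.168.10.0/24 should now appear as an OSPF-learned route
/ip route print where ospf
```

With the passive LAN interfaces, OSPF hellos only go out over the SSTP tunnel, so a road warrior's LAN cannot form an unwanted adjacency with whatever is on the public WiFi side; each new hAP only needs its own loopback, LAN subnet and SSTP secret, and the office learns its routes on convergence.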