EoIP behind NAT routers

RouterOS General
1

Hi,

I’m new to MikroTik devices, so please excuse me if the question is stupid :wink:

I have a customer setup where we need an L2 link between multiple remote sites and a central site. I got the recommendation to look at MikroTik routers and their EoIP which other people were already using successfully. I’m trying to do a lab setup now, but have not been able to get it to work … the samples I found typically do not cover my setup.

At both the central and remote locations, other routers or firewalls provide the internet connection. At the central site, I have static IPs, one of which I could forward to the RB1100 router. At the remote locations, I typically do not have that ability due to low-cost SoHo routers being used that do not allow an external->internal static NAT, so remote sites will only be able to actively connect to the central site; even with scripted IPs on the central site I would not be able to initiate the connection from the central site. Also, the remote sites usually do not have any DynDNS or similar configured yet, as it wasn’t necessary to date.

I have now done a setup as follows:


RB1100-------------------Simulated-Internet------------------RB2011

IPs:
RB1100 outside interface with static external IP 20.30.40.10
Simulated-Internet towards RB1100: 20.30.40.1
Simulated-Internet towards RB2011: 192.168.20.1
RB 2011 outside interface: 192.168.20.10

“Simulated-Internet” does a NAT from 192.168.20.* to its other IP 20.30.40.1 (which in real life could be any dynamic Internet IP)

What I need now is - from how I understand the docs I found to date - any IP-tunnel between the two RBs, of which I’d need some sort of road-warrior setup that allows dial-ups with any IP and identification of the remote end via some other method. After that, I need the EoIP setup from one or more internal ports on the 2011 to an internal port on the 1100.

What protocol/tunnel do I need to or should use (I’m assuming IPSEC as most of the other tunnel protocols require configured tunnel IPs for both sides) that can be the basis for the EoIP?

Thanks in advance!