I’m new to MikroTik routers, so please excuse my possible ignorance …
We have a customer setup we are trying to get to work, which after going through several examples doesn’t match any, and before I try to dig in even further in the wrong directions, I thought it might be a good idea to ask some questions for pointers first …
The customer has multiple sites, with the central site using static IPs. Anyway, there is a firewall that takes care of the Internet link, and can provide a static IP via NAT to the RB1100.
The external sites typically use a dynamic IP towards the Internet and do not have the ability to do a decent outside->inside NAT, allowing only access to the Internet for internal devices. Also, typically there is no DynDNS or similar set up, as it hasn’t been necessary to date.
In order to connect local APs (non-MikroTik) via L2 to the central site and its portal/filter system, I want to set up an EoIP tunnel from the remote sites to the central site. Anyway, all examples I have found that use dynamic IPs usually use some DynDNS service, and also the RB would be the device that has the dynamic IP itself …
How can I set up the basic connection with the dynamic IP on the remote site towards the central site, and add the EoIP?
You need to use Dynamic DNS. EoIP must know the IP address of the other end. So one way or another you must provide it to it.
DDNS is the easiest way to do that.
Mikrotik already includes its own Dynamic DNS service (/ip cloud)
So you simply enable ddns on each site that has dynamic IPs. You make note of the dynamic ddns entries assigned to each site.
You create the EoIP tunnels on each site. You don’t need to fill in the ‘Local Address’ field, only the ‘Remote address’ (ie: the central site’s IP).
Then on the central site you create the EoIP tunnels and on the ‘remote address’ field you add the dynamic dns you got on the remote sites on the previous step.
If you have a restrictive firewall and need to allow those dynamic IPs automatically, just create an address-list with domain names (the dynamic dns of the remote sites) and it will automatically resolve them and update them when they change.
Then use this address-list in an allow rule to accept the EoIP (GRE protocol) traffic from them.
You could of course do all this with custom scripts and a custom ddns service (that’s how I did it for years), but IMHO it isn’t worth the trouble anymore since it’s supported natively on mikrotik on the latest versions.
Only caveat: For domains in address lists to work you need version 6.36 or newer. For domains in EoIP tunnels you need some relatively new version (I don’t recall when domain support was added in EoIP tunnels)
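The setup described in the answer above, written out as a RouterOS configuration. This is an added example, not the poster’s own config. Public IP 203.0.113.10, the DDNS name 1234abcd5678.sn.mynetname.net, interface and bridge names are placeholders; it also assumes the remote site’s NAT passes GRE (IP protocol 47) back to the RB, and that the central firewall forwards protocol 47 to the RB1100.

```routeros
# --- Remote site (dynamic IP) ---
# Enable the built-in DDNS; the router registers <serial>.sn.mynetname.net
/ip cloud set ddns-enabled=yes
# Read back the assigned dns-name; it goes into the central site's config below
/ip cloud print

# EoIP towards the central site's static public IP (placeholder address).
# No local-address: the router uses whatever dynamic WAN address it has.
# tunnel-id must match on both ends; keepalive marks the link not-running
# when the other end stops answering.
/interface eoip add name=eoip-central remote-address=203.0.113.10 tunnel-id=11 \
    keepalive=10s,10 comment="EoIP to central"
/interface bridge add name=br-ap
/interface bridge port add bridge=br-ap interface=eoip-central
/interface bridge port add bridge=br-ap interface=ether5 comment="local AP"

# --- Central site (RB1100, static IP via NAT on the upstream firewall) ---
# remote-address is the DDNS name reported by the remote site (placeholder);
# RouterOS resolves it itself and follows changes.
/interface eoip add name=eoip-site1 remote-address=1234abcd5678.sn.mynetname.net \
    tunnel-id=11 keepalive=10s,10 comment="EoIP from site1"
/interface bridge port add bridge=br-portal interface=eoip-site1
# Optional, per the IPsec remark in this thread: add ipsec-secret=<shared key>
# to the eoip entry on both ends (assumes a RouterOS build that has the parameter).

# Address list of DDNS names: RouterOS resolves them and refreshes the entries
# when the IP changes, so the filter rule follows the dynamic addresses.
/ip firewall address-list add list=eoip-peers address=1234abcd5678.sn.mynetname.net \
    comment="site1 ddns"
# Accept GRE only from known peers; move this rule above the existing input drop rule.
/ip firewall filter add chain=input protocol=gre src-address-list=eoip-peers \
    action=accept comment="EoIP from remote sites"
/ip firewall filter add chain=input protocol=gre action=drop comment="GRE from elsewhere"

# Checks: the resolved IPs show up as dynamic (D) entries in the address list,
# and the EoIP interface gets the R (running) flag once keepalives pass.
/ip firewall address-list print where list=eoip-peers
/interface eoip print detail where name=eoip-site1
```

If the address list stays empty, the router has no working DNS resolver configured (/ip dns), which is also what the EoIP remote-address lookup depends on.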
You can make a PPTP server in a central place, and the sites with dynamic IPs connect via PPTP to the main site; then over the PPTP links make the EoIP tunnel. It worked for me just fine.
Yes, that works, I’ve been doing that for years myself. But you either end up with too much packet fragmentation or too small an MTU, resulting in less overall achievable bandwidth.
Since Mikrotik now natively supports DDNS & domains in EoIP tunnels there’s no need for double packet encapsulation (EoIP over PPTP and presumably over PPPoE).
If security is required, then IPSec is more secure than PPTP (which has been broken for years now)
Seeing that the remote ends will not be using “decent” routers with which I could forward everything from the outside to a certain IP on the inside, I reckon the PPTP setup would be the most viable way to implement this … so just pick a network for the PPTP network, then use those addresses for the EoIP? Fragmentation is of course always a thing to watch out for, but given that the remote ends already use PPPoE, we’re way down anyway, so I will probably put an MSS of 1300 on the ends …
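The EoIP-over-PPTP variant discussed in the posts above (PPTP server at the central site, clients dialling in, EoIP on the PPP addresses, MSS clamped to 1300), as an added example rather than anyone’s posted config. The PPP network 10.99.0.0/24, public IP 203.0.113.10, secret name/password and interface names are placeholders. It only provides the transport the thread describes; the reply above already points out that PPTP’s encryption is broken, so treat the MPPE layer as no protection.

```routeros
# --- Central site (RB1100): PPTP server for the remote sites ---
# PPP addressing for the tunnel network (placeholder range)
/ip pool add name=pool-pptp ranges=10.99.0.10-10.99.0.100
/ppp profile add name=prof-pptp local-address=10.99.0.1 remote-address=pool-pptp \
    use-encryption=required
# One secret per site; pin the PPP address so the EoIP remote-address stays fixed
/ppp secret add name=site1 password=ChangeMe-site1 service=pptp profile=prof-pptp \
    remote-address=10.99.0.11
/interface pptp-server server set enabled=yes default-profile=prof-pptp \
    authentication=mschap2
# PPTP control channel (TCP/1723) and its GRE data channel; the upstream
# firewall has to forward both to the RB1100
/ip firewall filter add chain=input protocol=tcp dst-port=1723 action=accept \
    comment="PPTP control"
/ip firewall filter add chain=input protocol=gre action=accept comment="PPTP GRE"

# EoIP rides on the PPP addresses, so the remote site's public IP is never needed
/interface eoip add name=eoip-site1 remote-address=10.99.0.11 local-address=10.99.0.1 \
    tunnel-id=11 keepalive=10s,10
/interface bridge port add bridge=br-portal interface=eoip-site1

# --- Remote site (RB2011, ppp package must be enabled): PPTP client ---
/interface pptp-client add name=pptp-central connect-to=203.0.113.10 user=site1 \
    password=ChangeMe-site1 add-default-route=no allow=mschap2 disabled=no
/interface eoip add name=eoip-central remote-address=10.99.0.1 local-address=10.99.0.11 \
    tunnel-id=11 keepalive=10s,10
/interface bridge add name=br-ap
/interface bridge port add bridge=br-ap interface=eoip-central
/interface bridge port add bridge=br-ap interface=ether5 comment="local AP"

# MSS clamp to 1300 on both ends: PPPoE (1492) minus PPTP/GRE and EoIP overhead
# leaves well under 1500, so full-size TCP segments would otherwise fragment.
/ip firewall mangle add chain=forward protocol=tcp tcp-flags=syn tcp-mss=1301-65535 \
    action=change-mss new-mss=1300 passthrough=yes comment="MSS clamp for tunnelled TCP"
# Frames bridged through the EoIP port only reach /ip firewall with this enabled
/interface bridge settings set use-ip-firewall=yes

# Checks
/interface pptp-server print                        # active sessions on the server
/interface pptp-client monitor pptp-central once    # status, negotiated addresses
/interface eoip print detail                        # R flag = keepalives passing
```

The bridge setting is the part most often missed: the AP traffic is switched, not routed, through the RB, so without use-ip-firewall=yes the mangle rule never sees the SYNs and the 1300 clamp silently does nothing.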
Hm … is the PPTP client not available on the RB2011 router?
Edit: My mistake, I had PPP disabled on the 2011, after re-enabling it, PPTP is now available again …
Update: Yup, worked like a charm … pretty easy once you know what needs to be done … will look into using BCP inside of PPTP instead of EoIP … one less layer …