EoIP doesn't work on RB493

Mandroid76 · July 9, 2019, 5:11pm

Good evening
After storm, our hEX Lite on old remote location stopped working. We configured RB493 as replacement, but we faced a problem. EoIP doesn't work with RB493. I updated deviced on both ends and tried different things and nothing working. Only when I change value KeepAlive from 10 seconds to few minutes, they connect between each other and pass mac-adresses between each other but remote hardware unreachable anyway. When I tried reconfigure EoIP tunnel to hAP Lite, tunnel works perfectly without any trouble. What am I missing?
Local end: RB450G(EoIP to different locations, works perfect), RouterOS 6.45.1
Remote end: RB493, RouterOS 6.45.1
Local End configuration:

jul/09/2019 17:00:35 by RouterOS 6.45.1

software id = WTHK-66VY

model = 450G

serial number = 33B601DA3464

/interface bridge
add fast-forward=no name=bridge1 protocol-mode=none
/interface ethernet
set [ find default-name=ether1 ] speed=100Mbps
set [ find default-name=ether2 ] speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
/interface eoip
add keepalive=10m10s mac-address=02:9B:78:BF:F2:D0 mtu=1500 name=rb493 remote-address=91.203.25.158 tunnel-id=1
/interface vlan
add interface=bridge1 name=vlan_mng vlan-id=50
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/snmp community
set [ find default=yes ] name=UNTC
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=rb493
/ip neighbor discovery-settings
set discover-interface-list=all
/interface pptp-server server
set enabled=yes
/ip address
add address=195.238.176.10/27 interface=ether1 network=195.238.176.0
add address=10.11.9.100/16 interface=vlan_mng network=10.11.0.0
/ip firewall filter
add action=accept chain=input protocol=icmp
add action=accept chain=input protocol=tcp src-address=94.100.215.0/24
add action=accept chain=input protocol=tcp src-address=195.238.176.0/27
add action=drop chain=input protocol=tcp
/ip route
add distance=1 gateway=195.238.176.1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh address=94.100.215.0/24,195.238.176.0/27
set api disabled=yes
set winbox address=94.100.215.0/24,195.238.176.0/27
set api-ssl disabled=yes
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
/snmp
set contact=noc@untc.net.ua enabled=yes location=208 trap-version=2
/system identity
set name=dev-test-perl
/system logging
add action=disk topics=critical
add action=disk topics=error
add action=disk topics=info
add action=disk topics=warning
/system ntp client
set enabled=yes primary-ntp=195.238.176.2 secondary-ntp=195.238.176.6
/tool bandwidth-server
set authenticate=no enabled=no
Remote end configuration:
[noc@dev-test-perl] > export

jul/09/2019 20:01:20 by RouterOS 6.45.1

software id = WNXS-TLED

model = 493

serial number = 2797018DCECF

/interface bridge
add fast-forward=no name=bridge1 protocol-mode=none
/interface ethernet
set [ find default-name=ether2 ] loop-protect=on
set [ find default-name=ether3 ] loop-protect=on
set [ find default-name=ether4 ] loop-protect=on
set [ find default-name=ether5 ] loop-protect=on
set [ find default-name=ether6 ] loop-protect=on
set [ find default-name=ether7 ] loop-protect=on
set [ find default-name=ether8 ] loop-protect=on
set [ find default-name=ether9 ] loop-protect=on
/interface eoip
add allow-fast-path=no keepalive=10m10s mac-address=02:9B:78:BF:F2:D1 mtu=1500
name=rb450g remote-address=195.238.176.10 tunnel-id=1
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=rb450g
add bridge=bridge1 interface=ether3
/ip neighbor discovery-settings
set discover-interface-list=all
/ip address
add address=10.11.0.120/16 disabled=yes network=10.11.0.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether1
/ip firewall filter
add action=accept chain=input protocol=tcp src-address=94.100.215.0/24
add action=accept chain=input protocol=tcp src-address=195.238.176.0/27
add action=accept chain=input protocol=icmp
add action=drop chain=input disabled=yes protocol=tcp
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh address=94.100.215.0/24,195.238.176.0/27
set api disabled=yes
set winbox address=94.100.215.0/24,195.238.176.0/27
set api-ssl disabled=yes
/ip ssh
set forwarding-enabled=remote
/system clock
set time-zone-name=Europe/Kiev
/system identity
set name=dev-test-perl
/system logging
add action=disk topics=critical
add action=disk topics=error
add action=disk topics=info
add action=disk topics=warning
add topics=l2tp
/system ntp client
set enabled=yes primary-ntp=195.238.176.2 secondary-ntp=195.238.176.6
/tool bandwidth-server
set enabled=no

sindy · July 9, 2019, 6:52pm

Your firewall doesn’t block GRE at either end so your trouble should not be caused by the most popular change in 6.45.1. Can you shorten the keepalive to 30s and watch at both ends simultaneously what /tool sniffer print interface=ether1 shows when you try to ping an IP address on the remote end of the tunnel (from a device connected to one of bridged ports at one end to a device connected to one of bridged port at the other end), and check what /interface bridge host print shows? A couple of days someone else here was hunting for an EoIP issue which turned out to be an ethernet interface issue where the frames didn’t get out although the interface was up at L1 and sniffer was showing them to be sent, so if the sniff above shows packets in both directions, run also /tool sniffer print interface=etherX,eoip-interface-name at both ends (where etherX is the interface you use to connect the external host and eoip-interface-name is the one used locally) and see how far the frames get.

Off-topic, is UNTC a new name of what used to be UHT years ago?