EOIP over Wireguard (For RoMon purposes only)

gigabyte091 · August 13, 2025, 5:05pm

Without your configuration no one can tell what's wrong. I have EoIP over wireguard on RB4011 and it's working like a charm.

cemtech · August 13, 2025, 5:30pm

hi, gigabyte, well, just failing the romon, just exact this topic, i,m made a new post about that, because after 7.17 mikrotik says this can change on some device, i'm just want to confirm, if it's just me, o is really the help says

here is the link RoMON - RouterOS - MikroTik Documentation

this part

"Since RouterOS v7.17, if the RoMON service is enabled and the switch chip supports ACL rules, dynamic rules are automatically created to redirect these packets to the CPU, where the RoMON service operates. However, if the switch does not support ACL rules and configuration does not align, such as when CPU and RoMON untagged packets are not in the same VLAN, the RoMON service might not function as expected."

i can't do the rule by hand.

gigabyte091 · August 13, 2025, 6:21pm

I never noticed any problem with romon on any ros version on any device and i have all of devices you said you have in production and i never had any problem. RB4011 is my main router for now where all wireguard and eoip connections terminates.

RB4011 have two switch chips so maybe here lies the problem, without RB4011 config it's hard to say. Did you maybe attach EoIP interface to the bridge ?

cemtech · August 13, 2025, 7:53pm

ok gigabyte, what parts of config do you like to see, and your rb dont have any switch rule? because now, this rules are make dinamic, and others routers have, but, this one don't have it.

i try with really default config in romon section.

/tool romon
set enabled=yes id=00:00:00:00:00:00
/tool romon port
set [ find default=yes ] cost=100 disabled=no forbid=no interface=all

as you see, apart they have secret, and shared with copy and paste it see in IP / neighbors

[@UNI] /tool/romon> discover 

[@UNI] /tool/romon>

/ip/neighbor> print 
Columns: INTERFACE, ADDRESS, MAC-ADDRESS, IDENTITY
#  INTERFACE       ADDRESS                 MAC-ADDRESS        IDENTITY       
0  ether6          172.16.15.2             48:A9:8A:00:00:00  SW_Sumer       
   bridge                                                                    
1  sfp-sfpplus1    172.16.151.2            48:A9:8A:00:00:00  Sw_Sudi        
2  eoip-  fe80::9:83ff:fe70:77ea  02:09:83:00:00:00  Grupo_
[IT-SUCA@UNI-CORO] /ip/neighbor>

gigabyte091 · August 14, 2025, 4:17am

Please continue in the newly created topic, there is no need to keeping this old topic alive

In that topic post your complete configuration of the router where you have a problem but remove sensitive information such as public IP addresses, public and private keys for wireguard etc.

My RB4011 doesn't have any switch rules.