EoIP problem

Hello,
I’m trying to make EoIP this way:
Ritning1.jpg
The EoIP tunnel works fine. In my case I would rather have all offices in the same network, which is why I used EoIP, but at the same time each office should be able to surf on its own internet, that is, not use the internet from Office 1. That is why I had to use an extra MikroTik, an extra switch-router, and an extra IP address in each office, which also means extra costs and a bigger risk of functional disabilities.
I tried to set the routing in only one MikroTik in each office, but then some websites stopped working.
I used a MikroTik RB750Gr3 in this case.
Is there a way to have only one MikroTik in each office?
Thanks in advance

Stretching layer 2 is a reflex I think most Sys Admins have that Net Admins cringe at.

Why are you feeling the need to have layer 2 stretched across all of your locations? Hint: it’s not always a completely wrong thing. Sometimes we have to do what we have to do.

That being said I don’t see why it wouldn’t be possible with a single MikroTik at each location.

Like idlemind says.

You just need properly configured NAT and routing (default route) for internet traffic per office, then bridging for EoIP traffic between offices and local ports, and that’s it.

But keep in mind that a /23 makes for a bigger broadcast domain, thus more chances for problems. What is your need for this setup?

Regards,

Sent from Tapatalk

Create 2 EoIP interfaces on Office1 (use unique tunnel-ids)
Create 1 EoIP interface on each Office1 and Office2 (match tunnel-id to appropriate EoIP interface at Office1)

Create a bridge interface on each MikroTik

Add the EoIP ports and the ether interfaces you want to use as bridge ports to the newly created bridge.

At all 3 devices set:

/interface bridge settings set use-ip-firewall=yes

Then create firewall rules to drop DHCP traffic that would ingress the bridge interface. Here is an example if Office1 was .254, Office2 was .253 and Office3 was .252.

Office1

/ip firewall filter add action=drop chain=forward dst-port=68 src-port=67 in-bridge-port=(EoIP Interface Name for Office2) protocol=udp src-address=X.X.X.253
/ip firewall filter add action=drop chain=forward dst-port=68 src-port=67 in-bridge-port=(EoIP Interface Name for Office3) protocol=udp src-address=X.X.X.252

Office2

/ip firewall filter add action=drop chain=forward dst-port=68 src-port=67 in-bridge-port=(EoIP Interface Name for Office1) protocol=udp src-address=X.X.X.254
/ip firewall filter add action=drop chain=forward dst-port=68 src-port=67 in-bridge-port=(EoIP Interface Name for Office3) protocol=udp src-address=X.X.X.252

Office3

/ip firewall filter add action=drop chain=forward dst-port=68 src-port=67 in-bridge-port=(EoIP Interface Name for Office1) protocol=udp src-address=X.X.X.254
/ip firewall filter add action=drop chain=forward dst-port=68 src-port=67 in-bridge-port=(EoIP Interface Name for Office2) protocol=udp src-address=X.X.X.253

Lastly, create a DHCP server on each MikroTik and assign them each only a portion of the available space (make sure that you do not overlap at all). When you add the network for the DHCP server make sure you match the gateway IP to the correct site (.252, .253 or .254).

This will create the environment you want. I’m not sure what kind of performance impact you will experience by putting the bridge in ip firewall filter mode; that said, it is likely to be poor / slow anyway because of the bridge over the Internet.

This example does not include any encryption but you can find guides on how to layer encryption into EoIP tunnels in a number of places. I’ve confirmed those rules will drop DHCP during the discover phase while allowing the server process local to that site to go through.

Pic of my GNS3 lab for this:
MikroTik Forums_EoIP Problem Solving_1.png
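As an added example that is not part of the thread (and not the poster's GNS3 lab), here is the procedure above written out as RouterOS 6.41+ configuration for the hub (Office1) and one spoke (Office2), with the per-office NAT and default route mentioned earlier in the thread included so that each site keeps its own internet access. Everything site-specific is constructed: the 192.168.0.0/23 LAN, the gateways .254/.253/.252 on 192.168.1.x, the 203.0.113.x public addresses, the ether1/ether2 roles, the interface names and the tunnel-ids. It goes beyond the posted rules in one respect: the DHCP drop rules match any server reply (UDP 67 to 68) arriving over a tunnel, not only replies from the known remote gateway address, and they also stop local DHCP requests leaving over a tunnel, so a misconfigured or rogue DHCP server at a remote site cannot hand out leases at this one.

```routeros
# --- Office1 (hub, LAN gateway 192.168.1.254) --------------------------------
# Constructed example: ether1 is this site's Internet uplink, ether2 its LAN
# port; 203.0.113.x stand in for the sites' public addresses.

# Local Internet per site: the DHCP client on the uplink installs the default
# route for this router, masquerade lets its LAN hosts use that uplink.
/ip dhcp-client add interface=ether1 disabled=no
/ip firewall nat add chain=srcnat out-interface=ether1 action=masquerade
# LAN hosts get this router as DNS (see dhcp-server network below).
/ip dns set allow-remote-requests=yes

# One EoIP tunnel per spoke, each with its own tunnel-id; the spoke uses the
# same tunnel-id on its end. (Not in the posted design: adding ipsec-secret=
# to each tunnel wraps it in IPsec.)
/interface eoip add name=eoip-office2 tunnel-id=2 remote-address=203.0.113.2
/interface eoip add name=eoip-office3 tunnel-id=3 remote-address=203.0.113.3

# One bridge carrying the local LAN port and both tunnels.
/interface bridge add name=bridge-lan
/interface bridge port add bridge=bridge-lan interface=ether2
/interface bridge port add bridge=bridge-lan interface=eoip-office2
/interface bridge port add bridge=bridge-lan interface=eoip-office3
/ip address add address=192.168.1.254/23 interface=bridge-lan

# Pass bridged frames through /ip firewall so in/out-bridge-port matchers work.
/interface bridge settings set use-ip-firewall=yes

# DHCP containment. These must sit above any accept rule in the forward
# chain; on a router that already has rules, add them with place-before=.
# Inbound: drop server replies (67 -> 68) arriving over either tunnel,
# regardless of source address.
/ip firewall filter add chain=forward action=drop protocol=udp src-port=67 dst-port=68 in-bridge-port=eoip-office2 comment="no DHCP offers from Office2"
/ip firewall filter add chain=forward action=drop protocol=udp src-port=67 dst-port=68 in-bridge-port=eoip-office3 comment="no DHCP offers from Office3"
# Outbound: keep client requests (68 -> 67) from leaving over a tunnel, which
# also covers requests transiting the hub from one spoke toward the other.
/ip firewall filter add chain=forward action=drop protocol=udp src-port=68 dst-port=67 out-bridge-port=eoip-office2 comment="keep DHCP requests off tunnel"
/ip firewall filter add chain=forward action=drop protocol=udp src-port=68 dst-port=67 out-bridge-port=eoip-office3 comment="keep DHCP requests off tunnel"

# DHCP server: this site leases only its own slice of the /23 and hands out
# its own gateway. The three slices must not overlap:
#   Office1 192.168.0.10-192.168.0.250
#   Office2 192.168.1.10-192.168.1.120
#   Office3 192.168.1.130-192.168.1.250
/ip pool add name=pool-office1 ranges=192.168.0.10-192.168.0.250
/ip dhcp-server add name=dhcp-office1 interface=bridge-lan address-pool=pool-office1 disabled=no
/ip dhcp-server network add address=192.168.0.0/23 gateway=192.168.1.254 dns-server=192.168.1.254

# --- Office2 (spoke, LAN gateway 192.168.1.253) ------------------------------
# Same pattern with a single tunnel back to the hub. Office3 is identical
# except tunnel-id=3, gateway 192.168.1.252 and its own pool.
/ip dhcp-client add interface=ether1 disabled=no
/ip firewall nat add chain=srcnat out-interface=ether1 action=masquerade
/ip dns set allow-remote-requests=yes
/interface eoip add name=eoip-office1 tunnel-id=2 remote-address=203.0.113.1
/interface bridge add name=bridge-lan
/interface bridge port add bridge=bridge-lan interface=ether2
/interface bridge port add bridge=bridge-lan interface=eoip-office1
/ip address add address=192.168.1.253/23 interface=bridge-lan
/interface bridge settings set use-ip-firewall=yes
/ip firewall filter add chain=forward action=drop protocol=udp src-port=67 dst-port=68 in-bridge-port=eoip-office1 comment="no DHCP offers from Office1"
/ip firewall filter add chain=forward action=drop protocol=udp src-port=68 dst-port=67 out-bridge-port=eoip-office1 comment="keep DHCP requests off tunnel"
/ip pool add name=pool-office2 ranges=192.168.1.10-192.168.1.120
/ip dhcp-server add name=dhcp-office2 interface=bridge-lan address-pool=pool-office2 disabled=no
/ip dhcp-server network add address=192.168.0.0/23 gateway=192.168.1.253 dns-server=192.168.1.253
```

Because every host's default gateway and DNS come from the DHCP server at its own site, its traffic leaves through the local uplink and only frames addressed to hosts at other sites cross the tunnels; the whole /23 is still one broadcast domain, so the earlier caution about broadcast volume applies to all three sites at once. To confirm the containment is working, watch the rule counters in /ip firewall filter while a host at a spoke renews its lease: the inbound drop rules should stay at zero once the outbound rules are in place, since the remote servers never see the request.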