Hi,
I have two MikroTik routers in different locations with multiple networks, some of them connected via EoIP tunnel. Look at this basic network scheme:

The EoIP tunnels are working fine. I can ping machines between networks 172.26.33.0/24 and 172.26.34.0/24; machines in network 172.26.34.0/24 can also ping machines in network 172.26.33.0/24, including the gateways at both ends. Client machines in network 172.26.35.0/24 can ping machines in 172.26.33.0/24 and 172.26.34.0/24; they can also ping the gateways in their network location (172.26.33.254 and 172.26.34.254), but they can’t ping 172.26.33.253 and 172.26.34.253.
Machines in networks 172.26.33.0/24 and 172.26.34.0/24 are servers, and our goal is to move the servers to the new location in the most transparent way. After the servers are moved we are going to change the gateways on both MikroTiks (172.26.33.253 would become 172.26.33.254 and vice versa), but in our tests, after changing the gateways, the clients can’t connect to any machine in 172.26.33.0/24 and 172.26.34.0/24.
I have inspected the ICMP traffic with torch on both routers. When a client pings 172.26.33.253 I see those packets arrive at the remote location, and in the main location I see the response when monitoring the bridge interface, but this response does not reach the client.
In the firewall filter I have a rule to allow traffic from the bridge to ether35. I don’t know what’s wrong; any help is appreciated.
You’re asking about a problem with your routing but you don’t provide the setup you have (and it seems to have an error in it)?
Hi,
Sorry for the delay. After reviewing the configuration I found some bugs which, after being corrected, solved the problem. Now I have another issue: I have done some speed tests using iperf and I get very poor performance across the tunnel.
Machine in site A to public iperf server:
iperf3 -c proof.ovh.net -p 5202
Connecting to host proof.ovh.net, port 5202
[ 5] local 172.26.34.20 port 38740 connected to 141.95.207.211 port 5202
[ ID] Interval Transfer Bitrate Retr Cwnd
[ 5] 0.00-1.00 sec 118 MBytes 987 Mbits/sec 7346 32.5 KBytes
[ 5] 1.00-2.00 sec 114 MBytes 958 Mbits/sec 8271 26.9 KBytes
[ 5] 2.00-3.00 sec 113 MBytes 946 Mbits/sec 6975 42.4 KBytes
[ 5] 3.00-4.00 sec 114 MBytes 957 Mbits/sec 7243 238 KBytes
[ 5] 4.00-5.00 sec 113 MBytes 949 Mbits/sec 6529 45.2 KBytes
[ 5] 5.00-6.00 sec 114 MBytes 954 Mbits/sec 7832 110 KBytes
[ 5] 6.00-7.00 sec 114 MBytes 954 Mbits/sec 8056 140 KBytes
[ 5] 7.00-8.00 sec 112 MBytes 944 Mbits/sec 7383 60.8 KBytes
[ 5] 8.00-9.00 sec 114 MBytes 954 Mbits/sec 7980 41.0 KBytes
[ 5] 9.00-10.00 sec 114 MBytes 954 Mbits/sec 8315 83.4 KBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval Transfer Bitrate Retr
[ 5] 0.00-10.00 sec 1.11 GBytes 956 Mbits/sec 75930 sender
[ 5] 0.00-10.03 sec 1.11 GBytes 950 Mbits/sec receiver
Machine in site B to public iperf server:
iperf3 -c proof.ovh.net -p 5202
Connecting to host proof.ovh.net, port 5202
[ 5] local 172.26.34.30 port 35042 connected to 141.95.207.211 port 5202
[ ID] Interval Transfer Bitrate Retr Cwnd
[ 5] 0.00-1.00 sec 20.8 MBytes 175 Mbits/sec 0 1.16 MBytes
[ 5] 1.00-2.00 sec 42.5 MBytes 357 Mbits/sec 1203 955 KBytes
[ 5] 2.00-3.00 sec 31.2 MBytes 262 Mbits/sec 0 1024 KBytes
[ 5] 3.00-4.00 sec 32.5 MBytes 273 Mbits/sec 0 1.05 MBytes
[ 5] 4.00-5.00 sec 33.8 MBytes 283 Mbits/sec 0 1.08 MBytes
[ 5] 5.00-6.00 sec 33.8 MBytes 283 Mbits/sec 0 1.10 MBytes
[ 5] 6.00-7.00 sec 36.2 MBytes 304 Mbits/sec 0 1.11 MBytes
[ 5] 7.00-8.00 sec 35.0 MBytes 294 Mbits/sec 0 1.11 MBytes
[ 5] 8.00-9.00 sec 35.0 MBytes 294 Mbits/sec 0 1.11 MBytes
[ 5] 9.00-10.00 sec 35.0 MBytes 294 Mbits/sec 0 1.11 MBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval Transfer Bitrate Retr
[ 5] 0.00-10.00 sec 336 MBytes 282 Mbits/sec 1203 sender
[ 5] 0.00-10.03 sec 334 MBytes 279 Mbits/sec receiver
Machine at site A to machine at site B through the tunnel:
iperf3 -c 172.26.34.30 -p4242
Connecting to host 172.26.34.30, port 4242
[ 5] local 172.26.34.20 port 52302 connected to 172.26.34.30 port 4242
[ ID] Interval Transfer Bitrate Retr Cwnd
[ 5] 0.00-1.00 sec 959 KBytes 7.85 Mbits/sec 37 12.7 KBytes
[ 5] 1.00-2.00 sec 573 KBytes 4.69 Mbits/sec 0 33.9 KBytes
[ 5] 2.00-3.00 sec 573 KBytes 4.69 Mbits/sec 21 14.1 KBytes
[ 5] 3.00-4.00 sec 382 KBytes 3.13 Mbits/sec 5 19.8 KBytes
[ 5] 4.00-5.00 sec 764 KBytes 6.26 Mbits/sec 2 21.2 KBytes
[ 5] 5.00-6.00 sec 573 KBytes 4.69 Mbits/sec 2 32.5 KBytes
[ 5] 6.00-7.00 sec 573 KBytes 4.69 Mbits/sec 13 29.7 KBytes
[ 5] 7.00-8.00 sec 764 KBytes 6.26 Mbits/sec 24 18.4 KBytes
[ 5] 8.00-9.00 sec 382 KBytes 3.13 Mbits/sec 13 14.1 KBytes
[ 5] 9.00-10.00 sec 573 KBytes 4.69 Mbits/sec 4 24.0 KBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval Transfer Bitrate Retr
[ 5] 0.00-10.00 sec 5.97 MBytes 5.01 Mbits/sec 121 sender
[ 5] 0.00-10.04 sec 5.63 MBytes 4.71 Mbits/sec receiver
This is my config at site A
IP Addresses:
/ip address print
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK INTERFACE
0 1.2.3.4/24 1.2.3.0 ether1-WAN
1 172.26.33.253/24 172.26.33.0 bridge-EOIP-A
EoIP Interface:
/interface eoip print
Flags: X - disabled, R - running
0 R name="eoip-A" mtu=1500 actual-mtu=1500 l2mtu=65535 mac-address=02:6B:BD:C9:12:6F arp=enabled arp-timeout=auto loop-protect=default loop-protect-status=off loop-protect-send-interval=5s loop-protect-disable-time=5m local-address=1.2.3.4 remote-address=4.3.2.1 tunnel-id=150 keepalive=10s,10 dscp=inherit clamp-tcp-mss=yes dont-fragment=no ipsec-secret="XXXXXXXXX" allow-fast-path=no
The bridge:
/interface bridge print
Flags: X - disabled, R - running
0 R name="bridge-EOIP-A" mtu=1500 actual-mtu=1500 l2mtu=65535 arp=enabled arp-timeout=auto mac-address=06:03:AB:DA:3C:3E protocol-mode=rstp fast-forward=yes igmp-snooping=no auto-mac=yes ageing-time=5m priority=0x8000 max-message-age=20s forward-delay=15s transmit-hold-count=6 vlan-filtering=no dhcp-snooping=no
Bridge ports:
/interface bridge port print
4 ether5-A bridge-EOIP-A yes 1 0x80 10 10 none
5 eoip-A bridge-EOIP-A 1 0x80 10 10 none
The config at site B
IP Addresses:
/ip address print
Flags: X - disabled, I - invalid, D - dynamic
0 D 4.3.2.1/32 4.3.2.0 WAN
1 172.26.33.254/24 172.26.33.0 bridge-EOIP-B
EoIP Interface:
/interface eoip print
Flags: X - disabled, R - running
0 R name="eoip-B" mtu=1500 actual-mtu=1500 l2mtu=65535 mac-address=FE:DA:E7:5E:75:15 arp=enabled arp-timeout=auto loop-protect=default loop-protect-status=off loop-protect-send-interval=5s loop-protect-disable-time=5m local-address=4.3.2.1 remote-address=1.2.3.4 tunnel-id=150 keepalive=10s,10 dscp=inherit clamp-tcp-mss=yes dont-fragment=no ipsec-secret="XXXXXXXXX" allow-fast-path=no
The bridge:
/interface bridge print
Flags: X - disabled, R - running
0 R name="bridge-EOIP-B" mtu=auto actual-mtu=1500 l2mtu=1598 arp=enabled arp-timeout=auto mac-address=E4:8D:8C:39:82:30 protocol-mode=rstp fast-forward=yes igmp-snooping=no auto-mac=yes ageing-time=5m priority=0x8000 max-message-age=20s forward-delay=15s transmit-hold-count=6 vlan-filtering=no dhcp-snooping=no
Bridge ports:
/interface bridge port print
Flags: X - disabled, I - inactive, D - dynamic, H - hw-offload
# INTERFACE BRIDGE HW PVID PRIORITY PATH-COST INTERNAL-PATH-COST HORIZON
0 ether06 bridge-EOIP-B no 1 0x80 10 10 none
1 eoip-B bridge-EOIP-B 1 0x80 10 10 none
The two MikroTiks have direct access to the internet and have public IPs. I played with the encryption algorithms and the best result was obtained with SHA-256 + aes-256-cbc. The MikroTik at site A is a CHR VM with a p10 license activated; the MikroTik at site B is a 1100AHx2.
I see a lot of posts talking about the MTU, but, in my tests, I have not obtained any improvement by modifying the recommended value. I do not know how to correctly calculate the value I should have.
Please, any help is welcome.
Regards
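An added example, not part of the original post: the size arithmetic for the configuration shown above (EoIP with `ipsec-secret`, SHA-256 + aes-256-cbc, `mtu=1500` on both eoip interfaces). It assumes transport-mode ESP over IPv4 without options, no NAT-T encapsulation, and a WAN path MTU passed as a parameter (1500 by default); the function names are hypothetical.

```python
# Added example: EoIP-over-ESP packet size arithmetic (assumptions labelled).
import math

OUTER_IP = 20     # outer IPv4 header, no options (assumption)
GRE_EOIP = 8      # GRE-style header used by EoIP
INNER_ETH = 14    # bridged Ethernet header carried inside the tunnel
ESP_HDR = 8       # SPI + sequence number
AES_BLOCK = 16    # AES-CBC block size, also the IV length
ESP_TRAILER = 2   # pad-length + next-header bytes
ICV_SHA256 = 16   # HMAC-SHA-256 truncated to 128 bits (RFC 4868)
TCP_IP_HDRS = 40  # inner IPv4 + TCP headers without options


def outer_size(inner_ip_len, ipsec=True):
    """Bytes on the WAN for one tunnelled inner IP packet."""
    payload = GRE_EOIP + INNER_ETH + inner_ip_len
    if not ipsec:
        return OUTER_IP + payload
    # ESP pads payload + trailer up to a whole number of cipher blocks.
    padded = math.ceil((payload + ESP_TRAILER) / AES_BLOCK) * AES_BLOCK
    return OUTER_IP + ESP_HDR + AES_BLOCK + padded + ICV_SHA256


def max_inner_mtu(wan_mtu=1500, ipsec=True):
    """Largest inner IP packet that crosses the WAN in a single packet."""
    n = wan_mtu
    while outer_size(n, ipsec) > wan_mtu:
        n -= 1
    return n


def report(tunnel_mtu=1500, wan_mtu=1500):
    """Compare the configured tunnel MTU with what fits on the WAN."""
    fit = max_inner_mtu(wan_mtu)
    return {
        "outer_at_tunnel_mtu": outer_size(tunnel_mtu),
        "fragments_on_wan": outer_size(tunnel_mtu) > wan_mtu,
        "max_inner_mtu": fit,
        "tcp_mss": fit - TCP_IP_HDRS,
    }


if __name__ == "__main__":
    print(report())                           # posted mtu=1500, WAN 1500
    print(max_inner_mtu(1500, ipsec=False))   # plain EoIP, 42 bytes overhead
```

Under these assumptions a full-size 1500-byte inner packet exceeds a 1500-byte WAN MTU once encapsulated, so with `dont-fragment=no` the outer packet is fragmented; the same functions can be rerun with the real path MTU measured between the two public addresses.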
Sorry, I’m going to open a new post because the subject of this one doesn’t reflect the actual problem, and this may reduce the possibility of finding an answer. The new post is here:
http://forum.mikrotik.com/t/eoip-performance/170800/1