EOIP site to site only half working

900mhzdude · October 31, 2018, 1:21pm

VPN was not working for our remote office so we went with EOIP with OSPF

we have a 172.19.0.0/19

at our remote office, we can access any static IP on the 172.19.0.0./19

but our CPE’s (We are a WISP) get DHCP from Pool 172.19.10.0 - 172.19.12.0/19

anything in that DHCP Pool we cannot access from our remote office

would this be a missing firewall rule?

I’m a bit new with Mikrotik we had a consultant set up the EOIP but he is a bit busy

also would like to learn how to do all this my self

Thanks in advance for any help

900mhzdude · October 31, 2018, 1:58pm

an update

I can ping the DCHP Pool from our remote office inside the Mikrotik terminal

but not behind the NAT that is assigned to my laptop

jurek · October 31, 2018, 2:18pm

Can you provide more info?

I understand that EoIP tunnel between main and remote office is up. Are you using L3 (both ends of EoIP tunnel have IP address?)
What is LANs IP addressing on both sides? (main, remote) you want to communicate.
Please explain where network 172.19.0.0/19 is assigned ? WAN, LAN?
Maybe draft diagram will help?
If you are using OSPF you should see other ends networks on route list (IP->ROUTES) You can also add LOG Rule for OSPF and see any OSPF logs.

900mhzdude · October 31, 2018, 2:26pm

172.19.0.0/19 is the LAN side of our core network

EOIP tunnel is 10.10.10.0/29

LAN Side of remote office is 10.0.0.0/24

if I give my laptop a static on 10.10.10.0/29
all works as it should

but on the IP Pool (DHCP) 10.0.0.0/24 we can only talk to static IP’s in the core network not to any of the DHCP POOL

seems as if we are missing a bridge or firewall rule to connect the EOIP tunnel 10.10.10.0/29 Pool to our Local NAT Pool of 10.0.0.0/24

xvo · October 31, 2018, 3:24pm

Some things are still not clear: do you have your tunnel bridged with LAN only on one side or on both sides?

900mhzdude · October 31, 2018, 3:57pm

the tunnel is a bridge to the Core network side 172.19.0.0/19

I need to bridge the EOIP tunnel IP to my Local NAT (I Think) but not sure how to do it

if I set my laptop a static on the EOIP Tunnel range everything works perfectly

I just need a DHCP Pool on the remote Mikrotik that bridges the EOIP tunnel pool

our DHCP pool right now on the remote network is only half working

but if I use the Static out of the EOIP Pool it works perfectly but consultant only set that up with a /29
and we need more IP’s then that for our remote office

xvo · October 31, 2018, 4:36pm

Please post an export from both routers.

900mhzdude · October 31, 2018, 4:49pm

nope not will all the Mikrotik security holes lately

I created a guest vlan trying to block it and the vlan works perfectly so I think I just need to create a vlan for it

thanks

jurek · October 31, 2018, 11:48pm

EoIP tunnel has 2 ends, so no reason to use /29 mask. I suggest to use 10.10.10.1/30, 10.10.10.2/30 and forget about connecting anything within this ip range. Additionally I recommend to enable IPSEC on EoIP tunnel.
If you are using only this one EoIP tunnel, use static routing instead of OSPF. This way you have better control.

MAIN OFFICE MIKROTIK:

/ip route
add distance=1 dst-address=10.0.0.0/24 gateway=10.10.10.x

#where 10.10.10.x is the IP of EoIP tunnel on REMOTE OFFICE MIKROTIK

REMOTE OFFICE MIKROTIK:

/ip route
add distance=1 dst-address=172.19.0.0/19 gateway=10.10.10.y

#where 10.10.10.y is the IP of EoIP tunnel on MAIN OFFICE MIKROTIK

Because you are using layer3 tunnel, no bridge is needed. It works almost like Site-To-Site VPN.
If you have any firewall rules, be sure traffic between 172.19.0.0/19 and 10.0.0.0/24 is not dropped (denied) by any of these rules.

Hopefully it will help you fix the issue !

900mhzdude · November 1, 2018, 1:18am

Thanks for the help

Issue was an IP conflict with the NAT side of our CPEs changed the office IP range to 192 and working perfectly now

Now my issue is no matter what I do to lock down the guest VLAN to block access to the main network it can still reach the router other side of the EOIP I will play with adding drop rules to that router tomorrow

Just odd I told it to drop anything from 192.168.25.0/24 to 172.19.0.0/19 and it blocks all access to 172 exept the router on that network and guest can still ping anything on that network

Been searching all over Google for the firewall rules I’m missing but nothing yet

is there a way to stop inter VLAN routing on the guest VLAN?
Seems like that should be default

jurek · November 1, 2018, 2:25am

This can be solved with firewall rules.
There are a lot of examples how to build good and simple firewall so you will definitely find something what fits your scenario.

My recommendation, or I should say Mikrotik’s Gurus recommendation is to use address lists and use them with firewall rules (not IP directly) so this way you can easily control traffic in future.

Good luck !