In our company we have this situation:
Head office with Mikrotik router with multiple VLANs and DHCP Relays to Windows server. Two EoIP tunnels for branch offices.
Branch offices with Mikrotik routers connected over EoIP tunnel with IPSec. All traffic over tunnel is grouped in VLANs.
At the moment, if a device is connected to the MT at a branch office, the default gateway for this device is the MT in the head office and all traffic (DHCP requests, HTTP/S requests or internal traffic) is routed to the MT in the head office.
My question: Is it possible to create something like split traffic?
I mean that the default gateway for the devices at branch offices would be the MikroTik in that office and only internal company traffic would be sent over EoIP. Of course I want to keep the VLANs and the DHCP server, which is at the head office.
To begin with, I would leave EoIP, divide the network into the necessary subnets or VLANs if needed, and connect the locations with an IPIP tunnel, for example.
If you do that, you will have a neatly arranged network, and the problem you mention will disappear by itself…
Why leave EoIP and go to IPIP when we use MT at all offices? IPIP doesn't support VLANs, right?
How do I set up DHCP relay to the Windows server in case of IPIP? Now I have multiple DHCP relays, one per VLAN, on the head office router.
I use OSPF between two locations with 3-4 subnets on each side just for simplicity.
Sure, you can use EoIP, but why would you need to carry VLANs over Internet? IPIP has lower overhead. Just point the dhcp-relay to the Windows DHCP server at HQ.
Traffic/network isolation will be done in the nearest firewall.
So I think I will try the IPIP tunnel at one branch office and see how it works.
How do I set up the same subnet in different places through the IPIP tunnel? I have multiple VLANs, some unique to branch offices but some are the same, and I need the devices on them to communicate across branches. Is it possible without OSPF?
If I may suggest… take a small MikroTik, connect it somewhere to the Internet (at home?!) and make an IPIP connection to the company… add some kind of computer to it and test everything you need until you are sure that everything works for you. …
Why am I suggesting this to you?
If you start to change something in production and run into a problem/obstacle, you will very quickly go back to the old way - because that’s what works for you and production must not stop.
Everyone answered you wisely and IPIP is indeed a better solution than EoIP.
EoIP has its purpose and there are times when it is irreplaceable, but in the environment you described, IPIP is better.
So today after work I tried IPIP between two branch offices… I even managed to get OSPF up and running.
OSPF worked great if I had different subnets on the branches, but I couldn't set it up for the same subnet on both branches (I have 3 VLANs, which I need to repeat in all branches).
You're right that trying things on a functioning infrastructure is suicide.
BTW, at first glance I had the feeling that EoIP was a little faster than IPIP.
After the weekend and a massive study of the MikroTik documentation, I think the only solution is to use IPIP in combination with EoIP. Because if I need the same network on both branches, I can't do it via IPIP… or do you have some other idea?
"Is it possible to create something like split traffic? I mean that the default gateway for the devices at branch offices would be the MikroTik in that office and only internal company traffic would be sent over EoIP"
and
"Because if I need the same network on both branches"
are not compatible. To be able to make routing decisions at branch offices you need different networks at each location.
Use GRE, IPIP or other IP tunnel plus routing for any subnets which are unique to a site. For any subnets which are shared across sites you are stuck with EoIP and a single gateway.
I will probably do it this way. One more question. Use EoIP inside IPIP or create EoIP independent of IPIP? If I use it inside, do I have to turn on IPsec, or is IPIP already encrypted?
Offhand, I'm not sure if multiple tunnels between the same public IP addresses will work with IPsec; the generated policies may interfere with each other, so it would need testing.
If you only used IPsec for the IPIP tunnel and established the EoIP tunnel between some internal IP addresses, then the EoIP tunnel traffic is protected by the IPIP tunnel IPsec; however, you do have the additional encapsulation overhead.
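The layout the thread settles on (IPsec-protected IPIP for routed, site-unique subnets; EoIP between the tunnel's inner addresses for the shared VLANs; DHCP relay to the HQ Windows server), written out as an added RouterOS example for the branch router. This is not configuration from any poster in this thread; all addresses, interface names and the PSK placeholder are assumptions (RFC 5737 documentation ranges), and the HQ router needs the mirror-image configuration plus a route to 10.20.0.0/24 via 10.255.0.2.

```routeros
# Assumed addressing (constructed for this example):
#   HQ public 203.0.113.1, branch public 198.51.100.1, branch WAN = ether1, LAN trunk = ether2
#   IPIP inner /30: HQ 10.255.0.1, branch 10.255.0.2
#   HQ LAN 10.0.0.0/24, Windows DHCP server 10.0.0.10
#   Branch-unique VLAN 20 = 10.20.0.0/24 (routed), shared VLAN 10 (bridged over EoIP)

# 1. IPIP tunnel with IPsec. This is the ONLY IPsec policy between the two public
#    addresses, which avoids the overlapping-policy problem mentioned above.
/interface ipip add name=ipip-hq local-address=198.51.100.1 remote-address=203.0.113.1 \
    ipsec-secret=REPLACE_WITH_STRONG_PSK clamp-tcp-mss=yes
/ip address add address=10.255.0.2/30 interface=ipip-hq

# 2. Branch-unique VLAN: the branch router is the gateway, only HQ prefixes go over
#    the tunnel. The default route stays on the ISP uplink, so Internet traffic no
#    longer crosses the tunnel (the "split traffic" the thread asks about).
/interface vlan add name=vlan20 vlan-id=20 interface=ether2
/ip address add address=10.20.0.1/24 interface=vlan20
/ip route add dst-address=10.0.0.0/24 gateway=10.255.0.1 comment="HQ LAN via IPIP"

# 3. DHCP relay for the routed VLAN, pointed at the HQ Windows DHCP server.
#    The server needs a scope for 10.20.0.0/24; replies come back via the route above.
/ip dhcp-relay add name=relay-vlan20 interface=vlan20 dhcp-server=10.0.0.10 \
    local-address=10.20.0.1 disabled=no

# 4. Shared VLAN 10: EoIP between the tunnel inner addresses. No ipsec-secret here,
#    because it already rides inside the IPsec-protected IPIP tunnel. Hosts on this
#    VLAN keep HQ as gateway and DHCP relay, exactly as in the original design.
/interface eoip add name=eoip-vlan10 local-address=10.255.0.2 remote-address=10.255.0.1 \
    tunnel-id=10 clamp-tcp-mss=yes
/interface vlan add name=vlan10 vlan-id=10 interface=ether2
/interface bridge add name=br-vlan10
/interface bridge port add bridge=br-vlan10 interface=vlan10
/interface bridge port add bridge=br-vlan10 interface=eoip-vlan10

# 5. WAN input: accept only IKE/NAT-T and ESP from the HQ peer; everything else on the
#    WAN input chain should be dropped by your existing default rules.
/ip firewall filter add chain=input in-interface=ether1 src-address=203.0.113.1 \
    protocol=udp dst-port=500,4500 action=accept comment="IKE from HQ"
/ip firewall filter add chain=input in-interface=ether1 src-address=203.0.113.1 \
    protocol=ipsec-esp action=accept comment="ESP from HQ"
```

Check the result with `/ip ipsec installed-sa print` (one SA pair, for the IPIP endpoints only) and `/ping 10.255.0.1 src-address=10.255.0.2`; the double encapsulation (EoIP in IPIP in ESP) lowers the usable MTU, so the clamp-tcp-mss settings matter for the bridged VLAN.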