EoIP tunnel over several routers?

I want to set up an EoIP tunnel between separate LANs of clients in my network, several nodes away from each other.
Both clients (CPEs) can ping each other because the ping packet goes out towards the main gateway, routed by the default gateway setting of each router it passes. After reaching the border GW it redirects the packet back into my network to the proper AP which has the CPE associated, by checking each router's routing table along the route.

I have the EoIP tunnel interface on both CPEs bridged with the ether1 interface to overcome the non-WDS usage on both routers, like the manual prescribes.

On site 1 I have the dhcp-server set to the bridge. (It should serve the PCs connected at both ends of the tunnel with an IP in the same network range. They share the network.)

On site 2 I have a dhcp-client set to the bridge. This way I can see if it will pick up an IP from the other end of the tunnel.
It worked when 'real' wlan IPs were used in the tunnel setup, but I lost connectivity to that unit. I had to disable the bridge in a MAC session to bring it back in Winbox.

I use the example from the MT manual:

  • Using exactly the same IPs given in the manual's example, both ends of the tunnel can't even ping each other. Which makes sense to me: how do the next routers in my network know where to send a packet destined for the other end of the tunnel? None of the routers the packet has to pass have this info in their routing tables.

As an alternative I used the 'real' IP addresses of both CPEs' wlans for the tunnel configs, which seems to work, but from the main border gateway I lose connectivity to the EoIP client end of the tunnel.


Some questions:

  • "Local Address" field in the Winbox tunnel config: is that to be left empty? Or what address should be filled in here?
  • How do the routers in between know some tunnel has to pass (where to send the packets belonging to that tunnel)?

Code:
Site 1

/interface bridge
add admin-mac=00:00:00:00:00:00 ageing-time=5m arp=enabled auto-mac=yes disabled=no \
    forward-delay=15s l2mtu=1526 max-message-age=20s mtu=1500 name=bridge1 priority=\
    0x8000 protocol-mode=none transmit-hold-count=6

/interface bridge port
add bridge=bridge1 disabled=no edge=auto external-fdb=auto horizon=none interface=\
    ether1 path-cost=10 point-to-point=auto priority=0x80
add bridge=bridge1 disabled=no edge=auto external-fdb=auto horizon=none interface=\
    eoip-tunnel-1 path-cost=10 point-to-point=auto priority=0x80

/interface bridge settings
set use-ip-firewall=no use-ip-firewall-for-pppoe=no use-ip-firewall-for-vlan=no

/interface eoip
add arp=enabled disabled=no l2mtu=65535 local-address=0.0.0.0 mac-address=\
    02:37:B6:50:DC:C8 mtu=1500 name=eoip-tunnel-1 remote-address=10.0.0.2 tunnel-id=101

/ip address> print detail
Flags: X - disabled, I - invalid, D - dynamic 
 0   address=192.168.50.1/24 network=192.168.50.0 interface=ether1 
     actual-interface=bridge1 
 1 D address=172.25.51.12/26 network=172.25.51.0 interface=wlan1 actual-interface=wlan1 
 2   address=10.0.0.1/30 network=10.0.0.0 interface=wlan1 actual-interface=wlan1 

/ip route> print detail
Flags: X - disabled, A - active, D - dynamic, 
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
 0 ADS  dst-address=0.0.0.0/0 gateway=172.25.51.1 
        gateway-status=172.25.51.1 reachable wlan1 distance=1 scope=30 target-scope=10 
        vrf-interface=wlan1 

 1 ADC  dst-address=10.0.0.0/30 pref-src=10.0.0.1 gateway=wlan1 
        gateway-status=wlan1 reachable distance=0 scope=10 

 2 ADC  dst-address=172.25.51.0/26 pref-src=172.25.51.12 gateway=wlan1 
        gateway-status=wlan1 reachable distance=0 scope=10 

 3 ADC  dst-address=192.168.50.0/24 pref-src=192.168.50.1 gateway=bridge1 
        gateway-status=bridge1 reachable distance=0 scope=10 


/ip dhcp-server
add address-pool=DHCP-pool authoritative=after-2sec-delay bootp-support=static \
    disabled=no interface=bridge1 lease-time=3d name=dhcp1

/ip dhcp-server network
add address=192.168.50.0/24 dns-server=208.67.222.222,208.67.220.220,10.50.50.1 \
    gateway=192.168.50.1

+++++++++++++++++++
Site 2:

/interface bridge
add admin-mac=00:00:00:00:00:00 ageing-time=5m arp=enabled auto-mac=yes disabled=no forward-delay=\
    15s l2mtu=1526 max-message-age=20s mtu=1500 name=bridge1 priority=0x8000 protocol-mode=none \
    transmit-hold-count=6
/interface bridge port
add bridge=bridge1 disabled=no edge=auto external-fdb=auto horizon=none interface=ether1 path-cost=\
    10 point-to-point=auto priority=0x80
add bridge=bridge1 disabled=no edge=auto external-fdb=auto horizon=none interface=eoip-tunnel-2 \
    path-cost=10 point-to-point=auto priority=0x80
/interface bridge settings
set use-ip-firewall=no use-ip-firewall-for-pppoe=no use-ip-firewall-for-vlan=no

/interface eoip
add arp=enabled disabled=no l2mtu=65535 local-address=0.0.0.0 mac-address=02:54:E2:84:E0:12 mtu=1500 \
    name=eoip-tunnel-2 remote-address=10.0.0.1 tunnel-id=101

/ip address> print detail
Flags: X - disabled, I - invalid, D - dynamic 
 0 X address=192.168.50.2/24 network=192.168.50.0 interface=ether1 actual-interface=ether1 

 1 D address=172.25.60.4/25 network=172.25.60.0 interface=wlan1 (BH) actual-interface=wlan1 (BH) 

 2   address=10.0.0.2/30 network=10.0.0.0 interface=wlan1 (BH) actual-interface=wlan1 (BH)

/ip route> print detail
Flags: X - disabled, A - active, D - dynamic, 
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
 0 ADS  dst-address=0.0.0.0/0 gateway=172.25.60.1 gateway-status=172.25.60.1 reachable wlan1 (BH) 
        distance=1 scope=30 target-scope=10 vrf-interface=wlan1 (BH) 

 1 ADC  dst-address=10.0.0.0/30 pref-src=10.0.0.2 gateway=wlan1 (BH) gateway-status=wlan1 (BH) reachable 
        distance=0 scope=10 

 2 ADC  dst-address=172.25.60.0/25 pref-src=172.25.60.4 gateway=wlan1 (BH) 
        gateway-status=wlan1 (BH) reachable distance=0 scope=10 

/ip dhcp-server> print
Flags: X - disabled, I - invalid 
 #   NAME              INTERFACE              RELAY           ADDRESS-POOL              LEASE-TIME ADD-ARP
 0 X dhcp1             ether1                                 dhcp_pool1                3d  

/ip dhcp-client> print detail
Flags: X - disabled, I - invalid 
 0   interface=wlan1 (BH) host-name="R1-002" add-default-route=yes default-route-distance=1 
     use-peer-dns=yes use-peer-ntp=yes status=bound address=172.25.60.4/25 gateway=172.25.60.1 
     dhcp-server=172.25.60.1 primary-dns=208.67.222.222 secondary-dns=208.67.220.220 
     primary-ntp=10.50.50.1 expires-after=2d42m19s 

 1   interface=bridge1 add-default-route=yes default-route-distance=0 use-peer-dns=yes use-peer-ntp=yes 
     status=searching...

That isn’t how tunneling works. At all.

Tunnels work by encapsulating the packets within the tunnel. To the two routers that are tunnel endpoints there is one hop between each other - the tunnel.

You need to use the actual IP addresses on the CPEs (which appear to be the 172.16/12 addresses) as the local and remote IP address of the EoIP tunnel. Then you assign other IP addresses in a different range to the EoIP interfaces themselves, such as 10.0.0.1/30 and 10.0.0.2/30. When you then ping 10.0.0.2 from the .1 end of the tunnel it takes the packet and wraps it into another packet that is sourced from its WLAN IP address and goes to the IP address of the WLAN interface on the other remote router. Those WLAN IPs are all any routers between them see. They are not aware there is another packet inside the packet they are routing. The remote router receives that packet on its WLAN interface, decapsulates it, and sees the "inner" packet from 10.0.0.1 to 10.0.0.2.

Of course any router between the two cannot reach any IP addresses inside the tunnel since they aren’t part of the tunnel. The tunnel is like a virtual point to point link.
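An added illustration of the outer/inner split described in the reply above (example code, not from the thread or from MikroTik): it wraps a constructed Ethernet frame in an assumed EoIP/GRE framing, shows that a constructed border-gateway routing table only ever looks at the outer destination, and decapsulates the frame at the far end. The GRE header layout, the route table and the frame contents are assumptions; the subnets are the ones posted in the thread.

```python
import ipaddress
import struct

# Assumed EoIP framing: outer IPv4 header with protocol 47 (GRE), a GRE
# header with flags/version 0x2001 and protocol type 0x6400, then a 16-bit
# payload length and a 16-bit tunnel id, followed by the raw Ethernet frame.
IPV4_HDR = struct.Struct("!BBHHHBBH4s4s")   # 20-byte IPv4 header, no options
GRE_EOIP = struct.Struct("!HHHH")           # flags, proto, length, tunnel id

def eoip_encap(local, remote, tunnel_id, frame):
    """Wrap an Ethernet frame in GRE/EoIP and an outer IPv4 header."""
    gre = GRE_EOIP.pack(0x2001, 0x6400, len(frame), tunnel_id)
    total = IPV4_HDR.size + len(gre) + len(frame)
    outer = IPV4_HDR.pack(0x45, 0, total, 0, 0x4000, 64, 47, 0,
                          ipaddress.IPv4Address(local).packed,
                          ipaddress.IPv4Address(remote).packed)
    return outer + gre + frame

def outer_dst(pkt):
    """All a transit router consults: the outer destination address."""
    return str(ipaddress.IPv4Address(IPV4_HDR.unpack_from(pkt)[9]))

def eoip_decap(pkt, expected_id):
    """Endpoint side: strip outer IP and GRE; None if not our tunnel."""
    flags, proto, length, tid = GRE_EOIP.unpack_from(pkt, IPV4_HDR.size)
    if (flags, proto, tid) != (0x2001, 0x6400, expected_id):
        return None
    start = IPV4_HDR.size + GRE_EOIP.size
    return pkt[start:start + length]

def next_hop(routes, dst):
    """Longest-prefix match over (prefix, next-hop) pairs; None if no route."""
    addr = ipaddress.IPv4Address(dst)
    hits = [(ipaddress.ip_network(p), nh) for p, nh in routes
            if addr in ipaddress.ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

# Constructed border-gateway table: it knows the two CPE WLAN subnets from
# the thread plus a default route to the ISP; nobody knows 10.0.0.0/30.
BORDER_GW = [("172.25.51.0/26", "ap-site1"),
             ("172.25.60.0/25", "ap-site2"),
             ("0.0.0.0/0", "isp")]

# Constructed inner frame: dst MAC, src MAC, EtherType IPv4, dummy payload.
FRAME = (bytes.fromhex("0254e284e012") + bytes.fromhex("0237b650dcc8")
         + b"\x08\x00" + b"ping 192.168.50.2")

def transit_next_hop(local, remote):
    """Where the border GW forwards the tunnel packet for a given config."""
    return next_hop(BORDER_GW, outer_dst(eoip_encap(local, remote, 101, FRAME)))

if __name__ == "__main__":
    print("10.0.0.x as endpoints ->", transit_next_hop("10.0.0.1", "10.0.0.2"))
    print("WLAN IPs as endpoints ->", transit_next_hop("172.25.51.12", "172.25.60.4"))
```

With the 10.0.0.x endpoints the encapsulated packet only matches the default route and leaves the network; with the WLAN addresses it reaches the site-2 AP, and only the far CPE ever sees the 192.168.50.x frame inside.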

Hehe, that’s the kind of info I want!

I have been playing with it in the meantime and I think I've got it going. Tomorrow I will go to both ends and test it with my laptop. After that I'll probably come back to see if you can see any flaws I might have left.

At the same time, I want it to run over an encrypted tunnel. Something for tomorrow! It's now way too late and I need to get some hours of sleep!
Thanks.

Ok, I can ping 10.0.0.2 from .1 end and vice versa. So that works.

On both ends the EoIP interfaces are together with the router's Ethernet1 interface in a bridge. This way both ends' Ethernet segments are interconnected at OSI (MAC) level 2, yes?
So if I give both end bridges an IP address in the same network, like 192.168.50.1/24 and 192.168.50.2/24, and on the .1 end I also set a dhcp-server, then the whole 192.168.5.0/24 cloud on both ends is transparently connected by this EoIP tunnel?
Meaning on both ends PCs as dhcp-clients obtain an IP address from that one dhcp server?

I think it works that way.
I have one question though: why the use of the 10.0.0.1 and 10.0.0.2 addresses on the EoIP interfaces?
Why not 192.168.50.1 and ..50.2 on these? In fact they already are, because they are on the bridge and the EoIP interfaces are in the bridges?
I don't understand the need for these 10.0.0.0/30 addresses.

You don’t need those addresses in your scenario.

That address was given just as an example. Usually you just use a tunnel to connect two LANs and set up routing. In your case you set up a bridge and thus expanded the Ethernet network, and both ends can have addresses from the same network.


Just check the sizes of the networks you are bridging. Or else someone will give you a t-shirt: "Friends don't let friends bridge networks" :slight_smile: For small networks this should not be an issue.