L2TP routed/bridged/vlans

Hello, I am exploring options to connect my “home office” with “work office”. Initial quick eoip setup (also currently running) looked preaty much what I wanted, but looking at it more closely I noticed couple of particularities, like internet gateway. Because EoIP is L2, DHCP is served across the tunnel and therefore my gateway is work office - all internet traffic goes through the tunnel to work office and out. Well, I don’t want that but I like other “domain” stuff (and also need it).

Reading about vpn tunnels a bit more I learned that tunnels can be bridged or routed. Bridged stuff behave like “L2” and routed like “L3” …in layman words So, to overcome this problem I could work on firewall to drop DHCP and configure it localy on each side, but I noticed here and there that “routing” is more the way to go when connecting remote offices etc. I also like the idea that my remote office is on different network. Like work is 172.31.1.0, remote is 172.31.2.0 etc.

Because I must not forget about vpn dial-in users I am sympathizing with L2TP now.
With L2TP I also have routed or bridged (BCP) way.
With BCP I guess I end up the same or similar as EoIP, correct?

My current quick test with L2TP remote to work office:

1. remote site dials-in to work l2tp server
2. dynamic route is created
3. dynamic interface is created
4. I can ping both ends of the tunnel
5. I can ping from work office device to remote office device
6. I can’t ping from remote office (winbox) to work office device (unless I use ping tool and select L2TP tunnel explicitly) (?)
7. Where is information or how do I tell routers that 172.31.1.0 is on the other end of the tunnel and vice versa for 172.31.2.0 ?

And finally, where do I fit VLANs into all this?
In work office I have bridge with 2 vlans (10 for PC, 20 for voip). How do I make l2tp tunnel as “trunk/uplink” to remote office?

Thank you for your valuable input on my mess above!
best regards

Hopefully L2TP/IPsec, plain L2TP is either not or weakly encrypted and the MSCHAPv2 password can have the NT hash and an equivalent password recovered.

With L2TP I also have routed or bridged (BCP) way.
With BCP I guess I end up the same or similar as EoIP, correct?

Similar yes, in fact you can have both L2 & L3 if desired. One thing to watch out for is that BCP doesn’t play nicely with VLAN-aware bridges, hopefully Mikrotik will fix it one day.

5. I can’t ping from remote office (winbox) to work office device (unless I use ping tool and select L2TP tunnel explicitly) (?)
6. Where is information or how do I tell routers that 172.31.1.0 is on the other end of the tunnel and vice versa for 172.31.2.0 ?

You need static routes. On the server use the routes= setting under /ppp secret, note there is a specific syntax, and on the client add a static route using the l2tp-client interface as the gateway.

And finally, where do I fit VLANs into all this?
In work office I have bridge with 2 vlans (10 for PC, 20 for voip). How do I make l2tp tunnel as “trunk/uplink” to remote office?

VLANs are a L2 construct. For L3 you are just routing IP packets, it is irrelevant if they originate from a VLAN or not.

Having separate L3 work and remote office subnets to keep the broadcast domains separate and not having to resort to hacks to isolate them is good, if you specifically need L2 for VoIP, then you can always run an EoIP tunnel over the L2TP/IPsec connection just for remote phones.

Hopefully L2TP/IPsec, plain L2TP is either not or weakly encrypted and the MSCHAPv2 password can have the NT hash and an equivalent password recovered.

Definately with IPsec.

Similar yes, in fact you can have both L2 & L3 if desired. One thing to watch out for is that BCP doesn’t play nicely with VLAN-aware bridges, hopefully Mikrotik will fix it one day.

I do have vlans configured under bridge vlan filtering as this appears to be a “promoted” way (I guess that is what you mean with vlan-aware bridges).

You need static routes. On the server use the > routes= > setting under > /ppp secret> , note there is a specific syntax, and on the client add a static route using the l2tp-client interface as the gateway.

I thought things will magicaly happen I noticed routes option under ppp secret. Will check it out.

VLANs are a L2 construct. For L3 you are just routing IP packets, it is irrelevant if they originate from a VLAN or not.

This is a bit foggy for me. L2TP is L2 or L3? I assumed L2TP is L2 (hence the name ?
If L2TP is L3 and just routing IP packets, then whatever goes in one side, comes out other side, including VLAN tags. So if I setup the same bridge vlan filtering on remote office, it should just work between both sites?

Having separate L3 work and remote office subnets to keep the broadcast domains separate and not having to resort to hacks to isolate them is good, if you specifically need L2 for VoIP, then you can always run an EoIP tunnel over the L2TP/IPsec connection just for remote phones.

Isn’t this a bit hacky? tunnel inside tunnel, performance?

Yes. The issue with BCP and some other less-often used L2 functionality is that no support for specifying PVID/untagged and tagged membership has been made for these dynamically added bridge ports. You would specify the PVID under /interface bridge port and VLAN membeship under /interface bridge vlan for statically added interfaces, there is nothing to provide this for dynamic ports.

You need static routes. On the server use the > routes= > setting under > /ppp secret> , note there is a specific syntax, and on the client add a static route using the l2tp-client interface as the gateway.

I thought things will magicaly happen I noticed routes option under ppp secret. Will check it out.

No. The Mikrotik has no idea which address ranges are accessible at the remote end. You can specify them statically for smaller setups, or use a routing protocol such as OSPF to exchange this information and insert the appropriate routes as required.

VLANs are a L2 construct. For L3 you are just routing IP packets, it is irrelevant if they originate from a VLAN or not.

This is a bit foggy for me. L2TP is L2 or L3? I assumed L2TP is L2 (hence the name ?
If L2TP is L3 and just routing IP packets, then whatever goes in one side, comes out other side, including VLAN tags. So if I setup the same bridge vlan filtering on remote office, it should just work between both sites?

The naming is confusing - it is tunnelling PPP, a layer 2 protocol. The PPP can handle layer 2 with BCP, layer 3 with IPCP (for IPv4) & IPV6CP (for IPv6).

IP has no concept of 802.1Q VLANs, they are an ethernet construct. Remember when you are connecting a PC to a router, for example, you are not making an IP connection, but an IPoE (IP over Ethernet) connection. Once the IP payload is unwrapped from the packet the local Mikrotik has a note of the interface it arrived via, but this is purely local information.

If the BCP implementation supported PVIDs and tagging correctly you could connect ethernet between the two sites, but this probably isn’t what you want to do.

Having separate L3 work and remote office subnets to keep the broadcast domains separate and not having to resort to hacks to isolate them is good, if you specifically need L2 for VoIP, then you can always run an EoIP tunnel over the L2TP/IPsec connection just for remote phones.

Isn’t this a bit hacky? tunnel inside tunnel, performance?

Yes, you have to weigh up the tradeoffs. Certainly using unencrypted EoIP inside a L2TP/IPsec is going to use less resources than having separate L2TP/IPsec and EoIP with IPsec tunnels, using BCP would be better but it is missing required features. If possible just stick to routed L3 and enforce segregation with firewall rules.

I am trying to wrap my head around all this. I think I am still missing some peices to understand correctly.

• Ethernet is L2
• VLAN is ethernet construct and therefore also L2.
• bridge is also operating on L2 as it is kind of a “virtual” switch between interfaces
• as long as I have interfaces in a bridge (either EoIP or L2TP etc.) it will be L2 and VLANs will pass as is
• as soon as I bring things on a routed level it is L3 (routing packets from one IP to another)
• VLANs are stripped in IP packets (or not? if not then they are unpacked on remote end and could be processed accordingly no?)

Yes to all.

• as long as I have interfaces in a bridge (either EoIP or L2TP etc.) it will be L2 and VLANs will pass as is

With EoIP yes. L2TP is layer 2 tunnelling of PPP encapsulation, the PPP payloads are typically layer 3 but can be layer 2 using BCP (except for the lack of functionality with VLAN-aware bridges)

• as soon as I bring things on a routed level it is L3 (routing packets from one IP to another)

Yes

• VLANs are stripped in IP packets (or not? if not then they are unpacked on remote end and could be processed accordingly no?)

IP packets do not contain VLANs so there is nothing to strip. VLANs may contain IP or other packet types.

Ok. I think it is a bit clearer now I had it a bit wrong there how L2/L3 relate to eachother.

If I go back to my original goal and want to connect head office with remote office and want to bridge L2 between sites then I need to use some kind of EoIP or BCP protocol. This way I can extend VLANs over to remote office.

What if I don’t want to use bridging, but routing, have a separate networks, but still want to have a notion of VLANs? …just not extended but somehow “connected”.
Example:
HEAD: 192.168.1.0/24, VLANs 10, 20
REMOTE: 192.168.2.0/24, VLANs 10, 20
like opening L2TP tunnel and route V10 to V10 and V20 to V20? possible? how?

Yes, excepting the limitations of the current BCP implementation.

What if I don’t want to use bridging, but routing, have a separate networks, but still want to have a notion of VLANs? …just not extended but somehow “connected”.
Example:
HEAD: 192.168.1.0/24, VLANs 10, 20
REMOTE: 192.168.2.0/24, VLANs 10, 20
like opening L2TP tunnel and route V10 to V10 and V20 to V20? possible? how?

Your need a subnet per VLAN, as you would in any case.

If you had Head: 192.168.11.0/24 + 192.168.12.0/24 and Remote: 192.168.21.0/24 + 192.168.22.0/24
you would need static routes so each site knows to send traffic for the target address ranges through the tunnel Head: 192.168.21.0/24 + 192.168.22.0/24 via VPN and Remote: 192.168.11.0/24 + 192.168.12.0/24 via VPN
then you would be able to communicate between two devices on any subnet at either end.

If you specifically wish to prohibit some communication, for example 192.168.11.0/24 can only communicate with 192.168.21.0/24, and 192.168.12.0/24 can only communicate with 192.168.22.0/24 then you would add firewall rules.

Note VLANs don’t come into play at all, they are only relevant for the local ethernet connections between devices and Mikrotik at each site. Each end has no idea what VLANs may be in use at the other.

If you had Head: 192.168.11.0/24 + 192.168.12.0/24 and Remote: 192.168.21.0/24 + 192.168.22.0/24

By this you mean V10 and V20 (example) IP addresses on Head and Remote?
So this is something along L3 VLAN (simple VLAN routing) I am just reading about here: https://wiki.mikrotik.com/wiki/Manual:Interface/VLAN

If so, then yes, I understand that and at this moment there is no notion of VLANs which are local on each site once they enter local bridge… basicly V10 on Head could be routed to V400 on Remote.

Yes, although the IP could be encapsulated in VID 11 + 12 at one end, and VID 21 + 22 at the other.

So this is something along L3 VLAN (simple VLAN routing) I am just reading about here: > https://wiki.mikrotik.com/wiki/Manual:Interface/VLAN

Not really, the simple VLAN routing example (bad wording IMHO) has IP encapsulated in VLANs transported by ethernet so the VLAN IDs do have to be the same at either end. VPNs (other than EoIP & BCP) just transport IP.

Yes, although the IP could be encapsulated in VID 11 + 12 at one end, and VID 21 + 22 at the other.

I assumed that 192.168.1.0/24 + 192.168.12.0/24 etc are IP addresses assigned to a VLAN interfaces (under /ip addresses).
Now I think I don’t get it again

What are: 192.168.11.0/24 + 192.168.12.0/24 and Remote: 192.168.21.0/24 + 192.168.22.0/24 ?

Thanks for being patient with me.

They were examples of subnets attached to the VLAN interfaces at each end. Your original example has two VLANs but only one subnet at each end which is insufficient.

Need to process all this on my own a bit. I lost my self somwhere. Will get back to it

I think I need to “reset” myself and start fresh if you are still willing to explain/help I would appreciate.
Attached is my current running setup.

HO (172.31.1.0/24) - running:

1. bridge vlan filtering (V10 PCs, V20 VoIP)
2. voip pbx is from my ISP provider and I don’t have control over - it is plugged into e10 and tagged V20
3. other ports are in hybrid setup for phone/PC combo (V10 untagged and V20 tagged)

RO (172.31.2.0/24) - trying to setup (currently running EoIP but I don’t like it for various reasons):

1. will have same configuration as HO (bridge vlan filtering with V10 and V20 hybrid ports from e2-e9)
2. open tunnel (ie L2TP/IPsec) to HO (server)
3. route V10 and V20 over the tunnel and join networks.

In attached screenshot I attached IP address on V10 (PC-VLAN) and V20 (VOIP-VLAN) - I understand this is called terminated?
The idea I have is to route 172.31.1.254 (V10) and 172.20.1.1 (V20 over the tunnel and join to RO network.

Questions running in my head:

1. is this sound solution?
2. do I need separate tunnel for each network/vlan?
3. or can I route both networks through the same tunnel, and how? How does this traffic come out on the other side…