Hi,
I would like to ask how to link 3 LAN through WAN?
LAN A: 10.0.0.0/24 → WAN (Internet)
LAN B: 10.0.3.0/24 → WAN (Internet)
LAN C: 1.0.0.0/24 → WAN (Internet)
My idea is to bridge LAN A to LAN B
Then bridge LAN C to LAN B also
So B is acting like a Bridge (Rendezvous / Meeting Point)
Should I use OSPF, RIP or EOIP?
All of them are production networks, so I need to make sure that I won’t lose them.
I don’t know what do you mean by “bridging”. As per your description, you use different IP subnets in the three LANs, so in that case if you “bridge” them (this is a Layer 2 operation), the hosts in the three sites will not be able to communicate, as they’re configured in a three differen subnetworks.
In your case you could you use any tunneling technology (l2tp,pptp,ppp, or even ipsec in tunnel mode) to establish logical transport links between the sites. Than you could run any IGP routing protocol within the logical tunnels to provide reachability between the sites. Personally I would prefer OSPF as a routing protocl, but in your case RIP will also do just fine.
Hi lz1dsb,
Thank you for your reply.
I want to merge this network, so..
People in LAN A can connect to LAN B & C,
People in LAN B can connect to LAN A & C,
People in LAN C can connect to LAN A & B,
I’ve made PPTP-out from LAN A to LAN B, and PPTP-out from LAN C to LAN B (as I’ve planned to make LAN B as meeting point)
How to make the routing now? Any idea?
Thank you.
How do you make the routing…
First you select the routing protocol.
Second you enable the routing process.
Third you enable it on the interfaces you want it to run.
Fourth you select the local networks you would like to advertise.
If you give me more details (interfaces and networks) I could be more specific…
With a simple topology like this, I would start with static routes. You only need to add two routes at each site.
The WAN IP Address is DHCP (i.e. Non-Static) on both LAN 1 and LAN 3.
So you set up your server at LAN2 and the routers at LAN1 and LAN3 will act as clients, establishing secure connection to the server. There’s not a problem with that, I use similar setup.
How to route them through WAN?
Using OSPF or EoIP?
OSPF is a routing protocol which in general distributes IP Layer 3 information in your routing domain i.e. reachability information for all of the subnetworks you have in your network.
How to use it? - just enable the process and advertise all of the subnetworks that you want to distribute, even the those used for the VPN tunnels.
EoIP is another matter. It provides Layer 2 reachability over a WAN segment. If you use EoIP, you do not need a routing protocol as all of your network branches would be in the same Layer 2 segement i.e. they should use the same subnetwork Layer 3 address.
Cheers,
Boyan
Thank you for your good explanation, I just tried using EoIP, but when I add the EoIP on the bridge, my remote network become unreachable, the weird thing is all of it’s subnet become request timed-out. So I need to contact my remote network admin to undo the last action. Any idea what’s wrong with it?
Hm… that’s strange, could you post an excerpt from the EoIP and the related configs?
I’m following exactly like explained on http://wiki.mikrotik.com/wiki/Manual:Interface/EoIP
When I do this (port add bridge=bridge1 interface=eoip-remote) my public network and it’s subnet all become unreachable:
[admin@Our_GW] interface bridge> add
[admin@Our_GW] interface bridge> print
Flags: X - disabled, R - running
0 R name="bridge1" mtu=1500 arp=enabled mac-address=00:00:00:00:00:00
protocol-mode=none priority=0x8000 auto-mac=yes
admin-mac=00:00:00:00:00:00 max-message-age=20s forward-delay=15s
transmit-hold-count=6 ageing-time=5m
[admin@Our_GW] interface bridge> port add bridge=bridge1 interface=eoip-remote
[admin@Our_GW] interface bridge> port add bridge=bridge1 interface=office-eth
[admin@Our_GW] interface bridge> port print
Flags: X - disabled, I - inactive, D - dynamic
# INTERFACE BRIDGE PRIORITY PATH-COST
0 eoip-remote bridge1 128 10
1 office-eth bridge1 128 10
[admin@Our_GW] interface bridge>
I wouldn’t use bridges with the EoIP tunnels - each site already has a seperate subnet.
if you have this:
A <–eoip–> B <–eoip–> C
Then in site A, add static routes for B lan and C lan with gateway=eoip-interface-name
In site C, static routes for A lan and B lan, gateway=eoip-interface-name
In site B, static route for A lan, gateway=eoip-A-interface, and C lan, gateway=eoip-C-interface
That will get you up and running - but remember that this is not encrpyted. You’ll want to use encryption for your final installation.
Hi ZeroByte,
Good idea, I will try it..
No need OSPF, just static route?
Update: Just tried with static routing not working:
Tried from 1.0.3.1/24:
[admin@MikroTik] > too trace 1.0.0.2
# ADDRESS RT1 RT2 RT3 STATUS
1 0.0.0.0 0ms 0ms 0ms
2 x.x.x.x 1ms 0ms 0ms host unreachable
3 x.x.x.x 0ms 6ms 0ms host unreachable
4 x.x.x.x 0ms 0ms 6ms host unreachable
5 0.0.0.0 0ms 0ms 0ms
6 x.x.x.x 6ms 0ms 0ms host unreachable
7 x.x.x.x 0ms 6ms 0ms host unreachable
8 x.x.x.x 0ms 0ms 7ms host unreachable
[admin@MikroTik] >
Where x.x.x.x is 10.0.3.1’s public IP Address.
Possible routing looping issue with 0.0.0.0/0 (default route)
You know, I was thinking to use just the interface itself, but maybe GRE interface would be better for such a thing than EoIP interface (I think it secretly uses GRE anyway). GRE is natively a point-to-point style of interface, so specifying the interface name as the “next hop” of a route is completely valid.
If you want IP addresses on the tunnel interfaces, that’s easy too - just use something like 10.255.255.x/30 on each of your two links.
A (.2) ← {10.255.255.0/30}–>(.1) B (.5) ← {10.255.255.4/30} → (.6) C
Then the gateway= for each static route would be the IP of the far side of the tunnel -
so on A:
B lan, gateway=10.255.255.1
C lan, gateway=10.255.255.1
on B:
A lan, gateway=10.255.255.2
C lan, gateway=10.255.255.6
on C:
A lan, gateway = 10.255.255.5
B lan, gateway = 10.255.255.5
It takes a lot of typing to explain like this, but it’s actually quite simple and makes a lot of sense when you set it up.
Tried with GRE (GRE local IP using VPN local IP, GRE remote IP using VPN remote IP)
But not working either:
[admin@MikroTik] > too trace 1.0.0.2
# ADDRESS RT1 RT2 RT3 STATUS
1 0.0.0.0 0ms 0ms 0ms
2 0.0.0.0 0ms 0ms 0ms
3 0.0.0.0 0ms 0ms 0ms
4 0.0.0.0 0ms 0ms 0ms
[admin@MikroTik] >
Any idea what’s wrong?
This is more interesting now.. 
test..
My, but this thread has gotten long. 
If this is still not working, then you should probably start attacking small subsets of the goal.
Make a GRE tunnel from A to B, put an IP address on each end, and then be able to ping across it successfully.
If you’re trying to use IPSec to protect the GRE, or anything else, turn that off while getting started.
Your goal is to make this:
Router1 -
create gre tunnel interface “gre-to-R2” with local IP = R1’s wan IP, and remote IP = R2’s wan IP.
If the IP of Router1 or Router2 is dynamic, then you will not be able to use GRE.
You should use L2TP or PPTP.
Of course, just to make it work right now just to see it, that’s fine. When the IP changes, the tunnel will break…
Anyway, step 2 is to put an IP on the ‘inside’ of the tunnel. (the addresses above are ‘outside’ of the tunnel)
/ip address add address=10.10.10.1/30 interface=gre-to-R2
On Router2
create gre tunnel interface “gre-to-R1” with local IP = R2’s wan IP, and remote IP = R1’s wan IP.
Then add IP address 10.10.10.2/30 to interface gre-to-R1
Make sure that in both routers, in the ip firewall filter, input chain will allow packets from the other rotuer’s wan IP.
With those conditions met, you should be able to ping 10.10.10.2 from R1 and see the traffic counters showing activity on the interface.
After that works, simply create static routes as discussed previously in the thread.
Hi, thank you for your answer.
Is it possible to use VPN IP address with this condition?
Because the R2 doesn’t have public IP address. How do we overcome this?
As long as the network knows to route correctly between the two sites, then they don’t need public IP addresses.
Just use the “upstream” interface IPs as the GRE / L2TP / PPTP endpoint addresses.