masquerade over EOIP

Hello,

Here is the current setup:

R1: CZ : RB450Gx4

  • 172.17.1.4/29 172.17.1.0 eoip-tunnel1

R2: FR: Chateau LTE6 ax (default subnet 192.168.88.0/24), default firewall, only extra rules to allow incoming proto 47.50

  • 172.17.1.3/29 172.17.1.0 eoip-tunnel1

I have established an EOIP tunnel between R1 and R2, but… what I would like, if possible, is to masquerade all traffic from R2 through R1.

BTW, installing/configuring a VPN on the device connected to R2 is out of the question (DM only, if someone is interested).

Since you linked the two networks together with EOIP it’s basically like having two subnets on the same local network. You might want to consider hairpin NAT or a different approach like L3 VPNs (IPSec, Wireguard etc).

Could you explain in simpler terms what you’re trying to achieve?

So, I will try to keep the political debate out of this:

A French colleague and I are working in Prague. Since the 1st of July the company was a bit loose regarding “roaming” users outside the country where the office is located.
So, based on the newly enforced rules, if any VPN is detected installed on a machine, it will be removed.
So, I proposed to help him with this: “bridge” our MikroTik routers and masquerade the traffic from his router through mine :slight_smile:

Okay, but why use L2 (EOIP) instead of an IP-based VPN tunnel like WireGuard or even SD-WAN like Zerotier?

Well, that is something I am also trying to figure out: what is the best approach for this.
I did find the EOIP implementation/examples quite straightforward, but… no idea how it is in the case of ZeroTier.

Hi, not an expert, but I’m trying to achieve something similar;
I have two hAP ac3 with 3 VLANs configured the same way (also the same internal addresses), one at my house, one at my parents’, and there is a shared NAS to reach.
WireGuard is configured; with my PC I have access using the app. I would like to find a way to connect to the other router without applications. This is what I did:

  • EoIP + IPSec, configured in both routers, assigned an address to EoIP, added a route, disabled my third address VLAN (Server); this should be L3 EoIP. It’s working; what I’m not sure about is the overhead: “EoIP tunnel adds at least 42 byte overhead (8byte GRE + 14 byte Ethernet + 20 byte IP)” + PPPoE. EoIP MTU is set to “auto”.

  • EoIP + IPSec, configured in both routers, added the interface to the bridge with a VLAN ID, disabled my third address VLAN (Server) and DHCP; this should be L2 EoIP. All the traffic is routed via the other router; any device connected to the Server VLAN at my home is getting the public IP of my parents’ ISP.
    The bridge has lowered the interfaces’ MTU to the EoIP value.

  • Still need to try to connect the routers via WireGuard, but it should be similar to the first case, except that I prefer a solution that is available when using a NATted IP.

ZeroTier is a little bit more complicated, but take a look at @Amm0’s post, very knowledgeable.

If someone more experienced has any suggestions about L2 vs. L3 EoIP, MTU values and overhead, please give us a hint :slight_smile:

An IP-based tunnel like IPIP is just as simple to set up as EOIP using ipsec-secret. Also, there are plenty of guides on how to set up WireGuard and ZeroTier. All of these are IP-based tunnels that can be “masqueraded” on the endpoint.

So, first things first :slight_smile:

Indeed ZeroTier sounds interesting, but for the sake of implementing a solution (as EOIP is already set up):

R1:
WAN IP (ether1): 100.100.100.100
eoip-tunnel1: 172.17.1.4
LAN: 192.168.50.0/25

R2:
WAN IP (pppoe-out1): 200.200.200.200
eoip-tunnel1: 172.17.1.3
LAN: 192.168.88.0/24

R1 can ping 172.17.1.3, 192.168.88.0/24
R2 can ping 172.17.1.4

So, by default, the masquerade rule is masquerading through the WAN interface (pppoe-out1).

If I understand well, what I need is to define a rule, or something like it, to have the eoip-tunnel interface as default GW for the LAN traffic from R2, or to masquerade it through the eoip-tunnel interface…
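One way to do what the last post asks for, written here as an added example and not taken from the thread: policy-route R2's LAN through the tunnel, and masquerade that one subnet on R1 as it leaves ether1. It uses the addresses and interface names given in the posts (R1 ether1, R2 pppoe-out1, eoip-tunnel1, 172.17.1.3/.4, 192.168.88.0/24) and assumes RouterOS v7 syntax, that R1 already has a route to 192.168.88.0/24 via 172.17.1.3 (the post says R1 can ping that subnet), and that the default interface lists LAN/WAN exist on both routers. The routing table name via-r1 is a made-up label.

```routeros
# ---------- R2 (Chateau LTE6 ax, LAN 192.168.88.0/24) ----------
# A separate routing table whose only route is "everything via the tunnel".
# (v6 equivalent: no /routing table entry; put routing-mark=via-r1 on the route.)
/routing table add name=via-r1 fib
/ip route add dst-address=0.0.0.0/0 gateway=172.17.1.4 routing-table=via-r1 comment="default via R1 over EoIP"

# Mark LAN-originated traffic so it uses that table. Traffic to the local LAN is
# excluded, and router-originated traffic (the EoIP/GRE packets themselves, which
# go to R1's WAN IP) never matches a prerouting src-address rule, so the tunnel
# does not try to route itself through itself.
/ip firewall mangle add chain=prerouting src-address=192.168.88.0/24 \
    dst-address=!192.168.88.0/24 action=mark-routing new-routing-mark=via-r1 passthrough=no \
    comment="LAN -> internet via R1"

# Clamp TCP MSS for flows entering the tunnel; EoIP adds >= 42 bytes of overhead
# (GRE + Ethernet + outer IP) on top of PPPoE, so large segments would otherwise
# fragment or blackhole.
/ip firewall mangle add chain=forward out-interface=eoip-tunnel1 protocol=tcp \
    tcp-flags=syn action=change-mss new-mss=clamp-to-pmtu passthrough=yes \
    comment="MSS clamp into EoIP"

# The default masquerade (out-interface-list=WAN) stays in place for anything
# not marked; tunnel-bound traffic leaves via eoip-tunnel1, not pppoe-out1, so
# it is not NATed a second time here.

# ---------- R1 (RB450Gx4, WAN ether1 = 100.100.100.100) ----------
# Treat the tunnel as an inside interface so the default "drop everything not
# from LAN" input/forward rules admit it.
/interface list member add list=LAN interface=eoip-tunnel1

# Masquerade only R2's LAN, and only on the way out ether1. Keeping the rule
# this narrow means R1 does not become an open NAT for anything else that might
# arrive over the tunnel.
/ip firewall nat add chain=srcnat src-address=192.168.88.0/24 out-interface=ether1 \
    action=masquerade comment="R2 LAN out via R1 WAN"

# Verify from R1: the reply path depends on this route existing.
/ip route print where dst-address=192.168.88.0/24
```

Two checks worth doing after applying this: from a host behind R2, confirm `/tool traceroute` passes 172.17.1.4 before reaching the internet, and on R1 run `/ip firewall connection print where src-address~"192.168.88."` to see the masqueraded flows. Note that plain EoIP is not encrypted; the earlier reply's suggestion of setting `ipsec-secret` on the tunnel applies unchanged to this layout.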