Multiple EoIP via L2TP

Hello.

I need to configure multiple EoIP tunnels and something is not working. RouterOS 6.47.1.
Main router’s configuration:

/interface eoip
add loop-protect=off mac-address=02:B1:D2:9E:00:01 name=eoip-tunnel1 remote-address=192.168.201.1 tunnel-id=0
add loop-protect=off mac-address=02:B1:D2:9E:00:02 name=eoip-tunnel2 remote-address=192.168.201.2 tunnel-id=1
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge interface=eoip-tunnel1
add bridge=bridge interface=eoip-tunnel2
/interface l2tp-server server
set authentication=mschap2 default-profile=l2tp enabled=yes
/ppp secret
add local-address=192.168.201.254 name=login1 password=pass profile=l2tp remote-address=192.168.201.1 service=l2tp
add local-address=192.168.201.254 name=login2 password=pass profile=l2tp remote-address=192.168.201.2 service=l2tp

First client (works):

/interface l2tp-client
add connect-to=10.1.1.193 disabled=no name=l2tp-out1 password=pass user=login1
/interface eoip
add mac-address=02:67:3B:58:17:76 name=eoip-tunnel1 remote-address=192.168.201.254 tunnel-id=0
/interface bridge port
add bridge=bridge2 interface=ether5
add bridge=bridge2 interface=eoip-tunnel1

Second client (does not work):

/interface l2tp-client
add connect-to=10.1.1.193 disabled=no name=l2tp-out1 password=pass user=login2
/interface eoip
add mac-address=02:B1:D2:9F:33:78 name=eoip-tunnel1 remote-address=192.168.201.254 tunnel-id=1
/interface bridge port
add bridge=bridge2 interface=ether5
add bridge=bridge2 interface=eoip-tunnel1

What am I doing wrong? The second client starts working if I turn off the first one and change the user to login1 and tunnel-id to 0 on the second.

Can you run both EoIP tunnels via the same L2TP connection and distinguish them from one another using tunnel-id, or do you have some reason to use two independent L2TP connections with independent user names? I’m afraid that two L2TP clients connecting to the same server are causing the trouble, as they use the same UDP port at both the local and the remote end.

Unless you need it, try turning off RSTP on each of the bridges and see if that works.

I set protocol-mode to none now, but it didn’t help.

I need to know the IP of each client to configure EoIP. Or am I wrong here?

L2TP works: 192.168.201.1 and 192.168.201.2 are available from 192.168.201.254.

Sorry, I missed that the two L2TP clients are on different hardware. So no idea at the moment what is wrong.

The second client starts working if I set tunnel-id to 0 only. Changing the username isn’t needed. So only “tunnel-id=0” works somehow.

It’s really weird. I’m using multiple EoIP tunnels differentiated by tunnel-id and there is no problem. But there may be some interaction with the firewall: EoIP misuses some header fields of GRE for the ID, which may explain the difficulties of connection tracking with GRE packets carrying the EoIP payload.

Please follow the hint in my automatic signature below for both the L2TP server and the L2TP client; I’ll suggest some firewall rules to add which may help. In short, GRE handling was “improved” a few RouterOS versions ago, and since then you have to add rules to let incoming GRE packets through.

Also, if you don’t need to use VLANs on the L2 tunnels with vlan-filtering set to yes on the bridge, you may avoid the issues with GRE handling and save some packet space by using BCP, which creates an L2 tunnel in parallel to the L3 one using L2TP alone.
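As an added example, not part of the thread, here is the BCP variant described in the post above, written against the interface and profile names already posted (bridge, bridge2, profile l2tp, client l2tp-out1). The client-side profile name l2tp-bcp and the bridge-horizon setting are my own choices for this example. Once the PPP interface itself is a bridge port there is no EoIP interface and therefore no GRE for the firewall or connection tracking to handle.

```routeros
# --- Main router (L2TP server): bridge every L2TP session into "bridge" via BCP ---
# The profile referenced by /ppp secret (profile=l2tp) gets a bridge; each PPP
# interface that comes up with this profile is added to "bridge" as a dynamic port.
/ppp profile
set l2tp bridge=bridge bridge-horizon=1
# bridge-horizon=1 is an assumption for this example: split horizon keeps the two
# client sites from bridging to each other through the hub while both still reach
# ether2. Leave it out if client-to-client L2 traffic is wanted.

# The EoIP interfaces and their bridge ports are no longer needed on the server:
/interface bridge port
remove [find interface=eoip-tunnel1]
remove [find interface=eoip-tunnel2]
/interface eoip
remove [find name=eoip-tunnel1]
remove [find name=eoip-tunnel2]

# --- Each client: a profile whose bridge is bridge2, used by the L2TP client ---
/ppp profile
add name=l2tp-bcp bridge=bridge2
/interface l2tp-client
set l2tp-out1 profile=l2tp-bcp
/interface bridge port
remove [find interface=eoip-tunnel1]
/interface eoip
remove [find name=eoip-tunnel1]

# --- Check: after the session comes up, the PPP interface appears as a dynamic
# (D flag) bridge port on both ends, next to ether2 / ether5 ---
/interface bridge port print
```

Both ends must have a bridge set in their profile for BCP to negotiate; if only one side sets it, the L2TP session still comes up but carries no L2 traffic.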

It is strange that “tunnel-id=0” helps to bypass the firewall. But you are right. A rule for the L2TP network helps for other tunnel-id numbers:

/ip firewall filter add action=accept chain=input src-address=192.168.201.0/24 place-before=0

Thanks.
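As an added example that is not from the thread, a tighter form of the rule in the last post: instead of accepting all input from 192.168.201.0/24, accept only GRE (the carrier protocol for EoIP) from the specific L2TP peer addresses handed out by /ppp secret, on both ends, and drop anything claiming to come from the L2TP subnet on the WAN side. Addresses and interface names are taken from the thread; the WAN interface list is assumed to be the one from the default configuration (the server's bridge port on ether2 carries the defconf comment), and the rule ordering comment describes how place-before=0 stacks the rules.

```routeros
# --- Main router (L2TP server) ---
# Each "place-before=0" puts a rule at the top, so rules are added bottom-up:
# the GRE accepts first, then the anti-spoof drop, which ends up above them.
/ip firewall filter
add chain=input action=accept protocol=gre src-address=192.168.201.1 \
    comment="EoIP (GRE) from login1" place-before=0
add chain=input action=accept protocol=gre src-address=192.168.201.2 \
    comment="EoIP (GRE) from login2" place-before=0
# Assumption: the defconf "WAN" interface list exists. The L2TP subnet is only
# ever seen inside the tunnels, so a packet with such a source on the WAN is spoofed.
add chain=input action=drop src-address=192.168.201.0/24 in-interface-list=WAN \
    comment="L2TP subnet must not arrive from WAN" place-before=0

# --- Each client: the same in the other direction, from the server's L2TP address ---
/ip firewall filter
add chain=input action=accept protocol=gre src-address=192.168.201.254 \
    comment="EoIP (GRE) from L2TP server" place-before=0

# --- Checks ---
# Packet counters on the GRE accepts should grow while the tunnels carry traffic:
/ip firewall filter print stats where protocol=gre
# Both EoIP interfaces should show the R (running) flag on the server:
/interface eoip print
# Connection tracking's view of the GRE flows, one entry per remote address:
/ip firewall connection print where protocol=gre
```

The source-address match is what distinguishes this from a blanket accept: a GRE packet from any other address, including one that spoofs a tunnel peer from the WAN, still falls through to the default drop.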