I am trying to find how to pass multiple VLANs over EoIP with bridge vlan-filtering enabled, but I am having a hard time.
My setup is something like:
WiFi Controller === Fortigate Firewall (7vlans) === Mikrotik CHR —— site A to site B l2tp/ipsec ——- Mikrotik Router === AP
So I want to pass 7 VLANs through the EoIP over the l2tp/ipsec VPN tunnel from the Fortigate firewall (site A) to the Mikrotik Router (site B). I found a good idea: spin up a Mikrotik CHR, create an EoIP tunnel between the two Mikrotiks and pass the VLANs through it.
I really need it to be layer 2 because on site A there is a hardware WiFi Controller (doesn't matter what brand) and I want to connect an Access Point at Site B as if it were installed at Site A. Multiple SSIDs.
In the past (pre vlan-filtering era) I know that I would create a bridge and add as bridge ports the EoIP tunnel and the VLAN interface that I wanted to pass directly. And I would create a different bridge for each VLAN.
Now, with vlan-filtering, what is the correct way to pass through multiple VLANs? Can I treat the EoIP tunnel as an additional ethernet interface and tag/untag VLANs in the bridge/vlan section as I would normally do with a slave ethernet interface?
Thank you. So far so good with RouterOS 7.20.7 on both Mikrotik Routers (CHR and CCR2116).
I do get some logs about looped packets on the EoIP interface when I tried a DHCP client on site B's VLAN interfaces, as I was away during Saturday and Sunday and didn't have anything plugged in behind the router to test.
I will connect the access point today on site B and will update with the config I used.
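The layout the question describes (EoIP tunnel treated as one more tagged bridge port on both ends), as an added RouterOS 7 example that is not the OP's posted config; interface names, tunnel addresses, VLAN IDs 10, 20 and 30 and the trunk ports are constructed placeholders:

```routeros
# ---- Site A: CHR. ether1 is the trunk from the Fortigate, eoip-siteB goes to site B ----
# Tunnel endpoints (constructed) are the L2TP/IPsec inner addresses of the two Mikrotiks.
/interface eoip
add name=eoip-siteB local-address=10.255.0.1 remote-address=10.255.0.2 tunnel-id=1

# Create the bridge with filtering OFF first; enabling it before the vlan table exists
# cuts off every tagged frame, including the ones you are using to manage the box.
/interface bridge
add name=bridge1 vlan-filtering=no

# The EoIP tunnel is added exactly like a physical slave port.
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=eoip-siteB

# One line per VLAN (or a list): tagged on the Fortigate trunk AND on the tunnel.
# bridge1 itself is deliberately NOT a tagged member: the CHR only forwards at L2
# and has no IP presence inside the passed-through VLANs.
/interface bridge vlan
add bridge=bridge1 tagged=ether1,eoip-siteB vlan-ids=10,20,30

/interface bridge
set bridge1 vlan-filtering=yes

# ---- Site B: router in front of the AP. ether2 is the trunk to the access point ----
/interface eoip
add name=eoip-siteA local-address=10.255.0.2 remote-address=10.255.0.1 tunnel-id=1

/interface bridge
add name=bridge1 vlan-filtering=no

/interface bridge port
add bridge=bridge1 interface=eoip-siteA
add bridge=bridge1 interface=ether2

# Same VLAN set, tagged towards the tunnel and towards the AP. If the site B router
# needs its own VLAN interfaces (e.g. a DHCP client for testing), add bridge1 to the
# tagged list and create /interface vlan on bridge1; otherwise leave it out.
/interface bridge vlan
add bridge=bridge1 tagged=eoip-siteA,ether2 vlan-ids=10,20,30

/interface bridge
set bridge1 vlan-filtering=yes
```

With no PVID/untagged entries on the tunnel ports, untagged frames are dropped at the bridge, so only the listed VLAN IDs ever cross the EoIP link.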
What is the need for EOIP here? Why not just transport the subnets over wireguard straight through?
Or is what you are looking for having the VLANs sent over as though the CHR is just a switch in this case: trunk port into the CHR and out of the CHR to the other MT device, carrying the VLANs?
If the CHR is NOT VPS, you can ignore the next paragraph.
One concern, npeca75, is how are you proposing to configure the WireGuard in your case? I would highly recommend the CHR is NOT the server client for handshake. VPS/CHR, if in the cloud (assuming this is the case for the OP), are not deemed safe from potential hacking and thus one does not want to allow any traffic going through the CHR to reach subnets at either MT router, or worse the configuration of either MT router. AKA the use of a remote client to access home routers through the CHR would also be bad.
What can be done:
a. Create a separate WireGuard interface from the home router to the CHR, for the sole purpose of configuring the CHR. This would allow the home router OR any remote device that is part of this WireGuard interface to reach the CHR for config purposes (one-way traffic). I would also add the second MT router as a peer client so that it is accessible for configuration etc.
b. For the WireGuard interface dealing with EoIP, ensure that one of the MT routers is the server client for handshake and that the other router and the CHR are client peers for handshake.
One has to be sure that on both MT routers the firewall rules are explicit.
Do not allow WireGuard interface access in the input chain (accept), or the forward chain (to LAN).
Since the EoIP settings are on each MT router and not the CHR, there should be no way to gain access to the information even if the VPS is hacked. The worst outcome is losing access to the CHR.
Not sure if one should masquerade traffic going into the tunnel on each end.
Npeca75, could you share a 'safe' version of your setup (with fake numbers etc.)? Both routers and the CHR.
On both sides of the EoIP, the devices are on-premise infrastructure, under my control. The CHR is an ESXi VM to be more precise.
Nothing to worry about.
As for why I need to pass VLANs: as I wrote in the OP, I want to connect a remote Access Point as if it were connected locally to the WiFi Access Controller, in order to do some tests with a hotspot implementation on the SSIDs. The site that I need to test is around 300km away, without any way to test WiFi scenarios unfortunately.
nsarant, what do you mean the CHR is an ESXi VM? Do you rent a VPS in the cloud??
The only reason for the CHR is that both of your other MT routers do not have access to a public IP???
If at least one of them did, you could create your own Wireguard connection bypassing the CHR ???