NAT EOIP

Hi forum,

I want to NAT EoIP over a RouterOS device:

scenario: EoIP endpoint → internet → router (FritzBox) → 192.168.178.2 routerosdevice1 192.168.15.1 → 192.168.15.2 routerosdevice2

routerosdevice2 should initiate the tunnel.

I created a snat for protocol 47 for routerosdevice2 on routerosdevice1:

add action=src-nat chain=srcnat comment="snat to eoip endpoint" dst-address=185.16.111.34 log=yes log-prefix="eoip-snat allow" protocol=gre src-address=192.168.15.2 to-addresses=192.168.178.2

I created a dnat for protocol 47 on routerosdevice1 to routerosdevice2:

add action=dst-nat chain=dstnat comment="tesr gre in" dst-address=192.168.178.2 in-interface=internet-port1 log=yes log-prefix=testdnat protocol=gre src-address=185.16.111.34 to-addresses=192.168.15.2

I see traffic coming from the EoIP endpoint on routerosdevice1, but it's not hitting the dnat rule.

Do you have any advice?

Best Regards,

Andreas

It works here. One problem can be if you first add tunnels and you add dstnat rules on routerosdevice1 after that. Dstnat only works for new connections, i.e. from the very first packet. GRE doesn't really have connections, but conntrack sees it as such. So if it has seen a GRE packet already, it will treat following ones with the same source and destination as an established connection and dstnat won't touch them. You can either remove matching entries from "/ip firewall connection" or just reboot the router.
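Added example (not part of the thread, not the poster's config): the checks on routerosdevice1 that tell you whether the GRE flow from the endpoint is already tracked as established and was created before the dstnat rule, followed by the targeted conntrack flush the reply suggests instead of a reboot. Addresses are the ones from the post; the reply-src-address field name is assumed to be present as in current RouterOS connection-tracking output.

```routeros
# Addresses taken from the post above (no other hosts assumed)
:local endpoint "185.16.111.34"
:local wan "192.168.178.2"
:local inner "192.168.15.2"

# 1. Rule counters: if "packets" on the GRE dstnat rule stays at 0 while the
#    endpoint keeps sending, the packets are bypassing the dstnat chain,
#    which is what happens for flows conntrack already considers established.
/ip firewall nat print stats where chain=dstnat protocol=gre

# 2. Tracked GRE flows from the endpoint. For a flow that went through dstnat
#    the reply source is the inner host (192.168.15.2). If reply-src-address
#    is still the WAN address, the entry was created before the dstnat rule
#    existed and will never be translated, no matter how the rule looks now.
/ip firewall connection print detail where protocol=gre src-address~$endpoint

# 3. Remove only those stale entries. The next GRE packet from the endpoint is
#    then a "new" connection again and is evaluated by the dstnat chain.
/ip firewall connection remove [find protocol=gre src-address~$endpoint reply-src-address~$wan]

# Re-check: a fresh entry should now show reply-src-address=192.168.15.2
/ip firewall connection print detail where protocol=gre src-address~$endpoint
```

Run step 3 while routerosdevice2 is up; it will re-establish the tunnel on its next keepalive, and the log-prefix "testdnat" entries should start appearing.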

You can run EoIP over the top of L2TP. I do this when I’m connecting clients into my network who don’t have public or static IPs, or who have multiple connections with failover.