need advice on multi-wan multi-office vpn

Hi All!
I've implemented the subject setup as follows:

mikrotik-office1 --- [2 x eoip over ipsec = bonding1] ---
                                                               \
                                                               [bridge-central] --- mikrotik-main-office
                                                               /
mikrotik-office2 --- [2 x eoip over ipsec = bonding2] ---
....

Offices could have several ISPs. I am using static routing.

I am not satisfied with this setup, because of rare failures and the manual work needed to recover from them.
The router needs a reboot, or I have to toggle EoIP on/off. The failures happen on provider failures, but only seldom. I think this is a bug with bonding EoIP (or bridging, I forget which), because it just disappeared once after turning EoIP on and off. I had to recreate another instance; it didn't help, and after a reboot there were 2 instances.

But the question is: how would you implement that connection using MikroTiks? Best practices...
You can give me the right way, not precise configs.
Thanks!

Study these

http://wiki.mikrotik.com/wiki/Two_gateways_failover
http://wiki.mikrotik.com/wiki/Advanced_Routing_Failover_without_Scripting
http://wiki.mikrotik.com/wiki/Load_Balancing_over_Multiple_Gateways
http://home.swkls.org/mikrotik-policy-based-routing
http://mum.mikrotik.com/presentations/US12/tomas.pdf

You recommend reading about PCC and load-balancing. I've read it many times ))), so PCC is already working.
My question is more about routing and VPN based on MikroTik.

Hello,

I would suggest that you remove the bonding and move over to OSPF ECMP (equal-cost multipath).

I don't tend to use the EoIP tunnels because they are proprietary to MikroTik, and so we do this with IPIP tunnels.

So:

Step 1: build IPIP tunnels between the offices, two tunnels per branch office, one via each separate ISP.
Step 2: encrypt the tunnels with IPsec.
Step 3: configure OSPF to run INSIDE the IPIP tunnels, set the interfaces to be point-to-point and give them an equal cost (say 10) on each of them.

That should work well, giving both load balancing and failover, as well as dealing with the static routes that are a pain to manage.

Greg Sowell has a great video on this that can help you.

Alex
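As an added example (not part of the thread, and not MikroTik's or Alex's own configuration), here is what the three steps above look like on a branch router with two ISPs and on the main office router, in RouterOS v6 command syntax; RouterOS 7 changed the OSPF and routing-table commands, so it would need translating there. All addresses (RFC 5737 documentation ranges), interface names, PSK placeholders and the `bridge-lan` LAN interface are constructed assumptions. It also adds two things the post does not spell out: per-ISP route rules, without which the "via ISP2" tunnel would silently follow the default route out ISP1, and input-chain rules that admit IKE/ESP/IPIP only from the known peer and OSPF only on the tunnel interfaces.

```routeros
# ===== office1 (branch with two ISPs) =====
# Assumed WAN: ISP1 203.0.113.10/24 via 203.0.113.1, ISP2 198.51.100.10/24 via 198.51.100.1
# Assumed main-office public IP: 192.0.2.10 (one ISP there is enough; the two
# tunnels are told apart by their remote-address). Branch LAN 192.168.1.0/24.

# Per-ISP tables so each tunnel's outer packets leave via the ISP whose address
# they are sourced from. Without this both tunnels follow the one default route.
/ip route
add dst-address=0.0.0.0/0 gateway=203.0.113.1 routing-mark=via-isp1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=198.51.100.1 routing-mark=via-isp2 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=203.0.113.1 distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=198.51.100.1 distance=2 check-gateway=ping
/ip route rule
add src-address=203.0.113.10/32 action=lookup table=via-isp1
add src-address=198.51.100.10/32 action=lookup table=via-isp2

# Steps 1+2: one IPIP tunnel per ISP, each with its own IPsec SA.
# ipsec-secret= makes RouterOS create the IPsec peer and policy for the
# local<->remote pair itself. MTU is lowered because IPIP plus ESP overhead
# does not fit in 1500 bytes; clamp-tcp-mss keeps TCP from fragmenting.
/interface ipip
add name=ipip-main-via-isp1 local-address=203.0.113.10 remote-address=192.0.2.10 \
    ipsec-secret="CHANGE-ME-psk-1" mtu=1400 clamp-tcp-mss=yes keepalive=10s,10
add name=ipip-main-via-isp2 local-address=198.51.100.10 remote-address=192.0.2.10 \
    ipsec-secret="CHANGE-ME-psk-2" mtu=1400 clamp-tcp-mss=yes keepalive=10s,10

# A separate /30 on each tunnel: two routed links, never bridged together.
/ip address
add address=10.255.1.1/30 interface=ipip-main-via-isp1
add address=10.255.1.5/30 interface=ipip-main-via-isp2

# Step 3: OSPF inside the tunnels, point-to-point, equal cost -> ECMP.
/routing ospf instance
set [ find default=yes ] router-id=10.255.1.1
/routing ospf interface
add interface=ipip-main-via-isp1 network-type=point-to-point cost=10
add interface=ipip-main-via-isp2 network-type=point-to-point cost=10
add interface=bridge-lan passive=yes
/routing ospf network
add network=10.255.1.0/30 area=backbone
add network=10.255.1.4/30 area=backbone
add network=192.168.1.0/24 area=backbone

# Only the known peer may reach IKE/ESP/IPIP on the WAN, and OSPF is accepted
# only on the tunnel interfaces. Place these above the final input drop rule.
/ip firewall filter
add chain=input src-address=192.0.2.10 protocol=udp dst-port=500,4500 action=accept comment="IKE from main office"
add chain=input src-address=192.0.2.10 protocol=ipsec-esp action=accept
add chain=input src-address=192.0.2.10 protocol=ipip action=accept
add chain=input in-interface=ipip-main-via-isp1 protocol=ospf action=accept
add chain=input in-interface=ipip-main-via-isp2 protocol=ospf action=accept

# ===== main office: mirror image, same PSKs, other end of each /30 =====
# Assumed main LAN 192.168.0.0/24.
/interface ipip
add name=ipip-office1-isp1 local-address=192.0.2.10 remote-address=203.0.113.10 \
    ipsec-secret="CHANGE-ME-psk-1" mtu=1400 clamp-tcp-mss=yes keepalive=10s,10
add name=ipip-office1-isp2 local-address=192.0.2.10 remote-address=198.51.100.10 \
    ipsec-secret="CHANGE-ME-psk-2" mtu=1400 clamp-tcp-mss=yes keepalive=10s,10
/ip address
add address=10.255.1.2/30 interface=ipip-office1-isp1
add address=10.255.1.6/30 interface=ipip-office1-isp2
/routing ospf instance
set [ find default=yes ] router-id=10.255.1.2
/routing ospf interface
add interface=ipip-office1-isp1 network-type=point-to-point cost=10
add interface=ipip-office1-isp2 network-type=point-to-point cost=10
/routing ospf network
add network=10.255.1.0/30 area=backbone
add network=10.255.1.4/30 area=backbone
add network=192.168.0.0/24 area=backbone
```

When both tunnels are up, `/ip route print detail where dst-address=192.168.0.0/24` on the branch should show a single OSPF route with two gateways (10.255.1.2 and 10.255.1.6); that is the ECMP route, and when one ISP fails OSPF withdraws that neighbour and the route shrinks to one gateway without any scripting. The same pattern repeats for each further branch with its own /30 pairs and PSKs; the bridge-central from the first post is not needed, because nothing is bridged.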

I would also advise using standardized VPN methods (L2TP/IPsec) and using OSPF for L3 load-balancing and failover.

There is a presentation in my sig regarding L2TP/IPSec setup which should tell you all you need to know.

Then just setup OSPF correctly, and it will work.

Tomaskir,

We meet again! Yes, I have looked at your video and am in the process of trialling it, as it should solve some of the complexity of rolling out new sites. Very nice design.

We are currently doing this on 75 Branches, and your solution addresses a number of scalability problems.

Best,

Alex

Thanks for your answers guys.

Just a couple of days ago I decided to revise my network config from the first post, and made EoIP over IPsec, but without bonding, like you suggest :smiley:
I did 2 different EoIPs from one end and bridged them on the other end (/24 network), but they show an error in the OSPF log about locally originated packets. And the idea was to make them point-to-point (/30).

Tomaskir, I tried to make an L2TP server about a year ago, but it listens only on one of several ISP interfaces. Am I wrong?

If you bridge them, that will create an L2 loop (as EoIP interfaces are L2 interfaces). That is why OSPF was complaining about receiving locally originated packets.
Also, watch the MTU on the EoIP interfaces, to avoid fragmentation.

All in all, I really recommend L2TP/IPsec with OSPF for all routing needs.

Yes, L2TP has a bug with replying from a wrong address, but it's easily solved with NAT.
Look here for a solution: http://forum.mikrotik.com/t/management-vrfs-l2tp-server-not-replying-from-correct-ip/67201/1