PPTP + EoIP on 3 zones / 2 buildings

Hi,

I have two buildings, each with 3 networks.
I need to create a virtual network that joins the 3 networks across both buildings.

I will use PPTP + EoIP.




Router 1:

# Router 1 (PPTP server side): accept the PPTP session from Router 2, run an
# EoIP tunnel across it, and bridge that tunnel with the local LAN port.
# NOTE(review): no authentication= list is set here, so the server's default
# methods apply. PPTP's MS-CHAP/MPPE protection is considered broken, and this
# EoIP tunnel has no encryption of its own, so the bridged LAN frames are only
# as confidential as the PPTP session carrying them.
/interface pptp-server server set enabled=yes

# PPP account for Router 2. local-address/remote-address pin the tunnel
# endpoint IPs: 192.168.10.1 on this router, 192.168.10.2 on the client.
# "USERNAME"/"PASS" are placeholders; the secret is stored and exported in
# clear text, so use a long random value and protect config exports.
/ppp secret
add name="USERNAME" service=pptp password="PASS" \
local-address=192.168.10.1 remote-address=192.168.10.2  \
disabled=no 

# EoIP endpoint pointing at the client's PPTP address. tunnel-id must be the
# same on both routers (Router 2 below also uses 101).
/interface eoip add name=eoiptunnel remote-address=192.168.10.2 \
tunnel-id=101 disabled=no

/interface bridge add name=bridge1

# Put the LAN port and the tunnel in one L2 domain: broadcasts, DHCP and ARP
# from the remote site are forwarded onto ether1 and vice versa.
/interface bridge port add bridge=bridge1 interface=ether1
/interface bridge port add bridge=bridge1 interface=eoiptunnel

Router 2:

# Router 2 (PPTP client side): dial Router 1 at 10.10.1.1 with the account
# defined in Router 1's /ppp secret. add-default-route=no leaves this router's
# default route untouched, so only tunnel traffic goes via PPTP.
# NOTE(review): profile=default-encryption presumably requests MPPE; verify the
# profile under /ppp profile. MPPE keyed from MS-CHAP is weak either way.
/interface pptp-client
add name="pptp-tunnel1" connect-to=10.10.1.1 \
user="USERNAME" password="PASS" \
profile=default-encryption add-default-route=no \
disabled=no 

# EoIP endpoint pointing at Router 1's PPTP address (192.168.10.1); tunnel-id
# 101 matches the id configured on Router 1.
/interface eoip add name=eoiptunnel remote-address=192.168.10.1 \
tunnel-id=101 disabled=no

/interface bridge add name=bridge1

# Same bridge layout as Router 1: the local LAN port and the tunnel share one
# L2 segment.
/interface bridge port add bridge=bridge1 interface=ether1
/interface bridge port add bridge=bridge1 interface=eoiptunnel

(Thanks to tutorial http://blog.butchevans.com/2008/09/mikrotik_routeros_transparent_bridge_pptp_eoip/)


The questions are:

  1. How do I set up all 3 (+3) bridges, and not only the first ethernet port?
  2. How do I set up the DHCP server so that it gives the correct default gateway? (with EoIP I have only one DHCP server for each network)
  3. Does anyone have experience with a captive portal (hotspot), one for each interface?

Thanks in advance for your ideas.
v.

One PPtP tunnel will be fine. You will create a unique EoIP tunnel (unique tunnel-id) for each “zone”. You will create a unique bridge per “zone” as well. Something like:

# One bridge per zone, so each zone stays its own L2 segment; each bridge later
# gets that zone's ethernet port and its own EoIP tunnel (unique tunnel-id).
/interface bridge
add name=zoneAbridge
add name=zoneBbridge
(and so forth)

Then, you will add (under /interface bridge ports) the appropriate EoIP tunnels and ethernet ports for each zone.

Thanks.
Is there a way to set up DHCP (on MikroTik) for every zone so that I can give the correct gateway for each building?


v.

Yes there is. You simply configure the dhcp server on the appropriate bridge interface. You can refer to the wiki for more information on that.

Thanks!
Now I’m configuring the first router (the left router).

DHCP servers are only on the private and service ethernet ports, the same ones that have a bridge (the guest network isn’t bridged and has no EoIP tunnel).

When I connect a cable to private I get the correct IP; if I connect to the service port I get an IP from the same subnet.

This is relevant configuration code. A note:
First internal network: name=private 192.168.10.x/24 - bridged
Second internal network: name=service 192.168.11.x/24 - bridged
Third internal network: name=guest 192.168.20.x/24 - NOT bridged


# Left-hand router, as posted. Two zones (private, service) are meant to be
# bridged to the other building over EoIP; guest stays local and unbridged.

# One bridge per bridged zone.
/interface bridge
add name=bridgePrivate 
add name=bridgeService

# Name the four ports by role. master-port=none keeps each port independent
# rather than grouping it into the hardware switch.
/interface ethernet
set 0 arp=enabled  master-port=none name=adsl speed=100Mbps
set 1 arp=enabled  master-port=none name=private speed=100Mbps
set 2 arp=enabled  master-port=none  name=service speed=100Mbps
set 3 arp=enabled master-port=none name=guest speed=100Mbps

# One EoIP tunnel per bridged zone, distinct tunnel-ids, same remote endpoint.
# 192.168.100.2 is presumably the far end of the PPTP session; the /ppp secret
# that would assign it is not part of this excerpt.
# NOTE(review): these tunnels carry no encryption of their own, so whatever
# carries them must protect the bridged frames.
/interface eoip
add name=eoiptunnel10 remote-address=192.168.100.2 tunnel-id=10
add name=eoiptunnel11 remote-address=192.168.100.2 tunnel-id=11

/interface ethernet switch
set switch1 mirror-source=none mirror-target=none name=switch1

# Address pools, one per subnet (.100-.200 in each /24).
/ip pool
add name=private ranges=192.168.10.100-192.168.10.200
add name=guestSM ranges=192.168.20.100-192.168.20.200
add name=service ranges=192.168.11.100-192.168.11.200

# DHCP servers: private and service listen on their bridges, guest on the
# physical port.
/ip dhcp-server
add address-pool=private authoritative=after-2sec-delay bootp-support=static \
    disabled=no interface=bridgePrivate lease-time=3d name=private
add address-pool=guestSM authoritative=after-2sec-delay bootp-support=static \
    disabled=no interface=guest lease-time=3d name=guest
add address-pool=service authoritative=after-2sec-delay bootp-support=static \
    disabled=no interface=bridgeService lease-time=3d name=service

# NOTE(review): all four ports below are added to bridgePrivate and
# bridgeService gets no members. That places the service port and eoiptunnel11
# in the private L2 segment, which matches the reported symptom (a client on
# the service port gets a lease from the private subnet) and removes the
# separation between the two zones. The last two entries presumably should use
# bridge=bridgeService. If the far router mirrors this, the two tunnels would
# also form parallel L2 paths between the sites (a bridge loop unless STP is
# enabled).
/interface bridge port
add bridge=bridgePrivate interface=private 
add bridge=bridgePrivate interface=eoiptunnel10
add bridge=bridgePrivate interface=service
add bridge=bridgePrivate interface=eoiptunnel11 

# use-ip-firewall=yes sends bridged traffic through the IP firewall.
# NOTE(review): no /ip firewall filter rules appear in this excerpt, so this
# setting filters nothing on its own.
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-pppoe=no use-ip-firewall-for-vlan=no

# "(unknown)" stands where a port name is expected; shown as posted.
/interface ethernet switch port
set (unknown) vlan-header=leave-as-is vlan-mode=none
set (unknown) vlan-header=leave-as-is vlan-mode=none
set (unknown) vlan-header=leave-as-is vlan-mode=none
set (unknown) vlan-header=leave-as-is vlan-mode=none

# NOTE(review): mschap1 is allowed alongside mschap2. MS-CHAPv1 is the weaker
# of the two and MS-CHAPv2 is itself considered broken, so restrict this to
# mschap2 at minimum and treat the PPTP session as offering little
# confidentiality for the bridged LANs.
/interface pptp-server server
set authentication=mschap1,mschap2 default-profile=default-encryption \
    enabled=yes keepalive-timeout=30 max-mru=1460 max-mtu=1460 mrru=disabled

# Router addresses (.254 in each LAN subnet). private and service are bridge
# ports above, yet their addresses are bound to the physical ports here while
# the matching DHCP servers listen on the bridges.
/ip address
add address=10.10.4.200/20 broadcast=10.10.15.255  interface=adsl network=10.10.0.0
add address=192.168.20.254/24 broadcast=192.168.20.255  interface=guest network=192.168.20.0
add address=192.168.10.254/24 broadcast=192.168.10.255  interface=private network=192.168.10.0
add address=192.168.11.254/24 broadcast=192.168.11.255  interface=service network=192.168.11.0


# Options handed to DHCP clients: gateway and DNS are this router's .254
# address in each subnet. With one DHCP server per bridged zone, clients in the
# other building would receive this same gateway.
/ip dhcp-server network
add address=192.168.10.0/24 dns-server=192.168.10.254 gateway=192.168.10.254 netmask=24
add address=192.168.11.0/24 dns-server=192.168.11.254 gateway=192.168.11.254 netmask=24
add address=192.168.20.0/24 dns-server=192.168.20.254 gateway=192.168.20.254 netmask=24

# Source-NAT everything leaving through adsl.
# NOTE(review): NAT is not an input filter. If no filter rules exist, the PPTP
# server is reachable from whatever sits on the adsl side; verify.
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" disabled=\
    no out-interface=adsl

This has moved beyond what I can offer free support for. Perhaps some others can offer input. FWIW, the configuration you posted looks fine at first glance, other than IP assignments, which belong on the bridge (not the physical interface)

The information I offered works here in my lab and in the 4 or 5 other networks I’ve configured with this scenario. Verify the bridge configurations on both sides to ensure that you do not have a bridge loop. Also, the IP addresses and DHCP server should be configured on the actual bridge interface (not the physical ports). I am assuming that you are not using a vlan configuration on top of the bridges, as this can cause some heartache under certain circumstances.

I don’t understand one step:

Do I need an address on the physical eth and an address on the bridge interface?
Or only on the bridge interface?

# Revised addressing: the private and service router addresses are bound to
# the bridges instead of the physical ports. adsl and guest are not bridged,
# so they keep their addresses on the physical interfaces.
/ip address
add address=10.10.4.200/20 broadcast=10.10.15.255  interface=adsl network=10.10.0.0
add address=192.168.20.254/24 broadcast=192.168.20.255  interface=guest network=192.168.20.0
add address=192.168.10.254/24 broadcast=192.168.10.255  interface=bridgePrivate network=192.168.10.0
add address=192.168.11.254/24 broadcast=192.168.11.255  interface=bridgeService network=192.168.11.0

I know this goes beyond free support. Knowledge is of great value. Thanks for your support. (I hope this is the last question)

v,

The interface facing the other router will need an IP address. This IP is used for the PPtP tunnel. The PPtP tunnel has an IP on both ends (of course) and this IP is used to terminate the EoIP tunnel. The Bridge that is used to bridge the EoIP tunnel and some other interface has an IP for the purpose of providing IP services to the end users. The interface that is in the bridge does NOT need an IP, as the bridge has one already.