Transit over two EOIP tunnels over PPTP

In the following scenario, computer A cannot browse computer B resources. The traffic goes over two EOIP tunnels built on top of PPTP tunnels. The mikrotik 1 and 3 act like PPTP clients to mikrotik 3 (PPTP server)

I exported the configuration as well from all three mikrotiks.

PPTP connections between mikrotik 1 and mikrotik 2, also between mikrotik 3 and mikrotik 2 are running.
EOIP tunnels on top of PPTP connections are also running.

on Mikrotik 1 and Mikrotik 3 there are bridges with eoip interfaces in them along with Ether4 (mikrotik 1) and Ether5 (mikrotik 3) in it.

For some reasons the network traffic between Computer A and B does’t work. I suspect firewall filter rules, forward chain. Please see the configuration of all three mikrotiks

mikrotik 1

/interface bridge
add name=bridge-rngtsl
add name=bridge1
/interface pptp-client
add connect-to=pptpserverdynamicip.sn.mynetname.net disabled=no name=pptp-out1 user=rngtsl
/interface eoip
add local-address=172.16.1.2 mac-address=02:8F:23:4E:A3:FB name=eoip-tunnel1-rng remote-address=172.16.1.1 tunnel-id=0
/interface list
add name=WAN
add name=LAN
..
/interface bridge port
add bridge=bridge1 interface=wlan1
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge-rngtsl interface=ether4
..

mikrotik 2

/interface bridge
add name=bridge-t
..
/interface ethernet
..
/interface eoip
add local-address=172.16.1.1 mac-address=02:E4:F7:7A:57:3B name=eoip-tunnel1 remote-address=172.16.1.2 tunnel-id=0
add local-address=172.16.2.1 mac-address=02:06:C4:5B:A2:BA name=eoip-tunnel2 remote-address=172.16.2.2 tunnel-id=2

..
add bridge=bridge-t interface=eoip-tunnel1
add bridge=bridge-t interface=eoip-tunnel2
..
/interface pptp-server server
set enabled=yes
..
/ppp secret
add local-address=172.16.1.1 name=rngtsl profile=default-encryption remote-address=172.16.1.2 service=pptp
add local-address=172.16.2.1 name=test profile=default-encryption remote-address=172.16.2.2 service=pptp
..

mikrotik 3

..
add connect-to=pptpserverdynamicip.sn.mynetname.net disabled=no name=pptp-out1 user=test
/interface eoip
add allow-fast-path=no local-address=178.251.107.131 mac-address=02:D5:5E:E0:70:C2 name=eoip-tunnel1-car remote-address=178.168.75.181 tunnel-id=0
add local-address=172.16.2.2 mac-address=02:36:E1:6B:FF:BB name=eoip-tunnel2 remote-address=172.16.2.1 tunnel-id=2
..
add bridge=bridge1-car interface=eoip-tunnel1-car
add bridge=bridge interface=ether2
add bridge=bridge1-car interface=eoip-tunnel2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.0.1/24 comment=defconf interface=bridge network=192.168.0.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
add disabled=no
/ip dhcp-server network
add address=192.168.0.0/24 dns-server=192.168.0.1,8.8.4.4,8.8.8.8 gateway=192.168.0.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
..

I don’t get the point directly open the EOIP between router 1 and 3 if that is what is intended

it’s mandatory to prevent exposure of mikrotik 1 to mikrotik 3. Some sort of legal stuff

Fair enough. But why not just use IPSec directly on the EoIP interface with a shared-secret? This seems simpler/cleaner, and perhaps faster, than PPTP tunnels.

Mikrotik 1 is behind NAT. It is basically connected to mobile phone hotspot or LTE dongle. The public IP address of the mobile phone or LTE dongle can change frequently.

Potentially, Mikrotik 3 will be also behind NAT (currently is with public IP address on one of its interfaces)

As far as I know, you have to have permanent IP addresses for establishing EOIP tunnels and this would not be the case for dynamic public IP addresses on LTE dongles or mobile phone hotspots in front of Mikrotik 1, as of now, and in front of Mikrotik 3, in near future.

PPTP has an advantage as it overcomes the problem of dynamic IP addresses for running EOIP on clients (Mikrotik 1 and 3)
.
.

when u post your config try to make it more clear, we do not need to know anything about /ip cloud, /user group , /ip firewall filter ect.

Since u are not reporting about that

What you are saying is still nonsensical once you open the PPTP tunnels those tunnels have endpoints which you can use to establish the EOIP and it doesn’t expose Mikrotik 2

Router 1 has an IP 172.16.1.2
Router 3 has an IP 172.16.2.2

All you need is a static route in router 1 and 3 so they can IP route to each other

Router 1

/ip route
add disabled=no dst-address=172.16.2.2/32 gateway=172.16.1.1

Router 3

/ip route
add disabled=no dst-address=172.16.1.2/32 gateway=172.16.2.1

You should be able to ping 172.16.2.2 from router 1 and 172.16.1.2 from router 3
Now form the EOIP directly between 172.16.1.2 and 172.16.2.2

Agreed, even with PPTP, one end still need to be public IP. Or otherwise routable over an internal network as noted. PPTP still uses GRE, like EoIP…it just uses an TCP port to setup so client side can be behind a NAT.

One important artifact of enabling IPSec on EoIP directly, is IKEv2 NAT traversal will be used for the outer IPSec tunnel. Without IPSec, EoIP’s GRE does need routable IP on BOTH sides. But with IPSec-enabled, only one side needs a static/routable IP.

Agree on /ip cloud , /user group however I think /ip firewall filter is required as the question is about network traffic not passing through EOIP tunnels

I see where you’re going with and it make sense. What I didn’t tell in the costraints of the setup is that I will have Computer C, D etc over MT 4, 5 etc which will be connected to MT2. Computer A will have to connect to only one Computer B, C etc at a time.

What you say makes perfect sense however I discovered that NAT traversal (required by IPsec behind NAT) doesn’t work at all in mobile phone hotspots or in LTE dongle which may act as Internet gateways for MT1 and MT2