Travel router - Spanning LAN across a VPN

Hello all,

I have recently purchased a mAP lite for use as a travel router. The basic idea is that I plug it in wherever I am and it tunnels back to my home router, broadcasts the same SSID as home and essentially provides the same LAN (DHCP, gateway, DNS, etc.).

With this in mind, I thought the best way to accomplish it would be to use an SSTP VPN and then an EoIP tunnel through that, then add the EoIP tunnel to the existing bridges.

The VPN is set up on the "home" router as follows:

/interface sstp-server server
set authentication=mschap2 certificate=Server enabled=yes pfs=yes tls-version=only-1.2

/ppp secret
add local-address=192.168.215.1 name=RemoteUser remote-address=192.168.215.2 service=sstp

and the client on the travel router:

/interface sstp-client
# Note: verify-server-certificate is left at its default (no), so the client accepts any
# certificate; on public Wi-Fi that lets a hostile uplink impersonate the home router.
# Import the CA that signed "Server" and set verify-server-certificate=yes to close that.
add add-default-route=yes authentication=mschap2 connect-to=SERIAL.sn.mynetname.net disabled=no name=sstp-out pfs=yes profile=default-encryption tls-version=only-1.2 user=RemoteUser

And works as it should, it connects and I can reach the assigned IPs (192.168.215.x) from each side.

EoIP on home router:

/interface eoip
# local-address must be an address this router actually holds: 192.168.215.1 only exists on
# the dynamic SSTP PPP interface while RemoteUser is connected. mtu=1500 means full-size
# frames get fragmented inside the PPP link; it works, but costs throughput.
add local-address=192.168.215.1 mac-address=02:AF:81:E4:17:32 mtu=1500 name=eoip-tunnel1 remote-address=192.168.215.2 tunnel-id=13

travel router:

/interface eoip
# tunnel-id must be identical on both ends of an EoIP tunnel; the home side uses 13,
# so this end must use 13 as well (the original had tunnel-id=1 here, which is why no
# frames ever crossed the tunnel).
add local-address=192.168.215.2 mac-address=02:0D:6D:7E:17:FA mtu=1500 name=eoip-tunnel1 remote-address=192.168.215.1 tunnel-id=13

I've added the EoIP tunnel to my bridge on the home router, but it's listed as a disabled port.

As I understand it, there's no way to monitor whether the EoIP tunnel is up? I see occasional traffic in the interface window, which I assume is it trying to establish, but nothing consistent.

I've added the EoIP interface to the bridge on the travel router to the same effect. When I connect a client to the travel router SSID I don't get assigned an IP address.
If I assign the travel router an address and set up a DHCP server, clients can connect and work as expected, so I hopefully haven't set up the travel router incorrectly.

What am I missing? Have I set up the EoIP tunnel incorrectly, or have I misunderstood something and am going about this in the wrong way? Is there a better way to do this?

Thanks in advance for your help
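The bridged-LAN setup the post describes, as an added example that is not part of the original thread: it uses WireGuard as the transport (as later replies recommend) instead of SSTP, gives the EoIP tunnel the same tunnel-id on both ends, sets keepalive so the interface's R flag actually reflects whether the far end answers, and adds the tunnel as a bridge port. The interface names (wg-home, wg-out, bridge, bridge-home, wlan-home, eoip-home, eoip-travel), UDP port 13231 and the placeholder public keys are assumptions; the 192.168.215.0/24 tunnel addresses, the MAC addresses, the DDNS hostname and tunnel-id 13 are taken from the post.

```routeros
# ---------- Home router ----------
# WireGuard listener. The private key is generated on creation; read the public
# key back with /interface/wireguard/print and paste it into the travel router.
/interface wireguard
add name=wg-home listen-port=13231

# The travel router as a peer; only its tunnel address is allowed through.
/interface wireguard peers
add interface=wg-home public-key="<TRAVEL-ROUTER-PUBLIC-KEY>" allowed-address=192.168.215.2/32

# Static tunnel address. (With the SSTP setup this address only existed on the
# PPP interface while the client was connected, leaving EoIP's local-address dangling.)
/ip address
add address=192.168.215.1/24 interface=wg-home

# Allow the WireGuard handshake in from anywhere; the rest of input stays as it is.
/ip firewall filter
add chain=input protocol=udp dst-port=13231 action=accept place-before=0 \
    comment="WireGuard from travel router"

# EoIP over the tunnel. tunnel-id must match on both ends. keepalive=10s,10 sends a
# keepalive every 10 s and marks the interface not running after 10 misses, so the
# R flag in /interface/eoip/print is a real liveness check instead of "always up".
/interface eoip
add name=eoip-home local-address=192.168.215.1 remote-address=192.168.215.2 \
    tunnel-id=13 keepalive=10s,10 mac-address=02:AF:81:E4:17:32

# The tunnel becomes a port of the existing home LAN bridge.
/interface bridge port
add bridge=bridge interface=eoip-home

# ---------- Travel router ----------
/interface wireguard
add name=wg-out

/interface wireguard peers
add interface=wg-out public-key="<HOME-ROUTER-PUBLIC-KEY>" \
    endpoint-address=SERIAL.sn.mynetname.net endpoint-port=13231 \
    allowed-address=192.168.215.0/24 persistent-keepalive=25s

/ip address
add address=192.168.215.2/24 interface=wg-out

/interface eoip
add name=eoip-travel local-address=192.168.215.2 remote-address=192.168.215.1 \
    tunnel-id=13 keepalive=10s,10 mac-address=02:0D:6D:7E:17:FA

# A bridge holding only the "home" SSID and the tunnel: no IP address and no DHCP
# server here, clients get both from the home router across the tunnel.
/interface bridge
add name=bridge-home
/interface bridge port
add bridge=bridge-home interface=eoip-travel
add bridge=bridge-home interface=wlan-home

# ---------- Checks (run on either side) ----------
# R flag present: the remote answers keepalives. Absent: the tunnel is down.
/interface eoip print
# Last handshake age and byte counters tell you whether WireGuard itself is alive.
/interface wireguard peers print
# Home side: travel clients should show up as MACs learned on the tunnel port.
/interface bridge host print where on-interface=eoip-home
```

Two things to keep in mind with this. First, the bridged client traffic rides inside EoIP between the two tunnel addresses, which is why allowed-address only needs the tunnel /24; a 1500-byte Ethernet frame plus the IP and EoIP headers does not fit the 1420-byte WireGuard MTU, so full-size frames are fragmented inside the tunnel and throughput suffers accordingly. Second, this is a layer-2 extension: ARP, broadcast and anything a device on the travel side does reaches the home LAN with no firewall in between, so treat eoip-home as a trusted LAN port and make sure nothing joins wlan-home that you would not plug into a wall socket at home.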

A VPN is a tunnel already. Why tunnel through a tunnel?

Worse, you’re using a TCP tunnel on the outside. Unless you’re doing only low-bandwidth things through this connection, it’s likely to run into TCP meltdown problems.

If this “travel” scenario involves hotels and coffee shops and such, you’re likely to run into problems with captive hotspot portals if you force all WiFi traffic through the tunnel. You won’t be able to accept the local ToS BS needed to be allowed on the local net. Since each site is likely to work differently, I think the simplest option is to leave the VPN connection down to start, then bring it up only once you’re authenticated on the local LAN.


And works as it should, it connects and I can reach the assigned IPs (192.168.215.x) from each side.

Yes. That’s what a VPN does, which is why I question your wish to add EoIP to this. Why not declare success at this point and move on to other tasks?

I also have a mAP lite as a road-warrior device (used more as a toy to learn and play with), but I do not see the real benefit of having the same LAN subnet addresses on that device.
VPN connection, check (wireguard: tip: since WG is a stateless interface, ping IP address on the other end for ‘alive’ status)
Same SSID as home, check (even 2 AND a connect list for known Wifi networks I regularly connect to, having as last option my hotspot of my cell phone)
Routing to home via tunnel, check.
But I use different IP subnet on my MapLite-LAN vs home-LAN.

Or are you serving an application on your laptop which also needs to be accessible from your hotel for people staying home ?
What’s the requirement for spanning that subnet (and complicating things maybe needlessly) ?

Well, that was one of my questions, if there was a better way to do it?

Captive portals were something I'd not considered; I will bear that in mind.

Yes, I know that’s what a VPN does :unamused:
The purpose was not necessarily to add EoIP to it, but rather to see if I could span my LAN from home to my travel router. I didn’t want to have 2 separate subnets, only because it seemed like an interesting thing to do, from a bit of Googling EoIP looked to be the way to do this.

What would you suggest?


Nope, nothing special I need to access. Complicating things needlessly probably, I could have a separate subnet on the travel router, I just thought this would be an interesting exercise.

I’ve seen a few of the Mikrotik MUM presentations where they have used an EoIP tunnel over a VPN in this manner but my attempts at a similar configuration do not seem to work. Any reason why my EoIP tunnel doesn’t function?

Would BCP over the SSTP VPN be a better solution?

Stop trying to be excessively clever and accept that two separate subnets really is the simplest option. Routing between subnets is what routers do.

Thanks for your ‘help’.

Why do you insist on putting a tunnel inside a tunnel ?
a) It’s not needed for pure “road warrior” behavior
b) it impacts performance
c) it complicates the whole setup

Maybe I haven’t worded my question in the best way. If I have given the impression that the methods I have suggested above are the only way to accomplish this, that was not my intention.

I don’t think I have insisted on anything, I am trying to see if there was a way to span my LAN from my home router to another router elsewhere.
Essentially I would like to connect my travel router to an internet connection (let’s set aside potential complications with captive portals for now and assume I have internet access) and when connecting my client devices to it via wireless they appear on the same subnet as my home router and are able to communicate with other devices on the same subnet.

Basically the equivalent of taking a “really” long network cable and being able to plug in to my LAN from wherever

I, perhaps mistakenly, assumed EoIP could do this as the wiki page said:

Possibility to bridge LANs over encrypted tunnels

Is there a protocol which can do this?
How would you accomplish this in a secure manner?

How I do it:
Map Lite
Separate LAN for private connections, standard firewall between WAN and LAN.
WG tunnel to home (or pick whatever VPN protocol you’re most familiar with but NOT SSTP… it’s considered compromised. Your call.)
Map Lite scans wifi environment and when it sees a wifi it knows, it connects. Tunnel is being made and private SSID is being broadcast (slave interface on main wlan).
When no known network is present, I can always use my cell hotspot to have a connection (normally you could also configure to use eth1 if you want but that one maplite I have, has a bust eth-port :laughing: ). At that point I can change network settings for the location I’m at (read: I add it to connect list).
Assuming internet connection is ok, laptop or phone or whatever can connect to my SSID on maplite.
And when I want to print something from my laptop, I just hit print, info goes over wifi to maplite, router part handles it, it goes through Wireguard, to Hex-home-router, to home printer, and all that wherever I am.
Same for accessing my NAS, home VM farm, whatever.

Having Wireguard directly on laptop or phone makes this a bit less necessary (I could also connect directly), but I still prefer to have “something” in between my devices and public wifi.
When at work, I go directly. One can assume that’s a controlled wifi environment with no bad boys lurking.
When out in public, I prefer that little bugger as interface.
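The sequencing described in the reply above and in the earlier captive-portal comment (tunnel first, then the private SSID, and nothing at all until the uplink actually works), as an added example that is not part of the original thread. It assumes a WireGuard interface named wg-out to home, a virtual AP wlan-home slaved to wlan1 with a security profile home-profile, and 1.1.1.1 as the reachability probe; all of those names are assumptions.

```routeros
# Travel router: keep the tunnel and the "home" SSID down until the upstream
# Wi-Fi reaches the internet, and take them down again when it stops.

# Virtual AP carrying the home SSID, created disabled so it is never visible
# while the box is still stuck behind a portal.
/interface wireless
add name=wlan-home master-interface=wlan1 ssid="HomeSSID" \
    security-profile=home-profile disabled=yes

# Tunnel starts disabled for the same reason.
/interface wireguard set wg-out disabled=yes

# Netwatch pings the probe through whatever uplink is current. A portal that
# blocks ICMP until its terms are accepted keeps the host "down", so nothing is
# raised until the portal has been dealt with (from a client on the management
# SSID, or the router's own browser-less uplink). Once the probe answers, the
# up-script raises the tunnel first and the home SSID second; when the uplink
# goes away, the down-script hides the SSID so clients fail over to something
# else instead of sitting on a dead network.
/tool netwatch
add host=1.1.1.1 interval=30s timeout=3s \
    up-script="/interface wireguard set wg-out disabled=no; \
               /interface wireless set wlan-home disabled=no; \
               /log info \"uplink up: tunnel and home SSID enabled\"" \
    down-script="/interface wireless set wlan-home disabled=yes; \
                 /interface wireguard set wg-out disabled=yes; \
                 /log info \"uplink down: home SSID hidden, tunnel disabled\""
```

The weak spot is the probe itself: some portals pass ICMP and only wall off TCP, in which case an ICMP netwatch reports "up" while the tunnel still cannot handshake. Newer RouterOS 7 netwatch has non-ICMP probe types; where the portal answers pings, an HTTP probe against a known URL is the better test, and in any case the WireGuard peer's last-handshake time is the authoritative sign that the tunnel is really up.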

Thank you for taking the time to type your reply, some useful information in there, I didn’t know SSTP wasn’t recommended anymore. I also hadn’t considered delaying the broadcast of the SSID before the tunnel had been established.

However, my primary question still hasn’t been answered, how do I span my LAN from one router to another?

To be clear, I do not want to route between two subnets, I would like to bridge my LAN between two routers.

And yet the question keeps coming back.
Why should you ? For what purpose ?
IMHO routing with MikroTik is far easier than extending a LAN segment. Who cares that another IP range is being used? The router will take care of that. That's what routers are supposed to do.

From what I know, if you really want to go that route, EoIP over whatever other VPN you got running is an option.
But I still don’t see the added value purely for road warrior behavior.

To see if I can, and why not? I want to learn how to do things, I can already route between two subnets, I want to see if I can do this as well.


Awesome, so I wasn’t completely on the wrong track with this.
From the configuration I first posted if there any reason why it would not be working?
As mentioned, I can't see a way to check the EoIP tunnel status; how do I troubleshoot it?


Education mainly, I like learning new/interesting things. It may not necessarily be the best way but having that knowledge means I have more to draw upon from my personal “toolbox”.

And surely, the fact it’s possible means there must be some applications for it, this may not be the most appropriate but I may encounter something in the future where I need to do this.

Also, genuinely, thank you for your input so far

I believe SSTP is “compromised” only when you leave the “tls-version=only-1.2” bit off, since it opens it to the POODLE attack. If all of your clients are able to speak SSTP over TLS 1.2, you might be okay. (Scroll down to the end of the article for this uncertainty’s “why.”) Whether RouterOS should have an “only-1.3” option is not something I can answer for you.

There are two other reasons to avoid SSTP, neither of which has to do with compromised security protocols:

  1. It’s TCP-only, making it a bad choice for tunneling other TCP connections due to the TCP meltdown problem.

  2. It's Microsoft-specific. Even if you don't use other desktop and laptop computers with other OSes, neither of the major mobile OSes has built-in SSTP. They do have built-in IPsec, but that's miserable to set up and manage, so if you have to add a third-party VPN client to solve both sets of problems, it might as well be something modern, portable, and simple like WireGuard. The prior option filling that role is OpenVPN over UDP, but that's got known bugs in ROS 7, so WireGuard it is again. (OpenVPN over TCP is reported to work properly in ROS 7, but now you're back to the TCP meltdown problem.)


how do I span my LAN from one router to another?

With another subnet. :slight_smile:

Seriously: you appear to believe two subnets connected by a router is not a “LAN,” but in fact virtually every LAN bigger than a single office building is composed of multiple subnets. Now you’ve got the opportunity to play on the big kids’ playground, yet you’re caviling.


I would like to bridge my LAN between two routers.

What specific end result do you hope to gain? “Because I can” is a poor answer. Tell me what service breaks if you do it the way the tech was designed, then sit back and wait for people to tell you how to solve that.

I’ll start: Windows Explorer windows no longer populate with other hosts sharing resources, since multicast normally stops at a routing boundary. Solution: forward the WS-DISCOVERY protocol across the barrier.


Thanks for your ‘help’.

You’re returning sarcasm to wisdom.

Even if you get EoIP working over SSTP, it will still be wrong, so we’re refusing to “help” you sail off into a sea of “wrong.”