Tunneling and Routing

RouterOS General
1

With the help of my friend Google & Mikrotik Sites, I have two working RB’s. The plan is to install one at my brothers house, over 50 miles, and the other will in my house. ISP on both is cable. I would like to connect both of these routers over a tunnel bypassing NAT. I have provided below information about the networks. More can be provided if needed.

R1 (RB493G - My House):
LAN: 172.30.10.0/24
NexEvo: 192.168.20.0/24
Loopback: 10.10.0.1/32

/ip firewall filter
add chain=input comment="Accept established connections" connection-state=established
add chain=input comment="Accept related connections" connection-state=related
add action=drop chain=input comment="Drop invalid connections" connection-state=invalid
add chain=input comment="Allow LAN connections" in-interface=!ether1 src-address=172.30.10.0/24
add action=drop chain=input comment="detect and drop port scan connections" protocol=tcp psd=21,3s,3,1
add action=tarpit chain=input comment="suppress DoS attack" connection-limit=3,32 protocol=tcp src-address-list=black_list
add action=add-src-to-address-list address-list=black_list address-list-timeout=1d chain=input comment="detect DoS attack" connection-limit=10,32 protocol=tcp
add action=jump chain=input comment="jump to chain ICMP" jump-target=ICMP protocol=icmp
add action=jump chain=input comment="jump to chain services" jump-target=services
add chain=input comment="Allow Broadcast Traffic" dst-address-type=broadcast
add action=log chain=input log-prefix=Filter:
add action=drop chain=input comment="drop everything else"
add chain=ICMP comment="0:0 and limit for 5pac/s" icmp-options=0 limit=5,5 protocol=icmp
add chain=ICMP comment="3:3 and limit for 5pac/s" icmp-options=3:3 limit=5,5 protocol=icmp
add chain=ICMP comment="3:4 and limit for 5pac/s" icmp-options=3:4 limit=5,5 protocol=icmp
add chain=ICMP comment="8:0 and limit for 5pac/s" icmp-options=8 limit=5,5 protocol=icmp
add chain=ICMP comment="11:0 and limit for 5pac/s" icmp-options=11 limit=5,5 protocol=icmp
add action=drop chain=ICMP comment="Drop everything else" protocol=icmp
add chain=services comment="accept localhost" dst-address=127.0.0.1 src-address=127.0.0.1
add chain=services comment="allow MACwinbox " dst-port=20561 protocol=udp
add chain=services comment="Bandwidth server" disabled=yes dst-port=2000 protocol=tcp
add chain=services comment=" MT Discovery Protocol" dst-port=5678 protocol=udp
add chain=services comment="allow SNMP" disabled=yes dst-port=161 protocol=tcp
add chain=services comment="Allow BGP" disabled=yes dst-port=179 protocol=tcp
add chain=services comment="allow BGP" disabled=yes dst-port=5000-5100 protocol=udp
add chain=services comment="Allow NTP" disabled=yes dst-port=123 protocol=udp
add chain=services comment="Allow PPTP" disabled=yes dst-port=1723 protocol=tcp
add chain=services comment="allow PPTP and EoIP" disabled=yes protocol=gre
add chain=services comment="allow DNS request" disabled=yes dst-port=53 protocol=tcp
add chain=services comment="Allow DNS request" disabled=yes dst-port=53 protocol=udp
add chain=services comment=UPnP disabled=yes dst-port=1900 protocol=udp
add chain=services comment=UPnP disabled=yes dst-port=2828 protocol=tcp
add chain=services comment="allow DHCP" disabled=yes dst-port=67-68 protocol=udp
add chain=services comment="allow Web Proxy" disabled=yes dst-port=8080 protocol=tcp
add chain=services comment="allow IPIP" disabled=yes protocol=ipencap
add chain=services comment="allow https for Hotspot" disabled=yes dst-port=443 protocol=tcp
add chain=services comment="allow Socks for Hotspot" disabled=yes dst-port=1080 protocol=tcp
add chain=services comment="allow IPSec connections" disabled=yes dst-port=500 protocol=udp
add chain=services comment="allow IPSec" disabled=yes protocol=ipsec-esp
add chain=services comment="allow IPSec" disabled=yes protocol=ipsec-ah
add chain=services comment="allow RIP" disabled=yes dst-port=520-521 protocol=udp
add chain=services comment="allow OSPF" disabled=yes protocol=ospf
add action=return chain=services

/ip firewall nat
add action=masquerade chain=srcnat comment=NAT out-interface=ether1 src-address=172.30.10.0/24
add action=masquerade chain=srcnat out-interface=ether1 src-address=192.168.20.0/24

R2 (RB600A - Brothers House):
LAN: 172.30.11.0/24
Loopback: 10.10.0.2/32

/ip firewall filter
add chain=input comment="Accept established connections" connection-state=established
add chain=input comment="Accept related connections" connection-state=related
add action=drop chain=input comment="Drop invalid connections" connection-state=invalid
add chain=input comment="Allow LAN connections" in-interface=!ether1 src-address=172.30.11.0/24
add action=drop chain=input comment="detect and drop port scan connections" protocol=tcp psd=21,3s,3,1
add action=tarpit chain=input comment="suppress DoS attack" connection-limit=3,32 protocol=tcp src-address-list=black_list
add action=add-src-to-address-list address-list=black_list address-list-timeout=1d chain=input comment="detect DoS attack" connection-limit=10,32 protocol=tcp
add action=jump chain=input comment="jump to chain ICMP" jump-target=ICMP protocol=icmp
add action=jump chain=input comment="jump to chain services" jump-target=services
add chain=input comment="Allow Broadcast Traffic" dst-address-type=broadcast
add action=log chain=input log-prefix=Filter:
add action=drop chain=input comment="drop everything else"
add chain=ICMP comment="0:0 and limit for 5pac/s" icmp-options=0 limit=5,5 protocol=icmp
add chain=ICMP comment="3:3 and limit for 5pac/s" icmp-options=3:3 limit=5,5 protocol=icmp
add chain=ICMP comment="3:4 and limit for 5pac/s" icmp-options=3:4 limit=5,5 protocol=icmp
add chain=ICMP comment="8:0 and limit for 5pac/s" icmp-options=8 limit=5,5 protocol=icmp
add chain=ICMP comment="11:0 and limit for 5pac/s" icmp-options=11 limit=5,5 protocol=icmp
add action=drop chain=ICMP comment="Drop everything else" protocol=icmp
add chain=services comment="accept localhost" dst-address=127.0.0.1 src-address=127.0.0.1
add chain=services comment="allow MACwinbox " dst-port=20561 protocol=udp
add chain=services comment="Bandwidth server" disabled=yes dst-port=2000 protocol=tcp
add chain=services comment=" MT Discovery Protocol" dst-port=5678 protocol=udp
add chain=services comment="allow SNMP" disabled=yes dst-port=161 protocol=tcp
add chain=services comment="Allow BGP" disabled=yes dst-port=179 protocol=tcp
add chain=services comment="allow BGP" disabled=yes dst-port=5000-5100 protocol=udp
add chain=services comment="Allow NTP" disabled=yes dst-port=123 protocol=udp
add chain=services comment="Allow PPTP" disabled=yes dst-port=1723 protocol=tcp
add chain=services comment="allow PPTP and EoIP" disabled=yes protocol=gre
add chain=services comment="allow DNS request" disabled=yes dst-port=53 protocol=tcp
add chain=services comment="Allow DNS request" disabled=yes dst-port=53 protocol=udp
add chain=services comment=UPnP disabled=yes dst-port=1900 protocol=udp
add chain=services comment=UPnP disabled=yes dst-port=2828 protocol=tcp
add chain=services comment="allow DHCP" disabled=yes dst-port=67-68 protocol=udp
add chain=services comment="allow Web Proxy" disabled=yes dst-port=8080 protocol=tcp
add chain=services comment="allow IPIP" disabled=yes protocol=ipencap
add chain=services comment="allow https for Hotspot" disabled=yes dst-port=443 protocol=tcp
add chain=services comment="allow Socks for Hotspot" disabled=yes dst-port=1080 protocol=tcp
add chain=services comment="allow IPSec connections" disabled=yes dst-port=500 protocol=udp
add chain=services comment="allow IPSec" disabled=yes protocol=ipsec-esp
add chain=services comment="allow IPSec" disabled=yes protocol=ipsec-ah
add chain=services comment="allow RIP" disabled=yes dst-port=520-521 protocol=udp
add chain=services comment="allow OSPF" disabled=yes protocol=ospf
add action=return chain=services

/ip firewall nat
add action=masquerade chain=srcnat comment=NAT out-interface=ether1 src-address=172.30.11.0/24

From the sites that I have found, I am a bit confused on which type of tunnel is best. I have come to the conclusion that L2TP/IPSec or IPSec would be the way to go. I do plan to add in other sites and add in OSPF. OSPF is still a mystery to me but that can be worked out another day. I come here looking for recommended ways to reach the end goal.

2

I would just establish an IPSEC tunnel between the two routers. I have one setup with cable internet and it works great.