Two EOIP tunnels and traffic problem

Hi there,
I set up two EOIP tunnels using one bridge for both. Different users, different IPs… everything works fine… separately. If I turn on both tunnels, the traffic is only transmitted from the second one. The first one has no outgoing traffic. What am I doing wrong?
Attached you can find a simple drawing of my connection schema. And sorry for my basic English!

Cheers
Rubén
Schema.jpg

It should work fine but the information on the drawing is insufficient to suggest what might be wrong, so post the configuration of all three machines following the hint in my automatic signature and the output of /interface eoip print detail, /interface bridge print detail, and /interface bridge host print when both tunnels are up.

Hi again,
Thanks for your help.


PPTP Server config

may/10/2019 08:10:11 by RouterOS 6.44.3

software id = CTWP-R4CL

model = RouterBOARD 941-2nD

serial number = 8CE5081EF3C1

/interface bridge
add admin-mac=CC:2D:E0:64:D3:89 auto-mac=no comment=defconf igmp-snooping=yes name=bridge
/interface ethernet
set [ find default-name=ether1 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether2 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether3 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether4 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce distance=indoors frequency=auto mode=ap-bridge ssid=MikroTik-YARARA wireless-protocol=802.11
/interface eoip
add local-address=192.168.88.200 mac-address=02:42:62:50:21:C8 name=eoip-tunnel1 remote-address=192.168.88.201 tunnel-id=0
add !keepalive local-address=192.168.88.240 mac-address=02:1E:1F:F9:7F:53 name=eoip-tunnel2 remote-address=192.168.88.241 tunnel-id=666
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys supplicant-identity=MikroTik wpa-pre-shared-key=******* wpa2-pre-shared-key=*******
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=PPTP-Pool ranges=192.168.1.125-192.168.1.150
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge interface=ether1
add bridge=bridge interface=eoip-tunnel1
add bridge=bridge interface=eoip-tunnel2
/interface list member
add comment=defconf interface=ether1 list=WAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=wlan1 list=LAN
/interface pptp-server server
set authentication=chap,mschap1,mschap2 enabled=yes
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2 network=192.168.88.0
add address=192.168.1.4/24 interface=ether2 network=192.168.1.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=80.58.61.250,80.58.61.254
/ip dns static
add address=192.168.1.4 name=router.lan
/ip firewall filter
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related disabled=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=mark-routing chain=prerouting new-routing-mark=VPN passthrough=yes src-address=192.168.88.2-192.168.88.254
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat
/ip route
add distance=1 gateway=192.168.1.1
add disabled=yes distance=1 dst-address=239.0.2.0/32 gateway=bridge
/ppp secret
add local-address=192.168.88.210 name=username1 password=***** remote-address=192.168.88.211 service=pptp
add local-address=192.168.88.200 name=eoipuser1 password=******** remote-address=192.168.88.201 service=pptp
add local-address=192.168.88.240 name=eoipuser2 password=******** remote-address=192.168.88.241 service=pptp


EOIP Tunnel Client 1

may/10/2019 09:19:04 by RouterOS 6.44.3

software id = TRE9-T0ST

model = RouterBOARD 941-2nD

serial number = 8CE508EEA453

/interface bridge
add admin-mac=CC:2D:E0:64:96:9F auto-mac=no comment=defconf igmp-snooping=yes name=bridge
/interface ethernet
set [ find default-name=ether1 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether2 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether3 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether4 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
/interface pptp-client
add connect-to=pptp.server.address disabled=no keepalive-timeout=disabled name=pptp-out1 password=****** user=eoipuser1
/interface wireless
set [ find default-name=wlan1 ] antenna-gain=2 band=2ghz-b/g/n channel-width=20/40mhz-Ce country=spain disabled=no distance=indoors frequency=auto frequency-mode=regulatory-domain mode=ap-bridge ssid=MikroTik-SS wireless-protocol=802.11
/interface eoip
add !keepalive local-address=192.168.88.201 mac-address=02:38:92:53:EE:25 name=eoip-tunnel1 remote-address=192.168.88.200 tunnel-id=0
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys supplicant-identity=MikroTik wpa-pre-shared-key=PcEERGbn wpa2-pre-shared-key=*******
/ip pool
add name=dhcp ranges=192.168.66.10-192.168.66.254
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge interface=eoip-tunnel1
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface pptp-server server
set authentication=chap,mschap1,mschap2 enabled=yes
/ip address
add address=192.168.66.1/24 comment=defconf interface=ether2 network=192.168.66.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.66.0/24 comment=defconf gateway=192.168.66.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.66.1 name=router.lan
/ip firewall filter
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related disabled=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip route
add disabled=yes distance=1 gateway=192.168.0.1
add distance=1 dst-address=172.26.22.0/32 gateway=pptp-out1
add distance=1 dst-address=172.26.23.0/32 gateway=pptp-out1
add distance=1 dst-address=239.0.2.0/32 gateway=eoip-tunnel1
/ppp secret
add name=userppp password=********


EOIP Client 2

may/10/2019 09:23:06 by RouterOS 6.44.3

software id = DGM8-J1KA

model = RB941-2nD

serial number = 93710A80B802

/interface bridge
add admin-mac=CC:2D:E0:64:96:9F auto-mac=no comment=defconf igmp-snooping=yes name=bridge
/interface ethernet
set [ find default-name=ether1 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full mac-address=CC:2D:E0:64:96:9E
set [ find default-name=ether2 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full mac-address=CC:2D:E0:64:96:9F
set [ find default-name=ether3 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full mac-address=CC:2D:E0:64:96:A0
set [ find default-name=ether4 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full mac-address=CC:2D:E0:64:96:A1
/interface wireless
set [ find default-name=wlan1 ] name=wlan2 ssid=MikroTik
/interface eoip
add !keepalive local-address=192.168.88.241 mac-address=02:38:92:53:EE:25 name=eoiptunnel1 remote-address=192.168.88.240 tunnel-id=666
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys supplicant-identity=MikroTik wpa-pre-shared-key=***** wpa2-pre-shared-key=*******
/ip pool
add name=dhcp ranges=192.168.77.10-192.168.77.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/interface pptp-client
add connect-to=pptp.server.address disabled=no keepalive-timeout=disabled name=PPTP-client1 password=******* profile=default user=eoipuser2
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge interface=eoiptunnel1
add bridge=bridge comment=defconf disabled=yes interface=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add interface=wlan2 list=WAN
/ip address
add address=192.168.77.1/24 comment=defconf interface=ether1 network=192.168.77.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=ether1
add dhcp-options=hostname,clientid disabled=no interface=wlan2
/ip dhcp-server network
add address=192.168.77.0/24 comment=defconf gateway=192.168.77.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.77.1 name=router.lan
/ip firewall filter
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related disabled=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip route
add distance=1 dst-address=172.26.22.0/32 gateway=PPTP-client1
add distance=1 dst-address=172.26.23.0/32 gateway=PPTP-client1
add distance=1 dst-address=239.0.2.0/32 gateway=eoiptunnel1


Interface configs

[admin@MikroTik] /interface eoip>> /interface eoip print detail
Flags: X - disabled, R - running
0 R name="eoip-tunnel1" mtu=auto actual-mtu=1408 l2mtu=65535 mac-address=02:42:62:50:21:C8 arp=enabled arp-timeout=auto loop-protect=default loop-protect-status=off loop-protect-send-interval=5s
loop-protect-disable-time=5m local-address=192.168.88.200 remote-address=192.168.88.201 tunnel-id=0 keepalive=10s,10 dscp=inherit clamp-tcp-mss=yes dont-fragment=no allow-fast-path=yes

1 R name="eoip-tunnel2" mtu=auto actual-mtu=1408 l2mtu=65535 mac-address=02:1E:1F:F9:7F:53 arp=enabled arp-timeout=auto loop-protect=default loop-protect-status=off loop-protect-send-interval=5s
loop-protect-disable-time=5m local-address=192.168.88.240 remote-address=192.168.88.241 tunnel-id=666 dscp=inherit clamp-tcp-mss=yes dont-fragment=no allow-fast-path=yes



[admin@MikroTik] > /interface bridge print detail
Flags: X - disabled, R - running
0 R ;;; defconf
name="bridge" mtu=auto actual-mtu=1408 l2mtu=1598 arp=enabled arp-timeout=auto mac-address=CC:2D:E0:64:D3:89 protocol-mode=rstp fast-forward=yes igmp-snooping=yes multicast-router=temporary-query
multicast-querier=no startup-query-count=2 last-member-query-count=2 last-member-interval=1s membership-interval=4m20s querier-interval=4m15s query-interval=2m5s query-response-interval=10s
startup-query-interval=31s250ms igmp-version=2 auto-mac=no admin-mac=CC:2D:E0:64:D3:89 ageing-time=5m priority=0x8000 max-message-age=20s forward-delay=15s transmit-hold-count=6 vlan-filtering=no
dhcp-snooping=no


[admin@MikroTik] > /interface bridge host print
Flags: X - disabled, I - invalid, D - dynamic, L - local, E - external

      MAC-ADDRESS        VID  ON-INTERFACE   BRIDGE   AGE
 0 D  00:26:86:00:00:00       ether1         bridge   6s
 1 DL 02:1E:1F:F9:7F:53       eoip-tunnel2   bridge
 2 D  02:38:92:53:EE:25       eoip-tunnel2   bridge   1s
 3 DL 02:42:62:50:21:C8       eoip-tunnel1   bridge
 4 D  2C:CC:44:34:B2:C9       ether1         bridge   6s
 5 D  34:57:60:DB:35:A3       ether1         bridge   0s
 6 D  3C:5C:C4:07:5A:43       ether1         bridge   6s
 7 D  68:63:59:95:FF:DB       ether1         bridge   27s
 8 D  68:9A:87:54:56:90       ether1         bridge   6s
 9 D  90:EF:68:3C:A9:67       eoip-tunnel2   bridge   3s
10 D  AA:AA:AA:1B:45:C7       ether1         bridge   0s
11 D  AA:AA:AA:1B:46:C7       ether1         bridge   0s
12 D  BC:60:A7:DC:37:35       ether1         bridge   6s
13 D  C4:95:00:AC:D5:BF       ether1         bridge   6s
14 D  CC:2D:E0:64:96:9F       eoip-tunnel2   bridge   24s
15 DL CC:2D:E0:64:D3:88       ether1         bridge
16 DL CC:2D:E0:64:D3:89       bridge         bridge


Again, thanks for your support

And sorry, I realized that IPs of my drawing are not correct. They are all in 192.168.88.x subnet.

Regards

Could it be that both the PPTP clients are connected from behind the same public IP address? One of the problems with PPTP is that it uses GRE, and one of the problems with GRE is that it doesn’t use the concept of ports so only a single GRE “session” can exist between two IP addresses, so if one of these two addresses belongs to a NAT device and there is more than one GRE endpoint behind it, only one of the GRE sessions works at a time. Some NATs let the private->public packets run for both sessions which might explain why the EoIP tunnels are both reported as up at the “PPTP server” machine.

Yes, both EoIP tunnels are connected through the same public IP address to the PPTP MikroTik server… so, what can I do? Is there any way to avoid using another public IP? Maybe using another tunnel type?

Thanks!

PPTP is a security hole anyway, so use plain IKEv2 (L2TP encrypted using IPsec suffers from the same issue of multiple clients behind a NAT, even though the detailed reason is slightly different, and without encryption it is totally insecure).

I know, but first I’d like to solve the main issue. So, no ideas for tunneling using same public internet IP?
Sorry, as you can see I’m a little newbie…

Thanks

The problem is not the EoIP tunnels themselves - they are just victims of the PPTP problem with NAT. So until you set up a VPN which a) does not use TCP as transport and b) does not have problems with two clients behind the same public IP, the EoIP won’t work at both sites simultaneously. And requirements a) and b) narrow the list to just two types of VPN out of those available on Mikrotik: L2TP without IPsec (so no encryption at all) and IKEv2.

Well, I tried BCP bridging with an l2tp interface and… the same issue. I don’t know why the behaviour is just the same. As you can see, there’s no EoIP tunneling and the connections (separately) run fine. I’m just thinking that I’m missing something…
When both connections are running, one of them sends no packets.
image.jpg

Have you set use-ipsec to yes and ipsec-secret in l2tp configuration?

Btw, there is one more issue in your configuration, but I don’t think it explains the L2 tunnel behaviour. On the server, you have attached the /ip dhcp-client to ether1 and attached two /ip address to ether2 but at the same time you’ve made ether1 and ether2 member ports of /interface bridge named bridge. That’s incorrect, elements of IP configuration cannot be attached to interfaces which are at the same time member ports of bridges, it causes weird errors. So fix this first of all.

Next, can you re-confirm again that your physical network topology looks like this?


 ____________                          ____                 ______________        ______________ 
|            |                        (    )                |              |      |              |
| VPN server |----------------------(      )---------------| WAN(NAT) LAN |------| VPN client 1 |
|____________|  public IP A         (      )  public IP B  |              |      |______________|
                                      (____)                |              |       ______________ 
                                                            |              |      |              |
                                                            |              |------| VPN client 2 |
                                                            |______________|      |______________|
If so, the L2TP tunnels can only work for both clients if ipsec=yes is not used in the l2tp configuration.

peinamuertos,
do you really have the same MAC address on both clients’ bridges?

Worse than that, have you saved a backup on client 1 and loaded it on client 2? Because it’s not only the admin-mac of the bridge, it’s also that the MAC addresses of Ethernet ports are user-configured on client 2.

For bridging of external traffic this doesn’t matter, but if you check the tunnel by sending data to the IP address of the bridge on the client device, the duplicity does matter.

And loading a backup of one device to another is prohibited in general, you have to export the configuration on one device and import it on the other one after editing out the duplicities from the script file. In your case, reset client 2 to defaults, export configuration from client 1 and import it to client 2 after making the necessary changes in it.
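The two configuration faults raised in this thread (IP configuration bound to bridge member ports, and the same MAC addresses on both clients) can be caught by linting the exports before they are imported. The Python script below is an added example, not code from the thread or from MikroTik; the export excerpts inside it are constructed from the values the posters showed, abridged to the relevant lines, and the section/interface names it matches on are the ones in those exports.

```python
# Added example, not from the thread: lint RouterOS "/export" text for the two
# problems diagnosed above (one MAC on several devices, IP config on a bridge port).
import re

# Constructed, abridged excerpts of the three exports posted in the thread.
EXPORTS = {
    "pptp-server": """\
/interface bridge
add admin-mac=CC:2D:E0:64:D3:89 auto-mac=no comment=defconf name=bridge
/interface bridge port
add bridge=bridge interface=ether2
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2 network=
    192.168.88.0
""",
    "client-1": """\
/interface bridge
add admin-mac=CC:2D:E0:64:96:9F auto-mac=no comment=defconf name=bridge
""",
    "client-2": """\
/interface bridge
add admin-mac=CC:2D:E0:64:96:9F auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether2 ] mac-address=CC:2D:E0:64:96:9F
""",
}
KV_RE = re.compile(r'(\S+?)=("[^"]*"|\S+)')   # key=value tokens, quoted values allowed

def parse_export(text):
    """[(section, {key: value})] per add/set line; wrapped continuation lines are rejoined."""
    section, cmds = None, []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" ") and cmds:           # RouterOS indents continuation lines
            sec, prev = cmds[-1]
            cmds[-1] = (sec, prev + ("" if prev.endswith(("=", ",")) else " ") + raw.strip())
        elif raw.startswith("/"):                  # menu path, e.g. /ip address
            section = raw.strip()
        else:
            cmds.append((section, raw.strip()))
    return [(sec, dict(KV_RE.findall(line))) for sec, line in cmds]

def mac_conflicts(exports):
    """{mac: [devices]} for any admin-mac/mac-address configured on more than one device."""
    owners = {}
    for dev, text in exports.items():
        for sec, kv in parse_export(text):
            for key in ("admin-mac", "mac-address"):
                if key in kv and sec.startswith("/interface"):
                    owners.setdefault(kv[key].upper(), set()).add(dev)
    return {mac: sorted(devs) for mac, devs in owners.items() if len(devs) > 1}

def ip_on_bridge_ports(exports):
    """{device: [ports]} where /ip address or /ip dhcp-client is bound to a bridge member port."""
    report = {}
    for dev, text in exports.items():
        cmds = parse_export(text)
        ports = {kv["interface"] for s, kv in cmds if s == "/interface bridge port" and "interface" in kv}
        bad = {kv["interface"] for s, kv in cmds
               if s in ("/ip address", "/ip dhcp-client") and kv.get("interface") in ports}
        if bad:
            report[dev] = sorted(bad)
    return report
```

Run against the full exports of all three devices, mac_conflicts() flags CC:2D:E0:64:96:9F on both clients and ip_on_bridge_ports() flags ether1 and ether2 on the server, which are exactly the two items to fix before re-importing.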

Well,.. sorry. I told you… Newbie. Changed config and new MAC = all working under L2TP with IPsec

Thanks a lot to everyone!!!

Hi @peinamuertos,

Sorry for this off-topic question, but I see two ARPs in your previous message list with prefix “AA:AA:AA:1B” that I have been seeking for a time without success… If you know, could you tell me what they are?
They are currently appearing in home LAN traffic analysis with a lot of bandwidth use and it’s frustrating and annoying. I think they must be about internal PoE traffic repartitors or so on… but can’t find any information regarding it on the Internet…

Many thanks and sorry for the interruption…

10 D AA:AA:AA:1B:45:C7 ether1 bridge 0s
11 D AA:AA:AA:1B:46:C7 ether1 bridge 0s

Best regards!

JM

Hi Sindy, I have been studying your posts regarding L2TP IPSEC not allowing 2 or more users from the same public IP to have internet access, but I see you have written here that L2TP without encryption is able to have more than one device have internet access. Can you help me achieve this? I stopped my non-encrypted tunnels because when I used ipsec on my phone it would sever the connection and/or stop internet… But would it work if I use IKEv2 on my mobile and kept L2TP without encryption running at the same time? Can I have more than one L2TP non-encrypted tunnel working behind the same public IP and achieve NAT correctly out of the box?

Security is not an issue; speed is, however.

Thanks in advance, I will meanwhile try to test.

Yes, multiple bare L2TP clients can connect from behind the same NAT. And bare L2TP connections do not interfere with IKEv2 in any way.

The issue L2TP/IPsec has with NAT is caused by the fact that its standard requires use of transport mode of IPsec SA. If you don’t use the dynamically generated IPsec configuration and manually set up your own one using tunnel mode of IPsec SA, you can use multiple IPsec-encrypted L2TP tunnels passing through the same NAT. But such setup is only possible with routers, not with phones; with PCs, there might be a way but I’ve never tested it, as it is much simpler to use IKEv2 on a PC than to set up this non-standard configuration.

Thank you Sindy, I will test this possible solution; at the moment I have not been successful with more than 1 bare L2TP tunnel using the same WAN IP. But I will try again, is there a particular setting I need to set for this to work harmoniously?

Just at the stage of configuring IKEv2 for laptop and phone users, I have managed to connect but just trying to push all traffic through the tunnel.

I don’t know about any. But there were some issues with L2TP in one of the recent RouterOS versions, check the release announcement topics and the changelog for 6.47(.x) and 6.48(.x).