I have a MikroTik B2011 plugged in to my BT Infinity modem. Port ether6 connects PPPOE and ether 4 is my firewall.
PPPOE gets DHCP from network and my devices have static IPs assigned.
We have a site to site VPN which will not come up. It worked when I used port ether1, but I had speed issues with that port so used ether6 instead. This fixed my speed issues but broke my VPN. Any guide on where to go next, please?
What do you mean by “Port ether6 connects PPPOE and ether 4 is my firewall.”?
Is this schematic correct?
BT Modem LAN port <=> eth6 RB2011 eth4 <=> firewall <=> your local network
Is the IP address obtained correctly on the RB2011 eth6 port? Is it a public IP or private? Do you have internet access from the RB2011? Can you post the output of /ip route print?
Yes, that's correct. PPPOE has got a DHCP address from the ISP of 81.x.x.x, and Eth 4 is in a bridge with IP address 217.x.x.38/255.255.255.248, which is my router address.
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
Is the mac address of your firewall visible in /interface bridge host print?
Is the mac address and IP address of the firewall visible in /ip arp print?
Is the firewall anyhow accessible (for example by ping, if it answers ICMP probes) from your LAN subnet (217.x.x.32/29) or from the internet?
Which side of the VPN initiates it? Is it your firewall or the other side? You can try /tool packet sniffer to see if the traffic is visible.
Have you checked the logs of the firewall? Do they say anything?
Do you have a valid IP address on each side's router?
If you have two valid IPs, one on each router, you can easily run an EoIP tunnel and have a Layer 2 connection!
But if you don't have a valid IP on each router, you can easily enable the PPTP server on your router (it must have a valid IP address to transport your traffic over the Internet), create a secret on your router, then set the remote IP address and local address, and on the other side create a PPTP client!
Is the mac address of your firewall visible in /interface bridge host print? YES
Is the mac address and IP address of the firewall visible in /ip arp print? YES
Is the firewall anyhow accessible (for example by ping, if it answers ICMP probes) from your LAN subnet (217.x.x.32/29) or from the internet? YES, the firewall is accessible from the 217.x.x.x subnet
Which side of the VPN initiates it? Is it your firewall or the other side? You can try /tool packet sniffer to see if the traffic is visible.
Have you checked the logs of the firewall? Do they say anything?
The firewall initiates the VPN on the untrusted side. A packet trace shows packets being sent but nothing returning.
So you can create a new VPN connection on your PC or laptop and test it in your LAN (connect to the ether1 port of your router directly), and check it! Can you connect to your VPN server (router)?
Strangely enough, half of this seems to have fixed it
Check under interface → bridge → port and check if ether6 has been added to the list.
If ether 1 is there, then remove that one and replace it with ether6
Also check if ether1 had an IP address assigned to it and change it to ether 6
Although Eth1 was disabled and not plugged in or being used, it was still in the bridge. I removed it and all is working. Not sure I understand why, but I'm happy it's working.