schose
just joined
Topic Author
Posts: 8
Joined: Sun Mar 04, 2018 11:20 pm

NAT EOIP

Wed Aug 08, 2018 8:29 pm

Hi forum,

I want to NAT EoIP over a RouterOS device:

Scenario: EoIP endpoint -> internet -> router (fritzbox) -> 192.168.178.2-routerosdevice1-192.168.15.1 -> 192.168.15.2-routerosdevice2

routerosdevice2 should initiate the tunnel.

I created an SNAT rule for protocol 47 for routerosdevice2 on routerosdevice1:

add action=src-nat chain=srcnat comment="snat to eoip endpoint" dst-address=185.16.111.34 log=yes log-prefix="eoip-snat allow" protocol=gre src-address=192.168.15.2 to-addresses=192.168.178.2

I created a DNAT rule for protocol 47 on routerosdevice1 to routerosdevice2:

add action=dst-nat chain=dstnat comment="tesr gre in" dst-address=192.168.178.2 in-interface=internet-port1 log=yes log-prefix=testdnat protocol=gre src-address=185.16.111.34 to-addresses=192.168.15.2

I see traffic coming from the EoIP endpoint on routerosdevice1, but it's not hitting the DNAT rule.

Do you have any advice?

Best Regards,

Andreas
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: NAT EOIP

Thu Aug 09, 2018 1:01 am

It works here. One problem can be if you first add the tunnels and only add the dstnat rules on routerosdevice1 after that. Dstnat only works for new connections, i.e. from the very first packet. GRE doesn't really have connections, but conntrack sees it as such. So if it has already seen a GRE packet, it will treat the following ones with the same source and destination as an established connection and dstnat won't touch them. You can either remove the matching entries from "/ip firewall connection" or just reboot the router.
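
The behaviour described in the reply above, as an added example that is not part of the original post and is not RouterOS code: a simplified Python model of connection tracking in which the dstnat decision is made once, for the first packet of a flow. The `Router` and `DstNatRule` classes are hypothetical, the addresses are the ones from the thread, and entry timeouts are not modelled.

```python
# Simplified model of conntrack + dstnat (an illustrative assumption, not RouterOS internals).
from dataclasses import dataclass, field

@dataclass
class DstNatRule:
    protocol: str
    src: str
    dst: str
    to_address: str

@dataclass
class Router:
    rules: list = field(default_factory=list)
    conntrack: dict = field(default_factory=dict)  # (proto, src, dst) -> forwarded dst
    rule_hits: int = 0

    def receive(self, protocol, src, dst):
        """Return the destination address the packet is forwarded to."""
        key = (protocol, src, dst)
        if key in self.conntrack:
            # Existing entry: the decision taken for the first packet is reused,
            # so the dstnat rules are not evaluated again.
            return self.conntrack[key]
        new_dst = dst
        for rule in self.rules:  # only packets that create a new entry reach dstnat
            if (rule.protocol, rule.src, rule.dst) == key:
                new_dst = rule.to_address
                self.rule_hits += 1
                break
        self.conntrack[key] = new_dst
        return new_dst

    def remove_connections(self, protocol):
        """Model of removing the matching entries from the connection table."""
        for key in [k for k in self.conntrack if k[0] == protocol]:
            del self.conntrack[key]

def demo():
    r = Router()
    pkt = ("gre", "185.16.111.34", "192.168.178.2")
    before_rule = r.receive(*pkt)   # GRE traffic seen before the rule exists
    r.rules.append(DstNatRule("gre", "185.16.111.34", "192.168.178.2", "192.168.15.2"))
    after_rule = r.receive(*pkt)    # matches the stale entry, rule never hit
    hits_stale = r.rule_hits
    r.remove_connections("gre")
    after_flush = r.receive(*pkt)   # treated as a new connection, rule applies
    return before_rule, after_rule, hits_stale, after_flush, r.rule_hits

if __name__ == "__main__":
    print(demo())
```
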
 
turnip
Frequent Visitor
Posts: 86
Joined: Wed Sep 11, 2013 7:01 pm

Re: NAT EOIP

Thu Aug 09, 2018 4:14 am

You can run EoIP over the top of L2TP. I do this when I'm connecting clients into my network who don't have public or static IPs, or who have multiple connections with failover.
