900mhzdude
Frequent Visitor
Topic Author
Posts: 51
Joined: Tue Nov 09, 2010 8:49 pm

EOIP site to site only half working

Wed Oct 31, 2018 3:21 pm

VPN was not working for our remote office so we went with EOIP with OSPF


we have a 172.19.0.0/19

at our remote office, we can access any static IP on the 172.19.0.0/19

but our CPEs (we are a WISP) get DHCP from pool 172.19.10.0 - 172.19.12.0/19


anything in that DHCP Pool we cannot access from our remote office


would this be a missing firewall rule?

I'm a bit new with Mikrotik; we had a consultant set up the EOIP but he is a bit busy

also would like to learn how to do all this myself


Thanks in advance for any help
 
900mhzdude
Frequent Visitor
Topic Author
Posts: 51
Joined: Tue Nov 09, 2010 8:49 pm

Re: EOIP site to site only half working

Wed Oct 31, 2018 3:58 pm

an update

I can ping the DHCP pool from our remote office inside the Mikrotik terminal

but not behind the NAT that is assigned to my laptop
 
jurek
just joined
Posts: 7
Joined: Wed Oct 18, 2017 3:56 pm

Re: EOIP site to site only half working

Wed Oct 31, 2018 4:18 pm

Can you provide more info?

1. I understand that the EoIP tunnel between the main and remote office is up. Are you using L3 (do both ends of the EoIP tunnel have an IP address)?
2. What is the LAN IP addressing on both sides (main, remote) that you want to communicate between?
3. Please explain where network 172.19.0.0/19 is assigned. WAN? LAN?
Maybe a draft diagram will help? :-)

4. If you are using OSPF you should see the other end's networks in the route list (IP->Routes). You can also add a log rule for OSPF and see any OSPF logs.
 
900mhzdude
Frequent Visitor
Topic Author
Posts: 51
Joined: Tue Nov 09, 2010 8:49 pm

Re: EOIP site to site only half working

Wed Oct 31, 2018 4:26 pm

172.19.0.0/19 is the LAN side of our core network

EOIP tunnel is 10.10.10.0/29

LAN Side of remote office is 10.0.0.0/24

if I give my laptop a static on 10.10.10.0/29
all works as it should

but on the IP pool (DHCP) 10.0.0.0/24 we can only talk to static IPs in the core network, not to any of the DHCP pool



seems as if we are missing a bridge or firewall rule to connect the EOIP tunnel 10.10.10.0/29 Pool to our Local NAT Pool of 10.0.0.0/24
 
xvo
Long time Member
Posts: 566
Joined: Sat Mar 03, 2018 1:12 am
Location: Moscow, Russia

Re: EOIP site to site only half working

Wed Oct 31, 2018 5:24 pm

Some things are still not clear: do you have your tunnel bridged with LAN only on one side or on both sides?
 
900mhzdude
Frequent Visitor
Topic Author
Posts: 51
Joined: Tue Nov 09, 2010 8:49 pm

Re: EOIP site to site only half working

Wed Oct 31, 2018 5:57 pm

the tunnel is a bridge to the Core network side 172.19.0.0/19

I need to bridge the EOIP tunnel IP to my Local NAT (I Think) but not sure how to do it

if I set my laptop a static on the EOIP Tunnel range everything works perfectly


I just need a DHCP Pool on the remote Mikrotik that bridges the EOIP tunnel pool


our DHCP pool right now on the remote network is only half working

but if I use a static out of the EOIP pool it works perfectly, but the consultant only set that up with a /29
and we need more IPs than that for our remote office
 
xvo
Long time Member
Posts: 566
Joined: Sat Mar 03, 2018 1:12 am
Location: Moscow, Russia

Re: EOIP site to site only half working

Wed Oct 31, 2018 6:36 pm

Please post an export from both routers.
 
900mhzdude
Frequent Visitor
Topic Author
Posts: 51
Joined: Tue Nov 09, 2010 8:49 pm

Re: EOIP site to site only half working

Wed Oct 31, 2018 6:49 pm

nope, not with all the Mikrotik security holes lately

I created a guest VLAN trying to block it and the VLAN works perfectly, so I think I just need to create a VLAN for it

thanks
 
jurek
just joined
Posts: 7
Joined: Wed Oct 18, 2017 3:56 pm

Re: EOIP site to site only half working

Thu Nov 01, 2018 1:48 am

1. An EoIP tunnel has 2 ends, so there is no reason to use a /29 mask. I suggest using 10.10.10.1/30 and 10.10.10.2/30 and forgetting about connecting anything within this IP range. Additionally I recommend enabling IPSEC on the EoIP tunnel.
2. If you are using only this one EoIP tunnel, use static routing instead of OSPF. This way you have better control.

MAIN OFFICE MIKROTIK:
/ip route
add distance=1 dst-address=10.0.0.0/24 gateway=10.10.10.x
#where 10.10.10.x is the IP of EoIP tunnel on REMOTE OFFICE MIKROTIK


REMOTE OFFICE MIKROTIK:
/ip route
add distance=1 dst-address=172.19.0.0/19 gateway=10.10.10.y
#where 10.10.10.y is the IP of EoIP tunnel on MAIN OFFICE MIKROTIK


Because you are using a layer 3 tunnel, no bridge is needed. It works almost like a site-to-site VPN.
If you have any firewall rules, be sure traffic between 172.19.0.0/19 and 10.0.0.0/24 is not dropped (denied) by any of these rules.

Hopefully it will help you fix the issue!
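The two-router setup described above, written out as an added example (it is not jurek's or the thread's own export). The WAN addresses 203.0.113.1 / 198.51.100.1, the interface names, tunnel-id=1, the pre-shared key and the remote LAN gateway 10.0.0.1 are assumed placeholders; the /30 tunnel addresses and the two LAN ranges are the ones from the thread.

```routeros
# ---- MAIN OFFICE MIKROTIK (assumed WAN address 203.0.113.1) ----
# ipsec-secret makes RouterOS create the IPsec peer/policy for the tunnel automatically;
# tunnel-id must match on both ends.
/interface eoip
add name=eoip-remote remote-address=198.51.100.1 tunnel-id=1 \
    ipsec-secret="REPLACE-WITH-LONG-RANDOM-PSK" comment="EoIP to remote office"
# one /30 per tunnel: one address per end, nothing else lives in this range
/ip address
add address=10.10.10.1/30 interface=eoip-remote
# static route to the remote LAN via the far end of the tunnel
/ip route
add distance=1 dst-address=10.0.0.0/24 gateway=10.10.10.2

# ---- REMOTE OFFICE MIKROTIK (assumed WAN address 198.51.100.1) ----
/interface eoip
add name=eoip-main remote-address=203.0.113.1 tunnel-id=1 \
    ipsec-secret="REPLACE-WITH-LONG-RANDOM-PSK" comment="EoIP to main office"
/ip address
add address=10.10.10.2/30 interface=eoip-main
/ip route
add distance=1 dst-address=172.19.0.0/19 gateway=10.10.10.1

# Firewall rules are evaluated top-down, so the site-to-site accept rules go in
# ahead of any existing drop rule (place-before=0 puts them at the top of the chain).
/ip firewall filter
add chain=forward action=accept src-address=10.0.0.0/24 dst-address=172.19.0.0/19 \
    comment="remote LAN -> core" place-before=0
add chain=forward action=accept src-address=172.19.0.0/19 dst-address=10.0.0.0/24 \
    comment="core -> remote LAN" place-before=0

# Checks on the remote router: the route is installed, a LAN-sourced ping crosses
# the tunnel, and an IPsec SA actually exists (i.e. the tunnel is not running in clear).
/ip route print where dst-address=172.19.0.0/19
/ping 172.19.0.1 src-address=10.0.0.1 count=3
/ip ipsec installed-sa print
```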
 
900mhzdude
Frequent Visitor
Topic Author
Posts: 51
Joined: Tue Nov 09, 2010 8:49 pm

Re: EOIP site to site only half working

Thu Nov 01, 2018 3:18 am

Thanks for the help

Issue was an IP conflict with the NAT side of our CPEs; changed the office IP range to 192 and it is working perfectly now


Now my issue is that no matter what I do to lock down the guest VLAN to block access to the main network, it can still reach the router on the other side of the EOIP. I will play with adding drop rules to that router tomorrow


Just odd: I told it to drop anything from 192.168.25.0/24 to 172.19.0.0/19 and it blocks all access to 172 except the router on that network, and guest can still ping anything on that network

Been searching all over Google for the firewall rules I'm missing but nothing yet

is there a way to stop inter VLAN routing on the guest VLAN?
Seems like that should be default
 
jurek
just joined
Posts: 7
Joined: Wed Oct 18, 2017 3:56 pm

Re: EOIP site to site only half working

Thu Nov 01, 2018 4:25 am

This can be solved with firewall rules.
There are a lot of examples of how to build a good and simple firewall, so you will definitely find something that fits your scenario.

My recommendation, or I should say the Mikrotik gurus' recommendation :-), is to use address lists and use them in firewall rules (not IPs directly), so this way you can easily control traffic in the future.

Good luck!
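The address-list approach recommended above, applied to the guest-VLAN case from this thread, as an added example (not configuration from jurek or the original poster). Assumed names and values: the guest VLAN interface is vlan-guest, the WAN interface is ether1-wan, the EoIP interface on the main router is eoip-remote, and the remote office LAN is 192.168.1.0/24; 192.168.25.0/24, 172.19.0.0/19 and 10.10.10.0/30 are from the thread.

```routeros
# ---- REMOTE OFFICE MIKROTIK ----
# Name the networks once; every rule below refers to the list, not to raw addresses,
# so adding a subnet later is one address-list entry instead of a new rule.
/ip firewall address-list
add list=guest address=192.168.25.0/24 comment="guest VLAN"
add list=corp  address=172.19.0.0/19   comment="core network behind EoIP"
add list=corp  address=10.10.10.0/30   comment="EoIP tunnel /30"
add list=corp  address=192.168.1.0/24  comment="remote office LAN (assumed)"

/ip firewall filter
# input chain = traffic addressed to this router itself.
# Guests only need DHCP and DNS from the router; everything else from the VLAN is dropped.
add chain=input action=accept connection-state=established,related
add chain=input action=accept in-interface=vlan-guest protocol=udp dst-port=67,53 \
    comment="guest: DHCP/DNS to this router"
add chain=input action=drop in-interface=vlan-guest comment="guest: nothing else to this router"

# forward chain = routed transit traffic. Keep these above any broad accept rule.
add chain=forward action=accept connection-state=established,related
add chain=forward action=drop src-address-list=guest dst-address-list=corp \
    comment="guest: no access to corp/tunnel/core"
add chain=forward action=accept src-address-list=guest out-interface=ether1-wan \
    comment="guest: internet only"
add chain=forward action=drop src-address-list=guest comment="guest: drop anything else"

# ---- MAIN OFFICE MIKROTIK ----
# Its own addresses sit inside 172.19.0.0/19 and are reached via its input chain,
# so it protects itself independently of whatever the remote router filters.
/ip firewall address-list
add list=guest address=192.168.25.0/24 comment="remote office guest VLAN"
/ip firewall filter
add chain=input action=drop src-address-list=guest in-interface=eoip-remote \
    comment="guest: no access to this router"

# Check: packet/byte counters on the guest rules should climb while a guest host tests access
/ip firewall filter print stats where src-address-list=guest
```

These rules only see routed traffic: if the guest VLAN and the EoIP tunnel are ports of the same bridge, frames are switched at layer 2 and bypass the IP firewall unless `/interface bridge settings set use-ip-firewall=yes` is enabled.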
