> Suggest reading this source if you're keen to do the VLAN router method: viewtopic.php?f=13&t=143620
Thank you so much for the link! It helped a lot! Very good tutorial!
> I hope I can set a domain name for the remote host instead of the IP.
You can, and it even auto-updates the IP number if it changes dynamically.
> The WAN side firewall will be interesting; what do I have to open for EoIP?
Actually nothing in addition to what you've already opened to permit IPsec. EoIP is a special use of GRE, and as GRE has no notion of ports, the connection tracker only uses source and destination IP addresses as the connection ID. And as both ends actively send the GRE packets and the default firewall permits everything that is sent by the router itself, the tracked connection is established at each end by the first packet sent by that end, and the received packets then match connection-state=established.
> The local endpoint can only be an IP in the EoIP settings. My WAN IP is assigned dynamically via DHCP. You meant that this IP will be updated automatically when the WAN port gets a new one, right?
Unfortunately not. What I had in mind was only that if your WAN address is a dynamically changing public one and you're subscribed to one of the DDNS services (such as Mikrotik's /ip cloud), you can use the domain name as the remote-address parameter of the /interface eoip, and RouterOS will track the changes and update the remote IP accordingly.
Code:
[admin@router.local.example.com] > /ip ipsec peer print
Flags: X - disabled, D - dynamic, R - responder
0 D ;;; eoip-tunnel-Zoldmali
name="peer17" address=a.b.5.107/32 local-address=172.20.0.1 profile=default exchange-mode=main send-initial-contact=yes
1 R name="peer1" passive=yes profile=profile_1 exchange-mode=main send-initial-contact=yes
[admin@router.local.example.com] > /ip ipsec remote-peers print
Flags: R - responder, N - natt-peer
# ID STATE REMOTE-ADDRESS DYNAMIC-ADDRESS UPTIME
0 message-1-sent a.b.5.107
1 R message-2-sent a.b.5.107
[admin@router.local.example.com] > /ip ipsec policy print
Flags: T - template, X - disabled, D - dynamic, I - invalid, A - active, * - default
0 T * group=default src-address=::/0 dst-address=::/0 protocol=all proposal=default template=yes
1 DA ;;; eoip-tunnel-Zoldmali
src-address=172.20.0.1/32 src-port=any dst-address=a.b.5.107/32 dst-port=any protocol=gre action=encrypt level=require
ipsec-protocols=esp tunnel=no proposal=default ph2-count=1
[admin@router.local.example.com] >
Code:
[admin@zoldmali.intra.example.com] > /ip ipsec peer print
Flags: X - disabled, D - dynamic, R - responder
0 D ;;; eoip-tunnel-Ostoros
name="peer8" address=x.y.200.185/32 local-address=a.b.5.107 profile=default exchange-mode=main send-initial-contact=yes
[admin@zoldmali.intra.example.com] > /ip ipsec remote-peers print
Flags: R - responder, N - natt-peer
# ID STATE REMOTE-ADDRESS DYNAMIC-ADDRESS UPTIME
0 message-3-sent x.y.200.185
[admin@zoldmali.intra.example.com] > /ip ipsec policy print
Flags: T - template, X - disabled, D - dynamic, I - invalid, A - active, * - default
0 T * group=default src-address=::/0 dst-address=::/0 protocol=all proposal=default template=yes
1 DA ;;; eoip-tunnel-Ostoros
src-address=a.b.5.107/32 src-port=any dst-address=x.y.200.185/32 dst-port=any protocol=gre action=encrypt level=require ipsec-protocols=esp tunnel=no proposal=default ph2-count=1
It never came to my mind to try to push VLANs through a L2TP tunnel in bridge mode, but I've expected it would be enough to configure the /interface bridge port and /interface bridge vlan items also for the L2TP interfaces. However, it seems RouterOS is not ready for this (at least as of 6.44.3). Whereas it adds the L2TP interfaces dynamically to the /interface bridge port list, albeit under the .id instead of the name, even after adding it (also using the .id) to /interface bridge vlan, the frames don't get through if vlan-filtering=yes on the bridges - even the tagless ones don't. If vlan-filtering=no, both tagless and tagged frames do get tunneled, but that doesn't help you much.
So if you really need to tunnel L2 to another site via L3 network, use IPsec-encrypted EoIP rather than IPsec-encrypted L2TP with bridge mode activated.
> Have you tried the above with L2TP and bridging control protocol?
"L2TP tunnel in bridge mode" and "L2TP and bridging control protocol" are the same thing.
> But I've understood from what you wrote earlier that both ends have a dynamic public IP, so both need to be configured with the other one's domain name, is that true?
Yes, that's true. Both ends have dynamic IPs that change quite rarely. The initial state is an EoIP tunnel with manually configured local IP addresses at both ends. It works fine already, but the dstnat-ed version.
Code:
[admin@router.intra.example.com] > /ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; EoIP DDNS
chain=srcnat action=accept protocol=gre log=no log-prefix=""
1 ;;; default configuration
chain=srcnat action=masquerade out-interface-list=WAN log=no log-prefix=""
2 I ;;; university VPN
;;; sstp-UNIV not ready
chain=srcnat action=masquerade out-interface=sstp-UNIV
3 ;;; EoIP DDNS
chain=dstnat action=dst-nat to-addresses=172.20.0.1 to-ports=500 protocol=udp in-interface-list=WAN log=no log-prefix=""
4 ;;; EoIP DDNS
chain=dstnat action=dst-nat to-addresses=172.20.0.1 to-ports=4500 protocol=udp in-interface-list=WAN log=no log-prefix=""
5 ;;; HTTP
chain=dstnat action=dst-nat to-addresses=192.168.0.6 to-ports=80 protocol=tcp in-interface-list=WAN dst-port=80 log=no log-prefix=""
6 ;;; HTTPS
chain=dstnat action=dst-nat to-addresses=192.168.0.6 to-ports=443 protocol=tcp in-interface-list=WAN dst-port=443 log=no log-prefix=""
7 ;;; SSH
chain=dstnat action=dst-nat to-addresses=192.168.0.6 to-ports=22 protocol=tcp in-interface-list=WAN dst-port=22 log=no log-prefix=""
8 X ;;; SMTP
chain=dstnat action=dst-nat to-addresses=192.168.0.199 to-ports=25 protocol=tcp in-interface-list=WAN dst-port=25 log=no log-prefix=""
9 ;;; torrent kliens
chain=dstnat action=dst-nat to-addresses=192.168.0.1 to-ports=60995-60999 protocol=tcp in-interface-list=WAN dst-port=60995 log=no log-prefix=""
10 ;;; szerver torrent kliens
chain=dstnat action=dst-nat to-addresses=192.168.0.6 to-ports=51413 protocol=tcp in-interface-list=WAN dst-port=51413 log=no log-prefix=""
11 ;;; Syncthing (Gabor1)
chain=dstnat action=dst-nat to-addresses=192.168.0.1 to-ports=22000 protocol=tcp in-interface-list=WAN dst-port=22000 log=no log-prefix=""
[admin@router.intra.example.com] > /ip ipsec peer print
Flags: X - disabled, D - dynamic, R - responder
0 D ;;; eoip-tunnel-Zoldmali
name="peer21" address=x.x.5.107/32 local-address=172.20.0.1 profile=default exchange-mode=main send-initial-contact=yes
1 R name="peer1" passive=yes profile=profile_1 exchange-mode=main send-initial-contact=yes
[admin@router.intra.example.com] > /ip ipsec remote-peers print
Flags: R - responder, N - natt-peer
# ID STATE REMOTE-ADDRESS DYNAMIC-ADDRESS UPTIME
0 R message-2-sent x.x.5.107
1 message-1-sent x.x.5.107
Code:
[admin@router.intra.example.com] > /ip ipsec remote-peers print
Flags: R - responder, N - natt-peer
# ID STATE REMOTE-ADDRESS DYNAMIC-ADDRESS UPTIME
0 message-1-sent x.x.5.107
[admin@router.intra.example.com] > /ip ipsec peer print
Flags: X - disabled, D - dynamic, R - responder
0 D ;;; eoip-tunnel-Zoldmali
name="peer23" address=x.x.5.107/32 local-address=172.20.0.1 profile=default exchange-mode=main send-initial-contact=yes
1 X R name="peer1" passive=yes profile=profile_1 exchange-mode=main send-initial-contact=yes
[me@clienTik] > ip ipsec peer print where dynamic
Flags: X - disabled, D - dynamic, R - responder
0 D ;;; eoip1
name="peer8" address=192.168.5.1/32 local-address=192.168.163.1 profile=default exchange-mode=main send-initial-contact=yes
[me@clienTik] > ip ipsec policy print where (!disabled)
Flags: T - template, X - disabled, D - dynamic, I - invalid, A - active, * - default
0 T * group=default src-address=::/0 dst-address=::/0 protocol=all proposal=default template=yes
1 DA ;;; eoip1
src-address=192.168.163.1/32 src-port=any dst-address=192.168.5.1/32 dst-port=any protocol=gre action=encrypt level=require ipsec-protocols=esp tunnel=no proposal=default
ph2-count=2
[me@clienTik] > ip ipsec remote-peers print
Flags: R - responder, N - natt-peer
# ID STATE REMOTE-ADDRESS DYNAMIC-ADDRESS UPTIME
0 R established 192.168.5.1 5m44s
1 established 192.168.5.1 5m41s
[me@clienTik] > ip firewall connection print detail where (src-address~"192.168.5.1(\$|:)" or dst-address~"192.168.5.1(\$|:)") and !(protocol~"tcp|icmp") and !(dst-address~":524[67]|:5678")
Flags: E - expected, S - seen-reply, A - assured, C - confirmed, D - dying, F - fasttrack, s - srcnat, d - dstnat
0 SAC d protocol=udp src-address=192.168.5.1:4500 dst-address=192.168.5.100:4500 reply-src-address=192.168.163.1:4500 reply-dst-address=192.168.5.1:4500 timeout=2m59s
orig-packets=78 orig-bytes=8 020 orig-fasttrack-packets=0 orig-fasttrack-bytes=0 repl-packets=76 repl-bytes=6 411 repl-fasttrack-packets=0 repl-fasttrack-bytes=0
orig-rate=640bps repl-rate=0bps
1 C protocol=gre src-address=192.168.163.1 dst-address=192.168.5.1 reply-src-address=192.168.5.1 reply-dst-address=192.168.163.1 gre-key=256 timeout=23s orig-packets=40
orig-bytes=1 120 orig-fasttrack-packets=0 orig-fasttrack-bytes=0 repl-packets=0 repl-bytes=0 repl-fasttrack-packets=0 repl-fasttrack-bytes=0 orig-rate=0bps
repl-rate=0bps
2 C protocol=gre src-address=192.168.5.1 dst-address=192.168.163.1 reply-src-address=192.168.163.1 reply-dst-address=192.168.5.1 gre-key=256 timeout=23s orig-packets=38
orig-bytes=1 064 orig-fasttrack-packets=0 orig-fasttrack-bytes=0 repl-packets=0 repl-bytes=0 repl-fasttrack-packets=0 repl-fasttrack-bytes=0 orig-rate=0bps
repl-rate=0bps
[me@serverTik] > ip ipsec peer print where dynamic
Flags: X - disabled, D - dynamic, R - responder
0 D ;;; eoip1
name="peer8829" address=192.168.5.100/32 local-address=192.168.5.1 profile=default exchange-mode=main send-initial-contact=yes
[me@serverTik] > ip ipsec policy print where dynamic
Flags: T - template, X - disabled, D - dynamic, I - invalid, A - active, * - default
0 DA ;;; eoip1
src-address=192.168.5.1/32 src-port=any dst-address=192.168.5.100/32 dst-port=any protocol=gre action=encrypt level=require ipsec-protocols=esp tunnel=no proposal=default
ph2-count=2
[me@serverTik] > ip ipsec remote-peers print
Flags: R - responder, N - natt-peer
# ID STATE REMOTE-ADDRESS DYNAMIC-ADDRESS UPTIME
0 RN established 192.168.5.100 9m4s
1 N established 192.168.5.100 9m7s
[me@serverTik] > ip firewall connection print detail where (dst-address~"192.168.5.100" or src-address~"192.168.5.100") and !(protocol~"tcp|icmp") and !(dst-address~":524[67]")
Flags: E - expected, S - seen-reply, A - assured, C - confirmed, D - dying, F - fasttrack, s - srcnat, d - dstnat
0 SAC protocol=udp src-address=192.168.5.1:4500 dst-address=192.168.5.100:4500 reply-src-address=192.168.5.100:4500 reply-dst-address=192.168.5.1:4500 timeout=2m55s
orig-packets=110 orig-bytes=10 297 orig-fasttrack-packets=0 orig-fasttrack-bytes=0 repl-packets=109 repl-bytes=8 717 repl-fasttrack-packets=0 repl-fasttrack-bytes=0
orig-rate=0bps repl-rate=0bps
1 C protocol=gre src-address=192.168.5.100 dst-address=192.168.5.1 reply-src-address=192.168.5.1 reply-dst-address=192.168.5.100 gre-key=256 timeout=25s orig-packets=57
orig-bytes=1 596 orig-fasttrack-packets=0 orig-fasttrack-bytes=0 repl-packets=0 repl-bytes=0 repl-fasttrack-packets=0 repl-fasttrack-bytes=0 orig-rate=0bps
repl-rate=0bps
2 C protocol=gre src-address=192.168.5.1 dst-address=192.168.5.100 reply-src-address=192.168.5.100 reply-dst-address=192.168.5.1 gre-key=256 timeout=25s orig-packets=57
orig-bytes=1 596 orig-fasttrack-packets=0 orig-fasttrack-bytes=0 repl-packets=0 repl-bytes=0 repl-fasttrack-packets=0 repl-fasttrack-bytes=0 orig-rate=0bps
repl-rate=0bps
> I'm just wondering out loud what the problem could be. I have PPTP and L2TP VPN servers on this end. Can that be the problem? Should fast forward be on or off on the bridge where the 172.20.0.1 IP is?
The bridge should have no ports, so the packets actually don't go through the bridge at all; it is just a hook to hang the local IP on.
Code:
[admin@zoldmali.intra.example.com] > /ip firewall connection print detail where src-address~":4\?500" or dst-address~":4\?500"
Flags: E - expected, S - seen-reply, A - assured, C - confirmed, D - dying, F - fasttrack, s - srcnat, d - dstnat
0 SAC protocol=udp src-address=x.y.5.107:500 dst-address=a.b.200.185:500 reply-src-address=a.b.200.185:500 reply-dst-address=x.y.5.107:500 timeout=2m55s orig-packets=6 099 orig-bytes=1 015 168 orig-fasttrack-packets=0
orig-fasttrack-bytes=0 repl-packets=5 013 repl-bytes=733 896 repl-fasttrack-packets=0 repl-fasttrack-bytes=0 orig-rate=0bps repl-rate=0bps
[admin@zoldmali.intra.example.com] > /ip ipsec peer print
Flags: X - disabled, D - dynamic, R - responder
0 D ;;; eoip-tunnel-Ostoros
name="peer9" address=a.b.200.185/32 local-address=x.y.5.107 profile=default exchange-mode=main send-initial-contact=yes
[admin@zoldmali.intra.example.com] > /interface eoip print
Flags: X - disabled, R - running
0 name="eoip-tunnel-Ostoros" mtu=1500 actual-mtu=1500 l2mtu=65535 mac-address=02:8D:2E:10:ED:D5 arp=enabled arp-timeout=auto loop-protect=default loop-protect-status=off loop-protect-send-interval=5s loop-protect-disable-time=5m
local-address=x.y.5.107 remote-address=home.example.com current-remote-address=a.b.200.185 tunnel-id=500 keepalive=10s,10 dscp=inherit clamp-tcp-mss=yes dont-fragment=no ipsec-secret="somethingverysecretpassword-NOT-THE-REAL" allow-fast-path=no
Code:
[admin@router.intra.example.com] > /ip firewall connection print detail where src-address~":4\?500" or dst-address~":4\?500"
Flags: E - expected, S - seen-reply, A - assured, C - confirmed, D - dying, F - fasttrack, s - srcnat, d - dstnat
0 SAC F protocol=tcp src-address=192.168.0.249:50051 dst-address=192.168.0.248:554 reply-src-address=192.168.0.248:554
reply-dst-address=192.168.0.249:50051 tcp-state=established timeout=23h59m59s orig-packets=5 380 148 orig-bytes=216 617 382
orig-fasttrack-packets=0 orig-fasttrack-bytes=0 repl-packets=7 264 270 repl-bytes=5 164 107 870 repl-fasttrack-packets=0 repl-fasttrack-bytes=0
orig-rate=17.2kbps repl-rate=213.4kbps
1 SAC protocol=udp src-address=a.b.200.185:500 dst-address=x.y.5.107:500 reply-src-address=x.y.5.107:500 reply-dst-address=a.b.200.185:500
timeout=2m51s orig-packets=5 002 orig-bytes=731 016 orig-fasttrack-packets=0 orig-fasttrack-bytes=0 repl-packets=6 085 repl-bytes=1 012 664
repl-fasttrack-packets=0 repl-fasttrack-bytes=0 orig-rate=0bps repl-rate=0bps
2 SAC F protocol=tcp src-address=192.168.0.249:50040 dst-address=192.168.0.248:554 reply-src-address=192.168.0.248:554
reply-dst-address=192.168.0.249:50040 tcp-state=established timeout=4m59s orig-packets=31 337 506 orig-bytes=1 255 000 250
orig-fasttrack-packets=0 orig-fasttrack-bytes=0 repl-packets=63 081 209 repl-bytes=87 859 385 452 repl-fasttrack-packets=0 repl-fasttrack-bytes=0
orig-rate=137.2kbps repl-rate=9.3Mbps
3 C s protocol=udp src-address=172.20.0.1:500 dst-address=x.y.5.107:500 reply-src-address=x.y.5.107:500 reply-dst-address=a.b.200.185:119
timeout=3s orig-packets=2 orig-bytes=976 orig-fasttrack-packets=0 orig-fasttrack-bytes=0 repl-packets=0 repl-bytes=0 repl-fasttrack-packets=0
repl-fasttrack-bytes=0 orig-rate=0bps repl-rate=0bps
[admin@router.intra.example.com] > /ip ipsec peer print
Flags: X - disabled, D - dynamic, R - responder
0 D ;;; eoip-tunnel-Zoldmali
name="peer30" address=x.y.5.107/32 local-address=172.20.0.1 profile=default exchange-mode=main send-initial-contact=yes
1 X R name="peer1" passive=yes profile=profile_1 exchange-mode=main send-initial-contact=yes
[admin@router.intra.example.com] > /interface eoip print
Flags: X - disabled, R - running
0 R name="eoip-tunnel-Zoldmali" mtu=1500 actual-mtu=1500 l2mtu=65535 mac-address=02:77:DB:60:AC:F6 arp=enabled arp-timeout=auto loop-protect=default
loop-protect-status=off loop-protect-send-interval=5s loop-protect-disable-time=5m local-address=172.20.0.1 remote-address=zoldmali.example.com
current-remote-address=x.y.5.107 tunnel-id=500 dscp=inherit clamp-tcp-mss=yes dont-fragment=no ipsec-secret="somethingverysecretpassword-NOT-THE-REAL"
allow-fast-path=no
Code:
[admin@router.intra.example.com] > /ip ipsec remote-peers print terse
0 RN local-address=172.20.0.1 port=4500 remote-address=x.y.5.107 port=1024 state=established side=responder uptime=4m29s last-seen=29s
1 N local-address=172.20.0.1 port=4500 remote-address=x.y.5.107 port=4500 state=established side=initiator uptime=4m20s last-seen=20s
[admin@zoldmali.intra.example.com] > /ip ipsec remote-peers print terse
0 RN local-address=x.y.5.107 port=4500 remote-address=a.b.81.15 port=4500 state=established side=responder uptime=4m13s last-seen=13s
1 N local-address=172.20.0.2 port=4500 remote-address=a.b.81.15 port=4500 state=established side=initiator uptime=4m21s last-seen=21s
> At both ends I can see a 'responder' and an 'initiator' in the IPsec remote peers. The strange thing is that the two ends are different, meaning that at one end there is only a private IP as local address, while at the other a public IP is used for the responder. Is this okay? If yes, why?
The mere fact that there is both an initiator-mode and a responder-mode remote peer at each end is OK. There are no "client" and "server" roles for the endpoints of EoIP (or GRE in general, or IPIP) tunnels (which is a difference compared to L2TP), so the dynamically generated IPsec peers for these types of tunnels cannot be restricted to the responder role at either end.
Code:
[admin@zoldmali.intra.example.com] > /ip firewall nat print terse
0 comment=EoIP DDNS chain=srcnat action=accept protocol=gre src-address=172.20.0.2 log=no log-prefix=""
1 comment=default configuration chain=srcnat action=masquerade out-interface=ether1-gateway log=no log-prefix=""
2 comment=EoIP DDNS chain=dstnat action=dst-nat to-addresses=172.20.0.2 to-ports=500 protocol=udp in-interface=ether1-gateway dst-port=500 log=no log-prefix=""
3 comment=EoIP DDNS chain=dstnat action=dst-nat to-addresses=172.20.0.2 to-ports=4500 protocol=udp in-interface=ether1-gateway dst-port=4500 log=no log-prefix=""
4 comment=torrent chain=dstnat action=dst-nat to-addresses=192.168.2.3 to-ports=60001 protocol=tcp in-interface=ether1-gateway dst-port=60001 log=no log-prefix=""
5 X comment=Picur HTTP chain=dstnat action=dst-nat to-addresses=192.168.2.9 to-ports=80 protocol=tcp in-interface=ether1-gateway dst-port=80 log=no log-prefix=""
6 comment=Anita Docker Container SSH chain=dstnat action=dst-nat to-addresses=192.168.2.8 to-ports=4567 protocol=tcp in-interface=ether1-gateway dst-port=4567 log=yes log-prefix=Anita Docker SSH kapcsolat
> I checked the end where the issue happened and the rules were in a different order: first accept gre, then the two dst-nat and finally the default masquerade. I moved the default masquerade rule to 2nd place, right after the accept gre, and now the two ends work the same way with private IP.
One more clarification: the order of rules does matter, but only within the same chain (srcnat or dstnat in the case of /ip firewall nat). So whether you put all srcnat rules first and then all dstnat rules, or whether you interleave the rules belonging to these two chains while maintaining their mutual order within each chain, only affects the amount of headache when someone (e.g. yourself three months later) has to read the rules, not the firewall operation.
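The per-chain first-match behaviour described above, as an added Python model (not RouterOS code and not from the thread): it uses the zoldmali end's "EoIP DDNS" NAT rules and default masquerade quoted earlier and shows that interleaving srcnat and dstnat rules changes no decision, while moving the masquerade ahead of the accept-gre rule inside srcnat does. The interface names, the LAN client and the 203.0.113.10 destination are assumptions.

```python
"""Model of RouterOS /ip firewall nat evaluation (added illustration, not RouterOS code):
each chain is walked top to bottom and the first matching rule decides; the srcnat and
dstnat chains never see each other's rules. Addresses are those printed in the thread,
except 203.0.113.10, which is a constructed example destination."""
from dataclasses import dataclass
from typing import Optional
WAN_IP = "x.y.5.107"  # public address of the zoldmali end, as printed in the thread

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dst_port: Optional[int] = None
    in_iface: str = "bridge"           # arrives from the LAN unless stated otherwise
    out_iface: str = "ether1-gateway"  # leaves via the WAN unless stated otherwise

@dataclass(frozen=True)
class Rule:
    chain: str   # "srcnat" or "dstnat"
    action: str  # "accept", "masquerade" or "dst-nat"
    proto: Optional[str] = None
    src: Optional[str] = None
    dst_port: Optional[int] = None
    in_iface: Optional[str] = None
    out_iface: Optional[str] = None
    to: Optional[str] = None           # "address:port" target of a dst-nat rule
    def matches(self, p: Packet) -> bool:  # an unset matcher (None) matches anything
        return all(w is None or w == h for w, h in ((self.proto, p.proto), (self.src, p.src),
                   (self.dst_port, p.dst_port), (self.in_iface, p.in_iface), (self.out_iface, p.out_iface)))

def run_chain(rules, chain: str, p: Packet) -> str:
    """One chain's decision: first match wins; no match (or accept) leaves the packet untouched."""
    for r in rules:
        if r.chain == chain and r.matches(p):
            if r.action == "masquerade":
                return f"src->{WAN_IP}"
            if r.action == "dst-nat":
                return f"dst->{r.to}"
            return "untouched"
    return "untouched"

def nat_decision(rules, p: Packet) -> tuple:
    return run_chain(rules, "dstnat", p), run_chain(rules, "srcnat", p)

# Rules of the zoldmali end: the "EoIP DDNS" rules plus the default masquerade.
def eoip_dnat(port: int) -> Rule:
    return Rule("dstnat", "dst-nat", proto="udp", dst_port=port, in_iface="ether1-gateway",
                to=f"172.20.0.2:{port}")
ACCEPT_GRE = Rule("srcnat", "accept", proto="gre", src="172.20.0.2")
MASQUERADE = Rule("srcnat", "masquerade", out_iface="ether1-gateway")
GROUPED = [ACCEPT_GRE, MASQUERADE, eoip_dnat(500), eoip_dnat(4500)]      # all srcnat, then all dstnat
INTERLEAVED = [eoip_dnat(500), ACCEPT_GRE, eoip_dnat(4500), MASQUERADE]  # same order within each chain
SWAPPED = [MASQUERADE, ACCEPT_GRE, eoip_dnat(500), eoip_dnat(4500)]      # masquerade before accept gre

SAMPLES = (
    Packet("gre", "172.20.0.2", "a.b.200.185"),                              # GRE towards the peer
    Packet("udp", "a.b.200.185", WAN_IP, 4500, "ether1-gateway", "bridge"),  # NAT-T from the peer
    Packet("tcp", "192.168.2.3", "203.0.113.10", 443),                       # LAN client browsing
)
def same_decisions(a, b) -> bool:
    return all(nat_decision(a, p) == nat_decision(b, p) for p in SAMPLES)
```

With SWAPPED the GRE packet from 172.20.0.2 is masqueraded before the accept rule can see it, which is exactly the within-chain ordering that matters.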