Keanoj
just joined
Topic Author
Posts: 7
Joined: Fri Dec 04, 2020 2:43 am

EOIP behind existing firewall

Fri Dec 04, 2020 3:08 am

Hi all,
I'm new to Mikrotik and would like some advice on implementing EOIP.
I have a Sonicwall and want to install a Mikrotik behind it to allow me to set up an EOIP tunnel between 2 sites.
Let's keep it simple and assume my site 1 LAN is 192.168.1.0/24,
Sonicwall is .254

Assuming I want to bridge the LAN subnet, what IP do I give my WAN and LAN interfaces on my Mikrotik?
How do I connect on site 2? Do I create a DMZ and port forward PPTP again to that?
I have documentation on Mikrotik and how to configure EOIP, but these are directly connected; I'm just unsure how to implement it on a site that already has existing firewalls.

Thanks in advance
 
Keanoj

Re: EOIP behind existing firewall

Mon Jan 11, 2021 6:52 pm

Anyone care to help me on this?
 
sindy
Forum Guru
Posts: 6660
Joined: Mon Dec 04, 2017 9:19 pm

Re: EOIP behind existing firewall

Mon Jan 11, 2021 7:11 pm

First of all, EoIP is an application using GRE as its carrier protocol, so you either need some kind of L3 VPN to the other site already provided by the Sonicwall, or you need to create such a VPN between the Mikrotiks, which assumes that at least one of the sites has a public IP address. In the unlikely case that you didn't care about encryption of the tunnel, it would be enough that both the Sonicwall and the firewall at the remote site would forward GRE packets arriving at their WAN from the remote site to the Mikrotiks' IPs, but in this case, you'd need both sites to have a public address.

On the other hand, if you will create your own VPN between the Mikrotiks, EoIP may not be the best choice for your purpose.

So you can see that you have to consider multiple aspects, and to get proper advice, you have to provide more details about the existing and intended setup and topology at both sites.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
Keanoj

Re: EOIP behind existing firewall

Mon Jan 11, 2021 7:57 pm

Thanks for getting back to me, Sindy. Just to clarify, let's take a very simple 2-site configuration.
I have a Sonicwall in each site; there is a site-to-site VPN set up and working between the two. Obviously Site 2 is a different subnet.
Let's say Sonicwall Site 1 is 192.168.1.254 and Sonicwall Site 2 is 192.168.2.254. My goal is to extend the 192.168.1.0/24 subnet to site 2 across the Sonicwall VPNs.
So let's say I have a Mikrotik device1 at 192.168.1.253 and a MikroTik device2 at 192.168.2.253 on the other side (the devices can ping each other).
My confusion is around how to connect MikroTik device 2. One port obviously has to be on the 192.168.2.0/24 subnet, and I presume another port must be bridged so that anything plugged into it would be on the 192.168.1.0 subnet.
This is the part I'm not sure how to achieve.
I hope this makes sense?
 
Keanoj

Re: EOIP behind existing firewall

Mon Jan 11, 2021 7:58 pm

I'll do up a quick diagram
 
sindy

Re: EOIP behind existing firewall

Mon Jan 11, 2021 8:02 pm

No need given the description in the previous post. I'll come back in a while.
 
Keanoj

Re: EOIP behind existing firewall

Mon Jan 11, 2021 8:19 pm

 
Keanoj

Re: EOIP behind existing firewall

Mon Jan 11, 2021 8:22 pm

No need given the description in the previous post. I'll come back in a while.
Appreciate this Sindy thanks
 
sindy

Re: EOIP behind existing firewall  [SOLVED]

Mon Jan 11, 2021 9:20 pm

As you've properly concluded yourself, you need a bridge. So let's say that currently, 192.168.1.253/24 is statically configured at ether1 directly. So you do the following:
  • /interface bridge add name=br-x
  • Now press Ctrl-X to get to safe mode if you are connected via ether1
  • /interface bridge port add bridge=br-x interface=ether1 ; /ip address set [find interface=ether1] interface=br-x
  • if you don't lose connection, you can press Ctrl-X again to leave safe mode and remove the changes above from the rollback buffer (of course do not press it now if you didn't press it in the step above)
  • if some IP firewall rules are used at the Mikrotik, replace ether1 by br-x everywhere
Next, you set up the EoIP tunnel:
/interface eoip add name=eoip-site2 local-address=192.168.1.253 remote-address=192.168.2.253 mtu=1500 disabled=yes
Setting the MTU is very important, as if you leave it at auto, it will adjust to the actual MTU of the port through which the tunnel transport packets will leave, minus the EoIP header. But as the MTU of a bridge is automatically set to the lowest MTU of all the ones reported by member ports, and as in this particular setup the EoIP transport packets leave through the bridge, the MTU would decrease to 0 in a few steps as soon as you'd make the EoIP a member port of the bridge. If you force the MTU of the EoIP to 1500, it will accept large enough Ethernet frames to carry the 1500-byte IP packets at the tunnel interface, and silently fragment them into small enough transport packets if necessary.

Now you can add the EoIP interface to the same bridge as ether1:
/interface bridge port add bridge=br-x interface=eoip-site2

At the other site, the interface to which 192.168.2.253/24 is attached stays alone (as you don't want the two subnets to share the same L2 segment). So the EoIP tunnel there will be set using
/interface eoip add name=eoip-site1 local-address=192.168.2.253 remote-address=192.168.1.253 mtu=1500 disabled=yes

If you use the default firewall on the Mikrotiks, add protocol=!gre to the action=drop connection-state=invalid rule in chain input of /ip firewall filter
Once done, you can enable the EoIP tunnel interfaces at both ends.

Now you have to make the EoIP tunnel interface at Mikrotik 2 and the Ethernet port to which the switch for the Site 1's LAN extension is connected member ports of the same bridge.

That should be all.
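The complete two-site configuration that the answer above walks through, collected into one RouterOS script per router. This is an added example, not sindy's own export and not MikroTik documentation. It assumes that ether1 carries the LAN address on each router, that ether2 at site 2 is the port feeding the switch for the site-1 extension, and that tunnel-id=10 is an arbitrary value (it only has to match at both ends). The GRE accept rule restricted to the peer address is a tightening beyond what the answer prescribes; the protocol=!gre change to the invalid-drop rule is the one the answer gives.

```routeros
# ---- Site 1 MikroTik (192.168.1.253/24 on ether1; subnet being extended) ----
# Enter safe mode (Ctrl-X) first if you manage this router through ether1.
/interface bridge
add name=br-x
/interface bridge port
add bridge=br-x interface=ether1
/ip address
set [find interface=ether1] interface=br-x

# EoIP rides on GRE inside the existing Sonicwall site-to-site VPN, so the
# peers only ever see each other's private /24 addresses.
# mtu=1500 is forced on purpose: with mtu=auto the tunnel MTU would shrink
# step by step once the tunnel becomes a member of the bridge it transmits
# through (bridge MTU = lowest member MTU, tunnel MTU = path MTU - header).
/interface eoip
add name=eoip-site2 local-address=192.168.1.253 remote-address=192.168.2.253 \
    tunnel-id=10 mtu=1500 disabled=yes

# Default firewall: connection tracking classes GRE as invalid, so exempt it
# from the input-chain invalid-drop rule ...
/ip firewall filter
set [find chain=input connection-state=invalid action=drop] protocol=!gre
# ... and (added tightening, assumed) accept GRE only from the peer,
# placed before the invalid-drop rule so nothing else accepts stray GRE.
add chain=input protocol=gre src-address=192.168.2.253 action=accept \
    place-before=[find chain=input connection-state=invalid action=drop] \
    comment="EoIP transport from site 2"

# Make the tunnel a member of the LAN bridge and bring it up.
/interface bridge port
add bridge=br-x interface=eoip-site2
/interface eoip
set eoip-site2 disabled=no

# ---- Site 2 MikroTik (192.168.2.253/24 on ether1) ----
# ether1 stays a plain routed port in 192.168.2.0/24 and is NOT bridged;
# bridging it would merge the two subnets into one L2 segment.
/interface eoip
add name=eoip-site1 local-address=192.168.2.253 remote-address=192.168.1.253 \
    tunnel-id=10 mtu=1500 disabled=yes
/ip firewall filter
set [find chain=input connection-state=invalid action=drop] protocol=!gre
add chain=input protocol=gre src-address=192.168.1.253 action=accept \
    place-before=[find chain=input connection-state=invalid action=drop] \
    comment="EoIP transport from site 1"

# Bridge only the tunnel and the port (ether2, assumed) that feeds the
# switch for the site-1 extension; hosts on that switch land in 192.168.1.0/24.
/interface bridge
add name=br-site1-ext
/interface bridge port
add bridge=br-site1-ext interface=eoip-site1
add bridge=br-site1-ext interface=ether2
/interface eoip
set eoip-site1 disabled=no
```

Two checks before trusting it: a successful ping between the .253 addresses shows ICMP crosses the Sonicwall VPN, not that IP protocol 47 (GRE) does, so confirm the VPN access rules on both Sonicwalls pass GRE between the two Mikrotiks, then watch `/interface print stats` on the eoip interfaces for rx/tx bytes moving in both directions. Also remember that EoIP itself adds no encryption; confidentiality of the extended LAN depends entirely on the Sonicwall tunnel it is carried in, and anything plugged into ether2 at site 2 is a full member of site 1's broadcast domain.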
 
Keanoj

Re: EOIP behind existing firewall

Tue Jan 12, 2021 12:02 am

Fantastic Sindy, Thanks V. Much for this
