Hi, exploring various options connecting two sites considering vlans and subnets: EoIP, L2TP etc. I came to a little puzzle on how to connect sites in most "optimal and the right way".
In my case I have on the primary site couple of vlans, including pbx on vlan 20.
Same vlans are replicated on the remote location too, for convenience, but may not be the final case.
Networks are different on both sites, except for pbx/voip which needs to be the same if I want to connect some phones on remote location.
I understand my options as:
EoIP/IPsec - to stretch layer 2 across, but need to consider things like dhcp, broadcast noise, same network, different networks etc., but everything will work.
L2TP/IPsec (or similar) - setting up routes between networks, but don't know what to do with voip as it must be on the same subnet?
I would like to go L2TP/IPsec way, but I am not sure how to manage pbx/voip vlan.
I don't have control over pbx/voip, it runs on vlan 20 and is in static configuration (192.168.20.0/24, GW/PBX 192.168.20.1).
I want networks to be different, but due to this pbx/voip eoip keeps comming up.
Is there a way to go pure L2TP/IPsec or maybe go with "routed" EoIP (establishing EoIP between sites, add routes for different networks, voip will work on its own?) or something different?
What is the right way to keep things simple, separate, minimize broadcast noise etc. long term solution?
Thank you!
Re: options for connecting two locations
Well,
Your situation doesn't seem to be complicated than it sound. There are 3 option you can go
1. You can deploy L2TP/IPsec and use BCP to bridge between 2 sites as if they are in the same network
2. You can use EOIP strictly for voice only which you can bridge EOIP to voice VLAN and the rest of traffic can use regular L2TP/IPsec to connect to other office
3. Mixture of L2TP/IPsec with BCP for VoIP and regular L2TP/IPsec for rest of traffic
Your situation doesn't seem to be complicated than it sound. There are 3 option you can go
1. You can deploy L2TP/IPsec and use BCP to bridge between 2 sites as if they are in the same network
2. You can use EOIP strictly for voice only which you can bridge EOIP to voice VLAN and the rest of traffic can use regular L2TP/IPsec to connect to other office
3. Mixture of L2TP/IPsec with BCP for VoIP and regular L2TP/IPsec for rest of traffic
Re: options for connecting two locations
Thanks for "brainstorming" this with me. I am preaty new to all this any maybe I am overcomplicating things, but this is only due to so many different ways things can be done with mikrotiks and things can easily go bad by mixing things that don't mix well :)
As I understand there is no difference (in result) between eoip and l2tp bcp. Both stretch L2 network. Is there any preference of one over the other? L2tp bcp is maybe more suitable because client doesn't require fixed ip, perhaps less problems with mtu etc. Any other "more" important difference?
I like idea with l2tp bcp for voip and l2tp for other. I could expand this idea easily to new remote locations if need arises and share voip only with some.
As I understand there is no difference (in result) between eoip and l2tp bcp. Both stretch L2 network. Is there any preference of one over the other? L2tp bcp is maybe more suitable because client doesn't require fixed ip, perhaps less problems with mtu etc. Any other "more" important difference?
I like idea with l2tp bcp for voip and l2tp for other. I could expand this idea easily to new remote locations if need arises and share voip only with some.
Re: options for connecting two locations
Well, just read that bridged l2tp doesn't support bridge vlan filtering, which is in place. It doesn't pass tagged frames, only untagged.
Re: options for connecting two locations
EoIP requires both location to have Public IP which some case people don't have public IP on both location, whereas L2TP only requires public IP on server site. In terms of performance, EoIP isn't that great (at least from what I have tested so far, the throughput wasn't impressive at all).
L2TP is by far the fastest VPN protocol that Mikrotik can offer which I would go this route.
For bridge between VLAN, you don't have to get the VLAN tag come across between offices. Let the switch and router do the tag, when it leaves the office, it should be untagged. That's why you will need to create 2 VPN connection. 1 for L2TP/BCP dedicated for Voice network and the other tunnel is for rest of traffic.
Hopefully this can help you.
L2TP is by far the fastest VPN protocol that Mikrotik can offer which I would go this route.
For bridge between VLAN, you don't have to get the VLAN tag come across between offices. Let the switch and router do the tag, when it leaves the office, it should be untagged. That's why you will need to create 2 VPN connection. 1 for L2TP/BCP dedicated for Voice network and the other tunnel is for rest of traffic.
Hopefully this can help you.
Re: options for connecting two locations
I have couple of vlans managed under bridge vlan filtering. I have hybrid ports configured. So traffic on my bridge is tagged... as I understand it.
I think I understand classic l2tp tunnel so I will focus only on l2tp bcp for voip, vlan 20:
l2tp bcp configured client dials in and dynamic interface is created on the bridge. How do I configure that interface to pass vlan 20 only? I am reading that bridge vlan filtering doesn't work for l2tp bcp interface.
I will experiment with this on monday.
I think I understand classic l2tp tunnel so I will focus only on l2tp bcp for voip, vlan 20:
l2tp bcp configured client dials in and dynamic interface is created on the bridge. How do I configure that interface to pass vlan 20 only? I am reading that bridge vlan filtering doesn't work for l2tp bcp interface.
I will experiment with this on monday.
Re: options for connecting two locations [SOLVED]
If it is really enough for you to push a single VLAN via the L2 tunnel, create a dedicated bridge "br-vlan20", create an /interface vlan with VLAN ID 20 on the main bridge (if not created yet), and make that /interface vlan a member port of br-vlan20. Then indicate br-vlan20 in the /ppp profile instead of the main bridge. If the /interface vlan with VLAN ID 20 already exists on the main bridge and IP configuration is attached to it, migrate that configuration to the br-vlan20.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
Re: options for connecting two locations
Hi Sindy, thanks. Will do that on Monday.
I only need to "stretch" this one vlan, voip.I don't control this vlan, and there is no IP configuration attached to it. It is in its own static setup. I just put PBX and phones on it and it is already part of the main bridge - hybrid setup for phone/pc combo.
On this new br-vlan20 I dont configure any vlan filtering correct? Frames will cross tagged or untagged?
How do I make interface member of another bridge?
On client side I have main bridge with same setup as in office. Any special setup on client?
My current config (also "same" on the client):
I only need to "stretch" this one vlan, voip.I don't control this vlan, and there is no IP configuration attached to it. It is in its own static setup. I just put PBX and phones on it and it is already part of the main bridge - hybrid setup for phone/pc combo.
On this new br-vlan20 I dont configure any vlan filtering correct? Frames will cross tagged or untagged?
How do I make interface member of another bridge?
On client side I have main bridge with same setup as in office. Any special setup on client?
My current config (also "same" on the client):
Code: Select all
/interface bridge
add name=BR1 protocol-mode=none vlan-filtering=yes
/interface vlan
add interface=BR1 name=PC-VLAN vlan-id=10
add interface=BR1 name=VOIP-VLAN vlan-id=20
/interface list
add name=WAN
add name=VLAN
add name=BASE
/ip pool
add name=PC-POOL ranges=172.31.1.50-172.31.1.99
/ip dhcp-server
add address-pool=PC-POOL disabled=no interface=PC-VLAN name=PC-DHCP
/interface bridge port
add bridge=BR1 comment="Trunk/Uplink: V10, V20" interface=ether2
add bridge=BR1 comment="Ingress/Hybrid: V10" ingress-filtering=yes interface=ether3 pvid=10
add bridge=BR1 comment="Ingress/Hybrid: V10" ingress-filtering=yes interface=ether4 pvid=10
add bridge=BR1 comment="Ingress/Hybrid: V10" ingress-filtering=yes interface=ether5 pvid=10
add bridge=BR1 comment="Ingress/Hybrid: V10" ingress-filtering=yes interface=ether6 pvid=10
add bridge=BR1 comment="Ingress/Hybrid: V10" ingress-filtering=yes interface=ether7 pvid=10
add bridge=BR1 comment="Ingress/Hybrid: V10" ingress-filtering=yes interface=ether8 pvid=10
add bridge=BR1 comment="Ingress/Hybrid: V10" ingress-filtering=yes interface=ether9 pvid=10
add bridge=BR1 comment="Ingress/PBX: V20" ingress-filtering=yes interface=ether10 pvid=20 frame-types=admit-only-untagged-and-priority-tagged
/ip neighbor discovery-settings
set discover-interface-list=BASE
/interface bridge vlan
add bridge=BR1 comment="Egress/Hybrid" vlan-ids=10 tagged=BR1,ether2 untagged=ether3,ether4,ether5,ether6,ether7,ether8,ether9,eoip-studenci
add bridge=BR1 comment="Egress/PBX" vlan-ids=20 tagged=ether2,ether3,ether4,ether5,ether6,ether7,ether8,ether9,BR1 untagged=ether10
/interface list member
add interface=ether1 list=WAN
add interface=VOIP-VLAN list=VLAN
add interface=PC-VLAN list=VLAN
add interface=PC-VLAN list=BASE
/ip address
add address=172.31.1.254/24 interface=PC-VLAN network=172.31.1.0
/ip dhcp-server network
add address=172.31.1.0/24 dns-server=172.31.1.1 gateway=172.31.1.254
/ip dhcp-client
add disabled=no interface=ether1
/ip firewall filter
add action=accept chain=input comment="accept established,related" connection-state=established,related
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow L2TP" dst-port=1701 protocol=udp
add action=accept chain=input comment="accept PC_VLAN (base)" in-interface=PC-VLAN
add action=drop chain=input in-interface-list=!BASE
add action=drop chain=input comment="drop everything else"
add action=accept chain=forward comment="accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment=fasttrack connection-state=established,related
add action=accept chain=forward comment="accept established,related" connection-state=established,related
add action=accept chain=forward comment="accept PC_VLAN internet access" connection-state=new in-interface=PC-VLAN out-interface-list=WAN
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=drop chain=forward comment="drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="Default masquerade" out-interface-list=WAN
/tool mac-server set allowed-interface-list=BASE
/tool mac-server mac-winbox set allowed-interface-list=BASE
Last edited by hpet on Sat Feb 20, 2021 9:17 pm, edited 1 time in total.
Re: options for connecting two locations
Correct. The /interface vlan receives frames tagged with VID 20 from the main bridge, untags them, and forwards them to br-vlan20; in the opposite direction, it receives tagless frames from br-vlan20, tags them, and forwards them to the main bridge. Although you are not going to attach an IP address to VLAN 20 on the main bridge, the "bridge" port of the main bridge must be a tagged member of VLAN 20 in order that it worked:On this new br-vlan20 I dont configure any vlan filtering correct? Frames will cross tagged or untagged?
/interface bridge vlan add bridge=bridge vlan-ids=20 tagged=bridge,...
The setup must be the same at both ends.On client side I have main bridge with same setup as in office. Any special setup on client?
And you don't need a separate L2TP connection for the L3 tunnel. The L2 tunnel interconnecting the bridges and the L3 tunnel will exist in parallel, so you can use the L3 one for routing between the sites.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
Re: options for connecting two locations
Was a bit late with my "edit" to post :) where I added my current config.
vlan 20 is already member of main bridge, how do I add it as member of another bridge?
vlan 20 is already member of main bridge, how do I add it as member of another bridge?
Re: options for connecting two locations
The VLAN 20 config for BR1 is fine as it is, as BR1 is on the tagged list for vlan-ids=20 there.
The /interface vlan is just a tagging/untagging pipe, whose tagged end is attached to the interface mentioned in its parameters, so in your case, BR1.
You make its tagless end a member port of br-vlan20 the same way you make ethernet ports members of BR1:
/interface bridge port add bridge=br-vlan20 interface=VOIP-VLAN
The /interface vlan is just a tagging/untagging pipe, whose tagged end is attached to the interface mentioned in its parameters, so in your case, BR1.
You make its tagless end a member port of br-vlan20 the same way you make ethernet ports members of BR1:
/interface bridge port add bridge=br-vlan20 interface=VOIP-VLAN
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
Re: options for connecting two locations
Ah, yes. Correct.Thank you Sindy.
Still need to wrap my head around all this a bit, but otherwise I think I have everything I need to make it work.
Thanks for pointing out that I can use the same tunnel for other L3 routed traffic too.
I had idea to have 2 tunnels:
1. l2tp bcp for stretching voip: I can share this dialup with some remote locations where voip is required
2. l2tp for other L3 routed traffic: I can share this dialup with every location for other traffic.
But I wonder what happenes if client without "voip vlan setup" connects to this l2tp bcp vlan20 bridge? will just this part not work without side effects and all the rest will work ok?
Still need to wrap my head around all this a bit, but otherwise I think I have everything I need to make it work.
Thanks for pointing out that I can use the same tunnel for other L3 routed traffic too.
I had idea to have 2 tunnels:
1. l2tp bcp for stretching voip: I can share this dialup with some remote locations where voip is required
2. l2tp for other L3 routed traffic: I can share this dialup with every location for other traffic.
But I wonder what happenes if client without "voip vlan setup" connects to this l2tp bcp vlan20 bridge? will just this part not work without side effects and all the rest will work ok?
Re: options for connecting two locations
I'm not sure what happens if the client's /ppp profile row specifies a bridge and the server's one doesn't or vice versa, you have to try. But you can specify a particular row of /ppp profile for each client at that client's /ppp secret row, so you'll just need two profile rows at server side if clients without BCP get eventually rejected.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
Re: options for connecting two locations
Thank you all for help.
Works perfectly as suggested.
Works perfectly as suggested.