
bridge eoip loses internal lan connectivity

Posted: Thu Mar 16, 2006 9:44 pm
by SPDurkee
I am setting up an eoip tunnel between two data centers. I then attempt to bridge the internal lan of each data center with the eoip interface on each router.

As soon as I enable the bridge, I lose connectivity to the internal ip address assigned to the router.

I then assign the internal ip to the bridge interface instead of the nic; however, I still have no connectivity to this ip from the internal lan.

Any thoughts?

Posted: Fri Mar 17, 2006 9:19 am
by mag
Should be working.
Did you clear the ARP cache at the client?
Maybe posting the configuration could help.

Posted: Fri Mar 17, 2006 2:44 pm
by SPDurkee
Clearing the arp cache on any client didn't help.

Here's my config:
0 R name="bridge1" mtu=1500 arp=enabled mac-address=00:00:5E:80:00:01 stp=no priority=32768 ageing-time=5m forward-delay=15s garbage-collection-interval=5s hello-time=2s max-message-age=20s

Router1 is assigned an ip of 192.168.0.51 on the bridge (which contains the eoip connection & the internal nic)

Router2 is assigned an ip of 192.168.0.52 on the bridge (which contains the eoip connection & the internal nic)

I can ping each router from each other; however, I cannot ping any computers on either lan, nor can I ping the routers from the computers.

Posted: Fri Mar 17, 2006 3:05 pm
by sergejs
Add the local and EoIP interfaces to the bridge, and check that the MAC addresses for the EoIP tunnels are not the same.
Could you ping computers from the router they are connected to?

Posted: Fri Mar 17, 2006 3:24 pm
by mag
And the EoIP interface should not be in the same bridge as the interface the EoIP tunnel goes out through. An example:
/ interface eoip 
add name="tunnel-101" mtu=1500 mac-address=00:00:5E:80:10:11 arp=enabled remote-address=1.1.1.1 \
    tunnel-id=101 comment="" disabled=no 

/ interface bridge 
add name="lan" disabled=no 

/ interface bridge port 
add interface=ether3 bridge=lan priority=128 path-cost=10 comment="" disabled=no 
add interface=tunnel-101 bridge=lan priority=128 path-cost=10 comment="" disabled=no 
Other side:
/ interface eoip 
add name="tunnel-101" mtu=1500 mac-address=00:00:5E:80:10:12 arp=enabled remote-address=2.2.2.2 \
    tunnel-id=101 comment="" disabled=no 

/ interface bridge 
add name="lan" disabled=no 

/ interface bridge port 
add interface=ether3 bridge=lan priority=128 path-cost=10 comment="" disabled=no 
add interface=tunnel-101 bridge=lan priority=128 path-cost=10 comment="" disabled=no 

Posted: Fri Mar 17, 2006 3:34 pm
by SPDurkee
After creating the bridge, I have a total of 4 interfaces on each router:
External
Internal
Bridge1
EOIP-Location1

External
Internal
Bridge1
EOIP-Location2

The bridge for each router contains the Internal and EOIP interfaces.

I can ping Router1 from Router2 but cannot ping any computers connected to the same lan Router1 is connected to from Router1. The same is true for Router2.

Maybe there is another way to do what I'm trying to do?

I need to allow servers in InternalLAN1 connect to servers in InternalLAN2 through some sort of route or tunnel over the public internet.

Your help is greatly appreciated.

  [SOLVED]

Posted: Fri Mar 17, 2006 5:54 pm
by mag
SPDurkee wrote:
"I can ping Router1 from Router2 but cannot ping any computers connected to the same lan Router1 is connected to from Router1. The same is true for Router2."

I can't see a difference, besides that I have enabled proxy-arp at one side, but this is for PPTP only. Did you check if the EoIP tunnel is working? That is, seeing MAC addresses from the other tunnel side, and check if any traffic is going through the tunnel. Maybe you should post "/interface export" and "ip address print".

SPDurkee wrote:
"Maybe there is another way to do what I'm trying to do?

I need to allow servers in InternalLAN1 connect to servers in InternalLAN2 through some sort of route or tunnel over the public internet."

If no layer 2 is needed, of course a layer 3 connection, e.g. a PPTP or IPSec tunnel, would be better. Do the public interfaces have static IP addresses? If yes, I would suggest using an IPSec tunnel.

Posted: Fri Mar 17, 2006 6:07 pm
by SPDurkee
Unfortunately my networking knowledge is limited, but what I'm looking to do is have any server on the internal network in one data center seamlessly connect with any server in the internal network on the other data center.

All the servers are in the 192.168.0.x/24 subnet; ideally the solution would also allow broadcast packets so the windows servers could identify each other by name.

Posted: Fri Mar 17, 2006 6:34 pm
by mag
SPDurkee wrote:
"All the servers are in the 192.168.0.x/24 subnet; ideally the solution would also allow broadcast packets so the windows servers could identify each other by name."

LAN broadcasts could cause a lot of WAN traffic, does that matter?
AFAIK Windows servers could interconnect without seeing broadcasts, using the Windows Domain System, Active Directory or something (sorry, my Windows knowledge is limited).

But EoIP is working with MT ROS for sure. BTW which Router OS version is used?

Posted: Fri Mar 17, 2006 6:39 pm
by SPDurkee
WAN traffic will most likely not be an issue, however I can switch to WINS or even use a HOSTS file if need be.

Both routers are 2.9.6.

Posted: Fri Mar 17, 2006 7:10 pm
by mag
OK, I'd guess EoIP is the right tunnel, so I still see a few unanswered questions:
...
check if the MAC-addresses for the EoIP tunnels are not the same.

Could you ping computers from the router they are connected to?
...
Did you check if the EoIP tunnel is working? That is, seeing MAC addresses from the other tunnel side, and check if any traffic is going through the tunnel.

You should post "/interface export" and "ip address print"
...

Posted: Sat Mar 18, 2006 4:44 pm
by SPDurkee
The mac addresses for the eoip tunnel are different: 00:00:5E:80:00:01 & 00:00:5E:80:00:02

I cannot ping the computers from the router they are connected to.

I can ping the router on the other end of the EOIP tunnel, and it does show traffic moving through the eoip interface.

Rather than posting all the interface information here, I've created a web page showing it all: http://www.terrasite.com/mikrotik.htm

One additional note, the arp list on the Rochester router seems to populate with the MACs from server in Vienna, however the ARP list in Vienna never seems to populate.

Posted: Sat Mar 18, 2006 5:00 pm
by SPDurkee
Issue solved, well sort of.

The routers were installed as virtual servers using Microsoft Virtual Server 2005 R2. It appears that this is why I cannot ping other computers on the lan. I can ping other virtual servers set up on the same boxes through the tunnel.

It looks like if I set up dedicated servers to do this, the eoip tunnel and bridge would work normally.

Thank you for all the help & suggestions.

Posted: Sat Mar 18, 2006 5:11 pm
by tneumann
Looks basically OK.

Here's a few things you might try, based on the configuration you published on the URL you posted.

1. You have configured two IP addresses on the external interface of the Rochester router, and you have configured the higher-numbered / second one of them (74.39.252.133) as the EoIP tunnel peer on the Vienna router.
Try using 74.39.252.129 as the EoIP tunnel endpoint (change the Vienna router accordingly).

2. Why do you have arp=proxy-arp on the bridge1 interface on the Rochester router?
Try changing it to arp=enabled

3. While you are at it: Since you've added the IP address to the bridge1 interface (that's good) and not to the interfaces that are members of the bridge (Internal, eoip-*), you can switch off arp altogether on the Internal and eoip-* interfaces on both routers.
ARP functionality only makes sense on interfaces that actually have IP addresses assigned to them.

--Tom
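
The configuration checks raised in this thread (distinct EoIP MAC addresses on the two ends, the EoIP interface not bridged with the interface the tunnel leaves through, and the IP address on the bridge rather than on a member port) can be run mechanically over export-format text from both routers. This is an added example, not code from any poster; the function names, the `wan_if` parameter and the sample exports are assumptions constructed for illustration.

```python
import re
import shlex

def parse_export(text):
    """Parse RouterOS 2.9-style export text into {menu: [{key: value}, ...]}."""
    text = re.sub(r"\\[ \t]*\n[ \t]*", " ", text)  # join backslash-continued lines
    menus, menu = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("/"):
            menu = " ".join(line[1:].split())  # "/ interface eoip" -> "interface eoip"
        elif line.startswith("add ") and menu:
            pairs = (tok.split("=", 1) for tok in shlex.split(line[4:]) if "=" in tok)
            menus.setdefault(menu, []).append(dict(pairs))
    return menus

def lint(cfg, wan_if):
    """Findings for one router; wan_if is the interface the tunnel leaves through."""
    findings = []
    ports = {p["interface"]: p["bridge"] for p in cfg.get("interface bridge port", [])}
    for t in cfg.get("interface eoip", []):
        if t["name"] in ports and ports.get(wan_if) == ports[t["name"]]:
            findings.append(f"{t['name']} shares bridge {ports[wan_if]} with transport interface {wan_if}")
    for a in cfg.get("ip address", []):
        if a["interface"] in ports:
            findings.append(f"{a['address']} is on bridge port {a['interface']}, not on bridge {ports[a['interface']]}")
    return findings

def shared_tunnel_macs(cfg_a, cfg_b):  # EoIP MACs that appear on both tunnel ends
    macs = lambda c: {t["mac-address"].upper() for t in c.get("interface eoip", [])}
    return macs(cfg_a) & macs(cfg_b)

# Constructed sample exports; interface names and wan_if are assumptions, not the thread's routers.
SITE_A = parse_export(r"""
/ interface eoip
add name="tunnel-101" mtu=1500 mac-address=00:00:5E:80:10:11 arp=enabled remote-address=1.1.1.1 \
    tunnel-id=101 comment="" disabled=no
/ interface bridge port
add interface=ether3 bridge=lan priority=128 path-cost=10 comment="" disabled=no
add interface=tunnel-101 bridge=lan priority=128 path-cost=10 comment="" disabled=no
/ ip address
add address=192.168.0.51/24 interface=ether3 comment="" disabled=no
""")
SITE_B = parse_export(r"""
/ interface eoip
add name="tunnel-101" mac-address=00:00:5e:80:10:11 remote-address=2.2.2.2 tunnel-id=101
/ interface bridge port
add interface=ether1 bridge=lan
add interface=tunnel-101 bridge=lan
""")
print(lint(SITE_A, "ether1"), lint(SITE_B, "ether1"), shared_tunnel_macs(SITE_A, SITE_B))
```

Site A is flagged for an address left on a bridge member, site B for bridging the tunnel with its own transport interface, and the pair for reusing one tunnel MAC on both ends.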