Community discussions

 
yacsap
Member Candidate
Member Candidate
Topic Author
Posts: 102
Joined: Wed Dec 17, 2014 11:44 am
Location: Auckland, New Zealand
Contact:

Linking 3 LAN through WAN (Internet)

Sat Mar 07, 2015 7:55 am

Hi,

I would like to ask how to link 3 LAN through WAN?

LAN A: 10.0.0.0/24 --> WAN (Internet)

LAN B: 10.0.3.0/24 --> WAN (Internet)

LAN C: 1.0.0.0/24 --> WAN (Internet)

My idea is to bridge LAN A to LAN B

Then bridge LAN C to LAN B also

So B is acting like a Bridge (Rendezvous / Meeting Point)

Should I use OSPF, RIP or EOIP?

All of them are production networks, so I need to make sure that I won't lose them.
[ IMikroTik ] >
 
lz1dsb
Member Candidate
Member Candidate
Posts: 222
Joined: Wed Aug 07, 2013 11:48 am

Re: Linking 3 LAN through WAN (Internet)

Sat Mar 07, 2015 11:28 am

I don't know what do you mean by "bridging". As per your description, you use different IP subnets in the three LANs, so in that case if you "bridge" them (this is a Layer 2 operation), the hosts in the three sites will not be able to communicate, as they're configured in a three differen subnetworks.
In your case you could you use any tunneling technology (l2tp,pptp,ppp, or even ipsec in tunnel mode) to establish logical transport links between the sites. Than you could run any IGP routing protocol within the logical tunnels to provide reachability between the sites. Personally I would prefer OSPF as a routing protocl, but in your case RIP will also do just fine.
 
yacsap
Member Candidate
Member Candidate
Topic Author
Posts: 102
Joined: Wed Dec 17, 2014 11:44 am
Location: Auckland, New Zealand
Contact:

Re: Linking 3 LAN through WAN (Internet)

Sat Mar 07, 2015 9:45 pm

I don't know what do you mean by "bridging". As per your description, you use different IP subnets in the three LANs, so in that case if you "bridge" them (this is a Layer 2 operation), the hosts in the three sites will not be able to communicate, as they're configured in a three differen subnetworks.
In your case you could you use any tunneling technology (l2tp,pptp,ppp, or even ipsec in tunnel mode) to establish logical transport links between the sites. Than you could run any IGP routing protocol within the logical tunnels to provide reachability between the sites. Personally I would prefer OSPF as a routing protocl, but in your case RIP will also do just fine.
Hi lz1dsb,

Thank you for your reply.

I want to merge this network, so..

People in LAN A can connect to LAN B & C,

People in LAN B can connect to LAN A & C,

People in LAN C can connect to LAN A & B,

I've made PPTP-out from LAN A to LAN B, and PPTP-out from LAN C to LAN B (as I've planned to make LAN B as meeting point)

How to make the routing now? Any idea?

Thank you.
[ IMikroTik ] >
 
lz1dsb
Member Candidate
Member Candidate
Posts: 222
Joined: Wed Aug 07, 2013 11:48 am

Re: Linking 3 LAN through WAN (Internet)

Sun Mar 08, 2015 2:57 pm

How do you make the routing...
First you select the routing protocol.
Second you enable the routing process.
Third you enable it on the interfaces you want it to run.
Fourth you select the local networks you would like to advertise.

If you give me more details (interfaces and networks) I could be more specific...
 
troffasky
Member
Member
Posts: 399
Joined: Wed Mar 26, 2014 4:37 pm

Re: Linking 3 LAN through WAN (Internet)

Sun Mar 08, 2015 7:09 pm

With a simple topology like this, I would start with static routes. You only need to add two routes at each site.
 
yacsap
Member Candidate
Member Candidate
Topic Author
Posts: 102
Joined: Wed Dec 17, 2014 11:44 am
Location: Auckland, New Zealand
Contact:

Re: Linking 3 LAN through WAN (Internet)

Mon Mar 09, 2015 6:01 am

With a simple topology like this, I would start with static routes. You only need to add two routes at each site.
The WAN IP Address is DHCP (i.e. Non-Static) on both LAN 1 and LAN 3.
[ IMikroTik ] >
 
lz1dsb
Member Candidate
Member Candidate
Posts: 222
Joined: Wed Aug 07, 2013 11:48 am

Re: Linking 3 LAN through WAN (Internet)

Mon Mar 09, 2015 9:23 am

With a simple topology like this, I would start with static routes. You only need to add two routes at each site.
The WAN IP Address is DHCP (i.e. Non-Static) on both LAN 1 and LAN 3.
So you set up your server at LAN2 and the routers at LAN1 and LAN3 will act as clients, establishing secure connection to the server. There's not a problem with that, I use similar setup.
 
yacsap
Member Candidate
Member Candidate
Topic Author
Posts: 102
Joined: Wed Dec 17, 2014 11:44 am
Location: Auckland, New Zealand
Contact:

Re: Linking 3 LAN through WAN (Internet)

Wed Mar 11, 2015 1:00 am

With a simple topology like this, I would start with static routes. You only need to add two routes at each site.
The WAN IP Address is DHCP (i.e. Non-Static) on both LAN 1 and LAN 3.
So you set up your server at LAN2 and the routers at LAN1 and LAN3 will act as clients, establishing secure connection to the server. There's not a problem with that, I use similar setup.
How to route them through WAN?

Using OSPF or EoIP?
[ IMikroTik ] >
 
lz1dsb
Member Candidate
Member Candidate
Posts: 222
Joined: Wed Aug 07, 2013 11:48 am

Re: Linking 3 LAN through WAN (Internet)

Sun Mar 15, 2015 11:57 am

OSPF is a routing protocol which in general distributes IP Layer 3 information in your routing domain i.e. reachability information for all of the subnetworks you have in your network.
How to use it? - just enable the process and advertise all of the subnetworks that you want to distribute, even the those used for the VPN tunnels.
EoIP is another matter. It provides Layer 2 reachability over a WAN segment. If you use EoIP, you do not need a routing protocol as all of your network branches would be in the same Layer 2 segement i.e. they should use the same subnetwork Layer 3 address.

Cheers,
Boyan
 
yacsap
Member Candidate
Member Candidate
Topic Author
Posts: 102
Joined: Wed Dec 17, 2014 11:44 am
Location: Auckland, New Zealand
Contact:

Re: Linking 3 LAN through WAN (Internet)

Mon Mar 16, 2015 10:29 am

OSPF is a routing protocol which in general distributes IP Layer 3 information in your routing domain i.e. reachability information for all of the subnetworks you have in your network.
How to use it? - just enable the process and advertise all of the subnetworks that you want to distribute, even the those used for the VPN tunnels.
EoIP is another matter. It provides Layer 2 reachability over a WAN segment. If you use EoIP, you do not need a routing protocol as all of your network branches would be in the same Layer 2 segement i.e. they should use the same subnetwork Layer 3 address.

Cheers,
Boyan
Thank you for your good explanation, I just tried using EoIP, but when I add the EoIP on the bridge, my remote network become unreachable, the weird thing is all of it's subnet become request timed-out. So I need to contact my remote network admin to undo the last action. Any idea what's wrong with it?
[ IMikroTik ] >
 
lz1dsb
Member Candidate
Member Candidate
Posts: 222
Joined: Wed Aug 07, 2013 11:48 am

Re: Linking 3 LAN through WAN (Internet)

Tue Mar 17, 2015 10:46 am

Hm... that's strange, could you post an excerpt from the EoIP and the related configs?
 
yacsap
Member Candidate
Member Candidate
Topic Author
Posts: 102
Joined: Wed Dec 17, 2014 11:44 am
Location: Auckland, New Zealand
Contact:

Re: Linking 3 LAN through WAN (Internet)

Thu Mar 19, 2015 1:20 am

Hm... that's strange, could you post an excerpt from the EoIP and the related configs?
I'm following exactly like explained on http://wiki.mikrotik.com/wiki/Manual:Interface/EoIP

When I do this (port add bridge=bridge1 interface=eoip-remote) my public network and it's subnet all become unreachable:
[admin@Our_GW] interface bridge> add 
[admin@Our_GW] interface bridge> print
Flags: X - disabled, R - running
 0  R name="bridge1" mtu=1500 arp=enabled mac-address=00:00:00:00:00:00 
      protocol-mode=none priority=0x8000 auto-mac=yes 
      admin-mac=00:00:00:00:00:00 max-message-age=20s forward-delay=15s 
      transmit-hold-count=6 ageing-time=5m 
[admin@Our_GW] interface bridge> port add bridge=bridge1 interface=eoip-remote
[admin@Our_GW] interface bridge> port add bridge=bridge1 interface=office-eth
[admin@Our_GW] interface bridge> port print
Flags: X - disabled, I - inactive, D - dynamic
 #    INTERFACE      BRIDGE  PRIORITY PATH-COST
 0    eoip-remote    bridge1 128      10
 1    office-eth     bridge1 128      10
[admin@Our_GW] interface bridge>
[ IMikroTik ] >
 
User avatar
ZeroByte
Forum Guru
Forum Guru
Posts: 4051
Joined: Wed May 11, 2011 6:08 pm

Re: Linking 3 LAN through WAN (Internet)

Thu Mar 19, 2015 8:15 pm

I wouldn't use bridges with the EoIP tunnels - each site already has a seperate subnet.
if you have this:
A <--eoip--> B <--eoip--> C
Then in site A, add static routes for B lan and C lan with gateway=eoip-interface-name
In site C, static routes for A lan and B lan, gateway=eoip-interface-name
In site B, static route for A lan, gateway=eoip-A-interface, and C lan, gateway=eoip-C-interface

That will get you up and running - but remember that this is not encrpyted. You'll want to use encryption for your final installation.
When given a spoon,
you should not cling to your fork.
The soup will get cold.
 
yacsap
Member Candidate
Member Candidate
Topic Author
Posts: 102
Joined: Wed Dec 17, 2014 11:44 am
Location: Auckland, New Zealand
Contact:

Re: Linking 3 LAN through WAN (Internet)

Thu Mar 19, 2015 9:23 pm

I wouldn't use bridges with the EoIP tunnels - each site already has a seperate subnet.
if you have this:
A <--eoip--> B <--eoip--> C
Then in site A, add static routes for B lan and C lan with gateway=eoip-interface-name
In site C, static routes for A lan and B lan, gateway=eoip-interface-name
In site B, static route for A lan, gateway=eoip-A-interface, and C lan, gateway=eoip-C-interface

That will get you up and running - but remember that this is not encrpyted. You'll want to use encryption for your final installation.
Hi ZeroByte,

Good idea, I will try it..

No need OSPF, just static route?

And in EoIP Remote Address should I fill respectively VPN remote IP or Local IP?


---


Update: Just tried with static routing not working:

Tried from 1.0.3.1/24:
[admin@MikroTik] > too trace 1.0.0.2
 # ADDRESS                                 RT1   RT2   RT3   STATUS              
 1 0.0.0.0                                 0ms   0ms   0ms                       
 2 x.x.x.x                         1ms   0ms   0ms   host unreachable    
 3 x.x.x.x                         0ms   6ms   0ms   host unreachable    
 4 x.x.x.x                         0ms   0ms   6ms   host unreachable    
 5 0.0.0.0                                 0ms   0ms   0ms                       
 6 x.x.x.x                         6ms   0ms   0ms   host unreachable    
 7 x.x.x.x                         0ms   6ms   0ms   host unreachable    
 8 x.x.x.x                         0ms   0ms   7ms   host unreachable    

[admin@MikroTik] > 
Where x.x.x.x is 10.0.3.1's public IP Address.

Possible routing looping issue with 0.0.0.0/0 (default route)
Last edited by yacsap on Thu Mar 19, 2015 9:39 pm, edited 1 time in total.
[ IMikroTik ] >
 
User avatar
ZeroByte
Forum Guru
Forum Guru
Posts: 4051
Joined: Wed May 11, 2011 6:08 pm

Re: Linking 3 LAN through WAN (Internet)

Thu Mar 19, 2015 9:35 pm

And in EoIP Remote Address should I fill respectively VPN remote IP or Local IP?
You know, I was thinking to use just the interface itself, but maybe GRE interface would be better for such a thing than EoIP interface (I think it secretly uses GRE anyway). GRE is natively a point-to-point style of interface, so specifying the interface name as the "next hop" of a route is completely valid.

If you want IP addresses on the tunnel interfaces, that's easy too - just use something like 10.255.255.x/30 on each of your two links.

A (.2) <-- {10.255.255.0/30}-->(.1) B (.5) <-- {10.255.255.4/30} --> (.6) C

Then the gateway= for each static route would be the IP of the far side of the tunnel -
so on A:
B lan, gateway=10.255.255.1
C lan, gateway=10.255.255.1

on B:
A lan, gateway=10.255.255.2
C lan, gateway=10.255.255.6

on C:
A lan, gateway = 10.255.255.5
B lan, gateway = 10.255.255.5

It takes a lot of typing to explain like this, but it's actually quite simple and makes a lot of sense when you set it up.
When given a spoon,
you should not cling to your fork.
The soup will get cold.
 
yacsap
Member Candidate
Member Candidate
Topic Author
Posts: 102
Joined: Wed Dec 17, 2014 11:44 am
Location: Auckland, New Zealand
Contact:

Re: Linking 3 LAN through WAN (Internet)

Thu Mar 19, 2015 9:52 pm

And in EoIP Remote Address should I fill respectively VPN remote IP or Local IP?
You know, I was thinking to use just the interface itself, but maybe GRE interface would be better for such a thing than EoIP interface (I think it secretly uses GRE anyway). GRE is natively a point-to-point style of interface, so specifying the interface name as the "next hop" of a route is completely valid.

If you want IP addresses on the tunnel interfaces, that's easy too - just use something like 10.255.255.x/30 on each of your two links.

A (.2) <-- {10.255.255.0/30}-->(.1) B (.5) <-- {10.255.255.4/30} --> (.6) C

Then the gateway= for each static route would be the IP of the far side of the tunnel -
so on A:
B lan, gateway=10.255.255.1
C lan, gateway=10.255.255.1

on B:
A lan, gateway=10.255.255.2
C lan, gateway=10.255.255.6

on C:
A lan, gateway = 10.255.255.5
B lan, gateway = 10.255.255.5

It takes a lot of typing to explain like this, but it's actually quite simple and makes a lot of sense when you set it up.
Tried with GRE (GRE local IP using VPN local IP, GRE remote IP using VPN remote IP)

But not working either:
[admin@MikroTik] > too trace 1.0.0.2
 # ADDRESS                                 RT1   RT2   RT3   STATUS              
 1 0.0.0.0                                 0ms   0ms   0ms                       
 2 0.0.0.0                                 0ms   0ms   0ms                       
 3 0.0.0.0                                 0ms   0ms   0ms                       
 4 0.0.0.0                                 0ms   0ms   0ms                       

[admin@MikroTik] > 
Any idea what's wrong?

This is more interesting now.. :lol:
[ IMikroTik ] >
 
yacsap
Member Candidate
Member Candidate
Topic Author
Posts: 102
Joined: Wed Dec 17, 2014 11:44 am
Location: Auckland, New Zealand
Contact:

Re: Linking 3 LAN through WAN (Internet)

Wed Mar 25, 2015 12:00 am

test..
[ IMikroTik ] >
 
User avatar
ZeroByte
Forum Guru
Forum Guru
Posts: 4051
Joined: Wed May 11, 2011 6:08 pm

Re: Linking 3 LAN through WAN (Internet)

Wed Mar 25, 2015 12:13 am

My, but this thread has gotten long. :)

If this is still not working, then you should probably start attacking small subsets of the goal.
Make a GRE tunnel from A to B, put an IP address on each end, and then be able to ping across it successfully.
If you're trying to use IPSec to protect the GRE, or anything else, turn that off while getting started.

Your goal is to make this:
Router1 -
create gre tunnel interface "gre-to-R2" with local IP = R1's wan IP, and remote IP = R2's wan IP.
If the IP of Router1 or Router2 is dynamic, then you will not be able to use GRE.
You should use L2TP or PPTP.
Of course, just to make it work right now just to see it, that's fine. When the IP changes, the tunnel will break....
Anyway, step 2 is to put an IP on the 'inside' of the tunnel. (the addresses above are 'outside' of the tunnel)
/ip address add address=10.10.10.1/30 interface=gre-to-R2

On Router2
create gre tunnel interface "gre-to-R1" with local IP = R2's wan IP, and remote IP = R1's wan IP.
Then add IP address 10.10.10.2/30 to interface gre-to-R1

Make sure that in both routers, in the ip firewall filter, input chain will allow packets from the other rotuer's wan IP.

With those conditions met, you should be able to ping 10.10.10.2 from R1 and see the traffic counters showing activity on the interface.

After that works, simply create static routes as discussed previously in the thread.
When given a spoon,
you should not cling to your fork.
The soup will get cold.
 
yacsap
Member Candidate
Member Candidate
Topic Author
Posts: 102
Joined: Wed Dec 17, 2014 11:44 am
Location: Auckland, New Zealand
Contact:

Re: Linking 3 LAN through WAN (Internet)

Wed Mar 25, 2015 11:31 am

My, but this thread has gotten long. :)

If this is still not working, then you should probably start attacking small subsets of the goal.
Make a GRE tunnel from A to B, put an IP address on each end, and then be able to ping across it successfully.
If you're trying to use IPSec to protect the GRE, or anything else, turn that off while getting started.

Your goal is to make this:
Router1 -
create gre tunnel interface "gre-to-R2" with local IP = R1's wan IP, and remote IP = R2's wan IP.
If the IP of Router1 or Router2 is dynamic, then you will not be able to use GRE.
You should use L2TP or PPTP.
Of course, just to make it work right now just to see it, that's fine. When the IP changes, the tunnel will break....
Anyway, step 2 is to put an IP on the 'inside' of the tunnel. (the addresses above are 'outside' of the tunnel)
/ip address add address=10.10.10.1/30 interface=gre-to-R2

On Router2
create gre tunnel interface "gre-to-R1" with local IP = R2's wan IP, and remote IP = R1's wan IP.
Then add IP address 10.10.10.2/30 to interface gre-to-R1

Make sure that in both routers, in the ip firewall filter, input chain will allow packets from the other rotuer's wan IP.

With those conditions met, you should be able to ping 10.10.10.2 from R1 and see the traffic counters showing activity on the interface.

After that works, simply create static routes as discussed previously in the thread.
Hi, thank you for your answer.

Is it possible to use VPN IP address with this condition?

Because the R2 doesn't have public IP address. How do we overcome this?
[ IMikroTik ] >
 
User avatar
ZeroByte
Forum Guru
Forum Guru
Posts: 4051
Joined: Wed May 11, 2011 6:08 pm

Re: Linking 3 LAN through WAN (Internet)

Wed Mar 25, 2015 2:30 pm

Is it possible to use VPN IP address with this condition?

Because the R2 doesn't have public IP address. How do we overcome this?
As long as the network knows to route correctly between the two sites, then they don't need public IP addresses.
Just use the "upstream" interface IPs as the GRE / L2TP / PPTP endpoint addresses.
When given a spoon,
you should not cling to your fork.
The soup will get cold.
 
lz1dsb
Member Candidate
Member Candidate
Posts: 222
Joined: Wed Aug 07, 2013 11:48 am

Re: Linking 3 LAN through WAN (Internet)

Thu Mar 26, 2015 1:52 pm

Wow, this thread has gotten quite long...
What is the situation right now? Did you get it working?

Who is online

Users browsing this forum: No registered users and 116 guests