zykki
just joined
Topic Author
Posts: 10
Joined: Thu Feb 03, 2022 10:29 pm

EoIP split traffic

Wed Jan 11, 2023 9:20 am

Hi everyone.

In our company we have this situation:
Head office with Mikrotik router with multiple VLANs and DHCP Relays to Windows server. Two EoIP tunnels for branch offices.
Branch offices with Mikrotik routers connected over EoIP tunnel with IPSec. All traffic over tunnel is grouped in VLANs.

At the moment, if a device is connected to the MT at a branch office, the default gateway for this device is the MT in the head office and all traffic (DHCP requests, HTTP/S requests or internal traffic) is routed to the MT in the head office.

My question: Is it possible to create something like split traffic?
I mean that the default gateway for the devices at branch offices would be the Mikrotik in that office, and only internal company traffic would be sent over EoIP. Of course I want to keep the VLANs and the DHCP server, which is in the head office.
 
satman1w
Member Candidate
Posts: 279
Joined: Mon Oct 02, 2006 11:47 am

Re: EoIP split traffic

Wed Jan 11, 2023 12:27 pm

To begin with, I would leave EoIP, divide the network into necessary subnets or VLANs if necessary, connect the locations with an IPIP thread e.g.
If you do that, you will have a neatly arranged network, and the problem you mention will disappear by itself...
 
mada3k
Long time Member
Posts: 687
Joined: Mon Jul 13, 2015 10:53 am
Location: Sweden

Re: EoIP split traffic

Wed Jan 11, 2023 1:49 pm

I agree, set up some IPIP tunnels and run OSPF over them. Let each branch access Internet by themselves.

For DHCP you can use the dhcp-relay service. DNS can continue to point at the HQ.
 
satman1w
Member Candidate
Posts: 279
Joined: Mon Oct 02, 2006 11:47 am

Re: EoIP split traffic

Wed Jan 11, 2023 2:48 pm

> I agree, set up some IPIP tunnels and run OSPF over them. Let each branch access Internet by themselves.
>
> For DHCP you can use the dhcp-relay service. DNS can continue to point at the HQ.

Don't you think that OSPF for 3 sites is a bit of an overkill?
A few static routes would do the job...
 
zykki
just joined
Topic Author
Posts: 10
Joined: Thu Feb 03, 2022 10:29 pm

Re: EoIP split traffic

Wed Jan 11, 2023 3:19 pm

> To begin with, I would leave EoIP, divide the network into necessary subnets or VLANs if necessary, connect the locations with an IPIP thread e.g.
> If you do that, you will have a neatly arranged network, and the problem you mention will disappear by itself...

Why leave EoIP and go to IPIP when we use MT at all offices? IPIP doesn't support VLANs, right?
How to set DHCP relay on Windows server in case of IPIP? Now I have multiple DHCP relays according to VLANs on the head office router.
 
mada3k
Long time Member
Posts: 687
Joined: Mon Jul 13, 2015 10:53 am
Location: Sweden

Re: EoIP split traffic

Wed Jan 11, 2023 6:33 pm

I use OSPF between two locations with 3-4 subnets on each side just for simplicity.

Sure, you can use EoIP, but why would you need to carry VLANs over Internet? IPIP has lower overhead. Just point the dhcp-relay to the Windows DHCP server at HQ.

Traffic/network isolation will be done in the nearest firewall.
 
zykki
just joined
Topic Author
Posts: 10
Joined: Thu Feb 03, 2022 10:29 pm

Re: EoIP split traffic

Fri Jan 13, 2023 1:18 am

> I use OSPF between two locations with 3-4 subnets on each side just for simplicity.

So, I think I will try the IPIP tunnel at one branch office to see how it works.

How do I set up the same subnet in different places through the IPIP tunnel? I have multiple VLANs, some unique for branch offices but some are the same and I need the devices on them to communicate across branches. Is it possible without OSPF?
 
satman1w
Member Candidate
Posts: 279
Joined: Mon Oct 02, 2006 11:47 am

Re: EoIP split traffic

Fri Jan 13, 2023 9:37 pm

> > I use OSPF between two locations with 3-4 subnets on each side just for simplicity.
>
> So, I think I will try the IPIP tunnel at one branch office to see how it works.
>
> How do I set up the same subnet in different places through the IPIP tunnel? I have multiple VLANs, some unique for branch offices but some are the same and I need the devices on them to communicate across branches. Is it possible without OSPF?

If I may suggest... take a small Mikrotik, connect it somewhere to the Internet (at home?!) and make an IPIP connection to the company... add some kind of computer to it and test everything you need until you are sure that everything works for you. ...
Why am I suggesting this to you?
If you start to change something in production and run into a problem/obstacle, you will very quickly go back to the old way - because that's what works for you and production must not stop.
Everyone answered you wisely and IPIP is indeed a better solution than EoIP.
EoIP has its purpose and there are times when it is irreplaceable, but in the environment you described, IPIP is better.

I wish you good luck and patience
 
zykki
just joined
Topic Author
Posts: 10
Joined: Thu Feb 03, 2022 10:29 pm

Re: EoIP split traffic

Fri Jan 13, 2023 10:31 pm

So today after work I tried IPIP between two branch offices... I even managed to get OSPF up and running.

OSPF worked great if I had different subnets on the branches, but I couldn't set it up for the same subnet on both branches (I have 3 vlans, which I need to repeat in all branches)

You're right that trying a functioning infrastructure is suicide :lol:

btw, at first glance I had the feeling that EoIP was a little faster than IPIP :shock:
Last edited by zykki on Mon Jan 16, 2023 12:45 pm, edited 1 time in total.
 
zykki
just joined
Topic Author
Posts: 10
Joined: Thu Feb 03, 2022 10:29 pm

Re: EoIP split traffic

Mon Jan 16, 2023 12:39 pm

After the weekend and a massive study of the MikroTik documentation, I think the only solution is to use IPIP in combination with EoIP. Because if I need the same network on both branches, I can't do it via IPIP... or do you have some other idea?

this is our current network configuration:
network_map.png
 
tdw
Forum Guru
Posts: 1843
Joined: Sat May 05, 2018 11:55 am

Re: EoIP split traffic

Mon Jan 16, 2023 3:03 pm

Your original question

> Is it possible to create something like split traffic?
> I mean that the default gateway for the devices at branch offices would be the Mikrotik in that office, and only internal company traffic would be sent over EoIP

and

> Because if I need the same network on both branches

are not compatible. To be able to make routing decisions at branch offices you need different networks at each location.
 
zykki
just joined
Topic Author
Posts: 10
Joined: Thu Feb 03, 2022 10:29 pm

Re: EoIP split traffic

Mon Jan 16, 2023 3:17 pm

> Your original question
>
> > Is it possible to create something like split traffic?
> > I mean that the default gateway for the devices at branch offices would be the Mikrotik in that office, and only internal company traffic would be sent over EoIP
>
> and
>
> > Because if I need the same network on both branches
>
> are not compatible. To be able to make routing decisions at branch offices you need different networks at each location.

We have multiple subnets on each site... some subnets I need routed only on site and some need to be reachable across all sites...
 
tdw
Forum Guru
Posts: 1843
Joined: Sat May 05, 2018 11:55 am

Re: EoIP split traffic  [SOLVED]

Mon Jan 16, 2023 4:06 pm

Use GRE, IPIP or other IP tunnel plus routing for any subnets which are unique to a site. For any subnets which are shared across sites you are stuck with EoIP and a single gateway.
 
zykki
just joined
Topic Author
Posts: 10
Joined: Thu Feb 03, 2022 10:29 pm

Re: EoIP split traffic

Mon Jan 16, 2023 4:10 pm

> Use GRE, IPIP or other IP tunnel plus routing for any subnets which are unique to a site. For any subnets which are shared across sites you are stuck with EoIP and a single gateway.

I will probably do it this way. One more question. Use EoIP inside IPIP or create EoIP independent of IPIP?? If I use it inside, do I have to turn on IPSec or does it already encrypt IPIP?
 
tdw
Forum Guru
Posts: 1843
Joined: Sat May 05, 2018 11:55 am

Re: EoIP split traffic

Mon Jan 16, 2023 4:37 pm

Offhand I'm not sure if multiple tunnels between the same public IP addresses will work with IPsec, the generated policies may interfere with each other so it would need testing.

If you only used IPsec for the IPIP tunnel and established the EoIP tunnel between some internal IP addresses then the EoIP tunnel traffic is protected by the IPIP tunnel IPsec, however you do have the additional encapsulation overheads.
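
The layout from tdw's last two answers (a routed IP tunnel for site-unique subnets, EoIP only for the shared subnet, with the EoIP endpoints on the tunnel's internal addresses so the IPIP tunnel's IPsec covers it), written out as RouterOS configuration for the branch router. This is an added example, not configuration posted by anyone in the thread; every address, interface name, the tunnel-id and the secret are placeholder assumptions, and the head office side would mirror it with the addresses swapped.

```routeros
# Branch router. Added example; every address, name and secret is a placeholder.
# Assumed: branch WAN 203.0.113.10 on ether1-wan, HQ WAN 198.51.100.1,
# HQ-only subnets 10.10.0.0/16, shared VLAN 30 present locally as vlan30-local.

# 1. Routed tunnel for subnets unique to a site. IPIP does not encrypt by
#    itself; ipsec-secret makes RouterOS build the IPsec peer and policy.
#    Fast path has to be off for a tunnel that uses ipsec-secret.
/interface ipip add name=ipip-hq local-address=203.0.113.10 \
    remote-address=198.51.100.1 ipsec-secret="REPLACE-WITH-LONG-RANDOM-SECRET" \
    allow-fast-path=no
/ip address add address=172.16.0.2/30 interface=ipip-hq

# Only company prefixes go into the tunnel. The default route stays on the
# branch's own WAN, which is the "split" asked about in the first post.
/ip route add dst-address=10.10.0.0/16 gateway=172.16.0.1

# 2. Shared subnet: EoIP between the internal /30 addresses, with no
#    ipsec-secret of its own, so it rides inside the IPsec-protected IPIP
#    tunnel and no second IPsec policy is generated for the public IP pair.
#    The extra encapsulation adds overhead, as noted in the reply above.
/interface eoip add name=eoip-hq-v30 local-address=172.16.0.2 \
    remote-address=172.16.0.1 tunnel-id=30
/interface bridge add name=br-shared30
/interface bridge port add bridge=br-shared30 interface=eoip-hq-v30
/interface bridge port add bridge=br-shared30 interface=vlan30-local

# 3. EoIP is GRE-based (IP protocol 47). Here it is only expected inside
#    ipip-hq, so drop it when it arrives directly on the WAN interface.
#    Place this above any broader accept rule in the input chain.
/ip firewall filter add chain=input in-interface=ether1-wan protocol=gre \
    action=drop comment="EoIP only via IPsec-protected IPIP"
```

After applying it, `/ip ipsec policy print` and `/ip ipsec installed-sa print` show whether the dynamic policy for the IPIP tunnel exists and whether security associations are actually established before any shared-subnet traffic is moved onto the bridge.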
