EOIP over Wireguard (For RoMon purposes only)

gigabyte091 · Sun Jan 07, 2024 9:54 am

This new topic is a continuation of this topic: viewtopic.php?t=202673

Goal is to use EOIP so all future routers that are connected to the office via Wireguard are discovered by winbox. (With a use of romon) No bridging of subnets are required.

For that only thing is to create tunnels between main router and remote routers without putting eoip interface as bridge member ?

Wireguard is running at 1420 MTU but EOIP requires 1500 MTU to avoid fragmentation. How to avoid that ? Is it possible to decrease MTU of EOIP tunnel ?

Sun Jan 07, 2024 9:46 pm

No need to adjust.
Worst case there may be some fragmentation but for romon purposes, that's not a big deal.

gigabyte091 · Mon Jan 08, 2024 7:10 am

What about multiple routers that connects to central router via wireguard ? EoIP is point to point or point to multipoint is possible ?

This is what @Amm0 wrote on another topic, im posting it here so everybody can see it:

To use RoMON with WG, it's easy.
1. Add EoIP interface on BOTH routers.
2. Configure EoIP to use WG interface's IPs (e.g. EoIP address for remote/local is other/same as /ip/address for WG interface). You do NOT need IPSec (since using WG).
3. In /tool/romon, enable/check RoMON on BOTH routers. You can set a secret if you'd want, it just has to match on BOTH. Leave ID alone, should be automatic.
4. More importantly, if the goal is JUST RoMON (e.g. WG is setup/working as desired separately)... then EoIP does NOT need to be bridged for RoMON to access it. e.g. since EoIP just connects the router with a Ethernet-like interface (which RoMON will find)... all the IP/L3 LAN stuff follows IP routing/firewall as previously configured. EoIP is only used to enable RoMON over WG, but NOT normal LAN traffic.

gigabyte091 wrote: ↑Sun Jan 07, 2024 8:02 pm
What about MTU ? WG is running at 1420 but for EOIP is recommended 1500 to avoid packet fragmentation.

If the goal is RoMON, fragmentation won't matter... just not a lot of data.
Although you can set MTU to 1380 on the EoIP interface if you want*. (I'm just not sure the min packet size for RoMON — why leaving it 1500 may be safer)

gigabyte091 · Mon Jan 08, 2024 7:48 am

I tried to create EoIP tunnel between two router but it's not running. VPN is working, I can ping addresses but of WG interfaces from each router but tunnel is not running.

Here is config of R1:

# 2024-01-08 06:37:44 by RouterOS 7.12
# software id = XXXX-XXXX
#
# model = RB4011iGS+
# serial number = XXXXXXXXXX
/interface bridge
add admin-mac=XX:XX:XX:XX:XX:XX auto-mac=no comment=defconf name=bridge \
    vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment=WAN
set [ find default-name=ether4 ] comment=Trunk_SW_2
set [ find default-name=ether5 ] comment=Trunk_SW_1
set [ find default-name=ether10 ] comment=iLO_VM_srv
/interface eoip
add local-address=10.0.0.1 mac-address=XX:XX:XX:XX:XX:XX mtu=1500 name=\
    eoip-tunnel1 remote-address=10.0.0.4 tunnel-id=10
/interface wireguard
add listen-port=XXXXX mtu=1420 name=wireguard1
/interface vlan
add comment="" interface=bridge name=VLAN_100 vlan-id=100
add comment="" interface=bridge name=VLAN_150 vlan-id=150
add comment="" interface=bridge name=VLAN_200 vlan-id=200
add comment="" interface=bridge name=VLAN_210 vlan-id=210
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=DNS
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool1 ranges=\
    192.168.100.1-192.168.100.99,192.168.100.101-192.168.100.254
add name=dhcp_pool2 ranges=\
    192.168.150.1-192.168.150.99,192.168.150.101-192.168.150.254
add name=dhcp_pool3 ranges=\
    192.168.200.1-192.168.200.99,192.168.200.101-192.168.200.254
add name=dhcp_pool4 ranges=\
    192.168.210.1-192.168.210.99,192.168.210.101-192.168.210.254
/ip dhcp-server
add address-pool=dhcp_pool1 interface=VLAN_100 lease-time=1d name=dhcp1
add address-pool=dhcp_pool2 interface=VLAN_150 lease-time=1d name=dhcp2
add address-pool=dhcp_pool3 interface=VLAN_200 lease-time=1d name=dhcp3
add address-pool=dhcp_pool4 interface=VLAN_210 lease-time=1d name=dhcp4
/port
set 0 name=serial0
set 1 name=serial1
/interface bridge port
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether2 pvid=100
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether3 pvid=150
add bridge=bridge comment=defconf frame-types=admit-only-vlan-tagged \
    interface=ether4
add bridge=bridge comment=defconf frame-types=admit-only-vlan-tagged \
    interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether9 pvid=100
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether10 pvid=100
add bridge=bridge comment=defconf interface=sfp-sfpplus1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes
/interface bridge vlan
add bridge=bridge tagged=bridge,ether5,ether4 untagged=ether10,ether9 \
    vlan-ids=100
add bridge=bridge tagged=bridge,ether5,ether4 untagged=ether3 vlan-ids=150
add bridge=bridge tagged=bridge,ether5,ether4 vlan-ids=200
add bridge=bridge tagged=bridge,ether5 vlan-ids=210
/interface list member
add comment=defconf interface=ether1 list=WAN
add interface=VLAN_100 list=LAN
add interface=VLAN_150 list=LAN
add interface=VLAN_200 list=LAN
add interface=VLAN_210 list=LAN
add interface=wireguard1 list=LAN
add interface=VLAN_150 list=DNS
add interface=VLAN_200 list=DNS
add interface=VLAN_100 list=DNS
add interface=VLAN_210 list=DNS
/interface wireguard peers
add allowed-address=10.0.0.2/32 comment="laptop" interface=wireguard1 \
    public-key=""
add allowed-address=10.0.0.3/32 comment="phone" interface=wireguard1 \
    public-key=""
add allowed-address=10.0.0.4/32,192.168.88.0/24 interface=wireguard1 \
    public-key=""
/ip address
add address=192.168.100.100/24 comment="" interface=\
    VLAN_100 network=192.168.100.0
add address=192.168.150.100/24 comment="" interface=VLAN_150 network=\
    192.168.150.0
add address=192.168.200.100/24 comment="" interface=VLAN_200 \
    network=192.168.200.0
add address=PublicIP comment=WAN interface=ether1 network=PublicIP
add address=192.168.210.100/24 comment="" interface=VLAN_210 network=\
    192.168.210.0
add address=10.0.0.1/24 comment=VPN interface=wireguard1 network=10.0.0.0

/ip dhcp-server lease

/ip dhcp-server network
add address=192.168.100.0/24 dns-server=192.168.100.103 gateway=\
    192.168.100.100
add address=192.168.150.0/24 dns-server=192.168.100.103 gateway=\
    192.168.150.100
add address=192.168.200.0/24 dns-server=192.168.100.103 gateway=\
    192.168.200.100
add address=192.168.210.0/24 dns-server=192.168.100.103 gateway=\
    192.168.210.100
/ip dns
set allow-remote-requests=yes servers=PublicIP
/ip firewall address-list
add address=10.0.0.2 comment="laptop" list=Admin
add address=10.0.0.3 comment="phone" list=Admin
add address=192.168.100.92 comment=PC list=Admin
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment=Winbox dst-port=8291 in-interface-list=\
    LAN protocol=tcp src-address-list=Admin
add action=accept chain=input comment=DNS-UDP dst-port=53 in-interface-list=\
    LAN protocol=udp
add action=accept chain=input comment=DNS-TCP dst-port=53 in-interface-list=\
    LAN protocol=tcp
add action=accept chain=input comment=VPN dst-port=XXXXX in-interface-list=\
    WAN protocol=udp
add action=drop chain=input comment="drop all else"
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward comment="Internet traffic" in-interface-list=\
    LAN out-interface-list=WAN
add action=accept chain=forward comment="Fwd to DNS" dst-address=\
    192.168.100.103 in-interface-list=LAN
add action=accept chain=forward comment="Access to R2-outgoing" \
    out-interface=wireguard1 src-address=192.168.100.0/24
add action=accept chain=forward in-interface=wireguard1 out-interface-list=\
    LAN src-address-list=Admin
add action=accept chain=forward comment="Wireguard relay" in-interface=\
    wireguard1 out-interface=wireguard1
add action=accept chain=forward comment="Port forwarding" \
    connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=53 in-interface-list=LAN protocol=\
    tcp src-address=!192.168.100.103 to-addresses=192.168.100.103
add action=dst-nat chain=dstnat dst-port=53 in-interface-list=LAN protocol=\
    udp src-address=!192.168.100.103 to-addresses=192.168.100.103
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=PublicIP routing-table=main \
    suppress-hw-offload=no
add disabled=no dst-address=192.168.88.0/24 gateway=wireguard1 routing-table=\
    main suppress-hw-offload=no
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ipv6 firewall filter
add action=drop chain=input
add action=drop chain=forward
/system clock
set time-zone-name=Europe/Zagreb
/system identity
set name=Ured
/system logging
add topics=wireguard
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool romon
set enabled=yes

And R2:

# 2024-01-08 06:46:20 by RouterOS 7.13
# software id = XXXX-XXXX
#
# model = L41G-2axD&FG621-EA
# serial number = XXXXXXXXXXX
/interface bridge
add admin-mac=XX:XX:XX:XX:XX:XX auto-mac=no comment=defconf name=bridge \
    port-cost-mode=short
/interface wifi
set [ find default-name=wifi1 ] channel.band=2ghz-ax .skip-dfs-channels=\
    10min-cac .width=20/40mhz configuration.mode=ap .ssid=MikroTik-0E0DCD \
    security.authentication-types=wpa2-psk,wpa3-psk
/interface lte
set [ find default-name=lte1 ] allow-roaming=no band=""
/interface eoip
add local-address=10.0.0.4 mac-address=XX:XX:XX:XX:XX:XX mtu=1500 name=\
    eoip-tunnel1 remote-address=10.0.0.1 tunnel-id=10
/interface wireguard
add listen-port=XXXXX mtu=1420 name=wireguard1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] apn=internet.telemach.hr use-network-apn=no
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge lease-time=10m name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether1 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=ether2 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=ether3 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=ether4 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=wifi1 internal-path-cost=10 \
    path-cost=10
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=lte1 list=WAN
add interface=wireguard1 list=LAN
/interface wireguard peers
add allowed-address=10.0.0.0/24,192.168.100.0/24 endpoint-address=PublicIP \
    endpoint-port=XXXXX interface=wireguard1 persistent-keepalive=30s \
    public-key=""
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=10.0.0.4/24 comment=VPN interface=wireguard1 network=10.0.0.0
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall address-list
add address=10.0.0.2 list=Admin
add address=10.0.0.3 list=Admin
add address=192.168.88.254 list=Admin
add address=192.168.100.92 list=Admin
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment=Winbox_admin dst-port=8291 \
    in-interface-list=LAN protocol=tcp src-address-list=Admin
add action=accept chain=input comment=DNS-UDP dst-port=53 in-interface-list=\
    LAN protocol=udp
add action=accept chain=input comment=DNS-TCP dst-port=53 in-interface-list=\
    LAN protocol=tcp
add action=drop chain=input comment="drop all else"
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward comment="Internet traffic" in-interface-list=\
    LAN out-interface-list=WAN
add action=accept chain=forward comment="Access from R1 incomming" \
    dst-address=192.168.88.0/24 in-interface=wireguard1
add action=drop chain=forward comment="drop all else"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip route
add disabled=no dst-address=192.168.100.0/24 gateway=wireguard1 \
    routing-table=main suppress-hw-offload=no
/ipv6 firewall filter
add action=drop chain=input
add action=drop chain=forward
/system clock
set time-zone-name=Europe/Zagreb
/system leds
add interface=lte1 leds=user-led type=interface-activity
/system logging
add topics=wireguard
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool romon
set enabled=yes

anav · Mon Jan 08, 2024 3:59 pm

Dont look at me

. You need the expert and prompt advice of the perps Ammo and Holvoe to the rescue!!

gigabyte091 · Mon Jan 08, 2024 4:14 pm

Hehe, I know you are also waiting for their respose

Amm0 · Mon Jan 08, 2024 10:44 pm

Opps, firewall issue I think... Basically protocol=gre needs to be allowed on input from IP of remote in EoIP tunnel.

e.g.
R1:
/ip/firewall/filter/add chain=input protocol=gre src-address=10.0.0.4/32 action=accept
R2:
/ip/firewall/filter/add chain=input protocol=gre src-address=10.0.0.1/32 action=accept

Amm0 · Mon Jan 08, 2024 10:47 pm

FWIW...to actually use RoMON, you connect via IP/MAC one of the routers in winbox using "Connect using RoMON". THEN...a list of RoMON devices will appear & you connect again using one for the devices listed in "RoMON Neighbors".

gigabyte091 · Tue Jan 09, 2024 7:53 am

That did the trick

It's working now

Posting R1 and R2 firewall config so @anav can criticize my rule placement

R1:

/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment=Winbox dst-port=8291 in-interface-list=\
    LAN protocol=tcp src-address-list=Admin
add action=accept chain=input comment=DNS-UDP dst-port=53 in-interface-list=\
    LAN protocol=udp
add action=accept chain=input comment=DNS-TCP dst-port=53 in-interface-list=\
    LAN protocol=tcp
add action=accept chain=input comment=VPN dst-port=XXXXX in-interface-list=\
    WAN protocol=udp
add action=accept chain=input comment=EoIP protocol=gre src-address=10.0.0.4
add action=drop chain=input comment="drop all else"
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward comment="Internet traffic" in-interface-list=\
    LAN out-interface-list=WAN
add action=accept chain=forward comment="Fwd to DNS" dst-address=\
    192.168.100.103 in-interface-list=LAN
add action=accept chain=forward comment="Access to R2-outgoing" \
    out-interface=wireguard1 src-address=192.168.100.0/24
add action=accept chain=forward in-interface=wireguard1 out-interface-list=\
    LAN src-address-list=Admin
add action=accept chain=forward comment="Wireguard relay" in-interface=\
    wireguard1 out-interface=wireguard1
add action=accept chain=forward comment="Port forwarding" \
    connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"

R2:

/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment=Winbox_admin dst-port=8291 \
    in-interface-list=LAN protocol=tcp src-address-list=VPN
add action=accept chain=input comment=DNS-UDP dst-port=53 in-interface-list=\
    LAN protocol=udp
add action=accept chain=input comment=DNS-TCP dst-port=53 in-interface-list=\
    LAN protocol=tcp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=drop chain=input comment="drop all else"
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=accept chain=forward comment="Internet traffic" in-interface-list=\
    LAN out-interface-list=WAN
add action=accept chain=forward comment="Access from R1 incomming" \
    dst-address=192.168.88.0/24 in-interface=wireguard1
add action=drop chain=forward comment="drop all else"

That is from one router to another, but is it possible to have multiple routers ? I presume that is not possible for one EoIP interface to have multiple connections ?

Tue Jan 09, 2024 7:58 am

EOIP is point to point but you can have multiple EOIP interfaces running on one device ( provided you take care of unique ID for each interfaces).

Look at it as a cable between 2 ether ports.

anav · Tue Jan 09, 2024 1:25 pm

Funny I log into all my routers via winbox over wireguard without ROMON.
I am not so lazy LOL. Just type in the IP address and winbox port at the top............. EOIP not required ;-PP

Tue Jan 09, 2024 1:30 pm

Yeah but ... if your IP setup is somehow bust, you're a dead fish too.
No IP access anymore.

Romon will still allow you to access those devices then via EOIP over wireguard (provided that channel is still operational).
Zerotier will work as well for the same reason (L2 access).

anav · Tue Jan 09, 2024 1:48 pm

Yeah but ... if your IP setup is somehow bust, you're a dead fish too.
No IP access anymore.

Romon will still allow you to access those devices then via EOIP over wireguard (provided that channel is still operational).
Zerotier will work as well for the same reason (L2 access).

I have a different fear, that ROMON will allow me to connect even though my setup is wrong LOL and thus I will never know about or find my errors/

and yes I am a lazy assed biatch locally and use winbox LOL (user name and password only), so not being consistent.

I have decided to give the EOIP ROMON a go, in the near term to see it in action.

gigabyte091 · Tue Jan 09, 2024 2:29 pm

EOIP is point to point but you can have multiple EOIP interfaces running on one device ( provided you take care of unique ID for each interfaces).

Look at it as a cable between 2 ether ports.

It's not a problem to create new EoIP interface on remote routers but on main router I have only one IP on wireguard interface so i can't use it anymore. How did you manage that ?

Tue Jan 09, 2024 3:27 pm

Same as with any other IP.
Same WG IP address for the other EOIP tunnel.
Only make sure to use another unique identifier to identify the other tunnel.
(tip: starting from internal IP address of the "remote site" I use value of 3th octet x 256 + value of 4th octet as key, this is unique across the complete setup of my customer)

See screenshot.
First 2 are via Wireguard. All the rest is via MPLS, all those remote devices are terminating on the same IP address of that RB5009.

Assume you have 3 sites:
A: 10.0.0.1
B: 10.0.0.2
C: 10.0.0.3

You want to use B as pivot point
Make EOIP from 10.0.0.1 to 10.0.0.2 using ID 12345
Make EOIP from 10.0.0.3 to 10.0.0.2 using ID 45678

Same IPs where you are going to but the unique identifiers make sure those tunnels stay separate.

gigabyte091 · Tue Jan 09, 2024 3:46 pm

That's what I wanted to know, so i create as many eoip interfaces on main router as i need, for local address i put wireguard interface IP on each eoip interface and remote address is remote router wireguard interface IP.

Also on main router i presume that single address in firewall rule is not enough so address list with allowed remote eoip interface addresses need to be created.

anav · Tue Jan 09, 2024 7:33 pm

Sweet, I will be adding a remote RB4011 via WG to a ROMON list next week.
For now, I want to try it locally. I have an RB450G attached to my main router but natted and it doesnt show up on my winbox list and I would like it to!!!

No wg just Main ROUTER LAN to RB450G with local LAN address also the WANIP for the RB450G.
Can I make an EOIP connection between the two to make this winbox magic happen ( no wireguard )

Tue Jan 09, 2024 7:47 pm

You need two reachable ip addresses on both devices. They need to see each other, as a matter of speaking.
But you got it all backwards.

You may want to start with describing user requirements, drawing of your network setup and export of all related devices

Amm0 · Tue Jan 09, 2024 7:56 pm

Can I make an EOIP connection between the two to make this winbox magic happen ( no wireguard )

Sure. The remote address just needs to be routable. And protocol=gre needs to be allow (however) in the "input" chain for that address. GRE the actual protocol under-the-covers, its neither TCP nor UDP – why some treatment in the firewall (perhaps adding EoIP to the LAN interface-list work too)

Now if the EoIP remote is over the internet, you'd want to use WG as shown here. Or, instead of WG when encryption is needs, EoIP has the "Enable IPSec" (where you set same password on both) – but EoIP+IPSec requires BOTH sides to have public IPs for IPSec – EoIP+WG only requires one side to have a public IP...

gigabyte091 · Tue Jan 09, 2024 8:11 pm

GRE the actual protocol under-the-covers, its neither TCP nor UDP – why some treatment in the firewall (perhaps adding EoIP to the LAN interface-list work too)

Will test this tomorrow, instead of defining src.address in firewall rule we can put eoip as lan member and use in-interface-list=LAN instead. That would eliminate the need of address list

anav · Tue Jan 09, 2024 8:33 pm

You need two reachable ip addresses on both devices. They need to see each other, as a matter of speaking.
But you got it all backwards.

You may want to start with describing user requirements, drawing of your network setup and export of all related devices

Glad to see the brainwashing is working!! Now send chocolates will send address in email!!

gigabyte091 · Wed Jan 10, 2024 3:41 pm

Tested today, added eoip to LAN list and replaced src address with in-interface-list=LAN, works without a problem.

Connected few more remote routers, created eoip tunnels, works like a charm.

anav · Wed Jan 10, 2024 6:54 pm

Do you set GRE protocol or not?

gigabyte091 · Wed Jan 10, 2024 7:46 pm

Yes, gre is set as protocol. On remote router i left src address. I was lazy...

Amm0 · Wed Jan 10, 2024 8:51 pm

Yes, gre is set as protocol. On remote router i left src address. I was lazy...

@gigabyte091's firewall is pretty restrictive, why a specific rule is needed. But imagine in most cases...the WG peer is already broadly allowed on "input" chain to router.

They key part is WG peer is accept somehow on input filter chain – that's all that's needed. Since some folks use interface-list, that works. But the specific peer IP as src-address and protocol=gre is what's strictly needed for EoIP+WG for RoMON.

Keep in mind where talking about the OUTER tunnel traffic here (e.g. before decapsulation), why GRE is needed since that's what the EoIP tunnel uses. The traffic INSIDE the tunnel is the EoIP interface itself (after decapsulation). But since RoMON doesn't use IP, no firewall changes are needed to allow the RoMON ether-type packets that live INSIDE the tunnel, since there is no IPv4 at that point.

anav · Thu Jan 11, 2024 2:28 am

Yes, gre is set as protocol. On remote router i left src address. I was lazy...

Showing the config or pertinent parts thereof would be nice!

gigabyte091 · Thu Jan 11, 2024 2:15 pm

No problem, here is FW rule on main router:

 ;;; EoIP
      chain=input action=accept protocol=gre 
      in-interface-list=LAN log=no log-prefix=""

Can't put in code because function doesn't work for some reason...

EDIT: Thank you @holvoetn

Amm0 · Thu Jan 11, 2024 9:58 pm

No problem, here is FW rule on main router:
Code: Select all
 ;;; EoIP
      chain=input action=accept protocol=gre 
      in-interface-list=LAN log=no log-prefix=""

And that works because wiregard1 is a member of LAN. e.g. @gigabyte091 has the following:
/interface list member add interface=wireguard1 list=LAN

Basically you need to combine protocol=gre with either src-address= or in-interface-list= or in-interface= in a /ip/firewall/filter chain=input you should be good.

FWIW, With the default firewall and BTH... I'm not sure any firewall changes be needed to use EoIP+WG (other than enabling RoMON and using WG address in an EoIP interface as described above).

gigabyte091 · Fri Jan 12, 2024 6:00 am

@Amm0

Thank you for your help, on my side everything is working.

@anav is it working on your side ?

anav · Fri Jan 12, 2024 4:30 pm

I am hoping to get time this weekend. Nothing as extravagant, just Main Router to natted router and if successful will do wireguard to remote router next.

anav · Sat Jan 13, 2024 3:01 pm

Okay I think I have EOIP setup not sure if its working but I see traffic pings on the direction natted RB450G to the CCR but not the reverse.
Doesnt make sense for both to have a keep alive?? Enabled romon, no ID, no password. On new winbox hit the romon box and NOTHING..............

Okay it was me not reading right on how to get the RBG450 to show up............
Sadly then my hex switch and capac disappeared....... I wanted ALL to show up on one list........

Also, when I open winbox I wanted all to show up, without having to select one with the right password and then hit ROMON.

Sat Jan 13, 2024 4:17 pm

Make a new thread and post your config so we can check

You always have to select one known router in Winbox (through MAC or IP) and then select "Connect to ROMON".
Then the rest will appear (but not the one you're using as Romon-pivot).

Amm0 · Sat Jan 13, 2024 4:24 pm

Also, when I open winbox I wanted all to show up, without having to select one with the right password and then hit ROMON.

That be nice, but not how it works. RoMON is a poor mans substitute for Zerotier, which get you all your neighbors showing up on the "normal" winbox list. But RoMON require the two-step "Connect to RoMON" dance. Basically RoMON is same idea your "off-bridge management port": you hope not have to use it, but nice it's there when you do.

Behind the scenes, RouterOS acts as RoMON "proxy" for winbox – winbox doesn't "speak" RoMON directly (e.g. use packets with RoMON L2 ether-type). Thus need to connect somehow to one router, anywhere to get the RoMON neightbors and it's the first router that then "proxies" winbox protocol over RoMON ethernet. Now, the "Connect to RoMON" can happen by MAC address, but winbox does need to be connect to somehow to some router on the "RoMON network".

anav · Sat Jan 13, 2024 5:27 pm

holvoe, you doth create more work than necessary LOL.
Got it, will try creating EOIP on switch and capac to see if they show up as well..........

gre47 · Sun Feb 16, 2025 7:58 am

hi, i want the similar setup, differences is the wireguard connect to my cloudflare zero trust tunnel. had try all the options in this post, not shown anything in Romon Discover, but the EOIP packet traffic seems in the counter. is there specific setup if use WG for Cloudflare?

Amm0 · Sun Feb 16, 2025 8:45 pm

hi, i want the similar setup, differences is the wireguard connect to my cloudflare zero trust tunnel. had try all the options in this post, not shown anything in Romon Discover, but the EOIP packet traffic seems in the counter. is there specific setup if use WG for Cloudflare?

No, it be very similar. If the tunnel is up, you should be able to Argo/ZeroTrust tunnel IPs in the /interface/eoip/add. Basically far end Mikrotik has to ping'able via your tunnel, and it should work. Now, stuff like allowing GRE through any firewall rules on the Argo/ZeroTrust might have include "gre".

Cloudflare has an article on GRE, which is what EoIP uses here: https://www.cloudflare.com/learning/net ... tunneling/

Now, MTU with EoIP is a different set of concerns. I'd start with 1500 for testing. But you, essentially, got two choices – at high level:
- leave EoIP MTU to 1500, accept potential fragmentation, but maxize compatibility, especially with UDP
- adjust MTU based loss from BOTH EoIP and tunnel headers (and perhaps add adjust-mss rule for TCP).
One MTE approach is not necessarily "better" than other... your exact uses cases and traffic. But if you see performance issue with EoIP over Cloudflare(/WG), MTU be the place to look first IMO.

gre47 · Mon Feb 17, 2025 10:15 am

im super newbie for this kind thing, also limited by my lack of English, but i've tried MTU to 1500 on both side, no working, even the "R" status of the EOIP not shown.
But ping for both sides result normal.
is it needed for me to share my firewall rules here or full config? and what command to do in the terminal?

flipy · Wed Mar 12, 2025 9:37 pm

I have a WAP60G connected to a HAP AC3 on a remote location and lost access to it due to a bad firmware upgrade.
The WAP60G was rebooting into etherboot.
The HAP AC3 did not have container mode enabled to be able to deploy a netinstall container.
I had a WG tunnel between both sites.
I was able to enable EoIP on both routers (HAP AC3 and local router) and run netinstall successfully.

Hopefully it helps on understanding the feasibility of EoIP over WG.

As a note, on the local device I had to create a new bridge and assign a local ethernet along with the EoIP interface. On the remote site I only had to enable the EoIP and add it to the existing bridge, because it was a flat network with a single CIDR.

EOIP over Wireguard (For RoMon purposes only) [SOLVED]

EOIP over Wireguard (For RoMon purposes only)

Re: EOIP over Wireguard (For RoMon purposes only)

Re: EOIP over Wireguard (For RoMon purposes only)

Re: EOIP over Wireguard (For RoMon purposes only)

Re: EOIP over Wireguard (For RoMon purposes only)

Re: EOIP over Wireguard (For RoMon purposes only)

Re: EOIP over Wireguard (For RoMon purposes only)

Re: EOIP over Wireguard (For RoMon purposes only)

Re: EOIP over Wireguard (For RoMon purposes only)

Re: EOIP over Wireguard (For RoMon purposes only)

Re: EOIP over Wireguard (For RoMon purposes only)

Re: EOIP over Wireguard (For RoMon purposes only)

Re: EOIP over Wireguard (For RoMon purposes only)

Re: EOIP over Wireguard (For RoMon purposes only)

Re: EOIP over Wireguard (For RoMon purposes only)

Re: EOIP over Wireguard (For RoMon purposes only)

Re: EOIP over Wireguard (For RoMon purposes only)

Re: EOIP over Wireguard (For RoMon purposes only)

Re: EOIP over Wireguard (For RoMon purposes only)

Re: EOIP over Wireguard (For RoMon purposes only)

Re: EOIP over Wireguard (For RoMon purposes only)

Re: EOIP over Wireguard (For RoMon purposes only)

Re: EOIP over Wireguard (For RoMon purposes only)

Re: EOIP over Wireguard (For RoMon purposes only)

Re: EOIP over Wireguard (For RoMon purposes only)

Re: EOIP over Wireguard (For RoMon purposes only)

Re: EOIP over Wireguard (For RoMon purposes only)

Re: EOIP over Wireguard (For RoMon purposes only) [SOLVED]

Re: EOIP over Wireguard (For RoMon purposes only)

Re: EOIP over Wireguard (For RoMon purposes only)

Re: EOIP over Wireguard (For RoMon purposes only)

Re: EOIP over Wireguard (For RoMon purposes only)

Re: EOIP over Wireguard (For RoMon purposes only)

Re: EOIP over Wireguard (For RoMon purposes only)

Re: EOIP over Wireguard (For RoMon purposes only)

Re: EOIP over Wireguard (For RoMon purposes only)

Re: EOIP over Wireguard (For RoMon purposes only)

Re: EOIP over Wireguard (For RoMon purposes only)