Suthern
just joined
Topic Author
Posts: 15
Joined: Tue Nov 24, 2009 8:43 pm

VLAN over EoIP between Cloud Routers

Sat Dec 02, 2023 1:46 am

I have two locations. At each location is a VM running RouterOS, and one interface (ether1), plus a "VLAN" interface with ID 401, on top of ether1.

My goal is to have a small stretched VLAN between the two, VLAN ID 401.

Every single guide I've run across online talks about how to bridge the local ethernet ports to the EoIP interface. I only have one ethernet interface, which happens to have the 'remote-address' that the other end uses. No way am I going to bridge that to the EoIP, creating some snake eating its own tail. :-)

Here's my config. I have no experience creating VLANS on RouterOS, so perhaps I've messed up there?

Legend:
* 10.212.1.103 and 10.200.11.163 are the two 'external' IPs that belong on their respective networks. These are the "Remote Addresses" configured in the EoIP tunnel which is up and running.
* The 10.40.1.0 network is what I'd like to stretch across the two sites. This is VLAN 401.

Interfaces:
- eoip-tun1 (on both devices) configured. Up and running from what I can tell.
- ether1 (default config on both devices, "external" IPs)
- "Test 401" added on top of ether1, via "VLAN" tab and ID set to 401. Same on both devices.
- "bridge1", same on both devices

Bridges:
- bridge1, added ports "eoip-tun1" and "Test 401". Same on both ends.

Result: I can see traffic "flashing" on the Test 401 interface and on the EoIP tunnel, but I can't ping any 10.40.1.X addresses that are on the opposing site.

Does anyone have any guidance or have run across any guides on how to do an EoIP tunnel connecting two VLANs that are physically on the same interface as the "external" addresses?

Just to be clear, both sites have other routers and public internet IPs. The RouterOS 'External IPs' are not PUBLIC IP addresses, but are routed via other devices so they can always communicate.

I feel embarrassed asking for help with what seems like such a basic question! I've used Mikrotik physical devices for a long time, but have never had to configure them for more than basic routing and switching.

Thank you ahead of time!

{edit}
I feel like this should be in the beginner section. Totally forgot that Hyper-V has only one adapter by default, and does not see VLAN tagged traffic unless explicitly set that way in Hyper-V VM settings.

-- Added a new interface in both VM settings, set to VLAN 401.
-- In RouterOS, moved "Test 401" to the ether2 interface (corresponds to the 401 tagged port in VM settings)
-- Still can't ping devices on the opposing site in the 10.40.1.0 network, but that might have to do with the VLAN tagging in the bridge1?
-- I'll play around with VLAN ports in the bridge1 and see if I can get it to work
{/edit}
 
Suthern
just joined
Topic Author
Posts: 15
Joined: Tue Nov 24, 2009 8:43 pm

Re: VLAN over EoIP between Cloud Routers

Mon Dec 04, 2023 7:10 pm

Ok, I think it SHOULD be working, but I have not been able to track down WHY it fails. I can see the broadcasts for ARP via TORCH in the bridge and on ether2 on both CHRs, but never see any replies (thus the ARP entries on the external routers remain incomplete).

Setup in site #1:
External router
- 10.40.1.2 w/ VLAN 401 (trying to bridge this VLAN)
- 10.212.1.101 w no VLAN

Hyper-V VM settings
- interface #1, no VLAN
- Interface #2, VLAN 401 set.

CHR #1 with EoIP
- Interface #1 w/ IP 10.212.1.203 (connected to VM interface #1)
- Interface #2 w/ no IP, in bridge1
- EoIP interface in bridge1 (EoIP connected to CHR #2)


Setup in Site #2:
CHR #2 with EoIP
- Interface #1 w/ IP 10.200.11.163 (connected to VM interface #1)
- Interface #2 w/ no IP, in bridge1
- EoIP interface in bridge1 (EoIP connected to CHR #1)

Hyper-V VM settings
- interface #1, no VLAN
- Interface #2, VLAN 401 set.

External router
- 10.40.1.1 w/ VLAN 401
- 10.200.1.1 w no VLAN

Tests when trying to ping 10.40.1.1 from 10.40.1.2:
- "From 10.40.1.2 icmp_seq=XX Destination Host Unreachable"
- `ip route get 10.40.1.2`: local 10.40.1.2 dev lo table src 10.40.1.2 uid 0
- `arp | grep 10.40.1.1`: 10.40.1.1 (incomplete) br401

Packets captured on ether2 of the FAR CHR clearly show broadcasts coming from the external router at one site, doing ARP requests like "who has 10.40.1.2" when trying to ping 10.40.1.2. But they don't show any replies.

Thus it seems the packets are making it ALMOST all the way to the external router (or perhaps they are), but no replies are seen. I am curious if anyone's run into this weird issue with Hyper-V and VLANs with CHR?

A packet capture on the FAR external router's "br401" port does indeed show NONE of the ARP broadcasts asking for its MAC address.

I've also tried a full packet capture on the far external router and did filters for 10.40.1.2 in src or dst, and couldn't see any of the broadcasts from ARP. So the broadcasts are visible in the bridge and on ether2 on both CHRs, but not on the target external router. Any suggestions on where to dig next?
 
sindy
Forum Guru
Posts: 11291
Joined: Mon Dec 04, 2017 9:19 pm

Re: VLAN over EoIP between Cloud Routers

Mon Dec 04, 2023 10:50 pm

By default, the virtual switches of most virtualisation platforms only forward frames whose source MAC address matches the one of the virtual NIC sending them. This has to be changed in the NIC settings in order that the vswitch would accept the frames that came via the EoIP tunnel and forward them. I don't remember the VMware name for this setting.
 
Suthern
just joined
Topic Author
Posts: 15
Joined: Tue Nov 24, 2009 8:43 pm

Re: VLAN over EoIP between Cloud Routers

Mon Dec 18, 2023 8:13 pm

Ahh, thanks for pushing me in a direction I would not have thought of.

I'm using two Hyper-V 2019 hosts, and enabling 'MAC ADDRESS CLONING' brought up the link!

Oddly though, I get random timeouts (every 10 seconds or so) when pinging across the link from router-to-router as well as pinging from devices behind the VPN hosts that use the VPN link. Not sure if this is an EoIP issue, or because I'm using the 100 Mb-only licenses. I'll reach out to their support team and see if they have other restrictions in place, or if they can give me a time-limited license so I can test it.
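Added example (mine, not the original poster's configuration and not MikroTik or Microsoft documentation): the Hyper-V host-side part of the fix sindy described and the OP confirmed, as PowerShell run on the Hyper-V host. The VM name CHR1, the adapter name VLAN401 and the vswitch name External-vSwitch are assumptions for illustration; VLAN 401 comes from the thread. What Hyper-V calls "MAC address spoofing" is the setting the OP refers to as "MAC address cloning".

```powershell
# Added example, not from the thread. Hyper-V host-side settings for a CHR VM
# that bridges an EoIP tunnel onto a VLAN. Run as administrator on the host;
# requires the Hyper-V PowerShell module.

$VMName      = 'CHR1'              # assumed VM name
$AdapterName = 'VLAN401'           # assumed name of the dedicated VLAN adapter (RouterOS ether2)
$SwitchName  = 'External-vSwitch'  # assumed external vswitch name
$VlanId      = 401                 # VLAN ID from the thread

# 1. Add the dedicated VLAN adapter if the VM does not have one yet. The default
#    single adapter never sees VLAN-tagged frames, which was the OP's first problem.
if (-not (Get-VMNetworkAdapter -VMName $VMName -Name $AdapterName -ErrorAction SilentlyContinue)) {
    Add-VMNetworkAdapter -VMName $VMName -Name $AdapterName -SwitchName $SwitchName
}

# 2. Access mode for VLAN 401: the vswitch strips the tag towards the VM and adds it
#    towards the physical NIC, so RouterOS sees plain untagged frames on ether2.
Set-VMNetworkAdapterVlan -VMName $VMName -VMNetworkAdapterName $AdapterName -Access -VlanId $VlanId

# 3. Allow the VM to send frames whose source MAC is not the adapter's own MAC.
#    The vswitch's default source-MAC filter drops exactly the frames the CHR
#    forwards out of bridge1 on behalf of hosts at the far site, which is why
#    ARP requests were visible on ether2 but never reached the external router.
#    Relax the filter only on this adapter; keep it Off on the management adapter.
Set-VMNetworkAdapter -VMName $VMName -Name $AdapterName -MacAddressSpoofing On

# 4. Read both settings back to verify.
Get-VMNetworkAdapter -VMName $VMName -Name $AdapterName | Select-Object VMName, Name, MacAddressSpoofing
Get-VMNetworkAdapterVlan -VMName $VMName -VMNetworkAdapterName $AdapterName
```

Run the same script on the second host for CHR #2. Two caveats worth keeping in mind: MAC address spoofing disables a per-VM anti-spoofing control, so enable it only on the adapter that is a bridge port, never on the one carrying the CHR's own management address; and EoIP itself carries the stretched VLAN without encryption or authentication beyond the tunnel ID, so if the path between the two "external" addresses is not fully trusted, the tunnel should be run inside IPsec (RouterOS offers an ipsec-secret option on the EoIP interface for that) rather than bare.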