xiliane
just joined
Topic Author
Posts: 5
Joined: Mon Apr 29, 2013 12:48 pm

EoIP Issues

Mon Apr 29, 2013 1:06 pm

Hi everyone,

I'm trying to establish a double VPN over two different internet connections between two RouterBOARD 750GLs.
I'm using two EoIP tunnels (that will be encrypted afterward with IPsec, but I'm not there yet). For testing purposes, I've used one direct link (an RJ45 cord between two ports, one on each router) and another one really going through the Internet. The reason I use two EoIP tunnels is to take advantage of the bonding of those kinds of tunnels, which enables load balancing and failover ability.
My problem is that only the direct EoIP tunnel is used when both are on. However, if I deactivate bonding and only use the Internet EoIP tunnel, the connection between the two networks is working fine.
I've noticed in the firewall connections window that the Internet EoIP tunnel is never assured (A) but that there are two unreplied connections (U), even if the tunnel seems to work without bonding and with the direct link deactivated.
I also have to mention that the two LANs are on two different IP networks (192.168.88.0/24 and 192.168.44.0/24).
I hope you can help me.

Johan.
 
xiliane

Re: EoIP Issues

Fri May 03, 2013 12:09 pm

Anyone?
 
xiliane

Re: EoIP Issues

Thu May 23, 2013 6:41 pm

Still no one?
 
xiliane

Re: EoIP Issues

Fri Jun 07, 2013 1:19 pm

All right, I made it work without your help...
It's not very complicated, you just have to know what you need to configure and how to do it right.
For anyone interested, here is what I've done:
- Making sure both WAN connections are working (don't forget masquerading).
- Adding two EoIP tunnels, each configured with one of the WAN's public addresses as Local Address and one of the other router's public addresses as Remote Address.
- Don't forget to set two different Tunnel IDs (I also think they have to match on both routers, meaning tunnel 0 has the same two addresses on each router, only inverted).
- Set the keepalive interval to default (10 sec).
- Add a bonding interface with both tunnels as slaves. (It's better to use the ARP link monitoring to be sure that the bonding is operating; for that you will have to put the other router's bonding IP address in "ARP IP Targets", see next step.)
- Configure an IP address for each bonding interface. I used a different subnet than the routers' LAN ones, but I guess that if you were bridging the two networks, you could use the same for everything.
- If you did not bridge the two LANs, you should add a static route with the other router's bonding address as the gateway.
- Add two static routes with two different routing marks, and then two rules forcing packets with a certain source address to go through the right WAN (maybe there is a better solution but I couldn't find one).
- Add a firewall rule to accept connections on the input chain from both public IPs of the other router (you can specify port TCP 47 if you want to only let EoIP pass).
You're done!
PS: I've added IPsec encryption over that because everything going through EoIP tunnels is unencrypted.
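
The steps listed in the post above, written out as a RouterOS configuration for one of the two routers. This is an added illustration, not the poster's own configuration: every address, interface name, tunnel ID, routing mark and the balance-rr bonding mode is an assumption, and the IPsec policy mentioned in the PS is not shown.

```routeros
# Router A (the peer, router B, mirrors this with local/remote swapped).
# Constructed placeholder values:
#   WAN1 on ether1: 203.0.113.10, gateway 203.0.113.1
#   WAN2 on ether2: 198.51.100.10, gateway 198.51.100.1
#   Router B public addresses: 192.0.2.10 (WAN1) and 192.0.2.138 (WAN2)
#   Bonding subnet 10.255.0.0/30; remote LAN 192.168.44.0/24 (from the post)

# Masquerade on both uplinks
/ip firewall nat
add chain=srcnat out-interface=ether1 action=masquerade
add chain=srcnat out-interface=ether2 action=masquerade

# One EoIP tunnel per WAN. tunnel-id differs per tunnel and matches the
# same tunnel on router B. Keepalive is left at its default.
/interface eoip
add name=eoip-wan1 local-address=203.0.113.10 remote-address=192.0.2.10 tunnel-id=1
add name=eoip-wan2 local-address=198.51.100.10 remote-address=192.0.2.138 tunnel-id=2

# Bond both tunnels; ARP monitoring probes router B's bonding address
/interface bonding
add name=bond-eoip slaves=eoip-wan1,eoip-wan2 mode=balance-rr \
    link-monitoring=arp arp-ip-targets=10.255.0.2

/ip address
add address=10.255.0.1/30 interface=bond-eoip

# Remote LAN via the bond (not bridged), plus one marked default route per WAN
/ip route
add dst-address=192.168.44.0/24 gateway=10.255.0.2
add dst-address=0.0.0.0/0 gateway=203.0.113.1 routing-mark=via-wan1
add dst-address=0.0.0.0/0 gateway=198.51.100.1 routing-mark=via-wan2

# Packets sourced from each public address leave through the matching WAN
/ip route rule
add src-address=203.0.113.10/32 table=via-wan1
add src-address=198.51.100.10/32 table=via-wan2

# Accept tunnel traffic only from router B's two public addresses.
# EoIP is encapsulated in GRE (IP protocol 47), so the rules match protocol=gre.
# Place these above any general drop rule in the input chain.
/ip firewall filter
add chain=input protocol=gre src-address=192.0.2.10 action=accept comment="EoIP from router B WAN1"
add chain=input protocol=gre src-address=192.0.2.138 action=accept comment="EoIP from router B WAN2"
```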