 
abgar
just joined
Topic Author
Posts: 16
Joined: Tue Mar 30, 2010 12:29 am

How to block DHCP through EOIP tunnel?

Thu Jan 07, 2016 5:48 pm

Hello
I have 2 LANs happily connected through EOIP. Everything works fine; machines from both LANs see each other.
I have a DHCP server in each LAN and this causes a problem. DHCP requests fly through EOIP, so a machine from LAN1 randomly gets an IP from the DHCP server in LAN2 (and it happens in both directions).
I thought it would be easy to filter and drop UDP packets 67 -> 68 on the EOIP tunnel, but MikroTik is not willing to accept that idea as EOIP is a slave.
Any ideas?
Regards
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: How to block DHCP through EOIP tunnel?

Thu Jan 07, 2016 6:09 pm

This is bad design. You shouldn't have two independent servers assigning addresses for the same range of IP addresses if you connect the two networks together.

You should make this into a routed connection with a different IP range at each end. Use DNS to enable hosts to find each other by name across the link.

If you want to filter DHCP though, you'll need to set use-ip-firewall to 'yes' on your bridge interfaces.
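For readers who still want the bridged design and just need the DHCP leak stopped, here is the use-ip-firewall approach written out as RouterOS commands, with a detection rule for rogue DHCP servers added alongside. This is an added example, not configuration from this thread; it assumes a bridge named "bridge1" with the LAN port and the tunnel "eoip-site2" as bridge ports, RouterOS v6.41 or later for the in-bridge-port/out-bridge-port matchers, and a placeholder MAC for the legitimate DHCP server.

```routeros
# Added example (not from the post): stop DHCP from crossing a bridged EoIP
# link and raise an alert if an unexpected DHCP server appears on the bridge.
# Assumed names: bridge "bridge1" containing LAN port "ether2" and tunnel
# "eoip-site2"; RouterOS v6.41+ for the in-bridge-port matchers.

# 1. Pass bridged (layer-2 forwarded) traffic through /ip firewall so that the
#    forward chain can see frames that merely transit the bridge.
/interface bridge settings set use-ip-firewall=yes

# 2. Drop both halves of the DHCP exchange on the tunnel port:
#    client -> server is UDP dst 67, server -> client is UDP dst 68.
#    Dropping only dst 67 would still let a remote server's offers reach local
#    clients, so both directions are matched.
/ip firewall filter
add chain=forward in-bridge-port=eoip-site2 protocol=udp dst-port=67,68 \
    action=drop comment="no DHCP from the remote site"
add chain=forward out-bridge-port=eoip-site2 protocol=udp dst-port=67,68 \
    action=drop comment="no DHCP to the remote site"

# 3. Detection: alert if any DHCP server other than the expected one answers
#    on bridge1. valid-server is the MAC of the legitimate server (placeholder).
/ip dhcp-server alert
add interface=bridge1 valid-server=XX:XX:XX:XX:XX:XX alert-timeout=1h \
    on-alert=":log warning \"unexpected DHCP server seen on bridge1\""
```

The two drop rules must sit above any blanket accept in the forward chain (for example an "accept established,related" rule that precedes them would not matter for the first DISCOVER, but a plain "accept all" would). Once use-ip-firewall is on, every bridged frame is evaluated by the IP firewall, so check the rest of the forward chain for rules that now unintentionally match local LAN traffic.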
 
abgar
just joined
Topic Author
Posts: 16
Joined: Tue Mar 30, 2010 12:29 am

Re: How to block DHCP through EOIP tunnel?

Thu Jan 07, 2016 6:36 pm

The design is foolproof and simple. It is prepared in case EoIP fails: when it fails, both locations work independently without obstacles. The ISP on one site is of poor quality.
 
abgar
just joined
Topic Author
Posts: 16
Joined: Tue Mar 30, 2010 12:29 am

Re: How to block DHCP through EOIP tunnel?

Thu Jan 07, 2016 6:38 pm

> you'll need to set use-ip-firewall to 'yes' on your bridge interfaces.

Thanks for this hint. I'll try.
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: How to block DHCP through EOIP tunnel?

Thu Jan 07, 2016 6:50 pm

> The design is foolproof and simple. It is prepared in case EoIP fails: when it fails, both locations work independently without obstacles. The ISP on one site is of poor quality.

No. It's not.

Routing IP solves your problem, but without the headache you're experiencing from breaking conventions.

You're experiencing a problem that shouldn't happen in the first place and looking for a solution to it. You're having to keep two sub-ranges of the LAN as separate pools in separate servers, and server 1 must give a different default GW IP address (and maybe even a different DNS server), etc. If hosts on the wrong side get the wrong info, then things are sub-optimal at best, broken at worst.

If a zoo keeper came to you and said he was having problems with alligators eating his lemurs, you would say "don't put the lemurs and alligators in the same enclosure".

If you're routing between the two networks and EoIP fails, then both networks just stop being able to reach each other, but they're independent of each other for local and internet functionality. Each network is its own self-contained entity and doesn't need to balance carefully with a different location sharing the same network.


Here's how to use routing:
On R1, set 192.168.1.1/24 as the LAN, DHCP, etc. and set 192.168.255.1/24 as the IP address on the EoIP interface.
(no bridging)
Configure a static route: 192.168.2.0/24 gateway=192.168.255.2

On R2, set 192.168.2.1/24 as the LAN, DHCP, etc. and set 192.168.255.2/24 as the IP address on the EoIP interface.
(no bridging)
Configure a static route: 192.168.1.0/24 gateway=192.168.255.1

Make sure that in each router, your masquerade rule does not match for traffic going across the EoIP tunnel.

Hosts at each network will be able to communicate with each other directly by internal IP address. If you want host names to work, use the DNS proxy on the Mikrotik as a simple fix - if your computers are using .local as the domain suffix, make entries in static DNS entries such as host1.local = 192.168.1.24 and host2.local = 192.168.2.99
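The routed design described above, written out as the RouterOS commands for R1. This is an added example rather than configuration posted in the thread; it assumes interface names "ether1-wan" (internet), "ether2-lan" (site LAN) and "eoip-site2" (tunnel), uses placeholders for the remote public address and tunnel id, and adds two firewall rules the post only implies: an explicit forward accept for site-to-site traffic and a rule keeping the DNS proxy off the WAN. R2 is the mirror image with 192.168.2.x addresses and 192.168.255.2 on the tunnel.

```routeros
# Added example (not from the post): ZeroByte's routed design for R1.
# Assumed names: "ether1-wan", "ether2-lan", "eoip-site2". Remote public
# address and tunnel-id are placeholders. R2 mirrors this with 192.168.2.1/24
# on its LAN, 192.168.255.2/24 on the tunnel and a route to 192.168.1.0/24.

/interface eoip
add name=eoip-site2 remote-address=SITE2.PUBLIC.IP.ADDR tunnel-id=10

# LAN and tunnel addressing. The EoIP interface is NOT a bridge port, so
# broadcasts (DHCP DISCOVER included) never leave the local LAN.
/ip address
add address=192.168.1.1/24 interface=ether2-lan
add address=192.168.255.1/24 interface=eoip-site2

# Local DHCP serves only the local LAN; a second server at site 2 can never
# answer these clients because there is no shared broadcast domain.
/ip pool add name=pool-lan1 ranges=192.168.1.100-192.168.1.200
/ip dhcp-server add name=dhcp-lan1 interface=ether2-lan address-pool=pool-lan1 disabled=no
/ip dhcp-server network add address=192.168.1.0/24 gateway=192.168.1.1 dns-server=192.168.1.1

# Reach site 2 via the far end of the tunnel.
/ip route add dst-address=192.168.2.0/24 gateway=192.168.255.2

# Masquerade only what leaves towards the internet, so site-to-site traffic
# keeps its real source address (the post's warning about the masquerade rule).
/ip firewall nat
add chain=srcnat out-interface=ether1-wan action=masquerade

# Per-site policy lives here in a routed design. Keep the accept rule above
# any blanket drop in the forward chain, and do not expose the DNS proxy
# (allow-remote-requests=yes) to the internet.
/ip firewall filter
add chain=forward in-interface=eoip-site2 src-address=192.168.2.0/24 \
    dst-address=192.168.1.0/24 action=accept comment="site 2 -> site 1"
add chain=input in-interface=ether1-wan protocol=udp dst-port=53 action=drop \
    comment="DNS proxy is for the LAN and the tunnel only"
add chain=input in-interface=ether1-wan protocol=tcp dst-port=53 action=drop

# Name resolution across sites without a shared broadcast domain.
/ip dns set allow-remote-requests=yes
/ip dns static
add name=host1.local address=192.168.1.24
add name=host2.local address=192.168.2.99
```

Because the tunnel carries only routed unicast, the forward accept rule is the single place where cross-site reachability is decided; narrowing its src-address/dst-address or adding protocol matchers restricts what site 2 may reach at site 1, which is the management and security advantage ZeroByte describes later in the thread.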
 
abgar
just joined
Topic Author
Posts: 16
Joined: Tue Mar 30, 2010 12:29 am

Re: How to block DHCP through EOIP tunnel?

Wed Jul 27, 2016 11:58 am

Thanks for the tip.
I managed to configure it both ways, yours and mine, and tested them.
The overall performance is the same, while in your solution some Windows services were not advertised equally in both LANs.
I appreciate that your solution is more... elegant :)
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: How to block DHCP through EOIP tunnel?

Wed Jul 27, 2016 6:54 pm

Good to see that you got things working in both manners.

They should definitely perform the same because performance isn't the issue. It's a case of simplicity in management and troubleshooting. It is true that routing will eliminate broadcast traffic across the tunnel, but the normal background noise of ARP/host service announcements/UPnP/etc is not really significant in today's high-bandwidth world.

The routing/bridging difference is also an issue of security/policy. It's much easier to manage what traffic is/is not allowed in a routing scenario. Furthermore, a routed network limits the scope of layer 2 based attacks on your network - if someone on site 1 starts a rogue DHCP server, or does ARP poisoning/etc - this can only affect site 1 where the bad actor is connected. They will not harm the functionality of site 2 with these attacks.

As with all things, there are appropriate times to bridge, and appropriate times to route. I'm not saying to never bridge anything... I'm just saying that your case is the latter.
 
freemannnn
Forum Veteran
Posts: 700
Joined: Sun Oct 13, 2013 7:29 pm

Re: How to block DHCP through EOIP tunnel?

Mon Mar 06, 2017 1:19 pm

> No. It's not.
>
> Routing IP solves your problem, but without the headache you're experiencing from breaking conventions.
>
> You're experiencing a problem that shouldn't happen in the first place and looking for a solution to it. You're having to keep two sub-ranges of the LAN as separate pools in separate servers, and server 1 must give a different default GW IP address (and maybe even a different DNS server), etc. If hosts on the wrong side get the wrong info, then things are sub-optimal at best, broken at worst.
>
> If a zoo keeper came to you and said he was having problems with alligators eating his lemurs, you would say "don't put the lemurs and alligators in the same enclosure".
>
> If you're routing between the two networks and EoIP fails, then both networks just stop being able to reach each other, but they're independent of each other for local and internet functionality. Each network is its own self-contained entity and doesn't need to balance carefully with a different location sharing the same network.
>
> Here's how to use routing:
> On R1, set 192.168.1.1/24 as the LAN, DHCP, etc. and set 192.168.255.1/24 as the IP address on the EoIP interface.
> (no bridging)
> Configure a static route: 192.168.2.0/24 gateway=192.168.255.2
>
> On R2, set 192.168.2.1/24 as the LAN, DHCP, etc. and set 192.168.255.2/24 as the IP address on the EoIP interface.
> (no bridging)
> Configure a static route: 192.168.1.0/24 gateway=192.168.255.1
>
> Make sure that in each router, your masquerade rule does not match for traffic going across the EoIP tunnel.
>
> Hosts at each network will be able to communicate with each other directly by internal IP address. If you want host names to work, use the DNS proxy on the Mikrotik as a simple fix - if your computers are using .local as the domain suffix, make entries in static DNS entries such as host1.local = 192.168.1.24 and host2.local = 192.168.2.99

I have set up an EOIP from my house to my office following your routing example, with 2 MikroTiks working in PPPoE client mode.
I can ping Windows LAN clients through the tunnel and I can remote desktop to clients, but I cannot access shares like \\192.168.88.2\d
When I was testing EOIP with a bridge interface (not routing) everything was OK. I could even see the clients in the Windows Network tab, ping them, and access shares.
What am I missing?
 
freemannnn
Forum Veteran
Posts: 700
Joined: Sun Oct 13, 2013 7:29 pm

Re: How to block DHCP through EOIP tunnel?

Mon Mar 06, 2017 7:09 pm

Finally I can access shares.
Windows 10 can access Windows 7 shares.
On the Windows 7 machine I added the credentials of Windows 10 and now it is working.