Hi,

I am playing with EoIP. I have two sites, let's call them CENTRAL and REMOTE. Note that this is a lab and not a production environment.

I want device in REMOTE to be on the same subnet as those in CENTRAL. I also want the device from REMOTE to go through CENTRAL to access the internet, so the last NAT is done at CENTRAL.

So far, I was able to get L2TP (over IPsec) between both site to work. EoIP inside the L2TP tunnel is also working. Device at REMOTE gets their IP from the DHCP at CENTRAL and can actually access all the subnet at CENTRAL normally. The only problem I have is that the devices at REMOTE don't get NATed by the Mikrotik at CENTRAL when accessing the Internet and I have absolutely no idea why?

Have a look at Image1 to see a packet from a device located at CENTRAL go through the Mikrotik there and get NATed normally. Now, look at Image2 to see how a packet coming in from the eoip tunnel is sent through the same external interface, but without being NATed at all? As you can guess, this just doesn't work. Here is my only masquerading, which is pretty straight forward:

Any idea what would cause that?

I've added two firewall rule with idea of logging packet:

And the result is only the forward passthrough that is actually getting logged. So, for a reason I don't get yet, the packet is not being considered by the masquerading rule:

Any tips on how to troubleshoot this is appreciated!

Why you don’t Use BCP over L2TP, it is layer 2 without the EOIp MTU Issues.

Well, I was testing with EoIP. As I was saying, this is a lab.

Also, I guess that I will have the same problem with BCP...

I switched to BCP and got it working, at least to the same point as EoIP.

Still won't NAT when going through CENTRAL....

Try a traceroute

I already did that. It all ends up at the mikrotik in CENTRAL.

Did some more testing this morning. The problem is clearly in the masquerading and I can't figure that out.

The Mikrotik at CENTRAL has a VPN to another location that can be used to route some stuff through the internet at that other location. I'm doing PBR using routing mark and mangle rules to route some specific IP or service through that location. In that case, the NAT to access the internet is being done at that other location.

I setup a rule routing an IP from REMOTE to use that other location to access the internet, and it works, because the NAT is not being done by the Mikrotik at CENTRAL.

Still no idea WHY the masquerading rule is not applied to device coming in from the BCP...

I want device in REMOTE to be on the same subnet as those in CENTRAL. I also want the device from REMOTE to go through CENTRAL to access the internet, so the last NAT is done at CENTRAL.

Correct me if I am wrong, but all you want is to add EoIP interface to a LAN bridge on each router, mark it as "trusted" and basically that's it? All devices on REMOTE router will get IP address from DHCP server hosted on CENTRAL router. All the traffic will be routed through CENTRAL router. Even multiplayer games will show "NAT type: Open" and will be able to use upnp on CENTRAL router.

My current setup. Works perfectly fine.

Yeah, that's what I am trying to do. The bridging (either with EoIP or BCP) works.

The problem is, everything located at the REMOTE site can't access the internet. From a layer 2 perspective, they access the Internet through the router at CENTRAL (by going through the bridge between site) but for a reason I don't understand, the router at CENTRAL doesn't masquerade packet coming from device on the other side of the bridge when they are sent on the Internet. As you can see in the image above, the device 10.72.0.58 is located at REMOTE and when accessing the internet, the router at CENTRAL send the packet from that device through the pppoe-bell1 interface as 10.72.0.58 insterad of masquerading it behind 70.x.x.x (which is my external IP address).

Anything coming from the same subnet but physically located at CENTRAL (therefore not going through the EoIP or BCP bridge) gets NATed correctly when accessing the internet.

Try


Flags: X - disabled, I - invalid, D - dynamic
0 ;;; NAT out
chain=srcnat action=masquerade

for testing

Tried it, didn't change a thing. Except that everything between the VLAN suddenly got NATed between them.

One thing I didn't mention, thinking that it wouldn't have any impact (but it clearly has, see below) is the fact the that network that I am trying to bridge is located (L3 speaking) behind a core switch. It is not (again, L3 speaking) directly connected to the Mikrotik itself. I connected it (L2 speaking) to the Tik by using a cable between the Tik and the core switch. That interface in the Tik is the one bridged with the L2TP through BCP.

See this to have an simplified idea of how the network is built:
See this to have an idea of how the bridge is configured:
I did some more testing by creating an interface directly connected to the Mikrotik (both L2 and L3) and bridging that interface with BCP instead of the VLAN behind the core switch. Suddenly, those VM are able to access the internet, the Mikrotik is NATing as it should!

So, there is clearly something that the Mikrotik doesn't like with the fact that bridged network is not directly connected to the Tik itself. Probably has something to do with the ARP being learned by the bridge. That's the only difference I see between a device physically connected at CENTRAL and another at REMOTE is that the one at CENTRAL is behind the core switch and the Tik never learns it MAC address and the one at REMOTE gets learned by the Tik through the bridge.

I feel that this is where my problem is. I tried playing with the ARP (enabled, disabled) and the learn function of the bridge but couldn't get it to work.