Hi,

I am trying to create a hub-spoke topology using EoIP.
I have create 1 EoIP Point to point tunnel successfuly using Bridge to include both the real interface and EoIP interface.

Is it necessary to run Bridge mode for the EoIP to established tunnel successfully ?

As mentioned, in a Hub to Spoke topology, my hub only has 1 real interface. How to create multiple EoIP tunnels over that real interface ?
Bridge mode doesn;t allow me to share the real interface.

Thanks.....

Hi,

I have found a workaround way, but its ugly.

Create multiples VLANs under the real interface.

Under bridge mode, add the logical VLANs with their respective EoIP interface tunnel.

Is that the correct way to create a hub-and-spoke topology ?

There is no need to make VLANS to establish multiple EoIP tunnels as long as you specify unique tunnel-ids.

There is no need to make VLANS to establish multiple EoIP tunnels as long as you specify unique tunnel-ids.

Hi,

But does EoIP tunnel need bridge to function ? Because i cannot add the real interface to another bridge if it has been added before. Thanks

No, bridge is not required for EoIP to function. And of course you will not be able to add one physical interface to multiple bridges.

You can easily put in one bridge all EoIP tunnels and one physical interface. Or maybe I just misunderstood what you want to achieve.

No, bridge is not required for EoIP to function. And of course you will not be able to add one physical interface to multiple bridges.

You can easily put in one bridge all EoIP tunnels and one physical interface. Or maybe I just misunderstood what you want to achieve.

Hi Thanks for your reply.

I follow the example given and I cannot established EoIP without introducing Bridge.
I understand that EoIP is a stateless tunnel, so it always shows it running.

Do i need to add static route with the gateway set to the EoIP interface or the remote end IP ?

My goal is try to create multiple EoIP tunnels from one hub single interface IP to different hub sites. (Hub to spoke topology)

Thanks.

you have to set ip address of the other end of eoip tunnel and tunnel-id that is all

if you want to establish eoip tunnel from A-------B then on A you have to set up ip address of B and vice versa on B

when you create tunnel it is as if it is normal Ethernet interface.

you have to set ip address of the other end of eoip tunnel and tunnel-id that is all

if you want to establish eoip tunnel from A-------B then on A you have to set up ip address of B and vice versa on B

when you create tunnel it is as if it is normal Ethernet interface.

Yup. I tried that. But my private LAN A cannot ping to private LAN B

192.168.1.0/24 (LAN A)--->10.10.10.1/24 (WAN A)---eoip--> 10.10.10.2/24(WAN B)---->192.168.2.0/24(LAN B)

I have create a eoip between 10.10.10.1/24 and 10.10.10.2/24. But I cannot ping from 192.168.1.0/24 to 192.168.2.0/24 unless i create a bridge across. Is bridge necessary for EoIP ?

Sorry i am confused. Because i have create VPN IPSec in layer 3. EoIP in layer 2 got me confused....

all the routing and bridging apply to these tunnels, it wont miraculously guess what you want to bridge with what.

you have to configure it yourself. It is layer 2 tunnel. that is it, no magic involved

all the routing and bridging apply to these tunnels, it wont miraculously guess what you want to bridge with what.

you have to configure it yourself. It is layer 2 tunnel. that is it, no magic involved

Thanks. So i just use the same way of configuring a layer 3 tunnel to EoIP tunnel layer 2 ?
Its either I use bridging (which allows arp and broadcast to flow thru the EoIP tunnel ?)

Or

I use static routes over EoIP tunnel endpoint as gateway ? If i use static routes over EoIP layer 2, will arp packets flow thru it as well ?

The reason i ask is because I wanted multicast packets to flow thru EoIP tunnel since pure IPSec doesnt support multicast traffic.
Another option is using IPIP layer 3. But I have tried using PIM Sparse mode on IPIP interface, the multicast doesnt work. Is there any documentation i can refer to ?

Hi,

Can anyone help please ?

I cannot create an EoIP tunnel without creating a bridge over it to let traffic flow thru.

Is it a necessity to create a bridge over EoIP ?

yes, multicast will work over EoIP as it was normal ethernet.

you can configure routes for routed network, you can bridge EoIP as result you can use PPPoE through that link to authenticate users.

Also, you have some means to forward traffic through the interface - same as with ethernet. if you have no configuration - no traffic will enter it, no traffic will come out of it.

If you do not want to add ip addresses, you have to bridge it.

Imagine as if you are plugging virtual cable in virtual ethernet in 2 routers, that is that EoIP tunnel, nothing different.

Hi,

Thanks for you reply. I have try configuring IPIP using a pair of MT RB450.

As for configuring routes.....
I am confuse too. I apologize that i am CCNA and get quite use to adding static classless routes.
How do i configure the equivalent in RouterOS v3.2 ?

I am using winbox and i can only add IP address to IPIP interface in RB450. How do I route a local private subnet to this IPIP gateway ? Since i have bond 2 slave ether to the primary ether with IPIP interface.

I have to admit, the documentation is indeed lacking. Thanks for your time to explain.

I think i found the answer. The RIP is disable by default in MT. I enabled it and its works.

Most other routers do came with RIP default enabled. Time to explore more about MT routers and L3 switch.....

if you truly want to pass broadcasts and bridge the two networks you shouldnt place any IP address on the EoIP tunnel itself (other than its outside endpoints) and just bridge those interfaces to the LANs on each side. Both sides can then use the same subnets.

192.168.1.0/24 (LAN A)--->10.10.10.1/24 (WAN A)---eoip--> 10.10.10.2/24(WAN B)---->192.168.1.0/24(LAN B)

if you truly want to pass broadcasts and bridge the two networks you shouldnt place any IP address on the EoIP tunnel itself (other than its outside endpoints) and just bridge those interfaces to the LANs on each side. Both sides can then use the same subnets.

192.168.1.0/24 (LAN A)--->10.10.10.1/24 (WAN A)---eoip--> 10.10.10.2/24(WAN B)---->192.168.1.0/24(LAN B)

Thanks. I understand that. But if its a multicast traffic, EoIP+Bridge which is at layer 2 (cannot differentiate between multicast and broadcast) will flood all EoIP tunnels connecting to the same bridge. Is that true ?

Is there IGMP or PIM functioning at EoIP ?

IGMP and PIM would be functions of the bridging code not the EoIP tunnel.

if you truly want to pass broadcasts and bridge the two networks you shouldnt place any IP address on the EoIP tunnel itself (other than its outside endpoints) and just bridge those interfaces to the LANs on each side. Both sides can then use the same subnets.

192.168.1.0/24 (LAN A)--->10.10.10.1/24 (WAN A)---eoip--> 10.10.10.2/24(WAN B)---->192.168.1.0/24(LAN B)

Or make as follow:
192.168.1.0/22 (LAN A)--->10.10.10.1/24 (WAN A)---eoip--> 10.10.10.2/24(WAN B)---->192.168.2.0/22(LAN B)

if you truly want to pass broadcasts and bridge the two networks you shouldnt place any IP address on the EoIP tunnel itself (other than its outside endpoints) and just bridge those interfaces to the LANs on each side. Both sides can then use the same subnets.

192.168.1.0/24 (LAN A)--->10.10.10.1/24 (WAN A)---eoip--> 10.10.10.2/24(WAN B)---->192.168.1.0/24(LAN B)

Or make as follow:
192.168.1.0/22 (LAN A)--->10.10.10.1/24 (WAN A)---eoip--> 10.10.10.2/24(WAN B)---->192.168.2.0/22(LAN B)

see how fast time passes by. eight years later today, i still find this topic fascinating..
long story short, i want to recreate the same tunnel settings as mentioned above.

if 192.168.1.0/22 is on this part of the world and 192.168.2.0/22 is on the other far end part of the world, can i..
* share & print to remote network printer?
* sharing files & folders between the two network?
* is it really-really possible to do things like in a local (wired) networked system?

Yes, yes, and yes. The caveat here is the latency. You need to know your apps, their usage patterns, and the effects on user interactions. For example, a user may be used to a 200ms response to an action in their accounting application, but if the connectivity carrying the EoIP link makes everything 20 times slower, then that response now takes 4 seconds and the user thinks the app is broken.

Hello team,

I am a network admin for one ISP. I'm trying to connect 24 remotes site to a HQ using EoIP for a client because the requirement is a layer2 connectivity.

1- My ISP link ends on Eth1 of each Mikrotik
2- i would like to use only 1 interface (Eth2) at HQ side.
3- At each remote site interface Eth2 has to be considered as well.
4- I'm using RB2011UiAS for all site.
5- Once EoIP config if finished, the client will connect a Cisco router to Eth2 of my Mikrotik at each site.

Question:
1-How to create multiple EoIP tunnels over that 1 interface (Eth2) at HQ?
2-Since i'm going to consider 1 interface (Eth2) at HQ, do i need to create VLANs on Eth2.?
3- If VLANs is needed, how to avoid inter-VLAN communication ?

Thanks.

Hi,

When i've tried the below, tunnels are seen to be running at remote site but not seen running at HQ.

1-I've created the EoIP tunnel at each remote and HQ with their respective tunnel ID.
2- At each remote I've created a bridge in which i've put the EoIP interface and Eth2.
3- At HQ i've bridged all EoIP tunnel created in the same bridge with Eth2.
Someone Can tell me why tunnels are not running at HQ side please?

Thanks !

Depends on the configuration but at HQ:
- Each EoIP tunnel needs a unique "remote address" and unique "Tunnel ID"
- In firewall, input chain, allow GRE protocol (if using public ip address [remember traffic is not encrypted] else if using internal ips check if the transport tunnel is running [ex if using ipsec])

Depends on the configuration but at HQ:
- Each EoIP tunnel needs a unique "remote address" and unique "Tunnel ID"
- In firewall, input chain, allow GRE protocol (if using public ip address [remember traffic is not encrypted] else if using internal ips check if the transport tunnel is running [ex if using ipsec])

Hi RhoAius,
In fact each EoIP tunnel has its unique "remote address" and unique "Tunnel ID". Which make at HQ side a total of: 24 different Tunnel.
Now what i want to know is : how to pass all the 24 tunnels through the Eth2 ?

Thank!

Now what i want to know is : how to pass all the 24 tunnels through the Eth2 ?

Supposing I've understood what you actually wanted properly, make a bridge and make eth2 and all the EoIP interfaces member ports if that bridge:

/interface bridge
add name=eoip-bridge

/interface bridge port
add bridge=eoip-bridge interface=ether2
add bridge=eoip-bridge interface=eoip1
..
add bridge=eoip-bridge interface=eoip24

Because to me, "pass all 24 tunnels through ether2" would mean the transport packets of the tunnels should be routed via ether2, but your previous posts suggest that you want to bridge ether2 with the payload of the tunnels.

Now what i want to know is : how to pass all the 24 tunnels through the Eth2 ?

Supposing I've understood what you actually wanted properly, make a bridge and make eth2 and all the EoIP interfaces member ports if that bridge:

/interface bridge
add name=eoip-bridge

/interface bridge port
add bridge=eoip-bridge interface=ether2
add bridge=eoip-bridge interface=eoip1
..
add bridge=eoip-bridge interface=eoip24

Because to me, "pass all 24 tunnels through ether2" would mean the transport packets of the tunnels should be routed via ether2, but your previous posts suggest that you want to bridge ether2 with the payload of the tunnels.

Dear Sindy,
1- I want to provide a layer2 circuit to one of my clients and for that i've decided to implement EoIP.
2- Client has 24 remotes sites + HQ
3- I've created the 24 EoIP tunnels with their appropriate infos : remote IP, local IP, tunnel id .....(no issue for that).
4- Each EoIP tunnel at remote site have been bridged with Eth2, meaning that client router will be connected to Eth2 port
5- At the HQ i want to do so. Client router will be connected to Eth2 as well.

Now, to make client traffic passing through Eth2 at HQ, do i have to bridge all 24 EoIP interface with the Eth2? or what has to be done at HQ side to allow client traffic passing through Eth2 port?

Thank !

Now, to make client traffic passing through Eth2 at HQ, do i have to bridge all 24 EoIP interface with the Eth2?

Yes, exactly, as suggested above. Add-ons can be applied:

• if the client eventually wants each BO site to be reachable via a different VLAN at ether2 of the HQ site, you would activate vlan-filtering on the bridge and make the individual EoIP interfaces access ports of the individual VLANs
• if the client eventually wants all sites in the same LAN segment but he wants the traffic to pass only between ether2 of the HQ site and a particular BO site but not between two BO sites, you can use the bridge horizon function.

Now, to make client traffic passing through Eth2 at HQ, do i have to bridge all 24 EoIP interface with the Eth2?

Yes, exactly, as suggested above. Add-ons can be applied:

• if the client eventually wants each BO site to be reachable via a different VLAN at ether2 of the HQ site, you would activate vlan-filtering on the bridge and make the individual EoIP interfaces access ports of the individual VLANs
• if the client eventually wants all sites in the same LAN segment but he wants the traffic to pass only between ether2 of the HQ site and a particular BO site but not between two BO sites, you can use the bridge horizon function.

It's clear for me now.
For the bridge horizon function, kindly provide one config example please. I'm not familiar to such configuration. Thank

To prevent traffic from being forwarded between two ports of the same bridge, set the same horizon value for both. E.g.:
/interface bridge port set [find where interface~"eoip[23]"] horizon=1
will prevent traffic forwarding between eoip2 and eoip3.

To prevent traffic from being forwarded between two ports of the same bridge, set the same horizon value for both. E.g.:
/interface bridge port set [find where interface~"eoip[23]"] horizon=1
will prevent traffic forwarding between eoip2 and eoip3.

It's well noted.

At the HQ, below is the EoIP tunnel config for two sites. Both tunnels are running but cannot send traffic through.
(Do i have to set up horizon on Eth2 please? )

/interface bridge
add admin-mac=2C:C8:1B:1D:2A:96 auto-mac=no comment=defconf name=bridge
add name=bridge_EoIP

/interface eoip
add allow-fast-path=no ipsec-secret=32gT8L104 !keepalive mac-address=\
02:72:13:AF:06:9B mtu=1500 name=eoip_1 remote-address=\
10.31.146.6 tunnel-id=1
add allow-fast-path=no ipsec-secret=6VbzZh105 !keepalive local-address=\
10.31.0.72 mac-address=02:2B:C6:3B:E3:44 mtu=1500 name=eoip_2 \
remote-address=10.31.0.73 tunnel-id=2

/interface bridge port
add bridge=bridge_EoIP horizon=1 interface=ether2
add bridge=bridge_EoIP horizon=1 interface=eoip_2
add bridge=bridge_EoIP horizon=1 interface=eoip_1

It may be counter-intuitive, but same horizon value on a pair of ports means that traffic can not be forwarded between them. So set horizon at the ether2 row of /interface bridge port to none and see whether it helps. Or, if you do not need to prevent forwarding from one tunnel to another, set horizon to none everywhere - it was an option, not a mandatory step.

Other than that, since you have disabled keepalive in the EoIP configuration, the EoIP interfaces will indicate to be up (Running) regardless the actual transparency between the peers. So if the traffic doesn't pass through even when horizon is none on all ports, something else is wrong.

@sindy

correct if i'm working.
Split horizon works only between virtual interfaces

/interface bridge add name=A
/interface bridge port add bridge=A interface=A1toA2 horizon=1
/interface bridge port add bridge=A interface=A1toA3 horizon=1

[*]if the client eventually wants all sites in the same LAN segment but he wants the traffic to pass only between ether2 of the HQ site and a particular BO site but not between two BO sites, you can use the bridge horizon function.[/list]

Dear sindy,

I've checked my configuration again. I'm now able to communicate between HQ LAN and the 24 remote LANs. I didn't yet configure bridge horizon function. But it's fine for me now.

Thank a lot for your support.