nmeastman
just joined
Topic Author
Posts: 10
Joined: Wed Jun 04, 2014 2:12 am

EoIP with PPTP Tunnel ID issues

Wed Jun 04, 2014 2:36 am

I have two routers connected with an EoIP tunnel and am trying to add a third. The issue is that I cannot get the tunnel to pass traffic on any ID other than 0. I have gone as far as changing the tunnel ID for the existing EoIP connection and lost the ability to pass traffic across it until returning it to 0. I have upgraded all three routers to 6.13 and still have the same issue. Here is the current configuration:

Router 1

ros code

/ppp secret
add local-address=192.168.254.1 name=vc password=*** profile=default-encryption remote-address=192.168.254.2 service=pptp
add local-address=192.168.254.3 name=vp password=*** profile=default-encryption remote-address=192.168.254.4 service=pptp

/interface eoip
add mac-address=02:F4:5F:8B:79:B3 name=eoip-vc remote-address=192.168.254.2 tunnel-id=0
add mac-address=02:F4:5F:8B:79:B3 name=eoip-vp remote-address=192.168.254.4 tunnel-id=101

/interface bridge
add l2mtu=1598 name=Bridge protocol-mode=none

/interface bridge port
add bridge=Bridge interface=ether4
add bridge=Bridge interface=ether5
add bridge=Bridge interface=eoip-vc
add bridge=Bridge interface=eoip-vp

/ip address
add address=192.168.9.1/24 interface=Bridge network=192.168.9.0

Router 2 (Working connection):

ros code

/interface pptp-client
add add-default-route=no allow=pap,chap,mschap1,mschap2 connect-to=x.x.x.x dial-on-demand=no disabled=no keepalive-timeout=60 max-mru=1460 max-mtu=1460 mrru=disabled name=pptp-vc password=*** profile=default-encryption user=vc

/interface eoip
add mac-address=02:40:37:EE:3C:B3 name=eoip-vc remote-address=192.168.254.1 tunnel-id=0

/interface bridge
add l2mtu=1598 name=Bridge protocol-mode=none

/interface bridge port
add bridge=Bridge interface=eoip-vc
add bridge=Bridge interface=ether5

/ip address
add address=192.168.9.254/24 interface=Bridge network=192.168.9.0

Router 3 (not working):

ros code

/interface bridge
add l2mtu=1598 name=Bridge protocol-mode=none

/interface pptp-client
add add-default-route=no allow=pap,chap,mschap1,mschap2 connect-to=x.x.x.x dial-on-demand=no disabled=no keepalive-timeout=60 max-mru=1460 max-mtu=1460 mrru=disabled name=pptp-vp password=*** profile=default-encryption user=vp

/interface eoip
add mac-address=02:0D:08:BB:62:9F name=eoip-vp remote-address=192.168.254.3 tunnel-id=101

/interface bridge port
add bridge=Bridge interface=ether4
add bridge=Bridge interface=ether5
add bridge=Bridge interface=eoip-vp

/ip address
add address=192.168.9.2/24 interface=Bridge network=192.168.9.0

All three routers are working fine independently and I was able to connect the third over the tunnel after temporarily changing its tunnel ID to 0.
 
rextended
Forum Guru
Posts: 12650
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: EoIP with PPTP Tunnel ID issues

Wed Jun 04, 2014 7:45 pm

/interface eoip
add mac-address=02:F4:5F:8B:79:B3 name=eoip-vc remote-address=192.168.254.2 tunnel-id=0
add mac-address=02:F4:5F:8B:79:B3 name=eoip-vp remote-address=192.168.254.4 tunnel-id=101


Same MAC address on both interfaces.

The second MAC address must be 04:F4:5F:8B:79:B3
 
nmeastman
just joined
Topic Author
Posts: 10
Joined: Wed Jun 04, 2014 2:12 am

Re: EoIP with PPTP Tunnel ID issues

Wed Jun 04, 2014 8:20 pm

Same MAC address on both interfaces.

The second MAC address must be 04:F4:5F:8B:79:B3

Thank you for the response. I've changed the MAC as suggested with no change in the link. Any more ideas?
 
rextended
Forum Guru
Posts: 12650
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: EoIP with PPTP Tunnel ID issues

Fri Jun 06, 2014 3:34 pm

Same MAC address on both interfaces.

The second MAC address must be 04:F4:5F:8B:79:B3

Thank you for the response. I've changed the MAC as suggested with no change in the link. Any more ideas?

One hint: set MRRU to 1614 on both server and client side of the PPTP tunnel to make EoIP work correctly with 1500 MTU packets...

Use local-address=192.168.254.5 and remote-address=192.168.254.6 on the PPTP server, and change EoIP on both sides accordingly.

Also set a local IP on EoIP, and do not use tunnel ID 0 on both.
 
nmeastman
just joined
Topic Author
Posts: 10
Joined: Wed Jun 04, 2014 2:12 am

Re: EoIP with PPTP Tunnel ID issues

Thu Jun 12, 2014 5:55 pm

One hint: set MRRU to 1614 on both server and client side of the PPTP tunnel to make EoIP work correctly with 1500 MTU packets...

Use local-address=192.168.254.5 and remote-address=192.168.254.6 on the PPTP server, and change EoIP on both sides accordingly.

Done

Also set a local IP on EoIP

I am a little confused by the wording here. Both ends of the EoIP tunnel are attached to a bridge with proper local IPs on them.

do not use tunnel ID 0 on both.

One of the tunnels is currently running on ID 101 and NOT passing traffic. The other is running on ID 0 currently, but data still stops as soon as I change the ID to any number (used 200 for testing).
 
nmeastman
just joined
Topic Author
Posts: 10
Joined: Wed Jun 04, 2014 2:12 am

Re: EoIP with PPTP Tunnel ID issues

Fri Jun 13, 2014 2:40 am

Thank you for your suggestions and help. I spent some extra time today and recreated this setup from scratch in an "offline lab" so I wasn't messing with live routers and to see where the tunnels broke.

I found the issue during testing. We use the following firewall script for our routers to keep them secure, opening ports when needed:

ros code

/ip firewall filter
add chain=input comment="accept established connection packets" connection-state=established
add chain=input comment="accept related connection packets" connection-state=related
add action=drop chain=input comment="drop invalid packets" connection-state=invalid
add chain=input comment="Allow Access from known IPs" src-address-list=safe
add action=drop chain=input comment="drop excessive icmp traffic for 12 hours" protocol=icmp src-address-list=icmp-attack
add chain=input comment="start of greg rules up to 5 pings in 5 seconds" limit=5,5 protocol=icmp
add action=add-src-to-address-list address-list=icmp-attack address-list-timeout=12h chain=input comment="add all other icmp input into icmp-attack address list." protocol=icmp
add action=add-src-to-address-list address-list=port-scan address-list-timeout=2w chain=input comment="add port scannes to port-scan list" in-interface=ether1-WAN protocol=tcp psd=21,3s,3,1 src-address-list=!safe
add action=add-src-to-address-list address-list=port-scan address-list-timeout=2w chain=input comment="NMAP FIN Stealth scan" protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list=port-scan address-list-timeout=2w chain=input comment="SYN/FIN scan" protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list=port-scan address-list-timeout=2w chain=input comment="SYN/RST scan" protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list=port-scan address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list=port-scan address-list-timeout=2w chain=input comment="ALL/ALL scan" protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list=port-scan address-list-timeout=2w chain=input comment="NMAP NULL scan" protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=tarpit chain=input comment="tarpit port-scan address list to router" protocol=tcp src-address-list=port-scan
add action=drop chain=input comment="drop port-scan address list to our router" src-address-list=port-scan
add action=drop chain=forward comment="drop port-scan address list to our infrastructure" src-address-list=port-scan
add chain=input comment="Allow Broadcast Traffic" dst-address-type=broadcast
add chain=input comment="allow winbox (8291), bandwidth Server (2000)" dst-port=8291,2000 protocol=tcp
add chain=input comment="MAC Winbox (20561), Discovery (5678)" dst-port=20561,5678 protocol=udp
add action=drop chain=input comment="drop everything else"

I had added our routers' internal and WAN IPs to the safe list in this case to allow PPTP and traffic to flow through them. I, however, did not add the IPs associated with the PPTP clients/server to the list. The tunnels were being established, but wouldn't let anything flow through because GRE traffic on the 192.168.254.0 subnet was being blocked. After adding the IPs to the safe list, they are able to pass traffic on any EoIP Tunnel ID.

Thanks again for your help!
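Two of the problems discussed in this thread (the duplicated EoIP MAC address rextended spotted in the first reply, and the "drop everything else" input rule that ate the GRE traffic in the last post) can both be caught by reading the export instead of debugging a live tunnel. The script below is an added example, not code from the thread or from MikroTik: it parses RouterOS `export` syntax, flags MAC addresses shared between `/interface eoip` entries, and walks an abridged copy of the poster's input chain with a constructed GRE packet from the PPTP peer address. The address-list contents, the packet, the `<pptp-vc>` interface name and the simplified matcher model (rate-limit, `psd` and `tcp-flags` rules are treated as never matching, and the first packet of the GRE flow is assumed to be in connection state `new`) are assumptions of this example.

```python
"""Added example, not from the thread: two checks over a RouterOS export."""
import ipaddress
import shlex

# Router 1's EoIP lines as posted (MAC and tunnel-id values are the poster's).
EOIP_EXPORT = """\
/interface eoip
add mac-address=02:F4:5F:8B:79:B3 name=eoip-vc remote-address=192.168.254.2 tunnel-id=0
add mac-address=02:F4:5F:8B:79:B3 name=eoip-vp remote-address=192.168.254.4 tunnel-id=101
"""

# Abridged copy of the input chain from the last post; the TCP-only scan rules
# are omitted because a GRE packet can never match them.
FILTER_EXPORT = """\
/ip firewall filter
add chain=input comment="accept established connection packets" connection-state=established
add chain=input comment="accept related connection packets" connection-state=related
add action=drop chain=input comment="drop invalid packets" connection-state=invalid
add chain=input comment="Allow Access from known IPs" src-address-list=safe
add action=drop chain=input comment="drop excessive icmp traffic for 12 hours" protocol=icmp src-address-list=icmp-attack
add chain=input comment="start of greg rules up to 5 pings in 5 seconds" limit=5,5 protocol=icmp
add action=drop chain=input comment="drop port-scan address list to our router" src-address-list=port-scan
add chain=input comment="Allow Broadcast Traffic" dst-address-type=broadcast
add chain=input comment="allow winbox (8291), bandwidth Server (2000)" dst-port=8291,2000 protocol=tcp
add action=drop chain=input comment="drop everything else"
"""

# Constructed: first GRE packet of a new EoIP flow from Router 2's PPTP address,
# hitting Router 1's input chain before conntrack has seen the flow.
PPTP_GRE_PACKET = {"chain": "input", "src": "192.168.254.2", "dst": "192.168.254.1",
                   "protocol": "gre", "connection_state": "new", "dst_port": None,
                   "in_interface": "<pptp-vc>", "dst_address_type": "unicast"}

SKIP = {"chain", "comment", "action", "address-list", "address-list-timeout"}
UNMODELLED = {"limit", "psd", "tcp-flags"}   # stateful matchers: assumed not to match
TERMINAL = {"accept": "accept", "drop": "drop", "tarpit": "drop"}


def parse_export(text):
    """Turn '/path' headers and 'add k=v ...' lines into (path, {k: v}) pairs."""
    entries, path = [], None
    for line in (ln.strip() for ln in text.splitlines() if ln.strip()):
        if line.startswith("/"):
            path = line
            continue
        tokens = shlex.split(line)           # honours comment="..." quoting
        if tokens[0] == "add":
            entries.append((path, dict(tok.split("=", 1) for tok in tokens[1:])))
    return entries


def duplicate_eoip_macs(entries):
    """Return {mac: [names]} for MACs shared by more than one EoIP interface."""
    seen = {}
    for path, p in entries:
        if path == "/interface eoip":
            seen.setdefault(p["mac-address"].upper(), []).append(p["name"])
    return {mac: names for mac, names in seen.items() if len(names) > 1}


def in_list(ip, entries):
    """True if ip falls inside any host or CIDR entry of an address list."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(e, strict=False) for e in entries)


def rule_matches(rule, pkt, lists):
    if rule.get("chain") != pkt["chain"]:
        return False
    for key, want in rule.items():
        if key in SKIP:
            continue
        if key in UNMODELLED:
            return False
        if key == "src-address-list":
            negated = want.startswith("!")
            if in_list(pkt["src"], lists.get(want.lstrip("!"), ())) == negated:
                return False
        elif key == "dst-port":
            if pkt["dst_port"] is None or str(pkt["dst_port"]) not in want.split(","):
                return False
        elif pkt.get(key.replace("-", "_")) != want:   # protocol, connection-state, ...
            return False
    return True


def input_verdict(rules, pkt, lists):
    """Walk the chain in order; the first terminal action decides, as on the router."""
    for rule in rules:
        if rule_matches(rule, pkt, lists):
            action = rule.get("action", "accept")
            if action in TERMINAL:
                return TERMINAL[action], rule.get("comment", "")
            # add-src-to-address-list and similar are non-terminal: keep walking
    return "accept", "end of chain (implicit accept)"


def check_gre_from_pptp(safe_entries):
    """Verdict for PPTP_GRE_PACKET given the contents of the 'safe' address list."""
    rules = [p for path, p in parse_export(FILTER_EXPORT) if path == "/ip firewall filter"]
    lists = {"safe": set(safe_entries), "icmp-attack": set(), "port-scan": set()}
    return input_verdict(rules, PPTP_GRE_PACKET, lists)


if __name__ == "__main__":
    print(duplicate_eoip_macs(parse_export(EOIP_EXPORT)))
    print(check_gre_from_pptp({"203.0.113.10"}))                      # safe = WAN/LAN IPs only
    print(check_gre_from_pptp({"203.0.113.10", "192.168.254.0/24"}))  # PPTP subnet added
```

With only the routers' own WAN/LAN addresses in `safe`, the GRE packet falls through every accept rule and ends at "drop everything else", which is exactly the symptom in the thread: PPTP comes up (its own control traffic matched earlier rules) while the EoIP tunnel inside it stays silent. Adding the PPTP peer addresses to `safe` makes the "Allow Access from known IPs" rule match first. The same walk can be rerun for any other packet shape by editing `PPTP_GRE_PACKET`, which is cheaper than toggling tunnel IDs on production routers.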