Hi.

I have 1 big network 10.0.0.0/8, вut computers out there quite a bit.

For each group of ip addresses (10.1.1.xxx/8, 10.1.2.xxx/8) have to Mikrotik.
Each Mikrotik gateway in the network part and has IP-address of the form 10.1.xxx.1.
All Mikrotiks connected with one using l2tp/ipsec (192.168.1.xxx/32, 192.168.2.xxx/32) via the Internet.

I connect the network elements using EoIP.

Central router filters very much of anything by the bridge filter (broadcast etc).


However, there is a problem.

Some routers begin to behave strangely (loop?..)

For example, greatly reduced the speed of the Internet and no longer open some random sites... I noticed that if you turn off eoip (or delete them), then restarting the router speed returns (although it lost not always), but it does not solve the problem with the site.

If i reboot the router, and only then turn on eoip (or l2tp, after the eoip which starts to work), problem with speed solve. Problems with the site in question, because they do not work in a random order and determine whether all is well is not possible, but I think they are.

Solve the problem with the site (and speed) is possible only after the "reset configuration" and setting all over again - without eoip. Once set up eoip described prolemy returned.

[admin@MikroTik] /ip route> print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 ADS 0.0.0.0/0 79.111.88.1 1
1 ADC 10.0.0.0/8 10.1.3.1 bridge-local 0
2 ADC 79.111.88.0/21 79.111.91.218 ether10-gateway 0
3 ADC 192.168.2.1/32 192.168.2.2 2CentralMikroTik 0


I'm not good in networking and obviously somewhere mistakes. Can you help me?

I think it should be noted that in this way they behave different models of Mikrotiks.

I think most people would advise you break that /8 down a bit.

i.e.
"For each group of ip addresses (10.1.1.xxx/8, 10.1.2.xxx/8) have to Mikrotik."

Those should be /24s if I'm reading this right. Then route those /24s back to their respective local routers?

Yes, but then disappear eoip meaning and use all of its advantages. I would like to see a "transparent" network ...

One big flat network being one big broadcast domain is usually a very bad idea.
It's like a submarine with no bulkheads to seal off compartments if the hull is breached.....

Some end user accidentally plugging a loop into your network could flood all of your WAN links, for instance, taking down all sites and not just the local site.... and in my experience, users find VERY CREATIVE ways to do things they shouldn't do.

(I saw a local fiber-based network services provider brought to its knees for 3 hours because a tech plugged a fiber in wrong in a very small POP - they have layer2 everywhere and the loop nuked their Cisco7600 core switches (plural!!) Broadcast storms over bonded ten-gig bundles tend to be quite ugly)

Reasonable.

I hope for your advice about how everything is a little altered.

Objective:
Multiple networks in different offices.
In some offices of network devices will be small (5-20), in the other - a lot, mostly phones, some other network equipment.
I need to get all these networks easily communicate with a range of 10.1.1.x and 10.1.2.x, but not with each other. Well, let's create a route to these networks.

Now pitfall.
If I make a network, such as 10.1.55.x / 24 and I have run out of IP addresses, I would have just changed the mask to /23 and add addresses 10.1.56.x. But suppose 10.1.56.x range already occupied.

How do I make a transparent network in this case?

There is an option to reserve for each office a couple of addresses, for this example it will 10.1.55.x, 10.1.58.x and 10.1.57.x mask /22.Other options do not see ...

P.S.: I use Google translator, so sorry if something is not clear where it is written.

What you are doing is not recommended. If you have a 10.0.0.0/8 subnet and you want it flat layer2 across your network, then why are you even using routers? You should have one core router with your internet connection and then just uplink to a switch and build off that across wireless links. Bear in mind that you cannot build loops in your links (unless you trust RSTP). Please understand that I am not recommending this course of action at all.

Based on what you are stating and the degradation in the performance, it sounds like a loop is what you already have.

EoIP is limited to what it can do, and can be a life saver in certain circumstances, but should not be relied on for crucial network traffic.

As the other poster stated, you need to break your /8 into smaller subnets and then assign each router a different subnet. For your links, simply use /29's.

A quick example using two routers would be:

Router A
ETHER1 - ISP - public IP address
ETHER2 - LOCAL NETWORK - 10.0.0.1/24
ETHER3 - LINK TO ROUTER B - 192.168.0.1/29

Router B
ETHER2 - LOCAL NETWORK - 10.0.1.1/24
ETHER3 - LINK TO ROUTER A - 192.168.0.6/29

Link
Root End at Router A - 192.168.0.2
Remote End at Router B - 192.168.0.3

Routing
Use static, RIP or OSPF.

Now pitfall.
If I make a network, such as 10.1.55.x / 24 and I have run out of IP addresses, I would have just changed the mask to /23 and add addresses 10.1.56.x. But suppose 10.1.56.x range already occupied.

How do I make a transparent network in this case?

Good point.

You should start with a general IP layout plan that suits your needs.

Big picture:
I would block out large ranges for each site, even if they only have one PC and one phone. It's not like you have to conserve private IP space the same way you conserve public IP addresses.

Do you now, or do you expect to ever have more than 255 sites?
If not, then I recommend each site be allocated a /16
E.g. Site1 = 10.1.0.0/16, Site2 = 10.2.0.0/16, etc...

Standardize the layout for all sites:
Break down the 3rd octet into similar ranges for all sites
e.g.
0-3 = secure network for device management / protected servers / etc...
4-7 = trusted networks (admin workstations, network managment servers, etc)
8-15 = public server networks / printers / etc...
16-247 = general-purpose standard security level LANs / phones / etc..
248-254 = untrusted/low-security/guest networks
255 = infrastructure links, point-to-point networks, transit networks, etc.

Make actual assignments for your sites as needed:

Go ahead and make the LANs large enough to hold any conceivable number of hosts - /22 is about 2k hosts. So what if the network is actually small? This way, you'll never have to re-configure a network/DHCP scope just because a site suddenly grew.

Example workstation LAN for site 14:
10.14.16.0/22 -> wkstation LAN 1
10.14.20.0/22 -> reserved (expansion of wkstation LAN 1)
10.14.24.0/22 -> phone LAN 1
10.14.28.0/22 -> reserved (expansion of phone LAN 1)

Second LAN at site 14:
10.14.64.0/22 -> wkstation LAN 2
10.14.68.0/22 -> reserved.

See how I skipped right over 32-63? Make your assignments far away from each other (sparse) so that you can easily expand any network you want to just by changing the netmask. If you ever assign all of the free space at a site, that's when you start assigning from reserved space.

Make the routing work

Finally, you should make sure that all routers know the routes to all sites, and then use filters to limit access.
Keep all functionality within its natual OSI layer - so don't make something 'secure' by breaking layer3 (not routing an address) because 3 years later, you may forget why a certain network is not in the routing table. If you need to block a kind of access, create a rule, and mark it with a comment explaining the rule's purpose.

You can easily implement this without dynamic routes if you need to - on every site, route 10.0.0.0/8 across the EoIP tunnel, and then route the local /16 to unreachable by default. (so packets sent to unused addresses won't bounce back and forth across the tunnel over and over until TTL expires, wasting bandwidth)

Example at site 4:
/ip route add dst-address=10.0.0.0/8 gateway=Tunnel1
/ip route add dst-address=10.4.0.0/16 type=unreachable
----
At main site:
/ip route add dst-address=10.0.0.0/8 type=unreachable
/ip route add dst-address=10.1.0.0/16 gateway=TunnelSite1
/ip route add dst-address=10.2.0.0/16 gateway=TunnelSite2
etc....
(use GRE or IPIP tunnels, not EoIP, so you don't need IP addresses on the tunnel interfaces)

This is just one example, and you don't need to follow it exactly - I just give this as an example of a scalable IP plan. Your needs may be different. It may seem like overkill but it gives you lots of room to grow into. If a site only has 9 computers and phones, just choose the first "standard LAN" assignment there and don't worry that the rest is just dead space.

Conclusion:

The primary purpose of this design is to keep topology and layout very simple and easily extended. If you're more interested in keeping policy simple, you may choose to make the second octet be used for security/purpose, and then the 3rd octet gets assigned for sites:
(10.0-31.x.x = high security, 10.32-191.x.x = standard security, 10.192-255.x.x = untrusted, then assign blocks from each security level to a site as needed, then route them. In this model, I would not try to make octet 3 have any special meaning, and would be more conservative with how much space I assigned to each LAN)

I hope this helps and is not too confusing.