Manual:Interface/EoIP

Applies to RouterOS:2.9, v3, v4+

Summary

Sub-menu: /interface eoip 

Standards: GRE RFC 1701

Ethernet over IP (EoIP) Tunneling is a MikroTik RouterOS protocol that creates an Ethernet tunnel between two routers on top of an IP connection. The EoIP tunnel may run over an IPIP tunnel, a PPTP tunnel or any other connection capable of transporting IP.

When the bridging function of the router is enabled, all Ethernet traffic (all Ethernet protocols) will be bridged just as if there were a physical Ethernet interface and cable between the two routers (with bridging enabled). This protocol makes multiple network schemes possible.

Network setups with EoIP interfaces:

Possibility to bridge LANs over the Internet

Possibility to bridge LANs over encrypted tunnels

Possibility to bridge LANs over 802.11b 'ad-hoc' wireless networks

The EoIP protocol encapsulates Ethernet frames in GRE (IP protocol number 47) packets (just like PPTP) and sends them to the remote side of the EoIP tunnel.

Properties

Property / Description

arp (disabled | enabled | proxy-arp | reply-only; Default: enabled)
    Address Resolution Protocol mode.
    disabled - the interface will not use ARP
    enabled - the interface will use ARP
    proxy-arp - the interface will use the ARP proxy feature
    reply-only - the interface will only reply to requests originated from matching IP address/MAC address combinations which are entered as static entries in the "/ip arp" table. No dynamic entries will be automatically stored in the "/ip arp" table. Therefore for communications to be successful, a valid static entry must already exist.

keepalive (integer; Default: not set)
    Keep-alive timer: the time interval (in seconds) at which keep-alive messages should be received. If 3 messages are missed, the interface's running flag is removed. For this to work, keepalive has to be set to the same value on both ends of the tunnel, since each end expects messages from the other one and sends keepalive messages in that direction.

l2mtu (integer; Default: )
    Layer2 Maximum transmission unit. Not configurable for EoIP.

local-address (IP; Default: )
    Source address of the tunnel packets, local on the router.

mac-address (MAC; Default: )
    Media Access Control number of an interface. The address numeration authority IANA allows the use of MAC addresses in the range from 00:00:5E:80:00:00 - 00:00:5E:FF:FF:FF freely.

mtu (integer; Default: 1500)
    Layer3 Maximum transmission unit.

name (string; Default: )
    Interface name.

remote-address (IP; Default: )
    IP address of the remote end of the EoIP tunnel.

tunnel-id (integer: 65536; Default: )
    Unique tunnel identifier, which must match the other side of the tunnel.

Notes

tunnel-id is a method of identifying the tunnel. It must be unique for each EoIP tunnel.

mtu should be set to 1500 to eliminate packet refragmentation inside the tunnel (that allows transparent bridging of Ethernet-like networks, so that it would be possible to transport a full-sized Ethernet frame over the tunnel).

When bridging EoIP tunnels, it is highly recommended to set unique MAC addresses for each tunnel for the bridge algorithms to work correctly. For EoIP interfaces you can use MAC addresses that are in the range from 00:00:5E:80:00:00 - 00:00:5E:FF:FF:FF, which IANA has reserved for such cases. Alternatively, you can set the second bit of the first byte to modify the auto-assigned address into a 'locally administered address', assigned by the network administrator, and thus use any MAC address; you just need to ensure they are unique between the hosts connected to one bridge.

Note: an EoIP tunnel adds at least 42 bytes of overhead (8 byte GRE + 14 byte Ethernet + 20 byte IP).
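
Added example (not from the MikroTik manual): a small Python parser that recognises an EoIP packet in captured IPv4 bytes, recovers the tunnel-id and the inner Ethernet frame, and reproduces the 42-byte overhead figure; it also shows that the bridged frame is readable on the wire unless the tunnel itself runs over an encrypted link. The 8-byte header layout (0x2001 0x6400, big-endian length, little-endian tunnel-id) is an assumption taken from third-party dissectors, not from this page, and the sample packet is constructed.

```python
import struct
from dataclasses import dataclass
from typing import Optional

IPPROTO_GRE = 47                        # "IP protocol number 47" from the text above
EOIP_MAGIC = bytes.fromhex("20016400")  # assumed: GRE flags/version 0x2001, type 0x6400
GRE_LEN, ETH_LEN = 8, 14                # header sizes from the overhead note


@dataclass
class EoipFrame:
    outer_src: str
    outer_dst: str
    tunnel_id: int
    overhead: int                       # outer IP + GRE + inner Ethernet header bytes
    dst_mac: Optional[str] = None
    src_mac: Optional[str] = None
    ethertype: Optional[int] = None
    payload: bytes = b""


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02X}" for b in raw)


def _ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def parse_eoip(packet: bytes) -> Optional[EoipFrame]:
    """Parse bytes starting at an IPv4 header; return None if it is not EoIP."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or packet[9] != IPPROTO_GRE or len(packet) < ihl + GRE_LEN:
        return None
    gre = packet[ihl:ihl + GRE_LEN]
    if gre[:4] != EOIP_MAGIC:
        return None                     # some other GRE user, e.g. a PPTP data channel
    frame_len = struct.unpack(">H", gre[4:6])[0]   # big-endian payload length
    tunnel_id = struct.unpack("<H", gre[6:8])[0]   # little-endian tunnel-id
    frame = packet[ihl + GRE_LEN:ihl + GRE_LEN + frame_len]
    if len(frame) < frame_len:
        raise ValueError("capture is shorter than the EoIP length field says")
    result = EoipFrame(_ip(packet[12:16]), _ip(packet[16:20]), tunnel_id,
                       overhead=ihl + GRE_LEN + ETH_LEN)
    if frame_len >= ETH_LEN:            # a complete inner Ethernet header is present
        result.dst_mac, result.src_mac = _mac(frame[0:6]), _mac(frame[6:12])
        result.ethertype = struct.unpack(">H", frame[12:14])[0]
        result.payload = frame[ETH_LEN:]
    return result


def build_sample(tunnel_id: int = 258) -> bytes:
    """Constructed sample: one bridged frame sent 10.0.0.1 -> 10.0.0.2, no outer tunnel."""
    inner = (bytes.fromhex("ffffffffffff") + bytes.fromhex("00005e800001")
             + struct.pack(">H", 0x0800) + b"cleartext LAN payload")
    gre = EOIP_MAGIC + struct.pack(">H", len(inner)) + struct.pack("<H", tunnel_id)
    total = 20 + len(gre) + len(inner)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, IPPROTO_GRE, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + gre + inner


if __name__ == "__main__":
    f = parse_eoip(build_sample())
    print(f"EoIP {f.outer_src} -> {f.outer_dst} tunnel-id={f.tunnel_id} "
          f"overhead={f.overhead}B")
    print(f"inner {f.src_mac} -> {f.dst_mac} type=0x{f.ethertype:04x} {f.payload!r}")
```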

Setup examples

Let us assume we want to bridge two networks: 'Office LAN' and 'Remote LAN'. By using EoIP, the setup can be made so that Office and Remote LANs are in the same Layer2 broadcast domain.

Consider the following setup:

As you know, a wireless station cannot be bridged. To overcome this limitation (not involving WDS) we will create an EoIP tunnel over the wireless link and bridge it with interfaces connected to local networks.

We will not cover wireless configuration in this example; let's assume that the wireless link is already established.

At first we create the EoIP tunnel on our gateway ...

[admin@Our_GW] interface eoip> add name="eoip-remote" tunnel-id=0 \
\... remote-address=10.0.0.2
[admin@Our_GW] interface eoip> enable eoip-remote
[admin@Our_GW] interface eoip> print
Flags: X - disabled, R - running
  0    name=eoip-remote mtu=1500 arp=enabled remote-address=10.0.0.2 tunnel-id=0
[admin@Our_GW] interface eoip>

... and on Remote router

[admin@Remote] interface eoip> add name="eoip-main" tunnel-id=0 \
\... remote-address=10.0.0.1
[admin@Remote] interface eoip> enable eoip-main
[admin@Remote] interface eoip> print
Flags: X - disabled, R - running
  0    name=eoip-main mtu=1500 arp=enabled remote-address=10.0.0.1 tunnel-id=0
[admin@Remote] interface eoip>

The next step is to bridge the local interfaces with the EoIP tunnel. On Our_GW ...

[admin@Our_GW] interface bridge> add
[admin@Our_GW] interface bridge> print
Flags: X - disabled, R - running
  0  R name="bridge1" mtu=1500 arp=enabled mac-address=00:00:00:00:00:00
       protocol-mode=none priority=0x8000 auto-mac=yes
       admin-mac=00:00:00:00:00:00 max-message-age=20s forward-delay=15s
       transmit-hold-count=6 ageing-time=5m
[admin@Our_GW] interface bridge> port add bridge=bridge1 interface=eoip-remote
[admin@Our_GW] interface bridge> port add bridge=bridge1 interface=office-eth
[admin@Our_GW] interface bridge> port print
Flags: X - disabled, I - inactive, D - dynamic
  #    INTERFACE      BRIDGE    PRIORITY  PATH-COST
  0    eoip-remote    bridge1   128       10
  1    office-eth     bridge1   128       10
[admin@Our_GW] interface bridge>

... and Remote router:

[admin@Remote] interface bridge> add
[admin@Remote] interface bridge> print
Flags: X - disabled, R - running
  0  R name="bridge1" mtu=1500 arp=enabled mac-address=00:00:00:00:00:00
       protocol-mode=none priority=0x8000 auto-mac=yes
       admin-mac=00:00:00:00:00:00 max-message-age=20s forward-delay=15s
       transmit-hold-count=6 ageing-time=5m
[admin@Remote] interface bridge> port add bridge=bridge1 interface=ether
[admin@Remote] interface bridge> port add bridge=bridge1 interface=eoip-main
[admin@Remote] interface bridge> port print
Flags: X - disabled, I - inactive, D - dynamic
  #    INTERFACE      BRIDGE    PRIORITY  PATH-COST
  0    ether          bridge1   128       10
  1    eoip-main      bridge1   128       10
[admin@Remote] interface bridge>

Now both sites are in the same Layer2 broadcast domain. You can set up IP addresses from the same network on both sites.

http://blog.butchevans.com/2008/09/mikrotik_routeros_transparent_bridge_pptp_eoip/

Mikrotik RouterOS transparent bridge using PPtP and EoIP

In this article, I want to describe how to tunnel EoIP over a PPtP connection. EoIP is a Mikrotik specific method of bridging ethernet traffic over a routed network. The problem with using EoIP as a “VPN” is that it is not encrypted. The network we will build in this article will tunnel the EoIP traffic over an encrypted PPtP tunnel. There are other methods available in later versions of Mikrotik RouterOS to accomplish this functionality (OpenVPN, for one example) and I will be adding articles on some of these at a later time. The method described in this article will work in any version of Mikrotik RouterOS. It has been tested under 2.8.28, 2.9.51 and 3.13.

The following picture is the network layout we are shooting for:

Our goal is to build a transparent bridge over the internet. This article gives a brief how-to describing the steps necessary to accomplish this. The PPtP tunnel is only needed in order to add encryption, since EoIP is not an encrypted tunnel.

In this configuration, there are several parts, which we will discuss individually. First, there is the IP space on both the internet side of each router and the “private” side. Note that the PRIVATE range is the SAME on both sides. This is not important for the tunnel to work, but one of the purposes of EoIP is to bridge networks in this way. It should, also, be noted that a DHCP server on either end of the tunnel will be “seen” by equipment at both ends of the tunnel.

The bridge interface on both ends includes the EoIP tunnel and the ethernet port that is plugged into the private network. This will be discussed in further detail in a few paragraphs.

To begin our config, we will first build the PPtP tunnel. We will set the left router (12.12.10.2) as the PPtP server and the right router (12.21.11.1) as the client.

Left router:

/interface pptp-server server set enabled=yes

/ppp secret add name="USERNAME" service=pptp password="PASS" \
    local-address=192.168.10.1 remote-address=192.168.10.2 \
    disabled=no

The above configuration is all that is needed on the left router. It should be noted that the IP range I chose for the tunnel is NOT in the same range as the LAN segments. This is not strictly needed, but it is good network design, since these interfaces will NOT be added to the bridge.

Right Router:

/interface pptp-client add name="pptp-tunnel1" connect-to=12.12.10.2 \
    user="USERNAME" password="PASS" \
    profile=default-encryption add-default-route=no \
    disabled=no

This is the full configuration needed for the tunnel on the right router. The profile section is a default setting, but I generally specify it anyway.

The PPtP tunnel is now set up and you should see the tunnel as running on both ends. You can see the tunnel interface in Winbox under “Interfaces” and “PPP->Interfaces”. If you wish to see the IP addresses, you can see them under “IP->Addresses”.

Now we need to add the EoIP tunnel. This is the same on both ends, with the exception of the IP address we are connecting to.

LEFT:
/interface eoip add name=eoiptunnel remote-address=192.168.10.2 \
    tunnel-id=101 disabled=no

RIGHT:
/interface eoip add name=eoiptunnel remote-address=192.168.10.1 \
    tunnel-id=101 disabled=no

It is very important that the tunnel-id parameter be the same on both ends.

Next, we will add the bridge (this is the same on both ends):

/interface bridge add name=bridge1

Hard to believe it’s that easy, but it is.

Next, we set up the bridge ports. We will assume that the LAN side of each Mikrotik router is the ether1 interface.

/interface bridge port add bridge=bridge1 interface=ether1
/interface bridge port add bridge=bridge1 interface=eoiptunnel

The name eoiptunnel is the “name” parameter we used in the configuration we did above for the tunnel setup.

That’s it for the config. It is very easy to set up this type of config. There are a couple of other notes I will make, but as far as the configuration on the Mikrotik, that’s about it.

Devices on the right router should use 192.168.1.254 as their default gateway. They will be able to see the 192.168.1.1, but if you use that as a default gateway for these devices, then ALL their traffic will go across the bridge. This may be your desire, but it is important to note this fact. (Reverse the above for devices on the left router.)

I’ve already mentioned the DHCP server. Note that IP addresses cannot be duplicated on either network. The EoIP tunnel will act just like a (very long) ethernet cable plugged into a switch at both ends of the tunnel. You are, literally, joining the 2 networks into ONE network.

I hope I haven’t missed anything. If so, I am sure someone will point this out. :-)  I hope you find this article useful.
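
Added example (not part of the original article): a Python check that parses the two routers' commands from this article and verifies what the setup depends on: matching tunnel-id, each EoIP remote-address pointing at the peer's address inside the PPtP tunnel rather than a public address, and the EoIP interface being a bridge port. The function names are hypothetical, and treating any client profile other than default-encryption as a finding is an assumption based on the profile the article uses.

```python
import shlex

# Constructed inputs: the article's commands for each router.
LEFT = r'''
/interface pptp-server server set enabled=yes
/ppp secret add name="USERNAME" service=pptp password="PASS" \
    local-address=192.168.10.1 remote-address=192.168.10.2 disabled=no
/interface eoip add name=eoiptunnel remote-address=192.168.10.2 \
    tunnel-id=101 disabled=no
/interface bridge add name=bridge1
/interface bridge port add bridge=bridge1 interface=ether1
/interface bridge port add bridge=bridge1 interface=eoiptunnel
'''
RIGHT = r'''
/interface pptp-client add name="pptp-tunnel1" connect-to=12.12.10.2 \
    user="USERNAME" password="PASS" profile=default-encryption \
    add-default-route=no disabled=no
/interface eoip add name=eoiptunnel remote-address=192.168.10.1 \
    tunnel-id=101 disabled=no
/interface bridge add name=bridge1
/interface bridge port add bridge=bridge1 interface=ether1
/interface bridge port add bridge=bridge1 interface=eoiptunnel
'''


def parse_commands(text):
    """Return [(menu, {key: value})] for every add/set command in `text`."""
    commands = []
    for line in text.replace("\\\n", " ").splitlines():   # join continuations
        tokens = shlex.split(line)
        verb = next((i for i, t in enumerate(tokens) if t in ("add", "set")), None)
        if verb is None:
            continue
        menu = " ".join(tokens[:verb]).lstrip("/")
        params = dict(t.split("=", 1) for t in tokens[verb + 1:] if "=" in t)
        commands.append((menu, params))
    return commands


def _first(commands, menu):
    return next((p for m, p in commands if m == menu), None)


def audit(server_cfg, client_cfg):
    """Cross-check both routers; return a list of findings (empty = consistent)."""
    srv, cli = parse_commands(server_cfg), parse_commands(client_cfg)
    secret = _first(srv, "ppp secret")
    client = _first(cli, "interface pptp-client")
    eoip = {"server": _first(srv, "interface eoip"),
            "client": _first(cli, "interface eoip")}
    findings = []
    if secret is None or client is None:
        findings.append("no PPtP secret/client pair: EoIP has no encrypted carrier")
    elif client.get("profile") != "default-encryption":
        findings.append("pptp-client profile is not default-encryption")
    if None in eoip.values():
        findings.append("EoIP interface missing on one router")
        return findings
    if eoip["server"].get("tunnel-id") != eoip["client"].get("tunnel-id"):
        findings.append("tunnel-id differs between the two ends")
    if secret is not None:
        # Each end must aim at the peer's address inside the PPtP tunnel.
        expected = {"server": secret.get("remote-address"),
                    "client": secret.get("local-address")}
        for side, want in expected.items():
            got = eoip[side].get("remote-address")
            if got != want:
                findings.append(f"{side} EoIP remote-address {got} is not the PPtP "
                                f"tunnel address {want}: traffic bypasses encryption")
    for side, cmds in (("server", srv), ("client", cli)):
        ports = {p.get("interface") for m, p in cmds if m == "interface bridge port"}
        if eoip[side].get("name") not in ports:
            findings.append(f"{side} EoIP interface is not a bridge port")
    return findings


if __name__ == "__main__":
    print(audit(LEFT, RIGHT) or "configuration is consistent")
```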

hello,

can’t ping the remote computers with the ones on the other side

I am new in setting up a Mikrotik RouterBOARD, and I need some help. I have made all settings according to what you have written. I have tried to bridge two networks, but I don’t know where I went wrong. I have 2 rb750, and I can’t ping the computers from one side to another. With the config I have made on each router, in the winbox it shows that they are connected to each other but still I can’t ping them. I want the two computers on one side to be able to ping the other computers on the other side. If I am connected through telnet on the server router I can ping the ISP public addresses (95.77.9.206/24 and 89.39.197.248/23), the addresses I have received from my ISPs, and can ping the tunnel private addresses 192.168.10.1 and 192.168.10.2, but I cannot ping the private address 192.168.1.2 attached to the computers I work with on one side with the 192.168.1.3 from the other.

I haven’t modified anything in firewall or other rules, just setting up the internet connection and the settings above.

on one server router I have:

this router has the IP address 95.77.9.206/24 on eth1

IP address 192.168.1.1/24 on eth2

/interface pptp-server server set enabled=yes

/ppp secret
add name="USERNAME" service=pptp password="PASS" local-address=192.168.10.1 remote-address=192.168.10.2 disabled=no

/interface eoip add name=eoiptunnel remote-address=192.168.10.2 tunnel-id=101 disabled=no

/interface bridge add name=bridge1

/interface bridge port add bridge=bridge1 interface=ether1

/interface bridge port add bridge=bridge1 interface=eoiptunnel

on routes it has

AS 0.0.0.0/0 95.77.9.1 reachable bridge1 distance 1

DS 0.0.0.0/0 89.137.205.193 reachable bridge1 distance 1

DAC 95.77.9.0/24 bridge1 reachable distance 0 pref source 95.77.9.206

DAC 182.168.1.0/24 ether2 reachable distance 0 pref source 192.168.1.1

and on the other remote router:

this router has 89.39.197.248/23 on eth1

it has 192.168.1.254/24 on eth2

/interface pptp-client add name="pptp-tunnel1" connect-to=95.77.9.206 user="USERNAME" password="PASS" profile=default-encryption add-default-route=no disabled=no

interface eoip add name=eoiptunnel remote-address=192.168.10.1 tunnel-id=101 disabled=no

interface bridge add name=bridge1

interface bridge port add bridge=bridge1 interface=ether1

/interface bridge port add bridge=bridge1 interface=eoiptunnel

on routes it has

AS 0.0.0.0/0 89.39.196.1 reachable bridge1 distance 1

DAC 89.39.196.0/23 bridge1 reachable distance 0 pref source 89.39.197.248

DAC 182.168.1.0/24 ether2 reachable distance 0 pref source 192.168.1.254

please help me,

good day and happy holidays,

1. Jagugo  Says: March 24th, 2011 at 10:08 pm

I need help with a configuration of two RB750G.

I tried to make a connection like this post about EoIP-PPtP, but failed to establish the PPTP tunnel. There is no way to connect the tunnel. If you configure each router as a client to connect to another VPN (not MikroTik/RouterOS) the connection can be done, but if I configure one or the other router as the PPTP server, clients cannot connect, with either a RB750G or a Windows client.

Both RB750G are connected to the LAN ports of a D-Link DIR 300 router, which provides internet service, only for setup and testing; then they will go with fixed IPs on the Internet.

Left side (PPTP Server):

Router 1:

IP WAN (ether1): 192.168.0.51

Gateway: 192.168.0.1

LAN IP (ether2): 192.168.88.1

Tunnel IP EoIP (Local side): 192.168.10.1

PC 1:

IP: 192.138.88.10

Mask: 255.255.255.0

Gateway: 192.168.88.1

DNS: 192.168.88.1

Right side (PPTP client):

Router 2:

IP WAN (ether1): 192.168.0.52

Gateway: 192.168.0.1

LAN IP (ether2): 192.168.88.2

EoIP IP tunnel (Remote side): 192.168.10.2

PC 2:

IP: 192.168.88.12

Mask: 255.255.255.0

Gateway: 192.168.88.2

DNS: 192.168.88.2

Any PPP server that I enable (PPTP, L2TP, OVPN, or whatever) does not work. No client is able to connect.

I want to know what I’m doing wrong, because I follow the example of this blog and the MikroTik Wiki, but nothing works. I tried with RouterOS 4.17 and now 5.0rc11, but no way. The scripts are similar to this post.

I would appreciate any help on this case.

2. Jagugo  Says: March 27th, 2011 at 9:33 pm

I had found a solution, you must open ports 1723 in TCP and UDP in the Firewall Filter Rules, uffff….!!!

3. Jagugo  Says: March 28th, 2011 at 5:40 pm

Hi Alexandru MARIN. The correct line in the script is:

/interface bridge port add bridge=bridge1 interface=ether2

Look, ether2, not ether1. You are bridging the LAN interface (ether2) not the WAN interface (ether1). I had the same problem and when I changed the script to ether2 it worked.

You must add two Firewall Filter Rules, in the PPtP server, the ports 1723 in TCP and UDP in the default configuration in the ether1-gateway, Chain: input, Protocol: 6 (tcp) and 17 (udp), Dst Port: 1723, Action: accept.

4. Jagugo  Says: July 3rd, 2011 at 2:37 pm

Butch, I have a question: Why can't I set up a DHCP server in either Mikrotik when I use a transparent bridge using PPtP and EoIP?

This is the IP addresses list in the Mikrotik-2 that connects to the Mikrotik-1 pptp server:

Address              Network           Interface
190.254.xxx.xx3/29   190.254.xxx.200   ether1-gateway
190.168.10.2         192.168.10.1      pptp-tunnel1
192.168.15.253/24    192.168.15.0      ether2-local-master

I can't set up a DHCP server in the Mikrotik-2 (or Mikrotik-1). When I use the WinBox interface and I give the ether2-local-master and the IP 192.168.15.253, the DHCP server turns red and doesn't work. Or when I configure it in terminal mode I receive these messages:

_____________________________________

[admin@MikroTik-2] > ip dhcp-server

[admin@MikroTik-2] /ip dhcp-server> setup

Select interface to run DHCP server on

dhcp server interface: ether2-local-master

Select network for DHCP addresses

dhcp address space: 192.168.15.0/24

Select gateway for given network

gateway for dhcp network: 192.168.15.253

If this is remote network, enter address of DHCP relay

There is no such IP network on selected interface

interrupted 192.168.15.253

[admin@MikroTik-2] /ip dhcp-server>

_____________________________________

Why?

5. hitham_adel2004 Says: October 20th, 2012 at 8:22 pm

hello

if i want to enter to local network mikrotik from normal pc in other internet network by vpn

In this case, what are the settings in mikrotik v3.30

thanks

Ethernet over IP (EoIP) Tunnel Interface

Document revision 1.2 (30-May-2003)

This document applies to the MikroTik RouterOS V2.7

Network setups with EoIP interfaces:

• Possibility to bridge LANs over the Internet

• Possibility to bridge LANs over encrypted tunnels

• Possibility to bridge LANs over 802.11b 'ad-hoc' wireless networks

Specifications

Packages required: None
License required: Basic (DEMO license is limited to 4 tunnels)
Home menu level: /interface eoip
Standards and Technologies: GRE (RFC1701)
Hardware usage: not significant

Related Documents

Software Package Installation and Upgrading
IP Addresses and Address Resolution Protocol (ARP)
Bridge Interfaces
PPTP (Point to Point Tunnel Protocol) Interface

Description

An EoIP interface should be configured on two routers that have the possibility for an IP level connection. The EoIP tunnel may run over an IPIP tunnel, a PPTP 128bit encrypted tunnel, a PPPoE connection, or any connection that transports IP.

Specific Properties:

• Each EoIP tunnel interface can connect with one remote router which has a corresponding interface configured with the same 'Tunnel ID'.

• The EoIP interface appears as an Ethernet interface under the interface list.

• This interface supports all features of an Ethernet interface. IP addresses and other tunnels may be run over the interface.

• The EoIP protocol encapsulates Ethernet frames in GRE (IP protocol number 47) packets (just like PPTP) and sends them to the remote side of the EoIP tunnel.

• Maximal count of EoIP tunnels is 65536.

EoIP Setup

Submenu level: /interface eoip

Property Description

name (name; default: eoip-tunnelN) - interface name for reference
mtu (integer; default: 1500) - Maximum Transmission Unit. The default value provides maximal compatibility
arp (disabled | enabled | proxy-arp | reply-only; default: enabled) - Address Resolution Protocol
tunnel-id (integer; default: 0) - a unique tunnel identifier
remote-address - the IP address of the other side of the EoIP tunnel - must be a MikroTik router

Notes

tunnel-id is a method of identifying the tunnel. There should not be tunnels with the same tunnel-id on the same router. tunnel-id on both participant routers must be equal.

mtu should be set to 1500 to eliminate packet refragmentation inside the tunnel (that allows transparent bridging of ethernet-like networks, so that it would be possible to transport a full-sized ethernet frame over the tunnel).

Example

To add and enable an EoIP tunnel named to_mt2 to the 10.5.8.1 router, specifying tunnel-id of 1:

[admin@MikroTik] interface eoip> add name=to_mt2 remote-address=10.5.8.1 \
\... tunnel-id 1
[admin@MikroTik] interface eoip> print
Flags: X - disabled, R - running
  0  X name="to_mt2" mtu=1500 arp=enabled remote-address=10.5.8.1 tunnel-id=1

[admin@MikroTik] interface eoip> enable 0
[admin@MikroTik] interface eoip> print
Flags: X - disabled, R - running
  0  R name="to_mt2" mtu=1500 arp=enabled remote-address=10.5.8.1 tunnel-id=1

[admin@MikroTik] interface eoip>

EoIP Application Example

Let us assume we want to bridge two networks: 'Office LAN' and 'Remote LAN'. The networks are connected to an IP network through the routers [Our_GW] and [Remote]. The IP network can be a private intranet or the Internet. Both routers can communicate with each other through the IP network. Our goal is to create a secure channel between the routers and bridge both networks through it. The network setup diagram is as follows:

To make a secure Ethernet bridge between two routers you should:

1. Create a PPTP tunnel between them. Our_GW will be the pptp server:

[admin@Our_GW] interface pptp-server> /ppp secret add name=joe service=pptp \
\... password=top_s3 local-address=10.0.0.1 remote-address=10.0.0.2
[admin@Our_GW] interface pptp-server> add name=from_remote user=joe
[admin@Our_GW] interface pptp-server> server set enable=yes
[admin@Our_GW] interface pptp-server> print
Flags: X - disabled, D - dynamic, R - running
  #     NAME          USER   MTU   CLIENT-ADDRESS   UPTIME   ENC...
  0     from_remote   joe
[admin@Our_GW] interface pptp-server>

The Remote router will be the pptp client:

[admin@Remote] interface pptp-client> add name=pptp user=joe \
\... connect-to=192.168.1.1 password=top_s3 mtu=1500 mru=1500
[admin@Remote] interface pptp-client> enable pptp
[admin@Remote] interface pptp-client> print
Flags: X - disabled, R - running
  0  R name="pptp" mtu=1500 mru=1500 connect-to=192.168.1.1 user="joe"
       password="top_s2" profile=default add-default-route=no

[admin@Remote] interface pptp-client> monitor pptp
     status: "connected"
     uptime: 39m46s
   encoding: "none"

[admin@Remote] interface pptp-client>

See the PPTP Interface Manual for more details on setting up encrypted channels.

2. Configure the EoIP tunnel by adding the eoip tunnel interfaces at both routers. Use the ip addresses of the pptp tunnel interfaces when specifying the argument values for the EoIP tunnel:

[admin@Our_GW] interface eoip> add name="eoip-remote" tunnel-id=0 \
\... remote-address=10.0.0.2
[admin@Our_GW] interface eoip> enable eoip-remote
[admin@Our_GW] interface eoip> print
Flags: X - disabled, R - running
  0    name=eoip-remote mtu=1500 arp=enabled remote-address=10.0.0.2 tunnel-id=0
[admin@Our_GW] interface eoip>

[admin@Remote] interface eoip> add name="eoip-main" tunnel-id=0 \
\... remote-address=10.0.0.1
[admin@Remote] interface eoip> enable eoip-main
[admin@Remote] interface eoip> print
Flags: X - disabled, R - running
  0    name=eoip-main mtu=1500 arp=enabled remote-address=10.0.0.1 tunnel-id=0

[admin@Remote] interface eoip>

3. Enable bridging between the EoIP and Ethernet interfaces on both routers. On the Our_GW:

[admin@Our_GW] interface bridge> add forward-protocols=ip,arp,other \
\... disabled=no
[admin@Our_GW] interface bridge> print
Flags: X - disabled, R - running
  0  R name="bridge1" mtu=1500 arp=enabled mac-address=00:00:00:00:00:00
       forward-protocols=ip,arp,other priority=1

[admin@Our_GW] interface bridge> port print
Flags: X - disabled
  #    INTERFACE      BRIDGE
  0    eoip-remote    none
  1    office-eth     none
  2    isp            none

[admin@Our_GW] interface bridge> port set "0,1" bridge=bridge1

And the same for the Remote:

[admin@Remote] interface bridge> add forward-protocols=ip,arp,other \
\... disabled=no
[admin@Remote] interface bridge> print
Flags: X - disabled, R - running
  0  R name="bridge1" mtu=1500 arp=enabled mac-address=00:00:00:00:00:00
       forward-protocols=ip,arp,other priority=1

[admin@Remote] interface bridge> port print
Flags: X - disabled
  #    INTERFACE      BRIDGE
  0    ether          none
  1    adsl           none
  2    eoip-main      none

[admin@Remote] interface bridge> port set "0,2" bridge=bridge1

4. Addresses from the same network can be used both in the Office LAN and in the Remote LAN.

© Copyright 1999-2003, MikroTik