Butch Evans Blog

In this article, I want to describe how to tunnel EoIP over a PPtP connection.  EoIP is a Mikrotik specific method of bridging ethernet traffic over a routed network.  The problem with using EoIP as a “VPN”, is that it is not encrypted.  The network we will build in this article will tunnel the EoIP traffic over an encrypted PPtP tunnel.  There are other methods available in later versions of Mikrotik RouterOS to accomplish this functionality (OpenVPN, for one example) and I will be adding articles on some of these at a later time.  the method described in this article will work in any version of Mikrotik RouterOS.  It has been tested under 2.8.28, 2.9.51 and 3.13.

The following picture is the network layout we are shooting for:

Our goal is the build a transparent bridge over the internet. This article gives a brief how-to describing the steps necessary to accomplish this. The PPtP tunnel is only needed in order to add encryption, since EoIP is not an encrypted tunnel.

In this configuration, there are several parts, which we will discuss individually. First, there is the IP space on both the internet side of each router and the “private” side. Note that the PRIVATE range is the SAME on both sides. This is not important for the tunnel to work, but one of the purposes of EoIP is to bridge networks in this way. It should, also, be noted that a DHCP server on either end of the tunnel will be “seen” by equipment at both ends of the tunnel.

The bridge interface on both ends includes the EoIP tunnel and the ethernet port that is plugged into the private network. This will be discussed in further detail in a few paragraphs.

To begin our config, we will first build the PPtP tunnel. We will set the left router (12.12.10.2) as the PPtP server and the right router (12.21.11.1) as the client.

Left router:

/interface pptp-server server set enabled=yes

/ppp secret
add name="USERNAME" service=pptp password="PASS" \
local-address=192.168.10.1 remote-address=192.168.10.2  \
disabled=no 

The above configuration is all that is needed on the left router. It should be noted that the IP range I chose for the tunnel is NOT in the same range as the LAN segments. This is not strictly needed, but it is good network design, since these interfaces will NOT be added to the bridge.

Right Router:

/interface pptp-client
add name="pptp-tunnel1" connect-to=12.12.10.2 \
user="USERNAME" password="PASS" \
profile=default-encryption add-default-route=no \
disabled=no 

This is the full configuration needed for the tunnel on the right router. The profile section is a default setting, but I generally specify it anyway.

The PPtP tunnel is now set up and you should see the tunnel as running on both ends. You can see the tunnel interface in Winbox under “Interfaces” and “PPP->Interfaces”.  If you wish the see the IP addresses, you can see that under “IP->Addresses”.

Now we need to add the EoIP tunnel. This is the same on both ends, with the exception of the IP address we are connecting to.

LEFT:
/interface eoip add name=eoiptunnel remote-address=192.168.10.2 \
tunnel-id=101 disabled=no

RIGHT:
/interface eoip add name=eoiptunnel remote-address=192.168.10.1 \
tunnel-id=101 disabled=no

It is very important that the tunnel-id parameter be the same on both ends.

Next, we will add the bridge (this is the same on both ends):

/interface bridge add name=bridge1

Hard to believe it’s that easy, but it is.

Next, we set up the bridge ports. We will assume that the LAN side of the Mikrotik routers are the ether1 interface.

/interface bridge port add bridge=bridge1 interface=ether1
/interface bridge port add bridge=bridge1 interface=eoiptunnel

The name eoiptunnel is the “name” parameter we used in the configuration we did above for the tunnel setup.

That’s it for the config. It is very easy to set up this type of config. There are a couple of other notes I will make, but as far as the configuration on the Mikrotik, that’s about it.

Devices on the right router should use 192.168.1.254 as their default gateway. They will be able to see the 192.168.1.1, but if you use that as a default gateway for these devices, then ALL their traffic will go across the bridge. This may be your desire, but it is important to note this fact. (Reverse the above for devices on the left router.)

I’ve already mentioned the DHCP server. Note that IP addresses cannot be duplicated on either network. The EoIP tunnel will act just like a (very long) ethernet cable plugged into a switch at both ends of the tunnel. You are, literally, joining the 2 networks into ONE network.

I hope I haven’t missed anything. If so, I am sure someone will point this out.   I hope you find this article useful.

This entry was posted on Sunday, September 14th, 2008 at 11:07 pm and is filed under Mikrotik. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.