
We have two offices in a single Windows 2003 domain, sharing the same IP range (no overlapping). Each office has its MikroTik router as gateway. The thing is, the first office has a solid wired internet connection from the ISP, and the second office has only a 3G modem that provides no static IP.

So our first thought, to bridge these networks with EoIP, got stuck because the RouterOS manual says we have to provide public IPs for both sides of the tunnel. Any ideas to solve this issue would be highly appreciated. The final goal is actually to give the 2nd office's computers access to the Terminal Server in the first office.

Andrew Schulman

1 Answer

There are a couple of ways you can accomplish this using dynamic IPs.

First, I assume you are familiar with the setup described here http://wiki.mikrotik.com/wiki/Manual:Interface/EoIP

Now in order to establish an EoIP tunnel with dynamic IP(s) you can create a PPTP/L2TP/OVPN/SSTP VPN first, and then create the EoIP tunnel over the VPN.

Since those types of VPN work with the server-client model, you don't need a static IP on the 3G side (you need a static IP on the other side though).
And since you can have static IPs on the VPN endpoints you can then create the EoIP tunnel, your bridge etc.

But this method probably will cause you headaches with the MTUs and stuff, plus over 3G it will be a nightmare to pass any decent amount of traffic.

The other method - and the one which I use - is to use DDNS on the 3G side. There is a nice DDNS feature on the latest versions of MikroTik (IP > Cloud)
And then with some scripting on the other side, you periodically check the IP of the DDNS entry and update the EoIP remote address if and when it changes.

The MikroTik's DDNS TTL is 60 seconds by default, so in case the 3G gets disconnected and the IP changes, it will take about 60 seconds for the offices to reconnect over EoIP.

Personally I've set up my own DDNS service, so for that exact purpose I use a TTL of 1 second and I run the script every 3 seconds, so in about 5 seconds the EoIP tunnel is reconnected after an IP change.

Cha0s
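One way to script the polling side of the second method, as an added example that is not from the answer or from MikroTik's documentation. It assumes the tunnel is named `eoip-tunnel1`, that the 3G router publishes itself as `office2.example.com` via IP > Cloud, and that the script is saved under `/system script` as `eoip-ddns`:

```routeros
# Added example (assumed names): resolve the 3G office's DDNS hostname and
# repoint the EoIP tunnel at it only when the address has actually changed.
:local ddnsName "office2.example.com"
:local tunnelName "eoip-tunnel1"
:local newIP ""

# :resolve throws on lookup failure (e.g. 3G link down); catch it so the
# scheduler keeps running and the tunnel keeps its last known peer.
:do {
    :set newIP [:resolve $ddnsName]
} on-error={
    :log warning ("eoip-ddns: could not resolve " . $ddnsName)
}

:if ([:len $newIP] > 0) do={
    :local tunnelId [/interface eoip find name=$tunnelName]
    :local currentIP [/interface eoip get $tunnelId remote-address]

    # Only touch the interface on a real change, so a steady address never
    # causes a needless tunnel flap or log noise every few seconds.
    :if ($newIP != $currentIP) do={
        /interface eoip set $tunnelId remote-address=$newIP
        :log info ("eoip-ddns: " . $tunnelName . " remote-address " . \
            $currentIP . " -> " . $newIP)
    }
}
```

Run it from a scheduler with `/system scheduler add name=eoip-ddns interval=00:00:03 on-event=eoip-ddns`; with the default 60 second Cloud TTL the router's resolver can hand back the old address for up to a minute after a change, which is the reconnect delay the answer describes.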
  • EoIP over PPTP works just fine. But I'm concerned about broadcast traffic and other stuff that unnecessarily takes a lot of bandwidth. Since only RDP sessions to one terminal server are required, is there some way to drop all other traffic? – Roman Doroshenko Feb 24 '15 at 11:09
  • If you only need RDP traffic, there is no real need to use EoIP then. You can use a standard VPN instead that does not pass broadcast traffic. Or you can simply add a drop rule in the forward chain of `/ip firewall filter` to block anything that does not have dst-port 3389 through the EoIP tunnel. – Cha0s Feb 24 '15 at 11:13
  • For some reason I can't set up firewall rule to drop anything. Even if I drop all forward traffic - the other side is still pinging. Rule is pulled up to be the first one in priorities. – Roman Doroshenko Feb 24 '15 at 11:41
  • Please post the results of `/ip firewall filter print detail` (only the first rule) – Cha0s Feb 24 '15 at 12:13
  • chain=forward action=drop dst-address=192.168.200.0/23 out-interface=bridge1 out-bridge-port=eoip-tunnel1 ( Even if I leave only "chain=forward action=drop" without any additional info - ping to 192.168.201.88 on the other end is still working 0_0 ) – Roman Doroshenko Feb 24 '15 at 12:49
  • I think maybe you need to apply the firewall rule on the `Filter` tab of the `Bridge` (or `/interface bridge filter` from terminal) instead of `/ip firewall filter`. Or you can try without the interface ports, only with src/dst addresses. Does your current rule measure any packets at all? – Cha0s Feb 24 '15 at 17:32
  • No, it doesn't. /ip firewall filter doesn't work even with only src/dst addresses. Bridge filter works as expected but, as I can see, there's no way to make any priority in these rules, which is required as long as I need to accept packets from servers and drop everything else. Or maybe there is a better way to do that? – Roman Doroshenko Mar 04 '15 at 05:57
  • I suggest you create a new question with your full config and your network topology to be able to answer your question. – Cha0s Mar 04 '15 at 11:08