MikroTik EOIP Behind a NAT

The following describes how to set up an EoIP tunnel carrying untagged and tagged VLAN traffic when one of the endpoints is behind a NAT. This guide assumes you have a device that is reachable without a NAT and that the appropriate firewall rules are already in place.

R1 Configuration (WAN-Facing Router)

  1. Create the PPP Profile for Devices.
    • /ppp profile add change-tcp-mss=yes local-address=192.168.60.1 name=VPN use-encryption=yes
  2. Enable and configure the L2TP server. Make sure you change the IPSEC Secret.
    • /interface l2tp-server server set enabled=yes ipsec-secret=IPSECPASSWORD use-ipsec=required
  3. Create the VPN User for EOIP Access.
    • /ppp secret add local-address=192.168.60.1 name=TEST_VPN_USER profile=VPN remote-address=192.168.60.2 service=l2tp
  4. Build the Bridges for Tagged and Untagged Traffic
    • /interface bridge
    • add name=EOIP_TAGGED_BRIDGE_60
    • add name=EOIP_UNTAGGED_BRIDGE
  5. Build the EOIP Interface
    • /interface eoip add local-address=192.168.60.1 name=eoip-tunnel1 remote-address=192.168.60.2 tunnel-id=60
  6. Build the Tagged VLAN on the EOIP Interface
    • /interface vlan add interface=eoip-tunnel1 name=vlan60-eoip1 vlan-id=60
  7. Add the Interfaces to the Bridge for Tagged VLAN
    • /interface bridge port add bridge=EOIP_TAGGED_BRIDGE_60 interface=vlan60-eoip1
  8. Add the Interfaces to the Bridge for Untagged Traffic
    • /interface bridge port add bridge=EOIP_UNTAGGED_BRIDGE interface=eoip-tunnel1

R2 Configuration

  1. Create the L2TP/IPSEC Client
    • /interface l2tp-client add connect-to=WAN_IP_OF_R1 disabled=no name=l2tp-out1 use-ipsec=yes ipsec-secret=IPSECPASSWORD user=TEST_VPN_USER
  2. Build the Bridges for Tagged and Untagged Traffic
    • /interface bridge
    • add name=EOIP_TAGGED_BRIDGE_60
    • add name=EOIP_UNTAGGED_BRIDGE
  3. Build the EOIP Interface
    • /interface eoip add local-address=192.168.60.2 name=eoip-tunnel1 remote-address=192.168.60.1 tunnel-id=60
  4. Build the Tagged VLAN on the EOIP Interface
    • /interface vlan add interface=eoip-tunnel1 name=vlan60-eoip1 vlan-id=60
  5. Add the Interfaces to the Bridge for Tagged VLAN
    • /interface bridge port add bridge=EOIP_TAGGED_BRIDGE_60 interface=vlan60-eoip1
  6. Add the Interfaces to the Bridge for Untagged Traffic
    • /interface bridge port add bridge=EOIP_UNTAGGED_BRIDGE interface=eoip-tunnel1
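
The guide assumes firewall rules are already in place on R1. The following is an added example of what those input-chain rules could look like, not configuration from the original post. It assumes the WAN interface on R1 is named ether1 and that these rules sit above any general drop rule.

```routeros
# Added example for R1 (assumptions: WAN interface is ether1,
# rules are placed above any catch-all drop in the input chain).
/ip firewall filter

# IKE on UDP 500, then NAT-T on UDP 4500 because R2 sits behind a NAT.
add chain=input action=accept in-interface=ether1 protocol=udp \
    dst-port=500,4500 comment="IKE / IPsec NAT-T"

# Native ESP, used only when a peer is not behind a NAT.
add chain=input action=accept in-interface=ether1 protocol=ipsec-esp \
    comment="IPsec ESP"

# Accept L2TP only if the packet was decrypted by IPsec first.
add chain=input action=accept in-interface=ether1 protocol=udp \
    dst-port=1701 ipsec-policy=in,ipsec comment="L2TP inside IPsec only"

# Anything else reaching UDP 1701 is cleartext L2TP: drop it.
add chain=input action=drop in-interface=ether1 protocol=udp \
    dst-port=1701 comment="Drop cleartext L2TP"

# EoIP is GRE (IP protocol 47). Allow it only between the tunnel
# addresses from this guide, arriving over a PPP (L2TP) interface.
add chain=input action=accept in-interface=all-ppp protocol=gre \
    src-address=192.168.60.2 dst-address=192.168.60.1 \
    comment="EoIP inside the L2TP session"

# GRE from any other source or interface never reaches the EoIP endpoint.
add chain=input action=drop protocol=gre comment="Drop all other GRE"

# Checks once R2 has connected:
# the L2TP session for TEST_VPN_USER should be listed
/ppp active print
# IPsec SAs should exist for the peer, confirming the session is encrypted
/ip ipsec installed-sa print
```

Because EoIP itself is unencrypted, restricting GRE to the 192.168.60.x addresses keeps the bridged traffic inside the IPsec-protected L2TP session.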

One thought on “MikroTik EOIP Behind a NAT”

  1. An outstanding share! I have just forwarded this onto a coworker who was doing a little research on this. And he actually bought me lunch due to the fact that I found it for him… lol. So allow me to reword this…. Thank YOU for the meal!! But yeah, thanks for spending some time to discuss this matter here on your web site.
