Bridging Remote Networks

If you have a MikroTik Router with two Ethernet-type interfaces, you can easily put them into one bridge, by

1. Creating the bridge interface
2. Assigning the Ethernet interfaces to the bridge

However, you should be very careful about what are you bridging, because bridge creates one big broadcast domain, i.e., broadcast traffic is sent over from hosts connected on one physical interface to hosts on another interface.

For example, you have two LANs connected to your router with two Ethernet interfaces. The networks are 192.168.1.0/24 and 192.168.2.0/24, connected to ether1 and ether2, respectively.

Apparently, you are using routing between those networks, and bridging them right away how they are wouldn't be such a great idea at all. If you need to bridge those networks however, you need to change IP addressing. You may

• increase the network size by making the network mask one bit shorter, i.e., use /23 network, and changing network mask on all hosts from /24 to /23, or,
• leave one network intact, say 192.168.1.0/24, and change the hosts on another network to IP addresses that are free (not used) on 192.168.1.0/24, like in the drawing example below:

Once you get traffic passed over from one interface to another, you can analyze it and implement control measures. You can use Torch tool to analyze the traffic, see all connections, IP addresses, protocols, ports, and traffic speed used. You can implement IP or MAC address filtering, as well as data rate management.

Before we proceed with configuration, there is a question for you:

Imagine you have a MikroTik router with three Ethernet interfaces. Interfaces ether1 and ether2 are bridged to monitor traffic between two segments of LAN connected to them. Do you need an IP address assigned to ether1, ether2 or to the bridge interface itself, if you are connecting to the router over ether3, which is on the 10.1.2.0/24 network?

Now lets create a bridge between ether1 and ether2
interfaces of your MikroTik router to monitor traffic between two segments of LAN.

Let us assume you have IP address 10.1.0.208 with /24 bit network mask assigned to the ether1 interface of the MikroTik router. ether2 interface has no address assigned to it. The default gateway is 10.1.0.1.

First we should create a bridge interface. In winbox GUI, go to the interface menu and press '+' button to add an interface, select 'Bridge':

Just click 'OK' to confirm adding bridge interface with name 'bridge1':

Now you should add interfaces to the bridge. Open up the Bridge menu and select the Ports tab. All interfaces that can possibly be added to the bridge are listed there. Double click on ether1 and select bridge1 for the Bridge argument:

Do the same for ether2, and get the following setup:

If you prefer using command line interface instead of winbox GUI, below are commands to be issued at the command prompt:

/interface bridge add
/interface bridge port add interface=ether1 bridge=bridge1
/interface bridge port add interface=ether2 bridge=bridge1

We have created a new virtual interface bridge1 and assigned two physical interfaces ether1 and ether2 to it. Check the routing table, it shows bridge1 as the interface for accessing the network 10.1.0.0/24.


The router can be accessed by the IP address 10.1.0.208 from either side of the LAN, since the IP address belongs to the bridge interface now. The address move from ether1 to bridge1 is done internally and it is not reflected in the address table. If you remove the bridge or just ether1 from it, the IP address 10.1.0.208 would be reassigned to ether1.

What happens, if you have IP address assigned to the bridge1 interface, and you remove the bridge interface, i.e., the interface is deleted?

The following types of interfaces can be bridged:

• Ethernet
• VLAN. Note, that VLAN is a virtual interface belonging to an
  Ethernet or Wireless connection. Do not bridge VLAN with the physical interface it is attached onto! You should bridge the VLAN interfaces instead.
• Wireless. You can bridge
  wireless interface, only if it is configured in 'ap-bridge' or 'bridge'
  mode. If the interface is in 'station' mode, it cannot be bridged due
  to the limitations of IEEE 802.11 protocol. However, you can use 'station wds' mode to establish a [bridgeable] WDS connection.
• WDS. Wireless Distribution System interface can be bridged.
• EoIP. Ethernet over IP interface encapsulates Ethernet frames into IP packets and it can be bridged. Just like with VLANs, you should not try to bridge EoIP tunnel with the physical interface, the tunnel is run on top of.

You
cannot bridge any other interfaces types, like synchronous, IPIP, PPTP
PPPoE, and so on. However, you can use EoIP tunnel over those
interfaces to achieve what you need. EoIP works only between MikroTik
routers, it does not work with Cisco and other equipment.

In previous part of the Lesson, we have discussed creating a bridge interface between two Ethernet interfaces. Creating a bridge between Ethernet and wireless interface is very similar. Just remember, that you can bridge only wireless interface, if it is configured to 'mode=ap-bridge', or 'mode=bridge'.

The difference between 'ap-bridge' and 'bridge' is only in number of clients/stations it can register. 'bridge' can register only one station, whereas 'ap-bridge' is limited by the max-station-count only. Level 3 software license is sufficient for wireless 'mode=bridge', but Level 4 license is required for 'mode=ap-bridge'.

Let us consider the following setup, where we have a wireless AP with ether1 and wlan1 bridged:

Configure the wireless interface for mode=ap-bridge with ssid=test_net, frequency=5180


Now you can include the wlan1 interface into the bridge by specifying it under bridge ports:


Note, that there is only one IP address assigned to the bridged interfaces ether1 and wlan1! The bridged network includes all hosts on LAN where the AP is connected, and wireless interfaces of the 'stations'. You cannot extend the bridged network behind the 'stations' in the current setup.

Further on we will be creating transparent bridge across wireless
link using WDS. If you do not want to learn about it, you can skip over
to the topic about creating transparent bridge using EoIP.

Jump to the part about using EoIP to bridge remote networks:

Learn about creating encrypted PPTP tunnel and running EoIP over it.

Start learning about using WDS to bridge over wireless networks:

As stated before, you cannot directly use simple AP and station setup to create transparent bridge. It is because of limitations of the IEEE 802.11 standard. Using WDS is one of the ways how to circumvent this problem. Let us consider the following setup with two units, one is going to be configured as ap-bridge with WDS, the other one is going to be in station-wds mode: Configure the wireless interface wlan1 on APwds to ssid=test_net, frequency=5180 and mode=ap-bridge: Set the WDS mode to dynamic: Using 'dynamic' makes it easier to create the wds interface, since it is done automatically as soon as the other end of the link is configured and is within the RF range. However, changing over to 'static' is recommended, since the interface is going to be used in bridge. Sometimes the wireless link may disconnect, and the dynamic interface may disappear. That would cause bad behaviour of the bridge, since it has to re-learn all addresses. There are also some security considerations, as leaving WDS configuration dynamic, you allow anybody to get all your network traffic redirected to him and to inject packets to your network without limitations. From security point of view, it is much better to define statically all your WDS associations. Configure the other end of the link as station-wds: Check the status of wireless interface We see that our station is connected to the AP and has created a WDS link. It shows up as a virtual interface on the AP: You may create a static WDS interface if you know the MAC address of the station. In our case, just copy the MAC address of the station from the dynamic interface and paste it into the field when adding the static interface for it. Choose to add a new interface, select WDS: Then specify the master interface and WDS address: Change the WDS mode to static: You should have active (A) and running (R) WDS interface in the list We will discuss configuring the bridge in the next section.

Once the WDS link is established, we can add interfaces to the
bridges on both sides of the link. We have discussed it at the
beginning of the lesson and you should know how to add a bridge
interface and how to configure bridge ports, i.e., assign interfaces to
it. On both sides we should have 'ether1' interfaces assigned to the
bridge, if they are used to connect the LANs on both sides.

On the AP's side, we add the WDS interface to bridge.

Note
that connection to the router might be lost for a moment, if you are
connecting to it over an interface belonging to the bridge. It is
because the bridge is restarted each time an interface is added or
removed from it.

On the station's side, we add the wireless interface, which is in station-wds mode, to the bridge.

Thus
we have created a transparent bridge over wireless link. You can test
it by pinging from a host on one LAN segment over to a host on another
LAN segment. You should use the same address space for hosts on both
LAN segments, including both routers.

Using EoIP to bridge remote networks:

Ethernet over IP (EoIP) is a MikroTik RouterOS protocol that is used for creating tunnels between two MikroTik routers. The protocol encapsulates Ethernet frames into IP packets and transports them over an IP network. EoIP tunnel interface is an Ethernet-like interface and can thus be bridged. It is widely used for creating transparent bridges between remote private LANs.

EoIP tunnel is very useful for:

1. bridging LANs that are connected over multiple hops;
2. bridging over interfaces, that cannot be bridged, e.g., synchronous, wireless station.

We have previously discussed creating a transparent bridge between two wireless nodes. We had to use WDS for that. Now we will see how to create a transparent bridge between two wireless nodes using EoIP. Note, however, that the EoIP tunnels have greater overhead than WDS, so it is recommended to use WDS wherever possible.


The nodes are configured as routers, the wireless interface of one node is in ap-bridge (or in bridge) mode


that of the second node is in station mode:


Make sure the link is working, test it with ping from 10.2.0.1 to 10.2.0.2. Next will be creating the EoIP tunnel.

An EoIP tunnel can be created between two Mikrotik routers once you are able to communicate between them over the IP network. In our case, there is a point to point wireless link between the routers. Generally speaking, EoIP tunnels can be created between MikroTik routers that are interconnected by an IP network (like the Internet) by any means, for example, one router can be at the head office and connected over high speed Ethernet to the Internet backbone, the other one might be connected over and aDSL line in another city or country.

To create an EoIP tunnel between two routers, you should add EoIP interfaces for it.

1. Specify the IP address of the remote router for the Remote Address argument.
2. There might be more than one EoIP tunnel for a router; therefore, a unique tunnel ID is required for each tunnel.
3. Make sure the MAC addresses differ for the tunnel interfaces, if they are going to be used in a bridge.

EoIP interface is added for the AP router as follows


Modify the MAC Address when adding the EoIP interface for the station router:


Next, we will be adding the EoIP interfaces to the bridge.

Once the EoIP tunnel has been created, we need to configure the bridging to make the link 'transparent':

It has been discussed previously how to add a bridge interface and specify bridge ports. If there is no bridge interface present, just add it to the router. When specifying bridge ports, make sure to include the ether1 and eoip-tunnel1. You should NOT add wireless interface to the bridge! For the AP router:

For the station router:

Thus, we have created a transparent bridge over the wireless network using EoIP tunnel. However, the EoIP protocol does not provide encryption. It is not a real VPN without encryption. We need to discuss, how to make it 'secure', so the packets are encrypted when sent over public networks.

Let us consider the following example, where we have two routers connected over a wireless link:

Our goal is to make the communication between two LAN segments 'secure', i.e., encrypt the data, when it is sent over the wireless link between two routers. Configuration of the wireless interfaces is the same as discussed previously, when we were making the EoIP tunnel interface.

We already mentioned that the EoIP protocol does not provide data encryption. Apparently, we need to use something else to encrypt the data. We can use encrypted IPPsec, L2TP, PPTP or PPPoE tunnel for that. Once we create the encrypted tunnel, all data should be sent over that tunnel.

We assume, that the link is configured and running as described previously. Please go back to the previous parts of the course if you need to refresh you knowledge about setting up wireless point to point link.

We will be making encrypted PPTP tunnel between the AP and the station (note that L2TP configuration is the same as for PPTP, just replace 'pptp' to 'l2tp' in all configuration strings). One unit should be PPTP server, and the other one should be PPTP client. It does not really matter which one is the server.

To start PPTP server, open up PPP menu, select PPTP Server and check
the Enable box. You may want to have default profile with encryption
and leave only mschap2 for authentication (note that PAP and CHAP authentication protocols do not support encryption, and MS CHAP version 1 has security flaws, the second version was designed to fix; that is why it is recommended to only use MSCHAP version 2 in modern networks), click OK:

Next, open up the Secrets tab in the PPP window and add authentication information for ppp client:

1. Name the client will be using
2. Password for the client
3. Service you can leave any, or specify pptp
4. Profile should be with encryption
5. Local Address is the address that will be assigned to the created pptp tunnel interface when the client has logged in
6. Remote Address is the address that will be assigned to the pptp tunnel interface at the client's end.

Add the PPTP client interface at the other router. Select PPP from the main menu and click '+' to add PPTP Client, specify:

1. Server Address where the client should be connecting to
2. User name
3. Password as it was specified under PPP Secret for this user on the server
4. Profile with encryption
5. Allow mschap2 only for authentication

Click 'Apply' and check status of the added interface


We see, that an encrypted PPTP link has been established and IP address 10.3.0.2/32 has been assigned to the pptp client interface pptp-out1.

Check the status of PPP connections on the server (AP)


Next, we are going to make EoIP tunnel over the established PPTP tunnel. If you do not require bridging of the remote networks, you do not need the EoIP tunnel. All you have to do is make sure the routing sends packets from one network to the other one over the encrypted link, i.e., gateway should be the remote IP address on the tunnel interface (10.3.0.1 or 10.3.0.2), not on the wireless interface (10.2.0.1 or 10.2.0.2).

 We have the PPTP tunnel established between two routers.



Next, we need to add the EoIP tunnel between the routers in such a way
that it goes over the encrypted tunnel. It is very similar to what we
did previously, when the EoIP tunnel was made directly over the
wireless link.

Add the EoIP interface on the AP side


Add the EoIP Tunnel interface on the station:

Note, that we have specified IP addresses of the encrypted tunnel interface rather than the IP addresses of the wireless interface when creating the EoIP tunnel.

All we have to do now is to include the eoip-tunnel1 interface into the bridge1. We have done this before. Add the bridge interface, if you do not have it already. You should:

1. Select Bridge menu
2. Open up Ports tab within the Bridge window
3. Select eoip-tunnel1 interface
4. Specify bridge1 for the Bridge argument
5. Select ether1 interface
6. Specify bridge1 for the Bridge argument

This should be done both on the AP and on the station units.

Thus
we have created a transparent bridge between two LAN segments. All
traffic between the segments is passed over the encrypted tunnel making
this connection 'secure'.