EoIP Tunnel (Ethernet over IP)
EoIP Tunnel (Ethernet over IP)
Section titled “EoIP Tunnel (Ethernet over IP)”TL;DR (Quick Start)
Section titled “TL;DR (Quick Start)”For the impatient: basic EoIP tunnel between two sites.
Site A (Public IP: 1.1.1.1):
/interface eoip add name=eoip-siteB remote-address=2.2.2.2 tunnel-id=100/interface bridge port add bridge=bridge interface=eoip-siteBSite B (Public IP: 2.2.2.2):
/interface eoip add name=eoip-siteA remote-address=1.1.1.1 tunnel-id=100/interface bridge port add bridge=bridge interface=eoip-siteAVerify:
/interface eoip print # Check tunnel status/interface eoip monitor eoip-siteA # Monitor specific tunnelOverview
Section titled “Overview”
What this does: EoIP (Ethernet over IP) creates Layer 2 tunnels between MikroTik routers over any IP network. It encapsulates complete Ethernet frames inside GRE packets, enabling transparent bridging of remote networks as if they were connected by a physical cable.
When to use this:
- Bridge remote LANs across the internet
- Extend VLANs over WAN connections
- Overcome wireless station mode bridging limitations
- Transport non-IP protocols (IPX, AppleTalk, etc.)
- Create redundant links with bonding
When NOT to use this:
- Connecting to non-MikroTik devices (use GRE or VXLAN instead)
- When only IP routing is needed (use GRE - less overhead)
- High-security requirements without IPsec (EoIP has no encryption)
- Behind NAT with multiple tunnels to same destination
EoIP is MikroTik proprietary - it only works between RouterOS devices. For interoperability with other vendors, use standard GRE, VXLAN, or IPsec tunnels.
Prerequisites:
- IP connectivity between tunnel endpoints
- GRE protocol (IP protocol 47) allowed through firewalls
- Matching tunnel-id on both ends
- Unique MAC addresses when bridging multiple tunnels
Architecture
Section titled “Architecture”
Protocol details
Section titled “Protocol details”| Property | Value |
|---|---|
| Protocol | GRE-based (IP protocol 47) |
| Overhead | 42 bytes minimum (20 IP + 8 GRE + 14 Ethernet) |
| OSI Layer | Layer 2 (Ethernet) |
| Encryption | None (use IPsec) |
| Standards | MikroTik proprietary |
EoIP vs GRE vs IPIP
Section titled “EoIP vs GRE vs IPIP”| Feature | EoIP | GRE | IPIP |
|---|---|---|---|
| OSI Layer | 2 (Ethernet) | 3 (IP) | 3 (IP) |
| Bridgeable | Yes | No | No |
| Overhead | 42 bytes | 24 bytes | 20 bytes |
| Non-IP traffic | Yes | No | No |
| Interoperability | MikroTik only | Standard | Standard |
| Use case | L2 extension | Site routing | Simple tunnels |
Configuration Steps
Section titled “Configuration Steps”Step 1: Create EoIP tunnel
Section titled “Step 1: Create EoIP tunnel”Create the tunnel interface on both routers. The tunnel-id must match on both ends.
Site A:
/interface eoip add name=eoip-tunnel \ remote-address=2.2.2.2 \ tunnel-id=100Site B:
/interface eoip add name=eoip-tunnel \ remote-address=1.1.1.1 \ tunnel-id=100Common Mistakes
- The
tunnel-idMUST be identical on both endpoints - mismatched IDs cause silent failures - Don’t use the same tunnel-id for different tunnel pairs
- Tunnel IDs are local to each router pair, not globally unique
Step 2: Add tunnel to bridge (Layer 2 extension)
Section titled “Step 2: Add tunnel to bridge (Layer 2 extension)”To extend your LAN across the tunnel, add the EoIP interface to your bridge.
Both sites:
/interface bridge port add bridge=bridge interface=eoip-tunnelNow devices on both sites share the same Layer 2 broadcast domain.
Step 3: Configure firewall (if needed)
Section titled “Step 3: Configure firewall (if needed)”Allow GRE protocol through your firewall:
/ip firewall filter add chain=input protocol=gre action=accept \ comment="Allow GRE for EoIP tunnels" place-before=0Configuration Variants
Section titled “Configuration Variants”EoIP for Layer 3 routing (no bridge)
Section titled “EoIP for Layer 3 routing (no bridge)”
Use EoIP as a point-to-point link for routing instead of bridging:
Site A:
/interface eoip add name=eoip-tunnel remote-address=2.2.2.2 tunnel-id=100/ip address add address=172.16.1.1/30 interface=eoip-tunnel/ip route add dst-address=192.168.20.0/24 gateway=172.16.1.2Site B:
/interface eoip add name=eoip-tunnel remote-address=1.1.1.1 tunnel-id=100/ip address add address=172.16.1.2/30 interface=eoip-tunnel/ip route add dst-address=192.168.10.0/24 gateway=172.16.1.1EoIP with IPsec encryption
Section titled “EoIP with IPsec encryption”Add encryption using the built-in ipsec-secret property:
/interface eoip add name=eoip-secure \ remote-address=2.2.2.2 \ tunnel-id=100 \ ipsec-secret="YourStrongPassword123" \ allow-fast-path=noEoIP with unique MAC addresses
Section titled “EoIP with unique MAC addresses”When bridging multiple EoIP tunnels, use unique MACs to avoid conflicts:
/interface eoip add name=eoip-site2 remote-address=2.2.2.2 tunnel-id=100 \ mac-address=00:00:5E:80:00:01
/interface eoip add name=eoip-site3 remote-address=3.3.3.3 tunnel-id=101 \ mac-address=00:00:5E:80:00:02IANA reserved range for documentation/private use: 00:00:5E:80:00:00 - 00:00:5E:FF:FF:FF
EoIP with VLAN transport
Section titled “EoIP with VLAN transport”
Transport tagged VLANs through the tunnel:
Both sites:
# Create EoIP tunnel/interface eoip add name=eoip-tunnel remote-address=2.2.2.2 tunnel-id=100
# Add to VLAN-aware bridge/interface bridge port add bridge=bridge interface=eoip-tunnel frame-types=admit-only-vlan-tagged
# Configure VLANs on bridge/interface bridge vlan add bridge=bridge tagged=eoip-tunnel,ether2 vlan-ids=10,20,30Bonding multiple EoIP tunnels
Section titled “Bonding multiple EoIP tunnels”
Aggregate bandwidth using bonding (useful over multiple wireless links):
# Create two EoIP tunnels over different paths/interface eoip add name=eoip1 remote-address=10.0.1.1 tunnel-id=1/interface eoip add name=eoip2 remote-address=10.0.2.1 tunnel-id=2
# Create bonding interface/interface bonding add name=bond-eoip slaves=eoip1,eoip2 mode=balance-rr \ link-monitoring=arp arp-ip-targets=192.168.0.2
# Assign IP to bonding/ip address add address=192.168.0.1/24 interface=bond-eoipCommon Mistakes
- Always enable link monitoring on bonded EoIP tunnels
- Without monitoring, bonding won’t detect failed tunnels
- Use
arp-ip-targetspointing to the remote bonding IP
Verification
Section titled “Verification”Check tunnel status
Section titled “Check tunnel status”# List all EoIP interfaces/interface eoip print# Expected: Flags show 'R' for running
# Detailed tunnel info/interface eoip print detail# Expected: Shows remote-address, tunnel-id, actual-mtu
# Monitor specific tunnel/interface eoip monitor eoip-tunnel# Expected: Shows status, actual-mtu, tx/rx ratesCheck bridge ports
Section titled “Check bridge ports”/interface bridge port print# Expected: EoIP interface listed with correct bridgeTest connectivity
Section titled “Test connectivity”# Ping through tunnel/ping 192.168.10.2 interface=eoip-tunnel
# Check ARP entries (for bridged mode)/ip arp print where interface=bridge# Expected: Remote devices appear in ARP tableExpected result: Tunnel shows as running (‘R’ flag), pings succeed, remote devices visible in ARP table when bridged.
Common Scenarios
Section titled “Common Scenarios”Scenario: Remote office LAN extension
Section titled “Scenario: Remote office LAN extension”Connect a small remote office to headquarters as if on the same LAN.
Headquarters (1.1.1.1):
/interface eoip add name=eoip-remote remote-address=2.2.2.2 tunnel-id=50/interface bridge port add bridge=bridge interface=eoip-remoteRemote Office (2.2.2.2):
/interface eoip add name=eoip-hq remote-address=1.1.1.1 tunnel-id=50/interface bridge port add bridge=bridge interface=eoip-hqBoth offices now share the same subnet and broadcast domain.
Scenario: Wireless bridge replacement
Section titled “Scenario: Wireless bridge replacement”Overcome wireless station mode bridging limitations:
# On both wireless routers (already connected as station/AP)# Wireless interface has IP: 10.255.0.x/30
/interface eoip add name=eoip-bridge remote-address=10.255.0.2 tunnel-id=1/interface bridge port add bridge=bridge interface=eoip-bridgeScenario: Multi-site VLAN extension
Section titled “Scenario: Multi-site VLAN extension”Extend VLANs 10, 20, 30 to remote site:
Both sites:
/interface eoip add name=eoip-vlan-trunk remote-address=REMOTE_IP tunnel-id=100/interface bridge port add bridge=bridge interface=eoip-vlan-trunk/interface bridge vlan add bridge=bridge vlan-ids=10,20,30 \ tagged=eoip-vlan-trunk,ether1/interface bridge set bridge vlan-filtering=yesTroubleshooting
Section titled “Troubleshooting”| Symptom | Cause | Solution |
|---|---|---|
| Tunnel not running (no ‘R’ flag) | Mismatched tunnel-id | Verify tunnel-id matches on both ends |
| Tunnel up but no traffic | Bridge not forwarding | Check bridge port config; verify STP state |
| Duplicate MAC errors in logs | Default MACs conflict | Assign unique MACs from IANA range |
| Slow speeds (~20Mbps vs 100Mbps) | MTU fragmentation | Set mtu=1500; ensure path MTU > 1542 |
| IPsec not working | Fast-path enabled | Set allow-fast-path=no with ipsec-secret |
| Only one tunnel works behind NAT | GRE has no ports | Use IPsec transport mode; different public IPs |
| Intermittent connectivity | FastTrack bypassing tunnel | Exclude GRE from FastTrack rules |
| Broadcast storm | Bridge loop | Enable RSTP: /interface bridge set bridge protocol-mode=rstp |
| Keepalive failures | Network instability | Increase keepalive interval or retries |
| Firewall blocking tunnel | GRE not allowed | Add /ip firewall filter add chain=input protocol=gre action=accept |
Common Mistakes
- Don’t create bridging loops - EoIP + physical connection to same network = storm
- Don’t use EoIP behind NAT for multiple tunnels to same destination (GRE can’t be NATed properly)
- Don’t forget firewall rules allowing GRE (protocol 47)
- Don’t mix tunnel-ids between different router pairs
MTU Considerations
Section titled “MTU Considerations”EoIP adds overhead that affects maximum frame size:
| Component | Bytes |
|---|---|
| IP Header | 20 |
| GRE Header | 8 |
| Ethernet Header | 14 |
| Total Overhead | 42 |
Calculations:
- Standard path (MTU 1500): Inner MTU = 1458 bytes
- Jumbo frames (MTU 9000): Inner MTU = 8958 bytes
# Set MTU explicitly if needed/interface eoip set eoip-tunnel mtu=1500
# Enable TCP MSS clamping (default)/interface eoip set eoip-tunnel clamp-tcp-mss=yesProperties Reference
Section titled “Properties Reference”| Property | Type | Default | Description |
|---|---|---|---|
name | string | eoip-tunnelN | Interface name |
remote-address | IP | - | Remote tunnel endpoint (required) |
tunnel-id | 0-65535 | - | Unique tunnel identifier (must match both ends) |
local-address | IP | auto | Local source address |
mtu | integer | auto | Layer 3 MTU |
mac-address | MAC | auto | Interface MAC address |
arp | enum | enabled | ARP mode: disabled/enabled/proxy-arp/reply-only |
keepalive | time,retries | 10s,10 | Health check: interval,retry-count |
dscp | 0-63 | inherit | DSCP marking for tunnel packets |
clamp-tcp-mss | yes/no | yes | Adjust TCP MSS for tunnel MTU |
dont-fragment | inherit/no | no | DF bit handling |
allow-fast-path | yes/no | yes | Fast path processing (disable for IPsec) |
ipsec-secret | string | - | Pre-shared key (auto-creates IPsec peer) |
disabled | yes/no | no | Disable interface |
comment | string | - | Description |
Related Topics
Section titled “Related Topics”Prerequisites
Section titled “Prerequisites”- IP Address Configuration - endpoints need IP connectivity
- Firewall Basics - allow GRE protocol
Layer 2 infrastructure
Section titled “Layer 2 infrastructure”- Bridge Configuration - bridging EoIP tunnels
- Bridge VLAN Filtering - VLAN transport over EoIP
- Bonding - aggregate multiple EoIP tunnels
Alternative tunnels
Section titled “Alternative tunnels”- GRE Tunnel - Layer 3 tunnel (standards-based)
- IPIP Tunnel - simple IP-in-IP tunneling (documentation in progress)
- VXLAN - standards-based L2 overlay (documentation in progress)
- WireGuard - modern encrypted VPN
IPv6 transport
Section titled “IPv6 transport”- EoIPv6 (
/interface eoipv6) - Same Layer 2 tunneling over IPv6 transport instead of IPv4
Security
Section titled “Security”- IPsec - encryption for EoIP tunnels
Reference
Section titled “Reference”- MikroTik EoIP Documentation
- MikroTik Bonding Examples
- RFC 1701 - Generic Routing Encapsulation (GRE)