🛠️ EoIP not connecting: Tunnel troubleshooting checklist (MikroTik)

The EoIP (Ethernet over IP) protocol from MikroTik is used to create an L2 tunnel over an IP network, allowing you to combine two remote local networks into a single broadcast domain.
If your EoIP tunnel does not establish (no “R” — Running flag), follow this step-by-step checklist.

1. Check IP connectivity (L3)

Before starting, make sure the routers see each other at the IP level.

Ping the remote side:

/ping 203.0.113.2 count=4

If ping fails — check routes and NAT:

/ip route print
/ip firewall nat print

Make sure there is a route to the remote IP and NAT is not translating GRE traffic.

Correct addresses: Check that the remote-address field in the EoIP settings contains the correct WAN IP of the opposite router:

/interface eoip print

Example:

0 name="eoip-tunnel1" mtu=1476 arp=enabled remote-address=203.0.113.2 tunnel-id=0

2. Check EoIP tunnel configuration

Tunnel ID: Must match on both sides.

/interface eoip
add name=eoip-tunnel1 remote-address=203.0.113.2 tunnel-id=0

Local Address: If the WAN is not the primary one:

local-address=192.168.1.1

Check status:

/interface print

Example:

Flags: D - dynamic, X - disabled, R - running
 #   NAME            TYPE       MTU
 0 R ether1          ether      1500
 1   eoip-tunnel1    eoip       1476

If the R flag is missing — the tunnel is not active.

3. Check Firewall (GRE and NAT) ⛔

Allow GRE:

/ip firewall filter
add chain=input protocol=gre action=accept comment="Allow GRE for EoIP"

Add this rule on both routers in the input chain.

NAT bypass: If EoIP is behind NAT or inside L2TP/IPsec, exclude it from SNAT:

/ip firewall nat
add chain=srcnat dst-address=203.0.113.2 action=accept comment="Bypass NAT for EoIP"

4. Check MTU (Maximum Transmission Unit) 📏

EoIP adds GRE and IP headers, reducing the allowable packet size.

Set MTU:

/interface eoip
set [find name=eoip-tunnel1] mtu=1400

Fragmentation diagnostic:

/tool ping 203.0.113.2 size=1500 do-not-fragment

If ping with do-not-fragment fails — lower the MTU. Recommended values:

• PPPoE — 1300–1400
• IPoE — 1450–1476

5. Check bridge and L2 connectivity

If the tunnel is up but traffic does not flow:

Add to bridge:

/interface bridge
add name=bridge1
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=eoip-tunnel1

Ether2 — local LAN, EoIP — tunnel.

Check IP:

/ip address print

Make sure both sides are in the same subnet and there are no IP conflicts.

6. Diagnostics and logs

Logs:

/log print

Check messages related to GRE and EoIP.

Traceroute:

/tool traceroute 203.0.113.2

Use to verify the path to the remote router.

⚠️ Common issues and solutions

/ip firewall mangle add chain=forward protocol=tcp tcp-flags=syn action=change-mss new-mss=1360 passthrough=yes comment="Clamp MSS for EoIP"
``` |
| GRE not allowed | Firewall blocks GRE | Allow GRE in `input` and `forward` |
| No ARP | Wrong `local-address` or NAT | Specify correct WAN-IP |

---

## 💡 Reliability tips

1. **Set MTU manually** — avoid auto-detection.  
2. **Netwatch monitoring:**
 ```bash
 /tool netwatch add host=203.0.113.2 interval=1m up-script="/interface eoip enable eoip-tunnel1" down-script="/interface eoip disable eoip-tunnel1"

3. Use IPsec when operating over public networks.

4. Log GRE packets for diagnostics:

   /ip firewall filter add chain=input protocol=gre action=log log-prefix="GRE-IN"
   

🧩 Summary

EoIP checklist:

1. Check IP connectivity.
2. Ensure tunnel-id matches.
3. Allow GRE in the Firewall.
4. Check MTU.
5. Add EoIP to the Bridge.

After fixes the interface should show the R (Running) flag and start passing traffic.

🔗 Useful links

• MikroTik Documentation: EoIP
• MikroTik Wiki: Manual / Interface / EoIP