🌐 "Virtual address" between two MikroTik routers: when L2 connectivity is needed and how to do it correctly
Published on 2025-10-17
In today’s world of networking technologies, combining two remote offices into a single entity is a fairly routine task. Usually, L3 tunnels are used for this (for example, IPIP or IPsec). However, there are situations when simple routing is not enough and full L2 connectivity is required, as if the remote devices were connected to the same switch.
Let’s figure out when this is necessary and how to configure such connectivity correctly so that it is not only working but also fault-tolerant.
🤔 Why is L2 connectivity needed?
An L2 tunnel, or a “virtual cable”, allows Ethernet frames to be transmitted directly between networks, bypassing IP routing.
Main scenarios when this is necessary:
- Unified address space: devices in both networks must be in the same IP subnet (for example, 192.168.88.0/24), which simplifies administration.
- Operation of specific protocols: some services (legacy video surveillance systems, industrial protocols, DHCP, ARP) require direct L2 access.
- Server migration: the ability to “seamlessly” move virtual or physical machines between sites without changing IP addresses.
- Creating redundant gateways: ensuring uninterrupted Internet access even if one of the routers fails.
🛠️ How to implement this: EoIP tunnel and Bridge
The simplest way to create an L2 channel between two MikroTik routers is to use EoIP (Ethernet over IP). This protocol encapsulates Ethernet frames into IP packets and transmits them over an L3 network (for example, the Internet).
Step-by-step configuration
Assume:
- Router-A (office 1): 1.1.1.1
- Router-B (office 2): 2.2.2.2
- Local network: 192.168.88.0/24
Step 1: Create the EoIP tunnel (on both routers; the tunnel-id must be the same on both ends)
On Router-A:
/interface eoip add name=eoip-to-officeB remote-address=2.2.2.2 tunnel-id=42
On Router-B:
/interface eoip add name=eoip-to-officeA remote-address=1.1.1.1 tunnel-id=42
Step 2: Create a Bridge and add ports (on both routers; on Router-B the tunnel port is eoip-to-officeA)
/interface bridge add name=lan-bridge
/interface bridge port add bridge=lan-bridge interface=ether2
/interface bridge port add bridge=lan-bridge interface=eoip-to-officeB
After this, both local networks are combined into a single L2 segment.
🧩 Alternative: VXLAN
EoIP is reliable but aging. A modern approach is VXLAN (Virtual eXtensible LAN), available in RouterOS v7.14+.
VXLAN extends VLAN capabilities (up to 16 million segments instead of 4096), works over UDP (port 4789) and is better suited for scalable networks.
Advantages of VXLAN over EoIP
Characteristic | EoIP | VXLAN |
---|---|---|
Protocol | GRE | UDP |
Multicast support | No | Yes |
Scalability | up to 4096 | up to 16M |
Performance | Medium | Higher |
EVPN integration | No | Yes |
Step-by-step VXLAN configuration (RouterOS v7.14+)
Step 1: Create the VXLAN interface (the VNI must match on both ends)
On Router-A:
/interface vxlan add name=vxlan-to-officeB vni=100 port=4789 mtu=1450
On Router-B:
/interface vxlan add name=vxlan-to-officeA vni=100 port=4789 mtu=1450
Step 2: Configure the VTEP (the remote endpoint of each tunnel)
On Router-A:
/interface vxlan vtep add interface=vxlan-to-officeB remote-ip=2.2.2.2
On Router-B:
/interface vxlan vtep add interface=vxlan-to-officeA remote-ip=1.1.1.1
Step 3: Add to the Bridge (on Router-B use vxlan-to-officeA)
/interface bridge port add bridge=lan-bridge interface=vxlan-to-officeB
Check the learned MAC addresses (the VXLAN forwarding database):
/interface vxlan fdb print
⚡ Improving redundancy with VRRP
If you simply assign the same gateway IP on both devices, you will get a split-brain: both routers answer ARP for the same address and clients end up with an unpredictable gateway. The correct solution is VRRP (Virtual Router Redundancy Protocol).
Step 1: Unique IPs on each router
On Router-A:
/ip address add address=192.168.88.2/24 interface=lan-bridge
On Router-B:
/ip address add address=192.168.88.3/24 interface=lan-bridge
Step 2: Create the VRRP interface (the same vrid on both routers; the new interface gets the default name vrrp1)
On Router-A:
/interface vrrp add interface=lan-bridge vrid=50 priority=254
On Router-B:
/interface vrrp add interface=lan-bridge vrid=50 priority=100
Step 3: Virtual gateway address (on both routers)
/ip address add address=192.168.88.1/24 interface=vrrp1
Router-A (priority 254) will be MASTER, Router-B (priority 100) — BACKUP. If Router-A fails, the virtual IP 192.168.88.1 will move to Router-B. Keep in mind that the VRRP advertisements travel over the same L2 tunnel: if the tunnel itself goes down, each router stops hearing the other and both become MASTER for their own site until it comes back.
🧪 Verification and testing
Test | Command | Expected result |
---|---|---|
Ping the gateway | /ping 192.168.88.1 | <1 ms |
Traceroute | /tool traceroute 192.168.88.10 | route through the tunnel |
EoIP status | /interface eoip print | R (running) |
VXLAN status | /interface vxlan print | running |
VRRP | /interface vrrp print | MASTER / BACKUP |
Failover test | disable EoIP on Router-A | Router-B becomes MASTER |
🔐 Security and optimization
IPsec encryption
To protect the data, add IPsec (shown for Router-A; mirror the addresses on Router-B). Since RouterOS v6.43 (and in v7) the pre-shared key is stored in /ip ipsec identity rather than on the peer itself:
/ip ipsec peer add name=officeB address=2.2.2.2/32
/ip ipsec identity add peer=officeB secret="your-shared-secret"
/ip ipsec policy add src-address=1.1.1.1/32 dst-address=2.2.2.2/32 tunnel=yes \
action=encrypt level=require sa-src-address=1.1.1.1 sa-dst-address=2.2.2.2
/ip ipsec proposal set default auth-algorithms=sha256 enc-algorithms=aes-256-cbc
For VXLAN, add a policy for UDP/4789 in the same way (protocol=udp dst-port=4789 on the policy).
Firewall
Note that the IP firewall's forward chain only sees routed traffic. Frames bridged between the local LAN and the tunnel bypass it unless you enable /interface bridge settings set use-ip-firewall=yes (and then match ports with in-bridge-port/out-bridge-port), or you filter them with /interface bridge filter instead. For routed traffic through the tunnel:
For EoIP
/ip firewall filter
add chain=forward in-interface=eoip-to-officeB src-address=192.168.88.0/24 action=accept place-before=0
add chain=forward out-interface=eoip-to-officeB dst-address=192.168.88.0/24 action=accept place-before=0
add chain=forward in-interface=eoip-to-officeB action=drop
add chain=forward out-interface=eoip-to-officeB action=drop
The accept rules are inserted at the top of the chain (place-before=0), so they must be narrowed to the traffic you intend to allow; unrestricted accept rules in that position would match every tunnel packet first and the two drop rules would never be reached.
For VXLAN
Similarly, replace the interface with vxlan-to-officeB.
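Rule order matters in a first-match firewall, and a rule that can never match is easy to miss in a long chain. The following is an added example (my own code, not from the article or from MikroTik) that models first-match evaluation for the tunnel rules in this section and flags rules that some earlier rule already fully covers. It models only the in-interface, out-interface, src-address and dst-address matchers; the two rule lists are constructed for the example, one with unrestricted accept rules at the top and one with the accept rules limited to 192.168.88.0/24.

```python
"""First-match reachability check for a short forward-chain rule list.

Added example, not part of the original article. It models RouterOS-style
first-match evaluation for the tunnel rules discussed in the Firewall section
and reports rules that can never match because an earlier rule already covers
every packet they would. Only in-interface, out-interface, src-address and
dst-address are modelled; the rule lists below are constructed for the example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str
    in_interface: Optional[str] = None
    out_interface: Optional[str] = None
    src_address: Optional[str] = None  # CIDR prefix
    dst_address: Optional[str] = None  # CIDR prefix


def _iface_covers(earlier: Optional[str], later: Optional[str]) -> bool:
    # An unspecified matcher covers anything; a specified one only its own value.
    return earlier is None or earlier == later


def _net_covers(earlier: Optional[str], later: Optional[str]) -> bool:
    if earlier is None:
        return True
    if later is None:
        return False  # later matches any address, earlier does not
    return ip_network(later).subnet_of(ip_network(earlier))


def covers(earlier: Rule, later: Rule) -> bool:
    """True if every packet matching `later` also matches `earlier`."""
    return (_iface_covers(earlier.in_interface, later.in_interface)
            and _iface_covers(earlier.out_interface, later.out_interface)
            and _net_covers(earlier.src_address, later.src_address)
            and _net_covers(earlier.dst_address, later.dst_address))


def shadowed(rules: List[Rule]) -> List[int]:
    """Indices of rules fully covered by a single earlier rule (dead rules)."""
    return [i for i, r in enumerate(rules) if any(covers(e, r) for e in rules[:i])]


def first_match(rules: List[Rule], in_if: str, out_if: str, src: str, dst: str) -> Optional[str]:
    """Action of the first rule matching the packet, or None if nothing matches."""
    for r in rules:
        if (r.in_interface in (None, in_if) and r.out_interface in (None, out_if)
                and (r.src_address is None or ip_address(src) in ip_network(r.src_address))
                and (r.dst_address is None or ip_address(dst) in ip_network(r.dst_address))):
            return r.action
    return None


TUNNEL = "eoip-to-officeB"
LAN = "192.168.88.0/24"

# Constructed: accept rules at the top with no address restriction, then drops.
UNRESTRICTED = [
    Rule("accept", in_interface=TUNNEL),
    Rule("accept", out_interface=TUNNEL),
    Rule("drop", in_interface=TUNNEL),
    Rule("drop", out_interface=TUNNEL),
]

# Constructed: same layout, but the accept rules are limited to the office subnet.
NARROWED = [
    Rule("accept", in_interface=TUNNEL, src_address=LAN),
    Rule("accept", out_interface=TUNNEL, dst_address=LAN),
    Rule("drop", in_interface=TUNNEL),
    Rule("drop", out_interface=TUNNEL),
]

if __name__ == "__main__":
    print("dead rules, unrestricted:", shadowed(UNRESTRICTED))  # [2, 3]
    print("dead rules, narrowed:   ", shadowed(NARROWED))       # []
    print(first_match(NARROWED, TUNNEL, "ether2", "10.0.0.5", "192.168.88.10"))  # drop
```

The check is deliberately conservative: it only reports a rule as dead when one earlier rule covers it on its own, so a rule shadowed by the union of several earlier rules is not flagged and still deserves a manual look.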
MTU and MSS
Encapsulation adds overhead, so packets must be made smaller before they enter the tunnel or they will be fragmented or dropped on the underlay. Set MTU=1450 on the tunnel interface and clamp the TCP MSS to 1360 (apply on both routers):
/ip firewall mangle
add chain=forward action=change-mss new-mss=1360 protocol=tcp tcp-flags=syn \
out-interface=eoip-to-officeB
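To see where such figures come from, here is an added example (my own code, not from the article or from MikroTik) that derives the inner MTU and the MSS clamp from the header sizes of each encapsulation layer, for both EoIP and VXLAN, with or without IPsec. The header lengths are standard protocol constants (outer IPv4 20, UDP 8, VXLAN 8, the 8-byte GRE header used by EoIP, inner Ethernet 14); the IPsec figure is a worst-case ESP tunnel-mode bound assumed for AES-CBC with a 16-byte block, 16-byte IV and 16-byte ICV, so treat it as an upper estimate for the proposal in this article. The fits() helper checks whether a given inner packet size survives encapsulation without exceeding the underlay MTU.

```python
"""Encapsulation overhead planner for EoIP and VXLAN tunnels.

Added example (not part of the original article). It derives the inner
interface MTU and the TCP MSS clamp value from the header sizes of each
encapsulation layer, optionally including an IPsec ESP (tunnel mode) wrapper.
Header sizes are standard protocol constants; the ESP figure is a worst-case
bound assumed here for AES-CBC (16-byte block and IV) with a 16-byte ICV.
"""
from dataclasses import dataclass

IPV4_HEADER = 20      # outer IPv4 header without options
TCP_HEADER = 20       # TCP header without options (MSS = payload after IP + TCP)
ETHERNET_HEADER = 14  # inner Ethernet header carried inside the L2 tunnel
UDP_HEADER = 8
VXLAN_HEADER = 8      # VXLAN header carrying the 24-bit VNI
EOIP_GRE_HEADER = 8   # GRE header as used by EoIP (flags, protocol, length, tunnel id)

# Bytes added per tunnel type on top of the inner IP packet.
TUNNEL_LAYERS = {
    "eoip": IPV4_HEADER + EOIP_GRE_HEADER + ETHERNET_HEADER,              # 42
    "vxlan": IPV4_HEADER + UDP_HEADER + VXLAN_HEADER + ETHERNET_HEADER,   # 50
}


def esp_tunnel_overhead(block_size: int = 16, iv_len: int = 16, icv_len: int = 16) -> int:
    """Worst-case bytes added by ESP in tunnel mode: a new outer IPv4 header,
    SPI + sequence number (8), the IV, up to block_size-1 bytes of padding,
    the pad-length/next-header trailer (2) and the integrity check value."""
    return IPV4_HEADER + 8 + iv_len + (block_size - 1) + 2 + icv_len


@dataclass(frozen=True)
class MtuPlan:
    kind: str
    path_mtu: int
    tunnel_overhead: int
    ipsec_overhead: int
    inner_mtu: int   # MTU to set on the eoip/vxlan interface
    mss: int         # value for the change-mss mangle rule


def plan(kind: str, path_mtu: int = 1500, ipsec: bool = False) -> MtuPlan:
    """Largest inner MTU and MSS that never exceed the underlay path MTU."""
    if kind not in TUNNEL_LAYERS:
        raise ValueError(f"unknown tunnel kind {kind!r}")
    tunnel = TUNNEL_LAYERS[kind]
    esp = esp_tunnel_overhead() if ipsec else 0
    inner = path_mtu - tunnel - esp
    if inner < 576:  # below the IPv4 minimum reassembly size nothing sensible fits
        raise ValueError("path MTU too small for this encapsulation")
    return MtuPlan(kind, path_mtu, tunnel, esp, inner, inner - IPV4_HEADER - TCP_HEADER)


def fits(kind: str, inner_packet: int, path_mtu: int = 1500, ipsec: bool = False) -> bool:
    """True if an inner IP packet of this size is carried without exceeding
    the underlay path MTU, i.e. without fragmentation on the way."""
    p = plan(kind, path_mtu, ipsec)
    return inner_packet + p.tunnel_overhead + p.ipsec_overhead <= path_mtu


if __name__ == "__main__":
    for kind in ("eoip", "vxlan"):
        for ipsec in (False, True):
            p = plan(kind, ipsec=ipsec)
            print(f"{kind:5} ipsec={ipsec!s:5} inner MTU={p.inner_mtu} MSS={p.mss}")
```

Running it gives 1450 for VXLAN and 1458 for EoIP over a 1500-byte underlay without IPsec; with ESP the bound drops by up to 77 bytes for these ciphers, which is why the MSS clamp has to sit well below the value derived from the tunnel interface MTU alone. A TCP segment of MSS bytes becomes an inner packet of MSS + 40 bytes, so pass that to fits() to check a chosen clamp value.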
Monitoring and automation
Use Netwatch to disable the tunnel while the remote endpoint is unreachable and re-enable it when it comes back (the ping goes to the underlay address 2.2.2.2, not through the tunnel):
/tool netwatch
add host=2.2.2.2 interval=10s down-script="/log warning \"Tunnel down!\"; /interface disable eoip-to-officeB" \
up-script="/interface enable eoip-to-officeB"
DHCP and Failover
You can run a DHCP server on lan-bridge.
For redundancy use DHCP Failover (RouterOS v7.20+):
/ip dhcp-server failover add name=dhcp-sync
Performance
Device | Protocol | Throughput |
---|---|---|
hAP ac² | EoIP/IPsec | ~100–200 Mbps |
CCR | VXLAN/IPsec | up to 10 Gbps |
🧭 Conclusion
- EoIP — for simple or legacy networks (RouterOS v6).
- VXLAN — for modern and scalable ones (RouterOS v7.14+).
- VRRP — for redundancy.
- IPsec — for security.
Using VRRP on top of a combined L2 network is a professional approach to building distributed and resilient network infrastructures based on MikroTik.