So I do understand how to make failover or ECMP LB, but can’t understand how to make this scheme work.

We have one ISP, but two connections from it (limited failover, but this is the only ISP in this building), so two separate PPPoE accounts.
- 40 L2TP Server bindings
- 1 L2TP Client binding (to Partner Network) with configured OSPF, without us sending them any routing information.
- 2 Separate LAN segments (one for office, and one for server room)
- Various routes to public IPs that are accessible only from the 1st PPPoE IP (10.10.10.1)
So what I can’t understand is how to get my L2TP server bindings to go to the 2nd PPPoE IP (10.10.10.2), and after that use the 1st PPPoE IP (10.10.10.1) to get to the Internet.
When I do mangle so that everything from ISP1 goes back to ISP1, and ISP2 to ISP2, the L2TP clients’ traceroute goes mad: they get to the local LAN via the ISP routers, something like this:
Tracert from L2TP Client (192.168.0.202) to Server#1 192.168.0.11
1: 192.168.0.1
2: 10.10.10.2
3: some isp address, concentrator perhaps
4: 10.10.10.2
5: 192.168.0.11
So I can’t understand either how to bind L2TP to the secondary ISP IP, or how to prevent that tracert issue when mangling.
Any advice would be helpful.
Thanks in advance.
Routing marks happen before a routing decision is made (because the decision is made based on the routing marks) - so even if the dst IP is in your local LAN, it will be marked to be routed via the dedicated ISP.
Add routes to your LAN side with the same routing marks as for your ISPs and it should work.
Like this:
/ip route
add distance=1 dst-address=192.168.0.0/24 gateway=myLANinterface routing-mark=ISP1
add distance=1 dst-address=192.168.0.0/24 gateway=myLANinterface routing-mark=ISP2
As a side note, I’d refrain from using the same address space for VPN and local LAN - you would need proxy-arp on your LAN-facing interface as well to make the rest of the network aware of the VPN client.
I’d suggest using a completely dedicated pool for VPN (like 172.16.10.0/24) and letting the router do its job.
-Chris
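A fuller version of the scheme the answer above describes, as an added example rather than Chris’s or the original poster’s configuration: connection marks set in the input chain per PPPoE interface, routing marks on the router’s own replies, and the LAN route repeated in each marked table so marked packets for 192.168.0.0/24 stay local. The interface names pppoe-out1, pppoe-out2 and ether-lan are assumed; the marks ISP1/ISP2, the LAN prefix and the PPPoE addresses come from the thread (RouterOS v6 syntax).

```routeros
# Assumed names (not from the thread): pppoe-out1 = 10.10.10.1, pppoe-out2 = 10.10.10.2, ether-lan = office LAN.

# 1. Remember which PPPoE link a connection to the router itself arrived on.
#    L2TP control and data packets terminate on the router, so the input chain sees them.
/ip firewall mangle
add chain=input in-interface=pppoe-out1 connection-mark=no-mark \
    action=mark-connection new-connection-mark=ISP1_conn passthrough=yes
add chain=input in-interface=pppoe-out2 connection-mark=no-mark \
    action=mark-connection new-connection-mark=ISP2_conn passthrough=yes

# 2. Replies generated by the router leave through the link they came in on.
add chain=output connection-mark=ISP1_conn \
    action=mark-routing new-routing-mark=ISP1 passthrough=no
add chain=output connection-mark=ISP2_conn \
    action=mark-routing new-routing-mark=ISP2 passthrough=no

# 3. Per-ISP routing tables: one default route each ...
/ip route
add dst-address=0.0.0.0/0 gateway=pppoe-out1 routing-mark=ISP1 distance=1
add dst-address=0.0.0.0/0 gateway=pppoe-out2 routing-mark=ISP2 distance=1
# ... plus the LAN route in each marked table. Without these a marked packet for
# 192.168.0.0/24 follows the marked default route and is hairpinned through the ISP,
# which is the traceroute shown in the question.
add dst-address=192.168.0.0/24 gateway=ether-lan routing-mark=ISP1 distance=1
add dst-address=192.168.0.0/24 gateway=ether-lan routing-mark=ISP2 distance=1

# 4. Unmarked traffic (LAN hosts and L2TP clients going to the Internet) uses the main
#    table, whose preferred default route is the first PPPoE link; the second link is
#    the lower-priority fallback.
add dst-address=0.0.0.0/0 gateway=pppoe-out1 distance=1
add dst-address=0.0.0.0/0 gateway=pppoe-out2 distance=2

# Check: each marked table must contain both its default route and the LAN route.
/ip route print where routing-mark=ISP1
/ip route print where routing-mark=ISP2
```

With this in place an L2TP client that dialled 10.10.10.2 gets its tunnel replies back out pppoe-out2, while its forwarded Internet traffic is unmarked and leaves via pppoe-out1, which matches the result the original poster reports.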
Thank you for your answer. I did what you suggested and it worked; I had to make it a little bit different, but now everything works. VPN users connect to the 2nd ISP PPPoE address, but get the first ISP address. So they access the external resources that we need. Thanks for the suggestion, which led me the right way!
Also, we are too small for multiple LAN masks. We are only 50 people in the company, with three rooms and a server room. So I would keep it that simple until we grow big enough that I would need more IPs for L2TP clients and internal PCs.