Dual WAN with one WAN dedicated for VPN

Hi
I have a MikroTik router CRS326-24S+2Q.
On this router I already have a network configuration on interface ether1 and an SSTP VPN on port 444.
Now I have connected a second WAN cable to it, from my second ISP provider; it's a PPPoE connection.
At this point I have interface ether1 (current WAN connection, static address, it's working fine), I have connected the second WAN, which has to be authenticated by PPPoE, and it's visible as ether0 (pppoe-out1 is already created and it authenticates correctly), and I have interface ether2, which is my LAN network. On my hosting I have two domains pointing to these links: vpn1.company.com to the IP from the first ISP (ether1) and vpn2.company.com pointing to the external IP from the second ISP (ether0). Now what I need is:

  1. when connecting to vpn1.company.com:444 it should go via ether1
  2. when connecting to vpn2.company.com:444 it should go via ether0

This is for the VPN only; all other traffic should keep working as it does now, via ether1.

I have tried masquerade, NAT rules, etc., but at this point I'm stuck.
I would be thankful for any idea of how I can set this up.

Wrong, you have a MikroTik switch. It can be used as a router, but don't expect throughput to reach 200Mbps.


  1. Quick question, is there any reason you have to use port 444 for both VPNs? Assuming the SSTP VPN is being hosted on third-party sites.
  2. a. Are the SSTP clients (applications) on PCs on your LANs, OR b. are you using the router as an SSTP client?
  3. Who is using the first SSTP VPN? One user, or one subnet? Who is using the other SSTP VPN, a different user, or a different subnet?

Hi
Thanks for the answer
@anav

  1. SSTP is set up on port 444 because we also have OpenVPN on this switch, which uses port 443. On our hosting we only created a DNS zone to connect the domain name with the IP address, so we can connect to the VPN using, for example, vpn1.company.com:444 instead of IP:444.
  2. I'm using this switch as the SSTP VPN server; the SSTP clients are outside the office, so they connect from an external network.
  3. About that: we have offices in China and Europe, and the main servers are in Europe. For a long time we have noticed that the connection from China is very slow, so that's why we organized a second ISP, which should be used only for the VPN for employees in China; everyone else should use the first ISP. Normally we have about 25-30 VPN connections at the same time, 5 of them from China, so we decided, as a test, to add this second ISP to check whether a dedicated line for them will help with this connection.

Not being an SSTP expert by any means, but like WireGuard I would separate the SSTP by port as well.
This makes it much easier to identify and segregate traffic when required in config rules.

Also, we don't know how your router is set up for the two WANs.
Are they load balanced, is one primary and one backup, etc.?
We don't know if there are other VPNs involved.
We don't know if there are LAN servers involved that external users have to be able to access through port forwarding.
We don't know if specific users on the LAN have to go out a specific WAN, etc.

No use offering advice without context!!
/export file=anynameyouwish (minus router serial number, any public WAN IP information, keys, etc.)

It certainly sounds like some mangling will have to be done to ensure traffic coming into the router on ISP1 goes out ISP1, and the same for ISP2, etc.
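One way to express that "reply leaves on the WAN it arrived on" rule in RouterOS v7 syntax, as an added example that is not from either poster. It assumes ether1 is the ISP1 WAN whose default route already sits in the main routing table, pppoe-out1 is the ISP2 WAN, and the table and mark names are made-up placeholders.

```routeros
# Added example (RouterOS v7). Assumptions: ether1 = ISP1 WAN (static address,
# default route already in the main table), pppoe-out1 = ISP2 WAN.
# "to_isp2" and "sstp_isp2" are arbitrary placeholder names.

# 1. A second routing table whose only default route points at ISP2.
/routing table
add name=to_isp2 fib
/ip route
add dst-address=0.0.0.0/0 gateway=pppoe-out1 routing-table=to_isp2 \
    comment="ISP2 default route (only used by marked traffic)"

# 2. Tag every new connection that arrives on the ISP2 interface and
#    terminates on the router itself (chain=input covers the SSTP server).
#    Add protocol=tcp dst-port=444 if only the VPN should be tagged.
/ip firewall mangle
add chain=input in-interface=pppoe-out1 connection-state=new \
    action=mark-connection new-connection-mark=sstp_isp2 passthrough=yes \
    comment="connections that came in via ISP2"

# 3. Packets the router itself generates for those connections get a
#    routing mark, so they are looked up in to_isp2 and leave via pppoe-out1.
add chain=output connection-mark=sstp_isp2 \
    action=mark-routing new-routing-mark=to_isp2 passthrough=no \
    comment="send ISP2 replies back out ISP2"

# 4. Source NAT for anything leaving via ISP2 (the PPPoE address is dynamic).
/ip firewall nat
add chain=srcnat out-interface=pppoe-out1 action=masquerade

# Everything unmarked is untouched: no routing mark means the main table,
# i.e. ether1, so vpn1.company.com:444 and all LAN traffic stay on ISP1.
```

To confirm the marks are being applied while a client is connected to vpn2.company.com:444, run `/ip firewall connection print where connection-mark=sstp_isp2`.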