How to force VPN over one WAN port in configuration with two WAN ports

Hi everybody,

I have a Mikrotik RouterBoard 2011UiAS, with RouterOS version 6.32.3.

I configured it to work with 2 WAN ports, like it is described in this video:
https://www.youtube.com/watch?v=ThYBtmo_bcs
The ISP routers are working in Router Mode. The network configuration is shown in the attached picture. The networks are:
WAN1: 192.168.101.0/24
WAN2: 192.168.102.0/24
LAN: 192.168.10.0/24

All works fine, my speed is doubled. No other problems, except VPN (IPSec)! I got it to work once, only on my computer, but not on others, and I can't reproduce this working state. The session is established for a very short period of time, and then I get the error: Sorry, your session on this machine expired. This happens immediately after the communication attempts to use the other (second) WAN port. The address of the VPN server is, for example, 75.203.11.20, and it is reached over the web: https://75.203.11.20.

So, in order to solve this VPN issue, I have to force VPN traffic over one WAN port. I tried a lot of things.

  1. I tried to use NAT, with the following commands:
    # src-nat rules live under /ip firewall nat; a CIDR is matched with dst-address, not dst-address-list (which expects a list name)
    /ip firewall nat
    add action=src-nat chain=srcnat dst-address=75.203.11.0/24 to-addresses=192.168.101.1

    or
    /ip firewall nat
    add action=src-nat chain=srcnat src-address=75.203.11.0/24 to-addresses=192.168.101.1

    # note: 192.168.101.1 is the ISP gateway on WAN1; a src-nat to-addresses value normally has to be the router's own WAN1 address
    or both. I changed the order of the NAT rules so that these new rules are on top, because I thought they would then be applied.
    Also, to be sure that the new NAT rule is applied, I closed the existing connections related to the VPN address.

  2. I tried with mangle and routing, with the following commands:
    /ip firewall
    # matches the destination network directly (dst-address); protocol=tcp only covers the HTTPS side, not IPsec UDP/ESP
    mangle add chain=prerouting protocol=tcp dst-address=75.203.11.0/24 action=mark-routing new-routing-mark=route-for-vpn passthrough=yes
    /ip route
    # default route used only by packets carrying the route-for-vpn mark
    add comment="vpn redirect" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.101.1 routing-mark=route-for-vpn scope=255 target-scope=10

  3. I tried also with the following set of commands:
    /ip route
    # host route to the VPN server via the WAN1 gateway
    add dst-address=75.203.11.20 gateway=192.168.101.1 scope=10
    # recursive route with gateway check, as in the linked page (192.168.10.254 is my own LAN computer here)
    add dst-address=192.168.10.254 gateway=75.203.11.20 scope=10 target-scope=10 check-gateway=ping
    # marked default route; the na_WAN1 routing mark must be set by a mangle rule
    add distance=1 gateway=192.168.10.254 routing-mark=na_WAN1

    This set of commands is suggested here, at the bottom of this page:
    http://hak786.blogspot.nl/2013/10/dual-wan-load-balacing-with-failover.html
    (or, at least, that is how I understood it), and 192.168.10.254 is the LAN address of my computer.

None of it helped. The same error all the time. Please, suggest some other solution.

In addition, my internal address during VPN communication is, for example, 10.0.0.33 (dynamically changed), but I didn't use that range of addresses (10.0.0.0/24) in the commands above, because it is not visible in the Mikrotik sniffer during communication. It doesn't exist for Mikrotik. Even if I used this address, the result would be the same.

Thanks a lot!

Cheers,
Vedran

Now, I see that my problem can maybe be simplified. All this will work if I am able to redirect all HTTPS traffic intended for the VPN server over one WAN port!

Thanks,
Vedran

But, please help me with that!
Any suggestion?

Thanks,
Vedran
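The policy-routing pattern the attempts above are circling around, written out as an added example (not from the original thread or from MikroTik): mark the connection to the VPN server, mark the routing on every packet of that connection, and give the mark its own default route via WAN1, with src-nat chosen by out-interface so the source address always matches the WAN the packet leaves on. The VPN server 75.203.11.20, the WAN1 gateway 192.168.101.1 and the LAN 192.168.10.0/24 are from the post; the interface name ether1-WAN1, the list name vpn-servers and the marks vpn-conn and to-wan1 are assumed names. No protocol match is used, because IPsec needs UDP/500, UDP/4500 and ESP (protocol 50) in addition to the HTTPS portal on TCP/443.

```routeros
# Added example, not the poster's configuration. Assumed names: ether1-WAN1,
# vpn-servers, vpn-conn, to-wan1. Addresses are the ones given in the post.

/ip firewall address-list
add list=vpn-servers address=75.203.11.20 comment="VPN server (from the post)"

/ip firewall mangle
# 1. Mark the connection on its first packet from the LAN towards the VPN server.
#    No protocol= match: IPsec uses UDP/500, UDP/4500 and ESP, not only TCP/443.
#    Existing connections are not re-marked, so close them first (as the poster did).
add chain=prerouting src-address=192.168.10.0/24 dst-address-list=vpn-servers connection-state=new action=mark-connection new-connection-mark=vpn-conn passthrough=yes
# 2. Every packet of a marked connection gets the routing mark. These two rules must
#    sit above the generic dual-WAN (PCC/load-balancing) mangle rules, and
#    passthrough=no stops those rules from overwriting the mark.
add chain=prerouting connection-mark=vpn-conn action=mark-routing new-routing-mark=to-wan1 passthrough=no

/ip route
# 3. Default route that only packets carrying the to-wan1 mark use; unmarked
#    traffic keeps following the normal load-balanced routes.
add dst-address=0.0.0.0/0 gateway=192.168.101.1 routing-mark=to-wan1 distance=1 check-gateway=ping comment="VPN server via WAN1"

/ip firewall nat
# 4. Source NAT decided by the exit interface, so a packet routed out WAN1 always
#    carries the router's own WAN1 address (not the ISP gateway address).
#    Place it above any masquerade rule that matches both WANs.
add chain=srcnat out-interface=ether1-WAN1 action=masquerade comment="src-nat for WAN1"
```

To confirm the marks are applied, watch the packet counters of the two mangle rules and check /ip firewall connection for the vpn-conn mark on the connections to 75.203.11.20 while the VPN client connects.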