Integrated ROS OpenVPN server and Multi Wan - not working

Technetium · March 3, 2020, 6:26pm

I have set-up the OpenVPN server inside ROS for management purposes.
I have two WAN: WAN1 (10.0.1.1/24) and WAN2 (10.0.2.1/24).
The connection to OVPN works only from WAN2.
I’ve noticed that the OVPN connection isn’t marked from mangle.. can be because the interface is created dynamically? In the attached image is the selected (blue background) connection.
WAN1 has route with distance 20 and WAN2 has route with distance 1.
WAN1 is only a failover connection and i need the vpn connection when WAN2 fails.

The mangle roules are:

/ip firewall mangle
add action=accept chain=prerouting comment="Accept WAN1" dst-address=\
    10.0.1.0/24
add action=accept chain=prerouting comment="Accept WAN2" dst-address=\
    10.0.2.0/24
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=WAN1 new-connection-mark=WAN1 passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=WAN2 new-connection-mark=WAN2 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN1 in-interface=\
    bridge new-routing-mark=WAN1-mark passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN2 in-interface=\
    bridge new-routing-mark=WAN2-mark passthrough=yes
add action=mark-connection chain=forward in-interface=WAN1 \
    new-connection-mark=WAN1
add action=mark-connection chain=forward in-interface=WAN2 \
    new-connection-mark=WAN2

Can OVPN connection works from multiple WAN ?
connessioni OpenVPN.PNG

Technetium · March 7, 2020, 8:51am

Does anyone have an idea of why OpenVPN isn’t working with both wan?

Sob · March 7, 2020, 2:31pm

If 10.0.2.10:1200 is your OpenVPN server (even though you wrote that WAN2 is 10.0.2.1), then connections to it can’t get marked, because they won’t get past the accept rule (#2).

Technetium · March 7, 2020, 6:59pm

The OVPN connection works from WAN2 but not works when i use WAN1 to connect to the router.

Sob · March 7, 2020, 7:16pm

Still the same problem. Connection from internet to either 10.0.1.x or 10.0.2.x will match one of two accept rules at the beginning and won’t get marked, they basically “neutralize” two following mangle rules. And that’s why you needed to add other connection marking rules in forward chain.

If you check PCC example (https://wiki.mikrotik.com/wiki/Manual:PCC) which has similar mangle rules to yours, you’ll notice that accept rules at the beginning have also in-interface=LAN, unlike yours. And there’s good reason for that, you want them to apply only to connections from LAN.

Technetium · March 7, 2020, 10:53pm

I need the forward rules because i have some nat from the isp router to servers in the internal network.
But i think you see right.. the first two rules had to be limited only to LAN interface.