Mikrotik - Windows NLB - VPN traffic

gogotha · November 16, 2021, 1:39am

We hired a 3rd party Network Engineer to see why incoming VPN traffic cannot complete connection to a Windows NLB with 2 balanced servers. We can see the traffic hit the MT router and just die there. The engineer stated it was because Mikrotik gets confused because IP 10.255.252.13’s endpoint on 2 servers have different MACs.

Can I get a second opinion or Is there a way to spoof MAC address in hand shake or set connection to ignore mac changing and pass it anyways.

NAT Rule
add action=dst-nat chain=dstnat dst-port=25 in-interface=EyeL2TP protocol=tcp
to-addresses=10.255.252.13 to-ports=25

and

add action=dst-nat chain=dstnat dst-port=25 in-interface=EyeSSTP protocol=tcp
to-addresses=10.255.252.13 to-ports=25

tdw · November 16, 2021, 7:16pm

Nothing to do with the Mikrotik, you would have the same problem with other vendors routers. You can’t have the same IP address used by different MAC addresses - any host will send IP traffic to whichever MAC it currently has learned and cached in its ARP table.

In any case different MACs for the same IP sounds wrong for NLB, see https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/configure-network-to-support-nlb-operation-mode