I’m looking for just a nod in the right direction to solve a problem that I haven’t been able to figure out thus far. I have an MT device set up with 3 WAN interfaces. However, they come from a single modem with a 5-static-IP block. Currently, for example, I’m using 1.1.1.7/29, 1.1.1.8/29, and 1.1.1.9/29, which share the same gateway of 1.1.1.12. I’m doing this because I have services available to the outside that use the same internal and external ports, which I can’t change. The problem is I can’t seem to figure out how to get traffic to go out the same interface that it comes in on.
For example, I’ve tried to set up an IPsec tunnel between 1.1.1.7/29 and another site. The tunnel established just fine, but some time later the tunnel breaks down, and it appears to be because my router starts to respond to the other side with 1.1.1.8/29 instead of .7.
Can someone point me in the right direction on how best to solve this? The fact that the WAN interfaces are sharing the same gateway seems to thwart any of the solutions I’ve tried thus far.
Why three WAN interfaces? Why not just one with three addresses? And then for IPSec set local-address=1.1.1.x (which you can do also with your current config).
Sob - I originally had everything on one interface and was having the same issue. I put them on different interfaces in an attempt to follow some of the posts describing the mangle rules. What anav suggested works great, but if I could save a couple of interface ports, that would be great.
Because I am a basic untrained user who likes KISS, and what works, and really who cares about IPsec anyway, use WireGuard (and avoiding CAPsMAN and IPv6 like the plague keeps the hair on my head and the doctor away).
It’s just that I don’t see any advantage of this 3x1 “multi-WAN simulator” over 1x3 single WAN. And in fact, I don’t even see how this fixes the problem. Either there’s local-address=1.1.1.x for peer and then only this address should be used as source, or the router still might decide to use another 1.1.1.y. Your nice new mangle rules don’t do anything for new outgoing connections initiated by this router.
That's a different problem, keep it straight in your mind and you won't get confused.
I'm not saying your approach is not valid and it's probably better, but I don't understand it nor how to config it.
Well… KISS would dictate to attach all the 3 IP addresses to a single WAN interface, so that the Tik would respond to ARP requests regarding any of them, and multiple routing tables and the associated rules would not be necessary. The only situation where this does not work is when the gateway device cannot handle that multiple IP addresses share the same MAC address, or when it only talks to devices that got their addresses from it using DHCP. Neither of these is a usual behavior of ISP CPEs.
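To make the single-interface layout suggested above (and Sob’s local-address= advice earlier in the thread) concrete, here is an added RouterOS configuration example. It is not taken from the thread or from anyone’s actual config: the interface name ether1, the remote IPsec peer 203.0.113.1, the internal hosts 192.168.1.10 and 192.168.1.11, and the port 443 are all assumed for illustration; the 1.1.1.x addresses are the ones used in the question.

```routeros
# Added example, not the poster's config. Assumptions: WAN is ether1,
# LAN is 192.168.1.0/24, remote IPsec peer is 203.0.113.1, both
# published services listen on 443 inside and outside.

# 1. All three public addresses on ONE interface. The router answers
#    ARP for each of them, so the modem/gateway needs no special setup.
/ip address
add address=1.1.1.7/29 interface=ether1 comment="WAN, router's own address"
add address=1.1.1.8/29 interface=ether1 comment="WAN, service A"
add address=1.1.1.9/29 interface=ether1 comment="WAN, service B"

# 2. One default route, one gateway. pref-src pins the source address
#    the router itself uses for NEW outgoing connections, so it does not
#    pick .8 or .9 at random. Replies to inbound connections already use
#    the address the client talked to; no mangle/routing marks needed.
/ip route
add dst-address=0.0.0.0/0 gateway=1.1.1.12 pref-src=1.1.1.7

# 3. IPsec: local-address forces IKE/ESP to be sourced from .7, which is
#    the fix for the tunnel that "moved" to .8 in the original post.
#    (Identity/secret for the peer is configured under /ip ipsec identity.)
/ip ipsec peer
add name=site-b address=203.0.113.1/32 local-address=1.1.1.7 exchange-mode=ike2

# 4. Same external and internal port for two different servers is fine:
#    the public address, not the port, selects the server.
/ip firewall nat
add chain=dstnat dst-address=1.1.1.8 protocol=tcp dst-port=443 \
    action=dst-nat to-addresses=192.168.1.10 comment="service A -> .8"
add chain=dstnat dst-address=1.1.1.9 protocol=tcp dst-port=443 \
    action=dst-nat to-addresses=192.168.1.11 comment="service B -> .9"

# 5. Outbound: each server leaves with "its" public address, everything
#    else with .7. Specific rules must come before the catch-all.
add chain=srcnat src-address=192.168.1.10 out-interface=ether1 \
    action=src-nat to-addresses=1.1.1.8 comment="service A sources from .8"
add chain=srcnat src-address=192.168.1.11 out-interface=ether1 \
    action=src-nat to-addresses=1.1.1.9 comment="service B sources from .9"
add chain=srcnat src-address=192.168.1.0/24 out-interface=ether1 \
    action=src-nat to-addresses=1.1.1.7 comment="everything else from .7"
```

The point of pinning addresses explicitly (pref-src on the route, local-address on the peer, to-addresses instead of masquerade) is that nothing depends on which of three equal addresses on the same subnet the router happens to prefer. Verify with /ip firewall connection print, which shows the real source address of each flow, and with /ip ipsec active-peers print, where local-address should stay at 1.1.1.7.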
As I said, I am unfamiliar with the concept. I just managed to grasp the concept of having different IP addresses for a single Wireguard Interface, so this would be another leap.