NordVPN multi WAN

mazay · March 20, 2021, 2:58pm

Hi all,

I’ve just set up LtAP LTE6 kit with an additional R11e-LTE6/antenna for multi-WAN using PCC. The load balancing, failover and policy-based routing (one of the ISPs has a package for video streaming services which is a killer feature for me :)) seem to work just fine, now I’m wondering if I can make my traffic more secure with NordVPN or some other VPN, can actually setup an EC2 instance but that would be more expensive (though still would do that probably to use as a VPN gateway for getting into local net remotely).

So my thinking is that I need to spin up 2 IPSec tunnels for each WAN channel and use PCC for balancing/prioritising traffic between ISPs but I’m not sure if that’s possible and what kind of issues to expect from that before I start ordering some services.

Grateful for any bits of advice on the topic.

Cheers,
Yev

erkexzcx · March 20, 2021, 9:40pm

Not sure what is exactly you are asking.

mazay · March 22, 2021, 8:08am

Sorry, I guess the main question was - will IPSec/IKEv2 work fine on mikrotik device which has multi WAN connections.

Additionally, my ISPs provide different benefits, so I route youtube/netflix to one of them, the rest of the traffic is splitted between two (2/1). Will I be able to spin up two IPSec/IKEv2 connections and follow the described above logic?

For the reference my mangle rules look as follows:

/ip firewall mangle
add action=mark-connection chain=input connection-mark=no-mark in-interface=plus new-connection-mark=plus_conn passthrough=no
add action=mark-connection chain=input connection-mark=no-mark in-interface=orange new-connection-mark=orange_conn passthrough=no
add action=mark-routing chain=output connection-mark=orange_conn new-routing-mark=to_orange
add action=mark-routing chain=output connection-mark=plus_conn new-routing-mark=to_plus
add action=mark-connection chain=prerouting comment="Plus PCC 3/0" connection-mark=no-mark dst-address-list=!LAN dst-address-type=!local in-interface-list=LAN new-connection-mark=plus_conn passthrough=yes \
    per-connection-classifier=both-addresses-and-ports:3/0
add action=mark-connection chain=prerouting comment="Plus PCC 3/1" connection-mark=no-mark dst-address-list=!LAN dst-address-type=!local in-interface-list=LAN new-connection-mark=plus_conn passthrough=yes \
    per-connection-classifier=both-addresses-and-ports:3/1
add action=mark-connection chain=prerouting comment="Orange PCC 3/2" connection-mark=no-mark dst-address-list=!LAN dst-address-type=!local in-interface-list=LAN new-connection-mark=orange_conn passthrough=yes \
    per-connection-classifier=both-addresses-and-ports:3/2
add action=mark-connection chain=prerouting comment=youtube dst-address-list=youtube in-interface-list=LAN new-connection-mark=orange_conn passthrough=yes
add action=mark-connection chain=prerouting dst-port=443 in-interface-list=LAN new-connection-mark=orange_conn passthrough=yes protocol=tcp tls-host=youtube.com
add action=mark-connection chain=prerouting dst-port=443 in-interface-list=LAN new-connection-mark=orange_conn passthrough=yes protocol=tcp tls-host=*.youtube.com
add action=mark-connection chain=prerouting dst-port=443 in-interface-list=LAN new-connection-mark=orange_conn passthrough=yes protocol=tcp tls-host=googlevideo.com
add action=mark-connection chain=prerouting dst-port=443 in-interface-list=LAN new-connection-mark=orange_conn passthrough=yes protocol=tcp tls-host=*.googlevideo.com
add action=mark-connection chain=prerouting dst-port=443 in-interface-list=LAN new-connection-mark=orange_conn passthrough=yes protocol=tcp tls-host=youtu.be
add action=mark-connection chain=prerouting dst-port=443 in-interface-list=LAN new-connection-mark=orange_conn passthrough=yes protocol=tcp tls-host=*.youtu.be
add action=mark-connection chain=prerouting dst-port=443 in-interface-list=LAN new-connection-mark=orange_conn passthrough=yes protocol=tcp tls-host=ytimg.com
add action=mark-connection chain=prerouting dst-port=443 in-interface-list=LAN new-connection-mark=orange_conn passthrough=yes protocol=tcp tls-host=*.ytimg.com
add action=mark-connection chain=prerouting comment=Netflix dst-address-list=netflix in-interface-list=LAN new-connection-mark=orange_conn passthrough=yes
add action=mark-connection chain=prerouting dst-port=443 in-interface-list=LAN new-connection-mark=orange_conn passthrough=yes protocol=tcp tls-host=netflix.com
add action=mark-connection chain=prerouting dst-port=443 in-interface-list=LAN new-connection-mark=orange_conn passthrough=yes protocol=tcp tls-host=*.netflix.com
add action=mark-connection chain=prerouting dst-port=443 in-interface-list=LAN new-connection-mark=orange_conn passthrough=yes protocol=tcp tls-host=*.nflxext.com
add action=mark-connection chain=prerouting dst-port=443 in-interface-list=LAN new-connection-mark=orange_conn passthrough=yes protocol=tcp tls-host=*.nflxvideo.net
add action=mark-connection chain=prerouting dst-port=443 in-interface-list=LAN new-connection-mark=orange_conn passthrough=yes protocol=tcp tls-host=*.nflxso.net
add action=mark-connection chain=prerouting comment="NordVPN Poland #136" disabled=yes dst-address-list=pl136_vpn dst-address-type=!local new-connection-mark=orange_conn passthrough=yes
add action=mark-routing chain=prerouting comment="Plus Routing Mark" connection-mark=plus_conn in-interface-list=LAN new-routing-mark=to_plus passthrough=no
add action=mark-routing chain=prerouting comment="Orange Routing Mark" connection-mark=orange_conn in-interface-list=LAN new-routing-mark=to_orange passthrough=no

msatter · March 22, 2021, 8:48am

The IKEv2 implementation by Mikrotik binds to the WAN and only one. Once the traffic is in the tunnel you can’t see anything anymore.

However you could look at balancing the tunnels UDP/4500 in which your traffic is transported.

mazay · March 22, 2021, 9:49am

Thanks msatter. Can I somehow bind IKEv2/IPSec peer to a specific WAN?

msatter · March 22, 2021, 11:50am

I never tried it so this is all from how I think it up right now.

Mark routing in Mangle UDP/4500 for wan1 and wan2 and then in IP Routes set the route…no my specialty. I think you use Rules in this case to direct to the wished wan port.

Looking in ip route rules you can only give one source and destination address and I hope only routing mark and interface

Update, you can’t change the gateway in the current setup by Mikrotik. Only thing I can think of is copy the current line in routes and set that one to second wan. Then you have only to mark and create a rule for wan2. This ‘can’t’ be a static route, every time IKEv2 connects a new source IP is possible, and if it works this way?..let me now in this forum.