So basically I followed this for the OpenVPN server config and for the client, except that the VPN client shares the same subnet as the LAN clients: https://www.medo64.com/2016/12/simple-openvpn-server-on-mikrotik/
Internet and LAN access works fine through the VPN tunnel with arp-proxy on the bridge.
But in the main router, I have two ISPs, whereby I use PCC/Nth to load balance traffic originated from LAN subnet.
Following is my load-balancing config, which works great for my needs:
/ip firewall mangle
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=pppoe-out1 new-connection-mark=ISP1_conn passthrough=no
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=pppoe-out2 new-connection-mark=ISP2_conn passthrough=no
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-list=!not_in_internet dst-address-type=!local in-interface-list=LAN new-connection-mark=ISP2_conn passthrough=\
yes per-connection-classifier=both-addresses:3/0 port=80,443 protocol=tcp
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-list=!not_in_internet dst-address-type=!local in-interface-list=LAN new-connection-mark=ISP2_conn passthrough=\
yes per-connection-classifier=both-addresses:3/1 port=80,443 protocol=tcp
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-list=!not_in_internet dst-address-type=!local in-interface-list=LAN new-connection-mark=ISP1_conn passthrough=\
yes per-connection-classifier=both-addresses:3/2 port=80,443 protocol=tcp
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-list=!not_in_internet dst-address-type=!local in-interface-list=LAN new-connection-mark=ISP2_conn passthrough=\
yes per-connection-classifier=both-addresses:3/0 port=80,443 protocol=udp
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-list=!not_in_internet dst-address-type=!local in-interface-list=LAN new-connection-mark=ISP2_conn passthrough=\
yes per-connection-classifier=both-addresses:3/1 port=80,443 protocol=udp
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-list=!not_in_internet dst-address-type=!local in-interface-list=LAN new-connection-mark=ISP1_conn passthrough=\
yes per-connection-classifier=both-addresses:3/2 port=80,443 protocol=udp
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-list=!not_in_internet dst-address-type=!local in-interface-list=LAN new-connection-mark=ISP2_conn nth=3,1 \
passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-list=!not_in_internet dst-address-type=!local in-interface-list=LAN new-connection-mark=ISP2_conn nth=3,2 \
passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-list=!not_in_internet dst-address-type=!local in-interface-list=LAN new-connection-mark=ISP1_conn nth=3,3 \
passthrough=yes
add action=mark-routing chain=prerouting connection-mark=ISP1_conn dst-address-list=!not_in_internet dst-address-type=!local in-interface-list=LAN new-routing-mark=to_ISP1 passthrough=no
add action=mark-routing chain=prerouting connection-mark=ISP2_conn dst-address-list=!not_in_internet dst-address-type=!local in-interface-list=LAN new-routing-mark=to_ISP2 passthrough=no
add action=mark-routing chain=output connection-mark=ISP1_conn dst-address-list=!not_in_internet dst-address-type=!local new-routing-mark=to_ISP1 passthrough=no
add action=mark-routing chain=output connection-mark=ISP2_conn dst-address-list=!not_in_internet dst-address-type=!local new-routing-mark=to_ISP2 passthrough=no
In the VPN client file I have set the “remote” value differently for each ISP (two different client files), which is great: I can connect through either ISP as per my requirements, based on latency from the location I’m at plus the different ISPs at said location.
Now the problem starts here: any internet traffic originating from the remote VPN client is simply routed through ISP1, due to its default route having a lower distance than ISP2’s default route. The traffic originating from the VPN client never hits the mangle rules.
Now, as per my config, we can see I only accept LAN inside the mangle rules, but isn’t the VPN client a member of LAN, as it’s in the same subnet?
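To make the "never hits the mangle rules" behaviour concrete, here is a small Python model of the prerouting PCC rules from the config above (an added example, not the poster's configuration and not RouterOS code). The interface names, the membership of interface-list LAN, the sample addresses and the stand-in hash are all assumptions; the nth rules for non-80/443 traffic are not modelled.

```python
from ipaddress import ip_address

# Assumed: only the LAN bridge is a member of interface-list "LAN"; the OpenVPN
# server interface (assumed name "ovpn-in1") is not, even though its client sits
# in the same subnet. Subnet membership is not what in-interface-list matches on.
LAN_LIST = {"bridge-lan"}

# Mirrors the PCC rules: both-addresses:3/0 and 3/1 -> ISP2_conn, 3/2 -> ISP1_conn.
PCC_DENOMINATOR = 3
PCC_MAP = {0: "ISP2_conn", 1: "ISP2_conn", 2: "ISP1_conn"}
ROUTING_MARK = {"ISP1_conn": "to_ISP1", "ISP2_conn": "to_ISP2"}
DEFAULT_ROUTE_IFACE = "pppoe-out1"  # main table: ISP1 default route has the lower distance


def pcc_both_addresses(src, dst, denominator=PCC_DENOMINATOR):
    """Stand-in for the both-addresses classifier: hash both addresses, reduce mod denominator.

    RouterOS uses its own hash; only the property "same address pair -> same bucket"
    matters for this illustration.
    """
    return (int(ip_address(src)) * 31 + int(ip_address(dst))) % denominator


def classify(in_interface, src, dst, proto, dst_port):
    """Return (connection_mark, routing_mark) the prerouting chain would set, else (None, None)."""
    # Every mark-connection rule for LAN traffic requires in-interface-list=LAN.
    # A packet arriving on an interface outside that list is never marked.
    if in_interface not in LAN_LIST:
        return None, None
    if proto in ("tcp", "udp") and dst_port in (80, 443):
        conn = PCC_MAP[pcc_both_addresses(src, dst)]
        return conn, ROUTING_MARK[conn]
    return None, None  # nth rules for other ports not modelled here


def egress_interface(routing_mark):
    """Unmarked traffic falls through to the main table, i.e. the ISP1 default route."""
    if routing_mark == "to_ISP1":
        return "pppoe-out1"
    if routing_mark == "to_ISP2":
        return "pppoe-out2"
    return DEFAULT_ROUTE_IFACE


if __name__ == "__main__":
    # Constructed sample flows: a LAN host and a VPN client in the same 192.168.88.0/24.
    for iface, src in (("bridge-lan", "192.168.88.10"), ("ovpn-in1", "192.168.88.200")):
        conn, rmark = classify(iface, src, "93.184.216.34", "tcp", 443)
        print(iface, src, "->", conn, rmark, "via", egress_interface(rmark))
```

Running it shows the LAN host getting a connection and routing mark while the VPN client, arriving on the OpenVPN interface, gets none and therefore leaves via the ISP1 default route.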