Retail ISP line Bonding

KRITS · February 24, 2022, 10:36pm

Hi folks,

i am trying to bond two isp lines. i first looked for best practises or tutorial, but i found serveral. long question short, this is my setup:

RB3011
eth1: WAN1 - dynamic ip (isp dhcp)
eth2: WAN2 - private ip (behind nat router)

CHR
eth1: WAN1 (static IP)

my idea was, to get something like l2tp to the chr with both wan interfaces from RB3011 and bond them and have the CHR as local breakout.

my question is, how do i bond those lines with the chr and route all traffic through that bond.

KRITS · February 25, 2022, 6:21pm

to be more specific, how do i get the l2tp-tunnel use different WAN interface?

sindy · February 25, 2022, 6:37pm

Indirectly - there is a parameter src-address on the /interface l2tp-client row. And then you use /ip route rule to choose a routing table.

/ip route rule
add src-address=ip.of.wan.1 action=lookup-only-in-table table=via-WAN1
add src-address=ip.of.wan.2 action=lookup-only-in-table table=via-WAN2

/ip route
add routing-mark=via-WAN1 gateway=ip.of.wan1.gw
add routing-mark=via-WAN2 gateway=ip.of.wan2.gw

KRITS · February 25, 2022, 10:56pm

Thanks for reply sindy.

Found exactly that already somewhere else. But this is not quite clear to me, like the other post, what exactly should go into src-address in l2tp-client? What single address do I use here?

Since I use Ros 7.1.3 i have to specify the route tables first I guess.

sindy · February 26, 2022, 9:53am

If the addresses assigned to your WANs are static (even if assigned by DHCP), you can use directly these addresses. If they are not, you have to use some other addresses that are active on the router; you can e.g. assign auxiliary /32 addresses to an /interface bridge with no member ports created for the purpose, and then use masquerade rules to convert them to the dynamic addresses currently assigned to the WANs.

The thing is that when the router is going to send a packet, it normally first finds a route, and only then it chooses a source address for the packet, depending on that route. If you force the source address somehow, as you do when you specify the src-address for the /interface l2tp-client, routes themselves still only look at destination address, and there is always exactly one active route for each destination in each routing table. So if a route to a given destination in routing table main goes via WAN 1, you have to use another routing table to send a packet to the same destination via WAN 2.

So assuming you have to use the auxiliary static addresses, let’s say 10.1.1.1 and 10.2.2.2, the /routing/rule rows have to match on those addresses, choosing routing table via-WAN1 for packets from 10.1.1.1 and routing table via-WAN2 for packets from 10.2.2.2.

Once the packets get routed, a chain=srcnat out-interface-list=WAN action=masquerade rule will change the original source address to the one currently assigned to the WAN through which the packet actually leaves.

Correct.

KRITS · February 28, 2022, 11:17am

thanks sindy - works like a charm! but performance is much worse then expected, even without encryption. anyway, thank you for your detailed explaination

sindy · February 28, 2022, 1:47pm

First - without which encryption, the PPP one or the IPsec? Second, have you set max-mtu, max-mru and mrru at all ends, to replace IP level fragmentation by MLPPP level splitting? It sometimes helps performance if the network between the client and the server is weird.