What would be your choice of protocols/technologies for the most fault-tolerant, worry free and (if possible) load-balanced connection between two sites in two different locations?
The details are:
2 sites (A and B),
each site has 2 MikroTik routers connected to one or more unmanageable switches.
each MikroTik router on each site is connected to a different ISP.
each ISP is providing one static public IP.
Right now I am using VRRP on both sites with an IPsec tunnel that I manually reconfigure if one ISP is down. There are many disadvantages in this setup:
VRRP v3 doesn’t support authentication;
only one ISP per site is utilized at any time;
if an ISP is down, I have to manually reconfigure the IPsec tunnel.
I’ve been reading about OSPF and Wireguard, but I would appreciate best practice recommendations.
This example is clear and works as expected, but provides sharing, not balancing. In order for this approach to work, the hosts on each site’s LAN should be divided into two groups and each group should receive a different VRRP gateway via DHCP Option 3 (or by manually configuring it on each host). Because of that, this approach is suitable only if the admin can split the hosts in the network into two groups by a criterion of his choice. If each site has multiple subnets and the 2 routers are connected to all of them, then one subnet can have one of the routers as a gateway, and the other subnet - the other router.
I hope the information below can give someone a direction and save him time in research. Also I will be happy for any comments and remarks.
This setup will guarantee failover and redundancy but no load balancing or load sharing. As the setup progresses I will come back and post updates.
Each pair of routers at each site will run VRRP on every LAN subnet present at that site.
Each pair of routers at each site will have a direct connection between them. This connection should be separate from any LAN subnets at the site. The purpose of this connection will be explained below.
Each router at each site will have two Wireguard VPN tunnels to both routers at the other site, resulting in a total of four tunnels. Each tunnel will have a /30 network assigned for IP addresses on both routers. The ‘Allowed address’ for each Wireguard tunnel will be set to only the single IP of the opposite end of the tunnel. These IPs on each side of the Wireguard tunnels will not be announced in any dynamic routing protocol.
Carrying traffic in a network that runs dynamic routing via a Wireguard tunnel clashes with the static ‘Allowed address’ configuration of the Wireguard. Because of that, inside each Wireguard tunnel there will be an additional tunnel of type ‘IP tunnel.’ These tunnels will have no encryption and a minimal CPU and overhead footprint.
Each router will run OSPF. BGP is another option, but I consider it more difficult. Each router will announce all LAN subnets it is connected to via OSPF, except for the Wireguard tunnel networks.
Each router will have recursive routing for its default gateway.
Each router will announce its default gateway to its paired router on the same site. This is the main purpose of the direct connection between the router pairs on each site.
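As an added illustration (not configuration from this thread or from the poster's routers), here is a RouterOS 7 sketch for router A1 covering one of its four tunnels: VRRP on the LAN, a recursive default route, a WireGuard peer restricted to a single /32, the IPIP tunnel inside it, and OSPF limited to the LAN, the IPIP tunnel and the A1-A2 link. All addresses, keys and interface names are constructed placeholders, and the parameter names assume RouterOS 7 syntax.

```routeros
# Router A1 (site A, ISP 1). Constructed example: every address, key and
# interface name below is a placeholder, not a value from the thread.

# 1. VRRP v3 on the LAN subnet; A2 runs the same vrid with a lower priority.
/interface vrrp add name=vrrp-lan interface=ether2 vrid=10 priority=200 version=3
/ip address add address=192.168.10.1/24 interface=vrrp-lan

# 2. Recursive default route via ISP 1. The gateway is a remote probe address
#    (placeholder 198.51.100.1) reached through the ISP next hop; when the
#    probe stops answering, the route goes inactive instead of black-holing.
/ip address add address=203.0.113.2/30 interface=ether1
/ip route add dst-address=198.51.100.1/32 gateway=203.0.113.1 scope=10
/ip route add dst-address=0.0.0.0/0 gateway=198.51.100.1 check-gateway=ping scope=30 target-scope=30

# 3. WireGuard tunnel to B1 (repeat on another port for B2). allowed-address is
#    only the peer's tunnel /32, so WireGuard never needs to know routed prefixes.
/interface wireguard add name=wg-b1 listen-port=13231 private-key="<A1-private-key>"
/interface wireguard peers add interface=wg-b1 public-key="<B1-public-key>" endpoint-address=<B1-public-IP> endpoint-port=13231 allowed-address=10.255.1.2/32 persistent-keepalive=25s
/ip address add address=10.255.1.1/30 interface=wg-b1

# 4. Unencrypted IPIP tunnel carried inside the WireGuard tunnel; OSPF runs
#    on this interface, not on wg-b1, so any prefix can cross it.
/interface ipip add name=ipip-b1 local-address=10.255.1.1 remote-address=10.255.1.2
/ip address add address=10.254.1.1/30 interface=ipip-b1

# 5. Direct A1<->A2 link (separate from every LAN) used to exchange defaults.
/ip address add address=10.253.0.1/30 interface=ether3

# 6. OSPF: LAN as passive, the IPIP tunnel and the A1-A2 link as ptp. The wg-*
#    and WAN interfaces are deliberately absent, so tunnel and ISP networks are
#    never advertised. originate-default=if-installed announces A1's default
#    only while its own recursive route is active; a default learned from A2
#    has OSPF distance (110) and only wins when the local static (1) is down.
/routing ospf instance add name=ospf-v2 version=2 router-id=10.253.0.1 originate-default=if-installed
/routing ospf area add name=backbone area-id=0.0.0.0 instance=ospf-v2
/routing ospf interface-template add area=backbone interfaces=vrrp-lan passive=yes
/routing ospf interface-template add area=backbone interfaces=ipip-b1 type=ptp
/routing ospf interface-template add area=backbone interfaces=ether3 type=ptp
```

Router B1 mirrors this with the opposite ends of the /30s; A2 and B2 repeat it with their own ISP next hop and a second set of tunnel addresses.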