Two ISPs, Load Balancing and Wireguard - Concept and Best Practices

I do understand some basic network and routing concepts, but not very deeply, so please be patient with my questions.
I have questions regarding Two ISPs, Load Balancing and Wireguard.
I would like to ask questions about the WireGuard part first:
From what I read through the forum:

  1. Using only 1 WireGuard interface to accept incoming connections from 2 WANs is a bad idea. Could somebody give some more insight into why it should not be done? When I ask this question, I think about modem dial-in. But after thinking again, whether I use it as a client dial-in or site-to-site, can I say that the underlying infrastructure for each WireGuard interface is the whole subnet and thus should serve only 1 WAN? Is this the reason why?
  2. When creating 2 WireGuard interfaces, I see that they should use different ports to accept connections. Does this mean each WireGuard interface acts as an individual virtual application server, and if I set both WireGuard interfaces to the same port, it will confuse ROS about which interface will accept the incoming connections?
  3. I see from the config that each peer is configured with a fixed IP. Is it possible to configure a WireGuard client to receive an IP from the MikroTik DHCP server?
  4. I see many posts in the forum about using mangle to mark connections so that traffic is routed back to the correct interface. I am a bit unclear about the difference between incoming ISP traffic and incoming WireGuard traffic. Is marking connections for incoming ISP traffic enough? Do I need to manually add WireGuard network routing and a gateway, and if yes, where should I add it: /ip/dhcp network or /ip route?

Thanks for the help.

Why do you have the True router, vice both modems going into the MikroTik device?
Assuming you can port forward on the True router to the MT router?

Is your plan to WireGuard remotely into the LANs for users, OR for the admin to config the router, or both?
Is your plan to use a third-party VPN service?

Did you wish to come in on a specific WAN for WireGuard?
Did you wish to go out on a specific WAN for WireGuard (in the case of third party)?

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

True Online provides a fiber router with integrated ONU/GPON. Until recently, there is a choice of only an ONU and bring your own router, which I plan to do soon. Thus, MT is behind the True router. Yes, I currently port forward from the True router to MT.

CAT Telecom provides a wireless router and ONU separately, thus I removed their wireless router and use PPPoE to connect directly to their ONU.

Our company has our own DirectAdmin server as a VPS. Thus, I currently use MT to update the DirectAdmin DNS record with our current IP for both True Online and CAT Telecom. Thus, I don't think a third-party VPN is needed, unless I learn something more about how things should be done properly.

The 2 ISPs are for both load balancing and backup.

As for VPN, I have multiple plans ahead:

  1. Initially, remote in for admin.
  2. Create site-to-site to synchronize data.
  3. Set up an application server and later let users remote in to update the data.

As for WireGuard, I initially thought of it as a modem port where, if one number is broken, I just dial in to the other number. The more I read, the more I feel that each WireGuard interface should have its own subnet and listening port. Currently, my knowledge is limited, thus allowing the remote workers (initially, it will only be me) to choose which one is working is my initial plan. If I can write a more dynamic script to switch/alternate the routing, it might be better to let workers remote in using only 1 setting, while I manage alternating the DNS record and the internal MT script.

Does the MT WireGuard still have the problem of only replying via the default internet route even though the incoming connection is marked? If yes, is there a workaround, or is it a limiting factor at the moment?