Hi everyone. I have a problem creating this scheme.
I have:
two Hex Lite RB750r2,
two different 3G routers,
one real IP.
The two 3G routers are connected to one Mikrotik,
and I created two ovpn clients which must each use one of the 3G routers to connect to the real IP.
I can’t create routes for two different gateways. Please help!
Just accurately read this https://wiki.mikrotik.com/wiki/ECMP_load_balancing_with_masquerade
If you want load-balancing use:
/ ip route
add dst-address=0.0.0.0/0 gateway=10.111.0.1,10.112.0.1 check-gateway=ping
If you want to use these channels independently:
/ ip route
add dst-address=0.0.0.0/0 gateway=10.111.0.1 routing-mark=to_wlan1
add dst-address=0.0.0.0/0 gateway=10.112.0.1 routing-mark=to_wlan2
All explanations are in the wiki.
Thank you. I think this is the better result for 2 hot lines
manelfl
November 9, 2017, 11:46am
Hi
I have problems with oVPN server Mikrotik with 2 lines and oVPN client Mikrotik with 1 line.
This is the scheme for my tests:
oVPN server
ether 1 10.0.1.1/24 WAN1
ether 2 10.0.11.1/24 WAN2
ether3 192.168.1.1/24 LAN
Mikrotik in between
ether 1 10.0.1.9/24
ether1 10.0.2.9/24
ether 1 10.0.11.9/24
oVPN Client
ether1 10.0.2.1/24 WAN
ether 3 192.168.101.1/24 LAN
TESTS:
ping from client to wan1 server:
[admin@oVPNClient] > ping 10.0.1.1
SEQ HOST SIZE TTL TI
0 10.0.1.1 56 63 0m
[admin@oVPNServer] > tool sniffer quick ip-protocol=icmp
INTERFACE TIME NUM DIR SRC-MAC DST-MAC VLAN SRC-ADDRESS DST-ADDRESS PROTOCOL SIZE CPU FP
ether1 8.762 1 ← 08:00:27:C2:06:27 08:00:27:13:2F:3D 10.0.2.1 10.0.1.1 ip:icmp 70 0 no
ether1 8.762 2 → 08:00:27:13:2F:3D 08:00:27:C2:06:27 10.0.1.1 10.0.2.1 ip:icmp 70 0 no
ether1 8.762 3 ← 08:00:27:C2:06:27 08:00:27:13:2F:3D 10.0.1.9 10.0.1.1 ip:icmp 98 0 no
ping from client to wan2 server:
[admin@oVPNClient] > ping 10.0.11.1
SEQ HOST SIZE TTL TIME STATUS
0 10.0.11.1 56 63 2ms
[admin@oVPNServer] > tool sniffer quick ip-protocol=icmp
INTERFACE TIME NUM DIR SRC-MAC DST-MAC VLAN SRC-ADDRESS DST-ADDRESS PROTOCOL SIZE CPU FP
ether2 32.622 1 ← 08:00:27:C2:06:27 08:00:27:BB:C6:55 10.0.2.1 10.0.11.1 ip:icmp 70 0 no
ether2 32.623 2 → 08:00:27:BB:C6:55 08:00:27:C2:06:27 10.0.11.1 10.0.2.1 ip:icmp 70 0 no
ether2 32.623 3 ← 08:00:27:C2:06:27 08:00:27:BB:C6:55 10.0.11.9 10.0.11.1 ip:icmp 98 0 no
telnet to the oVPN port via wan1:
[admin@oVPNClient] > system telnet address=10.0.1.1 port=1194
[admin@oVPNServer] > tool sniffer quick port=1194
INTERFACE TIME NUM DIR SRC-MAC DST-MAC VLAN SRC-ADDRESS DST-ADDRESS PROTOCOL SIZE CPU FP
ether1 28.519 1 ← 08:00:27:C2:06:27 08:00:27:13:2F:3D 10.0.2.1:39343 10.0.1.1:1194 ip:tcp 74 0 no
ether1 28.519 2 → 08:00:27:13:2F:3D 08:00:27:C2:06:27 10.0.1.1:1194 10.0.2.1:39343 ip:tcp 74 0 no
ether1 28.52 3 ← 08:00:27:C2:06:27 08:00:27:13:2F:3D 10.0.2.1:39343 10.0.1.1:1194 ip:tcp 66 0 no
ether1 28.521 4 → 08:00:27:13:2F:3D 08:00:27:C2:06:27 10.0.1.1:1194 10.0.2.1:39343 ip:tcp 82 0 no
ether1 28.523 5 ← 08:00:27:C2:06:27 08:00:27:13:2F:3D 10.0.2.1:39343 10.0.1.1:1194 ip:tcp 66 0 no
ether1 35.953 6 ← 08:00:27:C2:06:27 08:00:27:13:2F:3D 10.0.2.1:39343 10.0.1.1:1194 ip:tcp 71 0 no
ether1 35.953 7 → 08:00:27:13:2F:3D 08:00:27:C2:06:27 10.0.1.1:1194 10.0.2.1:39343 ip:tcp 66 0 no
telnet to the oVPN port via wan2:
[admin@oVPNClient] > system telnet address=10.0.11.1 port=1194
[admin@oVPNServer] > tool sniffer quick port=1194
INTERFACE TIME NUM DIR SRC-MAC DST-MAC VLAN SRC-ADDRESS DST-ADDRESS PROTOCOL SIZE CPU FP
ether2 7.745 1 ← 08:00:27:C2:06:27 08:00:27:BB:C6:55 10.0.2.1:48668 10.0.11.1:1194 ip:tcp 74 0 no
ether1 7.745 2 → 08:00:27:13:2F:3D 08:00:27:C2:06:27 10.0.11.1:1194 10.0.2.1:48668 ip:tcp 74 0 no
ether2 7.745 3 ← 08:00:27:C2:06:27 08:00:27:BB:C6:55 10.0.2.1:48668 10.0.11.1:1194 ip:tcp 66 0 no
ether1 7.746 4 → 08:00:27:13:2F:3D 08:00:27:C2:06:27 10.0.11.1:1194 10.0.2.1:48668 ip:tcp 82 0 no
ether2 7.747 5 ← 08:00:27:C2:06:27 08:00:27:BB:C6:55 10.0.2.1:48668 10.0.11.1:1194 ip:tcp 66 0 no
PROBLEM:
Access to oVPN server using WAN2 (ether2) returns packets by WAN1 (ether1).
Why?
NOTES:
There are no filter rules
There are no NAT rules
These are Mangle rules:
0 chain=prerouting action=mark-connection new-connection-mark=cm1 passthrough=yes connection-state=new in-interface=ether1 log=no log-prefix=""
1 chain=prerouting action=mark-routing new-routing-mark=rm1 passthrough=no connection-mark=cm1 log=no log-prefix=""
2 chain=prerouting action=mark-connection new-connection-mark=cm2 passthrough=yes connection-state=new in-interface=ether2 log=no log-prefix=""
3 chain=prerouting action=mark-routing new-routing-mark=rm2 passthrough=no connection-mark=cm2 log=no log-prefix=""
Routing table
0 A S dst-address=0.0.0.0/0 gateway=10.0.1.9 gateway-status=10.0.1.9 reachable via ether1 distance=1 scope=30 target-scope=10 routing-mark=rm1
1 A S dst-address=192.168.100.0/24 gateway=ether3 gateway-status=ether3 reachable distance=1 scope=30 target-scope=10 routing-mark=rm1
2 A S dst-address=0.0.0.0/0 gateway=10.0.11.9 gateway-status=10.0.11.9 reachable via ether2 distance=1 scope=30 target-scope=10 routing-mark=rm2
3 A S dst-address=192.168.100.0/24 gateway=ether3 gateway-status=ether3 reachable distance=1 scope=30 target-scope=10 routing-mark=rm2
4 A S dst-address=0.0.0.0/0 gateway=10.0.1.9 gateway-status=10.0.1.9 reachable via ether1 distance=1 scope=30 target-scope=10
5 S dst-address=0.0.0.0/0 gateway=10.0.11.9 gateway-status=10.0.11.9 reachable via ether2 distance=1 scope=30 target-scope=10
6 ADC dst-address=10.0.1.0/24 pref-src=10.0.1.1 gateway=ether1 gateway-status=ether1 reachable distance=0 scope=10
7 ADC dst-address=10.0.11.0/24 pref-src=10.0.11.1 gateway=ether2 gateway-status=ether2 reachable distance=0 scope=10
8 ADC dst-address=192.168.100.0/24 pref-src=192.168.100.1 gateway=ether3 gateway-status=ether3 reachable distance=0 scope=10
Regards.
Anumrak
November 9, 2017, 12:30pm
Now look at these mangle chains from the wiki and compare them with yours:
/ ip firewall mangle
add chain=input in-interface=wlan1 action=mark-connection new-connection-mark=wlan1_conn
add chain=input in-interface=wlan2 action=mark-connection new-connection-mark=wlan2_conn
add chain=output connection-mark=wlan1_conn action=mark-routing new-routing-mark=to_wlan1
add chain=output connection-mark=wlan2_conn action=mark-routing new-routing-mark=to_wlan2
manelfl
November 10, 2017, 12:17pm
Hi.
I have changed prerouting to output and the problem is solved.
Thank you very much.
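An added example, not part of any post in this thread: a Python check that reads `tool sniffer quick` rows in the layout shown above and reports flows whose replies leave through a different interface than the one the requests arrived on, which is the symptom described for WAN2. The function names are hypothetical; the sample rows are copied from the two telnet captures in the thread.

```python
import re
from collections import defaultdict

# Rows copied from the telnet-to-1194 captures posted in the thread.
WAN1_CAPTURE = """\
ether1 28.519 1 ← 08:00:27:C2:06:27 08:00:27:13:2F:3D 10.0.2.1:39343 10.0.1.1:1194 ip:tcp 74 0 no
ether1 28.519 2 → 08:00:27:13:2F:3D 08:00:27:C2:06:27 10.0.1.1:1194 10.0.2.1:39343 ip:tcp 74 0 no
"""
WAN2_CAPTURE = """\
INTERFACE TIME NUM DIR SRC-MAC DST-MAC VLAN SRC-ADDRESS DST-ADDRESS PROTOCOL SIZE CPU FP
ether2 7.745 1 ← 08:00:27:C2:06:27 08:00:27:BB:C6:55 10.0.2.1:48668 10.0.11.1:1194 ip:tcp 74 0 no
ether1 7.745 2 → 08:00:27:13:2F:3D 08:00:27:C2:06:27 10.0.11.1:1194 10.0.2.1:48668 ip:tcp 74 0 no
ether2 7.745 3 ← 08:00:27:C2:06:27 08:00:27:BB:C6:55 10.0.2.1:48668 10.0.11.1:1194 ip:tcp 66 0 no
ether1 7.746 4 → 08:00:27:13:2F:3D 08:00:27:C2:06:27 10.0.11.1:1194 10.0.2.1:48668 ip:tcp 82 0 no
"""

# The VLAN column is empty in these captures, so it is not matched.
ROW = re.compile(
    r"^(?P<iface>\S+)\s+(?P<time>[\d.]+)\s+(?P<num>\d+)\s+(?P<dir>←|→|<-|->)\s+"
    r"(?P<smac>\S+)\s+(?P<dmac>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<proto>\S+)"
)


def parse(capture):
    """Yield one dict per packet row; header and prompt lines are skipped."""
    for line in capture.splitlines():
        m = ROW.match(line.strip())
        if m:
            row = m.groupdict()
            row["rx"] = row["dir"] in ("←", "<-")  # arrow toward the router
            yield row


def asymmetric_flows(capture):
    """Map each flow to (ingress_iface, egress_ifaces) when its transmitted
    packets use an interface other than the one the flow was received on."""
    ingress, egress = {}, defaultdict(set)
    for p in parse(capture):
        # Both directions of a conversation share one unordered endpoint pair.
        flow = (p["proto"], frozenset((p["src"], p["dst"])))
        if p["rx"]:
            ingress.setdefault(flow, p["iface"])
        else:
            egress[flow].add(p["iface"])
    return {f: (ingress[f], sorted(out)) for f, out in egress.items()
            if f in ingress and out != {ingress[f]}}


if __name__ == "__main__":
    for name, cap in (("WAN1", WAN1_CAPTURE), ("WAN2", WAN2_CAPTURE)):
        print(name, asymmetric_flows(cap) or "symmetric")
```

Running the same check on a capture taken after the mangle change is a quick way to confirm that replies to connections arriving on ether2 now leave on ether2.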