I need to use a VPN connection for my setup. However, one VPN account (e.g. NordVPN, Private Internet Access) gives around 50 MBps in download speed. This is not enough. Thus, we need to use 2-3 VPN accounts at the same time to achieve the desired data speed. However, these VPN connections have to be configured on one uplink Ethernet port.
There is one Mikrotik router with RouterOS 7.
The Mikrotik router has only one uplink Ethernet connection. The capacity of the Ethernet uplink is not an issue. It can be 1 Gbps.
There is one switch connected to one of the downlink Ethernet ports of the Mikrotik router.
There is one Wi-Fi access point connected to another downlink Ethernet port of the Mikrotik router.
There are multiple devices connected both to the switch and the Wi-Fi AP. They access the internet via VPN.
How should the Mikrotik router be configured so that devices from one downlink port (connected to the switch) use one VPN account and devices from another downlink port (connected to the Wi-Fi AP) use another VPN account?
What should the configuration look like?
Ideally, I would like to load-balance traffic evenly between 2-3 VPN accounts. I do not really need to differentiate between downlink devices. If automatic load-balancing is not possible, then I could simply distribute devices roughly evenly between the switch and the Wi-Fi AP.
Okay, as I understand it you wish to force ALL USERS through VPN for internet,
preferably with PCC load balancing so the load is shared equitably between users,
OR
subnets X,Y to vpn1, A,B to vpn2, C,D to vpn3
(assuming all from the same VPN provider, and thus failover means nothing).
a. confirm all subnets/vlans/users need to be forced out WireGuard for internet.
b. if not, identify which do not.
c. identify if there is any LAN to LAN traffic required and if so between which subnets.
d. Should any users/subnets be allowed to use local internet if the VPNs are not working…
What do you have so far to build on…
/export file=anynameyouwish (minus router serial number, any public WANIP information, keys etc. )
We would prefer load balancing access so that the load is shared equitably between VPN accounts, but if it is not possible then it is fine to have “Subnets X,Y to vpn1, AB, to vpn2, CD to vpn3”. With load balancing one would also expect that vpn1 and vpn2 would take additional load if vpn3 fails.
A. I confirm that all subnets/vlans/users need to be forced out WireGuard for internet. We are interested only in VPN.
B. Not applicable.
C. LAN to LAN traffic is required between subnets. In the Wi-Fi-only subnet, we have two servers that need to communicate with other devices across all internal subnets. These servers speak only to internal devices and do not communicate with the internet.
D. If there is no active VPN, there is no need for the devices to communicate with external world.
The quick and dirty method would be subnets out specific VPNs but failover is not in the cards.
Also, you failed to note whether the VPNs were all from the same provider??? If so, talk about failover is moot.
Great, thank you for your help!
If needed, we could get two different VPN providers just to make sure that we have a failover.
Do I understand correctly that to achieve failover, we would need to have another Ethernet uplink, so that there is one VPN configured per uplink? Then we could differentiate default and failover routes using “distance=”.
Well, if you only have one uplink provider, then if that provider goes down it doesn't matter how many VPNs you have going through it.
Just logic, and thus multiple internet connections from different providers give one more throughput overall but, more importantly, redundancy.
As for VPNs, yes, different providers would give actual redundancy; again, this is simple logic.
So it depends what you want and what the budget is.
Hi anav,
the question was not whether having multiple providers gives redundancy. It is rather obvious, or as you mentioned “simple”.
The question was whether under the “quick and dirty method” configuration suggested above (with “subnets out specific VPNs”) having two uplinks was the only (or the most simple) way to achieve failover between two different VPNs. Reminder, it was mentioned by the author of this configuration that “failover is not in the cards”.
More detailed explanation:
One can easily imagine a situation when the uplink (to the internet provider) is working but one of the two VPNs has stopped working. You would not want half of your devices (connected to the unlucky subnet and routed to the broken VPN) to be without connectivity. In this situation, it would be desirable to automatically reroute 100% of devices from all subnets to the remaining VPN connection. Under the “quick and dirty” subnet configuration method this is not possible. PCC load balancing is also not supported with this configuration. However, it may be quite easy to get an additional link to the same internet provider. Having two uplinks should potentially allow failover between VPNs even with the “quick and dirty” subnet configuration method.
Of course, it would be more desirable to have two different VPNs and two different internet providers, but there is not always a possibility to get a secondary link to another provider. And if it is very simple to get a secondary link to the same provider (even though this does not protect you from the failure of the internet provider), it should be done, because then you can have at least failover at the VPN level.
Besides, two cables is still better than one. Redundancy can be present on multiple layers.
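As an added example (not a configuration posted by anyone in this thread), this is how the “subnets out specific VPNs” split over a single uplink can be given VPN-level failover on RouterOS 7: one routing table per tunnel, each with a backup route through the other tunnel, with the PCC alternative left commented out. Interface names, the two LAN subnets, the endpoint hostnames, the key placeholders, the tunnel addresses 10.100.0.x/10.200.0.x and the assumption that the provider's tunnel-side gateway answers ping are all made up for the example.

```routeros
# Added example. Assumes RouterOS 7, WAN on ether1, switch subnet 192.168.10.0/24,
# Wi-Fi subnet 192.168.20.0/24, and two WireGuard accounts. Keys, endpoints and
# tunnel addresses are placeholders, not real provider values.

# One WireGuard tunnel per VPN account.
/interface wireguard
add name=wg-vpn1 private-key="<VPN1-PRIVATE-KEY>"
add name=wg-vpn2 private-key="<VPN2-PRIVATE-KEY>"
/interface wireguard peers
add interface=wg-vpn1 public-key="<VPN1-SERVER-PUBKEY>" endpoint-address=vpn1.example.net endpoint-port=51820 allowed-address=0.0.0.0/0 persistent-keepalive=25s
add interface=wg-vpn2 public-key="<VPN2-SERVER-PUBKEY>" endpoint-address=vpn2.example.net endpoint-port=51820 allowed-address=0.0.0.0/0 persistent-keepalive=25s
# /24 is assumed so the tunnel-side gateway is a directly connected, pingable next hop.
/ip address
add address=10.100.0.2/24 interface=wg-vpn1
add address=10.200.0.2/24 interface=wg-vpn2

# One routing table per VPN; "fib" is required for routing marks to be usable.
/routing table
add name=to_vpn1 fib
add name=to_vpn2 fib

# Each table prefers its own tunnel (distance=1) and falls back to the other (distance=2).
# check-gateway=ping needs an IP next hop, hence the gateway address rather than the interface.
/ip route
add dst-address=0.0.0.0/0 gateway=10.100.0.1 routing-table=to_vpn1 distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.200.0.1 routing-table=to_vpn1 distance=2 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.200.0.1 routing-table=to_vpn2 distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.100.0.1 routing-table=to_vpn2 distance=2 check-gateway=ping

# Point C: LAN-to-LAN traffic (the internal servers on the Wi-Fi subnet) must stay unmarked.
/ip firewall address-list
add list=LAN address=192.168.10.0/24
add list=LAN address=192.168.20.0/24
/ip firewall mangle
add chain=prerouting src-address=192.168.10.0/24 dst-address-list=!LAN action=mark-routing new-routing-mark=to_vpn1 passthrough=no
add chain=prerouting src-address=192.168.20.0/24 dst-address-list=!LAN action=mark-routing new-routing-mark=to_vpn2 passthrough=no
# PCC alternative to the two rules above: split every LAN source across both tables.
# add chain=prerouting src-address-list=LAN dst-address-list=!LAN per-connection-classifier=both-addresses:2/0 action=mark-routing new-routing-mark=to_vpn1 passthrough=no
# add chain=prerouting src-address-list=LAN dst-address-list=!LAN per-connection-classifier=both-addresses:2/1 action=mark-routing new-routing-mark=to_vpn2 passthrough=no

/ip firewall nat
add chain=srcnat out-interface=wg-vpn1 action=masquerade
add chain=srcnat out-interface=wg-vpn2 action=masquerade

# Point D: if both tunnels are down, LAN traffic must not leak out of the bare uplink.
/ip firewall filter
add chain=forward src-address-list=LAN out-interface=ether1 action=drop
```

Whether the backup route ever activates depends on the provider's tunnel gateway responding to ping; if it does not, a recursive route via a public probe address through the tunnel is the usual substitute for check-gateway.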