Hello,
The company I work for bought two CCR2004 routers to be used in a small deployment of servers at a colocation center. I have been tasked to set them up, and have managed to get most things to work as we want. So far I am quite impressed with the routers and the RouterOS software, even if it requires quite some knowledge some of the time to get right.
A brief overview of the setup is that we have 3 external IPs: router-01 is on ext.2, router-02 is on ext.3, and they have VRRP on ext.1. Internally we have a VLAN with a similar setup: router-01 is on 192.168.1.2, router-02 is on 192.168.1.3, and they have VRRP on 192.168.1.1. There is also a second VLAN internally with a similar setup.
Each router is also running an OpenVPN server which can be accessed by connecting to its external IP. Router-01 has an OpenVPN IP at 192.168.101.1/24 and a pool for clients on the same subnet. This is mirrored on router-02, but the network used is 192.168.102.0/24. To allow packets to reach back to the VPN clients from the main VLAN, I have put a route on each router: router-01 routes 192.168.102.0/24 to 192.168.1.3, i.e. router-02, and router-02 routes 192.168.101.0/24 to 192.168.1.2, i.e. router-01. All corresponding to which router the VPN client would be on.
This works fine when I am connected to the router that is currently VRRP master on the internal network. However, when I connect to the one that is currently backup, the packets do not find their way back to me. If router-01 is master, I connect over OpenVPN to router-02, and ping something on 192.168.1.123, the ping reply gets stuck on router-01 and dropped as invalid. Looking at the packet log I can see that it had vlan2 (i.e. the one that has no route for VPN) as out-interface.
My questions are: Is this a sound setup overall? Am I doing something wrong in terms of having two routers with VRRP but also running OpenVPN on each of them? How can I get routing to work such that both OpenVPN servers work? Let me know if I should supply more information. I am a bit new to all this, so I am not completely sure which pieces of information to include.
Best regards, Jon