SoluS, 2018-10-14 21:14:15

Mikrotik: How to configure server availability through 2 providers?

There are 2 sites, each with a Mikrotik. Each is connected to the local network of the same provider (WAN1 and WAN2). Each has Internet access via an L2TP VPN (VPN1 and VPN2). The Mikrotiks are connected to each other via an EoIP tunnel through the provider's local network. The server is connected to the 2nd Mikrotik.
Task: it is necessary that the server be accessible from the Internet through both VPNs and from the local network of the provider through both WANs.
What we have: on Mikrotik1, the rules
Forward, TCP, dst.port = 80, Accept
Dst.NAT, TCP, dst.port = 80, dst-nat, to 192.168. , but it answers, apparently, through VPN2.
And then I got stuck. I read about setting up 2 providers on one Mikrotik, that packets need to be somehow marked using mangle and then routed based on this mark, but I could not adapt it to my configuration.
On which router and from which interface should packets be marked, and where should they be routed?
Currently, VPN2 is offline. Both sites work through VPN1, and the server is available at least through VPN1. My knowledge of Mikrotik is that of an advanced housewife :)
Thank you for your help :)

2 answers
athacker, 2018-10-15
@SoluS

Valentin correctly writes above: the simplest scheme is to also do SNAT for traffic that has passed through the 1st Mikrotik to the server. But keep in mind that with this scheme you will lose information about the client's SRC IP, because from the server's point of view requests will come from the Mikrotik.
And knowledge of Mikrotik has nothing to do with it; figure out how routing works.
The fact is that on the server connected to Mikrotik2, this Mikrotik is the default gateway. When you do DNAT on Mikrotik1, you get the following:
If you also do SRC NAT of the client packet, i.e. change the client address (1.2.3.4) to the address of Mikrotik1 (192.168.3.1), then the server will respond to this address, the server's response will reach Mikrotik1, and it, in turn, having done the reverse translation through the NAT table, will return the response to the client. But, I repeat, with this scheme you will not see the clients' real IPs in the server logs: for requests that came through Mikrotik1, the client IP will be 192.168.3.1.
P.S.: You should not have made an EoIP tunnel and one flat client network behind the Mikrotiks. This will only lead to confusion.

Valentin, 2018-10-14
@vvpoloskin

A) In order for the server to be accessible through two Internet connections with the same IP address, the operator must give you a separate subnet for the server (and route it accordingly).
B) There are a lot of options for how to do what you want: marking packets (mangle, in fact), different IP addresses on the server for different tunnels, or, in the end, different VRFs on the server. But it seems to me the simplest option here is NAT. When traffic from the Internet comes to your Mikrotik, you DNAT it to the private ("gray") IP address. And also do SNAT to the Mikrotik's IP in the same place. Then a packet with the src of the first Mikrotik will arrive at Mikrotik2 (and at the server), and the server will send the reply to it. The only point is that on the server you will then not be able to evaluate traffic by the incoming public ("white") IP addresses.
C) If you take Internet from the same provider, then be prepared for the fact that this provider has a single main node for providing Internet. If it fails (or planned maintenance is carried out on it), the Internet will fail on both Mikrotiks.
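The DNAT + SNAT scheme that both answers describe, written out as RouterOS CLI for Mikrotik1. This is an added example, not configuration from the asker or either answerer; the interface names l2tp-vpn1 and eoip-to-mt2 are assumptions, SERVER_IP is a placeholder for the server's private address, and 192.168.3.1 is Mikrotik1's address from the answer above.

```routeros
# Mikrotik1: accept HTTP arriving over VPN1, translate its destination to the
# server, and translate its source to Mikrotik1 so the server's replies come
# back through Mikrotik1 instead of through its own default gateway (Mikrotik2).
# Assumed names: l2tp-vpn1 = VPN1 interface, eoip-to-mt2 = EoIP tunnel to Mikrotik2.
# SERVER_IP = placeholder for the server's private address.
/ip firewall filter
add chain=forward in-interface=l2tp-vpn1 protocol=tcp dst-port=80 \
    action=accept comment="allow HTTP from VPN1 to server"

/ip firewall nat
# 1) dstnat runs in prerouting: public-side HTTP -> server.
#    NAT rules see only the first packet of a connection, so log=yes here
#    records one line per new connection with the client's real source IP,
#    which the server itself will no longer see after step 2.
add chain=dstnat in-interface=l2tp-vpn1 protocol=tcp dst-port=80 \
    action=dst-nat to-addresses=SERVER_IP to-ports=80 \
    log=yes log-prefix="http-in" comment="DNAT HTTP via VPN1 to server"
# 2) srcnat runs in postrouting, after the DNAT above, so dst-address already
#    matches the server. Rewriting the source to Mikrotik1's address forces
#    the reply path back through this router, where the connection-tracking
#    entry reverses both translations toward the original client.
add chain=srcnat out-interface=eoip-to-mt2 dst-address=SERVER_IP \
    protocol=tcp dst-port=80 action=src-nat to-addresses=192.168.3.1 \
    comment="SNAT so replies return via Mikrotik1"

# Check (interactive): the tracked connection should show the original
# client address on the outside and 192.168.3.1 -> SERVER_IP on the inside.
# /ip firewall connection print detail where dst-address~"SERVER_IP"
```

The same pair of rules repeated for the WAN1 interface gives the provider-local path through Mikrotik1; connections that enter directly at Mikrotik2 need no NAT there, because the server already replies to Mikrotik2 as its default gateway.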
