02-12-2019 12:15 PM - edited 02-13-2019 06:32 AM
Hi, I encountered a problem for which I cannot find an elegant solution:
I manage some sites with EdgeRouters and dual WANs, and to reach them from the outside our DNS provider is configured to do failover with round-robin or 50-50.
The problem is that some sites have one or both ISPs in common, and as they are in the same city sometimes they are also on the same WAN network segment. It happens that SITE-A can't connect to SITE-B because, for example, packets start from WAN1 / ISP-1 (by load-balance policy) with destination SITE-B on WAN2 / ISP-2 (which is what the DNS resolved), but SITE-B realizes that it can respond directly through WAN1 / ISP-1, so a new connection arrived on WAN2 but it is responded to using WAN1 and fails.
- I can't configure (A.K.A haywire) the EdgeRouter to resolve the DNS itself where this happens, every time the configured remote site's ISP goes down I would have to reconfigure. And the IPs can be dynamic.
- I also can't configure the PBR / load-balance modify rules to solve this problem because I can't know in advance what WAN is up on the remote site and which is working on the origin.
- I thought of writing load-balance groups that ping the remote sites' IPs to use on the modify rules. It could work, but imagine I have N sites and writing (N-1) load-balance groups in each one. Not elegant (and also N-1 different scripts, because it is not possible to configure route tests to hostnames, only to IPs).
- I don't want to pay for a cloud to connect every site with a VPN or tunnel through it, this is what this post is all about.
I tried creating a modify rule that marks new packets based on WAN origin, using the WAN1 in direction and WAN2 in direction, but I cannot modify local-WAN traffic because there is no option on the CLI to do that so local services like SSH or VPN are still not working with this solution.
Anyone with a clever idea here? Thanks!!!
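The failure described above is asymmetric return routing: a connection arrives on WAN2, but the reply is routed by the load-balance policy and leaves through WAN1 with a WAN2 source address, so the ISP drops it or the far end never matches it to the connection. The following is an added example, not code from the original post or from EdgeOS: it models the reply-path decision and generates the plain iproute2 commands (source-based policy routing, one table per WAN) that pin locally generated replies to the WAN whose address they carry. Interface names, addresses, gateways and table numbers are constructed sample values, and the commands assume a Linux router with iproute2 rather than the EdgeOS configuration CLI.

```python
"""Source-based return routing for a dual-WAN Linux router.

Added example, not code from the original post. Assumes a Linux router
with iproute2; the commands are plain iproute2, not EdgeOS CLI syntax.
All interface names, addresses and table ids are constructed samples.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_interface


@dataclass(frozen=True)
class Wan:
    name: str      # kernel interface name (constructed)
    address: str   # local WAN address with prefix length (constructed)
    gateway: str   # ISP next hop (constructed)
    table: int     # routing table id reserved for this WAN (constructed)


# Constructed sample topology using TEST-NET ranges, not real ISPs.
WANS = [
    Wan("eth0", "203.0.113.10/24", "203.0.113.1", 201),   # WAN1 / ISP-1
    Wan("eth1", "198.51.100.20/24", "198.51.100.1", 202),  # WAN2 / ISP-2
]


def return_path_commands(wans):
    """Build iproute2 commands so that any packet *sourced from* a WAN
    address leaves through that WAN, regardless of what the main or
    load-balance table would choose.

    A reply from a local service (SSH, a VPN daemon) carries the address
    the connection arrived on as its source address, so a source-based
    rule is sufficient to keep the reply on the same ISP.
    """
    cmds = []
    for w in wans:
        local = ip_interface(w.address)
        # Per-WAN table: the connected subnet plus a default via that ISP.
        cmds.append(f"ip route replace {local.network} dev {w.name} "
                    f"src {local.ip} table {w.table}")
        cmds.append(f"ip route replace default via {w.gateway} "
                    f"dev {w.name} table {w.table}")
        # Policy rule consulted before the main table (priority < 32766):
        # traffic sourced from this WAN's address uses this WAN's table.
        cmds.append(f"ip rule add from {local.ip} lookup {w.table} "
                    f"priority {1000 + w.table}")
    cmds.append("ip route flush cache")
    return cmds


def egress_for_reply(source_ip, wans, default_egress):
    """Model the kernel's rule lookup for one reply packet.

    With a matching 'from <WAN address>' rule the reply exits that WAN;
    without one it falls back to whatever the load-balance policy picked,
    which is the asymmetric case that breaks the connection.
    """
    src = ip_address(source_ip)
    for w in wans:
        if ip_interface(w.address).ip == src:
            return w.name
    return default_egress


if __name__ == "__main__":
    # Reply to a connection that arrived on WAN2, load balancer prefers WAN1.
    print("without rules:", egress_for_reply("198.51.100.20", [], "eth0"))
    print("with rules:   ", egress_for_reply("198.51.100.20", WANS, "eth0"))
    print("\n".join(return_path_commands(WANS)))
```

The generated rules only fix replies from services on the router itself; forwarded traffic from the LAN still follows the load-balance policy, which is where connection marking comes in. Note that when `ip_interface` is given a bare address the rule matches only that host address, which is what is wanted here.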