mikrobot

Failover with static routing and VPN between 2 sites.

Wed Oct 19, 2016 1:16 pm

Hi.

I'd like to make the following structure:
Structure.pdf
- 2 sites: one main site with servers and VoIP PBX, and one peripheral site with just a few workplaces and IP phones.
- 2 WAN links with ADSL at each site
- 2 LANs (one for VoIP traffic and one for data traffic) at each site
- 1 VPN between Site 1 and Site 2 using WAN 1 lines at each endpoint
- 1 DMZ or port forwarding to one device on Site 2 for remote management

In a normal working scenario, data from and to S1 coming/going from/to S2 should pass through the VPN link, for security.
Web traffic should go outside the VPN to Internet from each site.
Data traffic should use WAN 1
Internal VoIP traffic (extension to extension) should go through WAN 2 (no load balancing for the time being)
External VoIP traffic can go directly to internet, but always from WAN 2.

In case of failure of WAN 1 at any endpoint, I'd like to switch the VPN traffic to WAN 2 at the site that has the failure and re-establish the right path when the link comes back.

My questions:
- is it possible to create this scenario using 2 RB3011?
- is it possible to change the endpoint of the failed VPN from WAN 1 to WAN 2 using scripting? And is it really the right solution?
- should I create two VPN tubes between WAN 1-WAN 1 and WAN 2-WAN 2, and keep them always on, and the router will just address the active VPN for both LANs' traffic on failure?
- do I need public IP addresses set on the MikroTik router (using the provider router as a transparent bridge or something like that)?
- has anyone made this structure?
- are there any example configurations to be used? Or even scripts?
- what will happen if I add a third WAN at each side using an LTE device as a failover device for both ADSL lines? (extreme failure case)

I know it is a challenging set of questions but I'm sure there are valid ideas in this forum!
Thank you in advance for your support.