HughPH
newbie
Topic Author
Posts: 45
Joined: Sat Feb 13, 2016 2:55 am

One interface out, another interface in?

Sun May 28, 2017 9:32 pm

So this might sound a bit mad, but I want to send my outbound traffic through one interface and receive traffic through another interface. I'm using an RB2011. I do have the luxury of a CHR in AWS, and one static IP here.

I have two lines, one is VDSL (with static IP), the other is LTE (with dynamic IP)

The LTE line is much faster than the VDSL line:
LTE - 30Mbps down, 5-6Mbps up
VDSL - 25Mbps down, 1.5Mbps up

However, it costs A LOT to use data on the LTE line.

I'd like to use LTE for my uplink, and VDSL for my downlink.

Is this possible? Can I trick loadbalancing into doing the dirty work for me, by each end using a different line/tunnel/interface as primary?

Thanks!
 
BartoszP
Forum Guru
Posts: 3042
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: One interface out, another interface in?

Sun May 28, 2017 9:53 pm

Globally no.

Sending data via LTE implies that traffic leaves your router with LTE IP so the receiver sends it back to this address. Even if you manage to fool the receiver and "persuade" it to send such traffic to VDSL line then its or your router's firewall should block such traffic at least as "suspected" or "untrusted". How do you want to distinguish good traffic from the dangerous one if there is no connection match of source and destination addresses?

You should consider routing traffic to resource/traffic heavy addresses via non-LTE interface so if you load page with e.g. YouTube content embedded then that content should go via VDSL. The problem is to identify all "heavy" traffic.
 
HughPH
newbie
Topic Author
Posts: 45
Joined: Sat Feb 13, 2016 2:55 am

Re: One interface out, another interface in?

Sun May 28, 2017 11:58 pm

I was hoping to leverage the CHR in AWS as a connection aggregation point. Something like:

LTE -> CHR
VDSL -> CHR

CHR -> Rest of World
 
HughPH
newbie
Topic Author
Posts: 45
Joined: Sat Feb 13, 2016 2:55 am

Re: One interface out, another interface in?

Mon May 29, 2017 10:47 am

What if I used Broadcast bonding but blocked outbound traffic from the VDSL interface to the bonding interface here, and outbound traffic from the bonding interface to the LTE line at the CHR?
 
BartoszP
Forum Guru
Posts: 3042
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: One interface out, another interface in?

Mon May 29, 2017 11:10 am

Better one is TLB https://wiki.mikrotik.com/wiki/Manual:I ... alance-tlb
balance-tlb

This mode balances outgoing traffic by peer. Each link can be a different speed and duplex mode and no specific switch configuration is required as for the other modes. Downside of this mode is that only MII link monitoring is supported and incoming traffic is not balanced. Incoming traffic will use the link that is configured as "primary".
 
HughPH
newbie
Topic Author
Posts: 45
Joined: Sat Feb 13, 2016 2:55 am

Re: One interface out, another interface in?

Mon May 29, 2017 12:57 pm

Thanks Bartosz

With VDSL being primary, I would get my wish to have inbound traffic only on VDSL.

Do you know if I could cleanly force all traffic to use LTE for outgoing? Or would I need to block traffic between the bonding interface and physical interface, and rely on fallback? I imagine that could add some delay to connection initiation? Could I set opposite primary interfaces at each end, and would that do it?
 
cdiedrich
Forum Veteran
Posts: 997
Joined: Thu Feb 13, 2014 2:03 pm
Location: Basel, Switzerland // Bremen, Germany

Re: One interface out, another interface in?

Mon May 29, 2017 1:34 pm

I would set up two tunnels, one on each WAN interface, of your preferred flavor to your CHR. (As you are using a MIPSBE device on your local end, I wouldn't use IPsec here because of its b/w limitations on that hardware platform)
Then set routes with according distances in both directions:

2011 to CHR via LTE tunnel distance=10
2011 to CHR via VDSL tunnel distance=20
CHR to 2011 via VDSL tunnel distance=10
CHR to 2011 via LTE tunnel distance=20

And let the CHR do all the NAT and firewalling job. Just route your traffic through the tunnels and you have a perfect asymmetric traffic (and even failover if one WAN interface goes down).
-Chris
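
The route layout from the post above written out as RouterOS configuration, added here as an illustration and not taken from the thread. Assumed: both tunnels already exist as interfaces `tun-lte` and `tun-vdsl` on each router, each carried over its own WAN; the LAN is 192.168.88.0/24; the CHR's internet-facing interface is `ether1`; the 10.255.x.x tunnel addresses are made up.

```routeros
# ---------- RB2011 (local end) ----------
# Hypothetical point-to-point addressing inside the two tunnels.
/ip address add address=10.255.1.2/30 interface=tun-lte
/ip address add address=10.255.2.2/30 interface=tun-vdsl

# Outbound: prefer the LTE tunnel, fall back to VDSL if its gateway stops answering.
# Any default route learned directly from a WAN must have a higher distance than
# these two, otherwise LAN traffic bypasses the CHR.
/ip route add dst-address=0.0.0.0/0 gateway=10.255.1.1 distance=10 check-gateway=ping comment="out via LTE tunnel"
/ip route add dst-address=0.0.0.0/0 gateway=10.255.2.1 distance=20 check-gateway=ping comment="fallback via VDSL tunnel"

# Replies arrive on tun-vdsl while the best route to their source points at
# tun-lte. Strict reverse-path filtering would drop them; use loose (or the
# default "no").
/ip settings set rp-filter=loose

# No masquerade on the tunnel interfaces here: the CHR does the NAT, so LAN
# source addresses must reach it unchanged.

# ---------- CHR (AWS end) ----------
/ip address add address=10.255.1.1/30 interface=tun-lte
/ip address add address=10.255.2.1/30 interface=tun-vdsl

# Return path: prefer the VDSL tunnel, fall back to LTE.
/ip route add dst-address=192.168.88.0/24 gateway=10.255.2.2 distance=10 check-gateway=ping comment="in via VDSL tunnel"
/ip route add dst-address=192.168.88.0/24 gateway=10.255.1.2 distance=20 check-gateway=ping comment="fallback via LTE tunnel"

# Same asymmetry as on the RB2011: LAN packets arrive on tun-lte but the best
# route back to the LAN is tun-vdsl.
/ip settings set rp-filter=loose

# NAT and stateful filtering happen only here. Connection tracking matches on
# addresses and ports, not on the interface, so a flow that enters on tun-lte
# and whose replies leave on tun-vdsl is still one tracked connection.
/ip firewall nat add chain=srcnat src-address=192.168.88.0/24 out-interface=ether1 action=masquerade
/ip firewall filter add chain=forward connection-state=established,related action=accept
/ip firewall filter add chain=forward src-address=192.168.88.0/24 out-interface=ether1 action=accept
/ip firewall filter add chain=forward action=drop comment="nothing unsolicited reaches the LAN"
```

The final drop rule assumes an otherwise empty forward chain on the CHR; on a router with existing rules, place it after them.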
 
HughPH
newbie
Topic Author
Posts: 45
Joined: Sat Feb 13, 2016 2:55 am

Re: One interface out, another interface in?

Mon May 29, 2017 4:26 pm

Brilliant, thanks Chris! This seems like exactly what I was looking for.

Bearing in mind my b/w is unlikely to increase from ~25-30Mbps in the foreseeable future, is ipsec overhead really a concern?

Cheers
 
cdiedrich
Forum Veteran
Posts: 997
Joined: Thu Feb 13, 2014 2:03 pm
Location: Basel, Switzerland // Bremen, Germany

Re: One interface out, another interface in?

Mon May 29, 2017 4:47 pm

Glad to hear that helps.
Yes, ipsec is a concern on mipsBE - I haven't seen any of those doing more than 5 (8 under really good conditions) MBit of IPsec :-/
-Chris
 
HughPH
newbie
Topic Author
Posts: 45
Joined: Sat Feb 13, 2016 2:55 am

Re: One interface out, another interface in?

Mon May 29, 2017 8:00 pm

OK, thanks for that!

I guess I could create two unencrypted tunnels and run OVPN over the asymmetric "line" if I wanted it to be secure.