How can I set up gateway redundancy?

I’m attempting to set up a mixed-use wireless network, no RADIUS (or at least not client-side) and no encryption so guests can join. That means I’d need a tunnel so domain users can be authenticated, managed and have their traffic encrypted. It also needs to adapt quickly/be always-on. A couple of protocols offer this, IKEv2 and OpenVPN. IKEv2 doesn’t support multicast though. I’m not sure about OpenVPN since L2 is not supposed to be supported on mobile clients. But for some reason ZeroTier does it, and supports multicast on top of that, so I’m testing it out.

For the gateway I chose OPNsense, because it’s the easiest. I deployed two routers from scratch and added them both to all the networks involved. I got sidetracked trying to get OSPF (FRR) to run on OPNsense, the FreeBSD version. Then I thought of a few options I think I could use to set this up (your advice/opinion/comment is welcome):

Dual independent gateways

Option one: setting both routers as default gateways in the virtual network. They’d be in positions .1 and .2. And of course working in layer 3.

Gateways with conflicting address

Option two: setting them both with the same ZeroTier virtual address but I don’t know if that’s allowed. This is in part why I need OSPF in them.

Gateways with shared virtual address

Option three: similar to the previous one, have the same network address, but instead of actually having the same address they would share the network address of a virtual VRRP router.

L2 + Spanning Tree Protocol

For the fourth option I’m a bit more hesitant because it involves setting both routers in L2 mode and putting the gateway on a third router in the physical network. Then I’d just have *STP shut down one of the links to prevent a broadcast storm — I only need HA, since it’s for mobile clients, I don’t expect a high enough load to balance.

And just now, I’m thinking of a fifth option: CARP, which I’m already using in these exact two routers; I set it up temporarily to help replicate settings between the two.

That is a lot of testing that probably I should not need to run if I knew beforehand what’s supported (or what’s not) in the VL2 layer. On Multipath, all cases/examples appear to apply to VL1, on a single host; even “peer-specific bonds” is VL1-centric.

Could you help me with a little insight on this? Please? :slight_smile:
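Options three and five both rely on a first-hop redundancy election: two routers share one virtual address, the one with the higher priority owns it and advertises, and the backup claims it when the advertisements stop. The simulation below is an added illustration, not code from the post, from ZeroTier or from OPNsense. It models the VRRP state machine from RFC 5798 (priority, advertisement interval, Master_Down_Interval with skew, and optional preemption); CARP uses a comparable advertisement/skew scheme, but its exact timer arithmetic is not reproduced here. Router names gw1/gw2, the priorities and the fail/recover times are all hypothetical.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

ADVERT_MS = 1000   # VRRP default advertisement interval (1 s)
TICK_MS = 10       # simulation granularity


@dataclass
class Router:
    name: str
    priority: int            # 1..254, higher wins (assumed distinct per router)
    preempt: bool = True     # take the VIP back from a lower-priority master
    alive: bool = True
    state: str = "BACKUP"
    last_advert_rx: int = 0  # when this router last heard a master
    last_advert_tx: int = 0  # when this router last advertised as master

    def master_down_ms(self) -> int:
        """Master_Down_Interval = 3 * Advertisement_Interval + Skew_Time,
        Skew_Time = (256 - priority) / 256 * Advertisement_Interval (RFC 5798).
        A higher priority waits less, so it also wins the start-up race."""
        skew = (256 - self.priority) * ADVERT_MS // 256
        return 3 * ADVERT_MS + skew


def simulate(routers: List[Router], events: Dict[int, List[Tuple[str, str]]],
             duration_ms: int) -> List[Tuple[int, str]]:
    """events maps a time in ms to [(router_name, 'fail'|'recover')].
    Returns [(t_ms, router_name)] for every hand-over of the virtual address."""
    by_name = {r.name: r for r in routers}
    handovers: List[Tuple[int, str]] = []

    def deliver(sender: Router, t: int) -> None:
        """Every other live router processes the sender's advertisement."""
        for r in routers:
            if r is sender or not r.alive:
                continue
            if r.state == "BACKUP":
                if r.preempt and sender.priority < r.priority:
                    become_master(r, t)   # preempt the weaker master
                else:
                    r.last_advert_rx = t  # master is alive: reset the timer
            elif sender.priority > r.priority:
                r.state, r.last_advert_rx = "BACKUP", t  # two masters: weaker steps down

    def become_master(r: Router, t: int) -> None:
        r.state, r.last_advert_tx = "MASTER", t
        if not handovers or handovers[-1][1] != r.name:
            handovers.append((t, r.name))
        deliver(r, t)  # a new master advertises immediately

    for t in range(0, duration_ms + 1, TICK_MS):
        for name, action in events.get(t, []):
            r = by_name[name]
            r.alive = action == "recover"
            r.state = "BACKUP" if r.alive else "INIT"
            r.last_advert_rx = t
        # periodic advertisements from whoever currently holds the address
        for r in [r for r in routers if r.alive and r.state == "MASTER"]:
            if t - r.last_advert_tx >= ADVERT_MS:
                r.last_advert_tx = t
                deliver(r, t)
        # backups whose master went silent claim the address
        for r in routers:
            if r.alive and r.state == "BACKUP" and t - r.last_advert_rx >= r.master_down_ms():
                become_master(r, t)
    return handovers


def scenario(preempt: bool) -> List[Tuple[int, str]]:
    """Constructed scenario: gw1 (priority 200) fails at 10 s and returns at 20 s."""
    gw1 = Router("gw1", priority=200, preempt=preempt)
    gw2 = Router("gw2", priority=100)
    events = {10_000: [("gw1", "fail")], 20_000: [("gw1", "recover")]}
    return simulate([gw1, gw2], events, 25_000)


if __name__ == "__main__":
    for t, owner in scenario(preempt=True):
        print(f"{t / 1000:6.2f}s  virtual address now on {owner}")
```

With preemption, gw1 wins the initial election at about 3.2 s, gw2 takes the address roughly 3.6 s after gw1's last advertisement, and gw1 reclaims it on the first advertisement it hears after recovering. With preemption off, gw2 keeps the address after gw1 returns; that is the knob that avoids a second flap for the mobile clients when the primary comes back.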