Hi all,
I have a 2 gateway setup. I have my primary gateway on ether1 and a secondary gateway on ether2. The primary gateway on ether1 has a static IP address.
The router is connected to the ISP’s DSL modem router. This connection is working. However, I am unable to connect through this gateway. I cannot see any error in the logs, at least in the way they are currently configured. I had the ISP check their connection and it is working.
The secondary gateway however is working. This gateway has an IP address from a dhcp-server belonging to the ISP.
Is there something wrong with the way I have configured my router?
This configuration used to work. The only thing that I have done is to update routerOS regularly.
See below for the detailed router configuration.
Note:
I am trying to attach it to keep things clean.
Pranav all_config_nonairtel.rsc (11 KB)
Not sure how pppoe works, but for security purposes I would remove any usernames, passwords and any public IP addresses from your config.
As to the config, I didn't get past your IP addresses, which are wrong.
You have ONE bridge, and one subnet and pool and address associated so not sure what you are trying to do with this…
A bridge should only have one address associated. If you need multiple subnets, then use the bridge for one address covering the applicable ports and use a separate subnet and address for each different port. OR use one bridge for all LAN ports and use vlans to distribute the subnets as required.
If you have pppoe, I don't think an address is appropriate.
Similarly, if you tell the pppoe to have a default route then a manual IP route is not appropriate.
Suggest you do not apply a default route in pppoe if you want to do some recursive routing manually
Ok, let’s ignore the routes marked as DAc (Dynamic, Active, connect), they are automatically created by the settings in /ip address.
The three routes you have:
0 Xs 0.0.0.0/0 122.176.152.1
1 As 0.0.0.0/0 122.176.152.1 1
D d 0.0.0.0/0 192.168.100.1 2
the first, #0 is disabled (X) so it is like it doesn’t exist.
the second, #1, is the route that can be taken (Active, static) and it is the same as the previous one with a check-gateway added.
The third is “D d” a route coming from the DHCP server (Dynamic and d) which is not active (i.e. it is not DAd) because it has a greater distance (distance=2) than the route before (that has distance=1).
The second route goes through ether1.
The third route goes through a local gateway (likely your ISP’s modem/router) and is obtained by the setting:
Both ether1 and ether2 are categorized as WAN, ok.
The firewall nat is confusing:
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN   ← this should cover BOTH ether1 and ether2
add action=redirect chain=dstnat dst-port=53 protocol=udp to-addresses=192.168.88.1 to-ports=53
add action=src-nat chain=srcnat disabled=yes ipsec-policy=out,none out-interface=ether1 to-addresses=122.176.78.92   ← this is disabled
add action=masquerade chain=srcnat out-interface=ether1   ← this should be removed, as ether1 is part of WAN and the first rule already covers that
So, this configuration has grown over time. I no longer use pppoe and the user name and password have no meaning.
One thing I was told is that I could associate multiple network segments with a single interface which is why there are those multiple segments on the bridge.
Ether1 is the primary Airtel gateway, which has the static IP address. It has a modem from Airtel (my primary ISP) connected to it.
Ether2 also has an ISP modem connected to it. That takes its address from DHCP. That is my secondary ISP.
As for vlans, my understanding is that if I use vlans, I need to have a vlan-aware switch. I do not have that. My only reason for having multiple segments is to take out devices that need static IP addresses, like my NAS box and some cameras.
I know I can use the make-static command to make a DHCP address permanent for a device. I have begun doing this now, but the old configuration persists.
Here is what I have done so far.
Removed the pppoe client. It is not needed.
Disabled the third entry in /ip firewall nat
Added comments to the nat entries for ease of reference.
I have a recursive route set. Before the upgrade, I had no problem with this configuration.
I see from one of Anav’s posts that I need to set scope, distance and target but do not know what to set those values to.
I am happy to clean up this configuration as well.
Pranav
Yep, but your LAN (the bridge) has three networks (192.168.3.0, 192.168.88.0 and 192.168.89.0, with the DHCP server on 192.168.88.1). The device connected to ether2 must be a router (as 192.168.100.1 is a private address); the device has a DHCP server and the MikroTik gets the address for ether2 from it, as 192.168.100.2.
I am not sure I understand which kind of device the Airtel one at 122.176.152.1 is.
Anyway, can you ping 122.176.152.1 from the hAP ac2?
And what happens with a traceroute to (say) 8.8.8.8?
Hi all,
Many thanks for your advice and patience so far. I have done significant cleaning of the configuration. At one point, I did try defining a vlan but that failed so I have deleted the extra IP addresses and vlans away.
I have also cleaned things up considerably.
I am attaching the updated configuration file.
Also, see the output of /ip route print and /ip address:
[pranav@ConShield] /ip/route> print
Flags: D - DYNAMIC; A - ACTIVE; c - CONNECT, s - STATIC, d - DHCP
Columns: DST-ADDRESS, GATEWAY, DISTANCE
# DST-ADDRESS GATEWAY DISTANCE
0 As 0.0.0.0/0 122.176.152.1 1
D d 0.0.0.0/0 192.168.100.1 2
DAc 122.176.152.0/24 ether1 0
DAc 192.168.88.0/24 bridge 0
DAc 192.168.89.0/24 vlan10 0
DAc 192.168.100.0/24 ether2 0
The connection on ether1 is IPv4. I have deleted the IPv6 interface, which was cluttering things up.
One of my ISPs was going to transition to IPv6 but that did not happen. I should have cleaned it out but did not.
I am attaching the latest configuration. latest.rsc (9.81 KB)
I had added these raw rules in the belief that they would make the router less prone to attacks. Has that changed? Should I delete all the raw rules from 1 to 21?
I have also further simplified things: I have disabled the failover completely. I am thinking it may be easier to add the failover back in from scratch. Here is the updated routing table.
[pranav@ConShield] /ip/route> print
Flags: D - DYNAMIC; A - ACTIVE; c - CONNECT, s - STATIC
Columns: DST-ADDRESS, GATEWAY, DISTANCE
# DST-ADDRESS GATEWAY DISTANCE
0 As 0.0.0.0/0 122.176.152.1 1
DAc 122.176.152.0/24 ether1 0
DAc 192.168.88.0/24 bridge 0
DAc 192.168.100.0/24 ether2 0
As I see it, the “normal”, “default” firewall is good enough in most cases. It can be tweaked and tuned, but the base is solid. Using firewall raw should be needed only in exceptional cases, and it is easy to accidentally insert a restrictive rule in it that does more than what you expect, so, at least for testing, rules in firewall raw should be removed (and, if the case, only added later).
Hi @jaclaz
I have read the post at http://forum.mikrotik.com/t/failover-routeros-v7/183285/1 several times but am not sure what applies to my situation. I have tried looking for documentation on targets and scopes and have found some answers but am still confused.
I understand up to the point where my default route via my primary gateway has to have a lower distance value than that of the route from the secondary gateway.
I am, however, confused by scopes and targets. Still, here are the commands I plan to run.
add dst-address=8.8.8.8/32 gateway=122.176.152.1 scope=10 comment="Primary check IP via ether1"
add dst-address=208.67.222.222/32 gateway=192.168.100.1 scope=10 comment="Secondary check IP via ether2"
add dst-address=0.0.0.0/0 gateway=8.8.8.8 distance=1 target-scope=10 check-gateway=ping comment="Primary default route"
add dst-address=0.0.0.0/0 gateway=208.67.222.222 distance=2 target-scope=10 check-gateway=ping comment="Secondary default route"
No, the target scope of the “main” route (through the canary address) should be +1 of the “narrow” route, and this latter +1 of the scope (and the scopes can all be the same, like 10). It may not be, strictly speaking, 100% correct, but it is easy to remember, i.e.:
BUT, at the end of the day if Primary fails, then Secondary should be enabled but what other (Tertiary) connection do you have?
If none the above can be simplified to:
The logic is that you check Primary, and if it fails then Secondary becomes active; but since you have no other way out, checking if Secondary is working is not needed, as EITHER:
it works and you have connection
OR:
it doesn’t work and you don’t have connection
checking if it has connection has no use as it doesn’t really change anything, when (if) Primary resumes, Secondary will become non active, no matter if it has connection or not.
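As an added illustration (not from the thread or from RouterOS itself) of the scope/target-scope resolution rule and the failover logic described above: a small Python model of recursive next-hop resolution. The route table, the 8.8.8.8 canary and the 12/11 target-scope values are assumptions chosen to mirror the thread, and only the "candidate scope <= resolving route's target-scope, longest prefix wins" rule is modelled.

```python
import ipaddress

# Constructed table modelled on the thread's addresses (assumed values, not the
# poster's export): connected routes, a /32 "canary" route to the check IP via
# the primary gateway, and two default routes. Scopes/target-scopes follow the
# "all scopes 10, each resolving hop +1 target-scope" rule from the reply above.
ROUTES = [
    {"dst": "122.176.152.0/24", "gw": "ether1", "distance": 0, "scope": 10, "target_scope": 10},
    {"dst": "192.168.100.0/24", "gw": "ether2", "distance": 0, "scope": 10, "target_scope": 10},
    {"dst": "8.8.8.8/32", "gw": "122.176.152.1", "distance": 1, "scope": 10, "target_scope": 11},
    {"dst": "0.0.0.0/0", "gw": "8.8.8.8", "distance": 1, "scope": 30, "target_scope": 12, "check": "ping"},
    {"dst": "0.0.0.0/0", "gw": "192.168.100.1", "distance": 2, "scope": 30, "target_scope": 10},
]
# Same table with the canary route left at the static default scope of 30: it is
# then not eligible to resolve the primary default route (target-scope 12).
BAD_ROUTES = [dict(r, scope=30) if r["dst"] == "8.8.8.8/32" else r for r in ROUTES]

def resolve(route, routes):
    """Egress interface the route's gateway resolves to, or None if unresolvable.
    An IP gateway is looked up among the other routes: only routes with scope <=
    this route's target-scope are eligible, longest prefix wins, then recurse."""
    try:
        gw_ip = ipaddress.ip_address(route["gw"])
    except ValueError:
        return route["gw"]  # an interface-name gateway ends the recursion
    cands = [r for r in routes if r is not route
             and gw_ip in ipaddress.ip_network(r["dst"])
             and r["scope"] <= route["target_scope"]]
    if not cands:
        return None
    best = max(cands, key=lambda r: ipaddress.ip_network(r["dst"]).prefixlen)
    return resolve(best, routes)

def active_default(routes, failed_pings=frozenset()):
    """Active 0.0.0.0/0 route: lowest distance among routes that resolve and whose
    check-gateway=ping target is not in failed_pings. Returns (gateway, interface)."""
    usable = [r for r in routes if r["dst"] == "0.0.0.0/0"
              and resolve(r, routes) is not None
              and not (r.get("check") == "ping" and r["gw"] in failed_pings)]
    if not usable:
        return None
    best = min(usable, key=lambda r: r["distance"])
    return best["gw"], resolve(best, routes)

if __name__ == "__main__":
    print(active_default(ROUTES))               # primary up: ('8.8.8.8', 'ether1')
    print(active_default(ROUTES, {"8.8.8.8"}))  # canary unreachable: ('192.168.100.1', 'ether2')
    print(active_default(BAD_ROUTES))           # canary scope 30: falls to secondary
```

The third case shows the failure mode the thread warns about: if the canary route's scope is larger than the main route's target-scope, the primary default never resolves and the secondary carries all traffic even while the primary link is healthy.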
Many thanks for your explanation. I think I understand recursive routes better and have implemented your simplified approach. However, I am considering the netwatch approach since I can get notifications. Here is my set of commands. Are they correct?
Strictly speaking, you can “set scope to 10 and forget”, because in the background RouterOS silently increases the scope value of the route to become at least 1 more than the scope of the gateway (see IP Routing - RouterOS - MikroTik Documentation).
So, if we want to be explicit, your example routes should be like this: