Mattias
newbie
Topic Author
Posts: 46
Joined: Sat Jul 25, 2009 2:40 am
Location: Stockholm, Sweden

Failover for internal hosting servers

Fri Nov 04, 2011 4:01 pm

Hello!

I am in the making of a webhosting company that uses 4 servers with 2 of them working as a mirror for the first 2. I have 1 ISP connection with some public IPs and then I NAT everything to local IPs. I would like to have some kind of failover script that switches the internal LAN IP/NAT rule of the main server to the mirror server if a PING check does not succeed, is this possible? In other words, the mirrors are NEVER going to be used as long as the main servers are operational.

I've read some things about PCC and such, but I do not believe that this is the same thing? Correct me if I am wrong!?

Best regards,
Mattias Nurmi
 
bsidgo
just joined
Posts: 8
Joined: Fri Nov 04, 2011 5:42 pm

Re: Failover for internal hosting servers

Fri Nov 04, 2011 7:07 pm

Since you are doing NAT, this is pretty simple. Typically, I see this done as a round-robin style, but you can do it as a backup route as well.

The following example would be a default route that is equally shared with 10.10.10.1 and 10.10.9.1:
/ ip route add dst-address=0.0.0.0/0 gateway=10.10.10.1,10.10.9.1 check-gateway=ping

The following example would contain two routes, one preferred:
/ ip route add dst-address=0.0.0.0/0 gateway=10.10.10.1 distance=1 check-gateway=ping
/ ip route add dst-address=0.0.0.0/0 gateway=10.10.9.1 distance=5 check-gateway=ping

If you require additional customization or you do not have the option of using the check-gateway option, look into find in combination with netwatch.

With /tools netwatch, you can specify a host IP (your transit provider's gateway), and execute a simple script on up or down events. I would use a script that uses find. For example, the following would disable a route with a certain gateway:
{/ip route set [/ip route find where gateway=10.10.9.2] disabled=yes}

Note that the script is pretty much a find command from the terminal enclosed by {}'s. This makes it easy to make sure your script will work. From the terminal, you could run:
/ip route set [/ip route find where gateway=10.10.9.2] disabled=yes
 
Mattias
newbie
Topic Author
Posts: 46
Joined: Sat Jul 25, 2009 2:40 am
Location: Stockholm, Sweden

Re: Failover for internal hosting servers

Thu Nov 10, 2011 10:15 am

Hello and sorry for the late reply, I've really been busy!

I do not understand the routes you made, are they not pointing to an outside network when using 0.0.0.0/0? I must point the public IP to 2 local IPs with failover. I hope I do not misunderstand you but this is the current setup:


70.70.70.70 <-- Public IP (EXAMPLE)
|
|
NAT
|
|
192.168.10.2 (Main server)/ 192.168.10.3 (Mirror Server)

The public IP should point to Main server when a ping is active and IF the ping fails it should autochange to the Mirror server and start using that one, but when the ping gets active on the Main server it should go back as normal.

I have never done anything with netwatch and my skills are very low at that point, I would be very glad if you could explain a bit more, though I would prefer the "routing" method or some NAT rule instead.

Best regards,
Mattias
 
bsidgo
just joined
Posts: 8
Joined: Fri Nov 04, 2011 5:42 pm

Re: Failover for internal hosting servers

Mon Nov 14, 2011 9:16 pm

You're absolutely correct, I misunderstood what you were asking. The info I previously provided was to have an active failover between two transit providers (WAN links). What you want to do is possible with netwatch. Do you have other devices that use the public IP and exist within the 192.168.10.0/24 subnet? If not, you can just do a 1 to 1 NAT to either 192.168.10.2 or 192.168.10.3 based on netwatch reach-ability. You can use the find tool I mentioned above to change the NAT rules on up/down events.

I don't want to complicate things drastically, but I don't think that pinging the server is a great way to determine reach-ability on webservers. This is not to say that you shouldn't have netwatch running, as it can catch some customer facing outage events. It just has the potential to miss a lot as well. I do not know what web daemon/server you are using, but with apache, for instance, you would probably want to have nagios or something running to check http constantly.

I hope this helps at least a little!
 
om3
just joined
Posts: 1
Joined: Tue Nov 15, 2011 12:04 pm

Re: Failover for internal hosting servers

Tue Nov 15, 2011 12:14 pm

Hi,

I suggest using the MikroTik scripting language and scheduler instead of netwatch.
Something like:

:if ([/ping xx.xx.xx.xx count=3]=0) do={:log info "main webserver down"; /ip firewall nat set [find comment="webserver1"] disabled=yes; /ip firewall nat set [find comment="webserver2"] disabled=no}

And something reverse to check if the main webserver is up again.
This is very simple and basic.

c u
 
Mattias
newbie
Topic Author
Posts: 46
Joined: Sat Jul 25, 2009 2:40 am
Location: Stockholm, Sweden

Re: Failover for internal hosting servers

Sun Nov 20, 2011 10:05 pm

Hello and thank you all for your help!

The last post about scripting was very interesting, I am currently trying to implement the script in my router to test it.

Would it be best to schedule the first failover script to run every minute, 5min or more.. any thoughts?

The reverse script is more complicated in my own eyes, you would have to check if the first script was active and if you are currently using the backup route, am I right? Then IF you are, the script must constantly check if the first IP is pingable, right?

Could someone help me with a reverse script for this one?

The only thing I could come up with is this:


:if ([/ping 192.168.10.2 count=10]=0) do={:log info "main server down"; /ip firewall nat set [find comment="server1.example.com DST"] disabled=yes; /ip firewall nat set [find comment="server1.example.com SRC"] disabled=yes; /ip firewall nat set [find comment="server2.example.com DST"] disabled=no; /ip firewall nat set [find comment="server2.example.com SRC"] disabled=no}

:if ([/ping 192.168.10.2 count=10]>0) do={:log info "main server up"; /ip firewall nat set [find comment="server2.example.com DST"] disabled=yes; /ip firewall nat set [find comment="server2.example.com SRC"] disabled=yes; /ip firewall nat set [find comment="server1.example.com DST"] disabled=no; /ip firewall nat set [find comment="server1.example.com SRC"] disabled=no}

Or is this good enough? My mind is not working right now :lol:

Best regards,
Mattia
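
Added example (not part of any post in this thread): one scheduled RouterOS script that handles both failover and failback by first reading which NAT rule is currently active, so it only changes rules on a real state change. The script name web-failover, the global variable webFailCount and the threshold of 3 failed runs are assumptions; the IP and rule comments are the ones from the post above.

```routeros
# Added example, not from the thread. Assumed: 192.168.10.2 is the main
# server, the four NAT rules carry the comments used in the post above,
# and 3 failed runs in a row are required before failing over.
# Save as a script (the name web-failover is hypothetical) and run it with:
#   /system scheduler add name=web-failover interval=1m on-event=web-failover

:global webFailCount
:if ([:typeof $webFailCount] = "nothing") do={ :set webFailCount 0 }

:local replies [/ping 192.168.10.2 count=5]
# true while the main server's rule is disabled, i.e. the mirror is in use
:local onMirror [/ip firewall nat get [find comment="server1.example.com DST"] disabled]

# Count consecutive runs with no reply at all; any reply resets the counter
:if ($replies = 0) do={
    :set webFailCount ($webFailCount + 1)
} else={
    :set webFailCount 0
}

# Fail over once, and only after 3 failed runs, so one lost ping burst
# does not flip the NAT rules back and forth
:if (($webFailCount >= 3) && (!$onMirror)) do={
    :log warning "main server down, NAT switched to mirror"
    /ip firewall nat set [find comment="server1.example.com DST"] disabled=yes
    /ip firewall nat set [find comment="server1.example.com SRC"] disabled=yes
    /ip firewall nat set [find comment="server2.example.com DST"] disabled=no
    /ip firewall nat set [find comment="server2.example.com SRC"] disabled=no
}

# Fail back as soon as the main server answers again
:if (($replies > 0) && $onMirror) do={
    :log info "main server up, NAT switched back to main"
    /ip firewall nat set [find comment="server2.example.com DST"] disabled=yes
    /ip firewall nat set [find comment="server2.example.com SRC"] disabled=yes
    /ip firewall nat set [find comment="server1.example.com DST"] disabled=no
    /ip firewall nat set [find comment="server1.example.com SRC"] disabled=no
}
```

With a 1 minute interval and the 3-run threshold, failover happens roughly three minutes after the main server stops answering; connections already tracked through the old rule are not moved by the rule change.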
 
Mattias
newbie
Topic Author
Posts: 46
Joined: Sat Jul 25, 2009 2:40 am
Location: Stockholm, Sweden

Re: Failover for internal hosting servers

Mon Nov 28, 2011 2:34 pm

Bump :D !
 
vlad8
Frequent Visitor
Posts: 61
Joined: Wed Feb 09, 2011 3:42 pm

Re: Failover for internal hosting servers

Mon Dec 05, 2011 9:58 am

Put 2 RB750s before the 2 servers and then set up VRRP.
 
albakun
just joined
Posts: 1
Joined: Fri Jan 27, 2012 6:33 pm

Re: Failover for internal hosting servers

Fri Jan 27, 2012 8:17 pm

Hi Mattias,

Have you managed to get your scenario working? I have the same task, what needs to be set...

Best regards,
Alexandr
