2 Wan Failover with 1:1 NAT to Internal LAN

I’ve looked at wan failover wiki and forum examples - what I am looking for is a bit different and it got complex during implementation. Any help from those with more experience with this would be great.

RB333
eth1 = WAN1 w/static IP xxx.Global1.xxx
eth2 = WAN2 w/static IP xxx.Global2.xxx
eth3 = LAN w/static IP 10.10.10.1/24

I am only interested in failover for WAN1 & WAN2. If WAN1 has connectivity to specific Internet Host 123.123.123.123 then it should always and only use WAN1. If WAN1 loses connection to 123.123.123.123 then use WAN2 until WAN1 can reestablish connection to 123.123.123.123. Using routing marks and a host check with up/down scripts to enable or disable the mangle prerouting mark to choose the correct of two available default gateways isn’t too bad - this part should work fine.
Note: I have a static route to 123.123.123.111 (a host on the same subnet as the 123.123.123.123 host) so I can use that for the connectivity checking, so it always checks via WAN1 until it can connect, then runs a script to switch traffic back to WAN1 after a failover event.

Now I want to have 1:1 NAT from WAN1 xxx.Global1.xxx IP and internal 10.10.10.2 host
as well as 1:1 NAT from WAN2 xxx.Global2.xxx IP and internal 10.10.10.2 host when in failover mode
That proved difficult to set up. The only way I even think I have a chance is to add additional IPs to both WAN1 & WAN2 interfaces. That's when I came here to see if there is a less complicated way to achieve this.

Thanks in advance. I’d post a config but I don’t have one, and someone who understands what I am asking for shouldn’t need any additional info. Appreciate it…

Scott

Use a configuration like this:

/ip route add dst-address=0.0.0.0/0 gateway=123.123.123.123 check-gateway=ping 
/ip route add dst-address=0.0.0.0/0 gateway=wan2_gateway_ip distance=2
/ip firewall nat add action=masquerade chain=srcnat comment="" disabled=no src-address=10.0.0.2

replace wan2_gateway_ip with your address.
Let me know if it is helpful.

I can’t use the gateway ping check; it has to be another IP on the same subnet as pbxservice. Just because I can get to the gateway doesn’t mean I can get to pbxservice out on the Internet.

I understand default routes… I have two WAN links therefore require two default gateways that are either managed by routing marks or enabled / disabled via scripts related to pbxservice icmp check.

I also understand I need to NAT the internal 10.10.10.x subnet; the issue is 1:1 NAT from both public WAN IPs back to 10.10.10.2 depending on which WAN is actively being used.

I feel this is an advanced question; perhaps I located it in the wrong place?

Scott
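As an added example (not Scott's configuration and not the other poster's), here is one way to wire up both parts of the request on RouterOS: the WAN1 connectivity check against a probe host pinned to WAN1, and 1:1 NAT for 10.10.10.2 on both public addresses without adding extra IPs to the WAN interfaces. The NAT rules are keyed on the interface a packet actually enters or leaves on, so the same rules serve whichever WAN is the active default route. Assumed names and values: ether1/ether2/ether3 are WAN1/WAN2/LAN, and GLOBAL1, GLOBAL2, WAN1_GW and WAN2_GW are placeholders for the public addresses and ISP next hops the thread does not give.

```routeros
# Added example, not from the thread. Placeholders (replace before use):
#   ether1 = WAN1, ether2 = WAN2, ether3 = LAN
#   GLOBAL1 / GLOBAL2 = public address on WAN1 / WAN2
#   WAN1_GW / WAN2_GW = ISP next hop on WAN1 / WAN2
#   123.123.123.123 = the service host, 123.123.123.111 = probe host on its subnet

# 1. Pin the probe host to WAN1 so the check always tests WAN1,
#    even while user traffic has failed over to WAN2.
/ip route add dst-address=123.123.123.111/32 gateway=WAN1_GW comment=wan1-probe

# 2. Two default routes. WAN1 wins while enabled; WAN2 (distance 2) is used
#    only when the WAN1 route is disabled by the down-script below.
/ip route add dst-address=0.0.0.0/0 gateway=WAN1_GW distance=1 comment=wan1-default
/ip route add dst-address=0.0.0.0/0 gateway=WAN2_GW distance=2 comment=wan2-default

# 3. Netwatch pings the probe host (via WAN1 because of the /32 route) and
#    toggles the WAN1 default route; failover and failback are automatic.
/tool netwatch add host=123.123.123.111 interval=10s timeout=2s up-script="/ip route set [find comment=wan1-default] disabled=no; :log info \"WAN1 restored, traffic back on WAN1\"" down-script="/ip route set [find comment=wan1-default] disabled=yes; :log warning \"WAN1 lost probe host, failing over to WAN2\""

# 4. 1:1 NAT for 10.10.10.2. Outbound: rewrite the source to the public
#    address of whichever WAN the packet leaves on.
/ip firewall nat add chain=srcnat src-address=10.10.10.2 out-interface=ether1 action=src-nat to-addresses=GLOBAL1 comment="1:1 out via WAN1"
/ip firewall nat add chain=srcnat src-address=10.10.10.2 out-interface=ether2 action=src-nat to-addresses=GLOBAL2 comment="1:1 out via WAN2"
#    Inbound: both public addresses map to the same internal host.
/ip firewall nat add chain=dstnat in-interface=ether1 dst-address=GLOBAL1 action=dst-nat to-addresses=10.10.10.2 comment="1:1 in via WAN1"
/ip firewall nat add chain=dstnat in-interface=ether2 dst-address=GLOBAL2 action=dst-nat to-addresses=10.10.10.2 comment="1:1 in via WAN2"

# 5. The rest of the LAN uses plain masquerade on each WAN
#    (listed after the 1:1 rules so 10.10.10.2 matches those first).
/ip firewall nat add chain=srcnat src-address=10.10.10.0/24 out-interface=ether1 action=masquerade
/ip firewall nat add chain=srcnat src-address=10.10.10.0/24 out-interface=ether2 action=masquerade

# 6. Forward filter: only the dst-nat'ed host is reachable from either WAN,
#    so the 1:1 mapping does not expose the rest of 10.10.10.0/24.
/ip firewall filter add chain=forward connection-state=established,related action=accept
/ip firewall filter add chain=forward in-interface=ether1 dst-address=10.10.10.2 action=accept
/ip firewall filter add chain=forward in-interface=ether2 dst-address=10.10.10.2 action=accept
/ip firewall filter add chain=forward in-interface=ether1 action=drop
/ip firewall filter add chain=forward in-interface=ether2 action=drop
```

Two points to check after applying this. First, `/ip route print` should show the wan1-default route going disabled within one netwatch interval of the probe host becoming unreachable, and `/ip firewall connection print` should show new connections from 10.10.10.2 carrying GLOBAL2 as their reply address during failover. Second, this only gives 1:1 on WAN2 while WAN2 is the active default route, which is what the request asks for: a connection arriving on GLOBAL2 while WAN1 is up would be answered out ether1 with GLOBAL1 as source and fail; making both public addresses reachable at the same time needs connection marks plus per-mark routing, which is a separate design.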