2xWAN load balancing - how to do real failover?

surfek · December 12, 2017, 1:32pm

Hi,

I have 2xWAN (1 DSL and 1 LTE internet connections) and implemented 2xWAN load balancing using this PCC method:
https://wiki.mikrotik.com/wiki/Improved_Load_Balancing_over_Multiple_Gateways

The load balancing works ok - traffic is distributed, but…
… I undertand that RouterOS checks if default gateway for each WAN is accessible, if one is not than this routing is disabled?
In my example
add address=192.168.9.1/24 interface=LAN network=192.168.9.0 broadcast=192.168.1.255
add address=192.168.1.2/24 interface=WAN1 network=192.168.1.0 broadcast=192.168.1.255
add address=192.168.2.2/24 interface=WAN2 network=192.168.2.0 broadcast=192.168.2.255

in case ISP1 (WAN1) or ISP2 (WAN2) has problems, still addresses 192.168.1.1 (DSL router) and 192.168.2.1 will be still accessible (LTE router)

Is it possible to tell RouterOS to ping some other (external IP address e.g. 8.8.8.8 through each WAN to check if WAN is working??

Best regards,

Michal

mrz · December 12, 2017, 1:52pm

Yes, it is possible by running ping script with specific interface.

surfek · December 12, 2017, 3:54pm

could you please write a bit more how to do it? can you please refer to some example?
Thank you very much for your help,

Best regards,

Michal

HExSM · December 12, 2017, 4:45pm

Hi Michal,

I don’t know if that’s the solution you are asking for, but let’s give it a try

/ip route
add check-gateway=ping distance=1 gateway=WAN1 routing-mark=wan1_route
add check-gateway=ping distance=2 gateway=WAN2 routing-mark=wan1_route
add check-gateway=ping distance=1 gateway=WAN2 routing-mark=wan2_route
add check-gateway=ping distance=2 gateway=WAN1 routing-mark=wan2_route

surfek · December 12, 2017, 5:38pm

Hi Michal,

I don’t know if that’s the solution you are asking for, but let’s give it a try

/ip route
add check-gateway=ping distance=1 gateway=WAN1 routing-mark=wan1_route
add check-gateway=ping distance=2 gateway=WAN2 routing-mark=wan1_route
add check-gateway=ping distance=1 gateway=WAN2 routing-mark=wan2_route
add check-gateway=ping distance=2 gateway=WAN1 routing-mark=wan2_route

Hi,

thank you for reply!

I understand this does ping to the default gateway of wan1 and wan2? If yes, then I am looking for ability to ping different address to check if the wan is up or down (e.g. 8.8.8.
fragment of my config - where I do the wan load balancing below

Question how to really check if my WAN is down…

/ip firewall mangle
add action=mark-connection chain=input in-interface=WAN1 new-connection-mark=wan1_con passthrough=yes
add action=mark-connection chain=input in-interface=WAN2 new-connection-mark=wan2_con passthrough=yes
add action=mark-routing chain=output connection-mark=wan1_con new-routing-mark=to_wan1 passthrough=yes
add action=mark-routing chain=output connection-mark=wan2_con new-routing-mark=to_wan2 passthrough=yes
add action=accept chain=prerouting dst-address=192.168.1.0/24 in-interface=LAN in-interface-list=all
add action=accept chain=prerouting dst-address=192.168.2.0/24 in-interface=LAN
add action=mark-connection chain=prerouting dst-address-type=!local in-interface=LAN new-connection-mark=wan1_con passthrough=yes per-connection-classifier=both-addresses:2/0
add action=mark-connection chain=prerouting dst-address-type=!local in-interface=LAN new-connection-mark=wan2_con passthrough=yes per-connection-classifier=both-addresses:2/1
/ip firewall nat
add action=masquerade chain=srcnat out-interface=WAN1
add action=masquerade chain=srcnat out-interface=WAN2
/ip route
add check-gateway=ping distance=1 gateway=192.168.1.1 routing-mark=to_WAN1
add check-gateway=ping distance=1 gateway=192.168.2.1 routing-mark=to_WAN2
add check-gateway=ping distance=1 gateway=192.168.1.1
add check-gateway=ping distance=2 gateway=192.168.2.1

HExSM · December 13, 2017, 1:06pm

Maybe this script will help you: https://aacable.wordpress.com/2014/06/12/mikrotik-wan-monitoring-script-with-multiple-host-check/

Quemel · December 13, 2017, 6:13pm

I know exactly what you are looking for:
(Check Gateway on Recursive Route)
You can find an article with this tutorial : https://wiki.mikrotik.com/wiki/Advanced_Routing_Failover_without_Scripting
I did a Youtube Video about this failover too, but it’s in Portuguese, maybe only watching you will be able to do this: https://www.youtube.com/watch?v=DNJeXCyrM1g

In your case, would be exactly like this:
/ip route
add distance=1 gateway=8.8.8.8 routing-mark=to_WAN1
add distance=1 gateway=8.8.4.4 routing-mark=to_WAN2
add check-gateway=ping distance=1 gateway=8.8.8.8
add check-gateway=ping distance=2 gateway=8.8.4.4
add distance=1 dst-address=8.8.4.4/32 gateway=192.168.2.1 scope=10
add distance=1 dst-address=8.8.8.8/32 gateway=192.168.1.1 scope=10

*You only need one check-gateway ping per gateway, if this gateway goes unreachable, all other routes with this same gateway goes unreachable too

surfek · December 31, 2017, 3:35pm

I know exactly what you are looking for:
(Check Gateway on Recursive Route)
You can find an article with this tutorial : https://wiki.mikrotik.com/wiki/Advanced_Routing_Failover_without_Scripting
I did a Youtube Video about this failover too, but it’s in Portuguese, maybe only watching you will be able to do this: https://www.youtube.com/watch?v=DNJeXCyrM1g

In your case, would be exactly like this:
/ip route
add distance=1 gateway=8.8.8.8 routing-mark=to_WAN1
add distance=1 gateway=8.8.4.4 routing-mark=to_WAN2
add check-gateway=ping distance=1 gateway=8.8.8.8
add check-gateway=ping distance=2 gateway=8.8.4.4
add distance=1 dst-address=8.8.4.4/32 gateway=192.168.2.1 scope=10
add distance=1 dst-address=8.8.8.8/32 gateway=192.168.1.1 scope=10

*You only need one check-gateway ping per gateway, if this gateway goes unreachable, all other routes with this same gateway goes unreachable too

Great thanks for your help.
I am at the moment fighting with the other strange problem: I realised that using tools I can ping external address via WAN1 but not WAN2 - and I have no clue why.
I checked my config 10x with some examples of how to implement PCC and I do not see any point I did something wrong
part of my config below

/ip address
add address=192.168.9.1/24 interface=bridge1 network=192.168.9.0
add address=192.168.1.2/24 interface=WAN1 network=192.168.1.0
add address=192.168.2.2/24 interface=WAN2 network=192.168.2.0
/ip firewall mangle
add action=mark-connection chain=input in-interface=WAN1 new-connection-mark=wan1_con passthrough=yes
add action=mark-connection chain=input in-interface=WAN2 new-connection-mark=wan2_con passthrough=yes
add action=mark-routing chain=output connection-mark=wan1_con new-routing-mark=to_wan1 passthrough=yes
add action=mark-routing chain=output connection-mark=wan2_con new-routing-mark=to_wan2 passthrough=yes
add action=accept chain=prerouting dst-address=192.168.1.0/24 in-interface=bridge1 in-interface-list=all
add action=accept chain=prerouting dst-address=192.168.2.0/24 in-interface=bridge1 in-interface-list=all
add action=mark-connection chain=prerouting dst-address-type=!local in-interface=bridge1 new-connection-mark=wan1_con passthrough=yes per-connection-classifier=both-addresses:2/0
add action=mark-connection chain=prerouting dst-address-type=!local in-interface=bridge1 new-connection-mark=wan2_con passthrough=yes per-connection-classifier=both-addresses:2/1
/ip firewall nat
add action=masquerade chain=srcnat out-interface=WAN1
add action=masquerade chain=srcnat out-interface=WAN2
/ip route
add check-gateway=ping distance=1 gateway=192.168.1.1 routing-mark=to_WAN1
add check-gateway=ping distance=1 gateway=192.168.2.1 routing-mark=to_WAN2
add check-gateway=ping distance=1 gateway=192.168.1.1
add check-gateway=ping distance=1 gateway=192.168.2.1

Why I can PING externall addresses via WAN1, but not WAN2?

Best regards,

Michal

emikrotik · January 3, 2018, 8:19am

Try specifying the routing table on the advanced tab of the ping tool.

surfek · January 3, 2018, 10:13pm

from the Windows PC I am not able to ping 192.168.1.1 (WAN1 gateway) and 192.168.2.1 (WAN2 gateway)
I can ping WAN1 gateway only when I disable WAN2 interface…
so when I want to access web interface to manage ADSL WAN1 router, I have to disable WAN2 interface in RouterOS
I believe I have something wrong here but I have no idea what… Any hints what I can check?

great thanks for your help,

Best regards,

Michal

surfek · January 3, 2018, 11:45pm

ok - I found I had problem with my mangle rules.
mangle rules below are now working ok - I can ping both gateways

/ip firewall mangle
add action=accept chain=prerouting in-interface=bridge1
add action=accept chain=prerouting in-interface=bridge1
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=WAN1 new-connection-mark=WAN1_conn passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=WAN2 new-connection-mark=WAN2_conn passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface=bridge1 new-connection-mark=WAN1_conn passthrough=yes per-connection-classifier=\
    both-addresses:2/0
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface=bridge1 new-connection-mark=WAN2_conn passthrough=yes per-connection-classifier=\
    both-addresses:2/1
add action=mark-routing chain=prerouting connection-mark=WAN1_conn in-interface=bridge1 new-routing-mark=to_WAN1 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN2_conn in-interface=bridge1 new-routing-mark=to_WAN2 passthrough=yes
add action=mark-routing chain=output connection-mark=WAN1_conn new-routing-mark=to_WAN1 passthrough=yes
add action=mark-routing chain=output connection-mark=WAN2_conn new-routing-mark=to_WAN2 passthrough=yes