Configuring firewall clone for "warm standby"

We are using a RouterOS (v6.38.3) firewall (hAP lite) with a basic ISP/LAN configuration for a branch office. It is working great, but we would like to configure a second device with an identical configuration as a backup they could swap out very easily (by non-technical staff).

Of course we could just configure a second firewall with an identical configuration that they could just plug in when needed, but what we would really like to do is have both firewalls online, and on-site staff could just swap the cables and be back up and running again in the event of a configuration problem or hardware failure.
This “warm standby” approach gives us some key advantages:

  • Allows identical configuration on both firewalls
  • Changes to both firewalls can be configured/upgraded remotely to keep them current
  • The production device can be accessed on x.x.x.1 and the backup on x.x.x.2
  • In the event of a failure, the cables can simply be swapped to the other device
  • Simpler in setup and maintenance than complex live failover configurations

The Question
What is the best way to accomplish this? My initial attempt was to simply create two interfaces with IPs on the same subnet, but this didn’t seem to work. Further research on various postings led to various methods of using routing marks or load balancing concepts, but I was hoping it might be something simple… Essentially, I just want to connect to 192.168.1.2 and be able to configure the backup router, when all the other ports are unplugged. On the production router, nothing will be plugged into port 4, so I want this to be simply ignored. By swapping the cables between the devices, the backup becomes the gateway for the network, and the production is accessible on x.x.x.2.

Am I missing something simple here? What would you recommend for reaching our goal of a simple backup device that we can maintain remotely? (I can provide more details on routing and such, but we are essentially just talking a basic setup.)

Thanks in advance!!!

Remove port 4 from any bridge/switch/IP configuration on both routers. Interconnect both using this interface. Do an export on router 1 and import the file on router 2 after each configuration change. Both routers will look identical; just the MAC addresses will differ.

Thank you!!! That was a brilliant suggestion!! We are now up and running just as I had hoped.

One thing that was just a little confusing was your comment to:

…interconnect both using this interface.

In my testing, when I just plugged a network cable between port 4 of the primary and port 4 of the backup, I could only see the primary device (by IP) from the LAN (on port 2). When I plugged port 4 of both devices into the main LAN switch, I could then access the primary router via IP, or either device via MAC address using WinBox. This was perfect for what I needed and so much simpler than all the fancy routing I was trying to do to get two interfaces on the same subnet.

A little script to complete the package makes updates a breeze! I just export the config from the main router, drop it in “Files” on the backup, kick off the script and we are good to go! (That way I don’t have to remember all the command line arguments every time I run an update.)

Thanks again for taking time to reply! You really helped me out. :smiley:

P.S.
In case others might find it helpful, this script (adapted from another post) worked great for me:

/system script
add name="Apply Config Backup" owner=tpeek policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/\
    system reset-configuration keep-users=yes no-defaults=yes run-after-reset=\
    config.rsc"

Glad to see you took my hint. Enjoy.
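
An added example, not part of the original posts and not MikroTik tooling: a Python pre-flight check to run on the exported .rsc before it is applied to the standby. It follows the advice above to keep port 4 out of bridge and IP configuration, and it lists lines that carry credentials. The port name ether4, the sample export and the list of secret-bearing parameter names are assumptions; switch master-port settings are not checked.

```python
import re

MGMT_PORT = "ether4"  # assumption: default interface name of port 4
FORBIDDEN = ("/interface bridge port", "/ip address")
# Assumption: parameter names that usually carry secrets; extend as needed.
SECRET_KEY = re.compile(r"\b(password|secret|pre-shared-key)=", re.I)

# Constructed sample export, not taken from the thread.
SAMPLE_EXPORT = r"""# jan/02/1970 00:00:00 by RouterOS 6.38.3
/interface bridge
add name=bridge-lan
/interface bridge port
add bridge=bridge-lan interface=ether2
add bridge=bridge-lan interface=\
    ether4
/ip address
add address=192.168.1.1/24 interface=bridge-lan network=192.168.1.0
/ppp secret
add name=branch password=CONSTRUCTED-SECRET
"""

def logical_lines(text):
    """Join export lines that were wrapped with a trailing backslash."""
    buf, cont = "", False
    for raw in text.splitlines():
        piece = raw.lstrip() if cont else raw
        cont = piece.endswith("\\")
        buf += piece[:-1] if cont else piece
        if not cont:
            yield buf
            buf = ""

def check_export(text, port=MGMT_PORT):
    """Return (kind, section, line) tuples for settings to review."""
    findings, section = [], ""
    uses_port = re.compile(r"\binterface=" + re.escape(port) + r"(\s|$)")
    for line in logical_lines(text):
        line = line.strip()
        if line.startswith("/"):  # menu path opens a new section
            section = line
        elif line and not line.startswith("#"):
            if section in FORBIDDEN and uses_port.search(line):
                findings.append(("mgmt-port", section, line))
            if SECRET_KEY.search(line):
                findings.append(("secret", section, line))
    return findings

if __name__ == "__main__":
    for kind, section, line in check_export(SAMPLE_EXPORT):
        print(f"{kind:9} {section}: {line}")
```

A "secret" finding means the file dropped in "Files" holds credentials and should be handled like one.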