dst-nat when some service unreachable

I’m looking for a direction to solve this:
In a router, I would like to set up a “conditional” dst-nat for some ports when a packet is received that would normally be forwarded to another router. When there is a /32 route present to that IP address, nothing special should happen (the packet should just be forwarded), but when the route (that is received via BGP) is not present, the packet should instead be dst-nat’ted to some other address.
I think it is a bit like how “anycast” is often implemented, but in an asymmetric way: the address exists and it would normally be routed without any NAT, but in case it is unreachable some other server would take over the services.
Of course I can set up some static route to that address with a higher distance. But I don’t see a way yet to do the same with a dst-nat entry, or to link one to that route. For a dst-nat the destination address would normally have to be local to the router, and of course that would break things when the destination system is up.
I prefer some solution that does not involve a script that repeatedly checks the situation and re-configures the router accordingly…

Not true. The only thing that matters is the packet coming to the router; it’s not important why it did that. If it was just routed there, it’s fine too and you can dstnat it. The same works for srcnat: you can change the packet’s source to an address that the router does not have and it will work.

The whole thing depends on details. I can’t think of any scriptless solution for making a relation between a (non)existing route and a dstnat rule. But if the backup server is able to give a helping hand, you can do this on the router:

/ip route
add distance=250 dst-address=<original address>/32 gateway=<backup server>

And then the server can do something like:

iptables -t nat -A PREROUTING -d <original address> -j REDIRECT

This assumes the router and backup server are in the same subnet. If there were more routers between the main router and the server, it could get more complicated. Or possibly not, if the first one (between main and backup) could do dstnat (that would be possible if the traffic would otherwise not be routed through this router in this direction):

/ip firewall nat
add action=dst-nat chain=dstnat dst-address=<original address> in-interface=<from first router> to-addresses=<backup server>

Well, that is actually a nice idea. I can try to put the address of the main system as a second address on the backup system and put a static route like that. I will have to check that it does not disturb other things.

That could work too. The backup server won’t be able to communicate with the main system on this address, but that’s probably acceptable. And you should make sure that it won’t try to use it as the source for outgoing connections when the main system is alive.

I like the approach with redirection better, because there’s no duplicate address anywhere. The backup system would even be able to connect to this address on the main one. Of course not everything is Linux or an equally equipped system, so it might not be possible with it.

That is right, that is an issue. I’ll experiment a little.
It is intended for a fallback RADIUS server in case the primary one is down.
These are freeradius under Linux. A MikroTik AP can have multiple RADIUS servers configured, but Ubiquiti cannot.
Even for MikroTik it can be desirable to have a fast response in case the primary server is down.
I can also still consider making a new address that is the RADIUS server and can be dst-nat’ted to both the primary and secondary server. That would be more like what is often done with anycast.

I have been able to make a working solution, but without the dst-nat…
I now use a separate “anycast address” for the service, separate from the real servers’ addresses.
I put a /32 static route to each server on the router where it is connected, with ping check.
Also, the /32 route is put in BGP Networks with synchronization:

/ip route
add check-gateway=ping distance=1 dst-address=anycastaddr/32 gateway=localserver
/routing bgp network
add network=anycastaddr/32

Instead of doing the dst-nat, I have put the anycastaddr as a second address on the servers.
This configuration is in place at multiple locations in the network. Well, it is just the anycast solution.
(dst-nat would have been nice, but it is apparently not possible to make it conditional without scripting.)