Dual DHCP WAN interface setup

We have a router with two WAN interfaces to different ISPs that use DHCP. We are unable to ping out the backup interface while the primary is up. The primary interface has a distance of 1, the backup a distance of 2 (configured under dhcp-client). The only address we can ping is the backup carrier's default gateway. When the primary is disconnected, the backup works fine, so it does not appear to be an access-list issue.

We want to do script-based WAN failover so we need to be able to ping remote hosts out each WAN interface.

Any idea what we are missing? Any help would be greatly appreciated.

Config below.

Thanks,

Pete

-------------- config -------------------

Route table:

1   ADS  0.0.0.0/0                                        [gateway IP wan1]                 1
2   DS  0.0.0.0/0                                           [gateway IP wan2]                 2
3   ADC  [wan2 subnet]     [wan2 dhcp IP]   ether2-wan2                0
4   ADC [wan1 subnet]     [wan1 dhcp IP]    ether1-wan1                0
5   ADC  192.168.88.0/24    192.168.88.1    bridge-local              0


DHCP client:

ip dhcp-client add interface=ether1-wan1 disabled=no
ip dhcp-client add interface=ether2-wan2 disabled=no


ip address print detail:

 3 D address=[wan2 dhcp address] network=xxxx interface=ether2-wan2 
     actual-interface=ether2-wan2 

 4 D address=[wan1 dhcp address] network=xxxxx interface=ether1-wan1 
     actual-interface=ether1-wan1 


NAT configuration:

 0    chain=srcnat action=masquerade to-addresses=0.0.0.0 
      out-interface=ether1-wan1 log=no log-prefix="" 

 1    chain=srcnat action=masquerade out-interface=ether2-wan2 log=no 
      log-prefix=""

Actually, you don’t need to ping the backup.
If the primary fails, then the backup will take over.
If the backup is down also, then who cares whether you could see missed ping and disable it?

Here’s your plan:
Make a static route 8.8.6.6/32 gateway=ether1 (use the interface name, not any IP address)
Configure this route with check-gateway=ping

Next, set the admin distance on the dhcp client for ISP1 = 255 (more about why in just a bit)

Then create a static primary default route 0.0.0.0/0 with gateway=8.8.6.6, scope=30, target-scope=30, distance=1
This is your primary default GW. If 8.8.6.6 fails to respond to pings, then the /32 route will become inactive, and this primary will also become unreachable. Then your backup ISP’s default GW route will take over. (make sure its distance is larger than 1, but less than 255)

Now - if you’re really, really lucky, then your ISP1 supports proxy arp on their router.
Look in /ip arp - if there’s a MAC address for 8.8.6.6 and you’re surfing away at the Internet, then you’re good to go. This is actually a better solution because if the ISP changes routers or swaps a network card out on their router or something like that, your arp cache will automatically update.

If you’re not lucky, then you’re going to be surfing on ISP2 right now.
Add an arp entry manually with the same MAC address as the IP of the dynamic default GW address learned via DHCP.
(this is why you have the 255 distance - it keeps the route in memory for you to look at, but it will never work as a default GW statement)

So if the 0.0.0.0/0 route with distance=255 has a gateway=1.2.3.4, then find 1.2.3.4 in your ip arp, copy the MAC address and make the static ARP entry 8.8.6.6, MAC = the same as the above’s MAC.

At this point, the primary route should start working and you should start surfing on the primary ISP.

You can leave it like this if you like, but if the ISP ever changes the hardware of their router, then you’re going to be kicked over to ISP2 until you notice and fix it manually.

If you want this automated as well, create a script which runs periodically, and checks that the MAC address is correct.
(script should check ip routes for route with dst=0.0.0.0/0, distance=255, and capture the gateway IP into $isp1. Next it should look in ARP for address=$isp1 and capture the MAC address from this, and if the MAC address of /ip arp address=8.8.6.6 doesn’t match, then update.)
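The following is an added example and not config posted by Pete or ZeroByte. It implements the same recursive-route idea (a /32 probe route with check-gateway=ping that the primary default route resolves through), but instead of using the interface name as gateway and faking an ARP entry for 8.8.6.6, it keeps the probe route pointed at the gateway IP the ISP actually hands out: the dhcp-client script hook rewrites the routes on every bind/unbind, so no periodic MAC-check script is needed. Assumptions: ether1-wan1 is the primary ISP and ether2-wan2 the backup, 8.8.8.8 is the probe host for the primary path, RouterOS v6 route syntax, and the `$bound` and `$"gateway-address"` variables are the ones the dhcp-client script exposes.

```routeros
# Added example (not from the thread): recursive-route failover for two DHCP WANs.
# Assumptions: ether1-wan1 = primary ISP, ether2-wan2 = backup, 8.8.8.8 = probe host,
# RouterOS v6 syntax, dhcp-client script variables $bound and $"gateway-address".

# 1. Create the static routes first so the dhcp-client scripts below always find them.
/ip route
# Host route to the probe, reachable only via ISP1's gateway. The interface is a
# placeholder that the dhcp-client script overwrites with the real gateway IP.
# check-gateway=ping marks the route unreachable when 8.8.8.8 stops answering via
# ISP1; scope=10 lets the default route below resolve recursively through it.
add dst-address=8.8.8.8/32 gateway=ether1-wan1 scope=10 check-gateway=ping \
    comment="wan1-probe" disabled=yes
# Primary default route, resolved through the /32 above (target-scope=11 >= its
# scope of 10). When the probe route goes unreachable, this one goes inactive.
add dst-address=0.0.0.0/0 gateway=8.8.8.8 distance=1 target-scope=11 \
    comment="wan1-default"
# Backup default route via ISP2's gateway (filled in by its dhcp-client script),
# higher distance so it is only used when the primary default is inactive.
add dst-address=0.0.0.0/0 gateway=ether2-wan2 distance=2 comment="wan2-default" \
    disabled=yes

# 2. DHCP clients: do not install their own default routes. On bind, point the
#    matching static route at the gateway the ISP handed out and enable it; on
#    unbind, disable it again. ($ and inner quotes are escaped because the script
#    is passed as a string.)
/ip dhcp-client
add interface=ether1-wan1 disabled=no add-default-route=no comment="wan1" \
    script=":if (\$bound=1) do={ /ip route set [find comment=\"wan1-probe\"] gateway=\$\"gateway-address\" disabled=no } else={ /ip route set [find comment=\"wan1-probe\"] disabled=yes }"
add interface=ether2-wan2 disabled=no add-default-route=no comment="wan2" \
    script=":if (\$bound=1) do={ /ip route set [find comment=\"wan2-default\"] gateway=\$\"gateway-address\" disabled=no } else={ /ip route set [find comment=\"wan2-default\"] disabled=yes }"
```

After both leases come up, `/ip route print detail` should show the wan1-default route as `recursive via <wan1 gw> ether1-wan1` and the wan1-probe route as `reachable`; if the probe route instead shows `unreachable`, the probe host is not answering ping through ISP1 and the backup route is what is active. Two caveats a practitioner will want: the probe address is now pinned to ISP1, so pick one that LAN clients do not depend on (or accept that it is unreachable while ISP1 is down), and if the backup path should also be monitored while the primary is up, add a second /32 to a different probe host with gateway set to ISP2's gateway IP in the same way. The existing per-interface masquerade rules do not need to change.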

Thanks ZeroByte. We will test tomorrow and let you know.

Best,

Pete

I tried the settings above and it does fail over to the WAN2 interface ether2.

My relevant route table is as follows:

2 A S  dst-address=0.0.0.0/0 gateway=8.8.6.6 gateway-status=8.8.6.6 recursive via [wan2 gw] ether2-WAN2 distance=1 scope=30 target-scope=30 

 3  DS  dst-address=0.0.0.0/0 gateway=[wan2 gw] gateway-status=[wan2 gw] reachable via  ether2-WAN2 distance=2 scope=30 target-scope=10 vrf-interface=ether2-TWC 

 4  DS  dst-address=0.0.0.0/0 gateway=[wan1 gw] gateway-status=[wan1 gw] inactive distance=255 scope=30 target-scope=10 vrf-interface=ether1-WAN1 

 5 A S  dst-address=8.8.6.6/32 gateway=ether1-WAN1 gateway-status=ether1-WAN1 reachable check-gateway=ping distance=1 scope=30 target-scope=10 


10 ADC  dst-address=[wan1 subnet]/22 pref-src=[wan1 ip] gateway=ether1-WAN1 gateway-status=ether1-WAN1 reachable distance=0 scope=10 

11 ADC  dst-address=[wan2 subnet]/19 pref-src=[wan2 ip] gateway=ether2-WAN2 gateway-status=ether2-WAN2 reachable distance=0 scope=10

Two things I observed:

  1. As soon as I added the static address to 8.8.6.6 (I also tried with 8.8.8.8), 8.8.6.6 became unreachable.
  2. The route to 0.0.0.0/0 through 8.8.6.6 says “recursive ether2-WAN2” under “ip route print detail”

Static address? You mean ARP entry? I was going to ask whether you needed to add that to make this work.
If the solution works and you never touched the ip arp menu, then you’re in fantastic shape.
Remember, this is not adding an IP address - it’s adding an ARP entry…

Basically, you’re telling a lie to the Mikrotik and telling it that the ISP1 router’s IP address is 8.8.6.6
If the router answers the ARP request automatically, then you don’t need to (and in fact should NOT) put the static ARP entry in your router.

It’s better with the dynamic functionality because if you have to manually specify your default GW’s MAC address = 8.8.6.6, then if the ISP ever changes the hardware you’re connected to, your connection will mysteriously break until you notice it, and figure out what’s happened, and then go update the MAC address.

ZeroByte:

Actually I meant the static route to 8.8.6.6 (or 8.8.8.8) via the ether1 interface.

Make a static route 8.8.6.6/32 gateway=ether1 (use the interface name, not any IP address)
Configure this route with check-gateway=ping

The relevant config item is:

 5 A S  dst-address=8.8.6.6/32 gateway=ether1-WAN1 gateway-status=ether1-WAN1 reachable check-gateway=ping distance=1 scope=30 target-scope=10

Adding that static route via the ether1-WAN1 interface makes the address unreachable. Removal of that static route makes 8.8.8.8 reachable again.

Any thoughts?

Post the routes when it’s messed up so I can compare.