Dual WAN Failover with VoIP

Hi,

I’ve recently purchased our first Routerboard (1 RB750GL and 1x RB201 rackunit) and am very excited about it.

After several days of reading about / playing with RouterOS I've managed to set up 2 WAN ports and have them failover if one fails (with NAT).
This works fine for normal applications, but I believe I need something more for VoIP to properly failover.

Right now, when I make a call over WAN_1 and deliberately take the gateway offline, the outgoing RTP stream is switched over to WAN_2 properly but the inbound RTP is not arriving through WAN_2.

A packet trace shows that our PBX (hosted online) is seeing the new source address for the RTP stream and starts sending RTP back to that same address; this is as expected. However, the Routerboard does not seem to recognize the incoming RTP stream anymore and forward the stream to the phone.

When viewing the active connections I can see the connection to our PBX; when I delete active connection 4 (see below), the RTP starts coming back in.

I’m thinking this is a NAT issue between the 2 WAN ports but cannot figure it out.

[admin@MikroTik] /ip firewall> connection print
Flags: S - seen reply, A - assured
 #    PR.. SRC-ADDRESS           DST-ADDRESS           TCP-STATE   TIMEOUT
 0    igmp 192.168.1.254         224.0.0.1                         16m23s
 1 SA tcp  192.168.88.5:51624    192.168.88.1:80       established 23h43m26s
 2 SA tcp  192.168.88.5:51625    192.168.88.1:22       established 23h43m39s
 3 SA udp  192.168.88.100:3072   82.94.224.175:5060                51m45s
 4 SA udp  192.168.88.100:56917  82.94.224.175:10007               2m29s
 5 SA udp  192.168.88.100:56916  82.94.224.175:10006               2m20s
 6 SA tcp  192.168.88.5:51772    192.168.88.1:80       established 23h59m34s

Any help would be greatly appreciated.
Looking forward to your reply.

Please find my configuration export below; should anything else be required, please let me know:


[admin@MikroTik] > export compact
# jan/02/1970 21:47:47 by RouterOS 5.23
# software id = Q52D-75U0
#
/interface ethernet
set 0 name=ether1-gateway
set 1 name=ether2-gateway
set 2 name=ether3-master-local
set 3 master-port=ether3-master-local name=ether4-slave-local
set 4 master-port=ether3-master-local name=ether5-slave-local
/ip pool
add name=kantoor-dhcp-pool ranges=192.168.88.100-192.168.88.200
/ip dhcp-server
add address-pool=kantoor-dhcp-pool disabled=no interface=ether3-master-local name="DHCP Server"
/ip address
add address=192.168.88.1/24 comment="Lan interface" interface=ether3-master-local
/ip dhcp-client
add default-route-distance=0 disabled=no interface=ether1-gateway
add default-route-distance=0 disabled=no interface=ether2-gateway
/ip dhcp-server network
add address=192.168.88.0/24 comment="default configuration" dns-server=192.168.88.1 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=192.168.10.1
/ip dns static
add address=192.168.88.1 name=router
/ip firewall filter
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=established
add chain=input comment="default configuration" connection-state=related
add action=drop chain=input comment="BBNed Firewall" in-interface=ether1-gateway
add action=drop chain=input comment="UPC Firewall" in-interface=ether2-gateway
/ip firewall nat
add action=masquerade chain=srcnat comment="NAT tabel BBned" out-interface=ether1-gateway to-addresses=0.0.0.0
add action=masquerade chain=srcnat comment="NAT Tabel UPC" out-interface=ether2-gateway
/ip neighbor discovery
set ether1-gateway disabled=yes
/tool mac-server
add disabled=no interface=ether2-gateway
add disabled=no interface=ether3-master-local
add disabled=no interface=ether4-slave-local
add disabled=no interface=ether5-slave-local
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=ether2-gateway
add interface=ether3-master-local
add interface=ether4-slave-local
add interface=ether5-slave-local

Okay, as I understand it, your question is:

Can I have fail-over with HOT standby that will not drop a call in progress?

If that is your question the answer is NO. All connected sessions are broken when the IP address changes. Meaning all streaming music, all streaming video, all VOIP calls, and all online gaming sessions are BROKEN.

Now after being broken you simply must reestablish the session on your new WAN IP and everything starts to work again. Meaning just place your call again.

Well, as far as I can see there are methods to get this to work if RouterOS would allow the inbound RTP from the new address instead of blocking it because it has no record of the connection going out of the interface.

Some basic routers such as Draytek (Dual Wan) do this by default.

As far as SIP/RTP goes there is nothing preventing this from working; both the phone and the PBX instantly see the IP has changed and start sending the data back to that IP (by default in some platforms).
Remember, when I close the active connection that is still cached from the RouterOS GUI, WAN 2 immediately starts accepting the stream for some reason.

The issue is really that RouterOS does not allow a stream originally sent out on WAN1 to receive data on WAN2 as long as the original stream is still cached. This is what I’d need to change.
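As an added example (not posted by anyone in this thread), the manual "delete connection 4" fix can be automated with a netwatch rule: when the WAN1 gateway stops answering pings, the cached UDP connection entries towards the PBX are removed, so the phone's next SIP/RTP packet is tracked and NATed afresh through ether2-gateway. It assumes the PBX is 82.94.224.175 as in the connection list above, and GATEWAY_1 is a placeholder for the real next hop of ether1-gateway.

```routeros
# Added example, not from the original posts. Replace GATEWAY_1 with the
# ether1-gateway next-hop address; 82.94.224.175 is the hosted PBX seen in
# the connection list. Detection takes at most interval + timeout (here ~11s).
/tool netwatch
add host=GATEWAY_1 interval=10s timeout=1s comment="flush stale PBX conntrack on WAN1 change" \
    down-script="/ip firewall connection remove [find protocol=udp dst-address~\"^82.94.224.175:\"]" \
    up-script="/ip firewall connection remove [find protocol=udp dst-address~\"^82.94.224.175:\"]"
```

The same flush runs on the up-script so that fail-back to WAN1 does not leave entries bound to the WAN2 address; a gateway that answers ping while its upstream is dead will not trigger it, so a further-away host is a better watch target where available.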

/ip firewall nat
add action=masquerade chain=srcnat comment="NAT tabel BBned" out-interface=ether1-gateway to-addresses=0.0.0.0
add action=masquerade chain=srcnat comment="NAT Tabel UPC" out-interface=ether2-gateway

I don’t know for certain, but what is the effect of not specifying the to-address on a nat rule? Maybe add to-address=0.0.0.0 to the second rule.

I wonder if RouterOS takes the interface into account when creating new NAT table entries? i.e. ROS sees there is already a UDP connection from 192.168.88.100 on port 56917 to 82.94.224.175 on port 10007 and doesn’t create a new one for the new interface? (Speculation!) Worth an experiment I think!!

Rich

Try disabling those dropping rules in the firewall filter. The router might be considering the second connection, after wan1 fails, as invalid and thus dropping it. Also see if reducing the time-out of udp connections in connection table helps.

Hi,

I’d really like a similar setup. I’m actually just trying to get a dual wan (PPPoE and Diginet) to work at the moment. VoIP is not totally necessary.

I’d really appreciate it if you posted your config for me to test out. :)