Dual WAN Failover

Hi, everyone
It’s my first time using a MikroTik device (and advanced network solutions) and I’m having some trouble achieving what I want. I might be missing some concepts, so any new content will be more than welcome.
I’ve already been playing around for a few days, made my configs, made a few scripts, but I can’t really reach my goal.

I have a main link coming through WAN1 interface. It’s a PPPoE Client interface. Its default route has a distance of 1.
I also have a secondary link coming through WAN2 interface. This one is a DHCP Client (and I cannot change this, ISP won’t let me change router configs) with a DMZ associated to the leased IP. Its default route has a distance of 2.
On the LAN side I have a server connected, on which I want port 2222 to be accessible.

My idea is to achieve a failover in such a way that WAN1 is my default link and route, but that I could also access my server through WAN2 at any time. For now, I can only reach the server by using WAN1 public IP, but not WAN2.

My NAT rules:
#0 is a Loopback NAT, which is a src-nat with src-nat action to point my LAN IPs (from the DHCP Server) to the WAN1 or WAN2 public IP (a script does change that in case WAN1 is out);
#1 is a src-nat with masquerade action for both WAN1 and WAN2.
#2 is a dst-nat with dst-nat action to point incoming connections with port 2222 destination to my server LAN IP and port 2222.

I have no mangle rules for this as, in my thinking, I could let the connection come in through WAN1 or WAN2 and leave through the active route in /ip routes. As WAN1 and WAN2 have different distances, if WAN1 is out, WAN2 would be the in-use route. Is this failover right? Would it work at all?

Firewall also doesn’t seem to be the issue, but here are my rules:
#0 Accepts established and related connections
#1 Drops invalid connections
#2 Accepts ICMP (limited)
#3 Accepts WINBOX connection through LAN IPs
#4 Drops all the rest

I’d like some advice to achieve what I want and also if something should be better, such as my firewall rules, nat/mangle rules, etc.

Also, a concept doubt I have:
Is it possible for a TCP socket to be changed from WAN1 to WAN2 without breaking the connection?

Thanks!

You need some mangle rules to tell the router to send responses the same way the requests came in; it doesn’t happen automatically. Check this:

https://wiki.mikrotik.com/wiki/Manual:PCC

It’s about load balancing, but actual load balancing is only two rules with per-connection-classifier, so ignore them and examine the rest. You’re after those rules that mark connections and routing.
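As an added example (not from the thread or the PCC manual), here is the subset of that manual's approach reduced to what this failover needs: mark each inbound connection with the WAN it arrived on, then give the server's replies a routing mark so they leave through that same WAN instead of the main-table default route. Interface names (pppoe-out1, ether2-wan2, bridge-lan), the WAN2 gateway address and the RouterOS v6 syntax are assumptions; adjust them to your setup.

```routeros
# Added example, not the poster's config. Interface names and the WAN2 gateway are assumed.
# Mark NEW connections arriving on each WAN. This runs in prerouting, before the dst-nat
# to the server, so the forwarded port-2222 connection keeps the mark of its ingress WAN.
/ip firewall mangle
add chain=prerouting in-interface=pppoe-out1 connection-state=new \
    action=mark-connection new-connection-mark=wan1_conn passthrough=yes
add chain=prerouting in-interface=ether2-wan2 connection-state=new \
    action=mark-connection new-connection-mark=wan2_conn passthrough=yes

# Replies from the LAN server: pick the routing mark that matches the connection mark,
# so a reply to a client that came in via WAN2 is routed out WAN2 even while WAN1 is up.
add chain=prerouting in-interface=bridge-lan connection-mark=wan1_conn \
    action=mark-routing new-routing-mark=to_wan1 passthrough=no
add chain=prerouting in-interface=bridge-lan connection-mark=wan2_conn \
    action=mark-routing new-routing-mark=to_wan2 passthrough=no

# Replies generated by the router itself (ping, WinBox to a WAN address) pass through
# the output chain instead of prerouting, so they need the same treatment there.
add chain=output connection-mark=wan1_conn action=mark-routing new-routing-mark=to_wan1
add chain=output connection-mark=wan2_conn action=mark-routing new-routing-mark=to_wan2

# One default route per routing mark. The unmarked main table is left as it is
# (WAN1 distance 1, WAN2 distance 2) and still handles all LAN-originated traffic.
# 192.0.2.1 is a placeholder for the gateway the WAN2 DHCP client actually receives.
/ip route
add dst-address=0.0.0.0/0 gateway=pppoe-out1 routing-mark=to_wan1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.0.2.1 routing-mark=to_wan2 check-gateway=ping
```

On RouterOS v7 the marks must first exist as tables (`/routing table add name=to_wan1 fib` and likewise for to_wan2) and the routes use `routing-table=` instead of `routing-mark=`; in both versions, `/ip firewall connection print` during a test shows whether the expected connection mark was applied.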

I actually think that should work for failover only, if it doesn’t then I would want to do some tests to see what’s wrong during the failover situation. I presume your two Internet connections have different public IP addresses, so you have two NATs for your internal server one from each ISP. So in my mind it should work like this ..

Normal operation ..

  • Default route points out via ISP1
  • You access the server via port 2222 on ISP1 IP address
  • Reply from server follows default route out via ISP1
  • You can’t access from ISP2 because replies will still go via the ISP1 default route

When ISP1 fails it should now work ..

  • Default route points out via ISP2
  • You access the server via port 2222 on ISP2 IP address
  • Reply from server follows default route out via ISP2

One issue might be the Mikrotik hanging onto the first NAT even during failover to the second ISP, you would see this by looking at connections during the failover test. I had that issue with SIP on my network, the UDP traffic needs to be frequent enough to keep the NAT alive, and when the Mikrotik failed over it would send the traffic via the new connection by still using the old NAT.