Failover to LTE on ROS7 (with ping-check to remote host) ??

OlofL · November 29, 2021, 5:20pm

I have an LtAP LTE6 and run ROS v7.1rc7

I have a static default route on ether1
And dynamic IP from LTE with dynamic gateway and higher distance.

I want to ping-check a remote host (eg 8.8.8.8/1.1.1.1) via static default route. (because the default gateway can be up, and isp network down)
If ping-check fails x-amount of times, I want to failover default to whatever the gateway of LTE is.

If ping-check succeeds via ether1 again, set default route back to ether1 gateway.

I am looking at https://help.mikrotik.com/docs/pages/viewpage.action?pageId=26476608
Some of the commands in ros7 doesnt exist, so I had to tweak it.

My attempt

/interface lte apn
set [ find default=yes ] add-default-route=no apn=xxx use-peer-dns=no
/ip dhcp-client
add add-default-route=no interface=ether1
/ip firewall mangle
add action=mark-connection chain=output connection-mark=no-mark connection-state=new new-connection-mark=ISP1_conn out-interface=ether1
add action=mark-routing chain=output connection-mark=ISP1_conn new-routing-mark=to_ISP1 out-interface=ether1
add action=mark-connection chain=output connection-mark=no-mark connection-state=new new-connection-mark=ISP2_conn out-interface=lte1
add action=mark-routing chain=output connection-mark=ISP2_conn new-routing-mark=to_ISP2 out-interface=lte1
/ip route
add dst-address=8.8.8.8 gateway=172.16.179.1 scope=10
add dst-address=8.8.8.8 gateway=lte1 scope=10
add check-gateway=ping distance=1 gateway=8.8.8.8 routing-table=to_ISP1
add check-gateway=ping distance=1 gateway=8.8.8.8 routing-table=to_ISP2

===
No route becomes active

[admin@MikroTik] /ip> route/print 
Flags: D - DYNAMIC; I, A - ACTIVE; c, s, y - COPY; H - HW-OFFLOADED; + - ECMP
Columns: DST-ADDRESS, GATEWAY, DISTANCE
#       DST-ADDRESS       GATEWAY       DISTANCE
0  As + 8.8.8.8/32        lte1                 1
1  As + 8.8.8.8/32        172.16.179.1         1
  DAc   100.96.231.83/32  lte1                 0
  DAc   172.16.179.0/24   ether1               0
2  IsH  0.0.0.0/0         8.8.8.8              1
3  IsH  0.0.0.0/0         8.8.8.8              1

====
After this I can ping 8.8.8.8., but obviously nothing else works.

I feel its pretty close to solving this now?

anav · November 29, 2021, 6:43pm

Why posting here, its beta firmware…
https://forum.mikrotik.com/viewforum.php?f=1

Amm0 · November 29, 2021, 7:03pm

Maybe use distance=2 on the LTE /ip/route for 8.8.8.8 and 0.0.0.0. The default LTE distance is controlled by the APN Profile (/interface/lte/apn), so maybe set that to 2.

Amm0 · November 29, 2021, 7:13pm

BTW I’d guess it’s actually load balancing (called “ECMP”) the networks, that’s what the “+” means in the route table in v7 – does have A for active on both

The nitty gritty is v7 changed routing, thus @anav’s suggestion to post there. But yeah the “v7 docs” suggest distance=2:
https://help.mikrotik.com/docs/pages/viewpage.action?pageId=26476608

with additional subtle detail, likely around v7, they use different DNS servers to check in their examples, thus producing different routes:

/ip/route/
add dst-address=8.8.8.8 scope=10 gateway=10.111.0.1
add dst-address=8.8.4.4 scope=10 gateway=10.112.0.1

But v7 changed some properties of route selection, in subtle ways, see: https://help.mikrotik.com/docs/display/ROS/How+Packets+Are+Routed

Changing target-scope or gateway-check of a route in v7 will not affect other routes, as it does in v6. In v7 target-scope and gateway-check are properties that are internally attached to the gateway, not to the route.

So hard to know…

OlofL · November 29, 2021, 8:30pm

It didnt work to change to distance=2.
I still don’t get any of the default routes active. But yeah, now the 8.8.8.8/32 route is not load balanced.
I will repost this in beta-forum I guess.

But I found a workaround… I had to disable the mangle rules to get this working, also just enable lte apn to add default route.
I will have to do some more testing to see if this is good enough.

/ip route
add dst-address=1.1.1.1/32 gateway=172.16.179.1            scope=11 target-scope=10
add dst-address=0.0.0.0/0  gateway=1.1.1.1      check-gateway=ping  target-scope=11

This combined with an wireguard tunnel - which is stateless - will seamlessly failover very nicely for my OOB network

Amm0 · November 29, 2021, 8:47pm

If your goal is use ether1 as primary (and has static default gateway******), and you set the default route distance in the LTE APN, that may enough without any mangle rules. While “check-gateway” doesn’t check the internet is up, if you ether1’s default gateway generally goes down when the internet goes day (say a wireless link drops), it will still failover even without mangle. Those firewall manage rules and DNS-based routes, do check “the internet” works, but most of the time it the last mile that fails, not stuff within the ISP to internet (which the 8.8.8.8 “failover” stuff does do a good job of check) – but makes this very complex in v7 to think about what’s going on…

Now in v7 there may be a different approach that check 8.8.8.8, “Detect Internet”: https://help.mikrotik.com/docs/display/ROS/Detect+Internet . This does ping stuff, but not sure it effects the routing table – their smartphone apps steer people to enabling this, but AFAIK it just shows the status, and doesn’t take any action itself.

Not the expert & didn’t try it… but I suspect, since “Detect Internet” does change the /interface/list an interface belongs to based on a ping check to internet, it should move it the ether1 out of WAN if it doesn’t have internet. Now that won’t alone effect routing, but could be used somehow to (and maybe there is some technical to use Detect Internet in routing but docs are unclear on that…). Even so, you’d still like the default route distance for LTE bigger than ether1.

Note ****** For DHCP WAN address, you used to be able use this trick to add “check-gateway” to dynamically generated routes, like from DHCP client:

/routing filter add chain=dynamic-in set-check-gateway=ping

But not anymore: http://forum.mikrotik.com/t/v7-filter-dynamic-in-set-check-gateway-option-not-found/153188/4 … in your case, if LTE fails, you don’t have another option, so you don’t need ran into this, but a lot of WAN connections do use DHCP, so I mention it.[/i]

OlofL · November 29, 2021, 9:02pm

Exactly - this is a LTE router that is used for OOB mgmt. The router uses a “call home” VPN via wireguard which is stateless. The OOB network is usually stable and will be used from our DC for some monitoring on a daily basis.

When shit hits the fan (either from ISP, or from ourselves) the router will just failover to the LTE connection so that I still can VPN into the OOB network and trouble shoot!

I think this will work well

Amm0 · November 29, 2021, 9:03pm

Also, I think you want the “check-gateway” on your 1.1.1.1 route. But not sure if that’s the only issue here.

WRT to which forum group, I don’t know the etiquette re using v7 in “beginner basics” (technically v7 is released for RB5009 and Chateau) & I don’t like cross posts myself. But imagine more people using v7 follow that list.

OlofL · November 29, 2021, 9:46pm

No, the correct way is to “check-gateway” on the gateway.

And no, there are no more issues, it works fine this way.