So I have these two netwatch rules designed to trigger failover for two different ISPs that each get used as the primary WAN for different sets of routing rules
/tool netwatch
add comment="Internet Test 1.1.1.1" disabled=no down-script="/ip route disable [find where comment=WAN1]\r\
\n/ip fire conn\r\
\n:foreach idc in=[find where timeout>60] do={\r\
\n remove [find where .id=\$idc]\r\
\n}" host=1.1.1.1 http-codes="" test-script="" thr-avg=500ms thr-jitter=2s thr-max=2s thr-stdev=500ms type=icmp up-script=\
"/ip route enable [find where comment=WAN1]\r\
\n/ip fire conn\r\
\n:foreach idc in=[find where timeout>60] do={\r\
\n remove [find where .id=\$idc]\r\
\n}"
add comment="Internet Test 1.0.0.1" disabled=no down-script="/ip route disable [find where comment=WAN1-21]\r\
\n/ip fire conn\r\
\n:foreach idc in=[find where timeout>60] do={\r\
\n remove [find where .id=\$idc]\r\
\n}" host=1.0.0.1 http-codes="" test-script="" thr-avg=700ms thr-jitter=2s thr-loss-count=26 thr-loss-percent=100% thr-max=2s thr-stdev=500ms type=icmp up-script=\
"/ip route enable [find where comment=WAN1-21]\r\
\n/ip fire conn\r\
\n:foreach idc in=[find where timeout>60] do={\r\
\n remove [find where .id=\$idc]\r\
\n}"
Now my concern is this: if WAN2, which would be the primary Internet for routing table=WAN21, had an issue, would the netwatch down script trigger the command that breaks all connections, even the ones from WAN1 (main routing table)? I believe it would. Is there a safe way to clear those connections that would only affect WAN2?
(I did steal the
/ip firewall connection
:foreach idc in=[find where timeout>60] do={
 remove [find where .id=$idc]
}
from another post, shoutout @rextended, so maybe it's ok, but I'm not sure.)
I am trying to follow your netwatch script:
Simplified:
test 1.1.1.1
  if down:
    disable route WAN1
    clear all connections (with timeout more than 60 seconds)
  if up:
    enable route WAN1
    clear all connections (with timeout more than 60 seconds)
test 1.0.0.1
  if down:
    disable route WAN1-21
    clear all connections (with timeout more than 60 seconds)
  if up:
    enable route WAN1-21
    clear all connections (with timeout more than 60 seconds)
So, whatever happens, you are clearing all connections, so you want/need to select only the ones “belonging” to WAN1 or WAN1-21 routes/sets of routes, correct?
I think that a possible way would be to add a connection-mark via a mangle rule, so that you can “filter” the connections that “belong” to the one or the other (ISP or route), but whether it is possible to apply these connection-marks correctly may depend on how exactly your traffic is generated.
I hope I can get some eyes on this to tell me more or less if it might work.. So I was just thinking about adding these mangles for each network and how I decide to split the WANs
And then on the netwatch rule for ISP1, change it to..
/ip firewall connection remove [find where connection-mark=ISP1-1]
(along with the command to disable the route)
Instead of the other one I had before.
Now does adding these rules affect fasttrack at all? (I almost think it doesn't, because it's only marking packets and not doing anything with the “established/related” state packets.)
Also, would I need to be concerned about excluding more than just !local, maybe broadcast and unicast? I still will need things to communicate within the same broadcast domain (which I didn't think would be affected by the router anyway; “layer 2 doesn't need a router”).
Does the !local also avoid marking packets to the local devices, or just what is destined to the router?
Sorry, I feel like I'm rambling on my own post, but I wonder what actually happens if/after the Internet connection is actually down and the Internet failover is taking place. I'm going to need to lab this to see the behavior of all this once the Internet fails, and how the markings along with fail-back work.
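One way to wire up the connection-marking the reply suggests and the per-WAN clearing the poster's proposed rule is aiming at, as an added example that is not code from this thread or from rextended's post. The interface names (ether2 for the LAN that uses the main table/WAN1, ether3 for the LAN that uses table WAN21/WAN2), the script names and the ISP2-1 mark are assumptions; the route comments WAN1 and WAN1-21 and the netwatch thresholds are taken from the export above.

```routeros
# Added example, not from the thread. Assumed layout: ether2 = LAN routed via the main
# table (WAN1), ether3 = LAN routed via table WAN21 (WAN2); routes carry comment=WAN1
# and comment=WAN1-21 as in the poster's export.

# 1. Tag every NEW connection with the LAN it entered from. Only the first packet is
#    evaluated (connection-state=new); later packets, fasttracked or not, never need to
#    hit mangle again because the mark is stored on the conntrack entry itself.
#    dst-address-type=!local keeps traffic to the router (DNS, Winbox, SSH) unmarked,
#    so clearing marks never drops management sessions. LAN-to-LAN routed traffic is
#    still marked; exclude it with a dst-address-list if that matters in your setup.
/ip firewall mangle
add chain=prerouting in-interface=ether2 connection-state=new dst-address-type=!local \
    action=mark-connection new-connection-mark=ISP1-1 passthrough=yes \
    comment="LAN-A conns (normally WAN1)"
add chain=prerouting in-interface=ether3 connection-state=new dst-address-type=!local \
    action=mark-connection new-connection-mark=ISP2-1 passthrough=yes \
    comment="LAN-B conns (normally WAN2)"

# 2. One script per WAN that flips the route and removes ONLY that WAN's connections,
#    so a WAN2 outage no longer resets sessions that always went out WAN1.
#    Netwatch runs its scripts with a limited policy; keep the scripts' policy
#    equally small (least privilege) or "script run" is refused.
/system script
add name=wan2-down policy=read,write,test source={
    /ip route disable [find where comment="WAN1-21"]
    :foreach c in=[/ip firewall connection find where connection-mark="ISP2-1"] do={
        /ip firewall connection remove $c
    }
    :log warning "WAN2 down: route WAN1-21 disabled, ISP2-1 connections cleared"
}
add name=wan2-up policy=read,write,test source={
    /ip route enable [find where comment="WAN1-21"]
    # clear again on fail-back, so sessions that failed over to WAN1 re-establish via WAN2
    :foreach c in=[/ip firewall connection find where connection-mark="ISP2-1"] do={
        /ip firewall connection remove $c
    }
    :log info "WAN2 up: route WAN1-21 enabled, ISP2-1 connections cleared"
}

# 3. Netwatch only decides up/down and calls the matching script.
/tool netwatch
add comment="Internet Test 1.0.0.1" host=1.0.0.1 type=icmp thr-avg=700ms thr-max=2s \
    thr-jitter=2s thr-stdev=500ms \
    down-script="/system script run wan2-down" up-script="/system script run wan2-up"

# 4. Verify before relying on it: each LAN's traffic must actually show up under its mark.
/ip firewall connection print count-only where connection-mark=ISP1-1
/ip firewall connection print count-only where connection-mark=ISP2-1
```

Run the two print commands with traffic flowing from each LAN, then pull the WAN2 uplink in a lab and confirm the log line appears and the ISP1-1 count is unchanged.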