Failover

I’ve been racking my brain over this for a while and can’t find a solution.

I need to create a failover with two WANs, which I successfully achieve in the following way:

/ip route
add comment="ISP1 Route IP-DNS" disabled=no distance=2 dst-address=1.0.0.1/32 \
    gateway=10.2.2.1 pref-src="" routing-table=main scope=10 \
    suppress-hw-offload=no target-scope=10
add comment="ISP2 Route IP-DNS" disabled=no distance=2 dst-address=8.8.4.4/32 \
    gateway=10.1.1.1 pref-src="" routing-table=main scope=10 \
    suppress-hw-offload=no target-scope=10
add check-gateway=ping comment="ISP1 WAN Routing 1" disabled=no distance=9 \
    dst-address=0.0.0.0/0 gateway=1.0.0.1 pref-src="" routing-table=main \
    scope=30 suppress-hw-offload=no target-scope=11
add check-gateway=ping comment="ISP2 WAN Routing 2" disabled=no distance=10 \
    dst-address=0.0.0.0/0 gateway=8.8.4.4 pref-src="" routing-table=main \
    scope=30 suppress-hw-offload=no target-scope=11

However, using this method, if I try to access the router externally through WAN2 (for monitoring, for example), I can’t.

I’ve tried different methods with a separate routing table and mangle rules, and I can successfully connect externally through WAN1 and WAN2, but I can’t get the failover to work for the endpoints connected to the LAN network.

In the case of Primary WAN1 and Secondary or Backup WAN2: In this case all traffic exits the router via WAN1 and one thinks primarily of LAN traffic. However, any externally originated traffic arriving at the router will come in on the appropriate WAN (by IP address or dyndns URL) but will exit WAN1.
To ensure traffic to WAN1 (ping the router or VPN) and to WAN2 goes back out the same WAN, we typically have to mangle traffic.

Hi, yes, and to send traffic to a specific WAN you have to use route tables. As soon as I configure a specific Routing Table for WAN2, failover stops working. I tried different mangle rules but I can’t figure out how to route traffic to WAN2 when WAN1 is down; it keeps using the main Routing table.

If WAN1 is primary,

/routing table
add fib name=via-WAN2
/ip firewall mangle
add chain=input action=mark-connection connection-mark=no-mark in-interface=WAN2 \
    new-connection-mark=incoming-wan2 passthrough=yes
add chain=output action=mark-routing connection-mark=incoming-wan2 \
    new-routing-mark=via-WAN2 passthrough=no
/ip route
add check-gateway=ping dst-address=0.0.0.0/0 gateway=wan1-gateway-IP routing-table=main
add distance=2 dst-address=0.0.0.0/0 gateway=wan2-gateway-ip routing-table=main
add dst-address=0.0.0.0/0 gateway=wan2-gateway-ip routing-table=via-WAN2

If you are doing recursive routing… (ensure recursive dns addresses are different from ip dns ones)
/ip route
add check-gateway=ping dst-address=0.0.0.0/0 gateway=1.0.0.1 routing-table=main scope=10 target-scope=12
add distance=2 dst-address=0.0.0.0/0 gateway=8.8.4.4 routing-table=main scope=10 target-scope=12
++++++++++
add dst-address=1.0.0.1/32 gateway=wan1-gateway-ip routing-table=main scope=10 target-scope=11
add distance=2 dst-address=8.8.4.4/32 gateway=wan2-gateway-ip routing-table=main scope=10 target-scope=11
+++++++++++
add dst-address=0.0.0.0/0 gateway=wan2-gateway-ip routing-table=via-WAN2
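
Added example, not part of any post in this thread: a simplified Python model of the non-recursive configuration above, showing why replies to connections arriving on WAN2 leave via WAN1 without the mangle rules, and why marking only the input/output chains leaves LAN failover in the main table intact. The function names and the fallback-to-main lookup are assumptions of this model, not RouterOS code.

```python
# Simplified model (an assumption, not RouterOS code) of how the router picks
# an exit WAN: per-table default routes, lowest distance among active routes,
# and fallback to "main" when the marked table has no usable route.
from dataclasses import dataclass

@dataclass
class Route:
    table: str
    gateway: str                 # name of the WAN the gateway sits on
    distance: int = 1
    check_gateway: bool = False  # route goes inactive when the gateway stops answering

# Default routes from the reply above (non-recursive variant).
ROUTES = [
    Route("main", "WAN1", distance=1, check_gateway=True),
    Route("main", "WAN2", distance=2),
    Route("via-WAN2", "WAN2"),
]

def connection_mark(chain, in_interface):
    """mangle input rule: mark new connections that arrive on WAN2."""
    return "incoming-wan2" if chain == "input" and in_interface == "WAN2" else None

def routing_mark(chain, conn_mark):
    """mangle output rule: the router's replies on a marked connection use via-WAN2."""
    return "via-WAN2" if chain == "output" and conn_mark == "incoming-wan2" else None

def lookup(table, down=frozenset()):
    """Return the exit WAN: best active route in `table`, else fall back to main."""
    for tbl in dict.fromkeys([table or "main", "main"]):
        active = [r for r in ROUTES if r.table == tbl
                  and not (r.check_gateway and r.gateway in down)]
        if active:
            return min(active, key=lambda r: r.distance).gateway
    return None

def reply_exit(in_interface, mangle=True, down=frozenset()):
    """Exit WAN for the router's reply to a connection that arrived on in_interface."""
    mark = connection_mark("input", in_interface) if mangle else None
    return lookup(routing_mark("output", mark), down)

def lan_exit(down=frozenset()):
    """LAN traffic is forwarded, never hits the input/output rules, so it uses main."""
    return lookup(None, down)
```
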