hEX - Unable to ping outside of backup internet connection

McAnix · July 25, 2018, 6:48am

I have a hEX RB750GR3 router with the following setup:

ether1-fibre → fibre router (CISCO) - Intended as primary internet
ether2-lte → LTE router (Huawei B618) - Intended as backup internet
ether3-master → POE switch - For SIP phones and Wifi POE - Intended to be master-port
ether4 → Gigabit switch - For PCs

ADDRESSES

Flags: X - disabled, I - invalid, D - dynamic 
 #   ADDRESS            NETWORK         INTERFACE                                
 0   ;;; defconf
     192.168.88.1/24    192.168.88.0    bridge1                                  
 1 X 192.168.55.1/24    192.168.55.0    *1                                       
 2   192.168.8.2/24     192.168.8.0     ether2-lte                               
 3 D 10.0.0.3/24        10.0.0.0        ether1-fibre

ROUTES:

Flags: X - disabled, A - active, D - dynamic, 
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 A S  ;;; Default Route
        0.0.0.0/0                          ether1-fibre              1
 1   S  0.0.0.0/0                          ether2-lte                2
 2 ADC  10.0.0.0/24        10.0.0.3        ether1-fibre              0
 3 ADC  192.168.8.0/24     192.168.8.2     ether2-lte                0
 4 ADC  192.168.88.0/24    192.168.88.1    bridge1                   0

NAT:

Flags: X - disabled, I - invalid, D - dynamic 
 0    chain=srcnat action=masquerade out-interface=ether1-fibre log=no 
      log-prefix="" 

 1    chain=srcnat action=masquerade out-interface=ether2-lte log=no 
      log-prefix=""

INTERFACES:

Flags: D - dynamic, X - disabled, R - running, S - slave 
 #     NAME                                TYPE       ACTUAL-MTU L2MTU  MAX-L2MTU
 0  R  ether1-fibre                        ether            1500  1596       2026
 1  R  ether2-lte                          ether            1500  1598       2026
 2  RS ether3-master                       ether            1500  1598       2026
 3  RS ether4                              ether            1500  1598       2026
 4     ether5                              ether            1500  1598       2026
 5  R  ;;; created from master port
       bridge1                             bridge           1500  1598

PROBLEM:
The primary internet works fine and I have gateway-check=“ping”, however when attempting to fail over to the backup internet the routing breaks.

DIAGNOSIS:

I can ping the LTE router (192.168.8.1) from the Mikrotik and my internal network
I can ping the outside network from the LTE router so the internet connection is working (via the browser interface)
I see connection probes coming through the LTE router from the internet to the Mikrotik firewall
I cannot ping outside network from the Mikrotik when specifying the ether2-lte interface. It returns “timeout” then intermittently “192.168.8.2 host unreachable”
If I adjust the distance on the ether1-fibre route so the ether2-lte becomes active then nothing works

SUMMARY:
This should be working and I don’t understand why it’s not. I suspect it may be due to me importing the config from a hEX LITE router which caused some issues with the master-port and switching ports.

If there is any other information I can provide please ask

CZFan · July 25, 2018, 9:44pm

The first thing you should correct is your default routes should not point to interface, but to IP of gateway

McAnix · July 27, 2018, 7:39am

Thanks for the advice CZFan.

I don’t think it relates to my issues though.

skylark · July 27, 2018, 12:10pm

Routes with interface name as the value of gateway are not used for nexthop lookup!

McAnix · August 2, 2018, 1:11pm

I understand and will sort out the routes. The issues exist even when I plug the LTE router into ether-fibre to be the first hop.

There is something going on between the Mikrotik and the Huawei router.

bramwittendorp · August 2, 2018, 5:44pm

Can you post your firewall config as well? You can anonimize it, but maybe there’s something in the firewall that’s missing the correct interface?

McAnix · August 7, 2018, 7:27am

So there was a red-herring in the fact that the mikrotik could not ping through the interface. After fixing my IP address and setting the interface through the nexthop IP everything worked.

Thanks guys…