Improvements for WAN-Backup Script

Hi,
We have a Cloud Core Router with two WAN connections. The connection type is LTE. As is known, there are sometimes troubles with the LTE connection, so I made a backup for those connections (also LTE, but at a different location).
The script is currently working as expected, but it would be great if anybody can help me to improve the script.

The biggest problem is the flapping from netwatch. So if there are any troubles on connection A, netwatch detects that connection A is down and switches to B. But if connection A is back again within 1 minute, it will immediately switch back.

My suggestion is that it should only switch back if there are troubles with connection B. So I wouldn't prefer to always use connection A.

The many switches kill my IPsec tunnels every time.

/tool netwatch
add down-script=WAN1_Down host=172.28.xxx.xxx interval=10s timeout=800ms up-script=WAN1_UP

WAN1_Down

# WAN1_Down: runs when netwatch sees the WAN1 check host go down
/interface ethernet enable WAN2
# point the default route at the WAN2 gateway
/ip route set [/ip route find dst-address=0.0.0.0/0] gateway=192.168.20.1
# NAT: disable the rules tagged "WAN1" in their comment, enable the ones tagged "WAN2"
:foreach i in [/ip firewall nat find] do={
  :if ("." . [:find [/ip firewall nat get $i comment] "WAN1"] . "."!="..") do={
    /ip firewall nat set $i disabled=yes
  }
}
:foreach i in [/ip firewall nat find] do={
  :if ("." . [:find [/ip firewall nat get $i comment] "WAN2"] . "."!="..") do={
    /ip firewall nat set $i disabled=no
  }
}
# filter rules: same swap by comment tag
:foreach i in [/ip firewall filter find] do={
  :if ("." . [:find [/ip firewall filter get $i comment] "WAN1"] . "."!="..") do={
    /ip firewall filter set $i disabled=yes
  }
}
:foreach i in [/ip firewall filter find] do={
  :if ("." . [:find [/ip firewall filter get $i comment] "WAN2"] . "."!="..") do={
    /ip firewall filter set $i disabled=no
  }
}
# IPsec policies: switch from the "normal" to the "backup" policies
:foreach i in [/ip ipsec policy find] do={
  :if ("." . [:find [/ip ipsec policy get $i comment] "normal"] . "."!="..") do={
    /ip ipsec policy set $i disabled=yes
  }
}
:foreach i in [/ip ipsec policy find] do={
  :if ("." . [:find [/ip ipsec policy get $i comment] "backup"] . "."!="..") do={
    /ip ipsec policy set $i disabled=no
  }
}
# drop the existing IPsec SAs so the peers re-establish over WAN2
/ip ipsec remote-peers kill-connections

And currently I have added a route so that the ping to the check host can only go through WAN1 and not WAN2. So I can still ping even if WAN2 is the primary connection. To prevent the ping from going through WAN2 I also installed a firewall rule.

So that's it,
I hope anybody can help me.

Thanks!

Nobody got an improvement?

Push,
no one got an idea for an improvement?

Why not monitor at least two different hosts to get an accurate result? It is better to use a script with the scheduler to get better and customized results. You can modify this script/scheduler to suit your needs, e.g. once the shift to B is done, it should not move back to A until it detects no link with B.

Here’s something to think about, but please remember that I haven’t tested it!

Instead of just disabling and enabling default routes, why not change their administrative distances when the gateway changes?

So: Connection A has a default gateway of 1.1.1.1 with an administrative distance of 1 and Connection B has a default gateway of 2.2.2.2 with an administrative distance of 10.

If A goes down, B takes over, but to prevent A from flipping back automatically, have the script change the administrative distance of A to 20 (or something higher than 10).

If and when B goes down, it will automatically flip back to A, and just reset the A administrative distance to 1 (default).

Note: Your NAT modification rules will remain the same as you currently have them.
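As an added example of the administrative-distance approach above (not the poster's script, not tested on this setup), the netwatch entries and the three small scripts below implement the hysteresis: A is demoted when it fails and is only promoted again when B is failing. The route comments "WANA"/"WANB", the gateways 1.1.1.1 and 2.2.2.2, the monitor addresses 192.0.2.10/192.0.2.20 and the netwatch comments are assumptions; each monitor host still needs the per-WAN /32 route and firewall rule the original post already uses.

```routeros
# Added example (untested): default-route failover with hysteresis via administrative distance.
# Assumptions: default routes commented "WANA" (gateway 1.1.1.1, distance 1) and "WANB"
# (gateway 2.2.2.2, distance 10); placeholder monitor hosts 192.0.2.10 / 192.0.2.20, each
# pinned to its own WAN with a static /32 route as in the original post.
/tool netwatch
add host=192.0.2.10 interval=10s timeout=800ms comment="WANA monitor" down-script=WANA_Down up-script=WANA_Up
add host=192.0.2.20 interval=10s timeout=800ms comment="WANB monitor" down-script=WANB_Down

# --- script WANA_Down ---
# A failed: push it below B (distance 20 > 10) so B carries the traffic from now on
:local rA [/ip route find comment="WANA"]
:if ([/ip route get $rA distance] = 1) do={
  /ip route set $rA distance=20
  # NAT / filter / IPsec policy switching from the original WAN1_Down script goes here
  /ip ipsec remote-peers kill-connections
  :log warning "WAN A down: demoted to distance 20, traffic now via B"
}

# --- script WANB_Down ---
# B failed while A was demoted: promote A again, but only if A's monitor currently sees it up
:local rA [/ip route find comment="WANA"]
:local aStatus [/tool netwatch get [/tool netwatch find comment="WANA monitor"] status]
:if ([/ip route get $rA distance] = 20 && $aStatus = "up") do={
  /ip route set $rA distance=1
  # reverse the NAT / filter / IPsec policy switching here
  /ip ipsec remote-peers kill-connections
  :log warning "WAN B down: A restored to distance 1"
}

# --- script WANA_Up ---
# A recovered: deliberately do nothing unless B is failing right now, so A does not flap back
:local rA [/ip route find comment="WANA"]
:local bStatus [/tool netwatch get [/tool netwatch find comment="WANB monitor"] status]
:if ([/ip route get $rA distance] = 20 && $bStatus = "down") do={
  /ip route set $rA distance=1
  # reverse the NAT / filter / IPsec policy switching here
  /ip ipsec remote-peers kill-connections
  :log warning "WAN A up while B down: A restored to distance 1"
}
```

Because the WANA_Up script only acts when B is already down, a short LTE outage on A no longer causes a switch back, so the IPsec tunnels are only reset on a real change of the active WAN.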