Problem with dual wan failover not moving back to primary.

tricksol · December 19, 2015, 2:53pm

Backgound: A remote site of mine has two connections

Connection 1: Att Uverse DSL
Connection 2: Verizon LTE service on cradlepoint in bridge mode.

IP’s have been change for privacy reasons.

Because the uverse can’t be put into bridge mode we had to configure it with the public statics on it’s lan side and turn on cascading router. This option gives is our /29 to use but also breaks the check gateway because the gateway is always up even if we have a provider cut. The lte gateways is far off the device so it would work as expected but I don’t want it to be a provider unless the primary has gone down.

I have setup mangle rules to tag traffic so the come in and out on the same provider and found a wan failover script on the wiki that sorta works.

If I am on the primary I can select ping and choose an interface and pings are normal times, if I select the secondary interface the pings are long like they should be on a lte connection.

Script runs every 10 seconds and will fail over to the secondary when it fails but will not bring up the primary once its restored. Once it’s failed over I can no longer ping out the primary interface so the ping are not restored and the script doesn’t return the distance on the gateways.

Can someone help me correct this issue?

/ip firewall mangle
add action=mark-connection chain=input in-interface=ether1-WAN
new-connection-mark=isp1-in
add action=mark-routing chain=output connection-mark=isp1-in
new-routing-mark=isp1-out passthrough=no
add action=mark-connection chain=input in-interface=ether2-WAN
new-connection-mark=isp2-in
add action=mark-routing chain=output connection-mark=isp2-in
new-routing-mark=isp2-out passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1-WAN
add action=masquerade chain=srcnat out-interface=ether2-WAN
/ip route
add distance=1 gateway=10.0.0.1 routing-mark=isp1-out
add distance=2 gateway=172.16.0.1 routing-mark=isp2-out
add distance=2 gateway=172.16.0.1
add distance=1 gateway=10.0.0.1

/system scheduler
add interval=10s name=DualWanFailover on-event=DualWanFailover policy=
ftp,reboot,read,write,policy,test,password,sniff,sensitive start-date=
nov/18/2015 start-time=21:51:02
/system script
add name=DualWanFailover owner=admin policy=
ftp,reboot,read,write,policy,test,password,sniff,sensitive source=“# ----
--------------- header -------------------
\n# Script by Tomas Kirnak, version 1.0.7
\n# If you use this script, or edit and
\n# re-use it, please keep the header intact.
\n#
\n# For more information and details about
\n# this script please visit the wiki page at
\n# http://wiki.mikrotik.com/wiki/Failover_Scripting\
\n# ------------------- header -------------------
\n
\n
\n
\n# ------------- start editing here -------------
\n# Edit the variables below to suit your needs
\n
\n# Please fill the WAN interface names
\n:local InterfaceISP1 ether1-WAN
\n:local InterfaceISP2 ether2-WAN
\n
\n# Please fill the gateway IPs (or interface names in case of PPP)
\n:local GatewayISP1 10.0.0.1
\n:local GatewayISP2 172.16.0.1
\n
\n# Please fill the ping check host - currently: resolver1.opendns.com
\n:local PingTarget 208.67.222.222
\n
\n# Please fill how many ping failures are allowed before fail-over happe
nds
\n:local FailTreshold 20
\n
\n# Define the distance increase of a route when it fails
\n:local DistanceIncrease 2
\n
\n# Editing the script after this point may break it
\n# -------------- stop editing here --------------
\n
\n
\n
\n# Declare the global variables
\n:global PingFailCountISP1
\n:global PingFailCountISP2
\n
\n# This inicializes the PingFailCount variables, in case this is the 1st
_time the script has ran
\n:if ([:typeof $PingFailCountISP1] = "nothing") do={:set PingFailCoun
tISP1 0}
\n:if ([:typeof $PingFailCountISP2] = "nothing") do={:set PingFailCoun
tISP2 0}
\n
\n# This variable will be used to keep results of individual ping attempt
s
\n:local PingResult
\n
\n
\n
\n# Check ISP1
\n:set PingResult [ping $PingTarget count=1 interface=$InterfaceISP1]
\n:put $PingResult
\n
\n:if ($PingResult = 0) do={
\n\t:if ($PingFailCountISP1 < ($FailTreshold+2)) do={
\n\t\t:set PingFailCountISP1 ($PingFailCountISP1 + 1)
\n\t\t
\n\t\t:if ($PingFailCountISP1 = $FailTreshold) do={
\n\t\t\t:log warning "ISP1 has a problem en route to $PingTarget - incr
easing distance of routes."
\n\t\t\t:foreach i in=[/ip route find gateway=$GatewayISP1 && static] do
=\
\n\t\t\t\t{/ip route set $i distance=([/ip route get $i distance] + $D
istanceIncrease)}
\n\t\t\t:log warning "Route distance increase finished."
\n\t\t}
\n\t}
\n}
\n:if ($PingResult = 1) do={
\n\t:if ($PingFailCountISP1 > 0) do={
\n\t\t:set PingFailCountISP1 ($PingFailCountISP1 - 1)
\n\t\t
\n\t\t:if ($PingFailCountISP1 = ($FailTreshold -1)) do={
\n\t\t\t:log warning "ISP1 can reach $PingTarget again - bringing back
original distance of routes."
\n\t\t\t:foreach i in=[/ip route find gateway=$GatewayISP1 && static] do
=\
\n\t\t\t\t{/ip route set $i distance=([/ip route get $i distance] - $D
istanceIncrease)}
\n\t\t\t:log warning "Route distance decrease finished."
\n\t\t}
\n\t}
\n}
\n
\n
\n
\n# Check ISP2
\n:set PingResult [ping $PingTarget count=1 interface=$InterfaceISP2]
\n:put $PingResult
\n
\n:if ($PingResult = 0) do={
\n\t:if ($PingFailCountISP2 < ($FailTreshold+2)) do={
\n\t\t:set PingFailCountISP2 ($PingFailCountISP2 + 1)
\n\t\t
\n\t\t:if ($PingFailCountISP2 = $FailTreshold) do={
\n\t\t\t:log warning "ISP2 has a problem en route to $PingTarget - incr
easing distance of routes."
\n\t\t\t:foreach i in=[/ip route find gateway=$GatewayISP2 && static] do
=\
\n\t\t\t\t{/ip route set $i distance=([/ip route get $i distance] + $D
istanceIncrease)}
\n\t\t\t:log warning "Route distance increase finished."
\n\t\t}
\n\t}
\n}
\n:if ($PingResult = 1) do={
\n\t:if ($PingFailCountISP2 > 0) do={
\n\t\t:set PingFailCountISP2 ($PingFailCountISP2 - 1)
\n\t\t
\n\t\t:if ($PingFailCountISP2 = ($FailTreshold -1)) do={
\n\t\t\t:log warning "ISP2 can reach $PingTarget again - bringing back
original distance of routes."
\n\t\t\t:foreach i in=[/ip route find gateway=$GatewayISP2 && static] do
=\
\n\t\t\t\t{/ip route set $i distance=([/ip route get $i distance] - $D
istanceIncrease)}
\n\t\t\t:log warning "Route distance decrease finished."
\n\t\t}
\n\t}
\n}”

dareru · January 1, 2016, 2:05pm

Remove all your mangle and only use this routing. The distance 1 will be your primary.

/ip route
add gateway=10.0.0.1 scope=10
add gateway=172.16.0.1 scope=10

add distance=1 gateway=10.0.0.1 check-gateway=ping
add distance=2 gateway=172.16.0.1 check-gateway=ping

plisken · January 8, 2016, 8:31pm

See on my website

Failover and load balancing configuration.

See configuration5

You can edit the IP-addresses and use this code.

Made for RB2011 UAS-RM and RB951G 2HnD

http://www.wirelessinfo.be/index.php/mikrotik/pages/confige

tricksol · January 27, 2016, 4:26pm

Do i still need the scrip to move them or just dump it all and use your example?

tricksol · January 27, 2016, 4:30pm

I don’t want load balancing only failover jut FYI.

scampbell · February 2, 2016, 10:51pm

dareru’s excellent answer is for failover only and will work well.

If you use a dynamic protocol on your WAN such as DHCP or PPPoE you will need to ensure you set the default-route-distance to something other than 0 on your backup wan for this to work

If you want to be able to manage your router via either wan for whatever reason then you would need your mangle rules to mark new-connections from both wan interface’s and then add a routing mark to the output chains to ensure the reply packet goes out the correct wan.

This would allow you to send all outbound through WAN1, connect to your router from the world via either WAN.

/ip route add gateway=1.1.1.1 distance=1 check-gateway=ping
/ip route add gateway=2.2.2.2 distance=30 check-gateway=ping
/ip route add gateway=1.1.1.1 routing-mark=wan1
/ip route add gateway=2.2.2.2 routing-mark=wan2

/ip firewall mangle
add chain=prerouting in-interface=wan1 connection-state=new action=mark-connection new-connection-mark=wan1
add chain=prerouting in-interface=wan2 connection-state=new action=mark-connection new-connection-mark=wan2
add chain=output connection-mark=wan1 action=mark-routing new-routing-mark=wan1
add chain=output connection-mark=wan2 action=mark-routing new-routing-mark=wan2

and if required for inboubd dst-nat rules …

add chain=prerouting in-interface=bridge-lan connection-mark=wan1 action=mark-routing new-routing-mark=wan1
add chain=prerouting in-interface=bridge-lan connection-mark=wan2 action=mark-routing new-routing-mark=wan2

Hope this helps

tricksol · February 3, 2016, 1:28am

Thanks I will try it tonight.

brwainer · February 5, 2016, 2:52am

the problem I see with both of these posted replies is that both use “check-gateway = ping” but OP stated that the Uverse (primary gateway) is always up because it can’t be bridged.

tricksol · February 5, 2016, 3:01am

Thanks your the first one to notice that… The check gateway work correctly in GNS3 with CHR images so what they are saying works. If only I had bridge mode we’d be good.

I just want someone to tell me why the config can ping out both interfaces when it’s on 1 and 2 default routes but when 1 moves to 3 it can’t send a ping out its interface. If this would happen it would fail back over and all would be good.

keithy · February 5, 2016, 7:04pm

Try this method. Works well when you cant bridge devices

http://blog.ispsupplies.com/mikrotik-automatic-failover-two-gateways/

HTH

tricksol · February 6, 2016, 4:59am

Oh snap where have you been…I’ve been fighting with this for a month now. Thank you very much for stopping by and helping me with my issue. Works perfect, just tested in gns3 with CHR images.