Problem with failover routing without scripting

Hi to all,

I cannot get failover routing with recursive next-hop resolution working on a 751U-2HnD, although I have spent several hours trying to find out what I’m doing wrong…

I am trying the “Advanced routing failover without scripting” configuration, but without the routing marks, as follows:

/ip route
add dst-address=8.8.4.4 gateway=192.168.0.254 scope=10
add dst-address=8.8.8.8 gateway=192.168.1.1 scope=10
add distance=1 gateway=8.8.4.4 check-gateway=ping
add distance=2 gateway=8.8.8.8 check-gateway=ping

I have two gateways:

adsl router 1: 192.168.0.254 (my LAN 192.168.0.0/24, connecting using my mikrotik’s eth port 5)
and
adsl router 2: 192.168.1.1 (neighbour’s net 192.168.1.0/24, connecting using my mikrotik’s wifi iface)

The iface setup on my router:

[admin@MikroTik] > ip address print
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK         INTERFACE
 0   192.168.0.251/24   192.168.0.0     ether5-slave-local
 1   192.168.1.251/24   192.168.1.0     wlan1

My PC is at 192.168.0.4

The routing table:

[admin@MikroTik] /ip route> print detail 
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit 
 0 A S  dst-address=0.0.0.0/0 gateway=8.8.4.4 gateway-status=8.8.4.4 recursive via 192.168.0.254 ether2-master-local check-gateway=ping distance=1 scope=30 target-scope=10 

 1   S  dst-address=0.0.0.0/0 gateway=8.8.8.8 gateway-status=8.8.8.8 recursive via 192.168.1.1 wlan1 check-gateway=ping distance=2 scope=30 target-scope=10 

 2 A S  dst-address=8.8.4.4/32 gateway=192.168.0.254 gateway-status=192.168.0.254 reachable via  ether2-master-local distance=1 scope=10 target-scope=10 

 3 A S  dst-address=8.8.8.8/32 gateway=192.168.1.1 gateway-status=192.168.1.1 reachable via  wlan1 distance=1 scope=10 target-scope=10 

 4 ADC  dst-address=192.168.0.0/24 pref-src=192.168.0.251 gateway=ether2-master-local gateway-status=ether2-master-local reachable distance=0 scope=10 

 5 ADC  dst-address=192.168.1.0/24 pref-src=192.168.1.251 gateway=wlan1 gateway-status=wlan1 reachable distance=0 scope=10

Masquerading rule only for wifi iface:

[admin@MikroTik] > ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat action=masquerade to-addresses=192.168.1.251 out-interface=wlan1

What happens is that I am able to access the internet from 192.168.0.4 (my PC) when 192.168.0.254 (local adsl router) is connected to the internet (and 8.8.4.4 is reachable). When I disconnect 192.168.0.254 (adsl router / bring down its PPPoE connection), I can see the failover route becoming active with ‘A’, but 192.168.0.4 (my PC) is not able to connect to the internet through 192.168.1.1 (neighbour’s adsl router). However, if I set 192.168.1.1 as the only gateway on the mikrotik, 192.168.0.4 is able to connect to the internet without problem (which means that the masquerading and the routing to 192.168.1.1 over my wifi iface work). Also, if the 8.8.8.8 route (gw 192.168.1.1) is set with distance 1 and the 8.8.4.4 route (gw 192.168.0.254) is set with distance 2 (swapped distance values), then I can connect through 192.168.1.1, but when it fails I cannot connect through 192.168.0.254, although the 8.8.4.4 route has become active.

I have no problem with route activation. When 8.8.4.4 is not accessible, route 1 becomes active. I am even able to ping addresses and ssh to hosts, but not able to browse the web (seems like some connection-oriented problem).

Clearly I am missing something here or there is a bug?
RouterOS: 5.25
firmware 3.07
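As an added illustration (not code from the original thread), a small Python model of the recursive next-hop resolution and check-gateway failover that the routing table above relies on; Route, _lookup, resolve and active_default are constructed helpers, and the reachable set stands in for the check-gateway=ping results:

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Route:
    dst: str                     # destination prefix
    gateway: str                 # next-hop IP, or an interface name for connected routes
    distance: int = 1
    scope: int = 30
    target_scope: int = 10
    check_gateway: bool = False  # models check-gateway=ping

def _lookup(routes, addr, max_scope, skip):
    """Longest-prefix match, then lowest distance, over routes with scope <= max_scope."""
    cands = [r for r in routes if r is not skip and r.scope <= max_scope
             and ipaddress.ip_address(addr) in ipaddress.ip_network(r.dst)]
    return max(cands, key=lambda r: (ipaddress.ip_network(r.dst).prefixlen, -r.distance)) if cands else None

def resolve(route, routes, reachable, depth=0):
    """Return (nexthop_ip, egress_interface) if the route is active, else None.
    IP gateways are resolved recursively among routes with scope <= this route's target-scope."""
    if depth > 8 or (route.check_gateway and route.gateway not in reachable):
        return None                          # recursion loop guard / ping check failed
    try:
        ipaddress.ip_address(route.gateway)
    except ValueError:
        return None, route.gateway           # connected route: the gateway is the link itself
    via = _lookup(routes, route.gateway, route.target_scope, route)
    nested = resolve(via, routes, reachable, depth + 1) if via else None
    if nested is None:
        return None                          # nothing usable below us: route stays inactive
    return (nested[0] or route.gateway), nested[1]   # first real IP hop on the chain

def active_default(routes, reachable):
    """Lowest-distance 0.0.0.0/0 route that resolves, as (gateway, (nexthop, iface))."""
    for r in sorted((r for r in routes if r.dst == "0.0.0.0/0"), key=lambda r: r.distance):
        res = resolve(r, routes, reachable)
        if res:
            return r.gateway, res
    return None

TABLE = [  # constructed from the 'print detail' output in the post above
    Route("0.0.0.0/0", "8.8.4.4", distance=1, check_gateway=True),
    Route("0.0.0.0/0", "8.8.8.8", distance=2, check_gateway=True),
    Route("8.8.4.4/32", "192.168.0.254", scope=10),
    Route("8.8.8.8/32", "192.168.1.1", scope=10),
    Route("192.168.0.0/24", "ether2-master-local", distance=0, scope=10),
    Route("192.168.1.0/24", "wlan1", distance=0, scope=10),
]
```

With 8.8.4.4 unreachable the model picks the distance-2 route via 192.168.1.1 on wlan1, matching the ‘A’ flag moving to route 1 above; it models only the route table, not the L2 topology discussed later in the thread.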

The load balancing configuration looks ok. Can you post the gateway of your PC? I think the problem is in how the PC connects, and the router itself connects, to the two adsl routers. Normally, you should have two masquerade rules, each for every adsl router, and the network of the PC should be different from that of the interfaces connected to the adsl routers. Is the bridge interface from the default configuration still active? If yes, is ether5 still part of that bridge interface?

Can you post the gateway of your PC?


route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.0.251   0.0.0.0         UG    0      0        0 eth0
192.168.0.0     0.0.0.0         255.255.255.0   U     1      0        0 eth0



Is the bridge interface from the default configuration still active? If yes, is ether5 still part of that bridge interface?

I have removed all interfaces from the default configuration’s bridge. ether5-slave-local interface (which connects the mikrotik to my home net 192.168.0.0/24) had the “Master port” set to “ether2-master-local”, which I changed to null, but this didn’t make it work.

I think the problem is in how the PC connects, and the router itself connects, to the two adsl routers. Normally, you should have two masquerade rules, each for every adsl router, and the network of the PC should be different from that of the interfaces connected to the adsl routers.

My home adsl router (Siemens) has IP 192.168.0.254 and masquerades everything going out of its adsl iface.
The Mikrotik router has an eth iface 192.168.0.251 and a wifi iface on the neighbour’s network, 192.168.1.251.
My PC is at 192.168.0.4 with the Mikrotik iface 192.168.0.251 as its gateway.
When my ADSL is up, the mikrotik routes all traffic through 192.168.0.254 (no masquerading is necessary for my PC since it belongs to the same subnet, right?). This works so far. All services work (icmp, dns, ssh, http etc.).
When my ADSL is down, the failover route, which makes 192.168.1.1 the default gateway for the mikrotik, is activated (all traffic coming out of the mikrotik’s wifi iface is masqueraded to 192.168.1.251). My PC can also ping outside, resolve DNS and even ssh, but it can’t browse the web (chrome, wget etc.). Traceroute from the PC to an internet IP also works. This is driving me crazy: why do ping, dns, ssh and traceroute work and not http???

I think here is the problem. Your PC is connected on ether2, right? Or on any of the switch ports on your routerboard. Since they are on the same switch, the connections from your PC are considered to be from the router itself, rather than from a network, and are routed through the connected routes. That’s why it didn’t work when you detached ether5 from the switch group (master port=none). In other words, it is as if your router is acting like a switch and the PC is routed directly by your adsl router, bypassing the routerboard.
In my opinion, what you should do is:

/ip address
# link towards adsl router 1 (192.168.0.254)
add address=192.168.0.251/24 interface=ether5
# link towards adsl router 2 (192.168.1.1) over wifi
add address=192.168.1.254/24 interface=wlan1
# separate LAN subnet for the PC, so its traffic is routed rather than switched
add address=192.168.2.254/24 interface=ether2
/ip firewall nat
# one masquerade rule per uplink
add chain=srcnat action=masquerade out-interface=ether5
add chain=srcnat action=masquerade out-interface=wlan1

I would also consider configuring the adsl router as a bridge, so that you would have only one NAT.

Since they are on the same switch, the connections from your PC are considered to be from the router itself, rather from a network, and are routed through the connected routes. … In other words, it is as if your router is acting like a switch and PC is routed directly by your adsl router, bypassing the routerboard.

You are so right!

I corrected the topology and now it works perfectly.

Thanks a lot for your help, I really appreciate it.

Glad to hear it worked and was of help.