Problems regarding backup WAN for full NAT hosts

Hello gentlemen,

I want some help with a somewhat different scenario.
My apologies if this is a repost, but I had to post here because I couldn’t see any relevant results in the search engine that might help.

In our company, we have 2 WANs and both from the same ISP but different services:
Fiber optic, PPP authentication, plugged into ether1. Static IP range: 82.xxx.xx.24 - 82.xxx.xx.31. Route metric is set to 1.
ADSL as a backup line, plugged into ether2, also PPP. Single dynamic IP. Route metric is set to 2.
Both WANs route via the same gateway, which is 82.xx.xx.1.

1- The first problem I faced is that when both WANs connect through PPP, and because both WANs have the same gateway address, the last WAN to connect is used.
So if the Fiber connection is connected and then the ADSL follows, the Fiber isn’t usable anymore, I can’t ping its IPs either, and all connections are routed through the ADSL.

I wish there were a solution for the problem above, but it doesn’t really matter because I managed to solve it by using an external ADSL modem router, so it establishes the PPP connection and NATs the given address to the MikroTik’s local address on ether2. This way both WANs connect without any issue and the ADSL is set as a backup, but I noticed that this comes at the price of another issue.

2- The second problem I faced, and am still facing, is that although I have set up full NAT from the ADSL router to the MikroTik address and set it as the DMZ host (I also tried forwarding the whole port range 1 - 65535), I can’t use the ADSL remote address for MikroTik configuration through Winbox. This is necessary for remote debugging in case the main WAN goes out.

3- The third problem, and the most important one that I need to resolve ASAP: some hosts are servers whose IPs are translated to specific IPs on the WAN side. I used source NAT and destination NAT rules in the firewall, but in case the main WAN goes out, they aren’t routed to the backup WAN. Is there a way I can still use the same NAT rules for the servers and also masquerade them through the backup WAN in case the main WAN goes out? There are basically 7 servers. I tried using mark-routing but it didn’t work because it’s only one gateway for several IPs.

Any help will be appreciated and thanks for taking time reading my post.

Anybody?

  1. You need to mark incoming connections from each WAN and send replies back to the same WAN. An example of that can be seen here (mangle rules with action=mark-connection and action=mark-routing).

  2. That’s not going to work, unless you specifically arrange that with your ISP. By default, they will only allow the servers’ public addresses on the main connection (both incoming and outgoing).

In general you need BGP to really do what you want to do. If both connections are to the same provider, it would greatly simplify it. If they are not, you need at the least a public ASN. You can do BGP with 2 providers using provider-aggregated space, but you need explicit permission from the ISP to which your allocation belongs. The other downside is you need at least a /24 of public IPv4 space for it to work with disparate providers. Doing this you can then use typical BGP techniques like AS path prepending to handle path preference inbound to you.

If that is not possible, well, then you’re a bit borked. An approach called BCP38, http://www.bcp38.info/index.php/Main_Page, stops you from typically being able to source traffic out to an ISP from a range they wouldn’t be expecting.

An alternative approach is to use load balancing. Even simple DNS A records that are then NAT’d from each provider’s IP ranges to the server would work. You of course would need to mark them with mangle in prerouting.
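To make the BCP38 point concrete, here is what an ISP-side ingress filter on the customer-facing port looks like when written as RouterOS rules. This is an added illustration, not configuration from this thread or from MikroTik; the interface name ether5, the address list name and the 203.0.113.77 customer address are assumed/constructed values. The second half shows the same idea done with unicast reverse-path filtering instead of an explicit list.

```routeros
# Added example (not from the thread): BCP38 ingress filtering as an ISP would apply it
# on the port that faces one ADSL customer. Assumed: ether5 is that port and the customer
# was assigned only 203.0.113.77 (constructed documentation address).
/ip firewall address-list
add list=adsl_customer address=203.0.113.77/32 comment="addresses this customer may source traffic from"

/ip firewall filter
# Anything arriving on the customer port with another source address (for instance the
# fiber range 82.xxx.xx.24/29 from the post) is dropped and logged; this is exactly why
# sourcing the fiber addresses out of the ADSL link does not work at the ISP.
add chain=forward in-interface=ether5 src-address-list=!adsl_customer action=drop \
    log=yes log-prefix="bcp38-drop"

# Same effect without maintaining a list: strict unicast RPF only accepts a packet if the
# route back to its source address points out the interface it arrived on.
/ip settings set rp-filter=strict
```

The log prefix makes the drops easy to spot in `/log print` while verifying the filter; with rp-filter=strict the explicit address list is redundant on a single-homed customer port, but it is useful where the return route is ambiguous.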

Thanks for your replies..

I’m not quite familiar with BCP38. Could you elaborate more, please?

I don’t require the servers to still get destination NAT through the backup WAN. I don’t care about incoming connections through the ADSL (backup WAN); I just want them to stay online and still be able to download/upload/access the internet, just until the main WAN is back. I can do this by placing the masquerade rule above all source NAT rules, and then lowering its priority back again when the line is back. I know I can keep the masquerade at 1st priority and the router decides which gateway to use with no problem, but the router’s IP is used by hundreds of hosts and some sites think the IP is sending anonymous requests, so I’m assigning source NAT for each server to avoid any problem and keep the router’s WAN IP as a public IP for all other employees/guests.

Is there a schedule I can create that is triggered after a specific event (PPPoE disconnects) and does a specific task, like enabling/disabling a firewall NAT rule? I think if there’s something like that, everything will be ok.

Thanks a lot for your help

Read the link I sent. It basically explains Sob’s answer to #3. IP works by routing based on destination. It couldn’t care less what the source IP is. This commonly manifests itself as DDoS attacks. You create a packet with a source address for a machine you want to drown in traffic and target a service that will send a reply to the source IP in the packet. The most common service abused by this is DNS.

Every once in a while a Network Admin wants to use the ignoring of source addressing to allow them to source traffic from an IP range of one ISP out another ISP in a fail-over situation.

While this would, or at least could, work, most ISPs now drop this traffic, and for good reason. They apply an inbound ACL and only allow traffic to be sourced from the IP address or addresses they’d expect to come in on that interface. This prevents these reflection-style DDoS attacks. The potential for becoming a target, or at least a spoofed attacker, is enough motivation for an ISP to implement it, and I’d expect nothing less.

In your case, if this is the same ISP, they should be able to help you perform dual-link redundancy better, particularly by providing you, say, a unique /30 for each physical connection and routing your larger prefix using, say, OSPF between you and them. This would make redundancy work seamlessly and super smooth.

Alternatively, implement routing marks. The mangle takes effect before NAT and will mark the packet for the correct connection. You can use this routing-mark in your NAT statements for your 1:1 static NATs. This will allow them to fall through (not match) until the generic SRC NAT MASQUERADE for the second ISP.
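As an added example of the routing-mark approach in this reply and in Sob’s point 1 (connection marks so replies leave by the WAN they arrived on, and 1:1 NAT rules that stop matching when the fiber is gone so the servers fall through to the masquerade), here is a RouterOS configuration. It is not from the thread or from MikroTik; the interface names pppoe-out1 (fiber PPP), ether2 (link to the ADSL modem) and ether3 (LAN), the modem address 192.168.2.1, the LAN 192.168.88.0/24, the server 192.168.88.10 and the mark names are all assumed, and the public address keeps the masked octets from the original post as a placeholder.

```routeros
# Added example (not the poster's or MikroTik's configuration).
# Assumed: pppoe-out1 = fiber PPP, ether2 = port to the ADSL modem (gateway 192.168.2.1),
# ether3 = LAN, 192.168.88.10 = one server, 82.xxx.xx.25 = its public address (masked as in the post).

/ip route
# Normal selection: fiber at distance 1, ADSL at distance 2. The pppoe-out1 route goes
# inactive by itself when the PPP session drops, so traffic moves to the modem route.
add dst-address=0.0.0.0/0 gateway=pppoe-out1 distance=1 comment="fiber, main"
add dst-address=0.0.0.0/0 gateway=192.168.2.1 distance=2 comment="ADSL modem, backup"
# Reply paths chosen by routing mark, independent of the distances above.
add dst-address=0.0.0.0/0 gateway=pppoe-out1 routing-mark=to_fiber comment="replies for fiber connections"
add dst-address=0.0.0.0/0 gateway=192.168.2.1 routing-mark=to_adsl comment="replies for ADSL connections"

/ip firewall mangle
# Remember which WAN a new inbound connection arrived on: 'input' covers connections to the
# router itself (Winbox over the ADSL address), 'forward' covers connections to LAN hosts.
add chain=input in-interface=pppoe-out1 connection-state=new action=mark-connection new-connection-mark=fiber_conn
add chain=input in-interface=ether2 connection-state=new action=mark-connection new-connection-mark=adsl_conn
add chain=forward in-interface=pppoe-out1 connection-state=new action=mark-connection new-connection-mark=fiber_conn
add chain=forward in-interface=ether2 connection-state=new action=mark-connection new-connection-mark=adsl_conn
# Router-originated replies: pick the route by the connection's mark.
add chain=output connection-mark=fiber_conn action=mark-routing new-routing-mark=to_fiber
add chain=output connection-mark=adsl_conn action=mark-routing new-routing-mark=to_adsl
# LAN-host replies: same thing in prerouting, so a dst-nat'd server answers out the right WAN.
add chain=prerouting in-interface=ether3 connection-mark=fiber_conn action=mark-routing new-routing-mark=to_fiber
add chain=prerouting in-interface=ether3 connection-mark=adsl_conn action=mark-routing new-routing-mark=to_adsl

/ip firewall nat
# 1:1 NAT for the server, tied to the fiber interface. While the fiber is up this matches
# and the server keeps its dedicated public address; when the fiber route is gone the
# packet leaves via ether2, this rule does not match, and the masquerade below takes over.
add chain=srcnat src-address=192.168.88.10 out-interface=pppoe-out1 action=src-nat to-addresses=82.xxx.xx.25
add chain=dstnat dst-address=82.xxx.xx.25 in-interface=pppoe-out1 action=dst-nat to-addresses=192.168.88.10
# Generic masquerade per WAN for everyone else, and for the servers during a fiber outage.
add chain=srcnat out-interface=pppoe-out1 action=masquerade
add chain=srcnat out-interface=ether2 action=masquerade
```

Rule order matters in the srcnat chain: the per-server src-nat rules must sit above the two masquerade rules so they win while the fiber is up. Because the server rule matches on out-interface rather than on a position that has to be reshuffled, nothing needs to be enabled or disabled when the PPPoE session drops or comes back; the same rule set covers both states. The routing-mark matcher on the NAT rules (as suggested in the reply) works the same way and can replace the in-interface match where that reads more clearly.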