Hi All,
I’ve just set up two CRS125s (r1 and r2) with the intent of having:
- Each has its own ADSL uplink to separate providers (PPPoE with NAT).
- Traffic on each going via their respective ADSL connection by default.
- If the ADSL connection fails on r1, route Internet via r2 and vice-versa (I’ve done this with a script that monitors the connections with a bit more sophistication than the check gateway option).
- VRRP configured to fail over the L3 gateway if a CRS should fail.
- Destination NAT to a number of machines on the inside LAN (SSH, FTP, HTTPS).
All of this works with one annoyance on the last item.
Assuming the host running SSH has a gateway (VRRP master) on r1, I can’t use DNAT via r2’s ADSL connection to connect to the host. The reason for this is that the return traffic comes back via r1 and attempts to go through its ADSL connection (asynchronous routing with NAT). This doesn’t work for obvious reasons.
I understand that under ideal circumstances, the two devices would synchronise NAT sessions and forward packets via the right interface (i.e. forward the traffic back to r2 to be NATed out of its ADSL connection), however MikroTik doesn’t have anything like pfSync - that’s fine.
I was wondering if it’s perhaps somehow possible to achieve this with some creative connection or packet marking?
One idea I had (which failed) was to:
- Mark all inbound connections from the PPPoE interface of each router with “net_local”.
- All “NEW” connections initiated from the LAN are marked “net_local”.
- Everything else that doesn’t have an existing connection marking is assumed to be an asynchronous return packet and needs to be forwarded to r2.
Is this a viable approach? Is there any other trickery I can use with MikroTik to achieve the level of active/active HA I’m trying to do?
Many thanks!
Jonathan
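The three marking rules described in the post, written out as RouterOS configuration for r1 so the return-path problem can be reasoned about rule by rule. This is an added example, not configuration from the original post or from MikroTik; the interface names (pppoe-out1 for r1's ADSL uplink, bridge-lan for the LAN side), the transit address 10.255.0.2 for r2 on a dedicated r1-to-r2 link that bypasses VRRP, and the RouterOS v6 routing-mark syntax are all assumptions.

```routeros
# r1 -- added example, not the poster's configuration.
# Assumed names: pppoe-out1 (r1's ADSL uplink), bridge-lan (LAN side),
# 10.255.0.2 (r2 on a dedicated r1<->r2 transit link that bypasses VRRP).

/ip firewall mangle
# 1) Connections arriving via r1's own uplink (DNAT'd ones included) are
#    tracked here, so their replies can leave via pppoe-out1 as normal.
add chain=prerouting in-interface=pppoe-out1 connection-state=new \
    action=mark-connection new-connection-mark=net_local passthrough=yes \
    comment="inbound via own uplink"

# 2) Connections the LAN initiates are local to r1. Restricted to a bare
#    SYN: conntrack picks up established TCP flows mid-stream and reports
#    them as "new", so a plain connection-state=new rule would also catch
#    the LAN host's replies to flows that came in via r2.
add chain=prerouting in-interface=bridge-lan protocol=tcp \
    tcp-flags=syn,!ack connection-state=new \
    action=mark-connection new-connection-mark=net_local passthrough=yes \
    comment="LAN-initiated TCP"

# 3a) The very first reply (SYN-ACK) of a flow r1 never saw the SYN of has
#     no conntrack entry and shows up as "invalid": hand it to r2.
add chain=prerouting in-interface=bridge-lan protocol=tcp \
    connection-state=invalid dst-address-type=!local \
    action=mark-routing new-routing-mark=to_r2 passthrough=no \
    comment="untracked reply -> hand to r2"

# 3b) Later packets of such a flow get picked up mid-stream but carry no
#     connection mark (rule 2 did not match them): hand them to r2 too.
add chain=prerouting in-interface=bridge-lan connection-mark=no-mark \
    dst-address-type=!local \
    action=mark-routing new-routing-mark=to_r2 passthrough=no \
    comment="unmarked LAN traffic -> hand to r2"

/ip firewall filter
# A baseline "drop invalid" in forward would eat the SYN-ACK from 3a
# before it reaches r2, so let routing-marked packets through first.
add chain=forward routing-mark=to_r2 out-interface=ether24-transit \
    action=accept comment="allow hand-off to r2"
add chain=forward connection-state=invalid action=drop

/ip route
# Policy route for to_r2: default over the transit link to r2. r2 already
# holds the DNAT conntrack entry, so it un-NATs and sends out its own ADSL.
add dst-address=0.0.0.0/0 gateway=10.255.0.2 routing-mark=to_r2 \
    comment="return path for flows that entered via r2"

/ip firewall nat
# Masquerade only what leaves via r1's uplink; packets handed to r2 must
# keep the LAN host's source address or r2's conntrack will not match them.
add chain=srcnat out-interface=pppoe-out1 action=masquerade
```

The mirror configuration goes on r2 with the roles swapped. Rule 2 is deliberately TCP-only because the DNAT'd services listed (SSH, FTP, HTTPS) are TCP; a UDP reply cannot be told apart from a UDP flow the LAN started, so for UDP the "no mark means hand it over" logic is not safe. dst-address-type=!local only excludes r1's own addresses; any other directly connected subnets should be excluded from rules 3a/3b as well, otherwise their traffic is pushed across the transit link. On RouterOS v7 the routing-mark keyword on the route becomes routing-table and the table must first be created with /routing table add name=to_r2 fib.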