Another query here that needs your expertise. May I ask for your analysis and suggestions, please, on how to fix (if there is something wrong) or improve the recursive routing configuration below? This sample config was made by someone else and I want to understand how it works. I don't understand why there is no target scope set on the default routes. And what are those virtual routes for? Also, with the policy-based routing included, would the traffic under routing-marks “to-gw2” or “to-gw3” automatically be rerouted to another ISP should the corresponding assigned ISP go down?
Note: ISP1 and ISP2 have public static IP addresses, hence I replaced them with xxx.xxx for security purposes.
The most logical thing you need to do is write in the topic where you found those rules,
or ask whoever wrote it.
There are already dozens of examples present on the forum, and some are well explained.
Thank you for the response. This existing routing config in a running (production) MT was done by someone who is no longer reachable right now; hence, the non-techie owner of the network has asked me for help to check whether the said config is correct or needs improvement.
I would appreciate it if you could point me to specific links with almost the same scenario (3 ISPs and 3 routing-marks, one assigned to each WAN) using PBR and recursive routing failover.
Thanks.
After reading your routing guide, I was able to come up with this trial config. I would appreciate it very much if you could help me check for possible errors before I implement this on the production MT and change its current routing configuration.
By the way, the expectation is that all three routing-marked traffic groups should maintain their internet access even if their default assigned ISP/WAN is down.
For example:
TRAFFIC#1: “to-gw1 traffic to ISP1”, or “to ISP2 if ISP1 is down”, or “to ISP3 if both ISP1 & ISP2 are down”.
TRAFFIC#2: “to-gw2 traffic to ISP2”, or “to ISP1 if ISP2 is down”, or “to ISP3 if both ISP1 & ISP2 are down”.
TRAFFIC#3: “to-gw3 traffic to ISP3”, or “to ISP1 if ISP3 is down”, or “to ISP2 if both ISP3 & ISP1 are down”.
Thank you.
+++TRIPLE WAN FAILOVER THREE RECURSIVE ROUTES (NESTED) WITH PBR+++
Thank you Sir Anav.
Aside from your guide/tutorial, I also read Chupaka's thread and other similar threads regarding recursive failover routing.
Most of the examples are dual WAN only; hence, I need to be sure that what I am doing for a triple WAN recursive failover is correct.
Unfortunately, I don't have bench MT units to experiment with right now.
In addition to my questions above, I noticed in your sample config that the target-scope of the secondary ISP (back-up) is 30. May I know the rational explanation of why it should be target-scope=30 and not 20 or 17 or 15 or lower? In a triple WAN recursive failover scenario, what should be the target scope of the secondary and tertiary routes? In my triple WAN recursive (nested) config above, the scope and target-scope settings are just identical to each other for the three ISP routes. Is my config wrong?
Also, with regard to the distances, I only set the distance (based on priority 1, 2, 3) on the resolving routes and not on the monitoring (recursive) routes. Is my config correct?
What is the difference between simply using distances 1, 2 & 3 for the primary, secondary and tertiary routes respectively and using other, higher numbers for the distance, for example 5, 10, 15 or 1, 10, 20 or 100, 200, 300? Do the numbers really matter? Do they affect the length of time to shift from a broken route to a good route?
Looking forward to your analysis and recommendations.
Thank you and have a good sleep.
Just to confirm: you have three groups of users, each of which should use a different WAN as their primary.
There is no concern for incoming, externally originated traffic; this setup is for outgoing traffic originated on the LANs?
Also, what I don't understand is why you are mangling if all the groups of users involved are whole subnets?
One should be able to avoid mangling and use routing rules etc…
Are all the addresses on the lists above local subnets behind the router? Assuming yes.
Another question: do any of the users need to access other subnets on the router? Since we are directing all users out a specific WAN, we need to know if there are any exceptions when going outside one's own subnet. For example, is there a shared printer or a local server that users will be crossing over subnets to get to?
Yes Sir, users were grouped into three and each group has an assigned primary route/WAN/ISP to access the internet. And yes, the concern is the traffic from the LANs going to the internet.
I am sorry, but I really don't fully understand yet how to use routing rules in lieu of mangle rules. Most of the video tutorials I found on YouTube are using a firewall address list and then mangle rules. I would highly appreciate it if you could teach me how to properly do it (routing rules) to be able to separate each group of users.
Yes, all addresses in the address lists are local subnets behind the router.
No shared printers nor servers; preferably each user should not be able to communicate with each other locally.
You can use any numbers for distance as long as they are separated.
I set up the scope and target scope numbers such that they are also legal for v7 when you switch.
The only difference between v6 and v7 for this particular config would be the need to create 3 tables and,
on the second IP route for each ISPX, use table= vice routing-mark=.
…
This should do it. All standard users will follow the route rules and go out ISP1, all VIP users will go out ISP2 and all other users will go out ISP3.
Case1: If ISP1 goes down, the router will look for the next available route and will find it in the main table, and since ISP2 is lower in distance it will be chosen; if ISP2 is not available it will choose ISP3. If ISP2 comes back online the users will be directed back through ISP2, and if ISP1 comes back online the users will go to their original ISP1.
Case2: If ISP2 goes down, the router will look for the next available route and it will be ISP1, and then ISP3, etc.
Case3: If ISP3 goes down, the router will look for the next available route; it will be ISP1, and then ISP2, etc.
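A minimal RouterOS v6 layout of the scheme described in the three cases above, written here as an added example (it is neither Anav's config nor the production one, and NAT is left out). The ISP next hops (RFC 5737 documentation addresses), the third probe host 1.1.1.1 and the three LAN subnets are assumptions; 9.9.9.9 and 1.0.0.1 are the probe hosts the thread already uses.

```routeros
# Added example, not the thread's or the production config. RouterOS v6 syntax.
# Assumptions (placeholders): ISP next hops 203.0.113.1 / 198.51.100.1 / 192.0.2.1,
# LAN groups 192.168.10.0/24, 192.168.20.0/24, 192.168.30.0/24, ISP3 probe host 1.1.1.1.
/ip route
# Monitoring routes: each probe host is reachable only through its own ISP.
# scope=10 is what lets the default routes below (target-scope=11) resolve through them;
# a recursive gateway only resolves via routes whose scope <= the route's target-scope.
add dst-address=9.9.9.9/32 gateway=203.0.113.1 scope=10 comment="ISP1 probe"
add dst-address=1.0.0.1/32 gateway=198.51.100.1 scope=10 comment="ISP2 probe"
add dst-address=1.1.1.1/32 gateway=192.0.2.1 scope=10 comment="ISP3 probe"
# Main table: recursive defaults. check-gateway pings the route's gateway, i.e. the
# probe host and not the ISP next hop, so the route goes inactive when the ISP loses
# upstream connectivity. Distances give the failover order 1 -> 2 -> 3.
add dst-address=0.0.0.0/0 gateway=9.9.9.9 distance=1 check-gateway=ping target-scope=11 comment="main via ISP1"
add dst-address=0.0.0.0/0 gateway=1.0.0.1 distance=2 check-gateway=ping target-scope=11 comment="main via ISP2"
add dst-address=0.0.0.0/0 gateway=1.1.1.1 distance=3 check-gateway=ping target-scope=11 comment="main via ISP3"
# Per-group tables: a single route each, pinned to that group's primary ISP.
add dst-address=0.0.0.0/0 gateway=9.9.9.9 check-gateway=ping target-scope=11 routing-mark=to-gw1
add dst-address=0.0.0.0/0 gateway=1.0.0.1 check-gateway=ping target-scope=11 routing-mark=to-gw2
add dst-address=0.0.0.0/0 gateway=1.1.1.1 check-gateway=ping target-scope=11 routing-mark=to-gw3
# Route rules replace the mangle marks. action=lookup (not lookup-only-in-table)
# falls through to main when the group's table has no active route, which is what
# produces Case1..Case3 without any scripting.
/ip route rule
add src-address=192.168.10.0/24 table=to-gw1 action=lookup comment="standard users"
add src-address=192.168.20.0/24 table=to-gw2 action=lookup comment="vip users"
add src-address=192.168.30.0/24 table=to-gw3 action=lookup comment="other users"
```

To watch a failover happen, check `/ip route print` for the flags: when a probe stops answering, the main and per-table routes through that probe lose their active flag and traffic from that group follows the main-table distances.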
Thank you very much for pointing me to the right tab Sir. I surely overlooked it.
Now I just need to understand how to properly use the routing rules to replace my mangle rules.
By the way, may I know why Anav and the other experts here prefer to use routing rules instead of mangling? What are the advantages and disadvantages of the two?
jajajaja I'm not an expert, and that is the reason I personally avoid mangling: it's more complex, and since normally one cannot use fasttrack with mangling (sometimes one can work around mangling, but often not), performance will be slower (although probably a home user would never notice). I use it when I don't have another choice. Keep it simple!!
…
Hi Sir, noted on this. I will try to implement this config ASAP once my client (the network owner) has sent an advisory to their subscribers for a scheduled system maintenance. This is to ensure the end users are aware of possible service downtime.
Just a little clarification: I have noticed you only used the same set of external DNS or IP addresses (9.9.9.9 & 1.0.0.1) for all three WAN routes, as well as the bogus IP address (10.10.10.10). What if, in some weird instance, those two DNS IP addresses are not available or down? Is it OK if we use a different set of DNS addresses for each WAN route, like what I did in my trial config posted earlier (2 DNS addresses and 1 bogus address per WAN)? What would be the disadvantage of using different sets of external IP addresses for the recursive routes?