Router dropping invalid connections when using failover gateway - "connection-state=invalid action=drop"

Hi,

One of the users I support has added an additional internet connection for failover. This internet connection does not connect directly to the Mikrotik, but is another gateway on the LAN with a lower priority route on the Mikrotik (scripts adjust routes accordingly).

When in a failover state and traffic is routing via the secondary gateway, TCP connections fail due to this rule -

I believe this is occurring because the Mikrotik router doesn't see the SYN-ACK packet, so doesn't believe the connection is valid. Packet flow below -

Is there any way I can prevent these packets from being dropped, without compromising security?

Thanks

What and where are you NATing?
The SYN-ACK also needs to go through the Mikrotik.

NAT is being applied on the WAN interface of the Huawei router. For this packet flow, no NAT is applied by the Mikrotik

Thanks

Maybe you can try to reject first. The sender should realise that his connection is not established anymore and initiate a new connection instead. Ask your customer to close his invalid connections when he changes the routing. Definitely it is his fault and your drop is appropriate action anyway. He cannot complain about this.

Hi Jarda,

It is me changing the routing. The 'user' is just a PC on the LAN. However, the user's device is not aware of the second gateway; traffic should continue to route to the Mikrotik, which should forward it to the Huawei modem.

Also, this is not an existing connection, this is a new connection after failover.

Thanks

Any other suggestions on this one? I could NAT the traffic behind the Mikrotik, however I don't know how to set the rule, as I can't specify dst-macaddress, only src-macaddress.

I am unsure how to mark traffic going to the second gateway.

Thanks,
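Added example (not from any poster in this thread): one way to do what the last two posts ask about, in RouterOS v6 CLI syntax. The idea is to keep the `connection-state=invalid action=drop` rule as it is and instead make the Huawei's reply traffic come back through the Mikrotik, by source-NATing LAN traffic that leaves via the LAN-side gateway, and to mark that traffic with a routing mark so it can be matched and routed explicitly. Interface name `bridge-lan`, LAN subnet `192.168.1.0/24`, Mikrotik LAN address `192.168.1.1` and Huawei LAN address `192.168.1.2` are all assumed placeholders; substitute the real values. RouterOS v7 uses routing tables instead of bare routing marks, so the route syntax differs there.

```routeros
# --- Assumptions (placeholders, not from the thread) ---
#   bridge-lan      = Mikrotik LAN interface
#   192.168.1.0/24  = LAN subnet
#   192.168.1.1     = Mikrotik LAN address
#   192.168.1.2     = Huawei router LAN address (secondary gateway)

# 1. Mark LAN-originated traffic that is NOT destined for the LAN itself.
#    Marking lets the rest of the config match "traffic that will go to
#    the second gateway" without needing a dst-mac-address matcher.
/ip firewall mangle
add chain=prerouting in-interface=bridge-lan src-address=192.168.1.0/24 \
    dst-address=!192.168.1.0/24 action=mark-routing \
    new-routing-mark=via-huawei passthrough=no \
    comment="failover: mark LAN->internet traffic for the Huawei gateway"

# 2. Default route for the marked traffic via the Huawei (LAN-side gateway).
#    The unmarked main-table default route (primary WAN) is left untouched;
#    the existing failover scripts can enable/disable this route instead of
#    rewriting the main default route.
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.1.2 routing-mark=via-huawei \
    check-gateway=ping distance=1 disabled=yes \
    comment="failover: enabled by script when primary WAN is down"

# 3. Source-NAT traffic that leaves the Mikrotik through bridge-lan.
#    Hairpin case: the packet arrives on bridge-lan and leaves on bridge-lan
#    towards 192.168.1.2. After masquerade its source is 192.168.1.1, so the
#    Huawei's SYN-ACK (and everything else) returns to the Mikrotik, where
#    connection tracking now sees both directions and the connection is no
#    longer "invalid". Traffic that takes the primary WAN is not matched
#    because its out-interface is not bridge-lan.
/ip firewall nat
add chain=srcnat out-interface=bridge-lan src-address=192.168.1.0/24 \
    dst-address=!192.168.1.0/24 action=masquerade \
    comment="failover: hide LAN behind Mikrotik when forwarding to Huawei"

# 4. Because the Mikrotik forwards out the same interface the packet came in
#    on, it would normally send ICMP redirects telling the PC to talk to
#    192.168.1.2 directly, which would bypass the Mikrotik and its firewall.
#    Disable them so all traffic keeps flowing through the filter rules.
/ip settings
set send-redirects=no

# 5. Filter chain is unchanged: the invalid-drop rule stays in place.
#    (Shown only for context; it should already exist in the user's config.)
/ip firewall filter
print where connection-state=invalid
```

Check the result with `/ip firewall connection print where dst-address~"192.168.1.2"` while in the failover state: entries for the hairpinned flows should appear as `established` rather than being absent, and `/ip firewall filter print stats` should show the invalid-drop counter no longer climbing for new TCP connections. The masquerade rule in step 3 is the part that actually fixes the symptom; step 1 and 2 are optional and only answer the "how do I mark traffic going to the second gateway" question, so the existing route-swapping scripts can be kept instead if preferred.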