Routes fail-over

Can somebody help me configure routes for fail-over for two providers? Both providers should be active at the same time (balancing).
If one route fails, all the traffic should go through the other one.
Sometimes it happens that both routes are reachable, but there is internet only with one provider, and when you try to go to a webpage it does not load because it is going through the one that doesn’t have internet. What to do in this case?
ty

For the failover to work properly you would need a script. The script will be executed every, say, 10s or 15s
and it will discover if google.com (or any other webpage or server) is reachable or not.

What kind of connection to the ISP do you have? Static IP or PPPoE.
You can post at least your routes configuration and addresses to have a better view.

Hi Caci99,

First provider[SETI] is PPPoE (but I get a static IP) and second Provider[Orange] is a static IP.
This is my actual configuration:

[admin@MikroTik] > ip route export
# jan/13/2011 12:11:18 by RouterOS 4.11
# software id = HT2T-Y3XQ
#
/ip route
add comment="" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=Orange,SETI \
    scope=30 target-scope=10
add comment="" disabled=no distance=1 dst-address=73.88.149.0/24 gateway=SETI \
    scope=30 target-scope=10
add comment="" disabled=no distance=1 dst-address=88.230.11.0/24 gateway=Orange \
    scope=30 target-scope=10
[admin@MikroTik] >

I will post a script which I found in this forum a couple of years ago, a little modified.

Fail Down
# Repeat the ping while it keeps failing; when the counter reaches 5 and the
# main route is still preferred, demote it and send NAT out the backup interface.
:local i 0; {:do {:set i ($i + 1)} while=(($i < 5) && \
    ([/ping 74.125.87.147 size=72 interval=2 count=1]=0))}; \
:if ($i=5 && [/ip route get [find comment="Default Route"] distance]=1) \
    do={:log info "Main Gateway down"; \
    /ip route set [find comment="Default Route"] distance=3; \
    /ip firewall nat set [find comment="Default Masquerade"] out-interface=ether2}

Fail Up
# Repeat the ping while it keeps succeeding; when the counter reaches 5 and the
# main route is demoted, restore it and send NAT out the main interface again.
:local i 0; {:do {:set i ($i + 1)} while=(($i < 5) && \
    ([/ping 74.125.87.147 size=72 interval=2 count=1]=1))}; \
:if ($i=5 && [/ip route get [find comment="Default Route"] distance]=3) \
    do={:log info "Main Gateway up"; \
    /ip route set [find comment="Default Route"] distance=1; \
    /ip firewall nat set [find comment="Default Masquerade"] out-interface=ether12}

You should add comment="Default Route" to the route you want to back up (the one that fails)
and add comment="Default Masquerade" to the masquerade rule in ip firewall nat if you are using
masquerade with out-interface specified. Both these comments are used in the script.
Then you need to mark the ping used in the script. As you can see, the ping packet size is 72, so it
does not get confused with any other ping that may be used in the router. Add the following rule in firewall mangle:

ip firewall mangle
add chain=output protocol=icmp packet-size=72 action=mark-routing new-routing-mark=fail_ping

Now in the ip route you should add the following

ip route
add dst-address=0.0.0.0/0 gateway=(the backup gateway) distance=2
add dst-address=0.0.0.0/0 gateway=(the monitoring gateway) routing-mark=fail_ping

In the script you see that we are pinging address 74.125.87.147. This is the address resolved for http://www.google.com in a router.
You can substitute that with another one, say 8.8.8.8 which is the dns server of google, assuming this server never goes down.

At the end, you add in the scheduler the scripts to be executed every 10s or 15s, it’s up to you.
Hope this can help.
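
Why the probe has to be pinned to the monitored gateway, shown as an added Python model (not code from this thread and not RouterOS itself): it replays the Fail Down / Fail Up counting loop over a constructed outage, once with the fail_ping mark and route in place and once without. The Router class, the link names and the timeline are assumptions made for the illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Router:
    pin_probe: bool                 # True: mangle rule + fail_ping route are configured
    distance: int = 1               # distance of the route commented "Default Route"
    log: list = field(default_factory=list)

    def ping(self, link_up):
        # Pinned probes always leave via the monitored (primary) gateway;
        # unpinned probes follow whichever default route is currently best.
        via = "primary" if self.pin_probe or self.distance == 1 else "backup"
        return link_up[via]

    def count(self, link_up, want):
        # Mirrors the scripts' loop: do { i++ } while (i < 5 && ping == want)
        i = 0
        while True:
            i += 1
            if not (i < 5 and self.ping(link_up) == want):
                return i

    def tick(self, t, link_up):
        # One scheduler run: "Fail Down" first, then "Fail Up".
        if self.count(link_up, want=False) == 5 and self.distance == 1:
            self.distance = 3
            self.log.append((t, "Main Gateway down"))
        if self.count(link_up, want=True) == 5 and self.distance == 3:
            self.distance = 1
            self.log.append((t, "Main Gateway up"))

def simulate(pin_probe):
    # Constructed timeline: primary uplink is dead during ticks 2..6, backup is always up.
    router = Router(pin_probe)
    for t in range(10):
        router.tick(t, {"primary": not 2 <= t <= 6, "backup": True})
    return router.log

if __name__ == "__main__":
    for pinned in (True, False):
        print("pinned" if pinned else "unpinned", simulate(pinned))
```

With the probe pinned, the log holds one switch down at tick 2 and one switch up at tick 7. Unpinned, the probe follows the backup route after the switch, succeeds, and the route flaps on every run for as long as the primary is down.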

You see, both routes are MAIN/Primary. Thank you very much for your script, but I would like to use routing firewall without scripting, and today I’ve found this article: http://wiki.mikrotik.com/wiki/Advanced_Routing_Failover_without_Scripting

Here is my config now:

add comment="" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=Orange,SETI \
    scope=30 target-scope=10
add comment="" disabled=no distance=1 dst-address=73.88.149.0/24 gateway=SETI \
    scope=30 target-scope=10
add comment="" disabled=no distance=1 dst-address=88.230.11.0/24 gateway=Orange \
    scope=30 target-scope=10

Here is the config from the wiki:

Here everything is clear, just changed with my addresses:

/ip route
add dst-address=73.88.149.0/24 gateway=SETI scope=10
add dst-address=88.230.11.0/24 gateway=Orange scope=10

Clear… except “routing-mark=ISP1”: in place of ISP1 could be any word, yes? Not so important?

/ip route
add distance=1 gateway=SETI routing-mark=ISP1 check-gateway=ping
add distance=2 gateway=Orange routing-mark=ISP1 check-gateway=ping

Same thing…

/ip route
add distance=1 gateway=Orange routing-mark=ISP2 check-gateway=ping
add distance=2 gateway=SETI routing-mark=ISP2 check-gateway=ping

Here, I kind of don’t understand what should be instead of Host1A, Host2B…?

/ip route
add dst-address=Host1A gateway=SETI scope=10
add dst-address=Host1B gateway=SETI scope=10
add dst-address=Host2A gateway=Orange scope=10
add dst-address=Host2B gateway=Orange scope=10

Same here what should be instead of Host1A,Host2…and what should I put instead of 10.1.1.1…? Confused.

/ip route
add dst-address=10.1.1.1 gateway=Host1A scope=10 target-scope=10 check-gateway=ping
add dst-address=10.1.1.1 gateway=Host1B scope=10 target-scope=10 check-gateway=ping
add dst-address=10.2.2.2 gateway=Host2A scope=10 target-scope=10 check-gateway=ping
add dst-address=10.2.2.2 gateway=Host2B scope=10 target-scope=10 check-gateway=ping

Same thing here…

/ip route
add distance=1 gateway=10.1.1.1 routing-mark=ISP1
add distance=2 gateway=10.2.2.2 routing-mark=ISP1
add distance=1 gateway=10.2.2.2 routing-mark=ISP2
add distance=2 gateway=10.1.1.1 routing-mark=ISP2

Here, I think it should be like this:

/ip route
add dst-address=73.88.149.0/24 type=blackhole distance=20
add dst-address=88.230.11.0/24 type=blackhole distance=20

Any help would be most welcome.

The article you point out at first sight describes a better way for failover than the one I recommended.
But I haven’t tested it, and do not have a way to test it now.

I can attempt to clarify some of your questions.
The IPs of Host1 and Host2 are not your IPs, but rather those of http://www.google.com or http://www.yahoo.com,
so they should be something like 74.125.87.99 and 69.147.125.65.

Host1A and Host1B are again some external servers (google, yahoo, facebook, etc.) and are used to determine
if the link is up even when google is down but yahoo is up. It is just a better check of the link, using two hosts to determine
its status. So it is up to you to decide if you want to use it or not.

The routing marks are created in mangle. They are generally used to load balance the traffic of your LAN with your ISP connections, like
in PCC configuration http://wiki.mikrotik.com/wiki/PCC. In your configuration you are using ECMP for load balancing,
so I don’t think you do have routing-marks created.

Thank you for explaining.
But can I use those codes without routing marks? Because, as you said, I’m using ECMP. Can I exclude something, will it work?

First, it is a matter of choice whether you will use ECMP or PCC configuration for loadbalancing.
PCC was introduced to fix some problems with ECMP. ECMP has some problems with connections
that require authentications (MSN, facebook, etc).
In case you find no problems in your network with ECMP, and would like to stick to it, all you have
to do is to substitute the values:

/ip route
add dst-address=0.0.0.0/0 gateway=Orange,Seti

with this one

/ip route
add dst-address=0.0.0.0/0 gateway=Host1,Host2

Yes I would like to stick with ECMP, so it should be like this:

add comment="" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=google.com,yahoo.com \
    scope=30 target-scope=10
add comment="" disabled=no distance=1 dst-address=73.88.149.0/24 gateway=SETI \
    scope=30 target-scope=10
add comment="" disabled=no distance=1 dst-address=88.230.11.0/24 gateway=Orange \
    scope=30 target-scope=10

…and that’s it? There is no need of a “check-gateway=ping” rule?

I think it should look like this:

/ip route
add dst-address=8.8.8.8 gateway=Orange scope=10 check-gateway=ping
add dst-address=8.8.4.4 gateway=Seti scope=10 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=8.8.8.8,8.8.4.4

The scope value is important. The IPs 8.8.8.8 and 8.8.4.4 are those of the
Google DNS servers. You can choose another if you like.

Thank you for your help, much appreciated.

Unfortunately it doesn’t work.

I get unreachable message for: add dst-address=0.0.0.0/0 gateway=8.8.8.8,8.8.4.4

add dst-address=8.8.8.8 gateway=WAN2 scope=10 check-gateway=ping - reachable
add dst-address=8.8.4.4 gateway=Arax scope=10 check-gateway=ping - reachable

You shouldn’t be using interfaces as gateways, like in:

add dst-address=8.8.8.8 gateway=WAN2 scope=10 check-gateway=ping - reachable
add dst-address=8.8.4.4 gateway=Arax scope=10 check-gateway=ping - reachable

The interfaces as gateways are not used as nexthop gateway.
Instead of interface value you should use IP, like, for example:

add dst-address=8.8.8.8 gateway=90.90.90.90 scope=10 check-gateway=ping - reachable
add dst-address=8.8.4.4 gateway=80.80.80.80 scope=10 check-gateway=ping - reachable

Had other troubles on my mind, didn’t have the time to work with the router…now back to what I was testing…

I tried the rules you gave me, I’ve changed the interface to IP:

[admin@MikroTik] /ip route> add dst-address=8.8.8.8 gateway=73.88.149.13 scope=10 check-gateway=ping
[admin@MikroTik] /ip route> add dst-address=8.8.4.4 gateway=88.230.11.92 scope=10 check-gateway=ping
[admin@MikroTik] /ip route> add dst-address=0.0.0.0/0 gateway=8.8.8.8, 8.8.4.4

But I’m getting this error: expected interface value (line 1 column 43) ..it doesn’t like the IP, wants the interface name.
What’s wrong ?
Thank you.

What are IP-s 73.88.149.13 and 88.230.11.92?
I have the impression those are the IP-s assigned to you by your ISP.
Or are they the gateways?

Yes, my fault.

Just one thing: for one provider I know the gateway, for the second I don’t have it because I don’t know it. It’s a PPPoE connection, only login and pass (and maybe DNS) is needed, nothing else.

The dst-address is set like this for both providers:

73.88.149.0/24
88.230.11.0/24

gateway: WAN1 and WAN2

I assume you have static IP assigned to you by your ISP.
For the ISP you don’t know the gateway, try the following.
Activate the option to assign automatically the gateway in the pppoe-client interface,
which is “add default route”. Then, go to /ip route and look for a route
DAS with dst-address=0.0.0.0/0 gateway=x.x.x.x
That is the gateway for your ISP.

Go back again to the pppoe-client interface and deactivate the option “add default route”

I’ve called my provider and they said that I don’t need a gateway so they didn’t want to give me, I know why, because the gateways are dynamic so it keeps on changing…

I did what you said, it gave me this gateway : 217.XX.164.44 but it was unreachable

Another thing looked into Addresses list, the provider with PPPoE connection has:

Address: 88.230.11.92 Network: 217.XX.164.171


You see: 217.XX.164.44 / 217.XX.164.171


so what to do in the case when the gateway is not static ?

In case it will be dynamic, it will require a script. I am not good at scripts,
so can not be very helpful here.