Could anybody give me an idea of how to configure such a network?
Diagram:
WAN1 — R1 — [LAN Switch1] — [LAN Switch2] — R2 — WAN2
Explanation:
Router R1 is the default GW for the computers connected to the LAN switches. It does NAT for them and serves as a DNS server.
Now I have got a secondary (backup) WAN2 from a different provider. It is at the other end of the building, where only a LAN cable is available. I would like to use an R2 router connecting to this WAN2.
But I want the computers (connected to the LAN switches) to keep their configuration, because some IP configuration is static. This means they have R1 as their gateway all the time.
I believe I could run a script on R1 that would detect WAN being down (I can do that) and change some routes to pass all traffic from R1 via R2.
But I have no idea how to set those routes (+ masquerade?) and IP addresses when the outgoing direction on R1 becomes LAN/R2 once WAN1 goes down.
Any ideas how to set up the network, masquerade, whatever? Should I create extra addresses for R1/R2 different from the addresses on the LAN? Or is it meaningless?
I can't use VLANs because some switches do not support VLANs.
I would like to avoid loops and other problems like that.
Src-nat stuff should be done by R2. Be careful as well to exclude traffic towards R2 from connection tracking, as return traffic will be delivered by R2 directly to LAN hosts and connection tracking on R1 will get into a mess.
When WAN1 gets healthy again, revert the changes in routing.
In both cases client connections will get screwed (reset or whatever). Which is quite understandable for the moment of WAN1 dying but not so much for the moment when WAN1 gets back. To avoid the second hiccup you’d have to mangle connections with routing marks so that connections that are ongoing through R2 would keep going that way even when WAN1 gets back. I’m not sure though if that would get messy due to direct returns (bypassing R1) from R2 to LAN clients.
It could be as simple as defining a secondary/backup default route in the routing table on R1.
The distance of that secondary route should be higher than the primary's.
You would want to do a gateway check, e.g. ping, so that if ISP1 fails that route becomes inactive and the secondary kicks in.
Routing means directing traffic towards another hop. It doesn't matter if the next hop is on the same subnet the traffic came from … the only thing that matters is that the router can somehow access the next hop (either through a subnet or via a PtP link).
The only thing I was hinting at is the following:
1. LAN host wants to connect to a WAN host. It resolves the DST IP address and sees it can't be contacted directly (outside the LAN subnet mask),
2. so it sends the packet out to the best router. As it only has the default gateway 10.10.1.1 defined, it'll send the packet to that router (by sending the original IP packet to the router's MAC address!).
3. R1 receives the packet, examines dst-address and sees it's not for it. It looks where to send it and finds out that the best next hop is R2. It sends the same (original) IP packet to R2's MAC address.
4. R2 receives the packet, examines it, does the src-nat (replacing the LAN host's IP address with its own WAN address) and sends it via WAN2.
5. The returning packet from the WAN host arrives at R2 through the WAN2 interface. R2 receives it, does the reverse src-nat and looks where to send it to. It sees the LAN host, which is in the same subnet, and …
6. … delivers the return packet directly to the LAN host. The LAN host doesn't care that the MAC address of the last hop in the return path is different from the MAC address of the first hop of the outbound packet.
Due to the last step in the list above connection tracking on R1 should not work for this “backup” path.
When doing the routing for a subnet, the router needs an address in the same subnet for only one reason: so that hosts wanting to send packets to the gateway can do ARP resolution ("who has 10.10.1.1") … the received MAC address will then be used for sending the actual packet, which won't mention the router's IP address at all.
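As an added illustration of the two answers above (a backup default route with a higher distance plus a gateway check, and keeping R1's connection tracking out of the path via R2), here is a RouterOS configuration fragment written for this thread; it is not from any of the posts. It assumes R1's LAN address 10.10.1.1/24 (from the thread), R2's LAN address 10.10.1.2, interface names ether1-wan and bridge-lan on both routers, and placeholder provider gateways 203.0.113.1 (WAN1) and 198.51.100.1 (WAN2).

```routeros
# ---------- R1: default gateway for every LAN host ----------
# Primary default route via WAN1. check-gateway=ping marks the route
# inactive when the provider gateway stops answering, so the distance-2
# route below takes over without any script touching the routing table.
/ip route add dst-address=0.0.0.0/0 gateway=203.0.113.1 distance=1 check-gateway=ping comment="default via WAN1"
# Backup default route: next hop is R2, reachable on the same LAN subnet.
/ip route add dst-address=0.0.0.0/0 gateway=10.10.1.2 distance=2 comment="default via R2"
# Normal operation: R1 masquerades LAN traffic that leaves through WAN1.
/ip firewall nat add chain=srcnat out-interface=ether1-wan action=masquerade
# Failover path: LAN->Internet packets are forwarded back out bridge-lan
# towards R2 and the replies go from R2 straight to the host, so R1 only
# ever sees one direction of each flow. Keep those flows out of conntrack
# (raw table). The rule starts disabled: while WAN1 is up, R1's own NAT
# still needs those flows tracked.
/ip firewall raw add chain=prerouting in-interface=bridge-lan dst-address=!10.10.1.0/24 action=notrack disabled=yes comment="notrack-via-R2"
# Untracked packets never match connection-state=established/related, so
# a forward-chain filter on R1 must not rely on connection state for them.
# Script (hypothetical name) that follows the primary route's active flag
# and toggles the notrack rule accordingly; a scheduler runs it every 10s.
/system script add name=wan1-notrack-sync policy=read,write,test source=":if ([/ip route get [find comment=\"default via WAN1\"] active]) do={ /ip firewall raw disable [find comment=\"notrack-via-R2\"] } else={ /ip firewall raw enable [find comment=\"notrack-via-R2\"] }"
/system scheduler add name=wan1-notrack-sync interval=10s on-event=wan1-notrack-sync
# Caveat: forwarding a packet back out the interface it arrived on makes R1
# emit ICMP redirects pointing hosts at R2; hosts that honour them would
# keep a cached route to R2 after WAN1 recovers. Suppress the redirects.
/ip settings set send-redirects=no

# ---------- R2: backup exit on the same LAN subnet ----------
/ip address add address=10.10.1.2/24 interface=bridge-lan
/ip route add dst-address=0.0.0.0/0 gateway=198.51.100.1 comment="default via WAN2"
# R2 does the src-nat for LAN hosts during failover, as the first answer says.
/ip firewall nat add chain=srcnat out-interface=ether1-wan action=masquerade
```

The reset of in-flight connections when WAN1 comes back (the "second hiccup" described above) is not addressed here; with this setup new flows simply return to WAN1 once the distance-1 route is active again.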