Simple WAN failover with VLANs

Hi All,

So I currently have a CCR1009 set up with the combo port as WAN 1 and Eth1 as WAN 2. Eth 6 is a trunk port with several DHCP networks/VLANs and is uplinked into a switch to tag the appropriate network.

Now I have it working perfectly with a single WAN, and I have followed the guide for just a basic failover with a health-check ping.

If I simulate WAN1 being down, i.e. pulling the cable, the router itself fails over (tested by pinging from the terminal) and can ping out of WAN2; however, none of the LAN can ping out if I'm using my laptop. I shouldn't need to add anything in the firewall, but it looks like it's a NAT issue.

/ip address
add address=172.168.0.1/22 interface=vlan300 network=172.168.0.0
add address=172.1.2.1/24 interface=vlan400 network=172.1.2.0
add address=172.1.3.1/24 interface=vlan500 network=172.1.3.0
add address=172.1.4.1/24 interface=vlan600 network=172.1.4.0
add address=172.1.5.1/24 interface=vlan700 network=172.1.5.0
add address=182.16.0.1/22 interface=vlan800 network=182.16.0.0
add address=172.1.7.1/24 interface=vlan900 network=172.1.7.0
add address=172.1.8.1/24 interface=vlan901 network=172.1.8.0
add address=172.1.9.1/24 interface=vlan902 network=172.1.9.0
add address=172.1.10.1/24 interface=vlan903 network=172.1.10.0
add address=172.1.11.1/24 interface=vlan904 network=172.1.11.0
add address=172.1.12.1/24 interface=vlan905 network=172.1.12.0
add address=172.1.13.1/24 interface=vlan906 network=172.1.13.0
add address=172.1.14.1/24 interface=vlan907 network=172.1.14.0
add address=172.1.15.1/24 interface=vlan908 network=172.1.15.0
add address=172.1.16.1/24 interface=vlan909 network=172.1.16.0
add address=172.1.17.1/24 interface=vlan910 network=172.1.17.0
add address=172.1.18.1/24 interface=vlan911 network=172.1.18.0
add address=172.1.19.1/24 interface=vlan912 network=172.1.19.0
add address=172.1.20.1/24 interface=vlan913 network=172.1.20.0
add address=192.168.1.1/24 interface=vlan100 network=192.168.1.0
add address=89.197.X.X/29 interface=combo1 network=89.197.X.X
add address=10.0.0.1/22 interface=vlan200 network=10.0.0.0
add address=82.163.X.X/24 interface=ether1 network=82.163.X.X
/ip dhcp-server lease
add address=172.1.5.21 client-id=1:d0:bf:9c:35:80:e3 mac-address=D0:BF:9C:35:80:E3 server=dhcp7
/ip dhcp-server network
add address=10.0.0.0/22 gateway=10.0.0.1
add address=172.1.2.0/24 gateway=172.1.2.1
add address=172.1.3.0/24 gateway=172.1.3.1
add address=172.1.4.0/24 gateway=172.1.4.1
add address=172.1.5.0/24 gateway=172.1.5.1
add address=172.1.7.0/24 gateway=172.1.7.1
add address=172.1.8.0/24 gateway=172.1.8.1
add address=172.1.9.0/24 gateway=172.1.9.1
add address=172.1.10.0/24 gateway=172.1.10.1
add address=172.1.11.0/24 gateway=172.1.11.1
add address=172.1.12.0/24 gateway=172.1.12.1
add address=172.1.13.0/24 gateway=172.1.13.1
add address=172.1.14.0/24 gateway=172.1.14.1
add address=172.1.15.0/24 gateway=172.1.15.1
add address=172.1.16.0/24 gateway=172.1.16.1
add address=172.1.17.0/24 gateway=172.1.17.1
add address=172.1.18.0/24 gateway=172.1.18.1
add address=172.1.19.0/24 gateway=172.1.19.1
add address=172.1.20.0/24 gateway=172.1.20.1
add address=172.168.0.0/22 gateway=172.168.0.1
add address=182.16.0.0/22 gateway=182.16.0.1
add address=192.168.1.0/24 gateway=192.168.1.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip firewall nat
add action=masquerade chain=srcnat src-address=192.168.1.0/24
add action=masquerade chain=srcnat src-address=172.168.0.0/22
add action=masquerade chain=srcnat src-address=172.1.2.0/24
add action=masquerade chain=srcnat src-address=172.1.3.0/24
add action=masquerade chain=srcnat src-address=172.1.4.0/24
add action=masquerade chain=srcnat src-address=172.1.5.0/24
add action=masquerade chain=srcnat src-address=172.1.6.0/24
add action=masquerade chain=srcnat src-address=172.1.7.0/24
add action=masquerade chain=srcnat src-address=172.1.8.0/24
add action=masquerade chain=srcnat src-address=172.1.9.0/24
add action=masquerade chain=srcnat src-address=172.1.10.0/24
add action=masquerade chain=srcnat src-address=172.1.11.0/24
add action=masquerade chain=srcnat src-address=172.1.12.0/24
add action=masquerade chain=srcnat src-address=172.1.13.0/24
add action=masquerade chain=srcnat src-address=172.1.14.0/24
add action=masquerade chain=srcnat src-address=172.1.15.0/24
add action=masquerade chain=srcnat src-address=172.1.16.0/24
add action=masquerade chain=srcnat src-address=172.1.17.0/24
add action=masquerade chain=srcnat src-address=172.1.18.0/24
add action=masquerade chain=srcnat src-address=172.1.19.0/24
add action=masquerade chain=srcnat src-address=172.1.20.0/24
add action=masquerade chain=srcnat src-address=10.0.0.0/22
add action=masquerade chain=srcnat src-address=180.1.1.0/24
add action=masquerade chain=srcnat src-address=182.16.0.0/22
/ip route
add check-gateway=ping distance=1 gateway=89.197.X.X
add distance=2 gateway=82.163.X.X
Thanks in advance

Ben

You have two WANs = two masquerade (or source NAT) rules, generally speaking.
The key is to indicate which outgoing interface is going to be translating your private IP to a public IP.
It does not dictate the routing of traffic, which one has to really pay attention to if you want something other than simple failover.

(here is my dual WAN configuration - for simple failover)
/ip firewall nat
add action=masquerade chain=srcnat comment="SCR_NAT for LAN Users" ipsec-policy=out,none out-interface=Eastlink_eth1
add action=masquerade chain=srcnat comment="SCR_NAT FOR LAN USERS" out-interface=vlanbell

If you have fixed static WAN IPs, then source NAT is more appropriate.
/ip firewall nat
add action=src-nat chain=srcnat comment="SCR_NAT for LAN Users" out-interface=wan1 to-addresses=82.163.x.x
add action=src-nat chain=srcnat comment="SCR_NAT FOR LAN USERS" out-interface=wan2 to-addresses=89.197.x.x

Ok, thank you for responding, I will configure the extra NAT rules and retest failover.

It does make sense, but because I wasn't specifying the primary WAN on any of the NAT rules and it works, I just assumed that it would automatically overload on the backup WAN when the routing changes.

Yes, give it a shot, use only the two rules and remove the rest (or at least disable for now).

action=masquerade has two effects:

  • it automatically uses the IP address assigned to the out-interface of the packet as its new source address, so no need to configure it using the to-addresses parameter of the rule like you have to if you use action=src-nat, so you actually can have a single masquerade rule for both WAN interfaces,
  • if the interface mentioned above goes down, all connections src-nated using the masquerade rule are removed from the connection tracker's table, which means that the next packet of each of them will create a new connection with a new source address locally, but the remote end's firewall is unlikely to let the packets sent with a new source address through, and when the initially used WAN recovers, the connections continue being src-nated to the address of the other one because it didn't go down. So whilst the failover may succeed if the remote end is tolerant, the fallback is unlikely to succeed unless the ISP on WAN 1 lets through packets with a source IP address from a subnet unrelated to that ISP (some don't mind, though).

So the above explains your issue provided that you start the ping and disconnect WAN1 while it is running. The source address of each connection is assigned to the whole connection when its first packet is processed; a continuous ping is considered a single connection. If you disconnect WAN1, start a new ping from the laptop, and it doesn’t get through, the issue is not in the masquerading but something else in your configuration because a new ping creates a new connection in the firewall which uses WAN 2 and so it gets masqueraded to its IP address.

Btw, you can simplify your masquerade rules a lot - you can use intervals rather than subnets as src-address (so you may reduce the number of rules significantly if you keep using src-address to choose packets for masquerading), or you can say that whatever goes out via either WAN should be masqueraded no matter what the source address was, so you'd replace src-address by out-interface (ending up with one rule per WAN), or you could use /interface list to create a list named WAN and make both WAN interfaces members of this list, so you would then use a single masquerade rule referring to out-interface-list=WAN rather than src-address.
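As an added example (not posted by anyone in this thread), here is the interface-list form of the single masquerade rule described above, together with the two failover routes and a check to run after pulling WAN1. It assumes the interface names combo1 and ether1 and the 89.197.X.X / 82.163.X.X gateway placeholders from the original post; the LAN prefix 192.168.1.0/24 used in the check is one of the VLAN subnets listed there.

```routeros
# Added example, not from the thread. Put both upstream links in one interface list
# so NAT and firewall rules can refer to "any WAN" without naming each interface.
/interface list
add name=WAN comment="both upstream links (combo1 = WAN1, ether1 = WAN2)"
/interface list member
add list=WAN interface=combo1
add list=WAN interface=ether1

# One masquerade rule replaces the per-subnet rules from the original post.
# The new source address is whichever WAN address the packet actually leaves on,
# so the rule follows the routing decision during failover automatically.
# Keying on out-interface-list (not src-address) also means traffic routed
# between two VLANs is no longer rewritten to the router's own address, which
# src-address-only masquerade rules would do.
/ip firewall nat
add chain=srcnat action=masquerade out-interface-list=WAN comment="LAN out of either WAN"

# Primary route is withdrawn when its gateway stops answering pings;
# the distance-2 route then becomes active.
/ip route
add dst-address=0.0.0.0/0 gateway=89.197.X.X distance=1 check-gateway=ping comment="WAN1 primary"
add dst-address=0.0.0.0/0 gateway=82.163.X.X distance=2 comment="WAN2 backup"

# Verification after simulating a WAN1 outage (cable pulled), then starting a
# NEW ping from a LAN host: the backup route should be active, and the new
# connection's reply-dst-address should be the WAN2 address, not WAN1's.
/ip route print where dst-address=0.0.0.0/0
/ip firewall connection print where src-address~"^192\\.168\\.1\\." and protocol=icmp
```

A ping that was already running before the cable was pulled keeps its original NAT mapping in the tracker, exactly as explained above, so judge the failover only by connections started after the outage.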