Srcnat and WAN fallover

I have an RB4011, 2 WAN connections and one private subnet which gets NATed for internet access.
WAN1 has a /27 range allocated from the ISP, while the secondary WAN2 is mainly for backup, just one IP.


WAN1 uses srcnat ‘one-to-one’ NAT:

add action=src-nat chain=srcnat comment="NAT" src-address=192.168.1.100 to-addresses=188.110.255.100
add action=src-nat chain=srcnat comment="NAT" src-address=192.168.1.101 to-addresses=188.110.255.101
add action=src-nat chain=srcnat comment="NAT" src-address=192.168.1.102 to-addresses=188.110.255.102
add action=src-nat chain=srcnat comment="NAT" src-address=192.168.1.103 to-addresses=188.110.255.103
add action=src-nat chain=srcnat comment="NAT" src-address=192.168.1.104 to-addresses=188.110.255.104
add action=src-nat chain=srcnat comment="NAT" src-address=192.168.1.105 to-addresses=188.110.255.105
add action=src-nat chain=srcnat comment="NAT" src-address=192.168.1.106 to-addresses=188.110.255.106
add action=src-nat chain=srcnat comment="NAT" src-address=192.168.1.107 to-addresses=188.110.255.107
add action=src-nat chain=srcnat comment="NAT" src-address=192.168.1.108 to-addresses=188.110.255.108
add action=src-nat chain=srcnat comment="NAT" src-address=192.168.1.109 to-addresses=188.110.255.109
add action=src-nat chain=srcnat comment="NAT" src-address=192.168.1.110 to-addresses=188.110.255.110
add action=src-nat chain=srcnat comment="NAT" src-address=192.168.1.111 to-addresses=188.110.255.111
add action=src-nat chain=srcnat comment="NAT" src-address=192.168.1.112 to-addresses=188.110.255.112
add action=src-nat chain=srcnat comment="NAT" src-address=192.168.1.113 to-addresses=188.110.255.113
add action=src-nat chain=srcnat comment="NAT" src-address=192.168.1.114 to-addresses=188.110.255.114
add action=src-nat chain=srcnat comment="NAT" src-address=192.168.1.115 to-addresses=188.110.255.115
add action=src-nat chain=srcnat comment="NAT" src-address=192.168.1.116 to-addresses=188.110.255.116
add action=src-nat chain=srcnat comment="NAT" src-address=192.168.1.117 to-addresses=188.110.255.117
add action=src-nat chain=srcnat comment="NAT" src-address=192.168.1.118 to-addresses=188.110.255.118
add action=src-nat chain=srcnat comment="NAT" src-address=192.168.1.119 to-addresses=188.110.255.119
add action=src-nat chain=srcnat comment="NAT" src-address=192.168.1.120 to-addresses=188.110.255.120
add action=src-nat chain=srcnat comment="NAT" src-address=192.168.1.121 to-addresses=188.110.255.121
add action=src-nat chain=srcnat comment="NAT" src-address=192.168.1.122 to-addresses=188.110.255.122
add action=src-nat chain=srcnat comment="NAT" src-address=192.168.1.123 to-addresses=188.110.255.123
add action=src-nat chain=srcnat comment="NAT" src-address=192.168.1.124 to-addresses=188.110.255.124
add action=src-nat chain=srcnat comment="NAT" src-address=192.168.1.125 to-addresses=188.110.255.125
add action=src-nat chain=srcnat comment="NAT" src-address=192.168.1.126 to-addresses=188.110.255.126

This works perfectly.
When I want to swap to WAN2 I do the following:

  1. Disable above rules
  2. Enable either src-nat masquerade:
add action=masquerade chain=srcnat comment="backup-NAT" out-interface=ether8 src-address=192.168.1.0/24

or src-nat:

add action=src-nat chain=srcnat comment="backup-NAT" src-address=192.168.1.0/24 to-addresses=86.123.188.201

How can I create a working automated swap from WAN1 to WAN2 and vice versa when one of the WAN connections fails on me?

Are there any mangling rules which can be applied or should I use scripting engine?

First of all I would say that you should have all your dst nat rules in place AND your srcnat-masquerade rule for the backup wan in place.

As for the backup rule it should look like… assuming it's a static WANIP… (no requirement to state source address)
# out-interface is the WAN2 port (ether8 in the original post); the parameter is to-addresses
add action=src-nat chain=srcnat comment="Backup WAN2" out-interface=ether8 to-addresses=86.123.188.201

In terms of routing that is the other place to ensure things will work correctly.
However I am not conversant in how to deal with so many WANIPs for WAN1…
My guess is that all those multiple WANIPs still use a single ISP gateway and thus perhaps it's still simple…

/ip route (simple)
add distance=2 check-gateway=ping gateway=gatewayIP of WAN1
add distance=10 gateway=gatewayIP of WAN2

When WAN1 is not available, routing switches to WAN2, and when WAN1 comes back online routing switches back to WAN1.

/ip route (better - in that one checks if the internet is available through the ISP gateway)
add distance=2 check-gateway=ping gateway=8.8.4.4
add distance=2 dst-address=8.8.4.4/32 gateway=GatewayIP of WAN1 scope=10
add distance=10 gateway=gatewayIP of WAN2

Judging by how many src-nat rules I use for WAN1 (I have 29 ip interfaces for the /27 provided by the WAN1 ISP), the check-gateway option on routes is not a solution.

Checking the MikroTik wiki I came across Netwatch, which can run scripts when a target host is up/down. I will use that to swap around my config, no mangling and marking packets involved.

Edit: I’ve given up on Netwatch, it’s too limited in my case, so I’ve cooked a script on the next post.
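For reference, an added example of the kind of scheduled failover script discussed in this thread; it is not the poster's script and not part of the original thread. It assumes the reply's recursive routes are in place (default route via 8.8.4.4 with check-gateway=ping, plus 8.8.4.4/32 via the WAN1 gateway) and the rule comments from the first post ("NAT" on the one-to-one rules, "backup-NAT" on the WAN2 rule); the interface and scheduler names are assumptions.

```routeros
# Added example, not from this thread. Assumes the recursive routes from the reply
# and the rule comments "NAT" (one-to-one rules) and "backup-NAT" (WAN2 rule).
# Store as /system script name=wan-failover and run it from /system scheduler.
:global wan1State
:if ([:typeof $wan1State] = "nothing") do={ :set wan1State "unknown" }

# WAN1 is usable while the default route via 8.8.4.4 is active; check-gateway=ping
# flags it unreachable (inactive) when the WAN1 ISP cannot reach 8.8.4.4.
:local wan1Active [/ip route get [find dst-address=0.0.0.0/0 gateway=8.8.4.4] active]
:local wan1Now "down"
:if ($wan1Active) do={ :set wan1Now "up" }

# Act only on a state change, so the scheduler does not flush connections every run.
:if ($wan1Now != $wan1State) do={
    :if ($wan1Now = "up") do={
        :log warning "WAN1 up: restoring one-to-one NAT, disabling backup NAT"
        /ip firewall nat enable [find comment="NAT"]
        /ip firewall nat disable [find comment="backup-NAT"]
    } else={
        :log warning "WAN1 down: disabling one-to-one NAT, enabling backup NAT"
        # The one-to-one rules match on src-address only (no out-interface), so they
        # really must be disabled: otherwise LAN traffic leaving via WAN2 would still
        # be translated to 188.110.255.x, a source the WAN2 ISP will not route back.
        /ip firewall nat disable [find comment="NAT"]
        /ip firewall nat enable [find comment="backup-NAT"]
    }
    # Tracked connections keep their old translation; drop the LAN ones so that
    # they are re-NATed on the WAN that is now in use.
    /ip firewall connection remove [find src-address~"^192\\.168\\.1\\."]
    :set wan1State $wan1Now
}
```

A scheduler entry such as `/system scheduler add name=wan-failover interval=30s on-event=wan-failover` runs it periodically; the state variable keeps the NAT toggling and the connection flush to the moment WAN1 actually changes state.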