Hello,
I have the following network topology, where there are two offices, and the traffic of the office 1 (R1) passes through VPN to the office 2 (R2).
In office 1 there are two WAN connections, where WAN1 is main and WAN2 is backup.
When WAN1 goes down, the VPN goes to WAN2, as desired!
However, when WAN1 is available again, the VPN does not return to WAN1 …
What to do to reverse this situation?
Can you put “export” of two routers please.
If you speak spanish, please write in spanish.
Please don’t. This is an international forum, please always use English while posting here.
I assume R1 main and backup connections does not share ip’s.
My approach in such case would be to make sure router at R2 would be the one to initiate the connection.
At R2 I would create a set of netwatch entries:
I would create scripts like these:
StabilityCheck
send x pings to R1.main.public.ip
send x pings to R1.backup.public.ip
analyse the ping response and decide which connection is the prefered
run script VpnMainInitiate or VpnBackupInitiate depending on which is prefered
/system scheduler disable initStabilityCheck
VpnMainInitiate
If mainVpn is disabled {
disable backupvpn
enable mainvpn
disable Netwatch3
}
if vpn is up {
disable Netwatch2
enable Netwatch1
disable scheduler VpnCheck
}
else
{
enable Netwatch3
enable Netwatch2
disable Netwatch1
}
}
VpnBackupInitiate
If backupVpn is disabled {
disable mainvpn
enable backupvpn
disable Netwatch3
enable Netwatch2
}
if vpn is up {
disable Netwatch2
enable Netwatch1
enable scheduler VpnCheck
}
else
{
enable Netwatch3
enable Netwatch2
disable Netwatch1
}
}
Scheduler VpnCheck: /system script run StabilityCheck
Point is: If connection inside vpn or to any of the R1 public ip’s drop, check with ping which ip at R1 is the most stable and connect using that ip. If connection fails, or backup connection becomes the active one, enable a scheduler that will repeat the check every so often. If the main connection becomes the active one, wait for netWatch to trigger any recheck.
Hello,
After a search on MikrotiK, I discovered a failover script.
I made some changes, adding a VPN, and it worked.
# ------------- start editing here -------------
# Edit the variables below to suit your needs
# Please fill the WAN interface names
:local InterfaceISP1 ether5
:local InterfaceISP2 ether6
#name l2tp
:local namevpn l2tp-r3
# Please fill the gateway IPs (or interface names in case of PPP)
:local GatewayISP1 X.X.X.X
:local GatewayISP2 Y.Y.Y.Y
# Please fill the ping check host - currently: resolver1.opendns.com
:local PingTarget Z.Z.Z.Z
# Please fill how many ping failures are allowed before fail-over happends
:local FailTreshold 3
# Define the distance increase of a route when it fails
:local DistanceIncrease 20
# Editing the script after this point may break it
# -------------- stop editing here --------------
# Declare the global variables
:global PingFailCountISP1
:global PingFailCountISP2
# This inicializes the PingFailCount variables, in case this is the 1st time the script has ran
:if ([:typeof $PingFailCountISP1] = "nothing") do={:set PingFailCountISP1 0}
:if ([:typeof $PingFailCountISP2] = "nothing") do={:set PingFailCountISP2 0}
# This variable will be used to keep results of individual ping attempts
:local PingResult
# Check ISP1
:set PingResult [ping $PingTarget count=1 interface=$InterfaceISP1]
:put $PingResult
:if ($PingResult = 0) do={
:if ($PingFailCountISP1 < ($FailTreshold+2)) do={
:set PingFailCountISP1 ($PingFailCountISP1 + 1)
:if ($PingFailCountISP1 = $FailTreshold) do={
:log warning "ISP1 has a problem en route to $PingTarget - increasing distance of routes."
:foreach i in=[/ip route find gateway=$GatewayISP1 && static] do=\
{/ip route set $i distance=([/ip route get $i distance] + $DistanceIncrease)}
:log warning "Route distance increase finished."
#Edit l2tp
:foreach i in=[/interface l2tp-client find name=$namevpn] do=\
{/interface l2tp-client set $i disabled=yes
/interface l2tp-client set $i disabled=no}
:log warning "L2tp change gateway."
}
}
}
:if ($PingResult = 1) do={
:if ($PingFailCountISP1 > 0) do={
:set PingFailCountISP1 ($PingFailCountISP1 - 1)
:if ($PingFailCountISP1 = ($FailTreshold -1)) do={
:log warning "ISP1 can reach $PingTarget again - bringing back original distance of routes."
:foreach i in=[/ip route find gateway=$GatewayISP1 && static] do=\
{/ip route set $i distance=([/ip route get $i distance] - $DistanceIncrease)}
:log warning "Route distance decrease finished."
#Edit l2tp
:foreach i in=[/interface l2tp-client find name=$namevpn] do=\
{/interface l2tp-client set $i disabled=yes
/interface l2tp-client set $i disabled=no}
:log warning "L2tp change gateway."
}
}
}
# Check ISP2
:set PingResult [ping $PingTarget count=1 interface=$InterfaceISP2]
:put $PingResult
:if ($PingResult = 0) do={
:if ($PingFailCountISP2 < ($FailTreshold+2)) do={
:set PingFailCountISP2 ($PingFailCountISP2 + 1)
:if ($PingFailCountISP2 = $FailTreshold) do={
:log warning "ISP2 has a problem en route to $PingTarget - increasing distance of routes."
:foreach i in=[/ip route find gateway=$GatewayISP2 && static] do=\
{/ip route set $i distance=([/ip route get $i distance] + $DistanceIncrease)}
:log warning "Route distance increase finished."
}
}
}
:if ($PingResult = 1) do={
:if ($PingFailCountISP2 > 0) do={
:set PingFailCountISP2 ($PingFailCountISP2 - 1)
:if ($PingFailCountISP2 = ($FailTreshold -1)) do={
:log warning "ISP2 can reach $PingTarget again - bringing back original distance of routes."
:foreach i in=[/ip route find gateway=$GatewayISP2 && static] do=\
{/ip route set $i distance=([/ip route get $i distance] - $DistanceIncrease)}
:log warning "Route distance decrease finished."
}
}
}
Thanks! However I only have access R1, so, I implemented a new solution.