Hey everyone
So I’m growing very angry and upset, all emotions. Having issues with a WAN failover setup/script for a customer. It’s making me look like an IDIOT and a fool. So many confusing options and scripts. Nearly none of them work. As people post about them, they all have issues? I guess I’m looking for a silver bullet.
I followed a guide, and not having success: http://stevedischer.com/another-way-to-do-automatic-failover-with-mikrotik-routeros/
topology:
WAN1 == coax cable connection
WAN2 == some trickery… Verizon hotspot jetpack, wireless bridge to a MikroTik MAP device in pseudo-bridge mode. I have ether1 of MAP device connected to a port on the primary MikroTik Router. I have static IP assigned on both interfaces.
Also on the router I assigned a static ROUTE out to the default gateway of the Verizon hotspot…
I can PING the internet 100% perfectly fine from the ROUTER going out the ether OUT interface (the interface on the router connected to the MAP/Verizon). Ping works great.
When I disconnect the ethernet cable from WAN1, the routing distance changes to 20 (per script). However, I’m unable to access the internet with traffic going OUT the MAP/Verizon ethernet interface… but ping works 100% to an internet address.
/ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; WINBOX_REMOTE
chain=dstnat action=dst-nat to-addresses=192.168.3.254 to-ports=8291
protocol=tcp in-interface=ether10-gateway dst-port=8291 log=no
log-prefix=""
1 ;;; STATION1 REMOTE DESKTOP
chain=dstnat action=dst-nat to-addresses=192.168.3.1 to-ports=3389
protocol=tcp in-interface=ether10-gateway dst-port=3381 log=no
log-prefix=""
2 ;;; SLSERVER REMOTE DESKTOP
chain=dstnat action=dst-nat to-addresses=192.168.3.30 to-ports=3389
protocol=tcp in-interface=ether10-gateway dst-port=3382 log=no
log-prefix=""
3 X ;;; REMOTE PHONE
chain=dstnat action=dst-nat to-addresses=192.168.3.121 to-ports=80
protocol=tcp in-interface=ether10-gateway dst-port=80 log=no
log-prefix=""
7 ;;; NETWORK DVR CAMERA
chain=dstnat action=dst-nat to-addresses=192.168.3.10 to-ports=700
protocol=tcp in-interface=ether10-gateway dst-port=700 log=no
log-prefix=""
8 chain=dstnat action=dst-nat to-addresses=192.168.3.10 to-ports=700
protocol=udp in-interface=ether10-gateway dst-port=700 log=no
log-prefix=""
9 chain=dstnat action=dst-nat to-addresses=192.168.3.10 to-ports=2000
protocol=tcp in-interface=ether10-gateway dst-port=2000 log=no
log-prefix=""
10 chain=dstnat action=dst-nat to-addresses=192.168.3.10 to-ports=2000
protocol=udp in-interface=ether10-gateway dst-port=2000 log=no
log-prefix=""
11 ;;; default configuration
chain=srcnat action=masquerade src-address=192.168.3.0/24
out-interface=ether10-gateway log=no log-prefix=""
12 ;;; default configuration
chain=srcnat action=masquerade src-address=192.168.10.0/24
out-interface=ether10-gateway log=no log-prefix=""
/ip firewall filter print
0 ;;; allow remote winbox
chain=input action=accept protocol=tcp in-interface=ether10-gateway dst-port=8291 log=no
log-prefix=""
1 ;;; accept established
chain=input action=accept connection-state=established log=no log-prefix=""
2 ;;; default configuration
chain=input action=accept protocol=icmp in-interface=ether10-gateway log=no log-prefix=""
3 ;;; default configuration
chain=input action=accept connection-state=established,related log=no log-prefix=""
4 ;;; default configuration
chain=forward action=accept connection-state=established,related log=no log-prefix=""
5 ;;; allow related
chain=forward action=accept connection-state=related log=no log-prefix=""
6 ;;; allow established
chain=forward action=accept connection-state=established log=no log-prefix=""
7 ;;; Allow limited pings
chain=input action=accept protocol=icmp limit=50/5s,2 log=no log-prefix=""
8 ;;; Drop excess pings
chain=input action=drop protocol=icmp log=no log-prefix=""
9 ;;; default configuration
chain=forward action=drop connection-state=invalid log=no log-prefix=""
10 ;;; Drop Bad DNS requests
chain=input action=drop protocol=udp in-interface=ether10-gateway dst-port=53 log=no log-prefix=""
11 chain=input action=drop protocol=tcp in-interface=ether10-gateway dst-port=53 log=no log-prefix=""
12 ;;; BLOCK GUEST WIFI FROM LOCAL
chain=forward action=accept src-address-list=VLAN10 dst-address-list=VLAN20 log=no log-prefix=""
13 chain=forward action=reject reject-with=icmp-host-unreachable protocol=icmp dst-address=192.168.10.>
src-address-list=GUESTWIFI out-interface=bridge1_guestwifi log=no log-prefix=""
14 chain=forward action=drop src-address-list=VLAN20 dst-address-list=VLAN10
in-interface=bridge1_guestwifi out-interface=bridge-local log=no log-prefix=""
15 chain=forward action=reject reject-with=icmp-net-prohibited src-address-list=VLAN20
dst-address-list=VLAN20 in-interface=bridge1_guestwifi log=no log-prefix=""
16 chain=forward action=reject reject-with=icmp-net-prohibited protocol=icmp
src-address=192.168.10.0/24 log=no log-prefix=""
17 chain=input action=drop src-address=192.168.10.0/24 dst-address=192.168.3.254
src-address-list=VLAN20 log=no log-prefix=""
18 chain=forward action=reject reject-with=icmp-net-prohibited protocol=icmp
src-address=192.168.10.0/24 dst-address=192.168.3.254 src-address-list=VLAN20 log=no log-prefix=""
19 chain=input action=drop protocol=tcp src-address=192.168.10.0/24 dst-address=192.168.10.1
src-address-list=VLAN20 dst-port=8291,8080 log=no log-prefix=""
20 ;;; default configuration
chain=forward action=drop connection-state=new connection-nat-state=!dstnat
in-interface=ether10-gateway log=no log-prefix=""
21 ;;; Dont Filter DVR Camera
chain=forward action=accept connection-state=new protocol=udp dst-address-list=DVRCAMERA
in-interface=ether10-gateway dst-port=700 log=no log-prefix=""
22 chain=forward action=accept connection-state=new protocol=tcp dst-address-list=DVRCAMERA
in-interface=ether10-gateway dst-port=700 log=no log-prefix=""
23 ;;; drop invalid connections
chain=input action=drop connection-state=invalid log=no log-prefix=""
24 ;;; drop invalid
chain=forward action=drop connection-state=invalid log=no log-prefix=""
25 ;;; Drop pings to 4.2.2.4 if they go through VERIZON
chain=output action=drop dst-address=4.2.2.4 out-interface=ether9_verizon log=no log-prefix=""
/ip route
add comment=WAN1 distance=1 gateway=67.78.248.25
add comment="Test pings from WAN1" distance=1 dst-address=8.8.8.8/32 gateway=67.78.XXX.XX
add comment=VERIZON distance=10 dst-address=192.168.99.12/32 gateway=ether9_verizon
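One thing the printout above shows on its own: both srcnat masquerade rules (11 and 12) match only out-interface=ether10-gateway, so LAN-sourced traffic that the failover route sends out ether9_verizon leaves with its private source address and gets no replies, while the router's own pings are sourced from the interface address and are unaffected. As an added example that is not part of the original post, the Python below parses RouterOS print output of this shape and lists the WAN interfaces with no enabled srcnat rule; the sample is an abbreviated, constructed copy of the post's output (rule 12 in the sample is invented to show that a disabled rule does not count), and the interface names are the post's.

```python
import re

# Constructed sample in the shape of '/ip firewall nat print' (rules 0 and 11 from the post, 12 invented)
NAT_PRINT = """Flags: X - disabled, I - invalid, D - dynamic
 0   ;;; WINBOX_REMOTE
     chain=dstnat action=dst-nat to-addresses=192.168.3.254 to-ports=8291
     protocol=tcp in-interface=ether10-gateway dst-port=8291 log=no log-prefix=""
 11  ;;; default configuration
     chain=srcnat action=masquerade src-address=192.168.3.0/24
     out-interface=ether10-gateway log=no log-prefix=""
 12 X ;;; constructed: a disabled rule must not count as coverage
     chain=srcnat action=masquerade src-address=192.168.3.0/24
     out-interface=ether9_verizon log=no log-prefix=""
"""

_KV = re.compile(r'(\S+?)=("[^"]*"|\S+)')  # key=value, value may be a quoted string

def parse_print(text):
    """One dict per rule (keys plus 'id', 'flags', 'comment'). A record starts with its number,
    flags such as X follow it, ';;;' introduces a comment; continuation lines never start with a digit."""
    rules = []
    for line in text.splitlines():
        if re.match(r"^\s*\d+(\s|$)", line):
            tokens = line.split()
            rid, flags = tokens.pop(0), ""
            while tokens and re.fullmatch(r"[A-Z]", tokens[0]):
                flags += tokens.pop(0)
            line = " ".join(tokens)
            comment = line[3:].strip() if line.startswith(";;;") else ""
            rules.append({"id": rid, "flags": flags, "comment": comment})
            if comment:
                continue  # a comment line carries no key=value pairs
        if rules:
            rules[-1].update({k: v.strip('"') for k, v in _KV.findall(line)})
    return rules

def wan_without_srcnat(rules, wan_interfaces):
    """WAN interfaces with no enabled srcnat rule: LAN traffic leaving them keeps its private source."""
    covered = set()
    for r in rules:
        if "X" in r["flags"] or r.get("chain") != "srcnat":
            continue
        if r.get("action") in ("masquerade", "src-nat"):
            covered.add(r.get("out-interface", "*"))  # no out-interface: the rule matches every egress
    if "*" in covered:
        return []
    return [i for i in wan_interfaces if i not in covered]

def audit(text=NAT_PRINT, wan=("ether10-gateway", "ether9_verizon")):
    return wan_without_srcnat(parse_print(text), wan)  # -> ['ether9_verizon'] for the sample
```

Run it against a live `/ip firewall nat print` capture; an interface reported here is one that needs its own masquerade (or src-nat) rule before failover traffic can return.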