WAN failover

Has anyone got the following working?

http://wiki.mikrotik.com/wiki/Advanced_Routing_Failover_without_Scripting

I am not following this wiki write-up at all with the Host explanations. The second step is to have the host as a gateway…

Also is this really the best way to do failover? What are others using?

:bump:

The setup works. Notice how the scope is used to recursively look up routes.

I personally don't like this, because it makes a mess of your routing table. You can look at my failover script on the wiki http://wiki.mikrotik.com/wiki/Failover_Scripting
It monitors an IP; if that goes down, it increases the distance of the route that is down. This gives your other default route higher priority, by which you achieve failover.

On your script for checking, are you mangling a routing mark? How does the ip route look?

My script relies on mangle already being properly configured by you. It only works with routing tables.

These lines do the checking.
:set PingResult [ping $PingTarget count=1 interface=$InterfaceISP1]
:set PingResult [ping $PingTarget count=1 interface=$InterfaceISP2]

If the ping goes unanswered a configured number of times, all routes that live on that interface have their distance increased by what you configure.

Example: here is how my routing table looks

/ip route
add distance=1 gateway=213.108.x.x comment=ISP1
add distance=2 gateway=87.149.x.x comment=ISP2
add distance=1 gateway=213.108.x.x routing-mark=WAN->ISP1
add distance=1 gateway=87.149.x.x routing-mark=WAN->ISP2

So when ISP1 is up, whole network goes through ISP1. Mangle is configured so connectivity which comes from WAN is replied to correctly in each routing table (standard mangle with no load balancing for 2 ISPs)

So the script pings and checks both ISPs. If ISP1 goes down, the script increases routes which use its gateway by a certain distance (let's say 20). So in the main routing table, ISP2 now has the lower distance, therefore the whole network uses ISP2. This achieves failover.
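As an added example (not tomaskir's wiki script, and not something posted in this thread), here is one scheduler pass of the distance-based check described above, with the failback step (distance restored once pings answer again) written out. Gateway addresses, interface names, thresholds and the global variable names are assumptions for illustration; the ping check uses the same `interface=` form as the lines quoted above.

```routeros
# Added example: one pass of a distance-based WAN failover check with failback.
# Run it from the scheduler, e.g. every 10 seconds (assumed script name "failover"):
#   /system scheduler add name=failover interval=10s on-event=failover
# All addresses below are RFC 5737 documentation addresses, assumed for illustration.
:local GatewayISP1 203.0.113.1
:local GatewayISP2 198.51.100.1
:local InterfaceISP1 "ether1"
:local InterfaceISP2 "ether2"
:local PingTarget 8.8.8.8
:local FailTreshold 4
:local DistanceIncrease 20

# Counters and "distance already raised" flags must survive between runs,
# so they are globals; initialise them on the first run only.
:global PingFailCountISP1
:global PingFailCountISP2
:global ISP1Shifted
:global ISP2Shifted
:if ([:typeof $PingFailCountISP1] = "nothing") do={ :set PingFailCountISP1 0 }
:if ([:typeof $PingFailCountISP2] = "nothing") do={ :set PingFailCountISP2 0 }
:if ([:typeof $ISP1Shifted] = "nothing") do={ :set ISP1Shifted false }
:if ([:typeof $ISP2Shifted] = "nothing") do={ :set ISP2Shifted false }

# Add $delta to the distance of every route that uses gateway $gw: the plain
# default route and every routing-mark copy of it are shifted together.
:local shiftDistance do={
    :foreach rt in=[/ip route find gateway=$gw] do={
        /ip route set $rt distance=([/ip route get $rt distance] + $delta)
    }
}

# ----- ISP1: count consecutive lost pings, reset on the first reply -----
:if ([/ping $PingTarget count=1 interface=$InterfaceISP1] = 0) do={
    :set PingFailCountISP1 ($PingFailCountISP1 + 1)
} else={
    :set PingFailCountISP1 0
}
# Failover: raise the distance once, not on every run while the link is down
:if (($PingFailCountISP1 >= $FailTreshold) && (!$ISP1Shifted)) do={
    :log warning "ISP1: $FailTreshold pings lost, raising route distance by $DistanceIncrease"
    $shiftDistance gw=$GatewayISP1 delta=$DistanceIncrease
    :set ISP1Shifted true
}
# Failback: put the original distance back as soon as the link answers again
:if (($PingFailCountISP1 = 0) && $ISP1Shifted) do={
    :log warning "ISP1: ping replies again, restoring route distance"
    $shiftDistance gw=$GatewayISP1 delta=(0 - $DistanceIncrease)
    :set ISP1Shifted false
}

# ----- ISP2: identical logic -----
:if ([/ping $PingTarget count=1 interface=$InterfaceISP2] = 0) do={
    :set PingFailCountISP2 ($PingFailCountISP2 + 1)
} else={
    :set PingFailCountISP2 0
}
:if (($PingFailCountISP2 >= $FailTreshold) && (!$ISP2Shifted)) do={
    :log warning "ISP2: $FailTreshold pings lost, raising route distance by $DistanceIncrease"
    $shiftDistance gw=$GatewayISP2 delta=$DistanceIncrease
    :set ISP2Shifted true
}
:if (($PingFailCountISP2 = 0) && $ISP2Shifted) do={
    :log warning "ISP2: ping replies again, restoring route distance"
    $shiftDistance gw=$GatewayISP2 delta=(0 - $DistanceIncrease)
    :set ISP2Shifted false
}
```

Two points worth checking on your own router: the routes are matched by gateway, so the distance shift only works if the marked routes use exactly the same gateway value as the main-table default route, and a single successful ping restores the distance immediately, so a link that flaps will move traffic back and forth; require several consecutive replies before restoring if that matters to you.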

Let's see if I have this right. Apologies, first time doing failover, not first time doing dual WAN (route marking).

:IP routes
dst-address=0.0.0.0/0 gateway=68.68.x.x gateway-status=68.68.x.x reachable via  ether1-sv distance=1 scope=30 target-scope=10 routing-mark=sv 

dst-address=0.0.0.0/0 gateway=50.195.x.x gateway-status=50.195.x.x reachable via  ether2-cc distance=1 scope=30 target-scope=10 routing-mark=cc

dst-address=0.0.0.0/0 gateway=68.68.x.x gateway-status=68.68.x.x reachable via ether1-sv distance=1 scope=30 target-scope=10 

dst-address=0.0.0.0/0 gateway=50.195.x.x gateway-status=50.195.x.x reachable via  ether2-cc distance=1 scope=30 target-scope=10

:Mangle Rules
chain=prerouting action=mark-routing new-routing-mark=sv passthrough=no 

chain=prerouting action=mark-routing new-routing-mark=comcast passthrough=no

I have adjusted your script accordingly. I assume I will need to make double entries in the ip firewall filter and ip firewall nat for both WANs? My drops are currently set to 10 drops; in the scheduler, do you know the time you set for the script to run?

Your main routing table has 2 routes with distance 1, one route needs to have higher distance. Also, if that is all you have in your mangle, you need much more. Feel free to watch the video in my sig for more info on proper 2 WAN mangle. With your mangle, you will not be able to reach the router properly from the outside from both WANs.

The scheduler is up to you. I usually use 10 seconds with 4 failures. For firewall, that all depends on how you have it setup. If you only use input and forward chains, then all is taken care of. If you firewall based on incoming interface and jump to custom chains, then you need to jump from both interfaces.

OK, it would appear I have this working; however, I have a hang-up that I completely forgot about.

I cannot only srcnat->masq

I have a ton of src/dst rules for different servers behind this.

So what is the problem with the NAT? Simply make sure you are NATing based on a "WAN_IP" address list, which contains both your WAN IP addresses. Do not NAT based on incoming interface, or you will have to have all your NAT rules multiple times.

I run 1:1 pretty much everywhere; I have not done NAT based on "WAN IP" before with address lists. Could you give me an example to work from?

Thank you so much tomaskir for your expertise on this. The video was awesome in your comment.

If you run 1:1 then do it like this:

add action=dst-nat chain=dstnat dst-address-list=WAN_IPs_host1 to-addresses=10.0.y.x1
add action=dst-nat chain=dstnat dst-address-list=WAN_IPs_host2 to-addresses=10.0.y.x2

Then for your address list do it like

add address=87.197.y.x1 list=WAN_IPs_host1 
add address=213.108.y.x1 list=WAN_IPs_host1 

add address=87.197.y.x2 list=WAN_IPs_host2 
add address=213.108.y.x2 list=WAN_IPs_host2

So basically, both IPs from ISP1 and ISP2 are 1:1 NATed in a single NAT rule to a host (2 hosts in the example above, x1 and x2).

Alright, I'm a bit confused now. I thought I had the failover working, but it appears I don't.

I can unplug ether1 = ISP1 and it fails over to ether2 = ISP2. When I plug ether1 = ISP1 back in, it does not fail back to ISP1.

How does the above work for a srcnat rule. I have a /27 on both ISP’s that I srcnat the servers to.

For src-nat you will have to have 2 src-NAT rules for each server, unfortunately. Or you can just masquerade both outgoing interfaces and all servers will share a single IP for outgoing traffic only. Incoming traffic, thanks to the dst-nat rules, will be replied to with the correct IP, however. In case you want src-nats for each server, do it like this:

add chain=srcnat src-address-list=LAN_IP_host1 out-interface=ISP1 action=src-nat to-addresses=ISP1_IP1
add chain=srcnat src-address-list=LAN_IP_host1 out-interface=ISP2 action=src-nat to-addresses=ISP2_IP1

add chain=srcnat src-address-list=LAN_IP_host2 out-interface=ISP1 action=src-nat to-addresses=ISP1_IP2
add chain=srcnat src-address-list=LAN_IP_host2 out-interface=ISP2 action=src-nat to-addresses=ISP2_IP2

I have something very broken with your script.

I edited only what I needed to.

# ------------- start editing here -------------
# Edit the variables below to suit your needs

# Please fill the WAN interface names
:local InterfaceISP1 ether1
:local InterfaceISP2 ether2

# Please fill the gateway IPs (or interface names in case of PPP)
:local GatewayISP1 68.*.*.1
:local GatewayISP2 50.*.*.1

# Please fill the ping check host - currently: google public dns
:local PingTarget 8.8.8.8

# Please fill how many ping failures are allowed before fail-over happens
:local FailTreshold 3

# Define the distance increase of a route when it fails
:local DistanceIncrease 2

ip route print:

 0 A S  dst-address=0.0.0.0/0 gateway=68.*.*.1 
        gateway-status=68.*.*.1 reachable via  ether1 distance=1 scope=30 
        target-scope=10 routing-mark=sv 

 1 A S  dst-address=0.0.0.0/0 gateway=50.*.*.1 
        gateway-status=50.*.*.1 reachable via  ether2 distance=1 
        scope=30 target-scope=10 routing-mark=cc 

 2 A S  dst-address=0.0.0.0/0 gateway=68.*.*.1 
        gateway-status=68.*.*.1 reachable via  ether1 distance=1 scope=30 
        target-scope=10 

 3   S  dst-address=0.0.0.0/0 gateway=50.*.*.1 
        gateway-status=50.*.*.1 reachable via  ether2 distance=2 
        scope=30 target-scope=10

Firewall Mangle:

0   chain=prerouting action=accept src-address-list=connected 
     dst-address-list=connected 

 1   chain=input action=mark-connection new-connection-mark=wan1 passthrough=n>
     in-interface=ether1 connection-mark=no-mark 

 2   chain=input action=mark-connection new-connection-mark=wan2 passthrough=n>
     in-interface=ether2 connection-mark=no-mark 

 3   chain=output action=mark-routing new-routing-mark=sv passthrough=no 
     connection-mark=wan1 

 4   chain=output action=mark-routing new-routing-mark=cc passthrough=no 
     connection-mark=wan2 

 5   chain=forward action=mark-connection new-connection-mark=wan1->lan 
     passthrough=no in-interface=ether1 connection-mark=no-mark 

 6   chain=forward action=mark-connection new-connection-mark=wan2->lan 
     passthrough=no in-interface=ether2 connection-mark=no-mark 

 7   chain=prerouting action=mark-routing new-routing-mark=sv passthrough=no 
     src-address-list=LAN connection-mark=wan1->lan 

 8   chain=prerouting action=mark-routing new-routing-mark=cc 
     passthrough=no src-address-list=LAN connection-mark=wan2->lan

When I look at the Environment tab in Script List, I can see PingFailCountISP2 and 1. If I unplug ISP1 it now is not failing over to ISP2, and when I plug ISP1 back in it does not fail back to ISP1.

:bump: