mm007
just joined
Topic Author
Posts: 1
Joined: Mon Apr 23, 2018 8:49 pm

2 WAN failover stuck

Mon Apr 23, 2018 8:56 pm

Hi,
somehow my 2 WAN failover does not work anymore. I might have changed something in the past and I'm not sure what. I'm sure that both WANs are working fine and have working internet access.

Currently WanTelenor always serves the internet, and if I unplug it, then there is no internet. It does not switch to WAN1.

When I specify the following, where 192.168.88.254 is my IP, then I have internet access on WAN1 while others still use WanTelenor:
add action=mark-routing chain=prerouting dst-address=!192.168.87.0/24 new-routing-mark=PrimaryWan passthrough=yes src-address=192.168.88.254 src-address-list=""

The current configuration is the following:

82.000.000.5 -> WAN1 (it is a static ip, so I hide it)
82.000.000.30 -> WAN1 gateway
192.168.87.2 -> WanTelenor
192.168.87.1 -> WanTelenor gateway
/ip address
add address=82.000.000.5 interface=WAN1 network=82.000.000.30
add address=192.168.87.2 interface=WanTelenor network=192.168.87.1

/ip route
add check-gateway=ping distance=1 gateway=82.000.000.30 routing-mark=PrimaryWan
add check-gateway=ping distance=10 gateway=192.168.87.1

/ip firewall filter
add action=drop chain=input dst-address=82.000.000.5 dst-port=53 protocol=udp
add action=drop chain=input dst-address=82.000.000.5 dst-port=53 protocol=tcp
add action=accept chain=input comment="Accept Established / Related Input" connection-state=established,related
add action=accept chain=input comment="Allow Management Input - 192.168.88.0/24" src-address=192.168.88.0/24
add action=accept chain=input comment="PPTP VPN" dst-port=1723 protocol=tcp
add action=accept chain=input comment="PPTP VPN" dst-port=500 protocol=udp
add action=accept chain=input comment="PPTP VPN" dst-port=1701 protocol=udp
add action=accept chain=input comment="PPTP VPN" dst-port=4500 protocol=udp
add action=accept chain=input comment="PPTP VPN" protocol=ipsec-esp
add action=accept chain=input comment="PPTP VPN" protocol=ipsec-ah
add action=drop chain=input comment="Drop Input" log-prefix="Input Drop"
add action=accept chain=forward comment="Accept Established / Related Forward" connection-state=established,related
add action=accept chain=forward comment="Allow forward traffic LAN >> WAN" out-interface=WAN1 src-address=192.168.88.0/24
add action=accept chain=forward out-interface=bridge1 src-address=192.168.88.0/24
add action=accept chain=forward comment="Allow forward traffic LAN >> WAN" out-interface=WanTelenor src-address=192.168.88.0/24
add action=drop chain=forward comment="Drop Bogon Forward >> Ether1" in-interface=WAN1 log=yes log-prefix="Bogon Forward Drop" src-address-list=Bogon
add action=drop chain=forward comment="Drop Forward"


/ip firewall mangle
add action=accept chain=prerouting dst-address=82.000.000.5 in-interface=WAN1
add action=accept chain=prerouting dst-address=192.168.87.2 in-interface=WanTelenor
add action=mark-routing chain=prerouting comment="Use PrimaryWan connection" dst-address=!192.168.87.0/24 new-routing-mark=PrimaryWan passthrough=yes src-address=192.168.88.254 src-address-list=""

/ip firewall nat
add action=masquerade chain=srcnat out-interface=WAN1
add action=masquerade chain=srcnat out-interface=WanTelenor
add action=accept chain=srcnat
 
anavds
newbie
Posts: 38
Joined: Wed Apr 04, 2018 2:47 pm

Re: 2 WAN failover stuck

Wed Apr 25, 2018 6:46 pm

I would say the problem is both in the mangle and routing rules.
Keep it simple!!!

There should be two plain routing rules without any mangling involved.
(These are similar to the functionality of the out-of-the-box default route created by the router.)

IP route destination 0.0.0.0/0 gateway IP of ISP primary, check ping gateway, distance = 1
IP route destination 0.0.0.0/0 gateway IP of ISP secondary, distance =2

In this case all users will get routed out the primary ISP and, if it goes down, traffic will be routed through the secondary ISP.
In your case it would look like:
IP route destination 0.0.0.0/0 gateway 192.168.87.1, check ping gateway, distance = 1
IP route destination 0.0.0.0/0 gateway 82.000.000.30, distance = 2

IP mangle - the simple intent is to ensure that all your traffic uses WAN2 (secondary ISP).
Source address your IP, use new routing mark, in-interface LAN.
(source address 192.168.88.254, in-interface LAN, new routing mark - name MYIP, comment "useonly-WAN2")

New IP route rule (new third rule)
Destination - 0.0.0.0/0, gateway IP 82.000.000.30, routing mark - MYIP

Other comments:
The mangle rules are a mess; the first two don't mark anything?
The third rule is butt ugly and I don't understand it (an external destination should be stated in routing rules, not mangle rules).
 
neu
newbie
Posts: 36
Joined: Sat Apr 07, 2018 9:58 pm

Re: 2 WAN failover stuck

Thu Apr 26, 2018 2:05 pm

The best choice is the PCC method of load balancing cum failover.
Refer to this link: https://aacable.wordpress.com/2011/06/0 ... t-by-zaib/
He has done excellent documentation.
neuCRM (http://neucrm.com) is full featured ISP Billing CRM software package for Mikrotik RouterOS.
 
anavds
newbie
Posts: 38
Joined: Wed Apr 04, 2018 2:47 pm

Re: 2 WAN failover stuck

Thu Apr 26, 2018 4:11 pm

That's very kind, neu, but the OP stated he wants to get failover working. Let's work on that, and when he/she wants to get load balancing working we can deal with it then!

To finish off the method previously described:
One needs two basic route rules (similar to the out-of-the-box default rule) for failover.
One needs a mangle rule (or as many mangle rules as there are exceptions), in this case to identify the ADMIN PC, which the OP desires to go out the secondary ISP (WAN1).

In this case all users will get routed out the primary ISP (WanTelenor) and, if it goes down, traffic will be routed through the secondary ISP (WAN1).
In your case it would look like:

Basic Route Rules:
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.87.1 check-gateway=ping distance=1
add dst-address=0.0.0.0/0 gateway=82.000.000.30 distance=2

IP mangle - the simple intent is to ensure that all your traffic uses WAN1 (secondary ISP).
/ip firewall mangle
add chain=prerouting src-address=192.168.88.254 action=mark-routing new-routing-mark=MYIP comment="Admin_WAN1"

Then you use the mangle rule's mark in IP route to tell the router where to send that particular traffic. You should note that I have created two rules for your admin traffic on a single IP address, in order to account for the possibility of failover. In other words, if WAN1 is not available you would still be able to access the internet through WanTelenor.
/ip route
add dst-address=0.0.0.0/0 gateway=82.000.000.30 check-gateway=ping distance=1 routing-mark=MYIP
add dst-address=0.0.0.0/0 gateway=192.168.87.1 distance=2 routing-mark=MYIP

I hope this gets you on the way to success and is understandable!
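
A simplified model of the route lookup discussed in this thread, added here as an example and not posted by any participant: it compares the route set from the first post with the one proposed in the last reply. It assumes RouterOS v6 behaviour (a marked packet falls back to the main table when its own table has no active route); the function and variable names are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Route:
    gateway: str
    distance: int
    mark: Optional[str] = None      # routing-mark; None means the main table
    check_gateway: bool = False     # check-gateway=ping

def pick_gateway(routes, mark=None, unplugged=(), silent=()):
    """Gateway chosen for a 0.0.0.0/0 lookup, or None if no route is active.
    unplugged: gateways whose interface has no link (route goes inactive).
    silent: gateways with link that ignore ping; only check-gateway notices."""
    def active(r):
        if r.gateway in unplugged:
            return False
        return not (r.check_gateway and r.gateway in silent)

    def best(table):
        usable = [r for r in routes if r.mark == table and active(r)]
        return min(usable, key=lambda r: r.distance).gateway if usable else None

    # Marked traffic tries its own table first, then falls back to main.
    return (best(mark) if mark else None) or best(None)

WAN1_GW, TELENOR_GW = "82.000.000.30", "192.168.87.1"   # values from the thread

# Routes as posted in the first message: WAN1 exists only in the marked table.
ORIGINAL = [
    Route(WAN1_GW, 1, mark="PrimaryWan", check_gateway=True),
    Route(TELENOR_GW, 10, check_gateway=True),
]
# Routes as proposed in the last reply: both tables hold both gateways.
PROPOSED = [
    Route(TELENOR_GW, 1, check_gateway=True),
    Route(WAN1_GW, 2),
    Route(WAN1_GW, 1, mark="MYIP", check_gateway=True),
    Route(TELENOR_GW, 2, mark="MYIP"),
]
OUTAGES = {"all up": (), "WanTelenor unplugged": (TELENOR_GW,),
           "WAN1 unplugged": (WAN1_GW,)}

def failover_report(routes, admin_mark):
    """Map each outage to (gateway for unmarked hosts, gateway for admin PC)."""
    return {label: (pick_gateway(routes, None, down),
                    pick_gateway(routes, admin_mark, down))
            for label, down in OUTAGES.items()}
```

With the original routes, `failover_report(ORIGINAL, "PrimaryWan")` gives unmarked hosts no gateway at all once WanTelenor is unplugged, which matches the symptom in the first post. The `silent` argument shows a remaining gap in the proposed set: a backup route without check-gateway stays active even when its gateway stops answering.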
