rpi
just joined
Topic Author
Posts: 8
Joined: Tue Mar 12, 2019 9:44 am

Dual WAN with failover

Tue Mar 12, 2019 9:56 am

Hi all!

I'd like to configure my RB4011 to handle dual Wan with automatic failover, but no luck.
I tried the following article: https://wiki.mikrotik.com/wiki/Advanced ... _Scripting

Here are the details:
ISP1: UPC (static address, DHCP)
ISP2: Telekom (static address, PPPoE)

And the related part of my config:
/interface pppoe-client
add add-default-route=yes default-route-distance=2 disabled=no interface=ISP2-TELEKOM keepalive-timeout=disabled name=pppoe-telekom password=****** use-peer-dns=yes user=**********

/ip address
add address=10.0.0.1/16 interface=LAN-BRIDGE network=10.0.0.0

/ip dhcp-client
add default-route-distance=3 dhcp-options=hostname,clientid disabled=no interface=ISP1-UPC

/ip dhcp-server network
add address=10.0.0.0/16 dns-server=8.8.8.8 domain=8.8.4.4 gateway=10.0.0.1 netmask=16

/ip firewall nat
add action=masquerade chain=srcnat out-interface=ISP1-UPC src-address=10.0.0.0/16
add action=masquerade chain=srcnat out-interface=pppoe-telekom src-address=10.0.0.0/16

/ip route
add comment="Virtual Hop" distance=1 gateway=10.9.9.9 routing-mark=UPC scope=10
add comment="UPC > Quad9" distance=1 dst-address=9.9.9.9/32 gateway=ISP1-UPC scope=10
add comment="UPC -> OpenDNS" distance=1 dst-address=208.67.222.222/32 gateway=ISP1-UPC scope=10
add check-gateway=ping comment=Quad9 distance=1 dst-address=10.9.9.9/32 gateway=9.9.9.9 scope=10
add check-gateway=ping comment=OpenDNS distance=1 dst-address=10.9.9.9/32 gateway=208.67.222.222 scope=10

I want to use Quad9 (9.9.9.9) and OpenDNS (208.67.222.222) as GWs to test which ISP is alive, but it doesn't work. Both GWs are unreachable. Any idea?
 
draid
Member Candidate
Posts: 106
Joined: Wed Aug 22, 2018 5:42 pm

Re: Dual WAN with failover

Tue Mar 12, 2019 10:46 pm

Hello, this is the configuration I'm using at the moment. I'm also using PPPoE and Static address for ISP1/ISP2. Be aware that you can't use PPPoE interface for recursive.

/ip route
# Main link. This can be any address but it has to be the same in the check-gateway
add distance=1 gateway=10.1.1.1
# Backup link
add distance=2 gateway=10.2.2.2

# ISP1 checks google dns1
add distance=1 dst-address=8.8.4.4/32 gateway=ISP1 scope=10
# ISP2 checks google dns2
add distance=1 dst-address=8.8.8.8/32 gateway=ISP2 scope=10
# ISP1 checks open dns1 if google dns1 fails.
add distance=1 dst-address=208.67.220.220/32 gateway=ISP1 scope=10
# ISP2 checks open dns2 if google dns2 fails.
add distance=1 dst-address=208.67.222.222/32 gateway=ISP2 scope=10

add check-gateway=ping distance=1 dst-address=10.1.1.1/32 gateway=8.8.8.8 scope=10
add check-gateway=ping distance=1 dst-address=10.1.1.1/32 gateway=208.67.220.220 scope=10
add check-gateway=ping distance=1 dst-address=10.2.2.2/32 gateway=208.67.222.222 scope=10
add check-gateway=ping distance=1 dst-address=10.2.2.2/32 gateway=8.8.4.4 scope=10

This is the multiple hosts check variant of the dual WAN failover from the MikroTik wiki page. It checks one DNS and if this DNS fails, then it checks the second DNS. Only if both checks fail it switches to the backup lane.

Also, I'm using src-nat instead of masquerade

/ip firewall nat
add action=src-nat chain=srcnat comment="SRC-NAT MainLink" out-interface=pppoe \
    to-addresses=<ISP1 address>
add action=src-nat chain=srcnat comment="SRC-NAT BackUp" out-interface=eth1 \
    to-addresses=<ISP2 address>

As I said you have to check if the remote gateway of the PPPoE is constant because if it's changing on every new connection the recursion won't work and the failover won't work. You have to exclude the eth port which you want to use for the backup ISP from the bridge (I guess you already did that)

I'm also not deep in Mikrotik and I'm still experimenting but I hope it'll help you with your configuration.
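
A simplified model of the multiple-host check described in the post above, as an added example that is not part of the original post or MikroTik's own code: it parses constructed `/ip route` lines (two probe hosts pinned to each uplink) and resolves the default route recursively, skipping any `check-gateway=ping` route whose probe host is silent. The function names, the `ISP1`/`ISP2` uplink names, the `hosts_down` set and the exact-match route lookup are assumptions of this example.

```python
import shlex

# Constructed sample (not a config from the thread): two probe hosts per uplink.
CONFIG = """
add distance=1 gateway=10.1.1.1
add distance=2 gateway=10.2.2.2
add dst-address=8.8.8.8/32 gateway=ISP1 scope=10
add dst-address=208.67.222.222/32 gateway=ISP1 scope=10
add dst-address=8.8.4.4/32 gateway=ISP2 scope=10
add dst-address=208.67.220.220/32 gateway=ISP2 scope=10
add check-gateway=ping dst-address=10.1.1.1/32 gateway=8.8.8.8 scope=10
add check-gateway=ping dst-address=10.1.1.1/32 gateway=208.67.222.222 scope=10
add check-gateway=ping dst-address=10.2.2.2/32 gateway=8.8.4.4 scope=10
add check-gateway=ping dst-address=10.2.2.2/32 gateway=208.67.220.220 scope=10
"""

def parse_routes(text):
    """Turn 'add key=value ...' lines into dicts with RouterOS-like defaults."""
    routes = []
    for line in text.strip().splitlines():
        route = dict(tok.split("=", 1) for tok in shlex.split(line)[1:])
        route.setdefault("dst-address", "0.0.0.0/0")
        route["distance"] = int(route.get("distance", 1))
        routes.append(route)
    return routes

def resolve(routes, dst, links_up, hosts_down, depth=0):
    """Return the uplink that carries traffic for dst, or None if no route is active."""
    if depth > 4:                      # guard against routing loops
        return None
    matches = [r for r in routes if r["dst-address"] == dst]
    for route in sorted(matches, key=lambda r: r["distance"]):
        gw = route["gateway"]
        if "." not in gw:              # assumption: names without dots are interfaces
            if gw in links_up:
                return gw
            continue
        if route.get("check-gateway") == "ping" and gw in hosts_down:
            continue                   # probe host silent: this route goes inactive
        link = resolve(routes, gw + "/32", links_up, hosts_down, depth + 1)
        if link is not None:
            return link
    return None

def active_uplink(links_up, hosts_down=()):
    """Uplink chosen for the default route in the given failure scenario."""
    return resolve(parse_routes(CONFIG), "0.0.0.0/0", set(links_up), set(hosts_down))

if __name__ == "__main__":
    print(active_uplink({"ISP1", "ISP2"}, {"8.8.8.8"}))                    # one probe down
    print(active_uplink({"ISP1", "ISP2"}, {"8.8.8.8", "208.67.222.222"}))  # both down
```

Putting both of an uplink's probe hosts in `hosts_down` models the case where the physical link stays up but the ISP's upstream is broken, which is the failure an interface-state check alone would miss.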
 
WeWiNet
Long time Member
Posts: 597
Joined: Thu Sep 27, 2018 4:11 pm

Re: Dual WAN with failover

Wed Mar 13, 2019 10:35 am

Hi RPI,

the DHCP server settings, domain should be empty, not 8.8.4.4.
You put 8.8.4.4 as 2nd DNS server if you click on the winbox on the DHCP server setting, but don't put it into domain.

In DHCP-CLIENT: you need to DISABLE "add default route" else router does always use default route!

masquerade: I don't know why you give source address...? Is it needed? Do you have addresses that don't need masquerade?

Your choice of "virtual hop" address of 10.xxx is dangerous as you also use 10.xxx as local address... It should work
but better use something really outside your local 10.xxx/16 subnet.

Draid:
If I look at your routes, is really only one active?

RPI/draid:
you do not need the virtual hops. The Google GW as hop by itself is enough . Check out other posts on this.

PS: You don't do any load balancing with PCC, is this on purpose or do you really just want failover?
 
rpi
just joined
Topic Author
Posts: 8
Joined: Tue Mar 12, 2019 9:44 am

Re: Dual WAN with failover

Wed Mar 13, 2019 2:37 pm

Thanks everybody for the reply.

> the DHCP server settings, domain should be empty, not 8.8.4.4.
> You put 8.8.4.4 as 2nd DNS server if you click on the winbox on the DHCP server setting, but don't put it into domain.

Oops, you're right, I'll fix this, but I guess this isn't really related to my problem.

> In DHCP-CLIENT: you need to DISABLE "add default route" else router does always use default route!

Should I disable for PPPoE too?

> masquerade: I don't know why you give source address...? Is it needed? Do you have addresses that don't need masquerade?

I read somewhere that if I don't specify the source address the router masquerades every packet even if the destination is in the same network as the source, and it means a lot more CPU usage. Isn't it true?

> you do not need the virtual hops. The Google GW as hop by itself is enough. Check out other posts on this.

I found this in wiki: https://wiki.mikrotik.com/wiki/Advanced ... _Scripting
Can you send me the links of those other posts? Thanks.

> PS: You don't do any load balancing with PCC, is this on purpose or do you really just want failover?

Yes, I only want failover, no load balancing.
 
WeWiNet
Long time Member
Posts: 597
Joined: Thu Sep 27, 2018 4:11 pm

Re: Dual WAN with failover

Wed Mar 13, 2019 3:19 pm

yes you also need to disable the default route for PPPoE.
else the failover will not work and it will always use the default PPPoE route.
You will define the routes later on "by hand". But those added routes always have a higher
distance than the default routes...thus do not create default route.


masquerading on out interface WAN_xxx is done only for packets leaving the router via the defined interface.
Local traffic will not get masqueraded and will not create any additional CPU load.


Check out this post for more background on the failover setup.
viewtopic.php?f=2&t=145970&p=719949#p719949
 
draid
Member Candidate
Posts: 106
Joined: Wed Aug 22, 2018 5:42 pm

Re: Dual WAN with failover

Wed Mar 13, 2019 7:52 pm

> Hi RPI,
>
> the DHCP server settings, domain should be empty, not 8.8.4.4.
> You put 8.8.4.4 as 2nd DNS server if you click on the winbox on the DHCP server setting, but don't put it into domain.
>
> In DHCP-CLIENT: you need to DISABLE "add default route" else router does always use default route!
>
> masquerade: I don't know why you give source address...? Is it needed? Do you have addresses that don't need masquerade?
>
> Your choice of "virtual hop" address of 10.xxx is dangerous as you also use 10.xxx as local address... It should work
> but better use something really outside your local 10.xxx/16 subnet.
>
> Draid:
> If I look at your routes, is really only one active?
>
> RPI/draid:
> you do not need the virtual hops. The Google GW as hop by itself is enough. Check out other posts on this.
>
> PS: You don't do any load balancing with PCC, is this on purpose or do you really just want failover?

Hello WeWiNet,

Well the route with distance 2 is for sure inactive. The fail-over works like a charm however I can't say with a 100% certainty that it's the best way or that it lacks any flows as I'm still trying different things with the Tik. The configuration was taken from the wiki so I guess it has to be verified. I've checked if one of the DNS servers fails and it for sure keeps the link until both are down. Also I'm not using PCC as initially I needed only fail-over but I'm yet to test load balancing just for the sake of it.
 
rpi
just joined
Topic Author
Posts: 8
Joined: Tue Mar 12, 2019 9:44 am

Re: Dual WAN with failover

Thu Mar 14, 2019 9:23 am

> yes you also need to disable the default route for PPPoE.
> else the failover will not work and it will always use the default PPPoE route.
> You will define the routes later on "by hand". But those added routes always have a higher
> distance than the default routes...thus do not create default route.

Oh, I see, thanks for the clarification.

> masquerading on out interface WAN_xxx is done only for packets leaving the router via the defined interface.
> Local traffic will not get masqueraded and will not create any additional CPU load.

So I need one rule for ISP1-UPC (DHCP) interface, and one for pppoe-telekom, right?

> Check out this post for more background on the failover setup.
> viewtopic.php?f=2&t=145970&p=719949#p719949

Hmm. I read the whole thread, but it's still not clear to me why I don't need to use a virtual hop. Can you show me an example route config for this?
 
WeWiNet
Long time Member
Posts: 597
Joined: Thu Sep 27, 2018 4:11 pm

Re: Dual WAN with failover

Thu Mar 14, 2019 12:30 pm

here is the route description
/ip route
add check-gateway=ping comment="ping-tested GW-1" distance=1 gateway=8.8.8.8 routing-mark=to_WAN1 
add check-gateway=ping comment="ping-tested GW-2" distance=1 gateway=8.8.4.4 routing-mark=to_WAN2 
add check-gateway=ping comment="Backup onto GW1 all GW2 connections" distance=2 gateway=8.8.8.8
add check-gateway=ping comment="Backup onto GW2 all GW1 connections" distance=3 gateway=8.8.4.4
add comment="route to reach ping-test-GW-2" distance=1 dst-address=8.8.4.4/32 gateway=YOUR_WAN_IP_GW1 scope=10 
add comment="route to reach ping-test-GW-1" distance=1 dst-address=8.8.8.8/32 gateway=YOUR_WAN_IP_GW2 scope=10

isn't this beautiful. :D (it's based on original idea from Chupaka)
 
rpi
just joined
Topic Author
Posts: 8
Joined: Tue Mar 12, 2019 9:44 am

Re: Dual WAN with failover

Thu Mar 14, 2019 6:16 pm

But it only tests one host per WAN (8.8.8.8 for WAN1 and 8.8.4.4 for WAN2), doesn't it? So if 8.8.8.8 is down, all traffic goes to WAN2. So it's not too robust. How can I check 2 hosts per WAN without the virtual hops?
 
WeWiNet
Long time Member
Posts: 597
Joined: Thu Sep 27, 2018 4:11 pm

Re: Dual WAN with failover

Thu Mar 14, 2019 7:52 pm

You just add more (copy the rules and add which target you want) ...
 
rpi
just joined
Topic Author
Posts: 8
Joined: Tue Mar 12, 2019 9:44 am

Re: Dual WAN with failover

Fri Mar 15, 2019 10:36 am

Hmm. Sorry, but it's not clear to me. Can you show me an example with two host checks without virtual hops?
I could manage to create a working setup with virtual hops:

[attached image: nomarks.png]

But if I add the routing marks (from the wiki page) it doesn't work anymore:

[attached image: marks.png]

Why? Should I create some firewall rules (mangle)?
Other topic: I'd like to set up an email alert if the second line becomes active. Is it possible?
 
anav
Forum Guru
Posts: 19323
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Dual WAN with failover

Fri Mar 15, 2019 1:18 pm

/ip route
add check-gateway=ping distance=3 gateway=8.8.4.4
add distance=3 dst-address=8.8.4.4/32 gateway=NNN.yy.rrr.ttt scope=10
add check-gateway=ping distance=4 gateway=NNN.yy.rrr.ttt
add distance=4 dst-address=208.67.220.220/32 gateway=156.57.160.1 scope=10
add distance=10 gateway=BB.xxx.cc.dd

Primary has gateway NNN.yy.rr.ttt
Secondary (back-up) has gateway BB.xxx.cc.dd
