How to switch immediately after a failover?

Posted: Fri Jun 28, 2019 12:34 pm
by OKNET
Usual failover without scripting:
https://wiki.mikrotik.com/wiki/Advanced ... _Scripting

Once a virtual gateway is down due to loss of internet connectivity, the second gateway is immediately available, but all old TCP connections (as seen in /ip firewall connection) are still up and your device session is stuck trying the old gateway.

A manual flush of connections immediately brings back connectivity on the new active gateway (or you can wait for the old connections to die).

How can I get this to happen automatically when failover takes place?

Re: How to switch immediately after a failover?

Posted: Fri Jun 28, 2019 2:03 pm
by sebastia
The client needs to be notified that the connection is dead so it doesn't have to wait for timeout. I've something like this:
/ip firewall filter add action=reject chain=forward comment="Reject: local invalid" connection-state=invalid reject-with=icmp-network-unreachable src-address=<local ip range>
/ip firewall filter add action=drop chain=forward comment="Drop: invalid" connection-state=invalid

Re: How to switch immediately after a failover?

Posted: Fri Jun 28, 2019 3:48 pm
by OKNET
Actually, it seems not to have a great effect...
In which position should I place it among the forward chain rules?

Rather than notifying the client, wouldn't it be more effective to cut out dead connections?

Re: How to switch immediately after a failover?

Posted: Fri Jun 28, 2019 5:17 pm
by sebastia
I have these after the "est-rel accept" rule in my "established-related" chain, which is one of the first ones invoked.
Rather than notifying the client, wouldn't it be more effective to cut out dead connections?
Not necessarily: if the client assumes the connection is still good, it will send packets using that state. BUT the router will use the other ISP with a different external IP, which the target server won't have knowledge of and will reject.

Re: How to switch immediately after a failover?

Posted: Sat Jun 29, 2019 4:38 pm
by anav
I can see this happen on my browser when I switch from vpn to non-vpn scenario. Causes confusion LOL.
So Sebastia, this seems to be a safe and useful rule to have in place in general (like part of a default). Is there any danger or potential security risk to this rule?

Re: How to switch immediately after a failover?

Posted: Mon Jul 01, 2019 4:09 am
by stoser
Take a look at this topic, perhaps it will help:

viewtopic.php?f=2&t=139750&hilit=connection

Specifically, if you are using srcnat for outgoing traffic, only use srcnat=masquerade. When you use masquerade, the router will automatically clear the connections for you during a recursive routing failover. Do not use srcnat=src-nat. Hope this helps. Kind regards

Re: How to switch immediately after a failover?

Posted: Mon Jul 01, 2019 3:40 pm
by sebastia
Hey @anav

The rule
/ip firewall filter add action=drop chain=forward comment="Drop: invalid" connection-state=invalid
is part of the default configuration already.

The extra line, which rejects local packets only, is there to inform the local client of the different network configuration. The src-address criterion is based on packet data, and that can be spoofed. A safer option would be to filter on the incoming interface (or in-interface-list), but if RP filter is enabled (https://wiki.mikrotik.com/wiki/Manual:IP/Settings) that's already verified.

So if rp-filter=strict is set, it should be fine.
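The rules from this thread assembled in the safer form described above (matching on the incoming interface list instead of src-address, with strict RP filtering), as an added example that is not from any post in the thread; the chain name "established-related", the interface list name "LAN" and the jump from forward are assumptions:

```routeros
# Added example, not from the thread. Assumes an interface list named "LAN"
# (holding the LAN-side interfaces) and a chain "established-related" that
# the forward chain jumps to early, as sebastia describes.

# Strict reverse-path filtering: a packet whose source address would not be
# routed back out the interface it arrived on is dropped, so a src-address
# match cannot be satisfied by a spoofed packet.
/ip settings set rp-filter=strict

/ip firewall filter
# Hand established/related/invalid handling to its own chain early in forward.
add chain=forward action=jump jump-target=established-related \
    comment="Jump: established-related"

# Fast path for healthy flows.
add chain=established-related action=accept \
    connection-state=established,related comment="est-rel accept"

# Flows whose tracking state is gone after the gateway switch: tell local
# clients straight away with ICMP network-unreachable so they re-connect
# instead of retransmitting towards the old gateway until the TCP timeout.
# Weak form from the thread: src-address=<local ip range> (packet data,
# spoofable without rp-filter). Safer form: match the incoming interface list.
add chain=established-related action=reject connection-state=invalid \
    in-interface-list=LAN reject-with=icmp-network-unreachable \
    comment="Reject: local invalid"

# Everything else that is invalid is silently dropped (this rule is already
# part of the RouterOS default configuration).
add chain=established-related action=drop connection-state=invalid \
    comment="Drop: invalid"
```

Rule order matters: the reject and drop rules must sit after the est-rel accept so that only packets with no usable connection entry reach them.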

Re: How to switch immediately after a failover?

Posted: Tue Jul 02, 2019 4:12 pm
by anav
I think I have RP filter loose, because my router has no morals LOL. Seriously, it's set to loose for some reason but heck, I can't remember why LOL.