Tuchi
just joined
Topic Author
Posts: 11
Joined: Fri Dec 14, 2018 5:19 pm

Dual dynamic ISP WAN, dual LAN setup

Mon Sep 02, 2019 5:33 pm

Dear experts,
I'm asking if someone could give a clear walk-through for the following scenario:

Currently I have one dynamically assigned WAN with two different LAN networks, 192.168.0.0/24 and 10.0.0.0/24.
The first ISP is connected to ether-1; ether 2-5 are on a bridge for LAN1, and 6-10 are on a second bridge for LAN2.
LAN1 is our local office network; LAN2 is for guests only and has access only to the internet.
Everything was working flawlessly for a while, until we started to have frequent issues with the connection to the ISP.
So we purchased a secondary connection via a different ISP, and it will be connected to ether-11.

I know that there are several topics on the subject, but I cannot find a clear answer and example of how to achieve it.
Should it be set up as a fail-over, or is it better to use PCC?
Both connections have enough bandwidth, so it is not really a concern to balance them.
What is most important for the office is to have a stable internet connection without problems accessing and opening banks, mails, etc.

Most of the examples I found were for configurations with a static WAN and/or GATEWAY address.
However, both of the ISPs give dynamic addresses, and the gateway also changes on almost every address renewal.

So please advise what would be the best scenario and how to achieve it.
Should I use PCC, or only fail-over? If it is the second, should I mark the connections or not? How can I address the dynamic gateway situation? Also, what should I use to check if the connection is alive, since both WAN connections are fiber and usually the DGW is the media converter, which is just next to the router? So I can access the GW, but still don't have internet.
If using fail-over, how do I check if the "primary" ISP is up and redirect all traffic via this interface again?

Thank you
 
Sob
Forum Guru
Posts: 4549
Joined: Mon Apr 20, 2009 9:11 pm

Re: Dual dynamic ISP WAN, dual LAN setup

Tue Sep 03, 2019 3:47 am

I don't have step by step instructions, but one hint, dynamic config is not a problem. DHCP client can run script when it gets address, so you can use that to update any otherwise static config. See the manual: https://wiki.mikrotik.com/wiki/Manual:I ... pt_example. PPPoE has similar thing.

Load balancing or failover-only is up to you. First uses both uplinks, second just one and the other only when first fails. Or you can have one for guests and the other for office, with each having the other as backup.

There are also other interesting articles in manual, e.g.: https://wiki.mikrotik.com/wiki/Advanced ... _Scripting
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply.
 
Tuchi
just joined
Topic Author
Posts: 11
Joined: Fri Dec 14, 2018 5:19 pm

Re: Dual dynamic ISP WAN, dual LAN setup

Tue Sep 03, 2019 3:26 pm

Dear Sob,

Thank you for your reply.

I read the kindly provided information; however, it is still not completely clear to me.
Should I perform the script twice for the two WAN interfaces?
/ip dhcp-client
add add-default-route=no dhcp-options=hostname,clientid disabled=no interface=ether2 script="{\r\
    \n    :local rmark \"WAN1\"\r\
    \n    :local count [/ip route print count-only where comment=\"WAN1\"]\r\
    \n    :if (\$bound=1) do={\r\
    \n        :if (\$count = 0) do={\r\
    \n            /ip route add gateway=\$\"gateway-address\" comment=\"WAN1\" routing-mark=\$rmark\r\
    \n        } else={\r\
    \n            :if (\$count = 1) do={\r\
    \n                :local test [/ip route find where comment=\"WAN1\"]\r\
    \n                :if ([/ip route get \$test gateway] != \$\"gateway-address\") do={\r\
    \n                    /ip route set \$test gateway=\$\"gateway-address\"\r\
    \n                }\r\
    \n            } else={\r\
    \n                :error \"Multiple routes found\"\r\
    \n            }\r\
    \n        }\r\
    \n    } else={\r\
    \n        /ip route remove [find comment=\"WAN1\"]\r\
    \n    }\r\
    \n}\r\
    \n"
for the ether-1 and ether-11 (in my case) interfaces and naming them WAN1 and WAN2?

Also, I'm not sure how to combine it with the example for fail-over:
/ip route add gateway=192.168.1.1 check-gateway=ping
/ip route add gateway=192.168.2.1 distance=2
Should I modify the script line
  /ip route add gateway=\$\"gateway-address\" comment=\"WAN1\" routing-mark=\$rmark\r\
to become something like
  /ip route add gateway=\$\"gateway-address\" comment=\"WAN1\" distance=1 check-gateway=ping routing-mark=\$rmark\r\
and then perform it for the second WAN with distance=2?

And how do I implement pinging a different IP (list of IPs) than the gateway?

Thank you in advance
 
anav
Forum Guru
Posts: 2940
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Dual dynamic ISP WAN, dual LAN setup

Tue Sep 03, 2019 10:41 pm

This is an important topic and one that is not properly documented or easy to do. In my estimation the router OS should already be designed to deal with dynamic ISPs and not force us knowledge peons to attempt to write scripts. In other words, I should be able to check a box that says dynamic IP (YES).
The result would be.....
- upon loss of connectivity (as evident in routing rules)
- reboot ISP, when connected grab new gateway IP
- replace IP ROUTE RULE old gateway IP with new gateway IP.
DONE.

This is what I have to do manually now and it's a pain.

To be clear, I have no idea what those scripts are doing, how to program them and WTF (w=why) are we marking anything?
I simply want the new gateway IP to be inserted into the route rule(s).
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
Sob
Forum Guru
Posts: 4549
Joined: Mon Apr 20, 2009 9:11 pm

Re: Dual dynamic ISP WAN, dual LAN setup

Wed Sep 04, 2019 5:07 am

To be honest, I was just saying that if you find some nice dual-WAN config you like, and it's made with static addresses, it's not a deal breaker, because you can use lease scripts to change config dynamically. Otherwise I don't enjoy multi-WAN configs very much and I tend to stay away. I also don't like RouterOS scripting, but in my defense, it didn't like me first. :)

Anyway, there are different ways how to do this. You can either do what example script does and add or remove items. Or you can create static config and only mark selected items with unique comments, and then use scripts to update them (change addresses, enable or disable them). If you do that, you can get away with much simpler scripts like this (from top of my head, not tested):
:if ($bound=1) do={
  /ip route set [/ip route find where comment="WAN1 route"] gateway=$"gateway-address" disabled=no
} else={
  /ip route set [/ip route find where comment="WAN1 route"] disabled=yes
}
It can really help with debugging, which is the thing I hate most. I guess I'm spoiled, but any normal code will throw syntax or runtime errors and tells user where it happened. RouterOS scripting tends to just silently fail, so the shorter script is, the easier it's to work with it, at least for me.

With that cleared up, you can check the last link I posted, it describes more reliable way how to test working connections. And try to experiment a little.

@anav: It's not that easy. RouterOS is like LEGO, you get the basic parts and it's up to you what you build. There can be some automated shortcuts, but there's only limited amount of configs that could be supported in this way. And if you would need to combine them with anything extra, it could be a problem. I'm not saying that it's impossible, maybe some nice and compatible improvements can be done, but we definitely don't want another Quick Set that works fine by itself, but doesn't play well with the rest, do we?
 
anav
Forum Guru
Posts: 2940
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Dual dynamic ISP WAN, dual LAN setup

Wed Sep 04, 2019 5:25 am

All sounds reasonable!
I understand now also that the script was to detect a lost connection, and a second part is needed to reboot the ISP, a third part to grab the new gateway IP, and a fourth part to insert that new gateway IP into the pertinent route rules.

Can all that be done in script?
 
Sob
Forum Guru
Posts: 4549
Joined: Mon Apr 20, 2009 9:11 pm

Re: Dual dynamic ISP WAN, dual LAN setup

Thu Sep 05, 2019 3:34 am

I'm not sure if you're referring to the same thing, but the example lease script from wiki only handles the gateway (add/update/remove) for given connection, it doesn't check connection status or reboot anything. For that, you have different options. You can use recursive routes (see the linked article), or you can create something more advanced with Netwatch, or using some other script run from scheduler. Only your imagination is the limit. And (in)ability to write scripts too. In the end, it's difficult to make it 100% reliable anyway. Most solutions use some well-known public addresses (e.g. Google's 8.8.8.8), so it's relatively fragile. There were outages on those addresses in the past, and you never know when Google might decide to block ping to them "just because". They probably won't, but imagine how much would it break if they did.
 
JohnTRIVOLTA
Member Candidate
Posts: 197
Joined: Sun Dec 25, 2016 2:05 pm
Location: BG/Sofia

Re: Dual dynamic ISP WAN, dual LAN setup

Thu Sep 05, 2019 9:00 am

I created some config - test it!
/ip dhcp-client
add add-default-route=no dhcp-options=hostname,clientid disabled=no interface=ether1 use-peer-dns=no use-peer-ntp=no
add add-default-route=no dhcp-options=hostname,clientid disabled=no interface=ether11 use-peer-dns=no use-peer-ntp=no
/ip address
add address=192.168.0.1/24 interface=bridge1 network=192.168.0.0
add address=10.0.0.1/24 interface=bridge1 network=10.0.0.0
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=masquerade chain=srcnat out-interface=ether11
/interface list add name=LANs
/interface list member 
add interface=bridge1 list=LANs
add interface=bridge2 list=LANs 
/ip firewall mangle
add action=mark-connection chain=prerouting connection-state=new in-interface=ether1 new-connection-mark=ether1_conn
add action=mark-connection chain=prerouting connection-state=new in-interface=ether11 new-connection-mark=ether11_conn
add action=mark-routing chain=output connection-mark=ether1_conn new-routing-mark=ISP1
add action=mark-routing chain=output connection-mark=ether11_conn new-routing-mark=ISP2
add action=mark-connection chain=prerouting connection-state=new dst-address-type=!local in-interface-list=LANs new-connection-mark=ether1_conn per-connection-classifier=both-ports:2/0
add action=mark-connection chain=prerouting connection-state=new dst-address-type=!local in-interface-list=LANs new-connection-mark=ether11_conn per-connection-classifier=both-ports:2/1
add action=mark-routing chain=prerouting connection-mark=ether1_conn in-interface-list=LANs new-routing-mark=ISP1
add action=mark-routing chain=prerouting connection-mark=ether11_conn in-interface-list=LANs new-routing-mark=ISP2
/ip route
add dst-address=1.1.1.1 gateway=192.168.100.1 scope=10 comment=WAN-ISP1
add dst-address=8.8.8.8 gateway=192.168.200.1 scope=10 comment=WAN-ISP2
add distance=1 gateway=1.1.1.1 routing-mark=ISP1 check-gateway=ping
add distance=2 gateway=8.8.8.8 routing-mark=ISP1 check-gateway=ping
add distance=1 gateway=8.8.8.8 routing-mark=ISP2 check-gateway=ping
add distance=2 gateway=1.1.1.1 routing-mark=ISP2 check-gateway=ping
/system script
add dont-require-permissions=no name=CheckGW owner=ico policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":\
    global newgw1 [/ip dhcp-client get [find interface=\"ether1\" ] gateway ]\
    \r\
    \n:global activegw1 [/ip route get [/ip route find comment=\"WAN-ISP1\"] g\
    ateway ]\r\
    \n:if (\$newgw1 != \$activegw1) do={\r\
    \n/ip route set [find comment=\"WAN-ISP1\"] gateway=\$newgw1\r\
    \n}\r\
    \n:global newgw2 [/ip dhcp-client get [find interface=\"ether11\" ] gatewa\
    y ]\r\
    \n:global activegw2 [/ip route get [/ip route find comment=\"WAN-ISP2\"] g\
    ateway ]\r\
    \n:if (\$newgw2 != \$activegw2) do={\r\
    \n/ip route set [find comment=\"WAN-ISP2\"] gateway=\$newgw2\r\
    \n}"
/system scheduler
add interval=10s name=schedule_GWcheck on-event=\
    "/system script run number=CheckGW" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=sep/06/2019 start-time=06:00:00
This is not a full config, but you can add or change what you need!
 
Tuchi
just joined
Topic Author
Posts: 11
Joined: Fri Dec 14, 2018 5:19 pm

Re: Dual dynamic ISP WAN, dual LAN setup

Thu Sep 05, 2019 11:43 am

Thank you for the config. I guess the line add address=10.0.0.1/24 interface=bridge1 network=10.0.0.0 should be for bridge2?
Also, it seems to me to be a config for PCC; is this correct?
Also, do I understand correctly that in the lines
add dst-address=1.1.1.1 gateway=192.168.100.1 scope=10 comment=WAN-ISP1
add dst-address=8.8.8.8 gateway=192.168.200.1 scope=10 comment=WAN-ISP2
the gateways 192.168.100.1 and 192.168.200.1 are used as "placeholders",
and then the script at the end will dynamically populate the real gateway address via DHCP?


Thank you
 
JohnTRIVOLTA
Member Candidate
Posts: 197
Joined: Sun Dec 25, 2016 2:05 pm
Location: BG/Sofia

Re: Dual dynamic ISP WAN, dual LAN setup

Thu Sep 05, 2019 11:47 am

Yes for all questions!
 
Tuchi
just joined
Topic Author
Posts: 11
Joined: Fri Dec 14, 2018 5:19 pm

Re: Dual dynamic ISP WAN, dual LAN setup

Thu Sep 05, 2019 11:56 am

Thank you for pointing me in the right direction.

I guess I'll need to get a spare device and experiment and test various configurations.
 
Tuchi
just joined
Topic Author
Posts: 11
Joined: Fri Dec 14, 2018 5:19 pm

Re: Dual dynamic ISP WAN, dual LAN setup

Thu Sep 05, 2019 12:00 pm

Perfect.
Thank you so much for taking the time to create and post the code for all the necessary configuration and settings.
I really appreciate that.

I'll find (obtain) a spare device to check and test the configuration, as I don't really want to put the network connectivity at risk while experimenting.
 
Tuchi
just joined
Topic Author
Posts: 11
Joined: Fri Dec 14, 2018 5:19 pm

Re: Dual dynamic ISP WAN, dual LAN setup

Thu Sep 05, 2019 12:29 pm

Thank you. I understand the whole complexity of the underlying structure, but I think from my experience that a lot of people in the targeted SOHO market would be happier with a cleaner and simpler config. At least for the basic tasks - pointing to one or a few interfaces and dedicating them as WAN (static, PPPoE, Ethernet), the same for the LAN, and the system being able to create all the firewall and routing rules automatically.....
The learning curve is kinda too steep without an extensive network background in a Linux environment.
 
Sob
Forum Guru
Posts: 4549
Joined: Mon Apr 20, 2009 9:11 pm

Re: Dual dynamic ISP WAN, dual LAN setup

Sat Sep 07, 2019 12:47 am

Two things:

- JohnTRIVOLTA's solution is fine, except that running the script from the scheduler every 10 seconds is a waste of resources. It's better to move it to DHCP's lease script, where it will be run only when the address (and possibly gateway) actually changes.

- I'm not trying to ruin MikroTik's sales, but instead of buying another device, I'd start with CHR (virtual RouterOS). You can have as many as you want, run them in VirtualBox, VMware Player or whatever, build any kind of network you need for your experiments, and it won't cost you anything. And when you discover how good it is, you'll buy other device(s) later.
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply.
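
The lease-script approach suggested in the post above, as an added example that is not part of the original thread: a script body for the DHCP client on ether1 that keeps the WAN-ISP1 host route from JohnTRIVOLTA's config current without a scheduler. It assumes exactly one route carries the comment WAN-ISP1; the ether11 client would get the same script with the tag changed to WAN-ISP2.

```routeros
# Added example (not from the thread): lease script for the DHCP client on ether1.
# Paste it into that client's "script" field; RouterOS runs it when the client
# obtains or loses a lease and provides $bound and $"gateway-address".
# Assumption: exactly one /ip route entry carries the comment WAN-ISP1
# (the 1.1.1.1 host route in the config posted earlier in the thread).
:local tag "WAN-ISP1"
:local rt [/ip route find where comment=$tag]

:if ([:len $rt] != 1) do={
    # Scripts that match nothing fail silently, so log the unexpected state
    :log warning ("lease script: expected one route tagged " . $tag . ", found " . [:len $rt])
} else={
    :if ($bound = 1) do={
        # Lease obtained or renewed: rewrite the gateway only if it changed
        :if ([/ip route get $rt gateway] != $"gateway-address") do={
            /ip route set $rt gateway=$"gateway-address"
            :log info ($tag . ": gateway set to " . $"gateway-address")
        }
        /ip route set $rt disabled=no
    } else={
        # Lease lost: disable the host route so the default routes that
        # resolve through it go inactive and the distance=2 routes take over
        /ip route set $rt disabled=yes
    }
}
```

With a lease script on both DHCP clients, the CheckGW script and the schedule_GWcheck scheduler entry are no longer needed.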