 
kbch
just joined
Topic Author
Posts: 16
Joined: Tue Dec 24, 2019 1:20 am

Dual WAN Failover Script Ping Command

Sun Jul 18, 2021 11:43 pm

Hello

I have a setup with Dual WAN. I would like to replicate the current EdgeRouter based setup. The current EdgeRouter Setup pings one IP on the Internet from both Interfaces. It automatically creates two internal Routing Tables with one or the other Interfaces Gateway as Default Gateway. It then uses these two internal Routing Tables to run Pings for one or the other WAN Interface.

My way to solve this now would be to write a Mikrotik Script which on every run does housekeeping on two internal Routing Tables. Housekeeping in terms of creating these internal Routing Tables according to the Default Gateway of both WAN Interfaces. After doing this I can ping the IP on the Internet with internal Routing Table 0 and afterwards with the internal Routing Table 1.

With the results of this I then can run my logic to select the desired WAN and modify the main routing Table.

Is this how this should be done or is there a way easier approach? Both my WAN Interfaces have dynamic IP addresses. I also want to ping the same target from both WAN Interfaces.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Dual WAN Failover Script Ping Command

Mon Jul 19, 2021 2:26 am

Your problem is that you have no clue of the requirement and are stuck in another router's method.

Define in terms of functionality without discussing config.
It simply sounds like you want the router to check if the WANs are up or not, for example.
 
kbch
just joined
Topic Author
Posts: 16
Joined: Tue Dec 24, 2019 1:20 am

Re: Dual WAN Failover Script Ping Command

Mon Jul 19, 2021 2:07 pm

Yes, I want a Dual WAN Setup. Both WAN have dynamic IP. It should ping e.g. 8.8.8.8 to check if the WAN interfaces are healthy.
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Dual WAN Failover Script Ping Command

Mon Jul 19, 2021 3:00 pm

Your topic title is "Dual WAN Failover"

You must use search before opening a new topic, with the same words and...

viewtopic.php?f=2&t=176574&p=865665&hil ... er#p865665
 
kbch
just joined
Topic Author
Posts: 16
Joined: Tue Dec 24, 2019 1:20 am

Re: Dual WAN Failover Script Ping Command

Mon Jul 19, 2021 3:18 pm

I already searched for hours for a ready solution, but didn't find any ready made solution. I get the IP + Gateway dynamically via DHCP for both WAN. Thus this solution won't work. Also I don't want to Ping the Gateway, I want to ping an Endpoint in the Internet. Pinging the Gateway won't guarantee Internet access!
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Dual WAN Failover Script Ping Command

Mon Jul 19, 2021 3:44 pm

> Pinging the Gateway won't guarantee Internet access!
Do not try to explain that to me, instead read...

You have not even read what I linked, it does not ping the Gateway, but only the remote Endpoint ...

>>>check ping 1.1.1.1 instead of ISP1 IP<<<

That method works perfectly; simply put (as already written in my other posts) a function on the DHCP client: when it gets a gateway, it puts it in the route...

Easier than that...
 
kbch
just joined
Topic Author
Posts: 16
Joined: Tue Dec 24, 2019 1:20 am

Re: Dual WAN Failover Script Ping Command

Mon Jul 19, 2021 3:51 pm

Ok, I got confused by isp1gateway and isp2gateway. But I think it still doesn't really help for my use case. I get the IP + Gateway via DHCP. IP + Gateway is dynamic. So I shouldn't hard code these into some scripts or routes. Your example hard codes the Gateway into the script, but these could change any time.
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Dual WAN Failover Script Ping Command  [SOLVED]

Mon Jul 19, 2021 4:34 pm

search tag # rextended dual dhcp wan failover

This works only on 6.46.8+ and not in v7+

REMEMBER TO REMOVE "ADD DEFAULT ROUTE" ON DHCP CLIENTs
and add those scripts on "script" section of DHCP client

script for DHCP Client 1 = MAIN
/ip route
set [find where comment~"ISP1"] gateway=$"gateway-address"

script for DHCP Client 2 = FAILOVER
/ip route
set [find where comment~"ISP2"] gateway=$"gateway-address"

This must be pasted in a new terminal; better if, before doing that, you remove all non-dynamic routes from routes
DO NOT CHANGE COMMENTS!!! (unless ISP1 and ISP2 are kept inside...)
The first time, replace 2.3.4.5 and 6.7.8.9 with the actual values or, after pasting in a new terminal, disable and re-enable the DHCP clients
/ip dns
set servers=1.1.1.1,8.8.8.8

/ip route
add comment="A - 1.1.1.1 must be reachable only from ISP1" distance=1 dst-address=1.1.1.1/32 gateway=2.3.4.5 scope=10
add comment="B - Recursive Routing, check ping 1.1.1.1 instead of ISP IP" distance=10 gateway=1.1.1.1 check-gateway=ping
add comment="C - ISP2 is alternative Gateway" distance=20 gateway=6.7.8.9
Last edited by rextended on Mon Jul 19, 2021 5:12 pm, edited 1 time in total.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Dual WAN Failover Script Ping Command

Mon Jul 19, 2021 4:50 pm

As rextended stated, look up recursive routing in search!!
viewtopic.php?f=23&t=157048
is a long winded thread on the topic.

Basically one wants to use existing DNS servers to verify not only if the connection to the ISP server is good but that the connection from the ISP server to the internet is also working.

What you haven't described, as requested, is a clear set of requirements.
1. Is there a primary and secondary gateway?
2. Do you have one subnet that should use one gateway and use the other gateway as backup, or not?
3. Do you have another subnet that should use the other gateway and use the gateway in 2. as backup, or not?

What type of ISP connections (same provider? different provider? static or dynamic?)


Here is an example of my setup with a primary network of Bell Fibre (1gig up/down) and a secondary Eastlink Cable.
Note that all our email is done through Eastlink.

/ip route
add check-gateway=ping distance=3 gateway=1.0.0.1
add check-gateway=ping distance=4 gateway=9.9.9.9
add comment=PrimaryRecursive distance=3 dst-address=1.0.0.1/32 gateway=\
primarygateway_IP scope=10
add comment=SecondaryRecursive distance=4 dst-address=9.9.9.9/32 gateway=\
primarygateway_IP scope=10
add comment=SecondaryWAN distance=10 gateway=secondarygateway_IP
add comment=Email_bypass distance=2 dst-address=secondaryISP-emailserver_IP gateway=\
secondarygatewayIP
Last edited by anav on Mon Jul 19, 2021 4:56 pm, edited 1 time in total.
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Dual WAN Failover Script Ping Command

Mon Jul 19, 2021 4:54 pm

I provide the simplest solution A-B-C and the DHCP Client scripts for "Dual DHCP WAN Failover",
no matter if one or two are static or dynamic.
 
kbch
just joined
Topic Author
Posts: 16
Joined: Tue Dec 24, 2019 1:20 am

Re: Dual WAN Failover Script Ping Command

Mon Jul 19, 2021 4:59 pm

Thanks, this looks pretty amazing! I didn't notice that I can attach scripts to a DHCP Client, this opens whole new possibilities. I'm still a Mikrotik NOOB, sorry for my dumb assumptions.

Disabled default route on the DHCP clients + Added the three routes + Configured the two DHCP clients with the scripts. After toggling the DHCP clients, the routes updated with the correct gateways. That's already very nice.

I'm now stuck that it looks like the check-gateway fails. Thus it always prefers ISP2.

My routes:
[admin@MikroTik] > /ip/route print
Flags: D - DYNAMIC; I - INACTIVE, A - ACTIVE; c - CONNECT, s - STATIC, y - COPY; H - HW-OFFLOADED
Columns: DST-ADDRESS, GATEWAY, DISTANCE
  #        DST-ADDRESS      GATEWAY       DI
;;; C - ISP2 is alternative Gateway
  0   As   0.0.0.0/0        172.16.50.1   20
;;; B - Recursive Routing, check ping 1.1.1.1 instead of ISP IP
  1   IsH  0.0.0.0/0        1.1.1.1       10
;;; A - 1.1.1.1 must be reachabble only from ISP1
  2   As   1.1.1.1/32       77.109.171.1   1
     DAc   77.109.171.0/24  init7          0
     DAc   172.16.50.0/24   50             0
     DAc   172.16.90.0/24   90             0
     DAc   192.168.88.0/24  lan            0
  3   As   192.168.99.0/24  172.16.50.1    1

Next I checked if the static route for 1.1.1.1/32 worked. This seems to be the case compared to a traceroute with another IP (172.16.50.3 is an external NAT Router behind the same ISP for testing purposes):
[admin@MikroTik] > /tool/traceroute 1.1.1.1
Columns: ADDRESS, LOSS, SENT, LAST, AVG, BEST, WORST, STD-DEV
  #  ADDRESS        LO  S  LAST   AVG  BES  WOR  STD
  1  77.109.183.62  0%  2  7.3ms  7.4  7.3  7.4  0.1
  2  77.109.183.61  0%  2  8ms    7.7  7.4  8    0.3
  3  82.197.168.35  0%  2  9ms    8.4  7.7  9    0.7
  4  194.42.48.14   0%  2  7.7ms  7.6  7.5  7.7  0.1
  5  1.1.1.1        0%  2  7ms    7    6.9  7    0.1

[admin@MikroTik] > /tool/traceroute 8.8.8.8
Columns: ADDRESS, LOSS, SENT, LAST, AVG, BEST, WORST, STD-DEV
  #  ADDRESS         LO  S  LAST   AVG  BES  WOR  S
  1  172.16.50.3     0%  1  0.6ms  0.6  0.6  0.6  0
  2  77.109.183.62   0%  1  7.7ms  7.7  7.7  7.7  0
  3  77.109.183.61   0%  1  7.9ms  7.9  7.9  7.9  0
  4  5.180.135.161   0%  1  7.9ms  7.9  7.9  7.9  0
  5  77.109.135.214  0%  1  7.3ms  7.3  7.3  7.3  0
  6  74.125.243.161  0%  1  8.8ms  8.8  8.8  8.8  0
  7  172.253.50.19   0%  1  8.5ms  8.5  8.5  8.5  0
  8  8.8.8.8         0%  1  7.7ms  7.7  7.7  7.7  0
Did I miss something?
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Dual WAN Failover Script Ping Command

Mon Jul 19, 2021 5:03 pm

Sorry the other fella will have to help you there, I only use scripts in DHCP client when necessary. Which is mainly to fetch a new gateway IP to stick in routes rules, when my ISP changes my IP address and or power outage or reboot etc.................

It's much easier for me to do routing in the routing section and that way one can learn about routing more properly, than instituting a clever shortcut in the client settings.
That's an advanced bit of work that one can do later once understanding the config of the router more holistically. Thus I don't condone you doing this in DHCP client scripts.
That's coming from a guy that is newish in the game without extensive IT experience or training. The other fella is lightyears ahead and thus he dreams this stuff and can quote MT scripts even while intoxicated. PS not insinuating he imbibes or anything, just that he has neurons and synapses crammed with MT knowledge.

More importantly you didn't provide the answers to the questions posed 1.,2.,3................
Last edited by anav on Mon Jul 19, 2021 5:08 pm, edited 3 times in total.
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Dual WAN Failover Script Ping Command

Mon Jul 19, 2021 5:06 pm

I like your method more,
it's the one I usually use,
but explaining and applying it on the forum is more complicated than a copy and paste... :)))
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Dual WAN Failover Script Ping Command

Mon Jul 19, 2021 5:09 pm

> Did I miss something?
Yes... you run beta 7, the script and route are for 6.46+ version,
on beta7 the routing is totally different....

You wrote in the beginner basics section; questions for 7 beta must go in the adequate section...
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Dual WAN Failover Script Ping Command

Mon Jul 19, 2021 5:18 pm

I thought it was self-explanatory LOL.
The point was read the link and then be relieved that the example provided is so simple in comparison to the Russian complex methods LOL.

Note1: Checkgateway ping has the effect of telling the router to keep checking the connection every 10 seconds or so.
If the route is down after two attempts then switch to the other route(s) available on the main table.
Keep checking the route and if it comes back up then go back to the original route.

The recursive bit basically states: I want to route to the DNS1 using the gateway through MY ISP for the ping check.
If that is not working then try the alternate DNS2 using the gateway through MY ISP.
If that is not working then use my secondary ISP gateway to check connectivity for routing.

They are differentiated by distance! So ISP1 DNS1 is primary, ISP1 DNS2 is secondary, and ISP2 is tertiary. One could get fancy and check the backup ISP through DNSs as well but I don't require that level of complication. One doesn't need to ping the backup ISP because as soon as connectivity is established via DNS1 or DNS2 on ISP1, the router will kick the routing back to ISP1.

The email bypass entry simply ensures that any SMTP traffic which the router resolves to the IP address of the ISP2 mail server bypasses ISP1.
I probably don't need the distance setting here but I put it just to amplify the priority of this traffic to myself and/or the reader of the config.

/ip route
add check-gateway=ping distance=3 gateway=1.0.0.1
add check-gateway=ping distance=4 gateway=9.9.9.9
add comment=PrimaryRecursive distance=3 dst-address=1.0.0.1/32 gateway=\
primarygateway_IP scope=10
add comment=SecondaryRecursive distance=4 dst-address=9.9.9.9/32 gateway=\
primarygateway_IP scope=10
add comment=SecondaryWAN distance=10 gateway=secondarygateway_IP
add comment=Email_bypass distance=2 dst-address=secondaryISP-emailserver_IP gateway=\
secondarygatewayIP
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Dual WAN Failover Script Ping Command

Mon Jul 19, 2021 5:21 pm

> > Did I miss something?
> Yes... you run beta 7, the script and route are for 6.46+ version,
> on beta7 the routing is totally different....
>
> You wrote in the beginner basics section; questions for 7 beta must go in the adequate section...
Hi rextended, my ccr1009 is on version 6 LOL. The RB450Gx4 behind my hex (acting as a switch) and connected to the CCR1009 is running v7 beta6 as a wireguard router/server, mainly for the purposes of connecting to an RB4011 acting as wireguard client router, behind a Bell ISP device (combo modem/router) at a different location.
Last edited by anav on Mon Jul 19, 2021 5:23 pm, edited 1 time in total.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Dual WAN Failover Script Ping Command

Mon Jul 19, 2021 5:22 pm

duplicate post
 
kbch
just joined
Topic Author
Posts: 16
Joined: Tue Dec 24, 2019 1:20 am

Re: Dual WAN Failover Script Ping Command

Mon Jul 19, 2021 5:32 pm

I have now downgraded my RouterOS to 6 and the Solution with the DHCP Scripts from rextended works perfect. Really happy with it :)
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Dual WAN Failover Script Ping Command

Mon Jul 19, 2021 5:44 pm

Thank you!!!

When the stable v7 comes out in 2023, I will update all my tagged scripts.
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Dual WAN Failover Script Ping Command

Mon Jul 19, 2021 5:50 pm

> ...read the link and then be relieved that the example provided is so simple in comparison to the Russian complex methods LOL...
Um, sometimes I take too many things for granted...
How can I explain it better?
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Dual WAN Failover Script Ping Command

Mon Jul 19, 2021 6:41 pm

No worries, the OP is happy with your solution, albeit the wrong choice, just kidding.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Dual WAN Failover Script Ping Command

Mon Jul 19, 2021 7:06 pm

Okay I will bite, perhaps there is a better way to do what I wish.
Here is my dhcp script.........

:if ($bound=1) do={
:local iface $interface
:local gw [ /ip dhcp-client get [ find interface=$"iface" ] gateway ]
/ip route set [ find comment="PrimaryRecursive" gateway!=$gw ] gateway=$gw
/ip route set [ find comment="SecondaryRecursive" gateway!=$gw ] gateway=$gw
/tool e-mail send to="llamaworks@accesswave.ca" subject=([/system identity get name]) body=" This is your new gateway IP: $gw";
:local sub3 ([/system clock get time])
/tool fetch "https://api.telegram.org/bot----------- ... nged+WANIP"
:log info "Telegram notification sent VlanBell IP Changed"
}

The idea here is that every time the WANIP is bounded, it will find the gateway now allocated and then place it in my routes................
This addresses the inability for the router to populate the routes otherwise, be it a WANIP change, a router reboot etc............
 
cooling
just joined
Posts: 20
Joined: Tue Aug 22, 2006 12:59 pm

Re: Dual WAN Failover Script Ping Command

Sat Jul 31, 2021 5:23 am

How to make 3 IP gateways in one comment? 2 IP PPPoE and 1 IP static

Thanks
 
pcunite
Forum Guru
Posts: 1345
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: Dual WAN Failover Script Ping Command

Tue Aug 03, 2021 6:11 am

The WAN fail over technique works properly if I clear connection tracking. Otherwise, the network appears to timeout. I tested with a long ping session to a remote host and a VPN session. Disabling the interface will automatically clear connection tracking and makes the fail over occur right away. So, does this mean scripting is still needed?

Note, I'm testing by disabling the remote hosts to trigger a failure mode.
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Dual WAN Failover Script Ping Command

Tue Aug 03, 2021 10:21 am

Clearing connection tracking is needed because an unreachable remote address does not cause connection tracking to be cleared.
What access method do you use?

For PPP users, just put one script on on-down / on-up.
For DHCP client, likewise.
For other methods a solution can be found.

For example, on a PPP profile or DHCP client, triggered only when the PPP/DHCP connection goes up/down:
/ip fire conn
:foreach idc in=[find where timeout>60] do={
 remove [find where .id=$idc]
}


If the LAN is NATted or other gateways are used, for example on a PPP profile:
:global newIP [:tostr $"local-address"]

/ip fire conn
:foreach idc in=[find where timeout>60 and (!(reply-dst-address~$newIP))] do={
 remove [find where .id=$idc]
}
 
pcunite
Forum Guru
Posts: 1345
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: Dual WAN Failover Script Ping Command

Tue Aug 03, 2021 9:23 pm

> Clearing connection tracking is needed because an unreachable remote address does not cause connection tracking to be cleared.
> What access method do you use?

Thank you anav and rextended for your examples and help on this subject. I'm testing in a lab using two simple MikroTik units. So, my connection method in the real world, which I am simulating here, is probably going to be an ISP bridge device of some type. Fiber to copper converter or the like.

The R1 unit represents a router with failover. The ISP Simulator unit represents a device providing two WAN links (simulating two Internet providers in the building). On the ISP unit, I have two firewall rules that disable Host1 (8888) and Host2 (9999) to simulate network failure. R1 is checking ping access to these hosts. It works well, except that I must clear connection-tracking (on R1 which discovers the downed hosts).

If this is a requirement, I guess the question becomes, how do I know when to fire a script to do this? The WAN links are still up, the ether interfaces are still up. Is there a way to detect the Hosts are down and fire a script? The route command (/ip route add check-gateway=ping distance=1 gateway=8.8.8.8) does not have a script or event action. Likewise, for when they are back up. I realize I could program a Raspberry Pi in the rack to check for me, but was wondering if this can be done all inside the MikroTik.

Router with Failover
#
# software = RouterOS 6.47.10
# model    = RouterBOARD 952Ui-5ac2nD (hAP AC Lite)

###########################################################
# A router with WAN failover to two uplinks on 
# ether2 and ether3.
###########################################################

/system identity set name=R1

# The two ISP WAN connections
/ip dhcp-client
add add-default-route=no disabled=no interface=ether2 use-peer-dns=no comment="ISP1"
add add-default-route=no disabled=no interface=ether3 use-peer-dns=no comment="ISP2"

# Route failover by checking two hosts
/ip route
add check-gateway=ping distance=1 gateway=8.8.8.8                comment=Host1
add check-gateway=ping distance=2 gateway=9.9.9.9                comment=Host2
add distance=1 dst-address=8.8.8.8/32 gateway=10.3.30.1 scope=10 comment=ISP1_check
add distance=2 dst-address=9.9.9.9/32 gateway=10.3.30.1 scope=10 comment=ISP1_check
add distance=3 gateway=10.4.40.1                                 comment=ISP2


###########################################################
# Example LAN environment
###########################################################

/interface bridge add name=BR1 protocol-mode=none vlan-filtering=yes
/interface vlan add interface=BR1 name=VLAN1 vlan-id=44
/interface bridge port add bridge=BR1 interface=ether5 pvid=44
/interface bridge vlan add bridge=BR1 tagged=BR1 vlan-ids=44

/ip address add address=10.44.40.1/24 interface=VLAN1 network=10.44.40.0
/ip pool add name=POOL1 ranges=10.44.40.2-10.44.40.254
/ip dhcp-server add address-pool=POOL1 disabled=no interface=VLAN1 name=DHCP1
/ip dhcp-server network add address=10.44.40.0/24 dns-server=10.44.40.1 gateway=10.44.40.1

/interface list
add name=WAN
add name=VLAN
add name=BASE

/interface list member
add interface=ether2 list=WAN
add interface=ether3 list=WAN
add interface=VLAN1  list=VLAN

/ip dns set allow-remote-requests=yes servers=9.9.9.9,8.8.8.8

/ip firewall filter
add action=accept chain=input connection-state=established,related comment="Allow Estab & Related"
add action=accept chain=input in-interface-list=VLAN comment="Allow VLANs"
add action=drop chain=input comment=Drop
add action=accept chain=forward connection-state=established,related comment="Allow Estab & Related"
add action=accept chain=forward connection-state=new in-interface-list=VLAN out-interface-list=WAN comment="Allow VLANs"
add action=drop chain=forward comment=Drop

/ip firewall nat add action=masquerade chain=srcnat out-interface-list=WAN comment="Default masquerade"

ISP Simulator
#
# software = RouterOS 6.47.10
# model    = RouterBOARD 750UP r2 (hEX PoE Lite)

###########################################################
# Test router representing two ISP providers.
# ISP1 on ether3 and ISP2 on ether4
# See the two firewall rules that simulate network down.
###########################################################

/system identity set name=ISP_Provider

/interface ethernet
set [ find default-name=ether3 ] comment=ISP1
set [ find default-name=ether4 ] comment=ISP2



###########################################################
# Example environment provided by this Test ISP
###########################################################

/interface bridge
add fast-forward=no name=BR1 protocol-mode=none vlan-filtering=yes

/interface vlan
add interface=BR1 name=VLAN_ISP1 vlan-id=30
add interface=BR1 name=VLAN_ISP2 vlan-id=40

/interface list
add name=WAN
add name=VLAN
add name=BASE

/ip pool
add name=POOL1 ranges=10.3.30.2-10.3.30.254
add name=POOL2 ranges=10.4.40.2-10.4.40.254

/ip dhcp-server
add address-pool=POOL1 disabled=no interface=VLAN_ISP1 name=DHCP1
add address-pool=POOL2 disabled=no interface=VLAN_ISP2 name=DHCP2

/interface bridge port
add bridge=BR1 interface=ether3 pvid=30
add bridge=BR1 interface=ether4 pvid=40

/interface bridge vlan
add bridge=BR1 tagged=BR1 vlan-ids=30
add bridge=BR1 tagged=BR1 vlan-ids=40

/interface list member
add interface=ether1 list=WAN
add interface=VLAN_ISP1 list=VLAN
add interface=VLAN_ISP2 list=VLAN

/ip address
add address=10.3.30.1/24 interface=VLAN_ISP1 network=10.3.30.0
add address=10.4.40.1/24 interface=VLAN_ISP2 network=10.4.40.0

/ip dns set allow-remote-requests=yes
/ip dhcp-client add dhcp-options=hostname disabled=no interface=ether1

/ip dhcp-server network
add address=10.3.30.0/24 dns-server=10.3.30.1 gateway=10.3.30.1
add address=10.4.40.0/24 dns-server=10.4.40.1 gateway=10.4.40.1

/ip firewall filter
add action=accept chain=input connection-state=established,related comment="Allow Estab & Related"
add action=accept chain=input in-interface-list=VLAN comment="Allow VLANs"
add action=drop chain=input comment=Drop

###########################################################
# These two rules test causing failover to occur
###########################################################
add action=drop chain=forward disabled=yes dst-address=8.8.8.8 src-address=10.3.30.0/24 comment="Enable to test Host1 Failure"
add action=drop chain=forward disabled=yes dst-address=9.9.9.9 src-address=10.3.30.0/24 comment="Enable to test Host2 Failure"

add action=accept chain=forward connection-state=established,related comment="Allow Estab & Related"
add action=accept chain=forward connection-state=new in-interface-list=VLAN out-interface-list=WAN comment="Allow VLANs"
add action=drop chain=forward comment=Drop

/ip firewall nat add action=masquerade chain=srcnat comment="Default masquerade" out-interface-list=WAN
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Dual WAN Failover Script Ping Command

Wed Aug 04, 2021 2:47 am

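> how do I know when to fire a script to do this?
When the failover is active... and when the main line goes back online and the failover is not active
# State flag kept between runs: true while the failover (ISP2) route is in use
:global something

# The route commented "ISP2" is active, so the failover is in effect
:if ([:len [/ip route find where comment="ISP2" and active=yes]] > 0) do={
    # First run since the switch to ISP2: flush tracked connections, remember the state
    :if ($something != true) do={
        /ip fire conn
        :foreach idc in=[find where timeout>60] do={ remove [find where .id=$idc] }
        :set something true
    }
} else={
    # First run since the main line came back: flush again, remember the state
    :if ($something != false) do={
        /ip fire conn
        :foreach idc in=[find where timeout>60] do={ remove [find where .id=$idc] }
        :set something false
    }
}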
 
pcunite
Forum Guru
Posts: 1345
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: Dual WAN Failover Script Ping Command

Wed Aug 04, 2021 3:56 am

rextended,

Oh my goodness. This is awesome! It works excellent. You should make a separate post about WAN Failover and update the link in your signature to point to that new dedicated topic. It takes a good while to write up topics, so no pressure. Just a grateful user.

Note, I changed the timeout to 0, vs 60. This is because ping sessions timeout at 10s by default. I suppose people could tune the value to their application behavior.
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Dual WAN Failover Script Ping Command

Wed Aug 04, 2021 4:21 am

NO, leave it at 60 seconds, or at least 20 seconds (check gateway 10 ping off, 10 ping on)
I do not write things without reason.
If just one connection in connection tracking is already closed by timeout (or for other reasons) during the execution of the clean,
the script stops with an error because when it tries, the connection is already closed, and it does not finish its work.
 
pcunite
Forum Guru
Posts: 1345
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: Dual WAN Failover Script Ping Command

Wed Aug 04, 2021 6:52 am

> If just one connection in connection tracking is already closed by timeout (or for other reasons) during the execution of the clean,
> the script will stop with an error because the connection is already closed, and does not finish its work.

Okay, if that is the case, would it be possible to close connections in a sub function? Perhaps store in memory (whatever MikroTik scripting calls it) a list of all connections, then loop over that list closing them down? If the connection is no longer present, move on to the next item in the list? I need > 9 seconds of closing capability.
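
The failure mode rextended describes (an entry that disappears between `find` and `remove` aborts the script) and the skip-and-continue loop pcunite asks for, as an added example that is not code from any poster in this thread: each removal is wrapped in RouterOS's `:do { } on-error={ }`. The route comment `ISP2` is taken from the configs above; the variable names, and running the script periodically from `/system scheduler`, are assumptions of this example.

```routeros
# Added example (not from the thread). Assumes a static backup default route
# whose comment is exactly "ISP2", as in the R1 config above, and that this
# script is run periodically (for example from /system scheduler).
:global wanFailoverActive

# true while the backup default route is active
:local backupActive ([:len [/ip route find where comment="ISP2" and active=yes]] > 0)

# Act only on a state change: main -> backup, or backup -> main
:if ($wanFailoverActive != $backupActive) do={
    :local removed 0
    :local skipped 0

    # Take one snapshot of the entry ids, then remove them one at a time
    :foreach idc in=[/ip firewall connection find where timeout>60] do={
        :do {
            /ip firewall connection remove $idc
            :set removed ($removed + 1)
        } on-error={
            # The entry timed out or was closed after the snapshot was taken:
            # count it and continue instead of aborting the whole script
            :set skipped ($skipped + 1)
        }
    }

    # Reached even when some removals failed, so the next run does not flush again
    :set wanFailoverActive $backupActive
    :log info ("WAN state change, backup active: " . [:tostr $backupActive] . ", conntrack entries removed: " . [:tostr $removed] . ", already gone: " . [:tostr $skipped])
}
```

With the error handler in place, the `timeout>60` filter only selects which entries are flushed; an entry that has already gone no longer stops the loop.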
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Dual WAN Failover Script Ping Command

Wed Aug 04, 2021 10:00 am

> I need > 9 seconds of closing capability.
???

I do not insist further, I have already written you the script that does the right job,
based on the real traffic of equipment in production and not only theoretically simulated.
 
pcunite
Forum Guru
Posts: 1345
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: Dual WAN Failover Script Ping Command

Wed Aug 04, 2021 10:05 pm

> I do not insist further, I have already written you the script that does the right job,
> based on the real traffic of equipment in production and not only theoretically simulated.

It's okay, I can sort it out. If you have a ping session, non-stop (ping 8.8.8.8 -t), when the change over occurs it will hang because it is on a 9s timeout.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Dual WAN Failover Script Ping Command

Wed Aug 04, 2021 10:30 pm

pcunite, I do not understand what you are discussing regarding clearing connections.
Is this something I should be worried about on my setup???
Typically my issue is not failover per se, but when the primary comes back online, the router was not able to route the traffic properly if the gateway had changed.
Thus my script is to ensure that the new gateway is used for routing.

Where does your connection revelation belong in this??
 
pcunite
Forum Guru
Posts: 1345
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: Dual WAN Failover Script Ping Command

Thu Aug 05, 2021 5:07 am

> pcunite, I do not understand what you are discussing regarding clearing connections. Is this something I should be worried about on my setup?

Well, I don't know. It comes down to how ISP1 fails and the applications you are using. After the failover to the different ISP, if your application times out on its own, you'll be fine. However, if you have long running applications (VPN or a never ending ping session), those packet flows will not automatically change over if the interface is still up. At least in my testing they did not. So, I just go ahead and clear out any and all connections. This provides the same effect had you disabled the interface.

I think most people must test their failover by unplugging a cable or disabling an interface. In my case, I'm testing hosts that go down, and that is why I want the change over to occur. For all intents, the first ISP still works, in some ways. However, I want to fail over because the second ISP gives me access to those hosts. Changing the route out from under all the other connections leaves them in an unstable state. So, I close them out. Then the applications reconnect on their own.
