
 
sheldonlendrum
just joined
Topic Author
Posts: 2
Joined: Sun Apr 15, 2018 8:44 am

Dual Firewall rule or HA failover

Sun Apr 15, 2018 1:22 pm

Hi all,
We use the MT as our firewall, and a NAT rule that sends all 80/443 traffic on an external IP to an NGINX load balancer on our internal network.
This works well.

BUT - what I want to look at is adding a failover rule, maybe with a script? If the internal load balancer, let's say x.x.1.2, goes down, then the firewall rule will automatically reroute traffic to x.x.1.3.
I could set up a monitor machine that pings the LB and updates the rule on the MT, or the MT just always LBs that traffic to both LBs?

How would you do this?
 
IPANetEngineer
Trainer
Posts: 962
Joined: Fri Aug 10, 2012 6:46 am
Location: Jackson, MS, USA

Re: Dual Firewall rule or HA failover

Mon Apr 16, 2018 5:19 pm

There is a project on GitHub that worked on this concept (link below) and there are a number of examples of config sync scripts out there.

https://github.com/svlsResearch/ha-mikrotik
 
2frogs
Member
Posts: 402
Joined: Fri Dec 03, 2010 1:38 am

Re: Dual Firewall rule or HA failover

Mon Apr 16, 2018 6:29 pm

Netwatch to enable/disable nat rules
 
juliokato
Member Candidate
Posts: 220
Joined: Mon Oct 26, 2015 4:27 pm
Location: Brazil

Re: Dual Firewall rule or HA failover

Mon Apr 16, 2018 6:54 pm

Netwatch to enable/disable nat rules
Netwatch only monitors ICMP.
It does not monitor TCP ports 80 or 443, nor the HTTP or HTTPS services (like F5 or A10 balancers).
I apologize my grammatical errors, my english not so good, I am not a native speaker.
Wiki is maintained in English. I use Google translator. 8)
 
sheldonlendrum
just joined
Topic Author
Posts: 2
Joined: Sun Apr 15, 2018 8:44 am

Re: Dual Firewall rule or HA failover

Tue Apr 17, 2018 7:51 am

Thanks guys, I'll look at the GitHub project, and am looking at the API and putting a service in the middle that monitors both and alters the rules accordingly.
 
juliokato
Member Candidate
Posts: 220
Joined: Mon Oct 26, 2015 4:27 pm
Location: Brazil

Re: Dual Firewall rule or HA failover

Fri Apr 20, 2018 5:17 pm

Maybe a script using /tool fetch would be able to perform application monitoring of HTTP/HTTPS.

I never did it; it's something to develop.
 
pe1chl
Forum Guru
Posts: 4812
Joined: Mon Jun 08, 2015 12:09 pm

Re: Dual Firewall rule or HA failover

Fri Jun 01, 2018 10:31 am

Yes, you can do a scheduled script (regularly started, or started at boot and then using a loop) to do much better monitoring than netwatch can do. Not only can you use /tool fetch (use the on-error construct) but you could also do ping and set some threshold, which netwatch cannot do!
(When using netwatch, every missed ping is considered a failure, so when you have a small packet loss there will be a lot of unnecessary alerting and switching to failover.)
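
The threshold idea from the post above, combined with the TCP-level check asked for earlier in the thread, as an added example that is not part of any post here. It sketches the decision logic for the kind of external monitoring service the topic author mentions; the addresses are placeholders for x.x.1.2 and x.x.1.3, the thresholds and probe history are constructed, and applying the returned target to the router's NAT rule is left to the caller.

```python
import socket
from dataclasses import dataclass

PRIMARY = "192.0.2.2"   # placeholder standing in for the thread's x.x.1.2
STANDBY = "192.0.2.3"   # placeholder standing in for the thread's x.x.1.3

def tcp_probe(host: str, port: int = 443, timeout: float = 2.0) -> bool:
    """Service-level check: can a TCP connection to the balancer be opened?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

@dataclass
class FailoverMonitor:
    fail_threshold: int = 3     # consecutive failed probes before failing over
    recover_threshold: int = 5  # consecutive good probes before failing back
    target: str = PRIMARY       # address the dst-nat rule should point at
    switches: int = 0           # rule changes made so far
    _streak: int = 0            # consecutive probes contradicting current state

    def observe(self, primary_ok: bool) -> str:
        """Record one probe of the primary; return the NAT target to use."""
        on_primary = self.target == PRIMARY
        if primary_ok == on_primary:   # probe agrees with current state
            self._streak = 0
            return self.target
        self._streak += 1
        needed = self.fail_threshold if on_primary else self.recover_threshold
        if self._streak >= needed:
            self.target = STANDBY if on_primary else PRIMARY
            self.switches += 1
            self._streak = 0
        return self.target

def replay(probes, fail_threshold, recover_threshold):
    """Replay probe results; return (number of rule changes, final target)."""
    mon = FailoverMonitor(fail_threshold, recover_threshold)
    for ok in probes:
        mon.observe(ok)
    return mon.switches, mon.target

# Constructed probe history: light loss, a real outage, then recovery.
LOSSY = [True, True, False, True, True, True, False, True, True, True]
HISTORY = LOSSY + [False] * 6 + [True] * 6

if __name__ == "__main__":
    print("every miss counts:", replay(HISTORY, 1, 1))
    print("thresholds 3 and 5:", replay(HISTORY, 3, 5))
```

In a live loop, each `observe()` call would be fed `tcp_probe(PRIMARY, 443)`, and the NAT rule would be updated only when the returned target changes.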
 
alasmar4924
just joined
Posts: 4
Joined: Mon May 21, 2018 1:46 am

Re: Dual Firewall rule or HA failover

Sat Jun 02, 2018 1:50 am

Hi, I need help: how can I use the firewall on MikroTik to block an application named (netshare)? I use hotspot, so people use this app to share free internet with others. You can find it on Google Play and see how it works. I see that this app uses port 8282 and it gives the client a different IP, which is 192.168.49.1/24,
and I found in the netshare settings that the proxy port is
1024-65563.
So, please help me to block it. I tried different ways but I could not stop this application.
 
Samot
Frequent Visitor
Posts: 72
Joined: Sat Nov 25, 2017 10:01 pm

Re: Dual Firewall rule or HA failover

Sat Jun 02, 2018 3:34 am

Hi, I need help: how can I use the firewall on MikroTik to block an application named (netshare)? I use hotspot, so people use this app to share free internet with others. You can find it on Google Play and see how it works. I see that this app uses port 8282 and it gives the client a different IP, which is 192.168.49.1/24,
and I found in the netshare settings that the proxy port is
1024-65563.
So, please help me to block it. I tried different ways but I could not stop this application.
Please do not hijack a post about a completely different issue with your issue that is not related. Open a new forum post for your issue so it can be handled properly, otherwise you will have people trying to solve two different issues in the same thread and it will cause confusion.
 
fibernet4u
newbie
Posts: 32
Joined: Sat Dec 03, 2016 12:44 pm

Re: Dual Firewall rule or HA failover

Mon Jun 04, 2018 3:58 pm

Netwatch to enable/disable nat rules
Netwatch only monitors ICMP.
It does not monitor TCP ports 80 or 443, nor the HTTP or HTTPS services (like F5 or A10 balancers).
Please take a look at the link below. The ipgovernor tool can do http/ping/port monitoring for a WAN website/host/port. It even has a feature to get notified when a LAN host is down, using the netwatch feature of MikroTik...

viewtopic.php?f=8&t=135227

Maybe this would help.
