spr41178
Member Candidate
Topic Author
Posts: 106
Joined: Tue Apr 01, 2014 11:11 pm
Location: Rhodes - Greece

Redundancy failover ISP

Sat May 15, 2021 2:00 pm

Good afternoon,

I have a case where the ISP has the following scenario.

An optic fibre link with a speed of 150 Mbps and a backup sat link in case the first one fails.

Both outputs belong to a /28 subnet with an IP range of xx.xx.xx.244 - xx.xx.xx.254.
The gateway is xx.xx.xx.241 and, if I am not mistaken, the optic fibre Cisco has an IP of xx.xx.xx.242 and the backup link xx.xx.xx.243.

So the scenario is that if the optic fibre fails for some reason after a short while the backup link will kick in and give me the same address, subnet and gateway for my internet access.
So for example I have chosen to use xx.xx.xx.244 with subnet 255.255.255.240 and gateway xx.xx.xx.241.
If the Optic fibre fails the above address will continue to work from the backup link.
The Internet access goes to a CCR1009 for hotspot users.

The question is how can I have both outputs connected to a switch so that when one fails and the other kicks in it will continue giving seamless internet output to its clients without me having to intervene to change the outputs.

The ISP said to run both wires to a switch and then create a VLAN output, but I haven't done this before, so I would appreciate some help.

Thank you.
When you reach the end of your rope, tie a knot and hang on.
 
tdw
Forum Veteran
Posts: 860
Joined: Sat May 05, 2018 11:55 am

Re: Redundancy failover ISP

Sat May 15, 2021 2:29 pm

It isn't clear where VLANs come into this, as none of the description mentions them other than your last sentence; a diagram may be helpful.

If the ISP is suggesting the two internet connections can simply be connected together by a switch, you could configure two ports on the CCR1009 to be members of a bridge for the WAN connection and update your IP address, firewall rule, etc. interfaces accordingly.

Presumably the ISP has some mechanism to prevent network loops or switch gateways (e.g. using VRRP) if they have not said you need to configure anything (e.g. RSTP) yourself.
 
spr41178
Member Candidate
Topic Author
Posts: 106
Joined: Tue Apr 01, 2014 11:11 pm
Location: Rhodes - Greece

Re: Redundancy failover ISP

Sat May 15, 2021 4:14 pm

It isn't clear where VLANs come into this, as none of the description mentions them other than your last sentence; a diagram may be helpful.

If the ISP is suggesting the two internet connections can simply be connected together by a switch, you could configure two ports on the CCR1009 to be members of a bridge for the WAN connection and update your IP address, firewall rule, etc. interfaces accordingly.

Presumably the ISP has some mechanism to prevent network loops or switch gateways (e.g. using VRRP) if they have not said you need to configure anything (e.g. RSTP) yourself.
They don't mention anything more other than a plain VLAN if your equipment supports it.

Anyway, I want to test out the redundancy link on its own first, to initiate a failover myself and see if it kicks in, and then I will add the two outputs to a bridge and try it out from there.

What I did try is that there is no output whatsoever on the backup link when it is not working and I can't even ping its IP, so in theory it shouldn't conflict within the bridge interface.

Will follow up when i have some more answers after the testing.

Thank you for your time.
 
jvanhambelgium
Member
Posts: 479
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: Redundancy failover ISP

Sat May 15, 2021 5:15 pm

Probably (but without any diagrams these are assumptions) your ISP simply has 2 devices with some HSRP/VRRP config between them.
If you can live with a single point of failure on your side (= single CCR) then indeed just "group" 2 ports together and create a "bridge" (WAN) and give it an IP in the subnet allocated to it (like you proposed, x.x.x.244 255.255.255.240).
Your default gateway will be the virtual IP of HSRP/VRRP as provided by the ISP, x.x.x.241.
I've seen hundreds of setups like this.

Depending on the config of the devices, you *might* be able to ping from the CCR the IPs x.x.x.242 and x.x.x.243 individually, but you should not use them.
As long as you use the x.x.x.241 failover is probably pretty fast, again depending on the config on the ISP side.
HSRP/VRRP are "LAN-side" redundancy protocols, there might be some backend "convergence" but chances are you'll hardly notice if you are switching links.
 
sindy
Forum Guru
Posts: 7283
Joined: Mon Dec 04, 2017 9:19 pm

Re: Redundancy failover ISP

Sat May 15, 2021 7:51 pm

They don't mention anything more other than a plain VLAN if your equipment supports it.
I'd say the ISP guys use "VLAN" in the meaning of "L2 segment". So whether you install an external dumb switch and connect both uplinks and the WAN interface of the CCR1009 to it, or whether you create a separate bridge with two member ports in the CCR1009 and move the WAN IP configuration from one of those ports to the bridge and connect each uplink to one of them, or whether you create a VLAN on the single common bridge and make two WAN ports access ports to that VLAN on the bridge depends on your own decision.

I'd be careful with a common bridge as the ISP may be running some STP flavour and you could get funny effects, but if both parties set the ports as edge ones, disable BPDU sending and activate BPDU guard, it should be safe.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
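For readers who pick the third option sindy lists (a WAN VLAN on the single common bridge, with both ISP hand-offs as access ports) and want the edge/BPDU-guard precautions from the same post applied, here is an added example of that configuration. It is not sindy's code and not the OP's actual config; it assumes a bridge named bridge1 that already carries the LAN, ether5 and ether6 as the two ISP ports, VLAN id 100 reserved for the WAN segment, an existing interface list named WAN, and placeholder addresses my.public.ip.244/28 and gateway my.public.ip.241 (all constructed).

```routeros
# Added example, not from the thread. Assumed (constructed) names: bridge1, ether5, ether6,
# VLAN 100, interface list WAN, addresses my.public.ip.244/28 and my.public.ip.241.

# Both ISP ports become untagged (access) members of VLAN 100.
#  - edge=yes:        the port goes straight to forwarding, no STP listening/learning delay
#  - bpdu-guard=yes:  the port is disabled if the ISP side ever sends a BPDU into it
#  - horizon=1:       an identical horizon on both ports stops the bridge from ever
#                     forwarding frames between the two uplinks, so they cannot be looped
#                     through the CCR (same idea as in sindy's br-wan script)
/interface bridge port
add bridge=bridge1 interface=ether5 pvid=100 edge=yes bpdu-guard=yes horizon=1
add bridge=bridge1 interface=ether6 pvid=100 edge=yes bpdu-guard=yes horizon=1

# Declare VLAN 100 on the bridge: untagged towards the ISP ports, tagged towards the
# bridge interface itself so the router CPU can terminate it.
/interface bridge vlan
add bridge=bridge1 vlan-ids=100 tagged=bridge1 untagged=ether5,ether6

# L3 lives on a VLAN interface on top of the bridge, not on either physical port,
# so a failover between the two ISP ports never changes the router's own interface.
/interface vlan
add name=vlan-wan interface=bridge1 vlan-id=100
/ip address
add address=my.public.ip.244/28 interface=vlan-wan
/ip route
add dst-address=0.0.0.0/0 gateway=my.public.ip.241
/interface list member
add list=WAN interface=vlan-wan

# Enable VLAN filtering last, from safe mode, after every membership is declared:
# once it is on, anything not listed under /interface bridge vlan is dropped.
/interface bridge
set bridge1 vlan-filtering=yes
```

Two notes on the design. First, this leaves bridge1 at its default protocol-mode (rstp), so the CCR itself still emits BPDUs on ether5 and ether6; the "disable BPDU sending" half of sindy's advice is only available per bridge (protocol-mode=none), which would also switch STP off for the LAN ports on the same bridge. When the LAN relies on STP, the separate br-wan bridge with protocol-mode=none from sindy's later script is the cleaner choice. Second, any existing firewall, NAT and mangle rules that match on the old WAN port need to be repointed to vlan-wan, exactly as sindy's script does for br-wan.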
 
spr41178
Member Candidate
Topic Author
Posts: 106
Joined: Tue Apr 01, 2014 11:11 pm
Location: Rhodes - Greece

Re: Redundancy failover ISP

Sun May 16, 2021 11:29 am

or whether you create a VLAN on the single common bridge and make two WAN ports access ports to that VLAN on the bridge depends on your own decision.
Good morning Sindy,

I think that this is probably what they want done from my side.
The problem is that I don't know how to do it.
Would it be possible to show me or point me to how to do it via the CCR1009?

Thank you
 
sindy
Forum Guru
Posts: 7283
Joined: Mon Dec 04, 2017 9:19 pm

Re: Redundancy failover ISP  [SOLVED]

Sun May 16, 2021 12:41 pm

As you haven't posted your current configuration, let me assume that
  • sfp-sfpplus1 is your current single WAN interface
  • ether1 is free
So copy the code below, substitute sfp-sfpplus1 and ether1 by the actual names of the interfaces, and paste the result on a command line:
/system script add name=reconfigure-wan source="/interface bridge add name=br-wan admin-mac=[/interface ethernet \
    \get sfp-sfpplus1 mac-address] auto-mac=no protocol-mode=none\
    \n/interface list {:if ([:len [find name=WAN]] > 0) do={member add list=WAN interface=br-wan}}\
    \n/ip firewall filter set [find in-interface=sfp-sfpplus1] in-interface=br-wan\
    \n/ip firewall filter set [find out-interface=sfp-sfpplus1] out-interface=br-wan\
    \n/ip firewall mangle set [find in-interface=sfp-sfpplus1] in-interface=br-wan\
    \n/ip firewall mangle set [find out-interface=sfp-sfpplus1] out-interface=br-wan\
    \n/ip firewall raw set [find in-interface=sfp-sfpplus1] in-interface=br-wan\
    \n/ip firewall raw set [find out-interface=sfp-sfpplus1] out-interface=br-wan\
    \n/ip firewall nat set [find in-interface=sfp-sfpplus1] in-interface=br-wan\
    \n/ip firewall nat set [find out-interface=sfp-sfpplus1] out-interface=br-wan\
    \n/ip route rule set [find interface=sfp-sfpplus1] interface=br-wan\
    \n/ip dhcp-client set [find interface=sfp-sfpplus1] interface=br-wan\
    \n/ip address set [find interface=sfp-sfpplus1 !dynamic] interface=br-wan\
    \n/interface bridge port\
    \nadd bridge=br-wan interface=ether1 horizon=1\
    \nadd bridge=br-wan interface=sfp-sfpplus1 horizon=1\
    \n"
Then, use /system script run reconfigure-wan to execute the script.

If you are going to do this remotely, while connected via the WAN uplink in question, don't forget to activate safe mode before running the script. If you still have access to the router after this and you can enter a few harmless commands like /ip route print, you can exit the safe mode; if you lose access, it means that something wasn't correct in the script, so you have to wait until safe mode detects the loss of the management session and reverts the changes, log in again and try to find out what was wrong.

As there should be no traffic between the two external ports of the bridge, setting the same horizon value at both of them will prevent any loops and so protocol-mode can be set to none on the bridge itself.
 
spr41178
Member Candidate
Topic Author
Posts: 106
Joined: Tue Apr 01, 2014 11:11 pm
Location: Rhodes - Greece

Re: Redundancy failover ISP

Mon May 17, 2021 11:33 am

As you haven't posted your current configuration, let me assume that
  • sfp-sfpplus1 is your current single WAN interface
  • ether1 is free
So copy the code below, substitute sfp-sfpplus1 and ether1 by the actual names of the interfaces, and paste the result on a command line:
/system script add name=reconfigure-wan source="/interface bridge add name=br-wan admin-mac=[/interface ethernet \
    \get sfp-sfpplus1 mac-address] auto-mac=no protocol-mode=none\
    \n/interface list {:if ([:len [find name=WAN]] > 0) do={member add list=WAN interface=br-wan}}\
    \n/ip firewall filter set [find in-interface=sfp-sfpplus1] in-interface=br-wan\
    \n/ip firewall filter set [find out-interface=sfp-sfpplus1] out-interface=br-wan\
    \n/ip firewall mangle set [find in-interface=sfp-sfpplus1] in-interface=br-wan\
    \n/ip firewall mangle set [find out-interface=sfp-sfpplus1] out-interface=br-wan\
    \n/ip firewall raw set [find in-interface=sfp-sfpplus1] in-interface=br-wan\
    \n/ip firewall raw set [find out-interface=sfp-sfpplus1] out-interface=br-wan\
    \n/ip firewall nat set [find in-interface=sfp-sfpplus1] in-interface=br-wan\
    \n/ip firewall nat set [find out-interface=sfp-sfpplus1] out-interface=br-wan\
    \n/ip route rule set [find interface=sfp-sfpplus1] interface=br-wan\
    \n/ip dhcp-client set [find interface=sfp-sfpplus1] interface=br-wan\
    \n/ip address set [find interface=sfp-sfpplus1 !dynamic] interface=br-wan\
    \n/interface bridge port\
    \nadd bridge=br-wan interface=ether1 horizon=1\
    \nadd bridge=br-wan interface=sfp-sfpplus1 horizon=1\
    \n"
Then, use /system script run reconfigure-wan to execute the script.

If you are going to do this remotely, while connected via the WAN uplink in question, don't forget to activate safe mode before running the script. If you still have access to the router after this and you can enter a few harmless commands like /ip route print, you can exit the safe mode; if you lose access, it means that something wasn't correct in the script, so you have to wait until safe mode detects the loss of the management session and reverts the changes, log in again and try to find out what was wrong.

As there should be no traffic between the two external ports of the bridge, setting the same horizon value at both of them will prevent any loops and so protocol-mode can be set to none on the bridge itself.
Good morning and thank you for your answer Sindy.

Sorry on my behalf, I failed to mention that there is no SFP in this scenario and the current single WAN config is set at ether5.
Both outputs come as RJ45 ethernet outputs from the ISP, so do I substitute whatever I see as SFP with ether5?
 
tdw
Forum Veteran
Posts: 860
Joined: Sat May 05, 2018 11:55 am

Re: Redundancy failover ISP

Mon May 17, 2021 7:10 pm

As there should be no traffic between the two external ports of the bridge, setting the same horizon value at both of them will prevent any loops and so protocol-mode can be set to none on the bridge itself.
Surely that is not correct if the ISP is using VRRP, or similar, for failover as this relies on communications between the two devices.
 
sindy
Forum Guru
Posts: 7283
Joined: Mon Dec 04, 2017 9:19 pm

Re: Redundancy failover ISP

Mon May 17, 2021 11:02 pm

Surely that is not correct if the ISP is using VRRP, or similar, for failover as this relies on communications between the two devices.
That's disputable - as it works when the OP manually changes cables, I'd assume it doesn't depend on the links to be bridged together at the client side.
 
jvanhambelgium
Member
Posts: 479
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: Redundancy failover ISP

Mon May 17, 2021 11:11 pm

A simple schematic would have made things much easier to interpret....
 
spr41178
Member Candidate
Topic Author
Posts: 106
Joined: Tue Apr 01, 2014 11:11 pm
Location: Rhodes - Greece

Re: Redundancy failover ISP

Tue May 18, 2021 8:59 am

That's all the ISP shared with us and how it works so far.

I am going to try Sindy's solution today as i will visit the site.
 
jvanhambelgium
Member
Posts: 479
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: Redundancy failover ISP

Tue May 18, 2021 9:21 am

Ok, then this confirms what most of us have been thinking.
You create 1 new bridge on the CCR side and put 2 ports in it (ether5 + something else of your choice).
You assign any of the available IPs to this newly created "WAN bridge" (x.x.x.244-254 with mask 255.255.255.240).
1 static route on the CCR pointing to x.x.x.241.

Then all the usual stuff like NAT, DHCP, FW rules etc., etc. See the things that Sindy posted.

Alternative is to put 1 small L2 non-managed 10 euro 5-port LAN switch in front of it, connect ISP1/ISP2/Ether5 and proceed with regular config (static route etc.) on the CCR. Result is the same.
Sure, you introduce another single point of failure, but your CCR is also not redundant anyway so...
 
spr41178
Member Candidate
Topic Author
Posts: 106
Joined: Tue Apr 01, 2014 11:11 pm
Location: Rhodes - Greece

Re: Redundancy failover ISP

Tue May 18, 2021 12:14 pm

The procedure was successful...

Thank you all for your contribution and effort and especially @sindy for the code.

One more (tick) for the knowledge book.

Have a nice day