Elliot
Frequent Visitor
Topic Author
Posts: 61
Joined: Tue May 30, 2017 3:04 pm

2 WAN connections with redundancy

Tue Aug 14, 2018 12:37 pm

Hey guys,
I need help with configuration. I need to configure failover on my router, but it needs to work only when one of the connections is completely lost. I have 2 ISP providers and one portion of my network is going through ISP2 and the other is going through ISP2. It's kind of "load balance", but when one connection is lost, for example ISP1, I need all traffic to go through ISP2 and vice versa.
Here's my configuration:
# aug/14/2018 11:34:20 by RouterOS 6.42.6
# software id = G71R-YK4Z
#
# model = RB760iGS
# serial number = 87F209E98E8D
/interface bridge
add fast-forward=no name=bridge1-o2
/interface ethernet
set [ find default-name=ether2 ] name=ether2-LAN-wifi
set [ find default-name=ether3 ] name=ether3-isp-vybezek
set [ find default-name=ether4 ] name=ether4-isp-o2
set [ find default-name=ether5 ] name=ether5-LAN-automaty poe-out=forced-on
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp_pool0 ranges=192.168.1.50-192.168.1.200
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=ether2-LAN-wifi lease-time=\
    1d name=dhcp1
/interface bridge port
add bridge=bridge1-o2 interface=ether4-isp-o2
add bridge=bridge1-o2 interface=ether5-LAN-automaty
/ip address
add address=10.1.13.34/30 interface=ether3-isp-vybezek network=10.1.13.32
add address=192.168.1.1/24 interface=ether2-LAN-wifi network=192.168.1.0
add address=192.168.0.254/24 disabled=yes interface=ether1 network=\
    192.168.0.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=bridge1-o2
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=10.1.255.1,8.8.8.8 gateway=192.168.1.1
/ip dns
set allow-remote-requests=yes servers=10.1.255.1,8.8.8.8
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=masquerade chain=srcnat out-interface=bridge1-o2
/ip route
add distance=1 gateway=10.1.13.33 routing-mark=isp-vybezek
add disabled=yes distance=1 gateway=192.168.0.2 routing-mark=isp-vybezek
/ip route rule
add routing-mark=isp-vybezek table=isp-vybezek
add src-address=10.1.13.32/30 table=isp-vybezek
add disabled=yes src-address=192.168.0.0/24 table=isp-vybezek
add src-address=192.168.1.0/24 table=isp-vybezek
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Prague
/system routerboard settings
set silent-boot=no
Thank you guys for any advice or scripts you could provide. :)
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: 2 WAN connections with redundancy

Tue Aug 14, 2018 1:10 pm

This article has it all.

And this post is useful when you want to use more complex policy routing.
 
Elliot
Frequent Visitor
Topic Author
Posts: 61
Joined: Tue May 30, 2017 3:04 pm

Re: 2 WAN connections with redundancy

Tue Aug 14, 2018 9:46 pm

sindy wrote:
This article has it all.

And this post is useful when you want to use more complex policy routing.

Thank you very much for your quick response, but those articles/topics don't deal with my particular situation.
I need to have some sort of load balancing using routing marks. In my case all traffic from subnet 192.168.2.0/24 goes through ISP2 and traffic from 192.168.1.0/24 goes through ISP1. I have successfully configured failover so when ISP2 (low aggregation connectivity) goes DOWN all traffic goes through ISP1, but I can't make it work vice versa... when ISP1 goes DOWN traffic from 192.168.1.0/24 doesn't go through ISP2.

Here's my setup. I know I've made some mistake somewhere, I just can't seem to find it.
# aug/14/2018 20:43:27 by RouterOS 6.42.6
# software id = G71R-YK4Z
#
# model = RB760iGS
# serial number = 87F209E98E8D
/interface bridge
add fast-forward=no name=bridge1-o2 protocol-mode=none
/interface ethernet
set [ find default-name=ether1 ] name=ether1-LAN-wifi
set [ find default-name=ether2 ] name=ether2-LAN-automaty
set [ find default-name=ether3 ] name=ether3-LAN-automaty
set [ find default-name=ether4 ] name=ether4-ISP-o2-WAN
set [ find default-name=ether5 ] name=ether5-ISP-vybezek-WAN poe-out=\
    forced-on
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp_pool0 ranges=192.168.1.50-192.168.1.200
add name=dhcp_pool1 ranges=192.168.2.50-192.168.2.200
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=ether1-LAN-wifi lease-time=\
    1d name=dhcp1
add address-pool=dhcp_pool1 disabled=no interface=bridge1-o2 lease-time=5d \
    name=dhcp2
/snmp community
set [ find default=yes ] addresses=10.1.255.0/24
/interface bridge port
add bridge=bridge1-o2 interface=ether3-LAN-automaty
add bridge=bridge1-o2 interface=ether2-LAN-automaty
/ip address
add address=10.1.13.34/30 interface=ether5-ISP-vybezek-WAN network=10.1.13.32
add address=192.168.1.1/24 interface=ether1-LAN-wifi network=192.168.1.0
add address=xxx.xxx.xxx.186/29 interface=ether4-ISP-o2-WAN network=\
    90.182.139.184
add address=192.168.2.1/24 interface=bridge1-o2 network=192.168.2.0
/ip dhcp-client
add dhcp-options=hostname,clientid interface=bridge1-o2
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=10.1.255.1,10.1.255.2 gateway=\
    192.168.1.1
add address=192.168.2.0/24 dns-server=194.228.92.65,8.8.8.8 gateway=\
    192.168.2.1
/ip dns
set allow-remote-requests=yes servers=10.1.255.1,194.228.92.65,194.228.92.66
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether5-ISP-vybezek-WAN
add action=masquerade chain=srcnat out-interface=ether4-ISP-o2-WAN
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip route
add distance=2 gateway=xxx.xxx.xxx.185 routing-mark=isp-o2
add distance=1 gateway=10.1.13.33
add check-gateway=ping distance=1 dst-address=1.1.1.1/32 gateway=10.1.13.33
add check-gateway=ping distance=2 dst-address=8.8.4.4/32 gateway=\
    xxx.xxx.xxx.185
/ip route rule
add routing-mark=isp-o2 table=isp-o2
add disabled=yes src-address=10.1.13.32/30 table=isp-o2
add src-address=xxx.xxx.xxx.184/29 table=isp-o2
add src-address=192.168.2.0/24 table=isp-o2
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh address=10.1.255.0/24
set api disabled=yes
set api-ssl disabled=yes
/snmp
set enabled=yes
/system clock
set time-zone-name=Europe/Prague
/system identity
set name="most dangerous router"
/system ntp client
set enabled=yes primary-ntp=10.1.255.1 secondary-ntp=10.1.255.2
/system routerboard settings
set silent-boot=no
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: 2 WAN connections with redundancy

Tue Aug 14, 2018 10:26 pm

To me, on the contrary, it seems that it fits the situation exactly, but maybe I'm reading it wrong.

The first article explains how to create routes which are only active if internet is really reachable through their physical gateways (it happens sometimes that the connection to the ISP works but the ISP's own connection further to the internet doesn't). You can use these routes in several routing tables, and in these tables they can be used with different priorities (distances), so you can prioritize WAN1 over WAN2 for one group of clients, prioritize WAN2 over WAN1 for another group of clients, and permit only use of WAN1 for yet another group even if it is down and WAN2 could be used.

The second article explains how to use mangle rules to mark connections, and subsequently packets, depending on your intentions. So maybe explain the intentions using a table so that we could put together the necessary routing tables and the connection marking rules necessary to use them.
 
Elliot
Frequent Visitor
Topic Author
Posts: 61
Joined: Tue May 30, 2017 3:04 pm

Re: 2 WAN connections with redundancy

Tue Aug 14, 2018 11:04 pm

You're right that the first article partly fits failover. The mistake is most likely somewhere in the IP route tab, but I don't know where, or what value I have to set for ISP2 so that when the connection to ISP1 drops, all my traffic goes through the o2 connectivity. Paradoxically, this doesn't bother me all that much, given that the o2 line has very low aggregation, and if ISP1 went down, the o2 connectivity couldn't keep up with the traffic. In any case, I want to know how to set it up and where I'm making the mistake, so that I know for the future and can possibly implement load balancing as well.

Thanks again for the quick reply, and if you could take a look at my configuration I would be grateful :)
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: 2 WAN connections with redundancy  [SOLVED]

Wed Aug 15, 2018 12:34 am

This forum is an English one so relevant information should be in English - someone else may be interested.

From your configuration it seems to me you mix together two things, the routing-mark and the distance:

/ip route
add distance=2 gateway=xxx.xxx.xxx.185 routing-mark=isp-o2 #route A
add distance=1 gateway=10.1.13.33 #route B
add distance=2 gateway=xxx.xxx.xxx.185 #route C
add check-gateway=ping distance=1 dst-address=1.1.1.1/32 gateway=10.1.13.33
add check-gateway=ping distance=2 dst-address=8.8.4.4/32 gateway=xxx.xxx.xxx.185


The distance is the least important parameter of the route, it only decides which one out of several routes with the same routing-mark and same length of dst-address prefix will be used if all of them are otherwise eligible (i.e. matching best the dst-address of the packet and having the same routing-mark as the packet and not down). A route with longer (more exactly matching) dst-address prefix always wins over a route whose prefix also matches the packet's dst-address but is shorter, even if the one with a shorter prefix would have a lower value of distance.

So if a packet has got no routing-mark, according to your existing configuration it will only use the route B, it won't use route A even while 10.1.13.33's physical interface is down. To make packets without a routing-mark take a backup route via isp-o2 if the primary one is down, you have to add such a lower priority route with the same prefix length (0 here) to the default routing table, which would be route C in green which is missing in your configuration.

If a packet does have a routing-mark, the situation is a bit more complex - such packets use only routes with the same routing-mark value, but if no such route is available, they get routed using the default routing table (consisting of routes with no routing-mark or with routing-mark=main). So in your case, if a packet has a routing-mark=isp-o2 and the o2 interface is active, the packet will take route A even though its distance value is higher (thus priority is lower) than that of route B, and only if the o2 interface goes down, it will take route B.
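
An added example, not part of sindy's post or of RouterOS itself: a small Python model of the selection rules described above (table picked by routing-mark, then longest prefix, then lowest distance, with fallback to the main table), run over the routes from the thread with and without route C. The route names, the `down` set of unreachable gateways and the 203.0.113.10 destination are assumptions for illustration; the o2 gateway string is only a label because it is redacted on the page.

```python
import ipaddress

# Routes from the thread; gateway strings are labels only (the o2 address is redacted).
O2, VYB = "xxx.xxx.xxx.185", "10.1.13.33"
POSTED = [
    {"name": "A", "dst": "0.0.0.0/0", "gw": O2, "distance": 2, "mark": "isp-o2"},
    {"name": "B", "dst": "0.0.0.0/0", "gw": VYB, "distance": 1, "mark": None},
    {"name": "probe-1.1.1.1", "dst": "1.1.1.1/32", "gw": VYB, "distance": 1, "mark": None},
    {"name": "probe-8.8.4.4", "dst": "8.8.4.4/32", "gw": O2, "distance": 2, "mark": None},
]
ROUTE_C = {"name": "C", "dst": "0.0.0.0/0", "gw": O2, "distance": 2, "mark": None}
FIXED = POSTED + [ROUTE_C]


def _best(routes, dst, mark, down):
    """Best usable route in one table: longest prefix first, then lowest distance."""
    usable = [r for r in routes
              if r["mark"] == mark and r["gw"] not in down
              and dst in ipaddress.ip_network(r["dst"])]
    usable.sort(key=lambda r: (-ipaddress.ip_network(r["dst"]).prefixlen, r["distance"]))
    return usable[0] if usable else None


def select_route(routes, dst, mark=None, down=()):
    """Return the name of the chosen route, or None if the packet is unroutable."""
    dst = ipaddress.ip_address(dst)
    hit = _best(routes, dst, mark, down) if mark else None
    if hit is None:  # no usable route in the marked table: fall back to main
        hit = _best(routes, dst, None, down)
    return hit["name"] if hit else None


if __name__ == "__main__":
    target = "203.0.113.10"  # constructed destination (documentation range)
    for label, table in (("posted", POSTED), ("with route C", FIXED)):
        print(label, "ISP1 down ->", select_route(table, target, down={VYB}))
```
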
 
Elliot
Frequent Visitor
Topic Author
Posts: 61
Joined: Tue May 30, 2017 3:04 pm

Re: 2 WAN connections with redundancy

Wed Aug 15, 2018 2:30 pm

Thanks a lot. As DJ Khaled would say "you da best".
Now I can see the fallacy in my understanding. It is actually pretty obvious when I think about it... nevertheless, thank you again for pointing out my mistake in configuration. Everything is working as it should now and I'll make sure to use it in the future.
I hope this will help others that have the same problem with configuration.

have a nice day, you're a legend :D
 
Katy0128
just joined
Posts: 1
Joined: Mon Aug 27, 2018 5:37 pm

Re: 2 WAN connections with redundancy

Mon Aug 27, 2018 5:49 pm

Hi I really need help with this!
I have 2 ISPs and I need to configure Failover or Load Balancing so when one link goes down, the second ISP provides the internet service.
Just so you know, VoIP goes just in ISP 1.
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: 2 WAN connections with redundancy

Tue Aug 28, 2018 1:12 pm

Katy0128 wrote:
Hi I really need help with this!

"Help" means that you do something yourself and someone else (the "helper") does the part you were unable to do yourself or tells you how to do it. So if you "need help", you have to first show what you have already done yourself.
