load balancing and failover on mikrotik from generic router with ppoe and static connection

frank333 · Fri Mar 13, 2020 3:02 pm

mylan.png

myconfig.txt

Good morning, everyone,
I can use a single connection at a time by configuring the connected computer now I would like to do load balancing and failover between the 2 connections.
I tried to use these instructions but I have difficulty in the firewall mangle because I can't mark the gateways because they are marked only by ip.
Can someone help me?

I've tried this previous configuration, but it's blocking the entire lan.

/ip firewall filter 

add chain=forward action=fasttrack-connection connection-state=established,related connection-mark=!WAN2_conn log=no log-prefix="" comment="defconf: fasttrack"
add chain=forward action=accept in-interface=bridge out-interface=bridge log=no log-prefix="" comment="accetta pacchetti che usano LTE come gateway"
add chain=forward action=drop

/ip firewall nat 
add chain=srcnat action=src-nat to-addresses=192.168.8.10 src-address=192.168.1.0/24 dst-address=!192.168.1.0/24 out-interface=bridge log=no log-prefix="" 
 
 
 

/ip firewall mangle
add chain=input action=mark-connection new-connection-mark=WAN1_conn connection-mark=no-mark in-interface=ether4 comment="PCC for LTE"

add chain=input action=mark-connection new-connection-mark=WAN2_conn src-address=!192.168.1.0/24 connection-mark=no-mark in-interface=bridge 

add chain=output action=mark-routing new-routing-mark=to_WAN1 connection-mark=WAN1_conn 

add chain=output action=mark-routing new-routing-mark=to_WAN2 connection-mark=WAN2_conn 

add chain=prerouting action=mark-connection new-connection-mark=WAN1_conn passthrough=yes dst-address-type=!local connection-mark=no-mark in-interface=bridge per-connection-classifier=both-addresses-and-ports:2/0 

add chain=prerouting action=mark-connection new-connection-mark=WAN2_conn passthrough=yes dst-address-type=!local connection-mark=no-mark in-interface=bridge per-connection-classifier=both-addresses-and-ports:2/1 

add chain=prerouting action=mark-routing new-routing-mark=to_WAN1 passthrough=yes connection-mark=WAN1_conn in-interface=bridge 
add chain=prerouting action=mark-routing new-routing-mark=to_WAN2 passthrough=yes connection-mark=WAN2_conn in-interface=bridge log=no log-prefix="" 

/ip route
add dst-address=0.0.0.0/0 gateway=ether4 routing-mark=to_WAN1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.8.1 routing-mark=to_WAN2 check-gateway=ping

/ip route rule:
add action=lookup-only-in-table table=main dst-address=192.168.1.0/24
add action=lookup-only-in-table table=main dst-address=192.168.8.0/24

Sob · Fri Mar 13, 2020 3:39 pm

It seems to me that you're looking at wrong place. If both WANs are connected to Ubiquity router and RB is only bridge, it's the router that should be handling any kind of load balancing.

frank333 · Fri Mar 13, 2020 4:03 pm

It seems to me that you're looking at wrong place. If both WANs are connected to Ubiquity router and RB is only bridge, it's the router that should be handling any kind of load balancing.

I understand that the ubiquity router should handle the balancing but I can't reverse the devices because the mikrotik has only 4 ports. I thought you could handle balancing from the bridge as well.

Sob · Fri Mar 13, 2020 6:00 pm

It depends, there are many tricks, but so far I don't see any obvious solution, not even speaking about clean one. There would either have to be some cooperation from main router, it would have to be able to tell which WAN you want to use when sending packets from RB, but that's problematic. Or you could exclude it and pass connection from TLE router to RB, either separated from main LAN in VLAN, or you could just bridge it with main LAN and it would work too. But then you have another problem. RB could intercept connections from devices connected behind it, but not from other devices connected directly to main router and not passing through RB.

frank333 · Fri Mar 13, 2020 6:21 pm

But then you have another problem. RB could intercept connections from devices connected behind it, but not from other devices connected directly to main router and not passing through RB.

it might not be a problem, I am interested that on mikrotik and its wifi area there is load balancing and failover, as far as the ubiquity router can create two untagged VLANs.

Sob · Thu Mar 19, 2020 4:40 am

Sorry, I missed this one. There are two important pieces:

1) You need two distinct gateways. You have one on main router and then you need other one from LTE router. You can either connect it to RB using vlan, or you could simply bridge everything together (you'd have one L2 segment with two L3 subnets). Vlan would be cleaner solution.
2) You need to intercept traffic from connected devices. I don't use it much, but I think all you need is to enable option to use IP firewall for bridge. Then you'll see everything passing through router in IP firewall and you can select connections to internet with src-address=192.168.1.0/24 dst-address=!192.168.1.0/24, and use any kind of dual-WAN config for them.

frank333 · Thu Mar 19, 2020 10:42 am

Sorry, I missed this one. There are two important pieces:

1) You need two distinct gateways. You have one on main router and then you need other one from LTE router. You can either connect it to RB using vlan, or you could simply bridge everything together (you'd have one L2 segment with two L3 subnets). Vlan would be cleaner solution.
2) You need to intercept traffic from connected devices. I don't use it much, but I think all you need is to enable option to use IP firewall for bridge. Then you'll see everything passing through router in IP firewall and you can select connections to internet with src-address=192.168.1.0/24 dst-address=!192.168.1.0/24, and use any kind of dual-WAN config for them.

Sob, I'd already lost all hope, thank you for the answer.
The management of VLANs on the ubiquity router is very limited (I'll send you a screenshot), maybe you can configure it from the command line but I'm not able.
If I understood correctly, to solve my particular situation, on the bridge, you should mark the traffic coming from ISP1 and another one on all the traffic except ISP1.
Can you give me a hand? mikrotik routers are very versatile but very complex and I don't have enough experience to do it alone.

Schermata del 2020-03-19 09.19.27.png

Sob · Fri Mar 20, 2020 2:48 am

Let's start with RouterOS, this is basic bridge config, pretty much what you have now:

/interface bridge
add name=bridge
/interface bridge port
add bridge=bridge interface=ether1
add bridge=bridge interface=ether2
...
/ip address
add address=192.168.1.170/24 interface=bridge
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.1.1

You need second gateway. Let's assume you were able to get it here in VLAN, so you can add it as another interface:

/interface vlan
add interface=bridge name=vlan-lte vlan-id=8
/ip address
add address=192.168.8.X/24 interface=vlan-lte

Now you have two available gateways, so you can add dual-WAN config. It's all private addresses, so you probably don't need to care about incoming connections (unless you're forwarding ports to connected devices). Simple example:

/ip route
add gateway=192.168.1.1 routing-mark=wan1
add gateway=192.168.8.1 routing-mark=wan2
/ip firewall mangle
add action=accept chain=prerouting dst-address=192.168.1.0/24
add action=accept chain=prerouting dst-address=192.168.8.0/24
add action=mark-connection chain=prerouting connection-state=new new-connection-mark=wan1conn \
    passthrough=yes per-connection-classifier=both-addresses-and-ports:2/0
add action=mark-connection chain=prerouting connection-state=new new-connection-mark=wan2conn \
    passthrough=yes per-connection-classifier=both-addresses-and-ports:2/1
add action=mark-routing chain=prerouting connection-mark=wan1conn new-routing-mark=wan1 passthrough=no
add action=mark-routing chain=prerouting connection-mark=wan2conn new-routing-mark=wan2 passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat out-interface=vlan-lte

But it won't work, because connected devices use 192.168.1.1 as gateway, so the bridge's routing won't be interested in them. You can change that with:

/interface bridge nat
add action=redirect chain=dstnat dst-address=!192.168.0.0/16 mac-protocol=ip

It will redirect all IP packets with non-local destination to RB, as if device used RB as gateway, so there will be standard routing for them. I originally thought that it could be done with bridge's use-ip-firewall=yes, but it doesn't work.

-

Now for the main router, the goal is very simple, connect interface with LTE router with tagged VLAN in main LAN. I don't know this UI, and it's not very clear how it's done, but it must be possible. My guess is that if you have LAN0 (main LAN) and LAN1 (interface with LTE router), you should define VLAN (I used id 8 in example) on LAN0, and then make another bridge containing LAN1 and LAN0.8. You'll know that it's correct when you're able to ping 192.168.8.1 from RB (after you added VLAN interface and its IP address there).

frank333 · Fri Mar 20, 2020 5:20 pm

Hi, Sob,
your configuration is brilliant, I tried to create a vlan on the ubiquity router, but this is not possible because it hasn't the possibility to tag ports .practically it can do two vlan but only with LAN, WAN, WLAN interfaces it can't assign a vlan to a port .

Sob · Fri Mar 20, 2020 5:33 pm

I don't know Ubiquity's VLAN config, but it sounds almost unbeliveable. Why would it even be there, if it couldn't do such simple thing? So what exactly e.g. LAN0.10 in screenshot does? I'd expect it to be tagged VLAN 10 on top of LAN0 interface.

frank333 · Fri Mar 20, 2020 5:38 pm

associates only the prefixed interfaces to the vlan does not tag the individual port

So what exactly e.g. LAN0.10 in screenshot does? I'd expect it to be tagged VLAN 10 on top of LAN0 interface.

yes

Schermata del 2020-03-20 16.47.09.png

the LAN0 is practically a whole block of 4 non-tackable ports

Sob · Fri Mar 20, 2020 5:59 pm

I'm still lost, I'm affraid.

Where exactly is LTE modem connected to? Does it have some LAN1 on router?

Assuming that it does and that LAN0 is your main LAN with 192.168.1.0/24, what happens if you add VLAN with id 8 in "VLAN Network" on top of LAN0 and then create new BRIDGE2 containing LAN0.8 and LAN1? Is it possible?

frank333 · Fri Mar 20, 2020 6:08 pm

I'm still lost, I'm affraid.

Where exactly is LTE modem connected to? Does it have some LAN1 on router?

Assuming that it does and that LAN0 is your main LAN with 192.168.1.0/24, what happens if you add VLAN with id 8 in "VLAN Network" on top of LAN0 and then create new BRIDGE2 containing LAN0.8 and LAN1? Is it possible?

LAN0 is the main LAN 192.168.1.1/24 .
You can define a LAN0.8 by assigning an ip 192.168.8.x, but the port to which the LTE is connected remains untagged.

anav · Fri Mar 20, 2020 6:13 pm

If this is a ubiquiti issue you are in the wrong forum.

https://help.ubnt.com/hc/en-us/articles ... g-Hardware
https://www.youtube.com/watch?v=grg8TxsSops

https://community.ui.com/questions/Begi ... e81f7da55c
https://community.ui.com/questions/Pass ... 592c883111
https://community.ui.com/questions/A-no ... 9f44e194cb

Sob · Fri Mar 20, 2020 6:28 pm

Port with LTE should be untagged and you want same network segment tagged on the port with RB.

But do you mean that both LTE and RB are on LAN0, i.e. there are two L3 subnets in same L2 segment? In that case, forget VLANs and simply add 192.168.2.x/24 on bridge. The only thing you'll need to tweak is srcnat rule. I'll think about that if you confirm this.

frank333 · Fri Mar 20, 2020 6:29 pm

If this is a ubiquiti issue you are in the wrong forum.
https://help.ubnt.com/hc/en-us/articles ... g-Hardware
https://www.youtube.com/watch?v=grg8TxsSops

https://community.ui.com/questions/Begi ... e81f7da55c
https://community.ui.com/questions/Pass ... 592c883111
https://community.ui.com/questions/A-no ... 9f44e194cb

ihhh I know I'm trying to make two different routers get along, only the ubiquity router is really lame.
I'll write a bit on the ubi forum and ask for opinions.

frank333 · Fri Mar 20, 2020 6:37 pm

But do you mean that both LTE and RB are on LAN0, i.e. there are two L3 subnets in same L2 segment? In that case, forget VLANs and simply add 192.168.2.x/24 on bridge. The only thing you'll need to tweak is srcnat rule. I'll think about that if you confirm this.

yes, RB and LTE are on the same network segment

Sob · Fri Mar 20, 2020 6:56 pm

So on RB, scrap VLAN interface and move 192.168.8.X/24 to bridge. You should be able to reach 192.168.8.1 directly (do a traceroute to it from RB and it should be first hop). The rest of config remains, only srcnat needs to be different. I don't have much time now, but as a quick way you can use:

/ip firewall nat
add action=masquerade chain=srcnat src-address=192.168.1.0/24 dst-address=!192.168.0.0/16

It will apply also to connections it wouldn't necessarily have to, but that can be fixed later.

frank333 · Fri Mar 20, 2020 8:47 pm

mythical Sob,
works well , I am very happy , for the failover as you could do since the two gateways to the two gateways can not ping.

Sob · Fri Mar 20, 2020 9:38 pm

I'm not sure I understand the last part. Both 192.168.1.1 and 192.168.8.1 should be pingable from RB. If not, on Ubi router it would be caused by your config. And for LTE it's unlikely that manufacturer would block ping from LAN.

For failover, there are different methods. You can add route via LTE also to main routing table (without routing mark) with higher metric, add check-gateway option (ping or arp) for all four routes and you have the simplest config. Or you can go for Advanced Routing Failover without Scripting or anything else you like.

And you can use this as optimized srcnat rule, because you can keep original source addresses for connections using WAN1:

/ip firewall nat
add action=masquerade chain=srcnat connection-mark=wan2conn

You could also get rid of it completely, if you merged both subnets. Since there no separation anyway, LTE could be e.g. 192.168.1.2/24 (if it's not already used by something else).

frank333 · Fri Mar 20, 2020 10:44 pm

that's just what I wanted to say, 'add check-gateway option (ping or arp) for all four routes' if I ping e.g. gateway 192.168.1.1 this will always be up even without connection from wisp1

Sob · Fri Mar 20, 2020 11:07 pm

That's common problem. Because even with lines connected directly to router, availability of gateway doesn't guarantee anything, because it can be dead right after that. That's why people came up with more advanced solutions, like the one in linked thread.

frank333 · Sat Mar 21, 2020 10:45 am

for the failover I modified the routes as you suggested I added these rules and the screenshot of how the routes changed.

/ip route
add dst-address=88.149.128.12 gateway=192.168.1.1 scope=10
add dst-address=8.8.8.8 gateway=192.168.8.1 scope=10

/ip route
add distance=1 gateway=88.149.128.12 routing-mark=wan1 check-gateway=ping
add distance=2 gateway=8.8.8.8 routing-mark=wan1 check-gateway=ping

/ip route
add distance=1 gateway=8.8.8.8 routing-mark=wan2 check-gateway=ping
add distance=2 gateway=88.149.128.12 routing-mark=wan2 check-gateway=ping

routes changes.png

In your opinion, is everything correct?
I don't understand if the first rule in the list screenshot, automatically created by the bridge, should be maintained or deleted.

Sob · Sat Mar 21, 2020 11:45 pm

I don't use this config often, but it seems ok. First route is probably from dhcp client, and it's what RB itself will use, if it needs to access internet. You can disable it and add same two routes like you have for wan1 and wan2, but without routing mark, and it will give you the same failover.

frank333 · Sun Mar 22, 2020 12:24 am

I tried, unfortunately it doesn't work, the wifi connects for a few seconds and then disconnects, same thing for ethernet connections.

Sob · Sun Mar 22, 2020 2:39 am

Try to provide more details, what exactly did and didn't work?

- Original config without recursive routes
- Recursive routes for clients
- Recursive routes for router

frank333 · Sun Mar 22, 2020 9:30 am

I went back to the default bridge configuration, because I couldn't connect to mikrotik via cable or wifi.
I can't clearly tell you what doesn't work, but on mikrotik I did this: I deleted the failover routes back to the previous configuration (as you can see in the previous screenshot) and then to the default ones but it still didn't work.
So I assume there is some problem with the rules in the firewall.

load balancing and failover on mikrotik from generic router with ppoe and static connection

load balancing and failover on mikrotik from generic router with ppoe and static connection

Re: load balancing and failover on mikrotik from generic router with ppoe and static connection

Re: load balancing and failover on mikrotik from generic router with ppoe and static connection

Re: load balancing and failover on mikrotik from generic router with ppoe and static connection

Re: load balancing and failover on mikrotik from generic router with ppoe and static connection

Re: load balancing and failover on mikrotik from generic router with ppoe and static connection

Re: load balancing and failover on mikrotik from generic router with ppoe and static connection

Re: load balancing and failover on mikrotik from generic router with ppoe and static connection

Re: load balancing and failover on mikrotik from generic router with ppoe and static connection

Re: load balancing and failover on mikrotik from generic router with ppoe and static connection

Re: load balancing and failover on mikrotik from generic router with ppoe and static connection

Re: load balancing and failover on mikrotik from generic router with ppoe and static connection

Re: load balancing and failover on mikrotik from generic router with ppoe and static connection

Re: load balancing and failover on mikrotik from generic router with ppoe and static connection

Re: load balancing and failover on mikrotik from generic router with ppoe and static connection

Re: load balancing and failover on mikrotik from generic router with ppoe and static connection

Re: load balancing and failover on mikrotik from generic router with ppoe and static connection

Re: load balancing and failover on mikrotik from generic router with ppoe and static connection

Re: load balancing and failover on mikrotik from generic router with ppoe and static connection

Re: load balancing and failover on mikrotik from generic router with ppoe and static connection

Re: load balancing and failover on mikrotik from generic router with ppoe and static connection

Re: load balancing and failover on mikrotik from generic router with ppoe and static connection

Re: load balancing and failover on mikrotik from generic router with ppoe and static connection

Re: load balancing and failover on mikrotik from generic router with ppoe and static connection

Re: load balancing and failover on mikrotik from generic router with ppoe and static connection

Re: load balancing and failover on mikrotik from generic router with ppoe and static connection

Re: load balancing and failover on mikrotik from generic router with ppoe and static connection

Who is online