 
Charg
newbie
Topic Author
Posts: 30
Joined: Wed Apr 07, 2021 11:49 am

Dual WAN failover using recursive routing

Wed Apr 07, 2021 12:00 pm

I've googled for a while about how to make dual WAN failover and I think one of the good ways I've found is using recursive routing.
I'm currently following this guide, and it suggests adding these routes (I've adjusted gateway to meet my config):
/ip route
add dst-address=8.8.8.8/32 gateway=ether1 scope=10 comment="Validate Primary Cable ISP"
add gateway=8.8.8.8 distance=1 check-gateway=ping comment="Primary ISP Route"
add gateway=lte1 distance=2 comment="Secondary ISP"
However, the route with comment `Primary ISP Route` is invalid and I can't wrap my head around why.
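As an added illustration (my own Python model, not code from the thread or from MikroTik), the rule the question turns on: RouterOS resolves an IP gateway recursively only through routes whose scope is not higher than the resolving route's target-scope (static routes default to scope 30 and target-scope 10, which is why the guide sets scope=10 on the 8.8.8.8/32 route), check-gateway=ping deactivates a route whose gateway stops answering, and the lowest-distance active route wins. The Route, resolve, active_route and default_egress names and the ping results are my assumptions and constructed input.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Route:
    dst: str                      # prefix, e.g. "0.0.0.0/0"
    gateway: str                  # interface name or IP address
    distance: int = 1
    scope: int = 30               # RouterOS default for a static route
    target_scope: int = 10        # RouterOS default
    check_gateway: bool = False   # check-gateway=ping
    comment: str = ""

def resolve(route, table, ping_ok, depth=0):
    """Egress interface for `route`, or None if it is unresolvable or its ping failed."""
    if depth > 8:                             # guard against resolution loops
        return None
    try:
        gw_ip = ip_address(route.gateway)
    except ValueError:
        iface = route.gateway                 # interface-name gateway: directly attached
    else:                                     # IP gateway: recursive lookup, only through
        cands = [r for r in table if r is not route  # routes with scope <= target-scope
                 and r.scope <= route.target_scope and gw_ip in ip_network(r.dst)]
        cands.sort(key=lambda r: (-ip_network(r.dst).prefixlen, r.distance))
        resolved = (resolve(r, table, ping_ok, depth + 1) for r in cands)
        iface = next((i for i in resolved if i is not None), None)
    if iface is None or (route.check_gateway and not ping_ok.get(route.gateway, True)):
        return None                           # unresolvable, or gateway silent on this path
    return iface

def active_route(dst, table, ping_ok):
    """Lowest-distance resolvable route for `dst`, i.e. the one RouterOS would install."""
    ok = [r for r in table if r.dst == dst and resolve(r, table, ping_ok) is not None]
    return min(ok, key=lambda r: r.distance) if ok else None

def build_table(validate_scope):
    """The three routes from the question; validate_scope is the 8.8.8.8/32 route's scope."""
    return [
        Route("8.8.8.8/32", "ether1", scope=validate_scope, comment="Validate Primary Cable ISP"),
        Route("0.0.0.0/0", "8.8.8.8", distance=1, check_gateway=True, comment="Primary ISP Route"),
        Route("0.0.0.0/0", "lte1", distance=2, comment="Secondary ISP"),
    ]

def default_egress(validate_scope=10, ping_ok=None):
    """(comment, interface) of the default route in use; ping_ok maps gateway -> answers?"""
    table, pings = build_table(validate_scope), ping_ok or {}
    r = active_route("0.0.0.0/0", table, pings)
    return (r.comment, resolve(r, table, pings)) if r else None
```

Calling default_egress(validate_scope=30) leaves the 8.8.8.8/32 route at the static default scope, and the model then reports the LTE route in use even though nothing has failed, because the primary default route cannot be resolved at all.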
 
Charg
newbie
Topic Author
Posts: 30
Joined: Wed Apr 07, 2021 11:49 am

Re: Dual WAN failover using recursive routing

Mon Apr 12, 2021 5:24 pm

Would really like some advice here :)
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Dual WAN failover using recursive routing

Mon Apr 12, 2021 6:07 pm

The best guide is reading this thread! It seems you have half an implementation there of using recursive. The Thread will help sort you out.
viewtopic.php?f=23&t=157048
 
Charg
newbie
Topic Author
Posts: 30
Joined: Wed Apr 07, 2021 11:49 am

Re: Dual WAN failover using recursive routing

Tue Apr 13, 2021 11:50 am

The best guide is reading this thread! It seems you have half an implementation there of using recursive. The Thread will help sort you out.
viewtopic.php?f=23&t=157048
Thanks for the link.
I've reread it and I do have everything configured, except for the routing-mark part in the rules, which seems to have been removed(?), as my RouterOS 7.0 highlights this parameter as invalid.
What half implementation did you mean that I haven't done?

Here's a screenshot to illustrate what routes I have and that invalid one that doesn't work for some reason: https://i.imgur.com/S5dSY8d.png
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Dual WAN failover using recursive routing

Tue Apr 13, 2021 2:51 pm

If you are using version 7 BETA firmware you are in the wrong forum.
Please post here...................
viewforum.php?f=1

and search for your issue or start a new thread.

(ps your gateway has to be an IP address).
 
Charg
newbie
Topic Author
Posts: 30
Joined: Wed Apr 07, 2021 11:49 am

Re: Dual WAN failover using recursive routing

Mon Apr 19, 2021 12:50 pm

I am not using beta firmware; this is the version it came out of the box with.

Here https://mikrotik.com/product/chateau_lt ... ifications it says `Operating System RouterOS (v7 only)`

I also figured that changing the target scope to 11 (the default is 10) marks this route as valid. However, still nothing makes it a recursive route.
As for the gateway that has to be an IP address: apparently it doesn't have to be, as the route is marked as valid when I use the interface name. And dynamic routes are using interface names too.
I've tried switching it to an IP just in case, but nothing changes: that route still works, but again nothing makes this route (or its 'parent') recursive.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Dual WAN failover using recursive routing

Mon Apr 19, 2021 3:39 pm

The only thing I would focus on is distance, not scope, which was missing in your first rule.
I tend not to box myself into a corner. Nothing lower than one, so I use 5 and 10.

/ip route
add dst-address=8.8.8.8/32 gateway=ether1 distance=1 comment="Validate Primary Cable ISP"
add gateway=8.8.8.8 distance=1 check-gateway=ping comment="Primary ISP Route"
add gateway=lte1 distance=2 comment="Secondary ISP"

/ip route
add dst-address=8.8.8.8/32 gateway=ether1 distance=5 comment="Validate Primary Cable ISP"
add gateway=8.8.8.8 distance=5 check-gateway=ping comment="Primary ISP Route"
add gateway=lte1 distance=10 comment="Secondary ISP"
 
Charg
newbie
Topic Author
Posts: 30
Joined: Wed Apr 07, 2021 11:49 am

Re: Dual WAN failover using recursive routing

Mon Apr 19, 2021 5:21 pm

The only thing I would focus on is distance, not scope, which was missing in your first rule.
I tend not to box myself into a corner. Nothing lower than one, so I use 5 and 10.
Well, that surely makes sense, but there are dynamically created routes with distance 0, 1 and 2.
So I'd assume my custom routes with distance 5 and higher would just never be used, right?

Also, I've managed to make these routes 'work', and by that I mean none of them are marked as invalid anymore, by tweaking the scope of one route and the target scope of the other.
However, they are not marked as recursive. Any idea why?
https://i.imgur.com/1M0vPkk.png
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Dual WAN failover using recursive routing

Mon Apr 19, 2021 6:27 pm

Okay, I see the problem.
I wasn't specific in my example because I assumed you were simply using gateway1 to hide your WAN IP gateways, but apparently you think the name of the interface suffices. Not so: you need the actual IP address.
So let me rephrase my suggestions.

/ip route
add dst-address=8.8.8.8/32 gateway=IP of_GW_ISP1 distance=5 comment="Validate Primary Cable ISP"
add gateway=8.8.8.8 distance=5 check-gateway=ping comment="Primary ISP Route"
add gateway=IP of_GW_ISP2 distance=10 comment="Secondary ISP"

PS. I use distance 5 and 10 so that if the case arises I can put in a distance before, between, or after the ones already in play. Max flex!!
For example, I ended up using two external addresses to check connectivity, also 9.9.9.9, and thus used a distance in between to differentiate between the two DNS addresses I was checking.


PPS. I looked at my route results in the config and my first route.......
add dst-address=1.1.1.1/32 gateway=IP of my primary, distance=5 and the scope=10 and the target scope=10

The second rule, where one only checks ping results, in my config displays 0.0.0.0/0 for destination and a scope of 30 and a target scope of 10.

The third rule, for the secondary WAN, also results in a destination address of 0.0.0.0/0 and a scope of 30 and a target scope of 10.

Conclusion: I don't know now why I set a scope and target scope of 10 on the first rule to match??? But it works.
 
Charg
newbie
Topic Author
Posts: 30
Joined: Wed Apr 07, 2021 11:49 am

Re: Dual WAN failover using recursive routing

Tue Apr 20, 2021 11:41 am

I copy-pasted the rules you proposed; they do not work: https://i.imgur.com/Ii8GTkh.png
The reason why my routes from the previous screenshot work is that these two (the scope of one and the target scope of the other) match: https://i.imgur.com/7qFVnsl.png
I am still not sure why they are not marked as recursive routes.

On a side note, I am not sure why you are so convinced that the gateway 100% has to be an IP address. Because it does not. An interface name does work.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Dual WAN failover using recursive routing

Tue Apr 20, 2021 2:49 pm

add dst-address=8.8.8.8/32 gateway=IP of_GW_ISP1 distance=5 comment="Validate Primary Cable ISP"
add gateway=8.8.8.8 distance=5 check-gateway=ping comment="Primary ISP Route"
add gateway=IP of_GW_ISP2 distance=10 comment="Secondary ISP"


On the first rule, did you try setting the scope and target scope both to 10??
 
Charg
newbie
Topic Author
Posts: 30
Joined: Wed Apr 07, 2021 11:49 am

Re: Dual WAN failover using recursive routing

Tue Apr 20, 2021 4:14 pm

Yes, it doesn't work either. https://i.imgur.com/WuSRpHF.png
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Dual WAN failover using recursive routing

Tue Apr 20, 2021 8:38 pm

Something else then; please post your complete config.

/export hide-sensitive file=anynameyouwish
 
Charg
newbie
Topic Author
Posts: 30
Joined: Wed Apr 07, 2021 11:49 am

Re: Dual WAN failover using recursive routing

Thu Apr 22, 2021 6:11 pm

Something else then; please post your complete config.

/export hide-sensitive file=anynameyouwish
Here it is: https://pastebin.com/fWgCkDrC
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Dual WAN failover using recursive routing

Thu Apr 22, 2021 6:59 pm

(1) Get rid of this.... set to NONE.
/interface detect-internet
set detect-interface-list=all

(2) FIX THIS,
/ip address
add address=192.168.1.1/24 interface=ether2 network=192.168.1.0
SHOULD BE
/ip address
add address=192.168.1.1/24 interface=bridge1 network=192.168.1.0

(3) Duplicate rule remove........ (the first rule covers this).
add action=masquerade chain=srcnat comment="default rule" out-interface=\
ether1


(4) Why are you using a whole bunch of netmap rules. Are you mapping public IPs to private IPs??

(5) It appears they are for port forwarding and if so DO NOT USE netmap. USE dstnat!!!

ex.
add action=dst-nat chain=dstnat comment=\
"Radmin port forwarding (from mikrotikwan:48991 to 192.168.1.2:4899" \
dst-port=48991 in-interface-list=WAN protocol=tcp to-addresses=192.168.1.2 \
to-ports=4899

(6) What is this for........
/ip service
set www address=192.168.1.0/24 port=33388

SHOULD BE DISABLED and is a Security RISK.
NO ACCESS TO THE ROUTER ITSELF SHOULD BE DONE FROM THE WAN SIDE. The safe way to access the router is to VPN into the LAN and then access the router.

(7) AND THEN the FW rules..................... A mess!!
SAME ISSUE. You have the default winbox port (which you should change anyway) BEING OPENED UP to the internet, and regardless of whether you have a WAN IP allowed list, that is NOT SECURE and a terrible security practice. Have the admin access the router via VPN to be able to modify the config IF NOT ON SITE.

WIPE IT CLEAN START NEW.
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment={ADD ANY RULES REQUIRED FOR VPN INPUT PORTS}
add action=accept chain=input comment="Allow ADMIN to Router" \
    src-address-list=adminaccess
add action=accept chain=input comment="Allow LAN DNS queries - TCP" \
    connection-state=new dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input comment="Allow LAN DNS queries - UDP" \
    connection-state=new dst-port=53 in-interface-list=LAN protocol=udp
add action=drop chain=input comment="Drop All Else"
{NOTE: Only put the last rule (drop all) in place when the admin access rule is in place!!}
...
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward comment="ENABLE LAN to WAN" \
    in-interface=bridge1 out-interface-list=WAN
add action=accept chain=forward comment="Allow Port Forwarding" \
    connection-nat-state=dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward comment=\
    "DROP ALL other FORWARD traffic"
 
Charg
newbie
Topic Author
Posts: 30
Joined: Wed Apr 07, 2021 11:49 am

Re: Dual WAN failover using recursive routing

Mon Apr 26, 2021 9:25 am

(1) Get rid of this.... set to NONE.
/interface detect-internet
set detect-interface-list=all
Why? It doesn't look like something that will break stuff for me, so I might as well leave it on the default value. Or am I wrong?
(4) Why are you using a whole bunch of netmap rules. Are you mapping public IPs to private IPs??
(5) It appears they are for port forwarding and if so DO NOT USE netmap. USE dstnat!!!
ex.
add action=dst-nat chain=dstnat comment=\
"Radmin port forwarding (from mikrotikwan:48991 to 192.168.1.2:4899" \
dst-port=48991 in-interface-list=WAN protocol=tcp to-addresses=192.168.1.2 \
to-ports=4899
What's the difference between those approaches?
I would assume dstnat only maps the port while netmap maps the whole destination host? Or something different?
(7) AND THEN the FW rules..................... A mess!!
Well, someone else's rules always look like a mess if there are many :)


(2), (3) and (6) fixed, thanks.

Anyway, from what I see, none of those fixes are related to recursive routing, right? And that is the problem I want to solve.
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Dual WAN failover using recursive routing

Mon Apr 26, 2021 4:55 pm

Try pasting this into the terminal
{
:global isp1gateway ether1
:global isp2gateway lte1

/ip dhcp-client
set [find] add-default-route=no

/interface lte apn
set [ find ] add-default-route=no

/ip route
remove [find where dynamic=no]

add comment="ISP1 is preferred Gateway" distance=1 gateway=$isp1gateway
add comment="ISP2 is alternative Gateway" distance=2 gateway=$isp2gateway

add comment="1.1.1.1 must be reachable only from ISP1" distance=1 dst-address=1.1.1.1/32 gateway=$isp1gateway scope=10
add comment="8.8.8.8 must be reachable only from ISP2" distance=1 dst-address=8.8.8.8/32 gateway=$isp2gateway scope=10

add check-gateway=ping comment="Check if reachable 1.1.1.1 = ISP1 Working" distance=1 gateway=1.1.1.1
add check-gateway=ping comment="Check if reachable 8.8.8.8 = ISP2 Working" distance=1 gateway=8.8.8.8

add check-gateway=ping comment="If ISP1 fails, still check when 1.1.1.1 is reachable again" distance=2 gateway=1.1.1.1
add check-gateway=ping comment="If ISP2 fails, still check when 8.8.8.8 is reachable again" distance=2 gateway=8.8.8.8

add comment="Virtual ping to maintain router calc for ISP1" distance=20 dst-address=1.1.1.1/32 type=blackhole
add comment="Virtual ping to maintain router calc for ISP2" distance=20 dst-address=8.8.8.8/32 type=blackhole
}
 
batarang
just joined
Posts: 4
Joined: Wed Oct 26, 2016 6:08 am
Location: Manila

Re: Dual WAN failover using recursive routing

Tue Jun 15, 2021 9:31 am

- moved to separate thread -
Last edited by batarang on Wed Jun 16, 2021 2:19 am, edited 1 time in total.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Dual WAN failover using recursive routing

Tue Jun 15, 2021 4:51 pm

Edit: Thanks!
 
mahesharu
just joined
Posts: 8
Joined: Fri Sep 03, 2021 12:24 pm

Re: Dual WAN failover using recursive routing

Wed Oct 20, 2021 9:57 am

I am facing a similar issue: I want to set up recursive failover for 3 ISPs. I tried with two ISPs to test, but the route rule which uses it goes into the "static" state.

/ip route
add check-gateway=ping distance=1 gateway=8.8.4.4 scope=10
add check-gateway=ping distance=2 gateway=1.1.1.1 scope=10
add check-gateway=ping comment="LTE Mangle" disabled=yes distance=3 gateway=192.168.1.1
add check-gateway=ping comment="ISP1 Mangle" disabled=yes distance=1 gateway=vlan-173
add disabled=yes distance=1 gateway=192.168.5.1
add check-gateway=ping comment="ISP2 Mangle" disabled=yes distance=2 gateway=pppoe-BSNL
add distance=1 dst-address=1.1.1.1/32 gateway=pppoe-BSNL scope=10
add distance=1 dst-address=8.8.4.4/32 gateway=10.10.173.1 scope=10

If someone could help me sort out the issue, it would be really helpful.
