UpRunTech
Member Candidate
Topic Author
Posts: 209
Joined: Fri Jul 27, 2012 12:11 pm

A Chateau LTE failover configuration that actually works - 7.1beta5

Fri Apr 30, 2021 9:02 am

I had to quickly set up some Château units this week from scratch for LTE/4G failover if the WAN connection dies. I did try some methods to get recursive routing going that don't seem to work (and as others have noticed, if you change target-scope to 11 from 10 things get weird) in ROS7. I don't think routing is finished cooking in ROS7 by any means and the new manual suggests in ROS7 gateway ping works a bit differently amongst other things.

As they were for different customers I needed something that works with different LTE carriers AND works reliably where the WAN interface picks up its address details with DHCP - so this means as little static address configuration as possible is needed.

I managed to get it going without recursive routing overtly working and some route distance tweaks and I feel like it's a bit of a Rube Goldberg machine in the way it operates but it functions just fine.

What it does:
* Uses 8.8.4.4 to test for connectivity out the WAN interface when it's running.
* Uses gateway ping to 8.8.4.4 or WAN interface going down to move the default route to the LTE interface.
* Tested with:
- WAN device not connected at boot then later plugged in.
- WAN device connected at boot and on but not issuing DHCP (like VDSL not synced).
- WAN device initially working but not responding to traffic (like VDSL not synced or resyncing).
* There is no 30 second timeout like you'd expect from recursive routing gateway ping failing. Default route switching is within seconds (not such a bad thing).
* Port 5 has a filter so any traffic on this interface can't use up LTE data (needed for a guest Wifi network to not consume LTE quota).
* LEDs 1-4 are signal level and LED5 comes on when LTE default route is active.
* Works with any WAN service that uses DHCP. Nothing static needed!

It's dodgy I know so am glad for any improvements and suggestions if any.
* The LED activation script works but needs some improvement with the use of a global to keep state so the log isn't written to with LED information every few seconds.
* It works on 7.1beta5 and may not work on any other version of ROS ever.
* Winbox 3.27 doesn't seem to show route state properly in the route window when things change with this version of ROS so you need to use "/ip/route/print interval=1" to see the correct information.
* I have hand changed a few things to generalise the script to what I deployed but didn't test loading it to a blank Château as I have no more available. I hope it loads OK.
* Don't forget to update your LTE firmware.
# apr/27/2021 13:44:47 by RouterOS 7.1beta5
# software id = KBT6-0I2W
#
# model = RBD53G-5HacD2HnD

/interface bridge
add auto-mac=yes name=Bridge1
/interface wireless
set [ find default-name=wlan1 ] adaptive-noise-immunity=ap-and-client-mode \
    ssid=MikroTik station-roaming=enabled
set [ find default-name=wlan2 ] adaptive-noise-immunity=ap-and-client-mode \
    ssid=MikroTik station-roaming=enabled
/interface ethernet
set [ find default-name=ether1 ] name=EtherWAN
/interface lte
set [ find ] allow-roaming=no name=lte1
/interface list
add name=MACAllow
/interface lte apn
set [ find default=yes ] apn=connect default-route-distance=3 ip-type=ipv4 \
    passthrough-subnet-selection=p2p use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=192.168.0.2-192.168.0.254
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=Bridge1 lease-time=12h \
    name=dhcp1
/queue simple
add dst=EtherWAN max-limit=40M/100M name=Queue1 queue=\
    pcq-upload-default/pcq-download-default target=192.168.0.0/24
/interface bridge port
add bridge=Bridge1 interface=ether2
add bridge=Bridge1 interface=ether3
add bridge=Bridge1 interface=ether4
add bridge=Bridge1 interface=ether5
/interface bridge settings
set use-ip-firewall=yes
/ip neighbor discovery-settings
set discover-interface-list=MACAllow
/interface list member
add interface=Bridge1 list=MACAllow
add interface=ether5 list=MACAllow
/ip address
add address=192.168.0.1/24 interface=Bridge1 network=192.168.0.0
/ip cloud
set ddns-enabled=yes update-time=no
/ip dhcp-client
add default-route-distance=10 disabled=no interface=EtherWAN script=":local gw\
    \_[/ip dhcp-client get [find interface=EtherWAN ] gateway];\r\
    \n/ip route set [find dst-address=8.8.4.4/32] gateway=\$gw;\r\
    \n\r\
    \n" use-peer-ntp=no
/ip dhcp-server network
add address=192.168.0.0/24 dns-server=192.168.0.1 gateway=192.168.0.1 \
    ntp-server=192.168.0.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip firewall address-list
add address=your.ipaddress.here list=IPALLOWLIST
/ip firewall filter
add action=accept chain=input comment="Accept ICMP Input" protocol=icmp
add action=accept chain=input comment="Accept established, related input" \
    connection-state=established,related
add action=accept chain=forward comment="Accept established, related forward" \
    connection-state=established,related
add action=accept chain=input comment="Allowlist Winbox" dst-port=8291 \
    protocol=tcp src-address-list=IPALLOWLIST
add action=drop chain=forward comment="Drop guest/hotspot using LTE" \
    in-bridge-port=ether5 out-interface=lte1
add action=drop chain=forward comment="Drop guest/hotspot using LTE" \
    out-bridge-port=ether5 in-interface=lte1
add action=drop chain=input comment="Drop invalid packets" connection-state=\
    invalid
add action=drop chain=input comment="Drop anything else in on WAN" \
    in-interface=EtherWAN log-prefix=DropWAN
/ip firewall nat
add action=masquerade chain=srcnat src-address=192.168.0.0/24
/ip route
add disabled=no distance=2 dst-address=8.8.4.4/32 gateway=192.168.100.254 \
    pref-src="" routing-table=main scope=10 suppress-hw-offload=no \
    target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    8.8.4.4 pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=20
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Australia/Melbourne
/system identity
set name=ChateauMerde
/system leds
# using RSRP, modem-signal-threshold ignored
set 0 leds=led1,led2,led3,led4
add leds=led5 type=off
/system logging
add disabled=yes topics=debug
/system ntp client
set enabled=yes
/system ntp server
set enabled=yes
/system ntp client servers
add address=au.pool.ntp.org
/system package update
set channel=development
/system routerboard settings
set auto-upgrade=yes cpu-frequency=auto
/system scheduler
add interval=3s name=lte-led-status on-event=":local ltestate [/ip/route/find \
    where gateway ~\"lte1\" dst-address ~\"0.0.0.0/0\" active];\r\
    \n:if (\$ltestate) do={/system/leds/set [find leds=\"led5\"] type=on} else\
    \_{/system/leds/set [find leds=\"led5\"] type=off};\r\
    \n" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=apr/17/2021 start-time=19:49:26
/system script
add dont-require-permissions=no name=ltetest owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":\
    local ltestate [/ip/route/find where gateway ~\"lte1\" dst-address ~\"0.0.\
    0.0/0\" active];\r\
    \n:put \$ltestate;\r\
    \n:if (\$ltestate) do={/system/leds/set [find leds=\"led5\"] type=on} else\
    \_{/system/leds/set [find leds=\"led5\"] type=off};\r\
    \n"
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=MACAllow
/tool mac-server mac-winbox
set allowed-interface-list=MACAllow
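A check a reader would want before deploying this export, added here and not part of the original post: after failover lte1 is the internet-facing interface, yet the only catch-all input drop matches in-interface=EtherWAN, and RouterOS accepts packets that match no filter rule. The function names and the list of uplinks passed in are assumptions of this example.

```python
import re

# Constructed sample: the input-chain rules copied from the export above.
EXPORT = """\
/ip firewall filter
add action=accept chain=input comment="Accept ICMP Input" protocol=icmp
add action=accept chain=input comment="Accept established, related input" \\
    connection-state=established,related
add action=accept chain=input comment="Allowlist Winbox" dst-port=8291 \\
    protocol=tcp src-address-list=IPALLOWLIST
add action=drop chain=input comment="Drop invalid packets" connection-state=\\
    invalid
add action=drop chain=input comment="Drop anything else in on WAN" \\
    in-interface=EtherWAN log-prefix=DropWAN
"""

# Keys that do not narrow which packets a rule matches.
NON_MATCHERS = {"action", "chain", "comment", "log", "log-prefix", "disabled"}

def parse_filter_rules(export):
    """Return the 'add' lines of /ip firewall filter as key/value dicts."""
    text = re.sub(r"\\\n\s*", "", export)      # join export line continuations
    rules, section = [], ""
    for line in text.splitlines():
        if line.startswith("/"):
            section = line.strip()
        elif section == "/ip firewall filter" and line.startswith("add "):
            pairs = re.findall(r'([\w-]+)=("[^"]*"|\S+)', line)
            rules.append({k: v.strip('"') for k, v in pairs})
    return rules

def uplinks_without_input_drop(rules, uplinks):
    """Uplinks that no enabled, unconditional input-chain drop rule covers."""
    # Simplification: only in-interface is understood; rules using
    # in-interface-list or any other matcher are treated as not catch-all.
    covered = set()
    for r in rules:
        if (r.get("chain"), r.get("action")) != ("input", "drop") or r.get("disabled") == "yes":
            continue
        matchers = set(r) - NON_MATCHERS
        if not matchers:
            covered.update(uplinks)            # drop-everything rule
        elif matchers == {"in-interface"}:
            covered.add(r["in-interface"])
    return [u for u in uplinks if u not in covered]

print(uplinks_without_input_drop(parse_filter_rules(EXPORT), ["EtherWAN", "lte1"]))
```

For the export above the result is lte1, which leaves the router's still-enabled services (Winbox, and DNS with allow-remote-requests=yes) answering on the LTE side. A second input drop with in-interface=lte1 clears the finding.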
 
neman
just joined
Posts: 1
Joined: Fri Apr 30, 2021 11:59 am

Re: A Chateau LTE failover configuration that actually works - 7.1beta5

Fri Apr 30, 2021 12:29 pm

Hi! Thanks for the script. I'm using 7.1beta5 because my USB LTE Modem is supported only from version 7. I'm looking for a failover solution like this one, read a lot of threads here. Nowadays a 30 seconds timeout is some kind of nonsense, and you are the first who mentions this. I'm a beginner so please help me understand your script.
1. How exactly is default route switching within seconds achieved? You are using check-gateway=ping which pings only once in 10 seconds.
2. You wrote Nothing static needed but you use IP address 192.168.100.254. Could you please fix this?
3. Don't we need to drop already established connections when default route changes for LTE and back?
4. It would be very useful to have minimal needed configuration only for failover. And more comments to understand how it works.
Thanks!
Last edited by neman on Fri Apr 30, 2021 12:31 pm, edited 1 time in total.
 
UpRunTech
Member Candidate
Topic Author
Posts: 209
Joined: Fri Jul 27, 2012 12:11 pm

Re: A Chateau LTE failover configuration that actually works - 7.1beta5

Tue May 04, 2021 5:10 am

> Hi! Thanks for the script. I'm using 7.1beta5 because my USB LTE Modem is supported only from version 7. I'm looking for a failover solution like this one, read a lot of threads here. Nowadays a 30 seconds timeout is some kind of nonsense, and you are the first who mentions this. I'm a beginner so please help me understand your script.
> 1. How exactly is default route switching within seconds achieved? You are using check-gateway=ping which pings only once in 10 seconds.
> 2. You wrote Nothing static needed but you use IP address 192.168.100.254. Could you please fix this?
> 3. Don't we need to drop already established connections when default route changes for LTE and back?
> 4. It would be very useful to have minimal needed configuration only for failover. And more comments to understand how it works.
> Thanks!

1) Check gateway pings once a second I noticed in ROS7.
2) The script executed in the DHCP client updates the gateway address for 8.8.4.4 in the routing table. This address 192.168.100.254 happened to be the DHCP server address in my router which I used to test it, but it worked without modification with a client's ISP. Definitely don't modify or remove the route for 8.8.4.4 in the table as it's needed and the script looks for it.
3) Established connections are not going to work after the route transitions - they will need to be reestablished. At the hotel their VoIP system seemed to recover quickly after each route change.
4) If the ping to 8.8.4.4 fails the "recursive" route fails and LTE becomes the default route. I don't have any Chateaus at the moment so can't run it again and comment.
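A simplified model of how the distances in the export interact, added here and not part of the original posts: the lowest-distance default route whose gateway is usable wins, and the distance 1 route also needs its ping to 8.8.4.4 to succeed. This is not RouterOS's route-selection code; the `up`, `connected` and `ping_ok` inputs and treating lte1 as an interface gateway are assumptions of the model.

```python
from dataclasses import dataclass

@dataclass
class Route:
    dst: str
    gateway: str            # next-hop IP, or an interface name
    distance: int
    check_ping: bool = False

# The two static routes from the export plus the two dynamic defaults it sets up
# (LTE APN default-route-distance=3, DHCP client default-route-distance=10).
DHCP_GW = "192.168.100.254"  # test value from the thread; the DHCP script rewrites it
ROUTES = [
    Route("0.0.0.0/0", "8.8.4.4", 1, check_ping=True),
    Route("8.8.4.4/32", DHCP_GW, 2),
    Route("0.0.0.0/0", "lte1", 3),
    Route("0.0.0.0/0", DHCP_GW, 10),
]

def usable(gw, routes, up, connected):
    """True if gw is an up interface, a next hop on an up interface,
    or an IP reached through a usable host (/32) route."""
    if gw in up:
        return up[gw]
    if gw in connected:
        return up[connected[gw]]
    return any(r.dst == gw + "/32" and usable(r.gateway, routes, up, connected)
               for r in routes)

def active_default(routes, up, connected, ping_ok):
    """Gateway of the lowest-distance default route that is currently usable."""
    live = [r for r in routes
            if r.dst == "0.0.0.0/0"
            and usable(r.gateway, routes, up, connected)
            and (not r.check_ping or ping_ok)]
    return min(live, key=lambda r: r.distance).gateway if live else None

if __name__ == "__main__":
    both_up = {"EtherWAN": True, "lte1": True}
    conn = {DHCP_GW: "EtherWAN"}
    for ping in (True, False):
        print("ping ok" if ping else "ping fails", "->",
              active_default(ROUTES, both_up, conn, ping))
```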
