marc321
just joined
Topic Author
Posts: 2
Joined: Mon Feb 25, 2008 12:37 am

Implementing hardware failover. Tips or suggestions?

Mon Feb 25, 2008 9:14 am

Greetings.

First let me give a little background on where I'm at. I basically fell into this job head first with my eyes closed because the last guy left (leaving no up-to-date documentation, no network diagrams, and no method of contact) and I just happen to be the guy who knows a little about Linux and computers. I have no formal training in system or network administration, except for two years of high-school CCNA courses. Sadly, I haven't used that knowledge for several years and much of it is gone from memory. I have insisted several times that I am not qualified, yet here I am... Is it trust? Ignorance? (I don't know for sure) :)

Anyway, we are a small town WISP with about 30 customers. At the office, there is a single ADSL line going to the MT box, which serves DHCP leases to two private networks: office and customer. The last MikroTik box that ran the show crashed shortly after I started helping out at the office (no redundancy). One technician replaced MT with Smoothwall, which didn't work out so well. My "on-the-job training" consisted of learning enough about MikroTik from the manuals to piece together a spare server, install MT on it, configure the interfaces and DHCP server, set up a basic firewall, and swap out the Smoothwall server live during the afternoon. I can safely say I was stressed out, but everything worked just fine.

So, now I am here asking how to implement a hardware failover setup after dealing with a motherboard failure today. I would like to have two MT boxes, both hot, with the same configuration. I plan to implement Hotspot authentication and accounting by MAC address soon, mainly for the security (we're wide open), but also to help ease the burden of per-user bandwidth control (mangling and queue trees work, but are not ideal). The version of MT I'm running is 2.9.49.

Is there a simple way to maintain the same configuration between the two boxes, including Hotspot user lists, and also provide a failover solution in case one dies? I've read about VRRP in the manuals and forums, but it seems to deal mainly with situations where there are two Internet connections. We only have the one DSL line.

How can I ensure a quick re-authentication of clients after a failover? With our current DHCP setup, even after I remove a DHCP lease, the client must either reboot their CPE or wait for the lease to expire. Shouldn't it expire immediately upon removing the lease? More to the point, is Hotspot any better at releasing and renewing?

I'm sure there will be scripts to write to implement this. That is fine. I just need some pointers to get me started.

Any help is appreciated. If more information is needed, let me know. I'll make sure my replies are less verbose. :)
 
jcremin
Member
Posts: 360
Joined: Fri May 25, 2007 7:57 am

Re: Implementing hardware failover. Tips or suggestions?

Mon Mar 03, 2008 6:18 pm

I'm finding myself in a situation where I need some redundancy as well. I run PPPoE for my authentication and bandwidth control, so I believe that it won't be too hard to accomplish some redundancy. The nice thing that I think PPPoE will allow me to do is have 2 PPPoE servers running at the same time. They will both take connections and will actually load balance themselves. If one box dies, everyone should failover to the other one.

If anyone thinks that wouldn't work, please let me know... otherwise that may be a solution for you instead of doing MAC based authentication (since they can be spoofed anyway).

Joe
 
druger
just joined
Posts: 18
Joined: Mon Mar 03, 2008 3:00 pm

Re: Implementing hardware failover. Tips or suggestions?

Mon Mar 03, 2008 7:31 pm

I think your suggestion will work. If you configure two PPPoE servers with the same service name, the user will connect regardless of its IP configuration.

But I did work with MK boards for a long time and I'm not experiencing any hardware failure.
About Hotspot, I don't think it's secure enough even if you make a MAC filter. Also, you can control user bandwidth easily by configuring a Hotspot profile.

In our network we use the EOIP tunnel feature. We configure two servers, both connected to an MK board configured as a bridge. In case of failure we just switch the tunnel remote address in the bridge to the second server.

I work in a WISP with more than 3000 registered clients; half of our network is MK based. Don't hesitate to contact me, I will not let you down.
 
hchady
just joined
Posts: 14
Joined: Tue May 29, 2007 5:40 pm

Re: Implementing hardware failover. Tips or suggestions?

Tue Mar 04, 2008 12:50 pm

It is impossible with MT, I think.

I have done this with pfsense, give it a try it is a free project
 
marc321
just joined
Topic Author
Posts: 2
Joined: Mon Feb 25, 2008 12:37 am

Re: Implementing hardware failover. Tips or suggestions?

Tue Mar 04, 2008 7:06 pm

Thanks for the replies.

I like the idea of two load balanced PPPoE servers. The main problem I have with PPPoE at this time is the fact that we run quite a conglomeration of client radios of varying age, some of which do not have remote admin capabilities. We also have a few customers using static private IP's (for reasons unknown to me). We only have around 35 customers, though, so it wouldn't be a complete nightmare to implement. :)

"Hotspot authentication and accounting by MAC address ... mainly for the security"

I'll bet a few people rolled their eyes at that. That statement was not well thought-out. :oops: I understand the problems inherent in MAC authentication. I was looking for something that could be tested in the office, then applied to the wireless network without having to reconfigure each client's radio. If we can switch customers over to PPPoE incrementally -- i.e. authenticate those customers whose radios we reconfigure, and allow others "anonymous access," -- I will happily forget about Hotspot. Otherwise, the downtime caused by the transition would certainly make some customers leave.

From what I gather reading these forums, failover of the type I want is either difficult to implement or impossible. If nothing else, I should at least be able to write a script to export the configuration from the primary server and ftp it over to the backup on a daily basis. The backup server would then verify that it received the configuration and import it. In case of hardware failure, we would just have three cat5 cables to switch manually. Not failover by any means, but better than what we've got.

I'll study PPPoE and EOIP tunneling some more. I'll also take a look at pfsense. Any other ideas are welcome.
 
galaxynet
Long time Member
Posts: 646
Joined: Fri Dec 17, 2004 2:52 pm

Re: Implementing hardware failover. Tips or suggestions?

Tue Mar 04, 2008 11:34 pm

marc321 -
There are at least three ways I see to accomplish what you are looking for - all with MT.....

First let me say that I am NOT paid by MT, I do NOT sell equipment - just to get that out of the way - some folks wonder about that when I answer questions.....

I understand your experience level is 'novice', so I will just try and give you the terms and a short "what it is" for now - you let me know what you are interested in and we'll see if we can help you along the right path.

There is VRRP, Very Reliable Router Protocol. Basically you have a master and a slave router; when the master fails the slave takes over. It takes a little work to get it right and is not foolproof.

There is a multiple gateways scheme. Easy to implement, takes a little time to get the scripting right, but will work well.

Lastly there is a bonding scheme whereby the typical failover is about 10ms; it is similar to the multi-gateway scheme. Again, takes a little work but can be implemented with good results.

In all of the above, it will require two CPUs to accomplish your goal. Now these can be 'real' CPUs or you can use RB500, RB300 or RB600 series Mikrotik Routerboards.... If you have no plans to use any type of cache then any one of the above will do. If you think you may want to try caching then the RB500 series is out. For all the rest I HIGHLY recommend that you use a master drive (or flash in the RBs) for your MT software, and a secondary drive to handle the caching server.

Be prepared to spend a little time at 'school' learning MT software.... It is easy to set up the basics, it can take a long time to learn it all - kind of like chess, learning the capabilities of the chess pieces is easy - mastering the game...well you get the point.......

My email address is at the bottom...drop a line if you have any questions...
