Eliminateur
Frequent Visitor
Topic Author
Posts: 96
Joined: Thu Jun 28, 2007 7:38 am

2 WAN failover

Mon Aug 30, 2010 11:25 pm

Hello,
I need to implement a simple 2 WAN failover, I've been racking my brains with the following topics:
http://wiki.mikrotik.com/wiki/Advanced_ ... _Scripting
http://wiki.mikrotik.com/wiki/Two_gateways_failover
and this useful topic: http://forum.mikrotik.com/viewtopic.php ... 6&start=50

but I see some info I'm not clear about between the config done in that topic and the one in the wiki, let me do a quick recap:
1) two WAN connections, one is direct eth (it has DHCP but I'm sure I can set it to manual), the other goes through a dialing ADSL modem (which gives a private IP address and performs all the dialing functions).
2) I need simple failover, no load balancing yet
3) no VPN
4) incoming RDP connections that should be able to enter through any of the two connections

this is what I have in the box (ROS 4.11) (and only this), I'm pretty sure I'm forgetting something and this won't work:
200.80.195.26 and 200.69.193.1 are my monitoring hosts and 10.0.0.2 and 190.3.96.254 are the respective WAN gateways
/ip route
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=200.80.195.26 routing-mark=telmex scope=30 target-scope=30
add check-gateway=ping disabled=no distance=10 dst-address=0.0.0.0/0 gateway=200.69.193.1 routing-mark=telmex scope=30 target-scope=30
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=200.69.193.1 routing-mark=arnet scope=30 target-scope=30
add check-gateway=ping disabled=no distance=10 dst-address=0.0.0.0/0 gateway=200.80.195.26 routing-mark=arnet scope=30 target-scope=30
add disabled=no distance=1 dst-address=200.69.193.1/32 gateway=10.0.0.2 scope=10 target-scope=10
add disabled=no distance=20 dst-address=200.69.193.1/32 type=blackhole
add disabled=no distance=1 dst-address=200.80.195.26/32 gateway=190.3.96.254 scope=10 target-scope=10
add disabled=no distance=20 dst-address=200.80.195.26/32 type=blackhole
/ip firewall mangle
add action=mark-connection chain=input comment="IN  arnet" disabled=no in-interface=ether1-arnet new-connection-mark=arnet_conn passthrough=no
add action=mark-connection chain=input comment="IN telmex" disabled=no in-interface=ether2-telmex new-connection-mark=telmex_conn passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" disabled=no out-interface=ether1-arnet
add action=dst-nat chain=dstnat comment=rdp disabled=no dst-port=3389 protocol=tcp to-addresses=192.168.1.10
/ip firewall address-list
add address=192.168.88.0/24 comment="my local network, all NATed" disabled=no list=local-addr
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s tcp-close-wait-timeout=10s tcp-established-timeout=1d \
    tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s \
    tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=yes \
    tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
add action=drop chain=input comment=invalids connection-state=invalid \
    disabled=no
add action=drop chain=forward comment=invalid connection-state=invalid \
    disabled=no
add action=drop chain=input comment="detect and drop port scan connections" \
    disabled=no protocol=tcp psd=21,3s,3,1
add action=accept chain=forward comment="accept new connections" \
    connection-state=new disabled=no
add action=accept chain=forward comment="allow related connections" \
    connection-state=related disabled=no
add action=accept chain=forward comment="accept established forward" \
    connection-state=established disabled=no
add action=accept chain=input comment=winbox disabled=no dst-port=8291 \
    protocol=tcp
add action=accept chain=input comment="Accept stablished input" \
    connection-state=established disabled=no
add action=accept chain=input comment="Allow ICMP ping" connection-state=new \
    disabled=no icmp-options=8:0-255 limit=50/5s,2 protocol=icmp
add action=drop chain=input comment="default configuration" disabled=no
add action=drop chain=forward comment=bogons disabled=no src-address-list=\
    BOGONS
add action=drop chain=input comment=bogons disabled=no src-address-list=\
    BOGONS
/ip firewall mangle
add action=mark-connection chain=input comment="IN  arnet" disabled=no \
    in-interface=ether1-arnet new-connection-mark=arnet_conn passthrough=no
add action=mark-connection chain=input comment="IN telmex" disabled=no \
    in-interface=ether2-telmex new-connection-mark=telmex_conn passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" disabled=\
    no out-interface=ether1-arnet
add action=dst-nat chain=dstnat comment=rdp disabled=no dst-port=3389 \
    protocol=tcp to-addresses=192.168.1.10
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061
set pptp disabled=no
I'm pretty sure I'm missing something, the wiki article talks about policy routing and marking the outgoing packets and the other thread talks about the incoming packets so they're routed over the correct connection, I'm at a total loss on how to do that :S.
I mean, I have the incoming connection mark rules, so the packets are marked, and now what do I do with those marks? How do I make the packets return through the originating connection? Do I need to add a srcnat rule that uses the connection mark with an action of masquerade over the arnet or telmex connections?

also, should I follow the thread or the wiki article? I notice that the thread uses scope and target-scope and the wiki article only uses scope (and looks simpler overall)

also #2: since one of the gateways is a direct modem, could I simply use a: /ip route add gateway=190.3.96.254 check-gateway=ping and then all the host pinging for the other one? (a kind of hybrid solution)


thanks in advance
 
Eliminateur
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 96
Joined: Thu Jun 28, 2007 7:38 am

Re: 2 WAN failover

Tue Sep 07, 2010 10:02 pm

anyone? It still isn't working at all.

and to add, how do I make incoming connections go back through the correct port? (i.e. how do I operate on a packet that is marked, or a route for that effect?)

edit, for greater simplification....:

only ONE of the gateways goes through an ADSL modem which would need the routing mojo...

so I'm testing with:
/ip route add gateway=190.3.96.254 distance=2
add dst-address=200.69.193.1/32 gateway=10.0.0.2 scope=10
add distance=1 gateway=200.69.193.1 routing-mark=arnet_route check-gateway=ping
what I don't understand is how to make the system use the "arnet_route" and why do I have to use a routing mark and how to use it in the rest of the system so that when the 10.0.0.2 link is down then it's disabled.... only that, but when it's enabled I need for it to be the system default gateway.

also, incoming connections can happen through both inputs at the same time so I need a proper route back, which I have no idea on how to do
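A worked version of the pattern both posts are asking about, written here as an added example rather than the poster's own config or the wiki's: recursive check-gateway failover in the main table, plus connection marks turned into routing marks so that connections arriving on either WAN are answered out the same WAN. Interface names, gateways and probe hosts are taken from the posted routes (ether1-arnet = ADSL modem behind 10.0.0.2, probed via 200.69.193.1; ether2-telmex = direct link via 190.3.96.254, probed via 200.80.195.26); the LAN interface name ether3-lan is an assumption, and the RDP host 192.168.1.10 is the one from the posted dst-nat rule.

```routeros
# Added example, not the thread's config. Interface and address names follow the
# posted routes; the LAN interface name ether3-lan is assumed.

/ip route
# 1. Host routes that pin each probe host to its own WAN gateway.
#    scope=10 lets the recursive default routes below resolve through them.
add dst-address=200.69.193.1/32 gateway=10.0.0.2 scope=10 comment="probe host via arnet"
add dst-address=200.80.195.26/32 gateway=190.3.96.254 scope=10 comment="probe host via telmex"
# 2. Blackholes at a worse distance: if a WAN interface goes down, its probe host must
#    not leak out the other WAN, or the ping would succeed via the wrong path.
add dst-address=200.69.193.1/32 type=blackhole distance=20
add dst-address=200.80.195.26/32 type=blackhole distance=20
# 3. Main-table defaults. The gateway is the remote probe host, resolved through the
#    host route, so check-gateway=ping tests the far end and not just the modem.
#    When the ping fails the distance=1 route goes inactive and distance=2 takes over.
add dst-address=0.0.0.0/0 gateway=200.69.193.1 distance=1 check-gateway=ping comment="primary: arnet"
add dst-address=0.0.0.0/0 gateway=200.80.195.26 distance=2 check-gateway=ping comment="backup: telmex"
# 4. One table per WAN, used only by packets that carry the matching routing mark.
add dst-address=0.0.0.0/0 gateway=10.0.0.2 routing-mark=via_arnet
add dst-address=0.0.0.0/0 gateway=190.3.96.254 routing-mark=via_telmex

/ip firewall mangle
# 5. Remember which WAN a new inbound connection arrived on. prerouting (not input)
#    sees both router-bound traffic and traffic that will be dst-nat'ed to the RDP host.
add chain=prerouting in-interface=ether1-arnet connection-state=new \
    action=mark-connection new-connection-mark=arnet_conn
add chain=prerouting in-interface=ether2-telmex connection-state=new \
    action=mark-connection new-connection-mark=telmex_conn
# 6. Replies the router generates itself (winbox, ping) use the table of their connection.
add chain=output connection-mark=arnet_conn action=mark-routing new-routing-mark=via_arnet
add chain=output connection-mark=telmex_conn action=mark-routing new-routing-mark=via_telmex
# 7. Replies from the LAN (the RDP server answering) do the same. Matching only
#    LAN-sourced packets leaves unmarked outbound LAN traffic on the main table.
add chain=prerouting in-interface=ether3-lan connection-mark=arnet_conn \
    action=mark-routing new-routing-mark=via_arnet
add chain=prerouting in-interface=ether3-lan connection-mark=telmex_conn \
    action=mark-routing new-routing-mark=via_telmex

/ip firewall nat
# 8. Masquerade on both WANs, so LAN traffic is valid whichever default is active.
add chain=srcnat out-interface=ether1-arnet action=masquerade
add chain=srcnat out-interface=ether2-telmex action=masquerade
# 9. RDP forwarding restricted to the WAN interfaces, so the rule cannot match from the LAN.
add chain=dstnat in-interface=ether1-arnet protocol=tcp dst-port=3389 \
    action=dst-nat to-addresses=192.168.1.10
add chain=dstnat in-interface=ether2-telmex protocol=tcp dst-port=3389 \
    action=dst-nat to-addresses=192.168.1.10
```

The routing mark is only ever applied to reply traffic of an already-marked connection; everything the LAN initiates stays unmarked and follows whichever main-table default is currently active, which is what makes the failover "just work" for outbound. To confirm the recursion is doing its job, /ip route print detail should show the distance=1 default as active with the probe host as its gateway, and the backup as inactive until the probe ping fails.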
