I need to implement a simple 2 WAN failover, I've been racking my brains with the following topics:
http://wiki.mikrotik.com/wiki/Advanced_ ... _Scripting
http://wiki.mikrotik.com/wiki/Two_gateways_failover
and this useful topic: http://forum.mikrotik.com/viewtopic.php ... 6&start=50
but I see some info I'm not clear about between the config done in that topic and the one in the wiki, let me do a quick recap:
1) two WAN connections, one is direct eth (it has DHCP but I'm sure I can set it to manual), the other goes through a dialing ADSL modem (which gives a private IP address and performs all the dialing functions).
2) I need simple failover, no load balancing yet
3) no VPN
4) Incoming RDP connections that should be able to enter through either of the two connections
this is what I have in the box (ROS 4.11) (and only this), I'm pretty sure I'm forgetting something and this won't work:
200.80.195.26 and 200.69.193.1 are my monitoring hosts and 10.0.0.2 and 190.3.96.254 are the respective WAN gateways
Code:
/ip route
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=200.80.195.26 routing-mark=telmex scope=30 target-scope=30
add check-gateway=ping disabled=no distance=10 dst-address=0.0.0.0/0 gateway=200.69.193.1 routing-mark=telmex scope=30 target-scope=30
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=200.69.193.1 routing-mark=arnet scope=30 target-scope=30
add check-gateway=ping disabled=no distance=10 dst-address=0.0.0.0/0 gateway=200.80.195.26 routing-mark=arnet scope=30 target-scope=30
add disabled=no distance=1 dst-address=200.69.193.1/32 gateway=10.0.0.2 scope=10 target-scope=10
add disabled=no distance=20 dst-address=200.69.193.1/32 type=blackhole
add disabled=no distance=1 dst-address=200.80.195.26/32 gateway=190.3.96.254 scope=10 target-scope=10
add disabled=no distance=20 dst-address=200.80.195.26/32 type=blackhole
Code:
/ip firewall mangle
add action=mark-connection chain=input comment="IN arnet" disabled=no in-interface=ether1-arnet new-connection-mark=arnet_conn passthrough=no
add action=mark-connection chain=input comment="IN telmex" disabled=no in-interface=ether2-telmex new-connection-mark=telmex_conn passthrough=no
Code:
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" disabled=no out-interface=ether1-arnet
add action=dst-nat chain=dstnat comment=rdp disabled=no dst-port=3389 protocol=tcp to-addresses=192.168.1.10
Code:
/ip firewall address-list
add address=192.168.88.0/24 comment="my local network, all NATed" disabled=no list=local-addr
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s tcp-close-wait-timeout=10s tcp-established-timeout=1d \
tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s \
tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=yes \
tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
add action=drop chain=input comment=invalids connection-state=invalid \
disabled=no
add action=drop chain=forward comment=invalid connection-state=invalid \
disabled=no
add action=drop chain=input comment="detect and drop port scan connections" \
disabled=no protocol=tcp psd=21,3s,3,1
add action=accept chain=forward comment="accept new connections" \
connection-state=new disabled=no
add action=accept chain=forward comment="allow related connections" \
connection-state=related disabled=no
add action=accept chain=forward comment="accept established forward" \
connection-state=established disabled=no
add action=accept chain=input comment=winbox disabled=no dst-port=8291 \
protocol=tcp
add action=accept chain=input comment="Accept stablished input" \
connection-state=established disabled=no
add action=accept chain=input comment="Allow ICMP ping" connection-state=new \
disabled=no icmp-options=8:0-255 limit=50/5s,2 protocol=icmp
add action=drop chain=input comment="default configuration" disabled=no
add action=drop chain=forward comment=bogons disabled=no src-address-list=\
BOGONS
add action=drop chain=input comment=bogons disabled=no src-address-list=\
BOGONS
/ip firewall mangle
add action=mark-connection chain=input comment="IN arnet" disabled=no \
in-interface=ether1-arnet new-connection-mark=arnet_conn passthrough=no
add action=mark-connection chain=input comment="IN telmex" disabled=no \
in-interface=ether2-telmex new-connection-mark=telmex_conn passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" disabled=\
no out-interface=ether1-arnet
add action=dst-nat chain=dstnat comment=rdp disabled=no dst-port=3389 \
protocol=tcp to-addresses=192.168.1.10
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061
set pptp disabled=no
I mean, I have the incoming connection mark rules, so the packets are marked, and now what do I do with those marks? How do I make the packets return through the originating connection? Do I need to add a srcnat rule that uses the connection mark with an action of masquerade over the arnet or telmex connections?
also, should I follow the thread or the wiki article? I notice that the thread uses scope and target-scope and the wiki article only uses scope (and looks simpler overall)
also #2: since one of the gateways is a direct modem, could I simply use a: /ip route add gateway=190.3.96.254 check-gateway=ping and then all the host pinging for the other one? (a kind of hybrid solution)
thanks in advance
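The missing piece the post is asking about, as an added example that is not part of the original post or of the MikroTik wiki pages it links: connection marks only become useful once a second set of mangle rules turns them into routing marks, so that reply packets are looked up in the routing table (arnet or telmex) of the WAN the connection arrived on. The example reuses the names already present in the post (interfaces ether1-arnet and ether2-telmex, connection marks arnet_conn and telmex_conn, routing marks arnet and telmex); the LAN interface name ether3-lan is an assumption. Note that the post's mark-connection rules sit in chain=input, which only sees traffic addressed to the router itself; forwarded traffic such as the dst-nat'ed RDP session is only seen in chain=prerouting, which is why the marking is moved there.

```routeros
# Added example, not from the original post. Assumes the interface, connection-mark
# and routing-mark names used in the post; "ether3-lan" is an assumed LAN interface name.

/ip firewall mangle
# 1) Mark NEW inbound connections in prerouting (not input), so that forwarded
#    dst-nat'ed traffic like RDP is marked as well as traffic to the router itself.
add chain=prerouting in-interface=ether1-arnet connection-state=new \
    action=mark-connection new-connection-mark=arnet_conn passthrough=no \
    comment="IN arnet (new connections)"
add chain=prerouting in-interface=ether2-telmex connection-state=new \
    action=mark-connection new-connection-mark=telmex_conn passthrough=no \
    comment="IN telmex (new connections)"

# 2) Replies coming back from the LAN host (e.g. the RDP server): choose the routing
#    table of the WAN the connection was marked on. dst-address-type=!local keeps
#    LAN-to-router traffic out of the WAN tables.
add chain=prerouting in-interface=ether3-lan connection-mark=arnet_conn \
    dst-address-type=!local action=mark-routing new-routing-mark=arnet passthrough=no \
    comment="reply via arnet"
add chain=prerouting in-interface=ether3-lan connection-mark=telmex_conn \
    dst-address-type=!local action=mark-routing new-routing-mark=telmex passthrough=no \
    comment="reply via telmex"

# 3) Replies generated by the router itself (e.g. winbox on tcp/8291) pass through
#    chain=output, not prerouting, so they need their own mark-routing rules.
add chain=output connection-mark=arnet_conn action=mark-routing \
    new-routing-mark=arnet passthrough=no comment="router reply via arnet"
add chain=output connection-mark=telmex_conn action=mark-routing \
    new-routing-mark=telmex passthrough=no comment="router reply via telmex"

# 4) The post only masquerades on ether1-arnet; outbound traffic that ends up on the
#    telmex WAN needs the same, otherwise it leaves with a private source address.
/ip firewall nat
add chain=srcnat out-interface=ether2-telmex action=masquerade comment="masq telmex"
```

Replies to a dst-nat'ed connection are un-NATed by connection tracking automatically, so no connection-mark based srcnat rule is needed; the per-interface masquerade rules are for traffic the LAN originates. To check that the rules take effect, open an RDP session through one WAN and look at `/ip firewall connection print where connection-mark=arnet_conn` (or telmex_conn), then confirm with `/ip route print where routing-mark=arnet` that the marked table still has an active default route during a failover of the other link.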