2dfx
Dual WAN and OpenVPN (UDP) behind RouterOS.

Sun Dec 07, 2014 10:03 pm

Hi all!
I have an RB2011UiAS-2HnD-IN and the following config:

ISP1 - low cost, high speed, address 3.3.3.90/30 nexthop 3.3.3.89
ISP2 - high cost, low speed, address 5.5.5.98/30 nexthop 5.5.5.97
LocalLan - 172.16.0.0/24
PC with OpenVPN - 172.16.0.25
OpenVPN server - 9.9.9.188:1194
/ip address
add address=3.3.3.90/30 interface=ether1-gateway network=3.3.3.88
add address=5.5.5.98/30 interface=ether2-gateway network=5.5.5.96
add address=172.16.0.1/24 interface=ether10 network=172.16.0.0

/ip route
add distance=1 gateway=3.3.3.89
add distance=1 gateway=5.5.5.97
add distance=1 gateway=3.3.3.89 routing-mark=ISP1
add distance=1 dst-address=3.3.3.88/30 gateway=ether1-gateway pref-src=3.3.3.90 routing-mark=ISP1
add distance=1 gateway=5.5.5.97 routing-mark=ISP2
add distance=1 dst-address=5.5.5.96/30 gateway=ether2-gateway pref-src=5.5.5.98 routing-mark=ISP2
add distance=1 gateway=3.3.3.89 routing-mark=INET
add distance=10 gateway=5.5.5.97 routing-mark=INET
add distance=1 dst-address=3.3.3.88/30 gateway=ether1-gateway pref-src=3.3.3.90 routing-mark=INET
add distance=1 dst-address=5.5.5.96/30 gateway=ether2-gateway pref-src=5.5.5.98 routing-mark=INET

/ip route rule
add action=lookup-only-in-table routing-mark=ISP1 table=ISP1
add action=lookup-only-in-table routing-mark=ISP2 table=ISP2
add action=lookup-only-in-table routing-mark=INET table=INET

/tool netwatch
add comment=ISP1 down-script="/ip route set disabled=yes [ find gateway=\"3.3.3.89\" and routing-mark=\"INET\" ]" host=8.8.8.8 up-script=\
    "/ip route set disabled=no [ find gateway=\"3.3.3.89\" and routing-mark=\"INET\" ]"
add comment=ISP2 down-script="/ip route set disabled=yes [ find gateway=\"5.5.5.97\" and routing-mark=\"INET\" ]" host=8.8.4.4 up-script=\
    "/ip route set disabled=no [ find gateway=\"5.5.5.97\" and routing-mark=\"INET\" ]"

/ip firewall address-list
add address=172.16.0.0/24 list=Local-Lan

/ip firewall filter
add chain=input comment="ICMP Accept" protocol=icmp
add chain=input comment=Established connection-state=established
add chain=forward connection-state=established
add chain=input comment=Related connection-state=related
add chain=forward connection-state=related
add action=drop chain=input comment="ISP1 Default DROP" in-interface=ether1-gateway
add action=drop chain=input comment="ISP2 Default DROP" in-interface=ether2-gateway
add action=drop chain=input connection-state=invalid
add action=drop chain=forward connection-state=invalid
/ip firewall mangle
add action=mark-routing chain=output comment="Connection status ISP1" dst-address=8.8.8.8 new-routing-mark=ISP1 passthrough=no protocol=icmp
add action=mark-routing chain=output comment="Connection status ISP2" dst-address=8.8.4.4 new-routing-mark=ISP2 passthrough=no protocol=icmp
add action=mark-connection chain=input comment="IN-OUT ISP1" in-interface=ether1-gateway new-connection-mark=ISP1-INPUT passthrough=no
add action=mark-routing chain=output connection-mark=ISP1-INPUT new-routing-mark=ISP1 passthrough=no
add action=mark-connection chain=input comment="IN-OUT ISP2" in-interface=ether2-gateway new-connection-mark=ISP2-INPUT passthrough=no
add action=mark-routing chain=output connection-mark=ISP2-INPUT new-routing-mark=ISP2 passthrough=no
add action=mark-routing chain=prerouting comment="Inet-Routing" dst-address-list=!Local-Lan in-interface=ether10 new-routing-mark=INET passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat comment="ISP1 NAT" out-interface=ether1-gateway
add action=masquerade chain=srcnat comment="ISP2 NAT" out-interface=ether2-gateway
Behind the MikroTik I have a computer with an OpenVPN client (UDP + LZO).
It uses routing with routing mark "INET".

Then I tried failover:
NetWatch disables the route "nexthop 3.3.3.89, distance 1, routing mark INET", and everything starts working via the route "nexthop 5.5.5.97, distance 10, routing mark INET".
OpenVPN successfully reconnects and everything works via the second ISP.
After ISP1 comes up, the OpenVPN client still works over ISP2.

In the firewall connection table I see:
/ip firewall connection print detail where protocol="udp"
0 SA protocol=udp src-address=172.16.0.25:49551 dst-address=9.9.9.188:1194 reply-src-address=9.9.9.188:1194 reply-dst-address=5.5.5.98:49551 timeout=23h25m48s 
      p2p=none
As I understand it, when the first ISP is restored, all already established connections continue to work through the second provider.
Quick solution that I came up with:
/tool netwatch
add comment=ISP1 down-script="/ip route set disabled=yes [ find gateway=\"3.3.3.89\" and routing-mark=\"INET\" ]" host=8.8.8.8 up-script=\
    "/ip route set disabled=no [ find gateway=\"3.3.3.89\" and routing-mark=\"INET\" ]"
Replace with
/tool netwatch
add comment=ISP1 down-script="/ip route set disabled=yes [ find gateway=\"3.3.3.89\" and routing-mark=\"INET\" ]" host=8.8.8.8 up-script=\
    "/ip firewall connection remove [ find reply-dst-address~\"5.5.5.98\" ];\r\
    \n/ip route set disabled=no [ find gateway=\"3.3.3.89\" and routing-mark=\"INET\" ]"
Another possible solution:
In routing table INET, use only one nexthop at a time, without a second nexthop with a higher distance, like this:
/tool netwatch
add comment=ISP1 down-script="/ip route set disabled=yes [ find gateway=\"3.3.3.89\" and routing-mark=\"INET\" ]" host=8.8.8.8 up-script=\
    "/ip route set disabled=no [ find gateway=\"3.3.3.89\" and routing-mark=\"INET\" ]"
Replace with
/tool netwatch
add comment=ISP1 down-script="/ip route set disabled=yes [ find gateway=\"3.3.3.89\" and routing-mark=\"INET\" ];\r\
    \n/ip route set disabled=no [ find gateway=\"5.5.5.97\" and routing-mark=\"INET\" ]" host=8.8.8.8 up-script=\
    "/ip firewall connection remove [ find reply-dst-address~\"5.5.5.98\" ];\r\
    \n/ip route set disabled=no [ find gateway=\"3.3.3.89\" and routing-mark=\"INET\" ];\r\
    \n/ip route set disabled=yes [ find gateway=\"5.5.5.97\" and routing-mark=\"INET\" ]"
The essence of this topic: is this the right way?
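As an added example (editor's code, not part of 2dfx's post): the same failback logic written as two /system scripts that netwatch calls, using the addresses from the post. The script names, log messages and the netwatch interval/timeout values are my assumptions. The up-script anchors the regular expression on ISP2's WAN address followed by ":" so that only tracked connections whose reply traffic is addressed to 5.5.5.98, i.e. flows NATed out through ISP2 during the outage, are removed, and it logs how many were flushed so the failback is visible in /log.

```routeros
# Added example, not the original poster's config. Assumes the routes, routing marks
# and the INET table from the post already exist; script names and log text are mine.
/system script
add name=isp1-down source={
    :log warning "ISP1 down: INET table now falls back to the distance-10 route via 5.5.5.97"
    /ip route set disabled=yes [find gateway="3.3.3.89" routing-mark="INET"]
}
add name=isp1-up source={
    :log info "ISP1 up: re-enabling INET route via 3.3.3.89"
    /ip route set disabled=no [find gateway="3.3.3.89" routing-mark="INET"]
    # Flush only connections whose replies are addressed to the ISP2 WAN address.
    # "^5\.5\.5\.98:" keeps the match on that exact address and not on a longer one.
    :local flushed 0
    :foreach c in=[/ip firewall connection find where reply-dst-address~"^5\\.5\\.5\\.98:"] do={
        :log debug ("flushing " . [/ip firewall connection get $c src-address] . " -> " . \
            [/ip firewall connection get $c dst-address] . " (" . [/ip firewall connection get $c protocol] . ")")
        /ip firewall connection remove $c
        :set flushed ($flushed + 1)
    }
    :log info ("ISP1 up: removed " . $flushed . " connection(s) pinned to ISP2")
}
/tool netwatch
add comment=ISP1 host=8.8.8.8 interval=30s timeout=1s \
    down-script="/system script run isp1-down" \
    up-script="/system script run isp1-up"
```

After ISP1 returns, `/ip firewall connection print where reply-dst-address~"5.5.5.98"` should be empty and the log shows the flushed count; the OpenVPN client then has to re-establish its UDP session, which it does through the restored ISP1 route.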
