Failover script to call another script

mmayes · Wed Aug 07, 2019 3:48 am

I'm trying to modify the WAN failover script written by Tomas Kirnak on the wiki page to call another script and can't figure it out.

The script performs the first function of increasing the route depending on which WAN interface is down. In my environment, these two interfaces are Internet-Main and Internet-Backup

I've created two other scripts firewall-to-backup and firewall-to-main which look for firewall filters and nat rules matching the in-interface or out-interface of the downed interface, and will switch to the up interface.

When the failover script switches to the Internet-Backup the firewall-to-backup script should run which performs the following:

/ip firewall filter set [f w in-interface="Internet-Main"] in-interface=Internet-Backup
/ip firewall filter set [f w out-interface="Internet-Main"] out-interface=Internet-Backup
/ip firewall nat set [f w in-interface="Internet-Main"] in-interface=Internet-Backup
/ip firewall nat set [f w out-interface="Internet-Main"] out-interface=Internet-Backup
/queue simple set [f w target="Internet-Main"] target=Internet-Backup
/ip firewall connection remove [find]

When the failover script detects Internet-Main backup up or Internet-Backup is down the firewall-to-main script should run which performs:

/ip firewall filter set [f w in-interface="Internet-Backup"] in-interface=Internet-Main
/ip firewall filter set [f w out-interface="Internet-Backup"] out-interface=Internet-Main
/ip firewall nat set [f w in-interface="Internet-Backup"] in-interface=Internet-Main
/ip firewall nat set [f w out-interface="Internet-Backup"] out-interface=Internet-Main
/queue simple set [f w target="Internet-Backup"] target=Internet-Main
/ip firewall connection remove [find]

Here's the script I'm currently trying to run which increases the distance of the route but I have to manually run each script to restore routable internet to the LAN. Unfortunately, this is the only method I've found to have failover and failback and the firewall filter rules I use are rather complex due to segmented networks. Perhaps there's another way to change these in and out interface rules I'm not realizing.

# ------------------- header -------------------
# Script by Tomas Kirnak, version 1.0.7
# If you use this script, or edit and
# re-use it, please keep the header intact.
#
# For more information and details about
# this script please visit the wiki page at
# http://wiki.mikrotik.com/wiki/Failover_Scripting
# ------------------- header -------------------



# ------------- start editing here -------------
# Edit the variables below to suit your needs

# Please fill the WAN interface names
:local InterfaceISP1 Internet-Main
:local InterfaceISP2 Internet-Backup

# Please fill the gateway IPs (or interface names in case of PPP)
:local GatewayISP1 X.X.X.X
:local GatewayISP2 X.X.X.X

# Please fill the ping check host - currently: resolver1.opendns.com
:local PingTarget 8.8.8.8

# Please fill how many ping failures are allowed before fail-over happends
:local FailTreshold 5

# Define the distance increase of a route when it fails
:local DistanceIncrease 2

# Editing the script after this point may break it
# -------------- stop editing here --------------



# Declare the global variables
:global PingFailCountISP1
:global PingFailCountISP2

# This inicializes the PingFailCount variables, in case this is the 1st time the script has ran
:if ([:typeof $PingFailCountISP1] = "nothing") do={:set PingFailCountISP1 0}
:if ([:typeof $PingFailCountISP2] = "nothing") do={:set PingFailCountISP2 0}

# This variable will be used to keep results of individual ping attempts
:local PingResult



# Check ISP1
:set PingResult [ping $PingTarget count=1 interface=$InterfaceISP1]
:put $PingResult

:if ($PingResult = 0) do={
	:if ($PingFailCountISP1 < ($FailTreshold+2)) do={
		:set PingFailCountISP1 ($PingFailCountISP1 + 1)
		
		:if ($PingFailCountISP1 = $FailTreshold) do={
			:log warning "ISP1 has a problem en route to $PingTarget - increasing distance of routes."
			:foreach i in=[/ip route find gateway=$GatewayISP1 && static] do=\
				{/ip route set $i distance=([/ip route get $i distance] + $DistanceIncrease)}
			:log warning "Route distance increase finished."
			/system script run firewall-to-backup
		}
	}
}
:if ($PingResult = 1) do={
	:if ($PingFailCountISP1 > 0) do={
		:set PingFailCountISP1 ($PingFailCountISP1 - 1)
		
		:if ($PingFailCountISP1 = ($FailTreshold -1)) do={
			:log warning "ISP1 can reach $PingTarget again - bringing back original distance of routes."
			:foreach i in=[/ip route find gateway=$GatewayISP1 && static] do=\
				{/ip route set $i distance=([/ip route get $i distance] - $DistanceIncrease)}
			:log warning "Route distance decrease finished."
			/system script run firewall-to-main
		}
	}
}



# Check ISP2
:set PingResult [ping $PingTarget count=1 interface=$InterfaceISP2]
:put $PingResult

:if ($PingResult = 0) do={
	:if ($PingFailCountISP2 < ($FailTreshold+2)) do={
		:set PingFailCountISP2 ($PingFailCountISP2 + 1)
		
		:if ($PingFailCountISP2 = $FailTreshold) do={
			:log warning "ISP2 has a problem en route to $PingTarget - increasing distance of routes."
			:foreach i in=[/ip route find gateway=$GatewayISP2 && static] do=\
				{/ip route set $i distance=([/ip route get $i distance] + $DistanceIncrease)}
			:log warning "Route distance increase finished."
			/system script run firewall-to-main
		}
	}
}
:if ($PingResult = 1) do={
	:if ($PingFailCountISP2 > 0) do={
		:set PingFailCountISP2 ($PingFailCountISP2 - 1)
		
		:if ($PingFailCountISP2 = ($FailTreshold -1)) do={
			:log warning "ISP2 can reach $PingTarget again - bringing back original distance of routes."
			:foreach i in=[/ip route find gateway=$GatewayISP2 && static] do=\
				{/ip route set $i distance=([/ip route get $i distance] - $DistanceIncrease)}
			:log warning "Route distance decrease finished."
			/system script run firewall-to-backup
		}
	}
}

Thanks in advance for any help.

2frogs · Thu Aug 08, 2019 7:30 am

So if you put these in terminal they run, but not from the script?

/system script run firewall-to-backup

/system script run firewall-to-main

You could also change from using in/out-interface to interface-list and not have to change the firewall rules at all:

/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface list member
add interface=Internet-Main
add interface=Internet-Backp
/ip firewall filter 
set [f w in-interface="Internet-Main"] in-interface-list=WAN
unset [f w in-interface="Internet-Main"] in-interface
set [f w out-interface="Internet-Main"] out-interface-list=Wan
unset [f w out-interface="Internet-Main"] out-interface
/ip firewall nat
set [f w in-interface="Internet-Main"] in-interface-list=WAN
unset [f w in-interface="Internet-Main"] in-interface
set [f w out-interface="Internet-Main"] out-interface-list=WAN
unset [f w out-interface="Internet-Main"] out-interface

And also add two sets of simple queues, one for each target=, then you could just add the line to clear connections to the failover script.

Failover script to call another script

Failover script to call another script

Re: Failover script to call another script

Who is online