kwagga
Frequent Visitor
Topic Author
Posts: 75
Joined: Sun Aug 28, 2011 11:49 pm
Location: Pretoria, South Africa

"Official" 2 WAN Failover Script not working

Fri Apr 12, 2013 10:32 pm

Hi Guys,

So my query is regarding the fail-over script over at http://wiki.mikrotik.com/wiki/Failover_Scripting. While I'm sure this isn't the "official" script, it sure is entered into the Wiki, which does make it more official than a forum thread.

Anywhoo, the script seems awesome enough, but while on WAN2 (aka ISP2 in the script) - after WAN1 (aka ISP1) died, and the script failed over - when the script pings for the gateway of WAN1, the actual ping still goes out of WAN2, resulting in the script never reverting back to WAN1 once it's back up again.

I cannot use 'check gateway' as I want to failover based on logical failures (WAN routing) instead of physical failures, as check gateway and arp would provide.

I've tried this several times now, each time with a clean RouterOS (RB750) install (both v5.23 and RC13), no firewall or mangle rules, but for two masquerade rules.

I executed the script in the terminal, and each time I can see the only ping response was from WAN 2, while the routing table shows WAN1 as unreachable, even though I plugged the cable back in. The only way I was able to force traffic over WAN1 again, was to change the distance to lower than WAN2, as expected.

Any advice would be greatly appreciated!
-
Werner van Heerden
wernergvh[@]gmail.com
HNDip(IS:Network Engineering) - MTCNA - MTCWE - CCENT - MCITP - MCTS
 
kwagga

Re: "Official" 2 WAN Failover Script not working

Sun Apr 14, 2013 9:40 pm

After carefully watching the script in action for a couple minutes, I've found that it DOES work, BUT, it does not automatically revert back to ISP1 when it's reachable again, instead it will stay on ISP2 until it goes down, then only revert back to ISP1.

I noticed that the script increases the route distance of the ISP that's down, as it should, but in doing so, pinging ISP1 won't work, unless it's possible to "force" ping out of ISP1's interface, regardless of distance.
 
tomaskir
Trainer
Posts: 1110
Joined: Sat Sep 24, 2011 2:32 pm
Location: Slovakia

Re: "Official" 2 WAN Failover Script not working

Mon Apr 15, 2013 4:04 am

It's not official. It's just included on the wiki under user submitted scripts.

As the script is mine, I should be able to help you. Are you sure it's not a problem with your mangle / route setup?
Please post "/export compact" from your mangle and routes.

Also, yes, the script actually forces respective pings to go out respective interfaces.
Unimus - configuration management, automation and backup solution
Mass Config Push, network-wide RouterOS upgrades, and more!
 
kwagga

Re: "Official" 2 WAN Failover Script not working

Mon Apr 15, 2013 7:15 am

Hi tomaskir! Thanks for getting back to me!

I started with a blank configuration, no rules, no routes (besides two Gateway routes) or mangles. Only two NAT rules for masquerade.

Would you mind giving a couple tips on what my routing table should look like initially? - What firewall/mangle routes should be present?

Thanks in advance for your assistance!
 
kwagga

Re: "Official" 2 WAN Failover Script not working

Mon Apr 15, 2013 10:44 am

Here is the exported config, as requested.

I noticed, even before running the script, with GW1 and GW2 distances set to 1 and 2 respectively, I cannot ping an IP over GW2 until I change the distances to 2 and 1 (making GW2 the priority) - why is this?


# apr/15/2013 09:35:25 by RouterOS 6.0rc13
#
/interface bridge
add l2mtu=1524 name=bridge-lan3-5
/interface ethernet
set 0 auto-negotiation=no l2mtu=1524 name=P1VOXSAT
set 1 auto-negotiation=no name=P2XPRESS
/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m
/interface bridge port
add bridge=bridge-lan3-5 interface=ether3
add bridge=bridge-lan3-5 interface=ether4
add bridge=bridge-lan3-5 interface=ether5
/ip address
add address=172.20.0.1/24 interface=bridge-lan3-5 network=172.20.0.0
add address=193.168.0.3/24 interface=P2XPRESS network=193.168.0.0
add address=10.10.0.2/24 interface=P1VOXSAT network=10.10.0.0
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip firewall nat
add action=masquerade chain=srcnat out-interface=P2XPRESS src-address-list=""
add action=masquerade chain=srcnat out-interface=P1VOXSAT src-address-list=""
/ip route
add distance=1 gateway=10.10.0.1
add distance=2 gateway=193.168.0.1
/ip service
set www port=8765
/system clock
set time-zone-name=Africa/Johannesburg
/system ntp client
set enabled=yes mode=unicast primary-ntp=196.4.160.4 secondary-ntp=\
    64.90.182.55
/system scheduler
add name=failover-schedule on-event=failover-script policy=\
    ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api \
    start-date=apr/12/2013 start-time=09:26:56
/system script
add name=script1 policy=\
    ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api \
    source="\r\
    \n# Edit the variables below to suit your needs\r\
    \n\r\
    \n# Please fill the WAN interface names\r\
    \n:local InterfaceISP1 P1VOXSAT\r\
    \n:local InterfaceISP2 P2XPRESS\r\
    \n#P1VOXSAT=ETH1\r\
    \n#P2XPRESS=ETH2\r\
    \n\r\
    \n# Please fill the gateway IPs (or interface names in case of PPP)\r\
    \n:local GatewayISP1 192.168.0.254\r\
    \n:local GatewayISP2 193.168.0.1\r\
    \n\r\
    \n# Please fill the ping check host\r\
    \n:local PingTarget 8.8.8.8\r\
    \n\r\
    \n# Please fill how many ping failures are allowed before fail-over happen\
    ds\r\
    \n:local FailTreshold 3\r\
    \n\r\
    \n# Define the distance increase of a route when it fails\r\
    \n:local DistanceIncrease 2\r\
    \n\r\
    \n# Editing the script after this point may break it\r\
    \n\r\
    \n# Declare the global variables\r\
    \n:global PingFailCountISP1\r\
    \n:global PingFailCountISP2\r\
    \n\r\
    \n# This inicializes the PingFailCount variables, in case this is the 1st \
    time the script has ran\r\
    \n:if ([:typeof \$PingFailCountISP1] = \"nothing\") do={:set PingFailCount\
    ISP1 0}\r\
    \n:if ([:typeof \$PingFailCountISP2] = \"nothing\") do={:set PingFailCount\
    ISP2 0}\r\
    \n\r\
    \n# This variable will be used to keep results of individual ping attempts\
    \r\
    \n:local PingResult\r\
    \n\r\
    \n# Check ISP1\r\
    \n:set PingResult [ping \$PingTarget count=1 interface=\$InterfaceISP1]\r\
    \n:put \$PingResult\r\
    \n\r\
    \n:if (\$PingResult = 0) do={\r\
    \n\t:if (\$PingFailCountISP1 < (\$FailTreshold+2)) do={\r\
    \n\t\t:set PingFailCountISP1 (\$PingFailCountISP1 + 1)\r\
    \n\t\t\r\
    \n\t\t:if (\$PingFailCountISP1 = \$FailTreshold) do={\r\
    \n\t\t\t:log warning \"ISP1 has a problem en route to \$PingTarget - incre\
    asing distance of routes.\"\r\
    \n\t\t\t:foreach i in=[/ip route find gateway=\$GatewayISP1 && static] do=\
    \\\r\
    \n\t\t\t\t{/ip route set \$i distance=([/ip route get \$i distance] + \$Di\
    stanceIncrease)}\r\
    \n\t\t\t:log warning \"Route distance increase finished.\"\r\
    \n\t\t}\r\
    \n\t}\r\
    \n}\r\
    \n:if (\$PingResult = 1) do={\r\
    \n\t:if (\$PingFailCountISP1 > 0) do={\r\
    \n\t\t:set PingFailCountISP1 (\$PingFailCountISP1 - 1)\r\
    \n\t\t\r\
    \n\t\t:if (\$PingFailCountISP1 = (\$FailTreshold -1)) do={\r\
    \n\t\t\t:log warning \"ISP1 can reach \$PingTarget again - bringing back o\
    riginal distance of routes.\"\r\
    \n\t\t\t:foreach i in=[/ip route find gateway=\$GatewayISP1 && static] do=\
    \\\r\
    \n\t\t\t\t{/ip route set \$i distance=([/ip route get \$i distance] - \$Di\
    stanceIncrease)}\r\
    \n\t\t\t:log warning \"Route distance decrease finished.\"\r\
    \n\t\t}\r\
    \n\t}\r\
    \n}\r\
    \n\r\
    \n\r\
    \n\r\
    \n# Check ISP2\r\
    \n:set PingResult [ping \$PingTarget count=1 interface=\$InterfaceISP2]\r\
    \n:put \$PingResult\r\
    \n\r\
    \n:if (\$PingResult = 0) do={\r\
    \n\t:if (\$PingFailCountISP2 < (\$FailTreshold+2)) do={\r\
    \n\t\t:set PingFailCountISP2 (\$PingFailCountISP2 + 1)\r\
    \n\t\t\r\
    \n\t\t:if (\$PingFailCountISP2 = \$FailTreshold) do={\r\
    \n\t\t\t:log warning \"ISP2 has a problem en route to \$PingTarget - incre\
    asing distance of routes.\"\r\
    \n\t\t\t:foreach i in=[/ip route find gateway=\$GatewayISP2 && static] do=\
    \\\r\
    \n\t\t\t\t{/ip route set \$i distance=([/ip route get \$i distance] + \$Di\
    stanceIncrease)}\r\
    \n\t\t\t:log warning \"Route distance increase finished.\"\r\
    \n\t\t}\r\
    \n\t}\r\
    \n}\r\
    \n:if (\$PingResult = 1) do={\r\
    \n\t:if (\$PingFailCountISP2 > 0) do={\r\
    \n\t\t:set PingFailCountISP2 (\$PingFailCountISP2 - 1)\r\
    \n\t\t\r\
    \n\t\t:if (\$PingFailCountISP2 = (\$FailTreshold -1)) do={\r\
    \n\t\t\t:log warning \"ISP2 can reach \$PingTarget again - bringing back o\
    riginal distance of routes.\"\r\
    \n\t\t\t:foreach i in=[/ip route find gateway=\$GatewayISP2 && static] do=\
    \\\r\
    \n\t\t\t\t{/ip route set \$i distance=([/ip route get \$i distance] - \$Di\
    stanceIncrease)}\r\
    \n\t\t\t:log warning \"Route distance decrease finished.\"\r\
    \n\t\t}\r\
    \n\t}\r\
    \n}"
 
tomaskir

Re: "Official" 2 WAN Failover Script not working

Mon Apr 15, 2013 12:32 pm

Your problem is you don't have the 2 connections set up at all. You need to fix your mangle and your routing table for it to all work correctly.

Watch my presentation here: http://tiktube.com/video/DofH3iFnjDJomG ... uKlEoLqHq=
It should explain most of the stuff you need to make it all work.
 
kwagga

Re: "Official" 2 WAN Failover Script not working

Mon Apr 15, 2013 4:33 pm

Hi tomaskir,

Thanks for the advice. I had a look at your presentation PDF, and copied the console commands as closely as possible, yet up until before page 38 - since I don't want load balancing, only automated fail-over (and restore).

Yes, the same problem persists, when ISP1 is the primary connection, I cannot ping out of ISP2's interface.

Here is my mangle and routing rules:
/ip address
add address=172.20.0.1/24 interface=LAN network=172.20.0.0
add address=193.168.0.3/24 interface=ISP_2 network=193.168.0.0
add address=10.10.0.2/24 interface=ISP_1 network=10.10.0.0
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ISP_2 src-address-list=""
add action=masquerade chain=srcnat out-interface=ISP_1 src-address-list=""
add action=masquerade chain=srcnat out-interface=ISP_1
add action=masquerade chain=srcnat out-interface=ISP_2
/ip firewall mangle
add chain=prerouting dst-address-list=Connected src-address-list=Connected
add action=mark-connection chain=input connection-mark=no-mark in-interface=ISP_1 new-connection-mark=WAN1->ROS
add action=mark-connection chain=input connection-mark=no-mark in-interface=ISP_2 new-connection-mark=WAN2->ROS
add action=mark-routing chain=output connection-mark=WAN1->ROS new-routing-mark=ISP1_Route
add action=mark-routing chain=output connection-mark=WAN2->ROS new-routing-mark=ISP2_Route
add action=mark-connection chain=forward connection-mark=no-mark in-interface=ISP_1 new-connection-mark=WAN1->LANs
add action=mark-connection chain=forward connection-mark=no-mark in-interface=ISP_2 new-connection-mark=WAN2->LANs
add action=mark-routing chain=prerouting connection-mark=WAN1->LANs new-routing-mark=ISP1_Route src-address-list=LAN
add action=mark-routing chain=prerouting connection-mark=WAN2->LANs new-routing-mark=ISP2_Route src-address-list=LAN
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-list=!Connected dst-address-type=!local new-connection-mark=LAN->WAN src-address-list=LAN
add action=mark-routing chain=prerouting connection-mark=LAN->WAN new-routing-mark=ISP1_Route src-address-list=LAN
add action=mark-routing chain=prerouting connection-mark=LAN->WAN new-routing-mark=ISP1_Route src-address-list=LAN
add action=mark-routing chain=output connection-mark=WAN2->ROS new-routing-mark=ISP2_Route
/ip route
add distance=1 gateway=10.10.0.1 routing-mark=ISP1_Route
add distance=3 gateway=193.168.0.1 routing-mark=ISP2_Route
add distance=1 gateway=10.10.0.1
add distance=4 gateway=193.168.0.1
Thanks again for the assistance!
 
tomaskir

Re: "Official" 2 WAN Failover Script not working

Mon Apr 15, 2013 8:09 pm

Your mangle is still not right. Since you aren't doing the actual topology in my presentation, but a different thing, you need to modify the mangle, the presentation was just an example so you could see how the whole thing is supposed to work.

Put just this in your mangle.
/ip firewall mangle
add chain=prerouting dst-address-list=Connected src-address-list=Connected
add action=mark-connection chain=input connection-mark=no-mark in-interface=ISP_1 new-connection-mark=WAN1->ROS
add action=mark-connection chain=input connection-mark=no-mark in-interface=ISP_2 new-connection-mark=WAN2->ROS
add action=mark-routing chain=output connection-mark=WAN1->ROS new-routing-mark=ISP1_Route
add action=mark-routing chain=output connection-mark=WAN2->ROS new-routing-mark=ISP2_Route
add action=mark-connection chain=forward connection-mark=no-mark in-interface=ISP_1 new-connection-mark=WAN1->LANs
add action=mark-connection chain=forward connection-mark=no-mark in-interface=ISP_2 new-connection-mark=WAN2->LANs
add action=mark-routing chain=prerouting connection-mark=WAN1->LANs new-routing-mark=ISP1_Route src-address-list=LAN
add action=mark-routing chain=prerouting connection-mark=WAN2->LANs new-routing-mark=ISP2_Route src-address-list=LAN
That will make your router and LAN (if you do some NATs) accessible from both ISPs. You don't need any more mangle, since your LAN -> WAN connections will always stay in the "main" routing table.

The rest of your setup is OK, so the script should now work fine. Example from one of our routers here. (I have more routes in each WAN routing table because of load-balancing)
 
kwagga

Re: "Official" 2 WAN Failover Script not working

Mon Apr 15, 2013 8:51 pm

Thank you very much for your help, I sincerely appreciate it.

I will test the updated mangle script first thing tomorrow morning!

Awesome MUM presentation by the way, I'll be referring to it in future.
 
kwagga

Re: "Official" 2 WAN Failover Script not working

Tue Apr 16, 2013 11:16 am

What am I missing here?

I can ping both ISPs now from RouterOS, thank you for helping out, but now my LAN cannot access the net, I can see packet flow through the NAT rules, but nothing beyond that, I also checked and double checked the distances, and my masquerade rules....
/ip address
add address=172.20.0.1/24 interface=LAN network=172.20.0.0
add address=10.10.0.2/24 interface=ISP_2 network=10.10.0.0
add address=192.168.1.2/24 interface=ISP_1 network=192.168.1.0

/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4


/ip firewall address-list
add address=193.168.0.0/24 list=Connected
add address=10.10.0.0/24 list=Connected
add address=172.20.0.0/24 list=Connected
add address=172.20.0.0/24 list=LAN
add address=10.10.0.0/24 list=Connected
add address=193.168.0.0/24 list=Connected
add address=172.168.0.0/24 list=Connected
add address=172.168.0.0/24 list=LAN


/ip firewall mangle
add chain=prerouting disabled=yes dst-address-list=Connected \
    src-address-list=Connected
add action=mark-connection chain=input connection-mark=no-mark disabled=yes \
    in-interface=ISP_1 new-connection-mark=WAN1->ROS
add action=mark-connection chain=input connection-mark=no-mark disabled=yes \
    in-interface=ISP_2 new-connection-mark=WAN2->ROS
add action=mark-routing chain=output connection-mark=WAN1->ROS disabled=yes \
    new-routing-mark=ISP1_Route
add action=mark-routing chain=output connection-mark=WAN2->ROS disabled=yes \
    new-routing-mark=ISP2_Route
add action=mark-connection chain=forward connection-mark=no-mark disabled=yes \
    in-interface=ISP_1 new-connection-mark=WAN1->LANs
add action=mark-connection chain=forward connection-mark=no-mark disabled=yes \
    in-interface=ISP_2 new-connection-mark=WAN2->LANs
add action=mark-routing chain=prerouting connection-mark=WAN1->LANs disabled=\
    yes new-routing-mark=ISP1_Route src-address-list=LAN
add action=mark-routing chain=prerouting connection-mark=WAN2->LANs disabled=\
    yes new-routing-mark=ISP2_Route src-address-list=LAN


/ip firewall nat
add chain=srcnat out-interface=ISP_1
add chain=srcnat out-interface=ISP_2


/ip route
add check-gateway=ping distance=1 gateway=192.168.1.1 routing-mark=ISP1
add distance=1 gateway=192.168.1.1 routing-mark=ISP1
add check-gateway=ping distance=2 gateway=10.10.0.1 routing-mark=ISP1
add distance=2 gateway=10.10.0.1 routing-mark=ISP1
add check-gateway=ping distance=1 gateway=10.10.0.1 routing-mark=ISP2
add distance=1 gateway=10.10.0.1 routing-mark=ISP2
add check-gateway=ping distance=2 gateway=192.168.1.1 routing-mark=ISP2
add distance=2 gateway=192.168.1.1 routing-mark=ISP2
add distance=1 gateway=192.168.1.1 scope=10
add distance=1 gateway=192.168.1.1
add distance=2 gateway=10.10.0.1 scope=10
add distance=1 dst-address=8.8.4.4/32 gateway=192.168.1.1 scope=10
add distance=1 dst-address=8.8.4.4/32 gateway=10.10.0.1 scope=10
add distance=1 dst-address=8.8.8.8/32 gateway=10.10.0.1 scope=10
add distance=1 dst-address=8.8.8.8/32 gateway=192.168.1.1 scope=10
 
tomaskir

Re: "Official" 2 WAN Failover Script not working

Tue Apr 16, 2013 11:36 am

There is an error in your address-list, also, your routes are a mess now.

Reenable all the mangles and it should work. If not, try to add this mangle rule as the last rule, but it should not be needed.
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-list=!Connected dst-address-type=!local new-connection-mark=LAN->WAN src-address-list=LAN
Also, watch the actual presentation, and try to read up on the subject to understand how it works, it's better in the long run than copying things on/to forums.
 
kwagga

Re: "Official" 2 WAN Failover Script not working

Tue Apr 16, 2013 11:56 am

> Also, watch the actual presentation, and try to read up on the subject to understand how it works, it's better in the long run than copying things on/to forums.

I have the MTCNA training scheduled for next week, but my manager requires a working Failover script "TODAY" - to quote him.

So I'm left learning about mikrotik routing, mangles, and route marking - all in one go.

I noticed that even though I can ping through both ISPs now, if I kill the ISP2 connection, and once the script makes the necessary distance changes, I still cannot ping ISP2 once it's plugged back in - I assume this is because my routes are a mess?
 
tomaskir

Re: "Official" 2 WAN Failover Script not working

Tue Apr 16, 2013 12:12 pm

Possibly. The script will properly fallback to the primary connection when it comes back if everything is configured properly.

Test it multiple times, see if it works with ping from console, and what the script does with pings, if the variables get decreased properly, etc.
Unimus - configuration management, automation and backup solution
Mass Config Push, network-wide RouterOS upgrades, and more!
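
To make the "see if the variables get decreased properly" check concrete, here is a small Python model of the counter and distance logic in the script posted earlier in this thread. It is an added illustration, not part of any post and not tomaskir's code; `step`, `trace` and `runs_until_fallback` are hypothetical names and the ping histories are constructed. The last trace assumes the global counter has been reset to 0 (for example by a reboot, since RouterOS global variables are not kept across one) while the raised distance stays in the saved configuration.

```python
# Python model of the per-ISP branch of the failover script posted in this thread.
# Constants are the values set in that script.
FAIL_THRESHOLD = 3       # :local FailTreshold 3
DISTANCE_INCREASE = 2    # :local DistanceIncrease 2


def step(count, distance, ping_ok):
    """One scheduler run for one ISP: returns the new (PingFailCount, route distance)."""
    if not ping_ok:
        # Failures are counted up to FailTreshold+2; the route is penalised
        # once, on the run where the counter reaches the threshold.
        if count < FAIL_THRESHOLD + 2:
            count += 1
            if count == FAIL_THRESHOLD:
                distance += DISTANCE_INCREASE
    elif count > 0:
        # Successes count back down; the penalty is removed on the run where
        # the counter drops to FailTreshold-1.
        count -= 1
        if count == FAIL_THRESHOLD - 1:
            distance -= DISTANCE_INCREASE
    return count, distance


def trace(pings, count=0, distance=1):
    """Replay a sequence of ping results (True = reply) and record each run."""
    rows = []
    for ok in pings:
        count, distance = step(count, distance, ok)
        rows.append((count, distance))
    return rows


def runs_until_fallback(outage_runs):
    """Successful runs needed after an outage before the original distance returns."""
    count, distance = 0, 1
    for _ in range(outage_runs):
        count, distance = step(count, distance, False)
    runs = 0
    while distance != 1:
        count, distance = step(count, distance, True)
        runs += 1
    return runs


if __name__ == "__main__":
    # Constructed ping history: six failed runs, then four successful ones.
    for run, (count, distance) in enumerate(trace([False] * 6 + [True] * 4), 1):
        print(f"run {run:2}: PingFailCount={count} distance={distance}")
    # Assumption: counter reset to 0 while the route is still penalised. It never
    # reaches FailTreshold-1 from above, so the distance is not restored.
    print(trace([True] * 3, count=0, distance=3))
```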
 
kwagga

Re: "Official" 2 WAN Failover Script not working

Tue Apr 16, 2013 1:37 pm

Is it possible to post what the routing table should look like?
 
tomaskir

Re: "Official" 2 WAN Failover Script not working

Tue Apr 16, 2013 2:13 pm

/ip route
add distance=1 gateway=10.10.0.1 routing-mark=ISP1_Route
add distance=1 gateway=193.168.0.1 routing-mark=ISP2_Route
add distance=1 gateway=10.10.0.1
add distance=2 gateway=193.168.0.1
Assuming you do no load-balancing, assuming all the connections go out 10.10.0.1 unless it's down, and assuming instant fallback of all traffic when that ISP is back up.
 
aacable
Member
Posts: 420
Joined: Wed Sep 17, 2008 11:58 am
Location: ISLAMIC Republic of PAKISTAN

Re: "Official" 2 WAN Failover Script not working

Wed Apr 17, 2013 9:22 am

> After carefully watching the script in action for a couple minutes, I've found that it DOES work, BUT, it does not automatically revert back to ISP1 when it's reachable again, instead it will stay on ISP2 until it goes down, then only revert back to ISP1.
>
> I noticed that the script increases the route distance of the ISP that's down, as it should, but in doing so, pinging ISP1 won't work, unless it's possible to "force" ping out of ISP1's interface, regardless of distance.

You can simply create a route for target host, for example if you are monitoring 8.8.8.8, then create a route for 8.8.8.8 that should always go via WAN1. This way monitoring to 8.8.8.8 will always go via WAN1. For example:
/ip route add comment="Static ROUTE for 8.8.8.8 so it should always go from WAN 1" disabled=no distance=1 dst-address=8.8.8.8/32 gateway=Primary_GW_IP scope=30 target-scope=1
Last edited by aacable on Wed Apr 17, 2013 11:00 am, edited 1 time in total.
_____________
Regard's

Syed Jahanzaib
Web: http://aacable.wordpress.com
Email: aacable [at] hotmail.com
 
kwagga

Re: "Official" 2 WAN Failover Script not working

Wed Apr 17, 2013 9:43 am

My goal is to create a "fully functional" failover-ready routerboard, both for novices like myself, and others looking for a starting point in creating more elaborate fail-over scripts...

Since tomaskir's script is the first result returned when Googling, for example, I think it's good to at least have the "official" script working as it should - I know I know, it's not official, but like I said before, an entry in the Wiki is more 'official' than in the forum.

Just to recap, the script is located here http://wiki.mikrotik.com/wiki/Failover_Scripting

So here is what I have so far, thanks to tomaskir. What is the below paste'able code missing?
/ip address
add address=172.20.0.1/24 interface=LAN network=172.20.0.0
add address=10.10.0.2/24 interface=ISP_2 network=10.10.0.0
add address=193.168.0.2/24 interface=ISP_1 network=192.168.1.0

/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4

/ip firewall mangle
add chain=prerouting dst-address-list=Connected src-address-list=Connected
add action=mark-connection chain=input connection-mark=no-mark in-interface=ISP_1 new-connection-mark=WAN1->ROS
add action=mark-connection chain=input connection-mark=no-mark in-interface=ISP_2 new-connection-mark=WAN2->ROS
add action=mark-routing chain=output connection-mark=WAN1->ROS new-routing-mark=ISP1_Route
add action=mark-routing chain=output connection-mark=WAN2->ROS new-routing-mark=ISP2_Route
add action=mark-connection chain=forward connection-mark=no-mark in-interface=ISP_1 new-connection-mark=WAN1->LANs
add action=mark-connection chain=forward connection-mark=no-mark in-interface=ISP_2 new-connection-mark=WAN2->LANs
add action=mark-routing chain=prerouting connection-mark=WAN1->LANs new-routing-mark=ISP1_Route src-address-list=LAN
add action=mark-routing chain=prerouting connection-mark=WAN2->LANs new-routing-mark=ISP2_Route src-address-list=LAN

/ip firewall nat
add action=masquerade chain=srcnat out-interface=ISP_1 src-address-list=""
add action=masquerade chain=srcnat out-interface=ISP_2 src-address-list=""
add chain=srcnat out-interface=ISP_1
add chain=srcnat out-interface=ISP_2

/ip route
add distance=1 gateway=10.10.0.1 routing-mark=ISP1_Route
add distance=1 gateway=193.168.0.1 routing-mark=ISP2_Route
add distance=1 gateway=10.10.0.1
add distance=2 gateway=193.168.0.1

Why is this required:
add chain=srcnat out-interface=ISP_1
add chain=srcnat out-interface=ISP_2

When this will suffice?
add action=masquerade chain=srcnat out-interface=ISP_1 src-address-list=""
add action=masquerade chain=srcnat out-interface=ISP_2 src-address-list=""
 
tomaskir

Re: "Official" 2 WAN Failover Script not working

Wed Apr 17, 2013 9:46 am

> add chain=srcnat out-interface=ISP_1
> add chain=srcnat out-interface=ISP_2

These don't need to be there, you only need to have the masquerade rules.

> You can simply create a route for target host, for example if you are monitoring 8.8.8.8, then create a route for 8.8.8.8 that should always go via WAN1. This way monitoring to 8.8.8.8 will always go via WAN1. For example:
> /ip route add comment="Static ROUTE for 8.8.8.8 so it should always go from WAN 1" disabled=no distance=1 dst-address=8.8.8.8/32 gateway=Primary_GW_IP scope=30 target-scope=1
> http://aacable.wordpress.com/2013/04/12 ... r-scripts/

I personally don't like recursive route lookup as a means for fail-over because:
1) it makes a mess of your routing table
2) you have to force one host to WAN1 only, and another host to WAN2 only. If you have more than 2 connections, you have to dedicate a single host for each WAN connection to always go out that WAN connection.
 
kwagga

Re: "Official" 2 WAN Failover Script not working

Wed Apr 17, 2013 2:45 pm

Okay, so as per the above code, here it is made live... yet, it's still not working...

I also wanted to ask, what's the purpose of, and why is it required:

/ip firewall address-list
add address=193.168.0.0/24 list=Connected
add address=10.10.0.0/24 list=Connected
add address=172.20.0.0/24 list=Connected
add address=172.20.0.0/24 list=LAN
add address=10.10.0.0/24 list=Connected
add address=193.168.0.0/24 list=Connected
add address=172.168.0.0/24 list=Connected
add address=172.168.0.0/24 list=LAN
/ip address
add address=172.20.0.1/24 interface=LAN
add address=192.168.1.2/24 interface=ISP_2
add address=192.168.70.200/16 interface=ISP_1

/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4

/ip firewall mangle
add chain=prerouting dst-address-list=Connected src-address-list=Connected
add action=mark-connection chain=input connection-mark=no-mark in-interface=\
ISP_1 new-connection-mark=WAN1->ROS
add action=mark-connection chain=input connection-mark=no-mark in-interface=\
ISP_2 new-connection-mark=WAN2->ROS
add action=mark-routing chain=output connection-mark=WAN1->ROS \
new-routing-mark=ISP1_Route
add action=mark-routing chain=output connection-mark=WAN2->ROS \
new-routing-mark=ISP2_Route
add action=mark-connection chain=forward connection-mark=no-mark in-interface=\
ISP_1 new-connection-mark=WAN1->LANs
add action=mark-connection chain=forward connection-mark=no-mark in-interface=\
ISP_2 new-connection-mark=WAN2->LANs
add action=mark-routing chain=prerouting connection-mark=WAN1->LANs \
new-routing-mark=ISP1_Route src-address-list=LAN
add action=mark-routing chain=prerouting connection-mark=WAN2->LANs \
new-routing-mark=ISP2_Route src-address-list=LAN

/ip firewall nat
add chain=srcnat out-interface=ISP_1
add chain=srcnat out-interface=ISP_2

/ip route
add distance=1 gateway=192.168.0.254 routing-mark=ISP1_Route
add distance=1 gateway=192.168.1.1 routing-mark=ISP2_Route
add distance=1 gateway=192.168.0.254
add distance=2 gateway=192.168.1.1
 
kwagga

Re: "Official" 2 WAN Failover Script not working

Wed Apr 17, 2013 2:50 pm

What I find interesting is that all the routes are going through ISP_2, even though ISP_1's gateway is only available on eth1.
 
tomaskir

Re: "Official" 2 WAN Failover Script not working

Wed Apr 17, 2013 6:36 pm

The address lists are required for mangle. It's explained in the presentation.

Also, your routes are wrong in your last post. As you can see, they are going out through wrong interfaces.
Also, in your IP Addresses, you have IP addresses assigned outside of the specified network.
Unimus - configuration management, automation and backup solution
Mass Config Push, network-wide RouterOS upgrades, and more!
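
The kinds of problems called out in this thread (an address outside its stated network, an address-list that does not match the connected subnets, marked routes whose gateway sits on the other WAN) can be checked mechanically against an export. The following Python linter is an added example, not code from the thread's participants or from MikroTik; the function names and check labels are hypothetical and the sample export is constructed. It assumes the Connected list is meant to contain every connected subnet and that routing marks are derived through the input/output mangle rules posted above.

```python
import ipaddress
import shlex
from collections import defaultdict

# Constructed sample, modelled on the exports posted in this thread.
SAMPLE_EXPORT = r"""
/ip address
add address=172.20.0.1/24 interface=LAN network=172.20.0.0
add address=10.10.0.2/24 interface=ISP_2 network=10.10.0.0
add address=193.168.0.2/24 interface=ISP_1 network=192.168.1.0
/ip firewall address-list
add address=172.20.0.0/24 list=Connected
add address=10.10.0.0/24 list=Connected
/ip firewall mangle
add chain=prerouting dst-address-list=Connected src-address-list=Connected
add action=mark-connection chain=input connection-mark=no-mark in-interface=\
    ISP_1 new-connection-mark=WAN1->ROS
add action=mark-connection chain=input connection-mark=no-mark in-interface=\
    ISP_2 new-connection-mark=WAN2->ROS
add action=mark-routing chain=output connection-mark=WAN1->ROS \
    new-routing-mark=ISP1_Route
add action=mark-routing chain=output connection-mark=WAN2->ROS \
    new-routing-mark=ISP2_Route
/ip route
add distance=1 gateway=10.10.0.1 routing-mark=ISP1_Route
add distance=1 gateway=193.168.0.1 routing-mark=ISP2_Route
add distance=1 gateway=10.10.0.1
add distance=2 gateway=193.168.0.1
add distance=1 gateway=192.168.1.1 routing-mark=ISP1
"""

def parse_export(text):
    """Return {section: [{key: value}, ...]} for the 'add' lines of an export."""
    sections, current, pending = defaultdict(list), None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):        # export wraps long lines, even mid-token
            pending = line[:-1]
            continue
        pending = ""
        if line.startswith("/"):       # section header such as "/ip route"
            current = line
        elif line.startswith("add ") and current:
            pairs = (t.split("=", 1) for t in shlex.split(line) if "=" in t)
            sections[current].append(dict(pairs))
    return sections

def _net(text):
    try:
        return ipaddress.ip_network(text, strict=False)
    except ValueError:
        return None                    # address ranges and DNS names are skipped

def lint(text):
    """Return a list of (check, detail) findings for one export."""
    cfg, findings = parse_export(text), []
    # 1. Connected subnet per address, and address/network agreement.
    connected = []
    for a in cfg["/ip address"]:
        iface = ipaddress.ip_interface(a["address"])
        connected.append((a["interface"], iface.network))
        declared = a.get("network")
        if declared and ipaddress.ip_address(declared) != iface.network.network_address:
            findings.append(("addr-network-mismatch", a["interface"]))
    # 2. Overlapping subnets make it ambiguous which interface reaches a gateway.
    for i, (n1, s1) in enumerate(connected):
        for n2, s2 in connected[i + 1:]:
            if s1.overlaps(s2):
                findings.append(("overlapping-subnets", f"{n1}/{n2}"))
    # 3. Assumption: the "Connected" list should hold every connected subnet.
    listed = {_net(e["address"]) for e in cfg["/ip firewall address-list"]
              if e.get("list") == "Connected"}
    for _, net in connected:
        if listed and net not in listed:
            findings.append(("not-in-Connected-list", str(net)))
    # 4. Follow in-interface -> connection mark -> routing mark through mangle.
    mangle = cfg["/ip firewall mangle"]
    conn_iface = {m["new-connection-mark"]: m["in-interface"] for m in mangle
                  if m.get("chain") == "input" and "in-interface" in m
                  and "new-connection-mark" in m}
    mark_iface = {m["new-routing-mark"]: conn_iface[m["connection-mark"]]
                  for m in mangle if m.get("chain") == "output"
                  and "new-routing-mark" in m and m.get("connection-mark") in conn_iface}
    set_marks = {m["new-routing-mark"] for m in mangle if "new-routing-mark" in m}
    # 5. Each route: is the gateway connected, and on the WAN its mark belongs to?
    for r in cfg["/ip route"]:
        gw, mark = r.get("gateway", ""), r.get("routing-mark")
        try:
            gw_ip = ipaddress.ip_address(gw)
        except ValueError:
            continue                   # gateway given as an interface name (PPP)
        via = [name for name, net in connected if gw_ip in net]
        if not via:
            findings.append(("gateway-not-connected", gw))
        if mark and mark not in set_marks:
            findings.append(("mark-never-set-by-mangle", mark))
        if via and mark in mark_iface and mark_iface[mark] not in via:
            findings.append(("mark-gateway-wrong-interface", f"{mark} via {gw}"))
    return findings

if __name__ == "__main__":
    for check, detail in lint(SAMPLE_EXPORT):
        print(f"{check}: {detail}")
```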
 
kwagga

Re: "Official" 2 WAN Failover Script not working

Fri Apr 26, 2013 7:13 pm

You can simply create a route for the target host. For example, if you are monitoring 8.8.8.8, then create a route for 8.8.8.8 that should always go via WAN1. This way monitoring of 8.8.8.8 will always go via WAN1. For example:
/ip route add comment="Static ROUTE for 8.8.8.8 so it should always go from WAN 1" disabled=no distance=1 dst-address=8.8.8.8/32 gateway=Primary_GW_IP scope=30 target-scope=1

What happens if WAN1 is down, and WAN2 is up? - Wouldn't the above route break the script? (By the way, I'm a big follower of your blog!)

tomaskir, can I get your input as well? -So I did my MTCNA course this week, aaaand I watched your presentation [again]. Thank you, after the course, your presentation made much more sense, and the light-bulb that went up in my head was this big >
Image


BUT, after I manually typed all the code out, checking each phase of your presentation, all is working, I understand now, that even without the script, "fail over" technically still works, since plugging WAN1 out, the second route (WAN2) automatically becomes active.

But I noticed now, the script works fine and changed the route distances to give ISP2 priority, but again pings will go out ISP2/WAN2, so even if WAN1 is back up, the script won't notice it.

Did I miss something?


P.S I passed my MTCNA, so stoked! Now onto MTCWE.
 
tomaskir
Trainer
Posts: 1110
Joined: Sat Sep 24, 2011 2:32 pm
Location: Slovakia

Re: "Official" 2 WAN Failover Script not working

Fri Apr 26, 2013 10:52 pm

Hehe, I laughed good at the light-bulb :)

So, what is not working for you now with the script is fall-back?
 
kwagga
Frequent Visitor
Topic Author
Posts: 75
Joined: Sun Aug 28, 2011 11:49 pm
Location: Pretoria, South Africa

Re: "Official" 2 WAN Failover Script not working

Fri Apr 26, 2013 11:17 pm

That's exactly the problem, the script does not fall back to ISP1 when it's back online.

As seen in the logs, I have to manually disconnect ISP2 in order for ISP1 to come back up.
 
tomaskir
Trainer
Posts: 1110
Joined: Sat Sep 24, 2011 2:32 pm
Location: Slovakia

Re: "Official" 2 WAN Failover Script not working

Fri Apr 26, 2013 11:21 pm

Ok, let's do it this way: contact me on Skype, it will simply be much much faster to figure out :)
 
kwagga
Frequent Visitor
Topic Author
Posts: 75
Joined: Sun Aug 28, 2011 11:49 pm
Location: Pretoria, South Africa

Re: "Official" 2 WAN Failover Script not working

Sat Apr 27, 2013 2:16 pm

Just an update for future readers of this post.
tomaskir eventually remotely connected to my configuration, and he detected a bug in ROS 5.24 as well as 6.0 RC14 (quite possibly all the RC's).

Since this error is reproducible, he will create a report for Mikrotik's development perusal.

But for the time being, the only solution is to use manual failover, or downgrade to an earlier version, or make use of a different solution.

(Note for Tomas: Even with static ARP on 5.24, ICMP's would stop after a couple minutes)
 
kwagga
Frequent Visitor
Topic Author
Posts: 75
Joined: Sun Aug 28, 2011 11:49 pm
Location: Pretoria, South Africa

Re: "Official" 2 WAN Failover Script not working

Sat Apr 27, 2013 3:22 pm

You can simply create a route for the target host. For example, if you are monitoring 8.8.8.8, then create a route for 8.8.8.8 that should always go via WAN1. This way monitoring of 8.8.8.8 will always go via WAN1. For example:
/ip route add comment="Static ROUTE for 8.8.8.8 so it should always go from WAN 1" disabled=no distance=1 dst-address=8.8.8.8/32 gateway=Primary_GW_IP scope=30 target-scope=1
Hi aacable,

I decided to give recursive monitoring a try - it's working now.

It's not as elegant as I hoped, but beggars can't be choosers.

Thanks for the help!
 
tomaskir
Trainer
Posts: 1110
Joined: Sat Sep 24, 2011 2:32 pm
Location: Slovakia

Re: "Official" 2 WAN Failover Script not working

Tue May 07, 2013 11:05 am

Just a little update, I confirmed all is working as it should on 5.12.

I found a DL here, if you wanna try it with your setup.
http://download.mikrotikindonesia.com/i ... e-5.12.npk
 
kwagga
Frequent Visitor
Topic Author
Posts: 75
Joined: Sun Aug 28, 2011 11:49 pm
Location: Pretoria, South Africa

Re: "Official" 2 WAN Failover Script not working

Tue May 07, 2013 11:09 am

Hi!

Thanks Tomas!

Do you reckon it's advisable to downgrade a RB when the downgrade ROS is lower than the version the board came out with?
 
tomaskir
Trainer
Posts: 1110
Joined: Sat Sep 24, 2011 2:32 pm
Location: Slovakia

Re: "Official" 2 WAN Failover Script not working

Tue May 07, 2013 11:34 am

Well, worst case scenario, you will have to netinstall it to a newer version, so make sure you have backups :)
 
ahmedramze
Frequent Visitor
Posts: 94
Joined: Mon Feb 21, 2005 9:29 am
Location: IRAQ

Re: "Official" 2 WAN Failover Script not working

Tue Jul 16, 2013 2:45 am

You are looking for failover, not for load balancing.

There is no need for these scripts; you just need to monitor the ISP with DNS and change the route according to WAN failures. It takes only 7 lines.

WAN1 192.168.1.2/24 with gateway 192.168.1.1 ISP1
WAN2 192.168.2.2/24 with gateway 192.168.2.1 ISP2
/ip address add address=192.168.1.2/24 interface=WAN1
/ip address add address=192.168.2.2/24 interface=WAN2
ISP1 will be the main and ISP2 will be the backup. Now route all traffic to ISP1:
/ip route add gateway=192.168.1.1
Now set the monitor IP for WAN1; we will use public DNS servers like 8.8.8.8, 8.8.4.4:
/ip route add dst-address=8.8.8.8 gateway=192.168.1.1 comment=ISP1

/tool netwatch
add down-script=ISP1_Down host=8.8.8.8 interval=10s timeout=500ms up-script=ISP1_UP
/system script
add name=ISP1_Down  source="ip route set [/ip route find dst-address=0.0.0.0/0]  gateway=192.168.2.1"
add name=ISP1_UP  source="ip route set [/ip route find dst-address=0.0.0.0/0]  gateway=192.168.1.1"
I tested this and it works 100%.

If you are looking for load balancing, that is different code.
 
herot
just joined
Posts: 7
Joined: Sun Jul 14, 2013 2:22 am

Re: "Official" 2 WAN Failover Script not working

Sat Aug 10, 2013 11:12 pm

When testing this script I found that it works fine when lines outside of the building go down. However, when you unplug the primary WAN cable from the router it creates a "script loop" and every 10 secs it keeps switching the 0.0.0.0/0 gateways back and forth. What sort of trick could one use to prevent this?
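
Why the gateway keeps flipping, as an added example that is not part of the original posts: a small Python model of the Netwatch configuration posted above (probe host 8.8.8.8 pinned to WAN1, up/down scripts rewriting the default route). The route-activation rule, Netwatch starting in the "up" state and the optional higher-distance blackhole route for the probe host are assumptions of this model, not settings taken from the thread.

```python
import ipaddress

# Gateways and probe host as posted above; the blackhole route is an added assumption.
GW_IFACE = {"192.168.1.1": "WAN1", "192.168.2.1": "WAN2"}
PROBE = "8.8.8.8"
PRIMARY, BACKUP = "192.168.1.1", "192.168.2.1"


class Router:
    def __init__(self, pin_blackhole=False):
        self.link = {"WAN1": True, "WAN2": True}       # cable between router and modem
        self.upstream = {"WAN1": True, "WAN2": True}   # ISP path beyond the modem
        # Each route: [destination, gateway, distance]; gateway None = blackhole.
        self.routes = [["0.0.0.0/0", PRIMARY, 1], [PROBE + "/32", PRIMARY, 1]]
        if pin_blackhole:
            self.routes.append([PROBE + "/32", None, 20])
        self.changes = 0

    def active(self, route):
        # A static route is only active while its gateway's interface has link.
        return route[1] is None or self.link[GW_IFACE[route[1]]]

    def lookup(self, dst):
        addr = ipaddress.ip_address(dst)
        hits = [r for r in self.routes
                if self.active(r) and addr in ipaddress.ip_network(r[0])]
        # Longest prefix wins, then lowest distance.
        return min(hits, key=lambda r: (-ipaddress.ip_network(r[0]).prefixlen, r[2]),
                   default=None)

    def probe(self):
        route = self.lookup(PROBE)
        if route is None or route[1] is None:
            return False                       # no route, or dropped by the blackhole
        return self.upstream[GW_IFACE[route[1]]]

    def set_default(self, gateway):
        # What the ISP1_Down / ISP1_UP scripts do: rewrite the 0.0.0.0/0 gateway.
        for r in self.routes:
            if r[0] == "0.0.0.0/0" and r[1] != gateway:
                r[1] = gateway
                self.changes += 1


def simulate(fault, pin_blackhole=False, ticks=6):
    """Run `ticks` Netwatch intervals after the fault; return (gateway history, changes)."""
    router = Router(pin_blackhole)
    if fault == "upstream":
        router.upstream["WAN1"] = False        # line cut outside the building
    elif fault == "cable":
        router.link["WAN1"] = False            # WAN1 cable pulled from the router
    state_up, history = True, []               # Netwatch assumed to start in "up"
    for _ in range(ticks):
        ok = router.probe()
        if ok != state_up:                     # Netwatch fires only on a state change
            router.set_default(PRIMARY if ok else BACKUP)
            state_up = ok
        history.append(router.routes[0][1])
    return history, router.changes


if __name__ == "__main__":
    for fault, pin in [("upstream", False), ("cable", False), ("cable", True)]:
        print(fault, "blackhole" if pin else "as posted", simulate(fault, pin))
```

With the cable pulled, the pinned /32 route goes inactive, so the probe follows whatever the default route currently is and succeeds through WAN2, which triggers the up-script on every other interval. In the blackhole variant the probe can never leave through WAN2, so the default route changes once and stays on the backup.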
 
ahmedramze
Frequent Visitor
Posts: 94
Joined: Mon Feb 21, 2005 9:29 am
Location: IRAQ

Re: "Official" 2 WAN Failover Script not working

Sat Aug 10, 2013 11:25 pm

No, it checks the ping to 8.8.8.8 through WAN1; if it is less than 500ms it will switch the IP route back to the WAN1 ISP, and if it is still down, the script will use ISP2 as the gateway.

If you are talking about the log ((there are too many "IP Route changed by admin" entries)), there will be many of them and you can disable that in System Logging, but it's normal.

Also, you can change the down time ((I use 10s here to do the ping test)); if you have higher loss on your link you will see too much switching in the IP route.


I'm trying to use two or more IPs for monitoring in Netwatch with one script to run,
for example 8.8.8.8, 8.8.4.4 and 4.2.2.1, so that the script only runs once two are down, but I can't get a final successful test.
 
herot
just joined
Posts: 7
Joined: Sun Jul 14, 2013 2:22 am

Re: "Official" 2 WAN Failover Script not working

Sat Aug 10, 2013 11:44 pm

I am wanting to setup failover (no load balance) for 3 WANs. I want the WAN to failover if the ISP modem dies and/or if the line outside the building is cut. Like so:
Image

I have been trying to do it without scripting:
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 A S  0.0.0.0/0                          8.8.8.8                   1
 1   S  0.0.0.0/0                          8.8.4.4                   2
 2 A S  0.0.0.0/0                          8.8.4.4                   1
 3   S  0.0.0.0/0                          8.8.8.8                   2
 4 A S  0.0.0.0/0                          1.1.1.89                  1
 5   S  0.0.0.0/0                          2.2.2.110                 2
 6   S  0.0.0.0/0                          3.3.3.25                  3
 7 A S  4.2.2.2/32                         1.1.1.89                  1
 8 A S  8.8.4.4/32                         2.2.2.110                 1
 9 A S  8.8.8.8/32                         3.3.3.25                  1
10 ADC  10.20.0.0/21       10.20.0.10      lan                       0
11 ADC  10.20.0.11/32      10.20.0.11      lan-vrrp                  0
12 ADC  2.2.2.108/30       2.2.2.109       wan-cellular              0
13 ADC  1.1.1.88/30        1.1.1.90        wan-fiber                 0
14 ADC  3.3.3.24/29        3.3.3.26        wan-circuit               0
15 A S  172.16.0.0/24                      10.20.0.14                1
16 ADC  192.168.0.0/24     192.168.0.2     voip                      0
17 ADC  192.168.0.0/32     192.168.0.1     voip-vrrp                 0
No luck so far: loss between router and modem fails over, but a line cut outside does not fail over.
 
ahmedramze
Frequent Visitor
Posts: 94
Joined: Mon Feb 21, 2005 9:29 am
Location: IRAQ

Re: "Official" 2 WAN Failover Script not working

Sun Aug 11, 2013 12:04 am

I did not understand your script; try with /ip route export.

For your image, it's very easy to configure:
first do the WAN failover, then
second do the VRRP.
For WAN failover, assuming 1.1.1.1 is ISP1, 2.2.2.1 is ISP2 and 3.3.3.1 is ISP3:
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=1.1.1.1 scope=30 target-scope=10
add disabled=no distance=1 dst-address=8.8.8.8/32 gateway=1.1.1.1 scope=30 target-scope=10
add disabled=no distance=1 dst-address=4.2.2.2/32 gateway=2.2.2.1 scope=30 target-scope=10

and use the same config:
/tool netwatch
add down-script=ISP1_Down host=8.8.8.8 interval=10s timeout=500ms up-script=ISP1_UP
add down-script=ISP2_Down host=4.2.2.2 interval=10s timeout=500ms up-script=ISP2_UP

/system script
# ISP1 down: move the default route to ISP2; ISP1 up: move it back to ISP1
add name=ISP1_Down  source="ip route set [/ip route find dst-address=0.0.0.0/0]  gateway=2.2.2.1"
add name=ISP1_UP  source="ip route set [/ip route find dst-address=0.0.0.0/0]  gateway=1.1.1.1"

# ISP2 down while it is the active gateway: move the default route to ISP3; ISP2 up: move it back
add name=ISP2_Down  source="ip route set [/ip route find dst-address=0.0.0.0/0 gateway=2.2.2.1]  gateway=3.3.3.1"
add name=ISP2_UP  source="ip route set [/ip route find dst-address=0.0.0.0/0 gateway=3.3.3.1]  gateway=2.2.2.1"

Try this, then we will configure the VRRP later.

NOTE
If your ISP is limited by quota, Netwatch will generate traffic on the WAN and will cost you traffic.
Also try with lower than 500ms; here our ping to DNS is 90-300, so I use 250 for the timeout. For VSAT and other lossy systems use 500ms.
 
herot
just joined
Posts: 7
Joined: Sun Jul 14, 2013 2:22 am

Re: "Official" 2 WAN Failover Script not working

Sun Aug 11, 2013 2:09 am

Here is my /ip route export:
# aug/10/2013 19:05:29 by RouterOS 5.25
# software id = E0W5-HA1S
#
/ip route
add check-gateway=ping distance=1 gateway=8.8.8.8 routing-mark=ISP1
add check-gateway=ping distance=2 gateway=8.8.4.4 routing-mark=ISP1
add check-gateway=ping distance=1 gateway=8.8.4.4 routing-mark=ISP2
add check-gateway=ping distance=2 gateway=8.8.8.8 routing-mark=ISP2
add distance=1 gateway=1.1.1.89
add distance=2 gateway=2.2.2.110
add distance=3 gateway=3.3.3.25
add distance=1 dst-address=4.2.2.2/32 gateway=1.1.1.89 scope=10
add distance=1 dst-address=8.8.4.4/32 gateway=2.2.2.110 scope=10
add distance=1 dst-address=8.8.8.8/32 gateway=3.3.3.25 scope=10
add distance=1 dst-address=172.16.0.0/24 gateway=10.20.0.14
Don't worry about the VRRP. I have it working fine. I just need help with the 3 WAN failover. I understand what you have told me to add. What do I need to remove from my routing according to what I have above ^? I am still not sure that this will avoid the loop if the WAN 1 cable is removed from the router.

Does this look right? :
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 A S  0.0.0.0/0                          1.1.1.89              1
 1 A S  4.2.2.2/32                         1.1.1.89              1
 2 A S  8.8.4.4/32                         2.2.2.110             2
AND
 1   name="wan-fiber-down" owner="admin" policy=ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api
     run-count=0 source=ip route set [/ip route find dst-address=0.0.0.0/0] gateway=2.2.2.110

 2   name="wan-fiber-up" owner="admin" policy=ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api
     run-count=0 source=ip route set [/ip route find dst-address=0.0.0.0/0] gateway=1.1.1.89

 3   name="wan-cellular-down" owner="admin"        
	 policy=ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api
	 run-count=0
     source=ip route set [/ip route find dst-address=0.0.0.0/0 gateway=2.2.2.110] gateway=3.3.3.25

 4   name="wan-cellular-up" owner="admin" policy=ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api
     run-count=0
     source=ip route set [/ip route find dst-address=0.0.0.0/0 gateway=3.3.3.25] gateway=2.2.2.110
 
herot
just joined
Posts: 7
Joined: Sun Jul 14, 2013 2:22 am

Re: "Official" 2 WAN Failover Script not working

Sun Aug 11, 2013 7:14 pm

What syntax is wrong in this script? :
/system script add name=fiber-ether-down source=":global u /interface ethernet monitor wan-fiber once do={:set u $status} :if ($u != "link-ok") do={/tool netwatch disable 0,1; /system script run wan-fiber-down; /system scheduler enable fiber-ether-up}"
 
ahmedramze
Frequent Visitor
Posts: 94
Joined: Mon Feb 21, 2005 9:29 am
Location: IRAQ

Re: "Official" 2 WAN Failover Script not working

Mon Aug 12, 2013 12:44 am

Hello herot, and thanks for the karma.

First, your script monitors the Ethernet status ((cable OK or not)); it does not test the whole network from your point to Google's 8.8.8.8.

Second, you made a big mistake by adding 8.8.8.8 as a gateway; you cannot use 8.8.8.8 as a private network.
You need to remove all of these:
/ip route
add check-gateway=ping distance=1 gateway=8.8.8.8 routing-mark=ISP1
add check-gateway=ping distance=2 gateway=8.8.4.4 routing-mark=ISP1
add check-gateway=ping distance=1 gateway=8.8.4.4 routing-mark=ISP2
add check-gateway=ping distance=2 gateway=8.8.8.8 routing-mark=ISP2
add distance=1 gateway=1.1.1.89
add distance=2 gateway=2.2.2.110
add distance=3 gateway=3.3.3.25
add distance=1 dst-address=4.2.2.2/32 gateway=1.1.1.89 scope=10
add distance=1 dst-address=8.8.4.4/32 gateway=2.2.2.110 scope=10
add distance=1 dst-address=8.8.8.8/32 gateway=3.3.3.25 scope=10
add distance=1 dst-address=172.16.0.0/24 gateway=10.20.0.14

and add this:
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=1.1.1.89 scope=30 target-scope=10
add disabled=no distance=1 dst-address=8.8.8.8/32 gateway=1.1.1.89 scope=30 target-scope=10
add disabled=no distance=1 dst-address=4.2.2.2/32 gateway=2.2.2.110 scope=30 target-scope=10
add disabled=no distance=1 dst-address=8.8.4.4/32 gateway=3.3.3.25 scope=30 target-scope=10



and use the same Netwatch and script config as in my last comment.

Just note: all traffic will be routed to 1.1.1.89, which will be the main, and 2.2.2.110 & 3.3.3.25 will be backup1 and backup2.

And do not use these IPs as private ones; try with 172.X.X.X or 192.168.X.X.
Google's network and others work on 8.X.X.X, 4.X.X.X.
 
herot
just joined
Posts: 7
Joined: Sun Jul 14, 2013 2:22 am

Re: "Official" 2 WAN Failover Script not working

Mon Aug 12, 2013 3:32 am

ahmedramze, thanks. I got it working the way I want. For netwatch, I used my WAN interfaces' gateways. This allows failover to occur outside the building AND between router and modem. I will post my final configuration here:
[admin@souledge] /ip route> export
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=1.1.1.89 scope=30 target-scope=10


[admin@souledge] /tool netwatch> export
/tool netwatch
add comment=wan-fiber-check disabled=no down-script=wan-fiber-down host=1.1.1.89 interval=8s timeout=250ms \
    up-script=wan-fiber-up
add comment=wan-circuit-check disabled=no down-script=wan-circuit-down host=2.2.2.25 interval=8s timeout=250ms \
    up-script=wan-circuit-up

[admin@souledge] /system script> export
add name=wan-fiber-down policy=ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api source=\
    "ip route set [/ip route find dst-address=0.0.0.0/0] gateway=2.2.2.25"
add name=wan-fiber-up policy=ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api source=\
    "ip route set [/ip route find dst-address=0.0.0.0/0] gateway=1.1.1.89"
add name=wan-circuit-down policy=ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api source=\
    "ip route set [/ip route find dst-address=0.0.0.0/0 gateway=2.2.2.25] gateway=3.3.3.110"
add name=wan-circuit-up policy=ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api source=\
    "ip route set [/ip route find dst-address=0.0.0.0/0 gateway=3.3.3.110] gateway=2.2.2.25"
 
macnan
just joined
Posts: 1
Joined: Tue Dec 10, 2013 3:09 am

Re: "Official" 2 WAN Failover Script not working

Tue Dec 10, 2013 3:53 pm

Hi guys, sorry for reopening this post.
I was trying to implement the failover and the problem that I'm having is that one of the gateways does not work (ISP2_Route).

This is what it looks like:

/ip route
add check-gateway=ping distance=2 gateway=50.xxx.xxx.134 routing-mark=ISP1_Route
add check-gateway=ping distance=2 gateway=10.0.0.1 routing-mark=ISP2_Route
add check-gateway=ping distance=2 gateway=50.xxx.xxx.134
add check-gateway=ping distance=2 gateway=10.0.0.1

/ip firewall mangle
add chain=prerouting dst-address-list=Connected src-address-list=Connected
add action=mark-connection chain=input connection-mark=no-mark in-interface=ISP_1 new-connection-mark=WAN1->ROS
add action=mark-connection chain=input connection-mark=no-mark in-interface=ISP_2 new-connection-mark=WAN2->ROS
add action=mark-routing chain=output connection-mark=WAN1->ROS new-routing-mark=ISP1_Route
add action=mark-routing chain=output connection-mark=WAN2->ROS new-routing-mark=ISP2_Route
add action=mark-connection chain=forward connection-mark=no-mark in-interface=ISP_1 new-connection-mark=WAN1->LANs
add action=mark-connection chain=forward connection-mark=no-mark in-interface=ISP_2 new-connection-mark=WAN2->LANs
add action=mark-routing chain=prerouting connection-mark=WAN1->LANs new-routing-mark=ISP1_Route src-address-list=LAN
add action=mark-routing chain=prerouting connection-mark=WAN2->LANs new-routing-mark=ISP2_Route src-address-list=LAN


/ip firewall nat
add action=masquerade chain=srcnat out-interface=ISP_1 to-addresses=0.0.0.0
add action=masquerade chain=srcnat out-interface=ISP_2 to-addresses=0.0.0.0

Can anyone give me a hand to figure out what the issue is?
I'm using RouterOS 6.4 on an RB450G

I guess if the 2 gateways work the script will run without issues; right now it increases the distance of the second route because it can't ping.

Thanks,

Mc
 
hernan1302
just joined
Posts: 1
Joined: Tue Apr 17, 2018 2:12 pm

Re: "Official" 2 WAN Failover Script not working

Tue Apr 17, 2018 2:18 pm

Hello, could you send me the complete router configuration (not just the script)? I have two ISPs and configured a bridge with 2 Ethernet ports and the WiFi interfaces, with a DHCP server for the LAN.
Thanks
 
jarda
Forum Guru
Posts: 7573
Joined: Mon Oct 22, 2012 4:46 pm

Re: "Official" 2 WAN Failover Script not working

Tue Apr 17, 2018 11:48 pm

This is the English forum only. Rewrite your post in English, please.
 
ChefJay
newbie
Posts: 30
Joined: Mon Mar 20, 2017 7:25 pm
Location: Folsom, CA, USA

Re: "Official" 2 WAN Failover Script not working

Thu May 09, 2019 9:12 pm

Hello everyone, sorry to add to an old thread, but I don't know where else to post this.

I'm unable to locate the original Mangle rules for this script as the presentation link is now dead. I'm trying to implement a dual WAN failover script, but I think I'm missing the mangle rules portion of this. I have the script in place, and I can see the routes change when ISP 1 goes down, but traffic is not passed over to ISP 2. I'm also unable to externally ping ISP 2 when ISP 1 is active. I then also notice the distance of ISP 2 rise as active pings aren't able to get out on that interface.

ROS Version - 6.44.2
Model - RB3011
/interface ethernet
set [ find default-name=ether1 ] comment="Primary ISP Circuit" name=ETH1-PrimaryWAN speed=100Mbps
set [ find default-name=ether2 ] mac-address=CC:2D:E0:XX:XX:XX name=ETH2-LocalConfig speed=100Mbps
set [ find default-name=ether3 ] mac-address=CC:2D:E0:XX:XX:XX name=ETH3-FailoverWAN speed=100Mbps

/ip address
add address=192.168.88.1/24 comment="Local Config" interface=ETH2-LocalConfig network=192.168.88.0
add address=192.168.1.1/24 comment="Captive Portal" interface="Captive Portal Bridge" network=192.168.1.0
add address=172.20.32.1/24 comment="Salto System" interface=ETH4-Unused network=172.20.32.0
add address=96.xxx.xxx.xxx/29 interface=ETH1-PrimaryWAN network=96.xxx.xxx.xxx
add address=64.xxx.xxx.xxx/30 interface=ETH3-FailoverWAN network=64.xxx.xxx.xxx


Should my mangle rules look like the below? Or would they be incorrect?
/ip firewall mangle
add chain=prerouting dst-address-list=Connected src-address-list=Connected
add action=mark-connection chain=input connection-mark=no-mark in-interface=ETH1-PrimaryWAN new-connection-mark=WAN1->ROS
add action=mark-connection chain=input connection-mark=no-mark in-interface=ETH3-FailoverWAN new-connection-mark=WAN2->ROS
add action=mark-routing chain=output connection-mark=WAN1->ROS new-routing-mark=ISP1_Route
add action=mark-routing chain=output connection-mark=WAN2->ROS new-routing-mark=ISP2_Route
add action=mark-connection chain=forward connection-mark=no-mark in-interface=ETH1-PrimaryWAN new-connection-mark=WAN1->LANs
add action=mark-connection chain=forward connection-mark=no-mark in-interface=ETH3-FailoverWAN new-connection-mark=WAN2->LANs
add action=mark-routing chain=prerouting connection-mark=WAN1->LANs new-routing-mark=ISP1_Route src-address-list=LAN
add action=mark-routing chain=prerouting connection-mark=WAN2->LANs new-routing-mark=ISP2_Route src-address-list=LAN
Thanks in advance for any help anyone can provide.
 
ChefJay
newbie
Posts: 30
Joined: Mon Mar 20, 2017 7:25 pm
Location: Folsom, CA, USA

Re: "Official" 2 WAN Failover Script not working

Tue May 14, 2019 6:21 pm

I think I'm also missing the proper Route rules.

Is there anyone that's familiar with this script and its process that can shed some light on it for me please?

Or another failover option that would work with 2 different WAN's?
 
Sob
Forum Guru
Posts: 4042
Joined: Mon Apr 20, 2009 9:11 pm

Re: "Official" 2 WAN Failover Script not working

Tue May 14, 2019 9:56 pm

You can find some inspiration here:

https://wiki.mikrotik.com/wiki/Manual:PCC

Just ignore two rules with per-connection-classifier options, those do load balancing which the article is primarily about. The rest should give you an idea about what you need.

And don't post new problems to old threads, make a new one for yourself. And if you really think that it's relevant to your problem, add link to old thread in your new one.
 
ChefJay
newbie
Posts: 30
Joined: Mon Mar 20, 2017 7:25 pm
Location: Folsom, CA, USA

Re: "Official" 2 WAN Failover Script not working

Thu May 16, 2019 4:11 am

You can find some inspiration here:

https://wiki.mikrotik.com/wiki/Manual:PCC

Just ignore two rules with per-connection-classifier options, those do load balancing which the article is primarily about. The rest should give you an idea about what you need.

And don't post new problems to old threads, make a new one for yourself. And if you really think that it's relevant to your problem, add link to old thread in your new one.
Thanks for the info Sob, I'll check in to this right away, and won't post questions to old posts. :-)
