VioxxElite
just joined
Topic Author
Posts: 10
Joined: Thu Apr 29, 2021 6:32 pm

3 ISP, separate by bridge

Sat May 20, 2023 6:43 pm

What I'm going to try is a little confusing, and for most people it doesn't make any sense.

But it's a demand I currently have.

I have the Mikrotik 1100ahx2 (v7.9) with 2 bridge
bridge1 (eth1, eth2, eth3, eth4, eth5, eth6, eth7, eth8, eth9)
bridge2 (eth10)

The eth11, eth12 and eth13 ports are ISP

I have 2 to 3 links per store

Bridge1 has to go out through ISP1
Bridge2 has to go out through ISP2

If ISP1 stops working, you have to disable the eth9 port, and change the navigation from bridge1 to ISP2

If you don't have ISP2, exit through ISP3

on bridge2, I don't need this link exchange

All traffic from bridge1 must be isolated from bridge2, they must not talk to each other, and must be of different ranges.

Can anyone help me with this configuration?
 
wiseroute
Member
Posts: 352
Joined: Sun Feb 05, 2023 11:06 am

Re: 3 ISP, separate by bridge

Sat May 20, 2023 7:10 pm

interesting 🤔

ok. let us see what have you tried?
 
VioxxElite
just joined
Topic Author
Posts: 10
Joined: Thu Apr 29, 2021 6:32 pm

Re: 3 ISP, separate by bridge

Sat May 20, 2023 7:15 pm

all my attempts were a failure, so I came here to ask for help :)
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: 3 ISP, separate by bridge

Sat May 20, 2023 10:56 pm

Okay just to confirm requirements are understood.
You have three Internet links: ISP1, ISP2, ISP3.
Normal traffic flow requires Bridge1 users go through ISP1 and Bridge2 users go through ISP2.
If ISP1 is down, all traffic using ISP1 should flow through ISP2.
If ISP2 is also down, all traffic should flow through ISP3.

+++++++++++++++++++++++++++++++++++++++++++

What I dont get is why you use ports to segregate users,
What are the different groups of users, typically they are identified by subnets? How many?

Are there any subnets that span more than one port?

Why are you removing port9 from any traffic if ISP1 is down, do you simply mean to say they should not have any failover? ( as if ISP1 is not available subnets on port 9 should not have access to either ISP2 or ISP3? )

You have not described any possible servers on network??

A good diagram always helps clarify planning and communicate intentions......
 
VioxxElite
just joined
Topic Author
Posts: 10
Joined: Thu Apr 29, 2021 6:32 pm

Re: 3 ISP, separate by bridge

Sun May 21, 2023 8:23 pm

requirements are correct

I am not segregating users, from port 1 to port 8 I have VOIP phones

Ports 9 and 10 are connected on a Cisco 890 through the GE and FE ports.

That's why it has to be on a different network, and that's why you should disable port 9, in case ISP1 goes down, so that Cisco understands that it had a drop, and closes the VPN through port 10, and no longer through port 9.

I know it's confusing, and it really doesn't make sense, but as I said at the beginning, it's what I need at the moment, and I'm breaking my head, but so far my attempts haven't worked out very well
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: 3 ISP, separate by bridge

Sun May 21, 2023 8:34 pm

Isolating bridge1 traffic from bridge2 traffic is just a matter of firewall rules - it is enough to only allow traffic from the bridges that is routed via any WAN and drop the rest in the forward chain of /ip firewall filter.
How to implement a failover from ISP1 to ISP2 down to ISP3 has also been described a thousand times here; you just need another routing table that only contains a default route via ISP2 and a routing rule that tells the router to use that routing table for anything that has a source address matching the subnet of bridge2.
So the only "exotic" requirement is to disable ether9 (which is a member port of a bridge and the remaining ports of that bridge must not be affected) if the internet is unreachable via ISP1; you can do that using a script that tracks the state of the route via ISP1 and disables ether9 whenever the route becomes unavailable or, if you need that not even a single packet that comes in via ether9 ever passes via any other WAN than the ISP1 one, you can use /interface bridge filter to assign a packet-mark to packets ingressing via ether9 and then use an action=drop rule in chain forward of /ip firewall filter, placed before (above) the "accept established,related" one, to drop packets with that packet-mark. But the latter approach doesn't inform the device connected to ether9 about the ISP1 outage, so you may want to use both approaches simultaneously.

If this doesn't help enough, post a properly anonymized configuration to get the detailed configuration commands - of course along with the answers to the implicit question above.
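A worked RouterOS v7 configuration in the shape sindy describes above (isolation in the forward chain, a second routing table and routing rule for bridge2, the bridge-filter packet-mark, and a scheduler script that disables ether9 while the ISP1 route is down). This is an added example, not configuration from the thread or from MikroTik; the gateway addresses 203.0.113.1 / 198.51.100.1 / 192.0.2.1, the 192.168.10.0/24 and 192.168.20.0/24 subnets, the isp1 route comment and the use of the route's `active` property are assumptions.

```routeros
# Uplinks in one interface list so filter and NAT rules cover all three ISPs
/interface list add name=WAN
/interface list member add list=WAN interface=ether11 comment=ISP1
/interface list member add list=WAN interface=ether12 comment=ISP2
/interface list member add list=WAN interface=ether13 comment=ISP3

# One subnet per bridge (constructed addresses)
/ip address add address=192.168.10.1/24 interface=bridge1
/ip address add address=192.168.20.1/24 interface=bridge2

# main table: bridge1 fails over ISP1 -> ISP2 -> ISP3 by distance; check-gateway
# marks a route inactive when its gateway stops answering pings
/ip route add dst-address=0.0.0.0/0 gateway=203.0.113.1 distance=1 check-gateway=ping comment=isp1
/ip route add dst-address=0.0.0.0/0 gateway=198.51.100.1 distance=2 check-gateway=ping comment=isp2
/ip route add dst-address=0.0.0.0/0 gateway=192.0.2.1 distance=3 check-gateway=ping comment=isp3

# Second table holding only a default route via ISP2; bridge2 sources are pinned
# to it (lookup-only-in-table = no fallback to main, as bridge2 needs no failover)
/routing table add name=via-isp2 fib
/ip route add dst-address=0.0.0.0/0 gateway=198.51.100.1 routing-table=via-isp2
/routing rule add src-address=192.168.20.0/24 action=lookup-only-in-table table=via-isp2

# Optional hard guarantee: mark packets entering via ether9 in the bridge firewall
# and drop them (before the established/related rule) unless they leave via ISP1
/interface bridge filter add chain=input in-interface=ether9 action=mark-packet new-packet-mark=from-ether9 passthrough=yes
/ip firewall filter add chain=forward packet-mark=from-ether9 out-interface=!ether11 action=drop

# forward chain: each bridge may only talk to the WAN list, never to the other bridge
/ip firewall filter add chain=forward connection-state=established,related action=accept
/ip firewall filter add chain=forward in-interface=bridge1 out-interface-list=WAN action=accept
/ip firewall filter add chain=forward in-interface=bridge2 out-interface-list=WAN action=accept
/ip firewall filter add chain=forward action=drop comment="isolates bridge1 from bridge2"
/ip firewall nat add chain=srcnat out-interface-list=WAN action=masquerade

# Scheduler script: ether9 is disabled while the ISP1 route is inactive and
# re-enabled when it returns; the other member ports of bridge1 are untouched
/system script add name=track-isp1 source=":local up [/ip route get [find comment=isp1] active]; :local e9 [/interface get ether9 disabled]; :if ((\$up = false) && (\$e9 = false)) do={ /interface disable ether9 }; :if ((\$up = true) && (\$e9 = true)) do={ /interface enable ether9 }"
/system scheduler add name=track-isp1 interval=10s on-event=track-isp1
```

The drop rule for the from-ether9 mark is added first on purpose: rule order is evaluation order, and it has to sit above the established,related accept.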
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: 3 ISP, separate by bridge

Sun May 21, 2023 8:42 pm

Ports 9 and 10 are connected on a Cisco 890 through the GE and FE ports.

That's why it has to be on a different network, and that's why you should disable port 9, in case ISP1 goes down, so that Cisco understands that it had a drop, and closes the VPN through port 10, and no longer through port 9.
Ah, with these usage requirements, I'd probably use a different approach: I'd just remove ether9 from bridge1 and attach to it yet another subnet for the Cisco's GE uplink, and another routing table and a corresponding routing rule for it. So traffic coming in via ether9 would only ever use ISP1, and traffic coming in via ether10 would only ever use ISP2. Whether you need to inform the Cisco about the ISP1 outage by shutting down ether9 or not depends on how the Cisco behaves.

Both the keywords "VPN" and "VoIP" suggest that you will need a housekeeping script to restore the traffic after WANs recover from outages, as you most likely have NAT on all WANs.
 
VioxxElite
just joined
Topic Author
Posts: 10
Joined: Thu Apr 29, 2021 6:32 pm

Re: 3 ISP, separate by bridge

Sun May 21, 2023 9:01 pm

I clear existing connections
# drop IPsec ESP connections so the tunnel renegotiates
 /ip firewall connection remove numbers=[find protocol="ipsec-esp"]
# drop long-lived connections (tracking timeout above 60 s)
 /ip firewall connection; :foreach idc in=[find where timeout>60] do={remove [find where .id=$idc]};
# flush cached DNS answers
 /ip dns cache flush
But I'm still confused on how to create the routes you provided

I understand, but I'm having doubts about how to reproduce this in Mikrotik
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: 3 ISP, separate by bridge

Sun May 21, 2023 9:19 pm

I clear existing connections
That code is inconsistent in terms that you remove the ESP connections directly whereas for the time-based choice you use a :foreach; worse than that, the foreach alone doesn't save you from the script stopping on first error (a connection disappearing spontaneously before you remove it), you need the :do ... on-error construct to ignore such events. But that's not the essence.

But I'm still confused on how to create the routes you provided
Have you seen (or even tried) this?

I understand, but I'm having doubts about how to reproduce this in Mikrotik
What exactly do you mean by "this"?
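A housekeeping script in the shape sindy sketches (the :do ... on-error construct from the reply above, and the post-recovery cleanup from the earlier reply): it acts only when the ISP1 route flips from inactive back to active, and each removal is wrapped so a connection that vanishes on its own does not abort the loop. This is an added example, not code from the thread; it assumes the ISP1 default route carries comment=isp1, that the route's `active` property reflects check-gateway state, and that the body is pasted as the source of a /system script run by a /system scheduler every few seconds.

```routeros
# Script body for a /system script; run it from a scheduler (e.g. interval=10s).
# When the ISP1 route comes back, stale NATed sessions would stay on ISP2, so
# drop them and let the VPN and VoIP sessions re-establish via ISP1.
:global isp1WasUp
:local isp1Up [/ip route get [find comment=isp1] active]

# first run: just remember the current state
:if ([:typeof $isp1WasUp] = "nothing") do={ :set isp1WasUp $isp1Up }

:if (($isp1Up = true) && ($isp1WasUp = false)) do={
    :log info "ISP1 route is back, clearing stale connections"
    # ESP connections: the IPsec peer must renegotiate over the restored WAN
    :foreach c in=[/ip firewall connection find protocol=ipsec-esp] do={
        :do { /ip firewall connection remove $c } on-error={}
    }
    # long-lived flows (tracking timeout above 60 s, i.e. established streams)
    :foreach c in=[/ip firewall connection find timeout>60s] do={
        :do { /ip firewall connection remove $c } on-error={}
    }
    /ip dns cache flush
}
:set isp1WasUp $isp1Up
```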
