tech172

VRF and failover

Thu Jun 01, 2023 10:34 am

Hi everyone !
I'm using a MikroTik hEX router. I'm pretty new to this field, but I'm trying my best to make it work.
Here's what I wanted to do: use 2 different WANs for 2 LANs, but the WANs have the same gateway and I can't change it. So I decided to use VRFs to fix this issue, which worked (my 1st VRF has WAN1 and Bridge1, and the 2nd has WAN2 and Bridge2). But now I want to set up failover between my 2 VRFs.

How can I create a route between the two VRFs so that traffic can use the other WAN when it needs to?

The gateway of both WANs is 192.168.1.1
Bridge1 is 192.168.88.1
Bridge2 is 192.168.89.1

Here's my current configuration:
# RouterOS export of the topic author's hEX (RB750Gr3) configuration.
# Two WAN uplinks (ether1, ether2) share the same upstream gateway 192.168.1.1,
# so each is isolated in its own VRF together with one LAN bridge; the main
# routing table then carries one default route per VRF (see /ip route below).
# may/30/2023 13:56:23 by RouterOS 7.9.1
# NOTE(review): the software id and serial number identify this specific unit;
# they are best redacted before an export is shared publicly.
# software id = ZLYE-A3CY
#
# model = RB750Gr3
# serial number = 6F3807EAD74A
# Two LAN segments. bridge-1 keeps a fixed admin MAC (auto-mac=no);
# bridge-2 uses the automatically chosen one.
/interface bridge
add admin-mac=64:D1:54:0A:94:C1 auto-mac=no comment=1 name=bridge-1
add comment=2 name=bridge-2
# Default WAN/LAN interface lists. The firewall filter, NAT and management
# restrictions below all match on these lists, so list membership
# (see /interface list member) is what decides trusted LAN vs. untrusted WAN.
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
# Default entries left by the export; nothing else in this export uses them.
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
# DHCP address pools, one per LAN bridge (.10-.254 of each /24).
/ip pool
add name=pool-1 ranges=192.168.88.10-192.168.88.254
add name=pool-2 ranges=192.168.89.10-192.168.89.254
# One DHCP server per bridge. DHCP-2 sets server-address explicitly; DHCP-1
# relies on the default (presumably the bridge-1 address 192.168.88.1 — verify).
/ip dhcp-server
add address-pool=pool-1 interface=bridge-1 name=DHCP-1
add address-pool=pool-2 interface=bridge-2 name=DHCP-2 server-address=\
    192.168.89.1
# Each VRF pairs one WAN port with one LAN bridge, so the two identical
# 192.168.1.1 gateways live in separate routing tables (vrf1, vrf2).
# The export lists vrf2 first; the order here has no effect.
/ip vrf
add interfaces=ether2,bridge-2 name=vrf2
add interfaces=ether1,bridge-1 name=vrf1
# Serial console port naming (default).
/port
set 0 name=serial0
# Physical LAN ports: ether3 and ether4 -> bridge-1, ether5 -> bridge-2.
/interface bridge port
add bridge=bridge-1 comment=bridge-1 interface=ether3
add bridge=bridge-2 comment=bridge-2 interface=ether5
add bridge=bridge-1 interface=ether4
# Neighbor discovery only on LAN-list interfaces, so the router does not
# announce itself toward the WAN ports.
/ip neighbor discovery-settings
set discover-interface-list=LAN
# bridge-1/bridge-2 are LAN, ether1/ether2 are WAN. Keeping both uplinks in
# the WAN list is what makes the defconf input/forward drop rules and the
# masquerade rule cover the second uplink as well.
/interface list member
add comment=defconf interface=bridge-1 list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=bridge-2 list=LAN
add interface=ether2 list=WAN
# LAN-side router addresses: 192.168.88.1/24 on bridge-1, 192.168.89.1/24 on bridge-2.
/ip address
add address=192.168.88.1/24 comment="Bridge 1" interface=bridge-1 network=\
    192.168.88.0
add address=192.168.89.1/24 comment="Bridge 2" interface=bridge-2 network=\
    192.168.89.0
# Both WAN ports are addressed by DHCP. WAN 2 ignores the peer's DNS/NTP
# offers; WAN 1 keeps the defaults.
# NOTE(review): add-default-route is not shown, so the RouterOS default
# applies — presumably each client installs its default route in the VRF
# table of its own interface; confirm with `/ip route print`.
/ip dhcp-client
add comment="WAN 1" interface=ether1
add comment="WAN 2" interface=ether2 use-peer-dns=no use-peer-ntp=no
# Gateway and DNS handed to LAN clients. Both LANs are pointed straight at
# public resolvers (8.8.8.8 / 8.8.4.4) rather than at the router itself.
/ip dhcp-server network
add address=192.168.88.0/24 comment="Bridge 1" dns-server=8.8.8.8,8.8.4.4 \
    gateway=192.168.88.1
add address=192.168.89.0/24 comment="Bridge 2" dns-server=8.8.8.8,8.8.4.4 \
    gateway=192.168.89.1
# allow-remote-requests=yes makes the router answer DNS queries from clients.
# It is only reachable from the LAN because the input chain drops everything
# not coming from the LAN list (see "defconf: drop all not coming from LAN"
# below); if that rule is ever removed, this becomes an open resolver on
# both WAN ports.
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
# Default (defconf) IPv4 firewall.
# Input chain: accept established/related/untracked, drop invalid, accept
# ICMP, accept loopback traffic, then drop everything not from the LAN list.
# Forward chain: accept traffic matching IPsec policies, fasttrack and accept
# established/related, drop invalid, and drop new connections arriving from
# the WAN list that were not DST-NATed.
# Because ether1 and ether2 are both in the WAN list, these rules protect
# both uplinks.
# NOTE(review): fasttracked packets bypass mangle, so the per-packet
# mark-routing rule in /ip firewall mangle below may not be applied to
# established connections — confirm how long-lived flows behave on failover.
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
# Policy routing.
# Rules 1-2 (disabled): a test that marks the router's own ICMP to 1.1.1.1
# and steers that connection via vrf2. Note the mark-routing rule sits in
# prerouting, which router-originated packets do not traverse — presumably
# why the test is disabled; confirm before re-enabling.
# Rule 3: traffic entering from bridge-1 gets routing-mark=main, i.e. it is
# taken out of vrf1's table and resolved in the main table, which holds both
# default routes below.
# NOTE(review): there is no matching rule for bridge-2, so bridge-2 traffic
# presumably stays in vrf2 and does not fail over — if both LANs should
# fail over, a parallel rule for bridge-2 is needed.
# Rule 4: action=passthrough with no mark set — it only counts packets that
# already carry routing-mark=main and changes nothing.
/ip firewall mangle
add action=mark-connection chain=output disabled=yes dst-address=1.1.1.1 \
    new-connection-mark=test1111 passthrough=yes protocol=icmp
add action=mark-routing chain=prerouting connection-mark=test1111 disabled=\
    yes new-routing-mark=vrf2 passthrough=yes
add action=mark-routing chain=prerouting in-interface=bridge-1 \
    new-routing-mark=main passthrough=yes
add action=passthrough chain=prerouting dst-address=0.0.0.0/0 routing-mark=\
    main
# Source NAT for everything leaving via a WAN-list interface, so it applies
# to both uplinks.
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
# Two default routes in the main table, both toward 192.168.1.1 but resolved
# in different VRFs (the @vrf1 / @vrf2 suffix). distance=1 prefers WAN1 via
# vrf1; the distance=2 route via vrf2/WAN2 is only used while the first is
# inactive.
# NOTE(review): neither route sets check-gateway, so the primary is only
# withdrawn when its link or next hop goes away, not when the upstream path
# fails while 192.168.1.1 is still reachable. For real failover consider
# check-gateway=ping on these routes, or the (currently disabled) netwatch
# entries at the end of this export.
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.1.1@vrf1 \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add disabled=no distance=2 dst-address=0.0.0.0/0 gateway=192.168.1.1@vrf2 \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
# Default (defconf) IPv6 bogon list and firewall; unchanged from the
# factory configuration.
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system note
set show-at-login=no
# RouterBOOT firmware is upgraded automatically on reboot after a RouterOS
# upgrade.
/system routerboard settings
set auto-upgrade=yes
# MAC-telnet and MAC-WinBox management are restricted to the LAN list, so
# these Layer-2 management channels are not reachable from the WAN ports.
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
# Two disabled reachability probes (8.8.8.8, 1.1.1.1) with empty up/down
# scripts — currently unused. They could drive a failover script, but none
# is attached.
/tool netwatch
add disabled=yes down-script="" host=8.8.8.8 http-codes="" interval=10s \
    test-script="" type=simple up-script=""
add disabled=yes down-script="" host=1.1.1.1 http-codes="" test-script="" \
    type=simple up-script=""

If you need more information, feel free to ask.
mrz
MikroTik Support

Re: VRF and failover  [SOLVED]

Thu Jun 01, 2023 10:26 pm

You can set the gateway to be resolved in another VRF: x.x.x.x@vrf.
More info, with examples, is in the manual:
https://help.mikrotik.com/docs/pages/vi ... getreemode
