sandi

WAN doesn't failover when it can no longer ping gateway. (check-gateway=ping with recursive routing)

Mon May 29, 2023 5:24 pm

Hi all! This is our first MikroTik box and I'm having trouble getting dual wan with DHCP working...

I have a dual WAN setup using two DHCP clients and recursive routing (see config below) . When I physically remove the cable from the main WAN the device fails over to the secondary WAN as expected. However if I sever the connection further down in the chain so the link is still up but the gateway can no longer be pinged, it doesn't failover. What am I doing wrong? Thanks for the help!

(Running v6.48.7)

Full config below...
# may/28/2023 18:16:01 by RouterOS 6.48.7
# 
# Dual-WAN edge router export. ether1/ether2 are the two uplinks (DHCP
# clients further down); ether3-ether11 are bridged into the LAN.
/interface bridge
add name=bridge1-LAN
/interface ethernet
set [ find default-name=ether1 ] name=ether1-WAN1
set [ find default-name=ether2 ] name=ether2-WAN2
# ether12-Other is only renamed: it is neither a bridge port nor a member of
# the LAN/WAN lists below, so packets entering on it are not matched by the
# LAN/WAN accept rules and reach the final raw "drop the rest" rule.
set [ find default-name=ether12 ] name=ether12-Other
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=x.x.1.180-x.x.1.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge1-LAN name=dhcp1
/interface bridge port
add bridge=bridge1-LAN interface=ether3
add bridge=bridge1-LAN interface=ether4
add bridge=bridge1-LAN interface=ether5
add bridge=bridge1-LAN interface=ether6
add bridge=bridge1-LAN interface=ether7
add bridge=bridge1-LAN interface=ether8
add bridge=bridge1-LAN interface=ether9
add bridge=bridge1-LAN interface=ether10
add bridge=bridge1-LAN interface=ether11
/ip firewall connection tracking
set enabled=yes
/ip settings
# SYN cookies protect the connection-tracking table against SYN floods.
set tcp-syncookies=yes
/interface list member
# List membership is what the input/forward/raw rules key on
# (in-interface-list / out-interface-list); keep it current when interfaces
# are added.
add interface=bridge1-LAN list=LAN
add interface=ether1-WAN1 list=WAN
add interface=ether2-WAN2 list=WAN
/ip address
add address=x.x.1.1/24 interface=bridge1-LAN network=x.x.1.0
/ip cloud
# DDNS is enabled: the router reports its public address to MikroTik's cloud
# DDNS service every minute.
set ddns-enabled=yes ddns-update-interval=1m
/ip dhcp-client
# Neither client installs a default route (add-default-route=no). Instead each
# bind script rewrites the gateway of the static /32 probe routes in /ip route
# (matched by their comment strings) with the gateway the lease supplied, so
# the recursive default routes follow the learned ISP gateway.
# Only the bound=1 case is handled: when a lease is lost the /32 routes keep
# their last gateway, and failover then presumably depends on check-gateway
# on the default routes going inactive -- confirm by testing.
# The comment strings in these scripts must match the /ip route entries exactly.
add add-default-route=no disabled=no interface=ether1-WAN1 script="if (\$bound\
    =1) do={ \\\r\
    \n/ip route set [find comment=\"VERIZON CF\"] distance=1 dst-address=1.1.1\
    .1/32 gateway=\$\"gateway-address\" scope=10\r\
    \n/ip route set [find comment=\"VERIZON GOOGLE\"] distance=1 dst-address=8\
    .8.8.8/32 gateway=\$\"gateway-address\" scope=10\r\
    \n}" use-peer-dns=no use-peer-ntp=no
add add-default-route=no disabled=no interface=ether2-WAN2 script="if (\$bound\
    =1) do={ \\\r\
    \n/ip route set [find comment=\"COMCAST-NAT CF\"] distance=2 dst-address=1\
    .0.0.1/32 gateway=\$\"gateway-address\" scope=10\r\
    \n/ip route set [find comment=\"COMCAST-NAT GOOGLE\"] distance=2 dst-addre\
    ss=8.8.4.4/32 gateway=\$\"gateway-address\" scope=10\r\
    \n}" use-peer-dns=no use-peer-ntp=no
/ip route
# Recursive failover. The default routes point at public probe addresses
# (1.1.1.1 / 8.8.8.8 for Verizon at distance 1, 1.0.0.1 / 8.8.4.4 for Comcast
# at distance 2) rather than at the ISP gateway; check-gateway=ping pings the
# probe through the matching /32 route and marks the default route inactive
# when the probe stops answering. The distance-2 routes are used only while
# both distance-1 routes are inactive.
# Because the check targets the probe address, not the ISP gateway, a default
# route stays active as long as its probe answers via the /32 route.
add check-gateway=ping comment="VERIZON DEFAULT CF" distance=1 gateway=\
    1.1.1.1
add check-gateway=ping comment="VERIZON DEFAULT GOOGLE" distance=1 gateway=\
    8.8.8.8
add check-gateway=ping comment="COMCAST-NAT ALT CF" distance=2 gateway=\
    1.0.0.1
add check-gateway=ping comment="COMCAST-NAT ALT GOOGLE" distance=2 gateway=\
    8.8.4.4
# Host routes to the probes via the ISP gateways. scope=10 makes them eligible
# nexthop-resolution targets for the default routes above. The gateway values
# here are rewritten by the DHCP-client bind scripts, which find these routes
# by comment.
add comment="COMCAST-NAT CF" distance=2 dst-address=1.0.0.1/32 gateway=\
    x.x.0.1 scope=10
add comment="VERIZON CF" distance=1 dst-address=1.1.1.1/32 gateway=\
    x.x.x.1 scope=10
add comment="COMCAST-NAT GOOGLE" distance=2 dst-address=8.8.4.4/32 gateway=\
    x.x.0.1 scope=10
add comment="VERIZON GOOGLE" distance=1 dst-address=8.8.8.8/32 gateway=\
    x.x.x.1 scope=10
/ip dhcp-server network
# The 0.0.0.0/24 entry looks like a leftover placeholder; the LAN network is
# the x.x.1.0/24 entry, with the router address as gateway.
add address=0.0.0.0/24 gateway=0.0.0.0 netmask=24
add address=x.x.1.0/24 gateway=x.x.1.1 netmask=24
/ip dns
# Remote queries are allowed, but the input chain below drops every new
# connection not arriving from the LAN list, so the resolver is not reachable
# from the WAN side.
set allow-remote-requests=yes servers=9.9.9.11,149.112.112.11
/ip firewall address-list
# allowed_to_router, not_in_internet and no_forward_ipv4 are defined but not
# referenced by any rule in this export; the raw chain uses bad_ipv4,
# bad_src_ipv4, bad_dst_ipv4 and not_global_ipv4.
add address=x.x.1.2-x.x.1.254 list=allowed_to_router
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=\
    not_in_internet
add address=0.0.0.0/8 comment="defconf: RFC6890" list=no_forward_ipv4
add address=169.254.0.0/16 comment="defconf: RFC6890" list=no_forward_ipv4
add address=224.0.0.0/4 comment="defconf: multicast" list=no_forward_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=no_forward_ipv4
# bad_ipv4: dropped as either source or destination in the raw chain.
add address=127.0.0.0/8 comment="defconf: RFC6890" list=bad_ipv4
add address=192.0.0.0/24 comment="defconf: RFC6890" list=bad_ipv4
add address=192.0.2.0/24 comment="defconf: RFC6890 documentation" list=\
    bad_ipv4
add address=198.51.100.0/24 comment="defconf: RFC6890 documentation" list=\
    bad_ipv4
add address=203.0.113.0/24 comment="defconf: RFC6890 documentation" list=\
    bad_ipv4
add address=240.0.0.0/4 comment="defconf: RFC6890 reserved" list=bad_ipv4
# not_global_ipv4: dropped only as a source address arriving on a WAN-list
# interface (anti-spoofing of private/reserved ranges from the ISP side).
add address=0.0.0.0/8 comment="defconf: RFC6890" list=not_global_ipv4
add address=10.0.0.0/8 comment="defconf: RFC6890" list=not_global_ipv4
add address=100.64.0.0/10 comment="defconf: RFC6890" list=not_global_ipv4
add address=169.254.0.0/16 comment="defconf: RFC6890" list=not_global_ipv4
add address=172.16.0.0/12 comment="defconf: RFC6890" list=not_global_ipv4
add address=192.0.0.0/29 comment="defconf: RFC6890" list=not_global_ipv4
add address=192.168.0.0/16 comment="defconf: RFC6890" list=not_global_ipv4
add address=198.18.0.0/15 comment="defconf: RFC6890 benchmark" list=\
    not_global_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=not_global_ipv4
add address=224.0.0.0/4 comment="defconf: multicast" list=bad_src_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=bad_src_ipv4
add address=0.0.0.0/8 comment="defconf: RFC6890" list=bad_dst_ipv4
add address=224.0.0.0/4 comment="defconf: RFC6890" list=bad_dst_ipv4
/ip firewall filter
# Input chain: only interfaces in the LAN list may open new connections to the
# router; ICMP and traffic to loopback are accepted from anywhere. Echo
# request/reply are rate-limited in the raw icmp4 chain, not here.
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
# Forward chain: established/related traffic is fasttracked; new connections
# from the WAN list are dropped unless they were DST-NATed. This export has no
# dst-nat rules, so nothing inbound from the WAN is forwarded.
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
# Source NAT: everything leaving via either WAN-list interface is masqueraded.
# Per the reply further down, a tracked connection keeps the source address it
# was NATed to even after routing moves to the other uplink.
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip firewall raw
# Raw prerouting is evaluated before connection tracking. Order matters: the
# bogon and anti-spoof drops come first, then the ICMP/TCP sanity chains, then
# the LAN/WAN accepts; anything from an interface in neither list hits the
# final "drop the rest".
add action=accept chain=prerouting comment="defconf: accept DHCP discover" \
    dst-address=255.255.255.255 dst-port=67 in-interface-list=LAN protocol=\
    udp src-address=0.0.0.0 src-port=68
# References the address lists ddos-targets / ddos-attackers, which nothing in
# this export defines or populates, so the rule currently matches nothing. It
# is also the only raw rule without a comment.
add action=drop chain=prerouting dst-address-list=ddos-targets \
    src-address-list=ddos-attackers
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
    src-address-list=bad_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
    dst-address-list=bad_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
    src-address-list=bad_src_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
    dst-address-list=bad_dst_ipv4
add action=drop chain=prerouting comment="defconf: drop non global from WAN" \
    in-interface-list=WAN src-address-list=not_global_ipv4
# Anti-spoofing in both directions: WAN packets addressed into the LAN subnet,
# and LAN packets not sourced from the LAN subnet, are dropped.
add action=drop chain=prerouting comment=\
    "defconf: drop forward to local lan from WAN" dst-address=x.x.1.0/24 \
    in-interface-list=WAN
add action=drop chain=prerouting comment=\
    "defconf: drop local if not from default IP range" in-interface-list=LAN \
    src-address=!x.x.1.0/24
add action=drop chain=prerouting comment="defconf: drop bad UDP" port=0 \
    protocol=udp
add action=jump chain=prerouting comment="defconf: jump to ICMP chain" \
    jump-target=icmp4 protocol=icmp
add action=jump chain=prerouting comment="defconf: jump to TCP chain" \
    jump-target=bad_tcp protocol=tcp
add action=accept chain=prerouting comment=\
    "defconf: accept everything else from LAN" in-interface-list=LAN
add action=accept chain=prerouting comment=\
    "defconf: accept everything else from WAN" in-interface-list=WAN
add action=drop chain=prerouting comment="defconf: drop the rest"
# bad_tcp: drop illegal flag combinations (none of FIN/SYN/RST/ACK set,
# FIN+SYN, FIN+RST, FIN without ACK, FIN+URG, SYN+RST, RST+URG) and port 0.
add action=drop chain=bad_tcp comment="defconf: TCP flag filter" protocol=tcp \
    tcp-flags=!fin,!syn,!rst,!ack
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,syn
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,rst
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,!ack
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,urg
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=syn,rst
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=rst,urg
add action=drop chain=bad_tcp comment="defconf: TCP port 0 drop" port=0 \
    protocol=tcp
# icmp4: echo reply and echo request are rate-limited (limit=5,10:packet);
# the listed destination-unreachable codes and time-exceeded pass unlimited;
# every other ICMP type is dropped.
add action=accept chain=icmp4 comment="defconf: echo reply" icmp-options=0:0 \
    limit=5,10:packet protocol=icmp
add action=accept chain=icmp4 comment="defconf: net unreachable" \
    icmp-options=3:0 protocol=icmp
add action=accept chain=icmp4 comment="defconf: host unreachable" \
    icmp-options=3:1 protocol=icmp
add action=accept chain=icmp4 comment="defconf: protocol unreachable" \
    icmp-options=3:2 protocol=icmp
add action=accept chain=icmp4 comment="defconf: port unreachable" \
    icmp-options=3:3 protocol=icmp
add action=accept chain=icmp4 comment="defconf: fragmentation needed" \
    icmp-options=3:4 protocol=icmp
add action=accept chain=icmp4 comment="defconf: echo" icmp-options=8:0 limit=\
    5,10:packet protocol=icmp
add action=accept chain=icmp4 comment="defconf: time exceeded " icmp-options=\
    11:0-255 protocol=icmp
add action=drop chain=icmp4 comment="defconf: drop other icmp" protocol=icmp
/lcd
set color-scheme=dark default-screen=stats
/system clock
set time-zone-name=America/New_York
/system identity
# Identity is still the factory default name.
set name=RouterOS
/system package update
# Updates follow the long-term channel (this export is from 6.48.7).
set channel=long-term
/system ups
add name="Network UPS" port=usbhid1
/tool bandwidth-server
# Bandwidth-test server is disabled.
set enabled=no
** Note: gateway addresses are obscured with "x.x" for public posting, they are proper addresses in the config.
 
sindy

Re: WAN doesn't failover when it can no longer ping gateway. (check-gateway=ping with recursive routing)

Sun Jun 04, 2023 10:27 pm

I cannot see anything wrong in your recursive routing setup, so first imitate the outage of the Verizon uplink and after 20 seconds, check whether the default routes via Verizon are still marked as Active. If they are, there is indeed something wrong with the setup. If they are not, maybe your expectations or the way you test the failover are incorrect?

E.g. if you test using a continuous ping, it will fail once the primary uplink becomes unavailable even though the route via Comcast becomes active. The reason is the NAT - the first ping request creates a tracked connection that is src-nated to the IP address of the Verizon WAN, and the packets belonging to that connection keep being src-nated to that IP address even after they start being routed via Comcast. So either Comcast drops them because they come from a wrong address, or it lets them through but the responses are sent to the Verizon IP address, which is not accessible. UDP connections like SIP or IPsec are affected by the same phenomenon if they are reattempted before the timeout for responded UDP connections (3 minutes by default) expires. So if you use such connections, you need to add scheduled scripts that remove tracked connections whose reply-dst-address is the one of the unavailable uplink.
 
anav

Re: WAN doesn't failover when it can no longer ping gateway. (check-gateway=ping with recursive routing)

Sun Jun 04, 2023 11:27 pm

I don't understand the purpose of your DHCP client script; it appears to be trying to find the gateway IP. My take is that it is doing too much and interfering with the recursive routing.
Forget the distance parameter as you want the dhcp client info to be found in both cases and the gateway to be found in both cases. Let the IP routes decide which route will be used.

Secondly, I'm not particularly fond of the recursive setup you have. Try it this way:
/ip route
# Primary ISP: two recursive default routes (distance 3 and 4), each resolved
# through its own /32 probe route. Primary_ISP-gatewayIP is a placeholder that
# the DHCP-client script further down fills in at bind time.
# target-scope=12 on the default routes lets them resolve via the scope=10 /32
# routes; target-scope=11 on the /32 routes presumably lets those resolve via
# the directly connected ISP subnet -- confirm against the routing table.
add check-gateway=ping distance=3 dst-address=0.0.0.0/0 gateway=1.1.1.1 scope=10 target-scope=12
add distance=3 dst-address=1.1.1.1/32 gateway=Primary_ISP-gatewayIP scope=10 target-scope=11
add check-gateway=ping distance=4 dst-address=0.0.0.0/0 gateway=8.8.8.8 scope=10 target-scope=12
add distance=4 dst-address=8.8.8.8/32 gateway=Primary_ISP-gatewayIP scope=10 target-scope=11
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
# Secondary ISP: same pattern at distance 5 and 6, so these are used only
# while both primary default routes are inactive. SECONDARY_ISP-gatewayIP is
# a placeholder filled in by the second DHCP-client script.
add check-gateway=ping distance=5 dst-address=0.0.0.0/0 gateway=1.0.0.1 scope=10 target-scope=12
add distance=5 dst-address=1.0.0.1/32 gateway=SECONDARY_ISP-gatewayIP scope=10 target-scope=11
add check-gateway=ping distance=6 dst-address=0.0.0.0/0 gateway=8.8.4.4 scope=10 target-scope=12
add distance=6 dst-address=8.8.4.4/32 gateway=SECONDARY_ISP-gatewayIP scope=10 target-scope=11

============================================================================================

Here is the script I use to ascertain the gateway and then insert it into my IP routes at the appropriate spot.
Add default route=YES, route distance=255

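# DHCP-client lease script: when a lease is bound, look up the gateway the
# client received and write it into the recursive /32 routes, which are found
# by their comment. The gateway!=$gw filter makes the set a no-op when the
# gateway is unchanged.
# NOTE: the lease script also exposes $"gateway-address" directly (the original
# poster's config uses it); the dhcp-client lookup below is an alternative.
# The closing brace of the :if block was missing in the posted version.
:if ($bound=1) do={
  :local iface $interface
  :local gw [ /ip dhcp-client get [ find interface=$"iface" ] gateway ]
  /ip route set [ find comment="PrimaryRecursive" gateway!=$gw ] gateway=$gw
  /ip route set [ find comment="SecondaryRecursive" gateway!=$gw ] gateway=$gw
}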


The trick here is to use the comments on each of the routes. In my case I only use this for one ISP, with two recursive routes.
You would have something similar but in both IP DHCP Clients.

Here are my routes so you can see how the key words were used (in comments). Note this is from v6, so there is no need to mess with scopes:
/ip route
# Working v6 example: default routes via 1.0.0.1 (distance 3) and 9.9.9.9
# (distance 4), each resolved through a /32 route whose comment is the key the
# DHCP-client script above uses when it rewrites the gateway. "..4.1" appears
# to be a partially redacted ISP gateway address.
add check-gateway=ping distance=3 gateway=1.0.0.1
add check-gateway=ping distance=4 gateway=9.9.9.9
add comment=PrimaryRecursive distance=3 dst-address=1.0.0.1/32 gateway=..4.1 scope=10
add comment=SecondaryRecursive distance=4 dst-address=9.9.9.9/32 gateway=..4.1 scope=10


+++++++++++++++++++++++++++++++++++

Thus in your case, it may be applied as follows
/ip route
# Verizon (primary) routes for the poster's setup. The comments MainRC-V and
# AlternativeRC-V are the keys the Verizon DHCP-client script below matches on
# when it writes the learned gateway over the Primary_ISP-gatewayIP placeholder.
add check-gateway=ping distance=3 dst-address=0.0.0.0/0 gateway=1.1.1.1 scope=10 target-scope=12
add distance=3 dst-address=1.1.1.1/32 gateway=Primary_ISP-gatewayIP scope=10 target-scope=11 comment=MainRC-V
add check-gateway=ping distance=4 dst-address=0.0.0.0/0 gateway=8.8.8.8 scope=10 target-scope=12
add distance=4 dst-address=8.8.8.8/32 gateway=Primary_ISP-gatewayIP scope=10 target-scope=11 comment=AlternativeRC-V
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
# Secondary ISP routes at distance 5 and 6. The comments MainRC-H and
# AlternativeRC-H are the keys the second DHCP-client script below matches on
# when it replaces the SECONDARY_ISP-gatewayIP placeholder.
add check-gateway=ping distance=5 dst-address=0.0.0.0/0 gateway=1.0.0.1 scope=10 target-scope=12
add distance=5 dst-address=1.0.0.1/32 gateway=SECONDARY_ISP-gatewayIP scope=10 target-scope=11 comment=MainRC-H
add check-gateway=ping distance=6 dst-address=0.0.0.0/0 gateway=8.8.4.4 scope=10 target-scope=12
add distance=6 dst-address=8.8.4.4/32 gateway=SECONDARY_ISP-gatewayIP scope=10 target-scope=11 comment=AlternativeRC-H


Verizon
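# Lease script for the Verizon DHCP client: on bind, look up the received
# gateway and write it into the two Verizon /32 routes, found by the comments
# MainRC-V and AlternativeRC-V. gateway!=$gw skips routes already up to date.
# The closing brace of the :if block was missing in the posted version.
:if ($bound=1) do={
  :local iface $interface
  :local gw [ /ip dhcp-client get [ find interface=$"iface" ] gateway ]
  /ip route set [ find comment="MainRC-V" gateway!=$gw ] gateway=$gw
  /ip route set [ find comment="AlternativeRC-V" gateway!=$gw ] gateway=$gw
}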


Horizon
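# Lease script for the second DHCP client: on bind, look up the received
# gateway and write it into the two secondary /32 routes, found by the comments
# MainRC-H and AlternativeRC-H. gateway!=$gw skips routes already up to date.
# The closing brace of the :if block was missing in the posted version.
:if ($bound=1) do={
  :local iface $interface
  :local gw [ /ip dhcp-client get [ find interface=$"iface" ] gateway ]
  /ip route set [ find comment="MainRC-H" gateway!=$gw ] gateway=$gw
  /ip route set [ find comment="AlternativeRC-H" gateway!=$gw ] gateway=$gw
}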
