Hi,Just a suggestion for investigation, as I could only test part of it on a remote device I cannot afford to tamper with too much.
If you specify an interface as a parameter of the ping command, RouterOS doesn't look for the best route out of those whose gateway interface is the specified one, but it sends an ARP request from that interface, and if it gets a response, it sends the echo request packet to the MAC address returned. But it seems that before doing that, it queries the normal routing, and if the gateway interface indicated by normal routing is the one specified for the ping, it sends the echo request to the MAC address of the corresponding gateway without first sending an ARP request for the actual destination of the ping.
So the difference between your wan1 and wan2 may be the support of the proxy-arp functionality on the adjacent routers (gateways) - if my assumption is correct, the one connected to wan2 supports it and the one connected to wan1 doesn't. So ping with interface=wan1 only works if wan1 is the gateway interface of the active default route.
Sniffing on your system in both states (wan1 distance=1 and wan1 distance=10) will show you whether my assumption is correct.
One possibility I can think of is that the ping with specification of interface works different on the two operating systems. Another possibility is that whereas Mikrotik definitely ignores the ICMP router advertisements possibly sent by the gateway router, the archlinux may use them to associate a gateway with an interface, so it knows what gateway to use for packets sent from "wan1" even though the gateway doesn't support proxy-arp.from a another router (a custom archlinux based router), it works as expected and i have no issue at all.
In both case, the adjacent router is the same.
Why on mikrotik it does not work ?
I would just use routing-table instead of interface as a parameter of the ping.Do i have something special to do to allow just a ping for an interface even after changing the distance/metric ?
Oops... not possible in ROS 7 (hopefully it's a temporary state). So you'd have to use a routing rule matching on a src-address (the one attached to the wan in question) and specify a src-address as a parameter of the ping.how to define a routing-table with ping command on ROS ?
Sorry, I don't understand what you ask (and my French is really bad).Could you please confirm me the configuration in my context to make recursive routing work ?
Could you please confirm me the configuration in my context to make recursive routing work ?
The general idea is OK, but the implementation details are not. The purpose of scope and target-scope is to define the hierarchy of the routes for the recursive next-hop search or, in another words, to prevent looping. So set the scope of all the routes with dst-address=0.0.0.0/0 to the default 30, otherwise they could use each other in the recursion.Is it correct ?
Yes and no depending on your traffic. Active TCP connections will fail at each change; depending on the applications that use them, some will get re-established automatically and some will have to be re-established manually. UDP connections that are periodically updated, such as IPsec or SIP connections, need to be removed using a script after a failover, because the router itself or the device in its LAN keep sending packets even if no responses come back, and the router sets the source address of these packets to the one of the WAN through which the respective connection has been established initially, unless that address has been lost (due to interface down or expiration of DHCP lease) and they have been src-nated using a masquerade rule.In case of a link failure from ISP1, the failover is automatic as i understand.
But the rollback recover is also automatic or do i have to script something ?
Something likeif i would like to make sure that 80.11.60.1 never change and prefer a dhcp script, do you have an example to found gateway from dhcp-client please ?
You don't exactly have to, but any backup solution is almost useless if it is not monitored - as it stays unused for months or even years, it may silently fail and when the primary one fails, the backup is not available. I prefer to use the Telegram app to send notifications about the state of SOHO networks to their users, but of course you can use e-mail as well.Do I have to check-gateway ping the failover wan too ?
Sure I can have a look at the export of your current configuration, but it will be much more useful if you check it practically first (using /interface/disable ether1 and/or by adding firewall rules dropping the test pings to chain output of firewall filter). E.g. if you use /ip/firewall/filter add chain=output dst-address=1.1.1.1 protocol=icmp action=drop, you will imitate that 1.1.1.1 doesn't respond, so the /0 route via 1.1.1.1 will become inactive and the route via 8.8.8.8 will take over.Just to make sure, could you please my implementation ?
Yes.Could you please confirm that it is better to do this :
dst-address=0.0.0.0/0 -> scope=30
I don't say that having the distance values of the /32 routes as you had them before is wrong; what I say is that it doesn't matter what those distance values are because those /32 routes differ in dst-address.dst-address=x.x.x.x/32 -> distance=3
The relation between target-scope and scope of the same route is irrelevant; what matters is that the target-scope of a "client" route was at least one higher than the scope of the "server" route, see a hypothetic example below. Red and blue indicate the related elements, gray indicates default values (that are normally not shown in export):But I thank that i must set target-scope > scope ?
Right.right ?
Mostly to illustrate that there may be multiple levels of recursion and how they are related. But a typical approach when using multiple "canary addresses" looks as follows:but i do not understand why you choose in your example to add a route to 8.8.8.255 ?
No. You can use 8.8.4.4 instead of 8.8.8.8, 1.0.0.1 instead of 1.1.1.1, and 149.112.112.112 instead of 9.9.9.9 - same companies, different addresses.But, will I be able to join 8.8.8.8, 1.1.1.1. And 9.9.9.9 from wan2 ?
arp means that ROS uses ARP protocol rather than ICMP echo to check the availability of the gateway, which means that the gateway must be reachable via an L2 interface, hence this mode cannot be used to check that the uplink is transparent all the way to the internet. Even in the unlikely case that the nearest Orange's router acting as the gateway for your one supports proxy-arp mode, if you'd be checking e.g. 8.8.8.8 using check-ping=arp, it would be the nearest Orange that would respond. So in case of an issue somewhere inside Orange's network, your router would keep using wan1 but would get nowhere.What does check-gateway arp and bfd ?
Nope. What @sindy means by canary is an address that is used as an indicator that the uplink is working all the way to the internet. The term is not mine, and it is based on the fact that before electronic gas detectors became available, miners used canaries as biological indicators that the air is safe to breathe. If all canary addresses associated to a given uplink stop responding, you know that internet cannot be reached via that uplink.In this case we use a fictitious _ ahhh this is what Sindy means by canary!! address to force the router to resolve it via two recursive routes.
In your simple application, the nested approach is not better than the flat one, it is just different. In more complicated applications, the nested one becomes better because it makes the overall configuration simpler than the flat one.will work as expected, and is BETTER than the following flat :
It is equally efficient. The recursion is not reiterated for every single packet - when you use /ip/route/print detail, you'll see something like gateway-status=8.8.8.8 recursive via 192.168.1.1 ether1.Nested seems more readable, but is it more efficient ?
No, just remove these rules./ip routing rule
———- is it necessary ???? —————
routing-mark=ISP1_route action=lookup table=main
routing-mark=ISP2_route action=lookup table=main
—————————————————-
Setting check-gateway to none should help, I hazily remember it worked strange for non-recursive routes.And if i do this
...
The route as unreachable
Don't trust my opinion, trust mere logic:Are you sure that there is no need for this route to be recursive because in Anav guide and milkrotik help site, these exist and are recursive.
No. You only need the distance parameter to define the mutual priority of routes with identical routing-table and dst-address parameters.If it is not necessary, I suppose I could also keep only one (the first) table=route_ISP1 distance=3 ?
Do i need the distance param in this case ?
Yes, sure. strict means that packets that come in through any other interface than through which responses to them would be sent are dropped, and the rp-filter cannot use any kind of policy routing when evaluating this. But the benefits of rp-filter=strict are overrated anyway.Finally, is it necessary to change rp_filter from no to loose ?
"no distance parameter" actually means distance=1. All parameters have some value, but like with many other vendors, configuration export doesn't show parameters with default values unless explicitly asked to do so (using the verbose parameter)with no distance param in each route table != main.
Sorry, I have msunderstood your question. Both no and loose are OK for policy routing, only strict breaks it.Rp_filter = no->loose
The current routing rules say that whatever is sent from one of the WAN addresses must use one of the two ISPx_route tables, and these tables have no routes but the default one, so the response to a ping coming from a private address in the LAN subnet are sent to the respective WAN gateway. So to let the router respond to these pings, you have to place another routing rule before the two existing ones:first problem : i cannot ping from the router itself and from LAN devices my 2 external public IP addresses given by my ISPs (from wan1 and wan2).
Indeed a ping request towards the IP of wan 1 from the IP of wan 2 should arrive to wan 1, but the log from the firewall shows that it was a ping towards the IP of wan 2 from the IP of wan 1, so it looks fine to me.pinging WAN1_IP should come from WAN1 not from WAN2 ?
The only reason to add the routing rules is that the router itself would respond to incoming requests from the internet using the proper uplink. This basically boils down to pinging it from the internet and connecting VPN clients (or peers) to it.but i disable all routing rules and everything seems to work fine, is it really necessary to add them ?
In the ISP1_route table, there is no point to use the recursion to monitor the uplink state - this table is used for responses that must use wan1 and if wan1 doesn't work, sending those packets via wan2 won't help. So the default route in ISP1_route can use directly PrimaryISP-gatewayIP as gateway and no check-gateway is necessary.
The very principle of fasttrack operation is that the fasttracked packets bypass some stages of packet processing, mangle is just one of these stages.I read somewhere that Fasttrack and mangle dual-wan are incompatible, is it a mistake ?
Sure there is: viewtopic.php?p=659676#p659676is there a workaround to keep fasttrack only for some packets of and keep mangle / routing rules/tables ?
/ip firewall mangle add action=mark-connection chain=input connection-state=new in-interface=vlan832-orange1 new-connection-mark=conn-wan1 passthrough=yes
/ip firewall mangle add action=mark-connection chain=input connection-state=new in-interface=ether2.wan2 new-connection-mark=conn-wan2 passthrough=yes
/ip firewall mangle add action=mark-routing chain=output connection-mark=conn-wan1 new-routing-mark=route-wan1 passthrough=yes
/ip firewall mangle add action=mark-routing chain=prerouting connection-mark=conn-wan1 in-interface-list=!WAN new-routing-mark=route-wan1 passthrough=yes
/ip firewall mangle add action=mark-connection chain=prerouting connection-state=new in-interface=vlan832-orange1 new-connection-mark=conn-wan1 passthrough=yes
/ip firewall mangle add action=mark-routing chain=output connection-mark=conn-wan2 new-routing-mark=route-wan2 passthrough=yes
/ip firewall mangle add action=mark-routing chain=prerouting connection-mark=conn-wan2 in-interface-list=!WAN new-routing-mark=route-wan2 passthrough=yes
/ip firewall mangle add action=mark-connection chain=prerouting connection-state=new in-interface=ether1.wan2 new-connection-mark=conn-wan2 passthrough=yes
/ip firewall mangle
add chain=prerouting connection-state=established,related connection-mark=no-mark action=accept # if a mid-connection packet has no connection mark, it needs the default handling
add chain=prerouting connection-state=established,related in-interface-list=WAN action=accept # download packets MUST NOT be routing-marked
add chain=prerouting connection-mark=conn-wan1 action=mark-routing new-routing-mark=route-wan1 # passthrough=no is a default behaviour but you can state it explicitly
add chain=prerouting connection-mark=conn-wan2 action=mark-routing new-routing-mark=route-wan2 # same like above
add chain=prerouting action=mark-connection connection-state=new in-interface=vlan832-orange1 new-connection-mark=conn-wan1 passthrough=yes
add chain=prerouting action=mark-connection connection-state=new in-interface=ether1.wan2 new-connection-mark=conn-wan2 passthrough=yes
add chain=output action=mark-routing connection-state=new connection-mark=conn-wan1 new-routing-mark=route-wan1 passthrough=yes
add chain=output action=mark-routing connection-state=new connection-mark=conn-wan2 new-routing-mark=route-wan2 passthrough=yes
/ip firewall mangle add action=mark-routing chain=prerouting connection-mark=conn-wan1 in-interface-list=!WAN new-routing-mark=route-wan1 passthrough=yes
/ip firewall mangle add action=mark-connection chain=prerouting connection-state=new in-interface=vlan832-orange1 new-connection-mark=conn-wan1 passthrough=yes
/ip firewall mangle add action=mark-routing chain=prerouting connection-mark=conn-wan2 in-interface-list=!WAN new-routing-mark=route-wan2 passthrough=yes
/ip firewall mangle add action=mark-connection chain=prerouting connection-state=new in-interface=ether1.wan2 new-connection-mark=conn-wan2 passthrough=yes
/ip firewall mangle add action=mark-routing chain=output connection-mark=conn-wan1 new-routing-mark=route-wan1 passthrough=yes
/ip firewall mangle add action=mark-routing chain=output connection-mark=conn-wan2 new-routing-mark=route-wan2 passthrough=yes
/ip firewall mangle
add chain=prerouting connection-state=established,related connection-mark=no-mark action=accept # if a mid-connection packet has no connection mark, it needs the default handling
add chain=prerouting connection-state=established,related in-interface-list=WAN action=accept # download packets MUST NOT be routing-marked
add chain=prerouting action=mark-routing connection-mark=conn-wan1 new-routing-mark=route-wan1
add chain=prerouting action=mark-routing connection-mark=conn-wan2 new-routing-mark=route-wan2
add chain=prerouting action=mark-connection connection-state=new in-interface=vlan832-orange1 new-connection-mark=conn-wan1 passthrough=yes
add chain=prerouting action=mark-connection connection-state=new in-interface=ether1.wan2 new-connection-mark=conn-wan2 passthrough=yes
add chain=output action=mark-routing connection-state=new connection-mark=conn-wan1 new-routing-mark=route-wan1 passthrough=yes
add chain=output action=mark-routing connection-state=new connection-mark=conn-wan2 new-routing-mark=route-wan2 passthrough=yes
It is OK if it is your intention (to keep a connection on the secondary WAN even if the primary one recovers).1. YES (but I don't know if it a good pratice)
Traffic that uses input chain also uses the output chain. So once you have removed the mangle rules from input, the mangle rules in output became useless. Own outgoing traffic of the router is only handled by output and postrouting chains in mangle, not by the prerouting one.2. in the last version, I removed the input mangle rules and it works (but I think this not optimized)
The rough idea is to create a routing table initial that will contain the two topmost recursive default routes (via WAN 1 and via WAN 2, preferring WAN 1), and to use mangle rules in output and in prerouting to assign a routing-mark initial to packets that match connection-state=new so that they would use that table.3. I do not understand everything, could you please give me a small example ?
/ip firewall filter add action=fasttrack-connection chain=forward comment="accept established,related" connection-mark=no-mark connection-state=established,related,untracked hw-offload=yes
/ip firewall mangle add action=accept chain=prerouting comment="nomark related" connection-mark=no-mark connection-state=established,related
/ip firewall mangle add action=accept chain=prerouting comment="WAN related" connection-state=established,related in-interface-list=WAN
/ip firewall mangle add action=mark-routing chain=prerouting connection-mark=conn-wan1 new-routing-mark=route-wan1 passthrough=no
/ip firewall mangle add action=mark-routing chain=prerouting connection-mark=conn-wan2 new-routing-mark=route-wan2 passthrough=no
/ip firewall mangle add action=mark-connection chain=prerouting connection-state=new in-interface=vlan832-orange1 new-connection-mark=conn-wan1 passthrough=yes
/ip firewall mangle add action=mark-connection chain=prerouting connection-state=new in-interface=ether1.wan2 new-connection-mark=conn-wan2 passthrough=yes
/ip firewall mangle add action=mark-routing chain=output connection-mark=conn-wan1 new-routing-mark=route-wan1 passthrough=yes
/ip firewall mangle add action=mark-routing chain=output connection-mark=conn-wan2 new-routing-mark=route-wan2 passthrough=yes
/ip firewall mangle add action=accept chain=prerouting comment="nomark related" connection-mark=no-mark connection-state=established,related
/ip firewall mangle add action=accept chain=prerouting comment="WAN related" connection-state=established,related in-interface-list=WAN
/ip route add check-gateway=ping comment="main recursive" disabled=no distance=3 dst-address=0.0.0.0/0 gateway=1.0.0.1 pref-src="" routing-table=main scope=10 suppress-hw-offload=no target-scope=12
/ip route add comment="main table" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=80.11.60.1 pref-src="" routing-table=route-wan1 scope=10 suppress-hw-offload=no target-scope=12
/ip route add comment="main recursive check1" disabled=no distance=3 dst-address=1.0.0.1/32 gateway=80.11.60.1 pref-src="" routing-table=main scope=10 suppress-hw-offload=no target-scope=11
/ip route add check-gateway=ping comment="main recursive" disabled=no distance=4 dst-address=0.0.0.0/0 gateway=9.9.9.10 pref-src="" routing-table=main scope=10 suppress-hw-offload=no target-scope=12
/ip route add comment="main recursive check2" disabled=no distance=4 dst-address=9.9.9.10/32 gateway=80.11.60.1 pref-src="" routing-table=main scope=10 suppress-hw-offload=no target-scope=11
/ip route add check-gateway=ping comment="main recursive" disabled=no distance=5 dst-address=0.0.0.0/0 gateway=8.8.4.4 pref-src="" routing-table=main scope=10 suppress-hw-offload=no target-scope=12
/ip route add comment="main recursive check3" disabled=no distance=5 dst-address=8.8.4.4/32 gateway=80.11.60.1 pref-src="" routing-table=main scope=10 suppress-hw-offload=no target-scope=11
/ip route add comment=failover disabled=no distance=9 dst-address=0.0.0.0/0 gateway=192.168.6.1 pref-src="" routing-table=main scope=10 suppress-hw-offload=no target-scope=30
/ip route add comment="failover table" disabled=no distance=9 dst-address=0.0.0.0/0 gateway=192.168.6.1 pref-src="" routing-table=route-wan2 scope=10 suppress-hw-offload=no target-scope=30