computman
just joined
Topic Author
Posts: 5
Joined: Sat May 21, 2022 4:28 pm
Location: France

Double Failover WAN

Mon May 23, 2022 2:28 am

Hello

I have spent time trying to understand how to configure my double WAN in failover "mode"

I have 1 LAN : 172.16.0.0/24
2 WAN :
  • 1 with double NAT : 10.16.0.1 (Router IP 10.16.0.6 in DMZ)
  • 1 with DHCP : 92.188.3.254 (I can't ping it)
Image

I have found the tutorial https://help.mikrotik.com/docs/pages/vi ... d=26476608 but this does not seem to work for me.

I can't ping the gateway of my ISP 2, no answer
I can't remove my ISP1 BOX and I can't bridge it

Here is my config file : https://pastebin.com/QKZc0TLb

Here is how the routes react
Image


How can I configure my Mikrotik to have a more efficient failover than the distance=1 & 2 ?
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Double Failover WAN

Mon May 23, 2022 4:02 am

The first two points are really about not understanding why you are hiding private IPs that have no bearing on security?
For all we know 172 etc. is not even the private IP you use, not that it matters an iota.

(1) First issue I see is that your private IP lan address has the letter z in it instead of a number?
/ip address
add address=172.16.0.z/24 interface="sfp-sfpplus1 - LAN" network=172.16.0.0

(2) Second issue is really more of the same for dhcp server on a private lan subnet............
/ip dhcp-server network
add address=172.16.0.0/24 dns-server=172.16.0.z domain=home.local.lan \
gateway=172.16.0.z netmask=24 ntp-server=172.16.0.yyy

(3) Don't like your nomenclature usage for firewall list called WANs, a tad confusing to say the least.

(4) Don't like your nomenclature usage for firewall list called LANs, a tad confusing.

(5) Don't support silly usage of firewall address list instead of the simpler choices. There is no need!
a. src-address=172.16.0.0/24 OR
b. interface="sfp-sfpplus1 - LAN" OR
c. in-interface-list=LAN

Firewall address lists are best to capture a group of IPs less than a full subnet, or bunch of IPs from different subnets or either of those in conjunction with subnets ( a mix of both ).
If one had a group of subnets, then use interface lists...............

(6) Should state the firewall rules are crap..........
For example instead of all the frivolous icmp rules simply have one rule.
add chain=input action=accept protocol=icmp

At the end of the input chain you should put a block all else rule.........

Use the basic firewall here and add any specific accept traffic required.........
viewtopic.php?t=180838

It seems you do have a drop all rule at the end of the forward chain making all your drop rules prior to that redundant, and messy.

(7) You are mangling for hairpin nat so very curious as to which WANIP is involved in this setup (telling users to go to which WAN for the server vice the LANIP directly).

(8) Mangling and fasttrack do not mix well.

(9) What in tarnation does this rule accomplish............
add action=masquerade chain=srcnat comment="Hairpin NAT" connection-mark=\
"Hairpin NAT"

(10) The dst-nat and ip routes also look screwy.

In conclusion you have cobbled together a messy config that seems bloated and pulled together from various youtube adventures with very little understanding of what has been configged.
The config is overly complex due to the unnecessary garbage added without confirming the basic connectivity you need works first.
Simple firewall, simple routes, basic source-nat and basic destination nat, (see if everything works then start adding).

- which wanip is used by external users to reach your server
- which wanip is used by internal users to reach your server (otherwise hairpin nat is not required).

Assuming you have fixed private WANIP on WAN1, just use a fake one to display it on the config here...... so it's clear which one it is throughout the config.
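
Point (6) in the post above rests on first-match rule ordering: a chain that ends in a catch-all drop already discards whatever no earlier accept rule matched. The Python sketch below is an added example, not part of the thread and not the poster's configuration; it parses a constructed RouterOS-style export and reports whether a chain ends in a drop-all and which drop rules after the last accept are covered by it. The sample rules and function names are assumptions made for illustration.

```python
import re
import shlex

# Constructed sample in RouterOS export style; not the poster's configuration.
SAMPLE_EXPORT = """\
/ip firewall filter
add chain=input action=accept connection-state=established,related
add chain=input action=accept protocol=icmp
add chain=forward action=accept connection-state=established,related
add chain=forward action=drop connection-state=invalid
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN
add chain=forward action=drop protocol=tcp dst-port=23 comment="no telnet"
add chain=forward action=drop src-address-list=blocked
add chain=forward action=drop
"""

def parse_filter_rules(export):
    """Return the 'add' lines under /ip firewall filter as dicts, in order."""
    rules, in_filter = [], False
    for line in re.sub(r"\\\n\s*", "", export).splitlines():  # join "\" continuations
        line = line.strip()
        if line.startswith("/"):
            in_filter = (line == "/ip firewall filter")
        elif in_filter and line.startswith("add "):
            rule = dict(t.split("=", 1) for t in shlex.split(line[4:]) if "=" in t)
            rule.setdefault("action", "accept")  # accept is the default filter action
            rules.append(rule)
    return rules

def is_catch_all(rule):
    """A rule with no matchers (only chain/action/comment) matches every packet."""
    return not (set(rule) - {"chain", "action", "comment"})

def audit_chain(rules, chain):
    """Return (ends_in_drop_all, drops made redundant by that final drop-all)."""
    chain_rules = [r for r in rules if r.get("chain") == chain]
    last = chain_rules[-1] if chain_rules else None
    ends_in_drop_all = last is not None and last["action"] == "drop" and is_catch_all(last)
    redundant = []
    if ends_in_drop_all:
        # Walk back from the end: a drop followed only by drops changes nothing,
        # because traffic it does not match reaches the drop-all anyway.
        for rule in reversed(chain_rules[:-1]):
            if rule["action"] != "drop":
                break  # a drop placed before an accept can still change the outcome
            redundant.insert(0, rule)
    return ends_in_drop_all, redundant
```

On the constructed sample, the input chain is reported as missing its final drop, and only the two forward-chain drops after the last accept are flagged; the drop for invalid connections sits before an accept and is left alone.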
 
computman
just joined
Topic Author
Posts: 5
Joined: Sat May 21, 2022 4:28 pm
Location: France

Re: Double Failover WAN

Wed May 25, 2022 1:29 am

Thank you for your time answering me, very informative feedback

Here is my new configuration : https://pastebin.com/DWmAiYV2

The double failover WAN topic has also not been discussed yet
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Double Failover WAN

Wed May 25, 2022 11:12 am

Finally, welcome to the forum ;)
I moved all previous @computman2 topics and posts to @computman
I hope you can have the best from this forum, and help the others.

Thanks 8)
 
computman
just joined
Topic Author
Posts: 5
Joined: Sat May 21, 2022 4:28 pm
Location: France

Re: Double Failover WAN

Wed May 25, 2022 2:31 pm

> Finally, welcome to the forum ;)
> I moved all previous @computman2 topics and posts to @computman
> I hope you can have the best from this forum, and help the others.
>
> Thanks 8)

I have noticed your action and I thank you very much :)

Now I can focus on my failover configuration :)
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Double Failover WAN

Wed May 25, 2022 2:37 pm

If you can use two DHCP clients inside the RouterBOARD:

viewtopic.php?f=13&t=176956&p=868082#p868082
 
computman
just joined
Topic Author
Posts: 5
Joined: Sat May 21, 2022 4:28 pm
Location: France

Re: Double Failover WAN

Wed May 25, 2022 2:51 pm

> If you can use two DHCP clients inside the RouterBOARD:
>
> viewtopic.php?f=13&t=176956&p=868082#p868082

"This works only on 6.46.8+ and not in v7+"

As I'm in 7+... #sad
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Double Failover WAN

Wed May 25, 2022 3:08 pm

It is the same on v7, but for now I do not play with "scope and distance"; search for the right values for scope and distance for dedicated failover on v7,
but the example is working
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Double Failover WAN

Wed May 25, 2022 4:31 pm

No worries, if you had been curious, the link I provided you also has a link to the overarching topic.........
...........
In any case, here as well - Para I applies (and possibly J-L as well) - viewtopic.php?t=182373