Muzaki
Frequent Visitor
Topic Author
Posts: 53
Joined: Wed May 13, 2009 3:12 pm
Contact:

"Advanced" Failover

Wed Jan 18, 2023 11:21 pm

Well, I'm not sure I can describe what I want to do on the first try, but I'll try.

I have a customer who will have 2 ISPs active.

They must mainly use ISP1, but ISP2 must be active and must be able to respond to traffic.

If ISP1 stops working, ISP2 should take all traffic.

I have tried to set up a failover as shown in this example:
https://help.mikrotik.com/docs/pages/vi ... d=26476608

I had problems with not getting any traffic out, but then I removed the routing table and mangle! And then failover worked.
/routing/table
add fib name=to_ISP1
add fib name=to_ISP2

/ip/firewall/mangle
add chain=output connection-state=new connection-mark=no-mark action=mark-connection new-connection-mark=ISP1_conn out-interface=ether1
add chain=output connection-mark=ISP1_conn action=mark-routing new-routing-mark=to_ISP1 out-interface=ether1
add chain=output connection-state=new connection-mark=no-mark action=mark-connection new-connection-mark=ISP2_conn out-interface=ether2
add chain=output connection-mark=ISP2_conn action=mark-routing new-routing-mark=to_ISP2 out-interface=ether2
But without mangle and the routing table, the traffic that enters ISP2 will receive a response from ISP1 and then it works poorly.

The reason they need this is because the plan is to put both ISP IP addresses in the DNS A-Record so that if one ISP drops out, the customers will not notice.

Can anyone provide some examples of how to set this up? Or do I have to use 2 routers?

ISP1 = DHCP client
ISP2 = PPPoE, but I can set a manual route, or change to a static IP.

This was written in Norwegian in Google Translate, so all grammar may not be completely correct.
 
anav
Forum Guru
Posts: 19321
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: "Advanced" Failover

Wed Jan 18, 2023 11:42 pm

Sounds good but if this is a simple WAN1 primary to WAN failover, no mangling is required.

The only question I have is WHY is traffic originating on the internet and coming in on WAN2 ???
If WAN1 is the primary WAN all traffic originating from within the router will go out WAN1. There should be no traffic coming in on WAN2 ????

"But without mangle and the routing table, the traffic that enters ISP2 will receive a response from ISP1 and then it works poorly."
 
Muzaki
Frequent Visitor
Topic Author
Posts: 53
Joined: Wed May 13, 2009 3:12 pm
Contact:

Re: "Advanced" Failover

Thu Jan 19, 2023 1:14 am

Sounds good but if this is a simple WAN1 primary to WAN failover, no mangling is required.

The only question I have is WHY is traffic originating on the internet and coming in on WAN2 ???
If WAN1 is the primary WAN all traffic originating from within the router will go out WAN1. There should be no traffic coming in on WAN2 ????

"But without mangle and the routing table, the traffic that enters ISP2 will receive a response from ISP1 and then it works poorly."

Well, that's my challenge. They have services in-house that they access with DNS names. If only one ISP is active, the services will only be accessible when you hit ISP1, and not if you hit ISP2. (A-records are "round-robin"). That's why I need incoming traffic to return to the incoming ISP.
The outgoing traffic should always go to ISP1 if online.

Example:
nslookup service.customer
Name: service.customer
Addresses: ISP1
ISP2

http://service.customer -> ISP1 -> Firewall/NAT -> Service on LAN -> Return Data to ISP1
http://service.customer -> ISP2 -> Firewall/NAT -> Service on LAN -> Return Data to ISP2

In my case it seems to work like this:
http://service.customer -> ISP1 -> Firewall/NAT -> Service on LAN -> Return Data to ISP1
http://service.customer -> ISP2 -> Firewall/NAT -> Service on LAN -> Return Data to ISP1

The same behavior is with ping. It doesn't respond to the correct interface, and then the packet is lost.

It is a bit tricky, but I'm sure it can be solved with the correct firewall / mangle / route settings?
 
Muzaki
Frequent Visitor
Topic Author
Posts: 53
Joined: Wed May 13, 2009 3:12 pm
Contact:

Re: "Advanced" Failover

Thu Jan 19, 2023 10:00 am

Would it be better to use 2 routers?
If I set ISP1 LAN with default gateway and ISP2 with a different IP
(ISP1=192.168.0.1 ISP2=192.168.0.2)
I set up the same firewall rules on both routers.
Will the server then respond to the router that sends incoming data, or will it respond to the standard gateway?

Then I can use the example to create a simple failover from ISP1 to ISP2 by routing data between the routers.

If the ISP2 router becomes defective, I can use Netwatch to change the IP on the ISP2 LAN.

Theoretically, this should perhaps work, if the server sends data back to ISP2 when needed. Does anyone know or is there something I need to figure out?
 
aarntesla
just joined
Posts: 6
Joined: Fri Mar 11, 2022 10:40 pm

Re: "Advanced" Failover

Fri Jan 20, 2023 7:20 am

If you only need backup, you don't need firewall mangle. Add the following:
/ip route
add comment=Check-ISP1 dst-address=208.67.222.222 gateway=192.168.0.1
add comment=Check-ISP2 dst-address=208.67.220.220 gateway=192.168.0.2

add comment=ISP1 disabled=no gateway=192.168.0.1 distance=1
add comment=ISP2 disabled=no gateway=192.168.0.2 distance=2

/tool netwatch
add disabled=no down-script="/ip route set [find comment=ISP1] disabled=yes" host=208.67.222.222 interval=10s test-script="" type=simple up-script="/ip route set [find comment=ISP1] disabled=no"
add disabled=no down-script="/ip route set [find comment=ISP2] disabled=yes" host=208.67.220.220 interval=10s test-script="" type=simple up-script="/ip route set [find comment=ISP2] disabled=no"
 
Muzaki
Frequent Visitor
Topic Author
Posts: 53
Joined: Wed May 13, 2009 3:12 pm
Contact:

Re: "Advanced" Failover

Fri Jan 20, 2023 9:35 am

If you only need backup, you don't need firewall mangle. Add the following:
/ip route
add comment=Check-ISP1 dst-address=208.67.222.222 gateway=192.168.0.1
add comment=Check-ISP2 dst-address=208.67.220.220 gateway=192.168.0.2

add comment=ISP1 disabled=no gateway=192.168.0.1 distance=1
add comment=ISP2 disabled=no gateway=192.168.0.2 distance=2

/tool netwatch
add disabled=no down-script="/ip route set [find comment=ISP1] disabled=yes" host=208.67.222.222 interval=10s test-script="" type=simple up-script="/ip route set [find comment=ISP1] disabled=no"
add disabled=no down-script="/ip route set [find comment=ISP2] disabled=yes" host=208.67.220.220 interval=10s test-script="" type=simple up-script="/ip route set [find comment=ISP2] disabled=no"

Thanks, but my challenge is not only backup. It is to have both working at the same time.
 
holvoetn
Forum Guru
Posts: 5472
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: "Advanced" Failover

Fri Jan 20, 2023 10:43 am

Sounds more like load balancing to me, not failover.
With a heavy bias towards one connection but still it will be load balancing.
No ?
 
Muzaki
Frequent Visitor
Topic Author
Posts: 53
Joined: Wed May 13, 2009 3:12 pm
Contact:

Re: "Advanced" Failover

Fri Jan 20, 2023 3:07 pm

Sounds more like load balancing to me, not failover.
With a heavy bias towards one connection but still it will be load balancing.
No ?

It will be more like load-balancing from WAN to LAN and Failover from LAN to WAN :)
 
anav
Forum Guru
Posts: 19321
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: "Advanced" Failover

Fri Jan 20, 2023 3:13 pm

Well, it's basically ensuring any traffic originating external to the router leaves the router from the same WAN the traffic came in on. Not load balancing.............
Any traffic originating on the router must go out wan1 if available.

Sounds like a mangling mess is required. :-)
 
Muzaki
Frequent Visitor
Topic Author
Posts: 53
Joined: Wed May 13, 2009 3:12 pm
Contact:

Re: "Advanced" Failover

Mon Jan 23, 2023 9:20 am

Well, it's basically ensuring any traffic originating external to the router leaves the router from the same WAN the traffic came in on. Not load balancing.............
Any traffic originating on the router must go out wan1 if available.

Sounds like a mangling mess is required. :-)

You are right, it's a mess :)

I will try with 2 routers first, unless someone can give me an example that will work
 
anav
Forum Guru
Posts: 19321
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: "Advanced" Failover

Mon Jan 23, 2023 3:30 pm

1. Need to mark the incoming traffic as to which WAN it came in on............
/ip firewall mangle
add action=mark-connection chain=prerouting connection-mark=no-mark disabled=no \
    in-interface=ether1 new-connection-mark=WAN1 passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark disabled=no \
    in-interface=ether2 new-connection-mark=WAN2 passthrough=yes

2. The tables.......
/routing table
add fib name=ether1-mark
add fib name=ether2-mark

3. Create a corresponding routing mark for this traffic when it's coming from the LAN ( aka return traffic )
/ip firewall mangle
# in-interface=bridge assumes the LAN is a bridge; use in-interface-list=LAN or the LAN etherX instead (what is the LAN comprised of??)
add action=mark-routing chain=prerouting connection-mark=WAN1 disabled=no in-interface=bridge \
    new-routing-mark=ether1-mark passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN2 disabled=no in-interface=bridge \
    new-routing-mark=ether2-mark passthrough=yes

4. For routing purposes then ( ISP1_GW / ISP2_GW stand for each ISP's gateway IP )
/ip route
add dst-address=0.0.0.0/0 gateway=ISP1_GW routing-table=main distance=2 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=ISP2_GW routing-table=main distance=4
add dst-address=0.0.0.0/0 gateway=ISP1_GW routing-table=ether1-mark
add dst-address=0.0.0.0/0 gateway=ISP2_GW routing-table=ether2-mark


In this way, all traffic originating behind the router will go out WAN1 if it is available, otherwise it will go out WAN2, until WAN1 comes back online.
Any traffic that came in on WAN1 will be marked and then routed accordingly back out WAN1 after hitting the LAN, and the same for WAN2.

Anyway probably not exactly right but that's the gist of it.
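To make the marking logic in the steps above concrete, here is a small Python model added for this thread (it is not RouterOS code and not from any poster): it models connection tracking, the two mangle steps from anav's post and the distance 2/4 default routes (the same failover idea as aarntesla's netwatch post), and shows that without the marks a reply to a connection that arrived on ether2 leaves via ether1, which is the behaviour Muzaki described. Interface, mark and table names are taken from the post above; a LAN bridge called `bridge` is assumed.

```python
from dataclasses import dataclass, field

# Constructed model, not RouterOS code: names follow anav's post.
WAN_MARK = {"ether1": "WAN1", "ether2": "WAN2"}                 # step 1: connection mark per WAN
MARK_TABLE = {"WAN1": "ether1-mark", "WAN2": "ether2-mark"}     # steps 2/3: routing table per mark
TABLE_EXIT = {"ether1-mark": "ether1", "ether2-mark": "ether2"}  # step 4: one default route per table


@dataclass
class Router:
    mangle: bool = True       # are the prerouting mangle rules from steps 1 and 3 installed?
    wan1_up: bool = True      # result of check-gateway=ping on the ISP1 route
    conns: dict = field(default_factory=dict)  # connection tracking: conn id -> connection mark

    def main_table_exit(self) -> str:
        # the distance=2 route via ISP1 is active while its gateway answers pings;
        # when it is down the distance=4 route via ISP2 takes over (plain failover)
        return "ether1" if self.wan1_up else "ether2"

    def forward(self, conn: str, in_iface: str) -> str:
        """Egress interface chosen for one forwarded packet of connection `conn`."""
        mark = self.conns.get(conn)
        if self.mangle:
            # step 1: a new, unmarked connection arriving on a WAN is tagged with that WAN
            if mark is None and in_iface in WAN_MARK:
                mark = self.conns[conn] = WAN_MARK[in_iface]
            # step 3: a packet of a WAN-marked connection coming from the LAN (the
            # server's reply) gets a routing mark, so its lookup uses that WAN's table
            if in_iface == "bridge" and mark in MARK_TABLE:
                return TABLE_EXIT[MARK_TABLE[mark]]
        # everything else (LAN-originated traffic, or no mangle at all) uses table main
        return self.main_table_exit()


def reply_exit(mangle: bool, wan1_up: bool, arrival_iface: str) -> str:
    """Where the LAN server's reply leaves when a client's SYN arrived on `arrival_iface`."""
    r = Router(mangle=mangle, wan1_up=wan1_up)
    r.forward("client-conn", arrival_iface)    # SYN from the internet, dst-nat'ed to the server
    return r.forward("client-conn", "bridge")  # the server's SYN-ACK comes back in from the LAN


def lan_originated_exit(wan1_up: bool) -> str:
    """Where a connection started by a LAN host leaves (failover only, no marks involved)."""
    return Router(mangle=True, wan1_up=wan1_up).forward("lan-conn", "bridge")
```

The model has no output chain because forwarded packets never traverse it; mangle rules placed in chain=output only ever see traffic the router itself originates.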
 
Muzaki
Frequent Visitor
Topic Author
Posts: 53
Joined: Wed May 13, 2009 3:12 pm
Contact:

Re: "Advanced" Failover

Mon Jan 23, 2023 3:43 pm

Thank you.

I have tried the same setup, but it didn't work for me. Maybe I messed something up with mangle from WAN or LAN.

I can't even get this one to work: https://help.mikrotik.com/docs/pages/vi ... d=26476608 when I'm using the routing table and mangle. But if I skip that part, failover works fine.

I have placed another router at the customer, and put a network cable between the new and the old.

When everything is working, traffic is going to the new router. If ISP1 fails, it sends traffic to the old router.
WAN traffic to the old router will be NAT'ed to LAN.

If the new router fails, (PSU fail, Kernel fail etc) then Netwatch will replace IP address on the old router to match default gateway on internal servers and users. (and remove NAT to LAN)

I think this will work :)
 
anav
Forum Guru
Posts: 19321
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: "Advanced" Failover

Mon Jan 23, 2023 4:46 pm

You say you tried the same setup but to me we cannot verify help without facts to work with...........it's pure conjecture.
You should post your config with that configuration and then the evidence will dictate required changes to make it work.

/export file=anynameyouwish ( minus router serial # and any public WANIP information ).
 
Muzaki
Frequent Visitor
Topic Author
Posts: 53
Joined: Wed May 13, 2009 3:12 pm
Contact:

Re: "Advanced" Failover

Tue Jan 24, 2023 11:58 am

You say you tried the same setup but to me we cannot verify help without facts to work with...........it's pure conjecture.
You should post your config with that configuration and then the evidence will dictate required changes to make it work.

/export file=anynameyouwish ( minus router serial # and any public WANIP information ).

I don't have that setup on the customer's router now.
I tried one night when the traffic is low. I took one backup and export before testing, and reverted the changes when it didn't work.
Like I said, I'm not saying that I didn't mess up some mangle rules, but believe me, I tried :)
