
 
dakotabcn
newbie
Topic Author
Posts: 29
Joined: Thu Apr 21, 2016 11:16 pm

load balancing with fail over, added backup line 4G

Fri Jul 05, 2019 11:57 am

Hello
I have an RB1100AHx4 doing load balancing across 2 symmetrical 300 Mb FTTH lines. The client has asked us whether it is possible to install a 4G backup so that, in case of failure, the backup is activated only for an RDP connection to a cloud.
Currently the load balancing has an automatic failover that notifies us by mail when a line goes down. I'm looking at how to activate the backup if both lines go down, but I'm looking at examples and I do not know how to apply them. Does anyone have experience with this?
Summarizing: activate the 4G backup in case of failure of the two FTTH lines, and ONLY allow RDP to the cloud.
 
sebastia
Forum Guru
Posts: 1664
Joined: Tue Oct 12, 2010 3:23 am
Location: Antwerp, BE

Re: load balancing with fail over, added backup line 4G

Sun Jul 07, 2019 12:42 am

Hey

You're mangling now for connection / routing mark, and you've set up separate routing tables for each mark. Right?

Then just have all three routes in the tables
T1
Wan1 distance 1
Wan2 distance 2
4G distance 3

T2
Wan2 distance 1
Wan1 distance 2
4G distance 3

In filter:forward you would want to filter traffic over out-interface=4G to be RDP only (+technical traffic: ping, dns, ...).
 
dakotabcn
newbie
Topic Author
Posts: 29
Joined: Thu Apr 21, 2016 11:16 pm

Re: load balancing with fail over, added backup line 4G

Tue Jul 09, 2019 11:58 am

Hey Sebastian

This is my actual config; the 4G is not installed:
(I have deleted/modified non-essential info for security reasons)

# model = RB1100x4

/interface bridge
add name=DMZ
add name=LAN

/interface ethernet
set [ find default-name=ether1 ] name=ISP1 speed=100Mbps
set [ find default-name=ether2 ] name=ISP2 speed=100Mbps

/interface list
add name=WAN

/interface bridge port
add bridge=LAN interface=ether12

/interface list member
add interface=ISP1 list=WAN
add interface=ISP2 list=WAN

/ip firewall address-list
add address=192.168.xx.xxx disabled=yes list=ExclusionBalanceoISP1
add address=192.168.xx.xxx disabled=yes list=ExclusionBalanceoISP2
add address=192.168.xxx.0/24 list=RedLocal

/ip firewall mangle
add action=mark-routing chain=prerouting comment=\
"EXCLUSION DEL BALANCEO SALIENDO POR ISP1" new-routing-mark=to_ISP1 \
passthrough=no src-address-list=ExclusionBalanceoISP1
add action=mark-routing chain=prerouting comment=\
"EXCLUSION DEL BALANCEO SALIENDO POR ISP2" new-routing-mark=to_ISP2 \
passthrough=no src-address-list=ExclusionBalanceoISP2
add action=mark-connection chain=prerouting comment="REGLAS BALANCEO " \
connection-mark=no-mark in-interface=ISP1 new-connection-mark=ISP1_conn \
passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
in-interface=ISP2 new-connection-mark=ISP2_conn
add action=mark-connection chain=prerouting connection-mark=no-mark \
dst-address-type=!local in-interface=LAN new-connection-mark=ISP1_conn \
passthrough=yes per-connection-classifier=both-addresses:2/0
add action=mark-connection chain=prerouting connection-mark=no-mark \
dst-address-type=!local in-interface=LAN new-connection-mark=ISP2_conn \
passthrough=yes per-connection-classifier=both-addresses:2/1
add action=mark-routing chain=prerouting connection-mark=ISP1_conn \
in-interface=LAN new-routing-mark=to_ISP1 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=ISP2_conn \
in-interface=LAN new-routing-mark=to_ISP2
add action=mark-routing chain=output connection-mark=ISP1_conn \
new-routing-mark=to_ISP1
add action=mark-routing chain=output connection-mark=ISP2_conn \
new-routing-mark=to_ISP2

/ip firewall nat
add action=masquerade chain=srcnat out-interface=ISP1
add action=masquerade chain=srcnat out-interface=ISP2

/ip route
add check-gateway=ping distance=1 gateway=1.1.1.1 routing-mark=to_ISP1
add check-gateway=ping comment="Recursiva - WAN1" distance=1 gateway=1.1.1.1 \
routing-mark=to_ISP1
add check-gateway=ping distance=2 gateway=8.8.8.8 routing-mark=to_ISP1
add check-gateway=ping comment="Recursive - WAN2" distance=1 gateway=8.8.8.8 \
routing-mark=to_ISP2
add check-gateway=ping distance=1 gateway=1.1.1.1 routing-mark=to_ISP2
add check-gateway=ping distance=2 gateway=8.8.8.8 routing-mark=to_ISP2
add check-gateway=ping comment="Recursive - Default" distance=1 gateway=\
1.1.1.1
add check-gateway=ping comment="Recursive - Default" distance=2 gateway=\
8.8.8.8
add comment="Recursive - to_WAN1" distance=1 dst-address=1.1.1.1/32 gateway=\
192.168.6.1 scope=10
add distance=1 dst-address=1.1.1.1/32 gateway=192.168.16.1 scope=10
add comment="Recursive - to_WAN2" distance=1 dst-address=8.8.8.8/32 gateway=\
192.168.19.1 scope=10
add distance=1 dst-address=8.8.8.8/32 gateway=192.168.19.1 scope=10

/system scheduler
add comment="This will run after 4 mins" interval=5m name=ISP1 on-event="/syst\
em scheduler set [find name=checker] disabled=yes\r\
\n:local pinged [/ping address=8.8.8.8 count=5 interface=ISP1 size=50]\r\
\n:if ((\$pinged=0)) do={\r\
\n#send email\r\
\n/tool e-mail send subject=(\"alerta: Fibra ISP1 caida\") \\\r\
\nbody=(\"LA LINEA ISP1 ESTA CAIDA DESDE \" . [/system clock get time]) \\\
\r\
\nto=(\"XXXXXXX@XXXX.ES\")\r\
\n/system scheduler set [find name=backupwan] disabled=no\r\
\n}\r\
\n" policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-date=jun/21/2019 start-time=17:31:44
add comment="This will run after 4 mins" interval=5m name=ISP2 on-event="/syst\
em scheduler set [find name=checker] disabled=yes\r\
\n:local pinged [/ping address=8.8.8.8 count=5 interface=ISP2 size=50]\r\
\n:if ((\$pinged=0)) do={\r\
\n#send email\r\
\n/tool e-mail send subject=(\"alerta: Fibra ISP1 caida\") \\\r\
\nbody=(\"LA LINEA ISP1 ESTA CAIDA DESDE \" . [/system clock get time]) \\\
\r\
\nto=(\"XXXXXXX@XXXX.ES\")\r\
\n/system scheduler set [find name=backupwan] disabled=no\r\
\n}\r\
\n" policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-date=jun/21/2019 start-time=20:21:53


My work approach is the following:
- Create the BKPG4 interface on ETH3
- Monitor via script or another process that the ping responds on ISP1 or ISP2 (could the interface list WAN be useful?)
- If the ping does not respond on ISP1 and ISP2, automatically activate BKPG4 and activate a rule that only allows traffic to the external Citrix IP (I have to determine whether it is one IP or a range of IPs), with DNS still working. Mail, web and other services should not work, since nothing other than the Citrix IPs and DNS is allowed. We should also send the MKT an email notifying of this so that the necessary measures can be taken
- When ISP1 or ISP2 comes back up, disable the blocking rule so that normal Internet works again

I have the idea of using netwatch; I have seen some scripts and it seems the best solution, although I do not know how to apply the first part, the monitoring. If I saw some examples that were similar, I would look to set up a system for what they are asking of me.

Regards
 
sebastia
Forum Guru
Posts: 1664
Joined: Tue Oct 12, 2010 3:23 am
Location: Antwerp, BE

Re: load balancing with fail over, added backup line 4G

Thu Jul 11, 2019 2:14 pm

Regarding config (didn't review it all, just relevant part for this topic)
# you probably don't want "passthrough" here
add action=mark-connection chain=prerouting comment="REGLAS BALANCEO " \
connection-mark=no-mark in-interface=ISP1 new-connection-mark=ISP1_conn \
passthrough=yes
add action=mark-routing chain=prerouting connection-mark=ISP1_conn \
in-interface=LAN new-routing-mark=to_ISP1 passthrough=yes
Scripting is one possibility, another is this https://wiki.mikrotik.com/wiki/Advanced ... _Scripting. -> already implemented for isp1 & 2, just add route for 4G to both to_isp1 & to_isp2 tables.
That filter rule for traffic over LTE can be always active: in filter:forward, out-interface=<4G> ...

You have duplicate + typo? routings -> best to remove them
/ip route
add check-gateway=ping                            distance=1 gateway=1.1.1.1 routing-mark=to_ISP1
add check-gateway=ping comment="Recursiva - WAN1" distance=1 gateway=1.1.1.1 routing-mark=to_ISP1
add check-gateway=ping                            distance=2 gateway=8.8.8.8 routing-mark=to_ISP1
add check-gateway=ping comment="Recursive - WAN2" distance=1 gateway=8.8.8.8 routing-mark=to_ISP2
add check-gateway=ping                            distance=1 gateway=1.1.1.1 routing-mark=to_ISP2
add check-gateway=ping                            distance=2 gateway=8.8.8.8 routing-mark=to_ISP2
add check-gateway=ping comment="Recursive - Default" distance=1 gateway=1.1.1.1
add check-gateway=ping comment="Recursive - Default" distance=2 gateway=8.8.8.8
add comment="Recursive - to_WAN1" distance=1 dst-address=1.1.1.1/32 gateway=192.168.6.1 scope=10
add                               distance=1 dst-address=1.1.1.1/32 gateway=192.168.16.1 scope=10
add comment="Recursive - to_WAN2" distance=1 dst-address=8.8.8.8/32 gateway=192.168.19.1 scope=10
add                               distance=1 dst-address=8.8.8.8/32 gateway=192.168.19.1 scope=10
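
The approach from the two replies above (a distance=3 4G route in both the to_ISP1 and to_ISP2 tables, plus an always-active forward filter on the 4G interface), written out as an added example that is not from any poster in the thread. The interface name BKPG4 on ether3 follows the plan in the question; the gateway 192.0.2.1, the CloudRDP list and the host 203.0.113.10 are placeholder assumptions, and BKPG4 is assumed to already have an address in the modem's subnet.

```routeros
# Added example, RouterOS v6 syntax to match the exported config in the thread.
# Placeholders (documentation addresses, replace with real values):
#   192.0.2.1     = 4G modem gateway
#   203.0.113.10  = cloud RDP host

/interface ethernet
set [ find default-name=ether3 ] name=BKPG4

/ip firewall address-list
add address=203.0.113.10 list=CloudRDP comment="placeholder RDP host"

/ip firewall nat
add action=masquerade chain=srcnat out-interface=BKPG4

# Last-resort routes: they only become active when the distance 1 and
# distance 2 routes of the same table are both down (check-gateway fails).
/ip route
add comment="4G backup - to_ISP1" distance=3 gateway=192.0.2.1 routing-mark=to_ISP1
add comment="4G backup - to_ISP2" distance=3 gateway=192.0.2.1 routing-mark=to_ISP2
add comment="4G backup - main table" distance=3 gateway=192.0.2.1

# Always-active egress policy for the 4G link. The rules match every packet
# leaving via BKPG4, so no established/related shortcut is used here.
# They must sit ABOVE any generic accept (established/related, fasttrack)
# in the forward chain, otherwise that rule lets other traffic out first.
/ip firewall filter
add action=accept chain=forward out-interface=BKPG4 protocol=tcp dst-port=3389 \
    dst-address-list=CloudRDP comment="4G: RDP to cloud host only"
add action=accept chain=forward out-interface=BKPG4 protocol=udp dst-port=53 \
    comment="4G: DNS"
add action=accept chain=forward out-interface=BKPG4 protocol=tcp dst-port=53 \
    comment="4G: DNS over TCP"
add action=accept chain=forward out-interface=BKPG4 protocol=icmp \
    comment="4G: ping"
add action=drop chain=forward out-interface=BKPG4 log=yes log-prefix="4G-DROP" \
    comment="4G: everything else stays off the backup line"
```

Because the filter keys on out-interface, it needs no script to switch it on or off at failover, and the 4G-DROP log entries show which hosts tried to use the backup line.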
