broderick
Member Candidate
Topic Author
Posts: 246
Joined: Mon Nov 30, 2020 7:44 pm

MultiWAN setup, pcunite way

Fri Feb 09, 2024 9:50 pm

Hi
I'm trying to learn policy routing and failover, so I read the pcunite article about a multiwan scenario one more time.
I came up with this setup in my GNS3 to give it a go, study it, and dive deeper into it possibly:


[Image: GNS3 topology diagram of the setup]

/interface bridge
add name=BR1 protocol-mode=none
/disk
set slot1 slot=slot1 type=hardware
set slot2 slot=slot2 type=hardware
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=POOL1 ranges=192.168.1.10-192.168.1.20
/ip dhcp-server
add address-pool=POOL1 interface=BR1 name=DHCP1
/port
set 0 name=serial0
/routing table
add disabled=no fib name=ISP1
add disabled=no fib name=ISP2
/interface bridge port
add bridge=BR1 interface=ether3
/ip firewall connection tracking
set loose-tcp-tracking=no
/ip settings
set rp-filter=loose
/interface list member
add interface=ether1 list=WAN
add interface=ether2 list=WAN
add interface=BR1 list=LAN
/ip address
add address=10.1.1.2/24 comment=ISP1_Static interface=ether1 network=10.1.1.0
add address=192.168.1.1/24 comment=MyLAN interface=BR1 network=192.168.1.0
/ip dhcp-client
add add-default-route=no comment=ISP2_Monitor interface=ether2 script=":if (\$\
    bound=1) do={\r\
    \n /ip route set [/ip route find where gateway!=\$\"gateway-address\" and \
    comment~\"ISP2_Monitor\"] gateway=\$\"gateway-address\"\r\
    \n\t:log info \"ISP2_Monitor gateway updated\";\r\
    \n}"
/ip dhcp-server lease
add address=192.168.1.123 client-id=1:0:c:29:c3:55:4b mac-address=\
    00:0C:29:C3:55:4B server=DHCP1
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.1.1 gateway=192.168.1.1
/ip dns
set allow-remote-requests=yes servers=9.9.9.9
/ip firewall mangle
add action=mark-connection chain=prerouting comment=ISP_LIST \
    connection-state=new in-interface=ether1 new-connection-mark=WAN1 \
    passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN1 \
    in-interface-list=LAN new-routing-mark=ISP1 passthrough=yes
add action=mark-connection chain=prerouting connection-state=new \
    in-interface=ether2 new-connection-mark=WAN2 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN2 \
    in-interface-list=LAN new-routing-mark=ISP2 passthrough=yes
add action=mark-connection chain=input connection-state=new in-interface=\
    ether1 new-connection-mark=WAN1 passthrough=yes
add action=mark-routing chain=output connection-mark=WAN1 new-routing-mark=\
    ISP1 passthrough=yes
add action=mark-connection chain=input connection-state=new in-interface=\
    ether2 new-connection-mark=WAN2 passthrough=yes
add action=mark-routing chain=output connection-mark=WAN2 new-routing-mark=\
    ISP2
/ip firewall nat
add action=masquerade chain=srcnat comment="Default masquerade" \
    out-interface-list=WAN
/ip route
add comment=ISP1_Monitor distance=1 dst-address=1.1.1.1 gateway=10.1.1.1 \
    scope=10 target-scope=11
add check-gateway=ping comment=ISP1_GW distance=1 dst-address=0.0.0.0/0 \
    gateway=1.1.1.1 scope=10 target-scope=12
add comment=ISP1_WAN distance=1 dst-address=0.0.0.0/0 gateway=1.1.1.1 \
    routing-table=ISP1 scope=10 target-scope=12
add comment=ISP2_Monitor distance=3 dst-address=8.8.8.8 gateway=10.2.2.1 \
    scope=10 target-scope=11
add check-gateway=ping comment=ISP2_GW distance=3 dst-address=0.0.0.0/0 \
    gateway=8.8.8.8 scope=10 target-scope=12
add comment=ISP2_WAN distance=3 dst-address=0.0.0.0/0 gateway=8.8.8.8 \
    routing-table=ISP2 scope=10 target-scope=12
/routing rule
add action=lookup-only-in-table dst-address=192.168.1.0/24 table=main
add action=lookup-only-in-table dst-address=192.168.2.0/24 table=main
add src-address=192.168.1.123/32
/system identity
set name=MultiWAN_Router_Example1
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=pool.ntp.org
/tool romon
set enabled=yes

To make it simple I modified the pcunite Example1.rsc setup. I deleted the lines related to ISP3 and ISP4.
However, it seems that I missed something to make it work as expected.
The article says, "Server uses IPS2 only - incoming/outgoing rules". What does it mean exactly? The server goes to the internet only via ISP2 (unless failover occurs) and clients from outside connect to the server only via ISP2? Which rules did I miss? And what did I fail to understand?
Moreover, what is this line for?
add action=lookup-only-in-table dst-address=192.168.2.0/24 table=main
Could you help me make complete sense of it and come up with a working setup? Thanks
 
Mesquite
Member
Posts: 420
Joined: Tue Jan 23, 2024 9:16 pm

Re: MultiWAN setup, pcunite way

Fri Feb 09, 2024 10:02 pm

To comment without context would be foolish of me. It is not what you fail to understand, it's what is not articulated in terms of the type of traffic flows YOU NEED.
The article could be talking about different requirements and they will confuse you if not pertinent. You may have copied rules not knowing what their intent/use actually is...

a. Which WAN is primary and which is secondary
b. Do you have any VPN coming into the router or outgoing???
c. Do you have any servers external users use on the LAN, and which WAN do they use?
d. Do you have any exceptions, users or subnets which should use the backup LAN to WAN, vice the primary?

Looking at your script answered one unknown: WAN1 is a fixed static IP, WAN2 is a dynamic IP.
Last edited by Mesquite on Sat Feb 10, 2024 2:36 am, edited 2 times in total.
 
Mesquite
Member
Posts: 420
Joined: Tue Jan 23, 2024 9:16 pm

Re: MultiWAN setup, pcunite way

Fri Feb 09, 2024 10:06 pm

At the moment it's not clear, due to lack of context, why you have mangle rules.
So will focus on the IP routes and recursive to ensure the basic primary failover works.

It would appear this is also botched up.................
The mikrotik article is also very poorly written and they have not fixed it despite pointing out flaws.

The first thing one should do is ensure a solid MAIN TABLE set of routes for the two WANS.

Typically it would be:
add dst-address=0.0.0.0/0 gateway=ISP1 routing-table=main distance=1 check-gateway=ping
add distance=2 dst-address=0.0.0.0/0 gateway=ISP2 routing-table=main


Explanation: We have two routes separated by distance. The router will choose WAN1 due to the shorter distance.
By adding check-gateway, the router will check approx. every 10 secs to see if it is up; two successive failures will cause the route to be marked invalid.
It will continue checking for it to come back up. In the meantime the router will use WAN2 for internet access.

The reason people elect to use recursive routing is that the method solely using check-gateway checks between the router and the ISP, not from the ISP to the internet. Folks want to ensure end to end works: router to internet.
Thus the idea is we set the gateway to an existing internet site (a DNS provider is a good choice) for all traffic. To get there we add another route in between, which says that to reach that address you need to use the gateway of the ISP. Thus the router is forced to ensure it can reach the DNS address through the ISP gateway. There are some semantics about scope and target scope. Suffice to say as we go out from the router the target scope has to increase, and the scope should always be equal to or less than the TS on the same hop. Note: Do not use the same DNS provider for recursive as you use in IP DNS settings.


Example:
add check-gateway=ping dst-address=0.0.0.0/0 gateway=1.1.1.1 scope=10 target-scope=12 comment=WAN1
add dst-address=1.1.1.1/32 gateway=10.1.1.1 scope=10 target-scope=11
add distance=2 dst-address=0.0.0.0/0 gateway=10.2.2.1 *** comment=WAN2


*** Note: the gateway for ISP2 is kept current due to the script you made, as its a dynamic WAN.
Explanation: The only difference here from the first example is now we ensure WAN1 can reach the internet (not just the ISP) with the check-gateway=ping command.

For the last example let's say you want to ensure that the router also checks ISP2 recursively, and let's say you have some dedicated LAN users that access WAN2 primarily, so we want to know, if it goes off-line, when it comes back online so those users can get back on the current WAN (assuming we sent them to WAN1 when WAN2 went down).

add check-gateway=ping dst-address=0.0.0.0/0 gateway=1.1.1.1 scope=10 target-scope=12 comment=WAN1
add dst-address=1.1.1.1/32 gateway=10.1.1.1 scope=10 target-scope=11
add distance=2 check-gateway=ping dst-address=0.0.0.0/0 gateway=9.9.9.9 scope=10 target-scope=12 comment=WAN2
add distance=2 dst-address=9.9.9.9/32 gateway=10.2.2.1 scope=10 target-scope=11


Once we have determined context / requirements, then we can add further routing rules.
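The post above describes three mechanisms in words: distance selects between routes to the same destination, check-gateway=ping takes a route out of service, and a gateway that is not on a connected network is resolved through another route whose scope fits the resolving route's target-scope. The following Python model is an added example (not code from the thread, from pcunite's article or from MikroTik) that applies exactly those rules to the four-route example just given. The connected networks 10.1.1.0/24 and 10.2.2.0/24, the link-up flags and the set of probe targets that "answer" are constructed inputs; the resolver follows the scope/target-scope and most-specific-prefix rule stated in the post, which also makes visible what that rule implies when ether1 itself is down: the 1.1.1.1/32 monitor route cannot resolve, so 1.1.1.1 is looked up through the WAN2 default route (scope 10 fits target-scope 12) and the WAN1 route stays resolvable with 10.2.2.1 as its next hop.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Route:
    dst: str
    gateway: str
    distance: int = 1
    scope: int = 30         # RouterOS default scope for a static route
    target_scope: int = 10  # RouterOS default target-scope
    check_gateway: bool = False
    comment: str = ""


# Constructed: the router's directly connected WAN networks (thread addressing).
CONNECTED = [ip_network("10.1.1.0/24"), ip_network("10.2.2.0/24")]

# The four-route example from the post above.
ROUTES = [
    Route("0.0.0.0/0", "1.1.1.1", distance=1, scope=10, target_scope=12, check_gateway=True, comment="WAN1"),
    Route("1.1.1.1/32", "10.1.1.1", scope=10, target_scope=11),
    Route("0.0.0.0/0", "9.9.9.9", distance=2, scope=10, target_scope=12, check_gateway=True, comment="WAN2"),
    Route("9.9.9.9/32", "10.2.2.1", distance=2, scope=10, target_scope=11),
]


def resolve_nexthop(route, routes, link_up, visited=frozenset()):
    """Immediate next hop (an IP on a connected network) for route, or None.

    A gateway inside a connected network resolves to itself when that link is up.
    Otherwise the gateway is looked up among the other routes whose scope does not
    exceed this route's target-scope, most specific prefix first, recursively.
    """
    if route in visited:            # guard against resolution loops
        return None
    visited = visited | {route}
    gw = ip_address(route.gateway)
    for net in CONNECTED:
        if gw in net:
            return route.gateway if link_up.get(str(net), True) else None
    candidates = sorted(
        (r for r in routes
         if r not in visited and r.scope <= route.target_scope and gw in ip_network(r.dst)),
        key=lambda r: ip_network(r.dst).prefixlen, reverse=True)
    for cand in candidates:
        hop = resolve_nexthop(cand, routes, link_up, visited)
        if hop is not None:
            return hop
    return None


def active_route(dst, routes, link_up, ping_ok):
    """The route that would be installed for dst: lowest distance among routes that
    resolve and, with check-gateway=ping, whose gateway answers (ping_ok is the set
    of gateway IPs currently answering). Returns (route, next_hop) or None."""
    usable = []
    for r in routes:
        if r.dst != dst:
            continue
        hop = resolve_nexthop(r, routes, link_up)
        if hop is None or (r.check_gateway and r.gateway not in ping_ok):
            continue
        usable.append((r, hop))
    return min(usable, key=lambda pair: pair[0].distance, default=None)


def failover_demo():
    """Active default route (comment, next hop) in four constructed situations."""
    both_up = {"10.1.1.0/24": True, "10.2.2.0/24": True}
    out = {}
    # 1. Everything healthy: distance 1 wins.
    out["normal"] = active_route("0.0.0.0/0", ROUTES, both_up, {"1.1.1.1", "9.9.9.9"})
    # 2. ether1 is up but ISP1's upstream is broken: 1.1.1.1 stops answering, the
    #    WAN1 route becomes invalid and the distance-2 route takes over.
    out["isp1_upstream_down"] = active_route("0.0.0.0/0", ROUTES, both_up, {"9.9.9.9"})
    # 3. ether1 is down: the /32 via 10.1.1.1 cannot resolve, so 1.1.1.1 is looked up
    #    through the WAN2 default route (its probe then travels via WAN2 and answers).
    one_down = {"10.1.1.0/24": False, "10.2.2.0/24": True}
    out["isp1_link_down"] = active_route("0.0.0.0/0", ROUTES, one_down, {"1.1.1.1", "9.9.9.9"})
    # 4. Neither probe target answers: no usable default route at all.
    out["both_down"] = active_route("0.0.0.0/0", ROUTES, both_up, set())
    return {k: (v[0].comment, v[1]) if v else None for k, v in out.items()}


def scope_mismatch_demo():
    """Give the WAN1 monitor /32 the static-route default scope of 30: it no longer
    fits the default route's target-scope of 12, so the WAN1 default route silently
    resolves 1.1.1.1 through the WAN2 default route instead. Returns that next hop."""
    bad = [Route("1.1.1.1/32", "10.1.1.1", scope=30, target_scope=11) if r.dst == "1.1.1.1/32" else r
           for r in ROUTES]
    return resolve_nexthop(bad[0], bad, {"10.1.1.0/24": True, "10.2.2.0/24": True})


if __name__ == "__main__":
    for name, result in failover_demo().items():
        print(f"{name:>20}: {result}")
    print("WAN1 next hop with scope=30 monitor route:", scope_mismatch_demo())
```

The third scenario is the one worth checking on a real box: with the WAN1 link physically down, the main table still fails over (traffic leaves via 10.2.2.1 either way), but the WAN1 route itself is not what went invalid, which matters for any routing-table that is pinned to the 1.1.1.1 gateway. The scope demo shows why the post insists on scope being no larger than the target-scope of the route one hop further out: a monitor route that is out of scope is simply ignored during resolution rather than reported as an error.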
 
broderick
Member Candidate
Topic Author
Posts: 246
Joined: Mon Nov 30, 2020 7:44 pm

Re: MultiWAN setup, pcunite way

Sat Feb 10, 2024 2:23 pm


add check-gateway=ping dst-address=0.0.0.0/0 gateway=1.1.1.1 scope=10 target-scope=12 comment=WAN1
add dst-address=1.1.1.1/32 gateway=10.1.1.1 scope=10 target-scope=11
add distance=2 check-gateway=ping dst-address=0.0.0.0/0 gateway=9.9.9.9 scope=10 target-scope=12 comment=WAN2
add distance=2 dst-address=9.9.9.9/32 gateway=10.2.2.1 scope=10 target-scope=11

Where is distance=1 for the primary WAN?

Anyway, as for just recursive failover, my/pcunite setup above (as you can see in the diagram above) works properly.
But I also want traffic from the server IP 192.168.1.123 to always go through ISP2/WAN2 unless it goes down. In that case, it should go temporarily via ISP1/WAN1.
It doesn't happen now; it goes through WAN1.
Thanks
 
Mesquite
Member
Posts: 420
Joined: Tue Jan 23, 2024 9:16 pm

Re: MultiWAN setup, pcunite way

Sat Feb 10, 2024 5:16 pm

As it should work, you copied his config, and it's correct. I attempted to explain it in a bit more detail so that it was hopefully more learning and less copying.
If no distance is explicitly entered, the default is always "1"

You didn't explain yet why you have mangling, or routing rules?
They should be derived from stated requirements and applied depending upon the scenario.

In this case, you are stating you have a LAN server that you wish to ensure works via the backup WAN at all times, unless WAN2 is down and then should work through WAN1.
This assumes the external users will be re-directed to WAN1, somehow if WAN2 is not available ( this is not done by the router ) so assuming you have WAN2 (dynamic IP) assigned to some dyndns URL that users have been given --> ex. BobsServer.net:port#
 
Mesquite
Member
Member
Posts: 420
Joined: Tue Jan 23, 2024 9:16 pm

Re: MultiWAN setup, pcunite way

Sat Feb 10, 2024 5:24 pm

To ensure that external user traffic TO the LAN server coming in on WAN2 goes back out WAN2, we have to mark the traffic coming in on WAN2 and ensure that the return traffic with those marks is routed out WAN2.

In the backup case, where WAN1 takes over (WAN2 is down), we don't have a similar concern because
a. WAN1 is the only WAN
b. WAN1 is the primary WAN.

The issue also affects our Main Table Routing. Since we want WAN2 users to go back to WAN2 to reach the LAN when WAN2 comes back online, we need to ensure we have check-gateway=ping for WAN2. The good news is that is already done in your config!!

Therefore at a minimum we need to mark the traffic coming in WAN2, create a table for WAN2, and create an IP route for that marked traffic.
You have it mostly done.
-->You do not need to modify distance for a different table; it's unique, and unless you have multiple routes using the new table there is no need to put distance.
-->The gateway should be the ISP2 gateway. Recursive is done on the main table to establish connectivity to the WWW, not needed on other tables.

The table needed: add disabled=no fib name=ISP2
The IP route needed: add comment=ISP2_Monitor dst-address=0.0.0.0/0 gateway=10.2.2.1 \
routing-table=ISP2 scope=10 target-scope=12


Note: We have to ensure as in the main table routes, that your script for ISP2 updates all the IP routes using WAN2 gateway IP hence the comment change!

Finally the mangling for WAN2............
The idea being that we want to mark all new connections originating externally coming into WAN2. (Typically these are either to the router itself (VPN services) or to a LAN server.) What connection marking does is mark the entire connection (all the traffic) with the same assigned mark, which can then be used in all kinds of MikroTik rules.
We use connection-mark=no-mark to restrict the LAN traffic to only those connections with the marks given on the inbound, so that eliminates other LAN traffic, or any inbound traffic hitting the LAN from WAN1 and its return traffic, from being route-marked by the second rule. The route marking marks each packet in the connection and stays there until its outcome is decided by the routing table. We use passthrough=no like it's an accept rule, in that we don't want that traffic to touch any other mangle rules.

/ip firewall mangle
add chain=forward action=mark-connection connection-mark=no-mark \
in-interface=WAN2 new-connection-mark=WAN-to-Server passthrough=yes
add chain=prerouting action=mark-routing connection-mark=WAN-to-Server in-interface-list=LAN \
new-routing-mark=ISP2 passthrough=no


DONE: Traffic heading to the server via WAN2 will hit the server and then go back out WAN2.
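To see why those two mangle rules are enough for the inbound case, and why they do not change where the server's own outbound connections go (the behaviour the topic author reported), here is an added packet-walk model in Python. It is not code from the thread or from RouterOS; it simulates only the pieces involved: a connection-tracking table, the two mangle rules above, the routing decision with a routing-mark, and two routing tables. The interface names, the server address 192.168.1.123 and the ISP2 gateway 10.2.2.1 are the thread's; the external addresses 203.0.113.5 and 198.51.100.7 are constructed, dst-nat towards the server is not modelled, and a marked lookup whose table has no active route is assumed to fall back to main (the fallback the backup case in the post relies on).

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

LAN_NET = ip_network("192.168.1.0/24")
LAN_IFACES = {"BR1"}       # members of interface list LAN in the thread's config
WAN2_IFACE = "ether2"      # the interface the post calls WAN2
SERVER = "192.168.1.123"

# Constructed outcome of the routing tables discussed earlier: main currently
# prefers WAN1, table ISP2 carries the default route via the ISP2 gateway.
# None means the table has no active default route at the moment.
TABLES_NORMAL = {"main": ("10.1.1.1", "ether1"), "ISP2": ("10.2.2.1", "ether2")}
TABLES_ISP2_DOWN = {"main": ("10.1.1.1", "ether1"), "ISP2": None}


@dataclass
class Packet:
    in_iface: str
    src: str
    dst: str
    routing_mark: Optional[str] = None


class Router:
    def __init__(self, tables):
        self.tables = tables
        self.conntrack = {}  # unordered endpoint pair -> connection mark (None = no-mark)

    def handle(self, pkt):
        """Walk one forwarded packet through prerouting mangle, the routing
        decision and forward mangle, in that order. Returns the egress interface."""
        key = frozenset((pkt.src, pkt.dst))
        mark = self.conntrack.setdefault(key, None)

        # add chain=prerouting action=mark-routing connection-mark=WAN-to-Server
        #     in-interface-list=LAN new-routing-mark=ISP2 passthrough=no
        if pkt.in_iface in LAN_IFACES and mark == "WAN-to-Server":
            pkt.routing_mark = "ISP2"

        # Routing decision: LAN destinations go to the bridge; otherwise use the
        # marked table when it has an active route (assumed fallback: main).
        if ip_address(pkt.dst) in LAN_NET:
            egress = "BR1"
        else:
            table = pkt.routing_mark if self.tables.get(pkt.routing_mark) else "main"
            egress = self.tables[table][1]

        # add chain=forward action=mark-connection connection-mark=no-mark
        #     in-interface=WAN2 new-connection-mark=WAN-to-Server passthrough=yes
        if pkt.in_iface == WAN2_IFACE and mark is None:
            self.conntrack[key] = "WAN-to-Server"
        return egress


def demo():
    """Egress interface for four constructed packets; see the comments."""
    client = "203.0.113.5"  # constructed external client address
    r = Router(TABLES_NORMAL)
    result = {}
    # 1. Client reaches the server through WAN2; the forward rule marks the connection.
    result["inbound"] = r.handle(Packet(WAN2_IFACE, client, SERVER))
    # 2. The server's reply comes in from the LAN: the connection carries the mark, so
    #    it is route-marked ISP2 and leaves via ether2 although main prefers WAN1.
    result["reply"] = r.handle(Packet("BR1", SERVER, client))
    # 3. A connection the server opens itself is unmarked and follows main to WAN1.
    result["server_outbound"] = r.handle(Packet("BR1", SERVER, "198.51.100.7"))  # constructed peer
    # 4. Same inbound connection, but table ISP2 has lost its route: the reply falls
    #    back to main and leaves via WAN1 (the backup case in the post above).
    r2 = Router(TABLES_ISP2_DOWN)
    r2.handle(Packet(WAN2_IFACE, client, SERVER))
    result["reply_when_isp2_down"] = r2.handle(Packet("BR1", SERVER, client))
    return result


if __name__ == "__main__":
    for name, iface in demo().items():
        print(f"{name:>20}: {iface}")
```

Case 3 is the point to keep in mind when reading "DONE": connection marking only ever catches connections that began on WAN2, so a connection the server itself initiates never receives the mark and is routed by whatever the main table (or a routing rule for the server's source address) says.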
