Mikrotik 2 wan failover


How to set up failover between 2 WAN links on Mikrotik

Main WAN link – Prov1
Backup (reserve) WAN link – Prov2

What we want:
Two WAN links working at the same time: the Mikrotik itself and any published services are reachable on both WAN links independently.
Users reach the Internet through the main WAN link and, if it fails, through the backup WAN link.

 

(Figure: mikrotik 2 wan failover)

The theoretical basis:
Mark incoming connections so that we can track which link they arrived on: if a request came in via Prov1, the reply is sent out via Prov1.
Two default routes with different "weights" (Distance), and a script that switches the Distance depending on the state of the link.
Do not mess with the routing tables.

What to do (settings as they appear in WinBox / the web interface):

1. IP->Routes

Two default routes (Dst. Address 0.0.0.0/0) with Comment "Prov1" and "Prov2" respectively (the script finds the routes by these comments), with Distance 1 for the main WAN and 2 for the backup WAN.

2. IP->Firewall->Mangle

add the following connection-marking rules above all other rules:

General
Chain: prerouting
Dst. Address: [ip Prov1]
In. Interface: [Prov1 interface]

Action
Action: mark_connection
New Connection Mark: Prov1_c
Passthrough: yes

 

General
Chain: prerouting
Dst. Address: [ip Prov2]
In. Interface: [Prov2 interface]

Action
Action: mark_connection
New Connection Mark: Prov2_c
Passthrough: yes

To be safe, duplicate these rules in chain = input.

3. IP->Routes

Add two default routes, as in step 1, but without the Comment, and with Routing Mark Prov1 for the primary WAN and Prov2 for the backup WAN. Distance = 1.

These routes only take effect once we direct the right traffic to them with route rules, which we create in step 4.

 

4. IP->Routes->Rules

Create rules that send marked connections to the appropriate routing table:

Src. Address: [ip Prov1]
Dst. Address: 0.0.0.0/0
Routing Mark: Prov1_r
Action: lookup only in table
Table: Prov1

 

Src. Address: [ip Prov2]
Dst. Address: 0.0.0.0/0
Routing Mark: Prov2_r
Action: lookup only in table
Table: Prov2

And, in case the traffic is not marked:

Src. Address: [ip Prov1]
Dst. Address: 0.0.0.0/0
Action: lookup
Table: Prov1

 

Src. Address: [ip Prov2]
Dst. Address: 0.0.0.0/0
Action: lookup
Table: Prov2

5. IP->Firewall->Mangle

After the connection-marking rules, add rules that set a routing mark on the marked connections:

General
Chain: prerouting
Connection Mark: Prov1_c

Action
Action: mark routing
New Routing Mark: Prov1_r
Passthrough: yes

 

General
Chain: prerouting
Connection Mark: Prov2_c

Action
Action: mark routing
New Routing Mark: Prov2_r
Passthrough: yes

Duplicate it for chain = output:

General
Chain: output
Connection Mark: Prov1_c
Action
Action: mark routing
New Routing Mark: Prov1_r
Passthrough: yes

 

General
Chain: output
Connection Mark: Prov2_c
Action
Action: mark routing
New Routing Mark: Prov2_r
Passthrough: yes

6. IP->Firewall->NAT

Two rules for masquerading two outgoing interfaces:

General
Chain: srcnat
Out. Interface: [Prov1 interface]
Action
Action: masquerade

 

General
Chain: srcnat
Out. Interface: [Prov2 interface]
Action
Action: masquerade

 

Optionally, port-forwarding rules for DMZ services, in two versions: one per provider.

After these settings everything should work: the Mikrotik itself and the configured port forwarding must be reachable on both WAN links independently.
If something does not work, look carefully at the routing tables and route rules. The mangle rules themselves only set marks,
so if something stops working when a mangle rule is turned on or off, do not blame the mangle rule itself but the rule that uses the mark it supplies (or the absence of that mark).

Do not forget to check that Connection Tracking is enabled: IP->Firewall->Connections->Tracking, Enabled = yes
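Steps 1 to 6 above, written out as RouterOS v6 terminal commands. This is an added example, not a configuration export from the original post. Interface names match the failover script further down (ether1-Prov1, ether2-Prov2); all addresses are constructed placeholders from the documentation ranges: 203.0.113.10 (gateway 203.0.113.1) stands for [ip Prov1], 198.51.100.10 (gateway 198.51.100.1) for [ip Prov2], 192.168.1.0/24 for the LAN and 192.168.1.10 for a DMZ host. The two LAN route rules are not in the steps above; they are the ones reported in the comments as needed for forwarded (DMZ) traffic. Rules are appended in the order given, so on a router that already has mangle rules the mark-connection rules must end up at the top, as step 2 says.

```routeros
# Added example: steps 1-6 as terminal commands. Addresses are constructed placeholders.
# Step 1: two default routes, found later by the script via their comments
/ip route
add dst-address=0.0.0.0/0 gateway=203.0.113.1 distance=1 comment="Prov1"
add dst-address=0.0.0.0/0 gateway=198.51.100.1 distance=2 comment="Prov2"
# Step 3: the same gateways again, each in its own routing table (Routing Mark = table name)
add dst-address=0.0.0.0/0 gateway=203.0.113.1 distance=1 routing-mark=Prov1
add dst-address=0.0.0.0/0 gateway=198.51.100.1 distance=1 routing-mark=Prov2

# Step 2: mark each connection with the WAN it arrived on (keep these above all other mangle rules)
/ip firewall mangle
add chain=prerouting in-interface=ether1-Prov1 dst-address=203.0.113.10 action=mark-connection new-connection-mark=Prov1_c passthrough=yes
add chain=prerouting in-interface=ether2-Prov2 dst-address=198.51.100.10 action=mark-connection new-connection-mark=Prov2_c passthrough=yes
add chain=input in-interface=ether1-Prov1 dst-address=203.0.113.10 action=mark-connection new-connection-mark=Prov1_c passthrough=yes
add chain=input in-interface=ether2-Prov2 dst-address=198.51.100.10 action=mark-connection new-connection-mark=Prov2_c passthrough=yes
# Step 5: turn the connection mark into a routing mark, for forwarded replies (prerouting)
# and for the router's own replies (output)
add chain=prerouting connection-mark=Prov1_c action=mark-routing new-routing-mark=Prov1_r passthrough=yes
add chain=prerouting connection-mark=Prov2_c action=mark-routing new-routing-mark=Prov2_r passthrough=yes
add chain=output connection-mark=Prov1_c action=mark-routing new-routing-mark=Prov1_r passthrough=yes
add chain=output connection-mark=Prov2_c action=mark-routing new-routing-mark=Prov2_r passthrough=yes

# Step 4: send marked (and, as a fallback, unmarked) traffic from each WAN address to its own table
/ip route rule
add src-address=203.0.113.10/32 dst-address=0.0.0.0/0 routing-mark=Prov1_r action=lookup-only-in-table table=Prov1
add src-address=198.51.100.10/32 dst-address=0.0.0.0/0 routing-mark=Prov2_r action=lookup-only-in-table table=Prov2
add src-address=203.0.113.10/32 dst-address=0.0.0.0/0 action=lookup table=Prov1
add src-address=198.51.100.10/32 dst-address=0.0.0.0/0 action=lookup table=Prov2
# Reported in the comments as needed for forwarded (DMZ) traffic: a LAN host's reply still
# carries its private source address when route rules are evaluated (src-nat happens later)
add src-address=192.168.1.0/24 dst-address=0.0.0.0/0 routing-mark=Prov1_r action=lookup-only-in-table table=Prov1
add src-address=192.168.1.0/24 dst-address=0.0.0.0/0 routing-mark=Prov2_r action=lookup-only-in-table table=Prov2

# Step 6: masquerade per outgoing WAN, plus the optional per-provider port forward (TCP 443 to the DMZ host)
/ip firewall nat
add chain=srcnat out-interface=ether1-Prov1 action=masquerade
add chain=srcnat out-interface=ether2-Prov2 action=masquerade
add chain=dstnat in-interface=ether1-Prov1 dst-address=203.0.113.10 protocol=tcp dst-port=443 action=dst-nat to-addresses=192.168.1.10
add chain=dstnat in-interface=ether2-Prov2 dst-address=198.51.100.10 protocol=tcp dst-port=443 action=dst-nat to-addresses=192.168.1.10

# Connection tracking must be on, otherwise the marks are never carried between packets
/ip firewall connection tracking set enabled=yes
```

To verify, connect to the forwarded service through the backup address and run `/ip firewall connection print where connection-mark=Prov2_c`; the connection must show up with that mark, and `/ip route rule print stats` should show hits on the Prov2 rules. As the first comment below found, a FastTrack rule in the filter forward chain lets established connections bypass mangle, so the marks are never applied and replies leave on the wrong link; disable it for this setup.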

 

 

(Figure: settings for connection tracking in Mikrotik)

It remains to write a script that switches the main route depending on the link state.

One version of the switching script is based on the following:

  1. There are 3 IP addresses per link, monitored by ping.
  2. Link availability is defined by the formula:
    MainIfInetOk = (($PingResult1 + $PingResult2 + $PingResult3) >= (2 * $PingCount))

    $PingCount = number of echo requests sent to each host. In other words, the link is OK if at least 2/3 of the requests to the monitoring hosts were answered.

  3. When the state changes, switch the Distance of the default routes accordingly.
  4. Do not forget to flush the existing NAT table and IPsec SAs (at the moment there is one reliable method: disable and re-enable the interface).

For the monitoring hosts to be pinged through the right interface (for the main link (Prov1) through the main interface, for the backup (Prov2) through the backup one), you must add separate routing rules for the monitoring hosts. If you have read this far, you already know how to do it.

Now your Mikrotik works on 2 WAN links at the same time, services behind NAT are reachable on both WAN links simultaneously, and the script switches user traffic to the backup link if the primary link fails. How to load-balance between the two WAN links on Mikrotik will be another story ...

Failover script:

#Main interface name
:global MainIf "ether1-Prov1"
#Reserve interface name
:global RsrvIf "ether2-Prov2"

#Echo requests per target; a link is OK if at least 2/3 of all replies come back
:local PingCount 3
#Targets checked through the main link
:local PingTarget1 8.8.8.8
:local PingTarget2 91.219.24.37
:local PingTarget3 213.59.5.110
#Targets checked through the reserve link
:local PingTarget1R 194.87.0.50
:local PingTarget2R 80.68.243.243
:local PingTarget3R 8.8.4.4

#Check main internet connection ([/ping ...] returns the number of replies received)
:local MainIfInetOk false
:local PingResult1 [/ping $PingTarget1 count=$PingCount interface=$MainIf]
:local PingResult2 [/ping $PingTarget2 count=$PingCount interface=$MainIf]
:local PingResult3 [/ping $PingTarget3 count=$PingCount interface=$MainIf]
:set MainIfInetOk (($PingResult1 + $PingResult2 + $PingResult3) >= (2 * $PingCount))

#Check reserve internet connection
:local RsrvIfInetOk false
:local PingResult1 [/ping $PingTarget1R count=$PingCount interface=$RsrvIf]
:local PingResult2 [/ping $PingTarget2R count=$PingCount interface=$RsrvIf]
:local PingResult3 [/ping $PingTarget3R count=$PingCount interface=$RsrvIf]
:set RsrvIfInetOk (($PingResult1 + $PingResult2 + $PingResult3) >= (2 * $PingCount))

:put "MainIfInetOk=$MainIfInetOk"
:put "RsrvIfInetOk=$RsrvIfInetOk"

:if (!$MainIfInetOk) do={
  /log error "Main internet connection error"
}

:if (!$RsrvIfInetOk) do={
  /log error "Reserve internet connection error"
}

#Current Distance of the two default routes (found by the comments set in step 1)
:local MainGWDistance [/ip route get [find comment="Prov1"] distance]
:local RsrvGWDistance [/ip route get [find comment="Prov2"] distance]
:put "MainGWDistance=$MainGWDistance"
:put "RsrvGWDistance=$RsrvGWDistance"

#Set up gateways: go back to the main link when it is up but not currently preferred
:if ($MainIfInetOk && ($MainGWDistance >= $RsrvGWDistance)) do={
  /ip route set [find comment="Prov1"] distance=1
  /ip route set [find comment="Prov2"] distance=2
  #Briefly disable the interface and connection tracking to flush NAT entries, then flush IPsec SAs
  /interface disable $RsrvIf
  /ip firewall connection tracking set enabled=no
  :delay 5s
  /ip firewall connection tracking set enabled=yes
  /ip ipsec installed-sa flush sa-type=all
  /log warning "Switch to main internet connection"
  /interface enable $RsrvIf
}

#Switch to the reserve link when the main one is down, the reserve is up and the main is still preferred
:if (!$MainIfInetOk && $RsrvIfInetOk && ($MainGWDistance <= $RsrvGWDistance)) do={
  /ip route set [find comment="Prov1"] distance=2
  /ip route set [find comment="Prov2"] distance=1
  /interface disable $MainIf
  /ip firewall connection tracking set enabled=no
  :delay 5s
  /ip firewall connection tracking set enabled=yes
  /ip ipsec installed-sa flush sa-type=all
  /log warning "Switch to reserve internet connection"
  /interface enable $MainIf
}



5 thoughts on "Mikrotik 2 wan failover"

  • Lumir Lindovsky

    I have an issue with this configuration or there is an error.
    Initial connections to VNC to the inside LAN through WAN2 are not working. In sniffer I can see that packets come IN on WAN2 and try to go out on WAN1 with IP of WAN2.
    ip prov1= my ip address on WAN1 right? Not the gateway IP of the provider right?
    And in your step 3 IP-Routes is that correct – mark it as Prov1? Not Prov1_r?

    • Lumir Lindovsky

      OK – this guide is great. My problem was that the default Firewall / Filter rule on chain FORWARD – FASTTRACK was enabled. After disabling this rule everything works great!

      • Lumir Lindovsky

        Also so that DMZ works I had to add IP route / rules:
        Src. Address: [INTERNAL LAN / 24] (e.g. 192.168.1.0/24)
        Dst. Address: 0.0.0.0/0
        Routing Mark: Prov1_r
        Action: lookup only in table
        Table: Prov1

        Src. Address: [INTERNAL LAN / 24]
        Dst. Address: 0.0.0.0/0
        Routing Mark: Prov2_r
        Action: lookup only in table
        Table: Prov2