FalconWiFi
just joined
Topic Author
Posts: 13
Joined: Sun Nov 22, 2020 1:49 am

Problem with Failover

Tue Oct 03, 2023 7:10 pm

Hello!
I'm having a bit of trouble configuring a WAN failover in Mikrotik. I've done it a lot of times with no problems, but this time is different.
WAN 1 is 1G fiber.
WAN 2 is LTE.
The problem is that the ISP router on WAN 1 replies to pings with net unreachable (this is the difference vs. the other times I've done this; normally the ISP router simply doesn't reply when there's no internet connection), so the route detects the reply and keeps the route active even when it is not the host (1.1.1.1) that is responding but the router.
What can I do?
(Sorry for my English)

This is the config. Firewall & LAN config not included because not needed for this.
/ip dhcp-client
# This one gets 192.168.1.0/24
add add-default-route=no disabled=no interface=ether1-WAN1 use-peer-dns=no \
    use-peer-ntp=no
# This one gets 192.168.2.0/24
add add-default-route=no disabled=no interface=ether5-WAN2 use-peer-dns=no \
    use-peer-ntp=no
/ip route
add dst-address=0.0.0.0/0 distance=1 gateway=1.1.1.1
add dst-address=0.0.0.0/0 distance=2 gateway=9.9.9.9
add check-gateway=ping distance=1 dst-address=1.1.1.1/32 gateway=192.168.1.1 \
    scope=10
add check-gateway=ping distance=1 dst-address=9.9.9.9/32 gateway=192.168.2.1 \
    scope=10
 
raphaps
just joined
Posts: 23
Joined: Fri Feb 03, 2023 12:29 am
Location: Brasil

Re: Problem with Failover

Tue Oct 03, 2023 7:58 pm

If you are using RouterOS7, the target scope must be greater than the resolved route, so it would look like this:
/ip/route
add comment="Check WAN01" dst-address=1.1.1.1/32 gateway=192.168.1.1 scope=10 target-scope=10
add comment="Check WAN02" dst-address=9.9.9.9/32 gateway=192.168.2.1 scope=10 target-scope=10

/ip/route
add check-gateway=ping comment="WAN 01" distance=1 gateway=1.1.1.1 scope=30 target-scope=11
add check-gateway=ping comment="WAN 02" distance=2 gateway=9.9.9.9 scope=30 target-scope=11
You can also do a double check, as in the example below:
/ip/route
add comment="Check WAN01" dst-address=1.1.1.1/32 gateway=192.168.1.1 scope=10 target-scope=10
add comment="Check WAN01" dst-address=8.8.4.4/32 gateway=192.168.1.1 scope=10 target-scope=10
add comment="Check WAN02" dst-address=9.9.9.9/32 gateway=192.168.2.1 scope=10 target-scope=10
add comment="Check WAN02" dst-address=94.140.14.140/32 gateway=192.168.2.1 scope=10 target-scope=10

/ip/route
add check-gateway=ping comment="WAN 01" distance=1 gateway=1.1.1.1 scope=30 target-scope=11
add check-gateway=ping comment="WAN 01" distance=2 gateway=8.8.4.4 scope=30 target-scope=11
add check-gateway=ping comment="WAN 02" distance=3 gateway=9.9.9.9 scope=30 target-scope=11
add check-gateway=ping comment="WAN 02" distance=4 gateway=94.140.14.140 scope=30 target-scope=11
Unless you use it for some marking, checking the second link would not be necessary, you would simply add a route with distance 03.
/ip/route
add comment="WAN 02" distance=3 gateway=192.168.2.1 scope=30 target-scope=10
 
FalconWiFi
just joined
Topic Author
Posts: 13
Joined: Sun Nov 22, 2020 1:49 am

Re: Problem with Failover

Tue Oct 03, 2023 11:00 pm

I think that's not my issue.

The problem here is that the ISP1 router replies with "net unreachable (when there's no connection)" when you ping any host outside the ISP router's LAN. Mikrotik detects the host (1.1.1.1 in this case) as up and reachable because it's receiving an ICMP reply. Earlier firmware versions of this same ISP router do not reply when there's no connection, so the route checking works and detects this connection as down.

I'm sorry if I'm not explaining very well. English is not my best.
 
bpwl
Forum Guru
Posts: 3094
Joined: Mon Apr 08, 2019 1:16 am

Re: Problem with Failover

Tue Oct 03, 2023 11:43 pm

It is expected that the ISP router replies to a PING (ICMP). The content of the reply could be "unreachable". The Mikrotik understands this answer, and flags the tested host as down (the pinged host as unreachable).

This is not what we want to test with a check-gateway. The check-gateway checks the gateway, not the destination.

The check-gateways should (also) be on the gateways 1.1.1.1 and 9.9.9.9, and that's missing in your initial config. You only check the local gateways 192.168.1.1 and 192.168.2.1. This will not see any problems behind those local gateways!

@raphaps config is better. It checks gateways 1.1.1.1 and 9.9.9.9. The local router check is not so important, we stop using those local routers when 1.1.1.1 or 9.9.9.9 is not responding.
 
raphaps
just joined
Posts: 23
Joined: Fri Feb 03, 2023 12:29 am
Location: Brasil

Re: Problem with Failover

Wed Oct 04, 2023 12:14 am

When you say there is no connection, are you referring to ISP1 being down or you unplugging the cable? For me, the operation in both version 6 and version 7 of RouterOS is the same; I tested it here and it appears to be the same. If your ISP1 is down in the sense of unplugging the cable from the interface, removing the address from the interface, or the ISP1 modem shutting off, 1.1.1.1 will still be reachable through the next configured route. This would happen even if you weren't using recursive routing. In the case where everything is connected, but there is no internet on ISP1, then indeed 1.1.1.1 will be unreachable. Remember that the main function of recursive routing is this: the route checks for a next hop that is not directly connected to the local router.

What @bpwl mentioned is also important. You are performing the check-gateway ping in the wrong place; it is being done for the addresses 1.1.1.1 and 9.9.9.9 when it should be done in the default route settings.

If you want to perform a test, you can block the address 1.1.1.1 and see if the WAN2 route becomes the primary one.

/ip firewall filter
add action=drop chain=output dst-address=1.1.1.1 out-interface=ISP1

Replace "ISP1" with the name of your interface.
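
Added example (not part of any post in this thread, and not RouterOS code): a small Python model of the point made in the replies, that the ping check has to test the remote hosts 1.1.1.1 and 9.9.9.9 rather than the local ISP routers. It assumes, as bpwl describes, that only an echo reply counts as alive; the dictionaries and function names are constructed for illustration.

```python
# Constructed model, not RouterOS code. Assumption (per bpwl's reply): a
# check-gateway=ping probe passes only on an ICMP echo reply from the probed
# address; an ICMP "net unreachable" error or silence counts as a failure.
ECHO_REPLY, NET_UNREACHABLE, TIMEOUT = "echo-reply", "net-unreachable", "timeout"

# Constructed scenario from the first post: WAN1's ISP router is powered on
# but has lost its upstream, and answers with "net unreachable".
WANS = {
    "WAN1": {"local_gw": "192.168.1.1", "router_up": True,
             "upstream_up": False, "sends_unreachable": True},
    "WAN2": {"local_gw": "192.168.2.1", "router_up": True,
             "upstream_up": True, "sends_unreachable": False},
}

# "probe" is the address the ping check ends up testing for each default route.
ORIGINAL = [  # check-gateway on the /32 routes: tests the local ISP routers
    {"name": "WAN1", "distance": 1, "probe": "192.168.1.1"},
    {"name": "WAN2", "distance": 2, "probe": "192.168.2.1"},
]
FIXED = [     # check-gateway on the default routes: tests the remote hosts
    {"name": "WAN1", "distance": 1, "probe": "1.1.1.1"},
    {"name": "WAN2", "distance": 2, "probe": "9.9.9.9"},
]

def probe(target, wan):
    """Return what comes back when `target` is pinged through `wan`."""
    if not wan["router_up"]:
        return TIMEOUT
    if target == wan["local_gw"] or wan["upstream_up"]:
        return ECHO_REPLY
    return NET_UNREACHABLE if wan["sends_unreachable"] else TIMEOUT

def active_default(routes, wans):
    """Name of the lowest-distance default route whose probe passes, or None."""
    for route in sorted(routes, key=lambda r: r["distance"]):
        if probe(route["probe"], wans[route["name"]]) == ECHO_REPLY:
            return route["name"]
    return None

if __name__ == "__main__":
    print("original config ->", active_default(ORIGINAL, WANS))
    print("fixed config    ->", active_default(FIXED, WANS))
```

In this model the original layout stays on WAN1 because the local ISP router keeps answering, while the corrected layout moves to WAN2 whether the ISP router sends "net unreachable" or stays silent.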
