I have a mtik routerboard which is my firewall. Port 1 goes out my cable modem. And port 2 is my internal network. I want to add a backup route, which will allow traffic to flow out port 3 (instead of port 1). I'm wondering if there is a BEST way to do this. I can write a simple script to monitor the cable modem and take actions, but how should I setup the ports? I see these options:
1. Bridge ports 1+3, and then enable/disable either port to cause traffic to flow out the other
2. Keep ports 1+3 separate. Use the failover script to change firewall rules to change traffic flow
3. Other?
Can someone explain conceptually which way is best and why?
Re: Best way to setup backup route
Not sure what you mean.
Data flow is two way.
If you mean can you have a dual WAN setup.
Two modems, lets say cable from rogers, and fibre from bell, the answer is yes.
Typically one uses the etherport for the WAN client, 3 common options.
1. pppoe setup
2. Dynamic public IP
3. Static public or private IP.
In the case of pppoe setup, generally one does not IP DHCP client to identify the wan connection, nor IP address.
In the case of dynamic public IP (typical cable), one use IP DHCP client. Some connections come in on a vlan, so we identify the vlan to the port, and in IP DCHP client state the vlan is the interface.
In the case of a static WANIp one can usuallly ignore the IP DHCP client (aka disabled) and use IP address alone with interface being the port,
The bridge is most typically used to identify a single subnet that will be used on the remaining ports and the bridge handles dhcp of private IPs to the users on all ports.
If multiple subnets are required its best to use all vlans and vlan filtering and the bridge does not dhcp.
In terms of two wans, there are two main approaches.
Failover is a useful term for two independent sources, so users access one WAN and if it fails get moved over to the other WAN.
Load balancing refers to an attempt to use both wans equally so the entire bandwidth of two connections is available to all users.
Data flow is two way.
If you mean can you have a dual WAN setup.
Two modems, lets say cable from rogers, and fibre from bell, the answer is yes.
Typically one uses the etherport for the WAN client, 3 common options.
1. pppoe setup
2. Dynamic public IP
3. Static public or private IP.
In the case of pppoe setup, generally one does not IP DHCP client to identify the wan connection, nor IP address.
In the case of dynamic public IP (typical cable), one use IP DHCP client. Some connections come in on a vlan, so we identify the vlan to the port, and in IP DCHP client state the vlan is the interface.
In the case of a static WANIp one can usuallly ignore the IP DHCP client (aka disabled) and use IP address alone with interface being the port,
The bridge is most typically used to identify a single subnet that will be used on the remaining ports and the bridge handles dhcp of private IPs to the users on all ports.
If multiple subnets are required its best to use all vlans and vlan filtering and the bridge does not dhcp.
In terms of two wans, there are two main approaches.
Failover is a useful term for two independent sources, so users access one WAN and if it fails get moved over to the other WAN.
Load balancing refers to an attempt to use both wans equally so the entire bandwidth of two connections is available to all users.
Re: Best way to setup backup route
Ok I will try to provide more clear information.
The firewall port 1 is connected to my cablemodem. The cablemodem is in bridge mode, meaning that my firewall gets a public IP assigned from the cable company. (No PPoe). I want to connect port 3 to a different WAN service (let's say its public wifi, where my firewall will be assigned a private IP address).
So I want traffic to flow between LAN and WAN over either port 1, or port 3 (never both). I need to configure the firewall to route this traffic was failover has been detected (using a simple monitor), but I'm not sure the best way to deal with the traffic flow.
I guess I can't bridge ports 1+3 since they would each get different IP addresses. But I also don't want to have to rewrite a bunch of firewall rules by script in the event of failover.
The firewall port 1 is connected to my cablemodem. The cablemodem is in bridge mode, meaning that my firewall gets a public IP assigned from the cable company. (No PPoe). I want to connect port 3 to a different WAN service (let's say its public wifi, where my firewall will be assigned a private IP address).
So I want traffic to flow between LAN and WAN over either port 1, or port 3 (never both). I need to configure the firewall to route this traffic was failover has been detected (using a simple monitor), but I'm not sure the best way to deal with the traffic flow.
I guess I can't bridge ports 1+3 since they would each get different IP addresses. But I also don't want to have to rewrite a bunch of firewall rules by script in the event of failover.
Re: Best way to setup backup route
All is possible.
You can
a. have all traffic go over ether1, and when that fails switch to ether3
b. load balance traffic between the two connections
c. have some users or subnets go out ether1 and some users or subnets go out ether3
For basic failover ( primary and backup )
/ip route
add check-gateway=ping distance=2 dst-address=0.0.0.0/0 gateway=1.0.0.1 scope=10 target-scope=12 comment="primary ether1"
add distance=4 dst-address=0.0.0.0/0 gateway=9.9.9.9 scope=10 target-scope=12 comment="secondary ether3"
add distance=2 dst-address=1.0.0.1/32 gateway=PrimaryISP-gatewayIP scope=10 target-scope=11
add distance=4 dst-address=9.9.9.9/32 gateway=SecondaryISP-gatewayIP scope=10 target-scope=11
basically one uses distance to differentiate the primary and backup routes.
we use checkgateway ping, which occurs every 10 secs the status of the router, if after two consecutive fails, the router declares the route not active and switches to the next route on the main table. It keeps checking for primary route availability and when back on line switches traffic back to primary.
The reason to use recursive routing ( why we seem to have two routes for one WAN, is basically due to the fact that its very possible to have a good connection to the ISP ( your house to ISP server ) but in fact the ISP is failing to connect to the internet. The above method ensures that connectivity is checked not to the ISP server but to a public IP address on the WWW.
You can
a. have all traffic go over ether1, and when that fails switch to ether3
b. load balance traffic between the two connections
c. have some users or subnets go out ether1 and some users or subnets go out ether3
For basic failover ( primary and backup )
/ip route
add check-gateway=ping distance=2 dst-address=0.0.0.0/0 gateway=1.0.0.1 scope=10 target-scope=12 comment="primary ether1"
add distance=4 dst-address=0.0.0.0/0 gateway=9.9.9.9 scope=10 target-scope=12 comment="secondary ether3"
add distance=2 dst-address=1.0.0.1/32 gateway=PrimaryISP-gatewayIP scope=10 target-scope=11
add distance=4 dst-address=9.9.9.9/32 gateway=SecondaryISP-gatewayIP scope=10 target-scope=11
basically one uses distance to differentiate the primary and backup routes.
we use checkgateway ping, which occurs every 10 secs the status of the router, if after two consecutive fails, the router declares the route not active and switches to the next route on the main table. It keeps checking for primary route availability and when back on line switches traffic back to primary.
The reason to use recursive routing ( why we seem to have two routes for one WAN, is basically due to the fact that its very possible to have a good connection to the ISP ( your house to ISP server ) but in fact the ISP is failing to connect to the internet. The above method ensures that connectivity is checked not to the ISP server but to a public IP address on the WWW.
Re: Best way to setup backup route
Ok some cool ideas! I didn't realize there was a "CHECK GATEWAY" option on each route, and didn't really understand how the distance was used.
I found and read the wiki "failover wan backup" https://help.mikrotik.com/docs/spaces/R ... WAN+Backup and I think I understand now what you are doing. The scope/target-scope is still a bit fuzzy, but I get it well enough to try it.
But a few things aren't clear.
I found and read the wiki "failover wan backup" https://help.mikrotik.com/docs/spaces/R ... WAN+Backup and I think I understand now what you are doing. The scope/target-scope is still a bit fuzzy, but I get it well enough to try it.
But a few things aren't clear.
- On the wiki they add a SRCNAT rule for both interfaces. I'm guessing you are doing that too?
- Because I setup all my forwarding firewall rules to be port specific (eg: rule applies if going out ether1). How do you handle that? Is there a way to make the rules to refer to a group of ports (so it will automatically apply to port 1 and port 3)? Or do I have to duplicate a bunch of rules?
- Since I use DHCP on both external interfaces, the routing rules are dynamically created. Will any changes I make to these rules by wiped out on next DHCP refresh or change?
Re: Best way to setup backup route
You can source nat both WANS or use Sourcenat on WAN interface list.
No mention of port forwarding before>>>
This is what I call scope creep. I am not interested in chasing. If you have a network plan, then provide a network diagram.
then list the requirements.
a. identify all the users/devices including the admin that will need some sort of traffic flow ( originating traffic --> external incoming and internal to internal and internal to external )
b. Identify their specific traffic needs.
Then you can start to plan a config.
To ensure external users are using specific WANs for port forwarding means you are getting into intermediate programming ( mangling etc.) and will require more knowledge on your part.
Are you up to the task?
No mention of port forwarding before>>>
This is what I call scope creep. I am not interested in chasing. If you have a network plan, then provide a network diagram.
then list the requirements.
a. identify all the users/devices including the admin that will need some sort of traffic flow ( originating traffic --> external incoming and internal to internal and internal to external )
b. Identify their specific traffic needs.
Then you can start to plan a config.
To ensure external users are using specific WANs for port forwarding means you are getting into intermediate programming ( mangling etc.) and will require more knowledge on your part.
Are you up to the task?
Re: Best way to setup backup route
You can use interface-list= instead of the single port interface= in the firewall rules (which is the usual way in default Mikrotik firewall filter settings, interfaces are usually pre-configured in two such lists, WAN and LAN)
- Because I setup all my forwarding firewall rules to be port specific (eg: rule applies if going out ether1). How do you handle that? Is there a way to make the rules to refer to a group of ports (so it will automatically apply to port 1 and port 3)? Or do I have to duplicate a bunch of rules?
- Since I use DHCP on both external interfaces, the routing rules are dynamically created. Will any changes I make to these rules by wiped out on next DHCP refresh or change?
Are you sure you are talking of routing rules (as in Policy Routing: https://help.mikrotik.com/docs/spaces/R ... cy+Routing ) and not about routes (in routing table(s))?
A simple(r) failover approach, JFYI:
viewtopic.php?t=198999
further simplified here:
viewtopic.php?t=198999#p1102129
Re: Best way to setup backup route
I didn't mean to piss you off, I didn't realize port forwarding impacts the routing solution....still learning...
I can split that into a separate question. I don't understand the connection...could you explain how that affects the solution you already provided?
I can split that into a separate question. I don't understand the connection...could you explain how that affects the solution you already provided?
Re: Best way to setup backup route
haha, not pissed, I just speak plainly/factually 
You will know for sure if displeased.
Consider the config is like the human body, you cannot talk about muscles without discussing nerves that actually trigger muscle movement, you cannot talk about muscles without talking about their food supply oxygenated blood. So, similarly a config cannot be considered separately but it is an interaction of moving parts.
Start by watching youtube videos for beginners..... from a few folks ( many are crap or too advanced at the moment) , will add the main ones here later.
https://www.youtube.com/@TheNetworkBerg ( look at all the playlists and videos, this is a good one to start with )
https://www.youtube.com/watch?v=rwjtRLQ ... 25&t=2143s
https://www.youtube.com/playlist?list=P ... 2kkUgO_0_y ( look for videos that say FOR BEGINNERS )
https://www.youtube.com/watch?v=Aok7lM3 ... CEq7KbX2Oe
You will know for sure if displeased.
Consider the config is like the human body, you cannot talk about muscles without discussing nerves that actually trigger muscle movement, you cannot talk about muscles without talking about their food supply oxygenated blood. So, similarly a config cannot be considered separately but it is an interaction of moving parts.
Start by watching youtube videos for beginners..... from a few folks ( many are crap or too advanced at the moment) , will add the main ones here later.
https://www.youtube.com/@TheNetworkBerg ( look at all the playlists and videos, this is a good one to start with )
https://www.youtube.com/watch?v=rwjtRLQ ... 25&t=2143s
https://www.youtube.com/playlist?list=P ... 2kkUgO_0_y ( look for videos that say FOR BEGINNERS )
https://www.youtube.com/watch?v=Aok7lM3 ... CEq7KbX2Oe
Re: Best way to setup backup route
I watched a bunch of these. I think I knew MOST of this...but for sure some holes in my basic knowledge.
I actually have a routerboard that I setup as my main firewal! So I would say that I've got a handle on the basics. I've setup static routes too.
But never recursive routes, never set distance / scope / target scope / etc. I think I've ready to return my firewall to saved backup and start again.
And in case I wasn't clear, i meant FIREWALL RULES....not ROUTER RULES (I'm not even sure what those are).. I know iptables under linux...so that is what i configured.
I actually have a routerboard that I setup as my main firewal! So I would say that I've got a handle on the basics. I've setup static routes too.
But never recursive routes, never set distance / scope / target scope / etc. I think I've ready to return my firewall to saved backup and start again.
And in case I wasn't clear, i meant FIREWALL RULES....not ROUTER RULES (I'm not even sure what those are).. I know iptables under linux...so that is what i configured.
Re: Best way to setup backup route
Yep, sometimes the terminology can be confusing.
Routes are just routes (and the go in /ip route).
Routing rules are a mechanism for policy routing (that go in /routing rules) that allow to "filter" and modify some particular connections, you can think of them as similar to mangle rules (that go in /ip firewall mangle).
Firewall rules are more properly firewall filter rules (and they go in /ip firewall filter).
And then there are nat rules (that go in /ip firewall nat).
It is easy to confuse them.
Routes are just routes (and the go in /ip route).
Routing rules are a mechanism for policy routing (that go in /routing rules) that allow to "filter" and modify some particular connections, you can think of them as similar to mangle rules (that go in /ip firewall mangle).
Firewall rules are more properly firewall filter rules (and they go in /ip firewall filter).
And then there are nat rules (that go in /ip firewall nat).
It is easy to confuse them.