Best method to load balance 2 internet line?

bootchi · Thu Apr 29, 2010 12:48 am

hi all i asked for the best method to loadbalance two internet line each one is 4 M
1- pcc or
2-nth
i have mk ver 3.30
please help me to choose the better way

fewi · Thu Apr 29, 2010 1:25 am

PCC is better.

bootchi · Thu Apr 29, 2010 6:55 am

thanks for you
what a bout NTH
I want to know the advantages of each method

Chupaka · Thu Apr 29, 2010 2:29 pm

PCC can behave like Nth, and can do balancing in smarter way (depending on classifier)
PCC don't waste connection-mark, so you can use it for other purposes

does anybody knows advantages of Nth? except it works on v3.20

Ibersystems · Thu Apr 29, 2010 4:22 pm

Hi Chupaka! My problem with PCC is that I need a script to watchdog my ADSL lines, and if one line have problems reconfigure the PCC to avoid problems with the connections.
Do you have something made to solve this?

thanks!

Chupaka · Thu Apr 29, 2010 4:25 pm

AFAIR, there were such script posted about a month ago or something...

void · Thu Apr 29, 2010 4:35 pm

Just mark your connections using PCC and then put a routing mark on them.
Then add default backup routes for all the different routing marks with a higher distance over the other DSL lines.

If there are troubles with your DSL just disable your PPPOE client (or interface) and PCC will work over the other lines.

Ibersystems · Thu Apr 29, 2010 4:44 pm

Just mark your connections using PCC and then put a routing mark on them.
Then add default backup routes for all the different routing marks with a higher distance over the other DSL lines.

If there are troubles with your DSL just disable your PPPOE client (or interface) and PCC will work over the other lines.

This don't work, becaume my adsl routers will be connected with my routeros and this conection will work, but not my pppoe in router.

void · Thu Apr 29, 2010 4:51 pm

This don't work, becaume my adsl routers will be connected with my routeros and this conection will work, but not my pppoe in router.

So how do you decide your ADSL connection has problems ? You want to ping something or ... ?

Ibersystems · Thu Apr 29, 2010 5:02 pm

http://forum.mikrotik.com/viewtopic.php ... pcc+script

this is a post with the script, but I think this is using pppoe in the routeros. My networks use other routers that make the pppoe connections.

thanks,

Ibersystems · Thu Apr 29, 2010 5:04 pm

This don't work, becaume my adsl routers will be connected with my routeros and this conection will work, but not my pppoe in router.
So how do you decide your ADSL connection has problems ? You want to ping something or ... ?

Void,

I decide if my adsl works if my pings works across this "ADSL1" line. You can test it with a ping using out-interface for this ping ADSL1 or ADSL2, etc..

Ibersystems · Thu Apr 29, 2010 5:09 pm

I used this BIG script for NTH months ago.. to make this, but is not inmediatly. You have to run every 5 minutes or so, and you could have your system this time working bad. This is for 2 lines, for 4 lines you need 16 scripts to work like this.. SORRY FOR THE \n and \r but I copy paste my rsc.

/system script
add name=TESTADSLSCRIPT policy=\
    ftp,reboot,read,write,policy,test,winbox,password,sniff source="#SCRIPT MI\
    RAR ESTADO ADSLs#\r\
    \n\r\
    \n#set variables\r\
    \n:local pingcount 3\r\
    \n:local ipA 192.168.7.2\r\
    \n#ADSL1\r\
    \n:local GatewayA 192.168.7.1\r\
    \n:local ipB 192.168.8.2\r\
    \n#ADSL2\r\
    \n:local GatewayB 192.168.8.1\r\
    \n:local website www.google.com\r\
    \n\r\
    \n\r\
    \n#ping gateways with src\r\
    \n:local pingresultA [/ping \$website src-address=\$ipA count=\$pingcount]\
    \r\
    \n:local pingresultB [/ping \$website src-address=\$ipB count=\$pingcount]\
    \r\
    \n\r\
    \n\r\
    \n:if ((\$pingresultA=0) && (\$pingresultB>0)) do={ /system script run ADS\
    L1FALLA; :log warning \" Falla ADSL1\" }\r\
    \n\r\
    \n:if ((\$pingresultA>0) && (\$pingresultB=0)) do={ /system script run ADS\
    L2FALLA; :log warning \" Falla ADSL2\" }\r\
    \n\r\
    \n:if ((\$pingresultA=0) && (\$pingresultB=0)) do={ /system script run FAL\
    LANTODASADSL; :log warning \" Fallan todas las ADSL\" }\r\
    \n\r\
    \n:if ((\$pingresultA>0) && (\$pingresultB>0)) do={ /system script run FUN\
    CIONANTODASADSL; :log info \" Funcionan todas las ADSL\" }\r\
    \n"
add name=FUNCIONANTODASADSL policy=\
    ftp,reboot,read,write,policy,test,winbox,password,sniff source="#SCRIPT SI\
    LAS DOS FUNCIONAN BIEN#\r\
    \n:local GatewayA 192.168.7.1\r\
    \n:local GatewayB 192.168.8.1\r\
    \n/ip firewall mangle set [find comment=\"ADSL1 CONN\"] disabled=no;\r\
    \n/ip firewall mangle set [find comment=\"ADSL2 CONN\"] disabled=no;\r\
    \n/ip firewall mangle set [find comment=\"Marca la ruta como ADSL1GW\"] di\
    sabled=no;\r\
    \n/ip firewall mangle set [find comment=\"Marca la ruta como ADSL2GW\"] di\
    sabled=no;\r\
    \n/ip firewall mangle set [find comment=\"Conexiones del router de la red1\
    \"] disabled=no;\r\
    \n/ip firewall mangle set [find comment=\"Paquetes del router de la red1\"\
    ] disabled=no;\r\
    \n/ip firewall mangle set [find comment=\"Conexiones del router de la red2\
    \"] disabled=no;\r\
    \n/ip firewall mangle set [find comment=\"Paquetes del router de la red2\"\
    ] disabled=no;\r\
    \n/ip route set [find comment=\"TRAFICO DEL ROUTER Y TRAFICO SIN MARCAR1\"\
    ] gateway=\$GatewayB;\r\
    \n/ip route set [find comment=\"TRAFICO DEL ROUTER Y TRAFICO SIN MARCAR2\"\
    ] gateway=\$GatewayA;\r\
    \n:log info \"Se ha ejecutado el script de 2 ADSL ok\";\r\
    \n"
add name=FALLANTODASADSL policy=\
    ftp,reboot,read,write,policy,test,winbox,password,sniff source="#SCRIPT SI\
    LAS DOS ADSL FALLAN#\r\
    \n:local GatewayA 192.168.7.1\r\
    \n:local GatewayB 192.168.8.1\r\
    \n/ip firewall mangle set [find comment=\"ADSL1 CONN\"] disabled=yes;\r\
    \n/ip firewall mangle set [find comment=\"ADSL2 CONN\"] disabled=yes;\r\
    \n/ip firewall mangle set [find comment=\"Marca la ruta como ADSL1GW\"] di\
    sabled=yes;\r\
    \n/ip firewall mangle set [find comment=\"Marca la ruta como ADSL2GW\"] di\
    sabled=yes;\r\
    \n#/ip firewall mangle set [find comment=\"Conexiones del router de la red\
    1\"] disabled=yes;\r\
    \n#/ip firewall mangle set [find comment=\"Paquetes del router de la red1\
    \"] disabled=yes;\r\
    \n#/ip firewall mangle set [find comment=\"Conexiones del router de la red\
    2\"] disabled=yes;\r\
    \n#/ip firewall mangle set [find comment=\"Paquetes del router de la red2\
    \"] disabled=yes;\r\
    \n#/ip route set [find comment=\"TRAFICO DEL ROUTER Y TRAFICO SIN MARCAR1\
    \"] gateway=\$GatewayB;\r\
    \n#/ip route set [find comment=\"TRAFICO DEL ROUTER Y TRAFICO SIN MARCAR2\
    \"] gateway=\$GatewayB;\r\
    \n:log info \"Se ha ejecutado el script de ADSLs FALLAN\";\r\
    \n/system script run ERROR;"
add name=ADSL1FALLA policy=\
    ftp,reboot,read,write,policy,test,winbox,password,sniff source="#SCRIPT SI\
    ADSL1 FALLA#\r\
    \n:local GatewayA 192.168.7.1\r\
    \n:local GatewayB 192.168.8.1\r\
    \n/ip firewall mangle set [find comment=\"ADSL1 CONN\"] disabled=yes;\r\
    \n/ip firewall mangle set [find comment=\"ADSL2 CONN\"] disabled=yes;\r\
    \n/ip firewall mangle set [find comment=\"Marca la ruta como ADSL1GW\"] di\
    sabled=yes;\r\
    \n/ip firewall mangle set [find comment=\"Marca la ruta como ADSL2GW\"] di\
    sabled=yes;\r\
    \n#/ip firewall mangle set [find comment=\"Conexiones del router de la red\
    1\"] disabled=yes;\r\
    \n#/ip firewall mangle set [find comment=\"Paquetes del router de la red1\
    \"] disabled=yes;\r\
    \n#/ip firewall mangle set [find comment=\"Conexiones del router de la red\
    2\"] disabled=yes;\r\
    \n#/ip firewall mangle set [find comment=\"Paquetes del router de la red2\
    \"] disabled=yes;\r\
    \n/ip route set [find comment=\"TRAFICO DEL ROUTER Y TRAFICO SIN MARCAR1\"\
    ] gateway=\$GatewayB;\r\
    \n/ip route set [find comment=\"TRAFICO DEL ROUTER Y TRAFICO SIN MARCAR2\"\
    ] gateway=\$GatewayA;\r\
    \n:log info \"Se ha ejecutado el script de ADSL1 FALLA\";\r\
    \n/system script run ERROR;"
add name=ADSL2FALLA policy=\
    ftp,reboot,read,write,policy,test,winbox,password,sniff source="#SCRIPT SI\
    ADSL2 FALLA#\r\
    \n:local GatewayA 192.168.7.1\r\
    \n:local GatewayB 192.168.8.1\r\
    \n/ip firewall mangle set [find comment=\"ADSL1 CONN\"] disabled=yes;\r\
    \n/ip firewall mangle set [find comment=\"ADSL2 CONN\"] disabled=yes;\r\
    \n/ip firewall mangle set [find comment=\"Marca la ruta como ADSL1GW\"] di\
    sabled=yes;\r\
    \n/ip firewall mangle set [find comment=\"Marca la ruta como ADSL2GW\"] di\
    sabled=yes;\r\
    \n#/ip firewall mangle set [find comment=\"Conexiones del router de la red\
    1\"] disabled=yes;\r\
    \n#/ip firewall mangle set [find comment=\"Paquetes del router de la red1\
    \"] disabled=yes;\r\
    \n#/ip firewall mangle set [find comment=\"Conexiones del router de la red\
    2\"] disabled=yes;\r\
    \n#/ip firewall mangle set [find comment=\"Paquetes del router de la red2\
    \"] disabled=yes;\r\
    \n/ip route set [find comment=\"TRAFICO DEL ROUTER Y TRAFICO SIN MARCAR1\"\
    ] gateway=\$GatewayA;\r\
    \n/ip route set [find comment=\"TRAFICO DEL ROUTER Y TRAFICO SIN MARCAR2\"\
    ] gateway=\$GatewayB;\r\
    \n:log info \"Se ha ejecutado el script de ADSL2 FALLA\";\r\
    \n/system script run ERROR;"

Chupaka · Thu Apr 29, 2010 5:57 pm

Martin, on PL MUM, Valens said something about 'scope' and 'target-scope' for checking remote addresses... maybe one should ask him for details? =)

Ibersystems · Thu Apr 29, 2010 6:36 pm

yes,

I talked with Valens and I did tests here in the office, but I didn't arrive to nothing.

What mxena said is that I can ping to google and microsoft (or whatever "always" will work) and mark this ping destinations with a routing mark.. and then, as this pings always should use the same ADSL route.. in my case ADSL1 or ADSL2, then I can use the watchdog to enable or disable rules for PCC with up and down scripts. Do you understand what I try to do?

Chupaka · Sat May 01, 2010 11:07 pm

huhuh! real-life testing required, but in the lab all seems fine...

let's suppose we have 192.168.1.1 as a modem1 address, 192.168.2.1 as a modem2 address. 1.1.1.1 and 2.2.2.2 are fake addresses - they don't exists nowhere, are used only for recursive routing building

we'll check using 213.180.204.3 and 93.158.134.3 (those are ya.ru website)

/ip route
add dst-address=213.180.204.3/32 gateway=192.168.1.1 scope=10 target-scope=10
add dst-address=93.158.134.3/32 gateway=192.168.2.1 scope=10 target-scope=10
add dst-address=1.1.1.1/32 gateway=213.180.204.3 scope=30 target-scope=10 check-gateway=ping
add dst-address=2.2.2.2/32 gateway=93.158.134.3 scope=30 target-scope=10 check-gateway=ping
add gateway=1.1.1.1 routing-mark=ISP1 scope=30 target-scope=30
add gateway=2.2.2.2 routing-mark=ISP2 scope=30 target-scope=30
add distance=10 gateway=2.2.2.2 routing-mark=ISP1 scope=30 target-scope=30
add distance=10 gateway=1.1.1.1 routing-mark=ISP2 scope=30 target-scope=30

now, if both 213.180.204.3 (via 192.168.1.1) and 93.158.134.3 (via 192.168.2.1) are reachable, 'ISP1' routing table uses 192.168.1.1, 'ISP2' uses 192.168.2.1 as default gateway. if one of 213.180.204.3/93.158.134.3 stops responding to ping, all traffic is routed to another modem

comments are welcome =)

Ibersystems · Sat May 01, 2010 11:55 pm

I'll try in ten days, when I return to the office.

Thanks!!!

Chupaka · Sun May 02, 2010 3:04 am

oops, I don't exactly remember where I have got this fake addresses in my investigations, but actually they are not needed - it's maybe just more beautiful (and easy-to-change) to use them ))) below is 'lite' version

/ip route
add dst-address=213.180.204.3/32 gateway=192.168.1.1 scope=10 target-scope=10
add dst-address=93.158.134.3/32 gateway=192.168.2.1 scope=10 target-scope=10
add gateway=213.180.204.3 routing-mark=ISP1 scope=30 target-scope=30 check-gateway=ping
add gateway=93.158.134.3 routing-mark=ISP2 scope=30 target-scope=30 check-gateway=ping
add distance=10 gateway=93.158.134.3 routing-mark=ISP1 scope=30 target-scope=30 check-gateway=ping
add distance=10 gateway=213.180.204.3 routing-mark=ISP2 scope=30 target-scope=30 check-gateway=ping

Ibersystems · Thu May 13, 2010 11:09 am

Mmm. This is working fine with google and microsoft ips.. but:

My router is now making ping to google and microsoft.. 24x7.. what can they do if they look this extrange infinite ping?
We can make a script to change the IPs every 24 hours but I don't know if it's necessary.

How many pings make the check gateway option in a minute? it's possible to set how many seconds between pings?

Thanks,

Chupaka · Thu May 13, 2010 12:31 pm

just relax - the best half of the world pings those servers twenty four hours a day, they won't notice you =)

also, you may use some nearer sites: some of your ISP devices, for example...

Ibersystems · Thu May 13, 2010 12:38 pm

aaaaaaaargh, I have to give you a Karma. Catching you will be very difficult.. xD

thanks, this works very well for 3 hours, we will try it all this week.

mag · Thu May 13, 2010 12:40 pm

sorry it's years ago i used that stuff... but why not pinging the PPPoE-clients public IP-address? If the corresponding ADSL-line disconnects, the IP-address is unreachable as well. unfortunately this IP-Address will possibly be given to another ISPs client, but usually not within seconds. plus one could force the ping through the right interface. If it's possible to get a fixed public IPs via PPPoE this test will work for sure.

Chupaka · Thu May 13, 2010 12:55 pm

This don't work, becaume my adsl routers will be connected with my routeros and this conection will work, but not my pppoe in router.

Ibersystems · Thu May 13, 2010 7:24 pm

To this, I added:

add comment="" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.101.1 scope=30 target-scope=10

because my router needs to connect Internet to remote access or NTP..

/ip route
add dst-address=213.180.204.3/32 gateway=192.168.1.1 scope=10 target-scope=10
add dst-address=93.158.134.3/32 gateway=192.168.2.1 scope=10 target-scope=10
add gateway=213.180.204.3 routing-mark=ISP1 scope=30 target-scope=30 check-gateway=ping
add gateway=93.158.134.3 routing-mark=ISP2 scope=30 target-scope=30 check-gateway=ping
add distance=10 gateway=93.158.134.3 routing-mark=ISP1 scope=30 target-scope=30 check-gateway=ping
add distance=10 gateway=213.180.204.3 routing-mark=ISP2 scope=30 target-scope=30 check-gateway=ping

Chupaka · Fri May 14, 2010 12:22 am

well, for this you may add two last rules, but without routing marks =)

Ibersystems · Fri May 14, 2010 1:22 am

Yes, but i prefer only one, for make easy to get public ip with dyndns script.

I activated the 2, with diferent distance, 1 and 2 ; D!

Next week i have to make the same for 3 adsl.. I think i'll have 8 rules ; (

Thanks,

Chupaka · Fri May 14, 2010 1:53 am

I activated the 2, with diferent distance, 1 and 2 ; D!

hmmm... but again, what if the modem is up, but no connection to the internet? =) distance=2 won't help =)

Next week i have to make the same for 3 adsl.. I think i'll have 8 rules ; (

more than 8, I think ))) but... what's problem? =)

Ibersystems · Fri May 14, 2010 1:59 am

Its 2^3
i'll try to configure it ; D!

Chupaka · Fri May 14, 2010 2:31 am

I mean, 3 routes to 'checkpoints', 3 routes to 'fake' gateways (it's better to use them - in case of 'checkpoint' change you will change only one route, not three), and 3*3 default routes (including failover). 15 in total =)

xezen · Fri May 14, 2010 7:50 am

souns right

Ibersystems · Fri May 14, 2010 12:59 pm

hmmm... but again, what if the modem is up, but no connection to the internet? =) distance=2 won't help =)

I activated the 2 routers but with diferent distance. Now if one fails, router will work with the other, and I can enter always with my prefered line.

treborr · Sat Jul 03, 2010 1:47 pm

Hello,
I am biginner user of RouterOS and also new user of this forum. I have found this topic with google. I would like to thank you for good tip:

oops, I don't exactly remember where I have got this fake addresses in my investigations, but actually they are not needed - it's maybe just more beautiful (and easy-to-change) to use them ))) below is 'lite' version

/ip route
add dst-address=213.180.204.3/32 gateway=192.168.1.1 scope=10 target-scope=10
add dst-address=93.158.134.3/32 gateway=192.168.2.1 scope=10 target-scope=10
add gateway=213.180.204.3 routing-mark=ISP1 scope=30 target-scope=30 check-gateway=ping
add gateway=93.158.134.3 routing-mark=ISP2 scope=30 target-scope=30 check-gateway=ping
add distance=10 gateway=93.158.134.3 routing-mark=ISP1 scope=30 target-scope=30 check-gateway=ping
add distance=10 gateway=213.180.204.3 routing-mark=ISP2 scope=30 target-scope=30 check-gateway=ping

I have problem with this.
I have try to use it and it works following way:
When the connection is lost between modem and internet the all traffic is forwarded to working connection. When later the connection is restored, is the traffic splited accrording routing marks in both connections. That works perfectly.
But I have a problem when the connection is lost between routerboard and modem (for example modem2). The all traffic is forwarded to working connection (modem1). That also works. When the connection between routerboard and modem2 is restored, is NOT traffic splited to two connections. All traffic goes over modem1. In this way it works for both modems.

I woul like, that connection is again splited to both modems.
Could you help me please?

Thank You

Chupaka · Mon Jul 05, 2010 4:01 pm

and what do you see in the "/ip route print detail" at that moment?

treborr · Mon Jul 05, 2010 11:30 pm

Hello, here is output:
[ro3ot1@MikroTik] > /ip route print detail
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit
0 S dst-address=0.0.0.0/0 gateway=213.180.204.3 gateway-status=213.180.204.3 recursive via 192.168.10.1 5-gw check-gateway=ping distance=1 scope=30 target-scope=30 routing-mark=to_ISP1
1 A S dst-address=0.0.0.0/0 gateway=93.158.134.3 gateway-status=93.158.134.3 recursive via 192.168.0.1 4-gw check-gateway=ping distance=10 scope=30 target-scope=30 routing-mark=to_ISP1
2 A S dst-address=0.0.0.0/0 gateway=93.158.134.3 gateway-status=93.158.134.3 recursive via 192.168.0.1 4-gw check-gateway=ping distance=1 scope=30 target-scope=30 routing-mark=to_ISP2
3 S dst-address=0.0.0.0/0 gateway=213.180.204.3 gateway-status=213.180.204.3 recursive via 192.168.10.1 5-gw check-gateway=ping distance=10 scope=30 target-scope=30 routing-mark=to_ISP2
4 A S dst-address=0.0.0.0/0 gateway=93.158.134.3 gateway-status=93.158.134.3 recursive via 192.168.0.1 4-gw check-gateway=ping distance=10 scope=30 target-scope=30
5 S dst-address=0.0.0.0/0 gateway=213.180.204.3 gateway-status=213.180.204.3 recursive via 192.168.10.1 5-gw check-gateway=ping distance=10 scope=30 target-scope=30
6 A S dst-address=93.158.134.3/32 gateway=192.168.0.1 gateway-status=192.168.0.1 reachable 4-gw distance=1 scope=10 target-scope=10
7 ADC dst-address=192.168.0.0/24 pref-src=192.168.0.240 gateway=4-gw gateway-status=4-gw reachable distance=0 scope=10
8 ADC dst-address=192.168.1.0/24 pref-src=192.168.1.1 gateway=1-green gateway-status=1-local reachable distance=0 scope=10
9 ADC dst-address=192.168.5.0/24 pref-src=192.168.5.1 gateway=2-orange gateway-status=2-local reachable distance=0 scope=10
10 ADC dst-address=192.168.7.0/24 pref-src=192.168.7.1 gateway=3-blue gateway-status=3-local unreachable distance=0 scope=200
11 ADC dst-address=192.168.10.0/24 pref-src=192.168.10.12 gateway=5-gw gateway-status=5-gw reachable distance=0 scope=10
12 A S dst-address=213.180.204.3/32 gateway=192.168.10.1 gateway-status=192.168.10.1 reachable 5-gw distance=1 scope=10 target-scope=10

The active gateway after reconecting the modem on iterface 5 is still for trafic "to ISP1" the gateway with distance 10 (line 2). I would expected that after reconecting the modem on interface 5 will be active for trafic "to ISP1" the gateway with distance 1 (line 0).

Thank You for your help.

Ibersystems · Mon Jul 05, 2010 11:54 pm

One question:

did you copy paste any part of these rules via terminal or console?

If yes, try to copy paste the export file without the "/32" in the dst addresses/gateways.
I have this problem and reported to Maris via support, but he says that rules are Active..

You can see the rules active but as you say, the rules don't work correct. True?! Is something like this?

I have the same problem if I disable the isp1 ethernet (example), and enable it. The routes shown aren't the same than after reboot.

Chupaka · Tue Jul 06, 2010 12:05 pm

treborr, please make supout.rif at that moment and send it to support@mikrotik.com together with "/ip rou pr det" output...

treborr · Tue Jul 06, 2010 7:04 pm

treborr, please make supout.rif at that moment and send it to support@mikrotik.com together with "/ip rou pr det" output...

Hello,
it is done, the files are sended to support@mikrotik.com.

treborr · Tue Jul 06, 2010 7:08 pm

One question:

did you copy paste any part of these rules via terminal or console?

If yes, try to copy paste the export file without the "/32" in the dst addresses/gateways.
I have this problem and reported to Maris via support, but he says that rules are Active..

You can see the rules active but as you say, the rules don't work correct. True?! Is something like this?

I have the same problem if I disable the isp1 ethernet (example), and enable it. The routes shown aren't the same than after reboot.

Yes the routes are different after reboot and reconecting of modem.
Here is the pasted report without /32
0 S dst-address=0.0.0.0 gateway=213.180.204.3 gateway-status=213.180.204.3 recursive via 192.168.10.1 5-gw check-gateway=ping distance=1 scope=30 target-scope=30 routing-mark=to_ISP1
1 A S dst-address=0.0.0.0 gateway=93.158.134.3 gateway-status=93.158.134.3 recursive via 192.168.0.1 4-gw check-gateway=ping distance=10 scope=30 target-scope=30 routing-mark=to_ISP1
2 A S dst-address=0.0.0.0 gateway=93.158.134.3 gateway-status=93.158.134.3 recursive via 192.168.0.1 4-gw check-gateway=ping distance=1 scope=30 target-scope=30 routing-mark=to_ISP2
3 S dst-address=0.0.0.0 gateway=213.180.204.3 gateway-status=213.180.204.3 recursive via 192.168.10.1 5-gw check-gateway=ping distance=10 scope=30 target-scope=30 routing-mark=to_ISP2
4 A S dst-address=0.0.0.0 gateway=93.158.134.3 gateway-status=93.158.134.3 recursive via 192.168.0.1 4-gw check-gateway=ping distance=10 scope=30 target-scope=30
5 S dst-address=0.0.0.0 gateway=213.180.204.3 gateway-status=213.180.204.3 recursive via 192.168.10.1 5-gw check-gateway=ping distance=10 scope=30 target-scope=30
6 A S dst-address=93.158.134.3 gateway=192.168.0.1 gateway-status=192.168.0.1 reachable 4-gw distance=1 scope=10 target-scope=10
7 ADC dst-address=192.168.0.0 pref-src=192.168.0.240 gateway=4-gw-cisco gateway-status=4-gw reachable distance=0 scope=10
8 ADC dst-address=192.168.1.0 pref-src=192.168.1.1 gateway=1-green gateway-status=1 reachable distance=0 scope=10
9 ADC dst-address=192.168.5.0 pref-src=192.168.5.1 gateway=2-orange gateway-status=2 unreachable distance=0 scope=200
10 ADC dst-address=192.168.7.0 pref-src=192.168.7.1 gateway=3-blue gateway-status=3 unreachable distance=0 scope=200
11 ADC dst-address=192.168.10.0 pref-src=192.168.10.12 gateway=5-gw-asus gateway-status=5-gw reachable distance=0 scope=10
12 A S dst-address=213.180.204.3 gateway=192.168.10.1 gateway-status=192.168.10.1 reachable 5-gw distance=1 scope=10 target-scope=10

Ibersystems · Tue Jul 06, 2010 7:50 pm

Work diferent with the /32 or without in the copy paste?

yes?

treborr · Tue Jul 06, 2010 8:16 pm

Work diferent with the /32 or without in the copy paste?

yes?

In winbox it is without /32. /32 is only in terminal "/ip route print detail" and than in copy paste.
Sorry for confusing.

Ibersystems · Tue Jul 06, 2010 8:45 pm

I noticed that if I copy paste with or without the /32 it works different and return or not to the initial state.

treborr · Tue Jul 06, 2010 10:35 pm

I cannot se difference, when i disconnect and than reconect the modem, the stay active gateway with bigger distance. I noticed, when after reconecting change something on any gateway, it is enough to switch off check gateway, after click on ok is active the gateway with lower distance.

Eliminateur · Wed Jul 07, 2010 6:21 pm

chupaka,
i found this thread looking for a simple way to failover two connections(one similar to this examples in which a external router brings up the adsl connection and the other one is standard ethernet).
(btw, i have to finish reading the documentation about scopes and target scopes)

i have a some questions after reading this:
1) i see you generate routing marks, should i need to do anything else on the roputing rules to forward users traffic through the different connections?
2) before these routes, i assume i'll need a MASQ rule for each wan, right(what happens to masquerading in the routed connection case seeing as the modem gives a private DMz ip to the routeros?)?
3) what about default gateway for the routeros itself?
4) for incoming connections i assume i'll need a DSTNAT/forward rule per connection?

regards,
Guillermo

Chupaka · Wed Jul 07, 2010 6:45 pm

1) no additional routing rules needed
2) it depends on the modem config. if your modem will route your VPN addresses back to your router - then you'd better not to double-NAT =)
3) use those default routes but without 'routing-mark' =)
4) well, you may use one NAT rule, but anyway you will need to mark connections according to the incoming interface, so that it will be routed back via that interface

Ibersystems · Wed Jul 07, 2010 6:48 pm

fu**, you are so fast.. xD

point 4, for wxample like this:

/ip firewall mangle
add action=mark-connection chain=input comment="IN router1" disabled=no in-interface=ether2-ISP1 new-connection-mark=ISP1_conn passthrough=no
add action=mark-connection chain=input comment="IN router2" disabled=no in-interface=ether3-ISP2 new-connection-mark=ISP2_conn passthrough=no

treborr · Wed Jul 07, 2010 7:20 pm

Hello,
I have received answer from support. I get recommendation to change some routing marks. The second recommendation was to change check-gateway from ping to arp. I have tried this, but I lost connection to internet. What do you thing about this, could this change ping to arp be a solution? Nothing else was in answer from support.

Ibersystems · Wed Jul 07, 2010 7:25 pm

I think you can't use arp here, because the gateways are on internet.

Chupaka · Wed Jul 07, 2010 7:54 pm

definitely, you may use only 'ping' for checking

treborr · Wed Jul 07, 2010 8:00 pm

Thank you for answer. I think the same, that arp cannot work, but it was official answer from support. Hopefully support will come with something “better”.

Chupaka · Wed Jul 07, 2010 8:03 pm

treborr, what does "/ip route nexthop print" shows when problem appears? and also during normal operation...

treborr · Wed Jul 07, 2010 8:20 pm

During normal function it shows:
[ro3ot1@MikroTik] > /ip route nexthop print detail
0 address=93.158.134.3 gw-state=recursive forwarding-nexthop=192.168.0.1 scope=30 check-gateway=icmp gw-check-ok=yes
1 address=192.168.0.1 gw-state=reachable scope=10 check-gateway=none
2 address=192.168.10.1 gw-state=reachable scope=10 check-gateway=none
3 address=213.180.204.3 gw-state=recursive forwarding-nexthop=192.168.10.1 scope=30 check-gateway=icmp gw-check-ok=yes

when one modem is disconnected:
[ro3ot1@MikroTik] > /ip route nexthop print detail
0 address=93.158.134.3 gw-state=recursive forwarding-nexthop=192.168.0.1 scope=30 check-gateway=icmp gw-check-ok=yes
1 address=192.168.0.1 gw-state=reachable scope=10 check-gateway=none
2 address=192.168.10.1 gw-state=unreachable scope=10 check-gateway=none
3 address=213.180.204.3 gw-state=recursive forwarding-nexthop=192.168.0.1 scope=30 check-gateway=icmp gw-check-ok=yes

a when the modem is reconnected:
[ro3ot1@MikroTik] > /ip route nexthop print detail
0 address=93.158.134.3 gw-state=recursive forwarding-nexthop=192.168.0.1 scope=30 check-gateway=icmp gw-check-ok=yes
1 address=192.168.0.1 gw-state=reachable scope=10 check-gateway=none
2 address=192.168.10.1 gw-state=reachable scope=10 check-gateway=none
3 address=213.180.204.3 gw-state=recursive forwarding-nexthop=192.168.10.1 scope=30 check-gateway=icmp gw-check-ok=yes

Chupaka · Wed Jul 07, 2010 8:24 pm

disconnected?.. "gw-check-ok" is always "yes"... have you waited a minute?..

is 192.168.10.1 static address?..

Eliminateur · Wed Jul 07, 2010 8:41 pm

fu**, you are so fast.. xD

point 4, for wxample like this:

/ip firewall mangle
add action=mark-connection chain=input comment="IN router1" disabled=no in-interface=ether2-ISP1 new-connection-mark=ISP1_conn passthrough=no
add action=mark-connection chain=input comment="IN router2" disabled=no in-interface=ether3-ISP2 new-connection-mark=ISP2_conn passthrough=no

and after that i have to build a route rule using the connection marks: ISP2_conn /ISP1

i think i'm getting the hang of this(it's bee a while since i used a ROS and never for dual-wan failover without balancing)

treborr · Wed Jul 07, 2010 8:47 pm

disconnected?.. "gw-check-ok" is always "yes"... have you waited a minute?..

is 192.168.10.1 static address?..

Yes i always wait cca 1 minute. Yes the 192.168.10.1 is static address.

Chupaka · Thu Jul 08, 2010 12:53 am

hmmm... what version of ROS?.. I'm wondering why "gw-check-ok=yes"... can you ping 213.180.204.3 when modem is disconnected?..

treborr · Thu Jul 08, 2010 10:11 pm

Version of ROS is 4.9 from 29.4.2010
Yes i can ping 213.180.204.3
the begin of tracert
1 < 1 ms < 1 ms <1 1 ms 192.168.0.1 - this is ip address of second modem.

Thank You

Chupaka · Thu Jul 08, 2010 11:21 pm

hmmm... try to change target-scope of all default routes to 10 (it should not be 30)...

treborr · Thu Jul 08, 2010 11:35 pm

Thank you for your help.
I have changed the target-scope to 10 for all default routes. It still the same after reconnecting of modem

Chupaka · Fri Jul 09, 2010 12:11 am

and what about ping?

treborr · Sun Jul 11, 2010 8:46 pm

Solution for issue: not active routes with shorter distance after reconnecting modem.

It is not my solution, all Thanks belongs to Chupaka.
Thank You.

To the solution which is posted in this topic on the first page are added the following two routes:

/ip route
add dst-address=213.180.204.3 type=blackhole distance=20 scope=30 target-scope=10
add dst-address=93.158.134.3 type=blackhole distance=20 scope=30 target-scope=10

Here is the output of complete solution:
/ip route print detail

Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit
0 A S dst-address=0.0.0.0/0 gateway=213.180.204.3 gateway-status=213.180.204.3 recursive via 192.168.10.1 5-gw-asus check-gateway=ping distance=1 scope=30 target-scope=10 routing-mark=to_ISP1
1 S dst-address=0.0.0.0/0 gateway=93.158.134.3 gateway-status=93.158.134.3 recursive via 192.168.0.1 4-gw-cisco check-gateway=ping distance=10 scope=30 target-scope=10 routing-mark=to_ISP1
2 A S dst-address=0.0.0.0/0 gateway=93.158.134.3 gateway-status=93.158.134.3 recursive via 192.168.0.1 4-gw-cisco check-gateway=ping distance=1 scope=30 target-scope=10 routing-mark=to_ISP2
3 S dst-address=0.0.0.0/0 gateway=213.180.204.3 gateway-status=213.180.204.3 recursive via 192.168.10.1 5-gw-asus check-gateway=ping distance=10 scope=30 target-scope=10 routing-mark=to_ISP2
4 A S dst-address=0.0.0.0/0 gateway=93.158.134.3 gateway-status=93.158.134.3 recursive via 192.168.0.1 4-gw-cisco check-gateway=ping distance=15 scope=30 target-scope=10
5 S dst-address=0.0.0.0/0 gateway=213.180.204.3 gateway-status=213.180.204.3 recursive via 192.168.10.1 5-gw-asus check-gateway=ping distance=15 scope=30 target-scope=10
6 A S dst-address=93.158.134.3/32 gateway=192.168.0.1 gateway-status=192.168.0.1 reachable 4-gw-cisco distance=1 scope=10 target-scope=10
7 SB dst-address=93.158.134.3/32 type=blackhole distance=20
8 ADC dst-address=192.168.0.0/24 pref-src=192.168.0.240 gateway=4-gw-cisco gateway-status=4-gw-cisco reachable distance=0 scope=10
9 ADC dst-address=192.168.1.0/24 pref-src=192.168.1.1 gateway=1-green gateway-status=1-green unreachable distance=0 scope=200
10 ADC dst-address=192.168.5.0/24 pref-src=192.168.5.1 gateway=2-orange gateway-status=2-orange unreachable distance=0 scope=200
11 ADC dst-address=192.168.7.0/24 pref-src=192.168.7.1 gateway=3-blue gateway-status=3-blue unreachable distance=0 scope=200
12 ADC dst-address=192.168.10.0/24 pref-src=192.168.10.12 gateway=5-gw-asus gateway-status=5-gw-asus reachable distance=0 scope=10
13 A S dst-address=213.180.204.3/32 gateway=192.168.10.1 gateway-status=192.168.10.1 reachable 5-gw-asus distance=1 scope=10 target-scope=10
14 SB dst-address=213.180.204.3/32 type=blackhole distance=20

Chupaka · Sun Jul 11, 2010 9:17 pm

yep, after adding those blackhole routes recursive routes are recalculated correctly - to be fixed in next version =)

Chupaka · Sat Jul 17, 2010 8:49 pm

added to the Wiki as "Workaround 1"

http://wiki.mikrotik.com/wiki/Advanced_ ... _Scripting

adrianatkins · Sun Jul 18, 2010 12:26 am

Chupaka, did you try to look like a younger version of the Kargen off Highlander, or is it coincidence ?

Chupaka · Sun Jul 18, 2010 12:37 am

the Kargen off Highlander

sorry?..

adrianatkins · Sun Jul 18, 2010 12:21 pm

Highlander - it's a Film

http://www.google.co.uk/#hl=en&&sa=X&ei ... 5743156be6

Kurgan aparently - i spelt it wrong

Chupaka · Mon Jul 19, 2010 1:41 pm

yep, he looks almost like me

wifi442 · Wed Aug 25, 2010 1:18 am

/ip route
add dst-address=213.180.204.3/32 gateway=192.168.1.1 scope=10 target-scope=10
add dst-address=93.158.134.3/32 gateway=192.168.2.1 scope=10 target-scope=10
add gateway=213.180.204.3 routing-mark=ISP1 scope=30 target-scope=30 check-gateway=ping
add gateway=93.158.134.3 routing-mark=ISP2 scope=30 target-scope=30 check-gateway=ping
add distance=10 gateway=93.158.134.3 routing-mark=ISP1 scope=30 target-scope=30 check-gateway=ping
add distance=10 gateway=213.180.204.3 routing-mark=ISP2 scope=30 target-scope=30 check-gateway=ping

And: http://wiki.mikrotik.com/wiki/Advanced_ ... _Scripting

This looks to be a great setup right here. I have been messing around with it all day on my test router with no luck.

I was hoping to use this instead of: http://wiki.mikrotik.com/wiki/Two_gateways_failover

I must be missing something. Can I get some examples of mangle connection marking with the ISP1 and ISP2 routing marks?

Chupaka · Wed Aug 25, 2010 3:47 pm

what's your setup? do you need mangling at all?

wifi442 · Wed Aug 25, 2010 7:22 pm

what's your setup? do you need mangling at all?

I was hoping to use it on my core router. It is set up as a pppoe server for my network with queues, lots of mangle rules, etc. I want the 2nd connection to function only as a backup, no need for load sharing etc.

I am trying to get it working on my test router first, a RB750. It is set up pretty simple. It just seems with the marked routes, nothing gets past. Just page not found errors

Here is a print out of my routes. (The 2 IPs are googles IPs)

[admin@750G] /ip route> print
Flags: X - disabled, A - active, D - dynamic, 
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 A S  0.0.0.0/0                          74.125.19.148      1       
 1   S  0.0.0.0/0                          74.125.19.147      2       
 2 A S  0.0.0.0/0                          74.125.19.147      1       
 3   S  0.0.0.0/0                          74.125.19.148      2       
 4 ADC  70.XXX.2.0/24      70.XXX.2.210    ether1PUBLIC       0       
 5 A S  74.125.19.147/32                   70.XXX.2.2         1       
 6 A S  74.125.19.148/32                   70.XXX.2.1         1       
 7 ADC  192.168.9.0/24     192.168.9.1     ether5JETCORP      0       
 8 ADC  192.168.88.0/24    192.168.88.1    JetWire_Bridge     0       
[admin@750G] /ip route>

wifi442 · Thu Aug 26, 2010 2:20 am

Ok I simply removed the Marked routes and it seems to be working. For my simple setup i'm not sure they were needed. I still need to test more.

Can I turn off ping checking on the 2nd gateways? The 2nd backup link is over wireless and I wouldn't want it to turn itself off because of a few dropped packets.

wifi442 · Thu Aug 26, 2010 2:53 am

Here is what I have so far for with no routing marks. The 12.0.0.1 is a fake address. I am hoping the 2nd conenction won't need to be pinged, cause if its down it doses not matter. Can you see any problems? Going to test more....

/ip route
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
   74.125.19.148 scope=30 target-scope=10
add disabled=no distance=2 dst-address=0.0.0.0/0 gateway=12.0.0.1 scope=30 \
   target-scope=10
add disabled=no distance=1 dst-address=12.0.0.1/32 gateway=70.XXX.2.2 scope=\
   10 target-scope=10
add disabled=no distance=1 dst-address=74.125.19.148/32 gateway=70.XXX.2.1 \
   scope=10 target-scope=10

adrianatkins · Sat Aug 28, 2010 3:57 am

do you need mangling at all?

Only a true bloodthirsty (but polite) 1000 year old warrior would ask that question !

You must be the Kurgan !

There Can Be Only One .....

Chupaka · Mon Aug 30, 2010 2:38 pm

sorry for the long delay, girls are a bit time-consuming %)

I am hoping the 2nd conenction won't need to be pinged, cause if its down it doses not matter

sure, in case of backup link you don't need to check it - you need checking only in case of load-balance, when both links are simultaneously primary and backup for each other

kazanova · Wed Sep 08, 2010 12:42 pm

nice one

kazanova · Wed Sep 08, 2010 10:07 pm

why not work???

/ip route
add dst-address=98.137.149.56/32 gateway=192.168.1.1 scope=10 target-scope=10 comment="yahoo" disabled=no
add dst-address=66.249.92.104/32 gateway=192.168.2.1 scope=10 target-scope=10 comment="google" disabled=no
add gateway=98.137.149.56 routing-mark=route-to-isp1 scope=30 target-scope=30 check-gateway=ping disabled=no
add gateway=66.249.92.104 routing-mark=route-to-isp2 scope=30 target-scope=30 check-gateway=ping disabled=no
add distance=10 gateway=66.249.92.104 routing-mark=route-to-isp1 scope=30 target-scope=30 check-gateway=ping disabled=no
add distance=10 gateway=98.137.149.56 routing-markroute-to-isp2 scope=30 target-scope=30 check-gateway=ping disabled=no

kazanova · Wed Sep 08, 2010 10:20 pm

right now i use this one but it not so perfect
i need to ping something not my gateway like google cuz my gateway is my DSL machine and always ping replay

http://wiki.mikrotik.com/wiki/Manual:PCC
/ ip route
add dst-address=0.0.0.0/0 gateway=10.111.0.1 routing-mark=to_wlan1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.112.0.1 routing-mark=to_wlan2 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.111.0.1 distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.112.0.1 distance=2 check-gateway=ping

infidel · Thu Sep 09, 2010 8:49 pm

Did you have a look at my script?
http://forum.mikrotik.com/viewtopic.php?f=9&t=39365

kazanova · Thu Sep 09, 2010 11:27 pm

yes sure and iam thankfull but i like this idea more

Chupaka · Fri Sep 10, 2010 6:31 pm

why not work???

/ip route
add dst-address=98.137.149.56/32 gateway=192.168.1.1 scope=10 target-scope=10 comment="yahoo" disabled=no
add dst-address=66.249.92.104/32 gateway=192.168.2.1 scope=10 target-scope=10 comment="google" disabled=no
add gateway=98.137.149.56 routing-mark=route-to-isp1 scope=30 target-scope=30 check-gateway=ping disabled=no
add gateway=66.249.92.104 routing-mark=route-to-isp2 scope=30 target-scope=30 check-gateway=ping disabled=no
add distance=10 gateway=66.249.92.104 routing-mark=route-to-isp1 scope=30 target-scope=30 check-gateway=ping disabled=no
add distance=10 gateway=98.137.149.56 routing-markroute-to-isp2 scope=30 target-scope=30 check-gateway=ping disabled=no

what are your gateways? 192.168.1.1 and 1.2? or 10.111.0.1 and 10.112.0.1?..

kazanova · Sat Sep 11, 2010 1:17 am

my gateway 192.198.1.1 and 192.168.2.1
10.111.0.1 and 10.112.0.1 just EX form wiki page

Chupaka · Sun Sep 12, 2010 5:26 pm

so, what doesn't work?..

/ip route print detail

kazanova · Tue Sep 14, 2010 11:28 pm

http://forum.mikrotik.com/viewtopic.php?f=2&t=45025

rgodoy · Fri Sep 17, 2010 2:20 am

Hello everyone. I'm new in routeros with just a couple of weeks. It's really very hard to understand this...

Well, I just wanted to ask you all if you would make some coding for me, for specific purposes, and I pay to you thru Paypal for the work. I really want to learn but almost all the time, the people I'm working for, are not pacient at all. Please let me know if any of you are interested.

By the way. All the code in http://wiki.mikrotik.com/wiki/Advanced_ ... _Scripting is all I need to make it work? I guess I need a mangle rule, a NAT rule... I just put all this code in a VM to test it but it doesn't work.

Best regards.

rgodoy · Sat Sep 18, 2010 7:19 pm

Can anybody help me with this little issue? I basically don't understand how to replace this code (from PCC):

/ ip route
add dst-address=0.0.0.0/0 gateway=10.111.0.1 routing-mark=to_wlan1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.112.0.1 routing-mark=to_wlan2 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.111.0.1 distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.112.0.1 distance=2 check-gateway=ping

for this code (from Advanced routing...):

/ip route
add dst-address=Host1 gateway=GW1 scope=10
add dst-address=Host2 gateway=GW2 scope=10

/ip route
add distance=1 gateway=Host1 routing-mark=ISP1 check-gateway=ping
add distance=2 gateway=Host2 routing-mark=ISP1 check-gateway=ping

/ip route
add distance=1 gateway=Host2 routing-mark=ISP2 check-gateway=ping
add distance=2 gateway=Host1 routing-mark=ISP2 check-gateway=ping

When i use the first one, it works, but happens what somebody said about the phone line down. The second code doesn't work. What are the missing lines of code in order to make it work??

Thanks in advance.

kazanova · Sat Sep 18, 2010 10:56 pm

ping dst-address not my GW
http://forum.mikrotik.com/viewtopic.php?f=2&t=45025

Chupaka · Mon Sep 20, 2010 3:21 pm

rgodoy, at first, replace 'ISP1' and 'ISP2' marks with your 'to_wlan1', 'to_wlan2'

and please, post exact rules you use, not just templates

rgodoy · Wed Sep 22, 2010 6:04 pm

Hello guys. Thanks for replaying.

It's working now. What happened was: I have a virtual test environment with only 1 real Internet connection. I was simulating the second one. Problem was that in the article doesn't appear the default routes created dynamically. So, I had to create those routes by myself. I realized that when I plugged my MK-PC directly to the cablemodem. Before that, there was a WRG54G between modem and MK-PC.

I have not 2 real internet connections to test it's really working. In theory, it works fine. I'll test with 2 conns tomorrow.

I have a little question. How do I know it's really balancing? When I turn off one WAN interface, it works, the other one starts to work. But I don't know how to determine if the router is really using both connections to balance the load.

Regards.

Chupaka · Wed Sep 22, 2010 9:12 pm

just look at your uplinks' load - if traffic goes through one uplink, then balancing is not working =)

rgodoy · Thu Sep 23, 2010 11:55 pm

Hi Chupaka. I'm just wondering if you could be interested in helping me with an specific issue, and of course I'll pay for your work. If you're insterested we could entablish contact thru e-mail and/or skype. Please let me know if you are or aren't interested. If not, I have to look for someone else. I really need to solve this problem.

All this thing works, but only in my test environment (with only 1 Internet connection). When I try to make it work with 1 cablemodem and 1 PPPoE, it doesn't work at all. When I disable one interface, router "realizes" that one link is down and starts using the another. But workstations doesn't.

kazanova · Thu Sep 23, 2010 11:59 pm

if you want tow line to work together you should use Load-balance try pcc

rgodoy · Fri Sep 24, 2010 12:08 am

if you want tow line to work together you should use Load-balance try pcc

I did, but doesn't work. As I said, router seems to work, but not workstations.

I'm trying this:
1. Open a command window (in workstation) and ping something. Also open a terminal win (winbox) and ping something.
2. I disable the active outgoing interface.
3. Terminal win shows me 1 or 2 timeouts (or was no route... I don't remember) and then keeps pinging with the another conn.
4. Workstation stops pinging and NEVER do it again. Even when I enable the first outgoing conn.

I don't know what else to do with this...

kazanova · Fri Sep 24, 2010 12:26 am

plz export the firewall and past it

rgodoy · Fri Sep 24, 2010 4:19 pm

Ok Kazanova, here it is!
THE PROBLEM: Load balance doesn't work properly. Router seems to work, but not workstations.
I'm trying this:
1. Open a command window (in workstation) and ping something. Also open a terminal win (winbox) and ping something.
2. I disable the active outgoing interface in winbox (the first one is iFIBER [cablemodem]).
3. Terminal win shows me 1 or 2 timeouts (or was "no route"... I don't remember) and then keeps pinging with the another conn.
4. Workstation stops pinging and NEVER do it again. Even when I enable the first outgoing conn and router keeps pinging ok.

# OVERVIEW
# local network 192.168.5.0/24 with DHCP svr.
# interfaces: iLAN, iARNET (WAN PPPoE), iFIBER (WAN cablemodem)
# Mangle and NAT was extracted from PCC article. ROUTING was extracted from Advanced Routing... article.

/ip pool
add name=dhcp_pool1 ranges=192.168.5.30-192.168.5.49
/ip dhcp-server
add address-pool=dhcp_pool1 authoritative=after-2sec-delay bootp-support=\
    static disabled=no interface=iLAN lease-time=3d name=dhcp1
/port
/interface pppoe-client
add ac-name="" add-default-route=yes allow=pap,chap,mschap1,mschap2 comment=\
    "" dial-on-demand=no disabled=no interface=iARNET max-mru=1480 max-mtu=\
    1480 mrru=disabled name=pppoe-ARNET password=9999999 profile=default \
    service-name="" use-peer-dns=no user=\
    user@isp

# Router IP.
/ip address
add address=192.168.5.2/24 broadcast=192.168.5.255 comment="" disabled=no \
    interface=iLAN network=192.168.5.0

# ISP FIBER. Here, use-peer-DNS is set to "no" because it changes /ip dns config.
#I want in that config DNSs from both ISPs. I also did it en PPPoE interaface config.
/ip dhcp-client
add add-default-route=yes comment="" default-route-distance=0 disabled=no \
    interface=iFIBER use-peer-ntp=yes
/ip dhcp-server config
set store-leases-disk=5m

# DHCP SVR local network with 5 dns servers. 1º and 3º belongs to ISP FIBER.
# 2º and 4º to ISP ARNET.
/ip dhcp-server network
add address=192.168.5.0/24 comment="" dns-server=\
    200.49.130.31,200.45.191.35,200.49.130.30,200.45.48.233,192.168.5.2 \
    gateway=192.168.5.2 netmask=24

# One DNS for ISP FIBER and the another for ISP ARNET.
/ip dns
set allow-remote-requests=yes cache-max-ttl=1w cache-size=4096KiB \
    max-udp-packet-size=512 primary-dns=200.49.130.31 secondary-dns=\
    200.45.48.233
    
# Here starts the config of PCC article. I guess there's nothing important.
/ip firewall address-list
add address=192.168.0.0/16 comment="" disabled=no list=illegal-addr
add address=10.0.0.0/8 comment="" disabled=no list=illegal-addr
add address=172.16.0.0/12 comment="" disabled=no list=illegal-addr
add address=169.254.0.0/16 comment="" disabled=no list=illegal-addr
add address=127.0.0.0/8 comment="" disabled=no list=illegal-addr
add address=224.0.0.0/3 comment=multicast disabled=no list=illegal-addr
add address=223.0.0.0/8 comment="" disabled=no list=illegal-addr
add address=198.18.0.0/15 comment="" disabled=no list=illegal-addr
add address=192.0.2.0/24 comment="" disabled=no list=illegal-addr
add address=185.0.0.0/8 comment="" disabled=no list=illegal-addr
add address=180.0.0.0/6 comment="" disabled=no list=illegal-addr
add address=179.0.0.0/8 comment="" disabled=no list=illegal-addr
add address=176.0.0.0/7 comment="" disabled=no list=illegal-addr
add address=175.0.0.0/8 comment="" disabled=no list=illegal-addr
add address=104.0.0.0/6 comment="" disabled=no list=illegal-addr
add address=100.0.0.0/6 comment="" disabled=no list=illegal-addr
add address=49.0.0.0/8 comment="" disabled=no list=illegal-addr
add address=46.0.0.0/8 comment="" disabled=no list=illegal-addr
add address=42.0.0.0/8 comment="" disabled=no list=illegal-addr
add address=39.0.0.0/8 comment="" disabled=no list=illegal-addr
add address=36.0.0.0/7 comment="" disabled=no list=illegal-addr
add address=31.0.0.0/8 comment="" disabled=no list=illegal-addr
add address=27.0.0.0/8 comment="" disabled=no list=illegal-addr
add address=23.0.0.0/8 comment="" disabled=no list=illegal-addr
add address=14.0.0.0/8 comment="" disabled=no list=illegal-addr
add address=5.0.0.0/8 comment="" disabled=no list=illegal-addr
add address=2.0.0.0/8 comment="" disabled=no list=illegal-addr
add address=0.0.0.0/7 comment="" disabled=no list=illegal-addr
add address=128.0.0.0/16 comment="" disabled=no list=illegal-addr
add address=192.168.5.0/24 comment="my local network, all NATed" disabled=no \
    list=local-addr

# Here I have some disabled. Another rules (specially with action "jump") are Invalid I don't know why.
# Nevertheless, if I disable all, it is still not working.
/ip firewall filter
add action=accept chain=forward comment="Allow traffic between clients" \
    disabled=no in-interface=iLAN out-interface=iLAN
add action=jump chain=forward comment="Sanity Check Forward" disabled=no \
    jump-target=sanity-check
add action=jump chain=sanity-check comment="Deny illegal NAT traversal" \
    disabled=no jump-target=drop packet-mark=NAT-T
add action=accept chain=input comment=\
    "Allow The Router to be visible via Neighbor Discovery to WinBox" \
    disabled=no dst-address=255.255.255.255 dst-port=5678 in-interface=iLAN \
    protocol=udp
add action=add-src-to-address-list address-list=blocked-addr \
    address-list-timeout=3d chain=sanity-check comment="Block port scans" \
    disabled=yes protocol=tcp psd=20,3s,3,1
add action=add-src-to-address-list address-list=blocked-addr \
    address-list-timeout=1d chain=sanity-check comment=\
    "*** Block TCP Null scan" disabled=no protocol=tcp tcp-flags=\
    fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list=blocked-addr \
    address-list-timeout=1d chain=sanity-check comment=\
    "*** Block TCP Xmas scan" disabled=no protocol=tcp tcp-flags=\
    !fin,!syn,!rst,!psh,!ack,!urg
add action=jump chain=sanity-check comment="" disabled=no jump-target=drop \
    protocol=tcp src-address-list=blocked-addr
add action=jump chain=sanity-check comment="*** Drop TCP RST" disabled=no \
    jump-target=drop protocol=tcp tcp-flags=rst
add action=jump chain=sanity-check comment="*** Drop TCP SYN+FIN" disabled=no \
    jump-target=drop protocol=tcp tcp-flags=fin,syn
add action=jump chain=sanity-check comment=\
    "Dropping invalid connections at once" connection-state=invalid disabled=\
    no jump-target=drop
add action=accept chain=sanity-check comment=\
    "Accepting already established connections" connection-state=established \
    disabled=no
add action=accept chain=sanity-check comment=\
    "Also accepting related connections" connection-state=related disabled=no
add action=jump chain=sanity-check comment=\
    "*** Drop all traffic that goes to multicast or broadcast addresses" \
    disabled=no dst-address-type=broadcast,multicast jump-target=drop
add action=jump chain=sanity-check comment=\
    "Drop illegal destination addresses" disabled=no dst-address-list=\
    illegal-addr dst-address-type=!local in-interface=iLAN jump-target=drop
add action=jump chain=sanity-check comment="Drop everything that goes from loc\
    al interface but not from local address" disabled=no in-interface=iLAN \
    jump-target=drop src-address-list=!local-addr
add action=jump chain=sanity-check comment="Drop illegal source addresses" \
    disabled=no in-interface=iFIBER jump-target=drop src-address-list=\
    illegal-addr
add action=jump chain=sanity-check comment="Drop illegal source addresses" \
    disabled=no in-interface=iARNET jump-target=drop src-address-list=\
    illegal-addr
add action=jump chain=sanity-check comment=\
    "*** Drop all traffic that comes from multicast or broadcast addresses" \
    disabled=no jump-target=drop src-address-type=broadcast,multicast
add action=accept chain=input comment=\
    "Allow local traffic (between router applications)" disabled=no \
    dst-address-type=local src-address-type=local
add action=jump chain=input comment="DHCP protocol would not pass sanity check\
    ing, so enabling it explicitly before other checks" disabled=no dst-port=\
    67 in-interface=iLAN jump-target=dhcp protocol=udp src-port=68
add action=jump chain=input comment="Sanity Check" disabled=no jump-target=\
    sanity-check
add action=jump chain=input comment="*** Dropping packets not destined to the \
    router itself, including all broadcast traffic" disabled=no \
    dst-address-type=!local jump-target=drop
add action=accept chain=input comment=\
    "Allow pings, but at a very limited rate (5 packets per sec)" disabled=\
    yes icmp-options=8:0-255 limit=5,5 protocol=icmp
add action=jump chain=input comment=\
    "Allowing some services to be accessible from the local network" \
    disabled=no in-interface=iLAN jump-target=local-services
add action=jump chain=input comment=\
    "Allowing some services to be accessible from the Internet" disabled=no \
    in-interface=iFIBER jump-target=public-services
add action=jump chain=input comment=\
    "Allowing some services to be accessible from the Internet" disabled=no \
    in-interface=iARNET jump-target=public-services
add action=jump chain=input comment="" disabled=no jump-target=drop
add action=accept chain=dhcp comment="" disabled=no dst-address=\
    255.255.255.255 src-address=0.0.0.0
add action=accept chain=dhcp comment="" disabled=no dst-address-type=local \
    src-address=0.0.0.0
add action=accept chain=dhcp comment="" disabled=no dst-address-type=local \
    src-address-list=local-addr
add action=drop chain=local-services comment="SSH (22/TCP)" disabled=no \
    dst-port=22 protocol=tcp
add action=accept chain=local-services comment=DNS disabled=no dst-port=53 \
    protocol=udp
add action=accept chain=local-services comment=DNS disabled=no dst-port=53 \
    protocol=tcp
add action=accept chain=local-services comment="HTTP Proxy (3128/TCP)" \
    disabled=no dst-port=3128 protocol=tcp
add action=accept chain=local-services comment="Winbox (8291/TCP)" disabled=\
    no dst-port=8291 protocol=tcp
add action=accept chain=local-services comment=SNMP disabled=no dst-port=161 \
    protocol=udp
add action=accept chain=local-services comment=NTP disabled=no dst-port=123 \
    protocol=udp
add action=accept chain=local-services comment="Neighbor discovery" disabled=\
    no dst-port=5678 protocol=udp
add action=log chain=local-services comment=\
    "Temporary Logging to check for things we should not drop" disabled=no \
    log-prefix=""
add action=drop chain=local-services comment="" disabled=yes
add action=accept chain=public-services comment="SSH (22/TCP)" disabled=no \
    dst-port=22 protocol=tcp
add action=accept chain=public-services comment="PPTP (1723/TCP)" disabled=\
    yes dst-port=1723 protocol=tcp
add action=accept chain=public-services comment="Winbox (8291/TCP)" disabled=\
    no dst-port=8291 protocol=tcp
add action=accept chain=public-services comment="GRE for PPTP" disabled=yes \
    protocol=gre
add action=drop chain=forward comment=Skype disabled=no layer7-protocol=Skype
add action=log chain=public-services comment=\
    "Temporary Logging to check for things we should not drop" disabled=yes \
    log-prefix=""
add action=drop chain=public-services comment="" disabled=yes
/ip firewall mangle
add action=mark-packet chain=prerouting comment="Detect NAT Traversal" \
    disabled=no dst-address-list=local-addr in-interface=iFIBER \
    new-packet-mark=nat-traversal passthrough=no
add action=mark-packet chain=prerouting comment="" disabled=no \
    dst-address-list=local-addr in-interface=iARNET new-packet-mark=\
    nat-traversal passthrough=yes
add action=mark-connection chain=input comment="Config b\E1sica" disabled=no \
    in-interface=iFIBER new-connection-mark=conn_FIBER passthrough=yes
add action=mark-connection chain=input comment="" disabled=no in-interface=\
    iARNET new-connection-mark=conn_ARNET passthrough=yes
add action=mark-routing chain=output comment="" connection-mark=conn_FIBER \
    disabled=no new-routing-mark=rt_FIBER passthrough=yes
add action=mark-routing chain=output comment="" connection-mark=conn_ARNET \
    disabled=no new-routing-mark=rt_ARNET passthrough=yes
add action=accept chain=prerouting comment="" disabled=no dst-address=\
    !192.168.5.0/24 in-interface=iLAN
add action=mark-connection chain=prerouting comment="" disabled=no \
    dst-address-type=!local in-interface=iLAN new-connection-mark=conn_FIBER \
    passthrough=yes per-connection-classifier=both-addresses:2/0
add action=mark-connection chain=prerouting comment="" disabled=no \
    dst-address-type=!local in-interface=iLAN new-connection-mark=conn_ARNET \
    passthrough=yes per-connection-classifier=both-addresses:2/1
add action=mark-routing chain=prerouting comment="" connection-mark=\
    conn_FIBER disabled=no in-interface=iLAN new-routing-mark=rt_FIBER \
    passthrough=yes
add action=mark-routing chain=prerouting comment="" connection-mark=\
    conn_ARNET disabled=no in-interface=iLAN new-routing-mark=rt_ARNET \
    passthrough=yes

/ip firewall nat
add action=masquerade chain=srcnat comment="" disabled=no out-interface=\
    iFIBER
add action=masquerade chain=srcnat comment="" disabled=no out-interface=\
    iARNET
add action=dst-nat chain=dstnat comment=RDP disabled=no dst-port=3389 \
    in-interface=!iLAN protocol=tcp src-address-list="" to-addresses=\
    192.168.5.9 to-ports=3389
add action=src-nat chain=srcnat comment=RDP disabled=no out-interface=!iLAN \
    protocol=tcp src-address=192.168.5.9 src-port=3389 to-ports=1024-65535

# I disabled this. I don't understand what is doing.
add action=redirect chain=dstnat comment="Transparent DNS Cache" \
    connection-mark=dns disabled=yes in-interface=iLAN
add action=redirect chain=dstnat comment="Transparent Web Cache" disabled=no \
    dst-port=80 protocol=tcp to-ports=3128

# I disabled this. I don't understand what is doing.
add action=redirect chain=dstnat comment="Transparent proxy for NTP requests" \
    connection-mark=ntp disabled=yes in-interface=iLAN

# All transparent proxy stuff. It's running, but doesn't cache anything. Again, I don't unterstand why.
/ip proxy
set always-from-cache=yes cache-administrator=webmaster cache-hit-dscp=4 \
    cache-on-disk=yes enabled=yes max-cache-size=none max-client-connections=\
    1000 max-fresh-time=3d max-server-connections=1000 parent-proxy=0.0.0.0 \
    parent-proxy-port=0 port=3128 serialize-connections=no src-address=\
    0.0.0.0
/ip proxy access
add action=deny comment="" disabled=no dst-host=:facebook
/ip proxy cache
/store
add comment="" disabled=no disk=primary-master name=user-manager1 type=\
    user-manager
add comment="" disabled=no disk=primary-master name=web-proxy1 type=web-proxy

# Here is the main problem I guess.
# I replaced PCC code for Advanced Balancing..... code.
# gateway 201.231.156.1 for ISP FIBER.
# gateway 200.3.60.15 for ISP ARNET.
# Main routes for both ISPs are not here. They are created dynamically when I plug the modems.
# What the distance for those dynamic routes should be?

/ip route
add check-gateway=ping comment="" disabled=no distance=1 dst-address=\
    0.0.0.0/0 gateway=137.254.16.57 routing-mark=rt_ARNET scope=30 \
    target-scope=10
add check-gateway=ping comment="" disabled=no distance=1 dst-address=\
    0.0.0.0/0 gateway=69.147.112.160 routing-mark=rt_FIBER scope=30 \
    target-scope=10
add check-gateway=ping comment="" disabled=no distance=2 dst-address=\
    0.0.0.0/0 gateway=137.254.16.57 routing-mark=rt_FIBER scope=30 \
    target-scope=10
add check-gateway=ping comment="" disabled=no distance=2 dst-address=\
    0.0.0.0/0 gateway=69.147.112.160 routing-mark=rt_ARNET scope=30 \
    target-scope=10
add comment="ping Yahoo Mail - host1" disabled=no distance=1 dst-address=\
    69.147.112.160/32 gateway=201.231.156.1 scope=10 target-scope=10
add disabled=no distance=20 dst-address=69.147.112.160/32 type=blackhole
add comment="ping Sun - host2" disabled=no distance=1 dst-address=\
    137.254.16.57/32 gateway=200.3.60.15 scope=10 target-scope=10
add comment="" disabled=no distance=20 dst-address=137.254.16.57/32 type=\
    blackhole

rgodoy · Mon Sep 27, 2010 1:46 am

I tried to do this with another software package and always have the same result: workstations doesn't work after the primary link is down, but, the router works fine.

So the question is: how should be the workstations proper config? I don't understand what's going on here... Anybody has this working????????

jamiewatson69 · Mon Sep 27, 2010 12:45 pm

Hi all,

I have been trying to get this working for about a week now! Basically my setup is very similar to what you have all achieved, except I want my default route to have more than one gateway in. When the route has one gateway in its fine and the next hop correctly detects if the link is down. If I then add a second gateway the default route it no longer detects if the gateways are, see below;
add check-gateway=ping comment="" disabled=no distance=1 dst-address=\
1.1.1.1/32 gateway=81.187.244.77,81.187.164.216 scope=30 target-scope=10

4 address=81.187.164.216 gw-state=recursive forwarding-nexthop=81.187.84.221
scope=10 check-gateway=none

5 address=81.187.244.77 gw-state=recursive forwarding-nexthop=81.187.84.222
scope=10 check-gateway=none

So even though I am doing a gateway check on the two gateways the actual nexthop seems to be disregrding it! Do you think this is a bug because I know you can use multiple gateways in other scenarios!

Thanks
Jamie
http://www.fusionmanageit.co.uk

rgodoy · Mon Sep 27, 2010 3:52 pm

Hi all,

I have been trying to get this working for about a week now! Basically my setup is very similar to what you have all achieved, except I want my default route to have more than one gateway in. When the route has one gateway in its fine and the next hop correctly detects if the link is down. If I then add a second gateway the default route it no longer detects if the gateways are, see below;
add check-gateway=ping comment="" disabled=no distance=1 dst-address=\
1.1.1.1/32 gateway=81.187.244.77,81.187.164.216 scope=30 target-scope=10

4 address=81.187.164.216 gw-state=recursive forwarding-nexthop=81.187.84.221
scope=10 check-gateway=none

5 address=81.187.244.77 gw-state=recursive forwarding-nexthop=81.187.84.222
scope=10 check-gateway=none

So even though I am doing a gateway check on the two gateways the actual nexthop seems to be disregrding it! Do you think this is a bug because I know you can use multiple gateways in other scenarios!

Thanks
Jamie
http://www.fusionmanageit.co.uk

Hi Jamie. I'm sorry I don't have an answer for your question. I just want to ask you how do you configure network settings in your workstations in order to work.

For anybody who wants to comment about this, below is my Win workstations netconfig example:
static config:
IP: 192.168.223.20
Mask: 255.255.255.0
gateway: 192.168.223.1 (Mikrotik LAN interface)
DNS svr: 192.168.223.1 (Mikrotik LAN interface)

I don't know what else to do in order to make it work. When I disable one uplink, the another works fine, but only inside the router. The workstation stops working and never do it again (even if I enable the uplink) until I reboot it.

Chupaka · Mon Sep 27, 2010 7:23 pm

sorry for long delay %)

using multiple gateways is ECMP. do you want to use ECMP or PCC?

I've added my skype id to my signature for faster conversation...

kazanova · Mon Sep 27, 2010 8:33 pm

've added my skype id to my signature for faster conversation..

that so nice for you because sure it helpfully to accept as talk to you but i think some people will forget to give karma

jamiewatson69 · Mon Sep 27, 2010 9:46 pm

rgodoy have you setup NAT correctly in the first place?

rgodoy · Mon Sep 27, 2010 10:02 pm

rgodoy have you setup NAT correctly in the first place?

I just copied all my settings above. Do you see something wrong?

jamiewatson69 · Mon Sep 27, 2010 11:25 pm

I would prefer to use ECMP, my ISP does the download load balancing and presents it to each of the lines on a routed back! Therefore each of the DSL modems have an external IP and a IP address on the routed block. The MT has an IP on the routed block so providing I could use ECMP gateway checking on the external interfaces of the DSL modem all would be fine! Only problem is when you put more than one recursively routable IP address in the gateway check stops working!

The only other way I (well thanks to infidel for his input) can think of doing it is to have 7 routes;
route#1 (1-2-3), route#2 (1-2), route#3 (1-3), route#4 (2-3), route#5 (1), route#6 (2), route#7 (3)
Route #1 will have distance 1
Routes #2,3,4 will have distance 2
Routes #5,6,7 will have distance 3

I could then use netwatch to check the external ppp interfaces of the ADSL modems and a script to disable / enable the relevant routes when the relevant netwatch hosts come up and down!!

Unless anyone else has any other ideas?

myso · Thu Nov 25, 2010 3:58 pm

Hi,

I'm trying to get a failover solution for my scenario: RB433AH having these interfaces:
- WAN (primary internet),
- PPPoE (backup ADSL connection) and of course
- LAN interface.

I don't need any load balancing.

The basic setup from mikrotik wiki works fine, but I don't understand what are the 10.x.x.x IP addresses in the Multiple host checking setup. May I ask you for a little help here?

Thanks in advance...

Michael

Chupaka · Thu Nov 25, 2010 6:03 pm

Multiple host checking setup

maybe, provide some links?..

myso · Thu Nov 25, 2010 7:06 pm

sorry I thought it was you who wrote the article: http://wiki.mikrotik.com/wiki/Advanced_ ... _Scripting

Chupaka · Fri Nov 26, 2010 12:09 am

oh, you're about that...

10.x.x.x are some fake addresses, they are used only for recursive routes.

a) for any packet from user to Internet, you first set gateway=10.x.x.x

b) then route to that 10.x.x.x address is recursively resolved via one of hosts you are checking by ping

c) after that, route to the host you are checking is resolved via your real gateway

those 10.x.x.x addresses should NOT exist anywhere - just in routing table

myso · Fri Nov 26, 2010 10:10 am

Thanks for the explanation, now I seem to get it

Unfortunately, non of my default routes gets active, I don't know why. See the dump:

/ip route print

Flags: X - disabled, A - active, D - dynamic, 
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
0>  S  0.0.0.0/0                          10.1.1.1           1       
1>  S  0.0.0.0/0                          10.2.2.2           1       
2>  S  0.0.0.0/0                          10.2.2.2           2       
3>  S  0.0.0.0/0                          10.1.1.1           2  
4>A S  8.8.4.4/32                         10.18.33.1         1       
5>  SB 8.8.4.4/32                                            20      
6>A S  8.8.8.8/32                         192.168.222.1      1       
7>  SB 8.8.8.8/32                                            20      
8>A S  10.1.1.1/32                        208.67.222.222     1       
9>  S  10.1.1.1/32                        8.8.8.8            1       
10>A S  10.2.2.2/32                        208.67.220.220     1       
11>  S  10.2.2.2/32                        8.8.4.4            1       
12>ADC  10.18.33.0/24      10.18.33.85     SkyNET             0       
13>ADC  10.18.85.0/24      10.18.85.1      LAN                0       
14>ADC  192.168.222.0/24   192.168.222.194 CDMA               0       
15>A S  208.67.220.220/32                  10.18.33.1         1       
16>  SB 208.67.220.220/32                                     20      
17>A S  208.67.222.222/32                  192.168.222.1      1       
18>  SB 208.67.222.222/32                                     20

I'm testing against openDNS and GoogleDNS servers...

Chupaka · Fri Nov 26, 2010 5:51 pm

use 'print detail' - your output doesn't show scopes and routing marks

myso · Mon Nov 29, 2010 8:28 am

I'm sorry, here's the detailed output:

Flags: X - disabled, A - active, D - dynamic, 
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
0>  S  dst-address=0.0.0.0/0 gateway=10.1.1.1 
        gateway-status=10.1.1.1 recursive via 192.168.222.1 CDMA 
        check-gateway=ping distance=1 scope=30 target-scope=10 

1>  S  dst-address=0.0.0.0/0 gateway=10.2.2.2 
        gateway-status=10.2.2.2 recursive via 10.18.33.1 SkyNET 
        check-gateway=ping distance=1 scope=30 target-scope=10 

2>  S  dst-address=0.0.0.0/0 gateway=10.2.2.2 
        gateway-status=10.2.2.2 recursive via 10.18.33.1 SkyNET 
        check-gateway=ping distance=2 scope=30 target-scope=10 

3>  S  dst-address=0.0.0.0/0 gateway=10.1.1.1 
        gateway-status=10.1.1.1 recursive via 192.168.222.1 CDMA 
        check-gateway=ping distance=2 scope=30 target-scope=10 

4>A S  dst-address=8.8.4.4/32 gateway=10.18.33.1 
        gateway-status=10.18.33.1 reachable SkyNET distance=1 scope=10 
        target-scope=10 

5>  SB dst-address=8.8.4.4/32 type=blackhole distance=20 

6>A S  dst-address=8.8.8.8/32 gateway=192.168.222.1 
        gateway-status=192.168.222.1 reachable CDMA distance=1 scope=10 
        target-scope=10 

7>  SB dst-address=8.8.8.8/32 type=blackhole distance=20 

8>A S  dst-address=10.1.1.1/32 gateway=208.67.222.222 
        gateway-status=208.67.222.222 recursive via 192.168.222.1 CDMA 
        check-gateway=ping distance=1 scope=10 target-scope=10 

9>  S  dst-address=10.1.1.1/32 gateway=8.8.8.8 
        gateway-status=8.8.8.8 recursive via 192.168.222.1 CDMA 
        check-gateway=ping distance=1 scope=10 target-scope=10 

10>A S  dst-address=10.2.2.2/32 gateway=208.67.220.220 
        gateway-status=208.67.220.220 recursive via 10.18.33.1 SkyNET 
        check-gateway=ping distance=1 scope=10 target-scope=10 

11>  S  dst-address=10.2.2.2/32 gateway=8.8.4.4 
        gateway-status=8.8.4.4 recursive via 10.18.33.1 SkyNET 
        check-gateway=ping distance=1 scope=10 target-scope=10 

12>ADC  dst-address=10.18.33.0/24 pref-src=10.18.33.85 gateway=SkyNET 
        gateway-status=SkyNET reachable distance=0 scope=10 

13>ADC  dst-address=10.18.85.0/24 pref-src=10.18.85.1 gateway=LAN 
        gateway-status=LAN reachable distance=0 scope=10 

14>ADC  dst-address=192.168.222.0/24 pref-src=192.168.222.194 gateway=CDMA 
        gateway-status=CDMA reachable distance=0 scope=10 

15>A S  dst-address=208.67.220.220/32 gateway=10.18.33.1 
        gateway-status=10.18.33.1 reachable SkyNET distance=1 scope=10 
        target-scope=10 

16>  SB dst-address=208.67.220.220/32 type=blackhole distance=20 

17>A S  dst-address=208.67.222.222/32 gateway=192.168.222.1 
        gateway-status=192.168.222.1 reachable CDMA distance=1 scope=10 
        target-scope=10 

18>  SB dst-address=208.67.222.222/32 type=blackhole distance=20

Chupaka · Mon Nov 29, 2010 5:38 pm

/ip route nexthop print

p.s. where are routing marks for your default gateways?..

myso · Tue Nov 30, 2010 9:30 am

/ip route print detail (with routing marks)

Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
 0   S  dst-address=0.0.0.0/0 gateway=10.1.1.1
        gateway-status=10.1.1.1 recursive via 192.168.222.1 CDMA
        check-gateway=ping distance=1 scope=30 target-scope=10
        routing-mark=ISP1

 1   S  dst-address=0.0.0.0/0 gateway=10.2.2.2
        gateway-status=10.2.2.2 recursive via 10.18.33.1 SkyNET
        check-gateway=ping distance=2 scope=30 target-scope=10
        routing-mark=ISP1

 2   S  dst-address=0.0.0.0/0 gateway=10.2.2.2
        gateway-status=10.2.2.2 recursive via 10.18.33.1 SkyNET
        check-gateway=ping distance=1 scope=30 target-scope=10
        routing-mark=ISP2

 3   S  dst-address=0.0.0.0/0 gateway=10.1.1.1
        gateway-status=10.1.1.1 recursive via 192.168.222.1 CDMA
        check-gateway=ping distance=2 scope=30 target-scope=10
        routing-mark=ISP2

 4 A S  dst-address=8.8.4.4/32 gateway=10.18.33.1
        gateway-status=10.18.33.1 reachable SkyNET distance=1 scope=10
        target-scope=10

 5   SB dst-address=8.8.4.4/32 type=blackhole distance=20

 6 A S  dst-address=8.8.8.8/32 gateway=192.168.222.1
        gateway-status=192.168.222.1 reachable CDMA distance=1 scope=10
        target-scope=10

 7   SB dst-address=8.8.8.8/32 type=blackhole distance=20

 8 A S  dst-address=10.1.1.1/32 gateway=208.67.222.222
        gateway-status=208.67.222.222 recursive via 192.168.222.1 CDMA
        check-gateway=ping distance=1 scope=10 target-scope=10

 9   S  dst-address=10.1.1.1/32 gateway=8.8.8.8
        gateway-status=8.8.8.8 recursive via 192.168.222.1 CDMA
        check-gateway=ping distance=1 scope=10 target-scope=10

10 A S  dst-address=10.2.2.2/32 gateway=208.67.220.220
        gateway-status=208.67.220.220 recursive via 10.18.33.1 SkyNET
        check-gateway=ping distance=1 scope=10 target-scope=10

11   S  dst-address=10.2.2.2/32 gateway=8.8.4.4
        gateway-status=8.8.4.4 recursive via 10.18.33.1 SkyNET
        check-gateway=ping distance=1 scope=10 target-scope=10

12 ADC  dst-address=10.18.33.0/24 pref-src=10.18.33.85 gateway=SkyNET
        gateway-status=SkyNET reachable distance=0 scope=10

13 ADC  dst-address=10.18.85.0/24 pref-src=10.18.85.1 gateway=LAN
        gateway-status=LAN reachable distance=0 scope=10

14 ADC  dst-address=192.168.222.0/24 pref-src=192.168.222.194 gateway=CDMA
        gateway-status=CDMA reachable distance=0 scope=10

15 A S  dst-address=208.67.220.220/32 gateway=10.18.33.1
        gateway-status=10.18.33.1 reachable SkyNET distance=1 scope=10
        target-scope=10

16   SB dst-address=208.67.220.220/32 type=blackhole distance=20

17 A S  dst-address=208.67.222.222/32 gateway=192.168.222.1
        gateway-status=192.168.222.1 reachable CDMA distance=1 scope=10
        target-scope=10

18   SB dst-address=208.67.222.222/32 type=blackhole distance=20

/ip route nexthop print

0 address=8.8.4.4 gw-state=recursive forwarding-nexthop=10.18.33.1 scope=10 check-gateway=icmp gw-check-ok=yes

 1 address=8.8.8.8 gw-state=recursive forwarding-nexthop=192.168.222.1 scope=10 check-gateway=icmp gw-check-ok=yes

 2 address=10.1.1.1 gw-state=recursive forwarding-nexthop=192.168.222.1 scope=10 check-gateway=icmp gw-check-ok=no

 3 address=10.2.2.2 gw-state=recursive forwarding-nexthop=10.18.33.1 scope=10 check-gateway=icmp gw-check-ok=no

 4 address=10.18.33.1 gw-state=reachable scope=10 check-gateway=none

 5 address=192.168.222.1 gw-state=reachable scope=10 check-gateway=none

 6 address=208.67.220.220 gw-state=recursive forwarding-nexthop=10.18.33.1 scope=10 check-gateway=icmp gw-check-ok=yes

 7 address=208.67.222.222 gw-state=recursive forwarding-nexthop=192.168.222.1 scope=10 check-gateway=icmp gw-check-ok=yes

A noob question: Are the routing marks needed even in a setup without loadbalancing? is there anything else needed to be setup together with the routing marks in default routes?

Chupaka · Tue Nov 30, 2010 3:52 pm

arrrrgh, I see... sorry - I had no place to test this kind of setup =)

you should not use "check-gateway=ping" for 10.x.x.x gateways - they even don't exist...
here's the changes: http://wiki.mikrotik.com/index.php?titl ... ldid=18512

as far as I can see, no more changes is required

myso · Tue Nov 30, 2010 5:53 pm

Well, thanks very much for the corrections, it works now. Perhaps you should add (just for some routing beginners like me) that you need to add something like this to have it work (with the Routing marks):

/ip firewall mangle
add action=mark-routing chain=prerouting src-address=192.168.33.0/24 new-routing-mark=ISP1

Thanks again

Michael

Chupaka · Tue Nov 30, 2010 11:06 pm

Well, thanks very much for the corrections, it works now.

thank you for the testing =)

Perhaps you should add (just for some routing beginners like me) that you need to add something like this to have it work (with the Routing marks):
Code: Select all
/ip firewall mangle
add action=mark-routing chain=prerouting src-address=192.168.33.0/24 new-routing-mark=ISP1

the article is about failover, not balancing or something, so

Let's suppose <...> we have some policy routing rules, so all outgoing traffic is marked with ISP1 (which goes to GW1) and ISP2 (which goes to GW2) marks

myso · Wed Dec 01, 2010 12:45 pm

OK OK

my last question? is this setup possible to use without the ISP routing marks? i don't want to blanace the traffic load - I'd just like to have a primary GW and a backup GW and use this advanced routing for failover (with double check against 4 high availability servers).

Chupaka · Wed Dec 01, 2010 6:40 pm

actually, you need to check 2 servers via 1st gateway. if first gateway is down, there's no sense to check whether gw2 is working =)

yep, just remove routing mark ISP1 from routes and remove routes with ISP2 mark

pszemaz · Thu Jan 26, 2012 11:01 pm

Hi all!
First of all, I know this topic is old, but it is the right topic for me.
I "fight" on my MKT with "Advanced Routing Failover without Scripting"
http://wiki.mikrotik.com/wiki/Advanced_ ... _Scripting

I've got 2 WAN connections, and 2 LAN (LAN2 I do not use, so lets say there is only LAN1).

If I do not use /ip route (s) from that wiki art, and use mangle as I paste later everything works fine.
All trafic from WAN1 goes out from WAN1, (the same for WAN2).
I although do default routes without marks for outgoing traffic from MKT itself.
That all works.

Now below I'll copy/paste my settings (ip, mangle, routes) whitch does not work.
I think the problem is in mangle, because I tried few arts about failover and

In Chupaka Wiki there are no routes without marks. If I don't use routs without marks I have no internet connection..
Chupaka wrote:

so all outgoing traffic is marked with ISP1 (which goes to GW1) and ISP2 (which goes to GW2) marks

I don't know how mark ALL OUTGOING traffic. As I wrote above, I use some default routes without marks to have internet connection.

HERE IP ROUTES that works for me, but no failover here (and I want to have it):

 0 A S  dst-address=0.0.0.0/0 gateway=94.87.83.254 
        gateway-status=94.87.83.254 reachable via  WAN1 
        distance=1 scope=30 target-scope=10 routing-mark=to_WAN1 

 3   S  dst-address=0.0.0.0/0 gateway=192.168.0.0 
        gateway-status=192.168.0.0 unreachable distance=2
        target-scope=10 routing-mark=to_WAN2 

 6 A S  dst-address=0.0.0.0/0 gateway=94.87.83.254 
        gateway-status=94.87.83.254 reachable scope=30 target-scope=10 

 7   S  dst-address=0.0.0.0/0 gateway=192.168.0.0 
        gateway-status=192.168.0.0 unreachable distance=2 target-scope=10 

16 ADC  dst-address=192.168.0.0/24 pref-src=192.168.0.59 gateway=WAN2 
        gateway-status=WAN2 reachable distance=0 scope=10 

17 ADC  dst-address=192.168.33.0/24 pref-src=192.168.33.1 gateway=LAN2 
        gateway-status=LAN2 reachable distance=0 scope=10 

18 ADC  dst-address=192.168.168.0/24 pref-src=192.168.168.1 gateway=LAN1 
        gateway-status=LAN1 reachable distance=0 scope=10 

19 ADC  dst-address=94.87.83.224/27 pref-src=94.87.83.242 gateway=WAN1 
        gateway-status=WAN1 reachable distance=0 scope=10

So here are my basic settings (I made to have failover withous script, but it does not work):

HOST1A - 8.8.8.8
HOST1B - 8.8.4.4
HOST2A - 208.67.220.220
HOST2B - 208.67.222.222

Fake GW1 - 172.16.1.1
Fake GW2 - 172.16.2.2

GW1: 94.87.83.254
GW2: 192.168.0.1

ip address print detail 

 0   address=192.168.168.1/24 network=192.168.168.0 interface=LAN1 actual-interface=LAN1 
 1   address=192.168.0.59/24 network=192.168.0.0 interface=WAN2 actual-interface=WAN2 
 2   address=192.168.33.1/24 network=192.168.33.0 interface=LAN2 actual-interface=LAN2 
 3 D address=94.87.83.242/27 network=94.87.83.224 interface=WAN1 actual-interface=WAN1

/ip firewall mangle print detail

 0   ;;; DEFAULT ROUTING table for traffic from LAN to connected (WAN) networks
     chain=prerouting action=accept dst-address=94.87.83.0/24
     in-interface=LAN1 

 1   chain=prerouting action=accept dst-address=192.168.0.0/24 
     in-interface=LAN1 

 2   ;;; INPUT in WAN1, out WAN1
     chain=input action=mark-connection new-connection-mark=WAN1_conn 
     passthrough=yes in-interface=WAN1 

 3   chain=output action=mark-routing new-routing-mark=to_WAN1 
	 passthrough=no connection-mark=WAN1_conn 

 4   ;;; INPUT in WAN2, out WAN2
     chain=input action=mark-connection new-connection-mark=WAN2_conn 
     passthrough=yes in-interface=WAN2 

 5   chain=output action=mark-routing new-routing-mark=to_WAN2 
	 passthrough=no connection-mark=wan2_conn 

 6   ;;; Forward in WAN1, out WAN1
     chain=forward action=mark-connection new-connection-mark=WAN1_forward 
     passthrough=yes connection-state=new in-interface=WAN1 

 7   chain=prerouting action=mark-routing new-routing-mark=to_WAN1 
     passthrough=no in-interface=LAN1 connection-mark=WAN1_forward 

 8   ;;; Forward in WAN2, out WAN2
     chain=forward action=mark-connection new-connection-mark=WAN2_forward 
     passthrough=yes connection-state=new in-interface=WAN2 

 9   chain=prerouting action=mark-routing new-routing-mark=to_WAN2 
     passthrough=no in-interface=LAN1 connection-mark=WAN2_forward

/ip route print detail

 0 A S  dst-address=0.0.0.0/0 gateway=172.16.1.1 
		gateway-status=172.16.1.1 recursive via 94.87.83.254 WAN1 
        distance=1 scope=30 target-scope=10 routing-mark=to_WAN1 

 1   S  dst-address=0.0.0.0/0 gateway=172.16.2.2 
		gateway-status=172.16.2.2 recursive via 192.168.0.1 WAN2 
        distance=2 scope=30 target-scope=10 routing-mark=to_WAN1 

 2 A S  dst-address=0.0.0.0/0 gateway=172.16.2.2 
		gateway-status=172.16.2.2 recursive via 192.168.0.1 WAN2 
        distance=1 scope=30 target-scope=10 routing-mark=to_WAN2 

 3   S  dst-address=0.0.0.0/0 gateway=172.16.1.1 
		gateway-status=172.16.1.1 recursive via 94.87.83.254 WAN1 
        distance=2 scope=30 target-scope=10 routing-mark=to_WAN2 

 4 A S  dst-address=8.8.4.4/32 gateway=192.168.0.1 
		gateway-status=192.168.0.1 reachable via  WAN2 distance=1 
        scope=10 target-scope=10 

 5   SB dst-address=8.8.4.4/32 type=blackhole distance=20 

 6 A S  dst-address=8.8.8.8/32 gateway=94.87.83.254 
		gateway-status=94.87.83.254 reachable via  WAN1 
        distance=1 scope=10 target-scope=10 

 7   SB dst-address=8.8.8.8/32 type=blackhole distance=20 

 8 A S  dst-address=172.16.1.1/32 gateway=208.67.222.222 
        gateway-status=208.67.222.222 recursive via 94.87.83.254 WAN1 
		check-gateway=ping distance=1 scope=10 target-scope=10 

 9   S  dst-address=172.16.1.1/32 gateway=8.8.8.8 
		gateway-status=8.8.8.8 recursive via 94.87.83.254 WAN1 
        check-gateway=ping distance=1 scope=10 target-scope=10 

10 A S  dst-address=172.16.2.2/32 gateway=208.67.220.220 
        gateway-status=208.67.220.220 recursive via 192.168.0.1 WAN2 
		check-gateway=ping distance=1 scope=10 target-scope=10 

11   S  dst-address=172.16.2.2/32 gateway=8.8.4.4 
		gateway-status=8.8.4.4 recursive via 192.168.0.1 WAN2 
        check-gateway=ping distance=1 scope=10 target-scope=10 

12 ADC  dst-address=192.168.0.0/24 pref-src=192.168.0.59 
		gateway=WAN2 gateway-status=WAN2 reachable distance=0 scope=10 


13 ADC  dst-address=192.168.33.0/24 pref-src=192.168.33.1 
		gateway=LAN2 gateway-status=LAN2 reachable distance=0 scope=10 

14 ADC  dst-address=192.168.168.0/24 pref-src=192.168.168.1 
		gateway=LAN1 gateway-status=LAN1 reachable distance=0 scope=10 

15 ADC  dst-address=94.87.83.224/27 pref-src=94.87.83.242 
		gateway=WAN1 gateway-status=WAN1 reachable distance=0 scope=10 

16 A S  dst-address=208.67.220.220/32 gateway=192.168.0.1 
		gateway-status=192.168.0.1 reachable via  WAN2 
        distance=1 scope=10 target-scope=10 

17   SB dst-address=208.67.220.220/32 type=blackhole distance=20 

18 A S  dst-address=208.67.222.222/32 gateway=94.87.83.254 
		gateway-status=94.87.83.254 reachable via  WAN1 
        distance=1 scope=10 target-scope=10 

19   SB dst-address=208.67.222.222/32 type=blackhole distance=20

Please check my mangle rules. Thank you.

pszemaz

newranman · Sat Oct 13, 2012 8:43 am

Here is post of mine with a working config

http://forum.mikrotik.com/viewtopic.php?f=2&t=66294

Randy Newman

Who is online