Hello everyone, first of all thank you for taking the time to review my config, I really appreciate it!
When you ping a public IP address it will be routed if you have set up failover... that is the aim of failover!
I thought that this route would restrict the 8.8.8.8 IP:
add distance=1 dst-address=8.8.8.8/32 gateway=10.0.2.1
Question: Why would you need the netwatch script? It seems doing unnecessary things in my opinion which can be done directly with routing table...
I decided to use a netwatch script because if the 10.0.2.1 router loses its Internet connection the route is still considered valid; with netwatch I could ping an Internet address and make sure that the 10.0.2.1 router still has Internet access. I tried recursive routing failover but when I tested it I had some problems with it (sometimes it would not use the primary route even if that route was up).
I plan to try the following solution, based on this:
viewtopic.php?f=2&t=174230&p=854924&hil ... ay#p854924
Thank you rextended, you even took the time to write me a script, you are great! I will post the results as soon as I can test this in a lab.
Hi anav, thank you for taking the time to review my whole config.
(1) The first thing to point out is that your bridge setup is erroneous.
a. the vlans interface should be the BRIDGE not ether2
b. you define six vlans and then provide only 4 pools, 4 server networks, and 3 DHCP servers etc. AKA --> your vlan setups are incomplete!!
c. I see only four addresses for six vlans, and only one WAN address and was expecting a second backup WAN address?
d. I see two admin networks, do you really need two, and a third one, .102, which is not defined anywhere??? (OKAY I see it's for vpn access??)
1a) I don't think I need a bridge, WAN (10.0.2.1) is connected to ether1 (access port) and everything else is connected to ether2 (hybrid port)
1b) true, but some of the vlans use only static addresses
1c) some of the vlans were moved to the other router 192.168.10.1, that router serves as backup
1d) I only really need two, but it made my life easier to include another one while I was building the network, 192.168.102.0 is the VPN network.
(2) Keep the mac Winbox-mac server for winbox access but
this one should be set to none as its a security risk.
/tool mac-server
set allowed-interface-list=MANAGEMENT
You are right, I misunderstood this setting, thus allowing telnet access. I was able to remedy that with the firewall but now I understand this better.
(3) What is the purpose of having this enabled.. WHY??
/ip upnp interfaces
add interface=lte3 type=external
add interface=ether2 type=internal
True, I don't need UPnP.
(4) I don't understand your failover routing at all??
Can you explain the purpose of each line, so I can understand why you added them as such??
/ip route
add distance=1 gateway=10.0.2.1
add distance=2 gateway=192.168.10.1
add two routes to the Internet with different distances
add distance=1 dst-address=8.8.4.4/32 gateway=192.168.10.1
add distance=1 dst-address=8.8.8.8/32 gateway=10.0.2.1
route 8.8.4.4 through the secondary gateway and 8.8.8.8 through the primary (I thought this would be restrictive and 8.8.8.8 would only ever be routed to 10.0.2.1)
/tool netwatch
add down-script="ip route disable [find dst-address=0.0.0.0/0 gateway=10.0.2.1\
]\
\n\r\
\n/ip firewall connection remove [find]\r\
\n/ip firewall mangle { disable [/ip firewall mangle find new-packet-mark~\
\"lte3_client\"] }\r\
\nlog error \"ISP_lte3 is down!\"\
\n" host=8.8.8.8 interval=10s
if 8.8.8.8 goes down, disable the 10.0.2.1 route and clear all connections
up-script="ip route enable [find dst-address\
=0.0.0.0/0 gateway=10.0.2.1]\
\n\r\
\n/ip firewall mangle { enable [/ip firewall mangle find new-packet-mark~\
\"lte3_client\"] }\r\
\nlog error \"ISP_lte3 is up!\"\r\
\n\
\n"
if 8.8.8.8 comes back up, enable the 10.0.2.1 route
the rest has to do with queues and is irrelevant
(5) If this is the sum total of your firewall rules and this device is directly connected to the internet you should be fired LOL. In other words you should disconnect immediately and at least install the basic defaults.
/ip firewall filter
add action=drop chain=output dst-address=8.8.8.8 out-interface=ether2
No, I posted this before completing the setup, I didn't need it for the purposes of this post, but I'm sure you will find a more valid reason for me to get fired :)
(6) Where is your SOURCE NAT RULE??????
I don't need one, the next router does NAT.
(7) There are no bridge vlan settings?????
I don't need them; there's only one hybrid port. Bridge VLAN settings would make more sense if I used the router as a switch, but I use a layer 2 switch for that.
(8) With respect to (7), which ports are trunk ports and which ports are access ports on your router???
eth1 is the WAN access port and eth2 is hybrid.
In summary much confusion is also caused by seemingly having ether2 be many things, aka bridge port but secondary wan port etc...
A network diagram well labelled will clear much up!!
This is actually the case, I only use ether2.
here is a config attempt (and where missing pieces are identified) assuming ether2 is simply another port to be used and not a wan port.
ether2 is also a WAN port, albeit a secondary one, and I don't need to clearly define it because I didn't use the default firewall configuration (in the final setup).
a. who has access to the router itself to config the router
b. who needs access to the internet
c. who needs access to shared devices, perhaps a printer for example.
I believe I covered this when I finished the configuration and I don't feel that I need help with that.
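To make the routing questions in (4) concrete (whether the 8.8.8.8/32 route "restricts" anything, and what the netwatch down/up scripts actually change), here is a small model of route selection over the four routes posted above. This is an added illustration written for this reply, not the poster's config and not a RouterOS API: it implements longest-prefix match with distance as the tie-break, and the route entries, the `pin_probe` switch and the sample destinations (1.1.1.1 as "any other host") are constructed for the example.

```python
"""Toy model of RouterOS-style route selection for the failover table in
this thread (added example, not RouterOS code). Longest prefix wins, then
the lowest distance; disabled routes are ignored."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Route:
    dst: ipaddress.IPv4Network
    gateway: str
    distance: int = 1
    disabled: bool = False


def lookup(table, ip):
    """Gateway used for ip: longest prefix first, then lowest distance.
    Returns None when no enabled route matches (the packet would be dropped)."""
    addr = ipaddress.ip_address(ip)
    candidates = [r for r in table if not r.disabled and addr in r.dst]
    if not candidates:
        return None
    best = max(candidates, key=lambda r: (r.dst.prefixlen, -r.distance))
    return best.gateway


def build_table(pin_probe=True):
    """The four routes from the posted /ip route section, reconstructed here.
    pin_probe=False leaves out the 8.8.8.8/32 route to show what it is for."""
    table = [
        Route(ipaddress.ip_network("0.0.0.0/0"), "10.0.2.1", distance=1),
        Route(ipaddress.ip_network("0.0.0.0/0"), "192.168.10.1", distance=2),
        Route(ipaddress.ip_network("8.8.4.4/32"), "192.168.10.1", distance=1),
    ]
    if pin_probe:
        table.append(Route(ipaddress.ip_network("8.8.8.8/32"), "10.0.2.1", distance=1))
    return table


def set_primary_default(table, enabled):
    """Mirrors `/ip route disable|enable [find dst-address=0.0.0.0/0 gateway=10.0.2.1]`
    from the netwatch down-script / up-script: only the primary default route is touched."""
    for r in table:
        if r.dst.prefixlen == 0 and r.gateway == "10.0.2.1":
            r.disabled = not enabled


# constructed sample destinations: an arbitrary host, the netwatch probe, the backup-side probe
DESTS = ("1.1.1.1", "8.8.8.8", "8.8.4.4")


def snapshot(table):
    return {ip: lookup(table, ip) for ip in DESTS}


def scenario(pin_probe=True):
    """Returns (normal, after down-script, after up-script) gateway maps."""
    table = build_table(pin_probe)
    normal = snapshot(table)
    set_primary_default(table, enabled=False)   # netwatch down-script fired
    failed_over = snapshot(table)
    set_primary_default(table, enabled=True)    # netwatch up-script fired
    restored = snapshot(table)
    return normal, failed_over, restored


if __name__ == "__main__":
    for pin in (True, False):
        print(f"with 8.8.8.8/32 route: {pin}")
        for label, state in zip(("normal", "failed over", "restored"), scenario(pin)):
            print(f"  {label:12s} {state}")
```

Two things the output shows: the 8.8.8.8/32 route does not restrict anything, it only decides which gateway 8.8.8.8 itself uses (1.1.1.1 still goes via 10.0.2.1 in the normal state); and while the down-script has the primary default route disabled, 8.8.8.8 keeps going to 10.0.2.1 because the /32 route is never disabled, which is what lets netwatch notice the primary coming back. Without that /32 route the probe would follow the backup default route during failover, so netwatch would see 8.8.8.8 "up" again and re-enable the primary while it is still broken. The model assumes both gateways stay reachable; in RouterOS a route whose gateway becomes unreachable (ether1 physically down) goes inactive on its own, which is a different case from the one the netwatch script targets, the upstream router losing Internet while the link stays up.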