Page 1 of 1
Duel Firewall rule or HA failover
Posted: Sun Apr 15, 2018 1:22 pm
by sheldonlendrum
Hi all,
We use the MT as our firewall, and a nat rule that sends all 80/443 traffic on an external IP to a NGINX load balancer on our internal network.
This works well.
BUT - what I want to look at is adding a failover rule, maybe with a script?, If the internal Load Balancer, lets say x.x.1.2 goes down, then the firewall rule will automatically reroute traffic to x.x.1.3.
I could set up a monitor machine that pings the LB updates the rule on the MT, or the MT just always LB's that traffic to both LB's?
How would you do this?
Re: Duel Firewall rule or HA failover
Posted: Mon Apr 16, 2018 5:19 pm
by StubArea51
There is a project on Github that worked on this concept (link below) and there are a number of examples of config synch scripts out there.
https://github.com/svlsResearch/ha-mikrotik
Re: Duel Firewall rule or HA failover
Posted: Mon Apr 16, 2018 6:29 pm
by 2frogs
Netwatch to enable/disable nat rules
Re: Duel Firewall rule or HA failover
Posted: Mon Apr 16, 2018 6:54 pm
by juliokato
Netwatch to enable/disable nat rules
Netwatch only monitoring icmp.
Not monitoring TCP ports 80 or 443 either services http or https. (like F5 or A10 balancers)
Re: Duel Firewall rule or HA failover
Posted: Tue Apr 17, 2018 7:51 am
by sheldonlendrum
Thanks guys, I'll look at the gibhub project, and am looking at the API and putting a service in the middle that monitors bot hand alters the rules accordingly.
Re: Duel Firewall rule or HA failover
Posted: Fri Apr 20, 2018 5:17 pm
by juliokato
Maybe using /tool fetch script be able to perform application monitoring http / https.
I never did, it's something to develop.
Re: Duel Firewall rule or HA failover
Posted: Fri Jun 01, 2018 10:31 am
by pe1chl
Yes you can do a scheduled script (regularly started or started at boot and then using a loop) to do much better
monitoring than netwatch can do. Not only can you use /tool fetch (use the on-error construct) but also you
could do ping and set some threshold, which netwatch cannot do!
(when using netwatch, every missed ping is considered a failure so when you have a small packet loss there will
be a lot of unnecessary alerting and switching to failover)
Re: Duel Firewall rule or HA failover
Posted: Sat Jun 02, 2018 1:50 am
by alasmar4924
hi I need help how I can use firewall on mikrotik to block an application named (netshare). I use hotspot so people use this app to share free internet to others. you can find it on google play and how it work. I see that this app use port 8282 and it give the client a diffrent ip which is 192.168.49.1/24
and I find in netshare setting the proxy port is
1024-65563
so, please help me to block it. I used a diffrent ways but I coud not stop this application
Re: Duel Firewall rule or HA failover
Posted: Sat Jun 02, 2018 3:34 am
by Samot
hi I need help how I can use firewall on mikrotik to block an application named (netshare). I use hotspot so people use this app to share free internet to others. you can find it on google play and how it work. I see that this app use port 8282 and it give the client a diffrent ip which is 192.168.49.1/24
and I find in netshare setting the proxy port is
1024-65563
so, please help me to block it. I used a diffrent ways but I coud not stop this application
Please do not hijack a post about a completely different issue with your issue that is not related. Open a new forum post for your issue so it can be handled properly, otherwise you will have people trying to solve two different issues in the same thread and it will cause confusion.