
problems with a failover gateway configuration

Posted: Tue May 19, 2009 2:50 pm
by fatima
Hello

I'm having problems with a failover gateway configuration.

I'll describe my topology. We have two sites, each with its own router; these are like
two black boxes for me. They are from the internet provider, who configured a VPN between
the sites (I can't touch these routers).
We have installed an RF link at each site, using RouterOS, that works
correctly at a speed of 90 Mbps.

Our client would like to make a failover link using the VPN of the provider and the RF link.
We have correctly applied the commands that appear in the guide

http://wiki.mikrotik.com/wiki/Two_gateways_failover that says:

/ip route add gateway=192.168.1.1 check-gateway=ping
/ip route add gateway=192.168.2.1 distance=2


The main route is the RF link, and the secondary is the VPN of the provider.

That works, and when the link fails (temporarily disabling the WLAN) the traffic is sent to the
secondary path immediately, and when we enable the WLAN interface the recovery is fast too.

The problem is in the recovery from a failure: the active connections from hosts, servers, ...,
continue using the secondary path and don't refresh to the new current route (the main one). The new connections use the main path, but the connections established when the link was down don't take the right path.


Best regards

Fátima

Re: problems with a failover gateway configuration

Posted: Tue May 19, 2009 3:18 pm
by sergejs
Yes, established connections will use the secondary gateway. You may flush established connections from /ip firewall connection; however, clients' active connections will be broken (for example downloads, Internet pages, etc.).

Re: problems with a failover gateway configuration

Posted: Tue May 19, 2009 4:23 pm
by fatima
Is there any way to close the active connections without staying in front of the MikroTik?

Re: problems with a failover gateway configuration

Posted: Fri Jun 12, 2009 7:45 pm
by txema
Hi Serge,

I actually have a similar problem to Fatima. Very similar setup, and "active" connections don't go back through the (higher bandwidth) wireless link when wireless connectivity is restored.

Funny thing is that that keeps happening in a variety of situations when going through all the cycle (wireless link up, wireless link down / rerouting through ADSL-VPN backup, wireless link up again):
- ping (ICMP packet): when pinging non-stop while going through this cycle, no pings get lost, but once it gets routed through the backup (VPN) link, it never gets back through the wireless link
- TCP based connections: they fail back to the backup link when wireless link is down, but once the connection is restored, never gets through the wireless link again
- UDP based connections: I'm not so sure about UDP, but I guess probably the same thing

The thing is that once a source IP is rerouted through the backup link, all the traffic from that IP goes through the backup link, and no matter what, if the connection keeps "active" (difficult to define "active" here... from what I've seen, it could mean some related traffic every minute or so) it NEVER defaults back to the wireless link.
Never means that unless the router gets rebooted, this behaviour can last DAYS, till manually reset and back to the wireless link!

Even after wiping open connections from within winbox, it keeps going through the secondary link. Only way is to wipe open connections, and wait some time (at least 20-30s) before trying to send some traffic. If faster than that, traffic is still sent through the backup link and you have to start over.

Serge, you mention this is default behaviour in firewall code?
I guess this is part of the firewall code (connection tracking). Is it possible to disable this "feature" somehow? Or even deactivate the firewall completely (I won't be using it in this case)?

I've gone through all the documentation and wiki and haven't found any hint.
BTW, RouterOS version is 3.x.

Any hint would be appreciated.
Cheers,

--
Txema

Re: problems with a failover gateway configuration

Posted: Fri Jun 19, 2009 11:47 am
by sergejs
fatima,

you should get access to the router and run,
/ip firewall connection remove [find]

txema,
what is your routing configuration?

Re: problems with a failover gateway configuration

Posted: Fri Sep 04, 2009 12:03 pm
by fatima
Hi Sergejs,

I have done what you told me, and it works. When I erased all the established connections I could pass traffic over the wireless connection. I would like to know if this could be an automatic process when the connection is recovered?

After testing, I could find a way that works more or less like I want.
In IP -> Firewall -> Connections -> Tracking,
changing the TCP Established Timeout from 1 day to 1 min (in my tests). When I have to recover the connection, the timeout of established TCP connections is so small that a new TCP established connection is created when I test again.

Would making that change cause problems with the applications the client has, or is it a good way to solve my problem?

Thanks for all
Fátima

Re: problems with a failover gateway configuration

Posted: Sat Oct 03, 2009 12:52 am
by hkr
I have found and tried the failover setup:

/ip route add gateway=192.168.1.1 check-gateway=ping
/ip route add gateway=192.168.2.1 distance=2


It is nice, and works fine. But.

Is there any other way? This method only seems to help if the connection to the gateway is broken, but will not work if the gateway IS reachable but after the gateway there is a black hole.

Re: problems with a failover gateway configuration

Posted: Sat Oct 03, 2009 9:53 pm
by Chupaka
you need to use some script to ping some internet host via 192.168.1.1 and disable a route via that GW in case of failure... something like that...
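
One way to write the script suggested in the last reply, combined with the automatic connection flush asked about earlier in the thread. This is an added example, not posted by anyone in the thread. Assumptions: 203.0.113.1 is a placeholder for a probe host beyond the primary gateway, and the route comments and the script name are hypothetical labels.

```routeros
# Added example. 203.0.113.1 is a placeholder probe host; the comments
# "primary-rf" / "probe-*" and the name "probe-primary" are hypothetical.

# --- one-time setup ---
# Tag the primary default route so the script can find it.
/ip route add gateway=192.168.1.1 check-gateway=ping comment="primary-rf"
/ip route add gateway=192.168.2.1 distance=2
# Pin the probe host to the primary gateway so the ping always tests that path.
/ip route add dst-address=203.0.113.1/32 gateway=192.168.1.1 comment="probe-via-primary"
# If the primary gateway itself is unreachable, the /32 above goes inactive and
# the probe would leak out via the backup and look healthy. This higher-distance
# blackhole makes the probe fail instead (type=blackhole as in RouterOS v3-v6).
/ip route add dst-address=203.0.113.1/32 type=blackhole distance=2 comment="probe-guard"

# --- script body: store under /system script as "probe-primary" ---
:local ok [/ping 203.0.113.1 count=3]
:local rt [/ip route find comment="primary-rf"]
:local off [/ip route get $rt disabled]

# Gateway answers but nothing beyond it does: take the primary route out.
:if (($ok = 0) && ($off = false)) do={
    /ip route disable $rt
    :log warning "primary path failed probe, default route disabled"
}

# Path is back: restore the route, then flush connection tracking so existing
# flows stop following the backup path. As noted in the thread, this breaks
# clients' active connections (downloads, open pages).
:if (($ok > 0) && ($off = true)) do={
    /ip route enable $rt
    /ip firewall connection remove [find]
    :log info "primary path restored, connection table flushed"
}

# --- run it every 10 seconds ---
/system scheduler add name="probe-primary" interval=10s on-event="probe-primary"
```

The flush runs only on the transition from failed to restored, so a healthy primary link never has its connection table cleared.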