MikroTik

Posted: **Thu Jun 11, 2009 10:13 pm**

Hello.

It's happened we signed contract with one more new ISP. They give us one public IP and their GW.
Let it be 210.22.33.3, GW: 210.22.33.1

We have:
- RB450 connected
to LAN 192.168.5.0/24 (eth2 IP:192.168.5.3),
to I-net (eth1 IP: 209.11.22.3), GW is 209.11.22.1 - default GW for this router -- these are from the old one ISP.
- src-nat
/ip firewall nat
add action=src-nat chain=srcnat src-address=192.168.5.0/24 to-addresses=209.11.22.3
NOTE: simple masquerade is not appropriate here, because we have a server (mail, www, etc...) inside LAN which needs to be accessible from I-net, so we use dstnat/srcnat for some particular pairs of addresses like publicIP/local IP (209.11.22.2 <-> 192.168.5.54):
/ip firewall nat
add action=dst-nat chain=dstnat dst-address=209.11.22.2 to-addresses=192.168.5.54
add action=src-nat chain=srcnat src-address=192.168.5.54 to-addresses=209.11.22.2
..etc. (NOTE: 209.11.22.2 is secondary IP for eth1 of RB450 and there are some more public IPs configured on eth1 also the same way... I think it doesn't really matter...)

We need:
1. Connect our network to the 2nd new ISP in parallel
2. Distribute Internet traffic load 50/50 between these two different ISPs
3. Make our Internet connection fail-safe, so when one of two ISP connections is down all the Internet traffic 100% to be served by the second one.

Of course I've read the documentation, especially these two chapters:
http://www.mikrotik.com/testdocs/ros/2.9/ip/nat.php
http://www.mikrotik.com/testdocs/ros/2.9/ip/route.php
but it's not enough to solve my problem because of:
/ip firewall nat
add action=src-nat chain=srcnat src-address=192.168.5.0/24 to-addresses=209.11.22.3
-- it's clear that all the connection coming from LAN to be mapped to only one IP 209.11.22.3.

I was also trying to search trough this forum, but it seems there is no appropriate information to help me.
Please, Mikrotik gurus, give me a clue or an example how to solve my problem.

thank you in advance.

Posted: **Thu Jun 11, 2009 10:56 pm**

What version of routerOS are you running?

I can give you a solution but it'll only work if you're running v3.24 or newer.

Posted: **Thu Jun 11, 2009 11:13 pm**

currently it's ROS 3.23,
but it is not a problem to upgrade to 3.24

Posted: **Fri Jun 12, 2009 9:33 am**

# allow multiple inbound connections on dynamic (adsl) interfaces
/ip firewall mangle
add action=mark-connection chain=input comment="Mark new inbound connection wan1" connection-state=new disabled=no in-interface=wan1 new-connection-mark=wan1 passthrough=yes
add action=mark-connection chain=input comment="Mark new inbound connection wan2" connection-state=new disabled=no in-interface=wan2 new-connection-mark=wan2 passthrough=yes
add action=mark-routing chain=output comment="Mark new inbound route wan1" connection-mark=wan1 connection-state=new disabled=no new-routing-mark=wan1 passthrough=no
add action=mark-routing chain=output comment="Mark new inbound route wan2" connection-mark=wan2 connection-state=new disabled=no new-routing-mark=wan2 passthrough=no
add action=mark-connection chain=prerouting comment="Mark new established connection wan1" connection-state=established disabled=no in-interface=wan1 new-connection-mark=wan1 passthrough=yes
add action=mark-connection chain=prerouting comment="Mark new established connection wan2" connection-state=established disabled=no in-interface=wan2 new-connection-mark=wan2 passthrough=yes
add action=mark-routing chain=output comment="Mark new established route wan1" connection-mark=wan1 connection-state=established disabled=no new-routing-mark=wan1 passthrough=no
add action=mark-routing chain=output comment="Mark new established route wan2" connection-mark=wan2 connection-state=established disabled=no new-routing-mark=wan2 passthrough=no

# round robin outbound traffic routing, based on src port and src address
/ip firewall mangle    
add chain=prerouting dst-address-type=!local in-interface=lan per-connection-classifier=src-address-and-port:2/0 action=mark-connection new-connection-mark=wan1_pcc_conn passthrough=yes
add chain=prerouting dst-address-type=!local in-interface=lan per-connection-classifier=src-address-and-port:2/1 action=mark-connection new-connection-mark=wan2_pcc_conn passthrough=yes
add chain=prerouting connection-mark=wan1_pcc_conn in-interface=Hotspot action=mark-routing new-routing-mark=wan1
add chain=prerouting connection-mark=wan2_pcc_conn in-interface=Hotspot action=mark-routing new-routing-mark=wan2

This setup assumes:
1) You have 2 internet links
2) You have created 1 route for each link with a routing mark "wan1" and "wan2" respectively
3) That you have all the relevant nat rules created

If you want to make sure its an automatic fallover, you can also create backup marked routes and use check-gateway=ping on each of your devices.

Eg:

/ip route
add check-gateway=ping comment="" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.0.0.2 routing-mark=wan2 scope=30 target-scope=10
add check-gateway=ping comment="" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.0.0.1 routing-mark=wan1 scope=30 target-scope=10
add check-gateway=ping comment="fallover" disabled=no distance=10 dst-address=0.0.0.0/0 gateway=10.0.0.1 routing-mark=wan2 scope=30 target-scope=10
add check-gateway=ping comment="fallover" disabled=no distance=10 dst-address=0.0.0.0/0 gateway=10.0.0.2 routing-mark=wan1 scope=30 target-scope=10

Posted: **Fri Jun 12, 2009 11:45 am**

In another words - use this MikroTik example: http://wiki.mikrotik.com/wiki/PCC

Posted: **Sat Jun 13, 2009 12:04 am**

thank you, guys!

It works,

BUT

it is not 100% fallover.

Let me tell you about some results of my tests.
For example: when I test it from LAN side by pinging some remote I-net address or doing ssh-session, and then I break one of two ISP connections then I have the results as follows:
if the session was not on the route of that broken connection -- it's clear - it continues to work ok, but when it's on the broken route, then both tests (ping and ssh-session) stop forever. The only remedy is to cancel or kill the session, then when you restart it again you will be re-routed to the second connection which is still living. BUT, if you cancel and restart it too fast, then your have strong ~95% chance to get to the broken route again! You have to wait about 10-15 sec before to start you application again to have good chance to be re-routed to non-broken link. In other words, the interruption of service will be definitely noticed by our client.
Yes, it is still better then nothing, but
is it possible to have some kind of workaround for this to make it working better?

Thank you for reading.

Posted: **Sat Jun 13, 2009 7:19 am**

If you're using 2 x pppoe connections and terminating them directly on the mikrotik then this shouldn't happen.

However using the check-gateway=ping to 2 routers that are making the connections out for you, means you'll only be able to detect if a router dies for any reason, seeing as that's what's being ping'd

Posted: **Mon Jun 15, 2009 4:17 pm**

hello.

I was trying to simulate link failures two ways:
1) by disconnecting cable directly from MT's eth port and watching routing table in parallel. Of course this way it reacts fast and switches to backup route. But ping and ssh tests stops and freezes forever anyway.
2) by braking link before ADSL router, i.e. not between adsl and MT, and for "check-gateway=ping" it looks like link is still alive. This way it takes definitely much more time to recover and re-route.
Anyway, as I told, both cases the failure is not transparent for the end user, the service will be interrupting for 10...20 seconds, but despite this fact it is still useful feature.

Posted: **Mon Jun 15, 2009 9:08 pm**

There will always be some sort of failure as any current connections going out one link aren't going to be continued on the other, that sort of routing only works when you're using bonded links.

However if the response time of the ping to gateway doesn't suit you, you could always try using the netwatch tool to change the gateway automatically quicker than it would normally. (See Tools -> Netwatch in winbox)

Posted: **Tue Jul 21, 2009 8:09 am**

PC-1 obtain automatic IP - This PC is connected to the Ethernet port
2(Mikrotik) - 192.168.1.98 Router assign ip.
PC-2 obtain automatic IP - This PC is connected to the Ethernet port
3(Mikrotik) - 192.168.1.99 Router assign ip.

Both PC's use a PC client Application and the Application data send to this IP Destination 192.168.9.9 and this Destination Port (3004) both PC's to the same IP and port Destination.

Local remote Port for each PC is a random port assigned.

*** I receive this traffic From both PC's an apply this command (NAT)***

I NAT BOTH PC's to the same private LAN 10.1.2.33 Port (5577).

This address is my Host address (10.1.2.33:5577) this is a SERVER Application to answer the PC's request.

[My server application listening (port 5577) and response the data.

Important each PC establish a permanet connection to my host.

(we use the Ethernet port 0) (Mikrotik). To connect to my Host Server.

In my Application server we have only one socket connection or station to receive both pc's at the same time.

I need to establish permanent connection for both PC's? Or send traffic both PC's for the same server socket connection.

We need work like a lease line uplink.

*Now only work one pc at the time* Example PC1 connect send the data, desconnect this socket and the second PC connect a send data*

We need Many connection to One (permanent connection) All trafic recive for al client side sent to the same uplink (WAN).

We appreciate your help!

Thanks
David

MikroTik

2 different ISPs, 2xGW, srcnat. Howto load balance/failower?

2 different ISPs, 2xGW, srcnat. Howto load balance/failower?

Re: 2 different ISPs, 2xGW, srcnat. Howto load balance/failower?

Re: 2 different ISPs, 2xGW, srcnat. Howto load balance/failower?

Re: 2 different ISPs, 2xGW, srcnat. Howto load balance/failower?

Re: 2 different ISPs, 2xGW, srcnat. Howto load balance/failower?

Re: 2 different ISPs, 2xGW, srcnat. Howto load balance/failower?

Re: 2 different ISPs, 2xGW, srcnat. Howto load balance/failower?

Re: 2 different ISPs, 2xGW, srcnat. Howto load balance/failower?

Re: 2 different ISPs, 2xGW, srcnat. Howto load balance/failower?

Re: 2 different ISPs, 2xGW, srcnat. Howto load balance/failower?