Dual WAN Load Balancing with Failover on MikroTik

Introduction
Let us suppose that we have two WAN links, and we want to load balance across them and fail over if one of the links goes down (i.e. redirect traffic to the link that is still up). The problem is to monitor whether the Internet is actually reachable through each link, because the failure can be anywhere along the path.
If your VPN cannot connect, there is no problem: your default route with gateway=that-vpn-connection will simply be inactive.
If your ADSL modem is down, check-gateway=ping takes care of it, and again there is no problem.
But what if your modem is up and the telephone line is down? Or one of your ISPs has a problem inside its own network, so a traceroute shows only a few hops and then stops?
Some people use the Netwatch tool to monitor remote locations. Others use scripts that periodically ping remote hosts and then disable routes, or change the routing behaviour in some other way.
But RouterOS lets us do such checking with nothing but /ip route entries: no scripting and no Netwatch at all.
Implementation
Basic Setup
Let's suppose that we have two uplinks, GW1 and GW2. They can be the addresses of ADSL or DSL modems, a static IP and a local IP (like 192.168.1.1 and 192.168.2.1), or PPP interfaces (like pppoe-out1 and pptp-out1). Then we have PCC load-balancing rules in ip > firewall > mangle and in ip > routes, so all outgoing traffic is marked with either the ISP1 mark (which goes to GW1) or the ISP2 mark (which goes to GW2), and the mangle PCC method splits the traffic evenly over both WAN links. And we want to monitor Host1 and Host2 via GW1, and Host3 and Host4 via GW2; these may be some popular Internet sites, like Google, Yahoo, etc.
First, add IP addresses to the interfaces (don't forget to rename the interfaces accordingly):
/ip address
add address=192.168.10.1/24 interface=Local
add address=192.168.1.2/24 interface=WAN1
add address=192.168.2.2/24 interface=WAN2
Since most ISPs do not answer DNS requests coming from outside their own network, it is better to run our own DNS server on the MikroTik, or simply to use the OpenDNS or Google DNS servers:
/ip dns set allow-remote-requests=yes cache-max-ttl=1w cache-size=5000KiB max-udp-packet-size=512 servers=8.8.4.4,8.8.8.8
The mangle rule set for distributing the traffic evenly over both links:
/ip firewall mangle
add chain=input in-interface=WAN1 action=mark-connection new-connection-mark=WAN1_mark
add chain=input in-interface=WAN2 action=mark-connection new-connection-mark=WAN2_mark
add chain=output connection-mark=WAN1_mark action=mark-routing new-routing-mark=to_ISP1
add chain=output connection-mark=WAN2_mark action=mark-routing new-routing-mark=to_ISP2
add chain=prerouting dst-address=192.168.1.0/24 action=accept in-interface=Local
add chain=prerouting dst-address=192.168.2.0/24 action=accept in-interface=Local
add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses-and-ports:2/0 action=mark-connection new-connection-mark=WAN1_mark passthrough=yes
add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses-and-ports:2/1 action=mark-connection new-connection-mark=WAN2_mark passthrough=yes
add chain=prerouting connection-mark=WAN1_mark in-interface=Local action=mark-routing new-routing-mark=to_ISP1
add chain=prerouting connection-mark=WAN2_mark in-interface=Local action=mark-routing new-routing-mark=to_ISP2
Failover with Routing on the WAN Links
For checking remote reachability I am using these hosts (host1A/host1B are reached via GW1, host2A/host2B via GW2):
8.8.8.8        Google-DNS  host1A
72.30.2.43     Yahoo       host1B
8.8.4.4        Google-DNS  host2A
199.59.148.82  Twitter     host2B
First we need routes to our checking hosts:
/ip route
add dst-address=8.8.8.8 gateway=192.168.1.1 scope=10
add dst-address=72.30.2.43 gateway=192.168.1.1 scope=10
add dst-address=8.8.4.4 gateway=192.168.2.1 scope=10
add dst-address=199.59.148.82 gateway=192.168.2.1 scope=10
Then let's create destinations for "virtual" hops to use in the routes that follow. I'm using 10.1.1.1 and 10.2.2.2 as an example: 10.1.1.1 is reached only through the two hosts routed via GW1 (host1A and host1B), and 10.2.2.2 only through the two hosts routed via GW2 (host2A and host2B), so each virtual hop stays reachable as long as at least one of its two hosts answers pings:
/ip route
add dst-address=10.1.1.1 gateway=8.8.8.8 scope=10 target-scope=10 check-gateway=ping
add dst-address=10.1.1.1 gateway=72.30.2.43 scope=10 target-scope=10 check-gateway=ping
add dst-address=10.2.2.2 gateway=8.8.4.4 scope=10 target-scope=10 check-gateway=ping
add dst-address=10.2.2.2 gateway=199.59.148.82 scope=10 target-scope=10 check-gateway=ping
And now we may add default routes for clients:
/ip route
add distance=1 gateway=10.1.1.1 routing-mark=to_ISP1
add distance=2 gateway=10.2.2.2 routing-mark=to_ISP1
add distance=1 gateway=10.2.2.2 routing-mark=to_ISP2
add distance=2 gateway=10.1.1.1 routing-mark=to_ISP2
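To see how the nested routes above decide which link each routing mark actually leaves through, here is a small model of RouterOS recursive route resolution. It is an added example, not RouterOS code or anything from the original post: it models only distance, directly connected subnets and check-gateway=ping (scope and target-scope are left out), using the post's addresses, host-to-link mapping and route table as constructed input.

```python
from ipaddress import ip_address, ip_network

# Constructed tables mirroring the post's config (scope/target-scope omitted).
# Directly connected subnets (/ip address) resolve straight to an interface.
CONNECTED = {"192.168.1.0/24": "WAN1", "192.168.2.0/24": "WAN2"}
# (dst, gateway, distance, check-gateway=ping?)
ROUTES = [
    # pinned /32 routes to the check hosts: host1A/1B via GW1, host2A/2B via GW2.
    # No check-gateway here, so they stay active whatever the link does.
    ("8.8.8.8/32", "192.168.1.1", 1, False),
    ("72.30.2.43/32", "192.168.1.1", 1, False),
    ("8.8.4.4/32", "192.168.2.1", 1, False),
    ("199.59.148.82/32", "192.168.2.1", 1, False),
    # "virtual" hops: usable while at least one of their two hosts answers.
    ("10.1.1.1/32", "8.8.8.8", 1, True),
    ("10.1.1.1/32", "72.30.2.43", 1, True),
    ("10.2.2.2/32", "8.8.4.4", 1, True),
    ("10.2.2.2/32", "199.59.148.82", 1, True),
]
# routing-mark -> [(gateway, distance)]: own link first, other link as backup
DEFAULTS = {"to_ISP1": [("10.1.1.1", 1), ("10.2.2.2", 2)],
            "to_ISP2": [("10.2.2.2", 1), ("10.1.1.1", 2)]}


def resolve(gateway, reachable, depth=0):
    """Egress interface for `gateway`, or None when no usable route exists.
    `reachable` is the set of check hosts currently answering pings."""
    if depth > 8:  # guard against a loop in a hand-written table
        return None
    for net, iface in CONNECTED.items():
        if ip_address(gateway) in ip_network(net):
            return iface  # on-link gateway: no further lookup needed
    matches = [r for r in ROUTES if ip_address(gateway) in ip_network(r[0])]
    for _dst, nexthop, _dist, check in sorted(matches, key=lambda r: r[2]):
        if check and nexthop not in reachable:
            continue  # check-gateway=ping failed: RouterOS marks it inactive
        iface = resolve(nexthop, reachable, depth + 1)
        if iface:
            return iface
    return None


def active_egress(mark, reachable):
    """Interface that traffic carrying routing-mark `mark` leaves through."""
    for gw, _dist in sorted(DEFAULTS[mark], key=lambda g: g[1]):
        iface = resolve(gw, reachable)
        if iface:
            return iface
    return None
```

With every host answering, active_egress("to_ISP1", ...) gives WAN1; once both GW1 hosts stop answering it gives WAN2, while a single host going quiet changes nothing. Note that the pinned /32 routes never fail over, so the router's own queries to 8.8.8.8 keep leaving via WAN1 even when that line is dead.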
And masquerade both WAN interfaces:
/ip firewall nat
add chain=srcnat out-interface=WAN1 action=masquerade
add chain=srcnat out-interface=WAN2 action=masquerade

Comments

  1. Hi! I don't understand these lines:

    For checking the remote address i am using these hosts
    8.8.8.8 Google-DNS host1A
    72.30.2.43 Yahoo host1B
    8.8.4.4 Google-DNS host2A
    199.59.148.82 Twitter host2B
    first we need routes to our checking hosts:
    /ip route
    add dst-address=8.8.8.8 gateway=192.168.1.1 scope=10
    add dst-address=72.30.2.43 gateway=192.168.1.1 scope=10
    add dst-address=8.8.4.4 gateway=192.168.2.1 scope=10
    add dst-address=199.59.148.82 gateway=192.168.2.1 scope=10
    Then, let’s create destinations to “virtual” hops to use in further routes. I’m using 10.1.1.1 and 10.2.2.2 as an example:
    /ip route
    add dst-address=10.1.1.1 gateway=8.8.4.4 scope=10 target-scope=10 check-gateway=ping
    add dst-address=10.1.1.1 gateway=72.30.2.43 scope=10 target-scope=10 check-gateway=ping
    add dst-address=10.2.2.2 gateway=8.8.8.8 scope=10 target-scope=10 check-gateway=ping
    add dst-address=10.2.2.2 gateway=199.59.148.82 scope=10 target-scope=10 check-gateway=ping
    And now we may add default routes for clients:
    /ip route
    add distance=1 gateway=10.1.1.1 routing-mark=to_ISP1
    add distance=2 gateway=10.2.2.2 routing-mark=to_ISP1
    add distance=1 gateway=10.2.2.2 routing-mark=to_ISP2
    add distance=2 gateway=10.1.1.1 routing-mark=to_ISP2


    The usual way is to create a default route (0.0.0.0/0) pointing to the ISP's gateway and then applying the route mark and distance.

    Can you enlighten me on this?

    Thank you.

  2. Yes, the failover is working; however, it takes time to shift from one ISP to the other. Estimated average time: 12 sec. Try to ping a website while unplugging or disabling one of your ISP ether ports. Can you explain why it takes so long to shift, and what should I do to make it shift seamlessly? Thank you. Just e-mail me if you think you have a better solution: rodelpillo0324@yahoo.com. Thanks.

    Replies
    1. check-gateway (arp | ping; Default: "")
      Periodically (every 10 seconds) check gateway by sending either ICMP echo request (ping) or ARP request (arp). If no response from gateway is received for 10 seconds, request times out. After two timeouts gateway is considered unreachable. After receiving reply from gateway it is considered reachable and timeout counter is reset.

  3. Auto failover by using two links please!

    Replies
    1. https://hak786.blogspot.com/2014/09/ecmp-load-balancing-simple-and-easy.html

      You may use the above; it works fine if you are using MikroTik as a load balancer or for failover. If users are hitting the MikroTik directly, then you should use the PCC method, which you can find on this blog.

  4. Hi Sir, let's say in failover that the default route with "gateway=that-vpn-connection" will be inactive because WAN1 is down. Please explain to me how the PPTP VPN switches from one WAN to the other? Thanks. Regards

  5. Please, can you explain this point better:
    Then, let's create destinations to "virtual" hops to use in further routes. I'm using 10.1.1.1 and 10.2.2.2 as an example:
    What are virtual hops? I beg your pardon for my ignorance.

