Wednesday, October 28, 2020

Netwatch Script ISP Failover Mikrotik

Netwatch is a RouterOS tool that monitors the status of a host or link. At a configured interval it sends a ping request to a predefined host. If it does not receive a reply, it can send a notification by e-mail or SMS to the system administrator, or it can re-route traffic to a different ISP or gateway.

Whenever a change in the status of the link is detected, the related action is taken. Netwatch does this with the help of scripts: whenever the status of the link changes, the script attached to that status is run.

In this tutorial we will discuss how to re-route traffic to a secondary ISP or gateway if the primary one goes down, and how to switch back to the primary ISP or gateway when it comes back.

At this point we know that Netwatch can monitor a gateway or a link by pinging a host located on the internet. If for any reason that host becomes unreachable, the tool will disable the failed gateway route and at the same time enable the secondary gateway route. All of this is done by the scripts that we configure in the Netwatch entry.

In this case it does not matter which link is down, whether it is our router-to-ISP-1 link or the ISP-1 link to their upstream gateway: the router will switch to the secondary ISP automatically.

Now we will discuss the scripts that Netwatch will execute if the primary gateway goes down. We assume that our primary ISP gateway address is 1.1.1.1 and our secondary ISP gateway address is 2.2.2.2. We further assume that Netwatch will continuously send ping requests to the 8.8.8.8 server on the internet via the primary ISP gateway, and to the 8.8.4.4 server via the secondary ISP gateway. If it gets no ping response from one of those servers within the configured period, it will disable the corresponding gateway: if Netwatch gets no response from 8.8.8.8 it will disable the ISP-1 gateway route (1.1.1.1), and likewise if it gets no response from 8.8.4.4 it will disable the ISP-2 gateway route (2.2.2.2). Once responses come back, it will enable the route again automatically.

At this point we will add two more routes to track the link status of ISP-1 and ISP-2. We will send 8.8.8.8 traffic via ISP-1 and 8.8.4.4 traffic via ISP-2.

To track the ISP-1 link we will add the following route:


To track the ISP-2 link we will add the following route:


Now we will move on to the scripts.

The script for disabling the primary route:-

ip route disable [find gateway="1.1.1.1"]

[Note:- If we have put a comment on the primary gateway route entry, then we can use that comment to disable the route instead]

ip route disable [find comment="write_your_comment"]
For example:- ip route disable [find comment="backup route"]
or
ip route disable [/ip route find comment="my comment"]
For example:- ip route disable [/ip route find comment="backup route"]

In the same way, the script for enabling the secondary route:-

ip route enable [find gateway="2.2.2.2"]
or
ip route enable [find comment="write_your_comment"]
For example:- ip route enable [find comment="backup route"]
or
ip route enable [/ip route find comment="my comment"]
For example:- ip route enable [/ip route find comment="backup route"]

How to configure those scripts in the Netwatch tool is shown in the pictures below:-

First of all, we will open the Netwatch tool and create a rule.


Now we will create a rule and write our target server address 8.8.8.8 in the "Host" field. The rest of the settings stay at their defaults. Because of the route we added, the requests will go out via our primary gateway, 1.1.1.1.


Now click on the "Down" tab and write the code below:-

ip route disable [find gateway="1.1.1.1"]

When Netwatch does not get a response from the 8.8.8.8 server, this script will be executed and the route via gateway 1.1.1.1 will be disabled.


Now go to the "Up" tab and write the code below:-

ip route enable [find gateway="1.1.1.1"]

When it starts getting responses from the 8.8.8.8 server again, this script will be executed and the route via gateway 1.1.1.1 will be enabled.


One more thing we have to do is disable the NAT entry associated with that route. Because, if the NAT entry stays enabled for that route, all the requested traffic would be translated and then forwarded towards the gateway that has already been disabled by the Netwatch script, and as a result all that traffic would be dropped.

To disable the associated NAT we have to run another script as part of the Netwatch action. We can run multiple commands in a single Netwatch entry, or we can add multiple Netwatch entries, one per script. Here we will use the multiple-entries method.

Now we will add another Netwatch entry for the 8.8.8.8 server.


Now go to the "Up" tab and write the code below:-

ip firewall nat enable numbers=0

Here, the value of the "numbers" parameter is the serial number of the NAT entry, that is:-


The "numbers" value in the script must match the serial number of your NAT entry. In this example we used 0 because the NAT entry we are going to disable has serial number 0.


Now for the "Down" tab, write the code below:-

ip firewall nat disable numbers=0


From now on, if the primary link goes down, our primary route will be disabled and so will the associated NAT entry. When the link comes back, the route entry and the NAT entry will be enabled again.

Now we will add an entry for the 8.8.4.4 server. Add a new rule and write the server address 8.8.4.4 in the "Host" field. It will send ping requests via the second ISP, 2.2.2.2.


Now click on the "Down" tab and write the code below:-

ip route disable [find gateway="2.2.2.2"]

When Netwatch does not get a response from the 8.8.4.4 server, this script will be executed and the route via gateway 2.2.2.2 will be disabled.


Now go to the "Up" tab and write the code below:-

ip route enable [find gateway="2.2.2.2"]

When it starts getting responses from the 8.8.4.4 server again, this script will be executed and the route via gateway 2.2.2.2 will be enabled.


Now we will add another entry for disabling the NAT associated with that gateway.


Write the code below in the "Up" tab.

ip firewall nat enable numbers=1

Here we used the "numbers" value 1 because the serial number of that NAT entry is 1.


Now write the code below in the "Down" tab.

ip firewall nat disable numbers=1


Finally, click on “Apply” and then “OK”.

There is one more thing we have to take care of. If our primary link goes down, the 8.8.8.8 server must stop answering, otherwise none of the scripts we wrote will run. Normally, when our Mikrotik router cannot reach 8.8.8.8 via the primary gateway 1.1.1.1, it will try to reach it via the secondary gateway 2.2.2.2, and this time it will succeed. Because the host is still reachable, Netwatch will not execute any script.

That is why we have to stop the Mikrotik router from reaching the 8.8.8.8 server via the secondary gateway. We can do this with a firewall rule that drops all packets to the 8.8.8.8 server leaving through the secondary ISP interface. The rule is as follows:-

ip firewall filter add chain=output dst-address=8.8.8.8 protocol=icmp out-interface=ether7 action=drop

The same applies to the 8.8.4.4 server:

ip firewall filter add chain=output dst-address=8.8.4.4 protocol=icmp out-interface=ether8 action=drop


In this example we are connected to the second ISP via the ether7 interface, which is why we select ether7 as the output interface for the 8.8.8.8 rule. For the 8.8.4.4 server we select out-interface ether8, because that interface is connected to our primary ISP.

From now on, if Netwatch gets no ping response from the 8.8.8.8 or 8.8.4.4 server, it will execute the corresponding scripts. No matter which link is down, ours or the ISP's, the router will switch automatically. Likewise, when our primary ISP or gateway comes back, the secondary ISP will go back to being the backup and the primary ISP will be activated again.
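The whole procedure above, collected into one pasteable RouterOS configuration. This is an added example, not the post's own commands. It keeps the post's addresses (gateways 1.1.1.1 and 2.2.2.2, probe hosts 8.8.8.8 and 8.8.4.4, ISP-1 on ether8, ISP-2 on ether7) and changes two things a practitioner would want changed: every item is matched by comment rather than by "numbers=" (an item number is only its position in the last "print" output, so it shifts as soon as a rule is inserted or removed), and the scripts disable only the default route, not the /32 probe route. A "[find gateway="1.1.1.1"]" matches the probe route as well; once that probe route is disabled the 8.8.8.8 pings fall through to the secondary ISP, hit the drop rule, and Netwatch can never see the primary come back. The comment names, interval and timeout are my choices.

```routeros
# Added example, not the post's own configuration. Assumed: ISP-1 gateway 1.1.1.1 on ether8,
# ISP-2 gateway 2.2.2.2 on ether7 (as in the post); comment names, interval and timeout are mine.

# 1. Probe routes: 8.8.8.8 is only ever reached via ISP-1, 8.8.4.4 only via ISP-2.
/ip route add dst-address=8.8.8.8/32 gateway=1.1.1.1 comment="probe-isp1"
/ip route add dst-address=8.8.4.4/32 gateway=2.2.2.2 comment="probe-isp2"

# 2. Default routes. While both are enabled the lower distance (ISP-1) is used.
/ip route add dst-address=0.0.0.0/0 gateway=1.1.1.1 distance=1 comment="default-isp1"
/ip route add dst-address=0.0.0.0/0 gateway=2.2.2.2 distance=2 comment="default-isp2"

# 3. The post's drop rules: a probe must never leak out through the other ISP, otherwise the
#    probe host stays reachable during an outage and Netwatch never fires.
/ip firewall filter add chain=output dst-address=8.8.8.8 protocol=icmp out-interface=ether7 \
    action=drop comment="probe-isp1-never-via-isp2"
/ip firewall filter add chain=output dst-address=8.8.4.4 protocol=icmp out-interface=ether8 \
    action=drop comment="probe-isp2-never-via-isp1"

# 4. One masquerade rule per ISP, addressed by comment instead of by list position.
/ip firewall nat add chain=srcnat out-interface=ether8 action=masquerade comment="nat-isp1"
/ip firewall nat add chain=srcnat out-interface=ether7 action=masquerade comment="nat-isp2"

# 5. Netwatch entries. Each script touches only its own ISP's default route and NAT rule,
#    leaves the probe route alone so recovery can be detected, and logs the transition so the
#    failover is visible in /log (and in whatever syslog collector /system logging forwards to).
/tool netwatch add host=8.8.8.8 interval=10s timeout=1s comment="watch-isp1" \
    down-script="/ip route disable [find comment=\"default-isp1\"]; /ip firewall nat disable [find comment=\"nat-isp1\"]; /log warning \"ISP-1 down: traffic now leaves via ISP-2\"" \
    up-script="/ip route enable [find comment=\"default-isp1\"]; /ip firewall nat enable [find comment=\"nat-isp1\"]; /log info \"ISP-1 up: primary route restored\""
/tool netwatch add host=8.8.4.4 interval=10s timeout=1s comment="watch-isp2" \
    down-script="/ip route disable [find comment=\"default-isp2\"]; /ip firewall nat disable [find comment=\"nat-isp2\"]; /log warning \"ISP-2 down: backup link unavailable\"" \
    up-script="/ip route enable [find comment=\"default-isp2\"]; /ip firewall nat enable [find comment=\"nat-isp2\"]; /log info \"ISP-2 up: backup link available\""
```

To test it without touching cables, disable the probe route for one ISP by hand ("/ip route disable [find comment="probe-isp1"]" is enough, since the drop rule then blocks the fallback path) and watch "/log print" for the warning and "/ip route print" for the disabled default; re-enable the probe route and the up-script should restore the default within one interval. RouterOS also offers "check-gateway=ping" directly on a route, which handles the route part without Netwatch; the Netwatch form is useful when, as here, you also want to toggle NAT rules or log the event.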

Tuesday, October 27, 2020

Mikrotik Port Forwarding Port 80

First of all, we are going to discuss what port forwarding is and why it is being used. Then we move on to the details of how to configure port forwarding for the web server in the Mikrotik Router.

Port forwarding is required to reach a service that runs behind our router from the internet. It is the process of forwarding traffic that originates on the internet, or outside the local network, to a specific internal destination.

Suppose you have a service running on your local network that is accessible only to your local users. Now you want to publish that service on the internet so that any internet user can reach it from anywhere in the world. Internet users send their request to the router using the service's port number, and the router checks its forwarding table for an entry matching that port. Every router maintains a port forwarding table that lists every service (port number) that is meant to be reachable from the internet, together with the computer that provides that service. That is how the router can redirect the traffic to the specific destination the internet user is looking for. This works like "Destination NAT" or "PAT (Port Address Translation)".

Assume that we have a web server running on our local network. Only our LAN users can access it; internet users cannot, because the server is not published on the internet. Now we want to make this web server available on the internet. We have two options. The first is to assign a public IP address directly to the web server, which makes it available on the internet automatically. The second is to have our router forward web server requests to our internal web server, which is called port forwarding.

In this tutorial we are going to learn how to perform port forwarding for a web server on the Mikrotik router.

In the Mikrotik router we achieve this by configuring one destination NAT entry. With this entry we tell our router that if a request arrives from the internet for the web server, it should forward that traffic to our internal web server.

Step by step the whole process is shown graphically below.

First of all, we will go to the "NAT" option from the "Firewall" menu and there we will create a destination NAT rule.


Now go to the "General" tab and select "dstnat" as the "Chain" value. Write your public IP address in the "Dst. Address" field. Select "TCP" in the "Protocol" field. Finally, write the destination port number in the "Dst. Port" field; the web service uses TCP port 80.


Now navigate to the "Action" tab and select "dst-nat" as the "Action" value. In the "To Address" field, write the IP address of the server on which the web service is running. In the "To Port" field, write the port number that our web server uses for that service.


Finally, click "Apply" and then "OK". A destination NAT entry will be added as follows.


From now on, if a request arrives at the router from the internet for the web server, the router will redirect it to our internal web server at 10.168.1.247.

This is the whole process for Mikrotik port forwarding. We can also call it Mikrotik Destination NAT.


Configure Mikrotik Vmware

Sometimes it is necessary to install Mikrotik RouterOS in VMware Workstation; students usually do this to learn RouterOS. But in a virtual environment we often have trouble getting the Mikrotik router to connect to the internet: the problem shows up when configuring the NAT or routing function, which then does not work as expected.

In this tutorial we are going to discuss how to configure internet access for the Mikrotik WAN interface in VMware Workstation: what hardware settings the Mikrotik router needs in VMware Workstation, and which virtual network settings to use so that the Mikrotik router can perform the NAT function.

First of all, to share the internet connection with the Mikrotik router we have to enable the ICS (Internet Connection Sharing) service on the host Windows operating system. How to enable ICS on Windows is described step by step below.

Nowadays, sharing a desktop's or laptop's internet connection with others is common practice. There are many third-party applications for this, but Microsoft Windows has a built-in feature that can share your internet connection with a whole LAN. This feature is called ICS (Internet Connection Sharing).

To enable ICS on a system you must have two network adapters: one connected to the internet and one that shares the internet with the LAN, connected directly to your local network device.

After ICS is enabled, the computer acts as a DHCP server. The LAN adapter connected to the LAN switch becomes the DHCP server interface and allocates IP addresses to the other LAN computers. By default the IP address range is 192.168.137.0/24.

You can change this network if you want. The other LAN computers should be set to obtain their IP address automatically.


Now we will discuss how to enable ICS on a system.

First of all, open "Network & Internet Settings" (Windows 10) or "Network and Sharing Center" (Windows 7). There are several ways to open these settings: from the network icon in the taskbar or via the "Control Panel".

To open it from the network icon, right-click on the icon and click "Open Network & Sharing Center".


Now click on "Change adapter options".

For Windows 10


For Windows 7


Now your available network interface cards will appear. You can also open this window directly from the "Run" program by executing the command below.


Right-click on the network adapter that is connected to the internet and go to "Properties".


From there, go to the "Sharing" tab and tick "Allow other network users to connect through this computer's Internet connection". Then select the network adapter that is connected to the LAN switch from the drop-down list. This adapter will perform the routing function on behalf of the LAN users: it takes all internet requests from the users and forwards them to the adapter that is connected to the internet.


In this example we are using "Ethernet 2" as the adapter connected to the LAN, and our internet-connected adapter is the Wi-Fi adapter. That means we will share the Wi-Fi internet connection with our LAN users via the "Ethernet 2" adapter.

Finally, click "OK". The informational message below will appear; click "Yes".


This message tells you that your LAN adapter, "Ethernet 2", will be given the IP address 192.168.137.1, which will act as the gateway for your LAN users, and that the LAN users' IP address settings should be set to "Obtain an IP address automatically".


If internet connection sharing has been enabled successfully, a "Shared" tag appears on your internet-connected adapter (in our case the Wi-Fi adapter).


Now we will check whether the IP address of our "Ethernet 2" adapter has changed to 192.168.137.1.


Yes, the address has changed. One more thing: here we also have to set the DNS address.


Just for clarity, the IP address of our Wi-Fi adapter that is connected to the internet is 10.16.16.11/24.


All work is done. From now on all of our LAN users can connect to the internet through this adapter; 192.168.137.1 is the gateway address for all LAN users. You can change this network range to your preference.

Now we will discuss the VMware Workstation configuration.

Some hardware configuration is required in VMware Workstation for the Mikrotik internet connection. We need two network adapters for our Mikrotik RouterOS virtual machine: one for the WAN connection and one for the LAN connection. In VMware Workstation these adapters should belong to different virtual networks. The adapter intended for the internet connection should be in "Bridged" mode; the other one should be connected to a different network such as "VMnet2".


Here, "Network Adapter" receives all traffic from "Network Adapter 2" and passes it on to the physical network. The "Network Adapter" IP address must be in the same network as the ICS server's LAN interface, 192.168.137.0/24. For "Network Adapter 2" you can use any range you prefer.
After the Mikrotik RouterOS installation is complete, we add IP addresses to the Mikrotik network interfaces: for the "Network Adapter" card we use 192.168.137.253/24 and for the "Network Adapter 2" card we use 10.5.5.15/24.


Here, ether1 represents the VMware "Network Adapter" card and ether2 represents the "Network Adapter 2" card.

From the Mikrotik router's point of view, ether1 is the public interface and ether2 is the private interface. Now we have to configure NAT for our private interface.


Now we have to configure the DNS server address.


Now we are going to configure the default route.


Notice that we are using the ICS server's LAN interface IP address as our default gateway. Mikrotik receives all traffic from its clients on the ether2 interface and performs NAT on it. After NAT, all internet traffic is routed to the ICS server's LAN interface via the ether1 adapter.

At this point your virtual Mikrotik router should be able to reach the internet through the VMware host machine's internet connection.
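The addressing, NAT, DNS and default-route steps above as one RouterOS terminal session. This is an added example, not the post's own configuration; it uses the post's values (ether1 = VMware "Network Adapter" at 192.168.137.253/24, ether2 = "Network Adapter 2" at 10.5.5.15/24, default gateway 192.168.137.1). The DNS server address (the ICS host, which also proxies DNS for its LAN), the DHCP pool for the VMnet2 clients and the firewall rule that keeps the router's resolver off the WAN side are my additions and assumptions, not the post's.

```routeros
# Added example, not the post's own configuration. From the post: ether1 192.168.137.253/24,
# ether2 10.5.5.15/24, gateway 192.168.137.1. Assumed: DNS via the ICS host, LAN pool 10.5.5.100-200.

/ip address add address=192.168.137.253/24 interface=ether1 comment="WAN towards ICS host"
/ip address add address=10.5.5.15/24 interface=ether2 comment="LAN for test clients"

# Masquerade only what leaves via ether1, so LAN-to-LAN traffic is never rewritten.
/ip firewall nat add chain=srcnat out-interface=ether1 action=masquerade comment="nat-lan-to-ics"

# DNS: the ICS host answers queries on its LAN address (assumption). allow-remote-requests
# lets the VMnet2 clients use the router as their resolver ...
/ip dns set servers=192.168.137.1 allow-remote-requests=yes
# ... but that makes the router answer DNS on every interface, so refuse it from the WAN side.
/ip firewall filter add chain=input in-interface=ether1 protocol=udp dst-port=53 action=drop comment="no-dns-from-wan-udp"
/ip firewall filter add chain=input in-interface=ether1 protocol=tcp dst-port=53 action=drop comment="no-dns-from-wan-tcp"

# Default route via the ICS host's LAN interface, exactly as in the post.
/ip route add dst-address=0.0.0.0/0 gateway=192.168.137.1 comment="default via ICS host"

# Optional: hand out addresses on VMnet2 the same way ICS does for its own LAN.
/ip pool add name=lan-pool ranges=10.5.5.100-10.5.5.200
/ip dhcp-server network add address=10.5.5.0/24 gateway=10.5.5.15 dns-server=10.5.5.15
/ip dhcp-server add name=lan-dhcp interface=ether2 address-pool=lan-pool disabled=no

# Quick checks, innermost hop first: ICS host, then a public address, then name resolution.
/ping 192.168.137.1 count=3
/ping 8.8.8.8 count=3
/tool fetch url="http://example.com/" mode=http keep-result=no
```

If the first ping fails, the VMware adapter is not bridged to the ICS LAN adapter (check the "Bridged" setting and the "Shared" tag on the host); if only the last check fails, the DNS server address is wrong for your ICS host.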

Port Forwarding SSH Server

First of all, we are going to discuss what port forwarding is and why it is being used. Then we move on to the details of how to configure port forwarding for the SSH server in the Mikrotik Router.

Port forwarding is required to reach a service that runs behind our router from the internet. It is the process of forwarding traffic that originates on the internet, or outside the local network, to a specific internal destination.

Suppose you have a service running on your local network that is accessible only to your local users. Now you want to publish that service on the internet so that any internet user can reach it from anywhere in the world. Internet users send their request to the router using the service's port number, and the router checks its forwarding table for an entry matching that port. Every router maintains a port forwarding table that lists every service (port number) that is meant to be reachable from the internet, together with the computer that provides that service. That is how the router can redirect the traffic to the specific destination the internet user is looking for. This works like "Destination NAT" or "PAT (Port Address Translation)".

Assume that we have an SSH server running on our local network. Only our LAN users can access it; internet users cannot, because the server is not published on the internet. Now we want to make this SSH server available on the internet. We have two options. The first is to assign a public IP address directly to the SSH server, which makes it available on the internet automatically. The second is to have our router forward SSH requests to our internal SSH server, which is called port forwarding.

In this tutorial we are going to learn how to perform port forwarding for an SSH server on the Mikrotik router.

In the Mikrotik router we achieve this by configuring one destination NAT entry. With this entry we tell our router that if a request arrives from the internet for the SSH server, it should forward that traffic to our internal SSH server.

Step by step the whole process is shown graphically below.

First of all, we will go to the "NAT" option from the "Firewall" menu and there we will create a destination NAT rule.


Now go to the "General" tab and select "dstnat" as the "Chain" value. Write your public IP address in the "Dst. Address" field. Select "TCP" in the "Protocol" field. Finally, write the destination port number in the "Dst. Port" field; the SSH service uses TCP port 22.


Now navigate to the "Action" tab and select "dst-nat" as the "Action" value. In the "To Address" field, write the IP address of the server on which the SSH service is running. In the "To Port" field, write the port number that our SSH server uses for that service.


Finally, click "Apply" and then "OK". A destination NAT entry will be added as follows.


From now on, if a request arrives at the router from the internet for the SSH server, the router will redirect it to our internal SSH server at 10.168.1.247.

This is the whole process for Mikrotik port forwarding. We can also call it Mikrotik Destination NAT.

Monday, October 26, 2020

Port Forwarding Mikrotik Web Server

First of all, we are going to discuss what port forwarding is and why it is being used. Then we move on to the details of how to configure port forwarding for the web server in the Mikrotik Router.

Port forwarding is required to reach a service that runs behind our router from the internet. It is the process of forwarding traffic that originates on the internet, or outside the local network, to a specific internal destination.

Suppose you have a service running on your local network that is accessible only to your local users. Now you want to publish that service on the internet so that any internet user can reach it from anywhere in the world. Internet users send their request to the router using the service's port number, and the router checks its forwarding table for an entry matching that port. Every router maintains a port forwarding table that lists every service (port number) that is meant to be reachable from the internet, together with the computer that provides that service. That is how the router can redirect the traffic to the specific destination the internet user is looking for. This works like "Destination NAT" or "PAT (Port Address Translation)".

Assume that we have a web server running on our local network. Only our LAN users can access it; internet users cannot, because the server is not published on the internet. Now we want to make this web server available on the internet. We have two options. The first is to assign a public IP address directly to the web server, which makes it available on the internet automatically. The second is to have our router forward web server requests to our internal web server, which is called port forwarding.

In this tutorial we are going to learn how to perform port forwarding for a web server on the Mikrotik router.

In the Mikrotik router we achieve this by configuring one destination NAT entry. With this entry we tell our router that if a request arrives from the internet for the web server, it should forward that traffic to our internal web server.

Step by step the whole process is shown graphically below.

First of all, we will go to the "NAT" option from the "Firewall" menu and there we will create a destination NAT rule.


Now go to the "General" tab and select "dstnat" as the "Chain" value. Write your public IP address in the "Dst. Address" field. Select "TCP" in the "Protocol" field. Finally, write the destination port number in the "Dst. Port" field; the web service uses TCP port 80.


Now navigate to the "Action" tab and select "dst-nat" as the "Action" value. In the "To Address" field, write the IP address of the server on which the web service is running. In the "To Port" field, write the port number that our web server uses for that service.


Finally, click "Apply" and then "OK". A destination NAT entry will be added as follows.


From now on, if a request arrives at the router from the internet for the web server, the router will redirect it to our internal web server at 10.168.1.247.

This is the whole process for Mikrotik port forwarding. We can also call it Mikrotik Destination NAT.
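The destination NAT rule built in the WinBox screenshots of the two web server posts ("Mikrotik Port Forwarding Port 80" and "Port Forwarding Mikrotik Web Server"), written as terminal commands, plus the two rules the screenshots do not show but a practitioner needs alongside it. This is an added example, not the posts' own configuration. The server address 10.168.1.247 and TCP port 80 are from the posts; the WAN interface ether1, the public address 203.0.113.10 and the LAN range 10.168.1.0/24 are placeholders I chose.

```routeros
# Added example, not the post's own rules. From the post: server 10.168.1.247, TCP port 80.
# Assumed placeholders: WAN interface ether1 with public IP 203.0.113.10, LAN 10.168.1.0/24.

# The post's destination NAT rule. Matching on dst-address rather than in-interface lets the
# same rule also serve LAN clients that connect to the public address.
/ip firewall nat add chain=dstnat dst-address=203.0.113.10 protocol=tcp dst-port=80 \
    action=dst-nat to-addresses=10.168.1.247 to-ports=80 comment="fwd-web"

# Hairpin NAT. A LAN client connecting to 203.0.113.10 is dst-natted to the server, but the
# server would answer the client directly on the LAN and the client would discard the reply.
# Masquerading that LAN-to-server leg forces the reply back through the router.
/ip firewall nat add chain=srcnat src-address=10.168.1.0/24 dst-address=10.168.1.247 \
    protocol=tcp dst-port=80 action=masquerade comment="hairpin-web"

# If the forward chain drops new connections from the WAN (the usual hardened setup), admit
# only connections that actually matched a dst-nat rule. This rule must sit above the drop.
/ip firewall filter add chain=forward connection-state=new connection-nat-state=dstnat \
    in-interface=ether1 action=accept comment="allow-dstnat-from-wan"

# The router's own WebFig also listens on TCP 80. dstnat is evaluated before input, so
# public:80 now reaches the server, but keep the management service reachable from the LAN only.
/ip service set www address=10.168.1.0/24
```

After adding the rules, "/ip firewall nat print stats" shows the packet counter of "fwd-web" increasing when a client outside connects, and "/ip firewall connection print where dst-address~"10.168.1.247:80"" lists the translated sessions.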


Windows RDP Port Forwarding

First of all, we are going to discuss what port forwarding is and why it is being used. Then we move on to the details of how to configure port forwarding for Remote Desktop Protocol in Mikrotik Router.

Port forwarding is required to reach a service that runs behind our router from the internet. It is the process of forwarding traffic that originates on the internet, or outside the local network, to a specific internal destination.

Suppose you have a service running on your local network that is accessible only to your local users. Now you want to publish that service on the internet so that any internet user can reach it from anywhere in the world. Internet users send their request to the router using the service's port number, and the router checks its forwarding table for an entry matching that port. Every router maintains a port forwarding table that lists every service (port number) that is meant to be reachable from the internet, together with the computer that provides that service. That is how the router can redirect the traffic to the specific destination the internet user is looking for. This works like "Destination NAT" or "PAT (Port Address Translation)".

Assume that we have a Remote Desktop server running on our local network. Only our LAN users can access this RDP server; internet users cannot, because the server is not published on the internet. Now we want to make this Remote Desktop server available on the internet. We have two options. The first is to assign a public IP address directly to the Remote Desktop server, which makes it available on the internet automatically. The second is to have our router forward RDP requests to our internal Remote Desktop server, which is called port forwarding.

In this tutorial we are going to learn how to perform port forwarding on the Mikrotik router.

In the Mikrotik router we achieve this by configuring one destination NAT entry. With this entry we tell our router that if a request arrives from the internet for the Remote Desktop server, it should forward that traffic to our internal Remote Desktop server.

Step by step the whole process is shown graphically below.

First of all, we will go to the "NAT" option from the "Firewall" menu and there we will create a destination NAT rule.


Now go to the "General" tab and select "dstnat" as the "Chain" value. Write your public IP address in the "Dst. Address" field. Select "TCP" in the "Protocol" field. Finally, write the destination port number in the "Dst. Port" field; the RDP service uses TCP port 3389.


Now navigate to the "Action" tab and select "dst-nat" as the "Action" value. In the "To Address" field, write the IP address of the server on which the RDP service is running. In the "To Port" field, write the port number that our RDP server uses for that service.


Finally, click "Apply" and then "OK". A destination NAT entry will be added as follows.


From now on, if a request arrives at the router from the internet for the Remote Desktop server, the router will redirect it to our internal RDP server at 10.168.1.247.

This is the whole process for Mikrotik port forwarding. We can also call it Mikrotik Destination NAT.
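The SSH (TCP 22) and RDP (TCP 3389) forwarding rules from the "Port Forwarding SSH Server" and "Windows RDP Port Forwarding" posts as terminal commands. This is an added example, not the posts' own configuration. Both are administrative services, so it goes one step beyond the posts: the dst-nat rules only fire for sources on an address list, and everything else that knocks on those ports is logged and dropped, which makes password-guessing attempts visible instead of silently delivering them to the server. The server address 10.168.1.247 and the ports are from the posts; the WAN interface ether1, public address 203.0.113.10, LAN range 10.168.1.0/24 and administrator network 198.51.100.0/24 are placeholders I chose.

```routeros
# Added example, not the posts' own rules. From the posts: server 10.168.1.247, TCP 22 and 3389.
# Assumed placeholders: WAN ether1 with public IP 203.0.113.10, LAN 10.168.1.0/24,
# administrator source network 198.51.100.0/24.

# Who may reach the forwarded admin services from the internet.
/ip firewall address-list add list=remote-admins address=198.51.100.0/24 comment="office egress"

# Forward SSH and RDP only for listed sources. Unlisted sources are not translated at all, so
# for them the packet stays addressed to the router and ends up in the input chain below.
/ip firewall nat add chain=dstnat in-interface=ether1 dst-address=203.0.113.10 protocol=tcp \
    dst-port=22 src-address-list=remote-admins action=dst-nat to-addresses=10.168.1.247 \
    to-ports=22 comment="fwd-ssh"
/ip firewall nat add chain=dstnat in-interface=ether1 dst-address=203.0.113.10 protocol=tcp \
    dst-port=3389 src-address-list=remote-admins action=dst-nat to-addresses=10.168.1.247 \
    to-ports=3389 comment="fwd-rdp"

# Let the translated connections through a default-drop forward chain (place above the drop).
/ip firewall filter add chain=forward connection-state=new connection-nat-state=dstnat \
    in-interface=ether1 protocol=tcp dst-port=22,3389 action=accept comment="allow-fwd-ssh-rdp"

# Everyone else hitting 22/3389 on the public address: log and drop. The entries appear in
# /log with the prefix below and can be shipped to a syslog collector via /system logging.
/ip firewall filter add chain=input in-interface=ether1 protocol=tcp dst-port=22,3389 \
    connection-state=new action=drop log=yes log-prefix="wan-admin-port-probe"

# RouterOS's own SSH service listens on 22 as well; keep it reachable from the LAN only.
/ip service set ssh address=10.168.1.0/24
```

"/log print where message~"wan-admin-port-probe"" then gives a running record of unsolicited connection attempts to the two ports, and "/ip firewall address-list print where list=remote-admins" is the single place to review who is allowed in.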