Saturday, November 7, 2020

Mikrotik Secondary WAN

A secondary WAN connection is essential for any organization that depends on uninterrupted internet access, and it is mandatory for businesses whose work relies entirely on the internet. That is why such organizations configure their router for redundant internet access, also called a dual internet connection. In this tutorial we discuss how to configure a Mikrotik router for dual internet access, that is, for a secondary ISP.

First of all, we have to configure NAT for both ISPs. We assume that the first ISP's gateway address is 1.1.1.1 and the second ISP's gateway address is 2.2.2.2. For the NAT action we can use either "masquerade" or "src-nat"; in this tutorial we use "src-nat".

NAT configuration for ISP-1:-


NAT configuration for ISP-2:-


Now we configure the route entries. We have to add a default route for each ISP.

Route for ISP-1


Route for ISP-2


Now we use the "Distance" parameter to reach our goal. If the router finds multiple gateways to the same destination, it compares their "Distance" values and prefers the route with the lowest value. If the selected (lowest-distance) route fails or becomes unreachable, the route with the next distance value is selected automatically for routing traffic.

In this tutorial we use distance value 1 for ISP-1 and distance value 2 for ISP-2, so that if ISP-1 connectivity is broken or unreachable, all traffic switches to ISP-2 without any user interaction. We also set the "Check Gateway" value to "Ping", so that the router monitors that gateway's availability. If the router gets no response for 20 seconds, it decides that the gateway is dead or unreachable and transfers all traffic to the second gateway automatically. When ISP-1 becomes reachable again, all traffic switches back to ISP-1 automatically.

For ISP-1 entry:-


For ISP-2 entry:-


All work is done. From now on, the router prefers ISP-1 for outgoing traffic because its "Distance" value is lower than ISP-2's. At the same time, if ISP-1 goes down for any reason, all traffic switches to ISP-2 automatically because its "Distance" value is the next one after ISP-1's.

But this process is not effective if the link is broken between ISP-1 and its own upstream gateway. In that case you lose internet access, because ISP-1 has no internet connectivity, yet the router will not switch to ISP-2, because the link between our router and the ISP-1 gateway is still reachable. In this situation the process does not work.

To overcome this issue, we use the "Netwatch" tool, which is built into the Mikrotik router.

Netwatch monitors the status of a network or a link. At regular intervals it sends a ping request to a predefined host or network. If for some reason it gets no ping response from that host, it can send a notification by email or SMS to the system admin or user, or re-route traffic to a different ISP or gateway.

Whenever a change in the link status is detected, the related action is taken. Netwatch does this with the help of scripts: whenever the link status changes, the script associated with the new status is started.

In this tutorial we discuss how to re-route traffic to the secondary ISP or gateway if the primary ISP or gateway goes down, and at the same time how to get back to the primary ISP or gateway when it comes back.

At this point we already know that the "Netwatch" tool can monitor a gateway or a server link by pinging a device located on the internet. If that link or server goes down for any reason, the tool disables the failed gateway link and at the same time enables the secondary gateway link. All of this is done by executing the scripts that we have to configure in the Netwatch tool.

In this case, no matter which link is down, whether it is the link from our router to ISP-1 or the link from ISP-1 to its upstream gateway, the router switches to the secondary ISP automatically.

Now we discuss the script that the "Netwatch" tool executes if the primary gateway goes down. We assume that our primary ISP gateway address is 1.1.1.1 and our secondary ISP gateway address is 2.2.2.2. We further assume that Netwatch continuously sends ping requests to the 8.8.8.8 server on the internet through the primary ISP gateway, and to the 8.8.4.4 server through the secondary ISP gateway. If for some reason it gets no ping response from one of those servers within the configured period, it disables the corresponding gateway: if Netwatch gets no response from the 8.8.8.8 server, it disables the ISP-1 gateway 1.1.1.1, and in the same way, if it gets no response from the 8.8.4.4 server, it disables the second ISP gateway 2.2.2.2. Once a response comes back, it enables that gateway again automatically.

At this point we add two more routes to trace the link status of ISP-1 and ISP-2: traffic to 8.8.8.8 is sent via ISP-1 and traffic to 8.8.4.4 via ISP-2.

To trace the ISP-1 link we add the following route:-


To trace the ISP-2 link we add the following route:-


Now we write the scripts.

The script for disabling the primary route:-

ip route disable [find gateway="1.1.1.1"]

[Note:- If we put a comment on the primary gateway entry, we can use that comment instead to disable that gateway]

ip route disable [find comment="write_your_comment"]

For example:- ip route disable [find comment="backup route"]
or
ip route disable [/ip route find comment="my comment"]

For example:- ip route disable [/ip route find comment="backup route"]

In the same way, the script for enabling the secondary route:-

ip route enable [find gateway="2.2.2.2"]
or
ip route enable [find comment="write_your_comment"]

For example:- ip route enable [find comment="backup route"]
or
ip route enable [/ip route find comment="my comment"]

For example:- ip route enable [/ip route find comment="backup route"]


How to configure those scripts in the Netwatch tool is shown in the pictures below:-

First of all, open the Netwatch tool and create a rule.


In the new rule, write the target server address 8.8.8.8 in the "Host" field and leave the rest at their defaults. Requests are sent using our primary gateway, 1.1.1.1.


Now click on the "Down" tab and write the code below:-

ip route disable [find gateway="1.1.1.1"]

When Netwatch gets no response from the 8.8.8.8 server, this script is executed, and as a result the 1.1.1.1 gateway is disabled.


Now go to the "Up" tab and write the code below:-

ip route enable [find gateway="1.1.1.1"]

When it starts getting responses from the 8.8.8.8 server again, this script is executed, and as a result the 1.1.1.1 gateway is activated.


One more thing we have to do is disable the associated NAT entry for that route. If the NAT entry stays enabled for that route, all matching traffic is translated and then forwarded towards the gateway that the Netwatch script has already disabled. As a result, all that traffic is dropped.

To disable the associated NAT entry we run another script as part of the Netwatch action. We can run multiple scripts from a single Netwatch entry, or add multiple Netwatch entries, one per script. Here we use the multiple-Netwatch-entries method.

Now we add another entry for the 8.8.8.8 server.


Now go to the "Up" tab and write the code below:-

ip firewall nat enable numbers=0

Here the "numbers" parameter value is the serial number of the NAT entry, that is:-


The "numbers" value in the script must be the same as your NAT entry's serial number. In this example we use 0 because the NAT entry we want to disable has serial number 0.


Now for the "Down" tab, write the code below:-

ip firewall nat disable numbers=0


From now on, if the primary link goes down, our primary route is disabled and its associated NAT entry is disabled as well. When the link comes back, both the route entry and the NAT entry are enabled again.

Now we add an entry for the 8.8.4.4 server. Add a new rule and write the server address 8.8.4.4 in the "Host" field. It sends ping requests using the second ISP, 2.2.2.2.


Now click on the "Down" tab and write the code below:-

ip route disable [find gateway="2.2.2.2"]

When Netwatch gets no response from the 8.8.4.4 server, this script is executed, and as a result the 2.2.2.2 gateway is disabled.


Now go to the "Up" tab and write the code below:-

ip route enable [find gateway="2.2.2.2"]

When it starts getting responses from the 8.8.4.4 server again, this script is executed, and as a result the 2.2.2.2 gateway is activated.


Now we add another entry to disable the NAT entry associated with that gateway.


Write the code below in the "Up" tab.

ip firewall nat enable numbers=1

Here we use the "numbers" parameter value 1 because the serial number of that NAT entry is 1.


Now write the code for the "Down" tab.

ip firewall nat disable numbers=1


Finally, click on "Apply" and then "OK".

One more thing is required to complete the setup. If our primary link goes down, the router must stop receiving responses from the 8.8.8.8 server; otherwise none of the scripts we wrote will be executed. Normally, when the Mikrotik router cannot reach the 8.8.8.8 server via the primary gateway 1.1.1.1, it tries to reach it via the secondary gateway 2.2.2.2, and this time it succeeds. Because the host is reachable, no script is executed.

That is why we have to stop the Mikrotik router from reaching the 8.8.8.8 server through the secondary gateway. We can do this with a firewall rule that drops all connections to the 8.8.8.8 server going out through the secondary gateway. The rule is as follows:-

ip firewall filter add chain=output dst-address=8.8.8.8 protocol=icmp out-interface=ether7 action=drop

The same applies to the 8.8.4.4 server.

ip firewall filter add chain=output dst-address=8.8.4.4 protocol=icmp out-interface=ether8 action=drop


In this example we are connected to the second ISP via the ether7 interface, so we select ether7 as the output interface. For the 8.8.4.4 server we select out-interface ether8, because that interface is connected to our primary ISP.

From now on, if the "Netwatch" tool gets no ping response from the 8.8.8.8 or 8.8.4.4 server, it executes those scripts. No matter which link is down, ours or the ISP's, the router switches automatically. At the same time, when our primary ISP or gateway comes back, the secondary ISP or gateway becomes the backup again and the primary ISP is activated.
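As an added example that is not part of the original post, here is the whole setup above collected into one RouterOS CLI script. It assumes ISP-1 on ether8 (gateway 1.1.1.1) and ISP-2 on ether7 (gateway 2.2.2.2), as in the filter rules above, and constructed WAN addresses 198.51.100.10 and 203.0.113.10 for src-nat. It matches routes and NAT rules by comment instead of by gateway or by "numbers=": "find gateway=1.1.1.1" would also disable the probe route to 8.8.8.8 (the probe would then leave via ISP-2, hit the drop rule, and never report the link as up again), and rule numbers shift whenever a rule is added or removed.

```routeros
# Added example, not from the original post. Assumed layout, matching the
# filter rules in the post: ISP-1 on ether8 via 1.1.1.1, ISP-2 on ether7 via
# 2.2.2.2. WAN addresses 198.51.100.10 / 203.0.113.10 are constructed values.

# 1. NAT: one src-nat rule per ISP, each tagged with a comment so the
#    Netwatch scripts can find it by name instead of by list position.
/ip firewall nat
add chain=srcnat out-interface=ether8 action=src-nat \
    to-addresses=198.51.100.10 comment="nat-isp1"
add chain=srcnat out-interface=ether7 action=src-nat \
    to-addresses=203.0.113.10 comment="nat-isp2"

# 2. Default routes: distance picks the preferred ISP, check-gateway=ping
#    handles the case where the ISP gateway itself stops answering.
/ip route
add dst-address=0.0.0.0/0 gateway=1.1.1.1 distance=1 check-gateway=ping \
    comment="default-isp1"
add dst-address=0.0.0.0/0 gateway=2.2.2.2 distance=2 check-gateway=ping \
    comment="default-isp2"

# 3. Probe routes: pin each probe host to its own ISP so that a failed probe
#    really means that ISP's path to the internet is broken.
add dst-address=8.8.8.8/32 gateway=1.1.1.1 comment="probe-isp1"
add dst-address=8.8.4.4/32 gateway=2.2.2.2 comment="probe-isp2"

# 4. Never let a probe leak out through the other ISP (the post's drop rules).
/ip firewall filter
add chain=output dst-address=8.8.8.8 protocol=icmp out-interface=ether7 \
    action=drop comment="drop probe-isp1 via isp2"
add chain=output dst-address=8.8.4.4 protocol=icmp out-interface=ether8 \
    action=drop comment="drop probe-isp2 via isp1"

# 5. Netwatch: one entry per probe host. Both scripts match by comment, which
#    leaves the probe-* routes enabled so the "up" script can still fire.
/tool netwatch
add host=8.8.8.8 interval=10s timeout=1s \
    down-script="/ip route disable [find comment=\"default-isp1\"]; /ip firewall nat disable [find comment=\"nat-isp1\"]" \
    up-script="/ip route enable [find comment=\"default-isp1\"]; /ip firewall nat enable [find comment=\"nat-isp1\"]"
add host=8.8.4.4 interval=10s timeout=1s \
    down-script="/ip route disable [find comment=\"default-isp2\"]; /ip firewall nat disable [find comment=\"nat-isp2\"]" \
    up-script="/ip route enable [find comment=\"default-isp2\"]; /ip firewall nat enable [find comment=\"nat-isp2\"]"
```

After pasting it into the terminal, "/ip route print" and "/tool netwatch print" show the comments and the current up/down status of each probe, which is the quickest way to confirm the failover is wired up as intended.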

