ECMP Failover Script
How to do automatic ECMP failover
This script demonstrates one method of doing automatic failover using the Netwatch function and using scripting to enable or disable gateways. This is probably not the most efficient way, but it works. I would welcome any input on how it can be improved.
You have 2 lines going out to the internet - 10.0.0.12 and 10.0.0.13. You have set up a mangle rule to mark HTTP traffic (optional) and want to route HTTP along the 2 lines using load balancing.
You setup the mangle:
/ip firewall mangle add chain=prerouting protocol=tcp dst-port=80 action=mark-routing new-routing-mark=ecmp-http-route passthrough=yes comment="Route HTTP traffic to ECMP" disabled=no
You set up ECMP (Equal Cost Multipath Routing) by using something like
/ip route add dst-address=0.0.0.0/0 gateway=10.0.0.12,10.0.0.13 routing-mark=ecmp-http-route comment="ECMP route for HTTP"
Now you have ECMP for HTTP only. This is nice because MSN Messenger, banking websites and other programs and problem sites will not be broken, as they might be if you used ECMP for all protocols.
What I then do is for example mark SMTP traffic and route this out through 10.0.0.12:
/ip firewall mangle add chain=prerouting protocol=tcp dst-port=25 action=mark-routing new-routing-mark=smtp-out passthrough=yes comment="SMTP Traffic" disabled=no
/ip route add dst-address=0.0.0.0/0 gateway=10.0.0.12 routing-mark=smtp-out comment="SMTP Traffic out"
and route all other traffic through 10.0.0.13
/ip route add dst-address=0.0.0.0/0 gateway=10.0.0.13 comment="Default Route to Internet"
Then I need to setup 2 routes to specific addresses to force the router through specific gateways to "test" the links. These should not be popular addresses with your users! Otherwise when a gateway goes down they will have no access to those sites. The addresses I am using as an example are 184.108.40.206 to test 10.0.0.12, and 220.127.116.11 to test 10.0.0.13.
Next I use the Netwatch Function to switch all traffic to the working gateway should any of the gateways fail:
/ tool netwatch
add host=18.104.22.168 timeout=2s interval=30s \
    up-script="/ip route set [find comment=\"Default Route to Internet\"] gateway=10.0.0.13" \
    down-script="/ip route set [find comment=\"Default Route to Internet\"] gateway=10.0.0.12" \
    comment="" disabled=no
add host=22.214.171.124 timeout=2s interval=30s \
    up-script="/ip route set [find comment=\"SMTP Traffic out\"] gateway=126.96.36.199" \
    down-script="/ip route set [find comment=\"SMTP Traffic out\"] gateway=10.0.0.13" \
    comment="" disabled=no
The problem is that the ECMP HTTP route will still be active, so HTTP traffic won't work when one gateway is down. Therefore I have 2 scripts that check whether both gateways are up or down and take action accordingly:
/ system script add name="ecmp-startup" source=":if ([/ping 188.8.131.52 count=1]=1
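The following is an added example of such a gateway check, not the page's own script. It goes a little beyond the text: rather than only disabling the ECMP route when a gateway fails, it collapses the route to the surviving gateway and disables it only when both are down. It assumes the test addresses from the text above (184.108.40.206 via 10.0.0.12, 220.127.116.11 via 10.0.0.13) and the route comment "ECMP route for HTTP"; the script name ecmp-check and the three-ping threshold are arbitrary choices.

```routeros
# Added example script (not from the original page).
# Save as a script named "ecmp-check" and run it from a scheduler.
# Assumption: 184.108.40.206 is forced via 10.0.0.12 and 220.127.116.11
# via 10.0.0.13 by the static test routes described in the text.
:local gw1up ([/ping 184.108.40.206 count=3] > 0)
:local gw2up ([/ping 220.127.116.11 count=3] > 0)
:local ecmp [/ip route find comment="ECMP route for HTTP"]

:if ($gw1up && $gw2up) do={
    # Both links answer: HTTP is load-balanced over both gateways again.
    /ip route set $ecmp gateway=10.0.0.12,10.0.0.13 disabled=no
    :log info "ecmp-check: both gateways up, ECMP restored"
} else={
    :if ($gw1up) do={
        # Only 10.0.0.12 works: keep HTTP on that gateway alone.
        /ip route set $ecmp gateway=10.0.0.12 disabled=no
        :log warning "ecmp-check: 10.0.0.13 down, HTTP via 10.0.0.12 only"
    } else={
        :if ($gw2up) do={
            # Only 10.0.0.13 works: keep HTTP on that gateway alone.
            /ip route set $ecmp gateway=10.0.0.13 disabled=no
            :log warning "ecmp-check: 10.0.0.12 down, HTTP via 10.0.0.13 only"
        } else={
            # Neither link answers: disable the marked route so HTTP falls
            # through to whatever default route is left, and make it visible.
            /ip route set $ecmp disabled=yes
            :log error "ecmp-check: both gateways down, ECMP route disabled"
        }
    }
}
```

Schedule it with `/system scheduler add name=ecmp-check interval=30s on-event=ecmp-check`; the log lines give you something to alert on when a gateway flaps.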