https://wiki.mikrotik.com/index.php?title=Manual:Failover_with_firewall_marking&feed=atom&action=history
Manual:Failover with firewall marking - Revision history
2024-03-28T19:47:48Z
Revision history for this page on the wiki
MediaWiki 1.38.2
https://wiki.mikrotik.com/index.php?title=Manual:Failover_with_firewall_marking&diff=33507&oldid=prev
Artursc at 07:55, 24 July 2019
2019-07-24T07:55:59Z
<table style="background-color: #fff; color: #202122;" data-mw="interface">
<col class="diff-marker" />
<col class="diff-content" />
<col class="diff-marker" />
<col class="diff-content" />
<tr class="diff-title" lang="en">
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">← Older revision</td>
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">Revision as of 07:55, 24 July 2019</td>
</tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l15">Line 15:</td>
<td colspan="2" class="diff-lineno">Line 15:</td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div></pre></div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div></pre></div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><h4>Mangle and <del style="font-weight: bold; text-decoration: none;">NAT</del></h4></div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><h4>Mangle<ins style="font-weight: bold; text-decoration: none;">, NAT </ins>and <ins style="font-weight: bold; text-decoration: none;">Filter rules</ins></h4></div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>Connections going through the ether1 interface is marked as <b>"first"</b> and packets going through the ether2 is marked as <b>"other"</b>.</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>Connections going through the ether1 interface is marked as <b>"first"</b> and packets going through the ether2 is marked as <b>"other"</b>.</div></td></tr>
</table>
Artursc
https://wiki.mikrotik.com/index.php?title=Manual:Failover_with_firewall_marking&diff=33506&oldid=prev
Artursc at 07:53, 24 July 2019
2019-07-24T07:53:45Z
<table style="background-color: #fff; color: #202122;" data-mw="interface">
<col class="diff-marker" />
<col class="diff-content" />
<col class="diff-marker" />
<col class="diff-content" />
<tr class="diff-title" lang="en">
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">← Older revision</td>
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">Revision as of 07:53, 24 July 2019</td>
</tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l17">Line 17:</td>
<td colspan="2" class="diff-lineno">Line 17:</td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div><h4>Mangle and NAT</h4></div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div><h4>Mangle and NAT</h4></div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>Connections going through the <del style="font-weight: bold; text-decoration: none;">ehter1 </del>interface is marked as <b>"first"</b> and packets going through the ether2 is marked as <b>"other"</b>.</div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>Connections going through the <ins style="font-weight: bold; text-decoration: none;">ether1 </ins>interface is marked as <b>"first"</b> and packets going through the ether2 is marked as <b>"other"</b>.</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div><pre></div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div><pre></div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>/ip firewall mangle</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>/ip firewall mangle</div></td></tr>
</table>
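Review bot: the corrected sentence still has an agreement problem and an inconsistent subject: "Connections ... is marked" and "packets going through the ether2 is marked" both use "is" after a plural noun, and the first half says "connections" while the second says "packets" although the sentence describes one pair of marking rules under the `/ip firewall mangle` block that follows. Suggest: "Connections going through the ether1 interface are marked "first" and connections going through the ether2 interface are marked "other"."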
Artursc
https://wiki.mikrotik.com/index.php?title=Manual:Failover_with_firewall_marking&diff=33505&oldid=prev
Artursc at 07:52, 24 July 2019
2019-07-24T07:52:20Z
<table style="background-color: #fff; color: #202122;" data-mw="interface">
<col class="diff-marker" />
<col class="diff-content" />
<col class="diff-marker" />
<col class="diff-content" />
<tr class="diff-title" lang="en">
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">← Older revision</td>
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">Revision as of 07:52, 24 July 2019</td>
</tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l33">Line 33:</td>
<td colspan="2" class="diff-lineno">Line 33:</td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>When the primary link will fail, we will reject all the established connections, so a new connections will pass through the secondary link. The same behavior will happen when a primary link will come back again and here we will prevent local IP leakage to a public network, which is one of <span class="plainlinks">[https://wiki.mikrotik.com/wiki/Manual:IP/Firewall/NAT#Masquerade masquerades disadvantages]</span>. </div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>When the primary link will fail, we will reject all the established connections, so a new connections will pass through the secondary link. The same behavior will happen when a primary link will come back again and here we will prevent local IP leakage to a public network, which is one of <span class="plainlinks">[https://wiki.mikrotik.com/wiki/Manual:IP/Firewall/NAT#Masquerade masquerades disadvantages]</span>. </div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div><pre></div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div><pre></div></td></tr>
<tr><td colspan="2" class="diff-side-deleted"></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;">/ip firewall filter</ins></div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>add action=reject chain=forward connection-mark=other out-interface=ether1 reject-with=icmp-network-unreachable</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>add action=reject chain=forward connection-mark=other out-interface=ether1 reject-with=icmp-network-unreachable</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>add action=reject chain=forward connection-mark=first out-interface=ether2 reject-with=icmp-network-unreachable</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>add action=reject chain=forward connection-mark=first out-interface=ether2 reject-with=icmp-network-unreachable</div></td></tr>
</table>
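Review bot: adding the `/ip firewall filter` path puts the two reject rules in the right table, but `add` appends them to the end of the forward chain, so whether they ever see the traffic depends on the rules already there; if an accept for established connections precedes them, packets of a connection marked `other` leaving via ether1 (or `first` via ether2) are accepted before reaching the reject, and the sentence above ("we will reject all the established connections") no longer holds. Suggest stating that these two rules must sit before any accept-established rule in the forward chain, or adding `place-before=` to the two `add` commands.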
Artursc
https://wiki.mikrotik.com/index.php?title=Manual:Failover_with_firewall_marking&diff=33503&oldid=prev
Artursc: Created page with "<h2>Summary</h2> This example demonstrates how to set up failover with a Firewall mangle, filter and NAT rules. <h2>Application example</h2> [[File:Dual-wan.png|300px|center]..."
2019-07-24T07:49:54Z
<p><b>New page</b></p><div><h2>Summary</h2><br />
This example demonstrates how to set up failover between two upstream links using firewall mangle, NAT and filter rules.<br />
<h2>Application example</h2><br />
<br />
[[File:Dual-wan.png|300px|center]]<br />
<br />
<h4>IP address</h4><br />
In this example our provider assigned two upstream links, one connected to <b>ether1</b> and the other to <b>ether2</b>. Our local network has two subnets, 192.168.1.0/24 and 192.168.2.0/24.<br />
<pre><br />
/ip address<br />
add address=10.1.101.18/24 interface=ether1 <br />
add address=10.1.200.18/24 interface=ether2<br />
add address=192.168.1.1/24 interface=Local<br />
add address=192.168.2.1/24 interface=Local<br />
</pre><br />
<br />
<h4>Mangle, NAT and Filter rules</h4><br />
<br />
Connections routed out through the ether1 interface are marked <b>"first"</b> and connections routed out through the ether2 interface are marked <b>"other"</b>. Only unmarked connections are matched (<code>connection-mark=no-mark</code>), so a connection keeps the mark of the link it was first sent over even after the routing changes.<br />
<pre><br />
/ip firewall mangle<br />
add action=mark-connection chain=forward connection-mark=no-mark new-connection-mark=first out-interface=ether1 passthrough=yes<br />
add action=mark-connection chain=forward connection-mark=no-mark new-connection-mark=other out-interface=ether2 passthrough=yes<br />
</pre><br />
<br />
Instead of masquerade we use src-nat for the local networks. Purging its connection tracking entries when the link goes down is one of masquerade's main features, and we do not want that here: a connection should keep its NAT binding to the link it started on. Each rule translates to the single address configured on its outgoing interface. Connections that end up on the wrong link are restricted with firewall filter rules later in this example.<br />
<pre><br />
/ip firewall nat<br />
add action=src-nat chain=srcnat out-interface=ether1 to-addresses=10.1.101.18<br />
add action=src-nat chain=srcnat out-interface=ether2 to-addresses=10.1.200.18<br />
</pre><br />
<br />
When the primary link fails, the routes switch to the secondary link and packets of the established connections marked <b>"first"</b> would now leave through ether2; we reject them, so the clients open new connections, which pass through the secondary link. The same happens when the primary link comes back: connections marked <b>"other"</b> that are now routed out through ether1 are rejected. This also avoids the local IP leakage to a public network that masquerade shows in this situation, which is one of <span class="plainlinks">[https://wiki.mikrotik.com/wiki/Manual:IP/Firewall/NAT#Masquerade masquerade's disadvantages]</span>. The reject is answered with ICMP network unreachable so the client fails fast instead of waiting for a timeout. Rules in a chain are evaluated in order, so these two rules must be placed before any rule that accepts established connections in the forward chain.<br />
<pre><br />
/ip firewall filter<br />
add action=reject chain=forward connection-mark=other out-interface=ether1 reject-with=icmp-network-unreachable<br />
add action=reject chain=forward connection-mark=first out-interface=ether2 reject-with=icmp-network-unreachable<br />
</pre><br />
<br />
<h4>Routes</h4><br />
We add two default routes. The <code>distance</code> parameter sets the route preference, and <code>check-gateway=ping</code> disables the primary route while its gateway does not answer, so the route with distance 2 takes over; once the gateway replies again the primary route becomes active and traffic returns to ether1:<br />
<pre><br />
/ip route add gateway=10.1.101.1 distance=1 check-gateway=ping<br />
/ip route add gateway=10.1.200.1 distance=2<br />
</pre></div>
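The steps above combined into one importable RouterOS script, as an added example that is not part of the original wiki page or of MikroTik's own documentation. It uses the page's interface names and addresses; the interface list "WAN", the address list "LAN_NETS", the two extra forward rules after the reject rules, and the check commands at the end are assumptions made for this example. The block also fixes the rule ordering the filter section depends on: the reject rules go before the accept for established connections.

```routeros
# Added example, not from the original wiki page: the whole dual-WAN
# failover in one script, with the rule ordering the filter section
# depends on and the commands used to check which link a connection is
# bound to. Assumed for this example (not on the page): the interface
# list "WAN", the address list "LAN_NETS", and the two forward rules
# that follow the reject rules.

/interface list
add name=WAN
/interface list member
add interface=ether1 list=WAN
add interface=ether2 list=WAN

/ip address
add address=10.1.101.18/24 interface=ether1
add address=10.1.200.18/24 interface=ether2
add address=192.168.1.1/24 interface=Local
add address=192.168.2.1/24 interface=Local

# Only these source networks are translated (assumed list name).
/ip firewall address-list
add address=192.168.1.0/24 list=LAN_NETS
add address=192.168.2.0/24 list=LAN_NETS

# A new connection is marked with the link it is first routed over;
# connection-mark=no-mark keeps an existing mark from being overwritten
# when the routing later changes.
/ip firewall mangle
add chain=forward connection-mark=no-mark out-interface=ether1 \
    action=mark-connection new-connection-mark=first passthrough=yes \
    comment="first packet left via primary"
add chain=forward connection-mark=no-mark out-interface=ether2 \
    action=mark-connection new-connection-mark=other passthrough=yes \
    comment="first packet left via secondary"

# src-nat to the single address of each uplink. Unlike masquerade, the
# binding is not purged when a link goes down.
/ip firewall nat
add chain=srcnat src-address-list=LAN_NETS out-interface=ether1 \
    action=src-nat to-addresses=10.1.101.18
add chain=srcnat src-address-list=LAN_NETS out-interface=ether2 \
    action=src-nat to-addresses=10.1.200.18

# Reject flows that are about to leave through the link they were not
# started on. These two rules come first: an earlier
# "accept established,related" would pass the packets before they get here.
/ip firewall filter
add chain=forward connection-mark=other out-interface=ether1 \
    action=reject reject-with=icmp-network-unreachable \
    comment="primary is back: kill flows bound to secondary"
add chain=forward connection-mark=first out-interface=ether2 \
    action=reject reject-with=icmp-network-unreachable \
    comment="primary failed: kill flows bound to primary"
add chain=forward connection-state=established,related action=accept
add chain=forward in-interface-list=WAN connection-state=new \
    connection-nat-state=!dstnat action=drop \
    comment="no unsolicited inbound from either uplink"

/ip route
add gateway=10.1.101.1 distance=1 check-gateway=ping
add gateway=10.1.200.1 distance=2

# Checks: the active default route (flag A) and the mark each tracked
# flow carries. After pulling ether1, "first" entries should disappear
# as clients reconnect and reappear as "other".
/ip route print where dst-address=0.0.0.0/0
/ip firewall connection print where connection-mark=first
/ip firewall connection print where connection-mark=other
```

Paste the script into the terminal or save it as an .rsc file and load it with `/import`. Two caveats a practitioner should keep in mind: `check-gateway=ping` only tests the next hop, so a provider gateway that still answers while its own upstream is down keeps the primary route active (checking a host beyond the gateway with a recursive route or `/tool netwatch` is the usual remedy), and the reject rules only work as described while they precede the accept for established connections, so re-check the forward chain order after any later `add`.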
Artursc