Routing failover

I have a business customer that leases out executive office space. The users are assigned static public IP’s from our IP space.

I want to add business DSL with static IP to the site, and have automatic failover. What would be required in a router to allow us to failover these customers in the event our service goes down?


Tell them that they should have another ISP connection :)

We have 3 ISPs that provide us with Internet connection, so when some of them goes down we reroute the traffic through another one automatically.

That’s what the DSL is for.

I need to figure out how to route the airCloud customer IP’s through the DSL connection.

If you want to route your ipset over someone else’s network you are going to have to VPN it.

Can't you get load balancing routers?

I think I figured out the easiest way.

Set up a Cisco 2600 with 3 Ethernet interfaces.

e0/0 - airCloud WAN
e0/1 - DSL WAN
e1/0 - LAN

Configure e0/0 as primary WAN route bridge mode.

Configure e0/1 as secondary WAN route and NAT the IP range. Customers using VPN may or may not be able to connect, but at least they will have Internet.

Configure e1/0 as LAN.

I’ll let you know if we get it to work.

Tsarles, that is actually a very smart way to do it.

Then just a simple load balancing router with VPN will do the job.

There’s a protocol specifically for that… However, I’m not sure that it’s what you’re looking for… but if it is:

HSRP - Hot Standby Router Protocol.

I can’t speak from experience, I’ve never used it. However, I would assume it would do the job with a router that supports it. … r_Protocol

HSRP is used on ciscos. We have a pair of ciscos that talk to each other using HSRP…if keep-alive packets are dropped from either one, the one that is good picks up where things left off.

Here is what we decided:

MikroTik with 2 WAN and 1 LAN

WAN1 = bridge only to airCloud network
WAN2 = NAT the IP’s to the DSL

Some users on older VPN software will be unable to connect, but most will. For everyone else it’s transparent.

Easy to implement, supportable, low cost.

HSRP is a simple setup, however that solves the problem of router redundancy, when in this case we are looking for WAN redundancy.

HSRP is Cisco proprietary, VRRP is the same thing but an open standard. I asked some Cisco people about better ways to do this. They said you would need to set up BGP, which isn’t a simple task, and would require some hefty routers.

Indeed so with VRRP…

That’s one reason why I like our cisco gear…HSRP works. It’s pretty sweet to see the whole shebang, IP’s and all, fail onto a completely separate piece of hardware.

WAN2 = NAT the IP's to the DSL

Jerry, what exactly do you mean here? What IP's are you NATing?

airCloud Router --> BH link --> AP --> SM --> Switches --> Multi Tenant customers with static public IP’s.

So the plan is

SM --> WAN1 Bridge ----Switches --> Multi Tenant customers with static public IP’s.
DSL -> WAN2 NAT -----/

We are going to try this with a MikroTik Router. It will ping our router and if it loses connectivity on WAN1 it will fail over to the DSL on WAN2 and NAT the IP addresses so nobody knows the difference.

We may have issues with a few users on old VPN technology but I can live with that.

If it works I plan to sell it as a mission critical solution for businesses that absolutely positively have to be up and running. Talk about a Telco killer.

Jerry if you really want true failover use 2 MikroTik’s running VRRP when one dies the other will take over. Any reason why you want to bridge WAN1? All you have to do is set up 2 default gateways

/ip route add gateway=x.x.x.x check-gateway=ping
/ip route add gateway=x.x.x.x distance=2

The first gateway will begin as its distance is smaller (default 0); the check-gateway will make sure it’s up; when the ping fails, it will disable the first gateway and the second will take over; when the first one comes up, it will return to its function.

As far as NAT

new nat rule
/ip firewall nat add chain=srcnat out-interface=WAN2 action=masquerade

this will NAT all traffic out WAN2 with the IP address of WAN2

thanks for the info.

I am less worried about the MikroTik failing (should I worry?) than I am our network failing. If an AP, BH, or more recently a CMM fails, it’s 1/2 day to get up there and get it replaced.

I have an RB532-4 on the way that will be pre-configured and ready to roll.

No you shouldn’t worry about it failing. I have a 20Mbps connection feeding the network. All traffic goes through a MikroTik router and my peak time it is hitting 20 quite often. That router also handles DHCP, QOS, Firewall and anything else I threw at it. It’s not a 532 though. I built it out of a SuperMicro Superserver with a P4 2Ghz processor, 512MB DDR, no hard drive or moving parts to wear out. MikroTik OS is installed on a 64MB DOM, and I stuck in a RB44 4 port NIC card giving me 6 1000BaseT ports all for about a grand. In 3 yrs I lost the RB44 card 1 due to a surge but no other failures and I never see the processor go over 15%. So don’t worry.

One neat thing about the 532 is it has 2 minipci slots that you can put Wireless 802.11 cards in and with the Nstream 2 feature in the software you can set up a point to point link using one 802.11 card to TX while the other RX in full duplex. I have seen a test of 3 532’s linked to 3 others using Nstream 2 802.11 Wireless in turbo mode and the guy was pumping 300Mbps through to the other side. 100Mbps per 532.

Sounds like MikroTik deserves more of my attention.

Thanks for the info.

MikroTik was the answer.

3 Port MikroTik configured as such:

Eth1 = bridged to my network (has an IP from my IP block)
Eth2 = DSL Natting Local IP Pool backup to Eth1
Eth3 = Local IP range

Eth 1 is continually pinging my edge router and as long as it’s up traffic is bridged transparently to my router. If pings stop for 30 sec, Eth3 is routed to Eth2 using NAT.

This was a ridiculously inexpensive solution and works great!
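The failover rule described in the post above (ping the edge router, switch to NAT over the DSL port once pings have stopped for 30 sec) can be modelled to see how long an outage lasts before the switch and that shorter drops do not trigger it. This is an added example, not the poster's configuration; the 5-second probe interval, the path names and the `recover_after` fail-back parameter are assumptions, since the thread does not state them.

```python
# Added example: model of the ping-based WAN failover described in the thread.
HOLD_DOWN_S = 30       # from the post: fail over after pings stop for 30 sec
PROBE_INTERVAL_S = 5   # assumption: the probe period is not given in the thread
PRIMARY = "eth1-bridge"  # hypothetical label: bridged path to the edge router
BACKUP = "eth2-nat"      # hypothetical label: NAT out the DSL port


def simulate(probes, interval=PROBE_INTERVAL_S, hold_down=HOLD_DOWN_S,
             recover_after=1):
    """Replay a list of probe results (True = edge router replied).

    Returns [(time_s, new_path), ...] for every path change.
    recover_after is the number of consecutive replies required before
    failing back (assumption; 1 means fail back on the first reply).
    """
    path = PRIMARY
    last_ok = 0      # time of the most recent reply; link assumed up at t=0
    ok_streak = 0    # consecutive replies, used to damp flapping on fail-back
    transitions = []
    for i, ok in enumerate(probes):
        now = i * interval
        if ok:
            last_ok = now
            ok_streak += 1
            if path == BACKUP and ok_streak >= recover_after:
                path = PRIMARY
                transitions.append((now, path))
        else:
            ok_streak = 0
            # Only a silence of at least hold_down seconds triggers failover.
            if path == PRIMARY and now - last_ok >= hold_down:
                path = BACKUP
                transitions.append((now, path))
    return transitions


# Constructed probe trace: a 15 s blip (ignored), then a long outage.
SAMPLE = [True] * 4 + [False] * 3 + [True] + [False] * 8 + [True] * 2

if __name__ == "__main__":
    for at_s, new_path in simulate(SAMPLE):
        print(f"t={at_s:>3}s -> {new_path}")
```

With the constructed trace, the 15-second blip is ignored and the long outage leaves users without connectivity for the full hold-down window before NAT takes over.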

Same solution (for the most part) with a Soekris net4801 here using its 2 ethernet ports and an additional LAN1641 (4port) ethernet card. Nice little router.

Works great, inexpensive, and pretty reliable so far.