We need to quote to a client for two routers capable of running a VPN
between two sites - easy, that's a MikroTik. But they want a fallback
to 3G/4G so that the site that falls back keeps Internet access AND so
that the VPN keeps running.
What's the state of MikroTik 3G/4G fallback? Last I looked it seemed
very roll-your-own, and supported only a few very specific dongles...
Ideally it would work like the (vastly more expensive) Merakis and just
fail everything over to the secondary link if the primary fails, where
"fail" would be either a ping test or interface down.
That said, I'm OK with a solution that needs more work, as long as once
done it is set-and-forget.
Any pointers?
Regards, K.
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Karl Auer (kauer(a)nullarbor.com.au) work +61 2 64957435
http://www.nullarbor.com.au mobile +61 428 957160
GPG fingerprint: 887A DA07 4DCC EE76 B413 27D4 C638 4189 6CF0 D556
Old fingerprint: 8454 EE43 6215 B6DD 1B4D 9D8D 984D 7BA1 7378 A38D
On Fri, 2021-07-16 at 20:14 +1000, Karl Auer wrote:
> I have these two routers which *were* doing an IPSec VPN quite
> successfully, but for reasons unclear now no longer have a (VPN)
> connection. There is Internet connectivity between them, but IPsec
> stays stubbornly down. I'm at a bit of a loss, because the setup
> seems ridiculously simple!
I'm almost too embarrassed to write this, but here goes.
Basically I made the cardinal mistake of assuming something instead of
just noting the symptoms. I assumed the VPN was down; but all I really
knew was that my test traffic was not being delivered as it should have
been, and that it should have been going over the VPN.
The policy at one end says run traffic over the VPN if it comes from
192.168.102.0/24 and is going to 192.168.103.0/24. The policy at the
other end says vice versa.
I was testing from the routers themselves - which have many interfaces
and thus many possible source addresses. And I was not specifying a
source address for my tests, so my test packets were not coming from
source addresses that matched the policies.
The penny dropped as I watched (for the thousandth time) a host
unreachable come back from the ISP's next hop address, and oh-so-
belatedly twigged that my test packets were not being directed over the
VPN at all...
As soon as I specified the right source addresses in my tests, the
traffic went over the VPN. And when I then tested from the networks on
the LAN sides of the routers (something I should have tried a lot
earlier), that worked too.
Regards, K.
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Karl Auer (kauer(a)nullarbor.com.au) work +61 2 64957435
http://www.nullarbor.com.au mobile +61 428 957160
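The selector mismatch described in the message above, as an added example that is not part of the original post: a simplified Python model of why a test sent from the router itself bypassed the IPsec policy while the same test with an explicit LAN-side source matched it. Only the two /24 policy networks come from the post; the interface names, the 203.0.113.8/30 WAN addressing, the router LAN address 192.168.102.1 and the source-selection rule (address of the egress interface) are constructed assumptions.

```python
import ipaddress as ip

# Constructed site-A router: interface name -> address (assumed values).
INTERFACES = {
    "ether1-wan": ip.ip_interface("203.0.113.10/30"),
    "bridge-lan": ip.ip_interface("192.168.102.1/24"),
}
# Constructed routing table: (destination, egress interface). There is no
# specific route to 192.168.103.0/24, so it follows the default route.
ROUTES = [
    (ip.ip_network("0.0.0.0/0"), "ether1-wan"),
    (ip.ip_network("203.0.113.8/30"), "ether1-wan"),
    (ip.ip_network("192.168.102.0/24"), "bridge-lan"),
]
# Policy selectors as stated in the post (this end of the tunnel).
POLICY = {"src": ip.ip_network("192.168.102.0/24"),
          "dst": ip.ip_network("192.168.103.0/24")}

def default_source(dst):
    """Simplified model: a router-originated packet takes the address of the
    egress interface chosen by longest-prefix match."""
    dst = ip.ip_address(dst)
    matches = [(net, ifname) for net, ifname in ROUTES if dst in net]
    _, ifname = max(matches, key=lambda m: m[0].prefixlen)
    return INTERFACES[ifname].ip

def policy_matches(src, dst, policy=POLICY):
    """Both selectors must match, otherwise the packet never enters the tunnel."""
    return (ip.ip_address(src) in policy["src"]
            and ip.ip_address(dst) in policy["dst"])

def explain(dst, src=None):
    """Describe what happens to a test packet, with or without an explicit source."""
    src = ip.ip_address(src) if src else default_source(dst)
    if policy_matches(src, dst):
        verdict = "matches policy, goes over the VPN"
    else:
        verdict = "no policy match, follows the routing table outside the VPN"
    return f"{src} -> {dst}: {verdict}"

if __name__ == "__main__":
    print(explain("192.168.103.1"))                        # test with no source given
    print(explain("192.168.103.1", src="192.168.102.1"))   # source pinned to the LAN address
    print(explain("192.168.103.20", src="192.168.102.50")) # host on the LAN side
```
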
Two MikroTik RB951G-2HnD routers have sort of swung back into my orbit
with the return after some time of an old customer.
These routers both have 6.36 on them, and I'm thinking I should upgrade
them to 6.47.10 LTS.
Is that too big a jump? Will chunks of the current configuration fail?
It's all fairly plain-vanilla except for an IPSec VPN running between
the two devices.
The particular model is barely mentioned in any of the (many, many)
release notes since 6.36, and nothing really relevant.
Any hints appreciated.
Thanks, K.
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Karl Auer (kauer(a)nullarbor.com.au) work +61 2 64957435
http://www.nullarbor.com.au mobile +61 428 957160
Hi Folks,
We had a bit of an outage at work this morning, and I was a little
surprised that my 'net at home went down - it should have just failed over
to going via VPN over the MF823 with Telstra 4G that I have had plugged in
for YEARS here.. Finally had some time to sit down and check, and the LTE
interface is nowhere to be found.
Rebooted the CRS109 in case something was hinky.. No go. Moved the MF823
to another CRS109.. Still no go. Swapped in a spare MF823.. STILL no go..
These are on 6.47.10 and 6.46.8.
Tested on our travel router (RB2011, 6.45.6), and lte1 comes up fine!
Have MikroTik removed support for MF823's in the last 12 months?? Anyone
have a suggestion of something not crazy expensive to replace them with? :)
--
Damien Gardner Jnr
VK2TDG. Dip EE. GradIEAust
rendrag(a)rendrag.net - http://www.rendrag.net/
--
We rode on the winds of the rising storm,
We ran to the sounds of thunder.
We danced among the lightning bolts,
and tore the world asunder
Hi Damien,
I have no idea on the CRS109 support. However, I've generally given up on 4G USB modems, as I've found too many times they let you down when failover is critical due to a quirk of some sort... My go-to now is the Teltonika RUT240 (sorry Mike ☹); the bonus is they have Band 28 support too. I've got a few dozen scattered around with 100% reliability so far.
Hope this helps,
DB
-----Original Message-----
From: Public <public-bounces(a)talk.mikrotik.com.au> On Behalf Of Damien Gardner Jnr
Sent: Saturday, 10 July 2021 2:50 PM
To: MikroTik Australia Public List <public(a)talk.mikrotik.com.au>
Subject: [DKIM Failure] [MT-AU Public] MF823's on routerOS?