Archive for April, 2015


This method never worked as planned. The IPSEC tunnel left a hidden route in the route table, so it just got messy. Try this one instead.

 

http://blog.greypuddles.net/?p=258

 

I needed a way to fail over from an IPSEC tunnel with static IPs at each end to a PPTP tunnel from a site with a non-routable address.

The main problem is that I have the remote subnet listed as reachable via bridge.Local, both to allow the IPSEC traffic and to allow NetWatch to monitor the remote sites.

The solution is as follows:

  • Set up and test the IPSEC tunnel.
  • Set up the PPTP tunnel to the remote site as needed.
  • Add a second route to the remote subnet with a lower preference (higher distance) than the normal route.
  • Add a comment to the normal remote-site route so a script can find it.

/ip route
add check-gateway=ping comment="over ipsec" distance=1 dst-address=10.4.44.0/24 \
gateway=bridge.Local
add distance=10 dst-address=10.4.44.0/24 gateway=pptp-out1
add distance=1 dst-address=192.168.1.1/32 gateway="ether1-ADSL Modem"

In this setup, the local subnet is 10.4.40.0/24 and the remote subnet is 10.4.44.0/24.

Next we add the NetWatch entries. In the script below, 1.2.3.4 is the static IP address of the main interface.

/tool netwatch
add host=10.4.44.253
add down-script=\
"/ip route set [/ip route find where comment=\"over ipsec\"] disabled=yes" \
host=1.2.3.4 up-script=\
"/ip route set [/ip route find where comment=\"over ipsec\"] disabled=no"

The comment "over ipsec" is what identifies the route that gets enabled and disabled.

 

When the main interface goes down, NetWatch disables the route via bridge.Local and the distance-10 PPTP route takes over.
The PPTP interface should redial as needed to get a connection over the second internet connection, and all should just work. I will be testing that tomorrow.

I am testing now with only one interface. When the "over ipsec" route is enabled, all traffic goes over the IPSEC tunnel; when that route is disabled, traffic flows over the PPTP tunnel.

If you have a dynamic WAN IP address, you will have to get more creative: run a lookup using /ip address print and put the result into this NetWatch host.

 

I'm sure there are much cleaner ways of doing this, as this will not fail over in the event of the IPSEC tunnel failing but the ADSL staying alive, but that's a topic for another day.

I needed a way of resolving DNS Names to IPs to use in firewall rules.

 

/ip firewall address-list
add address=216.58.220.100 comment=www.google.com list=dns_list
add address=1.2.3.4 comment=www.website1.com list=dns_list
add address=157.56.242.98 comment=outlook.com list=dns_list

 

/system scheduler
add interval=9m1s name=DNSLookup on-event=DNSLookupScrip policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive start-date=\
jan/01/1970 start-time=00:00:01

/system script
add name=DNSLookupScrip policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive source=":foreach \
dnsitems in=[ /ip firewall address-list find where list=\"dns_list\" ] do={\
\r\
\n /ip firewall address-list set \$dnsitems address=[:resolve [/ip firewall \
address-list get \$dnsitems comment]];\r\
\n};"

Or, the script body on its own:

:foreach dnsitems in=[ /ip firewall address-list find where list="dns_list" ] do={
/ip firewall address-list set $dnsitems address=[:resolve [/ip firewall address-list get $dnsitems comment]];
};