Lumpiasty/klaster
0
0
Fork 0
Code Issues Pull Requests 2 Packages Projects Releases Wiki Activity

Fast fail connection when WAN failover
ci/woodpecker/push/flux-reconcile-source Pipeline was successful
Details
ci/woodpecker/cron/renovate Pipeline was successful
Details

Browse Source
This commit is contained in:
Lumpiasty
2026-06-21 02:38:24 +02:00
parent 1e86dc5e2b
commit 4034628449
2 changed files with 58 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
ansible/roles/routeros/tasks/firewall.yml
+48
View File
@@ -1,8 +1,56 @@
--- ---
- name: Configure WAN connection marking
community.routeros.api_modify:
path: ip firewall mangle
data:
- action: mark-connection
chain: forward
connection-state: new
new-connection-mark: wan-gpon
out-interface: pppoe-gpon
passthrough: true
comment: Mark connections going out GPON
- action: mark-connection
chain: forward
connection-state: new
new-connection-mark: wan-lte
out-interface: vlan6
passthrough: true
comment: Mark connections going out LTE
handle_absent_entries: remove
handle_entries_content: remove_as_much_as_possible
ensure_order: true
- name: Configure IPv4 firewall filter rules - name: Configure IPv4 firewall filter rules
community.routeros.api_modify: community.routeros.api_modify:
path: ip firewall filter path: ip firewall filter
data: data:
- action: reject
chain: forward
connection-mark: wan-gpon
out-interface: vlan6
protocol: tcp
reject-with: tcp-reset
comment: Fast-fail TCP connections that shifted from GPON to LTE
- action: reject
chain: forward
connection-mark: wan-gpon
out-interface: vlan6
reject-with: icmp-network-unreachable
comment: Fast-fail non-TCP connections that shifted from GPON to LTE
- action: reject
chain: forward
connection-mark: wan-lte
out-interface: pppoe-gpon
protocol: tcp
reject-with: tcp-reset
comment: Fast-fail TCP connections that shifted from LTE to GPON
- action: reject
chain: forward
connection-mark: wan-lte
out-interface: pppoe-gpon
reject-with: icmp-network-unreachable
comment: Fast-fail non-TCP connections that shifted from LTE to GPON
- action: fasttrack-connection - action: fasttrack-connection
chain: forward chain: forward
connection-state: established,related connection-state: established,related
docs/lte-failover-design.md
+10
View File
@@ -243,6 +243,16 @@ QMI initialization within ~1 second.
Full investigation: see [wwan-bm806c-qmi-workaround.md](./wwan-bm806c-qmi-workaround.md). Full investigation: see [wwan-bm806c-qmi-workaround.md](./wwan-bm806c-qmi-workaround.md).
## Multi-WAN Stale Connection Tracking
When the routing table fails over from GPON to LTE (or vice versa), RouterOS does not automatically clear existing connection tracking entries. If an established TCP/UDP connection is routed out the new WAN interface, it retains the NAT translation state (source IP) of the old WAN interface. The packet is sent to the ISP with the wrong source IP and is silently dropped, causing clients (like Tailscale) to hang for minutes until their internal sockets time out.
To solve this purely declaratively without scripts or blanket connection flushes, the `forward` chain is configured to "fast-fail" these shifted connections:
1. Connections are marked with their egress WAN upon establishment (`wan-gpon` or `wan-lte`) via the `mangle` table.
2. If an established connection with a `wan-gpon` mark attempts to route out `vlan6` (LTE), or a `wan-lte` mark routes out `pppoe-gpon`, it is explicitly rejected (`tcp-reset` for TCP, `icmp-network-unreachable` for UDP) before reaching the NAT table.
3. This rejection immediately signals the client OS that the route is dead, forcing the application (Tailscale, SIP clients, etc.) to instantly close the socket and establish a new one, which successfully binds to the new WAN interface and NAT state.
## Implementation files ## Implementation files
| File | Role | | File | Role |