Fast fail connection when WAN failover
This commit is contained in:
@@ -1,8 +1,56 @@
|
||||
---
|
||||
- name: Configure WAN connection marking
|
||||
community.routeros.api_modify:
|
||||
path: ip firewall mangle
|
||||
data:
|
||||
- action: mark-connection
|
||||
chain: forward
|
||||
connection-state: new
|
||||
new-connection-mark: wan-gpon
|
||||
out-interface: pppoe-gpon
|
||||
passthrough: true
|
||||
comment: Mark connections going out GPON
|
||||
- action: mark-connection
|
||||
chain: forward
|
||||
connection-state: new
|
||||
new-connection-mark: wan-lte
|
||||
out-interface: vlan6
|
||||
passthrough: true
|
||||
comment: Mark connections going out LTE
|
||||
handle_absent_entries: remove
|
||||
handle_entries_content: remove_as_much_as_possible
|
||||
ensure_order: true
|
||||
|
||||
- name: Configure IPv4 firewall filter rules
|
||||
community.routeros.api_modify:
|
||||
path: ip firewall filter
|
||||
data:
|
||||
- action: reject
|
||||
chain: forward
|
||||
connection-mark: wan-gpon
|
||||
out-interface: vlan6
|
||||
protocol: tcp
|
||||
reject-with: tcp-reset
|
||||
comment: Fast-fail TCP connections that shifted from GPON to LTE
|
||||
- action: reject
|
||||
chain: forward
|
||||
connection-mark: wan-gpon
|
||||
out-interface: vlan6
|
||||
reject-with: icmp-network-unreachable
|
||||
comment: Fast-fail non-TCP connections that shifted from GPON to LTE
|
||||
- action: reject
|
||||
chain: forward
|
||||
connection-mark: wan-lte
|
||||
out-interface: pppoe-gpon
|
||||
protocol: tcp
|
||||
reject-with: tcp-reset
|
||||
comment: Fast-fail TCP connections that shifted from LTE to GPON
|
||||
- action: reject
|
||||
chain: forward
|
||||
connection-mark: wan-lte
|
||||
out-interface: pppoe-gpon
|
||||
reject-with: icmp-network-unreachable
|
||||
comment: Fast-fail non-TCP connections that shifted from LTE to GPON
|
||||
- action: fasttrack-connection
|
||||
chain: forward
|
||||
connection-state: established,related
|
||||
|
||||
@@ -243,6 +243,16 @@ QMI initialization within ~1 second.
|
||||
|
||||
Full investigation: see [wwan-bm806c-qmi-workaround.md](./wwan-bm806c-qmi-workaround.md).
|
||||
|
||||
## Multi-WAN Stale Connection Tracking
|
||||
|
||||
When the routing table fails over from GPON to LTE (or vice versa), RouterOS does not automatically clear existing connection tracking entries. If an established TCP/UDP connection is routed out the new WAN interface, it retains the NAT translation state (source IP) of the old WAN interface. The packet is sent to the ISP with the wrong source IP and is silently dropped, causing clients (like Tailscale) to hang for minutes until their internal sockets time out.
|
||||
|
||||
To solve this purely declaratively without scripts or blanket connection flushes, the `forward` chain is configured to "fast-fail" these shifted connections:
|
||||
|
||||
1. Connections are marked with their egress WAN upon establishment (`wan-gpon` or `wan-lte`) via the `mangle` table.
|
||||
2. If an established connection with a `wan-gpon` mark attempts to route out `vlan6` (LTE), or a `wan-lte` mark routes out `pppoe-gpon`, it is explicitly rejected (`tcp-reset` for TCP, `icmp-network-unreachable` for UDP) before reaching the NAT table.
|
||||
3. This rejection immediately signals the client OS that the route is dead, forcing the application (Tailscale, SIP clients, etc.) to instantly close the socket and establish a new one, which successfully binds to the new WAN interface and NAT state.
|
||||
|
||||
## Implementation files
|
||||
|
||||
| File | Role |
|
||||
|
||||
Reference in New Issue
Block a user