I have a Mikrotik RB4011iGS+RM serving three VLANs, I would like to add a second WAN connection to this router and route one interface list to use the second WAN. Preferably I would like WAN2 to fail over to WAN1 automatically, but if this has to be done manually or via routerboard script that’s fine.
My two WAN networks that need to be set up are as follows:
WAN1 - PPPoE with dynamic address
WAN2 - DHCP client on ethernet interface
I thought about simply setting a routing mark in mangle on the two interface lists (prerouting, add routing mark WAN1 or WAN2) then set the routing mark under the route, but because both interfaces create the default route dynamically, I’m not sure how to achieve this (since I don’t have static gateways to remove the default route and create custom ones). I also tried to use the routing mark to allocate which masquerade route to use (limit WAN1 masquerade to WAN1 routing mark, WAN2 masquerade to WAN2 routing mark). This didn’t work, and honestly I figured it was a bit of a long shot in the first place.
I’ve been looking at examples in the wiki, but everything I’ve seen assumes you have a known static gateway.
With DHCP, you can use the recursive routing if you let the script above adjust the routes at the bottom at the recursion (towards the reference IP addresses in the internet) instead of the default route (which is the topmost recursive one).
With /interface pppoe-client, the situation is a bit simpler or a bit more complex depending on the goal. If you don’t need the checking of path transparency all the way to the internet, you can use the interface name as a gateway and you don’t need to care about the remote IP address of the tunnel. If you do need to check path transparency, you have to use the IP address of the remote end of the PPPoE tunnel, but the good news is that many ISPs never change it - there is no notion of a “subnet” on PPP interfaces, so the address they assign to you and the address at their end can be totally unrelated. So there is no need to adjust the address at their end when they give out another one for your end. But if you do need to track that address, make a copy of the /ppp profile named default (or use that one directly, it depends on your general attitude to life) and configure the on-up script in a similar way as in the DHCP case, except that the variable names are different. Then tell the /interface pppoe-client to use that modified profile instead of default (or do nothing if you’ve modified the default). On the other hand, add-default-route is still a property of the /interface pppoe-client item itself, not of the profile.
The toughest time comes when you have two PPPoE connections, both give you the same remote-address (which can easily happen even if you have two distinct ISPs, as many use 10.64.64.64), and you still want to use path transparency check. In that case, there is no way to convince the recursive routing to distinguish between the two gateways (gateway=ip.add.re.ss%interface-name prevents recursive routing from working), and you have to use dedicated routing marks, netwatch, and scheduled evaluation scripts to track the path transparency. But be happy, that’s not your case.
I’ve done something slightly different to what you said - I’ve left the DHCP client’s default route in place, but overridden the distance to be 10. Left the PPPoE client’s default route in place, but with a distance of 5. Set up the script you provided to put a default route for WAN2 for packets with the WAN2 routing mark with a distance of 1. If my theory is correct, this should do the following:
Route packets through WAN2 if they have the WAN2 routing mark
Route packets through WAN1 if they have no routing mark, or if WAN2 fails to receive a DHCP lease
Route packets through WAN2 if they have no routing mark and WAN1’s PPPoE client fails to connect
Does that sound about right to you? Are there any potential downsides I need to be aware of with this setup? Or is it discouraged for any reason?
Thank you so much for your quick help! I’ve spent hours googling this, but I hadn’t seen DHCP client scripts before!
By “override”, do you mean something more complex than setting the default-route-distance parameter of the /ip dhcp-client item to 10? No matter how you did it, it’s fine, just curiosity.
It sounds perfectly right to me as long as it satisfies your goal. I personally prefer the path transparency checking, but it is always a question of the effort/outcome ratio.
Am I correct in understanding that a routing mark creates an entirely new routing table? I assumed that default routes (with a blank routing mark) would apply, and routes with a specified routing mark would add to that table?
I just realized my VPN isn’t working, and I tracked it down to not having a route for the interface - on my local router. Does this mean I need to make an interface route for every local interface with my WAN2 routing mark? Is there any way I can get it to do this automatically?
As an additional question - How would I do something similar like this with IPv6?
I can’t seem to see any way to do this sort of routing mark with IPv6? I can have the two DHCP clients populating two pools, and set the DHCP servers to provide IPs from the different pools - is the router smart enough to use the required backhaul in the background? Obviously I can’t do the failover in the same way, which is not the end of the world. I could do it with scripts, checking if the two gateways are up and changing pools based on this…
That’s correct, the routing-mark as assigned by mangle rules or using /ip route vrf is essentially the same thing as the routing table name. The “routing table name” is more or less just a mental model; the routing process just chooses among routes bearing the desired routing-mark.
And only if it doesn’t find any matching route with the required routing-mark, it looks among routes with none (except if you have expressly prohibited it or if the routing-mark has been assigned by the VRF functionality).
You mean that there is no route to the interface’s subnet at all or that there is no route to that subnet with the necessary routing-mark? If the latter, it is normal and you have to either not assign any routing-mark to packets coming in via WAN, or, if it would make the mangle rules too complex, you can do the following: /ip route rule add dst-address=your.lan.sub.net/mask action=lookup-only-in-table table=main
Oh. That makes total sense, of course - since the custom route I’ve made for 0.0.0.0/0 applies for that routing mark, it’s not cascading through to the default tables. I didn’t consider that it would apply the specific routing mark first, then distance. In my head, it went distance first, then routing mark. Therefore, in my head, the dynamic interface routes would apply first as they were a lower distance.
I’ve changed the mangle rule to not apply to destination packets matching 192.168.0.0/16 and now we are all sweet!
Just need to figure out how to move traffic for IPv6 now!
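Putting the pieces discussed in this thread together (distance-ordered dynamic default routes, a DHCP client script that maintains the distance-1 route for the WAN2 routing mark, the mangle rule that exempts local subnets, and the /ip route rule alternative), here is an added RouterOS v6 configuration example. It is not from the thread or from any poster; the interface names (ether1, ether2, pppoe-out1, vlan30), the LAN-WAN2 interface list, the WAN2 mark name, the comment used to find the script-managed route and the 192.168.0.0/16 LAN range are all assumptions.

```routeros
# Added example (not from the thread). RouterOS v6 syntax, matching the
# routing-mark / "/ip route rule" commands used in the discussion.
# Interface names, list name, mark name and the 192.168.0.0/16 LAN range are assumptions.

# The interface list whose members should egress via WAN2
/interface list add name=LAN-WAN2
/interface list member add list=LAN-WAN2 interface=vlan30

# WAN1: PPPoE with a dynamic default route at distance 5 (preferred when unmarked)
/interface pppoe-client add name=pppoe-out1 interface=ether1 user=USERNAME password=PASSWORD \
    add-default-route=yes default-route-distance=5 disabled=no

# WAN2: DHCP client with a dynamic default route at distance 10 (fallback when unmarked).
# The script installs a distance-1 default route for the WAN2 routing mark whenever a
# lease is bound, and removes it when the lease is lost, so marked traffic falls through
# to the main table (and thus to WAN1) if WAN2 has no lease.
/ip dhcp-client add interface=ether2 add-default-route=yes default-route-distance=10 disabled=no \
    script=":if (\$bound=1) do={ /ip route remove [find comment=\"WAN2-marked\"]; /ip route add dst-address=0.0.0.0/0 gateway=\$\"gateway-address\" routing-mark=WAN2 distance=1 comment=\"WAN2-marked\" } else={ /ip route remove [find comment=\"WAN2-marked\"] }"

# Mark traffic from the WAN2 interface list, but not traffic for local subnets:
# a marked packet for 192.168.x.x would otherwise match the marked 0.0.0.0/0 route
# before the unmarked connected routes are ever considered.
/ip firewall mangle add chain=prerouting in-interface-list=LAN-WAN2 dst-address=!192.168.0.0/16 \
    action=mark-routing new-routing-mark=WAN2 passthrough=no

# Alternative to the dst-address exclusion above: force lookups for local subnets into
# the main table regardless of the routing mark.
/ip route rule add dst-address=192.168.0.0/16 action=lookup-only-in-table table=main

# Source NAT per WAN, chosen by egress interface rather than by routing mark
/ip firewall nat add chain=srcnat out-interface=pppoe-out1 action=masquerade
/ip firewall nat add chain=srcnat out-interface=ether2 action=masquerade
```

After the DHCP client binds, `/ip route print detail where routing-mark=WAN2` should show the single script-managed default route; `/ip route print where dst-address=0.0.0.0/0` shows the two unmarked dynamic routes at distances 5 and 10. Note that this only fails over when the lease is actually lost: if ether2 keeps its lease while the ISP's upstream path is broken, the marked route stays active, which is the path-transparency limitation raised earlier in the thread.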
I’d recommend opening a new topic for this if you find out you need advice. But forget about dual WAN for IPv6 on Mikrotik, as Mikrotik doesn’t support NAT for IPv6, so you’d need your ISPs to support BGP so that you could inform the internet that the IPv6 network assigned by one of them is currently accessible via the other one.