djferdinad
just joined
Topic Author
Posts: 17
Joined: Wed Apr 06, 2022 5:12 am

2 WAN Failover - Cloud DNS

Wed Mar 27, 2024 5:12 am

Hi Community,

Hope you all are doing great!!

[Description]:
2 WAN Connections are used, both of them are DHCP from the provider. From one of them I know the Gateway (Physical Carrier Router, Higher bandwidth but CGNAT). For the second WAN there is an ADSL modem on premise.
Also the CloudDNS is used with the 2nd WAN connection (Public ip but lower bandwidth)

[Expected behaviour]:
1. Check when the 1st or 2nd WAN goes down and make a failover. Using a ping to 8.8.8.8 would be desirable.
2. Be able to use the CloudDNS through the 2nd WAN, while the 1st is preferred for LAN traffic.
3. Hopefully create an script to send WAN Status to Telegram.

[Actual Behaviour]:
1. If the 1st WAN goes down (it still gets an IP and the gateway is reachable, but there is no Internet traffic), the router keeps sending traffic to the 1st WAN instead of switching to the 2nd WAN.
2. The CloudDNS is only using 1st WAN (with CGNAT) and becomes unusable.


Hope you all can help me pleasee! :(
 
anav
Forum Guru
Forum Guru
Posts: 19395
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: 2 WAN Failover - Cloud DNS

Wed Mar 27, 2024 1:01 pm

/export file=anynameyouwish ( minus router serial number and any public WANIP information )
 
djferdinad
just joined
Topic Author
Posts: 17
Joined: Wed Apr 06, 2022 5:12 am

Re: 2 WAN Failover - Cloud DNS

Wed Mar 27, 2024 2:33 pm

Thank you anav.

I have seen you on other posts and seems like you are a beast! Hopefully you can help me.
/interface ethernet
set [ find default-name=sfp1 ] name=SFP
set [ find default-name=ether1 ] name=ether1-NetUno
set [ find default-name=ether2 ] name=ether2-CANTV
set [ find default-name=ether3 ] loop-protect=off
# WireGuard server side; UDP/13231 is accepted from any source in the input chain below.
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/disk
set sd1 type=hardware
add parent=sd1 partition-number=1 partition-offset="4 194 304" \
    partition-size="3 960 995 840" type=partition
set usb1 type=hardware
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
# Default wireless profile; no wireless interface appears in this export.
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge lease-time=23h59m59s name=\
    defconf
/port
set 0 name=serial0
# Table "NetUno" is created but nothing in this export marks traffic into it.
/routing table
add disabled=no fib name=NetUno
/interface bridge port
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge interface=SFP
/ip neighbor discovery-settings
set discover-interface-list=LAN
# detect-internet is bound to the WAN/LAN lists; the reply below asks for this to be
# cleared (set to none) while failover is handled manually.
/interface detect-internet
set detect-interface-list=WAN internet-interface-list=WAN lan-interface-list=\
    LAN wan-interface-list=WAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether2-CANTV list=WAN
add interface=wireguard1 list=LAN
add interface=ether1-NetUno list=WAN
# Peer public keys are masked in this paste. Public keys are not secrets, but the
# router's own WireGuard private key and any preshared keys must never be posted.
/interface wireguard peers
add allowed-address=10.20.1.2/32 interface=wireguard1 public-key=\
    "xxxxxxxxxxxx"
add allowed-address=10.20.1.3/32 interface=wireguard1 public-key=\
    "xxxxxxxxxxxx"
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=10.20.1.1/24 interface=wireguard1 network=10.20.1.0
# IP Cloud DDNS: the update leaves via whichever WAN the main table prefers, which is
# why it currently publishes the CGNAT address.
/ip cloud
set ddns-enabled=yes ddns-update-interval=5m
# Both WANs are DHCP; ether2-CANTV's default route gets distance 2 so ether1-NetUno
# wins. Nothing here verifies that the winner actually has Internet behind it, which
# is the "link up but no traffic" failure described in the opening post.
/ip dhcp-client
add interface=ether1-NetUno use-peer-dns=no use-peer-ntp=no
add default-route-distance=2 interface=ether2-CANTV use-peer-dns=no \
    use-peer-ntp=no
/ip dhcp-server lease
add address=192.168.88.252 client-id=1:d8:32:14:e4:1c:88 mac-address=\
    D8:32:14:E4:1C:88 server=defconf
add address=192.168.88.247 mac-address=08:00:27:A1:50:F7 server=defconf
add address=192.168.88.253 client-id=1:90:61:ae:16:b0:1b mac-address=\
    90:61:AE:16:B0:1B server=defconf
add address=192.168.88.251 client-id=1:3c:19:cb:6e:7:2f mac-address=\
    3C:19:CB:6E:07:2F server=defconf
# LAN clients are handed 192.168.88.10 and 1.1.1.1 as resolvers, not the router.
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.10,1.1.1.1 \
    gateway=192.168.88.1
# allow-remote-requests=yes makes the router answer DNS for every source the input
# chain admits. The "Access" input rule below admits three public /8 ranges on
# ether1-NetUno, so towards those ranges this is an open resolver (UDP/53
# amplification risk). Shrink Access, or drop dst-port=53 from WAN explicitly.
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
# "Access" = 192.168.0.0/16 plus 190/8, 186/8 and 200/8 (tens of millions of public
# addresses) and is granted unrestricted router access on ether1-NetUno below.
# "Local" is never referenced; "Ads" (used by the first forward rule) is never defined.
/ip firewall address-list
add address=192.168.0.0/16 list=Access
add address=190.0.0.0/8 list=Access
add address=186.0.0.0/8 list=Access
add address=200.0.0.0/8 list=Access
add address=192.168.80.0/24 list=Local
/ip firewall filter
# dst-address-list=Ads: no list named Ads exists in this export, so this matches nothing.
add action=reject chain=forward dst-address-list=Ads protocol=tcp \
    reject-with=icmp-network-unreachable src-address-list=Access
# WireGuard handshake port open to any source - normal for WireGuard.
add action=accept chain=input comment="allow WireGuard" dst-port=13231 \
    protocol=udp
add action=accept chain=input comment="allow WireGuard traffic" src-address=\
    10.20.1.0/24
# Accepts EVERY router service (DNS, WinBox, SSH, API, www, ...) from the Access
# ranges arriving on WAN1, ahead of the defconf drop. Least privilege: match the
# dst-port(s) actually needed and limit Access to the real management sources.
add action=accept chain=input in-interface=ether1-NetUno src-address-list=\
    Access
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
# disabled=yes: the defconf invalid-state drop is switched off (here and in forward).
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid disabled=yes
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid disabled=yes
# disabled=yes: this is the defconf rule that stops WAN->LAN forwarding without a
# dst-nat. With it off the forward chain ends in the implicit accept. Re-enable it.
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new disabled=yes in-interface-list=WAN
# PCC: the three rules below are pasted twice (identical copies), and no mark-routing
# rule or per-table route consumes wan1_conn/wan2_conn, so the marks have no effect.
/ip firewall mangle
add action=accept chain=prerouting in-interface=ether1-NetUno
add action=mark-connection chain=prerouting dst-address-type=!local \
    new-connection-mark=wan1_conn passthrough=yes per-connection-classifier=\
    both-addresses-and-ports:2/0 src-address=192.168.88.0/24
add action=mark-connection chain=prerouting dst-address-type=!local \
    new-connection-mark=wan2_conn passthrough=yes per-connection-classifier=\
    both-addresses-and-ports:2/1 src-address=192.168.88.0/24
add action=accept chain=prerouting in-interface=ether1-NetUno
add action=mark-connection chain=prerouting dst-address-type=!local \
    new-connection-mark=wan1_conn passthrough=yes per-connection-classifier=\
    both-addresses-and-ports:2/0 src-address=192.168.88.0/24
add action=mark-connection chain=prerouting dst-address-type=!local \
    new-connection-mark=wan2_conn passthrough=yes per-connection-classifier=\
    both-addresses-and-ports:2/1 src-address=192.168.88.0/24
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
# Stock defconf IPv6 rules, unmodified; no IPv6 address or DHCPv6 client appears in
# this export, so these only matter if IPv6 is enabled later.
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=America/Caracas
# Identity left at the factory default.
/system identity
set name="MikroTik"
# The "script" topic is written to disk: a failing /tool fetch in the scripts below may
# record its URL - which carries the Telegram bot token - in the persistent log.
/system logging
add topics=dns,!packet
add action=disk topics=script
/system note
set show-at-login=no
# Scheduler policies: "Check Details" runs with ftp, reboot, password, sniff, sensitive
# and romon although the script only reads health/uptime and calls /tool fetch. Trim
# both entries (and the script policies below) to what the scripts actually need.
/system scheduler
add interval=1m name=checkreboot on-event="/system script run CheckReboot" \
    policy=read,write,policy,test start-date=2023-09-07 start-time=21:48:23
add interval=15m name="Check Details" on-event="/system script run Details" \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=2023-09-07 start-time=22:17:26
# CheckReboot: dont-require-permissions=yes lets any caller run it with the script's
# own broad policy set. The bot token is embedded in the source (masked in this paste)
# and is sent in the GET URL; /tool fetch does not verify the server certificate
# unless check-certificate=yes is given, so add that when a token rides on HTTPS.
/system script
add dont-require-permissions=yes name=CheckReboot owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff source="# Func: Telegram \
    send message\r\
    \n:local TGSendMessage do={\r\
    \n    :local tgUrl \"https://api.telegram.org/bot\$Token/sendMessage\?chat\
    _id=\$ChatID&text=\$Text&parse_mode=html\";\r\
    \n    /tool fetch http-method=get url=\$tgUrl keep-result=no;\r\
    \n}\r\
    \n\r\
    \n# Constants\r\
    \n:global RebootStatus;\r\
    \n:local TelegramBotToken \"xxxxxxxxxxxx:xxxxxxxxxxxx\
    \";\r\
    \n:local TelegramChatID \"-xxxxxxxxxxxx\";\r\
    \n:local temperature [/system health get [find name=temperature] value]\r\
    \n:local DeviceName [/system identity get name];\r\
    \n\r\
    \n:local TelegramMessageText \"\\F0\\9F\\9F\\A2 <b>\$DeviceName:</b> start\
    \_after Power Off. Temp \$temperature C\";\r\
    \n\r\
    \n# Program\r\
    \n:if (\$RebootStatus != true)  do={\r\
    \n    \$TGSendMessage Token=\$TelegramBotToken ChatID=\$TelegramChatID Tex\
    t=\$TelegramMessageText;\r\
    \n    :set RebootStatus true;\r\r\
    \n}"
# Details: same token-in-URL pattern; posts uptime, voltage and temperature every 15 min.
add dont-require-permissions=no name=Details owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="\
    \r\
    \n# Func: Telegram send message\r\
    \n:local TGSendMessage do={\r\
    \n    :local tgUrl \"https://api.telegram.org/bot\$Token/sendMessage\?chat\
    _id=\$ChatID&text=\$Text&parse_mode=html\";\r\
    \n    /tool fetch http-method=get url=\$tgUrl keep-result=no;\r\
    \n}\r\
    \n\r\
    \n# Constants\r\
    \n:global RebootStatus;\r\
    \n:local TelegramBotToken \"xxxxxxxxxxxx:xxxxxxxxxxxx\
    \";\r\
    \n:local TelegramChatID \"-xxxxxxxxxxxx\";\r\
    \n:local upTime [/system resource get uptime];\r\
    \n:local DeviceName [/system identity get name];\r\
    \n:local voltage [/system health get [find name=voltage] value]\r\
    \n:local temperature [/system health get [find name=temperature] value]\r\
    \n:local TelegramMessageText \"\$DeviceName: has \$upTime Running | \$volt\
    age V | Temp \$temperature C\";\r\
    \n\r\
    \n# Program\r\
    \n\r\
    \n    \$TGSendMessage Token=\$TelegramBotToken ChatID=\$TelegramChatID Tex\
    t=\$TelegramMessageText;\r\
    \n"
# Fecha: date-formatting helper that only writes to the log; it still carries the
# full policy set, which it does not need.
add dont-require-permissions=no name=Fecha owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":\
    local fecha [/system clock get date]\r\
    \n:local mes [ :pick \$fecha 5 7]\r\
    \n:local dia [ :pick \$fecha 8 11 ]\r\
    \n:local year [ :pick \$fecha 0 4 ]\r\
    \n:log info \"date format : \$dia \$mes \$year\""
/tool graphing interface
add
/tool graphing resource
add
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
# Netwatch (disabled): pings 8.8.8.8 and posts to Telegram; the bot token sits in the
# down/up script URLs in clear text (partially masked here).
/tool netwatch
add disabled=yes down-script="/tool fetch url=\"https://api.telegram.org/bot64\
    xxxxxxxxxxxx:xxxxxxxxxxxx/sendMessage\?chat_id=-xxxxxxxxxxxx\
    86&text=Google ping is not responding\"" host=8.8.8.8 http-codes="" \
    interval=1m test-script="" type=icmp up-script="/tool fetch url=\"https://\
    api.telegram.org/xxxxxxxxxxxx:xxxxxxxxxxxx/sendMes\
    sage\?chat_id=-xxxxxxxxxxxx&text=Is UP\""
# With streaming-enabled=yes a running capture is streamed (TZSP, unencrypted) to
# 192.168.88.253. Keep streaming off unless a capture is actually in progress.
/tool sniffer
set filter-stream=yes streaming-enabled=yes streaming-server=192.168.88.253
 
anav
Forum Guru
Forum Guru
Posts: 19395
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: 2 WAN Failover - Cloud DNS

Wed Mar 27, 2024 5:20 pm

To be clear, you want WAN1 to be primary as it has higher bandwidth.
In addition you also want WAN2 to be available all the time as wireguard goes through here.
If WAN1 goes down traffic should go to WAN2 as backup.
If WAN2 goes down, you will lose your ability to keep wireguard going..........


(1) Set this to NONE
/interface detect-internet
set detect-interface-list=WAN


(2) Why are you trying PCC ???? I thought you wanted primary UNO (CGNAT) and secondary ADSL (public IP).

(3) You have many non-standard fw rules.......... you have deviated from the defaults, and not in a good way.

(4) Unless your gateways don't get updated automatically, I suggest you don't use default routes and use manual routes
for both ISPs.............
and even then we can use scripts to keep the gateway IPs updated as required.
 
djferdinad
just joined
Topic Author
Posts: 17
Joined: Wed Apr 06, 2022 5:12 am

Re: 2 WAN Failover - Cloud DNS

Wed Mar 27, 2024 11:42 pm

Correct!

All your statements are correct. "If WAN2 goes down, you will lose your ability to keep wireguard going" Yes, it is understandable.

1. Done.

2. Sorry, I probably set this the wrong way. I would like to do it the correct way and Yes, that is what I want to achieve.

3. Will try to fix that one.

4. Oh I see, Sure, I would prefer to use manual routes. But I do not know how could I have the script to check the Gateway IP.
 
anav
Forum Guru
Forum Guru
Posts: 19395
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: 2 WAN Failover - Cloud DNS

Thu Mar 28, 2024 12:04 am

To ensure the wireguard handshake coming in on WAN2 gets answered by WAN2 ( the slower ADSL connection with public IP )

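/routing table add fib name=useWAN2
# Full menu path is /ip firewall mangle ("/ip mangle" is not a menu).
/ip firewall mangle
# Mark new connections that terminate on the router itself and arrive on WAN2 (the
# WireGuard handshake); the interface is named ether2-CANTV in the export.
# connection-mark=no-mark keeps already-marked connections untouched.
add chain=input action=mark-connection connection-mark=no-mark in-interface=ether2 \
new-connection-mark=incomingWAN2 passthrough=yes
# Route the router's own replies for those connections through table useWAN2, so the
# answer leaves on the same WAN the handshake came in on.
add chain=output action=mark-routing connection-mark=incomingWAN2 \
new-routing-mark=useWAN2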

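/ip route
# "CGNAT gateway IP" / "ADSL gateway IP" are placeholders for the real next-hop addresses.
# check-gateway=ping only detects a dead next hop; it does not notice a gateway that
# answers but has no Internet behind it (the recursive variant below handles that).
add distance=2 check-gateway=ping dst-address=0.0.0.0/0 gateway=CGNAT gateway IP routing-table=main
add distance=4 dst-address=0.0.0.0/0 gateway=ADSL gateway IP routing-table=main
# Same default again in useWAN2, so traffic carrying that routing mark always leaves
# via ADSL regardless of what the main table currently prefers.
add dst-address=0.0.0.0/0 gateway=ADSL gateway IP routing-table=useWAN2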


Now if you want to add recursive to the routes.....

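# Recursive: the main defaults point at 1.1.1.1 / 9.9.9.9, reachable only through the
# /32 host routes via each ISP, so check-gateway=ping probes the far host and a WAN
# whose gateway answers but has no Internet is taken out of service.
# Note: the /32 pins 1.1.1.1 to the CGNAT link; LAN clients that use 1.1.1.1 as DNS
# (the DHCP network hands it out) will keep following that pin even after failover.
add distance=2 check-gateway=ping dst-address=0.0.0.0/0 gateway=1.1.1.1 scope=10 target-scope=12
add distance=2 dst-address=1.1.1.1/32 gateway=CGNAT gateway IP scope=10 target-scope=11
add distance=4 check-gateway=ping dst-address=0.0.0.0/0 gateway=9.9.9.9 scope=10 target-scope=12
add distance=4 dst-address=9.9.9.9/32 gateway=ADSL gateway IP scope=10 target-scope=11
# Per-mark table for the router's own WAN2-bound traffic ("ADSL gateway IP" is a placeholder).
add dst-address=0.0.0.0/0 gateway=ADSL gateway IP routing-table=useWAN2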


The next step will include mangling to ensure the IP Cloud service points to WAN2...............
 
anav
Forum Guru
Forum Guru
Posts: 19395
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: 2 WAN Failover - Cloud DNS

Thu Mar 28, 2024 12:14 am

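# Menu is /ip firewall address-list and the list is selected with list=, not name=
# (the OP's later export already uses this form).
# DNS-name entries are resolved by the router's own resolver and refreshed on TTL, so
# /ip dns must be working for the mangle rule that references MyCloud to match.
/ip firewall address-list
add address=cloud.mikrotik.com list=MyCloud
add address=cloud2.mikrotik.com list=MyCloud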

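/ip firewall mangle
# Router-originated IP Cloud updates (UDP/15252 to cloud*.mikrotik.com) are routed via
# useWAN2, so the DDNS record carries the ADSL public IP instead of the CGNAT address.
# passthrough=no stops later output rules from re-marking the same packet.
add chain=output protocol=udp dst-port=15252 dst-address-list=MyCloud action=mark-routing new-routing-mark=useWAN2 passthrough=no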
 
djferdinad
just joined
Topic Author
Posts: 17
Joined: Wed Apr 06, 2022 5:12 am

Re: 2 WAN Failover - Cloud DNS

Thu Mar 28, 2024 12:47 am

Thank you so much, I think this will work for the majority of this, but I have a question and is:

How could I know the gateway=ADSL gateway IP? It is Dynamic, even the gateway is Dynamic.

For gateway=CGNAT gateway IP it is totally fine, I know the private gateway IP address and this one will work as a charm, I have tried.
 
anav
Forum Guru
Forum Guru
Posts: 19395
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: 2 WAN Failover - Cloud DNS

Thu Mar 28, 2024 2:14 am

Super. Well, do you get a public IP or a private IP from the ADSL modem??
If you reboot the modem do you sometimes get a different WANIP etc....
 
djferdinad
just joined
Topic Author
Posts: 17
Joined: Wed Apr 06, 2022 5:12 am

Re: 2 WAN Failover - Cloud DNS

Thu Mar 28, 2024 3:40 am

Yes, public IP from the ADSL modem.

Yes, a different public IP address every reboot or Renew.
 
anav
Forum Guru
Forum Guru
Posts: 19395
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: 2 WAN Failover - Cloud DNS

Thu Mar 28, 2024 5:40 pm

Okay so add the new config,
See if the ADSL new gateway IP gets populated in the IP routes we create......
Unplug the modem for each test.......... and plug it back in........
You will see in IP DHCP client settings, (STATUS), the new IP and new gatewayIP, then check to see if the gatewayIP migrated to the iP routes.

if not doing recursive.
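# Non-recursive variant. "CGNAT gateway IP" / "ADSL gateway IP" are placeholders; the
# ADSL one changes with every lease, which is why the DHCP-client script is needed.
# check-gateway=ping on the primary only detects a dead next hop, not a gateway that
# answers ARP/ping but has no Internet behind it.
add distance=2 check-gateway=ping dst-address=0.0.0.0/0 gateway=CGNAT gateway IP routing-table=main
add distance=4 dst-address=0.0.0.0/0 gateway=ADSL gateway IP routing-table=main
add dst-address=0.0.0.0/0 gateway=ADSL gateway IP routing-table=useWAN2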


if doing recursive
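# Recursive variant: main defaults via 1.1.1.1 / 9.9.9.9, each pinned to one ISP by a
# /32 host route, so check-gateway=ping probes the far host and a WAN whose gateway
# is alive but has no Internet drops out of the main table.
# "CGNAT gateway IP" / "ADSL gateway IP" are placeholders for the real next hops.
add distance=2 check-gateway=ping dst-address=0.0.0.0/0 gateway=1.1.1.1 scope=10 target-scope=12
add distance=2 dst-address=1.1.1.1/32 gateway=CGNAT gateway IP scope=10 target-scope=11
add distance=4 check-gateway=ping dst-address=0.0.0.0/0 gateway=9.9.9.9 scope=10 target-scope=12
add distance=4 dst-address=9.9.9.9/32 gateway=ADSL gateway IP scope=10 target-scope=11
add dst-address=0.0.0.0/0 gateway=ADSL gateway IP routing-table=useWAN2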
 
djferdinad
just joined
Topic Author
Posts: 17
Joined: Wed Apr 06, 2022 5:12 am

Re: 2 WAN Failover - Cloud DNS

Tue Apr 02, 2024 12:11 am

Hi Anav.

Sorry for the late reply.

I tried the recommendations but it is not working either.

a. The Cloud DDNS is still updating with the CGNAT IP address and not the correct "ether2-CANTV"

b. When the ADSL modem (public dynamic IP) reboots, the route table does not show the new gateway IP address. (I tried to use a script on the DHCP client but had no success either.)

Just in case attaching config.
/interface ethernet
set [ find default-name=sfp1 ] name=SFP
set [ find default-name=ether1 ] name=ether1-NetUno
set [ find default-name=ether2 ] name=ether2-CANTV
set [ find default-name=ether3 ] loop-protect=off

/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1

/disk
set sd1 type=hardware
add parent=sd1 partition-number=1 partition-offset="4 194 304" \
    partition-size="3 960 995 840" type=partition
set usb1 type=hardware

/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN

/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik

/ip hotspot profile
set [ find default=yes ] html-directory=hotspot

/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254

/ip dhcp-server
add address-pool=default-dhcp interface=bridge lease-time=23h59m59s name=\
    defconf

/port
set 0 name=serial0

# useWAN2 is the table the mangle rules below send WAN2-bound traffic into; NetUno is
# still unused.
/routing table
add disabled=no fib name=NetUno
add fib name=useWAN2

/interface bridge port
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge interface=SFP

/ip neighbor discovery-settings
set discover-interface-list=LAN

# Still bound to the WAN/LAN lists; the reply asked for these to be set to none.
/interface detect-internet
set internet-interface-list=WAN lan-interface-list=LAN wan-interface-list=WAN

/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether2-CANTV list=WAN
add interface=wireguard1 list=LAN
add interface=ether1-NetUno list=WAN

# Peer public keys are pasted unmasked here (the first export masked them). Public keys
# are not secrets, but keep the router's private key and any preshared keys out of posts.
/interface wireguard peers
add allowed-address=10.20.1.2/32 interface=wireguard1 public-key=\
    "VnTNWEPEIGe4ehffWqtG8GdIb+HKxcpSvACRekuVa1I="
add allowed-address=10.20.1.3/32 interface=wireguard1 public-key=\
    "D2bLdRCWi8QS/xznIUHNzufVZOpwX2pVdnf+0WcNr1k="

/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=10.20.1.1/24 interface=wireguard1 network=10.20.1.0

/ip cloud
set ddns-enabled=yes ddns-update-interval=5m

# Both clients now add-default-route=no; the static defaults live in /ip route.
# The ether2-CANTV script matches EVERY route with dst-address=0.0.0.0/0 - including
# the CGNAT default in main and the useWAN2 route - and rewrites their gateway to the
# ADSL address, which breaks WAN1 on every ADSL lease. Select the ADSL routes by
# comment instead (as the later reply's script does). "add-distance" is not a route
# parameter as far as this page shows; presumably distance was intended - confirm.
/ip dhcp-client
add add-default-route=no interface=ether1-NetUno use-peer-dns=no \
    use-peer-ntp=no
add add-default-route=no interface=ether2-CANTV script=":if (\$bound=1) do={/i\
    p route set [find dst-address=0.0.0.0/0] gateway=\$\"gateway-address\"  ad\
    d-distance=2}" use-peer-dns=no use-peer-ntp=no

/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.10,1.1.1.1 \
    gateway=192.168.88.1

# Remote DNS requests are still allowed; what reaches the resolver is decided by the
# input chain below.
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4

/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan

# Only MyCloud is defined now. "Access", still referenced by an input rule below, no
# longer exists in this export.
/ip firewall address-list
add address=cloud.mikrotik.com list=MyCloud
add address=cloud2.mikrotik.com list=MyCloud

/ip firewall filter
add action=accept chain=input comment="allow WireGuard" dst-port=13231 \
    protocol=udp
add action=accept chain=input comment="allow WireGuard traffic" src-address=\
    10.20.1.0/24
# src-address-list=Access refers to a list not defined in this export, so the rule
# matches nothing today. If Access is recreated with the earlier public /8 ranges it
# again opens every router service on WAN1; scope it to a dst-port and real sources.
add action=accept chain=input in-interface=ether1-NetUno src-address-list=\
    Access
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
# disabled=yes: invalid-state drops are still off (input and forward).
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid disabled=yes
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid disabled=yes
# disabled=yes: with dst-nat rules now present, this is the rule that would confine
# WAN->LAN traffic to the forwarded ports. Re-enable it.
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new disabled=yes in-interface-list=WAN

# Order matters: the router's IP Cloud update (UDP/15252 to MyCloud) is sent via
# useWAN2 before any other mangle rule can touch it.
/ip firewall mangle

add action=mark-routing chain=output dst-address-list=MyCloud dst-port=15252 \
    new-routing-mark=useWAN2 passthrough=no protocol=udp
	
# Connections that enter the router on WAN2 (e.g. WireGuard handshakes) are marked so
# the router's replies are routed through useWAN2.
add action=mark-connection chain=input connection-mark=no-mark in-interface=\
    ether2-CANTV new-connection-mark=incomingWAN2 passthrough=yes

add action=mark-routing chain=output connection-mark=incomingWAN2 \
    new-routing-mark=useWAN2 passthrough=no

# PCC rules below are still duplicated and no mark-routing rule consumes
# wan1_conn/wan2_conn, so LAN traffic is not actually split by them.
add action=accept chain=prerouting in-interface=ether1-NetUno

add action=mark-connection chain=prerouting dst-address-type=!local \
    new-connection-mark=wan1_conn passthrough=yes per-connection-classifier=\
    both-addresses-and-ports:2/0 src-address=192.168.88.0/24

add action=mark-connection chain=prerouting dst-address-type=!local \
    new-connection-mark=wan2_conn passthrough=yes per-connection-classifier=\
    both-addresses-and-ports:2/1 src-address=192.168.88.0/24

add action=accept chain=prerouting in-interface=ether1-NetUno

add action=mark-connection chain=prerouting dst-address-type=!local \
    new-connection-mark=wan1_conn passthrough=yes per-connection-classifier=\
    both-addresses-and-ports:2/0 src-address=192.168.88.0/24

add action=mark-connection chain=prerouting dst-address-type=!local \
    new-connection-mark=wan2_conn passthrough=yes per-connection-classifier=\
    both-addresses-and-ports:2/1 src-address=192.168.88.0/24

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
# Port forwards on ether1-NetUno (the CGNAT side): 23000->.252:80, 24000->.247:443,
# 25000/udp->.247:5060 (SIP), plus a disabled 10000-20000/udp range. Behind CGNAT they
# are reachable from the carrier's shared NAT segment; pair them with the forward
# "drop all from WAN not DSTNATed" rule (currently disabled) and add src-address
# restrictions where the caller set is known.
add action=dst-nat chain=dstnat dst-port=23000 in-interface=ether1-NetUno \
    protocol=tcp to-addresses=192.168.88.252 to-ports=80
add action=dst-nat chain=dstnat dst-port=24000 in-interface=ether1-NetUno \
    protocol=tcp to-addresses=192.168.88.247 to-ports=443
add action=dst-nat chain=dstnat dst-port=25000 in-interface=ether1-NetUno \
    protocol=udp to-addresses=192.168.88.247 to-ports=5060
add action=dst-nat chain=dstnat disabled=yes dst-port=10000-20000 \
    in-interface=ether1-NetUno protocol=udp to-addresses=192.168.88.247 \
    to-ports=10000-20000

# Main-table defaults: WAN1 is a static next hop 172.16.0.1 at distance 1 with no
# check-gateway, so a dead upstream with a live link is never detected - the failure
# from the opening post. WAN2 uses the interface name as gateway with no next-hop
# address; presumably this relies on the modem answering ARP for any destination -
# confirm. The recursive routes in the reply address both points.
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=172.16.0.1 \
    routing-table=main suppress-hw-offload=no
add distance=4 dst-address=0.0.0.0/0 gateway=ether2-CANTV routing-table=main
add dst-address=0.0.0.0/0 gateway=ether2-CANTV routing-table=useWAN2
 
anav
Forum Guru
Forum Guru
Posts: 19395
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: 2 WAN Failover - Cloud DNS

Tue Apr 02, 2024 2:00 am

I gauge discipline and attention to detail to get a sense of the OPs, capabilities and focus.
So far not doing so well. Not surprised there are no improvements yet.

(1) This is still not fixed. (should be NONE)
# Quoted from the OP's export: detect-internet is still bound to the WAN/LAN lists.
/interface detect-internet
set internet-interface-list=WAN lan-interface-list=LAN wan-interface-list=WAN


(2) No implementation of suggested routes???????.............

(3) Okay lets deal with mangles next.
I didn't realize you were also attempting PCC for your LAN traffic out both WANs. This has to be taken into account.
In this case please modify your mangle rules to the following......
Order counts so make sure you maintain the order and rules.

The first mangle rule should be the rule for outgoing IP CLOUD traffic from router out WAN2
# Goes under /ip firewall mangle, first in the list: the router's own IP Cloud update
# (UDP/15252 to MyCloud) is forced out WAN2 so DDNS publishes the ADSL public IP.
add chain=output protocol=udp dst-port=15252 dst-address-list=MyCloud action=mark-routing \
new-routing-mark=useWAN2 passthrough=no

A. Step One:
/ip firewall mangle ( first we ensure traffic coming in on WAN2, for the router itself aka the wireguard handshake, goes back out ISP2 )
# New connections that terminate on the router and arrive on WAN2 get incomingWAN2;
# connection-mark=no-mark leaves already-marked connections alone.
add action=mark-connection chain=input connection-mark=no-mark in-interface=\
ether2-CANTV new-connection-mark=incomingWAN2 passthrough=yes
# Replies from the router for those connections are routed through useWAN2.
add action=mark-routing chain=output connection-mark=incomingWAN2 \
new-routing-mark=useWAN2 passthrough=no


Step Two: Ensuring that Traffic coming from LAN goes out the two different ISPs using PCC
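/ip firewall mangle
# PCC: new LAN->Internet connections (not to the router itself) are split 50/50 into
# two connection marks; connection-mark=no-mark keeps marked traffic (e.g.
# incomingWAN2) untouched. A space is required before each line continuation -
# without it "no-mark" and "new-connection-mark" fuse into one token.
# NOTE(review): prerouting, where the routing mark is applied, runs before forward,
# so the first packet of a connection is routed from the main table and only later
# packets follow the mark; the usual PCC recipe marks connections in prerouting -
# confirm chain=forward is intended here.
add action=mark-connection chain=forward dst-address-type=!local connection-mark=no-mark \
new-connection-mark=wan1_conn passthrough=yes per-connection-classifier=\
both-addresses-and-ports:2/0 src-address=192.168.88.0/24
add action=mark-connection chain=forward dst-address-type=!local connection-mark=no-mark \
new-connection-mark=wan2_conn passthrough=yes per-connection-classifier=\
both-addresses-and-ports:2/1 src-address=192.168.88.0/24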
+++++++++++++++++++++++++++
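# Route by connection mark; the action is "mark-routing" ("mark-route" does not exist).
# useWAN1/useWAN2 need a default route each (listed further down) for this to work.
add action=mark-routing chain=prerouting connection-mark=wan1_conn \
new-routing-mark=useWAN1 passthrough=no
add action=mark-routing chain=prerouting connection-mark=wan2_conn \
new-routing-mark=useWAN2 passthrough=no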


IP routes can look like..

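/ip route
# Main table, recursive: defaults via 1.1.1.1 / 9.9.9.9, each pinned to one ISP by a
# /32 host route so check-gateway=ping tests real Internet reachability.
# "CGNAT gateway IP" / "current ADSL gateway IP" are placeholders. The comment
# "Secondary WAN" is what the DHCP-client script selects on, so keep it verbatim.
add distance=2 check-gateway=ping dst-address=0.0.0.0/0 gateway=1.1.1.1 scope=10 target-scope=12
add distance=2 dst-address=1.1.1.1/32 gateway=CGNAT gateway IP scope=10 target-scope=11
add distance=4 check-gateway=ping dst-address=0.0.0.0/0 gateway=9.9.9.9 scope=10 target-scope=12
add distance=4 dst-address=9.9.9.9/32 gateway=current ADSL gateway IP scope=10 target-scope=11 comment="Secondary WAN"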
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
# Per-WAN tables used by the routing marks. The useWAN2 route carries the comment
# "ADSL WAN" that the DHCP-client script matches on; the gateways are placeholders.
add dst-address=0.0.0.0/0 gateway=CGNAT gateway IP routing-table=useWAN1
add dst-address=0.0.0.0/0 gateway=current ADSL gateway IP routing-table=useWAN2 comment="ADSL WAN"


Couple of things........
# One FIB-backed table per WAN, referenced by the mark-routing rules and the routes above.
/routing table
add fib name=useWAN1
add fib name=useWAN2

Need to disable fasttrack or simply add connection-mark=no-mark......... in the forward chain firewall rules.
# Fasttracked packets skip the mangle rules, so only fasttrack connections that carry
# no mark; PCC-marked and incomingWAN2 connections keep passing through mangle.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes connection-mark=no-mark


Now finally go back to IP DHCP client for WAN2 (ADSL)
SELECT Default route=yes and put in a distance=255.

Then add this script in the DHCP Client script area:

# DHCP-client script for the ADSL interface. $bound and $"gateway-address" are supplied
# by the DHCP client; on each successful lease the two ADSL routes (found by comment)
# get the freshly learned gateway, and only if it changed (gateway!=$gw).
:if ($bound=1) do={
:local gw $"gateway-address"
/ip route set [ find comment="Secondary WAN" gateway!=$gw ] gateway=$gw
/ip route set [ find comment="ADSL WAN" gateway!=$gw ] gateway=$gw
}
 
anav
Forum Guru
Forum Guru
Posts: 19395
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: 2 WAN Failover - Cloud DNS

Tue Apr 02, 2024 2:04 am

Will need to think if there is anything required for incoming wireguard traffic, but not at the moment. I dont believe you have outgoing wireguard traffic, just traffic to the router for config purposes or do you also reach LAN devices. If so many, need access to all ???
 
djferdinad
just joined
Topic Author
Posts: 17
Joined: Wed Apr 06, 2022 5:12 am

Re: 2 WAN Failover - Cloud DNS

Fri Apr 05, 2024 6:53 am

Oh, sorry for the late reply, but what I preferred to do was reset to defaults and start from the beginning with your guidance.

I think I am getting the point now. When doing the 1st mangle rule (cloudDDNS) and marking packets to go in and out right below using the WAN2 routes then the CloudDDNS does update correctly. :-D.

I added all the mangle rules, but when this one is enabled I lose the internet connection.
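# Pasted with the hyphen lost: the parameter is new-connection-mark. The rule is
# disabled here; why enabling it cuts Internet access is not visible from this line
# alone (the mark-routing rule and the useWAN1 route it depends on are not shown).
add action=mark-connection chain=forward connection-mark=no-mark disabled=yes dst-address-type=!local new-connection-mark=wan1_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:2/0 src-address=192.168.88.0/24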
And Yes, I would like to use the VPN to access devices inside the network. But I think we can save that for some other post.
/interface list
# Interface lists referenced by the firewall filter (in-interface-list) and the
# srcnat masquerade rule (out-interface-list); membership is set further down.
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik

/ip pool
# Address pool for LAN clients on the bridge (192.168.88.0/24, router is .1).
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge lease-time=10m name=defconf

/routing table
# Per-WAN FIB tables; selected by the mangle mark-routing rules
# (new-routing-mark=useWAN1 / useWAN2) and populated in /ip route below.
add fib name=useWAN2
add fib name=useWAN1

/interface bridge port
# LAN-side ports; ether1 and ether2 are the two WAN uplinks and stay off the bridge.
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=sfp1

/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
# ether2 (ADSL) is also in WAN so that the masquerade rule and the
# "drop all from WAN not DSTNATed" forward rule cover both uplinks.
add interface=ether2 list=WAN

/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
# Tunnel address for the WireGuard interface; the input filter accepts this /24.
add address=10.20.1.1/24 interface=wireguard1 network=10.20.1.0

/ip cloud
# Cloud DDNS, refreshed every 5 minutes. The mangle output rule for the MyCloud
# address list (UDP 15252) steers these updates into the useWAN2 table so the
# public ADSL address, not the CGNAT one, is registered.
set ddns-enabled=yes ddns-update-interval=5m

/ip dhcp-client
# WAN1 (CGNAT carrier). No script here: the 1.1.1.1/32 host route and the
# useWAN1 default route below hard-code 172.16.0.1 as this gateway.
# NOTE(review): that assumes WAN1's gateway never changes — confirm, or add a
# script like the ether2 one to keep those routes in sync.
add comment=defconf interface=ether1
# WAN2 (ADSL). Distance 255 keeps the DHCP-installed default from being preferred
# in the main table; the script (escaped here, \r\n are its line breaks) re-points the
# routes commented "Secondary WAN" and "ADSL WAN" to the gateway of each new lease.
add default-route-distance=255 interface=ether2 script=":if (\$bound=1) do={\r\
    \n:local gw \$\"gateway-address\"\r\
    \n/ip route set [ find comment=\"Secondary WAN\" gateway!=\$gw ] gateway=\
    \$gw\r\
    \n/ip route set [ find comment=\"ADSL WAN\" gateway!=\$gw ] gateway=\$gw\r\
    \n}" use-peer-dns=no use-peer-ntp=no

/ip firewall address-list
# Cloud DDNS endpoints, matched by the mangle output rule that forces
# DDNS updates out via useWAN2. Hostname entries are resolved by the router's DNS.
add address=cloud.mikrotik.com list=MyCloud
add address=cloud2.mikrotik.com list=MyCloud

/ip firewall filter
# NOTE(review): no address-list named "Access" appears in this export (only MyCloud),
# so this rule matches nothing until that list exists — confirm it was only trimmed
# from the export rather than missing.
add action=accept chain=input in-interface=ether2 src-address-list=Access
# WireGuard listen port, open on every interface (the handshake itself is authenticated).
add action=accept chain=input comment="allow WireGuard" dst-port=13231 \
    protocol=udp
# Tunnel peers get unrestricted access to the router's input chain.
# NOTE(review): consider narrowing this to the services the peers need (e.g. by
# protocol/dst-port) if tunnel access is ever shared.
add action=accept chain=input comment="allow WireGuard traffic" src-address=\
    10.20.1.0/24
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
# Fasttrack is disabled so the mangle connection marks are honoured on the forward
# path; the alternative given earlier in the thread is to keep it enabled with
# connection-mark=no-mark.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related disabled=yes hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
# Applies to both uplinks because ether2 is a WAN list member.
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN

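/ip firewall mangle
# Router-originated cloud DDNS updates (UDP 15252 to the MyCloud list) are routed
# from the useWAN2 table, so the public ADSL address is registered.
add action=mark-routing chain=output dst-address-list=MyCloud dst-port=15252 \
    new-routing-mark=useWAN2 protocol=udp
# Connections that arrive on ether2 and terminate on the router are marked so that
# the router's replies (output chain, next rule) leave via useWAN2 as well.
add action=mark-connection chain=input connection-mark=no-mark in-interface=\
    ether2 new-connection-mark=incomingWAN2 passthrough=yes
add action=mark-routing chain=output connection-mark=incomingWAN2 \
    new-routing-mark=useWAN2
# PCC split of new LAN connections: 2/0 half -> wan1_conn, 2/1 half -> wan2_conn.
# The wan1_conn rule is disabled (the poster reports losing connectivity when it is
# enabled); while disabled, the 2/0 half stays unmarked and is routed from main.
add action=mark-connection chain=forward connection-mark=no-mark disabled=yes \
    dst-address-type=!local new-connection-mark=wan1_conn passthrough=yes \
    per-connection-classifier=both-addresses-and-ports:2/0 src-address=\
    192.168.88.0/24
add action=mark-connection chain=forward connection-mark=no-mark \
    dst-address-type=!local new-connection-mark=wan2_conn passthrough=yes \
    per-connection-classifier=both-addresses-and-ports:2/1 src-address=\
    192.168.88.0/24
# Route marked connections from the matching table. passthrough=no stops mangle
# processing here, so a second identical pair of these rules (present in the
# original export) could never match and has been dropped.
add action=mark-routing chain=prerouting connection-mark=wan1_conn \
    new-routing-mark=useWAN1 passthrough=no
add action=mark-routing chain=prerouting connection-mark=wan2_conn \
    new-routing-mark=useWAN2 passthrough=no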
/ip firewall nat
# Masquerade on both uplinks (ether1 and ether2 are WAN list members).
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN

/ip route
# useWAN2 default via the ADSL gateway; the gateway is kept current by the
# ether2 DHCP-client script (matched on comment="ADSL WAN").
add comment="ADSL WAN" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    190.203.32.1 pref-src="" routing-table=useWAN2 scope=30 \
    suppress-hw-offload=no target-scope=10
# WAN1 recursive default (distance 2): the gateway is 1.1.1.1, reached through the
# host route below via 172.16.0.1, and check-gateway=ping probes 1.1.1.1 itself, so
# a dead carrier link with a live local gateway is still detected.
add check-gateway=ping disabled=no distance=2 dst-address=0.0.0.0/0 gateway=\
    1.1.1.1 pref-src="" routing-table=main scope=10 suppress-hw-offload=no \
    target-scope=12
# Hard-coded WAN1 gateway; nothing updates this route if the DHCP lease changes.
add disabled=no distance=2 dst-address=1.1.1.1/32 gateway=172.16.0.1 \
    pref-src="" routing-table=main scope=10 suppress-hw-offload=no \
    target-scope=11
# WAN2 recursive default (distance 4): takes over in the main table when the
# WAN1 default becomes inactive.
add check-gateway=ping disabled=no distance=4 dst-address=0.0.0.0/0 gateway=\
    9.9.9.9 pref-src="" routing-table=main scope=10 suppress-hw-offload=no \
    target-scope=12
# Host route for the WAN2 probe target; gateway maintained by the DHCP script
# (comment="Secondary WAN").
add comment="Secondary WAN" distance=4 dst-address=9.9.9.9/32 gateway=\
    190.203.32.1 scope=10 target-scope=11
# useWAN1 default, hard-coded gateway and no check-gateway.
# NOTE(review): wan1_conn-marked traffic has no failover here — if WAN1 dies this
# route stays active; consider check-gateway=ping so the lookup can fall back.
add dst-address=0.0.0.0/0 gateway=172.16.0.1 routing-table=useWAN1
# Second default in useWAN2 at the same distance but a different gateway and no
# comment, so the DHCP script never updates it.
# NOTE(review): looks like a leftover from an earlier ADSL lease — confirm and
# remove, otherwise useWAN2 traffic may be split with a stale gateway.
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=201.249.0.1 \
    routing-table=useWAN2 suppress-hw-offload=no
