2 Wan Failover

Anyone who can assist in configuring WAN failover in Mikrotik RouterOS 6.48.3 # model = 2011UiAS
We have isp 1 (main) isp 2 (backup) port 1 & 2 respectively. Our internal lan has vlans 10, 20, 30, 40& 50. All to be connected to mikrotik as a trunk port from a cisco switch. Both Isp have CPE in our premises and we would like the failover to check connectivity to internet (past the cpe) units, also ISPs are not of equal speeds one is fiber and other is LTE connection. Both isp have static ip assigned to us.
Isp 1=192.168.200.114/30 gateway .113
Isp 2= 192.168.210.2/24() gateway .1
Vlan 10 = 192.168.10.1/24
Vlan 20 = 192.168.20.1/24
Vlan 30 = 192.168.30.1/24
Vlan 40 = 192.168.40.1/24
Vlan 50 = 192.168.50.1/24
All vlan networks default gateway is .1
mikrotik trunk port is ether 4

I hope I have given all details required for this set up.

Any assistance will be highly appreciated.
Thank you.


Edwahi.

Yoiu provide too much detail, why WAN failover can be influenced from VLANs?
Are the 2nd gateway simple a failover or not?

/ip dns
set servers=1.1.1.1,8.8.8.8

/ip route
add comment="A - 1.1.1.1 must be reachable only from ISP1" distance=1 dst-address=1.1.1.1/32 gateway=192.168.200.113 scope=10
add comment="B - Recursive Routing, check ping 1.1.1.1 instead of ISP IP" distance=10 gateway=1.1.1.1 check-gateway=ping
add comment="C - ISP2 is alternative Gateway" distance=20 gateway=192.168.210.1

As rextended asked.

1. Which ISP connection is supposed to the be primary and secondary? ( assumes you dont want users/vlans to use both ISP in some sort of sharing fashion, both being used).
2. In the case of lets say ISP1 being the primary, is it good enough that we are checking its internet connection lets say through two DNS sites, and if not available switch to ISP2.
   In other words, not necessary to check Secondary ISP recursively because as soon as Primary ISP comes back on line will switch back anyway.
3. Are there any specific vlans that should go out a specific ISP that is different from the PRIMARY?

@ rextended
My modifications adding second internet site to check, plus I never use distance=1 in case I want to add something else in front…
My main concern is that you have a distance of 1 and a distance of 10 for the same rule combination… no need they should be the same!
ip route
add comment=“A - 1.1.1.1 must be reachable only from ISP1” distance=1 dst-address=1.1.1.1/32 gateway=192.168.200.113 scope=10
add comment=“B - Recursive Routing, check ping 1.1.1.1 instead of ISP IP” distance=10 gateway=1.1.1.1 check-gateway=ping



/ip route
add comment=“A1- 1.1.1.1 must be reachable only from PrimaryISP” distance=5 dst-address=1.1.1.1/32 gateway=192.168.200.113 scope=10
add comment=“A2- 9.9.9.9 must be reachable only from PrimaryISP” distance=10 dst-address=9.9.9.9/32 gateway=192.168.200.113 scope=10
add comment=“B1 - Recursive Routing, check ping 1.1.1.1 instead of PrimaryISP” distance=5 gateway=1.1.1.1 check-gateway=ping
add comment=“B2 - Recursive Routing check ping 9.9.9.9 instead of PrimaryISP” distance=10 gateway=9.9.9.9 check-gateway=ping
add comment=“C - ISP2 is alternative Gateway” distance=20 gateway=192.168.210.1

Isp 1= main
Isp 2= backup
All vlans should use one ISP

You have been given examples, what doesnt work?

dear Anav,
when isp1 is down still i cannot get internet from isp2
below is my config

/ip dns
set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall address-list
add address=192.168.70.0/24 list=LAN_USERS
add address=192.168.10.0/24 list=LAN_USERS
add address=192.168.1.0/24 list=LAN_USERS
add address=192.168.20.0/24 list=LAN_USERS
add address=192.168.30.0/24 list=LAN_USERS
add address=192.168.40.0/24 list=LAN_USERS
add address=192.168.88.0/24 list=LAN_USERS
add address=192.168.80.0/24 list=LAN_USERS
add address=192.168.210.0/24 list=WAN_LIST
add address=196.x.x.x/30 list=WAN_LIST
/ip firewall filter
add action=accept chain=input comment=“defconf: accept established,related,untracked” connection-state=established,related,untracked
add action=drop chain=input comment=“defconf: drop invalid” connection-state=invalid
add action=accept chain=input comment=“defconf: accept ICMP” protocol=icmp
add action=accept chain=input comment=“defconf: accept to local loopback (for CAPsMAN)” dst-address=127.0.0.1
add action=drop chain=input comment=“defconf: drop all not coming from LAN” in-interface-list=!LAN
add action=accept chain=forward comment=“defconf: accept in ipsec policy” ipsec-policy=in,ipsec
add action=accept chain=forward comment=“defconf: accept out ipsec policy” ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment=“defconf: fasttrack” connection-state=established,related
add action=accept chain=forward comment=“defconf: accept established,related, untracked” connection-state=established,related,untracked
add action=drop chain=forward comment=“defconf: drop invalid” connection-state=invalid
add action=drop chain=forward comment=“defconf: drop all from WAN not DSTNATed” connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=accept chain=prerouting dst-address=196.x.x.x/30 src-address-list=LAN_USERS
add action=accept chain=prerouting dst-address=192.x.x.0/24 src-address-list=LAN_USERS
/ip firewall nat
add action=masquerade chain=srcnat comment=“defconf: masquerade” ipsec-policy=out,none out-interface=ether1-WAN1
add action=masquerade chain=srcnat out-interface=ether2-WAN2
/ip route
add check-gateway=ping comment=“B1 - Recursive Routing, check ping 1.1.1.1 instead of PrimaryISP” distance=5 gateway=1.1.1.1
add check-gateway=ping comment=“B2 - Recursive Routing check ping 9.9.9.9 instead of PrimaryISP” distance=10 gateway=9.9.9.9
add comment=“C - ISP2 is alternative Gateway” distance=20 gateway=192.168.210.1
add comment=“A1- 1.1.1.1 must be reachable only from PrimaryISP” distance=5 dst-address=1.1.1.1/32 gateway=196.x.x.x scope=10
add comment=“A2- 9.9.9.9 must be reachable only from PrimaryISP” distance=10 dst-address=9.9.9.9/32 gateway=196.x.x.x scope=10

Not the full config unfortunately
/export hide-sensitive file=anynameyouwish

I dont see anything really wrong with your route setup…

Here is my setup which works.
ip route
add comment=SecondaryWAN distance=10 gateway=aa.bbb.cc.1
add check-gateway=ping distance=3 gateway=1.0.0.1
add check-gateway=ping distance=4 gateway=9.9.9.9
add comment=PrimaryRecursive distance=3 dst-address=1.0.0.1/32 gateway=
xx.yy.zz.1 scope=10
add comment=SecondaryRecursive distance=4 dst-address=9.9.9.9/32 gateway=
xx.yy.zz.1 scope=10

wan_failover.rsc (7.05 KB)

Change ether4 to bridge!
/interface vlan
add interface=ether4 name=vlan5 vlan-id=5
add interface=ether4 name=vlan10 vlan-id=10
add interface=ether4 name=vlan20 vlan-id=20
add interface=ether4 name=vlan30 vlan-id=30
add interface=ether4 name=vlan40 vlan-id=40
add interface=ether4 name=vlan70 vlan-id=70
add interface=ether4 name=vlan80 vlan-id=80

You have 7 vlans and 9 ip pools DISCONNECT?
Okay I see what you are doing, you have one pool for the bridge, 7, for vlans,
and a MISTAKEN DUPLICATE (two bridge pools), one needs to be removed.

In general I recommend creating a VLAN and not an open subnet as you have on bridge.
In other words, the bridge does no DHCP should just provide ports etc…

Bridge ports, assuming ether 3-5 and wlan are all trunk ports going to “smart” devices that can read vlan tags??
Typically if the WLAN port is on the router itself then the bridge port would look like

add bridge=bridge interface=wlan1 pvid=xx ingress-filtering=yes allow priority and untagged frames only (where xx, is the vlan you are using for wifi)


Okay ether5 is its own Subnet, but you have it as part of the bridge, so another CONFLICT
You have the ether 5 on the bridge but you have the bridge the same address…
What are you doing??

Get rid of those mangle rules for now… no purpose
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++

In summary, you need to show in a network diagram what are the purpose of your ports including wlan port.
what vlans are supposed to go through those ports… and what are the ports connected to.
I think this is the issue, not your routes.

Guessing I would say that ether5 is something separate than the rest, what is it for?
Why do you have the bridge giving out DHCP, what is that for?

Answering those two questions will allow for a cleaner setup.
What you should do is define one or more vlans along with the 7 you have if you have one or two more groups of users you want to reach.
let me know and we can clean up this config very quickly.