Advanced Routing Failover without Scripting

Thank you for your answers!
I still have some doubts:


I don’t have too much experience with marking packets; I understand the concept a little bit though. Some time ago I used it for some queues.
Can a packet have 2 routing marks? If not, then I don’t get it: what would be the point of marking packets with a routing mark? Wouldn’t that be something like a load balance to split the traffic between the two WANs? Or, how should I manage it so all traffic goes to one route or the other when the check gateway fails?


Thanks, I’ll include that!


Roger that!! I think “automagic” recursive routes will do the job, and I also used it some years ago to fail over between links to a set of servers, not the whole internet. At that time, I didn’t use routing marks though.

Another comment:
I remember having some troubles back then with check-gateway=ping, and if I remember correctly, what I did was set the pref. source field to the specific IP address from which the check ping should be generated.
Just out of curiosity, and based on your comment.. I don’t know if that is an alternative to

Thank you again for your help!
SN

Again, please define your goal first. If you need failover, then just don’t use routing marks. For load balancing, you mark some packets with the ISP1 mark and others with the ISP2 mark. After that they go to the necessary uplinks.

That can be necessary if your connected route for the gateway has different pref. src for some reason.
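
To make the failover-only case concrete, here is an added configuration example (not from this thread and not the wiki page’s own text) for two WANs using recursive gateways and no routing marks, in RouterOS v6 command syntax. It assumes the addressing that appears in the later posts: WAN1 modem 192.168.10.1 on ether7, WAN2 modem 192.168.15.1 on ether6; 8.8.8.8 and 8.8.4.4 are used only as reachability probes.

```routeros
# Added example, not from the original thread. RouterOS v6 syntax.
# Assumed topology (taken from the later posts in this thread):
#   WAN1 modem 192.168.10.1 on ether7, WAN2 modem 192.168.15.1 on ether6.
# 8.8.8.8 / 8.8.4.4 are probe targets only; pick hosts you are allowed to ping.

/ip route
# Host routes that pin each probe to exactly one WAN. scope=10 makes them
# usable as next-hop resolvers for the default routes below (target-scope=10).
add dst-address=8.8.8.8/32 gateway=192.168.10.1 scope=10 target-scope=10 \
    comment="probe for WAN1"
add dst-address=8.8.4.4/32 gateway=192.168.15.1 scope=10 target-scope=10 \
    comment="probe for WAN2"

# Guard blackholes at a worse distance: while a host route is active it wins,
# but once that host route goes inactive (modem or link down) the /32 blackhole
# takes over, so the probe can never be resolved or reached through the other
# WAN. Without it a dead WAN could look alive if its probe becomes reachable
# via the surviving default route (for example when default routes are given
# scope=10, as in the tables posted later in this thread).
add dst-address=8.8.8.8/32 type=blackhole distance=20 comment="WAN1 probe guard"
add dst-address=8.8.4.4/32 type=blackhole distance=20 comment="WAN2 probe guard"

# Default routes whose gateway is NOT directly connected. The router resolves
# 8.8.8.8 recursively through the host route above, and check-gateway=ping
# pings 8.8.8.8 over that path only, so the route stays active only while
# WAN1 can actually reach the internet, not merely its modem.
add dst-address=0.0.0.0/0 gateway=8.8.8.8 distance=1 scope=30 target-scope=10 \
    check-gateway=ping comment="primary via WAN1"
add dst-address=0.0.0.0/0 gateway=8.8.4.4 distance=2 scope=30 target-scope=10 \
    check-gateway=ping comment="backup via WAN2"

/ip firewall nat
add chain=srcnat out-interface=ether7 action=masquerade
add chain=srcnat out-interface=ether6 action=masquerade
```

Verify with `/ip route print detail`: the primary default route should show `gateway-status=8.8.8.8 recursive via 192.168.10.1 ether7`; after pulling ether7 it should become `unreachable` and the backup route should gain the `A` flag. Existing connections that were masqueraded out ether7 keep their connection-tracking entry until it expires, so test the switchover with a new connection.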

I have tried this method of load balancing with fail over.
While I am able to load balance successfully (WAN1 without any routing marks, but WAN2 with routing mark to_WAN2), using address lists and mangle I now have most traffic on WAN1 but 2 devices on WAN2.

When WAN1 or WAN2 is power cycled, the recursive message changes to the alternative WAN IP address but the corresponding rule does not activate. What I mean is: of the 4 routes, with 2 active (the default routes), only those routes change their recursive nature. The backup routes NEVER become active.

Also, traffic does not appear to swap WAN.

WAN1 = 192.168.10.1 modem ether7
WAN2 = 192.168.15.1 modem ether6

Initially WAN1 is recursive on 192.168.10.1. When power cycled, this then changes to 192.168.15.1, but traffic does not flow.

Any ideas?

dave864:

Sorry, the glass ball broke; this post exists to archive the documentation page from the wiki.
It works properly in many of my MultiWAN situations. About LB…

I really recommend learning and doing this HowTo, which has the best way to use many WANs at once.
Next you can use any method (netwatch/script/PCC etc.) just to steer the outgoing traffic; then this is small stuff.

Bandwidth-based load-balancing with failover. This presentation also covers Mangle.
This was presented at the MUM (MikroTik User Meeting) in New Orleans, USA.
Tomas Kirnak - YouTube: https://www.youtube.com/watch?v=67Dna_ffCvc&t=1s
http://mum.mikrotik.com/presentations/US12/tomas.pdf

And Recursive Routing is a good way to automate wan detection.

WAN2 have a connection mark.
WAN1 does not. Could that be the source of the problem you think?

“/ip route print detail” can shed some light on what’s happening, after that we can explain if something goes wrong or happens as expected

I had changed WAN1 to now be fully conn marked. So now both WAN1 & WAN2 devices have conn marks. I obviously have the route marks set in mangle too.
Today I had an outage on WAN1. I turned WAN1 off and all the WAN1 devices did not switch over. The route did change to the backup. However, a dynamic rule was created. I deleted the dynamic rule and still had no connectivity on WAN1 devices. It wasn’t vital and the outage lasted only an hour, so I left it.

Flags: X - disabled, A - active, D - dynamic, 
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
 0 X S  ;;; Local LTE
        dst-address=0.0.0.0/0 gateway=192.168.42.129 
        gateway-status=192.168.42.129 inactive check-gateway=ping distance=2 
        scope=30 target-scope=10 routing-mark=to_ISP2 

 1 A S  ;;; DEFAULT route for WAN2 devices to WAN2
        dst-address=0.0.0.0/0 gateway=8.8.4.4 
        gateway-status=8.8.4.4 recursive via 192.168.15.1 ether6 
        check-gateway=ping distance=1 scope=10 target-scope=10 
        routing-mark=to_WAN2 

 2   S  ;;; backup route for WAN2 devices to WAN1
        dst-address=0.0.0.0/0 gateway=8.8.8.8 
        gateway-status=8.8.8.8 recursive via 192.168.10.1 ether7 
        check-gateway=ping distance=2 scope=10 target-scope=10 
        routing-mark=to_WAN2 

 3 X S  ;;; WAN2 Default
        dst-address=0.0.0.0/0 gateway=192.168.15.1 
        gateway-status=192.168.15.1 inactive check-gateway=ping distance=1 
        scope=10 target-scope=30 routing-mark=to_WAN2 

 4 X S  ;;; WAN2 backup
        dst-address=0.0.0.0/0 gateway=192.168.10.1 
        gateway-status=192.168.10.1 inactive check-gateway=ping distance=2 
        scope=10 target-scope=30 routing-mark=to_WAN2 

 5 A S  ;;; DEFAULT route for WAN1 devices to WAN1
        dst-address=0.0.0.0/0 gateway=8.8.8.8 
        gateway-status=8.8.8.8 recursive via 192.168.10.1 ether7 
        check-gateway=ping distance=1 scope=10 target-scope=10 
        routing-mark=to_WAN1 

 6   S  ;;; backup route for WAN1 devices to WAN2
        dst-address=0.0.0.0/0 gateway=8.8.4.4 
        gateway-status=8.8.4.4 recursive via 192.168.15.1 ether6 
        check-gateway=ping distance=2 scope=10 target-scope=10 
        routing-mark=to_WAN1 

 7 ADS  dst-address=0.0.0.0/0 gateway=192.168.15.1 
        gateway-status=192.168.15.1 reachable via  ether6 distance=1 scope=30

I removed the DAS dynamic entry again. This happens whenever a connection drops.
Now I get this:

 0 X S  ;;; Local LTE
        dst-address=0.0.0.0/0 gateway=192.168.42.129 gateway-status=192.168.42.129 inactive check-gateway=ping distance=2 
        scope=30 target-scope=10 routing-mark=to_ISP2 

 1 A S  ;;; DEFAULT route for WAN2 devices to WAN2
        dst-address=0.0.0.0/0 gateway=8.8.4.4 gateway-status=8.8.4.4 recursive via 192.168.15.1 ether6 check-gateway=ping 
        distance=1 scope=10 target-scope=10 routing-mark=to_WAN2 

 2   S  ;;; backup route for WAN2 devices to WAN1
        dst-address=0.0.0.0/0 gateway=8.8.8.8 gateway-status=8.8.8.8 recursive via 192.168.10.1 ether7 check-gateway=ping 
        distance=2 scope=10 target-scope=10 routing-mark=to_WAN2 

 3 X S  ;;; WAN2 Default
        dst-address=0.0.0.0/0 gateway=192.168.15.1 gateway-status=192.168.15.1 inactive check-gateway=ping distance=1 
        scope=10 target-scope=30 routing-mark=to_WAN2 

 4 X S  ;;; WAN2 backup
        dst-address=0.0.0.0/0 gateway=192.168.10.1 gateway-status=192.168.10.1 inactive check-gateway=ping distance=2 
        scope=10 target-scope=30 routing-mark=to_WAN2 

 5 A S  ;;; DEFAULT route for WAN1 devices to WAN1
        dst-address=0.0.0.0/0 gateway=8.8.8.8 gateway-status=8.8.8.8 recursive via 192.168.10.1 ether7 check-gateway=ping 
        distance=1 scope=10 target-scope=10 routing-mark=to_WAN1 

 6   S  ;;; backup route for WAN1 devices to WAN2
        dst-address=0.0.0.0/0 gateway=8.8.4.4 gateway-status=8.8.4.4 recursive via 192.168.15.1 ether6 check-gateway=ping 
        distance=2 scope=10 target-scope=10 routing-mark=to_WAN1 

 7 X S  ;;; WAN1 backup
        dst-address=0.0.0.0/0 gateway=192.168.15.1 gateway-status=192.168.15.1 inactive check-gateway=ping distance=2 
        scope=10 target-scope=30 

 8 X S  ;;; WAN1 default
        dst-address=0.0.0.0/0 gateway=192.168.10.1 gateway-status=192.168.10.1 inactive check-gateway=ping distance=1 
        scope=10 target-scope=30 

 9 A S  ;;; Ping target 2 on WAN2
        dst-address=8.8.4.4/32 gateway=192.168.15.1 gateway-status=192.168.15.1 reachable via  ether6 distance=1 scope=10 
        target-scope=10 

10 X SB ;;; Blackhole Ping target2 fix
        dst-address=8.8.4.4/32 type=blackhole distance=20

So, what routing mark are we discussing? I don’t know your marking rules.

to_WAN1 and to_WAN2

So I have removed the old testing rules. Everything listed is used except the LTE rule 0, and currently the blackholes are not active.

 0 X S  ;;; Local LTE
        dst-address=0.0.0.0/0 gateway=192.168.42.129 gateway-status=192.168.42.129 inactive check-gateway=
        scope=30 target-scope=10 routing-mark=to_ISP2 

 1 A S  ;;; DEFAULT route for WAN2 devices to WAN2
        dst-address=0.0.0.0/0 gateway=8.8.4.4 gateway-status=8.8.4.4 recursive via 192.168.15.1 ether6 che
        distance=1 scope=10 target-scope=10 routing-mark=to_WAN2 

 2   S  ;;; backup route for WAN2 devices to WAN1
        dst-address=0.0.0.0/0 gateway=8.8.8.8 gateway-status=8.8.8.8 recursive via 192.168.10.1 ether7 che
        distance=2 scope=10 target-scope=10 routing-mark=to_WAN2 

 3 A S  ;;; DEFAULT route for WAN1 devices to WAN1
        dst-address=0.0.0.0/0 gateway=8.8.8.8 gateway-status=8.8.8.8 recursive via 192.168.10.1 ether7 che
        distance=1 scope=10 target-scope=10 routing-mark=to_WAN1 

 4   S  ;;; backup route for WAN1 devices to WAN2
        dst-address=0.0.0.0/0 gateway=8.8.4.4 gateway-status=8.8.4.4 recursive via 192.168.15.1 ether6 che
        distance=2 scope=10 target-scope=10 routing-mark=to_WAN1 

 5 A S  ;;; Ping target 2 on WAN2
        dst-address=8.8.4.4/32 gateway=192.168.15.1 gateway-status=192.168.15.1 reachable via  ether6 dist
        target-scope=10 

 6 X SB ;;; Blackhole Ping target2 fix
        dst-address=8.8.4.4/32 type=blackhole distance=20 

 7 A S  ;;; Ping target 1 on WAN1
        dst-address=8.8.8.8/32 gateway=192.168.10.1 gateway-status=192.168.10.1 reachable via  ether7 dist
        target-scope=10 

 8 X SB ;;; Blackhole Ping target1 fix
        dst-address=8.8.8.8/32 type=blackhole distance=20 

 9 ADC  dst-address=192.168.10.0/24 pref-src=192.168.10.10 gateway=ether7 gateway-status=ether7 reachable 

10 ADC  dst-address=192.168.15.0/24 pref-src=192.168.15.254 gateway=ether6 gateway-status=ether6 reachable
        scope=10 

11  DC  dst-address=192.168.40.0/24 pref-src=192.168.40.1 gateway=sfp-sfpplus1 gateway-status=sfp-sfpplus1
        distance=255 scope=10

In that state to_WAN1 traffic goes to 192.168.10.1 ether7, to_WAN2 traffic goes to 192.168.15.1 ether6 - is that what you expect?

Yes, that is correct.
For to_WAN1, when the modem on ether7 goes down I expect it to switch to ether6. While that does happen in the router, an additional dynamic rule is created, and the traffic does not actually flow to ether6. When I delete the dynamic rule, traffic still does not flow.

By dynamic, I mean an automatically generated rule. Those are represented as rules with the D status flag.

What rule? What’s /ip route print detail at that moment?

Normal: WAN1 and WAN2 working

 0 X S  ;;; Local LTE
        dst-address=0.0.0.0/0 gateway=192.168.42.129 gateway-status=192.168.42.129 inactive check-gateway=ping distance=2 scope=30 target-scope=10 
        routing-mark=to_ISP2 

 1 A S  ;;; DEFAULT route for WAN2 devices to WAN2
        dst-address=0.0.0.0/0 gateway=8.8.4.4 gateway-status=8.8.4.4 recursive via 192.168.15.1 ether6 check-gateway=ping distance=1 scope=10 
        target-scope=10 routing-mark=to_WAN2 

 2   S  ;;; backup route for WAN2 devices to WAN1
        dst-address=0.0.0.0/0 gateway=8.8.8.8 gateway-status=8.8.8.8 recursive via 192.168.10.1 ether7 check-gateway=ping distance=2 scope=10 
        target-scope=10 routing-mark=to_WAN2 

 3 A S  ;;; DEFAULT route for WAN1 devices to WAN1
        dst-address=0.0.0.0/0 gateway=8.8.8.8 gateway-status=8.8.8.8 recursive via 192.168.10.1 ether7 check-gateway=ping distance=1 scope=10 
        target-scope=10 routing-mark=to_WAN1 

 4   S  ;;; backup route for WAN1 devices to WAN2
        dst-address=0.0.0.0/0 gateway=8.8.4.4 gateway-status=8.8.4.4 recursive via 192.168.15.1 ether6 check-gateway=ping distance=2 scope=10 
        target-scope=10 routing-mark=to_WAN1 

 5 A S  ;;; Ping target 2 on WAN2
        dst-address=8.8.4.4/32 gateway=192.168.15.1 gateway-status=192.168.15.1 reachable via  ether6 distance=1 scope=10 target-scope=10 

 6 X SB ;;; Blackhole Ping target2 fix
        dst-address=8.8.4.4/32 type=blackhole distance=20 

 7 A S  ;;; Ping target 1 on WAN1
        dst-address=8.8.8.8/32 gateway=192.168.10.1 gateway-status=192.168.10.1 reachable via  ether7 distance=1 scope=10 target-scope=10 

 8 X SB ;;; Blackhole Ping target1 fix
        dst-address=8.8.8.8/32 type=blackhole distance=20 

 9 ADC  dst-address=192.168.10.0/24 pref-src=192.168.10.10 gateway=ether7 gateway-status=ether7 reachable distance=0 scope=10 

10 ADC  dst-address=192.168.15.0/24 pref-src=192.168.15.254 gateway=ether6 gateway-status=ether6 reachable distance=0 scope=10 

11  DC  dst-address=192.168.40.0/24 pref-src=192.168.40.1 gateway=sfp-sfpplus1 gateway-status=sfp-sfpplus1 unreachable distance=255 scope=10 

12 ADC  dst-address=192.168.50.0/24 pref-src=192.168.50.1 gateway=bridge1 gateway-status=bridge1 reachable distance=0 scope=10 

13  DC  dst-address=192.168.51.0/24 pref-src=192.168.51.1 gateway=ether5 gateway-status=ether5 unreachable distance=255 scope=10

Then WAN1 dead, note that the routes switch from DEFAULT to Backup for WAN1 but no to_WAN1 data flows through WAN2:

 0 X S  ;;; Local LTE
        dst-address=0.0.0.0/0 gateway=192.168.42.129 gateway-status=192.168.42.129 inactive check-gateway=ping distance=2 scope=30 target-scope=10 
        routing-mark=to_ISP2 

 1 A S  ;;; DEFAULT route for WAN2 devices to WAN2
        dst-address=0.0.0.0/0 gateway=8.8.4.4 gateway-status=8.8.4.4 recursive via 192.168.15.1 ether6 check-gateway=ping distance=1 scope=10 
        target-scope=10 routing-mark=to_WAN2 

 2   S  ;;; backup route for WAN2 devices to WAN1
        dst-address=0.0.0.0/0 gateway=8.8.8.8 gateway-status=8.8.8.8 unreachable check-gateway=ping distance=2 scope=10 target-scope=10 
        routing-mark=to_WAN2 

 3   S  ;;; DEFAULT route for WAN1 devices to WAN1
        dst-address=0.0.0.0/0 gateway=8.8.8.8 gateway-status=8.8.8.8 unreachable check-gateway=ping distance=1 scope=10 target-scope=10 
        routing-mark=to_WAN1 

 4 A S  ;;; backup route for WAN1 devices to WAN2
        dst-address=0.0.0.0/0 gateway=8.8.4.4 gateway-status=8.8.4.4 recursive via 192.168.15.1 ether6 check-gateway=ping distance=2 scope=10 
        target-scope=10 routing-mark=to_WAN1 

 5 A S  ;;; Ping target 2 on WAN2
        dst-address=8.8.4.4/32 gateway=192.168.15.1 gateway-status=192.168.15.1 reachable via  ether6 distance=1 scope=10 target-scope=10 

 6 X SB ;;; Blackhole Ping target2 fix
        dst-address=8.8.4.4/32 type=blackhole distance=20 

 7   S  ;;; Ping target 1 on WAN1
        dst-address=8.8.8.8/32 gateway=192.168.10.1 gateway-status=192.168.10.1 unreachable distance=1 scope=10 target-scope=10 

 8 X SB ;;; Blackhole Ping target1 fix
        dst-address=8.8.8.8/32 type=blackhole distance=20 

 9 ADC  dst-address=192.168.15.0/24 pref-src=192.168.15.254 gateway=ether6 gateway-status=ether6 reachable distance=0 scope=10 

10  DC  dst-address=192.168.40.0/24 pref-src=192.168.40.1 gateway=sfp-sfpplus1 gateway-status=sfp-sfpplus1 unreachable distance=255 scope=10 

11 ADC  dst-address=192.168.50.0/24 pref-src=192.168.50.1 gateway=bridge1 gateway-status=bridge1 reachable distance=0 scope=10 

12  DC  dst-address=192.168.51.0/24 pref-src=192.168.51.1 gateway=ether5 gateway-status=ether5 unreachable distance=255 scope=10 

13  DC  dst-address=192.168.80.0/24 pref-src=192.168.80.1 gateway=ether8 gateway-status=ether8 unreachable distance=255 scope=10

Now WAN1 back online, note the automatic rule (rule number 5):

 0 X S  ;;; Local LTE
        dst-address=0.0.0.0/0 gateway=192.168.42.129 gateway-status=192.168.42.129 inactive check-gateway=ping distance=2 scope=30 target-scope=10 
        routing-mark=to_ISP2 

 1 A S  ;;; DEFAULT route for WAN2 devices to WAN2
        dst-address=0.0.0.0/0 gateway=8.8.4.4 gateway-status=8.8.4.4 recursive via 192.168.15.1 ether6 check-gateway=ping distance=1 scope=10 
        target-scope=10 routing-mark=to_WAN2 

 2   S  ;;; backup route for WAN2 devices to WAN1
        dst-address=0.0.0.0/0 gateway=8.8.8.8 gateway-status=8.8.8.8 recursive via 192.168.10.1 ether7 check-gateway=ping distance=2 scope=10 
        target-scope=10 routing-mark=to_WAN2 

 3 A S  ;;; DEFAULT route for WAN1 devices to WAN1
        dst-address=0.0.0.0/0 gateway=8.8.8.8 gateway-status=8.8.8.8 recursive via 192.168.10.1 ether7 check-gateway=ping distance=1 scope=10 
        target-scope=10 routing-mark=to_WAN1 

 4   S  ;;; backup route for WAN1 devices to WAN2
        dst-address=0.0.0.0/0 gateway=8.8.4.4 gateway-status=8.8.4.4 recursive via 192.168.15.1 ether6 check-gateway=ping distance=2 scope=10 
        target-scope=10 routing-mark=to_WAN1 

 5 ADS  dst-address=0.0.0.0/0 gateway=192.168.10.1 gateway-status=192.168.10.1 reachable via  ether7 distance=1 scope=30 target-scope=10 
        vrf-interface=ether7 

 6 A S  ;;; Ping target 2 on WAN2
        dst-address=8.8.4.4/32 gateway=192.168.15.1 gateway-status=192.168.15.1 reachable via  ether6 distance=1 scope=10 target-scope=10 

 7 X SB ;;; Blackhole Ping target2 fix
        dst-address=8.8.4.4/32 type=blackhole distance=20 

 8 A S  ;;; Ping target 1 on WAN1
        dst-address=8.8.8.8/32 gateway=192.168.10.1 gateway-status=192.168.10.1 reachable via  ether7 distance=1 scope=10 target-scope=10 

 9 X SB ;;; Blackhole Ping target1 fix
        dst-address=8.8.8.8/32 type=blackhole distance=20 

10 ADC  dst-address=192.168.10.0/24 pref-src=192.168.10.10 gateway=ether7 gateway-status=ether7 reachable distance=0 scope=10 

11 ADC  dst-address=192.168.15.0/24 pref-src=192.168.15.254 gateway=ether6 gateway-status=ether6 reachable distance=0 scope=10 

12  DC  dst-address=192.168.40.0/24 pref-src=192.168.40.1 gateway=sfp-sfpplus1 gateway-status=sfp-sfpplus1 unreachable distance=255 scope=10 

13 ADC  dst-address=192.168.50.0/24 pref-src=192.168.50.1 gateway=bridge1 gateway-status=bridge1 reachable distance=0 scope=10

Do you use VRF there?..

no to_WAN1 data flows through WAN2
What error does, for example, ‘ping’ return on the client? Is it timeout? Did you check where actually packets marked as to_WAN1 go?

No idea what VRF is. I do not use BGP or anything. This router is in my house, I plugged 2 mobile broadband devices into it using Ethernet (1x Chateau, 1x Huawei). I no longer have a fixed line broadband.

All WAN1 traffic is conn tracked to WAN1conn and all WAN2 traffic is conn tracked to WAN2conn. All DNS goes to the respective conn track.

All devices except 3-4 are on WAN1. This is set using an address list. Mangle does this, grabbing all addresses on 192.168.50.x (my LAN) except those in the address list to_WAN2list. Therefore, all device IPs not on to_WAN2list are listed as to_WAN1list. This works and I can see all that happening.

I have src-nat on ether7 and ether6 with no route marking.

using various “what is my ip” websites, I have confirmed that devices are exposed to the correct mobile address.

I am assuming that the scope and target scope are correct and that the chaining of the rules (DEFAULT to Ping rule) is correct as that mirrors your original post. The Dynamic rule that is created when a WAN comes back on does not appear to have any negative effects.

“vrf-interface=ether7” in your dynamic rule is suspicious. Check your config for unexpected commands…

I think I know the problem:
Mangle.

My ether7 and ether6 inputs are mangled to WAN1conn and WAN2conn.
So when my traffic on WAN1 swaps to WAN2, the incoming traffic gets conn marked as WAN2conn while its outgoing traffic remains with a WAN1conn mark. Do you agree, is this the problem?

Hi chupaka, and thank you for all your info. As I understand it, all I need is to set the 2 blackhole route lines. Is that OK, do you think?

 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 A S  0.0.0.0/0                          1.0.0.2                   1
 1 A S  0.0.0.0/0                          1.1.1.2                   1
 2 A S  0.0.0.0/0                          1.1.1.2                   1
 3   S  0.0.0.0/0                          1.0.0.2                   1
 4 A S  1.0.0.2/32                         192.168.2.1               1
 5   SB 1.0.0.2/32                                                  20
 6 A S  1.1.1.2/32                         192.168.0.1               1
 7   SB 1.1.1.2/32                                                  20
 8 ADC  10.10.10.0/24      10.10.10.1      Bridge_Xoleritsa          0
 9 ADC  10.10.20.0/24      10.10.20.1      Bridge_Guest              0
10 ADC  10.157.138.0/24    10.157.138.1    Bridge                    0
11 ADC  192.168.0.0/24     192.168.0.2     WAN1                      0
12 ADC  192.168.1.0/24     192.168.1.1     Bridge                    0
13 ADC  192.168.2.0/24     192.168.2.3     WAN2                      0



0 A S  dst-address=0.0.0.0/0 gateway=1.0.0.2 gateway-status=1.0.0.2 recursive via 192.168.2.1 WAN>
        check-gateway=ping distance=1 scope=30 target-scope=10 routing-mark=to_WAN2 

 1 A S  dst-address=0.0.0.0/0 gateway=1.1.1.2 gateway-status=1.1.1.2 recursive via 192.168.0.1 WAN>
        check-gateway=ping distance=1 scope=30 target-scope=10 routing-mark=to_WAN1 

 2 A S  dst-address=0.0.0.0/0 gateway=1.1.1.2 gateway-status=1.1.1.2 recursive via 192.168.0.1 WAN>
        check-gateway=ping distance=1 scope=30 target-scope=10 

 3   S  dst-address=0.0.0.0/0 gateway=1.0.0.2 gateway-status=1.0.0.2 recursive via 192.168.2.1 WAN>
        check-gateway=ping distance=1 scope=30 target-scope=10 

 4 A S  dst-address=1.0.0.2/32 gateway=192.168.2.1 gateway-status=192.168.2.1 reachable via  WAN2 
        check-gateway=ping distance=1 scope=10 target-scope=10 

 5   SB dst-address=1.0.0.2/32 type=blackhole distance=20 

 6 A S  dst-address=1.1.1.2/32 gateway=192.168.0.1 gateway-status=192.168.0.1 reachable via  WAN1 
        check-gateway=ping distance=1 scope=10 target-scope=10


And something else… is it better for performance to set a lower blackhole distance? Let’s say 5…

I don’t see your exact rules. The rules from the manual mark only externally initiated connections on the WAN interfaces, so they should not affect your connections from the LAN. You may add a logging rule to the “forward” chain to see where some packets go (the “out” interface in the log) when WAN1 is unavailable.
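
The following is an added configuration example (not from this thread and not the wiki page’s own rules) that puts the pieces discussed above together: the manual-style connection marks for externally initiated connections, per-host routing marks driven by an address list, the per-mark primary and backup recursive default routes, and the forward-chain log rule just suggested. RouterOS v6 syntax. It assumes the addressing posted earlier (LAN 192.168.50.0/24 on bridge1, WAN1 modem 192.168.10.1 on ether7, WAN2 modem 192.168.15.1 on ether6) and that the probe host routes and blackholes for 8.8.8.8 and 8.8.4.4 already exist as shown in the printed route tables. The address-list name to_WAN2list is the poster’s; the two member addresses are constructed for illustration.

```routeros
# Added example, not from the original thread. RouterOS v6 syntax.
# Assumes: LAN 192.168.50.0/24 on bridge1, WAN1 = ether7 (modem 192.168.10.1),
# WAN2 = ether6 (modem 192.168.15.1), and the /32 probe routes plus blackholes
# for 8.8.8.8 and 8.8.4.4 are already present (see the route tables above).

/ip firewall address-list
# Constructed sample members; the list name is the one used in the thread.
add list=to_WAN2list address=192.168.50.20 comment="example host pinned to WAN2"
add list=to_WAN2list address=192.168.50.21 comment="example host pinned to WAN2"

/ip firewall mangle
# 1. Manual-style rules: replies to connections that ARRIVED on a WAN leave by
#    the same WAN. They match only externally initiated connections, so they
#    do not decide where LAN clients go.
add chain=input in-interface=ether7 connection-mark=no-mark \
    action=mark-connection new-connection-mark=WAN1conn passthrough=yes
add chain=input in-interface=ether6 connection-mark=no-mark \
    action=mark-connection new-connection-mark=WAN2conn passthrough=yes
add chain=output connection-mark=WAN1conn \
    action=mark-routing new-routing-mark=to_WAN1 passthrough=no
add chain=output connection-mark=WAN2conn \
    action=mark-routing new-routing-mark=to_WAN2 passthrough=no

# 2. LAN policy: listed hosts get to_WAN2, everyone else on the LAN gets
#    to_WAN1. dst-address-type=!local keeps traffic for the router itself
#    (DNS, Winbox) in the main table. Order matters: the list rule goes first.
add chain=prerouting in-interface=bridge1 src-address-list=to_WAN2list \
    dst-address-type=!local action=mark-routing new-routing-mark=to_WAN2 \
    passthrough=no comment="hosts pinned to WAN2"
add chain=prerouting in-interface=bridge1 src-address=192.168.50.0/24 \
    dst-address-type=!local action=mark-routing new-routing-mark=to_WAN1 \
    passthrough=no comment="everyone else to WAN1"

# 3. Diagnostic only: log each new forwarded LAN connection with its
#    out-interface, so you can see where packets really leave during a
#    failover. Disable it afterwards; it logs every new connection.
add chain=forward in-interface=bridge1 connection-state=new \
    action=log log-prefix="fwd-out"

/ip route
# Each mark gets a primary and a backup default route. The gateway is the
# WAN's probe address, resolved recursively through the /32 host route, so
# the route is active only while that WAN really reaches the probe.
add routing-mark=to_WAN1 dst-address=0.0.0.0/0 gateway=8.8.8.8 distance=1 \
    scope=30 target-scope=10 check-gateway=ping comment="to_WAN1 primary"
add routing-mark=to_WAN1 dst-address=0.0.0.0/0 gateway=8.8.4.4 distance=2 \
    scope=30 target-scope=10 check-gateway=ping comment="to_WAN1 backup"
add routing-mark=to_WAN2 dst-address=0.0.0.0/0 gateway=8.8.4.4 distance=1 \
    scope=30 target-scope=10 check-gateway=ping comment="to_WAN2 primary"
add routing-mark=to_WAN2 dst-address=0.0.0.0/0 gateway=8.8.8.8 distance=2 \
    scope=30 target-scope=10 check-gateway=ping comment="to_WAN2 backup"

/ip firewall nat
# Masquerade is chosen per out-interface, so it follows whichever route wins.
add chain=srcnat out-interface=ether7 action=masquerade
add chain=srcnat out-interface=ether6 action=masquerade
```

When testing, unplug the WAN1 modem, open a new connection from a to_WAN1 host and read `/log print` for the `fwd-out` lines: `out:ether6` confirms the backup route is being used for that packet, while `out:ether7` or no line at all narrows the problem to the mark or the route rather than to NAT. Connections that were already established through ether7 keep their existing connection-tracking and masquerade state until they time out, so they are not a valid failover test.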

No difference