I don’t see 0.0.0.0/0 route in your ‘main’ table (the one that is used by the router’s processes like Cloud for initial route lookup) - that can be the reason.
can you guide me specifically what route should i add in order to test it? 0.0.0.0/0 at which gateway?
thanks
0.0.0.0/0 via 8.8.8.8 and 8.8.4.4 (the same you already have but without routing marks) should be good enough
I have a strange problem, I want to distrubute more traffic at WAN2, I have created one more PCC rule
So we have 3 PCC rules, 2/0 ISP1, 2/1 ISP2, 2/2 ISP2, but it seems there is no traffic at my last rule 2/2 ISP2. Also connections seems to be distributed evenly 50-50 and there are not more connection at ISP2.
Is something wrong with the setup?
these are the connections and the routes:
Yep, something is wrong with the setup. Your three rules should be 3/0, 3/1 and 3/2 instead of 2/*.
can you explain me why 3? I though after several readings that the first part of PCC is the number of the WANs, 2 means 2 wan, is that wrong? Please help me to understand better the classifier algorithm.
Do I need more or other mangle rules? Is there any document to read more about PCC loadbalancing?
If i have a setup with 3 wan, the pcc will be 4/0, 4/1, 4/2, 4/3 ?
thanks!
PCC divides all connections into groups, it has nothing to do with WANs. In your case, you need 3 groups, one of them to be sent to WAN1 and another two - to WAN2 (so that it gets more traffic).
f you have 3 WANs and want traffic equally distributed, you still use 3/0, 3/1 and 3/2.
If you need to send 20% to WAN1, 30% to WAN2 and 50% to WAN3 - you need 10 groups:
10/0, 10/1 → WAN1
10/2, 10/3, 10/4 → WAN2
10/5, 10/6, 10/7, 10/8, 10/9 → WAN3
You are legend! thank you very much for the info!
Hi folks, I am very much interested in this tidbit of script.
:if ($bound=1) do={
:local iface $interface
:local gw [ /ip dhcp-client get [ find interface=$“iface” ] gateway ]
/ip route set [ find comment=“GW1_IP” gateway!=$gw ] gateway=$gw
}
My issue is not the recursive bits, works fine for sometime, however whenever my ISP gives me a new gateway for whatever reason, power on/off etc.
The recursive route gateway is NOT updated automatically and I have to do it manually and would like the dhcp client script to do this.
I have tried two scripts thus far that failed.
THe first one I got from somewhere but quite frankly don’t understand it at all, too elegant for me!
(1) script="":if (\$bound=1) do={ /ip route set [find commen\\r
\nt=\"BellFibre\"] gateway=(\$\"gateway-address\") disabled=no; :lo
g warning\\r
\n\(\"New ISP1 gateway: \".(\$\"gateway-address\")) }"" _
The second one looks more like yours but didn’t work either (tested by changing recursive gateway IPs to wrong ones, going to dhcp client hit release, renew)
(2) :if ($bound=1) do={
:local newgw $“gateway-address”;
:local routegw [/ip route get [find comment=“PrimaryRecursive”] gateway ];
:if ($newgw != $routegw) do={
/ip route set [find comment=“PrimaryRecursive”] gateway=$newgw;
/ip route set [find comment=“SecondaryRecursive”] gateway=$newgw;
/tool e-mail send to=“myaddress@email.ca” subject=([/system identity
get name]) body=" This is your new gateway IP: $newIgw" start-tls=yes;
}
}
Any pointers appreciated, and will use whatever script works LOL, However do need to substitute for both recursive routes)
:if ($bound=1) do={
:local iface $interface
:local gw [ /ip dhcp-client get [ find interface=$“iface” ] gateway ]
/ip route set [ find comment=“GW1_IP” gateway!=$gw ] gateway=$gw
/ip route set [ find comment=“GW2_IP” gateway!=$gw ] gateway=$gw
}
This script works… 
if ($bound=1) do={
:local iface $interface
:local gw [ /ip dhcp-client get [ find interface=$“iface” ] gateway ]
/ip route set [ find comment=“PrimaryRecursive” gateway!=$gw ] gateway=$gw
/ip route set [ find comment=“SecondaryRecursive” gateway!=$gw ] gateway=$gw
}
Hi - thanks for all the info, but I’m still unclear on how to merge static/dhcp for failover.
Background / goal:
- wan1: DHCP, 100mb/s; ISP changes address every few days even w/o link going down
- wan2: static, 1mb/s - failure use only
- masquerade on
- No load balancing needed (or even wanted with such disparate links).
- A bit of hysteresis would be good (eg: 4 pings in a row would fail before failover).
- Usually the links themselves do not fail, but some place further upstream - which is why I’ve been trying the recursive routing methods listed above (and in other threads).
The PPP methods look like they should work for the DHCP link, but do not seem to.
Thanks!
Hi everyone!
Great post… I tried this config on my setup and in most part it’s working but i’m facing the named interface next-hop issue.
My Internet backup is using a onboard LTE interface, anyone knows a workaround to this?
Thanks!
Hi everyone,
I’m sharing my workaround to add LTE to the Failover, is not so fancy but it’s functional.
In my case my primary Internet connection is through a cable modem that it’s bridged to my ethe1 port, and my secondary Internet connection is through and internal LTE interface.
In my cable modem connection I don’t have static IP address so I have to configure dhcp-client script in order to install the rigth routes to make the recursive route feasible…
/
ip dhcp-client
add add-default-route=no disabled=no interface=WAN1 script="{\r\
\n :local count [/ip route print count-only where comment=\"IP 1/2 used to monitor WAN1\"]\r\
\n :if (\$bound=1) do={\r\
\n :if (\$count = 0) do={\r\
\n /ip route add distance=1 dst-address=8.8.8.8/32 gateway=\$\"gateway-address\" scope=10 comment=\"IP 1/2 used to monitor WAN1\"\r\
\n } else={\r\
\n :if (\$count = 1) do={\r\
\n :local test [/ip route find where comment=\"IP 1/2 used to monitor WAN1\"]\r\
\n :if ([/ip route get \$test gateway] != \$\"gateway-address\") do={\r\
\n /ip route set \$test gateway=\$\"gateway-address\"\r\
\n }\r\
\n } else={\r\
\n :error \"Multiple routes found\"\r\
\n }\r\
\n }\r\
\n } else={\r\
\n /ip route remove [find comment=\"IP 1/2 used to monitor WAN1\"]\r\
\n }\r\
\n}\r\
\n{\r\
\n :local count [/ip route print count-only where comment=\"IP 2/2 used to monitor WAN1\"]\r\
\n :if (\$bound=1) do={\r\
\n :if (\$count = 0) do={\r\
\n /ip route add distance=1 dst-address=208.67.220.220/32 gateway=\$\"gateway-address\" scope=10 comment=\"IP 2/2 used to monitor WAN1\"\r\
\n } else={\r\
\n :if (\$count = 1) do={\r\
\n :local test [/ip route find where comment=\"IP 2/2 used to monitor WAN1\"]\r\
\n :if ([/ip route get \$test gateway] != \$\"gateway-address\") do={\r\
\n /ip route set \$test gateway=\$\"gateway-address\"\r\
\n }\r\
\n } else={\r\
\n :error \"Multiple routes found\"\r\
\n }\r\
\n }\r\
\n } else={\r\
\n /ip route remove [find comment=\"IP 2/2 used to monitor WAN1\"]\r\
\n }\r\
\n}" use-peer-dns=no use-peer-ntp=no
The installed routes looks like this:
/ip route
add comment="IP 1/2 used to monitor WAN1" distance=1 dst-address=8.8.8.8/32 gateway=X.X.X.X scope=10
add comment="IP 2/2 used to monitor WAN1" distance=1 dst-address=208.67.220.220/32 gateway=X.X.X.X scope=10
Then, I add the routes pointing to the virtual IP address and the new default through the virtual IP:
/ip route
add dst-address=10.100.100.1 gateway=8.8.8.8 scope=10 check-gateway=ping
add dst-address=10.100.100.1 gateway=208.67.220.220 scope=10 check-gateway=ping
/ip route
add distance=1 gateway=10.100.100.1
Finally, when my default is not reachable because 8.8.8.8 and 208.67.220.220 are unreachable my default change from 10.100.100.1 with metric 1 to the lte1 inteface default with metric 2:
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 A S 0.0.0.0/0 10.100.100.1 1
1 DS 0.0.0.0/0 lte1 2
So far is working just fine, any thought on this setup?
Adding here my working config for dual and triple DHCP WAN. Inspired by this thread.
https://gist.github.com/marfillaster/63c547d512b81f8207fc1c8a8e5986fe
Dual
/interface bridge add name=bridge
/interface bridge port
add bridge=bridge interface=ether3
add bridge=bridge interface=ether2
add bridge=bridge interface=ether1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface list member
add interface=bridge list=LAN
add interface=ether5 list=WAN
add interface=ether4 list=WAN
/interface detect-internet set internet-interface-list=WAN lan-interface-list=LAN wan-interface-list=WAN
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge type=internal
add interface=ether5 type=external
add interface=ether4 type=external
/ip settings set allow-fast-path=no
/ip address add address=192.168.88.1/24 interface=bridge network=192.168.88.0
/ip firewall address-list add address=192.168.88.0/24 list=local
/ip firewall nat
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface-list=WAN
/ip firewall mangle
add action=accept chain=prerouting comment="bridge access" dst-address-list=local in-interface=bridge
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=ether4 new-connection-mark=CONN2 passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=ether5 new-connection-mark=CONN1 passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface=bridge new-connection-mark=CONN1 passthrough=yes per-connection-classifier=both-addresses-and-ports:2/0
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface=bridge new-connection-mark=CONN2 passthrough=yes per-connection-classifier=both-addresses-and-ports:2/1
add action=mark-routing chain=prerouting connection-mark=CONN1 in-interface=bridge new-routing-mark=ISP1 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=CONN2 in-interface=bridge new-routing-mark=ISP2 passthrough=yes
add action=mark-routing chain=output connection-mark=CONN1 new-routing-mark=ISP1 passthrough=yes
add action=mark-routing chain=output connection-mark=CONN2 new-routing-mark=ISP2 passthrough=yes
/routing filter
add chain=dynamic-in distance=33 set-distance=2 set-route-comment=ISP2 set-scope=10
add chain=dynamic-in distance=34 set-distance=3 set-route-comment=ISP1 set-scope=10
/ip dhcp-client
add default-route-distance=33 disabled=no interface=ether4 script="{\
\n :if (\$bound=1) do={\
\n /ip route set [/ip route find where comment=\"ISP2_VALIDATE\"] gateway=\$\"gateway-address\"\
\n } \
\n /ip firewall connection remove [find connection-mark=\"CONN1\"]\
\n /ip firewall connection remove [find connection-mark=\"CONN2\"]\
\n}" use-peer-dns=no use-peer-ntp=no
add default-route-distance=32 disabled=no interface=ether5 script="{\
\n :if (\$bound=1) do={\
\n /ip route set [/ip route find where comment=\"ISP1_VALIDATE\"] gateway=\$\"gateway-address\"\
\n } \
\n /ip firewall connection remove [find connection-mark=\"CONN1\"]\
\n /ip firewall connection remove [find connection-mark=\"CONN2\"]\
\n}" use-peer-dns=no use-peer-ntp=no
/ip route
add comment=ISP1_VALIDATE distance=1 dst-address=185.228.168.9/32 gateway=127.0.0.1 scope=10
add comment=ISP1_VALIDATE distance=1 dst-address=208.67.220.220/32 gateway=127.0.0.1 scope=10
add comment=ISP1_VALIDATE distance=1 dst-address=208.67.222.222/32 gateway=127.0.0.1 scope=10
add comment=ISP2_VALIDATE distance=1 dst-address=94.140.14.14/32 gateway=127.0.0.1 scope=10
add comment=ISP2_VALIDATE distance=1 dst-address=94.140.15.15/32 gateway=127.0.0.1 scope=10
add comment=ISP2_VALIDATE distance=1 dst-address=8.20.247.20/32 gateway=127.0.0.1 scope=10
add check-gateway=ping distance=1 dst-address=10.1.1.1/32 gateway=185.228.168.9 scope=10
add check-gateway=ping distance=1 dst-address=10.1.1.1/32 gateway=208.67.220.220 scope=10
add check-gateway=ping distance=1 dst-address=10.1.1.1/32 gateway=208.67.222.222 scope=10
add check-gateway=ping distance=1 dst-address=10.2.2.1/32 gateway=94.140.14.14 scope=10
add check-gateway=ping distance=1 dst-address=10.2.2.1/32 gateway=94.140.15.15 scope=10
add check-gateway=ping distance=1 dst-address=10.2.2.1/32 gateway=8.20.247.20 scope=10
add distance=1 gateway=10.1.1.1 routing-mark=ISP1
add distance=2 gateway=10.2.2.1 routing-mark=ISP1
add distance=1 gateway=10.2.2.1 routing-mark=ISP2
add distance=2 gateway=10.1.1.1 routing-mark=ISP2
add distance=20 dst-address=185.228.168.9/32 type=blackhole
add distance=20 dst-address=208.67.220.220/32 type=blackhole
add distance=20 dst-address=208.67.222.222/32 type=blackhole
add distance=20 dst-address=94.140.14.14/32 type=blackhole
add distance=20 dst-address=94.140.15.15/32 type=blackhole
add distance=20 dst-address=8.20.247.20/32 type=blackhole
Triple
/interface bridge add name=bridge
/interface bridge port
add bridge=bridge interface=ether2
add bridge=bridge interface=ether1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface list member
add interface=bridge list=LAN
add interface=ether5 list=WAN
add interface=ether4 list=WAN
add interface=ether3 list=WAN
/interface detect-internet set internet-interface-list=WAN lan-interface-list=LAN wan-interface-list=WAN
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge type=internal
add interface=ether5 type=external
add interface=ether4 type=external
add interface=ether3 type=external
/ip settings set allow-fast-path=no
/ip address add address=192.168.88.1/24 interface=bridge network=192.168.88.0
/ip firewall address-list add address=192.168.88.0/24 list=local
/ip firewall nat
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface-list=WAN
/ip firewall mangle
add action=accept chain=prerouting comment="bridge access" dst-address-list=local in-interface=bridge
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=ether3 new-connection-mark=CONN3 passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=ether4 new-connection-mark=CONN2 passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=ether5 new-connection-mark=CONN1 passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface=bridge new-connection-mark=CONN1 passthrough=yes per-connection-classifier=both-addresses-and-ports:3/0
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface=bridge new-connection-mark=CONN2 passthrough=yes per-connection-classifier=both-addresses-and-ports:3/1
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface=bridge new-connection-mark=CONN3 passthrough=yes per-connection-classifier=both-addresses-and-ports:3/2
add action=mark-routing chain=prerouting connection-mark=CONN1 in-interface=bridge new-routing-mark=ISP1 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=CONN2 in-interface=bridge new-routing-mark=ISP2 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=CONN3 in-interface=bridge new-routing-mark=ISP3 passthrough=yes
add action=mark-routing chain=output connection-mark=CONN1 new-routing-mark=ISP1 passthrough=yes
add action=mark-routing chain=output connection-mark=CONN2 new-routing-mark=ISP2 passthrough=yes
add action=mark-routing chain=output connection-mark=CONN3 new-routing-mark=ISP3 passthrough=yes
/routing filter
add chain=dynamic-in distance=32 set-distance=1 set-route-comment=ISP3 set-scope=10
add chain=dynamic-in distance=33 set-distance=2 set-route-comment=ISP2 set-scope=10
add chain=dynamic-in distance=34 set-distance=3 set-route-comment=ISP1 set-scope=10
/ip dhcp-client
add default-route-distance=34 disabled=no interface=ether3 script="{\
\n :if (\$bound=1) do={\
\n /ip route set [/ip route find where comment=\"ISP3_VALIDATE\"] gateway=\$\"gateway-address\"\
\n } \
\n /ip firewall connection remove [find connection-mark=\"CONN1\"]\
\n /ip firewall connection remove [find connection-mark=\"CONN2\"]\
\n /ip firewall connection remove [find connection-mark=\"CONN3\"]\
\n}" use-peer-dns=no use-peer-ntp=no
add default-route-distance=33 disabled=no interface=ether4 script="{\
\n :if (\$bound=1) do={\
\n /ip route set [/ip route find where comment=\"ISP2_VALIDATE\"] gateway=\$\"gateway-address\"\
\n } \
\n /ip firewall connection remove [find connection-mark=\"CONN1\"]\
\n /ip firewall connection remove [find connection-mark=\"CONN2\"]\
\n /ip firewall connection remove [find connection-mark=\"CONN3\"]\
\n}" use-peer-dns=no use-peer-ntp=no
add default-route-distance=32 disabled=no interface=ether5 script="{\
\n :if (\$bound=1) do={\
\n /ip route set [/ip route find where comment=\"ISP1_VALIDATE\"] gateway=\$\"gateway-address\"\
\n } \
\n /ip firewall connection remove [find connection-mark=\"CONN1\"]\
\n /ip firewall connection remove [find connection-mark=\"CONN2\"]\
\n /ip firewall connection remove [find connection-mark=\"CONN3\"]\
\n}" use-peer-dns=no use-peer-ntp=no
/ip route
add comment=ISP1_VALIDATE distance=1 dst-address=185.228.168.9/32 gateway=127.0.0.1 scope=10
add comment=ISP1_VALIDATE distance=1 dst-address=208.67.220.220/32 gateway=127.0.0.1 scope=10
add comment=ISP1_VALIDATE distance=1 dst-address=208.67.222.222/32 gateway=127.0.0.1 scope=10
add comment=ISP2_VALIDATE distance=1 dst-address=94.140.14.14/32 gateway=127.0.0.1 scope=10
add comment=ISP2_VALIDATE distance=1 dst-address=94.140.15.15/32 gateway=127.0.0.1 scope=10
add comment=ISP2_VALIDATE distance=1 dst-address=8.20.247.20/32 gateway=127.0.0.1 scope=10
add comment=ISP3_VALIDATE distance=1 dst-address=9.9.9.9/32 gateway=127.0.0.1 scope=10
add comment=ISP3_VALIDATE distance=1 dst-address=9.9.9.10/32 gateway=127.0.0.1 scope=10
add comment=ISP3_VALIDATE distance=1 dst-address=8.26.56.26/32 gateway=127.0.0.1 scope=10
add check-gateway=ping distance=1 dst-address=10.1.1.1/32 gateway=185.228.168.9 scope=10
add check-gateway=ping distance=1 dst-address=10.1.1.1/32 gateway=208.67.220.220 scope=10
add check-gateway=ping distance=1 dst-address=10.1.1.1/32 gateway=208.67.222.222 scope=10
add check-gateway=ping distance=1 dst-address=10.2.2.1/32 gateway=94.140.14.14 scope=10
add check-gateway=ping distance=1 dst-address=10.2.2.1/32 gateway=94.140.15.15 scope=10
add check-gateway=ping distance=1 dst-address=10.2.2.1/32 gateway=8.20.247.20 scope=10
add check-gateway=ping distance=1 dst-address=10.3.3.1/32 gateway=9.9.9.9 scope=10
add check-gateway=ping distance=1 dst-address=10.3.3.1/32 gateway=9.9.9.10 scope=10
add check-gateway=ping distance=1 dst-address=10.3.3.1/32 gateway=8.26.56.26 scope=10
add distance=1 gateway=10.1.1.1 routing-mark=ISP1
add distance=2 gateway=10.2.2.1 routing-mark=ISP1
add distance=3 gateway=10.3.3.1 routing-mark=ISP1
add distance=1 gateway=10.2.2.1 routing-mark=ISP2
add distance=2 gateway=10.1.1.1 routing-mark=ISP2
add distance=3 gateway=10.3.3.1 routing-mark=ISP2
add distance=1 gateway=10.3.3.1 routing-mark=ISP3
add distance=2 gateway=10.2.2.1 routing-mark=ISP3
add distance=3 gateway=10.1.1.1 routing-mark=ISP3
add distance=20 dst-address=185.228.168.9/32 type=blackhole
add distance=20 dst-address=208.67.220.220/32 type=blackhole
add distance=20 dst-address=208.67.222.222/32 type=blackhole
add distance=20 dst-address=94.140.14.14/32 type=blackhole
add distance=20 dst-address=94.140.15.15/32 type=blackhole
add distance=20 dst-address=8.20.247.20/32 type=blackhole
add distance=20 dst-address=9.9.9.9/32 type=blackhole
add distance=20 dst-address=9.9.9.10/32 type=blackhole
add distance=20 dst-address=8.26.56.26/32 type=blackhole
Any one here has workaround for route-cache=no? It’s causing high CPU usage which cuts throughput significantly. Setting route-cache=yes breaks routing.
Edit: as it turns out it’s allow-fast-path that conflicts.
I can’t get this to work. I have set up a lab environment with 10.[1/2].0.1/30 as two different ISPs, and using Google DNS to determine Internet connectivity. I used this guide, which seems to be the same as OP plus the mangling. Alas, I don’t have any Internet connectivity at all. Trying to ping something on the Internet from the router returns “no route to host”.
/interface list
add name=wan
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=pool1 ranges=172.30.0.10
/ip dhcp-server
add address-pool=pool1 disabled=no interface=ether3 name=server1
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface list member
add interface=ether1 list=wan
add interface=ether2 list=wan
/ip address
add address=10.1.0.2/30 interface=ether1 network=10.1.0.0
add address=10.2.0.2/30 interface=ether2 network=10.2.0.0
add address=172.30.0.1/24 interface=ether3 network=172.30.0.0
/ip dhcp-server network
add address=172.30.0.0/24 gateway=172.30.0.1
/ip dns
set allow-remote-requests=yes servers=9.9.9.9
/ip firewall filter
add action=log chain=output routing-mark=to_ISP1
add action=log chain=output routing-mark=to_ISP2
/ip firewall mangle
add action=mark-connection chain=output connection-mark=no-mark connection-state=new new-connection-mark=ISP1_conn out-interface=ether1 passthrough=yes
add action=mark-routing chain=output connection-mark=ISP1_conn new-routing-mark=to_ISP1 out-interface=ether1 passthrough=yes
add action=mark-connection chain=output connection-mark=no-mark connection-state=new new-connection-mark=ISP2_conn out-interface=ether2 passthrough=yes
add action=mark-routing chain=output connection-mark=ISP2_conn new-routing-mark=to_ISP2 out-interface=ether2 passthrough=yes
/ip firewall nat
add action=src-nat chain=srcnat out-interface=ether1 to-addresses=10.1.0.2
add action=src-nat chain=srcnat out-interface=ether2 to-addresses=10.2.0.2
/ip route
add check-gateway=ping distance=1 gateway=8.8.8.8 routing-mark=to_ISP1
add check-gateway=ping distance=2 gateway=8.8.4.4 routing-mark=to_ISP1
add check-gateway=ping distance=1 gateway=8.8.4.4 routing-mark=to_ISP2
add check-gateway=ping distance=2 gateway=8.8.8.8 routing-mark=to_ISP2
add distance=1 dst-address=8.8.4.4/32 gateway=10.2.0.1 scope=10
add distance=1 dst-address=8.8.8.8/32 gateway=10.1.0.1 scope=10
/system clock
set time-zone-name=Europe/Stockholm
/ip route print details
# jun/23/2021 10:47:16 by RouterOS 6.46.8
# software id = FWIF-LI4F
#
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
0 A S dst-address=0.0.0.0/0 gateway=8.8.8.8
gateway-status=8.8.8.8 recursive via 10.1.0.1 ether1
check-gateway=ping distance=1 scope=30 target-scope=10
routing-mark=to_ISP1
1 S dst-address=0.0.0.0/0 gateway=8.8.4.4
gateway-status=8.8.4.4 recursive via 10.2.0.1 ether2
check-gateway=ping distance=2 scope=30 target-scope=10
routing-mark=to_ISP1
2 A S dst-address=0.0.0.0/0 gateway=8.8.4.4
gateway-status=8.8.4.4 recursive via 10.2.0.1 ether2
check-gateway=ping distance=1 scope=30 target-scope=10
routing-mark=to_ISP2
3 S dst-address=0.0.0.0/0 gateway=8.8.8.8
gateway-status=8.8.8.8 recursive via 10.1.0.1 ether1
check-gateway=ping distance=2 scope=30 target-scope=10
routing-mark=to_ISP2
4 A S dst-address=8.8.4.4/32 gateway=10.2.0.1
gateway-status=10.2.0.1 reachable via ether2 distance=1 scope=10
target-scope=10
5 A S dst-address=8.8.8.8/32 gateway=10.1.0.1
gateway-status=10.1.0.1 reachable via ether1 distance=1 scope=10
target-scope=10
6 ADC dst-address=10.1.0.0/30 pref-src=10.1.0.2 gateway=ether1
gateway-status=ether1 reachable distance=0 scope=10
7 ADC dst-address=10.2.0.0/30 pref-src=10.2.0.2 gateway=ether2
gateway-status=ether2 reachable distance=0 scope=10
8 ADC dst-address=172.30.0.0/24 pref-src=172.30.0.1 gateway=bridge
gateway-status=bridge reachable distance=0 scope=10
Just for the record, I have tried adding a default route statically pointing to 10.1.0.1, and everything works then.
Ah, sorry, missed this part.
Yes, you always need to have a default route in your ‘main’ table, because policy routing for router-originated traffic works like this:
- router tries to connect to google.com
- it looks up routing table ‘main’ looking for a route to google.com; if it can’t find any - the connection fails
- Firewall Mangle Output adjusts routing-mark for those outgoing packets
- routing process looks up corresponding routing table to find “final” route (this step is called “Routing Adjustment” in Packet Flow diagram)
Probably, that also can be solved by adding two routing rules to lookup packets from ‘main’ in your to_ISP1 and to_ISP2 tables, but that’s less obvious. And needs checking
Hi,
I said “everything” works, but what I meant was “something” works. The actual failover still doesn’t.
How are the “main” default routes supposed to look? I tried adding one for each WAN interface, with distances 3 and 4, respectively, but it doesn’t help with the failover, and the router can only escape via primary ISP.
Can you verify that the route marking is done correctly? I’ve seen people do that in a few different ways, so I’m not sure about that.
I must be doing something fundamentally wrong, but I have no idea what.
Thanks for your help!
We are talking about router’s traffic failover, right? Not clients’ traffic?
How do you check that? What does “/ip route print details” show when you expect something to go another direction compared to what you observe?