Hi, can somebody please help me indicating the necessary steps, thanks
I’ve an LTE connected to the main Mikrotik; it gets the IP from the provider and a distance-2 default route, so if the main link goes down the Mikrotik knows where to send packets. But what if the link is still up and just the internet stopped working?
Check gateway > ping, will it be enough? What will it ping? Can I specify an address? Seems not..
And should I also indicate a pref source? To avoid it using the LTE to ping.. then it can’t discover the status of the main WAN.
After how much time will the main gateway be used again, once the ping works again? Is it possible to configure a time?
Any other things should I consider?
Now the main question:
On the WiFi I’ve created an SSID for guests; I don’t want it to work when only the LTE accesses the internet. How can I do it?
Should I run a script, depending on the result of the ping from the main WAN, to enable the LTE and disable for example the guest bridge? And when the ping comes back, do the opposite?
Thank you!
Not sure what you mean…
The bad situation is where the connection to the ISP is up but the ISP is not connected to the WWW. In this case the router has no idea.
If the connection to the ISP is down, the router will see that and make the route inactive and your backup will be utilized.
It sounds like you want recursive routing which uses a DNS address on the www to confirm connectivity goes beyond the ISP.
Search in the forums.
Is the guest network a VLAN?
If VLAN, one way is using a routing table with only the main WAN and a lookup-only-in rule (/routing/rule) based on the guest VLAN subnet to select a main-only route table (/routing/table).
If not, you can create a /ip/firewall filter drop rule based on the wifi-guest interface going to lte1 on postrouting.
In terms of failover, it’s kind of an escalating scale of complexity to improve detection of a “failure”. So, starting with easy:
#1 Only distance=1 on WAN1 & distance=2 on LTE - WAN1 will only fail over if the cable is unplugged/disconnected (or disabled in config)
#2 #1 plus adding check-gateway=ping on the WAN1 0.0.0.0/0 route in /ip/route - this pings your ISP’s first router (nexthop), and fails over in under a minute, but does not check “internet is working”, just that your router can ping your ISP’s router. If your WAN1 is using /ip/dhcp-client to get its address, a script on the dhcp-client is needed to set check-gateway=ping
#3 More complex, but “recursive routing” can be used for failover. This allows you to check ANY particular host on the internet to see if the internet is up. The Mikrotik example pings Google DNS to check if it’s up, and assumes WAN1 has internet if it does. This approach also requires setting up routing tables and connection marking. See https://help.mikrotik.com/docs/pages/viewpage.action?pageId=26476608
#4 More customizable but even more complex: Netwatch rules can be used, but they require the same routing tables and firewall marking as #3 since netwatch. So it can fail over on stuff like “jitter”, but it’s a lot of custom scripts/config to use it.
I’d recommend #2. check-gateway=ping on WAN1 should catch if the ISP modem/ONT cannot get to the ISP headend, e.g. “the last mile”. Now if your ISP upstream is also flaky or there are multiple hops between you and the ISP’s upstream, well, #3 may help. #4 is not a cookie-cutter approach, so the routing tables/rules needed for #3 are kind of a prerequisite for using netwatch.
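As an added worked example (my own config sketch, not from the thread or from MikroTik docs), this is what option #2 looks like in RouterOS v7 syntax, including the dhcp-client variant. The gateway address 203.0.113.1 and interface names ether1/lte1 are placeholders; instead of patching the dynamic route the DHCP client creates, the script keeps a static default route in sync, which is an assumption on my part about the cleanest way to get check-gateway on a DHCP WAN.

```routeros
# Added example, not from the thread. Placeholders: WAN1 gateway 203.0.113.1, WAN1 interface ether1, LTE interface lte1.

# Static WAN1: check-gateway=ping makes the distance-1 route inactive when the
# ISP's nexthop stops answering ICMP, so the distance-2 LTE route takes over.
/ip/route
add dst-address=0.0.0.0/0 gateway=203.0.113.1 distance=1 check-gateway=ping comment="WAN1 (static)"
add dst-address=0.0.0.0/0 gateway=lte1 distance=2 comment="LTE fallback"

# DHCP WAN1 instead: let the client NOT add its own default route and have its
# script maintain a static one with check-gateway=ping whenever a lease is bound.
/ip/dhcp-client
add interface=ether1 add-default-route=no use-peer-dns=no script={
  /ip/route remove [find comment="WAN1 (dhcp)"]
  :if ($bound = 1) do={
    /ip/route add dst-address=0.0.0.0/0 gateway=$"gateway-address" distance=1 check-gateway=ping comment="WAN1 (dhcp)"
  }
}
```

check-gateway only proves the ISP's first router answers pings; for the "link up, internet down" case the OP asked about, the probe has to be sent further out (the #3/#4 approaches).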
Thank you guys! Really useful infos!
The WAN1 is simply a static IP, thank god (!), and I’m using the ping rule, it’s effective.. it switches and switches back in about 10/20 seconds. The only trouble I faced is that the main cash terminal would no longer resolve names by DNS with the LTE (while phones connected to wifi did, and I speedtested the LTE too); it was pinging 8.8.8.8 but couldn’t do an nslookup. A switch back to WAN1 solved the problem, going back to LTE the problem appeared again, but after some minutes all was ok. Probably it was needed to flush the DNS cache on that Win10, but why it occurs sounds strange.
About filtering out the guest network, I also suppose netwatch can be a very easy solution, if I can understand how I could ping with a specific source IP (WAN1 and not LTE); is that possible?
Then I just have to turn off the public bridge. I’m not using VLAN for it; I’m using a provider which remotely authorizes a new client and tells the router to allow it to the internet, it’s a script.
You should be able to add a /ip/firewall/filter rule to action=drop chain=postrouting dst-interface=lte1 with the src-interface= to wifiXX or wlanXX interface.
If you read the linked to method by Filo, he is using 8.8.8.8 as ping destination for netwatch to monitor and he uses a “mark connection” in mangle to mark any request to 8.8.8.8 to go through the secondary routing table “DSL” that contains only a route that goes through the DSL gateway.
The netwatch script then enables the LTE route in the “main” table (that has two routes, one through DSL with higher distance and one through LTE, with a lower distance but normally disabled), while still attempting to ping the 8.8.8.8 through the route in the “DSL” table, the actual DSL route in “main” table is never touched, as it becomes active or inactive because of the lower distance of the LTE route.
I presume that you can have the same effect adding a “narrow” route for just 8.8.8.8 (/32) in the “main” routing table, like it is done for the “recursive” method, however.
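As an added example (my own sketch, not jaclaz's or Filo's config, and not tested on the OP's router), here is the "narrow route" variant from the previous sentence put together with netwatch to switch the guest bridge, which is what the OP asked for. Assumed placeholders: WAN1 gateway 203.0.113.1, guest bridge named bridge-guest. The blackhole route is my addition: without it, when the WAN1 /32 route goes inactive the probe would fall through to the LTE default route and netwatch would report "up" while everyone is on the LTE.

```routeros
# Added example, not from the thread. Placeholders: WAN1 gateway 203.0.113.1, guest bridge "bridge-guest".

# Pin the probe host to WAN1 in the main table. check-gateway=ping only deactivates
# this route when the ISP nexthop itself is unreachable; if the link is up but the
# ISP has no internet, the route stays active and the probe to 8.8.8.8 fails, which
# is exactly the condition the OP wants to detect.
/ip/route
add dst-address=8.8.8.8/32 gateway=203.0.113.1 distance=1 check-gateway=ping comment="probe via WAN1 only"
# Never let the probe leak onto the LTE: a distance-2 blackhole beats the LTE default.
add dst-address=8.8.8.8/32 blackhole distance=2 comment="probe must not use LTE"

# Netwatch answers "how much time": interval is the probe period, timeout the per-probe wait.
/tool/netwatch
add host=8.8.8.8 interval=10s timeout=2s comment="WAN1 internet probe" up-script={ /interface/bridge set bridge-guest disabled=no; /log info "WAN1 internet back, guest bridge enabled" } down-script={ /interface/bridge set bridge-guest disabled=yes; /log warning "WAN1 internet lost, guest bridge disabled" }
```

One caveat: because 8.8.8.8 is blackholed whenever WAN1 is down, non-guest clients should not depend on 8.8.8.8 as their DNS server; use a different public address for the probe than for DNS, or hand out another resolver.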
Thanks, actually I’m using CAPs to allow guest access by a second SSID which stays in the public bridge; the router serves DHCP on that network but the gateway is connected to several scripts for authentication.. so I can’t simply filter by src interface. I may filter the guests subnet..
Please tell me if I’m not right: chain=postrouting is for Mangle and I don’t see it on filter rules, and as for drop I can’t find it under mangle. Should I mangle and mark packets, then drop them on filter rules?
Thanks
That looks like the Mikrotik Hotspot rules. So assuming non-guests using a normal SSID, you might be able to use the hotspot= match in a filter rule. I can not test it but something like:
# chain=output only sees packets the router itself generates; guest traffic is forwarded, so it has to be chain=forward
/ip/firewall/filter/add hotspot=auth chain=forward out-interface=lte1 action=drop
/ip/firewall/filter/add hotspot=from-client chain=forward out-interface=lte1 action=drop
Unfortunately I can’t find a way to use hotspot in the filter rule, anywhere else too..
Anyway, I’ve created a postrouting mangle with src address the subnet for guests and out interface LTE1, and I marked packets. Then I’ve created a forward filter rule with that mark and drop action, I think it should work somehow
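As an added example (my own rules, not the poster's config): the mangle-then-filter pair described above only works if the mark is set before the filter forward chain runs, and a subnet match in filter needs no mark at all. The guest subnet 192.168.88.0/24 and interface lte1 are placeholders.

```routeros
# Added example, not from the thread. Placeholders: guest subnet 192.168.88.0/24, LTE interface lte1.

# Packet flow order for forwarded traffic is: mangle prerouting -> routing decision ->
# mangle forward -> filter forward -> mangle postrouting. A mark set in mangle
# POSTROUTING is therefore never visible to filter FORWARD for that same packet.
# If you want the mark, set it in mangle chain=forward (out-interface is known there):
/ip/firewall/mangle
add chain=forward src-address=192.168.88.0/24 out-interface=lte1 action=mark-packet new-packet-mark=guest-to-lte passthrough=yes
/ip/firewall/filter
add chain=forward packet-mark=guest-to-lte action=drop comment="guests never use LTE (marked)"

# Simpler: match the same conditions directly in filter, no mark needed. Put this rule
# ABOVE the usual "accept established,related" rule, otherwise connections that were
# opened over WAN1 before the failover keep flowing over the LTE.
/ip/firewall/filter
add chain=forward src-address=192.168.88.0/24 out-interface=lte1 action=reject reject-with=icmp-network-unreachable comment="guests never use LTE"
```

reject with icmp-network-unreachable instead of drop makes guest devices fail fast rather than hanging on timeouts while the LTE is active.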
Thanks jaclaz a lot for your explanation! Actually as I have a simple WAN config it works well with ping.
It’s still interesting why Mikrotik doesn’t let us ping with a specific source address