Configure dual WAN with dynamic IPs

rkrisi · August 29, 2020, 7:14pm

Dear Community!

I want to configure my router to use 2 WAN connection and the second should be used only when the first and main WAN is not reachable.

However I’m stuck with the current config:
[] Both WAN uses dynamic IPs, so I can’t set default routes manually as most guide says
[] I need dhcp client on both interfaces.

Right now, both interface have the default route checked in dhcp client, but I want to configure the routes with custom distances (2nd WAN should have bigger distance).

Can someone help me how can I configure this?

My current config:

# aug/29/2020 21:14:22 by RouterOS 6.47.2
# software id = CK9Q-MRSJ
#
# model = RB4011iGS+5HacQ2HnD
# serial number = D1460B1C119B
/caps-man channel
add band=2ghz-g/n control-channel-width=20mhz name=channel_2ghz
add band=5ghz-a/n/ac name=channel_5ghz
/caps-man datapath
add local-forwarding=yes name=datapath1
/interface bridge
add comment="VLAN filtered Bridge" name=bridge_vlan protocol-mode=none \
    vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment="Main WAN"
set [ find default-name=ether2 ] comment=Pi-hole
set [ find default-name=ether3 ] comment=NAS
set [ find default-name=ether4 ] comment="TP-Link Switch"
set [ find default-name=ether5 ] comment=openHABian
set [ find default-name=ether9 ] comment="Fallback WAN"
set [ find default-name=ether10 ] comment="Management VLAN interface" poe-out=\
    off
/interface ovpn-server
add name=ovpn_agard user=agard
add name=ovpn_bandi user=bandi
add name=ovpn_kristof user=kristof
/interface vlan
add interface=bridge_vlan name=vlan_guest vlan-id=20
add interface=bridge_vlan name=vlan_iot vlan-id=30
add interface=bridge_vlan name=vlan_management vlan-id=99
add interface=bridge_vlan name=vlan_private vlan-id=10
/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm name=security_iot
/caps-man configuration
add channel=channel_2ghz country=hungary datapath=datapath1 hide-ssid=yes \
    installation=any mode=ap name=config_iot_2ghz security=security_iot ssid=\
    atlas-IoT
add channel=channel_5ghz country=hungary datapath=datapath1 hide-ssid=yes \
    installation=any mode=ap name=config_iot_5ghz security=security_iot ssid=\
    atlas-IoT
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add comment="ISP only" name=WAN
add comment="Contains all VLANs" name=VLAN
add comment="Access to all VLANs" name=PRIVATE
add comment="Needed for inside PATs" name=PRIVATE+WAN
add comment="VLAN Bridge" name=BRIDGE
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk comment="Guest Profile" \
    eap-methods="" group-key-update=1h mode=dynamic-keys supplicant-identity=\
    MikroTik
add authentication-types=wpa2-psk eap-methods="" group-key-update=1h \
    management-protection=allowed mode=dynamic-keys name=profile_private \
    supplicant-identity=""
add authentication-types=wpa2-psk eap-methods="" group-key-update=1h \
    management-protection=allowed mode=dynamic-keys name=profile_iot \
    supplicant-identity=""
/interface wireless
set [ find default-name=wlan1 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-Ceee \
    comment="Private Wi-Fi 5GHz" country=no_country_set disabled=no frequency=\
    5500 frequency-mode=superchannel mode=ap-bridge name=wlan_atlas \
    security-profile=profile_private ssid=atlas station-roaming=enabled \
    wireless-protocol=802.11 wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=C6:AD:34:E9:0F:B9 \
    master-interface=wlan_atlas multicast-buffering=disabled name=\
    wlan_atlas_guest ssid=atlas-Guest station-roaming=enabled wds-cost-range=0 \
    wds-default-cost=0 wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=C6:AD:34:E9:0F:BB \
    master-interface=wlan_atlas multicast-buffering=disabled name=\
    wlan_atlas_iot security-profile=profile_iot ssid=atlas-IoT station-roaming=\
    enabled wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
set [ find default-name=wlan2 ] band=2ghz-g/n comment="Private Wi-Fi 2.4GHz" \
    country=hungary disabled=no distance=indoors frequency=auto mode=ap-bridge \
    name=wlan_fujijama security-profile=profile_private ssid=fujijama \
    station-roaming=enabled wireless-protocol=802.11 wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=C6:AD:34:E9:0F:BA \
    master-interface=wlan_fujijama multicast-buffering=disabled name=\
    wlan_fujijama_guest ssid=atlas-Guest station-roaming=enabled \
    wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=C6:AD:34:BB:5A:E3 \
    master-interface=wlan_fujijama multicast-buffering=disabled name=\
    wlan_fujijama_iot security-profile=profile_iot ssid=atlas-IoT \
    station-roaming=enabled wds-cost-range=0 wds-default-cost=0 wds-mode=\
    dynamic wps-mode=disabled
/interface wireless manual-tx-power-table
set wlan_atlas comment="Private Wi-Fi 5GHz"
set wlan_fujijama comment="Private Wi-Fi 2.4GHz"
/interface wireless nstreme
set wlan_atlas comment="Private Wi-Fi 5GHz"
set wlan_fujijama comment="Private Wi-Fi 2.4GHz"
/ip hotspot profile
add hotspot-address=10.0.2.2 name=hsprof1
/ip kid-control
add name="Children control"
/ip pool
add name=dhcp_pool_private ranges=10.0.0.50-10.0.0.254
add name=dhcp_pool_guest ranges=10.0.2.3-10.0.2.254
add name=dhcp_pool_management ranges=10.0.99.3-10.0.99.254
add name=dhcp_pool_iot ranges=10.0.1.3-10.0.1.254
add name=dhcp_pool_ovpn ranges=10.0.98.10-10.0.98.254
/ip dhcp-server
add address-pool=dhcp_pool_private disabled=no interface=vlan_private \
    lease-time=1d name=dhcp_private
add address-pool=dhcp_pool_guest disabled=no interface=vlan_guest lease-time=1h \
    name=dhcp_guest
add address-pool=dhcp_pool_iot disabled=no interface=vlan_iot lease-time=1d \
    name=dhcp_iot
add address-pool=dhcp_pool_management disabled=no interface=vlan_management \
    lease-time=1h name=dhcp_management
/ppp profile
add dns-server=10.0.0.3 interface-list=PRIVATE local-address=10.0.98.2 name=\
    ppp_private remote-address=dhcp_pool_ovpn use-encryption=yes
/queue simple
add max-limit=2M/60M name="Limit Guest VLAN" target=vlan_guest
/caps-man manager
set ca-certificate=auto certificate=auto enabled=yes
/caps-man provisioning
add action=create-dynamic-enabled hw-supported-modes=gn master-configuration=\
    config_iot_2ghz
add action=create-dynamic-enabled hw-supported-modes=ac,an \
    master-configuration=config_iot_5ghz
/interface bridge port
add bridge=bridge_vlan interface=ether2 pvid=30
add bridge=bridge_vlan interface=sfp-sfpplus1
add bridge=bridge_vlan frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether3 pvid=10
add bridge=bridge_vlan frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether4 pvid=30
add bridge=bridge_vlan frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether5 pvid=30
add bridge=bridge_vlan frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether6 pvid=10
add bridge=bridge_vlan frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether7 pvid=10
add bridge=bridge_vlan frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether8 pvid=10
add bridge=bridge_vlan frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=wlan_atlas pvid=10
add bridge=bridge_vlan frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=wlan_fujijama pvid=10
add bridge=bridge_vlan frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=wlan_fujijama_guest pvid=20
add bridge=bridge_vlan frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=wlan_atlas_guest pvid=20
add bridge=bridge_vlan frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether10 pvid=99
add bridge=bridge_vlan frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=wlan_atlas_iot pvid=30
add bridge=bridge_vlan frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=wlan_fujijama_iot pvid=30
/ip neighbor discovery-settings
set discover-interface-list=VLAN
/interface bridge vlan
add bridge=bridge_vlan tagged=bridge_vlan,ether2 untagged=\
    ether3,ether6,ether7,ether8,wlan_atlas,wlan_fujijama,ether9 vlan-ids=10
add bridge=bridge_vlan tagged=bridge_vlan,ether2 untagged=\
    wlan_fujijama_guest,wlan_atlas_guest vlan-ids=20
add bridge=bridge_vlan tagged=bridge_vlan untagged=ether10 vlan-ids=99
add bridge=bridge_vlan tagged=bridge_vlan untagged=\
    wlan_fujijama_iot,wlan_atlas_iot,ether2,ether5,ether4 vlan-ids=30
/interface detect-internet
set detect-interface-list=WAN lan-interface-list=VLAN wan-interface-list=WAN
/interface l2tp-server server
set authentication=mschap1,mschap2 default-profile=ppp_private
/interface list member
add interface=ether1 list=WAN
add interface=vlan_management list=VLAN
add interface=vlan_private list=VLAN
add interface=vlan_guest list=VLAN
add interface=vlan_management list=PRIVATE
add interface=vlan_private list=PRIVATE
add interface=ether1 list=PRIVATE+WAN
add interface=vlan_private list=PRIVATE+WAN
add interface=vlan_management list=PRIVATE+WAN
add interface=vlan_iot list=VLAN
add interface=bridge_vlan list=BRIDGE
add interface=ether9 list=WAN
add interface=ether9 list=PRIVATE+WAN
/interface ovpn-server server
set auth=sha1 certificate=server cipher=aes256 default-profile=ppp_private \
    enabled=yes netmask=16 require-client-certificate=yes
/interface wireless access-list
add comment=COMP1 interface=wlan_atlas mac-address=08:62:66:BC:8C:BF
add comment="Kristof iPhone" interface=wlan_atlas mac-address=40:9C:28:6C:0B:F4
add comment="Kristof iPad" interface=wlan_atlas mac-address=F4:5C:89:5D:9C:1C
add comment=SurfacePro interface=wlan_atlas mac-address=98:5F:D3:5E:A0:75 \
    vlan-mode=no-tag
/interface wireless cap
set certificate=request
/ip address
add address=10.0.99.2/24 interface=vlan_management network=10.0.99.0
add address=10.0.0.2/24 interface=vlan_private network=10.0.0.0
add address=10.0.2.2/24 interface=vlan_guest network=10.0.2.0
add address=10.0.1.2/24 interface=vlan_iot network=10.0.1.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add disabled=no interface=ether9 use-peer-dns=no use-peer-ntp=no
add disabled=no interface=ether1 use-peer-dns=no use-peer-ntp=no
/ip dhcp-server lease
add address=10.0.0.3 comment="Private Pi-hole" mac-address=B8:27:EB:06:5F:0F \
    server=dhcp_private
add address=10.0.2.3 client-id=ff:eb:6:5f:f:0:1:0:1:26:51:64:a7:b8:27:eb:6:5f:f \
    comment="Guest Pi-hole" mac-address=B8:27:EB:06:5F:0F server=dhcp_guest
add address=10.0.1.3 comment="IoT Pi-hole" mac-address=B8:27:EB:06:5F:0F \
    server=dhcp_iot
add address=10.0.0.10 client-id=1:8:62:66:bc:8c:bf comment="Kristof COMP1" \
    mac-address=08:62:66:BC:8C:BF server=dhcp_private
add address=10.0.1.130 comment="Kristof Floor Lamp" mac-address=\
    EC:FA:BC:12:83:9F server=dhcp_iot
add address=10.0.1.131 comment="Kristof Sign Lamp" mac-address=\
    C8:2B:96:10:AF:4F server=dhcp_iot
add address=10.0.1.120 comment="Living Room LED Bottom" mac-address=\
    DC:4F:22:C0:75:0A server=dhcp_iot
add address=10.0.1.110 comment="Kitchen LED Bottom" mac-address=\
    DC:4F:22:C0:74:57 server=dhcp_iot
add address=10.0.1.112 comment="Kitchen Lights" mac-address=EC:FA:BC:14:83:26 \
    server=dhcp_iot
add address=10.0.1.121 comment="Aquarium Lights" mac-address=EC:FA:BC:86:CD:DD \
    server=dhcp_iot
add address=10.0.1.100 comment="Bathroom Lamp" mac-address=B4:E6:2D:4A:5A:A4 \
    server=dhcp_iot
add address=10.0.1.122 comment="Living Room Floor Lamp" mac-address=\
    CC:50:E3:F3:AA:23 server=dhcp_iot
add address=10.0.1.180 comment="Terrace Lamp" mac-address=98:F4:AB:B9:24:21 \
    server=dhcp_iot
add address=10.0.1.101 comment="Bathroom Mirror Light" mac-address=\
    C8:2B:96:11:4F:B4 server=dhcp_iot
add address=10.0.1.123 comment="Ceiling Lights" mac-address=C8:2B:96:10:AB:53 \
    server=dhcp_iot
add address=10.0.1.102 comment="Washing Machine" mac-address=98:F4:AB:B8:6D:01 \
    server=dhcp_iot
add address=10.0.1.113 comment=Dishwasher mac-address=98:F4:AB:B8:64:0F server=\
    dhcp_iot
add address=10.0.1.114 comment="Kitchen Plate Lights" mac-address=\
    98:F4:AB:F3:43:E2 server=dhcp_iot
add address=10.0.1.111 comment="Kitchen LED Top" mac-address=DC:4F:22:C0:73:5B \
    server=dhcp_iot
add address=10.0.1.124 comment="Living Room Shelf LED" mac-address=\
    DC:4F:22:C0:7A:BB server=dhcp_iot
add address=10.0.1.10 comment="Xiaomi Robot Vacuum" mac-address=\
    78:11:DC:EB:54:08 server=dhcp_iot
add address=10.0.1.5 client-id=1:b8:27:eb:79:c6:f9 comment=MagicMirror \
    mac-address=B8:27:EB:79:C6:F9 server=dhcp_iot
add address=10.0.1.140 comment="R\E9ka Sony TV" mac-address=18:4F:32:AC:B0:A2 \
    server=dhcp_iot
add address=10.0.1.125 comment="Living Room TV" mac-address=08:9E:08:C0:BA:67 \
    server=dhcp_iot
add address=10.0.1.126 comment="Living Room Speaker" mac-address=\
    E4:F0:42:20:42:53 server=dhcp_iot
add address=10.0.1.132 comment="Kristof Shelf Lamp" mac-address=\
    D8:F1:5B:B0:4B:76 server=dhcp_iot
add address=10.0.1.11 client-id=1:50:13:95:bf:f7:dc comment=\
    "Living Room Camera" mac-address=50:13:95:BF:F7:DC server=dhcp_iot
add address=10.0.1.12 comment="Xiaomi Air Purifier" mac-address=\
    34:CE:00:FB:DB:F3 server=dhcp_iot
add address=10.0.1.127 comment=Awair mac-address=70:88:6B:10:1E:8C server=\
    dhcp_iot
add address=10.0.1.6 client-id=1:12:42:e7:8f:9d:54 comment="Printer Server" \
    mac-address=12:42:E7:8F:9D:54 server=dhcp_iot
add address=10.0.1.13 comment="Paradox Alarm Interface" mac-address=\
    00:19:BA:0D:D5:53 server=dhcp_iot
add address=10.0.1.141 comment="Reka Desk Lamp" mac-address=40:31:3C:D0:D9:30 \
    server=dhcp_iot
add address=10.0.1.128 client-id=1:0:4:20:f0:af:64 comment=\
    "Living Room Harmony Hub" mac-address=00:04:20:F0:AF:64 server=dhcp_iot
add address=10.0.1.142 comment="R\E9ka Main Lamp" mac-address=E0:98:06:95:B1:B2 \
    server=dhcp_iot
add address=10.0.1.133 comment="Kristof Desk Lamp" mac-address=\
    78:11:DC:55:9E:00 server=dhcp_iot
add address=10.0.1.150 comment="Bedside Lamp Left" mac-address=\
    04:CF:8C:15:BD:5E server=dhcp_iot
add address=10.0.1.151 comment="Bedside Lamp Right" mac-address=\
    04:CF:8C:25:61:92 server=dhcp_iot
add address=10.0.1.4 client-id=1:dc:a6:32:d:4b:73 comment=openHABian \
    mac-address=DC:A6:32:0D:4B:73 server=dhcp_iot
add address=10.0.1.103 client-id=1:0:5:cd:fa:59:be comment=\
    "Bathroom HEOS Speaker" mac-address=00:05:CD:FA:59:BE server=dhcp_iot
add address=10.0.1.8 client-id=1:90:e:b3:6:6e:a7 comment=OSMC mac-address=\
    90:0E:B3:06:6E:A7 server=dhcp_iot
add address=10.0.1.14 client-id=1:0:d9:d1:ba:9f:1e comment=PlayStation \
    mac-address=00:D9:D1:BA:9F:1E server=dhcp_iot
add address=10.0.1.15 client-id=1:44:f0:34:88:88:7c comment="Kaon DVR" \
    mac-address=44:F0:34:88:88:7C server=dhcp_iot
add address=10.0.1.16 client-id=1:0:5:cd:9d:14:ac comment="Denon AVR-X3400H" \
    mac-address=00:05:CD:9D:14:AC server=dhcp_iot
add address=10.0.1.134 comment="Kristof Main Lamp" mac-address=\
    E0:98:06:95:B0:84 server=dhcp_iot
add address=10.0.1.7 client-id=1:d4:ca:6d:68:7f:ab comment=\
    "Mikrotik IoT Access Point" mac-address=D4:CA:6D:68:7F:AB server=dhcp_iot
add address=10.0.1.17 comment="Sensibo Sky" mac-address=34:15:13:FA:A1:1D \
    server=dhcp_iot
add address=10.0.1.104 comment="Withings Scale" mac-address=00:24:E4:47:FE:7E \
    server=dhcp_iot
/ip dhcp-server network
add address=10.0.0.0/24 dns-server=10.0.0.3 gateway=10.0.0.2
add address=10.0.1.0/24 dns-server=10.0.1.3 gateway=10.0.1.2
add address=10.0.2.0/24 dns-server=10.0.2.3 gateway=10.0.2.2
add address=10.0.99.0/24 dns-server=8.8.8.8 gateway=10.0.99.2
/ip dns
set allow-remote-requests=yes servers=10.0.0.3
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan type=A
/ip firewall address-list
add address=10.0.1.16 list=Stream
add address=10.0.1.103 list=Stream
add address=10.0.1.125 list=Stream
add address=10.0.1.126 list=Stream
add address=10.0.1.4 list=NAS
add address=10.0.1.8 list=NAS
add address=10.0.1.5 list=NAS
/ip firewall filter
add action=accept chain=input comment="Allow Estab & Related" connection-state=\
    established,related
add action=accept chain=input comment="Allow OpenVPN" dst-port=1194 protocol=\
    tcp
add action=accept chain=input comment="Allow vlan_private Full Access" \
    in-interface-list=PRIVATE
add action=accept chain=input comment="Streaming devices access network" \
    src-address-list=Stream
add action=accept chain=input comment="Allow openHAB to access router graphing" \
    dst-address=10.0.1.2 src-address=10.0.1.4
add action=accept chain=input comment="Accept CAPsMAN traffic" dst-port=\
    5246,5247 protocol=udp src-address=127.0.0.1
add action=accept chain=input comment="Multicast IGMP" in-interface-list=VLAN \
    protocol=igmp
add action=drop chain=input comment=Drop connection-state=""
add action=accept chain=forward comment="Accept port forwards" \
    connection-nat-state=dstnat connection-state=new
add action=accept chain=forward comment="Allow Estab & Related" \
    connection-state=established,related
add action=accept chain=forward comment="Allow openHAB to access COMP1" \
    dst-address=10.0.0.10 src-address=10.0.1.4
add action=accept chain=forward comment="Allow Streaming on VLANs" \
    dst-address-list=Stream
add action=accept chain=forward comment="Allow Streaming on VLANs" \
    src-address-list=Stream
add action=accept chain=forward comment="Allow NAS Access" dst-address=\
    10.0.0.252 src-address-list=NAS
add action=accept chain=forward comment="VLAN Internet Access only" \
    connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=accept chain=forward comment="Forward queries from openVPN" \
    in-interface-list=PRIVATE
add action=drop chain=forward comment=Drop connection-state=""
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" \
    disabled=yes
add action=masquerade chain=srcnat comment=\
    "Allow internal access to servers using router's external IP addresses" \
    dst-address=10.0.0.0/24 src-address=10.0.0.0/24
add action=masquerade chain=srcnat comment=masquerade dst-address=!10.0.0.0/16 \
    ipsec-policy=out,none out-interface-list=WAN src-address=10.0.0.0/16
add action=dst-nat chain=dstnat comment=NAS dst-port=18022 in-interface-list=\
    PRIVATE+WAN protocol=tcp to-addresses=10.0.0.252 to-ports=22
add action=dst-nat chain=dstnat comment="Transmission Web Interface" dst-port=\
    19091 in-interface-list=PRIVATE+WAN protocol=tcp to-addresses=10.0.0.252 \
    to-ports=9091
add action=dst-nat chain=dstnat comment=Transmission dst-port=49850 \
    in-interface-list=PRIVATE+WAN protocol=tcp to-addresses=10.0.0.252 \
    to-ports=49850
add action=dst-nat chain=dstnat comment=HTTPS dst-port=61443 in-interface-list=\
    PRIVATE+WAN protocol=tcp to-addresses=10.0.0.252 to-ports=443
add action=dst-nat chain=dstnat comment=Lighttpd dst-port=61081 \
    in-interface-list=PRIVATE+WAN protocol=tcp to-addresses=10.0.0.252 \
    to-ports=8080
add action=dst-nat chain=dstnat comment="OH  link" dst-port=61082 \
    in-interface-list=PRIVATE+WAN protocol=tcp to-addresses=10.0.0.252 \
    to-ports=8081
add action=dst-nat chain=dstnat comment="Let's Encrypt cert auth" disabled=yes \
    dst-port=80 in-interface-list=PRIVATE+WAN protocol=tcp to-addresses=\
    10.0.1.4 to-ports=18484
/ip hotspot user
add name=admin
/ip ipsec policy
set 0 dst-address=0.0.0.0/0 src-address=0.0.0.0/0
/ip route
add distance=1 dst-address=192.168.1.0/24 gateway=ovpn_agard
/ip smb
set comment=RB4011 domain=WORKGROUP enabled=yes interfaces=vlan_private
/ip smb shares
add directory=/hotspot name=hotspot
/ip smb users
add name=admin read-only=no
/ip ssh
set always-allow-password-login=yes
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=vlan_private type=internal
add interface=vlan_guest type=internal
add interface=vlan_iot type=internal
/ppp secret
add name=kristof profile=ppp_private service=ovpn
add name=bandi profile=ppp_private service=ovpn
add name=agard profile=ppp_private remote-address=10.0.98.3 service=ovpn
/routing igmp-proxy interface
add interface=vlan_iot upstream=yes
add interface=vlan_private
add interface=vlan_guest
/system clock
set time-zone-name=Europe/Budapest
/system identity
set name=RB4011
/system leds
set 0 interface=vlan_private
add interface=wlan_fujijama leds="wlan_fujijama_signal1-led,wlan_fujijama_signal\
    2-led,wlan_fujijama_signal3-led,wlan_fujijama_signal4-led,wlan_fujijama_sign\
    al5-led" type=wireless-signal-strength
add interface=wlan_fujijama leds=wlan_fujijama_tx-led type=interface-transmit
add interface=wlan_fujijama leds=wlan_fujijama_rx-led type=interface-receive
/system logging
add topics=ovpn,debug
/system ntp client
set enabled=yes server-dns-names=\
    0.hu.pool.ntp.org,1.hu.pool.ntp.org,2.hu.pool.ntp.org,3.hu.pool.ntp.org
/tool e-mail
set address=smtp.gmail.com from="\"Mikrotik Router\" <radokristof12@gmail.com>" \
    port=587 start-tls=yes user=radokristof12@gmail.com
/tool graphing interface
add allow-address=10.0.0.0/16
/tool graphing queue
add allow-address=10.0.0.0/16
/tool graphing resource
add allow-address=10.0.0.0/16
add allow-address=10.0.99.0/24
/tool mac-server
set allowed-interface-list=PRIVATE
/tool mac-server mac-winbox
set allowed-interface-list=PRIVATE

Sob · August 29, 2020, 7:49pm

You can use dhcp lease script to update routes:

https://wiki.mikrotik.com/wiki/Manual:IP/DHCP_Client#Lease_script_example

If it looks complicated, it can be made much simpler:

http://forum.mikrotik.com/t/dual-dynamic-isp-wan-dual-lan-setup/132893/5

rkrisi · August 29, 2020, 7:52pm

Thanks this looks great! However sometimes the dhcp client not loses it’s address (still bound) and still there is no internet access… If I’m right, this will only work if the dhcp client goes immediately down if the internet is also down…

Also I’m wondering why most of the guides don’t just set 2 routes with different distances. What is wrong with this approach? I saw this in some guides, but only a few, without any real description…

Sob · August 29, 2020, 9:46pm

Actually, I wasn’t reading carefully. If you’d be interested only in changing default route distance, DHCP client has default-route-distance parameter, so you can just set it there and you don’t need anything else. If you want better detection whether connections works or not, you may try e.g. Advanced Routing Failover without Scripting. And lease scripts will be useful for that, because the example config is for static addresses.

rkrisi · August 29, 2020, 10:06pm

Thanks! I have tried setting the default route distance in dhcp client. It sets the correct distance, however my “main” WAN is down (distance=1) and it still won’t use failover WAN (distance=2) no matter what I do.

Sob · August 29, 2020, 10:23pm

Dynamic default route doesn’t check gateway. You can change that with routing filters:

http://forum.mikrotik.com/t/feature-suggestion-check-gateway-when-using-dhcp-client/109968/3

But even if gateway is reachable, it still doesn’t guarantee that internet will work, because there can be something broken futher in ISP’s network.

rkrisi · August 29, 2020, 10:38pm

Well this is kinda works, but the response is not that great. What would be the best setup to test if a link is really up (like pinging a 3rd party website - Google DNS or anything) and works with dynamic IPs as well?
The Advanced Failover without Scripting looks promising but I can’t really get it to work

Also I don’t understand why I can’t set a manual static route to a dhcp client interface. Adding a default route 0.0.0.0/0 with the selected interface is not working. I need to type in the IP there to get it working…

Sob · August 29, 2020, 11:30pm

Interface can be gateway only when it’s point to point type, because there’s only one device on the other end and it receives everything. Ethernet can have many different devices connected at the same time, so traffic must be sent to gateway’s MAC address (which router gets automaticaly from IP address). And that’s true even when only one device is connected.

Best solution is subjective. If you need to make sure that internet really works, you need to test something beyond your ISP’s network. Personally I don’t like pinging Google or something I have no control over, but unless you have some reliable servers of your own, that’s the way to go. And the advanced failover config works, try harder.

rkrisi · August 30, 2020, 9:45am

So it seems that the Advanced Failover is what I really want. I will try again and see if it works