Hello, this is the configuration I’m using at the moment. I’m also using PPPoE and a static address for ISP1/ISP2. Be aware that you can’t use a PPPoE interface for recursive routing.
/ip route
add distance=1 gateway=10.1.1.1 comment="Main link. The virtual hop address can be anything, but it must match the dst-address of the check-gateway routes below"
add distance=2 gateway=10.2.2.2 comment="Backup link (virtual hop 10.2.2.2)"
add distance=1 dst-address=8.8.4.4/32 gateway=ISP1 scope=10 comment="ISP1 checks Google DNS1 (8.8.4.4)"
add distance=1 dst-address=8.8.8.8/32 gateway=ISP2 scope=10 comment="ISP2 checks Google DNS2 (8.8.8.8)"
add distance=1 dst-address=208.67.220.220/32 gateway=ISP1 scope=10 comment="ISP1 checks OpenDNS1 if Google DNS1 fails"
add distance=1 dst-address=208.67.222.222/32 gateway=ISP2 scope=10 comment="ISP2 checks OpenDNS2 if Google DNS2 fails"
add check-gateway=ping distance=1 dst-address=10.1.1.1/32 gateway=8.8.4.4 scope=10 comment="Main hop via the first ISP1 probe host; inactive while 8.8.4.4 does not answer ping"
add check-gateway=ping distance=1 dst-address=10.1.1.1/32 gateway=208.67.220.220 scope=10 comment="Main hop via the second ISP1 probe host; main link stays up while at least one of the two answers"
add check-gateway=ping distance=1 dst-address=10.2.2.2/32 gateway=208.67.222.222 scope=10 comment="Backup hop via the first ISP2 probe host"
add check-gateway=ping distance=1 dst-address=10.2.2.2/32 gateway=8.8.8.8 scope=10 comment="Backup hop via the second ISP2 probe host"
This is the multiple hosts check variant of the dual WAN failover from the MikroTik wiki page. It checks one DNS and if this DNS fails, then it checks the second DNS. Only if both checks fail does it switch to the backup line.
As I said, you have to check if the remote gateway of the PPPoE is constant, because if it’s changing on every new connection the recursion won’t work and the failover won’t work. You have to exclude the eth port which you want to use for the backup ISP from the bridge (I guess you already did that).
I’m also not deep in Mikrotik and I’m still experimenting but I hope it’ll help you with your configuration.
The DHCP server settings: domain should be empty, not 8.8.4.4.
You put 8.8.4.4 as 2nd DNS server in Winbox under the DHCP server settings, but don’t put it into domain.
In DHCP-CLIENT: you need to DISABLE “add default route”, else the router always uses the default route!
masquerade: I don’t know why you give a source address…? Is it needed? Do you have addresses that don’t need masquerade?
Your choice of “virtual hop” address of 10.xxx is dangerous as you also use 10.xxx as local address… It should work, but better use something really outside your local 10.xxx/16 subnet.
Draid:
If I look at your routes, is really only one active?
RPI/draid:
you do not need the virtual hops. The Google GW as hop by itself is enough. Check out other posts on this.
PS: You don’t do any load balancing with PCC, is this on purpose or do you really just want failover?
The DHCP server settings: domain should be empty, not 8.8.4.4.
You put 8.8.4.4 as 2nd DNS server in Winbox under the DHCP server settings, but don’t put it into domain.
Oops, you’re right, I’ll fix this, but I guess this isn’t really related to my problem.
In DHCP-CLIENT: you need to DISABLE “add default route”, else the router always uses the default route!
Should I disable for PPPoE too?
masquerade: I don’t know why you give a source address…? Is it needed? Do you have addresses that don’t need masquerade?
I read somewhere that if I don’t specify the source address the router masquerades every packet even if the destination is in the same network as the source, and it means a lot more CPU usage. Isn’t it true?
you do not need the virtual hops. The Google GW as hop by itself is enough. Check out other posts on this.
Yes, you also need to disable the default route for PPPoE, else the failover will not work and it will always use the default PPPoE route.
You will define the routes later on “by hand”. But those added routes always have a higher distance than the default routes… thus do not create a default route.
masquerading on out interface WAN_xxx is done only for packets leaving the router via the defined interface.
Local traffic will not get masqueraded and will not create any additional CPU load.
Well, the route with distance 2 is for sure inactive. The failover works like a charm; however, I can’t say with 100% certainty that it’s the best way or that it lacks any flaws, as I’m still trying different things with the Tik. The configuration was taken from the wiki, so I guess it has to be verified. I’ve checked if one of the DNS servers fails and it for sure keeps the link until both are down. Also, I’m not using PCC as initially I needed only failover, but I’m yet to test load balancing just for the sake of it.
Yes, you also need to disable the default route for PPPoE, else the failover will not work and it will always use the default PPPoE route.
You will define the routes later on “by hand”. But those added routes always have a higher distance than the default routes… thus do not create a default route.
Oh, I see, thanks for the clarification.
masquerading on out interface WAN_xxx is done only for packets leaving the router via the defined interface.
Local traffic will not get masqueraded and will not create any additional CPU load.
So I need one rule for ISP1-UPC (DHCP) interface, and one for pppoe-telekom, right?
Check out this post for more background on the failover setup.
viewtopic.php?f=2&t=145970&p=719949#p719949
Hmm. I read the whole thread, but it’s still not clear to me why I don’t need to use a virtual hop. Can you show me an example route config for this?
But it only tests one host per WAN (8.8.8.8 for WAN1 and 8.8.4.4 for WAN2), doesn’t it? So if 8.8.8.8 is down, all traffic goes to WAN2. So it’s not too robust. How can I check 2 hosts per WAN without the virtual hops?
Hmm. Sorry, but it’s not clear to me. Can you show me an example with two host checks without virtual hops?
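To make the difference between the two layouts concrete, here is an added Python simulation of RouterOS-style recursive next-hop resolution with check-gateway. It is not RouterOS code and not from this thread; it models the rules the routes above rely on: a route whose gateway is an IP address is resolved through the most specific route whose scope is less than or equal to the resolving route's target-scope, and a route with check-gateway=ping is inactive while pings to its gateway address fail. ISP1 and ISP2 are assumed to be interface names that are always up, and the set of probe hosts that answer ping is a constructed input, not real ping output. MULTI_HOST is the virtual-hop table from the first post (with each virtual hop's two probe hosts routed out the same ISP); SINGLE_HOST is the one-host-per-WAN variant (8.8.8.8 for ISP1, 8.8.4.4 for ISP2) with no virtual hops.

```python
"""Simulation of recursive route resolution with check-gateway (added example)."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Route:
    dst: str                      # "0.0.0.0/0" for the default route
    gateway: str                  # interface name (ISP1/ISP2) or next-hop IP
    distance: int = 1
    scope: int = 30               # RouterOS default for a static route
    target_scope: int = 10        # RouterOS default for a static route
    check_gateway: bool = False   # check-gateway=ping set on this route


def _is_interface(gateway: str) -> bool:
    try:
        ipaddress.ip_address(gateway)
        return False
    except ValueError:
        return True               # anything that is not an IP is an interface name


def resolve(route, table, probe_ok, depth=0):
    """Return the exit interface of `route`, or None if the route is inactive."""
    if depth > 8:                 # guard against accidental resolution loops
        return None
    if _is_interface(route.gateway):
        exit_iface = route.gateway            # directly attached, assumed up
    else:
        nexthop = ipaddress.ip_address(route.gateway)
        # only routes with scope <= our target-scope may resolve the gateway
        candidates = [r for r in table
                      if r is not route and r.scope <= route.target_scope
                      and nexthop in ipaddress.ip_network(r.dst)]
        if not candidates:
            return None
        best_len = max(ipaddress.ip_network(r.dst).prefixlen for r in candidates)
        exit_iface = None
        # among the most specific matches, the first active one by distance wins
        for r in sorted((c for c in candidates
                         if ipaddress.ip_network(c.dst).prefixlen == best_len),
                        key=lambda c: c.distance):
            exit_iface = resolve(r, table, probe_ok, depth + 1)
            if exit_iface:
                break
        if exit_iface is None:
            return None
    if route.check_gateway and route.gateway not in probe_ok:
        return None                           # ping to the gateway address fails
    return exit_iface


def active_default(table, probe_ok):
    """Return (distance, exit interface) of the active default route, or None."""
    defaults = sorted((r for r in table if r.dst == "0.0.0.0/0"),
                      key=lambda r: r.distance)
    for r in defaults:
        iface = resolve(r, table, probe_ok)
        if iface:
            return r.distance, iface
    return None


# Virtual-hop layout: each hop is reachable through two probe hosts on its own ISP.
MULTI_HOST = [
    Route("0.0.0.0/0", "10.1.1.1", distance=1),
    Route("0.0.0.0/0", "10.2.2.2", distance=2),
    Route("8.8.4.4/32", "ISP1", scope=10),
    Route("8.8.8.8/32", "ISP2", scope=10),
    Route("208.67.220.220/32", "ISP1", scope=10),
    Route("208.67.222.222/32", "ISP2", scope=10),
    Route("10.1.1.1/32", "8.8.4.4", scope=10, check_gateway=True),
    Route("10.1.1.1/32", "208.67.220.220", scope=10, check_gateway=True),
    Route("10.2.2.2/32", "8.8.8.8", scope=10, check_gateway=True),
    Route("10.2.2.2/32", "208.67.222.222", scope=10, check_gateway=True),
]

# No virtual hops: the probe host itself is the gateway of the default route.
SINGLE_HOST = [
    Route("0.0.0.0/0", "8.8.8.8", distance=1, check_gateway=True),
    Route("0.0.0.0/0", "8.8.4.4", distance=2, check_gateway=True),
    Route("8.8.8.8/32", "ISP1", scope=10),
    Route("8.8.4.4/32", "ISP2", scope=10),
]

ALL_PROBES = {"8.8.4.4", "8.8.8.8", "208.67.220.220", "208.67.222.222"}

if __name__ == "__main__":
    scenarios = [
        ("multi-host, all probes answer", MULTI_HOST, ALL_PROBES),
        ("multi-host, 8.8.4.4 down only", MULTI_HOST, ALL_PROBES - {"8.8.4.4"}),
        ("multi-host, both ISP1 probes down", MULTI_HOST,
         ALL_PROBES - {"8.8.4.4", "208.67.220.220"}),
        ("single-host, 8.8.8.8 down only", SINGLE_HOST, {"8.8.4.4"}),
    ]
    for name, table, ok in scenarios:
        print(f"{name}: active default route = {active_default(table, ok)}")
```

The third scenario is the point of the virtual hops: one failed probe host on ISP1 leaves the main link active, and only when both ISP1 probe hosts stop answering does the distance-2 route via ISP2 take over. The last scenario shows the single-host layout switching to ISP2 as soon as 8.8.8.8 alone is unreachable.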
I managed to create a working setup with virtual hops:
But if I add the routing marks (from the wiki page), it doesn’t work anymore:
Why? Should I create some firewall rules (mangle)?
Other topic: I’d like to set up an email alert if the second line becomes active. Is it possible?