Dual PPPoE Wan failover with specific port

Nightcry97 · January 27, 2025, 9:12pm

Hello. I have a CRS109-8G-1S-2HnD-IN set up with two PPPoE Connections with failover and i need to route some traffic from the backup Wan to a specific machine and I’m kinda lost.
I prepared another bridge and only added one port with other address and made a dhcp serv for it. I need to metion that I’m new to Mikrotik Routers and RouterOS and everything I learned, I did from internet and youtube.

Any help would be highly appreciated. Thank you

panisk0 · January 28, 2025, 9:57am

you need to build an additional routing table to support both routes at the same time

https://help.mikrotik.com/docs/spaces/ROS/pages/59965508/Policy+Routing

full version for both links:

/routing table
add disabled=no fib name=to_WAN_pppoe1
add disabled=no fib name=to_WAN_pppoe2

/ip route
add dst-address=0.0.0.0/0 gateway=1.1.1.1 routing-table=to_WAN_pppoe1
add dst-address=0.0.0.0/0 gateway=2.2.2.2 routing-table=to_WAN_pppoe2

/routing rule
add routing-mark=to_WAN_pppoe1 table=to_WAN_pppoe1
add src-address=1.1.1.0/24 table=to_WAN_pppoe1
add routing-mark=to_WAN_pppoe2 table=to_WAN_pppoe2
add src-address=2.2.2.0/24 table=to_WAN_pppoe2
add action=lookup src-address=192.168.1.111/32 table=to_WAN_pppoe2

short version only for 2nd link:

/routing table
add disabled=no fib name=to_WAN_pppoe2

/ip route
add dst-address=0.0.0.0/0 gateway=2.2.2.2 routing-table=to_WAN_pppoe2

/routing rule
add routing-mark=to_WAN_pppoe2 table=to_WAN_pppoe2
add src-address=2.2.2.0/24 table=to_WAN_pppoe2
add action=lookup src-address=192.168.1.111/32 table=to_WAN_pppoe2 #<–LAN PC 2pppoe route

TheCat12 · January 28, 2025, 11:27am

An edited version of @panisk0’s short version will do the job because his is a bit overcomplicated and there are some things whose logic I don’t understand (for example the use of routing marks):

/routing table
add fib name=to_WAN_pppoe2

/ip route
add dst-address=0.0.0.0/0 gateway="backup_PPPoE_interface" routing-table=to_WAN_pppoe2

/routing rule
add action=lookup-only-in-table dst-address="LAN_subnet" table=main
add action=lookup-only-in-table src-address="Specific_Machine_IP" table=to_WAN_pppoe2

panisk0 · January 28, 2025, 12:47pm

@TheCat12 ← you created a to_WAN_pppoe2 table that doesn’t have a default gateway
He wrote that failover was working properly, I believe that the main table is ok.

/ip route
add dst-address=0.0.0.0/0 gateway=“backup_PPPoE_interface” routing-table=to_WAN_pppoe2

TheCat12 · January 28, 2025, 2:10pm

It has a gateway - the failover PPPoE interface can act as one since we’re talking about a PtP protocol

The main table routing rule, if that’s what’s concerning you, ensures that local traffic doesn’t get routed over the PPPoE link

panisk0 · January 28, 2025, 7:34pm

How should it be to handle the default gateway in the to_WAN_pppoe2 table?

/ip route
add dst-address=0.0.0.0/0 gateway="backup_PPPoE_interface"

/ip route
add dst-address=0.0.0.0/0 gateway="backup_PPPoE_interface" routing-table=to_WAN_pppoe2

TheCat12 · January 28, 2025, 8:28pm

I saw my mistake, forgot to add the routing table parameter, thank you!

panisk0 · January 28, 2025, 8:37pm

then what’s this for? since * = main
in the to_WAN_pppoe2 table you change the src-address

/routing rule
add action=lookup-only-in-table dst-address="LAN_subnet" table=main

@TheCat12 - do you think this is enough?

/routing table
add fib name=to_WAN_pppoe2

/ip route
add dst-address=0.0.0.0/0 gateway="backup_PPPoE_interface" routing-table=to_WAN_pppoe2

/routing rule
add action=lookup-only-in-table src-address="Specific_Machine_IP" table=to_WAN_pppoe2

TheCat12 · January 28, 2025, 8:45pm

Quite sure that would suffice. The first routing rule you quote, as I said in a previous post, ensures that local traffic dosn’t get routed through the WG tunnel. The second one is the policy based routing and if the failover is configured correctly, there should be no need for additional routes in the main table

panisk0 · January 28, 2025, 9:00pm

I also add routing mark for firewall mangle (not required in 7.x)

/routing rule
add routing-mark=to_WAN_pppoe2 table=to_WAN_pppoe2

and adds a WAN connection address to handle outgoing connections via the backup (example, isp gw: 2.2.2.1 mikrotik ip: 2.2.2.2)

/routing rule
add src-address=2.2.2.0/30 table=to_WAN_pppoe2

for me it will be complete:

/routing table
add fib name=to_WAN_pppoe2

/ip route
add dst-address=0.0.0.0/0 gateway="backup_PPPoE_interface" routing-table=to_WAN_pppoe2

/routing rule
add routing-mark=to_WAN_pppoe2 table=to_WAN_pppoe2
add src-address=2.2.2.0/30 table=to_WAN_pppoe2
add action=lookup-only-in-table src-address="Specific_Machine_IP" table=to_WAN_pppoe2

…and similarly for to_WAN_pppoe1
This will ensure that no matter which gateway has a greater distance, both will be reachable from the WAN.