Dual WAN Config Help (2 Sites with own Mikrotik Router and own ISP)

nelld · February 24, 2025, 3:30pm

Hi All,

I hope you can help me or point me to the right direction how to enable this.
I have 2 network sites connected via outdoor wireless PTP.
What I wanted to configure is dual wan setup wherein if ISP of Network 1 goes down it will use Network 2 WAN and vice versa using the PTP wireless connection.
I managed to configure Network 1 with dual wan with auto failover but I am not sure how to configure Network 2 to use the Network 1 ISP as its backup connection (dual wan auto failover) using the same outdoor wireless PTP.

Do I just add a static route in Router 2 using the IP address of CPE client as its gateway?

Here’s my network setup. Apologies it’s just in a tabular format.
Network Set-up.png

BartoszP · February 24, 2025, 4:21pm

On the first page of “New posts” there is a current topic about DUAL WAN. Have you read it?

http://forum.mikrotik.com/t/finally-made-dual-wan-work/182174/1

anav · February 24, 2025, 4:33pm

There are probably a number of approaches.
In concept, what you want to do is assume for either network that the ptp connection is a WAN2 incoming so to speak.
For me this means considering at least two vlans across that connection and each is used to terminate to a WAN2 connection on the receiving network.

So lets assume vlan setup on both devices
Network One
vlan-5 home subnet
vlan-10 guest subnet
vlan-20 secondary WAN ( local lan traffic goes out this if Primary WAN is down )
vlan-30 Network2 subnet traffic coming in here for their backup WAN
Define all vlans to the bridge.

/ip route
add check-gateway=ping dst-address=0.0.0.0/0 gateway=ISP1-gateway-ip table=main
add distance=2 dst-address=0.0.0.0/0 gateway=192.168.20.1 table=main

/ip address
add address=192.168.5.1 interface=vlan5 network=192.168.5.0
etc.
add address=192.168.20.2/30 interface=vlan20 network=192.168.20.0
add address=192.168.30.1/30 interface=vlan30 network=192.168.30.0

/interface list member
add interface=ether1 list=WAN
add interface=vlan20 list=WAN
add interface=vlan30 list=LAN
add interface=vlan5 list=LAN
etc.

/interface bridge port
add bridge=bridge ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=PTP-interface
/interface bridge vlan
add bridge=bridge tagged=bridge,PTP-interface vlan-id=20,30

/ip firewall
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN
/ip firewall nat
add chain=srcnat action=masquerade out-interface-list=WAN

Network Two
vlan-6 home subnet
vlan-15 guest subnet
vlan-20 Network1 subnet traffic coming in here for their backup WAN
vlan-30 ( local lan traffic goes out this if Primary WAN is down )
Define all vlans to the bridge.

/ip route
add check-gateway=ping dst-address=0.0.0.0/0 gateway=ISP2-gateway-ip table=main
add distance=2 dst-address=0.0.0.0/0 gateway=192.168.30.1 table=main

/ip address
add address=192.168.6.1 interface=vlan5 network=192.168.5.0
etc.
add address=192.168.20.1/30 interface=vlan20 network=192.168.20.0
add address=192.168.30.2/30 interface=vlan30 network=192.168.30.0

/interface list member
add interface=ether1 list=WAN
add interface=vlan30 list=WAN
add interface=vlan20 list=LAN
add interface=vlan6 list=LAN
etc.

/interface bridge port
add bridge=bridge ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=PTP-interface
/interface bridge vlan
add bridge=bridge tagged=bridge,PTP-interface vlan-id=20,30

/ip firewall
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN
/ip firewall nat
add chain=srcnat action=masquerade out-interface-list=WAN

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

This is off the top of the head, I am sure there is a more elegant way of doing so, LIke using VRRP etc… so that users on both sides only see ONE Virtual WAN and the routers decide
one master one slave( which router WAN termination is being used at any particular time )

anav · February 24, 2025, 4:33pm

A more elegant approach is using VRRP, however this does not permit Network1 to use ISP1 and Network1 to use ISP2, basically both Networks will use the master router connection to the internet, and if not available switch to the backup.

nelld · February 24, 2025, 7:32pm

Yes I did, however my set up is different since I have two different networks with their own routers and ISP.
I am trying to avoid another Wireless PTP from Network 1 to Network 2 in order to have secondary link in Network 2 using ISP 1 as it’s backup WAN.
Network 1 is fully functional with dual wan auto failover recursive.

nelld · February 24, 2025, 7:34pm

There are probably a number of approaches.
In concept, what you want to do is assume for either network that the ptp connection is a WAN2 incoming so to speak.
For me this means considering at least two vlans across that connection and each is used to terminate to a WAN2 connection on the receiving network.

So lets assume vlan setup on both devices
Network One
vlan-5 home subnet
vlan-10 guest subnet
vlan-20 secondary WAN ( local lan traffic goes out this if Primary WAN is down )
vlan-30 Network2 subnet traffic coming in here for their backup WAN
Define all vlans to the bridge.

/ip route
add check-gateway=ping dst-address=0.0.0.0/0 gateway=ISP1-gateway-ip table=main
add distance=2 dst-address=0.0.0.0/0 gateway=192.168.20.1 table=main

/ip address
add address=192.168.5.1 interface=vlan5 network=192.168.5.0
etc.
add address=192.168.20.2/30 interface=vlan20 network=192.168.20.0
add address=192.168.30.1/30 interface=vlan30 network=192.168.30.0

/interface list member
add interface=ether1 list=WAN
add interface=vlan20 list=WAN
add interface=vlan30 list=LAN
add interface=vlan5 list=LAN
etc.

/interface bridge port
add bridge=bridge ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=PTP-interface
/interface bridge vlan
add bridge=bridge tagged=bridge,PTP-interface vlan-id=20,30

/ip firewall
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN
/ip firewall nat
add chain=srcnat action=masquerade out-interface-list=WAN

Network Two
vlan-6 home subnet
vlan-15 guest subnet
vlan-20 Network1 subnet traffic coming in here for their backup WAN
vlan-30 ( local lan traffic goes out this if Primary WAN is down )
Define all vlans to the bridge.

/ip route
add check-gateway=ping dst-address=0.0.0.0/0 gateway=ISP2-gateway-ip table=main
add distance=2 dst-address=0.0.0.0/0 gateway=192.168.30.1 table=main

/ip address
add address=192.168.6.1 interface=vlan5 network=192.168.5.0
etc.
add address=192.168.20.1/30 interface=vlan20 network=192.168.20.0
add address=192.168.30.2/30 interface=vlan30 network=192.168.30.0

/interface list member
add interface=ether1 list=WAN
add interface=vlan30 list=WAN
add interface=vlan20 list=LAN
add interface=vlan6 list=LAN
etc.

/interface bridge port
add bridge=bridge ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=PTP-interface
/interface bridge vlan
add bridge=bridge tagged=bridge,PTP-interface vlan-id=20,30

/ip firewall
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN
/ip firewall nat
add chain=srcnat action=masquerade out-interface-list=WAN

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

This is off the top of the head, I am sure there is a more elegant way of doing so, LIke using VRRP etc… so that users on both sides only see ONE Virtual WAN and the routers decide
one master one slave( which router WAN termination is being used at any particular time )

Thanks a lot. I really appreciate your time. I will give this a try until I find a simpler approach.

anav · February 24, 2025, 10:34pm

Okay I will work on this but I would use VRRP after all, but do it twice, so two VRRPs running across each router.
In instance1, network1 is primary and thus all ROUTER1 users with use this ISP1
In instance2, network2 is primary and thus all ROUTER2 users would use this ISP2

In case of failure of any one ISP, the other will automatically kick in.
Its a bit more complex than single VRRP, but single VRRP would only use one ISP and keep the other for back up.
I believe it will work better than my previous solution…