I’ve googled for a while about how to make dual WAN failover and I think one of the good ways I’ve found is using recursive routing.
I’m currently following this guide, and it suggests adding these routes (I’ve adjusted gateway to meet my config):
Thanks for link.
I’ve reread it and I do have everything configured, except for the routing-mark part in rules, which seems to have been removed(?), as my RouterOS 7.0 highlights this parameter as invalid.
What half implementation did you mean that I haven’t done?
Here’s screenshot to illustrate what routes I have and that invalid one that doesn’t work for some reason https://i.imgur.com/S5dSY8d.png
I also figured that changing target scope to 11 (default is 10) marks this route as valid. However still nothing makes it recursive route.
As for the gateway that has to be IP address - apparently it doesn’t have to, as route is marked as valid when I use interface name. And dynamic routes are using interfaces name too.
I’ve tried to switch it to IP just in case but nothing changes - that route still works but again nothing makes this route (or its ‘parent’) recursive.
The only thing I would focus in on is distance and not scope. Which was missing in your first rule.
I tend to not box myself into a corner. Nothing lower than one, so I use 5 and 10.
Well, that surely makes sense but... there are dynamically created routes with distance 0, 1 and 2.
So I’d assume my custom routes with distance 5 and higher would just never be used, right?
Also, I’ve managed to make these routes ‘work’ and with that I mean none of them are marked as invalid anymore by tweaking scope of one route and target scope of the other.
However, they are not marked as recursive. Any idea why? https://i.imgur.com/1M0vPkk.png
Okay I see the problem,
I wasn't specific in my example because I made the assumption that you were simply using gateway1 to hide your WAN IP gateways, but apparently you think the name of the interface suffices. Not so, you need the actual IP address.
So let me rephrase my Suggestions.
PS. I use distance 5 and 10 so that if the case arises I can put in distance before, between, or after the ones already in play. Max flex!!
For example I ended up using two external addresses to check connectivity, also 9.9.9.9, and thus used a distance in between to differentiate between the two DNS addresses I was checking.
PPS. I looked at my Route results in the config and my first route…
add dst-address=1.1.1.1/32 gateway=IP of my primary, distance=5 and the scope=10 and the target scope=10
The second rule where one only checks ping results and in my config displays 0.0.0.0/0 for destination and a scope of 30 and a target scope of 10
The third rule for the secondary wan, also results in a destination address of 0.0.0.0/0 and a scope of 30 and a target scope of 10.
Conclusion: I don’t know now why I set on the first rule a scope and target scope of 10 to match??? But it works.
I copy-pasted rules you proposed - they do not work https://i.imgur.com/Ii8GTkh.png
The reason why my routes from previous screenshot work is because these two (scope of one and target scope of the other) - match https://i.imgur.com/7qFVnsl.png
I am still not sure why they are not marked as recursive routes.
On a side note, I am not sure why you are so convinced that the gateway 100% has to be an IP address. Because it does not. The interface’s name does work.
(1) Get rid of this… set to NONE.
/interface detect-internet
set detect-interface-list=all
(2) FIX THIS,
/ip address
add address=192.168.1.1/24 interface=ether2 network=192.168.1.0
SHOULD BE
/ip address
add address=192.168.1.1/24 interface=bridge1 network=192.168.1.0
(3) Duplicate rule remove… (the first rule covers this).
add action=masquerade chain=srcnat comment="default rule" out-interface=ether1
(4) Why are you using a whole bunch of netmap rules? Are you mapping public IPs to private IPs??
(5) It appears they are for port forwarding and if so DO NOT USE netmap. USE dstnat!!!
ex.
add action=dst-nat chain=dstnat comment=\
"Radmin port forwarding (from mikrotikwan:48991 to 192.168.1.2:4899)" \
dst-port=48991 in-interface-list=WAN protocol=tcp to-addresses=192.168.1.2 \
to-ports=4899
(6) What is this for…
/ip service
set www address=192.168.1.0/24 port=33388
SHOULD BE DISABLED and is a Security RISK.
NO ACCESS TO THE ROUTER ITSELF SHOULD BE DONE FROM THE WAN SIDE. The safe way to access the router is to VPN into the LAN and then access the router.
(7) AND THEN the FW rules… A mess!!
SAME ISSUE. You have the default winbox port (which you should change anyway) BEING OPENED UP to the internet, and regardless of whether you have a WAN IP allowed list, that is NOT SECURE and a terrible security practice. Have the admin access the router via VPN to be able to modify the config IF NOT ON SITE.
WIPE IT CLEAN START NEW.
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment={ADD ANY RULES REQUIRED FOR VPN INPUT PORTS}
add action=accept chain=input comment="Allow ADMIN to Router" \
src-address-list=adminaccess
add action=accept chain=input comment="Allow LAN DNS queries - TCP" \
connection-state=new dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input comment="Allow LAN DNS queries-UDP" \
connection-state=new dst-port=53 in-interface-list=LAN protocol=udp
add action=drop chain=input comment="Drop All Else"
{NOTE: Only put the last rule (drop all) when the admin access rule is in place!!}
...
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=accept chain=forward comment="ENABLE LAN to WAN" \
in-interface=bridge1 out-interface-list=WAN
add action=accept chain=forward comment="Allow Port Forwarding" \
connection-nat-state=dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward comment=\
"DROP ALL other FORWARD traffic"
{
:global isp1gateway ether1
:global isp2gateway lte1
/ip dhcp-client
set [find] add-default-route=no
/interface lte apn
set [ find ] add-default-route=no
/ip route
remove [find where dynamic=no]
add comment="ISP1 is preferred Gateway" distance=1 gateway=$isp1gateway
add comment="ISP2 is alternative Gateway" distance=2 gateway=$isp2gateway
add comment="1.1.1.1 must be reachable only from ISP1" distance=1 dst-address=1.1.1.1/32 gateway=$isp1gateway scope=10
add comment="8.8.8.8 must be reachable only from ISP2" distance=1 dst-address=8.8.8.8/32 gateway=$isp2gateway scope=10
add check-gateway=ping comment="Check if reachable 1.1.1.1 = ISP1 Working" distance=1 gateway=1.1.1.1
add check-gateway=ping comment="Check if reachable 8.8.8.8 = ISP2 Working" distance=1 gateway=8.8.8.8
add check-gateway=ping comment="If ISP1 fail, still check when is reachable again 1.1.1.1" distance=2 gateway=1.1.1.1
add check-gateway=ping comment="If ISP2 fail, still check when is reachable again 8.8.8.8" distance=2 gateway=8.8.8.8
add comment="Virtual ping to maintain router calc for ISP1" distance=20 dst-address=1.1.1.1/32 type=blackhole
add comment="Virtual ping to maintain router calc for ISP2" distance=20 dst-address=8.8.8.8/32 type=blackhole
}
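As an added example, not taken from the thread or from any poster above, here is a minimal RouterOS 7 recursive dual-WAN failover that shows the two things the thread keeps circling: the gateway of a recursive route has to be an IP address that is not on a connected subnet, and the host route it resolves through has to have a scope no larger than the recursive route's target-scope. The ISP gateway addresses 192.0.2.1 and 198.51.100.1 and the interfaces ether1/ether2 are placeholders I assumed; 1.1.1.1 and 9.9.9.9 are the probe targets mentioned in the thread.

```routeros
# Added example (not the thread's config). ASSUMED placeholders:
#   ISP1 gateway 192.0.2.1 on ether1, ISP2 gateway 198.51.100.1 on ether2.
# Probe targets 1.1.1.1 (ISP1) and 9.9.9.9 (ISP2), as discussed in the thread.

# Stop DHCP clients from installing their own default routes, which would
# compete with the ones below.
/ip dhcp-client set [find] add-default-route=no

/ip route
# Host routes to each probe target, pinned to one ISP each. The gateway is the
# ISP's real next-hop IP on a connected subnet, so these resolve directly.
# scope=10 is what makes them usable for resolving a route whose target-scope
# is 10 (the default for static routes). With the default scope of 30 they
# would be ignored and the default routes below would end up unreachable.
add dst-address=1.1.1.1/32 gateway=192.0.2.1 scope=10 distance=1 \
    comment="probe 1.1.1.1 only via ISP1"
add dst-address=9.9.9.9/32 gateway=198.51.100.1 scope=10 distance=1 \
    comment="probe 9.9.9.9 only via ISP2"

# Default routes whose gateway is NOT on any connected subnet. RouterOS has to
# look the gateway up in the routing table (recursive resolution), lands on the
# host routes above and inherits their next hop. An interface name as gateway
# is accepted, but it is a directly attached route and can never be recursive.
# check-gateway=ping then pings 1.1.1.1 / 9.9.9.9 through that ISP, so the
# route only stays active while the ISP actually reaches the internet, not
# merely its first-hop gateway.
add dst-address=0.0.0.0/0 gateway=1.1.1.1 check-gateway=ping distance=1 \
    target-scope=10 comment="ISP1 default (recursive)"
add dst-address=0.0.0.0/0 gateway=9.9.9.9 check-gateway=ping distance=2 \
    target-scope=10 comment="ISP2 default (recursive)"

# Verify: the active default route should list the probe IP as gateway and the
# ISP's real gateway as the resolved next hop (immediate-gw in the detailed
# output on v7).
/ip route print detail where dst-address=0.0.0.0/0
```

Two practical caveats: pick probe targets that LAN clients do not otherwise depend on, because the host routes pin all traffic to 1.1.1.1 and 9.9.9.9 to one ISP each, so a client using 1.1.1.1 as its DNS server loses that resolver whenever ISP1 is down even though failover itself works; and if either ISP hands out its gateway by DHCP or PPPoE, replace the placeholder gateway IPs with that ISP's actual next hop (or with a script that updates them), since an interface name in the host route will not give you recursion.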
I am facing a similar issue. I want to set up recursive failover for 3 ISPs. Tried with two ISPs to test, but the route rule which it uses goes into "static" state.