I have two WAN connections that were both connected to my router via DHCP, and I used a simple WAN failover script using route distances so that if one went down, the other kicked in. This had been working great until our main connection changed to using PPPoE instead.
Now if our main connection goes down, the second WAN doesn't kick in. I've also noticed that a dynamically connected route has been created for our public IP address (123.456.0.10) and what I assume is our ISP's gateway (123.456.0.1).
I’ve attached a pic to show.
Has anyone any suggestions how I can setup a failover now?
Thanks
As it happened I had to do a full reset this morning, so here is the config at the moment. I've only the basic setup done to get things up and running, but I tried the failover again using routes and it still doesn't work. When I remove the default route's cable it doesn't change to unreachable like it used to do.
# nov/27/2018 15:20:36 by RouterOS 6.43.4
# software id = 5BUL-L32B
#
# model = 1100AHx2
# serial number = 57320536C056
/interface ethernet
set [ find default-name=ether3 ] name=LAN
set [ find default-name=ether1 ] name=WAN1
set [ find default-name=ether2 ] name=WAN2
/interface pppoe-client
add add-default-route=yes dial-on-demand=yes disabled=no interface=WAN1 name=\
WAN1-pppoe user=ppoeusername
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=192.168.0.2-192.168.0.254
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=LAN name=dhcp1
/ip address
add address=192.168.0.1/24 interface=LAN network=192.168.0.0
add address=192.168.10.50/24 interface=WAN2 network=192.168.10.0
/ip dhcp-server network
add address=192.168.0.0/24 gateway=192.168.0.1
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip firewall nat
add action=masquerade chain=srcnat out-interface=WAN1-pppoe
/ip route
add check-gateway=ping distance=1 gateway=WAN1-pppoe
add distance=2 gateway=WAN2
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh address=192.168.0.0/24
set api disabled=yes
set winbox address=192.168.0.0/24
set api-ssl disabled=yes
/system clock
set time-zone-name=
/system routerboard settings
set silent-boot=no
So I've got my router up and running again after the reset, but the failover still isn't working. I've attached the settings below and a grab of the routes from WinBox.
I do have internet access from WAN2 via vlan300, but if I disable WAN1 and/or WAN1-pppoe nothing else routes through WAN2, except vlan300. I was able to set up a failover easily before WAN1 became a PPPoE connection. I've tried scripts and marking but nothing works.
# dec/04/2018 14:52:15 by RouterOS 6.43.4
# software id = 5BUL-L32B
#
# model = 1100AHx2
# serial number = 57323465789
/interface bridge
add fast-forward=no name=LAN-Bridge
add fast-forward=no name=Wan2_Vlan_bridge
/interface ethernet
set [ find default-name=ether1 ] name=WAN1
set [ find default-name=ether2 ] name=WAN2
set [ find default-name=ether10 ] mac-address=E4:8F:8C:8F:1E:43
/interface pppoe-client
add add-default-route=yes dial-on-demand=yes disabled=no interface=WAN1 name=WAN1-pppoe user=ppoe_user
/interface vlan
add comment="office" interface=LAN-Bridge name=vlan200 vlan-id=200
add comment="guest" interface=LAN-Bridge name=vlan300 vlan-id=300
/interface bonding
add mode=802.3ad name="LAN Link" slaves=ether10,ether9 transmit-hash-policy=\
layer-2-and-3
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=vlan200-pool ranges=20.20.20.10-20.20.20.254
add name=Guest-pool ranges=192.168.10.60-192.168.10.254
add name=vpn ranges=192.168.89.2-192.168.89.255
/ip dhcp-server
add address-pool=vlan200-pool disabled=no interface=vlan200 name=vlan200-dhcp
/ppp profile
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
/interface bridge port
add bridge=LAN-Bridge interface="LAN Link"
add bridge=LAN-Bridge interface=ether8
add bridge=LAN-Bridge interface=ether7
add bridge=LAN-Bridge interface=ether6
add bridge=LAN-Bridge interface=ether5
add bridge=LAN-Bridge interface=ether4
add bridge=LAN-Bridge interface=ether3
add bridge=Wan2_Vlan_bridge interface=WAN2
add bridge=Wan2_Vlan_bridge interface=vlan300
/ip neighbor discovery-settings
set discover-interface-list=none
/interface l2tp-server server
set enabled=yes use-ipsec=yes
/interface list member
add interface=WAN1-pppoe list=WAN
add interface=LAN_Link list=LAN
add interface=WAN2 list=WAN
/interface pptp-server server
set enabled=yes
/interface sstp-server server
set default-profile=default-encryption enabled=yes
/ip address
add address=192.168.0.1/24 interface=LAN-Bridge network=192.168.0.0
add address=192.168.10.50/24 interface=WAN2 network=192.168.10.0
add address=20.20.20.1/24 interface=vlan200 network=20.20.20.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-relay
add dhcp-server=192.168.0.2,192.168.0.3 disabled=no interface=ether3 name="Windows DNS server"
/ip dhcp-server network
add address=20.20.20.0/24 dns-server=1.1.1.1,1.0.0.1 gateway=20.20.20.1
add address=192.168.0.0/24 dns-server=192.168.0.10,192.168.0.11 domain=local gateway=192.168.0.1
add address=192.168.10.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.10.50
/ip dns
set servers=192.168.0.2,192.168.0.3
/ip firewall address-list
add address=192.168.0.2-192.168.0.254 list=allowed_to_router
/ip firewall filter
add action=accept chain=input comment="default configuration" \
connection-state=established,related
add action=accept chain=input src-address-list=allowed_to_router
add action=accept chain=input log=yes protocol=icmp
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=drop chain=input log=yes
add action=drop chain=input comment=\
"drop all traffic brute force attack sources" log=yes src-address-list=\
sshblacklist
add action=add-src-to-address-list address-list=sshblacklist \
address-list-timeout=1h chain=input comment=\
"add new failed sshdarkgreylist to sshblacklist" connection-state=new \
dst-port=22 protocol=tcp src-address-list=sshdarkgreylist
add action=add-src-to-address-list address-list=sshdarkgreylist \
address-list-timeout=1m chain=input comment=\
"add new failed sshgreylist to sshdarkgreylist" connection-state=new \
dst-port=22 protocol=tcp src-address-list=sshgreylist
add action=add-src-to-address-list address-list=sshgreylist \
address-list-timeout=1m chain=input comment=\
"add new failed sshlightgreylist to sshgreylist" connection-state=new \
dst-port=22 protocol=tcp src-address-list=sshlightgreylist
add action=add-src-to-address-list address-list=sshlightgreylist \
address-list-timeout=1m chain=input comment=\
"new connections to sshlightgreylist" connection-state=new dst-port=22 \
protocol=tcp
add chain=input comment="Accept established and related packets" \
connection-state=established,related
add action=accept chain=input comment=\
"Accept all connections from local network" in-interface=LAN-Bridge
add action=drop chain=input comment="Drop invalid packets" connection-state=\
invalid
add action=drop chain=input comment=\
"Drop all packets which are not destined to routes IP address" \
dst-address-type=!local
add action=drop chain=input comment=\
"Drop all packets which does not have unicast source IP address" \
src-address-type=!unicast
add action=drop chain=input comment="Drop all packets from public internet whi\
ch should not exist in public network" in-interface=WAN1-pppoe \
src-address-list=NotPublic
add action=drop chain=input comment="Drop all packets from public internet whi\
ch should not exist in public network" in-interface=Wan2_Vlan_bridge \
src-address-list=NotPublic
add chain=forward comment="Accept established and related packets" \
connection-state=established,related
add action=drop chain=forward comment="Drop invalid packets" \
connection-state=invalid
add action=drop chain=forward comment=\
"Drop new connections from internet which are not dst-natted" \
connection-nat-state=!dstnat connection-state=new in-interface=WAN1-pppoe
add action=drop chain=forward comment=\
"Drop new connections from internet which are not dst-natted" \
connection-nat-state=!dstnat connection-state=new in-interface=\
Wan2_Vlan_bridge
add action=drop chain=forward comment="Drop all packets from public internet w\
hich should not exist in public network" in-interface=WAN1-pppoe \
src-address-list=NotPublic
add action=drop chain=forward comment="Drop all packets from public internet w\
hich should not exist in public network" in-interface=Wan2_Vlan_bridge \
src-address-list=NotPublic
add action=drop chain=forward comment="Drop all packets from local network to \
internet which should not exist in public network" dst-address-list=\
NotPublic in-interface=LAN-Bridge
add action=drop chain=forward comment="Drop all packets in local network which\
\_does not have local network address" in-interface=LAN-Bridge \
src-address=!192.168.0.0/24
add action=drop chain=forward comment=\
"Drop new connections from internet which are not dst-natted" \
connection-nat-state=!dstnat connection-state=new in-interface=WAN1-pppoe
add action=drop chain=forward comment=\
"Drop new connections from internet which are not dst-natted" \
connection-nat-state=!dstnat connection-state=new in-interface=\
Wan2_Vlan_bridge
add action=add-src-to-address-list address-list=udpflood \
address-list-timeout=30s chain=input connection-limit=30,32 protocol=udp \
tcp-flags=""
add action=drop chain=input src-address-list=udpflood
add action=add-src-to-address-list address-list=outUDPflood \
address-list-timeout=30s chain=output connection-limit=30,32 limit=\
1,5:packet protocol=udp
add action=drop chain=output src-address-list=outUDPflood
add action=reject chain=input comment=SECURITY content=user.dat reject-with=\
icmp-network-unreachable
add action=drop chain=input content=user.dat
/ip firewall nat
add action=masquerade chain=srcnat out-interface=WAN1-pppoe
add action=masquerade chain=srcnat out-interface=Wan2_Vlan_bridge
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
192.168.89.0/24
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set udplite disabled=yes
set dccp disabled=yes
/ip route
add distance=2 gateway=WAN2
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh address=192.168.0.0/24
set api disabled=yes
set winbox address=192.168.0.0/24
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/ppp secret
add name=vpn
/system routerboard settings
set silent-boot=no
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no
Method 1 - Dual WAN failover with SINGLE remote host ping check (ISP1 - Static IP; ISP2 - PPPoE)
We have two uplinks: MAIN (GW1 IP - 88.196.6.185) and BACKUP (PPPoE GW IP: 10.10.1.1) - usually those gateways are ISP routers.
So we need to monitor our gateways' connectivity with external hosts (those hosts can be whatever you think is stable enough - some webpage/server addresses. I'm using the Google DNS servers for this checking (Host1 = 8.8.8.8; Host2 = 8.8.4.4)).
Host1 via GW1 and Host2 via GW2.
First we create routes to those hosts via the corresponding gateways:
/ip route
add dst-address=Host1(8.8.8.8) gateway=GW1(88.196.6.185) scope=10
add dst-address=Host2(8.8.4.4) gateway=GW2(10.10.1.1) scope=10
Then create the default routes with different distances, using the hosts themselves as (recursive) gateways:
/ip route
add distance=1 gateway=Host1(8.8.8.8) check-gateway=ping
add distance=2 gateway=Host2(8.8.4.4) check-gateway=ping
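Method 1 above has the static link as MAIN and PPPoE as BACKUP, which is the reverse of the original poster's setup. The following is an added example (not posted by either participant in this thread) that applies the same recursive-route method to the poster's interface names, with WAN1-pppoe as the main link and WAN2 as the backup. Everything the thread does not state is an assumption marked as such in the comments: the WAN2 upstream gateway is taken to be 192.168.10.1 (the thread only shows the router's own 192.168.10.50/24 on that side), and the probe hosts are 8.8.8.8 and 8.8.4.4 as in Method 1.

```routeros
# Added example, not from the thread: Method 1 adapted to main = WAN1-pppoe, backup = WAN2.
# ASSUMED (not in the thread): WAN2's upstream gateway is 192.168.10.1.

# 1. Stop the PPPoE client from injecting its own dynamic default route. That dynamic
#    route is the one visible in the poster's route list and it competes with the
#    static default routes below. dial-on-demand is also turned off so the session is
#    always up and its state reflects the uplink rather than the presence of traffic.
/interface pppoe-client
set [ find name=WAN1-pppoe ] add-default-route=no dial-on-demand=no

# 2. Pin one probe host to each uplink. scope=10 makes these host routes usable as
#    the next hop of the default routes below (whose target-scope defaults to 10).
#    A PPPoE interface is point-to-point, so it can be given directly as the gateway.
/ip route
add dst-address=8.8.8.8/32 gateway=WAN1-pppoe scope=10 comment="probe via main (PPPoE)"
add dst-address=8.8.4.4/32 gateway=192.168.10.1 scope=10 comment="probe via backup (WAN2), ASSUMED gateway"

# 3. Recursive default routes. check-gateway=ping pings the probe host, not the ISP
#    gateway, so a dead upstream marks the route unreachable even while the local
#    cable or the PPPoE session is still up; distance 2 then takes over.
add dst-address=0.0.0.0/0 gateway=8.8.8.8 check-gateway=ping distance=1 target-scope=10 comment="default via main"
add dst-address=0.0.0.0/0 gateway=8.8.4.4 check-gateway=ping distance=2 target-scope=10 comment="default via backup"

# 4. The probe hosts must not double as the router's DNS servers (the poster's first
#    config used 8.8.8.8,8.8.4.4): each probe is pinned to one uplink, so a lookup
#    sent to it during an outage would follow the dead link.
/ip dns
set servers=1.1.1.1,1.0.0.1

# 5. Verify: pull the cable or kill the PPPoE session and the distance-1 default
#    route should show as unreachable within a few ping intervals.
/ip route print where dst-address=0.0.0.0/0
/ping 8.8.4.4 count=3 interface=WAN2
```

Two things to check against the poster's second config when applying this. The srcnat masquerade for the backup exit must match the interface that actually carries the 192.168.10.50 address and the backup default route (the second config masquerades out of Wan2_Vlan_bridge while the address and route sit on WAN2; whichever one is kept, both must agree). And the per-probe host routes are a standard caveat of this method: anything else that sends traffic to 8.8.8.8 or 8.8.4.4 (clients' DNS, monitoring) is pinned to that uplink regardless of failover, so pick probe hosts nothing else on the network relies on.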