Dual Wan with Failover

xTheDoctah · September 2, 2021, 8:35pm

Hello everyone, I recently bought a RB760iGS and I was trying to use it as a router with the failover by connecting to ether1 and ether2 to two modem (ether1 to my VSDL Modem, ether2 to my LTE Modem). I followed the instruction that are on this page https://help.mikrotik.com/docs/pages/viewpage.action?pageId=26476608, I’ve configured everything (I think) but I have one problem, If I disconnect the Ethernet 1 cable I can navigate, with the second connection, but if I disconnect the RJ11 from the VSDL (reproducing the “no internet issue”) keeps trying to pass through the Ether1 connection. And sometimes my modem(VSDL), try to redirect me to his login page in order to access the webpage I wanted to. Connected to the router I’ve also an Unifi AP and connected through the SFP port a switch.

Here is my configuration, I would really appreciate if you can take a look and tell me if I did something wrong. Thank you.

# sep/02/2021 22:15:05 by RouterOS 6.48.4
# software id = LI1W-MX7U
#
# model = RB760iGS
# serial number = E1F20E0DCED8
/interface bridge
add name=bridge
/interface ethernet
set [ find default-name=ether5 ] poe-out=forced-on
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=pool_1 ranges=192.168.3.10-192.168.3.254
/ip dhcp-server
add address-pool=pool_1 disabled=no interface=bridge name=Server
/interface bridge port
add bridge=bridge interface=LAN
/interface list member
add interface=ether1 list=WAN
add interface=ether2 list=WAN
add interface=ether3 list=LAN
add interface=ether5 list=LAN
add interface=ether4 list=LAN
add interface=sfp1 list=LAN
/ip address
add address=192.168.3.1/24 interface=bridge network=192.168.3.0
add address=192.168.1.2/24 interface=ether1 network=192.168.1.0
add address=192.168.2.100/24 interface=ether2 network=192.168.2.0
/ip dhcp-client
add !dhcp-options disabled=no interface=ether2
add disabled=no interface=ether1
/ip dhcp-server lease
add address=192.168.3.2 client-id=1:68:d7:9a:86:a7:9d comment="Access Point" \
    mac-address=68:D7:9A:86:A7:9D server=Server
/ip dhcp-server network
add address=192.168.3.0/24 dns-server=192.168.3.1 gateway=192.168.3.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip firewall filter
add action=drop chain=forward disabled=yes dst-address=192.168.1.1 \
    src-address=192.168.3.0/24
add action=drop chain=forward disabled=yes dst-address=192.168.2.1 \
    src-address=192.168.3.0/24
/ip firewall mangle
add action=mark-connection chain=output connection-mark=no-mark \
    connection-state=new new-connection-mark=VodaFiber_conn out-interface=\
    ether1 passthrough=yes
add action=mark-routing chain=output connection-mark=VodaFiber_conn \
    new-routing-mark=to_VodaFiber out-interface=ether1 passthrough=yes
add action=mark-connection chain=output connection-mark=no-mark \
    connection-state=new new-connection-mark=VodaLte_conn out-interface=\
    ether2 passthrough=yes
add action=mark-routing chain=output connection-mark=VodaLte_conn \
    new-routing-mark=to_VodaFiber out-interface=ether2 passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=masquerade chain=srcnat out-interface=ether2
/ip route
add check-gateway=ping distance=1 gateway=8.8.8.8 routing-mark=to_VodaFiber
add check-gateway=ping distance=2 gateway=8.8.4.4 routing-mark=to_VodaFiber
add check-gateway=ping distance=1 gateway=8.8.4.4 routing-mark=to_VodaLte
add check-gateway=ping distance=2 gateway=8.8.8.8 routing-mark=to_VodaLte
add distance=1 dst-address=8.8.4.4/32 gateway=192.168.2.1 scope=10
add distance=1 dst-address=8.8.8.8/32 gateway=192.168.1.1 scope=10
/system clock
set time-zone-name=Europe/Rome

ConnyMercier · November 7, 2021, 11:02pm

I think you have a Routing-Problem…

Quick-Test:

Ping to something directly via the Mikrotik-Device,
and then disconnect the RJ11 from the Modem…

You may lose a couple of ping, but it should switch over …

Problem 1: DHCP-Client
You have multiple Routing tables, but also have two “default” DHCP-Clients active…
In your Config they will both create default-Route (0.0.0.0/0) with distance 1 in the “MAIN” Routing-Table

Problem 2: Routing-Mark
If you don’t specify the Routing, all Traffic going THRU or OUT your Router
will be routed via the “MAIN” Routing-Table. At the moment you don’t have any rules for
Foward-Traffic. The Rules you added are only for Router Output-Traffic.

To quickly Test this :

/ip firewall mangle
add action=mark-connection chain=prerouting dst-address=8.8.8.8 new-connection-mark=to_VodaFiber passthrough=yes

Add this Rule to your mikrotik and try to ping 8.8.8.8 via a PC on your network.
and then disconnect the RJ11 from the Modem…
You may lose a couple of ping, but it should switch over …

anav · November 8, 2021, 1:07am

The config is hosed…

(1) /interface bridge port
add bridge=bridge interface=LAN

WRONG!!
/interface bridge port
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
add bridge=bridge interface=sfp1

(2) /interface list member
add interface=ether1 list=WAN
add interface=ether2 list=WAN
add interface=ether3 list=LAN
add interface=ether5 list=LAN
add interface=ether4 list=LAN
add interface=sfp1 list=LAN

WRONG
add interface=ether1 list=WAN
add interface=ether2 list=WAN
add interface=bridge list=LAN

(3) Firewall rules…
Why do you not have any??
What is the intended purpose of the rules you do have??
/ip firewall filter
add action=drop chain=forward disabled=yes dst-address=192.168.1.1
src-address=192.168.3.0/24
add action=drop chain=forward disabled=yes dst-address=192.168.2.1
src-address=192.168.3.0/24

(4) What is the purpose of your mangling rules. They are incomplete for Load Balancing?? and totally uneccesary for Failover scenarios.

(5) Describe how you want to use the two WAN connections.
Primary
Secondary (failover)?