Dual WAN Woes.

Hi.
I have two internet connections. WAN1 (DHCP For the family) and WAN2 (PPPoE for my business I run from home)

I have a network of 172.16.0.1/23 - DHCP range is 172.16.0.10-172.16.0.250
The reserved IP for my work stuff is in the range of 172.16.1.x

I want all traffic from 172.16.0.x to go via WAN1, and all traffic from 172.16.1.x to go via WAN2. But I just can't get it to work. I'm a sort of noob — not to networking, just MikroTik.

Here’s my config.
Thanks in advance…
Doug

# 2024-10-07 14:11:46 by RouterOS 7.16

# model = RB750Gr3

# Review notes below are marked NOTE(review); they describe what this export
# shows and where the policy routing leaks, not a verified fix.
/interface bridge
add admin-mac=DC:2C:6E:DF:DF:BE auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] comment=Three
# NOTE(review): add-default-route=yes installs a PPPoE default route in the
# main table. No other main-table default route exists in this export (the
# /ip route entries below live in To-Three / To-ICUK only), so anything that
# is not routing-marked by the mangle rules - router-originated traffic and
# LAN traffic to PrivateNetworks destinations - leaves via PPPoE.
/interface pppoe-client
add add-default-route=yes interface=ether2 name=pppoe-out1 password=\
    xxxxxxxxxxxxxxxx user=xxxxxxxxxxxxxxxxx@xxxxxxxxxxxxx.net
/disk
set sd1 media-interface=none media-sharing=no
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=172.16.0.1-172.16.0.250
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=1d name=defconf
# Two policy tables, one per uplink; the mangle rules below select them.
/routing table
add comment=To-Three disabled=no fib name=To-Three
add comment=To-ICUK disabled=no fib name=To-ICUK
/disk settings
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
# NOTE(review): pppoe-out1 is a member of neither list. Two rules further down
# key on the WAN list and therefore miss it: the "defconf: masquerade" srcnat
# rule (out-interface-list=WAN), so business traffic leaving via PPPoE is not
# NATed, and the forward-chain "defconf: drop all from WAN not DSTNATed" rule
# (in-interface-list=WAN), so that ingress filter does not apply to the public
# PPPoE link. Adding pppoe-out1 to WAN closes both gaps.
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=Three interface=ether1 list=WAN
/ip address
add address=172.16.0.1/23 comment=defconf interface=bridge network=172.16.0.0
# ether1 uses the static 192.168.8.10/24 above; the DHCP client on it is
# disabled, so the WAN1 gateway (192.168.8.1) is only known to /ip route below.
add address=192.168.8.10/24 interface=ether1 network=192.168.8.0
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1
/ip dhcp-server lease
add address=172.16.1.110 address-lists=DIT client-id=1:a8:64:f1:47:f5:68 \
    mac-address=A8:64:F1:47:F5:68 server=defconf
/ip dhcp-server network
add address=172.16.0.0/23 comment=defconf dns-server=172.16.0.1 gateway=\
    172.16.0.1 netmask=23
/ip dns
set allow-remote-requests=yes mdns-repeat-ifaces=lo servers=8.8.8.8,1.1.1.1
/ip dns static
add address=172.16.0.1 comment=defconf name=router.lan type=A
# DIT = business hosts (172.16.1.x), OtherLAN = family hosts (172.16.0.x);
# both are the source selectors for the mangle rules below. PrivateNetworks is
# excluded from policy routing so LAN-to-LAN/RFC1918 traffic stays unmarked.
/ip firewall address-list
add address=192.168.0.0/16 list=PrivateNetworks
add address=172.16.0.0/12 list=PrivateNetworks
add address=10.0.0.0/8 list=PrivateNetworks
add address=172.16.1.1-172.16.1.250 list=DIT
add address=172.16.0.1-172.16.0.250 list=OtherLAN
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# Input from anything outside the LAN list (ether1 and pppoe-out1 alike) is
# dropped here, which is what keeps DNS (allow-remote-requests=yes) off the
# internet even though pppoe-out1 is not in the WAN list.
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
# NOTE(review): a reply in this thread suggests this fasttrack rule interferes
# with mangle-based routing marks and should be disabled while testing the
# policy routing - confirm before keeping it.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
# NOTE(review): keyed on the WAN list, so it does not cover pppoe-out1 as
# listed above.
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
# Policy routing: LAN packets to non-private destinations get a routing mark
# chosen by source list; passthrough=no ends mangle processing at the first
# match.
/ip firewall mangle
add action=mark-routing chain=prerouting comment="Out Via ICUK" disabled=no \
    dst-address-list=!PrivateNetworks in-interface-list=LAN new-routing-mark=\
    To-ICUK passthrough=no src-address-list=DIT
add action=mark-routing chain=prerouting comment="Out Via Three" disabled=no \
    dst-address-list=!PrivateNetworks in-interface-list=LAN new-routing-mark=\
    To-Three passthrough=no src-address-list=OtherLAN
# NOTE(review): the second masquerade rule duplicates the first for ether1
# (the only WAN-list member); neither rule matches pppoe-out1.
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=ether1
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
# Default routes exist only in the two policy tables; the main table relies on
# the PPPoE client's add-default-route=yes.
/ip route
add comment=Three disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    192.168.8.1 routing-table=To-Three scope=30 suppress-hw-offload=no \
    target-scope=10
add comment=ICUK disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    pppoe-out1 routing-table=To-ICUK scope=30 suppress-hw-offload=no \
    target-scope=10
/ipv6 dhcp-client
add comment=Three interface=ether1 request=address
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
    dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=Europe/London
/system note
set show-at-login=no
# MAC-telnet / MAC-winbox restricted to the LAN list (default hardening kept).
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Very reasonable request.
Couple of questions…
Assuming the PPPoE is a public IP?? If not, is WAN1 a public IP?

Do you port forward to any servers on family LAN?
Do you have any VPNs required …
If not, you should consider at least wireguard vpn so that you can access your router config while away or from any location when required.

+++++++++++++++
A network diagram will help you plan the setup. It's clear that you need two different subnets.
So it's not clear if you have two subnets behind the router:
HOME 172.16.0.0/24 ??
and
WORK 172.16.1.0/24 ??

There are two ways to handle this,
a. If all ports save one are for home,
then assign address and subnet directly to single work port
assign all other ports to bridge and bridge gets the other subnet.

b. use vlans and assign two subnets to vlans and attach them to the bridge.
assign bridge ports as required
assign bridge vlans as required.

So in summary we need to provide some structure so it's easy to flow data from WANs to internal subnets and apply firewall rules etc…

PPPoE(WAN2) is a public address. WAN1 is (don't shout) double-NATed behind a Mobile Broadband router.


No - It’s just for outbound connections. No inbound.


No VPNs are needed.



Currently, it’s just one 172.16.0.0/23

Try disabling the fasttrack firewall rule. It does not play nice with mangling.

If you don’t need to handle incoming connections I would use a simple routing rule instead of mangling:

/routing/rule/add src-address=172.16.1.0/24 action=lookup table=To-ICUK

In this case you can keep your fasttrack firewall rule enabled.

Without a specific subnet to differentiate, it's more complicated, as you will need to mangle and use a firewall address list to identify the IPs that are considered business.
If you have the business on a different subnet, then the routing rule method is more viable.

What is keeping you from adding another subnet??
Which ports are used for business and which ports are used for home on the router?

I tried this, but as before, as soon as I bring up the PPPoE interface, nothing can go out.

In fairness, the above was a YouTube video creation.
There’s nothing too complicated here. I just have portals that I use for business that I have locked down only to be able to access from a static IP Address (PPPoE connection)
I don’t mind having 1,2 or 55 subnets. Unfortunately, it’s just one wifi network in the house, and in my cabin in the garden, that is connected to ETHER5 in the router.

Your pppoe-out1 interface is not a member of the WAN list and masquerading isn’t happening. Please add it there.

Just wanna say thanks for all your replies.
I’ve tried adjusting using all your suggestions, but I just couldn’t get it working.
So I started again. slightly simpler config.
Same as before. 172.16.0.x go out from WAN1(Three) and 172.16.1.x go out from WAN2(ICUK)
172.16.0.x (DHCP) will NOT connect to the internet. However now, 172.16.1.x (DHCP Static) WILL connect fine, and using the WAN2(ICUK) connection..


# 2024-10-08 11:16:58 by RouterOS 7.16
# model = RB750Gr3
# Review notes below are marked NOTE(review); they describe what this export
# shows, not a verified fix.
/interface bridge
add admin-mac=DC:2C:6E:DF:DF:BE auto-mac=no comment=defconf name=LANBridge
# ether1 -> Three (WAN1, DHCP), ether2 -> ICUK (WAN2, carries the PPPoE client).
/interface ethernet
set [ find default-name=ether2 ] name=ICUK
set [ find default-name=ether1 ] name=Three
# No add-default-route here: every default route is declared in /ip route.
/interface pppoe-client
add disabled=no interface=ICUK name=ICUKPPPoE password=xxxxxxxxxx \
    user=xxxxxxxxxxxxxxxxx
/disk
set sd1 media-interface=none media-sharing=no
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=LAN-DHCP ranges=172.16.0.2-172.16.0.250
/ip dhcp-server
add address-pool=LAN-DHCP interface=LANBridge lease-time=1d name=DHCP-Lan
/routing table
add disabled=no fib name=to-ICUK
add disabled=no fib name=to-Three
/disk settings
set auto-media-interface=LANBridge auto-media-sharing=yes auto-smb-sharing=\
    yes
/interface bridge port
add bridge=LANBridge comment=defconf interface=ether3
add bridge=LANBridge comment=defconf interface=ether4
add bridge=LANBridge comment=defconf interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
# Both uplinks are in WAN now, so the input-chain "!LAN" drop and the
# forward-chain "drop all from WAN not DSTNATed" rule cover the PPPoE link too.
/interface list member
add comment=defconf interface=LANBridge list=LAN
add comment=defconf interface=Three list=WAN
add interface=ICUKPPPoE list=WAN
/ip address
add address=172.16.0.1/23 comment=defconf interface=LANBridge network=\
    172.16.0.0
# add-default-route=no: the gateway address learned by DHCP on Three is not
# installed; the /ip route entries below use the interface itself as gateway.
/ip dhcp-client
add add-default-route=no comment=defconf interface=Three
/ip dhcp-server lease
add address=172.16.1.250 client-id=1:38:ca:84:da:1c:ac mac-address=\
    38:CA:84:DA:1C:AC server=DHCP-Lan
/ip dhcp-server network
add address=172.16.0.0/23 comment=defconf dns-server=172.16.0.1 gateway=\
    172.16.0.1
# NOTE(review): 1.1.1.1 and 1.0.0.1 are also the check-gateway targets in
# /ip route below, so the router's own queries to those two resolvers follow
# the pinned /32 routes (1.1.1.1 via ICUKPPPoE, 1.0.0.1 via Three).
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4,1.0.0.1,1.1.1.1
/ip dns static
add address=172.16.0.1 comment=defconf name=router.lan type=A
# DITLan = business hosts (172.16.1.x), OtherLan = family hosts (172.16.0.x).
/ip firewall address-list
add address=10.0.0.0/8 list=Private
add address=172.16.0.0/12 list=Private
add address=192.168.0.0/16 list=Private
add address=172.16.1.2-172.16.1.253 list=DITLan
add address=172.16.0.2-172.16.0.253 list=OtherLan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
# NOTE(review): a reply in this thread suggests disabling fasttrack while the
# mangle-based policy routing is being tested - confirm.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
# Input-chain connection marks plus output-chain routing marks are intended to
# keep the router's own replies on the WAN the connection arrived on.
/ip firewall mangle
add action=mark-connection chain=input comment="Sticky ICUK" in-interface=\
    ICUKPPPoE new-connection-mark=WAN-ICUK passthrough=yes
add action=mark-connection chain=input in-interface=Three \
    new-connection-mark=WAN-THREE passthrough=yes
add action=mark-routing chain=output connection-mark=WAN-ICUK \
    new-routing-mark=to-ICUK passthrough=yes
add action=mark-routing chain=output connection-mark=WAN-THREE \
    new-routing-mark=to-Three passthrough=yes
# Prerouting accepts: WAN ingress, router-local to router-local, and Private
# destinations are left unmarked (no routing mark -> main table).
add action=accept chain=prerouting in-interface=ICUKPPPoE
add action=accept chain=prerouting in-interface=Three
add action=accept chain=prerouting dst-address-type=local src-address-type=\
    local
add action=accept chain=prerouting dst-address-list=Private
# PBR by source list; the disabled netwatch scripts at the end flip these two
# rules' new-routing-mark by matching on their comments.
add action=mark-routing chain=prerouting comment=PBR-ICUKUsers \
    new-routing-mark=to-ICUK passthrough=no src-address-list=DITLan
add action=mark-routing chain=prerouting comment=PBR-Three-Users \
    new-routing-mark=to-Three passthrough=no src-address-list=OtherLan
# One masquerade per uplink (explicit out-interface rather than the WAN list).
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface=ICUKPPPoE
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface=Three
# NOTE(review): Three is an Ethernet port (renamed ether1 above) and the DHCP
# gateway is not installed (add-default-route=no), so gateway=Three here and
# in to-Three is an interface-only gateway on a broadcast link, whereas
# ICUKPPPoE is point-to-point. The previous export used the upstream address
# (gateway=192.168.8.1) for WAN1. This is a likely reason 172.16.0.x has no
# internet while 172.16.1.x works via PPPoE - confirm by giving the Three
# routes the upstream gateway address.
# NOTE(review): the two check-gateway=ping /32 routes are not referenced by
# any default route (the defaults point at interfaces, not at 1.1.1.1 /
# 1.0.0.1), so on their own they do not move traffic when a probe fails.
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=Three routing-table=\
    main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=2 dst-address=0.0.0.0/0 gateway=ICUKPPPoE \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=ICUKPPPoE \
    routing-table=to-ICUK scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=Three routing-table=\
    to-Three scope=30 suppress-hw-offload=no target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=1.1.1.1/32 gateway=\
    ICUKPPPoE routing-table=main scope=10 suppress-hw-offload=no \
    target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=1.0.0.1/32 gateway=\
    Three routing-table=main scope=10 suppress-hw-offload=no target-scope=10
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
    dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=Europe/London
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
# NOTE(review): both entries are disabled. When enabled they rewrite the PBR
# rules' routing marks (found by comment) on probe up/down; timeout=10ms is
# very short for an internet probe and may cause flapping - confirm.
/tool netwatch
add disabled=yes down-script="/ip firewall mangle set [find comment=\"PBR-Thre\
    e-Users\"] new-routing-mark=to-ICUK" host=1.0.0.1 http-codes="" interval=\
    10s name="" test-script="" timeout=10ms type=simple up-script="/ip firewal\
    l mangle set [find comment=\"PBR-Three-Users\"] new-routing-mark=to-Three"
add disabled=yes down-script="/ip firewall mangle set [find comment=\"PBR-ICUK\
    Users\"] new-routing-mark=to-Three" host=1.1.1.1 http-codes="" interval=\
    10s name="" test-script="" timeout=10ms type=simple up-script="/ip firewal\
    l mangle set [find comment=\"PBR-ICUKUsers\"] new-routing-mark=to-ICUK"

Going to take the easy way out.
All traffic will go out WAN1, by default and thus we only have to ‘force’ business traffic out WAN2.

First fix the mistake already noted (the PPPoE interface belongs in the WAN list, not LAN — in LAN it would bypass the "drop all not coming from LAN" input rule):
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=Three interface=ether1 list=WAN
add interface=ICUKPPPoE list=WAN

I am familiar with how to accomplish via recursive so will do that first and try netwatch second…

Create the firewall address list for business users.
/ip firewall address-list
add address=172.16.1.1-172.16.1.254 list=BUSINESS

/ip firewall mangle
# mark the traffic from the lan business devices
add action=mark-connection chain=forward in-interface-list=LAN src-address-list=BUSINESS \
    dst-address-type=!local connection-mark=no-mark new-connection-mark=WAN-ICUK passthrough=yes

# route the traffic out the special table for WAN2
add action=mark-routing chain=prerouting connection-mark=WAN-ICUK \
    new-routing-mark=To-ICUK passthrough=no

NOTE: on the forward-chain fasttrack rule, add connection-mark=no-mark (so all normal user traffic still gets the advantage of fasttrack while marked business traffic does not get fasttracked past the mangle rules).

Create the manual routes

/ip route
add check-gateway=ping distance=2 dst-address=0.0.0.0/0 gateway=ether1 routing-table=main
add check-gateway=ping distance=4 dst-address=0.0.0.0/0 gateway=ICUKPPPoE routing-table=main

Now by default all users will use WAN1 for internet and if its unavailable, users will be sent to WAN2.
Next we ensure that business users are not captured by the above as per the mangle rule, and we create the route for them to go to.

add dst-address=0.0.0.0/0 gateway=ICUKPPPoE routing-table=To-ICUK

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Then we are faced with the task of figuring out, what happens if WAN2 is down, assuming you also want the business users,
to keep working and thus we need them to go to WAN1…
add check-gateway=ping dst-address=0.0.0.0/0 gateway=ICUKPPPoE routing-table=To-ICUK
add distance=2 dst-address=0.0.0.0/0 gateway=ether1 routing-table=To-ICUK

In this way, we are now saying for the business users traffic, we identified and captured your outgoing traffic and are sending out via WAN2,
If WAN2 is not available then we are sending it out WAN1 and when WAN2 comes back, then use that.

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
That is the basic routing premise. Next we add the recursive nature by checking a WWW address to ascertain valid connection with the internet.
There is no change to the special table routes.

/ip route
add check-gateway=ping distance=2 dst-address=0.0.0.0/0 gateway=1.1.1.1 routing-table=main scope=10 target-scope=12
add distance=2 dst-address=1.1.1.1/32 gateway=ether1 routing-table=main scope=10 target-scope=11
add check-gateway=ping distance=4 dst-address=0.0.0.0/0 gateway=9.9.9.9 routing-table=main scope=10 target-scope=12
add distance=4 dst-address=9.9.9.9/32 gateway=ICUKPPPoE routing-table=main scope=10 target-scope=11

add check-gateway=ping dst-address=0.0.0.0/0 gateway=ICUKPPPoE routing-table=To-ICUK
add distance=2 dst-address=0.0.0.0/0 gateway=ether1 routing-table=To-ICUK

Here is my attempt at using netwatch LOL. No promises and hopefully somebody can point out if there are errors.

/ip route
# WAN1
add dst-address=0.0.0.0/0 gateway=ether1 routing-table=main
add dst-address=1.1.1.1/32 gateway=ether1 routing-table=main
add distance=2 dst-address=1.1.1.1 black-hole=yes routing-table=main

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
# WAN2
add distance=2 dst-address=0.0.0.0/0 gateway=pppoe-out1 routing-table=main
add distance=2 dst-address=9.9.9.9/32 gateway=pppoe-out1 routing-table=main
add distance=3 dst-address=9.9.9.9 black-hole=yes routing-table=main

# special table routes
add dst-address=0.0.0.0/0 gateway=pppoe-out1 routing-table=To-ICUK
add distance=2 dst-address=0.0.0.0/0 gateway=ether1 routing-table=To-ICUK

/tool netwatch
add comment="CHECK WAN1" down-script="/ip route disable [find dst-address=0.0.0.0/0 and gateway=ether1]" host=1.1.1.1 type=simple interval=10s timeout=5s \
    up-script="/ip route enable [find dst-address=0.0.0.0/0 and gateway=ether1]"

add comment="CHECK WAN2" down-script="/ip route disable [find dst-address=0.0.0.0/0 and gateway=pppoe-out1]" host=9.9.9.9 type=simple interval=10s timeout=5s \
    up-script="/ip route enable [find dst-address=0.0.0.0/0 and gateway=pppoe-out1]"