Ether1 + LTE ROS 7 Recursive Failover

Howdy folks,

I updated my router to ROS 7 and configure failover from ether1 to lte1 based on the official Mikrotik website guide. In addition to this, I also made a small script to notify me in Telegram, based on periodically checking the main channel (ether1) via ping. The problem is that the notifications are triggered, but for some reason the channel (routes) doesn’t switch and work.
Here is my current config at the moment:

/interface list
add name=WAN
add name=LAN

/interface list member
add interface=bridge1 list=LAN
add interface=ether1 list=WAN
add interface=lte1 list=WAN

/routing table
add fib name=to_ISP1
add fib name=to_ISP2

/ip firewall mangle
add action=mark-connection chain=output connection-mark=no-mark \
    connection-state=new new-connection-mark=ISP1_conn out-interface=ether1
add action=mark-routing chain=output connection-mark=ISP1_conn \
    new-routing-mark=to_ISP1 out-interface=ether1
add action=mark-connection chain=output connection-mark=no-mark \
    connection-state=new new-connection-mark=ISP2_conn out-interface=lte1
add action=mark-routing chain=output connection-mark=ISP2_conn \
    new-routing-mark=to_ISP2 out-interface=lte1
/ip firewall nat
add action=masquerade chain=srcnat comment=ISP out-interface=ether1
add action=masquerade chain=srcnat comment=LTE out-interface=lte1
/ip route
add disabled=no distance=1 dst-address=1.1.1.1/32 gateway=1.2.3.4 \
    pref-src="" routing-table=main scope=10 suppress-hw-offload=no \
    target-scope=10
add disabled=no distance=1 dst-address=8.8.8.8/32 gateway=10.100.100.10 \
    pref-src="" routing-table=main scope=10 suppress-hw-offload=no \
    target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    1.1.1.1 pref-src="" routing-table=to_ISP1 scope=30 suppress-hw-offload=\
    no target-scope=11
add check-gateway=ping disabled=no distance=2 dst-address=0.0.0.0/0 gateway=\
    8.8.8.8 pref-src="" routing-table=to_ISP1 scope=30 suppress-hw-offload=no \
    target-scope=11
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    1.1.1.1 pref-src="" routing-table=to_ISP2 scope=30 suppress-hw-offload=\
    no target-scope=11
add check-gateway=ping disabled=no distance=2 dst-address=0.0.0.0/0 gateway=\
    8.8.8.8 pref-src="" routing-table=to_ISP2 scope=30 suppress-hw-offload=no \
    target-scope=11
add comment=ISP1 disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    1.2.3.4 pref-src="" routing-table=main scope=30 suppress-hw-offload=\
    no target-scope=10
add comment=ISP2 disabled=no distance=2 dst-address=0.0.0.0/0 gateway=\
    10.100.100.10 pref-src="" routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10

/system script
add dont-require-permissions=no name=gw-check owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":\
    if ([/ping interface=ether1 count=3 8.8.8.8]=0) do={\r\
    \n:local DeviceName [/system identity get name];\r\
    \n:local ChatID \"xxxxxxxxxxx\";\r\
    \n:local SendText \"\\E2\\9A\\A0 <b>Router - \$DeviceName:</b>%0AMain ISP \
    on \$DeviceName is DOWN!\";\r\
    \n#:log info \"ether1 gateway is down\";\r\
    \n/tool fetch url=\"https://api.telegram.org/botxxxxxxxxxxx:xxxxxxxxxxx/sendMessage\?chat_id=\$ChatID&parse_mode=HTML&text=\$\
    SendText\" keep-result=no;\r\
    \n}\r\
    \n"

Could someone tell me what I do wrong?

Well its not clear from your description the purposes of the WANS.
Assuming you use WAN1 as a primary and WAN2 as a failover, why are you mangling etc..… no need for basic scenario.

Simply
/ip route
add check-gateway=ping distance=2 dst-address=0.0.0.0/0 gateway=isp1-gateway-IP routing-table=main
add distance=4 dst-address=0.0.0.0/0 gateway=isp2-gateway-IP routing-table=main

The problem is that you are simply copying information from the MT website and its rarely accurate to ones specific needs and is a generic example. They expect you to know ROS and adjust the config accordingly.

In other words avoid the complication of recursive routing, which is what you were looking at and using but without any knowledge on what it means or how to use it, and thus stay with simple.

To explain the above,
Routes work on the premise of tables. The primary table is the MAIN TABLE. This is where the router looks to see where to send traffic based on several factors.
a. Is the route active or not.
b. If two routes are active, within the same table, the router will choose the smallest destination
c. if the destinations are equal then the router looks at distance…

So in the example provided above you will see that the destinations are equal both state dst-address=0.0.0.0/0 which is basically a catch all for the www ( all possible addresses ).
Thus we use distance to ensure the primary is ISP1 and the secondary is ISP2.

The addition of check-gateway=ping is a way for the router to determine if a route is AVAILABLE ( some say ACTIVE). The ping occurs every 10 secs and if two pings result in no return the router makes the route inactive and thus the router will look for the next available route within the same table.
We dont use check-gateway=ping on the backup, because if thats not available, there are no other options to go to…

Thank you so much for your reply!

I tried to use mangle rules to mark packets so that pings only go through a specific interface - ether1 or lte1.

Simply
/ip route
add > check-gateway=ping > distance=> 2 > dst-address=0.0.0.0/0 gateway=isp> 1> -gateway-IP routing-table=main
add distance=> 4 > dst-address=0.0.0.0/0 gateway=isp> 2> -gateway-IP routing-table=main

The problem is that you are simply copying information from the MT website and its rarely accurate to ones specific needs and is a generic example. They expect you to know ROS and adjust the config accordingly.

In other words avoid the complication of recursive routing, which is what you were looking at and using but without any knowledge on what it means or how to use it, and thus stay with simple.

To explain the above,
Routes work on the premise of tables. The primary table is the MAIN TABLE. This is where the router looks to see where to send traffic based on several factors.
a. Is the route active or not.
b. If two routes are active, within the same table, the router will choose the smallest destination
c. if the destinations are equal then the router looks at distance…

So in the example provided above you will see that the destinations are equal both state dst-address=0.0.0.0/0 which is basically a catch all for the www ( all possible addresses ).
Thus we use distance to ensure the primary is ISP1 and the secondary is ISP2.

The addition of check-gateway=ping is a way for the router to determine if a route is AVAILABLE ( some say ACTIVE). The ping occurs every 10 secs and if two pings result in no return the router makes the route inactive and thus the router will look for the next available route within the same table.
We dont use check-gateway=ping on the backup, because if thats not available, there are no other options to go to…

Sometimes I faced a strange situation on my ISP, their gateway is available, but there is no Internet. Initially, I thought that their DNS was not working, but after changing the DNS to Google (8.8.8.8 and 8.8.4.4) I realized that the problem was of a completely different nature andI don’t know what exactly their problems are, so that’s all I came up with , this is to ping the availability of any address on the Internet, for example, DNS from Google - 8.8.8.8. After I changed the gateway check to 8.8.8.8, notifications began to arrive in Telegram, but the route still didn’t switch.

Well then if you have a flaky ISP in terms of connectivity then suggest you call them and ask why so?
In addition in your case recursive makes sense in that the router will be checking a WWW address such as 9.9.9.9 to confirm if there is connectivity or not and if not then switch to the other WAN.
The router is doing the work no need to mangle for pinging…

In this case…the proper format is as follows:.
Basically what we are saying is that we check the farthest hop DNS gateway to WWW (recursive route ) by utilizing the intermediary hop from router to DNS (resolving route)
The important items are to ensure the target scope is greater for the farther hops for each route
The scope has to be equal or less than the target scope of the next farthest hop.

/ip route
add check-gateway=ping distance=2 dst-address=0.0.0.0/0 gateway=1.0.0.1 scope=10 target-scope=12
add distance=2 dst-address=1.0.0.1/32 gateway=PrimaryISP-gatewayIP scope=10 target-scope=11
add comment=SecondaryISP distance=5 dst-address=0.0.0.0/0 gateway=SecondaryISP-gatewayIP scope=10 target-scope=30

Telegram would be handy to at least tell you when the active route is changed so you know that WAN2 is being used vice WAN1 etc…

anav, it works fine, thank you so much for your help! Damn, I even didn’t think that it was so easy to do in ROS 7.

p.s. I don’t think it’s necessary to create a new topic for this question, so I’ll ask it here. Is it possible to somehow catch route flags status changes from AS to USHI and pass it to the notification script?

that would be a question for someone that is an expert at RoS and good at scripting I am neither. Hopefully someone else will chime in.