Failover 4G Bridge Not Working

I have a problem that I am unable to solve. I have two internet connections on a Mikrotik CCR2116.

  • The main connection is a GPON with fiber output and PPPoE.
  • The second connection is in failover mode against a Zyxel LTE3301plus router-modem that is configured in bridge mode, so the public IP of the provider (CGNAT) is obtained by the Mikrotik interface.

I followed the instructions on the following Mikrotik help page, but without success. If I follow these instructions, I never get a ping from the “mobile_inet” interface because, according to what I've read (I don't know if it's true), when you use an Ethernet interface in bridge mode in Mikrotik and it's not PPPoE, it's not able to know what its nexthop is.

As recommended, in the DHCP client of “mobile_inet” I ticked the option that adds the default route and set its distance to 2. So far I have only managed to get the 4G interface to come up properly when the PPPoE goes down, and I can also ping out from the router through the “mobile_inet” interface. The problem is that from the local network I am unable to access the internet via the 4G connection: I have masquerading for that connection, yet a “traceroute” dies at the Mikrotik.

I tried using Torch to see the traffic coming to the “mobile_inet” interface, but nothing is coming through, as if the masquerading is not working for some reason.

Could someone shed some light on this for me? Here is my configuration:

# 2026-02-06 15:14:55 by RouterOS 7.21rc6
# software id = XXXXXXX
#
# model = CCR2116-12G-4S+
# serial number = XXXXXXXXX
/disk
add slot=tmpfs tmpfs-max-size=5726623061 type=tmpfs
/interface bridge
# One bridge per container veth (docker-pihole, docker-syslog); their L2 separation from each
# other and from the LAN rests on these bridges staying distinct.
# All bridges use protocol-mode=none: (R)STP is off, so a cabling loop on any member port
# is not detected by the bridge itself.
add comment="Docker Bridge" name=docker-pihole protocol-mode=none
add name=docker-syslog protocol-mode=none
add comment="Red Decos Movistar" igmp-snooping=yes name=iptv-lan \
    protocol-mode=none
# local-lan is the VLAN-aware trunk bridge: vlan-filtering=yes plus admit-only-vlan-tagged
# on the bridge interface itself, with per-port pvid/frame-types set under /interface bridge port.
add comment="Red Local" frame-types=admit-only-vlan-tagged name=local-lan \
    protocol-mode=none vlan-filtering=yes
/interface ethernet
# Port naming. ether1 -> mobile_inet is the 4G WAN: plain Ethernet towards the Zyxel in bridge
# mode, i.e. a non-PPP WAN, which is the interface the whole thread revolves around (routing
# nexthop resolution and, in the end, the L3 HW offload exclusion).
set [ find default-name=ether4 ] disabled=yes
set [ find default-name=ether10 ] comment="LAN - Switch POE"
# ether11 is disabled here but is still configured further down as a local-lan bridge port and
# as a tagged member of VLAN 2000; that configuration is dormant until the port is enabled.
set [ find default-name=ether11 ] disabled=yes
set [ find default-name=ether5 ] name=iptv1
set [ find default-name=ether6 ] name=iptv2
set [ find default-name=ether7 ] name=iptv3
set [ find default-name=ether8 ] name=iptv4
set [ find default-name=ether12 ] comment="LAN - Cluster RPi" name=lan-rpi
set [ find default-name=ether1 ] comment="4G Internet" name=mobile_inet
set [ find default-name=ether3 ] comment=Wireshark name=mon_wireshark
set [ find default-name=sfp-sfpplus3 ] name=sfp-clusterpi
set [ find default-name=sfp-sfpplus2 ] comment="LAN - Mikrotik CSR326" name=\
    sfp-lan1
set [ find default-name=sfp-sfpplus4 ] advertise="10M-baseT-half,100M-baseT-ha\
    lf,100M-baseT-full,1G-baseT-half,1G-baseT-full,1G-baseX,2.5G-baseT,2.5G-ba\
    seX,5G-baseT,10G-baseT,10G-baseSR-LR,10G-baseCR" comment="LAN - Netgear" \
    name=sfp-lan2
set [ find default-name=sfp-sfpplus1 ] comment="Modulo SFP Movistar" name=\
    sfp-movistar
set [ find default-name=ether2 ] comment="Switch APC" name=switch_apc
set [ find default-name=ether9 ] name=ups_apc
# NOTE(review): the defconf address 192.168.88.1/24 under /ip address is bound to "ether13",
# which is not set here (the model header says 12G); looks like a leftover entry — confirm.
/interface veth
# Container-side addresses are /24 while the matching bridge addresses under /ip address are
# /29 (172.16.0.1/29, 172.16.1.1/29); the srcnat rules use /24 as well. Mismatched masks on the
# two ends of the same link are worth aligning so both sides agree on what is on-link.
add address=172.16.0.2/24 container-mac-address=xxxxxxxxx dhcp=no \
    gateway=172.16.0.1 gateway6="" mac-address=xxxxxxxxx name=\
    veth-pihole
add address=172.16.1.2/24 container-mac-address=xxxxxxx dhcp=no \
    gateway=172.16.1.1 gateway6="" mac-address=xxxxxxxxxxx name=\
    veth-rsyslog
/interface wireguard
# Kept disabled; the netwatch entry at the end of the export enables it when the 1.0.0.1 probe
# fails and disables it again when the probe recovers.
add comment="Acceso a VPS" disabled=yes listen-port=51820 mtu=1420 name=\
    wg-vps
/interface vlan
# Local VLANs all hang off the local-lan trunk bridge; the three Movistar VLANs (6 = Internet,
# 2 = IPTV, 3 = VoIP) sit directly on the fibre SFP port.
add comment="LAN - Administracion" interface=local-lan name=lan_admin \
    vlan-id=999
add comment="LAN - Cluster RPi" interface=local-lan name=lan_clusterpi \
    vlan-id=2000
add comment="LAN - DMZ" interface=local-lan name=lan_dmz vlan-id=900
add comment="LAN - Domotica" interface=local-lan name=lan_domotica vlan-id=70
add comment="LAN - Invitados" interface=local-lan name=lan_guest vlan-id=240
add comment="LAN - Multimedia" interface=local-lan name=lan_media vlan-id=200
add comment="LAN - Servidores" interface=local-lan name=lan_servers vlan-id=\
    100
add comment="LAN - Voz IP" interface=local-lan name=lan_voip vlan-id=150
add comment="Movistar - Inet" interface=sfp-movistar name=movistar_inet \
    vlan-id=6
add comment="Movistar - IPTv" interface=sfp-movistar name=movistar_iptv \
    vlan-id=2
add comment="Movistar - VoIP" interface=sfp-movistar name=movistar_voip \
    vlan-id=3
/interface pppoe-client
# Primary WAN. Being a PPP interface, it can be used directly as a route gateway (the 1.0.0.1/32
# check route does that); the 4G port cannot, which is the contrast the thread draws.
add allow=pap,chap comment="Movistar Inet" disabled=no interface=\
    movistar_inet max-mtu=1492 name=pppoe-movistar user=\
    adslppp@telefonicanetpa
/interface list
# WAN holds both mobile_inet and pppoe-movistar (see /interface list member), so the
# in-interface-list=WAN firewall rules apply equally on the 4G link during failover.
add comment="Movistar SFP VLANS" name=movistar_vlans
add name=WAN
/ip dhcp-server option
# Option 240 carries the Movistar IPTV OPCH server string for the decoders; options 66/67 PXE-boot
# the Pi cluster from this router's TFTP server (see /ip tftp), option 12 pins hostnames.
add code=240 comment="Movistar IPTv - OPCH Servers" name=movistar_iptv_opch \
    value="':::::239.0.2.10:22222:v6.0:239.0.2.30:22222'"
add code=66 name=pxe_tftp value="s'10.0.100.1'"
add code=67 name=pxe_file value="s'bootcode.bin'"
add code=12 name=pi-cluster-4 value="s'pi-cluster-4'"
add code=12 name=pi-cluster-6 value="s'pi-cluster-6'"
add code=12 name=pi-cluster-7 value="s'pi-cluster-7'"
add code=12 name=pi-cluster-1 value="s'pi-cluster-1'"
add code=12 name=pi-cluster-2 value="s'pi-cluster-2'"
add code=12 name=pi-cluster-3 value="s'pi-cluster-3'"
add code=12 name=pi-cluster-5 value="s'pi-cluster-5'"
add code=12 name=pi-cluster-8 value="s'pi-cluster-8'"
add code=12 name=pi-cluster-9 value="s'pi-cluster-9'"
/ip dns forwarders
# Forwarder entry pointing at 10.0.100.2; verify-doh-cert=no only matters if a DoH URL is set.
add dns-servers=10.0.100.2 name=local-dns verify-doh-cert=no
/ip ipsec peer
# Site-to-site peer addressed by DNS name; the roadwarrior peer is passive (responder only).
add address=matute29.almanzor10.net comment="Site2Site Matute29" \
    exchange-mode=ike2 name=Matute29
add exchange-mode=ike2 name=Roadwarrior passive=yes send-initial-contact=no
/ip ipsec policy group
add name=rw-policies
/ip ipsec proposal
# Crypto hygiene: the default proposal still lists sha1 beside sha256, Site2Site offers 3des and
# CBC-only AES, and roadwarrior has pfs-group=none (no forward secrecy for the mobile client).
# If the remote ends support it, trim to sha256/AES and keep a PFS group; the policies below
# reference these proposals by name, so no other change is needed.
set [ find default=yes ] auth-algorithms=sha256,sha1 pfs-group=modp2048
add auth-algorithms=sha256 enc-algorithms=\
    aes-256-cbc,aes-192-cbc,aes-128-cbc,3des name=Site2Site
add name=roadwarrior pfs-group=none
/ip pool
add comment="Pool Administration LAN" name=pool_lan_admin ranges=\
    10.10.10.2-10.10.10.30
add comment="Pool Cluester RPi" name=pool_cluster_rpi ranges=\
    10.0.100.5-10.0.100.50
add comment="Pool Domotica LAN" name=pool_lan_domo ranges=\
    10.10.70.2-10.10.70.254
add comment="Pool Invitados LAN" name=pool_lan_guest ranges=\
    192.168.240.2-192.168.240.20
add comment="Pool Multimedia LAN" name=pool_lan_media ranges=\
    10.10.200.2-10.10.200.50
add comment="Pool Servidores LAN" name=pool_lan_servers ranges=\
    10.10.100.2-10.10.100.40
add comment="Pool VoIP LAN" name=pool_lan_voip ranges=10.10.150.2-10.10.150.4
add comment="Pool IPTv Decodificadores" name=pool_lan_iptv_deco ranges=\
    10.10.201.10-10.10.201.20
# VPN pool is 10.10.2.10-30; the allowed_to_router address-list below only covers .10-.20
# (and is not referenced by any filter rule anyway).
add comment="RoadWarrior VPN" name=pool_vpn ranges=10.10.2.10-10.10.2.30
/ip dhcp-server
# Every server runs lease-script=lease-script; that script is not part of this export.
add address-pool=pool_lan_admin comment="LAN - Administracion" interface=\
    lan_admin lease-script=lease-script lease-time=3d name=dhcp_admin
add address-pool=pool_cluster_rpi comment="LAN - Cluster RPi" interface=\
    lan_clusterpi lease-script=lease-script lease-time=1d name=dhcp_clusterpi
add address-pool=pool_lan_domo comment="LAN - Domotica" interface=\
    lan_domotica lease-script=lease-script lease-time=6h name=dhcp_domo
add address-pool=pool_lan_guest comment="LAN - Invitados" interface=lan_guest \
    lease-script=lease-script lease-time=2h name=dhcp_guest
add address-pool=pool_lan_media comment="LAN - Multimedia" interface=\
    lan_media lease-script=lease-script lease-time=12h name=dhcp_media
add address-pool=pool_lan_servers comment="LAN - Servidores" interface=\
    lan_servers lease-script=lease-script lease-time=2w1d name=dhcp_servers
add address-pool=pool_lan_voip comment="LAN - VoIp" interface=lan_voip \
    lease-script=lease-script lease-time=9h name=dhcp_voip
add address-pool=pool_lan_iptv_deco comment="IPTv Decos" interface=iptv-lan \
    lease-script=lease-script name=dhcp-iptv
/ip ipsec mode-config
# Roadwarrior clients get a /32 from pool_vpn and split-tunnel routes for three LAN subnets;
# DNS is pushed as 10.10.10.1 (this router on the admin VLAN).
add address-pool=pool_vpn address-prefix-length=32 name=rw-conf \
    split-include=10.10.100.0/24,10.10.70.0/24,10.10.200.0/24 static-dns=\
    10.10.10.1 system-dns=no
/port
set 0 flow-control=xon-xoff
/routing rip instance
add disabled=no name=rip-movistar
/system logging action
# Remote syslog target is the syslog-ng container running on this same router (veth-rsyslog,
# logs mounted from /nvme1/syslogng/logs), so logs are not off-box: they do not survive loss
# or compromise of the router itself.
set 3 remote=172.16.1.2
/container
# Supply-chain note for both containers: check-certificate=no disables TLS verification of the
# registry on pull, and remote-image uses the floating :latest tag, so the image that ends up on
# the router is neither authenticated nor pinned. Both also start-on-boot.
add check-certificate=no dns=8.8.8.8 envlists=Main,pihole hostname=pihole \
    interface=veth-pihole layer-dir="" logging=yes mountlists=\
    pihole_etc,pihole_dns,pihole_resolv name=pihole remote-image=\
    pihole/pihole:latest root-dir=/nvme1/docker/containers/pihole \
    start-on-boot=yes workdir=/
add check-certificate=no envlists=Main,Admin hostname=rsyslog interface=\
    veth-rsyslog layer-dir="" logging=yes mountlists=syslog_etc,syslog_logs \
    name=syslog-ng remote-image=lscr.io/linuxserver/syslog-ng:latest \
    root-dir=/nvme1/docker/containers/rsyslog start-on-boot=yes workdir=/
/container config
set registry-url=https://registry-1.docker.io tmpdir=/nvme1/pull
/container envs
# PUID/PGID=0 (Admin list) and DNSMASQ_USER=root run the container processes as root.
# The pihole web API password lives in this env list, so it is part of the configuration and
# appears in every export (redacted here).
add key=PGID list=Admin value=0
add key=PUID list=Admin value=0
add key=TZ list=Main value=Europe/Madrid
add key=DNSMASQ_USER list=pihole value=root
add key=FTLCONF_dns_listeningMode list=pihole value=ALL
add key=FTLCONF_webserver_api_password list=pihole value=XXXXXXXXX
/container mounts
# Bind mounts from the router's /nvme1 disk; only resolv.conf is read-only.
add dst=/etc/dnsmasq.d list=pihole_dns src=/nvme1/pihole/dnsmasq.d
add dst=/etc/pihole list=pihole_etc src=/nvme1/pihole/etc
add dst=/etc/resolv.conf list=pihole_resolv read-only=yes src=\
    /nvme1/pihole/resolv.conf
add dst=/config list=syslog_etc src=/nvme1/syslogng/etc
add dst=/var/log list=syslog_logs src=/nvme1/syslogng/logs
/ip smb
set enabled=no interfaces=lan_clusterpi
/interface bridge port
# Trunk ports (ether11, sfp-lan1, sfp-lan2) accept tagged frames only; access ports carry a pvid
# (lan-rpi and sfp-clusterpi -> 2000, ups_apc -> 100). ether11 is administratively disabled.
add bridge=local-lan comment="LAN - IF 1" frame-types=admit-only-vlan-tagged \
    interface=ether11
add bridge=local-lan comment="LAN - IF 2" edge=yes frame-types=\
    admit-only-untagged-and-priority-tagged interface=lan-rpi pvid=2000
add bridge=local-lan comment="LAN - IF 3" frame-types=admit-only-vlan-tagged \
    interface=sfp-lan2
add bridge=iptv-lan comment="IPTV - 1" interface=iptv1
add bridge=iptv-lan comment="IPTV - 2" interface=iptv2
add bridge=iptv-lan comment="IPTV - 3" interface=iptv3
add bridge=iptv-lan comment="IPTV - 4" interface=iptv4
add bridge=docker-pihole comment=Docker interface=veth-pihole
add bridge=local-lan frame-types=admit-only-untagged-and-priority-tagged \
    interface=ups_apc pvid=100
add bridge=docker-syslog interface=veth-rsyslog
add bridge=local-lan interface=sfp-clusterpi pvid=2000
add bridge=local-lan frame-types=admit-only-vlan-tagged interface=sfp-lan1
/interface ethernet switch l3hw-settings
set autorestart=yes
/ip settings
# SYN cookies on: helps the router's own listeners under SYN floods.
set tcp-syncookies=yes
/ipv6 settings
# IPv6 is disabled globally, which makes the /ipv6 nd advertise-dns setting later in the
# export inert.
set disable-ipv6=yes
/interface bridge vlan
add bridge=local-lan comment="Red Local" tagged=\
    sfp-lan1,local-lan,sfp-lan2,sfp-clusterpi vlan-ids=\
    70,100,150,200,240,900,999
add bridge=local-lan tagged=local-lan,ether11,sfp-clusterpi vlan-ids=2000
/interface ethernet switch
# Root cause reported at the end of the thread: with L3 HW offloading enabled and every port
# included, traffic forwarded out of mobile_inet was handled by the Marvell switch chip and
# bypassed the srcnat masquerade rule for that interface, so LAN clients had no internet over
# 4G even though the router itself could ping out. The fix was to exclude the 4G port from L3
# HW offload (per-port setting under /interface ethernet switch port; the exact command is
# not shown in the thread) so that traffic is NATed by the CPU.
set 0 l3-hw-offloading=yes qos-hw-offloading=yes
/interface list member
add comment="Movistar Internet" interface=pppoe-movistar list=movistar_vlans
add comment="Movistar IPTv" interface=movistar_iptv list=movistar_vlans
add comment="Movistar VoIP" interface=movistar_voip list=movistar_vlans
# Both WAN links are in the WAN list that the input/forward drop rules key on.
add interface=mobile_inet list=WAN
add interface=pppoe-movistar list=WAN
/interface wireguard peers
# allowed-address includes 10.10.0.0/16, which is this site's own LAN space: WireGuard will
# accept packets from the VPS peer carrying any 10.10.x.x source address. Combined with the
# unconditional accept rules for in-interface=wg-vps in /ip firewall filter, the VPS can
# present itself as an internal host. Narrowing allowed-address to what the VPS actually
# sources (and filtering wg-vps traffic) limits the blast radius if the VPS is compromised.
add allowed-address=10.0.0.0/24,10.10.0.0/16 client-allowed-address=::/0 \
    comment=VPS endpoint-address=XXXXXXXXXX endpoint-port=51820 \
    interface=wg-vps name=peer1 persistent-keepalive=25s public-key=\
    "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
/ip address
# NOTE(review): defconf address on "ether13", an interface that is not defined anywhere in
# this export; looks like a leftover from the default configuration — confirm and remove.
add address=192.168.88.1/24 comment=defconf interface=ether13 network=\
    192.168.88.0
add address=1XXXXXXXX/9 comment="Movistar IPTv IP Address" interface=\
    movistar_iptv network=10.128.0.0
add address=192.168.50.1/24 comment="Switch APC IP Address" interface=\
    switch_apc network=192.168.50.0
add address=10.10.70.1/24 comment="LAN - Domotica IP" interface=lan_domotica \
    network=10.10.70.0
add address=10.10.100.1/24 comment="LAN - Servers IP" interface=lan_servers \
    network=10.10.100.0
add address=10.10.150.1/29 comment="LAN - VoIP IP" interface=lan_voip \
    network=10.10.150.0
add address=10.10.200.1/24 comment="LAN - Multimedia IP" interface=lan_media \
    network=10.10.200.0
add address=192.168.240.1/24 comment="LAN - Invitados IP" interface=lan_guest \
    network=192.168.240.0
add address=10.10.1.1/29 comment="LAN - DMZ" interface=lan_dmz network=\
    10.10.1.0
add address=10.10.10.1/24 comment="LAN - Administracion IP" interface=\
    lan_admin network=10.10.10.0
add address=10.0.100.1/24 comment="LAN - Cluster RPi IP" interface=\
    lan_clusterpi network=10.0.100.0
add address=192.168.20.1/29 comment="Monitoring & Wireshark IP" interface=\
    mon_wireshark network=192.168.20.0
add address=10.10.201.1/24 comment="IPTv Network" interface=iptv-lan network=\
    10.10.201.0
# Bridge side of the container links is /29 while the veth side is /24 (see /interface veth).
add address=172.16.0.1/29 comment="Docker Bridge IP" interface=docker-pihole \
    network=172.16.0.0
add address=172.16.1.1/29 comment="Docker Bridge IP" interface=docker-syslog \
    network=172.16.1.0
add address=10.0.0.2/24 comment="LAN - VPS" interface=wg-vps network=10.0.0.0
/ip dhcp-client
add add-default-route=no comment="Movistar VoIP IP Address" \
    default-route-tables=main !dhcp-options interface=movistar_voip \
    use-peer-ntp=no
# 4G client as exported: no default route, no peer DNS/NTP. This export predates the fix the
# thread arrives at — the poster later let this client add the default route with distance=2
# (the subsequent /ip route print shows it as DAdH 0.0.0.0/0 via 10.127.26.62, distance 2),
# which gives the route a real next-hop IP instead of the interface-only static routes below.
add add-default-route=no comment="4G Router IP Address" default-route-tables=\
    main !dhcp-options interface=mobile_inet use-peer-dns=no use-peer-ntp=no
/ip firewall address-list
# allowed_to_router is defined but no filter rule references it; the TRUSTED_LAN entries are
# disabled and equally unreferenced. As exported, neither list has any effect.
add address=10.10.2.10-10.10.2.20 comment=VPN list=allowed_to_router
add address=10.10.10.0/24 comment="LAN - Administracion" disabled=yes list=\
    TRUSTED_LAN
add address=10.10.70.0/24 comment="LAN - Domotica" disabled=yes list=\
    TRUSTED_LAN
add address=10.10.200.0/24 comment="LAN - Multimedia" disabled=yes list=\
    TRUSTED_LAN
# Dynamic lists filled by the detect-ddos chain (10 min timeout) and consumed in /ip firewall raw.
add comment="DDOS: Who is being attacked" list=ddos-targets
add comment="DDDOS: Who is Attacking" list=ddos-attackers
/ip firewall filter
# RouterOS chains default to accept and nothing below ends input or forward with a catch-all
# drop: the only edge protection is the pair of "new from WAN" drops at the very end. Traffic
# arriving on any non-WAN interface (guest, DMZ and IPTV VLANs, the docker bridges) can reach
# router services and every other VLAN unrestricted, and neither chain drops
# connection-state=invalid. The allowed_to_router / TRUSTED_LAN lists are never consulted here.
# wg-vps: unconditional accept in both chains — the VPS peer gets full router and LAN access
# whenever the tunnel is up (netwatch enables it when the fibre probe fails).
add action=accept chain=forward comment="Acceso desde VPS a Red Local" \
    in-interface=wg-vps
add action=accept chain=input comment="Acceso desde VPS al propio Router" \
    in-interface=wg-vps
# New, non-IPsec connections from either WAN are rate-checked in detect-ddos: under the
# dst-limit thresholds the chain returns; above them the destination and source are added to
# the ddos-* lists, and the pair is dropped in /ip firewall raw for 10 minutes.
add action=jump chain=forward comment="Anti DDoS Attacks" connection-state=\
    new in-interface-list=WAN ipsec-policy=in,none jump-target=detect-ddos
add action=return chain=detect-ddos comment="Mark and Drop SYN ACK attack" \
    dst-limit=32,32,src-and-dst-addresses/10s in-interface-list=WAN protocol=\
    tcp tcp-flags=syn,ack
add action=return chain=detect-ddos comment=DDOS dst-limit=\
    32,32,src-and-dst-addresses/10s
add action=add-dst-to-address-list address-list=ddos-targets \
    address-list-timeout=10m chain=detect-ddos comment=DDOS
add action=add-src-to-address-list address-list=ddos-attackers \
    address-list-timeout=10m chain=detect-ddos comment=DDOS
# Content match on "user.dat": the reject rule matches first, so the identical drop rule right
# after it can never be reached.
add action=reject chain=input comment="Anti Hack Exploit" content=user.dat \
    reject-with=icmp-network-unreachable
add action=drop chain=input comment="Anti Hack Exploit" content=user.dat
add action=drop chain=forward comment=\
    "Memcrashed - Amplification Attacks UDP 11211" dst-port=11211 protocol=\
    udp
# Outbound SMTP abuse detection: sources exceeding the connection/packet limits are listed as
# "spammer" for a day and their SMTP is dropped by the rule above.
add action=drop chain=forward comment="BLOCK SPAMMERS OR INFECTED USERS" \
    dst-port=25,26,587 protocol=tcp src-address-list=spammer
add action=add-src-to-address-list address-list=spammer address-list-timeout=\
    1d chain=forward comment="Detect and add-list SMTP virus or spammers" \
    connection-limit=30,32 dst-port=25,26,587 limit=2,1:packet protocol=tcp
# Keeps the router from acting as an open resolver towards the internet.
add action=drop chain=input comment="Block DNS" dst-port=53 \
    in-interface-list=WAN protocol=tcp
add action=drop chain=input comment="Block DNS" dst-port=53 \
    in-interface-list=WAN protocol=udp
# IKE/NAT-T is only accepted on pppoe-movistar. During 4G failover the "new from WAN" input
# drop below stops it, so the site-to-site and roadwarrior tunnels will not come up over
# mobile_inet (CGNAT on that link, per the thread, would block inbound IKE anyway).
add action=accept chain=input comment="Allow IPSEC/IKE2 connections" \
    dst-port=500,4500 in-interface=pppoe-movistar protocol=udp
add action=accept chain=forward comment="Accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="Accept out ipsec policy" \
    ipsec-policy=out,ipsec
# Duplicate of the "Accept out ipsec policy" rule above.
add action=accept chain=forward ipsec-policy=out,ipsec
# established/related accept sits almost last, so every packet of an existing flow is matched
# against all the rules above it; placing it first is the usual practice.
add action=accept chain=forward connection-state=established,related
# Edge rules: new connections from the WAN list are dropped unless (forward) they were
# dst-natted by one of the port-forward rules. There is no equivalent accept/drop structure
# for the internal interfaces.
add action=drop chain=input comment="Eliminar acceso directos al router" \
    connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="Eliminar redirecciones directas" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall mangle
# Sets the 802.1p/DSCP-style priority on traffic leaving the three Movistar VLANs.
add action=set-priority chain=postrouting comment="Prioridad a 4 IPTV" \
    new-priority=4 out-interface=movistar_iptv
add action=set-priority chain=postrouting comment="Prioridad a 1 Inet" \
    new-priority=1 out-interface=pppoe-movistar
add action=set-priority chain=postrouting comment="Prioridad a 4 VoIP" \
    new-priority=4 out-interface=movistar_voip
/ip firewall nat
# Source-only masquerade for the two container subnets: no out-interface match, so container
# traffic towards LAN hosts is rewritten to the router's address too. Adding
# out-interface-list=WAN would confine it to internet-bound traffic.
add action=masquerade chain=srcnat src-address=172.16.0.0/24
add action=masquerade chain=srcnat src-address=172.16.1.0/24
# Management access to the ONT (192.168.100.1) and the Zyxel (192.168.1.0/24).
add action=masquerade chain=srcnat comment="SFP Module" dst-address=\
    192.168.100.1 out-interface=sfp-movistar
add action=masquerade chain=srcnat comment="4G Router" dst-address=\
    192.168.1.0/24 out-interface=mobile_inet
# "Masquerade 4G Inet" is the rule the thread found being bypassed while L3 HW offload covered
# the 4G port; once that port is excluded from offload, forwarded LAN traffic hits this rule
# in the CPU and failover works end to end.
add action=masquerade chain=srcnat comment="Masquerade 4G Inet" ipsec-policy=\
    out,none out-interface=mobile_inet
add action=masquerade chain=srcnat comment="Masquerade Movistar SFP" \
    ipsec-policy=out,none out-interface-list=movistar_vlans
# All dst-nat rules are bound to pppoe-movistar: the published services (HAProxy on 80/443/8080,
# UniFi STUN, Xbox) are reachable only over the fibre and do not follow the failover to
# mobile_inet (CGNAT would block inbound anyway). The forward "new from WAN" drop lets these
# through via connection-nat-state=dstnat, so each rule here is an internet-exposed service.
add action=dst-nat chain=dstnat comment="HAProxy Redirect" dst-port=443 \
    in-interface=pppoe-movistar protocol=tcp to-addresses=10.0.100.2 \
    to-ports=443
add action=dst-nat chain=dstnat comment="HAProxy Redirect" dst-port=80 \
    in-interface=pppoe-movistar protocol=tcp to-addresses=10.0.100.2 \
    to-ports=80
add action=dst-nat chain=dstnat comment="HAProxy Redirect" dst-port=8080 \
    in-interface=pppoe-movistar protocol=tcp to-addresses=10.0.100.2 \
    to-ports=8080
add action=dst-nat chain=dstnat comment="UNIFI Device Status" dst-port=3478 \
    in-interface=pppoe-movistar protocol=udp to-addresses=10.10.100.30 \
    to-ports=3478
add action=dst-nat chain=dstnat comment="XBOX Online Game" dst-port=88 \
    in-interface=pppoe-movistar protocol=udp to-addresses=10.10.200.44
add action=dst-nat chain=dstnat comment="XBOX Online Game" dst-port=3074 \
    in-interface=pppoe-movistar protocol=udp to-addresses=10.10.200.44
add action=dst-nat chain=dstnat comment="XBOX Online Game" dst-port=3074 \
    in-interface=pppoe-movistar protocol=tcp to-addresses=10.10.200.44
add action=dst-nat chain=dstnat comment="XBOX Online Game" dst-port=3544 \
    in-interface=pppoe-movistar protocol=udp to-addresses=10.10.200.44
/ip firewall raw
# The "block" list is not defined under /ip firewall address-list in this export; presumably
# it is populated by the fw-addr-lists script run from the scheduler — verify, otherwise these
# three rules match nothing. Note the first rule sets log-prefix but not log=yes.
add action=drop chain=prerouting log-prefix=FW_BLOCKED: src-address-list=\
    block
add action=drop chain=prerouting dst-address-list=block
add action=drop chain=output dst-address-list=block
# Drops (and logs) attacker->target pairs identified by the detect-ddos chain before conntrack.
add action=drop chain=prerouting comment=DDOS dst-address-list=ddos-targets \
    log=yes log-prefix=DDOS-ATTACK src-address-list=ddos-attackers
/ip firewall service-port
# ALG helpers: only the RTSP helper is left enabled.
set ftp disabled=yes
set tftp disabled=yes
set h323 disabled=yes
set pptp disabled=yes
set rtsp disabled=no
/ip ipsec identity
# Both peers authenticate with certificates (no PSK); policies are generated port-strict.
add auth-method=digital-signature certificate="VPN Server" comment=\
    "Site2Site Matute29" generate-policy=port-strict peer=Matute29 \
    remote-certificate="Matute29 VPN Cert"
add auth-method=digital-signature certificate="VPN Server" comment=\
    "Abraham Mobile" generate-policy=port-strict mode-config=rw-conf peer=\
    Roadwarrior policy-template-group=rw-policies remote-certificate=\
    "Abraham Mobile"
/ip ipsec policy
# Site-to-site: whole 10.10.0.0/16 <-> 10.20.0.0/16 in tunnel mode. Roadwarrior: template
# matching any source towards the 10.10.2.0/24 VPN pool, using the no-PFS proposal.
add dst-address=10.20.0.0/16 level=unique peer=Matute29 proposal=Site2Site \
    src-address=10.10.0.0/16 tunnel=yes
add comment=rw-policies dst-address=10.10.2.0/24 group=rw-policies proposal=\
    roadwarrior src-address=0.0.0.0/0 template=yes
/ip route
# Fibre (distance 1): recursive check — 1.0.0.1/32 via the PPP interface (point-to-point, so an
# interface gateway resolves) and the default route via 1.0.0.1 with check-gateway=ping.
add comment="Comprobar DNS desde Movistar" disabled=no distance=1 \
    dst-address=1.0.0.1/32 gateway=pppoe-movistar routing-table=main scope=10 \
    suppress-hw-offload=no
add check-gateway=ping comment="Check Fibra" disabled=no distance=1 \
    dst-address=0.0.0.0/0 gateway=1.0.0.1 routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=11
# 4G (distance 2): the gateway here is an interface, not a next-hop IP. On plain Ethernet (the
# Zyxel is in bridge mode) the nexthop cannot be resolved, which is the problem discussed in
# the thread. The advice was to let the DHCP client install the default route with distance=2
# and not to recursive-check the last WAN at all (if WAN1 is down there is no third option);
# the later /ip route print shows exactly that DAdH route via 10.127.26.62.
add comment="Chequear DNS via Simyo 4G" disabled=no distance=1 dst-address=\
    8.8.8.8/32 gateway=mobile_inet routing-table=main scope=10 \
    suppress-hw-offload=no target-scope=10
add check-gateway=ping comment="Default Route -Backup" disabled=no distance=2 \
    dst-address=0.0.0.0/0 gateway=8.8.8.8 routing-table=main \
    suppress-hw-offload=no target-scope=11
# Management reachability of the Zyxel (192.168.1.0/24) and the ONT (192.168.100.0/24), again
# as interface routes; the matching masquerade rules are under /ip firewall nat.
add disabled=no dst-address=192.168.1.0/24 gateway=mobile_inet routing-table=\
    main suppress-hw-offload=no
add disabled=no dst-address=192.168.100.0/24 gateway=sfp-movistar \
    routing-table=main suppress-hw-offload=no
/ip tftp
# PXE boot for the Pi cluster: restricted to 10.0.100.0/24; req-filename=.* maps every
# requested name to the single rpi-firm file.
add ip-addresses=10.0.100.0/24 real-filename=nvme1/tftp/rpi-firm \
    req-filename=.*
/ipv6 nd
# Inert while /ipv6 settings disable-ipv6=yes.
set [ find default=yes ] advertise-dns=yes
/routing igmp-proxy
set quick-leave=yes
/routing igmp-proxy interface
# IPTV multicast: upstream on the Movistar IPTV VLAN (any source subnet), downstream to the
# decoder bridge.
add alternative-subnets=0.0.0.0/0 comment="Movistar IPTv Upstream" interface=\
    movistar_iptv upstream=yes
add comment="Movistar IPTv Downstream Decos" interface=iptv-lan
/routing rip interface-template
# Passive RIP on the ISP VoIP/IPTV VLANs: routes are learned, nothing is advertised.
add disabled=no instance=rip-movistar interfaces=movistar_voip,movistar_iptv \
    mode=passive
/snmp
# SNMP enabled, traps on local-lan, v2 (unauthenticated, community-based). The community
# configuration is not part of this export — make sure the default community is not in use
# and that SNMP is not reachable from the guest VLAN, since the input chain does not
# restrict internal interfaces.
set enabled=yes trap-interfaces=local-lan trap-version=2
/system clock
set time-zone-name=Europe/Madrid
/system health settings
set fan-min-speed-percent=15%
/system logging
# Rule 3 goes to disk; health/system/critical/script-error go to the remote (container) syslog.
set 3 action=disk
add action=remote topics=health
add action=remote topics=system
add disabled=yes topics=ipsec,debug
add action=remote topics=critical
add topics=health
add action=remote topics=script,error
add topics=tftp,debug
/system ntp client
set enabled=yes
/system ntp server
set broadcast-addresses=10.10.200.1,10.10.10.1 enabled=yes manycast=yes \
    multicast=yes
/system ntp client servers
add address=es.pool.ntp.org
/system package update
# Testing channel on the internet edge router (the export header shows 7.21rc6): release
# candidates get installed by the daily check-routeros-update schedule — acceptable for a
# lab, but worth a deliberate decision for a production edge.
set channel=testing
/system routerboard settings
set enter-setup-on=delete-key
/system scheduler
# Least privilege: most schedules below run with the full
# ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon policy set — far more
# than an address-list refresh or DHCP-to-DNS sync needs. "policy" and "password" in
# particular let a tampered script escalate. The scripts themselves (update_cloudflare,
# global-config, global-functions, check-routeros-update, dhcp-to-dns, fw-addr-lists) are
# not part of this export.
add comment="Actualiza las IP Publicas en Cloudflare" interval=5m name=\
    schedule_update_cloudflare on-event=\
    "/system script run update_cloudflare" policy=\
    read,write,policy,test,sniff start-time=startup
add name=global-scripts on-event=\
    "/system/script { run global-config; run global-functions; }" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-time=startup
add interval=1d name=check-routeros-update on-event=\
    "/system/script/run check-routeros-update;" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-time=startup
add interval=5m name=dhcp-to-dns on-event="/system/script/run dhcp-to-dns;" \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-time=startup
add name=fw-addr-lists@startup on-event="/system/script/run fw-addr-lists;" \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-time=startup
add interval=2h name=fw-addr-lists on-event=\
    "/system/script/run fw-addr-lists;" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-time=startup
/system watchdog
set watchdog-timer=no
/tool netwatch
# Simple ICMP probe of 1.0.0.1 every 10s (same host as the fibre default route's recursive
# gateway): on failure the wg-vps tunnel is enabled, on recovery it is disabled again. Note the
# probe has no interface pin, so once the 4G default route is active it will succeed over 4G.
add disabled=no down-script="/interface wireguard set [find name=\"wg-vps\"] d\
    isabled=no\
    \n/log warning \"--- FIBRA CAIDA: VPN ACTIVADA ---\"" host=1.0.0.1 \
    interval=10s test-script="" timeout=2s type=simple up-script="/interface w\
    ireguard set [find name=\"wg-vps\"] disabled=yes\
    \n/log info \"--- FIBRA OK: VPN DESACTIVADA ---\""
/tool sniffer
# Persistent sniffer settings: whenever the sniffer runs, VLAN 2000 frames matching the MAC
# filter are streamed in clear to 10.10.10.19:5555 on the admin VLAN. Confirm the sniffer is
# not left running outside troubleshooting sessions.
set filter-mac-address=XXXXXXXXXX/XXXXXXXXXX \
    filter-operator-between-entries=and filter-stream=yes filter-vlan=2000 \
    streaming-enabled=yes streaming-server=10.10.10.19:5555

I am not sure I understand what the desired/expected behaviour is.
A dual wan failover setup means - normally - that the second WAN is never used until the first one fails.

Anyway, post the output of:
/ip route print

I think you misunderstood me. Of course, I know that in Failover mode, one works and the other doesn't, and that the secondary connection kicks in when the primary one fails, which is what I'm doing by manually disabling the PPPoE interface.

What I'm saying is that if I disable the pppoe interface, the 4G route doesn't come up because it can't ping through the interface since, as I've read, you can't add an interface to the gateway of a route that isn't pppoe or another one that I can't remember because it can't resolve the nexthop.

Here are the routes

If I disable PPPoe:

As a side note, you are using recursive on both routes.

You don't need (nor normally want) to use recursive on the last failover (the 2nd in your case).
The idea is that:

  1. if Wan1 works -> use Wan1
  2. If Wan1 doesn't work -> use Wan2

The check is only on Wan1 as - if Wan1 doesn't work:
2.1) if Wan2 works -> you have internet
2.2) if Wan2 doesn't work ->you don't have internet
there is no alternative (a third WAN), so there is nothing that can change if the recursive on 2nd Wan marks the route as unreachable.

I asked for the output of /ip route print because I am more familiar with the tags of that output; screenshots may be equivalent but they are more difficult for me to parse.

The issue is likely in the "gateway=mobile_inet" setting.

The gateway should be the IP address of "next hop".

Normally, with the Zyxel set as a router, it would be the Zyxel's LAN-side address. With the Zyxel configured in bridge mode you should set it to the gateway the ISP provides.

That should happen through the DHCP client; since you have chosen to use "add-default-route=no" and manual routes, you need a DHCP client script, like:

to update the gateway to the IP provided by the ISP.

Or - since as said you don't really need to check recursively WAN2 - you could let the default route be created by the DHCP client, forcing the distance to 2.

I did what you told me to do. I set it to automatically use the default route with distance=2, and now I have ping from the router but not from the local network.

Now, if I stop the PPPoE interface, the default 4G route is activated, but I don't have ping from the computer.

And here is the traceroute.

/ip route print

Flags: D - DYNAMIC; I - INACTIVE, A - ACTIVE; c - CONNECT, s - STATIC, r - RIP, d - DHCP; H - HW-OFFLOADED
Columns: DST-ADDRESS, GATEWAY, ROUTING-TABLE, DISTANCE
#      DST-ADDRESS       GATEWAY                    ROUTING-TABLE  DISTANCE
;;; Check Fibra
0  Is  0.0.0.0/0         1.0.0.1                    main                  1
  DAdH 0.0.0.0/0         10.127.26.62               main                  2
;;; Comprobar DNS desde Movistar
1  Is  1.0.0.1/32        pppoe-movistar             main                  1
  DAcH 10.0.100.0/24     lan_clusterpi              main                  0
  DAcH 10.10.1.0/29      lan_dmz                    main                  0
  DAcH 10.10.10.0/24     lan_admin                  main                  0
  DAcH 10.10.70.0/24     lan_domotica               main                  0
  DAcH 10.10.100.0/24    lan_servers                main                  0
  DAcH 10.10.150.0/29    lan_voip                   main                  0
  DAcH 10.10.200.0/24    lan_media                  main                  0
  DAcH 10.10.201.0/24    iptv-lan                   main                  0

The routes overall seem fine to me.

Maybe now you are having issues in either /ip firewall filter or /ip firewall nat.

When the ping fails, do you get a timeout, host unreachable or no route to host?

What happens attempting to ping the gateway (10.127.26.62)?

This should work the same whether WAN1 is enabled or not, but you should have in the /ip route print (as you have on the screenshot) a DAcH route for 10.127.26.62/30 on interface mobile_inet.

Yes, I have it. That's why I find it strange that I can't access the internet. I've pinged the gateway and can't reach it, but as you can see in the configuration, I have masquerade for the mobile_inet interface.

Hello everyone,

It works now!!!!! For those of you who have a similar problem, here's the solution:

The problem occurs when L3 HW OFFLOAD is enabled. By default all ports are selected, so when it is enabled the Ethernet port that connects to the 4G router is included too; its traffic is then handled by the Marvell switch chip instead of the CPU, which, from what I've read, bypasses the NAT rules and therefore the masquerade. I disabled L3 HW Offloading on the 4G port and it started working perfectly.

What needs to be disabled:

Good. :slightly_smiling_face: