I have a Routerboard Hex and just purchased a SXT LTE6 as backup internet feed.
The Routerboard is set as Router and is connected in its Internet Port to a Starlink device. One Ethernet port is connected to a large Giga switch, which links a large network together, including (via microwave links) to a remote site.
At this remote site I have installed the new SXT LTE6, connected to the cellular network.
This is intended as a failover backup. What I want may not be possible, but:
Is there any way I can program the Routerboard to start using the SXT LTE6 for Internet if the Starlink fails?
I have seen the various failover scripts(?) but it is not clear to me how I can force the Routerboard router NOT to use its ‘Internet’ Port, but instead to use an IP address on the local LAN (via a single Ethernet port connected to the main Switch).
An additional question: The SXT LTE6 is set up as a Bridge. But it still has an external ‘Internet’ IP address with a box called “Firewall Router”. Is this some unique new system to mix a Bridge with a Router?
Well, I suspect you will need to set up VLANs, as the connection to the remote site (the backup internet part) will have to come on the same port and on a VLAN to be terminated as a WAN connection on the HEX.
I would probably upgrade to 7.16.2 but it's not absolutely necessary.
However doing so would allow you to remotely reach via BTH wireguard VPN, both the router and the LXT for configuration/troubleshooting issues.
But, if you want something basic without VLANs or “passthrough”… I don’t see harm in leaving the hEX as is, and then put the SXT on the hEX LAN.
i.e. assuming all have default configuration, the most basic failover would be to:
set the ip address of SXT to 192.168.88.2
setup SXT as bridge: i.e. disabled dhcp-server, add ether1 to bridge ports, remove ether1 from WAN in /interface/list,
make sure LTE is in WAN in /interface/list and NAT masquerade rule exists for WAN (or lte1 directly)
then… connect the SXT to a LAN port on hEX
on hEX, then you add a route to the SXT with a higher distance=, so “/ip/route add gateway=192.168.88.2 distance=2”
That’s IMO the most basic way to start. And it will fail over if you physically unplug the Starlink with just the above. But it will not catch other network failures. Now the above lets you test something, then move on to actually doing better failover detection once the basic plumbing is working, which gets to be more involved depending on needs.
Presumably your Starlink is using DHCP client to get its address & using a public IP. In which case, you can add a “check-gateway=ping” to the default route to Starlink, which will at least ping the earthstation to “test Starlink is up”. To do this, you can add a script to the /ip/dhcp-client for Starlink on hEX:
:if ($bound=1) do={/ip route set [/ip route find gateway=$"gateway-address"] check-gateway=ping}
Finally, you could also perhaps use the SXT as a backup router using VRRP for your LAN – which means if SXT and HEX were both connected to the LAN switch, then EITHER could provide routing for the LAN even if one router's hardware failed/powered-off/rebooted. But this could always be added later too.
Thanks for all that, I will work my way through the VLAN issue first.
Re the version: v6.49.17 was the latest update it just did, automatically.
I am not sure if the hardware allows for an even later version, if I find a way to download it.
I am scared to brick the unit…
hEX RB750Gr3 has enough RAM to run ROS 7, but maybe yours is actually one of the older RB750 versions? 64 MB of RAM is the minimum required.
In any case, to upgrade to ROS 7 from ROS 6, you have to set the update channel to upgrade before /system package update install. If successful, the first upgrade will take you to 7.12.* and set the update channel back to stable; you have to run /system package update install again to get to the latest stable 7.* (at the time of writing, 7.16.2).
Regarding @Amm0’s suggestion to connect the SXT to the LAN of the hEX - just bear in mind that under the hood it is not as simple as it seems. If a router (the hEX in your scenario) finds out that the in-interface and the out-interface are the same for a packet, it informs the sender of that packet, by means of an ICMP message, that a better route is available in the same network. So when your PC initiates a TCP connection to www.some.site, it sends its SYN packet to the hEX, which forwards it to the destination via the SXT but also tells the PC to send the subsequent packets for the address of www.some.site to the hEX directly. Leaving aside all the firewall and NAT issues related to this, since they are irrelevant in this particular setup, some devices may not handle this properly. The probability that their connections fail is quite low as if the sender merely ignores the ICMP notification about availability of a better router, the hEX will keep forwarding the packets via SXT, i.e. the device has to misunderstand the notifications in a creative way to break its routing, but if some devices work OK when the Starlink connection is available and fail when it is not, this is the direction to dig in. Use of VRRP eliminates this as it makes the PC in the example above send already the first SYN packet to the SXT.
Whatever the WAN failover scenario where NAT is involved:
TCP connections fail at each WAN change, but new ones can be established without problems (depending on the particular application, some have to be re-established manually, though).
UDP connections that get periodically refreshed (like SIP registrations, IPsec or Wireguard sessions) usually need specific treatment after a WAN change if they keep passing through a device that did the NAT for one WAN even while routed via the other WAN. So this will become interesting if you eventually choose the VLAN approach where the hEX will use a dedicated VLAN to send the traffic to internet via the SXT.
All true @sindy. I do normally use VRRP on the LANs, so forgot the ICMP would further delay “fail-back”. My generalized worry is always over-engineering failover so that itself produces outages, like here starlink should be pretty reliable, so failover should be pretty rare… So if perhaps “reopening a tab” is needed after failover, that may not be end of world for some failover cases. If more rapid failover/failback is desired, all the approaches do start getting more involved/complex.
Since we’re talking about a hEX and SXT, neither are especially powerful routers & there is already a switch… So my thought would be to use VRRP on LAN, so either SXT or HEX could be the “main” router, with the VRRP priority being on HEX. This has the added benefit that if an upgrade and/or change ends with a messed-up configuration, the other router allows the main LAN to still work. And the defaults on both routers have a firewall, WAN on ether1/lte1… so VRRP largely means changing the default LAN IP address from .1 on each router to .2 and .3 & a new VRRP interface with 192.168.88.1. If VLANs are added, then those too need a VRRP interface, and separate .2 and .3 IP addresses on the VLAN interface on each router.
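The VRRP layout described in the post above, written out as RouterOS commands. This is an added example, not configuration posted by anyone in the thread; the bridge name `bridge`, the interface name `vrrp-lan`, the VRID and the two priority values are assumptions.

```routeros
# ---- hEX (preferred master: higher VRRP priority) ----
# Move the router's own LAN address off .1 so .1 can become the shared address.
/ip address set [find interface=bridge] address=192.168.88.2/24
/interface vrrp add name=vrrp-lan interface=bridge vrid=1 priority=200
# The virtual gateway address lives on the VRRP interface as a /32.
/ip address add address=192.168.88.1/32 interface=vrrp-lan
# The default firewall drops input that does not arrive from the LAN list.
# Traffic sent to the virtual address arrives on vrrp-lan, so list it as LAN;
# otherwise DNS and management to 192.168.88.1 are silently dropped.
/interface list member add list=LAN interface=vrrp-lan

# ---- SXT (backup: lower VRRP priority, takes over .1 if the hEX goes away) ----
/ip address set [find interface=bridge] address=192.168.88.3/24
/interface vrrp add name=vrrp-lan interface=bridge vrid=1 priority=100
/ip address add address=192.168.88.1/32 interface=vrrp-lan
/interface list member add list=LAN interface=vrrp-lan
# Only one DHCP server should answer on the LAN. The hEX keeps serving leases
# that hand out 192.168.88.1 as gateway, which stays valid whichever router
# currently owns the virtual address.
/ip dhcp-server disable [find]
```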
@All: I am afraid most of this is going way over my head.
I am familiar with basic routing etc.; but not with the MikroTik / Winbox interface.
I have changed the SXT to another IP /24 network (192.168.51.254), left everything as default (Bridge, radio interface as WAN). NAT is checked.
I added an IP Route (Gateway) to it from the Hex, but I get a ‘Not available’ for the SXT Gateway on 192.168.51.254. (It does show on the Winbox on my PC, but I cannot connect to it)
Unless you need Wireguard, OpenVPN over UDP, chacha20poly1305 encryption in IPsec, or json serialization/deserialization (or some other one of the many little improvements of the scripting language), I can see no reason to switch to ROS 7.
I have a rb5009 with Starlink in bypass mode as WAN1 and then the LHGG LTE6 as secondary backup with LTE Passthrough. I also have recursive routes setup and use Netwatch for the failover along with a script for telegram notifications when WAN1 is down.
Starlink script in IP/DHCP Client/Ether1-WAN/Advanced
@sk0003
I managed to get SXT LTE6 “Ether1” into Passthrough Interface mode. I should still be able to reach it via Ether2 for programming.
Its default IP address is still 192.168.188.1
So how am I supposed to connect to it? In your Starlink script, that IP address 192.5.5.241, where does that come from? Is that the Starlink DHCP supplied address?
If so, this could change any time? And the $“gateway-address”, is that internally set or do I have to set it?
Then, I have tried before to set a Route to the IP address of the SXT which is on another network. This does not work. It cannot reach it.
You also seem to have a WAN2. I only have a single WAN. The SXT is on the LAN… Can I still use your system?
Once you have it in passthrough mode like in the videos, you should be able to see it in Winbox as a neighboring device through your router. You would access it through the management VLAN which was in the video.
The 192.5.5.241 is the IP that is being pinged in my recursive route for the primary. Instead of 8.8.8.8, Google’s IP for example.
This is what I have in my IP/Routes. You can see the primary is the one with the 192.5.5.241 and the secondary is with 8.8.4.4.
Then in netwatch the following. It only checks the primary. If down, it auto switches over because of the ip/routes setup above and runs a script to send a message via a telegram bot.
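The recursive-route and Netwatch arrangement described in the post above, as an added example that is not the poster's own configuration. The probe addresses 192.5.5.241 and 8.8.4.4 are the ones named in the post and 192.168.1.1 is the Starlink-side gateway from the hEX route table printed later in the thread; the LTE gateway 192.0.2.1, the route comments and the log messages are placeholders.

```routeros
# hEX: keep the DHCP client from installing its own default route, so only
# the recursive routes below decide which WAN carries traffic.
/ip dhcp-client set [find interface=ether1] add-default-route=no

/ip route
# Host routes pin each probe address to exactly one WAN. scope=10 lets the
# recursive default routes resolve their next hop through them.
add dst-address=192.5.5.241/32 gateway=192.168.1.1 scope=10 comment="probe-wan1"
# 192.0.2.1 is a placeholder: replace with the real LTE-side gateway.
add dst-address=8.8.4.4/32 gateway=192.0.2.1 scope=10 comment="probe-wan2"
# Default routes whose gateway is the probe address rather than the next hop:
# check-gateway=ping then tests the path beyond the modem, not just the link.
add dst-address=0.0.0.0/0 gateway=192.5.5.241 target-scope=11 \
    check-gateway=ping distance=1 comment="wan1-starlink"
add dst-address=0.0.0.0/0 gateway=8.8.4.4 target-scope=11 \
    check-gateway=ping distance=2 comment="wan2-lte"

# Netwatch watches only the primary probe. The routes above do the switching;
# these scripts just record it (a log line stands in for the notification).
/tool netwatch add host=192.5.5.241 interval=10s timeout=2s \
    down-script=":log warning \"WAN1 probe down, traffic on WAN2\"" \
    up-script=":log info \"WAN1 probe up, traffic back on WAN1\""

# Body for the Script field of the ether1 DHCP client (not a top-level command).
# $bound and $"gateway-address" are set by the DHCP client when a lease changes,
# so the probe host route follows whatever gateway Starlink hands out.
:if ($bound=1) do={
    /ip route set [/ip route find comment="probe-wan1"] gateway=$"gateway-address"
}
```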
@sk0003 and all;
I spent 2 days on this, lost my entire system 8 times and had to reset to factory settings, etc.
So what I got right now:
In the SXT LTE6 I set up a new Vlan called "net". As per video, I set the LTE in passthrough to "net". I should not have to do anything else.
In the Hex, I also added the Vlan "net" and I added a Default Route to it with a distance of 3. Route shows as 'net reachable' in blue.
I have NOT yet added any scripts; just manually testing.
In the Hex, when I try to ping 8.8.8.8 from the Tools/Ping using the Interface "net" it does not work.
When I ping 8.8.8.8 from my PC, and I pull the plug on the Starlink, I lose internet. When I plug it back on, it does not come back, and I have to reset my PC Ethernet interface.
In all my tests, I have not been able to get from my Hex to the Internet via the SXT. Not when it is in default Bridge mode, and not when it is in Passthrough mode.
SXT:
/interface/lte/apn> pr
     NAME     APN       ADD-DEFAULT-ROUTE  DEFAULT-ROUTE-DISTANCE  PASSTHROUGH-INTERFACE
 0 * default  internet  yes                2                       net
Hex:
/ip route> pr
        DST-ADDRESS        PREF-SRC        GATEWAY      DISTANCE
 0 ADS  0.0.0.0/0                          192.168.1.1  1
 1 S    0.0.0.0/0                          net          3
 2 ADC  192.168.1.0/24     192.168.1.195   ether1       0
 3 ADC  192.168.50.0/24    192.168.50.254  bridge       0
 4 ADC  192.168.188.0/24   192.168.188.2   net          0
I am not seeing the “man” VLAN which is the management VLAN. That is how you access the LTE. Have you followed through the video exactly as it says? I will print the configs from mine in a bit.