hAP ax lite LTE6 - Not getting assigned an IP on LTE

Hi - Just received one of these for testing, and have been able to get the LTE interface as “active” (After changing APN settings), but it’s not being assigned an IP address? If I connect the same SIM into a phone, I get assigned an IP address/can browse internet etc?

Pretty much the only thing I’ve changed in the config is the APN settings.

Any suggestions are appreciated.

Paste your config using export command.

Regards.

Thanks - No problems:


# 1970-01-02 01:16:49 by RouterOS 7.11.1
# software id = **ELIDED**
#
# model = L41G-2axD&FG621-EA
# serial number = **ELIDED**
/interface bridge
add admin-mac=**ELIDED** auto-mac=no comment=defconf name=bridge
/interface lte
set [ find default-name=lte1 ] allow-roaming=no band=""
/interface wifiwave2
set [ find default-name=wifi1 ] channel.band=2ghz-ax .skip-dfs-channels=10min-cac .width=20/40mhz configuration.mode=ap .ssid=MikroTik-07E6DF disabled=no security.authentication-types=wpa2-psk,wpa3-psk
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] apn=telstra.wap use-network-apn=no
add apn=Telstra.wap name="Telstra Internet"
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge lease-time=10m name=defconf
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=wifi1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=lte1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system logging
add topics=lte
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Uncheck “Use Network APN” if it’s checked.

Thanks - “Use network APN” has always been unchecked.

What happens with “telstra.internet” as the APN?

Thank You!!! On the phone, it had telstra.wap as APN…just changed it to telstra.internet as you suggested, and now have an IP address and can ping etc!

Thanks again!

Now, next task is to setup WAN (Eth) port as primary, and use the LTE as failover :slight_smile:

By default, if you unplug the ether1 WAN, it will fail over automatically. The order of default routes is based on the “default-route-distance”. By default DHCP-client (like what you’d use on a WAN) uses distance 1, and LTE APN profile (advanced tab) uses distance of 2. So unplugging WAN will cause it to switch to LTE (now some users may need to refresh a page etc).

Now failover if the WAN modem is up, but internet is down elsewhere… that’s trickier for failover.

To add a WAN based on your config:

  1. remove ether1 from Bridge > Ports
  2. add DHCP client (assuming WAN uses dynamic addressing) in IP > DHCP Client, then add/+ with ether1 selected
  3. in Interface > Interface Lists, add/+ ether1 to the WAN list
  4. In IP > DNS add your favorite DNS server (e.g. one or more: 1.1.1.1, 8.8.8.8, 9.9.9.9, 208.67.222.222, etc.)

Thanks very much!

So by adding ether1 to the WAN list, traffic originating from the LAN will automatically be NAT’d? (Based on the NAT/masquerade rule configured under firewall)?

Cheers

Correct, step 3 puts it into the WAN interface-list & the NAT rule is applied by membership in the WAN.

Failover is kinda tied to the IP > Firewall > Connections. So by default, traffic follows the path when traffic is NATed. So if you unplug ether1 to switch to LTE, those connections in firewall “Connections” tab have to timeout/fail, to “switch”. New ones will be NATed, and tracked, based on the lowest distance (and active) 0.0.0.0 route in /ip/route

There are a bunch of ways to deal with failover, but I’d get two WANs working with a “hard failover” (e.g. unplugging ether1 WAN) first.

Thanks again for your assistance - Greatly appreciated…I’ll test later this afternoon :slight_smile:

Failover / failback, all working very nicely (Only dropping 1-2 packets)…Is failover achieved so quickly due to cable being disconnected (So default route is removed almost instantly?)…I think a ping to next-hop, or google dns servers (Via src of both “WAN’s”) might be a better option as cable disconnects will be a rare occurrence…is the following guide the current recommended best-practice for failover? (Apologies, I’m used to primarily Cisco kit :slight_smile: )

https://help.mikrotik.com/docs/pages/viewpage.action?pageId=26476608

Thanks again.

RouterOS is pretty flexible so there are many ways to do failover. The above approach is called “Route Failover”, see bottom of the summary of methods for failover/load balancing:
https://help.mikrotik.com/docs/display/ROS/Load+Balancing


Correct, an interface in a “down” state (e.g. unplugged or disabled in software) removes its route immediately. And the NAT rule should deal with connections when the interface goes down.

I mention this method since if the use case is for “travel”, this method is dirt simple. If you have an ethernet WAN, it will use that. If you don’t it uses LTE.



This is a valid middle-ground actually, checking next-hop using ping. All routes have a check-gateway=ping option. This is used by all more complex failover cases too.

check-gateway=ping on a /ip/route, will ping the next-hop and after three failed pings, it will disable the route. It ONLY checks next-hop, not “the internet” – but that’s better than waiting for the interface being down (e.g. using ONLY distance= in routes).

Since I’m guessing you’re using DHCP to get the WAN address from ether1, the DHCP client is what’s adding the default route to /ip/routes DYNAMICALLY. But there is no option there to add the “check-gateway=ping” option. But you can use a script in the “Advanced” tab… the script will run whenever an address is assigned and modify the route to check the next-hop ping to check the route:

:if ($bound=1) do={ 
   /ip route set [ /routing/route/find dst-address="0.0.0.0/0" gateway=$"gateway-address" ] check-gateway=ping 
}



And this is the “recursive routing” method. It depends on the 2 methods above to work. This method just abuses the routing table by using the check-gateway=ping to add an intermediate route via the host on internet you want to ping. But as the page describes, you need separate routing tables, etc. since that internet host you’re checking needs to have a fixed route via a specific WAN to check.

If your WAN uses DHCP or PPPoE or other dynamic WAN address, you still need the DHCP client script shown, but that part needs to change. Mikrotik docs assume you have a static IP address for your WAN, so this method is actually especially complex for DHCP on ether1 and LTE as 2nd WAN – both have dynamic addresses.

Another forum member, @pcunite, has an initial/WIP guide for “MultiWAN” that covers the dynamic assignment part better than Mikrotik’s doc, see here http://forum.mikrotik.com/t/multiwan-with-routeros/163698/1

If just checking a WAN via the “next hop method” is good enough … I’d stop there. While the “recursive routing” method totally works, there are lots of ways the initial setup can go wrong…especially when you have a dynamic WAN address…

Thanks once again for your extremely helpful info - I’ll have a read today. DHCP for ether WAN is only for the test setup - In production, we will be assigning static /31’s (ie, the ether WAN IP will never change).

Cheers.

Yeah it’s the combo of dhcp-client and recursive routes that’s particularly complex.
If the primary WAN has a static IP, the docs are right** and relatively straightforward.

Assuming LTE is the last resort… then you don’t need to add the recursive route checks to that one. While for LTE, you can use the interface name “lte1” as the route destination (instead of IP), but that also gets tricky – if LTE is the last choice it’s easy, no recursive routes are needed.

Basically the recursive routing scheme documented in “WAN Failover” depends on static IPs… so if you have dynamic one, tricks are needed to make it work.

**Except they use DNS servers as the internet hosts to check… so you’d want to make sure you didn’t use any of those DNS servers as one used by hosts on your network (e.g. the DNS servers checked ONLY go out ONE WAN). In fact, it’d be better to NOT use the 8.8.8.8 and 208.67.222.222 stuff and use another IP address on internet to check for liveness.
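
The static-primary case discussed above (ether1 with a fixed address, LTE as last resort), as an added example that is not part of the original thread or MikroTik's documentation. The addresses are documentation-range placeholders: 192.0.2.1 stands for the ether1 next-hop and 203.0.113.10 for an internet host used only as a liveness probe.

```routeros
# Added example. Placeholders (assumptions, not values from this thread):
#   192.0.2.1    = next-hop on the static ether1 WAN
#   203.0.113.10 = internet host used ONLY as a liveness probe
#                  (not a DNS server that LAN clients rely on)

/ip route

# 1. Pin the probe host to the ether1 next-hop. scope=10 allows the
#    default route below (target-scope=11) to resolve its gateway
#    through this host route and through nothing else.
add dst-address=203.0.113.10/32 gateway=192.0.2.1 scope=10 \
    comment="probe host, reachable via ether1 only"

# 2. Primary default route. The gateway is the probe host, resolved
#    recursively via the route in step 1. check-gateway=ping therefore
#    pings the probe host rather than the next-hop, so an upstream
#    outage with ether1 still "up" also deactivates this route.
add dst-address=0.0.0.0/0 gateway=203.0.113.10 target-scope=11 \
    check-gateway=ping distance=1 comment="primary: ether1 (recursive)"

# 3. No static route is added for LTE. The LTE APN profile installs its
#    own default route dynamically at distance 2, which becomes the
#    active default whenever the distance=1 route above is inactive.

# Check which default route is currently active.
/ip route print detail where dst-address=0.0.0.0/0
```

Because the probe host is pinned to ether1, any LAN traffic to that address also leaves via ether1 only, which is why the probe should not be an address clients depend on.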

Hello
I did the modem after remove configuration. The modem was reset and it was not recognized by the Winbox program and I cannot access it.
please guide me

Not sure what you mean by “modem after remove configuration”. I’d try physically powering off and see if it shows up after powering on, if you haven’t already. Just “reboot” does not really reset the modem.

If you’re not running the latest RouterOS at least v7.12 (or v7.13 if you’re already at 7.12)… that’d be another thing to try. Also doing a System > RouterBoard > Update button (and reboot) so board firmware is also at the latest version. Then try updating the LTE Firmware in Interface > LTE as the 3rd step.

If that still doesn’t fix it, you might also want to do System > Reset Configuration and try again once at the latest version.