I'm trying to configure dual WAN failover on a MikroTik RB3011. For now both "WAN" ports are DHCP; I have 2 bridges assigned to the ether1 and ether2 ports, and each one has its own DHCP client, which is how I'm simulating the "ISP".
Gateway for WAN1: 192.168.238.1
Gateway for WAN2: 10.10.10.254
But the problem is: when I disconnect "ISP1" everything still works, but when I connect ISP1 back and disconnect ISP2 the internet just goes down. Can someone point out what I am doing wrong?
BTW: when I'm connected to the internet, for some reason I cannot ping 8.8.8.8, but the internet works normally.
Since your ISPs are providing DHCP for your WAN interfaces,
you can set your default-distance appropriately:
make your primary ISP distance=1 and your secondary ISP distance=2.
It will automatically fail over and swap between links. However, this usually requires the link to be DOWN [modem offline and no Ethernet connectivity]. If you want to rely on check-gateway=ping, there are some ways to do that with a DHCP interface. It is easier when your ISP provides a static IP, because when you configure that static route you have the option to add check-gateway.
On both DHCP clients remove "add default route".
Remove all mangle rules and all routes you have set, and paste this in the terminal:
/ip dns
set servers=1.1.1.1,8.8.8.8
/ip route
add comment="A - 1.1.1.1 must be reachable only from ISP1" distance=1 dst-address=1.1.1.1/32 gateway=192.168.238.1 scope=10
add comment="B - Recursive Routing, check ping 1.1.1.1 instead of ISP IP" distance=10 gateway=1.1.1.1 check-gateway=ping
add comment="C - ISP2 is alternative Gateway" distance=20 gateway=10.10.10.254
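The three routes above only probe ISP1; if ISP2 is up but its upstream is dead, traffic still falls to it. Below is an added worked example (not part of the post above) that extends the same recursive-routing idea symmetrically, so each ISP is probed through its own pinned host route. It assumes ether1 (ISP1, gateway 192.168.238.1) and ether2 (ISP2, gateway 10.10.10.254) are plain routed ports with DHCP clients that do not install their own default route, and that those gateway addresses stay fixed (true in this lab; with a real ISP that hands out a different gateway the static host routes would need updating). Probe hosts 1.1.1.1 and 8.8.8.8 are a choice, not a requirement.

```routeros
# Added example for RouterOS v6: dual-WAN failover with a recursive,
# check-gateway=ping default route per ISP. Not the original poster's config.

/ip dhcp-client
# Keep DHCP from adding its own default route or replacing the DNS servers,
# otherwise it competes with the static routes below.
set [find interface=ether1] add-default-route=no use-peer-dns=no
set [find interface=ether2] add-default-route=no use-peer-dns=no

/ip dns
set servers=1.1.1.1,8.8.8.8 allow-remote-requests=yes

/ip route
# Host routes pin each probe address to exactly one ISP. scope=10 equals the
# default target-scope=10 of the default routes below, so a recursive gateway
# can only be resolved through these host routes or connected routes, never
# through the other ISP's default route (scope=30).
add dst-address=1.1.1.1/32 gateway=192.168.238.1 scope=10 distance=1 \
    comment="probe host for ISP1, reachable only via ISP1"
add dst-address=8.8.8.8/32 gateway=10.10.10.254 scope=10 distance=1 \
    comment="probe host for ISP2, reachable only via ISP2"

# Recursive default routes. check-gateway=ping sends an ICMP echo every 10 s;
# after two consecutive lost replies the route is flagged unreachable and the
# next active default route (higher distance) takes over. When the probe
# answers again the lower-distance route becomes active by itself.
add gateway=1.1.1.1 check-gateway=ping distance=10 \
    comment="default via ISP1 (primary)"
add gateway=8.8.8.8 check-gateway=ping distance=20 \
    comment="default via ISP2 (backup)"

# For a PPPoE WAN the host route uses the interface name as gateway instead
# of an IP, e.g. gateway=pppoe-out1 (assumed interface name); the default
# route stays recursive on the probe address.

/ip firewall nat
# Both ether1 and ether2 are members of interface list WAN, so one masquerade
# rule follows whichever default route is active.
add chain=srcnat action=masquerade out-interface-list=WAN

# Check: exactly one default route should carry the A (active) flag; the
# other shows as unreachable while its probe is failing.
/ip route print where dst-address=0.0.0.0/0
```

Two caveats when you use the probe hosts as DNS servers, as here: while ISP1's link is up but its upstream is dead, queries to 1.1.1.1 are still forced down ISP1 and time out until the resolver falls back to 8.8.8.8; and if you ever want to ping a probe host from the LAN for troubleshooting, remember it always leaves through its pinned ISP, which is exactly the "can't ping 8.8.8.8 but the internet works" symptom described earlier in the thread.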
Still the same issue: when I disconnect ISP2 (GW: 192.168.238.1), the internet still goes down. But when I disconnect the primary connection it still works fine.
[admin@MikroTik] /ip dhcp-client> {
{... /ip dhcp-client
{... set [find where interface=WAN2] interface=ether2
{... /ip firewall nat
{... remove [find where out-interface=ether1]
{... remove [find where out-interface=WAN2]
{... /interface bridge port
{... remove [find where bridge=WAN2]
{... /int bridge
{... remove [find where name=WAN2]
{... set bridge admin-mac=[/int ethernet get ether3 mac-address] auto-mac=no protocol-mode=none
{... }
failure: can not run on slave interface
Btw, my ether1 port, which is ISP1, is configured via QuickSet on the web interface. Could that cause any issues?
And for some funny reason it now works just the other way around: when I disconnect ISP1 the internet goes down and won't switch to ISP2.
This is the export now:
# aug/04/2021 13:40:47 by RouterOS 6.48.3
# software id = 1PH9-QHR7
#
# model = RB3011UiAS
# serial number = E7E60E25645E
/interface bridge
add name=WAN2
add admin-mac=2C:C8:1B:B5:C8:BB auto-mac=no comment=defconf name=bridge
/interface vlan
add interface=bridge name=vlan5-servisni vlan-id=5
add interface=bridge name=vlan15-guest vlan-id=15
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.50.10-192.168.50.254
add name=dhcp_pool1 ranges=192.168.5.2-192.168.5.254
add name=dhcp_pool2 ranges=192.168.15.2-192.168.15.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
add address-pool=dhcp_pool1 disabled=no interface=vlan5-servisni name=dhcp1
add address-pool=dhcp_pool2 disabled=no interface=vlan15-guest name=dhcp2
/interface bridge port
add bridge=WAN2 comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add comment="Sekund\E1rn\ED konektivita" interface=ether2 list=WAN
/ip address
add address=192.168.50.1/24 comment=defconf interface=bridge network=192.168.50.0
add address=192.168.5.1/24 interface=vlan5-servisni network=192.168.5.0
add address=192.168.15.1/24 interface=vlan15-guest network=192.168.15.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
add disabled=no interface=WAN2
/ip dhcp-server network
add address=192.168.5.0/24 gateway=192.168.5.1
add address=192.168.15.0/24 dns-server=192.168.15.1,1.1.1.1 gateway=192.168.15.1
add address=192.168.50.0/24 comment=defconf dns-server=192.168.50.1,1.1.1.1 gateway=192.168.50.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8
/ip dns static
add address=192.168.50.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip route
add check-gateway=ping comment="B - Recursive Routing, check ping 1.1.1.1 instead of ISP IP" distance=10 gateway=1.1.1.1
add comment="C - ISP2 is alternative Gateway" distance=20 gateway=10.10.10.254
add comment="A - 1.1.1.1 must be reachable only from ISP1" distance=1 dst-address=1.1.1.1/32 gateway=192.168.238.1 scope=10
/system clock
set time-zone-name=Europe/Prague
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Please do not "Reply with quote" every time; use the "+ Post Reply" button, or it all turns into a big mess...
The export is exactly like before, because there was a position error in the script.
I fixed the script; paste it again.
Paste this in the terminal without omitting the { } !!!
{
/interface bridge port
remove [find where bridge=WAN2]
/ip dhcp-client
set [find where interface=WAN2] interface=ether2
/ip firewall nat
remove [find where out-interface=ether1]
remove [find where out-interface=WAN2]
/int bridge
remove [find where name=WAN2]
set bridge admin-mac=[/int ethernet get ether3 mac-address] auto-mac=no protocol-mode=none
}
(1) Why do you use a bridge for WAN?
All you need is either a DHCP client
or a manually added IP address.
(2) Do all your ports connect to smart devices (ones that can read VLAN tags)?
(3) Why do you even define VLANs? They are not used.
(4) The input chain is for traffic to and from the router (WAN to router, router to WAN, LAN to router and router to LAN), and thus trying to block VLANs from each other is done in the wrong chain. Remove the rules below.
The forward chain is for WAN to LAN, LAN to LAN and LAN to WAN traffic.
add action=drop chain=input comment="Block guest-vlan to servis-vlan" dst-address=192.168.5.0/24 src-address=192.168.15.0/24
add action=drop chain=input comment="Block guest-vlan to LAN" dst-address=192.168.50.0/24 src-address=192.168.15.0/24
So after deleting the rules in (4), let's accomplish the same thing a bit more neatly.
Take this rule → add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
which states: don't allow any WAN to LAN traffic that is not intended for port forwarding. Simply change it to allow port forwarding, and then
create a last rule that simply drops all other traffic. This last rule will block not only the WAN to LAN traffic but also LAN to LAN (WHAT YOU WANT FOR YOUR VLANS!!) and LAN to WAN. Reading this slowly, you should realize that the router comes by default allowing traffic unless you block it. By putting the drop-all-else rule at the end, we have turned the forward chain into a block-all-except-what-we-allow chain (much superior). Now you should realize that this rule blocks LAN to WAN, as already stated, so we need to ensure you add back the intended outbound internet traffic.
So, from the input chain:
add action=drop chain=input comment="Block guest-vlan to servis-vlan" dst-address=192.168.5.0/24 src-address=192.168.15.0/24
add action=drop chain=input comment="Block guest-vlan to LAN" dst-address=192.168.50.0/24 src-address=192.168.15.0/24
forward chain:
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
TO
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat connection-state=new in-interface-list=WAN ***
add action=accept chain=forward in-interface-list=LAN out-interface-list=LAN
add action=drop chain=forward comment="drop all else"
*** If you have no intention of port forwarding, another advantage of changing this rule is that you can now disable it temporarily or remove it without affecting anything else.
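The post above gives the new rules piecemeal and only describes the "add back outbound internet" rule in prose. Below is an added worked example (not from the post or the original poster's export) that assembles the complete default-deny forward chain in order, places the guest-VLAN restrictions in the forward chain, and handles the guest-to-router case in the input chain. It assumes the interface names and interface lists from the export posted earlier in the thread. One detail from that export matters here: only "bridge" is a member of list LAN, so the VLAN interfaces must be added to the list, otherwise the final drop rule would also cut them off from the internet. The explicit DHCP and DNS accepts for the guest VLAN are a conservative choice so the guest network keeps working after the input drop.

```routeros
# Added example for RouterOS v6: default-deny forward chain with guest-VLAN
# isolation, replacing the defconf input/forward filter rules. Not the
# original poster's configuration; interface names come from the posted export.

/interface list member
# Without these, in-interface-list=LAN never matches the VLAN interfaces.
add interface=vlan5-servisni list=LAN
add interface=vlan15-guest list=LAN

/ip firewall filter
# ---- forward: transit traffic (LAN<->WAN, LAN<->LAN), order matters ----
add chain=forward action=fasttrack-connection connection-state=established,related \
    comment="fasttrack"
add chain=forward action=accept connection-state=established,related,untracked \
    comment="accept established,related,untracked"
add chain=forward action=drop connection-state=invalid comment="drop invalid"
add chain=forward action=accept connection-nat-state=dstnat connection-state=new \
    in-interface-list=WAN comment="allow port forwarding"
# Guest isolation must come BEFORE the LAN->LAN accept below.
add chain=forward action=drop in-interface=vlan15-guest out-interface=vlan5-servisni \
    comment="block guest-vlan -> servis-vlan"
add chain=forward action=drop in-interface=vlan15-guest out-interface=bridge \
    comment="block guest-vlan -> LAN"
# The outbound rule the text says to "add back".
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN \
    comment="LAN -> internet"
add chain=forward action=accept in-interface-list=LAN out-interface-list=LAN \
    comment="remaining LAN -> LAN"
add chain=forward action=drop comment="drop all else"

# ---- input: traffic to the router itself (192.168.15.1 on the guest VLAN) ----
add chain=input action=accept connection-state=established,related,untracked \
    comment="accept established,related,untracked"
add chain=input action=drop connection-state=invalid comment="drop invalid"
add chain=input action=accept protocol=icmp comment="accept ICMP"
# Guests may only use the router for DHCP and DNS, nothing else (no WebFig,
# Winbox, SSH). These two accepts sit before the guest drop.
add chain=input action=accept in-interface=vlan15-guest protocol=udp dst-port=67 \
    comment="guest DHCP"
add chain=input action=accept in-interface=vlan15-guest protocol=udp dst-port=53 \
    comment="guest DNS"
add chain=input action=drop in-interface=vlan15-guest comment="guest: no router access"
add chain=input action=accept in-interface-list=LAN comment="LAN -> router"
add chain=input action=drop comment="drop all else (WAN)"

# Check the order and the hit counters after a client on vlan15 tries to open
# the web interface and to browse the internet:
/ip firewall filter print stats
```

The two guest drop rules in the forward chain match on interfaces rather than subnets, so a guest that sets a static address in another range is still caught; the input drop for vlan15-guest answers the "do both rules" question: it only stops guests from talking to the router itself, and their internet traffic is decided by the forward chain.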
1.) Oh, I didn't know I could just assign an address and it would act as a WAN interface. Still new to MikroTik, but that kind of fixed all my issues. Thanks.
2.) It's just connected to an L3 switch which has VLANs assigned on specific ports.
3.) They are in use on the switch: access points, which broadcast SSIDs for the normal LAN and the guest VLAN; in the servis LAN there are going to be a Synology, CCTV, etc.
4.) I read that input means → to the router, but if I do, for example:
add action=drop chain=input comment="Block guest-vlan to LAN" dst-address=192.168.50.0/24 src-address=192.168.15.0/24
and the IP of the MikroTik is 192.168.50.1,
does it completely cut off the guest VLAN from the router? Or will the router just be inaccessible while everything else still works? Because I didn't want guests to access the router from the guest VLAN (like the web interface, etc.) but still let the internet work. So I planned to do both rules: forward and input.
5.) The rule was already there when I bought the router, so I didn't touch anything default in the firewall,
but I still don't understand how it can block LAN to LAN traffic. I thought it just blocked everything from the WAN interfaces.
6.) Last question, about WAN failover:
When I did it properly without bridging, it worked flawlessly; I used @rextended's method.
But what about when ISP2 will be VDSL and I will have the VDSL modem in bridge mode connected to the MikroTik, letting the MikroTik handle the PPPoE connection? Can failover still be done by routing, setting the gateway to a specific interface instead of an IP address, or something like that?