PTPA
Please need your help on how to configure 2 WAN Failover in MirkoTik RouterOS?
Please see image below:
MikroTik Failover
Step 1: Add IP > Address (ISP1, ISP2 & LAN)
Step 2: IP > Firewall > NAT
a) chain: srcnat out-interface: ISP1 Action: masquerade
b) chain: srcnat out-interface: ISP2 Action: masquerade
Step 3: IP > Route
a) dst: 0.0.0.0 gateway: ISP1 IP Address and check gateway: ping
b) dst: 0.0.0.0 gateway: ISP2 IP Address and check gateway: ping
3) dst: 0.0.0.0 gateway: ISP1 & ISP2 IP Address and check gateway: ping
Step 4: Firewall > Mangle
a) Chain: input in-interface: ISP1 action: mark_connection (ISP1_conn) passthrough:TICK
b) Chain: input in-interface: ISP2 action: mark_connection (ISP2_conn) passthrough:TICK
c) Chain: output connection-mark: ISP1_conn Action: mark_routing (To_ISP1) passthrough:TICK
d) Chain: output connection-mark: ISP2_conn Action: mark_routing (To_ISP2) passthrough:TICK
e) Chain: prerouting in-interface: LAN Action: accept
Step 5: IP > DNS
8.8.8.8 Allow remote request: TICK
Step 6:
Set PC static IP as per LAN series (bcoz I don’t declare DHCP till now) and check internet from browser.
Step 7:
Set auto failover (if primary down then automatically on secondary link)
For this IP > Route > set distance for both ISPs
If I down ISP1 > check
Thank you!
anav
September 2, 2022, 5:24pm
3
Post the entire config (minus any public WANIP info, or router software id) and I will have a look.
Hi,
# sep/03/2022 09:14:31 by RouterOS 6.49.6
# software id = ****
#
# model = 951Ui-2HnD
/interface bridge
add admin-mac=**** arp=proxy-arp auto-mac=no fast-forward=no \
mtu=1500 name=bridge-local
/interface ethernet
set [ find default-name=ether1 ] mac-address=**** name=\
ether1-gateway
set [ find default-name=ether2 ] mac-address=**** name=\
ether2-master-local
set [ find default-name=ether3 ] mac-address=**** name=\
ether3-slave-local
set [ find default-name=ether4 ] mac-address=**** name=\
ether4-slave-local
set [ find default-name=ether5 ] mac-address=**** name=\
ether5-slave-local
/interface l2tp-client
add connect-to=**** disabled=no name=**** user=\
****
add connect-to=**** name=l2tp-out1 user=****
/interface wireless
set [ find default-name=wlan1 ] antenna-gain=0 band=2ghz-b/g/n channel-width=\
20/40mhz-eC country=no_country_set disabled=no frequency=2457 \
frequency-mode=manual-txpower mode=ap-bridge ssid=**** tx-power=\
20 tx-power-mode=all-rates-fixed
/interface pptp-client
add connect-to=**** disabled=no name=**** user=\
****
add connect-to=**** disabled=no name=**** user=\
****
add connect-to=**** disabled=no name=**** user=****
/interface list
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" mode=\
dynamic-keys supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=\
ICC-Guest supplicant-identity=""
/interface wireless
add disabled=no mac-address=**** master-interface=wlan1 name=\
ap-guest security-profile=ICC-Guest ssid=ICC-Guest wds-cost-range=0 \
wds-default-cost=0
/ip dhcp-server
add authoritative=after-2sec-delay interface=ether1-gateway lease-time=3d \
name=dhcp1
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des
/ip pool
add comment="Main Local DHCP" name=default-dhcp ranges=\
192.168.9.100-192.168.9.254
add comment="Guest WiFi DHCP" name=dhcp_pool1 ranges=11.11.11.2-11.11.11.254
/ip dhcp-server
add address-pool=default-dhcp authoritative=after-2sec-delay disabled=no \
interface=bridge-local lease-time=3d name=default
add address-pool=dhcp_pool1 authoritative=after-2sec-delay disabled=no \
interface=ap-guest name=dhcp2
/interface sstp-client
add connect-to=*** disabled=no name=**** profile=\
default-encryption user=*** \
verify-server-address-from-certificate=no
add connect-to=**** disabled=no name=**** profile=\
default-encryption user=****
/interface bridge port
add bridge=bridge-local interface=ether2-master-local
add bridge=bridge-local interface=wlan1
add bridge=bridge-local interface=ether5-slave-local
/ip neighbor discovery-settings
set discover-interface-list=discover
/interface list member
add interface=ether1-gateway list=discover
add interface=ether2-master-local list=discover
add interface=ether3-slave-local list=discover
add interface=ether4-slave-local list=discover
add interface=ether5-slave-local list=discover
add interface=bridge-local list=discover
add interface=l2tp-out1 list=discover
add interface=pptp-out1 list=discover
add interface=sstp-out1 list=discover
add interface=wlan1 list=discover
add interface=ap-guest list=discover
add interface=ether2-master-local list=mactel
add interface=ether3-slave-local list=mactel
add interface=ether2-master-local list=mac-winbox
add interface=ether4-slave-local list=mactel
add interface=ether3-slave-local list=mac-winbox
add interface=ether5-slave-local list=mactel
add interface=ether4-slave-local list=mac-winbox
add interface=bridge-local list=mactel
add interface=ether5-slave-local list=mac-winbox
add interface=wlan1 list=mactel
add interface=bridge-local list=mac-winbox
add interface=wlan1 list=mac-winbox
/ip address
add address=192.168.9.1/24 comment="default configuration" interface=\
bridge-local network=192.168.9.0
add address=192.168.9.1/24 comment="default configuration" interface=wlan1 \
network=192.168.9.0
add address=192.168.22.10/24 interface=ether3-slave-local network=\
192.168.22.0
add address=10.0.0.13 interface=pptp-out1 network=10.0.0.12
add address=****/30 disabled=yes interface=ether4-slave-local \
network=****
add address=****/30 interface=ether4-slave-local network=\
****
add address=10.0.0.15 interface=sstp-out1 network=10.0.0.14
add address=10.0.0.17 disabled=yes interface=l2tp-out1 network=10.0.0.16
add address=192.168.8.1/24 disabled=yes interface=ether3-slave-local network=\
192.168.8.0
add address=****/24 interface=ether1-gateway network=****
add address=11.11.11.1/24 interface=ap-guest network=11.11.11.0
/ip dhcp-client
add add-default-route=no comment="default configuration" disabled=no \
interface=ether1-gateway
add default-route-distance=5 interface=ether3-slave-local
add interface=wlan1
/ip dhcp-server network
add address=11.11.11.0/24 comment="ICC-Guest WiFi" gateway=11.11.11.1
add address=192.168.9.0/24 comment="default configuration" dns-server=\
192.168.9.1,8.8.8.8 gateway=192.168.9.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=\
****,****,****,****
/ip dns static
add address=192.168.88.1 name=router
/ip firewall filter
add action=reject chain=input dst-port=53 in-interface=ether4-slave-local \
protocol=udp reject-with=icmp-network-unreachable
add action=accept chain=input comment="default configuration" disabled=yes \
protocol=icmp
add action=accept chain=input comment="default configuration" \
connection-state=established disabled=yes
add action=accept chain=input comment="default configuration" \
connection-state=related disabled=yes
add action=drop chain=input comment="default configuration" disabled=yes \
in-interface=ether1-gateway
add action=accept chain=forward comment="default configuration" \
connection-state=established disabled=yes
add action=accept chain=forward comment="default configuration" \
connection-state=related disabled=yes
add action=drop chain=forward comment="default configuration" \
connection-state=invalid disabled=yes
add action=accept chain=input comment="FTP File Server" dst-port=\
****,**** in-interface=ether1-gateway protocol=tcp
add action=drop chain=forward comment="ICC-Guest WiFi" dst-address=\
192.168.9.0/24 src-address=11.11.11.0/24
add action=drop chain=forward dst-address=11.11.11.0/24 src-address=\
192.168.9.0/24
add action=drop chain=input comment="drop ftp brute forcers" dst-port=**** \
protocol=tcp src-address-list=ftp_blacklist
add action=accept chain=output content="530 Login incorrect" dst-limit=\
1/1m,9,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=ftp_blacklist \
address-list-timeout=3h chain=output content="530 Login incorrect" \
protocol=tcp
add action=drop chain=input comment="drop ssh brute forcers" dst-port=**** \
protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist \
address-list-timeout=1w3d chain=input connection-state=new dst-port=**** \
protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
address-list-timeout=1m chain=input connection-state=new dst-port=**** \
protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
address-list-timeout=1m chain=input connection-state=new dst-port=**** \
protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
address-list-timeout=1m chain=input connection-state=new dst-port=**** \
protocol=tcp
/ip firewall mangle
add action=mark-routing chain=prerouting disabled=yes dst-address=\
**** new-routing-mark=Out_Ether4 passthrough=yes
add action=mark-routing chain=prerouting disabled=yes new-routing-mark=\
Out_Ether4 passthrough=yes src-address=192.168.9.4
add action=mark-routing chain=prerouting new-routing-mark=Out_Ether4 \
passthrough=yes src-address=192.168.9.4
/ip firewall nat
# New_Angola_PPTP_Temp not ready
add action=accept chain=srcnat comment="_New_Angola_PPTP_Temp not ready" \
dst-address=192.168.2.0/24 out-interface=New_Angola_PPTP_Temp
add action=masquerade chain=srcnat comment="default configuration" \
dst-address=!192.168.0.0/16 out-interface=ether4-slave-local
add action=masquerade chain=srcnat comment="default configuration" \
dst-address=!192.168.0.0/16 fragment=no hotspot="" out-interface=\
ether1-gateway
add action=dst-nat chain=dstnat dst-address=**** dst-port=**** \
in-interface=ether4-slave-local protocol=tcp to-addresses=192.168.9.4 \
to-ports=****
add action=masquerade chain=srcnat dst-address=192.168.3.0/24 out-interface=\
ether3-slave-local
add action=masquerade chain=srcnat dst-address=192.168.4.0/24 out-interface=\
ether3-slave-local
add action=masquerade chain=srcnat dst-address=192.168.5.0/24 out-interface=\
ether3-slave-local
add action=masquerade chain=srcnat dst-address=192.168.6.0/24 out-interface=\
ether3-slave-local
add action=masquerade chain=srcnat dst-address=192.168.7.0/24 out-interface=\
ether3-slave-local
add action=masquerade chain=srcnat dst-address=192.168.8.0/24 out-interface=\
ether3-slave-local
add action=masquerade chain=srcnat dst-address=192.168.10.0/24 out-interface=\
ether3-slave-local
add action=masquerade chain=srcnat dst-address=192.168.11.0/24 out-interface=\
ether3-slave-local
add action=masquerade chain=srcnat dst-address=192.168.12.0/24 out-interface=\
ether3-slave-local
add action=masquerade chain=srcnat dst-address=192.168.13.0/24 out-interface=\
ether3-slave-local
add action=masquerade chain=srcnat dst-address=192.168.14.0/24 out-interface=\
ether3-slave-local
add action=masquerade chain=srcnat dst-address=192.168.15.0/24 out-interface=\
ether3-slave-local
add action=masquerade chain=srcnat dst-address=192.168.16.0/24 out-interface=\
ether3-slave-local
add action=masquerade chain=srcnat dst-address=192.168.17.0/24 out-interface=\
ether3-slave-local
add action=masquerade chain=srcnat dst-address=192.168.18.0/24 out-interface=\
ether3-slave-local
add action=masquerade chain=srcnat dst-address=192.168.19.0/24 out-interface=\
ether3-slave-local
add action=masquerade chain=srcnat dst-address=192.168.20.0/24 out-interface=\
ether3-slave-local
add action=masquerade chain=srcnat dst-address=192.168.21.0/24 out-interface=\
ether3-slave-local
add action=masquerade chain=srcnat dst-address=192.168.22.0/24 out-interface=\
ether3-slave-local
add action=masquerade chain=srcnat dst-address=192.168.23.0/24 out-interface=\
ether3-slave-local
add action=masquerade chain=srcnat dst-address=192.168.25.0/24 out-interface=\
ether3-slave-local
add action=masquerade chain=srcnat dst-address=192.168.26.0/24 out-interface=\
ether3-slave-local
add action=masquerade chain=srcnat dst-address=192.168.27.0/24 out-interface=\
ether3-slave-local
add action=masquerade chain=srcnat dst-address=192.168.28.0/24 out-interface=\
ether3-slave-local
add action=masquerade chain=srcnat dst-address=192.168.29.0/24 out-interface=\
ether3-slave-local
add action=masquerade chain=srcnat dst-address=192.168.30.0/24 out-interface=\
ether3-slave-local
add action=masquerade chain=srcnat dst-address=192.168.31.0/24 out-interface=\
ether3-slave-local
add action=masquerade chain=srcnat dst-address=192.168.32.0/24 out-interface=\
ether3-slave-local
add action=masquerade chain=srcnat dst-address=192.168.33.0/24 out-interface=\
ether3-slave-local
add action=masquerade chain=srcnat dst-address=192.168.34.0/24 out-interface=\
ether3-slave-local
add action=masquerade chain=srcnat dst-address=192.168.35.0/24 out-interface=\
ether3-slave-local
add action=dst-nat chain=dstnat comment="CCTV DVR KM28" dst-address=\
**** dst-port=**** protocol=tcp to-addresses=**** \
to-ports=****
add action=dst-nat chain=dstnat dst-address=**** dst-port=**** \
protocol=tcp to-addresses=**** to-ports=****
add action=masquerade chain=srcnat dst-address=**** protocol=tcp \
src-address=192.168.9.0/24
#Deleted other CCTV Configuration
add action=dst-nat chain=dstnat comment="FTP FILEZILLA" dst-port=**** \
in-interface=ether1-gateway protocol=tcp to-addresses=****
add action=dst-nat chain=dstnat dst-port=**** in-interface=\
ether1-gateway protocol=tcp to-addresses=****
add action=masquerade chain=srcnat comment="ICC-Guest WiFi" out-interface=\
ap-guest src-address=11.11.11.0/24
/ip proxy
set cache-path=web-proxy1
/ip route
add distance=4 gateway=**** routing-mark=Out_Ether4
add distance=3 gateway=****
add distance=1 dst-address=10.0.0.12/32 gateway=pptp-out1 pref-src=10.0.0.13 \
scope=10
add distance=1 dst-address=10.0.0.14/32 gateway=sstp-out1 pref-src=10.0.0.15 \
scope=10
add disabled=yes distance=1 dst-address=10.0.0.16/32 gateway=l2tp-out1 \
pref-src=10.0.0.17 scope=10
add distance=1 dst-address=10.10.10.1/32 gateway=\
New_Angola_PPTP_Temp,New_AngolaL2tp,New_Office_sstp
add distance=1 dst-address=****/32 gateway=****
add distance=1 dst-address=****/32 gateway=****
add disabled=yes distance=1 dst-address=****/32 gateway=\
****
add distance=1 dst-address=192.168.2.0/24 gateway=****
add distance=2 dst-address=192.168.2.0/24 gateway=****
add distance=3 dst-address=192.168.2.0/24 gateway=****
add disabled=yes distance=2 dst-address=192.168.2.0/24 gateway=****
add distance=1 dst-address=192.168.3.0/24 gateway=****
add distance=1 dst-address=192.168.4.0/24 gateway=****
add distance=1 dst-address=192.168.5.0/24 gateway=****
add distance=1 dst-address=192.168.6.0/24 gateway=****
add distance=1 dst-address=192.168.7.0/24 gateway=****
add distance=1 dst-address=192.168.8.0/24 gateway=****
add distance=1 dst-address=192.168.100.0/24 gateway=****
add distance=1 dst-address=****/32 gateway=****
add distance=1 dst-address=****/32 gateway=****
/ip service
set telnet disabled=yes port=****
set ftp port=****
set www port=****
set ssh disabled=yes port=****
/port remote-access
add
/system clock
set time-zone-autodetect=no time-zone-name=Africa/Luanda
/system identity
set name=Master
/system leds
set 0 interface=wlan1 leds=wlan-led type=wireless-status
set 1 interface=ether1-gateway leds=led1
set 2 interface=ether2-master-local leds=led2
set 3 interface=ether3-slave-local leds=led3
set 4 interface=ether4-slave-local leds=led4
set 5 interface=ether5-slave-local leds=led5 type=interface-activity
/tool graphing interface
add allow-address=192.168.9.0/24 interface=ether1-gateway
/tool graphing queue
add allow-address=192.168.9.0/24
/tool mac-server
set allowed-interface-list=mactel
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox
anav
September 3, 2022, 4:35pm
5
I see your on vers6 software however I will provide the current ver7 format because that will work on both and when you transition to vers 7.5 stable for example… it should be seamless as far as routing goes…
All smart devices get their IP address on the Managmenet LAN or vlan, and the admin is normally connected on this network.
In any case…
Will assume that ether1 is the Primary WAN and ether3? is the secondary failover WAN..
(1) Remove the first line here in yellow because the pppoe settings are all done under that menu and not this menu!!/ip dhcp-client
(2) It is not clear to me what the first two routes are, but will assume they have nothing to do with the two ISP connections and can be ignored. ???/ip route a) dst: 0.0.0.0 gateway: ISP1 IP Address and check gateway: ping
You only need to check ping on the primary and why do you have the third entry (note that on all three the distances are missing).
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
What other requirements do you have that are not clearly stated regarding what ISP users should be going out on???
I see your on vers6 software however I will provide the current ver7 format because that will work on both and when you transition to vers 7.5 stable for example… it should be seamless as far as routing goes…
All smart devices get their IP address on the Managmenet LAN or vlan, and the admin is normally connected on this network.
In any case…
Will assume that ether1 is the Primary WAN and ether3? is the secondary failover WAN..
(1) Remove the first line here in yellow because the pppoe settings are all done under that menu and not this menu!!/ip dhcp-client
(2) It is not clear to me what the first two routes are, but will assume they have nothing to do with the two ISP connections and can be ignored. ???/ip route a) dst: 0.0.0.0 gateway: ISP1 IP Address and check gateway: ping
You only need to check ping on the primary and why do you have the third entry (note that on all three the distances are missing).
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
What other requirements do you have that are not clearly stated regarding what ISP users should be going out on???
Hi,
Btw, for your additional information, here’s our network diagram image below.
ITA Router - this is a isp company to provide connection to our stores. (No internet, just a local connection or VPN)
Red drawing - I will put the connection in eth5 to obtain a internet from the other office via Access Point.
Any question, please let me know.
Thanks
For simple failover, you can literally just define multiple static default routes, set the metric higher on the secondary connection, and then enable check-gateway or netwatch for each one.
It gets a little more complicated if the gateway is up, but the internet is unreachable via that route, but nothing too crazy.
anav
September 5, 2022, 5:13pm
8
Yup the basic idea being.
(1) Basic routes needed for both
(2) Done! If you needed a subnet to only go out ISP2, then you would create a third route which mirrors the failover router plus…routing-mark=useWAN2
(3) Create routing rule to put this into effect.add src-address=LAN_subnet action=lookup table=useWAN2
Note: Using action=lookup means if the route to wan2 is down, in otherwords your connection to ISP2 is down, the router is allowed to look for alternate routes and will find in Table main the route to ISP1.action=lookup-only-in-table then if ISP2 is not available the LAN will have no route and no traffic will pass.
Yup the basic idea being.
(1) Basic routes needed for both
(2) Done! If you needed a subnet to only go out ISP2, then you would create a third route which mirrors the failover router plus…routing-mark=useWAN2
(3) Create routing rule to put this into effect.add src-address=LAN_subnet action=lookup table=useWAN2
Note: Using action=lookup means if the route to wan2 is down, in otherwords your connection to ISP2 is down, the router is allowed to look for alternate routes and will find in Table main the route to ISP1.action=lookup-only-in-table then if ISP2 is not available the LAN will have no route and no traffic will pass.
This is very very helpful and more detailed. You’ve already help me before. You are amazing!
Thanks for your help! This is now resolved!
Cheers!
anav
September 6, 2022, 12:08pm
10
As long as you understand what your config is doing, thats the main point.
