I didn’t use any kid controls because I don’t think I need to. I’m using the firewall rule to reject traffic, should I be using kid controls?
My bad, you are correct, the simple suggestion was firewall rules in the forward chain.
However I think I would do it differently, personal preference and also if not using IPV6 would get rid of the firewall lists and most rules with it as well..
/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=established,related
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid
add action=reject chain=forward comment=”not allowed Wan2” in-interface-list=!WAN2_Allowed \
out-interface=ether2 reject-with=icmp-network-unreachable
add action=accept chain=forward comment=”internet traffic” in-interface-list=LAN \
out-interface-list=WAN
add action=drop chain=forward comment=”drop all else'“
If you were not going to bother with ICMP reject etc………
/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=established,related
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward comment=”internet traffic” in-interface-list=LAN \
out-interface=ether1
add action=accept chain=forward comment=”internet traffic” in-interface-list=LAN \
src-address-list=WAN2_Allowed out-interface=ether2
add action=drop chain=forward comment=”drop all else'“
/ipv6 settings
set disable-ipv6=yes
/ipv6 firewall filter
add chain=input action=drop
add chain=forward action=drop
Not really sure about this, but at first sight the reject rule should be moved "up", to become one of the first rules in "forward" chain, now, as last rule, It seems to me improbable that It really catches all It should.
Instead of looking for "comment" netwatch could look for gateway 192.168.10.1, I don't personally like using comment because It may happen, in six months or one year time that It Is changed without thinking about its relevamce.
That is one of the things I was going to play with to see what made the most sense. I was slightly surprised it worked as the last rule because I created it then forgot to move it.
When I set up any device, Server, configuration… we always document the process so that if someone else needs to work on it, or it needs to be done again, we have a guide. I figured I had typed it up, so I might as well share it. I don’t think I missed any steps, and I hope this helps someone out in the future.
This document will detail the steps to configure a Mikrotik router to failover to a secondary WAN connection (Starlink) in the event of WAN 1 (ISP connection) losing the ability to ping 8.8.8.8, signifying an outage. Using an address list allows you to control what devices are still allowed to access the internet while WAN 2 is handling traffic. Once 8.8.8.8 is again reachable, the system will return to normal operation with all devices allowed to the internet and utilising WAN 1
Set up Mikrotik router with standard primary WAN settings
go to IP->DHCP Client, select your WAN and set “Add Default Route” to NO
Go to IP -> routes and click New
In the comment type primary (This piece is critical as a script later will reference this comment)
Set dst. address to 0.0.0.0/0
Set Gateway to your WAN 1 gateway
Set Distance to 1
Apply, Okay
Set up Secondary WAN (Failover WAN)
Go to Bridge -> Ports and remove ether 2 (I am using ether 2 as my second WAN connection)
Go to Interfaces ->Interface List and click New
Set List to WAN
Set Interface to Ether 2
Apply, Okay
Go to IP -> DHCP Client and click New
Set Interface to Ether 2
Make sure “Set Default Route” is set to YES
Set Default Route Distance to 2
Apply, Okay
Set up the allowed device list
Go to ip -> Firewall ->addless Lists and click NEW
In the new address list, set the list name to WAN2_Allowed
In the address box, enter the IP address of a device you want to fail over to the backup WAN
Apply, Okay
Repeat these steps for each device you want to allow WAN 2 access to.
Go to IP -> Firewall Filter Rules and click New
Set Chain to Forward
Set Src. Address List to ! WAN2_Allowed
Set out interface to ether 2
Set Action to Reject
Set Reject to icmp network unreachable
Apply, Okay
Move this rule up to go just under the default Passthrough forward rule
Go to Tools -> Netwatch and select New
Set Host to 8.8.8.8
Set timeout to 1 second
Expand the Up section and add these 2 scripts on separate lines
/ip route enable [find comment=”primary”]
/ip firewall connection remove [find]
Expand the Down section and add these 2 scripts on separate lines
/ip route disable [find comment=”primary”]
/ip firewall connection remove [find}
Apply, Okay
I have some doubts on the way you remove connections (if needed/advised at all).
The matter had been discussed on the simple netwatch failover thread, starting here:
With the rules you currently have in the firewall filter table on the chain forward, because you have no other accept rules, then it works fine at the last position. If you want, you can move it up a little, just below the "defconf: drop invalid" rule, just in case you'd have more accept rules that you'll insert into the firewall in the future.
as I have shown above, I think, first the reject rule, then the standard allow lan-list to wan and then drop all else.
if reject is not required simply accept lan-list to ether1, accept allow_List to ether2, then drop all else
I am, in the same situation, however because my LAN has 2 routers connected, one RB5009 connected to Starlink, a hAP ax³ connected to FTTH, I have configure VRRP, and wrote a check script to check for 1.1.1.1/8.8.8.8 (because sometimes the core router of a provider stops working) to raise or lower the VRRP priority of ether device.
If both are up, use FTTH, if any breaks, use the other. Works nicely.
For the router/access, I have the guest access VLAN which has its own DHCP Server and an own subnet pool. That pool is denied access to the Starlink connection.
I should have mentioned that this is my spare test router, so it only has the default Firewall rules in it, it is behind another Mikrotik firewall, and I continually wipe it to set things up. so Generally, I would have more rules, and I would dig a little deeper into where the rule should be placed. I'm definitely still learning the ins and outs of routing and I appreciate everyone’s input and kindness. Too many other sites just have people jumping in to show how smart they are and how stupid you are, and for that reason, I try to get things as close as I can before reaching out for help.