New to Mikrotik and seeking advice

I want to configure dual WAN on the Mikrotik HAP AX3 with campground Wi‑Fi as WAN1 and Starlink as WAN2, using automatic failover based on link health / connectivity checks. Starlink should take over only when WAN1 fails. Any help or guidance would be greatly appreciated. TIA

Here's something I was working on a while back to auto-configure dual WAN deployments, including linking to a ZeroTier network. It's set up as a script to run on boot after a reset configuration. This is designed for dual Ethernet DHCP WAN connections, so you'll need to do some tinkering to use the Wi-Fi as a WAN link (hint: station bridge).

You'll need to review the variables that are set (lines starting with ":global") and change them to something appropriate to your configuration. All of the DNS servers noted are there for the policy-based routing, so that it ensures that the server is pingable through each WAN interface in order to decide which one to use (by default ether1).

Then the section on basic bridging will need to be adapted to the interface names of the HAPax3 you want to use here and add in your configuration for the Wifi. And also the embedded DHCP client scripts will need to be updated for the interfaces you've assigned for the WAN.

@KF4MMS

There are mainly two ways to obtain what you want.

  1. Netwatch, here is the simplest approach possible:
    Simpler Failover for two Gateways I found working - #19 by jaclaz
  2. recursive routing (basically you use a known reliable site as "virtual" gateway), here is the simplest way to make a recursive route explained:
    Simple recursive failover for bears of little brain

Since you are new, it is advised that you go through these, before anything else:
The twelve Rules of Mikrotik Club
GP & CSA (Good Practice and Common Sense Advice) for Mikrotik devices
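
The recursive-routing approach from option 2, written out as an added example (not part of the original post and not taken from the linked threads). Assumptions: wifi2 is the campground Wi-Fi uplink and ether1 is Starlink, as in the configuration posted later in this thread; 192.0.2.1 and 198.51.100.1 are placeholder gateway addresses; 9.9.9.9 and 8.8.4.4 are arbitrarily chosen probe hosts.

```routeros
# Added example, not from the thread.
# Assumed: wifi2 = WAN1 (campground Wi-Fi), ether1 = WAN2 (Starlink).
# Placeholders: 192.0.2.1 = WAN1 gateway, 198.51.100.1 = WAN2 gateway.
# Probe hosts (assumed choice): 9.9.9.9 for WAN1, 8.8.4.4 for WAN2.

# Keep the DHCP clients from installing their own default routes,
# otherwise those compete with the recursive defaults added below.
/ip dhcp-client
set [ find interface=wifi2 ] add-default-route=no
set [ find interface=ether1 ] add-default-route=no

/ip route
# Step 1: pin each probe host to exactly one uplink. scope=10 lets these
# host routes be used to resolve the next hop of the recursive routes.
add dst-address=9.9.9.9/32 gateway=192.0.2.1 scope=10 comment="probe via WAN1"
add dst-address=8.8.4.4/32 gateway=198.51.100.1 scope=10 comment="probe via WAN2"

# Step 2: default routes whose gateway is the probe host (the "virtual"
# gateway). check-gateway=ping deactivates a route when its probe host
# stops answering, so the distance=2 route becomes the active default
# only while WAN1 fails the check, and WAN1 takes over again on recovery.
add dst-address=0.0.0.0/0 gateway=9.9.9.9 target-scope=11 check-gateway=ping distance=1 comment="default via WAN1"
add dst-address=0.0.0.0/0 gateway=8.8.4.4 target-scope=11 check-gateway=ping distance=2 comment="default via WAN2"

# Check which default route is currently active.
/ip route print detail where dst-address=0.0.0.0/0
```

Because each probe host is pinned to one uplink by its /32 route, the probe hosts here are deliberately not the resolvers set under /ip dns. With DHCP uplinks the two placeholder gateways have to follow the lease, for example from the DHCP client scripts the first reply mentions.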

Where? :astonished_face:

Doh! Thanks for the heads up @jaclaz

Thanks for all the suggestions and ideas. Been working on this setup for 3 days and it is highly frustrating. Sometimes the commands to set things just simply do not change anything in the config. I was able to create my own SSID and join a PC to it but no internet. Mikrotik said it was a captive portal or client isolation on the wifi I was trying to connect to but this is not true and I can connect to the same wifi with a phone or pc. Maybe I am missing something and it's probably simple.

Sure, but don't worry, it is normal to have some initial issues, you need some time to get the knack of it.

When/if you are stuck, post your configuration together with a description of your network and what goals you have, and someone will be able to give you some advice.

Instructions how to post the configuration here:
Forum rules - #5 by gigabyte091

Wow, I thought the export command would anonymize the exported config. Yikes, it wasn't even close! I think I got it now. Here is my current config.

# 2026-06-07 05:33:06 by RouterOS 7.23.1
# software id = XXXXXXXXXX-XXXXXX
# model = XXXXXXXXXXXXXXXXXXXXX
# serial number = XXXXXXXXXXXXXXXXX

/interface bridge add admin-mac=XX:XX:XX:XX:XX:XX auto-mac=no comment=defconf name=bridge
/interface wifi set [ find default-name=wifi1 ] channel.band=5ghz-ax .skip-dfs-channels=10min-cac .width=20/40/80mhz configuration.mode=ap .ssid=" XXXXXXXXXXXXX " disabled=no security.authentication-types=wpa2-psk,wpa3-psk .ft=yes .ft-over-ds=yes
/interface list add comment=defconf name=WAN
/interface list add comment=defconf name=LAN
/interface wifi security add authentication-types=wpa2-psk disabled=no ft=no ft-over-ds=no name=sec1
/interface wifi security add authentication-types=wpa2-psk encryption=ccmp ft=no ft-over-ds=no name=uplink-sec wps=disable
/interface wifi security add authentication-types=wpa2-psk encryption=ccmp ft=no ft-over-ds=no name=clean-sec
/interface wifi security add authentication-types=wpa2-psk name=test-sec
/interface wifi configuration add channel.band=2ghz-n .width=20mhz mode=station name=wan-conf security=uplink-sec ssid="XXXXXXXXXXXXXX"
/interface wifi configuration add channel.band=2ghz-n .width=20mhz mode=station name=clean-conf security=clean-sec ssid="XXXXXXXXXXXXXX"
/interface wifi configuration add mode=station name=test-conf security=test-sec ssid="XXXXXXXXXXXXXX"
/interface wifi set [ find default-name=wifi2 ] configuration=test-conf disabled=no
/ip pool add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/system script add comment=defconf dont-require-permissions=no name=dark-mode owner=*sys policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="\r\
\n :if ([system leds settings get all-leds-off] = \"never\") do={\r\
\n /system leds settings set all-leds-off=immediate \r\
\n } else={\r\
\n /system leds settings set all-leds-off=never \r\
\n }\r\
\n "
/system script add comment=defconf dont-require-permissions=no name=wps-accept owner=*sys policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="\r\
\n :foreach iface in=[/interface/wifi find where (configuration.mode=\"ap\" && disabled=no)] do={\r\
\n /interface/wifi wps-push-button \$iface;}\r\
\n "
/disk settings set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
/interface bridge port add bridge=bridge comment=defconf interface=ether2
/interface bridge port add bridge=bridge comment=defconf interface=ether3
/interface bridge port add bridge=bridge comment=defconf interface=ether4
/interface bridge port add bridge=bridge comment=defconf interface=ether5
/interface bridge port add bridge=bridge comment=defconf interface=wifi1
/ip neighbor discovery-settings set discover-interface-list=LAN
/interface list member add comment=defconf interface=bridge list=LAN
/interface list member add comment=defconf interface=ether1 list=WAN
/interface list member add interface=wifi2 list=WAN
/ip address add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
/ip dhcp-client
# Interface not active
add interface=wifi2 name=client1
/ip dhcp-server add address-pool=default-dhcp interface=bridge name=defconf
/ip dhcp-server network add address=192.168.88.0/24 comment=defconf dns-server=1.1.1.1,8.8.8.8 gateway=192.168.88.1
/ip dns set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8
/ip dns static add address=192.168.88.1 comment=defconf name=router.lan type=A
/ip firewall filter add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
/ip firewall filter add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
/ip firewall filter add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
/ip firewall filter add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1 in-interface=lo src-address=127.0.0.1
/ip firewall filter add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
/ip firewall filter add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
/ip firewall filter add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
/ip firewall filter add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
/ip firewall filter add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
/ip firewall filter add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
/ip firewall filter add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat in-interface-list=WAN
/ip firewall nat add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip firewall nat add action=masquerade chain=srcnat out-interface=wifi2
/ip firewall nat add action=masquerade chain=srcnat out-interface=ether1
/ipv6 firewall address-list add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
/ipv6 firewall address-list add address=::1/128 comment="defconf: lo" list=bad_ipv6
/ipv6 firewall address-list add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
/ipv6 firewall address-list add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
/ipv6 firewall address-list add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
/ipv6 firewall address-list add address=100::/64 comment="defconf: discard only " list=bad_ipv6
/ipv6 firewall address-list add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
/ipv6 firewall address-list add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
/ipv6 firewall address-list add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
/ipv6 firewall filter add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept UDP traceroute" dst-port=33434-33534 protocol=udp
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
/ipv6 firewall filter add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/ipv6 firewall filter add action=fasttrack-connection chain=forward comment="defconf: fasttrack6" connection-state=established,related
/ipv6 firewall filter add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
/ipv6 firewall filter add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
/ipv6 firewall filter add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
/ipv6 firewall filter add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
/ipv6 firewall filter add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
/ipv6 firewall filter add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
/ipv6 firewall filter add action=accept chain=forward comment="defconf: accept HIP" protocol=139
/ipv6 firewall filter add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
/ipv6 firewall filter add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
/ipv6 firewall filter add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
/ipv6 firewall filter add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
/ipv6 firewall filter add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system clock set time-zone-name=America/New_York
/system ntp client set enabled=yes
/system ntp client servers add address=time.google.com
/system routerboard mode-button set enabled=yes on-event=dark-mode
/system routerboard wps-button set enabled=yes on-event=wps-accept
/tool mac-server set allowed-interface-list=LAN
/tool mac-server mac-winbox set allowed-interface-list=LAN

Yep, though you should select the configuration you posted and hit the </> button, which will make it into "code" (basically include it between three leading backticks and three ending backticks; in some cases you need to add "RouterOS" to have the code properly formatted).
I.e. (replaced backticks with apostrophes):
'''
this is code
'''
or:
'''RouterOS
this is code
'''

Also - for whatever reason - your export was made with the "terse" option, that makes everything less readable (but easier to copy/paste single lines).

Here it is hopefully properly converted and formatted (moved /system script to the bottom):

# 2026-06-07 05:33:06 by RouterOS 7.23.1
# software id = XXXXXXXXXX-XXXXXX
# model = XXXXXXXXXXXXXXXXXXXXX
# serial number = XXXXXXXXXXXXXXXXX
/interface bridge
add admin-mac=XX:XX:XX:XX:XX:XX auto-mac=no comment=defconf name=bridge
/interface wifi
set [ find default-name=wifi1 ] channel.band=5ghz-ax .skip-dfs-channels=10min-cac .width=20/40/80mhz configuration.mode=ap .ssid=" XXXXXXXXXXXXX " disabled=no security.authentication-types=wpa2-psk,wpa3-psk .ft=yes .ft-over-ds=yes
set [ find default-name=wifi2 ] configuration=test-conf disabled=no
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wifi security
add authentication-types=wpa2-psk disabled=no ft=no ft-over-ds=no name=sec1
add authentication-types=wpa2-psk encryption=ccmp ft=no ft-over-ds=no name=uplink-sec wps=disable
add authentication-types=wpa2-psk encryption=ccmp ft=no ft-over-ds=no name=clean-sec
add authentication-types=wpa2-psk name=test-sec
/interface wifi configuration
add channel.band=2ghz-n .width=20mhz mode=station name=wan-conf security=uplink-sec ssid="XXXXXXXXXXXXXX"
add channel.band=2ghz-n .width=20mhz mode=station name=clean-conf security=clean-sec ssid="XXXXXXXXXXXXXX"
add mode=station name=test-conf security=test-sec ssid="XXXXXXXXXXXXXX"
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/disk settings
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wifi1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=wifi2 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
/ip dhcp-client
# Interface not active
add interface=wifi2 name=client1
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=1.1.1.1,8.8.8.8 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan type=A
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1 in-interface=lo src-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=wifi2
add action=masquerade chain=srcnat out-interface=ether1
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" dst-port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack6" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system clock
set time-zone-name=America/New_York
/system ntp client
set enabled=yes
/system ntp client servers
add address=time.google.com
/system routerboard mode-button
set enabled=yes on-event=dark-mode
/system routerboard wps-button
set enabled=yes on-event=wps-accept
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/system script
add comment=defconf dont-require-permissions=no name=dark-mode owner=*sys policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="\r\
\n :if ([system leds settings get all-leds-off] = \"never\") do={\r\
\n /system leds settings set all-leds-off=immediate \r\
\n } else={\r\
\n /system leds settings set all-leds-off=never \r\
\n }\r\
\n "
add comment=defconf dont-require-permissions=no name=wps-accept owner=*sys policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="\r\
\n :foreach iface in=[/interface/wifi find where (configuration.mode=\"ap\" && disabled=no)] do={\r\
\n /interface/wifi wps-push-button \$iface;}\r\
\n "

Well, damn. It works perfectly now. Was I even close with my initial config or was it your magic with the added lines of code on the end of the config file?

Maybe you just rebooted the device, point #23:
GP & CSA (Good Practice and Common Sense Advice) for Mikrotik devices
or - sometimes it happens - it is just voodoo.

Your wifi settings are still (IMHO) a mess, they should be reviewed and re-organized along the DRY principle:
https://en.wikipedia.org/wiki/Don't_repeat_yourself

You should use one (or two in your case) configuration and security settings and two channels and leave the radios in /interface wifi set with just a configuration, a security and a channel.
Check the example given here:

It is more readable compared to having settings spread here and there; in any case, use "print detail" and "print detail config" to see the whole settings applied to each interface.

Thank you all for the help, advice, and suggestions. I really appreciate everyone taking the time to point me in the right direction.

I'm up and running now, and I'll be reviewing the WiFi settings to clean things up a bit. I have noticed one issue: when I connect Starlink to port 1, I occasionally have to disable wifi2 and then unplug/reconnect my laptop on one of the LAN ports (2-5) before internet access starts working properly. That tells me there is probably still some tweaking to do with the failover configuration.

That said, the setup is completely usable at this point and is doing what I need it to do. I'll continue fine-tuning it as I learn more about MikroTik.

Thanks again for all the assistance, and I hope everyone enjoys the rest of their weekend!

Well, the configuration you posted has no provisions for failover (no recursive routes, nor netwatch scripts), if you have issues, once things have "stabilized" a little, post again your current configuration and surely someone will be able to find the issue.

I cleaned up the WiFi configuration and profiles a lot. I also have failover working now but not using Netwatch ……yet. Probably a poor man’s failover for now but it works nonetheless.