One more Basic ISP Failover pppoe+wan

Hi,
I have one more very similar question, but I failed to find an exact answer for my case, and there are a million options.

So I have a PPPoE main line with a flat rate that fails a few times a day for a few minutes due to DSL uplink death.
So I got a 4G router from a different provider, limited to 50GB of traffic, to be the failover and connected it to the MikroTik via 192.168.0.1 on ether3.

I want to use PPPoE when it is working, switch to ether3 for those few minutes when it is not, and then go back to PPPoE as soon as possible, due to the limited data.

I would like for my RDP connections to stay connected if possible.
I have managed to connect ether3, and the MikroTik is aware that there is internet via ether3, and it knows when there is no connection on PPPoE, but it does not switch to ether3 when PPPoE dies.

https://ibb.co/VMRTVMG

There are too many options recommended for a beginner to understand what is the best option in this case and what route to go: distance, masquerade, netwatch, load balancing with PCC…

/export hide-sensitive file=anynameyouwish

Hi,
Here it is:

# may/18/2021 14:35:18 by RouterOS 6.45.9
# software id = H8IP-FT07
#
# model = RBD52G-5HacD2HnD
# serial number = D7160D9D7422
/interface bridge
add admin-mac=08:55:31:5E:37:13 auto-mac=no comment=defconf mtu=1480 name=\
    bridge
add name=bridge2
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    country="united states" disabled=no distance=indoors frequency=auto \
    installation=indoor mode=ap-bridge ssid=Vulisha wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX country="united states" disabled=no distance=indoors \
    frequency=auto installation=indoor mode=ap-bridge ssid="Vulisha 5GHz" \
    wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
    supplicant-identity=MikroTik
/ip firewall layer7-protocol
add name="Amazon Update" regexp="^.+d1s31zyz7dcc2d.cloudfront.net.*\$|^.+amzdi\
    gital-a.akamaihd.net.*\$|^.+amzdigitaldownloads.edgesuite.net.*\$|^.+updat\
    es.amazon.com.*\$|^.+softwareupdates.amazon.com.*\$"
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp ranges=192.168.1.150-192.168.1.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge lease-time=8h name=defconf
/port
set 0 baud-rate=9600 data-bits=8 flow-control=none name=usb1 parity=none \
    stop-bits=1
/interface ppp-client
add apn=internet name=ppp-out1 port=usb1
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 max-mtu=1480 name=\
    pppoe-out1 profile=default-encryption user=frankvul
/queue simple
add burst-limit=768k/0 burst-threshold=768k/0 burst-time=1s/0s limit-at=\
    768k/0 max-limit=768k/0 name="Main Queue" target=192.168.1.0/24
add name="1PM bojler Filip " parent="Main Queue" target=192.168.1.30/32
add name="1PM bojler mater " parent="Main Queue" target=192.168.1.31/32
add name=1EM parent="Main Queue" target=192.168.1.40/32
add name="Plug S" parent="Main Queue" target=192.168.1.50/32
add max-limit=128k/2M name="Galaxy J7" parent="Main Queue" target=\
    192.168.1.248/32
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge2 comment=defconf disabled=yes interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface detect-internet
set detect-interface-list=all
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
/interface wireless access-list
add interface=wlan1 mac-address=C0:E4:34:60:97:EB
add interface=wlan1 mac-address=D0:37:45:71:EF:71
add interface=wlan1 mac-address=20:F4:78:27:02:34
add interface=wlan1 mac-address=F4:CF:A2:E3:AC:72
add interface=wlan1 mac-address=E0:98:06:B5:75:1A
/ip address
add address=192.168.1.1/24 comment=defconf interface=ether2 network=\
    192.168.1.0
add address=192.168.5.2/24 interface=ether1 network=192.168.5.0
add address=192.168.0.2/24 interface=ether3 network=192.168.0.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid interface=ether1 \
    use-peer-dns=no
/ip dhcp-server lease
add address=192.168.1.151 comment="Klima Daikin" mac-address=\
    C0:E4:34:60:97:EB server=defconf
add address=192.168.1.248 client-id=1:88:83:22:f0:30:f9 mac-address=\
    88:83:22:F0:30:F9 server=defconf
add address=192.168.1.120 client-id=1:64:90:c1:12:77:1 comment=\
    "Roborock S5max" mac-address=64:90:C1:12:77:01 server=defconf
add address=192.168.1.158 client-id=1:b8:27:eb:4b:36:a0 mac-address=\
    B8:27:EB:4B:36:A0 server=defconf
add address=192.168.1.152 client-id=1:28:24:ff:71:6d:85 mac-address=\
    28:24:FF:71:6D:85 server=defconf
add address=192.168.1.20 client-id=1:8:0:27:2d:7b:fe mac-address=\
    08:00:27:2D:7B:FE server=defconf
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf gateway=192.168.1.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8
/ip dns static
add address=192.168.1.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related disabled=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add chain=forward
add chain=forward
add action=drop chain=forward layer7-protocol="Amazon Update" protocol=tcp \
    src-port=80,443
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="towards to modem2" out-interface=\
    ether3
/ip service
set telnet disabled=yes
set ssh disabled=yes
/system clock
set time-zone-name=Europe/Zagreb
/system logging
add topics=wireless,debug
/tool graphing interface
add interface=pppoe-out1
/tool graphing queue
add simple-queue=1EM
add simple-queue="1PM bojler Filip "
add simple-queue="1PM bojler mater "
add simple-queue="Galaxy J7"
add simple-queue="Main Queue"
add simple-queue="Plug S"
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool traffic-monitor
add interface=bridge name=tmon1

Interface should be bridge, not ether2:
add address=192.168.1.1/24 comment=defconf interface=ether2 network=192.168.1.0

Get rid of these as they are not useful.
add chain=forward
add chain=forward

If ether3 is another DHCP client (WAN IP), it doesn't need a separate bridge??
ether3 should be a WAN list member

For the source NAT rules,
change the first one to out-interface=pppoe-out1

Now the most important settings you left out??
The IP routes??

The configuration does not need any routes, because they are created automatically on PPPoE login and when getting settings from the DHCP client.

Concur on ISP1, but what about ISP2?

DHCP creates the route. At the moment I'm writing a copy-paste solution;
in 3/4 min it will be ready and I will post it here.

The ether3/bridge2 modem2 etc. are all useless.


Simply copy and paste, but RDP always disconnects, whatever solution you try.

{
/interface bridge
set bridge mtu=auto
/ip dhcp-client set [find] default-route-distance=20
/interface pppoe-client set [find] max-mru=1480 default-route-distance=10
/ip address
set [find where address=192.168.1.1/24] interface=bridge
/ip service
set ftp disabled=yes
set www-ssl disabled=yes
set api disabled=yes
set api-ssl disabled=yes
}

Remove these two rules manually; with a script it is hard:

/ip firewall filter
add chain=forward
add chain=forward

And the IP on interface ether1? Useless if the IP comes from DHCP

/ip address
remove [find where address=192.168.5.2/24 and interface=ether1]

Hi, thanks on the script, I will try it over the weekend,

Just to explain situation:
on pppoe is connected to ether1,
ether2 is basically useless, well maybe not even connected :slight_smile: - > confirmed not even connected, just cable planned for future needs.
in ether3 is WAN/failover modem.

I prefer not using DHCP, i like fixed IP.
My main network is 192.168.1.0/24
192.168.5.1 is ISP modem that I use for pppoe connection.
192.168.0.1 is the IP address of the WAN 4G modem

I added 192.168.5.2 so I can access 192.168.5.1 so I can restart ISP modem when needed, couldn’t access automatically for some reason.

I will delete bridge 2 modem2 and firewall rules

Also, a fixed MTU was recommended by one person because the ISP modem chooses the wrong one. EDIT: I just saw pppoe still has max MRU. I will keep auto in the script then.

Regarding RDP it is fine, it will reconnect two times no help there and not a big problem :slight_smile:

ip dhcp-client set [find] default-route-distance=20
is this line that connects to wan router in case of failure? Does it need to be dhcp-client?

Well who ever waited for weekend :slight_smile: I did this script (without security part I will do that when I finish config) but it does not switch :frowning:

# may/19/2021 22:01:55 by RouterOS 6.45.9
# software id = H8IP-FT07
#
# model = RBD52G-5HacD2HnD
# serial number = D7160D9D7422
/interface bridge
add admin-mac=08:55:31:5E:37:13 auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    country="united states" disabled=no distance=indoors frequency=auto \
    installation=indoor mode=ap-bridge ssid=Vulisha wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX country="united states" disabled=no distance=indoors \
    frequency=auto installation=indoor mode=ap-bridge ssid="Vulisha 5GHz" \
    wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
    supplicant-identity=MikroTik
/ip firewall layer7-protocol
add name="Amazon Update" regexp="^.+d1s31zyz7dcc2d.cloudfront.net.*\$|^.+amzdi\
    gital-a.akamaihd.net.*\$|^.+amzdigitaldownloads.edgesuite.net.*\$|^.+updat\
    es.amazon.com.*\$|^.+softwareupdates.amazon.com.*\$"
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp ranges=192.168.1.150-192.168.1.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge lease-time=8h name=defconf
/port
set 0 baud-rate=9600 data-bits=8 flow-control=none name=usb1 parity=none \
    stop-bits=1
/interface ppp-client
add apn=internet name=ppp-out1 port=usb1
/interface pppoe-client
add add-default-route=yes default-route-distance=10 disabled=no interface=\
    ether1 max-mru=1480 max-mtu=1480 name=pppoe-out1 profile=\
    default-encryption user=frankvul
/queue simple
add burst-limit=768k/0 burst-threshold=768k/0 burst-time=1s/0s limit-at=\
    768k/0 max-limit=768k/0 name="Main Queue" target=192.168.1.0/24
add name="1PM bojler Filip " parent="Main Queue" target=192.168.1.30/32
add name="1PM bojler mater " parent="Main Queue" target=192.168.1.31/32
add name=1EM parent="Main Queue" target=192.168.1.40/32
add name="Plug S" parent="Main Queue" target=192.168.1.50/32
add max-limit=128k/2M name="Galaxy J7" parent="Main Queue" target=\
    192.168.1.248/32
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add comment=defconf disabled=yes interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface detect-internet
set detect-interface-list=all
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
/interface wireless access-list
add interface=wlan1 mac-address=C0:E4:34:60:97:EB
add interface=wlan1 mac-address=D0:37:45:71:EF:71
add interface=wlan1 mac-address=20:F4:78:27:02:34
add interface=wlan1 mac-address=F4:CF:A2:E3:AC:72
add interface=wlan1 mac-address=E0:98:06:B5:75:1A
/ip address
add address=192.168.1.1/24 comment=defconf interface=ether2 network=\
    192.168.1.0
add address=192.168.5.2/24 interface=ether1 network=192.168.5.0
add address=192.168.0.2/24 interface=ether3 network=192.168.0.0
/ip dhcp-client
add comment=defconf default-route-distance=20 dhcp-options=hostname,clientid \
    interface=ether1 use-peer-dns=no
/ip dhcp-server lease
add address=192.168.1.151 comment="Klima Daikin" mac-address=\
    C0:E4:34:60:97:EB server=defconf
add address=192.168.1.248 client-id=1:88:83:22:f0:30:f9 mac-address=\
    88:83:22:F0:30:F9 server=defconf
add address=192.168.1.120 client-id=1:64:90:c1:12:77:1 comment=\
    "Roborock S5max" mac-address=64:90:C1:12:77:01 server=defconf
add address=192.168.1.158 client-id=1:b8:27:eb:4b:36:a0 mac-address=\
    B8:27:EB:4B:36:A0 server=defconf
add address=192.168.1.152 client-id=1:28:24:ff:71:6d:85 mac-address=\
    28:24:FF:71:6D:85 server=defconf
add address=192.168.1.20 client-id=1:8:0:27:2d:7b:fe mac-address=\
    08:00:27:2D:7B:FE server=defconf
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf gateway=192.168.1.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8
/ip dns static
add address=192.168.1.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related disabled=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=drop chain=forward layer7-protocol="Amazon Update" protocol=tcp \
    src-port=80,443
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip service
set telnet disabled=yes
set ssh disabled=yes
/system clock
set time-zone-name=Europe/Zagreb
/system logging
add topics=wireless,debug
/tool graphing interface
add interface=pppoe-out1
/tool graphing queue
add simple-queue=1EM
add simple-queue="1PM bojler Filip "
add simple-queue="1PM bojler mater "
add simple-queue="Galaxy J7"
add simple-queue="Main Queue"
add simple-queue="Plug S"
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool traffic-monitor
add interface=bridge name=tmon1

Is it me or I don’t see on your export
/ip route
?
or maybe can you print your routing table to see how you make the failover

Read all posts...




/ip dhcp-client set [find] default-route-distance=20
/interface pppoe-client set [find] default-route-distance=10

check-gateway=ping on the primary wan, will allow the router to detect when it is not available and then the router will go to the next available route in Table main.
It will keep checking and when it comes back on line will switch back to the primary ISP.

Still not working, I added:

/ip route
add check-gateway=ping comment="Primary Default Route - Midco" distance=1 \
    gateway=pppoe-out1

But it defaults to 0.0.0.0. I googled, but I am not allowed to add a custom IP for the check ping; I see that is a feature request from 10 years ago :slight_smile:

Any more ideas, or should I try with netwatch as that option is mentioned.

# may/22/2021 23:07:35 by RouterOS 6.45.9
# software id = H8IP-FT07
#
# model = RBD52G-5HacD2HnD
# serial number = D7160D9D7422
/interface bridge
add admin-mac=08:55:31:5E:37:13 auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    country="united states" disabled=no distance=indoors frequency=auto \
    installation=indoor mode=ap-bridge ssid=Vulisha wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX country="united states" disabled=no distance=indoors \
    frequency=auto installation=indoor mode=ap-bridge ssid="Vulisha 5GHz" \
    wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
    supplicant-identity=MikroTik
/ip firewall layer7-protocol
add name="Amazon Update" regexp="^.+d1s31zyz7dcc2d.cloudfront.net.*\$|^.+amzdi\
    gital-a.akamaihd.net.*\$|^.+amzdigitaldownloads.edgesuite.net.*\$|^.+updat\
    es.amazon.com.*\$|^.+softwareupdates.amazon.com.*\$"
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp ranges=192.168.1.150-192.168.1.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge lease-time=8h name=defconf
/port
set 0 baud-rate=9600 data-bits=8 flow-control=none name=usb1 parity=none \
    stop-bits=1
/interface ppp-client
add apn=internet name=ppp-out1 port=usb1
/interface pppoe-client
add add-default-route=yes default-route-distance=10 disabled=no interface=\
    ether1 max-mru=1480 max-mtu=1480 name=pppoe-out1 profile=\
    default-encryption user=frankvul
/queue simple
add burst-limit=768k/0 burst-threshold=768k/0 burst-time=1s/0s limit-at=\
    768k/0 max-limit=768k/0 name="Main Queue" target=192.168.1.0/24
add name="1PM bojler Filip " parent="Main Queue" target=192.168.1.30/32
add name="1PM bojler mater " parent="Main Queue" target=192.168.1.31/32
add name=1EM parent="Main Queue" target=192.168.1.40/32
add name="Plug S" parent="Main Queue" target=192.168.1.50/32
add max-limit=128k/2M name="Galaxy J7" parent="Main Queue" target=\
    192.168.1.248/32
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add comment=defconf disabled=yes interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface detect-internet
set detect-interface-list=all
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
add interface=ether3 list=WAN
/interface wireless access-list
add interface=wlan1 mac-address=C0:E4:34:60:97:EB
add interface=wlan1 mac-address=D0:37:45:71:EF:71
add interface=wlan1 mac-address=20:F4:78:27:02:34
add interface=wlan1 mac-address=F4:CF:A2:E3:AC:72
add interface=wlan1 mac-address=E0:98:06:B5:75:1A
/ip address
add address=192.168.1.1/24 comment=defconf interface=ether2 network=\
    192.168.1.0
add address=192.168.5.2/24 interface=ether1 network=192.168.5.0
add address=192.168.0.2/24 interface=ether3 network=192.168.0.0
/ip dhcp-client
add comment=defconf default-route-distance=20 dhcp-options=hostname,clientid \
    interface=ether1 use-peer-dns=no
/ip dhcp-server lease
add address=192.168.1.151 comment="Klima Daikin" mac-address=\
    C0:E4:34:60:97:EB server=defconf
add address=192.168.1.248 client-id=1:88:83:22:f0:30:f9 mac-address=\
    88:83:22:F0:30:F9 server=defconf
add address=192.168.1.120 client-id=1:64:90:c1:12:77:1 comment=\
    "Roborock S5max" mac-address=64:90:C1:12:77:01 server=defconf
add address=192.168.1.158 client-id=1:b8:27:eb:4b:36:a0 mac-address=\
    B8:27:EB:4B:36:A0 server=defconf
add address=192.168.1.152 client-id=1:28:24:ff:71:6d:85 mac-address=\
    28:24:FF:71:6D:85 server=defconf
add address=192.168.1.20 client-id=1:8:0:27:2d:7b:fe mac-address=\
    08:00:27:2D:7B:FE server=defconf
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf gateway=192.168.1.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8
/ip dns static
add address=192.168.1.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related disabled=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=drop chain=forward layer7-protocol="Amazon Update" protocol=tcp \
    src-port=80,443
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip route
add check-gateway=ping comment="Primary Default Route - Midco" distance=1 \
    gateway=pppoe-out1
/ip service
set telnet disabled=yes
set ssh disabled=yes
/system clock
set time-zone-name=Europe/Zagreb
/system logging
add topics=wireless,debug
/tool graphing interface
add interface=pppoe-out1
/tool graphing queue
add simple-queue=1EM
add simple-queue="1PM bojler Filip "
add simple-queue="1PM bojler mater "
add simple-queue="Galaxy J7"
add simple-queue="Main Queue"
add simple-queue="Plug S"
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool traffic-monitor
add interface=bridge name=tmon1

Do you deliberately not provide DNS to your devices?
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf gateway=192.168.1.1 netmask=24
missing: dns-server=192.168.1.1 ???


The IP must go on bridge, not on ether2, if ether2 is on bridge:
/ip address
add address=192.168.1.1/24 comment=defconf interface=ether2 network=192.168.1.0

this IP can cause conflict, remove (or disable) it
/ip address
add address=192.168.0.2/24 interface=ether3 network=192.168.0.0

if WAN / failover is on ether3, why dhcp client is on ether1 ???
/ip dhcp-client
add comment=defconf default-route-distance=20 dhcp-options=hostname,clientid interface=ether1 use-peer-dns=no

set this to “none” (on pppoe-client do not work as expected)
/interface detect-internet
set detect-interface-list=all


remove this, is useless until all other settings are changed
/ip route
add check-gateway=ping comment="Primary Default Route - Midco" distance=1 gateway=pppoe-out1

Same observations… here.
I am not familiar with pppoe

Modify the current pppoe client (get rid of all the junk added) so it looks like the standard setup
{generic example}
/interface pppoe-client
add name=pppoe-out1 user=user password=passwd interface=ether1
service-name=internet disabled=no

Delete any routes you made so it's clean.
Anything with AS !!! as the first entry for example

In the DHCP client settings
DELETE the current entry,
Then create a new one,
for interface enter /select pppoe-out1
Do not check peer dns or peer ntp
Do set default route to YES!

Since your WAN2 seems to be a fixed wanip coming in on ether3 using the IP Address there is OK.
But here you will need to manually add an IP route.

destination will be 0.0.0.0 gateway will be 192.168.0.1

Now post your config (after you also fix the items pointed out… DNS and bridge vice ether2)
/export hide-sensitive file=anynameyouwish

Answers in red:

Answers in red as well:

So I have this now

# may/23/2021 23:53:36 by RouterOS 6.45.9
# software id = H8IP-FT07
#
# model = RBD52G-5HacD2HnD
# serial number = D7160D9D7422
/interface bridge
add admin-mac=08:55:31:5E:37:13 auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    country="united states" disabled=no distance=indoors frequency=auto \
    installation=indoor mode=ap-bridge ssid=Vulisha wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX country="united states" disabled=no distance=indoors \
    frequency=auto installation=indoor mode=ap-bridge ssid="Vulisha 5GHz" \
    wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
    supplicant-identity=MikroTik
/ip firewall layer7-protocol
add name="Amazon Update" regexp="^.+d1s31zyz7dcc2d.cloudfront.net.*\$|^.+amzdi\
    gital-a.akamaihd.net.*\$|^.+amzdigitaldownloads.edgesuite.net.*\$|^.+updat\
    es.amazon.com.*\$|^.+softwareupdates.amazon.com.*\$"
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp ranges=192.168.1.150-192.168.1.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge lease-time=8h name=defconf
/port
set 0 baud-rate=9600 data-bits=8 flow-control=none name=usb1 parity=none \
    stop-bits=1
/interface ppp-client
add apn=internet name=ppp-out1 port=usb1
/interface pppoe-client
add add-default-route=yes default-route-distance=10 disabled=no interface=\
    ether1 max-mru=1480 max-mtu=1480 name=pppoe-out1 profile=\
    default-encryption user=frankvul
/queue simple
add burst-limit=768k/0 burst-threshold=768k/0 burst-time=1s/0s limit-at=\
    768k/0 max-limit=768k/0 name="Main Queue" target=192.168.1.0/24
add name="1PM bojler Filip " parent="Main Queue" target=192.168.1.30/32
add name="1PM bojler mater " parent="Main Queue" target=192.168.1.31/32
add name=1EM parent="Main Queue" target=192.168.1.40/32
add name="Plug S" parent="Main Queue" target=192.168.1.50/32
add max-limit=128k/2M name="Galaxy J7" parent="Main Queue" target=\
    192.168.1.248/32
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add comment=defconf disabled=yes interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface detect-internet
set detect-interface-list=all
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
add interface=ether3 list=WAN
/interface wireless access-list
add interface=wlan1 mac-address=C0:E4:34:60:97:EB
add interface=wlan1 mac-address=D0:37:45:71:EF:71
add interface=wlan1 mac-address=20:F4:78:27:02:34
add interface=wlan1 mac-address=F4:CF:A2:E3:AC:72
add interface=wlan1 mac-address=E0:98:06:B5:75:1A
/ip address
add address=192.168.5.2/24 interface=ether1 network=192.168.5.0
add address=192.168.0.2/24 interface=ether3 network=192.168.0.0
add address=192.168.1.1/24 interface=bridge network=192.168.1.0
/ip dhcp-server lease
add address=192.168.1.151 comment="Klima Daikin" mac-address=\
    C0:E4:34:60:97:EB server=defconf
add address=192.168.1.248 client-id=1:88:83:22:f0:30:f9 mac-address=\
    88:83:22:F0:30:F9 server=defconf
add address=192.168.1.120 client-id=1:64:90:c1:12:77:1 comment=\
    "Roborock S5max" mac-address=64:90:C1:12:77:01 server=defconf
add address=192.168.1.158 client-id=1:b8:27:eb:4b:36:a0 mac-address=\
    B8:27:EB:4B:36:A0 server=defconf
add address=192.168.1.152 client-id=1:28:24:ff:71:6d:85 mac-address=\
    28:24:FF:71:6D:85 server=defconf
add address=192.168.1.20 client-id=1:8:0:27:2d:7b:fe mac-address=\
    08:00:27:2D:7B:FE server=defconf
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf gateway=192.168.1.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8,192.168.1.1
/ip dns static
add address=192.168.1.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related disabled=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=drop chain=forward layer7-protocol="Amazon Update" protocol=tcp \
    src-port=80,443
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip route
add check-gateway=ping distance=20 gateway=192.168.0.1
/ip service
set telnet disabled=yes
set ssh disabled=yes
/system clock
set time-zone-name=Europe/Zagreb
/system logging
add topics=wireless,debug
/tool graphing interface
add interface=pppoe-out1
/tool graphing queue
add simple-queue=1EM
add simple-queue="1PM bojler Filip "
add simple-queue="1PM bojler mater "
add simple-queue="Galaxy J7"
add simple-queue="Main Queue"
add simple-queue="Plug S"
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool traffic-monitor
add interface=bridge name=tmon1

Heey it seems to be working now, thanks guys! I will monitor it for few more days but it seems good!
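
The route selection that the thread converges on, modelled in Python as an added example (it is not part of any post, and it is not RouterOS code): the default route with the lowest distance wins among routes that are currently usable. Distances, gateways and interface names come from the exports above; the `running`/`answering` sets, the constructed timeline, and the assumption that the DHCP client on ether1 in the may/19 export contributes no usable default route are simplifications of this model.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class DefaultRoute:
    gateway: str                 # next hop: interface name or IP address
    out_interface: str           # interface the next hop is reached through
    distance: int                # lower distance is preferred
    check_gateway: bool = False  # models check-gateway=ping on the route


def pick_default(routes: Iterable[DefaultRoute],
                 running: Set[str],
                 answering: Set[str]) -> Optional[DefaultRoute]:
    """Return the usable default route with the lowest distance, or None.

    A route is usable when its outgoing interface is running and, if it is
    probed (check_gateway), its gateway currently answers the probe.
    """
    usable = [
        r for r in routes
        if r.out_interface in running
        and (not r.check_gateway or r.gateway in answering)
    ]
    return min(usable, key=lambda r: r.distance, default=None)


# Route added dynamically by the PPPoE client (default-route-distance=10).
PPPOE = DefaultRoute("pppoe-out1", "pppoe-out1", 10)
# Static route from the may/23 export: distance=20 gateway=192.168.0.1.
BACKUP = DefaultRoute("192.168.0.1", "ether3", 20, check_gateway=True)

# may/19 export: no default route leaves through ether3 (assumed: the DHCP
# client on ether1 obtains no lease, so it adds nothing usable).
EXPORT_MAY19 = [PPPOE]
# may/23 export: PPPoE dynamic route plus the static backup route.
EXPORT_MAY23 = [PPPOE, BACKUP]

# Constructed timeline: DSL up, DSL down, DSL back up. The 4G modem on
# ether3 stays reachable throughout.
State = Tuple[Set[str], Set[str]]
TIMELINE: List[State] = [
    ({"pppoe-out1", "ether3"}, {"192.168.0.1"}),
    ({"ether3"}, {"192.168.0.1"}),
    ({"pppoe-out1", "ether3"}, {"192.168.0.1"}),
]


def replay(routes: Iterable[DefaultRoute],
           timeline: List[State]) -> List[Optional[str]]:
    """Gateway chosen at each step of the timeline (None = no internet)."""
    routes = list(routes)
    chosen = []
    for running, answering in timeline:
        best = pick_default(routes, running, answering)
        chosen.append(best.gateway if best else None)
    return chosen


if __name__ == "__main__":
    print("may/19:", replay(EXPORT_MAY19, TIMELINE))
    print("may/23:", replay(EXPORT_MAY23, TIMELINE))
```
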

My apologies for earlier comments. I have since read up on how the pppoe client is set up, so I have a better appreciation of what you are attempting to do!

Upon review items.

(1) why is ether 3 disabled?
/interface bridge port
add comment=defconf disabled=yes interface=ether3

(2) Recommend setting to NONE
/interface detect-internet
set detect-interface-list=all

(3) The address for your pppoe interface makes no sense, did you add it?
All the magic is done in the pppoe client.
Remove this address attached to ether1
/ip address
add address=192.168.5.2/24 interface=ether1 network=192.168.5.0

(4) where I want to focus is your IP routes.
All that is showing in your config is the following
/ip route
add check-gateway=ping distance=20 gateway=192.168.0.1

So one cannot get a sense what is really occurring,
What I need for you to do is take a jpeg of your routes
Just be careful to hide numbers, I am providing an example so you know what I mean.
See how the actual IP address info is covered up!!!

I didn’t even need to cover the IP, as it is changed on every DSL downlink, and that is more than often :smiley:

So to sum up today's situation:
Failover now WORKS, and thanks a lot guys for that, but it is quite slow; it sometimes takes over 30 seconds to switch from pppoe to WAN. I found this script as an alternative:

/tool netwatch
add disabled=no down-script="/interface ethernet disable ether1 \n\r\n /interface ethernet enable ether1" host=172.16.0.1 interval=00:00:05 timeout=1s up-script=""

I wonder would that be better option than check-gateway? It seems as bit dirty solution :slight_smile: