Problem with failover to backup ISP

I tried to create a failover to a backup ISP. I followed a few YouTube videos where everything is explained, but I'm stuck… I can't get it to switch over to the other ISP.

If I disconnect the cable from the primary ISP it works, but if I simulate a network outage by disconnecting the WAN from the ISP router while the router itself stays up, the first route (marked as ISP1) is shown as unreachable after 20 seconds but it doesn't switch over to the other route. I tried watching different videos but nothing worked…

Here is my test setup:

# 2024-11-05 06:31:28 by RouterOS 7.17beta2
# software id = 
#
# model = C52iG-5HaxD2HaxD
# serial number = 
/interface bridge
add admin-mac= auto-mac=no comment=defconf name=bridge
/interface wifi
set [ find default-name=wifi1 ] channel.band=5ghz-ax .skip-dfs-channels=\
    10min-cac .width=20/40/80mhz configuration.mode=ap .ssid=MikroTik- \
    disabled=no security.authentication-types=wpa2-psk,wpa3-psk .ft=yes \
    .ft-over-ds=yes
set [ find default-name=wifi2 ] channel.band=2ghz-ax .skip-dfs-channels=\
    10min-cac .width=20/40mhz configuration.mode=ap .ssid=MikroTik- \
    disabled=no security.authentication-types=wpa2-psk,wpa3-psk .ft=yes \
    .ft-over-ds=yes
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
/disk settings
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wifi1
add bridge=bridge comment=defconf interface=wifi2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add comment=backup interface=ether2 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
/ip dhcp-client
add add-default-route=no comment=defconf interface=ether1
add add-default-route=no comment=backup interface=ether2
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan type=A
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip route
add disabled=no distance=2 dst-address=0.0.0.0/0 gateway=192.168.188.1 \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.100.100 \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add check-gateway=ping comment="Monitor ISP1" disabled=no distance=1 \
    dst-address=8.8.8.8/32 gateway=192.168.100.100 routing-table=main scope=\
    10 suppress-hw-offload=no target-scope=10
add comment="Monitor ISP2" disabled=no distance=1 dst-address=1.1.1.1/32 \
    gateway=192.168.188.1 routing-table=main scope=10 suppress-hw-offload=no \
    target-scope=10
add check-gateway=ping comment=ISP1 disabled=no distance=1 dst-address=\
    0.0.0.0/0 gateway=8.8.8.8 routing-table=main scope=10 \
    suppress-hw-offload=no target-scope=11
add comment=ISP2 disabled=no distance=2 dst-address=0.0.0.0/0 gateway=1.1.1.1 \
    routing-table=main scope=10 suppress-hw-offload=no target-scope=11
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
    dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=Europe/Zagreb
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

This is the pure default configuration.

I think the two default routes with direct gateways to the ISPs, i.e. the ones without a comment, are messing with the failover. Disable them and try tripping the ISP into switching over again.

Provide the output of /ip route print twice, once in the "normal" state and once with the ISP WAN cable detached, as it will be clearer what actually happens.

As a side note, and JFYI, another possible approach (IMHO simpler):
http://forum.mikrotik.com/t/simpler-failover-for-two-gateways-i-found-working/169108/1

You have too many routes LOL

/ip route
add check-gateway=ping comment=ISP1 dst-address=0.0.0.0/0 gateway=8.8.8.8 routing-table=main scope=10 target-scope=12
add dst-address=8.8.8.8/32 gateway=192.168.100.100 routing-table=main scope=10 target-scope=11

++++++++++++++++++++
add check-gateway=ping distance=2 comment=ISP2 dst-address=0.0.0.0/0 gateway=1.1.1.1 routing-table=main scope=10 target-scope=12
add dst-address=1.1.1.1/32 gateway=192.168.188.1 routing-table=main scope=10 target-scope=11

Just ensure that you don't use 8.8.8.8 and 1.1.1.1 as DNS servers in IP DNS.
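As an added illustration (not code from this thread or from MikroTik), the Python script below models the recursive next-hop resolution and check-gateway=ping behaviour that the advice above relies on, and reproduces both outcomes: with the poster's original table, the plain distance-1 default route via 192.168.100.100 stays installed when ISP1's WAN is down, because its gateway (the ISP router's LAN address) still answers pings, so traffic is blackholed; with the trimmed table, the recursive ISP1 route is dropped and ISP2 takes over. It also shows why 8.8.8.8 and 1.1.1.1 must not double as DNS servers: the /32 monitor routes pin them to one ISP even when that ISP is dead. The route entries and gateways are taken from the thread; the 203.0.113.1 test destination is constructed; the resolution rules are a simplified reading of the RouterOS documentation, not RouterOS's own implementation.

```python
"""Added model (not RouterOS code) of RouterOS v7 recursive next-hop resolution
and check-gateway=ping.  Model assumptions: a next-hop resolves only through an
installed route whose scope <= the resolving route's target-scope (longest prefix
wins); per destination only the lowest-distance resolvable route is installed
(first listed wins a tie); a ping fails when it must cross a dead uplink, while
the ISP router's own LAN address keeps answering with its WAN side down."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Route:
    dst: str
    gateway: str            # next-hop IP, or an interface name for a connected route
    distance: int = 1
    scope: int = 30
    target_scope: int = 10
    check_gateway: bool = False

def _is_ip(text):
    try:
        ip_address(text)
        return True
    except ValueError:
        return False

def _covering(routes, addr, max_scope):
    """Longest-prefix route in `routes` that covers addr and has scope <= max_scope."""
    hits = [r for r in routes if r.scope <= max_scope and ip_address(addr) in ip_network(r.dst)]
    return max(hits, key=lambda r: ip_network(r.dst).prefixlen) if hits else None

def _immediate_gw(route, fib):
    """On-link next-hop for `route` given the installed routes `fib`, or None."""
    if not _is_ip(route.gateway):
        return route.gateway                       # connected: the interface itself
    via = _covering([r for r in fib if r is not route], route.gateway, route.target_scope)
    if via is None:
        return None
    # a gateway on a connected network is the immediate gateway itself; otherwise
    # the recursive route inherits the immediate gateway of the covering route
    return route.gateway if not _is_ip(via.gateway) else fib[via]

def _ping_ok(target, immediate_gw, dead_uplinks):
    return target == immediate_gw or immediate_gw not in dead_uplinks

def build_fib(routes, dead_uplinks=frozenset()):
    """Iterate to a fixpoint; returns {route: immediate_gw} for the installed routes."""
    fib = {}
    for _ in range(10):                            # cap guards against a flapping table
        best = {}
        for r in routes:
            gw = _immediate_gw(r, fib)
            if gw is None:
                continue                           # inactive: gateway cannot be resolved
            if r.check_gateway and not _ping_ok(r.gateway, gw, dead_uplinks):
                continue                           # what RouterOS flags as "unreachable"
            if r.dst not in best or r.distance < best[r.dst][0].distance:
                best[r.dst] = (r, gw)
        new_fib = dict(best.values())
        if new_fib == fib:
            break
        fib = new_fib
    return fib

def next_hop_for(routes, addr, dead_uplinks=frozenset()):
    """Immediate gateway used for addr, or None when no route is installed."""
    fib = build_fib(routes, dead_uplinks)
    via = _covering(fib, addr, max_scope=255)
    return fib[via] if via else None

ISP1_GW, ISP2_GW = "192.168.100.100", "192.168.188.1"
# connected routes that the DHCP clients on ether1 (ISP1) and ether2 (ISP2) install
CONNECTED = [Route("192.168.100.0/24", "ether1", distance=0, scope=10, target_scope=5),
             Route("192.168.188.0/24", "ether2", distance=0, scope=10, target_scope=5)]

# the poster's original /ip route, plain default routes included
ORIGINAL = CONNECTED + [
    Route("0.0.0.0/0", ISP2_GW, distance=2),
    Route("0.0.0.0/0", ISP1_GW, distance=1),
    Route("8.8.8.8/32", ISP1_GW, scope=10, check_gateway=True),              # Monitor ISP1
    Route("1.1.1.1/32", ISP2_GW, scope=10),                                  # Monitor ISP2
    Route("0.0.0.0/0", "8.8.8.8", distance=1, scope=10, target_scope=11, check_gateway=True),  # ISP1
    Route("0.0.0.0/0", "1.1.1.1", distance=2, scope=10, target_scope=11),    # ISP2
]
# anav's trimmed table: two recursive defaults plus the two /32 monitor routes
FIXED = CONNECTED + [
    Route("0.0.0.0/0", "8.8.8.8", distance=1, scope=10, target_scope=12, check_gateway=True),  # ISP1
    Route("8.8.8.8/32", ISP1_GW, scope=10, target_scope=11),
    Route("0.0.0.0/0", "1.1.1.1", distance=2, scope=10, target_scope=12, check_gateway=True),  # ISP2
    Route("1.1.1.1/32", ISP2_GW, scope=10, target_scope=11),
]

if __name__ == "__main__":
    for name, table in (("original", ORIGINAL), ("trimmed", FIXED)):
        for dead in (frozenset(), frozenset({ISP1_GW})):
            state = "ISP1 down" if dead else "all up"
            print(f"{name:8} {state:9} -> {next_hop_for(table, '203.0.113.1', dead)}")
    # the /32 pins 1.1.1.1 to ISP2 even when ISP2 is down, hence not a DNS server
    print("1.1.1.1 with ISP2 down ->", next_hop_for(FIXED, "1.1.1.1", frozenset({ISP2_GW})))
```

Running it prints the installed next-hop for a public address under each table and failure state; the original table keeps handing traffic to 192.168.100.100 after ISP1's uplink dies, while the trimmed table moves to 192.168.188.1, and with both uplinks dead it has no default route at all rather than a blackhole. The last line shows the DNS caveat: 1.1.1.1 is still routed to ISP2's gateway when ISP2 is down, so a resolver pointed at it stops working during exactly the outage the failover was built for.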

Yeah, those routes are added by the DHCP client, and there I only changed the distance to 2 for the backup internet connection.

@anav

On the test setup I have AdGuard, which has upstream DNS servers 8.8.8.8 and 1.1.1.1, and the test router uses AdGuard as DNS. In the real setup I will use an adlist on MikroTik instead of AdGuard.

So looking at your configuration, I should remove the default routes created by the DHCP client and make the changes you wrote here.

Confusing words…
Looking at your config…

/ip dhcp-client
add add-default-route=no comment=defconf interface=ether1
add add-default-route=no comment=backup interface=ether2

a. Based on the above, the router didn't create any default routes.
b. If it had created them, they wouldn't show up in the config anyway.
c. Conclusion: they can only be there because you created them LOL.

And again, /ip route print will show whether the routes are static or dynamic, or whether they come from DHCP, etc.

True… I had a version where the DHCP client created the routes automatically.

@jaclaz

I will try to post it tomorrow, as I test this at the office so I don't have access to the router right now.

As soon as I disabled the routes I added and changed the target scope as @anav suggested, everything is working.

When I check my public IP, first I get the IP from the office internet connection. I disable the WAN, and after 20 seconds or so the first route becomes unreachable and the second route becomes active, and after checking the public IP I get the IP address from my backup internet provider.

The problem was indeed too many routes.

Now route list looks like this:

[admin@MikroTik] > ip route p d
Flags: D - dynamic; X - disabled, I - inactive, A - active; c - connect, s - static, r - rip, b - bgp, o - ospf, i - is-is, d - dhcp, v - vpn, m - modem, y - bgp-mpls-vpn; H - hw-offloaded; + - ecmp 
 0  As   ;;; ISP1
         dst-address=0.0.0.0/0 routing-table=main gateway=8.8.8.8 immediate-gw=192.168.100.100%ether1 check-gateway=ping distance=1 scope=10 target-scope=12 suppress-hw-offload=no 

 1   s   ;;; ISP2
         dst-address=0.0.0.0/0 routing-table=main gateway=1.1.1.1 immediate-gw=192.168.188.1%ether2 check-gateway=ping distance=2 scope=10 target-scope=12 suppress-hw-offload=no 

 2  As   ;;; Monitor ISP2
         dst-address=1.1.1.1/32 routing-table=main gateway=192.168.188.1 immediate-gw=192.168.188.1%ether2 distance=1 scope=10 target-scope=11 suppress-hw-offload=no 

 3  As   ;;; Monitor ISP1
         dst-address=8.8.8.8/32 routing-table=main gateway=192.168.100.100 immediate-gw=192.168.100.100%ether1 check-gateway=ping distance=1 scope=10 target-scope=11 suppress-hw-offload=no 

   DAc   dst-address=192.168.88.0/24 routing-table=main gateway=bridge immediate-gw=bridge distance=0 scope=10 target-scope=5 local-address=192.168.88.1%bridge 

   DAc   dst-address=192.168.100.0/24 routing-table=main gateway=ether1 immediate-gw=ether1 distance=0 scope=10 target-scope=5 local-address=192.168.100.3%ether1 

   DAc   dst-address=192.168.188.0/24 routing-table=main gateway=ether2 immediate-gw=ether2 distance=0 scope=10 target-scope=5 local-address=192.168.188.252%ether2

All as expected; check-gateway=ping basically attempts two pings every 10 seconds to decide if the route is available…

Thank you @anav, jaclaz and TheCat12 for the help. It’s working now like it’s supposed to.