Secondary WAN and failover setup hap ax2 (7.16) for a beginner

Hello all! I am new to network setup, just basic knowledge. I just bought a Mikrotik hAP ax2, and I want to set up dual WAN failover with an ISP modem (already in bridge mode) and a 4G/LTE mobile internet modem.

The ISP modem is connected to the ethernet1 (internet in) port, and I am struggling to set up a secondary WAN to connect the LTE modem and pass its internet through the other ethernet ports. How should I start with it? I have the factory defconfig in the Mikrotik, and from the basics, I would like to set up failover in case the ISP internet is out! No special request, just want automatic changeover.

I am stuck at setting up the ether2-5 ports as WAN ports to send internet through them. Do I even have to set that up for a failover system? I would appreciate any help from the first step from factory defconfig until the end.

Where should I start, where can I find a manual for it?

Thank you in advance!

The default is:
ether1:WAN
ether2-5:joined in a bridge LAN

What you have to do is to take ether2 (by convention the lower numbered ports are those that connect to the internet) out of the bridge, so that you will have:
ether1:WAN (1)
ether2:WAN (2)
ether3-5 joined in a bridge:LAN

Be careful to not lock yourself out by categorizing the whole bridge as WAN.

You should have:
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN

and
/interface list member
add interface=ether1 list=WAN
add interface=bridge list=LAN

This latter should become:
/interface list member
add interface=ether1 list=WAN
add interface=ether2 list=WAN
add interface=bridge list=LAN

Then, long before attempting to set up failover, you will need to separately configure the two interfaces: setting the DHCP client on them (if needed, defconf already has it on ether1), an /ip firewall nat srcnat or masquerade rule for each, and, if not dynamically created, two routes.

Once you have both connections working (experiment by enabling and disabling the other route), we can start talking about failover setup.

Personally I would first make just the “normal” connection (via ether1) and test it, then add the second connection (via ether2).

The easiest (IMHO) failover approach in a user case like yours is this one:
http://forum.mikrotik.com/t/simpler-failover-for-two-gateways-i-found-working/169108/1

It would be easier to assist you if you can get minimally familiar with the CLI[1], at least to export and post your current configuration, see if you can follow the instructions here:
http://forum.mikrotik.com/t/forum-rules/173010/1


[1] While the GUI is much more comfortable for changing settings, a textual export or print is the best way to check what the settings are and to communicate them over the forum (much better than a bunch of tiny partial screenshots).
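As an added example (not the thread's own commands), the "two independent WANs" step described above as RouterOS 7 CLI; the interface and list names are the defconf ones from the OP's export, and the route distances 1 and 2 are my assumption, chosen so the LTE default route is a backup rather than an equal-cost twin of the ISP route.

```routeros
# Added example, not from the thread. Names ether1/ether2/bridge/WAN/LAN are
# the defconf ones; distances 1 (ISP) and 2 (LTE) are my choice (assumption).

# 1. ether2 stops being a bridge (switch) port and becomes its own interface.
#    Only ether2 is removed; ether3-5 and the wifi interfaces stay in the bridge.
/interface bridge port
remove [ find interface=ether2 ]

# 2. ether2 joins the WAN list. The defconf firewall matches on lists, so the
#    input rule "drop all not coming from LAN" and the forward rule "drop all
#    from WAN not DSTNATed" now cover ether2 as well, and the defconf
#    masquerade rule (out-interface-list=WAN) NATs it without a second rule.
/interface list member
add interface=ether2 list=WAN comment="LTE uplink"

# 3. DHCP clients on both uplinks. Each one installs a 0.0.0.0/0 route; the
#    higher distance on ether2 keeps the ISP route active and leaves the LTE
#    route in reserve instead of load-sharing (ECMP) between the two.
/ip dhcp-client
set [ find interface=ether1 ] add-default-route=yes default-route-distance=1
add interface=ether2 add-default-route=yes default-route-distance=2 \
    use-peer-dns=no comment="LTE"

# 4. Check: expect two 0.0.0.0/0 routes, the ether1 one carrying the A flag.
/ip route print where dst-address=0.0.0.0/0
```

The lower distance alone only switches over when ether1 loses link or its DHCP lease; noticing a dead upstream behind a modem that still has link needs a gateway check, which is what the linked failover thread deals with.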

Hey!

Thank you for being so helpful! I have really basic knowledge of this network setup, near to 0, but I am trying to learn by myself; it is really hard, so I respect your knowledge about this! I would appreciate it if you could look at my setup and advise what I have to put in it, because I don’t know how to proceed with the DHCP client, it shows invalid, and I have 0 knowledge about firewall rules. I don’t want to bother you with this, just really need some hand-holding for the beginning! I really appreciate your help!

# 2024-10-02 21:04:53 by RouterOS 7.16
# software id = xxxxxxxx
#
# model = C52iG-5HaxD2HaxD
# serial number = xxxxxxxx
/interface bridge
add admin-mac=xx:xx:xx:xx:xx:xx auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] comment=WAN_ISP poe-out=off
set [ find default-name=ether2 ] comment=LTE_WAN
/interface wifi
set [ find default-name=wifi1 ] channel.band=5ghz-ax .skip-dfs-channels=\
    10min-cac .width=20/40/80mhz comment=HomeSSid_5Ghz configuration.mode=ap \
    .ssid=HomeSSid_5Ghz disabled=no security.authentication-types=wpa2-psk \
    .ft=yes .ft-over-ds=yes
set [ find default-name=wifi2 ] channel.band=2ghz-ax .skip-dfs-channels=\
    10min-cac .width=20mhz comment=HomeSSid configuration.mode=ap .ssid=\
    HomeSSid disabled=no security.authentication-types=wpa2-psk .ft=yes \
    .ft-over-ds=yes
add configuration.mode=ap .ssid=SSidGuest mac-address=xxxxxxxxxxxxxx \
    master-interface=wifi1 name=wifi3
add comment="Guest WiFi" configuration.mode=ap .ssid=SSidGuest disabled=no \
    mac-address=xxxxxxxxxxxx master-interface=wifi2 name=wifi4
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp-pool ranges=192.168.0.50-192.168.0.200
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
# DHCP server can not run on slave interface!
add address-pool=dhcp-pool interface=ether2 name=dhcp1
/disk settings
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
/interface bridge filter
# wifi3 not ready
# in/out-bridge-port matcher not possible when interface (wifi3) is not slave
add action=drop chain=forward in-interface=wifi3
# wifi3 not ready
# in/out-bridge-port matcher not possible when interface (wifi3) is not slave
add action=drop chain=forward out-interface=wifi3
add action=drop chain=forward in-interface=wifi4
add action=drop chain=forward out-interface=wifi4
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wifi1
add bridge=bridge comment=defconf interface=wifi2
add bridge=bridge interface=wifi3
add bridge=bridge interface=wifi4
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface detect-internet
set detect-interface-list=all
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=ether2 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
/ip dhcp-client
add comment=defconf interface=ether1
# Interface not active
add comment=LTE interface=ether2
/ip dhcp-server network
add address=192.168.0.0/24 gateway=192.168.0.1
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan type=A
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
    dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=xxxxxx
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Don’t mistake me for a Mikrotik expert, I am also only a beginner, just knowing enough for basic configurations like yours.


/interface bridge port
add bridge=bridge comment=defconf interface=ether2

Your ether2 is still part of the bridge, hence the DHCP server error, which sees it as a slave interface (its master being the bridge).
But it makes no sense to run a DHCP server on ether2: that port/interface is connected ONLY to the LTE modem/router, and usually either it has a static IP address assigned or it is set as a DHCP client.
Personally I would use a static address, as there is presumably only a single device (the Mikrotik router) connected to the LTE modem/router and neither is going to be moved around.
But a DHCP client is fine as well; at the moment it is inactive for the same reason, ether2 is not (yet) a self-standing interface.

Thanks, so how should I proceed with it? Because if I set the DHCP client it shows invalid; should I set up another bridge for ether2 or something else?

No, you just need to remove the ether2 from the bridge, leaving in the bridge only ether3,4,5.
Ether2, once outside the bridge, will be able to have a DHCP client enabled on it, just like it is now ether1.

In the CLI that would be:

/interface bridge port
remove [ find interface=ether2 ]

Let’s see if I can help you visualize the setup.

Now your set ports are:

1 - ether1 -> WAN -> DSL modem router (DHCP client enabled)
2 - bridge -> LAN -> other devices (DHCP server running)
     | ether2 <any related setting is ignored because the settings for the bridge prevail>
     | ether3 <any related setting is ignored because the settings for the bridge prevail>
     | ether4 <any related setting is ignored because the settings for the bridge prevail>
     | ether5 <any related setting is ignored because the settings for the bridge prevail>

The first port is “independent”, the other four are “assembled together” in what functionally is a switch.

What you want to have is instead:

1 - ether1 -> WAN -> DSL modem router (DHCP client enabled)
2 - ether2 -> WAN -> LTE modem router (DHCP client enabled)
3 - bridge -> LAN -> other devices (DHCP server running)
     | ether3 <any related setting is ignored because the settings for the bridge prevail>
     | ether4 <any related setting is ignored because the settings for the bridge prevail>
     | ether5 <any related setting is ignored because the settings for the bridge prevail>

The first two ports are “independent”, the other three remain “assembled together” in what functionally is a switch.

So now I set it as you said. If I connect the internet to that port the invalid disappears, but no internet comes through when I connect the ISP to ether2, probably because of the firewall rules, or should I set other things as well?

setup now:

# 2024-10-03 11:52:49 by RouterOS 7.16
# software id = xxxxx
#
# model = C52iG-5HaxD2HaxD
# serial number = xxxxxx
/interface bridge
add admin-mac=xx:xx:xx:xx:xx auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] comment=WAN_ISP poe-out=off
set [ find default-name=ether2 ] comment=WAN_LTE
/interface wifi
set [ find default-name=wifi1 ] channel.band=5ghz-ax .skip-dfs-channels=\
    10min-cac .width=20/40/80mhz comment=HomeSSid_5Ghz configuration.mode=ap \
    .ssid=HomeSSid_5Ghz disabled=no security.authentication-types=wpa2-psk \
    .ft=yes .ft-over-ds=yes
set [ find default-name=wifi2 ] channel.band=2ghz-ax .skip-dfs-channels=\
    10min-cac .width=20mhz comment=HomeSSid configuration.mode=ap .ssid=\
    HomeSSid disabled=no security.authentication-types=wpa2-psk .ft=yes \
    .ft-over-ds=yes
add configuration.mode=ap .ssid=SSidGuest mac-address=xxxxxxx \
    master-interface=wifi1 name=wifi3
add comment="Guest WiFi" configuration.mode=ap .ssid=SSidGuest disabled=no \
    mac-address=xxxxxx master-interface=wifi2 name=wifi4
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp-pool ranges=192.168.0.50-192.168.0.200
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
/disk settings
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
/interface bridge filter
# wifi3 not ready
# in/out-bridge-port matcher not possible when interface (wifi3) is not slave
add action=drop chain=forward in-interface=wifi3
# wifi3 not ready
# in/out-bridge-port matcher not possible when interface (wifi3) is not slave
add action=drop chain=forward out-interface=wifi3
add action=drop chain=forward in-interface=wifi4
add action=drop chain=forward out-interface=wifi4
/interface bridge port
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wifi1
add bridge=bridge comment=defconf interface=wifi2
add bridge=bridge interface=wifi3
add bridge=bridge interface=wifi4
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface detect-internet
set detect-interface-list=all
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=ether2 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
/ip dhcp-client
add comment=defconf interface=ether1
# Interface not active
add comment=LTE interface=ether2
/ip dhcp-server network
add address=192.168.0.0/24 gateway=192.168.0.1
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan type=A
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
    dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=xxxxxx
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
  1. You are attempting to have two different subnets assigned from the single bridge. There are several approaches: two bridges (not advised) or two VLANs (very much advised).
    You already have two pools… just complete the config… and first add the VLANs to the bridge.

/interface vlan
add interface=bridge name=vlan10-home vlan-id=10
add interface=bridge name=vlan20-guest vlan-id=20

/ip address
add address=192.168.88.1/24 interface=vlan10-home network=192.168.88.0
add address=192.168.0.1/24 interface=vlan20-guest network=192.168.0.0

/ip dhcp-server
add address-pool=default-dhcp interface=vlan10-home name=defconf
add address-pool=dhcp-pool interface=vlan20-guest name=guestserver

/ip dhcp-server network
add address=192.168.0.0/24 dns-server=192.168.0.1 gateway=192.168.0.1
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=192.168.88.1

  2. Add another interface list to distinguish guests from home users in terms of general router security.
    /interface list
    add comment=defconf name=WAN
    add comment=defconf name=LAN
    add name=Trusted
    /interface list member
    add comment=defconf interface=ether1 list=WAN
    add interface=ether2 list=WAN
    add comment=defconf interface=vlan10-home list=LAN
    add comment=defconf interface=vlan20-guest list=LAN
    add interface=vlan10-home list=Trusted

  3. GET RID OF ALL BRIDGE FILTERS. These are advanced settings that are rarely used in basic configurations.

  4. Make changes as required.
    /interface bridge port
    add bridge=bridge ingress-filtering=yes frame-types=admit-priority-and-untagged interface=ether3 pvid=10
    add bridge=bridge ingress-filtering=yes frame-types=admit-priority-and-untagged interface=ether4 pvid=10
    add bridge=bridge ingress-filtering=yes frame-types=admit-priority-and-untagged interface=ether5 pvid=10
    add bridge=bridge ingress-filtering=yes frame-types=admit-priority-and-untagged interface=wifi1 pvid=10
    add bridge=bridge ingress-filtering=yes frame-types=admit-priority-and-untagged interface=wifi2 pvid=10
    add bridge=bridge ingress-filtering=yes frame-types=admit-priority-and-untagged interface=wifi3 pvid=20
    add bridge=bridge ingress-filtering=yes frame-types=admit-priority-and-untagged interface=wifi4 pvid=20

  5. Add /interface bridge vlan settings
    add bridge=bridge tagged=bridge untagged=ether3,ether4,ether5,wifi1,wifi2 vlan-ids=10
    add bridge=bridge tagged=bridge untagged=wifi3,wifi4 vlan-ids=20

  6. Modify neighbour discovery and set internet detection to none.
    /ip neighbor discovery-settings
    set discover-interface-list=Trusted
    /interface detect-internet
    set detect-interface-list=NONE

  7. If not using IPv6, set it to disabled and remove lists and rules, leaving only two rules
    add chain=input action=drop
    add chain=forward action=drop

  8. Modify as per below:
    /tool mac-server
    set allowed-interface-list=NONE
    /tool mac-server mac-winbox
    set allowed-interface-list=Trusted

  9. MISSING WAN1 information, but why does the router think it is inactive?
    So you have some issue with your ISP that needs to be resolved.

  10. Firewall rules are basically default, so okay for the default setup, but they need to be modified for the changes made.

/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input in-interface-list=Trusted comment="admin access"
# consider further limiting the admin access rule by IP addresses (firewall address list)
add action=accept chain=input in-interface-list=LAN dst-port=53 protocol=udp comment="users to services"
add action=accept chain=input in-interface-list=LAN dst-port=53 protocol=tcp comment="users to services"
add action=drop chain=input comment="drop all else"
# put this rule in place after all the others so as not to lock yourself out
# ---- forward chain ----
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
# disable or remove the port forwarding rule if not required
add action=drop chain=forward comment="Drop all else"

  11. For the last step on the bridge and VLAN filtering, turn VLAN filtering on.

/interface bridge
set bridge vlan-filtering=yes

@anav
there is no reason why OP would want or should have two VLANs.
Very likely the double entry in:
/ip dhcp-server network
is a mistake/accident.
OP is a beginner and is trying to get the hang of a simple home/soho setup, no need for now to make it more complex than needed.

@bbmikrotik
You have to decide which addresses you use on your LAN that are set by the DHCP server on Mikrotik.
The default is 192.168.88.0/24:

/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=192.168.88.1

If you want to use 192.168.0.0/24 instead you disable that one and add the new one.

And you need to add an address in that range in:
/ip address
as well, temporarily you add the new address and disable (as opposed to remove) the defconf one.

Once you are satisfied with the settings LAN side, you connect the ISP modem/router to ether1, the LTE modem/router to ether2 and run:
/ip route print
and post the output, so that we can see which routes are dynamically created.

Anav’s point #6 is good advice, independently from VLANs, it is advised to change
/interface detect-internet
set detect-interface-list=all
to:
/interface detect-internet
set detect-interface-list=none
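As an added example (not the thread's own commands), the LAN address switch and the detect-internet change described above as RouterOS 7 CLI; item names (bridge, defconf, dhcp-pool, router.lan) are taken from the export posted earlier in this thread, and the pool and static-DNS steps are ones I add because the DHCP server and the router.lan record otherwise keep pointing at 192.168.88.1.

```routeros
# Added example, not from the thread: moving the LAN from the defconf
# 192.168.88.0/24 to 192.168.0.0/24. Names come from the posted export;
# the pool and DNS-record steps are my additions (assumption: the OP wants
# clients to get addresses from dhcp-pool, 192.168.0.50-192.168.0.200).

# Bridge address: add the new one first, then disable (not remove) the
# defconf one so it can be re-enabled if something goes wrong.
/ip address
add address=192.168.0.1/24 interface=bridge comment="LAN 192.168.0.0/24"
set [ find address="192.168.88.1/24" ] disabled=yes

# DHCP network for the new subnet: the router is gateway and DNS server.
# The old 192.168.88.0/24 network entry can stay; it is inert once no
# interface carries an address in that range.
/ip dhcp-server network
set [ find address="192.168.0.0/24" ] dns-server=192.168.0.1 gateway=192.168.0.1

# The DHCP server must hand out leases from the matching pool, otherwise
# clients receive 192.168.88.x leases on an interface numbered 192.168.0.1.
/ip dhcp-server
set defconf address-pool=dhcp-pool

# The defconf static DNS record for router.lan follows the new address.
/ip dns static
set [ find name=router.lan ] address=192.168.0.1

# Detect-internet off, as advised: with list=all it adds dynamic members to
# the WAN/LAN interface lists, which can change which firewall rules apply.
/interface detect-internet
set detect-interface-list=none

# Then connect the ISP modem to ether1 and the LTE modem to ether2 and
# check which routes were created dynamically (D flag).
/ip route print
```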

hey, so I connected my ISP to ether1 and LTE to ether2 as instructed and set up what I could.

Flags: D - DYNAMIC; A - ACTIVE; c - CONNECT, d - DHCP; + - ECMP
Columns: DST-ADDRESS, GATEWAY, DISTANCE
DST-ADDRESS GATEWAY DISTANCE
DAd+ 0.0.0.0/0 5.187.172.1 1
DAd+ 0.0.0.0/0 192.168.1.1 1
DAc 5.187.172.0/22 ether1 0
DAc 192.168.1.0/24 ether2 0
DAc 192.168.88.0/24 bridge 0

# 2024-10-03 17:50:18 by RouterOS 7.16
# software id = xxxxxx
#
# model = C52iG-5HaxD2HaxD
# serial number = xxxxx
/interface bridge
add admin-mac=xx:xx:xx:xx:xx:xx auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] comment=WAN_ISP poe-out=off
set [ find default-name=ether2 ] comment=WAN_LTE
/interface wifi
set [ find default-name=wifi1 ] channel.band=5ghz-ax .skip-dfs-channels=\
    10min-cac .width=20/40/80mhz comment=HomeSSid_5Ghz configuration.mode=ap \
    .ssid=HomeSSid_5Ghz disabled=no security.authentication-types=wpa2-psk \
    .ft=yes .ft-over-ds=yes
set [ find default-name=wifi2 ] channel.band=2ghz-ax .skip-dfs-channels=\
    10min-cac .width=20mhz comment=HomeSSid configuration.mode=ap .ssid=\
    HomeSSid disabled=no security.authentication-types=wpa2-psk .ft=yes \
    .ft-over-ds=yes
add configuration.mode=ap .ssid=SSidGuest mac-address=xxxxxxxxxx \
    master-interface=wifi1 name=wifi3
add comment="Guest WiFi" configuration.mode=ap .ssid=SSidGuest disabled=no \
    mac-address=xxxxxxxx master-interface=wifi2 name=wifi4
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp-pool ranges=192.168.0.50-192.168.0.200
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
/disk settings
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
/interface bridge filter
# wifi3 not ready
# in/out-bridge-port matcher not possible when interface (wifi3) is not slave
add action=drop chain=forward in-interface=wifi3
# wifi3 not ready
# in/out-bridge-port matcher not possible when interface (wifi3) is not slave
add action=drop chain=forward out-interface=wifi3
add action=drop chain=forward in-interface=wifi4
add action=drop chain=forward out-interface=wifi4
/interface bridge port
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wifi1
add bridge=bridge comment=defconf interface=wifi2
add bridge=bridge interface=wifi3
add bridge=bridge interface=wifi4
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=ether2 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
/ip dhcp-client
add comment=defconf interface=ether1
add comment=LTE interface=ether2
/ip dhcp-server network
add address=192.168.0.0/24 gateway=192.168.0.1
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan type=A
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
    dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=xxxxxxxxx
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

I'm sorry jaclaz, but you clearly missed the boat.
The OP has two subnets, one for the home lan and one for the guest wifi.
Two vlans make much sense to me.

As for the OP, good luck, advice not followed, you're in good hands with jaclaz, out.

Sorry, but I am a beginner in this stuff. The guest wifi is just a setup for somebody who comes over and wants to be separated from the main users. I only want to set up a failover config with a DSL main source and an LTE backup source (a lot of cameras, a solar panel system and smart home systems in the house; it could be I will set up Starlink as backup or main in the future). I can disable guest wifi if it is just a pain in the ass. I am feeling lost, this is lots of info! Of course, I appreciate your help! I just don't know exactly what it means if I want a dual WAN failover config.

Not only to you, but there are logical priorities, that you are not taking into account, and as well you are not considering how the OP is a beginner.
Priorities (in my perverted mind):

  1. have a decent setup for 1 internet connection
  2. add a second connection
  3. add a failover of some kind between the two
  4. check that basic (single SSID) wireless works (not so given with the complexities of Mikrotik Ax settings)
  once the above are done:
  5. betterings, VLANs, Guest wireless, etc.

Oww, come off it:
https://www.marriedtothesea.com/030306/gracious.jpg

@bbmikrotik
Ok, so:
Flags: D - DYNAMIC; A - ACTIVE; c - CONNECT, d - DHCP; + - ECMP
Columns: DST-ADDRESS, GATEWAY, DISTANCE
DST-ADDRESS GATEWAY DISTANCE
DAd+ 0.0.0.0/0 5.187.172.1 1 ← this one comes from the DHCP server of the ISP 1 modem/router (it is in bridge mode, right?)
DAd+ 0.0.0.0/0 192.168.1.1 1 ← this one comes from the DHCP server of the ISP2 LTE modem/router
DAc 5.187.172.0/22 ether1 0 ← this one comes from the DHCP server of the ISP 1 modem/router
DAc 192.168.1.0/24 ether2 0 ← this one comes from the DHCP server of the ISP2 LTE modem/router
DAc 192.168.88.0/24 bridge 0 ← this one is added automatically by the IP address assigned to the bridge

The two routes to 0.0.0.0/0 (the internet) have the same distance of 1, so they have the + sign as they are in ECMP.

If you disconnect the cable from ether1 you should get the internet from the LTE modem.

If you do not have a connection, then this needs to be resolved/fixed.

Right now, if you remove the connection from ether2 and move the cable from ether1 to ether2 you should have the internet connection working as well.

Then, in DHCP client, change the distance of the routes:
/ip dhcp-client
add comment=defconf interface=ether1 default-route-distance=2
add comment=LTE interface=ether2 default-route-distance=1

And check again the /ip route print.
Now the route via LTE should be active, whilst the main one should be inactive (as it has a greater distance).
If you disable the route via LTE, the main one should become active.

And you are ready to follow the failover method linked here:
http://forum.mikrotik.com/t/simpler-failover-for-two-gateways-i-found-working/169108/1

Sadly, if I disconnect the DSL or LTE from ether1 and put it on ether2, there is no internet connection; either LTE or DSL in ether1 gives back the internet.

This is how it looks when the internet is connected to ether2:

Flags: D - DYNAMIC; A - ACTIVE; c - CONNECT
Columns: DST-ADDRESS, GATEWAY, DISTANCE
DST-ADDRESS GATEWAY DISTANCE
DAc 192.168.88.0/24 bridge 0

This is what it looks like when the internet is connected to ether1 and ether2 LTE disconnected:

Flags: D - DYNAMIC; A - ACTIVE; c - CONNECT, d - DHCP
Columns: DST-ADDRESS, GATEWAY, DISTANCE
DST-ADDRESS GATEWAY DISTANCE
DAd 0.0.0.0/0 5.187.172.1 1
DAc 5.187.172.0/22 ether1 0
DAc 192.168.88.0/24 bridge 0

If I check Bridge-Ports menu only ether3-5 and wifi1-4 are there

Well, you had just posted an /ip route print where both ether1 and ether2 got their ip route just fine (so the DHCP client worked fine on both interfaces), now your /ip route print seems to show that it only works on ether1 and not (anymore) on ether2, so something has changed.
The main ISP modem creates a route to 5.187.xxx.yyyy, the LTE creates a route to 192.168.1.1, you posted those results.
You should be able to go back to the situation you were in when you posted that.

Yes, the only change for the second result is that I turned off the LTE modem; if I turn it on I will get the same result. The problem is when I disconnect ether1: the internet is gone, no internet going through ether2.

*deleted. time to take a nap 🙂

But the same LTE modem works fine when connected to ether1?
In theory you should be able to connect either modem/router to either ether1 or ether2 and have the connection, the two interfaces are (should be) exactly the same for all that matters.

Since the LTE modem gives the routes, the DHCP server on it and the DHCP client on the Mikrotik are working.

What do you mean you have no internet?
Like you cannot navigate from your PC or you cannot ping (say) 8.8.8.8 (both from your PC and from the Mikrotik terminal)?

The relevant settings of the two interfaces are seemingly identical, and both are WAN, so the masquerade rule applies to both as well as the (default) firewall rules:

/interface ethernet
set [ find default-name=ether1 ] comment=WAN_ISP poe-out=off
set [ find default-name=ether2 ] comment=WAN_LTE
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=ether2 list=WAN
/ip dhcp-client
add comment=defconf interface=ether1
add comment=LTE interface=ether2
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN

Still, there is something that I cannot understand in your report(s).
With both devices connected you had (in Green the ether1, in red the ether2 related routes):

Flags: D - DYNAMIC; A - ACTIVE; c - CONNECT, d - DHCP; + - ECMP
Columns: DST-ADDRESS, GATEWAY, DISTANCE
DST-ADDRESS GATEWAY DISTANCE
DAd+ 0.0.0.0/0 5.187.172.1 1
DAd+ 0.0.0.0/0 192.168.1.1 1
DAc 5.187.172.0/22 ether1 0
DAc 192.168.1.0/24 ether2 0
DAc 192.168.88.0/24 bridge 0

When you have only the ISP modem connected to ether1 you have (correctly):

Flags: D - DYNAMIC; A - ACTIVE; c - CONNECT, d - DHCP; + - ECMP
Columns: DST-ADDRESS, GATEWAY, DISTANCE
DST-ADDRESS GATEWAY DISTANCE
DAd 0.0.0.0/0 5.187.172.1 1
DAc 5.187.172.0/22 ether1 0
DAc 192.168.88.0/24 bridge 0

When you have only the LTE modem on ether2 you should have:

Flags: D - DYNAMIC; A - ACTIVE; c - CONNECT, d - DHCP; + - ECMP
Columns: DST-ADDRESS, GATEWAY, DISTANCE
DST-ADDRESS GATEWAY DISTANCE
DAd 0.0.0.0/0 192.168.1.1 1
DAc 192.168.1.0/24 ether2 0
DAc 192.168.88.0/24 bridge 0

If you can reproduce the first one (with both routers connected and the 4 routes, the 2 green and the 2 red ones) what happens when you disconnect ether1?
The two green routes should disappear, but the two red ones should remain.
And if you remove the LTE from ether2 the two routes should disappear, and return, exactly the same, when you connect the LTE to ether1.
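As an added example (not part of any post in this thread), here is a small Python parser for the /ip route print tables quoted above: it classifies the default routes the way jaclaz's replies do (equal distance gives ECMP, different distances give active/standby) and lists which interfaces actually hold an address, which is the check used here to tell a missing DHCP lease from a routing problem. The embedded table is a constructed copy of the OP's output; nothing talks to a router.

```python
import re
from collections import namedtuple

# Constructed sample in the shape of the OP's output: both modems plugged in,
# equal distance, so both default routes are active and flagged ECMP (+).
BOTH_WANS = """\
Flags: D - DYNAMIC; A - ACTIVE; c - CONNECT, d - DHCP; + - ECMP
Columns: DST-ADDRESS, GATEWAY, DISTANCE
DST-ADDRESS GATEWAY DISTANCE
DAd+ 0.0.0.0/0 5.187.172.1 1
DAd+ 0.0.0.0/0 192.168.1.1 1
DAc 5.187.172.0/22 ether1 0
DAc 192.168.1.0/24 ether2 0
DAc 192.168.88.0/24 bridge 0
"""

# flags: D dynamic, A active, c connected, d DHCP, + ECMP; gateway is a
# next-hop address or, for connected routes, the interface holding the address
Route = namedtuple("Route", "flags dst gateway distance")

# flags, prefix, gateway, distance; legend and header lines do not match
ROUTE_RE = re.compile(r"^([A-Za-z+]+)\s+(\S+/\d+)\s+(\S+)\s+(\d+)$")

def parse_route_print(text):
    """Turn the printed table into Route records, skipping non-route lines."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            routes.append(Route(m[1], m[2], m[3], int(m[4])))
    return routes

def connected_interfaces(routes):
    """Interfaces holding an address ('c' routes). A WAN port missing here
    got no DHCP lease, which is the symptom diagnosed in the thread."""
    return {r.gateway for r in routes if "c" in r.flags}

def default_route_state(routes):
    """Classify the 0.0.0.0/0 routes: equal distances mean ECMP (both carry
    traffic); unequal means failover (lowest distance active, rest standby)."""
    defaults = [r for r in routes if r.dst == "0.0.0.0/0"]
    if len(defaults) < 2:
        mode = "single-wan" if defaults else "no-default-route"
    else:
        mode = "ecmp" if len({r.distance for r in defaults}) == 1 else "failover"
    return {"mode": mode,
            "active": [r.gateway for r in defaults if "A" in r.flags],
            "standby": [r.gateway for r in defaults if "A" not in r.flags]}
```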

So, the setups point by point:

  1. Ether1 - DSL, Ether2 - LTE connected:

Flags: D - DYNAMIC; A - ACTIVE; c - CONNECT, d - DHCP; + - ECMP
Columns: DST-ADDRESS, GATEWAY, DISTANCE
DST-ADDRESS GATEWAY DISTANCE
DAd+ 0.0.0.0/0 5.187.172.1 1
DAd+ 0.0.0.0/0 192.168.1.1 1
DAc 5.187.172.0/22 ether1 0
DAc 192.168.1.0/24 ether2 0
DAc 192.168.88.0/24 bridge 0

Internet works on my macbook and my mobile as well, everything is normal as it should be, speedtest speed: 600mbit/s

  2. Ether1 - LTE, Ether2 - DSL connected:

Flags: D - DYNAMIC; A - ACTIVE; c - CONNECT, d - DHCP
Columns: DST-ADDRESS, GATEWAY, DISTANCE
DST-ADDRESS GATEWAY DISTANCE
DAd 0.0.0.0/0 192.168.1.1 1
DAc 192.168.1.0/24 ether1 0
DAc 192.168.88.0/24 bridge 0

Internet works as it should, of course at limited speed as LTE coverage is moderate, 2-3 mbit/s as expected

  3. Ether1 - none (disconnected), Ether2 - DSL connected:

Flags: D - DYNAMIC; A - ACTIVE; c - CONNECT
Columns: DST-ADDRESS, GATEWAY, DISTANCE
DST-ADDRESS GATEWAY DISTANCE
DAc 192.168.88.0/24 bridge 0

No connection, cannot open web pages etc.

  4. Ether1 - none (disconnected), Ether2 - LTE connected:

Flags: D - DYNAMIC; A - ACTIVE; c - CONNECT, d - DHCP
Columns: DST-ADDRESS, GATEWAY, DISTANCE
DST-ADDRESS GATEWAY DISTANCE
DAd 0.0.0.0/0 192.168.1.1 1
DAc 192.168.1.0/24 ether2 0
DAc 192.168.88.0/24 bridge 0

So my biggest surprise: there the internet works perfectly… but when I connect only DSL to ether2 there is no connection via webpages etc., so no internet. I am just guessing why, but I am not sure; it could be because of the IP pool setup or the setting the previous commenter mentioned (point number 6) - (Anav's point #6 is good advice; independently from VLANs, it is advised to change
/interface detect-internet
set detect-interface-list=all
to:
/interface detect-internet
set detect-interface-list=none)

So my question is: is this correct operation, and if I do not modify my firewall with this setting, is it okay? Am I as safe from attacks as before?

/interface detect-internet is not part of the firewall, it is something that very few people actually use, let alone need, and it is known to mess things up in some subtle ways in some configurations.
Disabling it is usually advised, see:
http://forum.mikrotik.com/t/what-is-detect-internet-for/159604/1

In the best cases it does nothing useful, in the worst it may mess with DHCP (which seems like your case, though it has to be tested if it is actually connected to your issue).

Summing it up, your report says:
DSL works on ether1 but not on ether2.
LTE works on BOTH ether1 and ether2.

This makes me think that the issue is related to something in the DSL modem/router that is somehow providing the IP address via DHCP to ether1 but not to ether2 (which is what comes out of the /ip route print outputs you posted).
Maybe you need to reboot the DSL router after having moved the DSL connection from ether1 to ether2?

The fact that the LTE works indifferently on ether1 and ether2 is a confirmation that (on Mikrotik’s side) the two ports are set exactly in the same manner (good).

In any case, you can keep the DSL on ether1 (working) and the LTE on ether2 (working).