I'm having a problem with an internet connection:

ISP1 (primary): Connected to Ether1 of the Mikrotik RB750Gr3, configured with PPPoE and working correctly.
ISP2 (secondary): ZTE ZXHN F6600P modem in bridge mode, connected to Ether3 of the Mikrotik. Static IP, correct NAT, correct router. This connection should act as a backup, but when it's activated, there's no internet access.

Observed behavior: If I physically disconnect ISP1, ISP2 activates but without internet connectivity. I tested it by connecting a laptop directly to the ISP2 modem with a static IP (provided by ISP2), and it works fine. The ISP confirms that everything is correct on their end; they detect minimal traffic and the correct MAC address on Ether3. The notebook's MAC address was cloned for testing purposes on Ether3 → it still didn't work. Moving the ISP2 configuration to Ether1 (where ISP1 works) was attempted → without success.
There are approximately between 3 and 43 reasons why it doesn't work.
If you post your complete configuration, instructions here:
it may be possible to reduce the things to check/change to the lower number.
No Internet Access from Backup ISP
I'm having a problem with a backup ISP I've configured on the device. Once I disable and/or physically disconnect the primary ISP, I lose internet access on the terminals of my network.
Context:
ISP1 (primary): Connected to Ether1 of the Mikrotik RB750Gr3, configured with PPPoE and working correctly. ISP2 (secondary): ZTE ZXHN F6600P modem in bridge mode, connected to Ether3 of the Mikrotik. This link is supposed to act as a backup, but when it's activated, there's no internet access.
Observed behavior: If I physically disconnect ISP1, ISP2 activates but without internet connectivity. I tested it by connecting a laptop directly to the ISP2 modem with a static IP address (provided by ISP2), and it works fine. The ISP confirms that everything is correct on their end; they detect minimal traffic and the correct MAC address on ether4. An attempt was made to clone the laptop's MAC address on ether4, but it was unsuccessful.
For the failover, a distance of 2 is set for the backup ISP and 1 for the primary ISP. The ethernet connections were reversed (ISP1 -> ether3, ISP2 -> ether1), but the behavior remains the same for ISP2.
I need to know for sure if the problem is with my configuration of the ISP on the Mikrotik or if it originates directly from the provider.
Below is the current device configuration.
# nov/28/2025 19:26:02 by RouterOS 6.48.6
# software id = <SOFTWARE_ID_REDACTADO>
#
# model = <MODELO_ROUTER_REDACTADO>
# serial number = <SERIAL_ROUTER_REDACTADO>
/interface bridge
add comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] name=ether1-WAN1
set [ find default-name=ether2 ] name=ether2-LAN
set [ find default-name=ether4 ] comment=WAN2
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1-WAN1 name=pppoe-out1 \
user=<USUARIO_PPPOE_REDACTADO>
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec profile
set [ find default=yes ] dh-group=modp1024 dpd-interval=5s enc-algorithm=des \
nat-traversal=no
add dh-group=modp1536 dpd-interval=5s enc-algorithm=3des name=dp-caseros \
nat-traversal=no
add dh-group=modp1536 dpd-interval=5s enc-algorithm=3des name=dp-varela \
nat-traversal=no
/ip ipsec peer
add address=<IP_PUBLICA_PEER_SITE1>/32 local-address=<IP_PUBLICA_WAN_PPPOE> \
name=dpt-caseros profile=dp-caseros
add address=<IP_PUBLICA_PEER_SITE2>/32 local-address=<IP_PUBLICA_WAN_SECUNDARIO> \
name=FlorencioVarela profile=dp-varela
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des pfs-group=modp1536
add enc-algorithms=3des name=dp-caseros pfs-group=none
add enc-algorithms=3des name=dp-varela pfs-group=none
/ip pool
add name=dhcp ranges=<POOL_DHCP_LAN_PRINCIPAL>
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge lease-time=1d name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2-LAN
add bridge=bridge comment=defconf disabled=yes interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge interface=ether3
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1-WAN1 list=WAN
add interface=pppoe-out1 list=WAN
/ip address
add address=<IP_GATEWAY_LAN>/24 comment="LAN <RED_LAN_PRINCIPAL>" interface=bridge \
network=<RED_LAN_PRINCIPAL>
add address=<IP_PUBLICA_ISP2>/24 interface=ether4 network=<RED_PUBLICA_ISP2>
/ip dhcp-client
add comment=defconf interface=ether1-WAN1
add interface=ether3
/ip dhcp-server lease
add address=<IP_LAN_HOST_CRONOS> comment=CRONOS mac-address=<MAC_CRONOS> \
server=defconf
add address=<IP_LAN_CAMARA_02> client-id=<CLIENT_ID_CAMARA_02> comment=CAMARA02 \
mac-address=<MAC_CAMARA_02> server=defconf
add address=<IP_LAN_IMPL_FACTURACION> client-id=<CLIENT_ID_IMPL_FACTURACION> \
comment=IMPL-Facturacion mac-address=<MAC_IMPL_FACTURACION> server=defconf
add address=<IP_LAN_IMPL_ADMINISTRACION> client-id=<CLIENT_ID_IMPL_ADMINISTRACION> \
comment=IMPL-Administracion mac-address=<MAC_IMPL_ADMINISTRACION> server=defconf
add address=<IP_LAN_UBIQUITI_02> client-id=<CLIENT_ID_UBIQUITI_02> \
comment="Ubiquiti 02" mac-address=<MAC_UBIQUITI_02> server=defconf
add address=<IP_LAN_UBIQUITI_01> client-id=<CLIENT_ID_UBIQUITI_01> \
comment="Ubiquiti 01" mac-address=<MAC_UBIQUITI_01> server=defconf
add address=<IP_LAN_CAMARA_01> client-id=<CLIENT_ID_CAMARA_01> comment=CAMARA01 \
mac-address=<MAC_CAMARA_01> server=defconf
/ip dhcp-server network
add address=<RED_LAN_PRINCIPAL> dns-server=<DNS_INTERNO_1>,<DNS_INTERNO_2> \
gateway=<IP_GATEWAY_LAN>
/ip dns
set allow-remote-requests=yes servers=<DNS_PUBLICO_ISP1>,<DNS_PUBLICO_ISP2>,8.8.8.8,1.1.1.1
/ip dns static
add address=<IP_GATEWAY_LAN> comment=defconf name=<NOMBRE_DNS_ROUTER>
/ip firewall filter
add action=accept chain=input comment="Monitoreo zabbix" dst-port=161 \
protocol=udp src-address=<RED_MONITOREO_ZABBIX>
add action=accept chain=input comment="Permitir acceso remoto desde Forti" \
dst-port=22,80,443 protocol=tcp src-address=<RED_MONITOREO_ZABBIX>
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment=ZABBIX_REMOTO dst-port=161 protocol=udp \
src-address=<RED_MONITOREO_ZABBIX>
add action=accept chain=input dst-address=<IP_PUBLICA_WAN_PPPOE> in-interface=\
pppoe-out1 protocol=icmp
add action=accept chain=input comment="Permitir WebFig WAN" dst-address=\
<IP_PUBLICA_WAN_PPPOE> dst-port=80 in-interface=pppoe-out1 protocol=tcp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether4
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface=pppoe-out1
add action=accept chain=srcnat comment=srnat-sslvpn dst-address=\
<RED_REMOTA_SSLVPN> src-address=<RED_LAN_PRINCIPAL>
/ip ipsec identity
add peer=dpt-caseros
add peer=FlorencioVarela
/ip ipsec policy
add comment="Tunel principal <RED_REMOTA_SITE_CASEROS> via Forti Pomar" \
dst-address=<RED_REMOTA_SITE_CASEROS> peer=dpt-caseros proposal=dp-caseros \
src-address=<RED_LAN_PRINCIPAL> tunnel=yes
add comment="VLAN <RED_REMOTA_VLAN_5> via Forti Florencio Varela" dst-address=\
<RED_REMOTA_VLAN_5> peer=FlorencioVarela proposal=dp-varela src-address=\
<RED_LAN_PRINCIPAL> tunnel=yes
add comment="VLAN <RED_REMOTA_VLAN_7> via Forti Florencio Varela" dst-address=\
<RED_REMOTA_VLAN_7> peer=FlorencioVarela proposal=dp-varela src-address=\
<RED_LAN_PRINCIPAL> tunnel=yes
add comment="Fase #2 para ssl vpn" dst-address=<RED_REMOTA_SSLVPN> peer=\
dpt-caseros src-address=<RED_LAN_PRINCIPAL> tunnel=yes
/ip route
add check-gateway=ping distance=2 gateway=<GATEWAY_PUBLICO_ISP2>
add disabled=yes distance=1 gateway=<GATEWAY_PUBLICO_SITE2>
add disabled=yes distance=1 gateway=<GATEWAY_PUBLICO_ISP1>
/snmp
set contact=zabbix enabled=yes location=<UBICACION_SNMP> trap-interfaces=all \
trap-version=2
/system clock
set time-zone-name=America/Argentina/Cordoba
/system identity
set name=<NOMBRE_ROUTER>
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
To add, when running from the Winbox or WebConfig terminal:
- /ping 8.8.8.8 src-address=<ip_isp2> "This responds OK"
- ping 8.8.8.8 interface= "This responds (timeout) and <ip_isp2> host unreachable"
- ping <ip_gateway_isp2> interface= "This responds OK"
- ping <ip_gateway_isp2> src-address=<ip_isp2> "This responds OK"
You have some mixed settings.
In your post you talk of ether3 as the connection for the second ISP, but in the configuration the second WAN seems to be ether4.
In any case the port used normally needs to:
- be taken out of the (LAN) bridge
- have a DHCP client running
- be categorized as WAN in /interface list member
- be src-natted or masqueraded
BUT from your configuration:
- Your current ether4 is still part of the bridge (but disabled); this may be enough to comply with condition #1, but to be sure you should remove it from the bridge. ether3 is still part of the bridge and not disabled.
- ether4 does not have a DHCP client running (but ether3 has it)
- ether4 is not categorized as WAN, nor is ether3
- ether4 is masqueraded in /ip firewall nat, ether3 is not. As a side note, instead of the single out-interface=ether4, usually out-interface-list=WAN is used in masquerading.
So you should choose one of the two and make sure that ALL of the above 4 conditions are met for that interface.
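As a way to check the four conditions above mechanically, here is an added Python script (not from this thread, nor from MikroTik) that parses a RouterOS v6 `/export` dump, undoing the backslash line continuations, and reports which of the four conditions a given port meets. The two embedded export excerpts are constructed from the thread's configuration before and after the changes (placeholders kept); the section names and keys are those of the export format itself.

```python
"""Check a RouterOS port against the four WAN-uplink conditions:
no bridge port, has an address, in the WAN interface list, src-natted."""
import re
from collections import defaultdict

# Constructed excerpt of the first export in the thread (ether4 meant as WAN2).
EXPORT_BEFORE = """\
/interface bridge port
add bridge=bridge comment=defconf interface=ether2-LAN
add bridge=bridge comment=defconf disabled=yes interface=ether4
add bridge=bridge interface=ether3
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1-WAN1 list=WAN
add interface=pppoe-out1 list=WAN
/ip address
add address=<IP_PUBLICA_ISP2>/24 interface=ether4 network=<RED_PUBLICA_ISP2>
/ip dhcp-client
add comment=defconf interface=ether1-WAN1
add interface=ether3
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether4
add action=masquerade chain=srcnat comment="defconf: masquerade" \\
    ipsec-policy=out,none out-interface=pppoe-out1
"""

# Constructed excerpt of the export after the changes suggested above.
EXPORT_AFTER = """\
/interface bridge port
add bridge=bridge comment=defconf interface=ether2-LAN
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge interface=ether3
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1-WAN1 list=WAN
add interface=pppoe-out1 list=WAN
add comment=ISP_BACKUP interface=ether4 list=WAN
/ip address
add address=<IP_PUBLICA_ISP2>/24 interface=ether4 network=<RED_PUBLICA_ISP2>
/ip firewall nat
add action=masquerade chain=srcnat disabled=yes out-interface=ether4
add action=masquerade chain=srcnat comment="defconf: masquerade" \\
    ipsec-policy=out,none out-interface-list=WAN
"""

_KV = re.compile(r'([\w-]+)=("[^"]*"|\S+)')   # key=value or key="quoted value"


def parse_export(text):
    """Return {section path: [entry dict, ...]} for an /export dump."""
    sections = defaultdict(list)
    current = None
    joined = re.sub(r'\\\n\s*', ' ', text)       # join backslash-continued lines
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        if line.startswith('/'):                # a new section, e.g. /ip address
            current = line
            continue
        verb, _, rest = line.partition(' ')     # 'add' or 'set' then its arguments
        entry = {k: v.strip('"') for k, v in _KV.findall(rest)}
        entry['_verb'] = verb
        sections[current].append(entry)
    return sections


def _enabled(entry):
    return entry.get('disabled', 'no') != 'yes'


def check_wan_port(cfg, iface, wan_list='WAN'):
    """Evaluate the four conditions for iface; returns {condition: (ok, note)}."""
    sec = lambda name: cfg.get(name, [])
    result = {}
    # 1. not a bridge port; a disabled bridge-port entry is flagged separately
    ports = [e for e in sec('/interface bridge port') if e.get('interface') == iface]
    if not ports:
        result['not_in_bridge'] = (True, 'no bridge-port entry')
    elif all(not _enabled(e) for e in ports):
        result['not_in_bridge'] = (False, 'bridge-port entry is disabled but still present; remove it')
    else:
        result['not_in_bridge'] = (False, 'still an active bridge port')
    # 2. gets an address: an enabled DHCP client, or an enabled static address
    dhcp = any(e.get('interface') == iface and _enabled(e) for e in sec('/ip dhcp-client'))
    static = [e['address'] for e in sec('/ip address')
              if e.get('interface') == iface and _enabled(e) and 'address' in e]
    if dhcp:
        result['has_address'] = (True, 'DHCP client enabled')
    elif static:
        result['has_address'] = (True, 'static address ' + ', '.join(static))
    else:
        result['has_address'] = (False, 'no DHCP client and no static address')
    # 3. member of the WAN interface list
    in_wan = any(e.get('interface') == iface and e.get('list') == wan_list and _enabled(e)
                 for e in sec('/interface list member'))
    result['in_wan_list'] = (in_wan, ('member of' if in_wan else 'not in') + ' list ' + wan_list)
    # 4. an enabled srcnat masquerade/src-nat rule matches this port, directly or via the list
    nat_ok = any(e.get('chain') == 'srcnat' and e.get('action') in ('masquerade', 'src-nat')
                 and _enabled(e)
                 and (e.get('out-interface') == iface
                      or (e.get('out-interface-list') == wan_list and in_wan))
                 for e in sec('/ip firewall nat'))
    result['src_natted'] = (nat_ok, 'srcnat rule covers this port' if nat_ok
                            else 'no enabled srcnat rule matches this port')
    return result


def all_ok(result):
    return all(ok for ok, _ in result.values())


if __name__ == '__main__':
    for label, dump in (('before', EXPORT_BEFORE), ('after', EXPORT_AFTER)):
        for cond, (ok, note) in check_wan_port(parse_export(dump), 'ether4').items():
            print(f'{label:6} ether4 {cond:14} {"OK " if ok else "BAD"} {note}')
```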
Jaclaz,
Okay, now we're configuring ether4 for WAN2. Following your instructions, I've done the following:
1. Removed ether4 from the bridge.
2. You don't see DHCP on ether4 because it's configured with a static public IP address assigned by the ISP, as shown in `add address=<ISP2_PUBLIC_IP> interface=ether4-WAN2 network=<ASSIGNED_NETWORK_IP>`. The DHCP clients you see for ether3 are disabled.
3. I've categorized ether4 as a WAN; it appears as `WAN_BACKUP`.
4. I've disabled masquerading for ether4 and modified the masquerading, which you'll now see as `#1 masquerade srcnat WAN (out.interface.list)`, as you suggested. I've included the configuration with the modifications.
After this, however, I get the same behavior; I have no internet access when I disable ISP1, and I've performed the ping test to the gateway:
[admin@RouterOS] > ping <gateway_isp2> interface=ether4
SEQ HOST SIZE TTL TIME STATUS
0 <gateway_isp2> 56 255 2ms
1 <gateway_isp2> 56 255 2ms
2 <gateway_isp2> 56 255 2ms
3 <gateway_isp2> 56 255 1ms
4 <gateway_isp2> 56 255 1ms
5 <gateway_isp2> 56 255 1ms
sent=6 received=6 packet-loss=0% min-rtt=1ms avg-rtt=1ms max-rtt=2ms
[admin@RouterOS] >
[admin@RouterOS] > ping 8.8.8.8 interface=ether4
SEQ HOST SIZE TTL TIME STATUS
0 8.8.8.8 timeout
1 8.8.8.8 timeout
2 <public_IP_ISP2> 84 64 988ms host unreachable
3 8.8.8.8 timeout
4 8.8.8.8 timeout
5 8.8.8.8 timeout
6 8.8.8.8 timeout
7 8.8.8.8 timeout
8 8.8.8.8 timeout
sent=9 received=0 packet-loss=100%
------------------------------------------------------------------------------------------
# nov/28/2025 22:09:50 by RouterOS 6.48.6
# software id = <SOFTWARE_ID_REDACTADO>
#
# model = <MODELO_ROUTER_REDACTADO>
# serial number = <SERIAL_ROUTER_REDACTADO>
/interface bridge
add comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] name=ether1-WAN1
set [ find default-name=ether2 ] name=ether2-LAN
set [ find default-name=ether4 ] comment=WAN2
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1-WAN1 name=pppoe-out1 \
user=<USUARIO_PPPOE_REDACTADO>
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec profile
set [ find default=yes ] dh-group=modp1024 dpd-interval=5s enc-algorithm=des \
nat-traversal=no
add dh-group=modp1536 dpd-interval=5s enc-algorithm=3des name=dp-caseros \
nat-traversal=no
add dh-group=modp1536 dpd-interval=5s enc-algorithm=3des name=dp-varela \
nat-traversal=no
/ip ipsec peer
add address=<IP_PUBLICA_PEER_SITE1>/32 local-address=<IP_PUBLICA_WAN_PPPOE> \
name=dpt-caseros profile=dp-caseros
add address=<IP_PUBLICA_PEER_SITE2>/32 local-address=<IP_PUBLICA_WAN_SECUNDARIO> \
name=FlorencioVarela profile=dp-varela
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des pfs-group=modp1536
add enc-algorithms=3des name=dp-caseros pfs-group=none
add enc-algorithms=3des name=dp-varela pfs-group=none
/ip pool
add name=dhcp ranges=<POOL_DHCP_LAN_PRINCIPAL>
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge lease-time=1d name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2-LAN
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge interface=ether3
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1-WAN1 list=WAN
add interface=pppoe-out1 list=WAN
add comment=ISP_BACKUP interface=ether4 list=WAN
/ip address
add address=<IP_GATEWAY_LAN>/24 comment="LAN <RED_LAN_PRINCIPAL>" interface=bridge \
network=<RED_LAN_PRINCIPAL>
add address=<IP_PUBLICA_ISP2>/24 interface=ether4 network=<RED_PUBLICA_ISP2>
/ip dhcp-client
add comment=defconf interface=ether1-WAN1
add interface=ether3
/ip dhcp-server lease
add address=<IP_LAN_HOST_CRONOS> comment=CRONOS mac-address=<MAC_CRONOS> \
server=defconf
add address=<IP_LAN_CAMARA_02> client-id=<CLIENT_ID_CAMARA_02> comment=CAMARA02 \
mac-address=<MAC_CAMARA_02> server=defconf
add address=<IP_LAN_IMPL_FACTURACION> client-id=<CLIENT_ID_IMPL_FACTURACION> \
comment=IMPL-Facturacion mac-address=<MAC_IMPL_FACTURACION> server=defconf
add address=<IP_LAN_IMPL_ADMINISTRACION> client-id=<CLIENT_ID_IMPL_ADMINISTRACION> \
comment=IMPL-Administracion mac-address=<MAC_IMPL_ADMINISTRACION> server=defconf
add address=<IP_LAN_UBIQUITI_02> client-id=<CLIENT_ID_UBIQUITI_02> \
comment="Ubiquiti 02" mac-address=<MAC_UBIQUITI_02> server=defconf
add address=<IP_LAN_UBIQUITI_01> client-id=<CLIENT_ID_UBIQUITI_01> \
comment="Ubiquiti 01" mac-address=<MAC_UBIQUITI_01> server=defconf
add address=<IP_LAN_CAMARA_01> client-id=<CLIENT_ID_CAMARA_01> comment=CAMARA01 \
mac-address=<MAC_CAMARA_01> server=defconf
/ip dhcp-server network
add address=<RED_LAN_PRINCIPAL> dns-server=<DNS_INTERNO_1>,<DNS_INTERNO_2> \
gateway=<IP_GATEWAY_LAN>
/ip dns
set allow-remote-requests=yes servers=\
<DNS_PUBLICO_ISP1>,<DNS_PUBLICO_ISP2>,8.8.8.8,1.1.1.1
/ip dns static
add address=<IP_GATEWAY_LAN> comment=defconf name=<NOMBRE_DNS_ROUTER>
/ip firewall filter
add action=accept chain=input comment="Monitoreo zabbix" dst-port=161 \
protocol=udp src-address=<RED_MONITOREO_ZABBIX>
add action=accept chain=input comment="Permitir acceso remoto desde Forti" \
dst-port=22,80,443 protocol=tcp src-address=<RED_MONITOREO_ZABBIX>
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment=ZABBIX_REMOTO dst-port=161 protocol=udp \
src-address=<RED_MONITOREO_ZABBIX>
add action=accept chain=input dst-address=<IP_PUBLICA_WAN_PPPOE> in-interface=\
pppoe-out1 protocol=icmp
add action=accept chain=input comment="Permitir WebFig WAN" dst-address=\
<IP_PUBLICA_WAN_PPPOE> dst-port=80 in-interface=pppoe-out1 protocol=tcp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat disabled=yes out-interface=ether4
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=accept chain=srcnat comment=srnat-sslvpn dst-address=\
<RED_REMOTA_SSLVPN> src-address=<RED_LAN_PRINCIPAL>
/ip ipsec identity
add peer=dpt-caseros
add peer=FlorencioVarela
/ip ipsec policy
add comment="Tunel principal <RED_REMOTA_SITE_CASEROS> via Forti Pomar" \
dst-address=<RED_REMOTA_SITE_CASEROS> peer=dpt-caseros proposal=dp-caseros \
src-address=<RED_LAN_PRINCIPAL> tunnel=yes
add comment="VLAN <RED_REMOTA_VLAN_5> via Forti Florencio Varela" dst-address=\
<RED_REMOTA_VLAN_5> peer=FlorencioVarela proposal=dp-varela src-address=\
<RED_LAN_PRINCIPAL> tunnel=yes
add comment="VLAN <RED_REMOTA_VLAN_7> via Forti Florencio Varela" dst-address=\
<RED_REMOTA_VLAN_7> peer=FlorencioVarela proposal=dp-varela src-address=\
<RED_LAN_PRINCIPAL> tunnel=yes
add comment="Fase #2 para ssl vpn" dst-address=<RED_REMOTA_SSLVPN> peer=\
dpt-caseros src-address=<RED_LAN_PRINCIPAL> tunnel=yes
/ip route
add check-gateway=ping distance=2 gateway=<GATEWAY_PUBLICO_ISP2>
add disabled=yes distance=1 gateway=<GATEWAY_PUBLICO_SITE2>
add disabled=yes distance=1 gateway=<GATEWAY_PUBLICO_ISP1>
/snmp
set contact=zabbix enabled=yes location=<UBICACION_SNMP> trap-interfaces=all \
trap-version=2
/system clock
set time-zone-name=America/Argentina/Cordoba
/system identity
set name=<NOMBRE_ROUTER>
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Ok, now the four conditions are met:
- OK:
/interface bridge port
add bridge=bridge comment=defconf interface=ether2-LAN
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge interface=ether3
- Static address instead of DHCP, OK.
/ip address
add address=<IP_GATEWAY_LAN>/24 comment="LAN <RED_LAN_PRINCIPAL>" interface=bridge \
network=<RED_LAN_PRINCIPAL>
add address=<IP_PUBLICA_ISP2>/24 interface=ether4 network=<RED_PUBLICA_ISP2>
- OK,
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1-WAN1 list=WAN
add interface=pppoe-out1 list=WAN
add comment=ISP_BACKUP interface=ether4 list=WAN
- yes, OK
/ip firewall nat
add action=masquerade chain=srcnat disabled=yes out-interface=ether4
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
So, what remains are firewall and routes.
At first sight the firewall seems fine, let's check routes.
It would help if you could replace only the first three octets with letters, i.e. - example - if your real <IP_PUBLICA_ISP2>/24 is (say) 192.168.1.25/24, anonymize it as a.b.c.25/24, as it is easier to read/check; <RED_PUBLICA_ISP2> would likely become a.b.c.0.
What is the output of:
/ip route print
?
And of:
/tool traceroute 8.8.8.8
?
Another question: of course it depends on the specific ISP and contract you have, but are you sure that your router should have a /24 address (usually they give a /29 or narrower subnet)?
Hi Jaclaz,
Thank you first of all for your willingness to help me with this.
Here are the results of the routes and traceroute:
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 ADS 0.0.0.0/0 pppoe-out1 1
1 S 0.0.0.0/0 a.b.c.254 2
2 X S 0.0.0.0/0 d.e.f.165 1
3 X S 0.0.0.0/0 g.h.i.1 1
4 ADC j.k.l.48/32 g.h.i.24 pppoe-out1 0
5 ADC a.b.c.0/24 a.b.c.155 ether4 0
6 ADC m.n.o.0/24 m.n.o.1 bridge 0
[admin@RouterOS] >
[admin@RouterOS] > /tool traceroute x.y.z.8 src-address=a.b.c.155
# ADDRESS LOSS SENT LAST AVG BEST WORST STD-DEV STATUS
1 j.k.l.48 0% 14 1.5ms 2.5 1.5 6.8 1.2
2 100% 14 timeout
3 100% 14 timeout
4 j.m.n.234 7.7% 13 1.7ms 2 1.6 2.5 0.3
5 o.p.q.198 0% 13 1.8ms 2 1.6 3 0.4
6 r.s.t.29 0% 13 3ms 2.8 1.8 3.8 0.6
7 u.v.w.147 0% 13 3ms 4.7 1.8 31.4 7.7
8 x.y.z.8 0% 13 3.3ms 3.1 2.1 3.4 0.4
[admin@RouterOS] >
Here's the anonymized ISP information:
ip: a.b.c.155/24
mask: 255.255.255.0
gateway: a.b.c.254
dns: e.f.g.1, a.b.d.1
I've been trying to figure out what the problem is for a week now. I hope you can help me solve this problem if it's a problem with the Mikro's configuration.
The route with gateway pppoe-out1 is A (active) (and at the same time D dynamic and S static; this is strange but irrelevant, possibly it has to do with PPPoE).
The route with gateway a.b.c.254 is (right now) NOT active (because it has a higher distance of 2) and S static.
The following two routes are disabled.
The following three routes are ADC (Active, Dynamic, Connect, they are generated automatically from the ip addresses assigned).
Your traceroute shows that the connection happens through j.k.l.48, so via pppoe-out1.
In theory if you disable (temporarily) the route:
0 ADS 0.0.0.0/0 pppoe-out1 1
(provided that it can be disabled, otherwise, still temporarily, disconnect the cable from ether1) and you repeat the two tests, you should see the route:
1 S 0.0.0.0/0 a.b.c.254 2
become AS instead of S and the traceroute (of course if connectivity works) should have as first hop a.b.c.254 (or maybe a.b.c.155?).
Try this and post results.
I understand.
I'll be able to perform these tests with PPPoE disabled in a couple of days, as it's not possible right now.
All the information and tests I can do these days are remotely, connecting to WebConfig from ISP1's public IP address.
If there's anything else I can do for now, please let me know. Otherwise, I'll wait until I can be on-site to perform the test with ISP1 disabled.
Yep, I understand the difficulties with working "remote", of course there is no hurry.
It is still possible that there is something in the firewall (though I cannot see anything obviously "wrong"), but it is better to go in order and do these tests first.
You should also update RouterOS to latest v6 version (v6.49.19 if I recall correctly), but this also is better done when physical presence near the router is possible.
Yes, the update will eventually load. But my priority right now is to get ISP2 working properly, or at least rule out the possibility that the problem stems from the Mikrotik's configuration, so I can decide whether to change ISPs or routers.
I'll share the results as soon as I can run this test. If you have any other tests in mind that I should run with ISP1 disabled, please let me know so I can perform them when I'm on-site.
I should mention that I only have short periods for testing, as ISP1 is operational on my network and we depend on it full-time.
The mentioned test will take little time "offline"; the issues (if any) will come if the test is not successful and there is need to troubleshoot further.
Then we will need to think of which failover method is suitable, there are basically two methods:
- using recursive routing
- using netwatch
The netwatch one can also be divided into several methods, depending on the way the check is performed (but for some you would need to update to v7.x).
BTW, which model of router is yours? Some (older) models are better kept at v6.x, because they have too few resources (CPU, RAM, storage) to work well with v7.
Okay, I understand.
The router is a Mikrotik RB750Gr3.
Hi jaclaz,
I've run tests disabling ISP1 PPPoE, here are the results:
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 X S ;;; Regla marcada para pruebas aisladas de ether4-WAN2
0.0.0.0/0 a.b.c.254 5
1 A S 0.0.0.0/0 a.b.c.254 2
2 X S 0.0.0.0/0 d.e.f.165 1
3 X S 0.0.0.0/0 g.h.i.1 1
4 ADC a.b.c.0/24 a.b.c.155 ether4 0
5 ADC m.n.o.0/24 m.n.o.1 bridge 0
[admin@RouterOS] >
You'll see a new route I created to perform an isolated test with a mangle rule and force the route out through ether4. I disabled this route, as well as the rule itself, for this test.
Here's the traceroute result.
[admin@RouterOS] > /tool traceroute 8.8.8.8
# ADDRESS LOSS SENT LAST AVG BEST WORST STD-DEV STATUS
1 a.b.c.254 0% 24 2.3ms 1.9 1.5 2.3 0.2
2 p.q.r.42 0% 24 1.8ms 2.2 1.8 2.8 0.2
3 p.q.r.146 0% 24 8.6ms 10.3 1.3 27.9 7.7
4 s.t.u.192 0% 24 1.4ms 1.6 1.3 2.1 0.2
5 v.w.y.111 0% 24 3ms 3.2 3 3.6 0.2
6 u.v.w.169 0% 24 3.5ms 3.4 3 3.6 0.1
7 8.8.8.8 0% 24 3ms 3.3 3 3.5 0.1
-- [Q quit|D dump|C-z pause]
Additionally, I ran the ping command from the Winbox terminal.
[admin@RouterOS] > ping 8.8.8.8
SEQ HOST SIZE TTL TIME STATUS
0 8.8.8.8 56 119 3ms
1 8.8.8.8 56 119 3ms
2 8.8.8.8 56 119 3ms
3 8.8.8.8 56 119 3ms
4 8.8.8.8 56 119 3ms
5 8.8.8.8 56 119 3ms
6 8.8.8.8 56 119 3ms
7 8.8.8.8 56 119 3ms
sent=8 received=8 packet-loss=0% min-rtt=3ms avg-rtt=3ms max-rtt=3ms
[admin@RouterOS] >
As you can see, we have positive results in these internal tests from the Mikrotik, however I still can't access the internet from the workstations. Here's a ping I performed from one of them:
C:\Users\alexander.rojas>ping 8.8.8.8 -n 5
Haciendo ping a 8.8.8.8 con 32 bytes de datos:
Tiempo de espera agotado para esta solicitud.
Tiempo de espera agotado para esta solicitud.
Tiempo de espera agotado para esta solicitud.
Respuesta desde a.b.2.1: Red de destino inaccesible.
Respuesta desde a.b.2.1: Red de destino inaccesible.
Estadísticas de ping para 8.8.8.8:
Paquetes: enviados = 5, recibidos = 2, perdidos = 3
(60% perdidos),
Where a.b.2.1 is the LAN gateway.
I await your feedback.
Regards.
The good news is that the Mikrotik is connecting to the internet, so ISP2 is configured correctly.
The route through a.b.c.254 is AS (Active, Static) as it should be, and it is confirmed by the traceroute output.
BUT you cannot access the internet from your PC on the LAN (I presume that pinging the LAN side of the router - i.e. the bridge - from the PC is working):
/ip address
add address=<IP_GATEWAY_LAN>/24 comment="LAN <RED_LAN_PRINCIPAL>" interface=bridge \
network=<RED_LAN_PRINCIPAL>
To confirm, try running from the PC a traceroute (tracert in Windows) towards 8.8.8.8, the first hop should be the IP address of the bridge (and after that "nothing").
So what remains are firewall and nat.
NAT is fine, you are natting anything that tries to go out from any of the interfaces in the WAN list (that includes the ether4):
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
So only firewall remains.
Please post again your last full configuration, so that it can be re-checked.
Here's the result of the tracert:
C:\Users\alexander.rojas>tracert 8.8.8.8
Traza a 8.8.8.8 sobre caminos de 30 saltos como máximo.
1 192.168.2.1 informes: Red de destino inaccesible.
Traza completa.
C:\Users\alexander.rojas>
I did this from a workstation as you indicated.
Here's the current Mikrotik configuration:
# dec/01/2025 17:06:50 by RouterOS 6.48.6
# software id = G8D9-ZKIL
#
# model = RB750Gr3
# serial number =
/interface bridge
add comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] name=ether1-WAN1
set [ find default-name=ether2 ] name=ether2-LAN
set [ find default-name=ether4 ] comment=WAN2
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1-WAN1 name=pppoe-out1 \
user=
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec profile
set [ find default=yes ] dh-group=modp1024 dpd-interval=5s enc-algorithm=des \
nat-traversal=no
add dh-group=modp1536 dpd-interval=5s enc-algorithm=3des name=dp-caseros \
nat-traversal=no
add dh-group=modp1536 dpd-interval=5s enc-algorithm=3des name=dp-varela \
nat-traversal=no
/ip ipsec peer
add address=d.g.h.49/32 local-address=g.h.i.24 name=dpt-caseros \
profile=dp-caseros
add address=d.i.j.42/32 local-address=d.e.f.166 name=\
FlorencioVarela profile=dp-varela
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des pfs-group=modp1536
add enc-algorithms=3des name=dp-caseros pfs-group=none
add enc-algorithms=3des name=dp-varela pfs-group=none
/ip pool
add name=dhcp ranges=m.n.o.10-m.n.o.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge lease-time=1d name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2-LAN
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge interface=ether3
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1-WAN1 list=WAN
add interface=pppoe-out1 list=WAN
add comment=ISP_BACKUP interface=ether4 list=WAN
/ip address
add address=m.n.o.1/24 comment="LAN m.n.o.0/24" interface=bridge \
network=m.n.o.0
add address=a.b.c.155/24 interface=ether4 network=a.b.c.0
/ip dhcp-client
add comment=defconf interface=ether1-WAN1
add interface=ether3
/ip dhcp-server lease
add address=m.n.o.242 comment=CRONOS mac-address=00:01:A9:14:E3:1C \
server=defconf
add address=m.n.o.226 client-id=1:a8:41:f4:58:50:59 comment=CAMARA02 \
mac-address=A8:41:F4:58:50:59 server=defconf
add address=m.n.o.223 client-id=1:0:21:b7:63:68:35 comment=\
IMPL-Facturacion mac-address=00:21:B7:63:68:35 server=defconf
add address=m.n.o.222 client-id=1:0:21:b7:61:39:1f comment=\
IMPL-Administracion mac-address=00:21:B7:61:39:1F server=defconf
add address=m.n.o.144 client-id=1:d0:21:f9:33:0:2c comment="Ubiquiti 02" \
mac-address=D0:21:F9:33:00:2C server=defconf
add address=m.n.o.137 client-id=1:d0:21:f9:33:6:32 comment="Ubiquiti 01" \
mac-address=D0:21:F9:33:06:32 server=defconf
add address=m.n.o.78 client-id=1:a8:41:f4:58:4f:51 comment=CAMARA01 \
mac-address=A8:41:F4:58:4F:51 server=defconf
/ip dhcp-server network
add address=m.n.o.0/24 dns-server=q.r.s.9,q.r.s.8 gateway=\
m.n.o.1
/ip dns
set allow-remote-requests=yes servers=\
j.k.m.165,a.b.d.1,x.y.z.8,y.z.a.1
/ip dns static
add address=m.n.o.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="Monitoreo zabbix" dst-port=161 \
protocol=udp src-address=q.r.s.0/24
add action=accept chain=input comment="Permitir acceso remoto desde Forti" \
dst-port=22,80,443 protocol=tcp src-address=q.r.s.0/24
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment=ZABBIX_REMOTO dst-port=161 protocol=udp \
src-address=q.r.s.0/24
add action=accept chain=input dst-address=g.h.i.24 in-interface=\
pppoe-out1 protocol=icmp
add action=accept chain=input comment="Permitir WebFig WAN" dst-address=\
g.h.i.24 dst-port=80 in-interface=pppoe-out1 protocol=tcp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=mark-routing chain=output disabled=yes new-routing-mark=\
linea2_route passthrough=no src-address=a.b.c.155
/ip firewall nat
add action=masquerade chain=srcnat disabled=yes out-interface=ether4
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=accept chain=srcnat comment=srnat-sslvpn dst-address=\
z.a.b.0/24 src-address=m.n.o.0/24
/ip ipsec identity
add peer=dpt-caseros
add peer=FlorencioVarela
/ip ipsec policy
add comment="Tunel principal q.r.s.0/24 via Forti Pomar" dst-address=\
q.r.s.0/24 peer=dpt-caseros proposal=dp-caseros src-address=\
m.n.o.0/24 tunnel=yes
add comment="VLAN t.u.v.0/24 via Forti Florencio Varela" dst-address=\
t.u.v.0/24 peer=FlorencioVarela proposal=dp-varela src-address=\
m.n.o.0/24 tunnel=yes
add comment="VLAN w.x.y.0/24 via Forti Florencio Varela" dst-address=\
w.x.y.0/24 peer=FlorencioVarela proposal=dp-varela src-address=\
m.n.o.0/24 tunnel=yes
add comment="Fase #2 para ssl vpn" dst-address=z.a.b.0/24 peer=\
dpt-caseros src-address=m.n.o.0/24 tunnel=yes
/ip route
add check-gateway=ping comment=\
"Regla marcada para pruebas aisladas de ether4-WAN2" disabled=yes \
distance=5 gateway=a.b.c.254 routing-mark=linea2_route
add check-gateway=ping distance=2 gateway=a.b.c.254
add disabled=yes distance=1 gateway=d.e.f.165
add disabled=yes distance=1 gateway=g.h.i.1
/snmp
set contact=zabbix enabled=yes location=boedo trap-interfaces=all \
trap-version=2
/system clock
set time-zone-name=America/Argentina/Cordoba
/system identity
set name=RouterOS
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
I cannot see anything "wrong" in NAT or firewall, but you have a connection between client and bridge and between ether4 and the internet, so the issue must be there, i.e. between bridge and ether4.
Let's wait and see if some other members can spot where the issue is.
Can you try to see with /ip address print how many IP addresses are listed for ether4? Also, while testing, maybe temporarily disable the IPsec policies.
You currently have a DHCP client entry enabled on ether3 that should be disabled.
You can try an upgrade to the latest long-term version 6.49.18 too.