Src.address getting ignored netwatch

Hi,
Trying to set up Netwatch for my LTE failover. It pings 1.1.1.1 and switches to LTE when the main connection fails. However, it continues to ping 1.1.1.1 through the LTE connection and mistakenly reports that the main route is fine, causing it to switch back to the main connection, which then fails to ping again. This results in an endless loop of switching between LTE and the main connection. I’ve set the Src. address in Netwatch to the IP of the main ISP, but it seems to ignore that setting. Below are my configuration and logs.

/interface lte
set [ find default-name=lte1 ] allow-roaming=no band="" sms-read=no
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=pool1 ranges=192.168.xx.xx-192.168.xx.xx
/ip dhcp-server
add address-pool=pool1 interface=bridge name=defconf
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=lte1 list=WAN
add interface=ether1 list=WAN
/ip address
add address=103.95.xx.xx comment=WAN1 interface=ether1 network=103.95.xx.xx
add address=192.168.xx.xx/24 interface=bridge network=192.168.xx.xx
/ip dhcp-server network
add address=192.168.xx.xx/24 dns-server=192.168.xx.xx gateway=192.168.xx.xx netmask=24
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip dns static
add address=192.168.xx.xx comment=defconf name=router.lan
/ip firewall nat
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface-list=WAN
/ip route
add check-gateway=none comment=MAINROUTE disabled=no distance=1 dst-address=0.0.0.0/0 gateway=103.95.xx.xx pref-src="" routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
/system clock
set time-zone-name=Australia/Brisbane
/system identity
set name="4g backup"
/system logging
add topics=debug
/system note
set show-at-login=no
/tool netwatch
add disabled=no down-script="/ip route disable [find comment=\"MAINROUTE\"]\r\
    \n:log error \"ISP1 is down\"" host=1.1.1.1 http-codes="" interval=7s src-address=103.95.xx.xx startup-delay=0s test-script="" timeout=1s type=icmp \
    up-script="/ip route enable [find comment=\"MAINROUTE\"]\r\
    \n:log warning \"ISP1 is up\""
/tool sniffer
set filter-interface=lte1

I also see that src-address is ignored. I have a Chateau LTE6 AX and I am using an LTE connection as a backup for a FTTP connection. Testing the FTTP connection with

/tool/ping 1.1.1.1 interface=pppoe-out1

gives ping times < 5ms.

Using

/tool/ping 1.1.1.1 interface=lte1

gives ping times > 50ms. So /tool/ping is using the expected interface and the significant difference in times can be used as a check for netwatch.

When I set the src-address in /tool/netwatch to the lte1 IP address, the status response times I get for type=simple, icmp, or tcp-conn are all much less than 50ms, so the connections cannot have used LTE. When I test with type=http-get or https-get against a server I own, I can see from the access.log file that the connections came from the pppoe-out1 IP address.

My workaround is this

/ip route
add comment="Force 4.2.2.1 to use FTTP network (for Netwatch)" disabled=no distance=1 dst-address=4.2.2.1/32 gateway=pppoe-out1 \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add comment="Force 4.2.2.2 to use LTE network (for Netwatch)" disabled=no distance=1 dst-address=4.2.2.2/32 gateway=lte1 routing-table=main \
    scope=30 suppress-hw-offload=no target-scope=10

The 4.2.2.x Level 3 servers are only used by netwatch so adding special routes hasn’t caused a problem so far.
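The workaround above, carried through to a complete failover configuration, as an added example (this is not from the original posts or from MikroTik). It assumes RouterOS v7 syntax, interface names pppoe-out1 and lte1, the probe targets 4.2.2.1 and 4.2.2.2, and the route comments MAINROUTE and LTEROUTE; adjust them to your router. The point is that each probe target is pinned to one uplink by a /32 route, so Netwatch can no longer "succeed" over the backup link and flip the main route back on, and a second /32 blackhole with a higher distance stops the probe from leaking out the other uplink when the pinned interface is down.

```routeros
# Added example, not the original poster's configuration.
# Assumptions: RouterOS v7, uplinks pppoe-out1 (FTTP) and lte1 (LTE backup),
# probe targets 4.2.2.1 / 4.2.2.2, route comments MAINROUTE / LTEROUTE.

/ip route
# Primary default route via FTTP. Netwatch enables/disables this one.
add comment=MAINROUTE distance=1 dst-address=0.0.0.0/0 gateway=pppoe-out1
# Backup default route via LTE. Higher distance, so it only carries traffic
# while MAINROUTE is disabled (or its gateway is unreachable).
add comment=LTEROUTE distance=2 dst-address=0.0.0.0/0 gateway=lte1

# Pin the FTTP probe target to pppoe-out1 so the probe never goes out via LTE.
add comment="FTTP probe target" distance=1 dst-address=4.2.2.1/32 gateway=pppoe-out1
# If pppoe-out1 is down the /32 above becomes inactive and the probe would fall
# through to the LTE default route and wrongly succeed. Blackhole it instead
# (distance 2, so it only wins when the pinned route is inactive).
# RouterOS v6 spells this type=blackhole instead of blackhole=yes.
add comment="FTTP probe blackhole" distance=2 dst-address=4.2.2.1/32 blackhole=yes

# Same pair for the LTE probe target, pinned to lte1.
add comment="LTE probe target" distance=1 dst-address=4.2.2.2/32 gateway=lte1
add comment="LTE probe blackhole" distance=2 dst-address=4.2.2.2/32 blackhole=yes

/tool netwatch
# Because 4.2.2.1 can only ever leave via pppoe-out1, a timeout here means
# FTTP is really down, even while all other traffic is already on LTE.
add host=4.2.2.1 interval=10s timeout=1s type=icmp down-script="/ip route disable [find comment=\"MAINROUTE\"]; :log error \"FTTP down, failing over to LTE\"" up-script="/ip route enable [find comment=\"MAINROUTE\"]; :log warning \"FTTP up, failing back\""
# Optional second watcher so you find out when the backup itself is unusable.
add host=4.2.2.2 interval=30s timeout=2s type=icmp down-script=":log error \"LTE backup is down\"" up-script=":log info \"LTE backup is up\""
```

Two things to check after applying this: `/ip route print where dst-address=4.2.2.1/32` should show the pppoe-out1 entry active and the blackhole entry inactive while FTTP is up, and `/tool ping 4.2.2.1` from the router should show the sub-5ms FTTP latency rather than the 50ms+ LTE latency, regardless of which default route is currently active.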

Did you report the problem to Mikrotik?

Same here, using the local IP address of the WG peer in Netwatch as an src-address doesn't pass the traffic through the WG tunnel; instead, it goes out from the main interface.

The OP (original poster) shows no route information at all, either from the config or a snapshot of the actual WinBox IP route setup, so there is not enough info.

Simply change 1.1.1.1 to your public IP of ether1, and use a 30 sec interval.

As the OP didn’t reply to say it had been reported to Mikrotik I have now reported it (SUP-158089).