I have a Mikrotik RB450 and two ISPs.
The first ISP is unlimited, so it is preferred.
The second one is paid per GB and is used as backup when the first is not reachable.
# jan/02/1970 00:26:48 by RouterOS 6.6
# software id = EI2D-D754
#
/interface ethernet
set [ find default-name=ether1 ] comment=WAN name=ether1_PPPoE
set [ find default-name=ether2 ] name=ether2_Zyxel
set [ find default-name=ether3 ] name=ether3_WAN3
set [ find default-name=ether4 ] comment=LAN name=ether4_masterLAN
set [ find default-name=ether5 ] master-port=ether4_masterLAN
/interface pppoe-client
add disabled=no interface=ether1_PPPoE name=pppoe-out1 password=secret1 use-peer-dns=yes user=user1
/ip neighbor discovery
set ether1_PPPoE comment=WAN
set ether4_masterLAN comment=LAN
/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m mac-cookie-timeout=3d
/ip pool
add name=dhcp_pool1 ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=ether4_masterLAN name=dhcp1
/port
set 0 name=serial0
/ip address
add address=192.168.88.1/24 interface=ether4_masterLAN network=192.168.88.0
/ip dhcp-client
add default-route-distance=2 dhcp-options=hostname,clientid disabled=no interface=ether2_Zyxel
/ip dhcp-server network
add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=192.168.1.1,8.8.8.8
/ip firewall filter
add chain=input comment=Allow_ping protocol=icmp
add chain=forward protocol=icmp
add chain=input comment=Accept_established_connections connection-state=established
add chain=forward connection-state=established
add chain=input comment=Accept_related_connections connection-state=related
add chain=forward connection-state=related
add action=drop chain=input comment=Drop_invalid_connections connection-state=invalid
add action=drop chain=forward connection-state=invalid
add chain=input comment=Allow_UDP protocol=udp
add chain=forward protocol=udp
add chain=forward comment=Acces_to_Internet_from_local_network src-address=192.168.88.0/24
add chain=input comment=Access_to_Mikrotik_only_from_our_local_network src-address=192.168.88.0/24
add action=drop chain=input comment=All_other_drop
add action=drop chain=forward
/ip firewall mangle
add action=change-mss chain=forward in-interface=ether2_Zyxel new-mss=1440 protocol=tcp tcp-flags=syn tcp-mss=1441-65535
add action=change-mss chain=forward new-mss=1452 out-interface=ether2_Zyxel protocol=tcp tcp-flags=syn tcp-mss=1453-65535
/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe-out1
add action=masquerade chain=srcnat out-interface=ether2_Zyxel
/ip firewall service-port
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
/ip route
add check-gateway=ping distance=1 gateway=10.10.10.1
/ip service
set telnet disabled=yes
set ssh address=192.168.88.0/24
set api disabled=yes
set api-ssl disabled=yes
OK, it was configured by another person who is on vacation right now. It worked fine for about 4 months.
The problem is that the gateway check is not working properly anymore for the first ISP, so my Mikrotik enabled my backup ISP.
I used that second backup ISP during the last few days and then figured out how to disable the gateway check.
OK, I also tried to change the type of check from ping to arp. But Mikrotik uses the default route for a few seconds, then switches me to the backup ISP again (no matter what the check type is, ping or arp).
So I'm on my first unlimited ISP and it works fine so far (without any automatic switching).
What I need is to ping 8.8.8.8 using the first ISP and, if 8.8.8.8 is not reachable, switch to my second ISP. Then switch back if 8.8.8.8 is available again via the first ISP.
How do I perform it?
Please advise.
Hi again, it seems I figured out how to change the settings to check my first ISP by pinging Google. I tested it by physically disconnecting the Ethernet connector and then connecting it again. It seems to work.
# software id = EI2D-D754
#
/interface ethernet
set [ find default-name=ether1 ] comment=WAN name=ether1_PPPoE
set [ find default-name=ether2 ] name=ether2_Zyxel
set [ find default-name=ether3 ] name=ether3_WAN3
set [ find default-name=ether4 ] comment=LAN name=ether4_masterLAN
set [ find default-name=ether5 ] master-port=ether4_masterLAN
/interface pppoe-client
add disabled=no interface=ether1_PPPoE name=pppoe-out1 password=mypassword1 use-peer-dns=yes user=myusername1
/ip neighbor discovery
set ether1_PPPoE comment=WAN
set ether4_masterLAN comment=LAN
/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m mac-cookie-timeout=3d
/ip pool
add name=dhcp_pool1 ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=ether4_masterLAN name=dhcp1
/port
set 0 name=serial0
/ip address
add address=192.168.88.1/24 interface=ether4_masterLAN network=192.168.88.0
/ip dhcp-client
add default-route-distance=2 dhcp-options=hostname,clientid disabled=no interface=ether2_Zyxel
/ip dhcp-server network
add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=192.168.1.1,8.8.8.8
/ip firewall filter
add chain=input comment=Allow_ping protocol=icmp
add chain=forward protocol=icmp
add chain=input comment=Accept_established_connections connection-state=established
add chain=forward connection-state=established
add chain=input comment=Accept_related_connections connection-state=related
add chain=forward connection-state=related
add action=drop chain=input comment=Drop_invalid_connections connection-state=invalid
add action=drop chain=forward connection-state=invalid
add chain=input comment=Allow_UDP protocol=udp
add chain=forward protocol=udp
add chain=forward comment=Acces_to_Internet_from_local_network src-address=192.168.88.0/24
add chain=input comment=Access_to_Mikrotik_only_from_our_local_network src-address=192.168.88.0/24
add action=drop chain=input comment=All_other_drop
add action=drop chain=forward
/ip firewall mangle
add action=change-mss chain=forward in-interface=ether2_Zyxel new-mss=1440 protocol=tcp tcp-flags=syn tcp-mss=1441-65535
add action=change-mss chain=forward new-mss=1452 out-interface=ether2_Zyxel protocol=tcp tcp-flags=syn tcp-mss=1453-65535
/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe-out1
add action=masquerade chain=srcnat out-interface=ether2_Zyxel
/ip firewall service-port
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
/ip route
add check-gateway=ping distance=1 gateway=8.8.8.8 routing-mark=myisp1
add distance=1 gateway=10.10.10.1
add distance=1 dst-address=8.8.8.8/32 gateway=10.10.10.1 scope=10
/ip service
set telnet disabled=yes
set ssh address=192.168.88.0/24
set api disabled=yes
set api-ssl disabled=yes
The disadvantage of using 8.8.8.8 for this (which you also use for DNS) is that the DNS service stops working when the main internet service fails.
So at first you appear to have working internet, but after a while things start breaking down.
You need to use a different IP to statically route via ISP1 and check via ping, and to offer DNS service.
Of course Google has a second IP, 8.8.4.4, which you could use.
As @pe1chl suggested, you should have at least two or three hosts for monitoring before any failover is done, just to avoid any false alarm.
I always prefer the scripting method because it's more reliable, can give you pretty much accurate results, and can perform various interesting, bizarre functions like sending SMS/email/annoying alarm sounds upon failover/failback, etc.
Snippet:
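# Monitoring hosts (example values)
:local host1 8.8.8.8
:local host2 8.8.4.4
# F counts the failed pings across both hosts
:local F 0
# PING each host 10 times
:for i from=1 to=10 do={
:if ([/ping $host1 count=1]=0) do={:set F ($F + 1)}
:if ([/ping $host2 count=1]=0) do={:set F ($F + 1)}
};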
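
The multi-host check discussed in the replies above, carried through to the failover and failback decision. This is an added example, not code posted by anyone in the thread. It assumes the ISP1 default route has been given the hypothetical comment ISP1_default, that each monitor host has its own /32 static route via the ISP1 gateway (as the 8.8.8.8/32 route does in the second export), and that the monitor hosts are not the DNS servers handed to clients; the two host addresses are example values.

```routeros
# Added example. Assumptions: the ISP1 default route carries the hypothetical
# comment "ISP1_default"; every monitor host below has a /32 static route via
# the ISP1 gateway, so probes keep using ISP1 even after failover.
:local hosts {8.8.4.4;208.67.222.222}
:local pings 5
:local down 0

# A host counts as down only when every ping to it is lost
:foreach h in=$hosts do={
    :if ([/ping $h count=$pings] = 0) do={ :set down ($down + 1) }
}

# Current state of the ISP1 default route (one of the two lists is empty)
:local active [/ip route find comment="ISP1_default" disabled=no]
:local parked [/ip route find comment="ISP1_default" disabled=yes]

:if ($down = [:len $hosts]) do={
    # All monitor hosts are down: disable the ISP1 default route so the
    # DHCP-learned route (distance 2) on the backup link takes over
    :if ([:len $active] > 0) do={
        /ip route set $active disabled=yes
        :log warning "ISP1 monitor hosts unreachable: default route disabled, using backup ISP"
    }
} else={
    # At least one monitor host answers via ISP1: restore the route if needed
    :if ([:len $parked] > 0) do={
        /ip route set $parked disabled=no
        :log warning "ISP1 monitor host reachable again: default route re-enabled"
    }
}
```

Run it from /system scheduler at a fixed interval. The log lines are written only on a state change, so each failover and failback leaves one entry to review.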