Two WANs into the router, but can't get WAN2 to work.

Hi All

We have a MikroTik router RB3011UiAS (arm), firmware v6.49.7.
Attached is my running configuration (we provision all routers from a template).

There are two (2) Internet Service Providers coming into the router: 1 is the primary connection and 2 is the backup connection.

I've set it up so that the IP that Netwatch is pinging should go out via WAN1.

When Netwatch sees the PING is down, it will run the DOWN script.
The DOWN script will change the distance on the routes and move to the lowest distance in order to utilize the backup ISP connected to the router on ETH2/WAN2.
It also updates the Dynamic DNS so it knows its new public IP from WAN2.

My problem is, when WAN1 goes down, the down script runs, but it seems it is not using ETH2/WAN2 (and there is no internet from the router).

We have plugged the cable (that's going to ETH2) into a laptop and programmed the laptop with the IP info as we provisioned for ETH2/WAN2 on the router, and on the laptop it worked fine,
so I know the ISP2 connection is working fine.


I'm willing to pay someone for their time to help me figure this out and improve our template.


# dec/08/2022 16:55:33 by RouterOS 6.49.7
# software id = EN0R-I5MX
#
# model = RouterBOARD 3011UiAS
# serial number = B00A0AA00000
/interface bridge
add name=LAN
/interface ethernet
set [ find default-name=ether1 ] name="WAN1 ETH1"
set [ find default-name=ether2 ] name="WAN2 ETH2"
/interface list
add name=WAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool1 ranges=192.168.15.30-192.168.15.199
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=LAN lease-time=3d name=\
    dhcp1
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
add bridge=LAN interface=ether3
add bridge=LAN interface=ether4
add bridge=LAN interface=ether5
add bridge=LAN interface=ether6
add bridge=LAN interface=ether7
add bridge=LAN interface=ether8
add bridge=LAN interface=ether9
add bridge=LAN interface=ether10
add bridge=LAN interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface list member
add interface="WAN1 ETH1" list=WAN
add interface="WAN2 ETH2" list=WAN
/ip address
add address=10.14.200.100/24 interface="WAN1 ETH1" network=10.14.200.0
add address=192.168.15.1/24 interface=LAN network=192.168.15.0
add address=19.50.40.214/29 interface="WAN2 ETH2" network=19.50.40.208
/ip dhcp-client
add default-route-distance=50 disabled=no interface="WAN2 ETH2" use-peer-dns=\
    no use-peer-ntp=no
/ip dhcp-server network
add address=192.168.15.0/24 dns-server=\
    192.168.15.1 gateway=192.168.15.1
/ip dns
set allow-remote-requests=yes servers=\
    8.8.8.8,4.2.2.1
/ip firewall address-list
add address=0.0.0.0/8 list="Blocked IP"
add address=127.0.0.0/8 list="Blocked IP"
add address=224.0.0.0/3 list="Blocked IP"
/ip firewall filter
add action=accept chain=input comment="MikroTik - Winbox Access" dst-port=\
    8291 protocol=tcp src-address-list=my_access
add action=accept chain=input comment="MikroTik - SSH Access" dst-port=7122 \
    protocol=tcp src-address-list=my_access
add action=accept chain=input dst-port=161 protocol=udp src-address-list=\
    my_access
add action=reject chain=forward comment="tcp reset" disabled=yes protocol=tcp \
    reject-with=tcp-reset
add action=drop chain=output dst-address=8.8.4.4 out-interface="!WAN1 ETH1" \
    protocol=icmp
add action=drop chain=output dst-address=1.1.1.2 out-interface="!WAN2 ETH2" \
    protocol=icmp
add action=drop chain=input comment="Dropp blocked IP" src-address-list=\
    "port scanners"
add action=drop chain=input comment="Drop port scanners" src-address-list=\
    "port scanners"
add action=drop chain=forward comment="Drop port scanners" src-address-list=\
    "port scanners"
add action=drop chain=input comment="Dropp blocked IP" src-address-list=\
    "Blocked IP"
add action=accept chain=input comment="ICMP" protocol=icmp \
    src-address-list=my_access
add action=accept chain=input comment="Monitoring" protocol=icmp \
    src-address-list=my_monitoring
add action=accept chain=input comment="input established WAN" \
    connection-state=established in-interface-list=WAN
add action=accept chain=input comment="input related WAN" connection-state=\
    related in-interface-list=WAN
add action=accept chain=forward comment="forward established WAN" \
    connection-state=established in-interface-list=WAN
add action=accept chain=forward comment="forward related WAN" \
    connection-state=related in-interface-list=WAN
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="Port scanners to list " \
    protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="NMAP FIN Stealth scan" \
    protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="SYN/FIN scan" protocol=tcp \
    tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="SYN/RST scan" protocol=tcp \
    tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" protocol=\
    tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="ALL/ALL scan" protocol=tcp \
    tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="NMAP NULL scan" protocol=tcp \
    tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=forward comment="Port scanners to list " \
    protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=forward comment="NMAP FIN Stealth scan" \
    protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=forward comment="SYN/FIN scan" protocol=tcp \
    tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=forward comment="SYN/RST scan" protocol=tcp \
    tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=forward comment="FIN/PSH/URG scan" \
    protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=forward comment="ALL/ALL scan" protocol=tcp \
    tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=forward comment="NMAP NULL scan" protocol=\
    tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=accept chain=input comment=Winbox disabled=yes dst-port=8000 \
    protocol=tcp
add action=accept chain=input comment=Winbox disabled=yes dst-port=6122 \
    protocol=tcp
add action=drop chain=forward disabled=yes dst-address-list=!my_host \
    dst-port=80,443 out-interface="WAN1 ETH1" protocol=tcp src-address=\
    !192.168.15.5
add action=drop chain=input comment="input drop wan" in-interface-list=WAN
add action=drop chain=forward comment="forward drop WAN" in-interface-list=\
    WAN out-interface=!LAN
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=masquerade chain=srcnat out-interface="WAN1 ETH1"
add action=masquerade chain=srcnat out-interface="WAN2 ETH2"
add action=dst-nat chain=dstnat comment=Switch1 dst-port=8010 \
    in-interface-list=WAN protocol=tcp src-address-list=my_host \
    to-addresses=192.168.15.210 to-ports=80
add action=dst-nat chain=dstnat dst-port=3030 protocol=tcp src-address-list=\
    my_host to-addresses=192.168.15.5 to-ports=3030
/ip firewall service-port
set h323 disabled=yes
set sip disabled=yes
/ip route
add check-gateway=ping comment="Default Route" distance=5 gateway=\
    10.14.200.1
add check-gateway=ping comment="Secondary Route" distance=10 gateway=\
    19.50.40.209
add check-gateway=ping comment=\
    "Route to check 4.2.2.1 connectivity via Secondary  Link" distance=10 \
    dst-address=1.1.1.2/32 gateway="WAN2 ETH2"
add check-gateway=ping comment=\
    "Route to check 8.8.4.4 connectivity via PRIMARY Link" distance=1 \
    dst-address=8.8.4.4/32 gateway=10.14.200.1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.15.0/24 port=8089
set api disabled=yes
set api-ssl disabled=yes
/lcd
set backlight-timeout=never default-screen=informative-slideshow \
    read-only-mode=yes touch-screen=disabled
/system clock
set time-zone-name=America/New_York
/system identity
set name=my_router
/system logging
add action=remote prefix=my_router topics=info
add action=remote prefix=my_router topics=critical
add action=remote prefix=my_router topics=error
add action=remote prefix=my_router topics=warning
/system ntp client
set enabled=yes server-dns-names="pool.ntp.org,0.north-america.pool.ntp.org,1.\
    north-america.pool.ntp.org,2.north-america.pool.ntp.org,3.north-america.po\
    ol.ntp.org"
/system scheduler
add interval=1m name=DynDns on-event=DynDns policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive start-time=\
    startup
/system script
add dont-require-permissions=yes name=down owner=admin policy=\
    reboot,read,write,policy,test source=":log warning \"PRIMARY link seems to\
    \_be DOWN - Running Down script\" \r\
    \n\r\
    \n/ip route set [find comment=\"Default Route\"] distance=15\r\
    \n\r\
    \n/ip firewall connection {:foreach i in [find protocol=\"tcp\"] do={remov\
    e \$i}}\r\
    \n/ip firewall connection {:foreach i in [find protocol=\"udp\"] do={remov\
    e \$i}}\r\
    \n\r\
    \n/ip  firewall filter set [find comment =\"tcp reset\"] disabled=no\r\
    \n\r\
    \ndelay delay-time=10\r\
    \n\r\
    \n/ip  firewall filter set [find comment =\"tcp reset\"] disabled=yes\r\
    \n\r\
    \n/system script run DynDnsF\r\
    \n\r\
    \n/tool e-mail send to=me@me.com subject=\"\$[/system \
    identity get name] network change\"  body=\"Primary connection failed and \
    successfully connected to secondary\""
add dont-require-permissions=yes name=up owner=admin policy=\
    reboot,read,write,policy,test source=":log warning \"PRIMARY link seems to\
    \_be UP - Running UP script\"\r\
    \n\r\
    \n/ip route set [find comment=\"Default Route\"] distance=5\r\
    \n\r\
    \n/ip firewall connection {:foreach i in= [find protocol=\"udp\"] do={remo\
    ve \$i}}\r\
    \n/ip firewall connection {:foreach i in= [find protocol=\"tcp\"] do={remo\
    ve \$i}}\r\
    \n\r\
    \n/ip  firewall filter set [find comment =\"tcp reset\"] disabled=no\r\
    \n\r\
    \ndelay delay-time=10\r\
    \n\r\
    \n/ip  firewall filter set [find comment =\"tcp reset\"] disabled=yes\r\
    \n\r\
    \n/system script run DynDnsF\r\
    \n\r\
    \n/tool e-mail send to=me@me.com subject=\"\$[/system \
    identity get name] network change\"  body=\"Primery connection is up and s\
    uccessfully connected\""
add dont-require-permissions=yes name=DynDns owner=admin policy=\
    reboot,read,write,policy,test source="# Set needed variables\r\
    \n:global username \"username\"\r\
    \n:global password \"password\"\r\
    \n:global hostname \"hostnmame.me.com\"\r\
    \n\r\
    \n:global dyndnsForce\r\
    \n:global previousIP \r\
    \n\r\
    \n# print some debug info\r\
    \n# :log info (\"UpdateDynDNS: username = \$username\")\r\
    \n# :log info (\"UpdateDynDNS: password = \$password\")\r\
    \n:log info (\"UpdateDynDNS: hostname = \$hostname\")\r\
    \n:log info (\"UpdateDynDNS: previousIP = \$previousIP\")\r\
    \n\r\
    \n# get the current IP address from the internet (in case of double-nat)\r\
    \n/tool fetch mode=http address=\"checkip.dyndns.org\" src-path=\"/\" dst-\
    path=\"/dyndns.checkip.html\"\r\
    \n:delay 1\r\
    \n:local result [/file get dyndns.checkip.html contents]\r\
    \n\r\
    \n# parse the current IP result\r\
    \n:local resultLen [:len \$result]\r\
    \n:local startLoc [:find \$result \": \" -1]\r\
    \n:set startLoc (\$startLoc + 2)\r\
    \n:local endLoc [:find \$result \"</body>\" -1]\r\
    \n:local currentIP [:pick \$result \$startLoc \$endLoc]\r\
    \n:log info \"UpdateDynDNS: currentIP = \$currentIP\"\r\
    \n\r\
    \n# Remove the # on next line to force an update every single time - usefu\
    l for debugging,\r\
    \n# but you could end up getting blacklisted by DynDNS!\r\
    \n\r\
    \n#:set dyndnsForce true\r\
    \n\r\
    \n# Determine if dyndns update is needed\r\
    \n# more dyndns updater request details http://www.dyndns.com/developers/s\
    pecs/syntax.html\r\
    \n\r\
    \n:if ((\$currentIP != \$previousIP) || (\$dyndnsForce = true)) do={\r\
    \n   :set dyndnsForce false\r\
    \n   :set previousIP \$currentIP\r\
    \n   :log info \"\$currentIP or \$previousIP\"\r\
    \n   /tool fetch user=\$username password=\$password mode=http address=\"m\
    embers.dyndns.org\" \\\r\
    \n      src-path=\"nic/update\?system=dyndns&hostname=\$hostname&myip=\$cu\
    rrentIP&wildcard=no\" \\\r\
    \n      dst-path=\"/dyndns.txt\"\r\
    \n   :delay 1\r\
    \n   :local result [/file get dyndns.txt contents]\r\
    \n   :log info (\"UpdateDynDNS: Dyndns update needed\")\r\
    \n   :log info (\"UpdateDynDNS: Dyndns Update Result: \".\$result)\r\
    \n   :put (\"Dyndns Update Result: \".\$result)\r\
    \n} else={\r\
    \n   :log info (\"UpdateDynDNS: No dyndns update needed\")\r\
    \n}"
add dont-require-permissions=yes name=DynDnsF owner=admin policy=\
    reboot,read,write,policy,test source="# Set needed variables\r\
    \n:global username \"username\"\r\
    \n:global password \"password\"\r\
    \n:global hostname \"hostname.me.com\"\r\
    \n\r\
    \n:global dyndnsForce\r\
    \n:global previousIP \r\
    \n\r\
    \n# print some debug info\r\
    \n# :log info (\"UpdateDynDNS: username = \$username\")\r\
    \n# :log info (\"UpdateDynDNS: password = \$password\")\r\
    \n:log info (\"UpdateDynDNSF: hostname = \$hostname\")\r\
    \n:log info (\"UpdateDynDNSF: previousIP = \$previousIP\")\r\
    \n\r\
    \n# get the current IP address from the internet (in case of double-nat)\r\
    \n/tool fetch mode=http address=\"checkip.dyndns.org\" src-path=\"/\" dst-\
    path=\"/dyndns.checkip.html\"\r\
    \n:delay 1\r\
    \n:local result [/file get dyndns.checkip.html contents]\r\
    \n\r\
    \n# parse the current IP result\r\
    \n:local resultLen [:len \$result]\r\
    \n:local startLoc [:find \$result \": \" -1]\r\
    \n:set startLoc (\$startLoc + 2)\r\
    \n:local endLoc [:find \$result \"</body>\" -1]\r\
    \n:local currentIP [:pick \$result \$startLoc \$endLoc]\r\
    \n:log info \"UpdateDynDNS: currentIP = \$currentIP\"\r\
    \n\r\
    \n# Remove the # on next line to force an update every single time - usefu\
    l for debugging,\r\
    \n# but you could end up getting blacklisted by DynDNS!\r\
    \n\r\
    \n:set dyndnsForce true\r\
    \n\r\
    \n# Determine if dyndns update is needed\r\
    \n# more dyndns updater request details http://www.dyndns.com/developers/s\
    pecs/syntax.html\r\
    \n\r\
    \n:if ((\$currentIP != \$previousIP) || (\$dyndnsForce = true)) do={\r\
    \n   :set dyndnsForce false\r\
    \n   :set previousIP \$currentIP\r\
    \n   :log info \"\$currentIP or \$previousIP\"\r\
    \n   /tool fetch user=\$username password=\$password mode=http address=\"m\
    embers.dyndns.org\" \\\r\
    \n      src-path=\"nic/update\?system=dyndns&hostname=\$hostname&myip=\$cu\
    rrentIP&wildcard=no\" \\\r\
    \n      dst-path=\"/dyndns.txt\"\r\
    \n   :delay 1\r\
    \n   :local result [/file get dyndns.txt contents]\r\
    \n   :log info (\"UpdateDynDNS: Dyndns update needed\")\r\
    \n   :log info (\"UpdateDynDNS: Dyndns Update Result: \".\$result)\r\
    \n   :put (\"Dyndns Update Result: \".\$result)\r\
    \n} else={\r\
    \n   :log info (\"UpdateDynDNS: No dyndns update needed\")\r\
    \n}"
/tool e-mail
set address=ms.domain.com from="My Router <me@me.com>" start-tls=\
    yes user=me@me.com
/tool netwatch
add down-script="/system script run down" host=8.8.4.4 interval=30s timeout=\
    5s up-script="/system script run up"

Can anyone recommend anything please?
I'm stuck, can't figure this out.

ALSO I’m going to provision another router and test if the IP configuration works on it

More important than trying to get netwatch to do something that may or may not be feasible.

Detail the requirements so that they are understood. You have two WANs; how should they be available to your users or sets of users?
For example, why do you need to change distance dynamically?
That implies requirements you haven't well articulated. Most people set those as fixed.
More explanation may lead to a much simpler, efficient solution.

WAN1 has a Distance of 5
WAN2 has a Distance of 15

the DOWN script will change WAN1 to a distance of 25, so WAN2 is being utilized

WOW that is phucking useless feedback.
I asked for requirements, not more configuration nonsense.

WHY do you need to change the WAN distance? What is it that the user needs to be able to do…

WAN2's distance is set to 10; I don't change it.

I am changing the distance for WAN1 to make sure that the router has failed over to WAN2, and all traffic will go out via WAN2 (because it has the lower distance now).
(The DOWN script gives the WAN1 route a higher distance, 25, so it won't be used.)


My script also updates DynDNS

and clears all connections (otherwise, in the past, we had seen some connections stay with WAN1 even after failing over).

What makes you think that when WAN1 is not available the router will not look to WAN2?
That's how the router works: it looks for a working route, and distance is certainly a useful parameter to drive all users to the lower working route.
But if it's not up, the router will look for the next available route …

In theory your approach is something that would work,

but in our setup, we already have many of our deployed routers configured like this.

Possibly the designer of this approach was trying to avoid flipping between routes if one route is temporarily not available, and rather manage when to fail over (Netwatch needs to see ping unreachable for x amount of time before executing a script), and also run other scripts (update DynDNS, send an email) etc.

So with that in mind,

by reviewing my config, is there anything noticeable as to what the issue could be?

Look into recursive routes.
That’s how I used to do it.

add action=drop chain=output dst-address=8.8.4.4 out-interface="!WAN1 ETH1" protocol=icmp
add action=drop chain=output dst-address=1.1.1.2 out-interface="!WAN2 ETH2" protocol=icmp

Such a rule in the firewall also did not work for me; I replaced it with the following version and it worked. I did not look for the cause.

add action=drop chain=output dst-address=8.8.4.4 out-interface="WAN2 ETH2" protocol=icmp
add action=drop chain=output dst-address=1.1.1.2 out-interface="WAN1 ETH1" protocol=icmp

Hogwash, no need for output rules in basic routes… unnecessary complications.
This is a typical bloated config from trying to add every bright idea from a YouTube video to one's config, and not based on what the OP's requirements actually are…

As stated, basic recursive routing should do the trick in terms of ensuring a public IP site can be reached which verifies connection to ISP and ISP connection to the real world.
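As an added example (not any poster's own config), this is what the recursive-routing form of the OP's two default routes looks like on RouterOS 6.x, reusing the gateways and check hosts already in the export. It assumes the existing "Default Route", "Secondary Route" and the two /32 check routes are removed first, and that the Netwatch scripts stop editing distance and only keep the DynDNS/email work.

```routeros
# Added example, not from the original post: recursive failover for the OP's
# two WANs on RouterOS 6.x. Gateways and check hosts are the ones in the export.
/ip route
# Host routes that pin each check address to one ISP. scope=10 lets the
# default routes below resolve through them. No check-gateway here: the
# decision is made on the recursive default route, not on the first hop.
add dst-address=8.8.4.4/32 gateway=10.14.200.1 scope=10 \
    comment="WAN1 check host, always via ISP1"
add dst-address=1.1.1.2/32 gateway=19.50.40.209 scope=10 \
    comment="WAN2 check host, always via ISP2"
# Default routes whose gateway is the remote check host, not the ISP router.
# target-scope=10 permits the recursive lookup; check-gateway=ping then probes
# 8.8.4.4 / 1.1.1.2 through the pinned path, so a dead ISP upstream (not just
# a dead first hop) makes the route inactive and the next distance takes over.
# Because the probes follow the /32 routes, no output-chain ICMP drop rules
# are needed to keep them on the right WAN.
add dst-address=0.0.0.0/0 gateway=8.8.4.4 distance=5 target-scope=10 \
    check-gateway=ping comment="Default Route (ISP1)"
add dst-address=0.0.0.0/0 gateway=1.1.1.2 distance=10 target-scope=10 \
    check-gateway=ping comment="Secondary Route (ISP2)"
```

With this in place, the dhcp-client on "WAN2 ETH2" in the export (which adds its own default route at distance 50 next to the static 19.50.40.214/29 address) should be disabled or set to add-default-route=no so only one set of default routes exists; `/ip route print detail` then shows which default is active and which /32 each one resolved through.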

ANAV,

I am trying to work out…
2 ISPs into my router.
Then use basic recursive routes.
BUT Make a Mangle Rule for each ISP and Keep them BOTH HOT.
Then take those feeds into the combiner I built.
Feed the output of the combiner back, to the network and make that a VLAN.
(If I were smarter… I would land both SSIDs in the same IP scope… but have one SSID use one gateway HOT, and the other use the combiner as the gateway.)

Right now I have it about 1/2 done…
So I have HOT and Bonded as my 2 SSID.
WHY??? Because my HOT feed is 3 times faster than the combiner and has a public IP.
But when I was on the bonded feed… I ripped the plug out of the wall on ISP 1… video call didn’t even stutter.

Still working on it.

Start your own thread LOL…

Seriously, sounds interesting,
recursive check, two wans is fairly easy…
both hot, yes need mangle rules to ensure traffic entering leaves via same WAN ( and could be used to get specific LAN traffic to go out a specific WAN)

You lost me at put into a combiner, sounds like you work on a farm :wink:

That rule affects ICMP to 8.8.4.4 and 1.1.1.2,
but I'm having an issue with ANY packets going out via WAN2.

Get the wan2 to work steadily. Turn off wan1 and get stable router operation if wan2 is the only internet provider.
And only after that move on to debugging the automatic switch to backup.
Often ISPs use binding by MAC address, so the laptop may have access, but the router in its place does not, then you need to change the MAC address.

I have not used recursive routing since 7.x

Had it working solid in 6.x and could even climb up the pipe on the backup using mangle rules.

Tried using this last night on a test router…
https://help.mikrotik.com/docs/pages/viewpage.action?pageId=26476608

It doesn’t work…

This is why I wanted to build a solution that bonds INFRONT of the Tik.

Not looking forward to the hours of trying the same thing a hundred times looking for different results.

After spending all day on recursive with 7.x I had to go back to 6.x

This page did not help
https://help.mikrotik.com/docs/pages/viewpage.action?pageId=26476608

Maybe the problem is here:

/ip route
add check-gateway=ping comment="Default Route" distance=5 gateway=\
    10.14.200.1
add check-gateway=ping comment="Secondary Route" distance=10 gateway=\
    19.50.40.209
add check-gateway=ping comment=\
    "Route to check 4.2.2.1 connectivity via Secondary  Link" distance=10 \
    dst-address=1.1.1.2/32 gateway="WAN2 ETH2"
add check-gateway=ping comment=\
    "Route to check 8.8.4.4 connectivity via PRIMARY Link" distance=1 \
    dst-address=8.8.4.4/32 gateway=10.14.200.1