Unable to Disable Static Routes from Script or CLI

AlbeeDC · January 1, 2025, 8:31am

I am encountering an unusual issue with my MikroTik hEX router. Specifically, I am unable to disable static IP routes via script or CLI after the router has been running for several hours.

The setup consists of a basic 3-WAN failover configuration, where traffic is routed through WAN2 if WAN1 fails, or through WAN3 if both WAN1 and WAN2 are down. Failover is managed using three NetWatch rules that monitor connectivity by pinging 1.1.1.1 from each WAN interface, with routing tables dictating the failover behavior.

To clarify, the failover mechanism operates as expected when initially tested. If I simulate an outage by disabling internet access on WAN1, for example, the system successfully switches to WAN2, and further failover to WAN3 occurs if both WAN1 and WAN2 are down.

However, after the router has been running for a few hours, attempting the same failover tests no longer works. The script configured in NetWatch fails to disable the required static IP routes, and attempting to disable the same routes manually via the CLI also yields no results. There are no error messages displayed. The issue is resolved temporarily by restarting the MikroTik router, after which the failover mechanism works as expected again.

I am out of ideas. I had planned to deploy this router full-time in my home setup, but this issue is preventing me from doing so. I just wanted a basic failover configuration, and while it initially works as expected, it inexplicably stops functioning after some time.

Any insights or suggestions to resolve this would be greatly appreciated.

Below is my config:

# 2025-01-01 16:23:18 by RouterOS 7.16.2
# software id = 7UXP-FZDD
#
# model = E50UG
# serial number = HHXXXXXTTEC
/interface bridge
add name=bridge1.LAN1
add disabled=yes name=bridge2.LAN2
/interface ethernet
set [ find default-name=ether1 ] name=ether1.WAN1
set [ find default-name=ether2 ] name=ether2.WAN2
set [ find default-name=ether3 ] name=ether3.WAN3
set [ find default-name=ether4 ] name=ether4.LAN1
set [ find default-name=ether5 ] name=ether5.LAN2
/ip pool
add name=LAN1 ranges=10.0.0.60-10.0.0.254
add name=LAN2 ranges=172.0.1.2-172.0.1.254
/ip dhcp-server
add address-pool=LAN1 interface=bridge1.LAN1 lease-time=1d name=LAN1
# Interface not running
add address-pool=LAN2 interface=bridge2.LAN2 lease-time=1d name=LAN2
/routing table
add disabled=no fib name=WAN1
add disabled=no fib name=WAN2
add disabled=no fib name=WAN3
add disabled=no fib name="Ping via WAN1"
add disabled=no fib name="Ping via WAN2"
add disabled=no fib name="Ping via WAN3"
/zerotier
set zt1 comment="ZeroTier Central controller - https://my.zerotier.com/" \
    disabled=yes disabled=yes name=zt1 port=9993
/interface bridge port
add bridge=bridge1.LAN1 interface=ether4.LAN1
add bridge=bridge1.LAN1 interface=ether5.LAN2
/interface detect-internet
set detect-interface-list=all
/ip address
add address=10.0.0.1/24 interface=bridge1.LAN1 network=10.0.0.0
add address=172.0.1.1/24 interface=bridge2.LAN2 network=172.0.1.0
/ip cloud
set update-time=no
/ip dhcp-client
add add-default-route=no interface=ether1.WAN1 script=":if (\$bound=1) do={\r\
    \n  /ip route set [find where comment=\"WAN1\"] gateway=\$\"gateway-addres\
    s\";/ip route set [find where comment=\"Ping via WAN1\"] gateway=\$\"gatew\
    ay-address\";/ip route set [find where comment=\"Default route via WAN1\"]\
    \_gateway=\$\"gateway-address\";/tool/netwatch set [find where comment=\"P\
    ing via WAN1\"] src-address=\$\"lease-address\" disabled=no;/routing rule \
    set [find where comment=\"Ping via WAN1\"] src-address=\$\"lease-address\"\
    \r\
    \n} else={\r\
    \n  /ip route set [find where comment=\"WAN1\"] disabled=yes;/ip route set\
    \_[find where comment=\"Default route via WAN1\"] disabled=yes\r\
    \n}" use-peer-dns=no use-peer-ntp=no
add add-default-route=no interface=ether2.WAN2 script=":if (\$bound=1) do={\r\
    \n  /ip route set [find where comment=\"WAN2\"] gateway=\$\"gateway-addres\
    s\";/ip route set [find where comment=\"Ping via WAN2\"] gateway=\$\"gatew\
    ay-address\";/ip route set [find where comment=\"Default route via WAN2\"]\
    \_gateway=\$\"gateway-address\";/tool/netwatch set [find where comment=\"P\
    ing via WAN2\"] src-address=\$\"lease-address\" disabled=no;/routing rule \
    set [find where comment=\"Ping via WAN2\"] src-address=\$\"lease-address\"\
    \r\
    \n} else={\r\
    \n  /ip route set [find where comment=\"WAN2\"] disabled=yes;/ip route set\
    \_[find where comment=\"Default route via WAN2\"] disabled=yes\r\
    \n}" use-peer-dns=no use-peer-ntp=no
add add-default-route=no interface=ether3.WAN3 script=":if (\$bound=1) do={\r\
    \n  /ip route set [find where comment=\"WAN3\"] gateway=\$\"gateway-addres\
    s\";/ip route set [find where comment=\"Ping via WAN3\"] gateway=\$\"gatew\
    ay-address\";/ip route set [find where comment=\"Default route via WAN3\"]\
    \_gateway=\$\"gateway-address\";/tool/netwatch set [find where comment=\"P\
    ing via WAN3\"] src-address=\$\"lease-address\" disabled=no;/routing rule \
    set [find where comment=\"Ping via WAN3\"] src-address=\$\"lease-address\"\
    \r\
    \n} else={\r\
    \n  /ip route set [find where comment=\"WAN3\"] disabled=yes;/ip route set\
    \_[find where comment=\"Default route via WAN3\"] disabled=yes\r\
    \n}" use-peer-dns=no use-peer-ntp=no
/ip dhcp-server lease
add address=10.0.0.18 comment="RaspberryPi Docker" mac-address=\
    CC:CC:CC:CC:CC:CC server=LAN1
add address=10.0.0.11 comment=SynologyNAS mac-address=CC:CC:CC:CC:CC:CC \
    server=LAN1
add address=10.0.0.12 comment="Epson WF C5790" mac-address=CC:CC:CC:CC:CC:CC \
    server=LAN1
add address=10.0.0.15 comment="RaspberryPi OctoPrint" mac-address=\
    CC:CC:CC:CC:CC:CC server=LAN1
add address=10.0.0.16 comment="RaspberryPi PiKVM" mac-address=\
    CC:CC:CC:CC:CC:CC server=LAN1
add address=10.0.0.17 comment="RaspberryPi HomeAssistant" mac-address=\
    CC:CC:CC:CC:CC:CC server=LAN1
add address=10.0.0.31 comment="Oasis Mini" mac-addressCC:CC:CC:CC:CC:CC\
    server=LAN1
add address=10.0.0.42 comment="Sony PlayStation Portal" mac-address=\
    CC:CC:CC:CC:CC:CC server=LAN1
add address=10.0.0.41 client-id=1:CC:CC:CC:CC:CC:CC comment=\
    "Sony PlayStation 5" mac-address=CC:CC:CC:CC:CC:CC server=LAN1
add address=10.0.0.13 client-id=1:CC:CC:CC:CC:CC:CC comment=SynologyRouter2 \
    mac-address=CC:CC:CC:CC:CC:CC server=LAN1
/ip dhcp-server network
add address=10.0.0.0/24 gateway=10.0.0.1 netmask=24
add address=172.0.1.0/24 gateway=172.0.1.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=1.1.1.1 verify-doh-cert=yes
/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=\
    established,related hw-offload=yes
add action=accept chain=forward connection-state=established,related
add action=drop chain=output disabled=yes dst-address=8.8.8.8
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1.WAN1
add action=masquerade chain=srcnat out-interface=ether2.WAN2
add action=masquerade chain=srcnat out-interface=ether3.WAN3
add action=dst-nat chain=dstnat comment="PS Remote Play" dst-port=8572 \
    protocol=udp to-addresses=10.0.0.41 to-ports=8572
add action=dst-nat chain=dstnat comment="PS Remote Play" dst-port=9303 \
    protocol=udp to-addresses=10.0.0.41 to-ports=9303
add action=dst-nat chain=dstnat comment="PS Remote Play" dst-port=9308 \
    protocol=udp to-addresses=10.0.0.41 to-ports=9308
add action=dst-nat chain=dstnat comment="PS Remote Play" dst-port=9297 \
    protocol=udp to-addresses=10.0.0.41 to-ports=9297
add action=dst-nat chain=dstnat comment="SN DownloadStation" dst-port=16881 \
    protocol=tcp to-addresses=10.0.0.11 to-ports=16881
add action=dst-nat chain=dstnat comment="SN DownloadStation" dst-port=16881 \
    protocol=udp to-addresses=10.0.0.11 to-ports=16881
add action=dst-nat chain=dstnat comment=Plex dst-port=32400 protocol=tcp \
    to-addresses=10.0.0.11 to-ports=32400
/ip route
add comment=WAN2 disabled=no distance=2 dst-address=0.0.0.0/0 gateway=\
    123.123.123.1 routing-table=main suppress-hw-offload=no
add comment=WAN1 disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    456.456.456.1 routing-table=main suppress-hw-offload=no
add comment="Ping via WAN1" disabled=no distance=1 dst-address=1.1.1.1/32 \
    gateway=456.456.456.1 routing-table="Ping via WAN1" scope=30 \
    suppress-hw-offload=no target-scope=10
add comment="Ping via WAN3" disabled=no distance=1 dst-address=1.1.1.1/32 \
    gateway=789.789.789.1 routing-table="Ping via WAN3" suppress-hw-offload=no
add comment="Ping via WAN2" disabled=no distance=1 dst-address=1.1.1.1/32 \
    gateway=123.123.123.1 routing-table="Ping via WAN2" scope=30 \
    suppress-hw-offload=no target-scope=10
add comment="Default route via WAN2" disabled=no distance=2 dst-address=\
    0.0.0.0/0 gateway=123.123.123.1 routing-table=WAN2 suppress-hw-offload=no
add comment="Default route via WAN3" disabled=no distance=3 dst-address=\
    0.0.0.0/0 gateway=789.789.789.1 routing-table=WAN3 scope=30 \
    suppress-hw-offload=no target-scope=10
add comment="Default route via WAN1" disabled=no distance=1 dst-address=\
    0.0.0.0/0 gateway=456.456.456.1 routing-table=WAN1 suppress-hw-offload=no
add comment=WAN3 disabled=no distance=3 dst-address=0.0.0.0/0 gateway=\
    789.789.789.1 routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
/ip service
set www address=10.0.0.0/24,192.168.216.0/24
set www-ssl address=10.0.0.0/24,192.168.216.0/24 disabled=no
/ip upnp
set allow-disable-external-interface=yes enabled=yes show-dummy-rule=no
/ip upnp interfaces
add disabled=yes interface=ether1.WAN1 type=external
add interface=ether2.WAN2 type=external
add disabled=yes interface=ether3.WAN3 type=external
add interface=bridge1.LAN1 type=internal
/routing rule
add action=lookup-only-in-table comment=\
    "Route Tester (Just change the Src. Address and Table)" disabled=no \
    src-address=10.0.0.98/32 table=WAN3
add action=lookup-only-in-table comment="Ping via WAN1" disabled=no \
    dst-address=1.1.1.1/32 src-address=456.456.456.53 table="Ping via WAN1"
add action=lookup-only-in-table comment="Ping via WAN2" disabled=no \
    dst-address=1.1.1.1/32 src-address=123.123.123.148 table="Ping via WAN2"
add action=lookup-only-in-table comment="Ping via WAN3" disabled=no \
    dst-address=1.1.1.1/32 src-address=789.789.789.111 table="Ping via WAN3"
add action=lookup-only-in-table comment="Speedtest1 to WAN1" disabled=no \
    src-address=10.0.0.22/32 table=WAN1
add action=lookup-only-in-table comment="Speedtest2 to WAN2" disabled=no \
    src-address=10.0.0.23/32 table=WAN2
add action=lookup-only-in-table comment="Speedtest3 to WAN3" disabled=no \
    src-address=10.0.0.24/32 table=WAN3
add action=lookup comment="SynologyRouter2 to WAN2" disabled=no src-address=\
    10.0.0.13/32 table=WAN2
add action=lookup comment="PS Portable to WAN2" disabled=no src-address=\
    10.0.0.42/32 table=WAN2
/system clock
set time-zone-name=Asia/Manila
/system note
set note="10---17 - hass\r\
    \n10---18 - Docker\r\
    \n10---19 - Docker Wifi\r\
    \n10---20 - Portainer\r\
    \n10---30 - Portainer apps"
/system script
add dont-require-permissions=yes name="Ping via WAN1 - Up" owner=\
    albeedc policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/\
    ip route set [find where comment=\"WAN1\"] disabled=no\r\
    \n/ip route set [find where comment=\"Default route via WAN1\"] disabled=n\
    o\r\
    \n/routing rule set [find where comment=\"Route LAN IP to WAN1\"] disabled\
    =no"
add dont-require-permissions=yes name="Ping via WAN1 - Down" owner=\
    albeedc policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/\
    ip route set [find where comment=\"WAN1\"] disabled=yes\r\
    \n/ip route set [find where comment=\"Default route via WAN1\"] disabled=y\
    es"
add dont-require-permissions=yes name="Ping via WAN2 - Up" owner=\
    albeedc policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/\
    ip route set [find where comment=\"WAN2\"] disabled=no\r\
    \n/ip route set [find where comment=\"Default route via WAN2\"] disabled=n\
    o\r\
    \n/routing rule set [find where comment=\"Route LAN IP to WAN2\"] disabled\
    =no"
add dont-require-permissions=yes name="Ping via WAN2 - Down" owner=\
    albeedc policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/\
    ip route set [find where comment=\"WAN2\"] disabled=yes\r\
    \n/ip route set [find where comment=\"Default route via WAN2\"] disabled=y\
    es"
add dont-require-permissions=yes name="Ping via WAN3 - Up" owner=\
    albeedc policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/\
    ip route set [find where comment=\"WAN3\"] disabled=no\r\
    \n/ip route set [find where comment=\"Default route via WAN3\"] disabled=n\
    o\r\
    \n/routing rule set [find where comment=\"Route LAN IP to WAN3\"] disabled\
    =no"
add dont-require-permissions=yes name="Ping via WAN3 - Down" owner=\
    albeedc policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/\
    ip route set [find where comment=\"WAN3\"] disabled=yes;/ip route set [fin\
    d where comment=\"Default route via WAN3\"] disabled=yes"
/tool netwatch
add comment="Ping via WAN1" disabled=no down-script="/ip route set [find where\
    \_comment=\"WAN1\"] disabled=yes\r\
    \n/ip route set [find where comment=\"Default route via WAN1\"] disabled=y\
    es" host=8.8.8.8 http-codes="" interval=5s src-address=456.456.456.53 \
    test-script="" type=icmp up-script="/ip route set [find where comment=\"WA\
    N1\"] disabled=no\r\
    \n/ip route set [find where comment=\"Default route via WAN1\"] disabled=n\
    o\r\
    \n/routing rule set [find where comment=\"Route LAN IP to WAN1\"] disabled\
    =no"
add comment="Ping via WAN2" disabled=no down-script="/ip route set [find where\
    \_comment=\"WAN2\"] disabled=yes\r\
    \n/ip route set [find where comment=\"Default route via WAN2\"] disabled=y\
    es" host=1.1.1.1 http-codes="" interval=5s src-address=123.123.123.148 \
    test-script="" type=icmp up-script="/ip route set [find where comment=\"WA\
    N2\"] disabled=no\r\
    \n/ip route set [find where comment=\"Default route via WAN2\"] disabled=n\
    o\r\
    \n/routing rule set [find where comment=\"Route LAN IP to WAN2\"] disabled\
    =no"
add comment="Ping via WAN3" disabled=no dns-server=1.1.1.1 down-script="/ip ro\
    ute set [find where comment=\"WAN3\"] disabled=yes\r\
    \n/ip route set [find where comment=\"Default route via WAN3\"] disabled=y\
    es" host=1.1.1.1 http-codes="" interval=5s src-address=789.789.789.111 \
    test-script="" type=icmp up-script="/ip route set [find where comment=\"WA\
    N3\"] disabled=no\r\
    \n/ip route set [find where comment=\"Default route via WAN3\"] disabled=n\
    o\r\
    \n/routing rule set [find where comment=\"Route LAN IP to WAN3\"] disabled\
    =no"

AlbeeDC · January 1, 2025, 10:53am

Please watch the video I made for this issue.

Video 1: This is me trying to disable/enable the static route “WAN1” via CLI after leaving the router on for more than 2 hours. I cannot disable any route from CLI but I can manually disable it via the WebUI.
https://albeedc.com/public/Mikrotik%20-%20Before%20Restarting.mp4

Video 2: This is me trying to disable/enable the static route “WAN1” via CLI after restarting the router. As you can see, I can execute the command without issues
https://albeedc.com/public/Mikrotik%20-%20After%20Restarting.mp4

BartoszP · January 1, 2025, 11:28am

Are you sure that CLI command finds what you want? Try to “print” the result of “find” to check if “set” command really gets what you want it to get.

AlbeeDC · January 1, 2025, 5:46pm

I am. If you check on the second video I shared. I’m using the same command that I am using on the first video and that is working.

AlbeeDC · January 2, 2025, 3:38pm

Is there any way I can move this post under General? I feel like this is not really a scripting issue?

rextended · January 2, 2025, 4:46pm

I don’t think this is a problem that forum users can address.

Contact directly MikroTik support@mikrotik.com providing Supout.rif and detailed description.
And please update this topic with results/given answers.

Do NOT post Supout.rif to any forum members.

Thanks.

AlbeeDC · January 4, 2025, 1:00am

Thanks. I’ll reach out to them today when I get home.

Update on this issue:

It appears this is indeed a bug. As a temporary workaround, I managed to resolve the problem by disabling all hardware offloading settings and enabling all “Suppress-HW offloading” options on my router. This is disappointing, as these features are designed to reduce CPU load and improve overall performance.