WAN failover and port redirection between 2 mikrotiks

Hi everyone, it's my first post here. I'm not new to RouterOS but I'm still a beginner.

Here is my problem.
We have a client who had only one ISP connected to a main MK RB1100AHx2 and everything worked fine. Then they installed a second ISP with better bandwidth to use as the main one and leave the other ISP for failover. But they installed it on another side of the building, impossible to connect to the main MK. So we ended up installing a second MK RB4011iGS+ next to that connection.

The RB1100AHx2 controlled everything: VPN, DHCP, port forwarding, DDNS etc. So I had to move all configurations to the RB4011iGS+ and leave the other as a simple switch.

At the time I didn't know how to enable a failover between both connections, so I ended up not using the first ISP at all until I managed to learn how to do it. Time passed and I couldn't learn how to do it because I was always busy.

But then the main ISP failed hard and I had to travel there to solve the problem. I was freaking out because of my own actions, not having learned how to do it before.

I ended up solving it by doing something I think is awful and disgusting, but it works.

So, it was like this.
Main MK:
IP: 192.168.0.1/24
DHCP: 192.168.0.100-254
VPN/Port Forwarding/DDNS

Second MK:
IP: 192.168.0.2/24
DHCP: NONE

And what I did was change the IP address from main MK to second MK and move all VPN/Port Forwarding/DDNS there but leave DHCP on main MK.

Main MK:
IP: 192.168.0.2/24
DHCP: 192.168.0.100-254

Second MK:
IP: 192.168.0.1/24
DHCP: NONE
VPN/Port Forwarding/DDNS

I hated it, but it worked.

Now, with a little more knowledge, I managed to do something else in the lab.

This is the config of what should be the MAIN MK

# 2025-12-17 15:07:38 by RouterOS 7.20.4
# software id = //////
#
# model = RB2011UiAS-2HnD
# serial number = //////
/interface bridge
add name=LAN
/interface wireless
set [ find default-name=wlan1 ] ssid=MikroTik
/interface ethernet
set [ find default-name=ether1 ] name="ether1 - WAN PRINCIPAL"
set [ find default-name=ether6 ] name="ether6 - NOTEBOOK"
set [ find default-name=ether7 ] name="ether7 - SWITCH"
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=172.20.0.3-172.20.0.254
/ip dhcp-server
add address-pool=dhcp_pool0 interface=LAN name=dhcp1
/port
set 0 name=serial0
/interface bridge port
add bridge=LAN interface="ether6 - NOTEBOOK"
add bridge=LAN interface="ether7 - SWITCH"
add bridge=LAN interface=ether8
add bridge=LAN interface=ether9
add bridge=LAN interface=ether10
/ip address
add address=172.20.0.1/24 comment="main network" interface=LAN network=172.20.0.0
add address=172.21.0.2/24 comment="ip for secondary isp" interface=LAN network=172.21.0.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=5m
/ip dhcp-client
add add-default-route=no default-route-tables=main interface="ether1 - WAN PRINCIPAL" use-peer-dns=no
/ip dhcp-server lease
add address=172.20.0.254 client-id=1:54:bf:64:26:3a:ab mac-address=54:BF:64:26:3A:AB server=dhcp1
/ip dhcp-server network
add address=172.20.0.0/24 dns-server=172.20.0.1 gateway=172.20.0.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip firewall nat
add action=masquerade chain=srcnat out-interface="ether1 - WAN PRINCIPAL"
add action=dst-nat chain=dstnat dst-port=5900 protocol=tcp to-addresses=172.20.0.254 to-ports=5900
/ip route
add comment="Checkeo Route2" disabled=no distance=5 dst-address=8.8.8.8/32 gateway=172.21.0.1 routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
add comment="Checkeo Route1" disabled=no distance=1 dst-address=1.1.1.1/32 gateway=10.100.105.1 routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
add check-gateway=ping comment=Route1 disabled=no distance=1 dst-address=0.0.0.0/0 gateway=1.1.1.1 routing-table=main scope=\
    30 suppress-hw-offload=no target-scope=30
add check-gateway=ping comment=Route2 disabled=no distance=5 dst-address=0.0.0.0/0 gateway=8.8.8.8 routing-table=main scope=\
    30 suppress-hw-offload=no target-scope=30
/lcd interface pages
set 0 interfaces=\
    "sfp1,ether1 - WAN PRINCIPAL,ether2,ether3,ether4,ether5,ether6 - NOTEBOOK,ether7 - SWITCH,ether8,ether9,ether10"
/system clock
set time-zone-name=America/Argentina/Buenos_Aires
/system identity
set name=MKNEWOFFICE

And here is the config of the secondary MK

# 2025-12-17 15:06:37 by RouterOS 7.20.4
# software id = //////
#
# model = RB493
# serial number = //////
/interface bridge
add name=LAN
/interface ethernet
set [ find default-name=ether1 ] name="ether1 - WAN SECONDARY"
set [ find default-name=ether6 ] name="ether6 - NOTEBOOK"
set [ find default-name=ether7 ] name="ether7 - SWITCH"
/ip pool
add name=dhcp_pool0 ranges=172.21.0.2-172.21.0.254
/port
set 0 name=serial0
/interface bridge port
add bridge=LAN interface=ether5
add bridge=LAN interface="ether6 - NOTEBOOK"
add bridge=LAN interface="ether7 - SWITCH"
add bridge=LAN interface=ether8
/ip address
add address=172.20.0.2/24 comment="sw address" interface=LAN network=172.20.0.0
add address=172.21.0.1/24 comment="gw address for secondary isp" interface=LAN \
    network=172.21.0.0
/ip dhcp-client
add default-route-tables=main interface="ether1 - WAN SECONDARY"
/ip dhcp-server
add address-pool=dhcp_pool0 interface=*C name=dhcp1
/ip dhcp-server network
add address=172.21.0.0/24 gateway=172.21.0.1
/ip firewall nat
add action=masquerade chain=srcnat out-interface="ether1 - WAN SECONDARY"
/system clock
set time-zone-name=America/Argentina/Buenos_Aires
/system identity
set name=MKOLDOFFICE

So here, the failover works fine with recursive routing.
What I did was, in the secondary, create a network that does not have DHCP and masquerade the packets so anything with an IP in that network could access the internet. And in the main MK I created an address and a route to access that network if the main ISP fails. It works fine. And cleaner (I think) than what I did before.

But now, the problem lies with port forwarding.

If the main ISP doesn't fail, all goes well. But if it fails and the second ISP goes live, I lose all redirections (I only have one right now, but I can't access it).
And I think it's because of the lack of redirections in the second MK.

So, how do I manage to keep everything external connected if my main ISP fails?
And, is the weird failover that I managed to do something a normal person would do?

Sorry for the big post and any typos. Not my first language.

Thanks!
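Added example (not from the original post, and not a confirmed fix): what the "lost redirection" looks like when the second ISP is live, and the two pieces a second router on the same LAN usually needs to carry a port forward. It reuses the interface names, addresses and the 172.20.0.254:5900 target from the posted exports; the ISP gateway 10.100.105.1 is taken from the post and is an assumption, since that WAN is DHCP-assigned and the gateway can change. The main-router routes follow the scope=10 / target-scope=11 recursive-failover pattern from MikroTik's own documentation.

```routeros
# ---- MAIN MK (MKNEWOFFICE): recursive failover with the documented scope pattern ----
/ip route
# host routes that pin each probe address to one WAN; scope=10 so that only a
# route explicitly meant for recursion can resolve a default-route gateway
add dst-address=1.1.1.1/32 gateway=10.100.105.1 scope=10 comment="probe via main ISP (gateway assumed)"
add dst-address=8.8.8.8/32 gateway=172.21.0.1 scope=10 comment="probe via secondary MK"
# default routes resolved recursively through the /32s above; target-scope=11
# means a default route may only be resolved via routes with scope<=11, i.e. the
# host routes, never via the other default route or an arbitrary table entry
add dst-address=0.0.0.0/0 gateway=1.1.1.1 distance=1 target-scope=11 check-gateway=ping comment=Route1
add dst-address=0.0.0.0/0 gateway=8.8.8.8 distance=5 target-scope=11 check-gateway=ping comment=Route2

# ---- SECONDARY MK (MKOLDOFFICE): same forward, usable when its ISP is the live one ----
/ip firewall nat
# accept the forward only on the WAN interface, not for LAN-to-LAN traffic on 5900
add chain=dstnat in-interface="ether1 - WAN SECONDARY" protocol=tcp dst-port=5900 \
    action=dst-nat to-addresses=172.20.0.254 to-ports=5900 comment="VNC via secondary ISP"
# 172.20.0.254's default gateway is the main MK (172.20.0.1), so its replies would
# leave via the main ISP whenever that link is up and the forward would break;
# rewrite the source to this router's own LAN address so the server answers the
# router that did the dst-nat directly, on the shared bridge
add chain=srcnat connection-nat-state=dstnat dst-address=172.20.0.254 out-interface=LAN \
    action=src-nat to-addresses=172.20.0.2 comment="keep forwarded replies symmetric"
# masquerade for LAN clients that fail over through this router (already in the post)
add chain=srcnat out-interface="ether1 - WAN SECONDARY" action=masquerade
```

Two caveats with this arrangement. The src-nat rule makes every external client appear to the VNC host as 172.20.0.2, so the service's own logs lose the real source address; the trade-off is that the forward works regardless of which ISP is currently carrying the main router's default route. And the forward on the secondary is only reachable at the secondary ISP's public address: the main router's /ip cloud DDNS name keeps pointing at the main ISP, so clients need the secondary router's own cloud name (or a DNS record you switch) to find it during an outage.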

At first sight the scope and target-scope values are "off" for that to work properly.
Check this recent thread where the matter is discussed, starting here: