Shy
Member Candidate
Topic Author
Posts: 243
Joined: Sat Jun 13, 2020 8:17 am

LTE backup plan

Sun Jul 05, 2020 1:31 pm

Hi
I have a hEX S with a fibre connection, and I would like to add LTE backup for the connectivity.
I connected a Huawei USB dongle, and I could see that the GW was added automatically once it was plugged in. I changed the APN and set check gateway to ping, changed the metric to 2 and unplugged the fibre connection, and it didn't work. I waited a few seconds; still nothing.

1. Can I test by unplugging the network card? How can I simulate this failure?
2. Should it bounce within a few seconds or take more than that? Is that behaviour normal, and how can I change it?

Thanks a lot guys
 
Shy
Member Candidate
Topic Author
Posts: 243
Joined: Sat Jun 13, 2020 8:17 am

Re: LTE backup plan

Mon Jul 06, 2020 4:32 pm

I found this but I couldn't make it work:
https://blog.ligos.net/2018-03-01/Mikro ... lover.html

I configured a route to the lte1 gateway with a distance of 2 (changed to 1 for the test) but it didn't work.
In the NAT table I could see a rule that reflects WAN access, but I couldn't attach a different interface to give access to LTE as WAN2 (only to WAN).
How can I export the configuration to share with you?

tnx
 
anav
Forum Guru
Posts: 19363
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: LTE backup plan

Mon Jul 06, 2020 5:59 pm

You know the drill, no config no way to comment on what the issue is........
 
Shy
Member Candidate
Topic Author
Posts: 243
Joined: Sat Jun 13, 2020 8:17 am

Re: LTE backup plan

Mon Jul 06, 2020 7:13 pm

How do I export?
 
anav
Forum Guru
Posts: 19363
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: LTE backup plan

Mon Jul 06, 2020 7:43 pm

Go to the Terminal menu selection in WinBox.

Type /export hide-sensitive file=anynameyouwish

Go to the Files menu selection in WinBox.
Right click the file and download it to your PC.
Open the file in Notepad++.

Copy and paste the file to here.
Just ensure your WAN IP and WAN IP gateway, if showing, are removed.
Best to use the code tags around the text (black square with white brackets).
 
Shy
Member Candidate
Topic Author
Posts: 243
Joined: Sat Jun 13, 2020 8:17 am

Re: LTE backup plan

Mon Jul 06, 2020 8:33 pm

.
Last edited by Shy on Mon Jul 06, 2020 8:33 pm, edited 3 times in total.
 
anav
Forum Guru
Posts: 19363
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: LTE backup plan  [SOLVED]

Mon Jul 06, 2020 11:15 pm

(1) What is this??
/interface lte apn
add apn=publicip.net.il name=PUB
add apn=PUB name=apn1

Is that part of the lte wan connection?? If so it needs to be added to
WAN interface member list.

(2) Try disabling this rule to see if there is any effect, not sure of its purpose/value??
/interface detect-internet
set detect-interface-list=all

(3) I prefer not to show folks my winbox port and thus I only have it as required in IP services (and remove it for any configs I show) and not in any firewall rules. In IP services you configure the winbox port and where it can be configured from. This can be the subnet for example, and have the firewall rule limit to specific IPs. You also under TOOLS have MAC_SERVER - here you can select the mac_winbox-server and can limit access to the INTERFACE LIST of your choice!! So lots of ways to provide security.

/ip firewall filter
add action=accept chain=input comment="WinBox Wan Administration" dst-port=\
8291 protocol=tcp src-address=x.x.x.x

Also, as admin you need full access to the router not just the winbox port.
Use of a firewall address list vice a single address is handy because you can add or subtract devices quickly without monkeying with the firewall rule.
(your desktop, smartphone using MT app, tablet, laptop etc........)

Also I have no idea what kind of IP address the src-address you've got there is, as your range is 192.168.88.x.......... I hope that is not some outside WAN IP??????

Finally, I would change the default port number to something else, like 34221.


(4) The NAT rules look messy! Did you do this??

The first set have duplicates unless you have forgotten to make one set UDP and the second set TCP??
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=9981 in-interface=ether1 protocol=\
tcp to-addresses=192.168.88.200 to-ports=9981
add action=dst-nat chain=dstnat dst-port=9982 in-interface=ether1 protocol=\
tcp to-addresses=192.168.88.200 to-ports=9982
add action=dst-nat chain=dstnat dst-port=9981 in-interface=ether1 protocol=\
tcp to-addresses=192.168.88.200 to-ports=9981
add action=dst-nat chain=dstnat dst-port=9982 in-interface=ether1 protocol=\
tcp to-addresses=192.168.88.200 to-ports=9982

add action=dst-nat chain=dstnat dst-port=22 in-interface=ether1 protocol=tcp \
to-addresses=192.168.88.249 to-ports=22
add action=dst-nat chain=dstnat dst-address=test dst-port=9981 \ ??????
protocol=tcp to-addresses=192.168.88.200

The stuff below is really grotesque!!

add action=masquerade chain=srcnat out-interface=ether1 (DUPLICATE and can get rid of)
add action=dst-nat chain=dstnat dst-address= dst-port=9982 \
protocol=tcp to-addresses=192.168.88.200
add action=masquerade chain=srcnat out-interface=ether1
add action=masquerade chain=srcnat dst-address=192.168.88.200 dst-port=9981 \
out-interface=bridge protocol=tcp src-address=192.168.88.0/24
add action=masquerade chain=srcnat dst-address=192.168.88.200 dst-port=9982 \
out-interface=bridge protocol=tcp src-address=192.168.88.0/24

add action=dst-nat chain=dstnat comment="allow remote mikrotik" dst-address=\
dst-port=80 in-interface=ether1 protocol=tcp src-address=\
1.1.1.1 to-addresses=192.168.88.1 to-ports=80

add action=dst-nat chain=dstnat comment="allow remote 8291" dst-port=8291 \
in-interface=ether1 protocol=tcp to-addresses=192.168.88.1 to-ports=8291
add action=dst-nat chain=dstnat disabled=yes dst-port=443 in-interface=ether1 \
protocol=tcp to-addresses=192.168.88.1 to-ports=443
add chain=srcnat


These below are particularly worrisome. Are you opening up winbox unencrypted to the outside world??
Not sure which device resides on 192.168.88.1 ?? Same with 443.

add action=dst-nat chain=dstnat comment="allow remote 8291" dst-port=8291 \
in-interface=ether1 protocol=tcp to-addresses=192.168.88.1 to-ports=8291 ?????????

add action=dst-nat chain=dstnat disabled=yes dst-port=443 in-interface=ether1 \
protocol=tcp to-addresses=192.168.88.1 to-ports=443 ???????????????
Last edited by anav on Tue Jul 07, 2020 4:41 am, edited 1 time in total.
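
An added example, not part of the original thread or of anav's post: a small Python check over a RouterOS `/export` that flags the two problems raised above, NAT rules that repeat and dst-nat rules that forward WAN traffic to management ports. The sample export is constructed from rules quoted in the post; treating 192.168.88.1 as the router's own address and the port set as the default service ports are assumptions.

```python
import re
from collections import Counter

# Constructed sample, modelled on the NAT rules quoted in the post above.
SAMPLE_EXPORT = r"""
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=9981 in-interface=ether1 protocol=\
    tcp to-addresses=192.168.88.200 to-ports=9981
add action=dst-nat chain=dstnat dst-port=9981 in-interface=ether1 protocol=\
    tcp to-addresses=192.168.88.200 to-ports=9981
add action=dst-nat chain=dstnat comment="allow remote 8291" dst-port=8291 \
    in-interface=ether1 protocol=tcp to-addresses=192.168.88.1 to-ports=8291
add action=dst-nat chain=dstnat disabled=yes dst-port=443 in-interface=ether1 \
    protocol=tcp to-addresses=192.168.88.1 to-ports=443
"""

# Assumed default service ports: SSH, WebFig HTTP/HTTPS, WinBox.
MGMT_PORTS = {"22", "80", "443", "8291"}

def parse_nat_rules(export):
    """Return each 'add' line under /ip firewall nat as a dict of key=value pairs."""
    text = re.sub(r"\\\r?\n\s*", "", export)  # join '\' line continuations
    rules, section = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            section = line
        elif section == "/ip firewall nat" and line.startswith("add "):
            rules.append(dict(re.findall(r'([\w-]+)=("[^"]*"|\S*)', line)))
    return rules

def audit_nat(export, router_ip="192.168.88.1"):
    """Report repeated rules and dst-nat rules aimed at management ports on router_ip."""
    rules = parse_nat_rules(export)
    # Two rules count as duplicates when they match on everything but the comment.
    keys = [tuple(sorted((k, v) for k, v in r.items() if k != "comment")) for r in rules]
    duplicates = [dict(k) for k, n in Counter(keys).items() if n > 1]
    exposed = [r for r in rules
               if r.get("action") == "dst-nat"
               and r.get("to-addresses") == router_ip
               and r.get("to-ports", r.get("dst-port")) in MGMT_PORTS]
    return {"duplicates": duplicates, "exposed_mgmt": exposed}

if __name__ == "__main__":
    for kind, found in audit_nat(SAMPLE_EXPORT).items():
        for rule in found:
            print(kind, rule)
```

Rules with `disabled=yes` are still reported, since re-enabling them restores the exposure.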
 
anav
Forum Guru
Posts: 19363
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: LTE backup plan

Mon Jul 06, 2020 11:18 pm

I cannot get to the core of your issue yet, the LTE, because the rest is so hosed.
Let's fix things slowly.

(1) First, is your normal WANIP a fixed static IP or a dynamic WANIP?
Will assume your backup WANIP through LTE is dynamic.
(2) Do add that LTE interface, noted above to the WAN interface list.
(3) Can you clarify what IP this is.......
/ip firewall filter
add action=accept chain=input comment="WinBox Wan Administration" dst-port=\
8291 protocol=tcp src-address=x.x.x.x


With that info we can move on to fix the NAT rules up.
Then we can take a look at routing issues.
Last edited by anav on Tue Jul 07, 2020 4:41 am, edited 1 time in total.
 
Shy
Member Candidate
Topic Author
Posts: 243
Joined: Sat Jun 13, 2020 8:17 am

Re: LTE backup plan

Tue Jul 07, 2020 1:06 am

Hi
The IP mentioned was just a test to see if I could reach it over 4G using TikApp. It's not a static rule.

The APN itself is PUB and is written in the WAN interfaces.
The NAT rules you see were tested with some hairpin NAT rules for some testing purposes.
This device is holding a lab environment, so that's the reason for the messy rules.
 
Shy
Member Candidate
Topic Author
Posts: 243
Joined: Sat Jun 13, 2020 8:17 am

Re: LTE backup plan

Tue Jul 07, 2020 11:50 am

I managed to solve it.
There was a bad route configured.
Now all works!
For those who are interested, see the how-to:

https://blog.ligos.net/2018-03-01/Mikro ... lover.html

e.g. I did a mass cleanup of the unnecessary NAT rules that I had in the lab.
So thanks @anav for the follow-up.
 
mbovenka
Member
Posts: 343
Joined: Mon Oct 14, 2019 10:14 am

Re: LTE backup plan

Tue Jul 07, 2020 12:13 pm


Good writeup. That's pretty much how I did it, except that I used an Android phone in USB tethering mode, which gives you an LTE interface automatically (it acts like a 4G stick in that regard).
 
anav
Forum Guru
Posts: 19363
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: LTE backup plan

Tue Jul 07, 2020 2:51 pm

Never thought of using phone like that except when travelling, but nice job!!
For my home I use recursive routing, a very similar setup to yours, and as well have a script on my DHCP client for the primary service, that takes a new gateway and puts it in the route rule, so that the switch is always automatic if they change the gateway/wanip.
 
mbovenka
Member
Posts: 343
Joined: Mon Oct 14, 2019 10:14 am

Re: LTE backup plan

Tue Jul 07, 2020 3:37 pm

Never thought of using phone like that except when travelling, but nice job!!

The LTE interface RouterOS creates isn't really one, you can't talk directly to the 4G network through it. It behaves more like a P2P Ethernet interface with a NAT router & DHCP server on the other end (much like the 'Remote NDIS' interface you get under Windows). But it works pretty much out of the box.
 
Shy
Member Candidate
Topic Author
Posts: 243
Joined: Sat Jun 13, 2020 8:17 am

Re: LTE backup plan

Tue Jul 07, 2020 5:59 pm

Yes, that's the reason I made a mistake configuring the route. :)


 
knedlyk
just joined
Posts: 10
Joined: Sat Jul 18, 2020 4:18 pm

Re: LTE backup plan

Mon Jul 20, 2020 8:25 pm

Hi! I was arranging a backup plan and was thinking about how to inform users and admins about switching to the backup and vice versa.

Finally, in the netwatch I added sending emails and fetching messages using Pushbullet, e.g.
/tool fetch mode=https url="https://api.pushbullet.com/v2/pushes"  http-method=post http-data="type=note&channel_tag=channel&title=header&body=some text" user="API token"
I hope that at some moment MikroTik may add its own push service to the mobile app.

Regarding usual users, who will experience a significant decrease in speed, I didn't find a universal solution... Injection using web-proxy, I suppose, will not work...

It would be interesting to know, which methods do you use?
 
Shy
Member Candidate
Topic Author
Posts: 243
Joined: Sat Jun 13, 2020 8:17 am

Re: LTE backup plan

Tue Jul 28, 2020 10:24 am

That's a great feature needed. I don't monitor that and I would love to.
