Corbie
just joined
Topic Author
Posts: 20
Joined: Thu Apr 01, 2021 12:37 pm

Mikrotik Dual WAN Failover

Tue Aug 03, 2021 1:34 pm

Hi my fellow network admins,

I'm trying to configure dual WAN failover on a MikroTik RB3011. For now both "WAN" ports are DHCP; I have 2 bridges designated to the ether1 and ether2 ports, and each one has its own DHCP client, with which I'm simulating an "ISP".

Image

Gateway for WAN1: 192.168.238.1
Gateway for WAN2: 10.10.10.254

My Routes:
Image

Hops:
Image

Mangle Rules:
add chain=output connection-state=new connection-mark=no-mark action=mark-connection new-connection-mark=ISP1_conn out-interface=ether1
add chain=output connection-mark=ISP1_conn action=mark-routing new-routing-mark=to_ISP1 out-interface=ether1
add chain=output connection-state=new connection-mark=no-mark action=mark-connection new-connection-mark=ISP2_conn out-interface=ether2
add chain=output connection-mark=ISP2_conn action=mark-routing new-routing-mark=to_ISP2 out-interface=ether2

I followed this guide: https://help.mikrotik.com/docs/pages/vi ... d=26476608

But the problem is: when I disconnect "ISP1" everything still works, but when I connect ISP1 back and disconnect ISP2, the internet just goes down. Can someone point out what I am doing wrong?

BTW: when I'm connected to the internet, for some reason I cannot ping 8.8.8.8, but the internet works normally.

Thanks and best regards,
 
toxicfusion
Member Candidate
Posts: 267
Joined: Mon Jan 14, 2013 6:02 pm

Re: Mikrotik Dual WAN Failover

Tue Aug 03, 2021 5:21 pm

Since your ISPs are providing DHCP for your WAN interfaces, you can set your default-distance appropriately.

Make your primary ISP distance=1 and the secondary ISP distance=2.

It will automatically fail over and swap between links. However, this usually requires the link to be DOWN [modem offline and no ethernet connectivity]. If you want to rely on check-gateway=ping, there are some ways to do that with a DHCP interface. It is easier when your ISP provides you a static IP, as when you configure that static IP route you have the option to add check-gateway.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Mikrotik Dual WAN Failover

Tue Aug 03, 2021 6:18 pm

Why are you mangling??
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Mikrotik Dual WAN Failover

Tue Aug 03, 2021 7:54 pm

The forum is full of examples...

On both DHCP clients remove "add default route".
Remove all mangle rules and all routes you have set, and paste this in the terminal.
/ip dns
set servers=1.1.1.1,8.8.8.8

/ip route
add comment="A - 1.1.1.1 must be reachable only from ISP1" distance=1 dst-address=1.1.1.1/32 gateway=192.168.238.1 scope=10
add comment="B - Recursive Routing, check ping 1.1.1.1 instead of ISP IP" distance=10 gateway=1.1.1.1 check-gateway=ping
add comment="C - ISP2 is alternative Gateway" distance=20 gateway=10.10.10.254
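To see why these three routes behave the way they do (and why a plain distance-only pair of default routes, as in toxicfusion's reply, only fails over when the link is physically down), here is an added, self-contained Python model of RouterOS route selection. It is example code written for this thread, not RouterOS code and not anything the posters wrote. It assumes the two gateways from the opening post (192.168.238.1 reachable on ether1, 10.10.10.254 on ether2), models recursive next-hop resolution with RouterOS's default scope=30 / target-scope=10 for static routes and scope=10 for connected routes, and reduces check-gateway=ping to a per-interface "the far end answers" flag. The link-state dictionaries and the `internet_iface` helper are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed model of the two WAN links from the opening post (assumed connected networks).
IFACES = {"ether1": "192.168.238.0/24", "ether2": "10.10.10.0/24"}

@dataclass
class Route:
    dst: str                              # destination prefix
    gateway: str                          # next-hop IP, or an interface name for a connected route
    distance: int
    scope: int = 30                       # RouterOS default for static routes
    target_scope: int = 10                # RouterOS default: next hop must resolve via a route with scope <= 10
    check_gateway: Optional[str] = None   # "ping" or None
    comment: str = ""
    iface: Optional[str] = None           # filled in by evaluate()
    active: bool = False                  # filled in by evaluate()

def connected_routes():
    return [Route(net, ifc, 0, scope=10, comment=f"connected {ifc}") for ifc, net in IFACES.items()]

def lookup(table, ip, max_scope, exclude):
    """Longest-prefix match over active routes with scope <= max_scope (recursive next-hop resolution)."""
    addr, best, best_len = ipaddress.ip_address(ip), None, -1
    for r in table:
        if r is exclude or not r.active or r.scope > max_scope:
            continue
        net = ipaddress.ip_network(r.dst)
        if addr in net and (net.prefixlen > best_len or
                            (net.prefixlen == best_len and r.distance < best.distance)):
            best, best_len = r, net.prefixlen
    return best

def evaluate(table, link_up, isp_ok):
    """Mark each route active/inactive.
    link_up: physical link state per interface (what distance-only failover reacts to).
    isp_ok:  whether pings sent out of that interface are answered (what check-gateway=ping reacts to)."""
    for r in table:
        r.active, r.iface = False, None
    changed = True
    while changed:                                  # iterate until no further route can be resolved
        changed = False
        for r in table:
            if r.active:
                continue
            if r.gateway in IFACES:                 # connected route: active when the link is up
                if link_up[r.gateway]:
                    r.iface, r.active, changed = r.gateway, True, True
                continue
            via = lookup(table, r.gateway, r.target_scope, exclude=r)
            if via is None:                         # next hop not resolvable within target-scope
                continue
            if r.check_gateway == "ping" and not isp_ok[via.iface]:
                continue                            # gateway does not answer: route stays inactive
            r.iface, r.active, changed = via.iface, True, True
    return table

def internet_iface(static_routes, link_up, isp_ok):
    """Interface used by the lowest-distance active default route, or None if there is none."""
    table = connected_routes() + static_routes
    evaluate(table, link_up, isp_ok)
    defaults = [r for r in table if r.active and r.dst == "0.0.0.0/0"]
    return min(defaults, key=lambda r: r.distance).iface if defaults else None

def rextended_routes(with_host_route=True):
    """Routes A, B, C from the post above (A can be left out to show why it is needed)."""
    routes = [
        Route("0.0.0.0/0", "1.1.1.1", 10, check_gateway="ping", comment="B - recursive, ping 1.1.1.1"),
        Route("0.0.0.0/0", "10.10.10.254", 20, comment="C - ISP2 is alternative gateway"),
    ]
    if with_host_route:
        routes.append(Route("1.1.1.1/32", "192.168.238.1", 1, scope=10, comment="A - 1.1.1.1 only via ISP1"))
    return routes

def distance_only_routes():
    """toxicfusion's variant: two plain default routes, no gateway check."""
    return [Route("0.0.0.0/0", "192.168.238.1", 1), Route("0.0.0.0/0", "10.10.10.254", 2)]

ALL_UP = {"ether1": True, "ether2": True}
ISP1_DEAD = {"ether1": False, "ether2": True}   # used both as "link down" and as "link up but nothing answers"

if __name__ == "__main__":
    for name, routes in (("rextended A+B+C", rextended_routes()),
                         ("rextended without A", rextended_routes(with_host_route=False)),
                         ("distance only", distance_only_routes())):
        print(f"{name:22} all up -> {internet_iface(routes, ALL_UP, ALL_UP)}, "
              f"ISP1 link down -> {internet_iface(routes, ISP1_DEAD, ALL_UP)}, "
              f"ISP1 link up but dead -> {internet_iface(routes, ALL_UP, ISP1_DEAD)}")
```

The model shows the two things the routes depend on: route A has scope=10 so it is the only route that route B's target-scope=10 lookup of 1.1.1.1 is allowed to use (without A, B never resolves and ISP2 carries everything), and because that lookup pins 1.1.1.1 to ISP1, a failed ping marks B inactive and route C takes over even when the ISP1 link is still physically up.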
 
Corbie
just joined
Topic Author
Posts: 20
Joined: Thu Apr 01, 2021 12:37 pm

Re: Mikrotik Dual WAN Failover

Wed Aug 04, 2021 1:52 pm

rextended wrote:
The forum is full of examples...

On both DHCP clients remove "add default route".
Remove all mangle rules and all routes you have set, and paste this in the terminal.
/ip dns
set servers=1.1.1.1,8.8.8.8

/ip route
add comment="A - 1.1.1.1 must be reachable only from ISP1" distance=1 dst-address=1.1.1.1/32 gateway=192.168.238.1 scope=10
add comment="B - Recursive Routing, check ping 1.1.1.1 instead of ISP IP" distance=10 gateway=1.1.1.1 check-gateway=ping
add comment="C - ISP2 is alternative Gateway" distance=20 gateway=10.10.10.254

Still the same issue: when I disconnect ISP2 (GW: 192.168.238.1), the internet still goes down. But when I disconnect the primary connection it still works fine.
Last edited by Corbie on Wed Aug 04, 2021 1:59 pm, edited 1 time in total.
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Mikrotik Dual WAN Failover

Wed Aug 04, 2021 1:54 pm

Paste the actual
/export hide-sensitive
without removing anything, simply censoring sensitive data with *
 
Corbie
just joined
Topic Author
Posts: 20
Joined: Thu Apr 01, 2021 12:37 pm

Re: Mikrotik Dual WAN Failover

Wed Aug 04, 2021 2:01 pm

rextended wrote:
Paste the actual
/export hide-sensitive
without removing anything, simply censoring sensitive data with *

# aug/04/2021 13:00:46 by RouterOS 6.48.3
# software id = 1PH9-QHR7
#
# model = RB3011UiAS
# serial number = E7E60E25645E
/interface bridge
add name=WAN2
add admin-mac=2C:C8:1B:B5:C8:BB auto-mac=no comment=defconf name=bridge
/interface vlan
add interface=bridge name=vlan5-servisni vlan-id=5
add interface=bridge name=vlan15-guest vlan-id=15
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.50.10-192.168.50.254
add name=dhcp_pool1 ranges=192.168.5.2-192.168.5.254
add name=dhcp_pool2 ranges=192.168.15.2-192.168.15.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
add address-pool=dhcp_pool1 disabled=no interface=vlan5-servisni name=dhcp1
add address-pool=dhcp_pool2 disabled=no interface=vlan15-guest name=dhcp2
/interface bridge port
add bridge=WAN2 comment=defconf interface=ether2 trusted=yes
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add comment=WAN2 interface=ether2 list=WAN
/ip address
add address=192.168.50.1/24 comment=defconf interface=bridge network=192.168.50.0
add address=192.168.5.1/24 interface=vlan5-servisni network=192.168.5.0
add address=192.168.15.1/24 interface=vlan15-guest network=192.168.15.0
/ip dhcp-client
add add-default-route=no comment=defconf disabled=no interface=ether1
add add-default-route=no disabled=no interface=WAN2
/ip dhcp-server network
add address=192.168.5.0/24 gateway=192.168.5.1
add address=192.168.15.0/24 dns-server=192.168.15.1,1.1.1.1 gateway=192.168.15.1
add address=192.168.50.0/24 comment=defconf dns-server=192.168.50.1,1.1.1.1 gateway=192.168.50.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8
/ip dns static
add address=192.168.50.1 comment=defconf name=router.lan
/ip firewall filter
add action=drop chain=input comment="Block guest-vlan to servis-vlan" dst-address=192.168.5.0/24 src-address=192.168.15.0/24
add action=drop chain=input comment="Block guest-vlan to LAN" dst-address=192.168.50.0/24 src-address=192.168.15.0/24
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=ether1
add action=masquerade chain=srcnat out-interface=WAN2
/ip route
add check-gateway=ping distance=10 gateway=1.1.1.1
add distance=20 gateway=10.10.10.254
add distance=1 dst-address=1.1.1.1/32 gateway=192.168.238.1 scope=10
/system clock
set time-zone-name=Europe/Prague
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Mikrotik Dual WAN Failover

Wed Aug 04, 2021 2:16 pm

understood.
wait 12 min.
Last edited by rextended on Wed Aug 04, 2021 2:29 pm, edited 1 time in total.
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Mikrotik Dual WAN Failover

Wed Aug 04, 2021 2:28 pm

>script fix on next post<
Last edited by rextended on Wed Aug 04, 2021 2:59 pm, edited 1 time in total.
 
Corbie
just joined
Topic Author
Posts: 20
Joined: Thu Apr 01, 2021 12:37 pm

Re: Mikrotik Dual WAN Failover

Wed Aug 04, 2021 2:35 pm

rextended wrote:
Paste this in the terminal without omitting the { } !!!
{
/ip dhcp-client
set [find where interface=WAN2] interface=ether2
/ip firewall nat
remove [find where out-interface=ether1]
remove [find where out-interface=WAN2]
/interface bridge port
remove [find where bridge=WAN2]
/int bridge
remove [find where name=WAN2]
set bridge admin-mac=[/int ethernet get ether3 mac-address] auto-mac=no protocol-mode=none
}

[admin@MikroTik] /ip dhcp-client> {
{... /ip dhcp-client               
{... set [find where interface=WAN2] interface=ether2
{... /ip firewall nat                                
{... remove [find where out-interface=ether1]
{... remove [find where out-interface=WAN2]  
{... /interface bridge port                
{... remove [find where bridge=WAN2]
{... /int bridge                    
{... remove [find where name=WAN2]
{... set bridge admin-mac=[/int ethernet get ether3 mac-address] auto-mac=no protocol-mode=none
{... }                                                                                         
failure: can not run on slave interface
Btw my ether1 port, which is ISP1, is configured via QuickSet in the web interface. Could that cause any issues?
And for some funny reason it now works just the other way around: when I disconnect ISP1 the internet goes down and won't switch to ISP2.

This is the export now:
# aug/04/2021 13:40:47 by RouterOS 6.48.3
# software id = 1PH9-QHR7
#
# model = RB3011UiAS
# serial number = E7E60E25645E
/interface bridge
add name=WAN2
add admin-mac=2C:C8:1B:B5:C8:BB auto-mac=no comment=defconf name=bridge
/interface vlan
add interface=bridge name=vlan5-servisni vlan-id=5
add interface=bridge name=vlan15-guest vlan-id=15
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.50.10-192.168.50.254
add name=dhcp_pool1 ranges=192.168.5.2-192.168.5.254
add name=dhcp_pool2 ranges=192.168.15.2-192.168.15.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
add address-pool=dhcp_pool1 disabled=no interface=vlan5-servisni name=dhcp1
add address-pool=dhcp_pool2 disabled=no interface=vlan15-guest name=dhcp2
/interface bridge port
add bridge=WAN2 comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add comment="Sekund\E1rn\ED konektivita" interface=ether2 list=WAN
/ip address
add address=192.168.50.1/24 comment=defconf interface=bridge network=192.168.50.0
add address=192.168.5.1/24 interface=vlan5-servisni network=192.168.5.0
add address=192.168.15.1/24 interface=vlan15-guest network=192.168.15.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
add disabled=no interface=WAN2
/ip dhcp-server network
add address=192.168.5.0/24 gateway=192.168.5.1
add address=192.168.15.0/24 dns-server=192.168.15.1,1.1.1.1 gateway=192.168.15.1
add address=192.168.50.0/24 comment=defconf dns-server=192.168.50.1,1.1.1.1 gateway=192.168.50.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8
/ip dns static
add address=192.168.50.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip route
add check-gateway=ping comment="B - Recursive Routing, check ping 1.1.1.1 instead of ISP IP" distance=10 gateway=1.1.1.1
add comment="C - ISP2 is alternative Gateway" distance=20 gateway=10.10.10.254
add comment="A - 1.1.1.1 must be reachable only from ISP1" distance=1 dst-address=1.1.1.1/32 gateway=192.168.238.1 scope=10
/system clock
set time-zone-name=Europe/Prague
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Mikrotik Dual WAN Failover

Wed Aug 04, 2021 2:54 pm

Please do not "Reply with quote" every time; use the "+ Post Reply" button or it all becomes a big mess...

The export is exactly like before, because there is a position error in the script.

I fixed the script, paste it again.

Paste this in the terminal without omitting the { } !!!
{
/interface bridge port
remove [find where bridge=WAN2]
/ip dhcp-client
set [find where interface=WAN2] interface=ether2
/ip firewall nat
remove [find where out-interface=ether1]
remove [find where out-interface=WAN2]
/int bridge
remove [find where name=WAN2]
set bridge admin-mac=[/int ethernet get ether3 mac-address] auto-mac=no protocol-mode=none
}
 
Corbie
just joined
Topic Author
Posts: 20
Joined: Thu Apr 01, 2021 12:37 pm

Re: Mikrotik Dual WAN Failover

Wed Aug 04, 2021 3:06 pm

It still says: "failure: it can not run on slave interfaces"
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Mikrotik Dual WAN Failover

Wed Aug 04, 2021 4:29 pm

Do each operation manually:

on /interface bridge port, remove ether2 from bridge WAN2

on /ip dhcp-client, set the DHCP client on interface ether2 instead of bridge WAN2

on bridge, delete the WAN2 bridge

on the remaining bridge, set the admin-mac to the mac-address of ether3 and protocol-mode to none
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Mikrotik Dual WAN Failover

Wed Aug 04, 2021 7:28 pm

Config feedback.

(1) Why do you use a bridge for WAN?
All you need is either a DHCP client
or a manually added IP address.

(2) Do all your ports connect to smart devices (ones that can read vlan tags)?

(3) Why do you even define vlans? They are not used.

(4) The input chain is for traffic to and from the router (WAN to router, router to WAN, LAN to router and router to LAN), and thus trying to block vlans from each other is done in the wrong chain. Remove the rules below.
The forward chain is for WAN to LAN, LAN to LAN and LAN to WAN traffic.
add action=drop chain=input comment="Block guest-vlan to servis-vlan" dst-address=192.168.5.0/24 src-address=192.168.15.0/24
add action=drop chain=input comment="Block guest-vlan to LAN" dst-address=192.168.50.0/24 src-address=192.168.15.0/24

(5) So after deleting the rules in four, let's accomplish the same thing a bit more neatly.

Take this rule --> add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
which states: don't allow any WAN to LAN traffic that is not intended for port forwarding. Simply change it to allow port forwarding and then
create a last rule that simply drops all other traffic. So this last rule will block not only the WAN to LAN traffic but LAN to LAN (WHAT YOU WANT FOR YOUR VLANS!!) and LAN to WAN. Reading this slowly you should realize that the router comes by default allowing traffic unless you block it. By putting the drop-all-else rule at the end, we have turned the forward chain into block-all-except-what-we-allow (much superior). Now you should realize that this rule blocks LAN to WAN as already stated, so we need to ensure you add back intended internet outbound traffic.

SO from
input chain:
add action=drop chain=input comment="Block guest-vlan to servis-vlan" dst-address=192.168.5.0/24 src-address=192.168.15.0/24
add action=drop chain=input comment="Block guest-vlan to LAN" dst-address=192.168.50.0/24 src-address=192.168.15.0/24
forward chain:
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

TO
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat connection-state=new in-interface-list=WAN ***
add action=accept chain=forward in-interface-list=LAN out-interface-list=LAN
add action=drop chain=forward comment="drop all else"

*** if you have no intention of port forwarding, another advantage of changing this rule is that you can now disable it temporarily or remove it without affecting anything else.
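To make the chain distinction in points (4) and (5) concrete, here is an added Python model of how RouterOS walks the input and forward chains: first matching rule wins, and a packet that matches nothing is accepted. It is example code written for this thread, not RouterOS code and not anything the posters wrote. It uses the interface lists and router addresses from the posted export (the LAN list contains only `bridge`; the VLAN interfaces are in no list), reduces the defconf rules to the ones that decide new connections, and adds one assumed rule, `accept in-interface-list=LAN out-interface-list=WAN`, standing in for the outbound traffic anav says must be added back. The sample packets are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Interface lists and router addresses as in the posted export; the VLAN interfaces are in no list.
LISTS = {"LAN": {"bridge"}, "WAN": {"ether1", "ether2"}}
ROUTER_ADDRS = {"192.168.50.1", "192.168.5.1", "192.168.15.1"}

@dataclass
class Packet:
    in_iface: str
    out_iface: Optional[str]          # None when the packet is addressed to the router itself
    src: str
    dst: str
    conn_state: str = "new"
    nat_state: Optional[str] = None   # "dstnat" after a dst-nat rule rewrote the destination

def in_iface_list(iface, spec):
    """RouterOS interface-list match; a leading '!' negates (in-interface-list=!LAN)."""
    return iface not in LISTS[spec[1:]] if spec.startswith("!") else iface in LISTS[spec]

@dataclass
class Rule:
    chain: str
    action: str
    comment: str = ""
    in_list: Optional[str] = None
    out_list: Optional[str] = None
    src_net: Optional[str] = None
    dst_net: Optional[str] = None
    conn_state: Optional[set] = None
    nat_state: Optional[str] = None   # "dstnat" or "!dstnat"

    def matches(self, p: Packet) -> bool:
        return all([
            self.in_list is None or in_iface_list(p.in_iface, self.in_list),
            self.out_list is None or in_iface_list(p.out_iface, self.out_list),
            self.src_net is None or ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src_net),
            self.dst_net is None or ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst_net),
            self.conn_state is None or p.conn_state in self.conn_state,
            self.nat_state is None or (p.nat_state == "dstnat") == (self.nat_state == "dstnat"),
        ])

def chain_for(p):
    """Packets addressed to the router itself go through input; traffic passing through goes through forward."""
    return "input" if p.dst in ROUTER_ADDRS else "forward"

def verdict(rules, p):
    """First matching rule in the packet's chain decides; RouterOS accepts when nothing matches."""
    chain = chain_for(p)
    for r in rules:
        if r.chain == chain and r.matches(p):
            return r.action
    return "accept"

ESTABLISHED = {"established", "related", "untracked"}
# defconf rules from the export that decide new connections (ICMP, loopback, ipsec and fasttrack rules left out).
DEFCONF = [
    Rule("input", "accept", "defconf: accept established,related,untracked", conn_state=ESTABLISHED),
    Rule("input", "drop", "defconf: drop invalid", conn_state={"invalid"}),
    Rule("input", "drop", "defconf: drop all not coming from LAN", in_list="!LAN"),
    Rule("forward", "accept", "defconf: accept established,related,untracked", conn_state=ESTABLISHED),
    Rule("forward", "drop", "defconf: drop invalid", conn_state={"invalid"}),
]
GUEST_BLOCKS_IN_INPUT = [   # the two rules from the export, placed in the input chain
    Rule("input", "drop", "Block guest-vlan to servis-vlan", src_net="192.168.15.0/24", dst_net="192.168.5.0/24"),
    Rule("input", "drop", "Block guest-vlan to LAN", src_net="192.168.15.0/24", dst_net="192.168.50.0/24"),
]
BEFORE = GUEST_BLOCKS_IN_INPUT + DEFCONF + [
    Rule("forward", "drop", "defconf: drop all from WAN not DSTNATed", in_list="WAN", conn_state={"new"}, nat_state="!dstnat"),
]
AFTER = DEFCONF + [
    Rule("forward", "accept", "allow port forwarding", in_list="WAN", conn_state={"new"}, nat_state="dstnat"),
    Rule("forward", "accept", "LAN to LAN", in_list="LAN", out_list="LAN"),
    Rule("forward", "accept", "LAN to WAN (assumed: the outbound rule anav says to add back)", in_list="LAN", out_list="WAN"),
    Rule("forward", "drop", "drop all else"),
]

# Constructed sample traffic (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges).
GUEST_TO_LAN_HOST = Packet("vlan15-guest", "bridge", "192.168.15.20", "192.168.50.20")
GUEST_TO_ROUTER = Packet("vlan15-guest", None, "192.168.15.20", "192.168.50.1")
GUEST_TO_INTERNET = Packet("vlan15-guest", "ether1", "192.168.15.20", "203.0.113.10")
LAN_TO_INTERNET = Packet("bridge", "ether1", "192.168.50.20", "203.0.113.10")
WAN_UNSOLICITED = Packet("ether1", "bridge", "198.51.100.7", "192.168.50.20")
WAN_PORT_FORWARD = Packet("ether1", "bridge", "198.51.100.7", "192.168.50.20", nat_state="dstnat")

if __name__ == "__main__":
    for name, p in [("guest -> LAN host", GUEST_TO_LAN_HOST), ("guest -> router", GUEST_TO_ROUTER),
                    ("guest -> internet", GUEST_TO_INTERNET), ("LAN -> internet", LAN_TO_INTERNET),
                    ("WAN unsolicited", WAN_UNSOLICITED), ("WAN port-forwarded", WAN_PORT_FORWARD)]:
        print(f"{name:20} {chain_for(p):8} before={verdict(BEFORE, p):7} after={verdict(AFTER, p)}")
```

Running it shows the two points of the post: under the original rules a guest-VLAN host reaching a LAN host is accepted (the input-chain drop only ever sees packets addressed to the router's own addresses), while under the drop-all-else rules it is dropped. It also shows the caveat: with the VLAN interfaces absent from the LAN list, guest-to-internet traffic is dropped too, so the interface lists have to cover every internal interface that should get the outbound accept.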
 
Corbie
just joined
Topic Author
Posts: 20
Joined: Thu Apr 01, 2021 12:37 pm

Re: Mikrotik Dual WAN Failover

Fri Aug 06, 2021 11:27 am

@anav

1.) Oh, I didn't know I can just assign an address and it will act as a WAN interface. Still new to MikroTik, but that kind of fixed all my issues. Thanks.

2.) It's just connected to an L3 switch which has vlans assigned on specific ports.

3.) They are in use on the switch: access points, which broadcast SSIDs for the normal LAN and the guest-vlan; in the servis-vlan there are going to be a Synology, CCTV, etc.

4.) I read that input means -> to the router, but if I do for example:
add action=drop chain=input comment="Block guest-vlan to LAN" dst-address=192.168.50.0/24 src-address=192.168.15.0/24
and the IP of the MikroTik is 192.168.50.1,
does it completely cut off the guest-vlan from the router? Or will the router just be inaccessible and everything else still work? Because I didn't want guests to access the router from the guest-vlan (like the web interface, etc.) but still let the internet work. So I planned to do both rules: forward and input.

5.) The rule was already there when I bought the router, so I didn't touch anything default in the firewall,
but I still don't understand how it can block LAN to LAN traffic? I thought it just blocks everything from the WAN interfaces.

6.) Last question about WAN failover:
When I did it properly without bridging, it works flawlessly; I used @rextended's method.

But what about when ISP2 will be VDSL and I will have a VDSL modem in bridge mode connected to the MikroTik and let the MikroTik handle the PPPoE connection? Can the failover still be done by routing, with the gateway set to a specific interface instead of an IP address, or something like that?
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Mikrotik Dual WAN Failover

Fri Aug 06, 2021 12:05 pm

Yes, if ISP2 is a pppoe-client and is the failover,
you can remove rule "C" and on pppoe-out1 set add-default-route with distance 20.
