simple 2 WAN failover

Posted: Sun Feb 09, 2014 10:50 pm
by slipkn67
Hi guys!
Just got my RB951G-2HnD
Somehow managed to make it work by following this guide:
http://www.youtube.com/watch?v=ulDefmf1ces
Now I need to connect my 2nd internet and make a failover configuration, where should I start?

Both internets are PPPoE and have same username/password.
1st provider has dynamic IP, 2nd is static.

Re: simple 2 WAN failover

Posted: Sun Feb 09, 2014 11:37 pm
by bingo220

Re: simple 2 WAN failover

Posted: Mon Feb 10, 2014 10:47 pm
by slipkn67
My current progress so far:
1. Connected cables like this:
port1 PPPoE1
port2 PPPoE2
port3 PC1
port4 PC2
port5 nothing

2. Upgraded to RouterOS 6.9.

3. Did reset all configurations.

4. Changed router name in System -> Identity:
RB951G

5. Changed admin password from blank in system -> password

6. In Interfaces:
Gave comments: WAN to ether1 and LAN to ether3.
Set ether3 as master port for ether4 and ether5.

7. In PPP added PPPoE client:
named it "PPPoE 50 mbps"
Interfaces: ether1
Set user/password
Turned ON "use peer DNS", "use default route"
nothing more here

8. Set google public DNS in IP -> DNS:
Servers: 8.8.8.8
Allow remote requests: ON
At this point I have working internet on my router, I try:
new terminal -> ping mikrotik.com and it works

9. Set time/date on router.
System -> SNTP client:
Enabled: ON
Mode: unicast
Primary NTP server: ru.pool.ntp.org
Secondary NTP server: europe.pool.ntp.org
System -> clock -> timezone/date -> Europe/Moscow

10. Joined wifi and ether3 as bridge1:
On ports tab I added ether3 and wlan1

11. Set IP addresses for the bridge in IP -> Addresses:
Address: 192.168.88.1/24
Network: blank
Interface: bridge1

12. Created DHCP server for LAN clients in IP -> DHCP server -> DHCP setup:
DHCP server interface: bridge1
DHCP address space: 192.168.88.0/24
Gateway for DHCP network: 192.168.88.1
Addresses to give out: 192.168.88.2-192.168.88.254
DNS servers: 192.168.88.1
Lease time: 3 days

13. Set up wifi in Wireless -> Interfaces -> wlan1.
Wireless tab:
Advanced mode: ON
Mode: ap bridge
Band: 2Ghz-B/G/N
Channel width: 20mhz
SSID: RB951G
Wireless protocol: 802.11
DFS mode: no radar detect
Security profile: WPA2 (custom)
I created a new security profile:
Set name WPA2 and password, everything else I left as default

14. Set NAT in IP -> firewall -> NAT:
Out interface: "PPPoE 50 mbps"
Action: masquerade
In the video it says to select ether1, but internet doesn't work when I do that, so I select my PPPoE connection itself.
At this point I have working internet on my PC:
http://www.speedtest.net/result/3295818976.png

15. Did not set up a firewall.

Now internet works ok, I get stable 50 mbps. Anything else I should change before I move to configuring failover?

Re: simple 2 WAN failover

Posted: Tue Feb 11, 2014 12:03 am
by slipkn67
simplest method http://wiki.mikrotik.com/wiki/Two_gateways_failover
/ip route add gateway=192.168.1.1 check-gateway=ping
/ip route add gateway=192.168.2.1 distance=2
When I type this nothing happens. I understand that I have to assign these IP addresses to ether1 and ether2 and then type this. But I don't know how to do that.
Why can't someone just post 5-6 lines of text of what to do, like a simple guide: click here, type this, reboot, etc.? I always do that when I help noobs on other forums.

Re: simple 2 WAN failover

Posted: Tue Feb 11, 2014 12:26 am
by c0d3rSh3ll
If you have set up mangle correctly, in the routes select the pppoe interface instead of the IP address.
In the pppoe client interface uncheck use-default-route.


Sent from my mobile phone using Tapatalk.

Re: simple 2 WAN failover

Posted: Tue Feb 11, 2014 12:52 am
by slipkn67
I thought I could use the router without a firewall. I was wrong. Some noobs try to brute-force my admin password:
http://imageshack.com/a/img842/2361/zr00.png

So I need a simple firewall to protect the router.
I make an address list for LAN: 192.168.88.0/24
Then on filter rules tab I add a rule:
Chain: input
Advanced -> Src. Address list: LAN
Action: accept

And 2nd rule:
Chain: input
Action: drop

I saw that on this video:
http://www.youtube.com/watch?v=ulDefmf1ces
But it interferes with needed traffic too. For example, I can't even load diablo3.

Re: simple 2 WAN failover

Posted: Tue Feb 11, 2014 12:58 am
by slipkn67
If you have set up mangle correctly
Never heard of it.
I just wanted a router for failover. I was choosing between a TP-Link 470+ and some used Linksys with Tomato firmware from eBay, but they both were 100 mbps, so I went for this.

Re: simple 2 WAN failover

Posted: Tue Feb 11, 2014 1:02 am
by slipkn67
get a mikrotik router they said
it's easy to set up they said

Re: simple 2 WAN failover

Posted: Tue Feb 11, 2014 1:51 am
by bingo220
In both pppoe interfaces uncheck "use-default-route". (thx c0d3rSh3ll)
In the "IP-Services" disable unnecessary services.
Delete all firewall rules.
Delete all NAT rules.
/ip route
add distance=1 gateway=PPPoE1 comment="Default route to WAN1 (distance1)"
add distance=2 gateway=PPPoE2 comment="Default route to WAN2 (distance2)"

/ip firewall nat
add chain=srcnat out-interface=PPPoE1 action=masquerade
add chain=srcnat out-interface=PPPoE2 action=masquerade

/ip firewall address-list
add list=lan-ip address=192.168.88.0/24 comment="All IP of my LAN"

/ip firewall filter
add chain=input connection-state=invalid action=drop comment="Drop input invalid connection packets"
add chain=forward connection-state=invalid action=drop comment="Drop forward invalid connection packets"
add chain=input connection-state=established action=accept comment="Allow input established connections"
add chain=forward connection-state=established action=accept comment="Allow forward established connections"
add chain=input connection-state=related action=accept comment="Allow input related connections"
add chain=forward connection-state=related action=accept comment="Allow forward related connections"
add chain=input src-address-list=lan-ip action=accept comment="Allow all input for local net "
add chain=forward src-address-list=lan-ip action=accept comment="Allow all forward for local net "
add chain=input action=accept protocol=icmp comment="Allow input Ping"
add chain=forward action=accept protocol=icmp comment="Allow forward Ping"
add chain=input action=drop comment="All other inputs drop"
add chain=forward action=drop comment="All other forwards drop"

/ip neighbor discovery set ether1 discover=no
/ip neighbor discovery set ether2 discover=no

Re: simple 2 WAN failover

Posted: Tue Feb 11, 2014 3:50 am
by c0d3rSh3ll
If you have set up mangle correctly
Never heard of it.
I just wanted a router for failover. I was choosing between a TP-Link 470+ and some used Linksys with Tomato firmware from eBay, but they both were 100 mbps, so I went for this.
Sorry. I thought you needed load balancing through the PCC method.
"bingo220" has the complete script.

Sent from my mobile phone using Tapatalk.

Re: simple 2 WAN failover

Posted: Tue Feb 11, 2014 7:20 pm
by slipkn67
Hi, it's me again! I think bingo220's version almost worked. I renamed both my PPPoE connections as PPPoE1 and PPPoE2 to match the code and typed everything like bingo220 posted. When I was on pppoe1 everything worked perfectly. Then I turned pppoe1 off in Interfaces and the router switched to pppoe2. Websites loaded fine, like nothing happened.
But when I enable pppoe1 again, some websites do not load: forum.mikrotik.com stops loading, youtube looks like this:
http://imageshack.com/a/img855/149/4z13.png
diablo3 doesn't load either.
Now I'm writing this from pppoe2; if I enable pppoe1 again, this whole forum won't display for me.

Re: simple 2 WAN failover

Posted: Tue Feb 11, 2014 9:25 pm
by bingo220
Theoretically, there should be no problems.
1. Check that the "use-default-route" boxes are unchecked on both pppoe interfaces.
2. Make sure that public servers are entered in DNS, so that they are reachable from both connections.
3. That is normal behaviour if the old sessions were not torn down (in fact the route with distance 2 was never disabled). Then just restart the browser/game etc.
4. On older versions there was a problem with the default route not coming back; see "Workaround 1" in this article http://wiki.mikrotik.com/wiki/Advanced_ ... _Scripting , but that is in a more convoluted routing setup, using recursive routes.
Unfortunately, nothing smarter comes to mind at the moment.

Re: simple 2 WAN failover

Posted: Wed Mar 29, 2017 10:38 pm
by kd6icz
get a mikrotik router they said
it's easy to set up they said
Hahahahaha! Right.... I would rather have a root canal than have to mess with ANY of my Mikrotik boxes.

So many things I want them to do but avoid at all costs. This topic is one of them. Still no clear instructions for guys like me that only go up to layer 2 of the 7 layer stack. GUI people! GUI! Not scripts!

Re: simple 2 WAN failover

Posted: Mon Oct 16, 2017 9:08 am
by arafat586
Here is the complete tutorial 2 WAN failover https://www.youtube.com/watch?v=6k76D-cLE1o

Re: simple 2 WAN failover

Posted: Tue Oct 17, 2017 6:32 am
by cwachs
I'm coming back trying to solve this on my router...

I have 2 WANs. One has a /30 gateway connection and a /24 of public space assigned to me. It is the primary WAN that all traffic should flow over.
WAN 2 has a DHCP address on the WAN side and no public space.

My LAN port has a handful of VLANs on it with various private IPs as well as the /24 broken down into /28's, /29's and /30's. All this works great.

In our IP/Routes, WAN1 is distance 1 and WAN2 is distance 2.

We want to be able to check with PINGs the status of each WAN. However, the gateway for WAN1 is connected to it via fiber and in the same equipment rack so I really want to check farther down the road (ideally, 8.8.8.8 or something) so we know when the path is really dead. Same for WAN2.

When I create a rule forcing a ping to a destination to flow over WAN2, it immediately fails:
add check-gateway=ping distance=1 gateway=200.212.57.97
add check-gateway=ping distance=2 gateway=24.8.116.1
add comment="Force PING through WAN 2" distance=1 dst-address=216.228.192.69/32 gateway=24.8.116.1 \
    scope=11
I turn off that rule, it pings just fine via WAN1. This is true from both the router ping tool and any machine behind the router. I have masquerade rules built to masquerade all private and public IPs when they transit WAN2.

I guess I end up with 2 questions:

1) Thoughts on why I can't force a ping down WAN2?
2) A better way to check if a WAN is up other than a ping test to the gateway? Is this a trick for netwatch instead?
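One answer to the second question, testing a host beyond the directly attached gateway without netwatch scripting, is the recursive-route technique bingo220's reply points at (the MikroTik wiki's "Advanced Routing Failover without Scripting"). This is an added example, not posted by anyone in the thread; the two gateway addresses are the ones from the post above, and 8.8.8.8 / 8.8.4.4 are assumed probe hosts.

```routeros
# Added example (not from any poster in this thread): recursive-route failover
# that probes a host past the ISP gateway instead of the gateway itself.
# Gateways are the ones from the post above; 8.8.8.8 and 8.8.4.4 are assumed probe hosts.
/ip route
# Host routes pin each probe host to one WAN. scope=10 lets them resolve the
# recursive gateways below (default target-scope is 10 and is left unchanged).
add dst-address=8.8.8.8/32 gateway=200.212.57.97 scope=10 comment="Probe host reachable only via WAN1"
add dst-address=8.8.4.4/32 gateway=24.8.116.1 scope=10 comment="Probe host reachable only via WAN2"
# Default routes whose gateway is the probe host, not the ISP router. RouterOS
# resolves 8.8.8.8 through the /32 above, so check-gateway=ping now tests the
# whole path through WAN1; when the pings fail, the route goes inactive and the
# distance=2 route (checked the same way through WAN2) takes over.
add dst-address=0.0.0.0/0 gateway=8.8.8.8 check-gateway=ping distance=1 comment="Default via WAN1, checked end to end"
add dst-address=0.0.0.0/0 gateway=8.8.4.4 check-gateway=ping distance=2 comment="Default via WAN2, checked end to end"
```

For the PPPoE setup earlier in the thread the same four routes work with gateway=PPPoE1 and gateway=PPPoE2 on the two host routes. Because the /32 routes pin all traffic to the probe hosts onto one WAN, do not hand those same addresses out as DNS servers, or name resolution will break whenever that WAN is down.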

Re: simple 2 WAN failover

Posted: Fri Jan 04, 2019 2:19 am
by rfritz80
In order for you to have a failover, let's say Site 1, where you want the failover to be in place, has 2 WANs you are allowing in. So the Site 1 router will need some setup. Let's say we are using a new 4011 router with 10 ports. :)
So Site 1 has an IP address on the network 192.168.254.0/24
The Site 2 router has an IP address on the network 172.16.1.0/24. Its incoming ISP isn't important, because you will be setting up Router 1 with Router 2's details on how to get out; Router 2 already knows how to get to its WAN and out, as long as it has been set up properly.
You will be pulling the second failover from Router 2; there really isn't anything you need to do with Router 2, because it is bringing in the extra source of internet feed if WAN1 goes down. So whether you are using a cable connection or wireless communication, these are the steps you will need to follow.

Step 1: Determine the ports you are going to use. By default ether1 is off the bridge and is the designated WAN1, and we want to use ether10 as the second WAN2.
Step 2: Access the bridge: click Bridge > click the Ports tab > remove ether10 from the bridge!
Step 3: Name your ports: ether1 to WAN1 and ether10 to WAN2. Click Interfaces, double-click ether1 and rename it to WAN1, then double-click ether10 and rename it to WAN2.
Step 4: Now here comes the more interesting part. Let's say WAN1 has the IP address 192.168.254.50/24, its gateway is 192.168.254.1, its network is 192.168.254.0 and the subnet mask is /24 (255.255.255.0). WAN2 is 172.16.1.10/24, GW 172.16.1.1, network 172.16.1.0, mask 255.255.255.0.
> We need to set these IP addresses on the fixed interfaces we removed from the bridge, WAN1 and WAN2
> Click IP > Addresses >
Click the "+" to add a new Address.
Type in for the IP Address: 192.168.254.50/24 and select the Interface WAN1

Click the "+" again>
Type in IP Address 172.16.1.10/24 and select the Interface WAN2

Now we need some NAT rules, because we have 2 different subnets going on here >
Click IP > Firewall > click the NAT tab >
Here you should see a default masquerade rule.
You will want to make sure that this NAT rule is set up as follows, so click the default rule and open it.
General Tab>
Chain: srcnat
Out. Interface: WAN1

Action tab:
Action: masquerade

Click Ok!

Copy this rule or add a new rule and do the same setup, but in Out. Interface on the General tab change it to WAN2:

Next you will need to set the following IP Route Rules:
Click IP > Click Routes>
Click the "+" and add a new route:

Click in the Gateway Box: Type 192.168.254.1
Click in the Check Gateway Box: Ping
Click the Distance Box: Type in 1
Click OK.

Click the "+" Again to add a new Route:
Click in the Gateway Box: 172.16.1.1
Click in the Check Gateway Box: Ping
Click the Distance Box: type 2

Note: the route with the lowest distance number is the one the router will prefer for sending all default traffic out.

Now you can set up mangle rules within the firewall to allow load balancing and failover to work, but the failover really works with the IP routes; mangle rules let you use it for load balancing, as my understanding goes.

I hope this helps and works out for you all.

Btw, if you are doing this with a wireless setup, say you have a wireless radio and you are feeding the second WAN2 to Router 1, you will want to set up the wireless radios with IP addresses you excluded from Router 2. So for instance:

Router 2 site: has the access point, and you set that up with the IP address 172.16.1.7/24
Router 1 site: has the bridge radio; you set this up with the IP address 172.16.1.8/24 and plug it into ether10 (WAN2)
Remember that WAN2 needs a different IP address from those used on the Router 2 side, so the IP address configuration for WAN2 should be 172.16.1.10/24

I hope this helps and isn't too confusing.

Re: simple 2 WAN failover

Posted: Fri Jan 04, 2019 2:22 am
by rfritz80
I'm coming back trying to solve this on my router...

I have 2 WANs. One has a /30 gateway connection and a /24 of public space assigned to me. It is the primary WAN that all traffic should flow over.
WAN 2 has a DHCP address on the WAN side and no public space.

My LAN port has a handful of VLANs on it with various private IPs as well as the /24 broken down into /28's, /29's and /30's. All this works great.

In our IP/Routes, WAN1 is distance 1 and WAN2 is distance 2.

We want to be able to check with PINGs the status of each WAN. However, the gateway for WAN1 is connected to it via fiber and in the same equipment rack so I really want to check farther down the road (ideally, 8.8.8.8 or something) so we know when the path is really dead. Same for WAN2.

Because you are setting up routes, and unless your routers are physically or remotely connected, you won't be able to; you have to use a routing protocol like OSPF or BGP, or your flavor of choice. Also you need to keep in mind that the routers have different LANs and you need routes to those LAN IP addresses.

When I create a rule forcing a ping to a destination to flow over WAN2, it immediately fails:
add check-gateway=ping distance=1 gateway=200.212.57.97
add check-gateway=ping distance=2 gateway=24.8.116.1
add comment="Force PING through WAN 2" distance=1 dst-address=216.228.192.69/32 gateway=24.8.116.1 \
    scope=11
I turn off that rule, it pings just fine via WAN1. This is true from both the router ping tool and any machine behind the router. I have masquerade rules built to masquerade all private and public IPs when they transit WAN2.

I guess I end up with 2 questions:

1) Thoughts on why I can't force a ping down WAN2?
2) A better way to check if a WAN is up other than a ping test to the gateway? Is this a trick for netwatch instead?