As they were for different customers I needed something that works with different LTE carriers AND works reliably where the WAN interface picks up its address details with DHCP - so this means as little static address configuration as possible is needed.
I managed to get it going without recursive routing working overtly, plus some route-distance tweaks. It feels a bit like a Rube Goldberg machine in the way it operates, but it functions just fine.
What it does:
* Uses 8.8.4.4 to test for connectivity out the WAN interface when it's running.
* Uses a gateway ping to 8.8.4.4, or the WAN interface going down, to move the default route to the LTE interface.
* Tested with:
- WAN device not connected at boot then later plugged in.
- WAN device connected at boot and on but not issuing DHCP (like VDSL not synced).
- WAN device initially working but not responding to traffic (like VDSL not synced or resyncing).
* There is no 30-second timeout like you'd expect when a recursive-routing gateway ping fails; the default route switches within seconds (not such a bad thing).
* Port 5 has a filter so any traffic on this interface can't use up LTE data (needed for a guest Wifi network to not consume LTE quota).
* LEDS 1-4 are signal level and LED5 comes on when LTE default route is active.
* Works with any WAN service that uses DHCP. Nothing static needed!
It's dodgy I know so am glad for any improvements and suggestions if any.
* The LED activation script works but could be improved by using a global variable to keep state, so that LED information isn't written to the log every few seconds.
* It works on 7.1beta5 and may not work on any other version of ROS ever.
* Winbox 3.27 doesn't seem to show route state properly in the route window when things change with this version of ROS so you need to use "/ip/route/print interval=1" to see the correct information.
* I have hand changed a few things to generalise the script to what I deployed but didn't test loading it to a blank Château as I have no more available. I hope it loads OK.
* Don't forget to update your LTE firmware.
# apr/27/2021 13:44:47 by RouterOS 7.1beta5
# software id = KBT6-0I2W
#
# model = RBD53G-5HacD2HnD
# LAN bridge; its member ports (ether2-ether5) are added under /interface bridge port below.
/interface bridge
add auto-mac=yes name=Bridge1
# NOTE(review): only SSID and noise-immunity are set here and no security-profile is
# assigned; the default profile at the end of this block carries no authentication
# settings in this export. If wlan1/wlan2 are enabled on the deployed unit, confirm
# the profile's mode before relying on it.
/interface wireless
set [ find default-name=wlan1 ] adaptive-noise-immunity=ap-and-client-mode \
ssid=MikroTik station-roaming=enabled
set [ find default-name=wlan2 ] adaptive-noise-immunity=ap-and-client-mode \
ssid=MikroTik station-roaming=enabled
# ether1 is the wired uplink; it is referred to as EtherWAN everywhere below.
/interface ethernet
set [ find default-name=ether1 ] name=EtherWAN
/interface lte
set [ find ] allow-roaming=no name=lte1
# Interface list that limits neighbor discovery and the MAC-server/MAC-Winbox listeners
# (members are added under /interface list member).
/interface list
add name=MACAllow
# default-route-distance=3 places the LTE default above the recursive WAN default
# (distance 1, /ip route) and below the DHCP-client default (distance 10), so LTE is
# used only while the WAN gateway check fails.
/interface lte apn
set [ find default=yes ] apn=connect default-route-distance=3 ip-type=ipv4 \
passthrough-subnet-selection=p2p use-network-apn=no
# Default wireless security profile: only supplicant-identity is changed in this export.
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# Address pool handed out by dhcp1 on Bridge1 (router itself is 192.168.0.1).
/ip pool
add name=dhcp_pool0 ranges=192.168.0.2-192.168.0.254
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=Bridge1 lease-time=12h \
name=dhcp1
# Shapes LAN traffic to/from EtherWAN only (dst=EtherWAN); traffic via lte1 is not queued.
/queue simple
add dst=EtherWAN max-limit=40M/100M name=Queue1 queue=\
pcq-upload-default/pcq-download-default target=192.168.0.0/24
# ether5 (the guest/hotspot port) is in the same bridge and 192.168.0.0/24 subnet as the
# other LAN ports; the only guest-specific treatment in this export is the LTE drop in
# /ip firewall filter, so guests are not isolated from the rest of the LAN.
/interface bridge port
add bridge=Bridge1 interface=ether2
add bridge=Bridge1 interface=ether3
add bridge=Bridge1 interface=ether4
add bridge=Bridge1 interface=ether5
# Needed so the in-bridge-port/out-bridge-port matchers in /ip firewall filter see
# bridged traffic.
/interface bridge settings
set use-ip-firewall=yes
/ip neighbor discovery-settings
set discover-interface-list=MACAllow
# NOTE(review): Bridge1 already contains ether5, so neighbor discovery and the
# MAC-server/MAC-Winbox listeners are reachable from the guest port through the bridge
# membership alone; the separate ether5 entry adds nothing and may be unintended.
/interface list member
add interface=Bridge1 list=MACAllow
add interface=ether5 list=MACAllow
/ip address
add address=192.168.0.1/24 interface=Bridge1 network=192.168.0.0
# ddns-enabled=yes registers the router's current public address with MikroTik's cloud
# DDNS; update-time=no keeps the clock from being set from the cloud service.
/ip cloud
set ddns-enabled=yes update-time=no
# WAN DHCP client. default-route-distance=10 keeps the DHCP-learned default below both
# the recursive default (distance 1) and the LTE default (distance 3) in /ip route.
# The script runs on every lease event: it reads the gateway the client currently holds
# and re-points the 8.8.4.4/32 host route at it, so the recursive default route follows
# whatever gateway the WAN hands out without any static address in the config.
# NOTE(review): when the lease is released the gateway read here is presumably empty and
# the 'set' then errors; the host route keeps its previous gateway and check-gateway=ping
# on the default route is what actually triggers fail-over. A [:len $gw] > 0 guard around
# the 'set' would keep that case out of the log - confirm on a unit before relying on it.
/ip dhcp-client
add default-route-distance=10 disabled=no interface=EtherWAN script=":local gw\
\_[/ip dhcp-client get [find interface=EtherWAN ] gateway];\r\
\n/ip route set [find dst-address=8.8.4.4/32] gateway=\$gw;\r\
\n\r\
\n" use-peer-ntp=no
# Clients get the router as DNS, gateway and NTP server.
/ip dhcp-server network
add address=192.168.0.0/24 dns-server=192.168.0.1 gateway=192.168.0.1 \
ntp-server=192.168.0.1
# allow-remote-requests=yes makes the router a resolver for LAN clients, but the
# listener answers on every interface; it relies on the input chain in /ip firewall
# filter to drop unsolicited queries arriving on the uplinks (EtherWAN and lte1).
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
# Replace the placeholder with the management source address(es); only members of
# this list may reach Winbox (see "Allowlist Winbox" in /ip firewall filter).
/ip firewall address-list
add address=your.ipaddress.here list=IPALLOWLIST
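# Input chain: accept ICMP and established/related, Winbox from the allowlist, then drop
# invalid packets and anything else arriving on an uplink. Forward chain: keep the guest
# port (ether5) off LTE in both directions and refuse unsolicited inbound connections
# from either uplink.
# Note: log-prefix only takes effect together with log=yes, which is not set on any rule
# here, so the drop rules are silent.
/ip firewall filter
add action=accept chain=input comment="Accept ICMP Input" protocol=icmp
add action=accept chain=input comment="Accept established, related input" \
connection-state=established,related
add action=accept chain=forward comment="Accept established, related forward" \
connection-state=established,related
add action=accept chain=input comment="Allowlist Winbox" dst-port=8291 \
protocol=tcp src-address-list=IPALLOWLIST
add action=drop chain=forward comment="Drop guest/hotspot using LTE" \
in-bridge-port=ether5 out-interface=lte1
add action=drop chain=forward comment="Drop guest/hotspot using LTE" \
out-bridge-port=ether5 in-interface=lte1
add action=drop chain=input comment="Drop invalid packets" connection-state=\
invalid
add action=drop chain=input comment="Drop anything else in on WAN" \
in-interface=EtherWAN log-prefix=DropWAN
# lte1 is an uplink too (it carries the default route on fail-over and may hold a
# carrier-assigned public address), so it needs the same input policy as EtherWAN.
# Without this rule the DNS resolver (allow-remote-requests=yes) and the NTP server
# enabled below are reachable from the LTE side.
add action=drop chain=input comment="Drop anything else in on LTE" \
in-interface=lte1 log-prefix=DropLTE
# New connections arriving on an uplink are not forwarded into the LAN. There is no
# dst-nat in this export, so nothing legitimate matches; the !dstnat condition keeps
# any port-forward added later working without touching these rules.
add action=drop chain=forward comment="Drop new connections in from WAN" \
connection-nat-state=!dstnat connection-state=new in-interface=EtherWAN
add action=drop chain=forward comment="Drop new connections in from LTE" \
connection-nat-state=!dstnat connection-state=new in-interface=lte1
# Masquerade the LAN on whichever uplink currently carries the default route.
/ip firewall nat
add action=masquerade chain=srcnat src-address=192.168.0.0/24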
# Host route to the probe address via the WAN gateway. The gateway given here is only
# the initial value: the /ip dhcp-client script overwrites it on every lease event.
# scope=10 lets this route satisfy the default route's target-scope=20 below, which is
# what makes the recursive next-hop resolution work.
/ip route
add disabled=no distance=2 dst-address=8.8.4.4/32 gateway=192.168.100.254 \
pref-src="" routing-table=main scope=10 suppress-hw-offload=no \
target-scope=10
# Default route whose next hop is the probe address itself, so it is resolved through
# the host route above. check-gateway=ping pings 8.8.4.4 over that path; while the pings
# fail this route is inactive and the LTE default (distance 3, /interface lte apn) wins.
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
8.8.4.4 pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
target-scope=20
# Management services: everything except Winbox is switched off here (winbox and
# www-ssl are not touched by this export, so they keep their defaults). Winbox access is
# additionally limited to IPALLOWLIST by the firewall input chain.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Australia/Melbourne
/system identity
set name=ChateauMerde
# led1-led4 show the modem signal level (set 0); led5 is switched by the lte-led-status
# scheduler and is off until that scheduler first sees an active LTE default route.
/system leds
# using RSRP, modem-signal-threshold ignored
set 0 leds=led1,led2,led3,led4
add leds=led5 type=off
# Debug logging entry kept but disabled; enable it when troubleshooting the fail-over.
/system logging
add disabled=yes topics=debug
/system ntp client
set enabled=yes
# NTP server listens on all interfaces; it is only shielded on the uplinks where the
# input chain in /ip firewall filter drops unsolicited traffic (EtherWAN in this export).
/system ntp server
set enabled=yes
/system ntp client servers
add address=au.pool.ntp.org
# NOTE(review): development channel on a deployed unit. The author states this config is
# only known to work on 7.1beta5, so a later development build may change routing or
# scripting behaviour underneath it - verify before upgrading.
/system package update
set channel=development
# auto-upgrade here is the RouterBOARD firmware (bootloader) upgrade after a package
# upgrade, not an automatic RouterOS package update.
/system routerboard settings
set auto-upgrade=yes cpu-frequency=auto
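# Every 3 s: light led5 while an active default route points at lte1, otherwise turn it
# off. The LED is only re-set when its current type differs from the wanted one, so the
# scheduler no longer generates a configuration change (and the matching log entry)
# on every run. The policy is trimmed to what the body needs: read (route find, leds get)
# and write (leds set); the original carried password/policy/reboot/sensitive as well.
/system scheduler
add interval=3s name=lte-led-status on-event=":local ltestate [/ip/route/find where gateway ~\"lte1\" dst-address ~\"0.0.0.0/0\" active];\r\n:local want \"off\";\r\n:if ([:len \$ltestate] > 0) do={:set want \"on\"};\r\n:if ([/system/leds/get [find leds=\"led5\"] type] != \$want) do={/system/leds/set [find leds=\"led5\"] type=\$want};\r\n" policy=read,write start-date=apr/17/2021 start-time=19:49:26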
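# Manual variant of the lte-led-status scheduler body for testing from a terminal
# (/system script run ltetest): prints the IDs of active default routes via lte1 and
# then sets led5 accordingly. Policy is trimmed to read (route find) and write (leds set);
# dont-require-permissions=no keeps the caller's own permissions in force.
/system script
add dont-require-permissions=no name=ltetest owner=admin policy=read,write source=":local ltestate [/ip/route/find where gateway ~\"lte1\" dst-address ~\"0.0.0.0/0\" active];\r\n:put \$ltestate;\r\n:if ([:len \$ltestate] > 0) do={/system/leds/set [find leds=\"led5\"] type=on} else {/system/leds/set [find leds=\"led5\"] type=off};\r\n"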
# Bandwidth-test server off; MAC-telnet and MAC-Winbox only answer on MACAllow
# (Bridge1 and ether5, see /interface list member), never on EtherWAN or lte1.
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=MACAllow
/tool mac-server mac-winbox
set allowed-interface-list=MACAllow