katopz24
newbie
Topic Author
Posts: 27
Joined: Fri Sep 28, 2018 10:28 pm

MikroTik Failover with 2 WAN

Fri Sep 02, 2022 5:09 pm

PTPA
Hi All,

I need your help on how to configure 2 WAN failover in MikroTik RouterOS.

Please see image below:
Image


I saw this, but it is not working.
MikroTik Failover
Step 1: Add IP > Address (ISP1, ISP2 & LAN)
Step 2: IP > Firewall > NAT
	a) chain: srcnat		out-interface: ISP1	Action: masquerade
	b) chain: srcnat		out-interface: ISP2	Action: masquerade
Step 3: IP > Route
	a) dst: 0.0.0.0		gateway: ISP1 IP Address	and check gateway: ping
	b) dst: 0.0.0.0		gateway: ISP2 IP Address	and check gateway: ping
	3) dst: 0.0.0.0		gateway: ISP1 & ISP2 IP Address		and check gateway: ping
Step 4: Firewall > Mangle
    	a) Chain: input	in-interface: ISP1	action: mark_connection (ISP1_conn)	passthrough:TICK
  	b) Chain: input	in-interface: ISP2	action: mark_connection (ISP2_conn)	passthrough:TICK
  	c) Chain: output		connection-mark: ISP1_conn	Action: mark_routing (To_ISP1)	passthrough:TICK
  	d) Chain: output	connection-mark: ISP2_conn	Action: mark_routing (To_ISP2)	passthrough:TICK
	e) Chain: prerouting	in-interface: LAN	Action: accept
Step 5: IP > DNS
	8.8.8.8		Allow remote request: TICK
Step 6:
	Set PC static IP as per LAN series (because I don’t declare DHCP till now) and check internet from browser.
Step 7:
	Set auto failover (if primary down then automatically on secondary link)
	For this IP > Route > set distance for both ISPs
If I down ISP1 > check


Thank you!
 
own3r1138
Long time Member
Posts: 681
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades
Contact:

Re: MikroTik Failover with 2 WAN

Fri Sep 02, 2022 5:14 pm

 
anav
Forum Guru
Posts: 19103
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: MikroTik Failover with 2 WAN

Fri Sep 02, 2022 8:24 pm

Post the entire config (minus any public WANIP info, or router software id) and I will have a look.
 
katopz24
newbie
Topic Author
Posts: 27
Joined: Fri Sep 28, 2018 10:28 pm

Re: MikroTik Failover with 2 WAN

Sat Sep 03, 2022 11:55 am

Hi,
Here's the config below.
# sep/03/2022 09:14:31 by RouterOS 6.49.6
# software id = ****
#
# model = 951Ui-2HnD

/interface bridge
add admin-mac=**** arp=proxy-arp auto-mac=no fast-forward=no \
    mtu=1500 name=bridge-local
/interface ethernet
set [ find default-name=ether1 ] mac-address=**** name=\
    ether1-gateway
set [ find default-name=ether2 ] mac-address=**** name=\
    ether2-master-local
set [ find default-name=ether3 ] mac-address=**** name=\
    ether3-slave-local
set [ find default-name=ether4 ] mac-address=**** name=\
    ether4-slave-local
set [ find default-name=ether5 ] mac-address=**** name=\
    ether5-slave-local
/interface l2tp-client
add connect-to=**** disabled=no name=**** user=\
    ****
add connect-to=**** name=l2tp-out1 user=****
/interface wireless
set [ find default-name=wlan1 ] antenna-gain=0 band=2ghz-b/g/n channel-width=\
    20/40mhz-eC country=no_country_set disabled=no frequency=2457 \
    frequency-mode=manual-txpower mode=ap-bridge ssid=**** tx-power=\
    20 tx-power-mode=all-rates-fixed
/interface pptp-client
add connect-to=**** disabled=no name=**** user=\
    ****
add connect-to=**** disabled=no name=**** user=\
    ****
add connect-to=**** disabled=no name=**** user=****
/interface list
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" mode=\
    dynamic-keys supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=\
    ICC-Guest supplicant-identity=""
/interface wireless
add disabled=no mac-address=**** master-interface=wlan1 name=\
    ap-guest security-profile=ICC-Guest ssid=ICC-Guest wds-cost-range=0 \
    wds-default-cost=0
/ip dhcp-server
add authoritative=after-2sec-delay interface=ether1-gateway lease-time=3d \
    name=dhcp1
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des
/ip pool
add comment="Main Local DHCP" name=default-dhcp ranges=\
    192.168.9.100-192.168.9.254
add comment="Guest WiFi DHCP" name=dhcp_pool1 ranges=11.11.11.2-11.11.11.254
/ip dhcp-server
add address-pool=default-dhcp authoritative=after-2sec-delay disabled=no \
    interface=bridge-local lease-time=3d name=default
add address-pool=dhcp_pool1 authoritative=after-2sec-delay disabled=no \
    interface=ap-guest name=dhcp2
/interface sstp-client
add connect-to=*** disabled=no name=**** profile=\
    default-encryption user=*** \
    verify-server-address-from-certificate=no
add connect-to=**** disabled=no name=**** profile=\
    default-encryption user=****
/interface bridge port
add bridge=bridge-local interface=ether2-master-local
add bridge=bridge-local interface=wlan1
add bridge=bridge-local interface=ether5-slave-local
/ip neighbor discovery-settings
set discover-interface-list=discover
/interface list member
add interface=ether1-gateway list=discover
add interface=ether2-master-local list=discover
add interface=ether3-slave-local list=discover
add interface=ether4-slave-local list=discover
add interface=ether5-slave-local list=discover
add interface=bridge-local list=discover
add interface=l2tp-out1 list=discover
add interface=pptp-out1 list=discover
add interface=sstp-out1 list=discover
add interface=wlan1 list=discover
add interface=ap-guest list=discover
add interface=ether2-master-local list=mactel
add interface=ether3-slave-local list=mactel
add interface=ether2-master-local list=mac-winbox
add interface=ether4-slave-local list=mactel
add interface=ether3-slave-local list=mac-winbox
add interface=ether5-slave-local list=mactel
add interface=ether4-slave-local list=mac-winbox
add interface=bridge-local list=mactel
add interface=ether5-slave-local list=mac-winbox
add interface=wlan1 list=mactel
add interface=bridge-local list=mac-winbox
add interface=wlan1 list=mac-winbox
/ip address
add address=192.168.9.1/24 comment="default configuration" interface=\
    bridge-local network=192.168.9.0
add address=192.168.9.1/24 comment="default configuration" interface=wlan1 \
    network=192.168.9.0
add address=192.168.22.10/24 interface=ether3-slave-local network=\
    192.168.22.0
add address=10.0.0.13 interface=pptp-out1 network=10.0.0.12
add address=****/30 disabled=yes interface=ether4-slave-local \
    network=****
add address=****/30 interface=ether4-slave-local network=\
    ****
add address=10.0.0.15 interface=sstp-out1 network=10.0.0.14
add address=10.0.0.17 disabled=yes interface=l2tp-out1 network=10.0.0.16
add address=192.168.8.1/24 disabled=yes interface=ether3-slave-local network=\
    192.168.8.0
add address=****/24 interface=ether1-gateway network=****
add address=11.11.11.1/24 interface=ap-guest network=11.11.11.0
/ip dhcp-client
add add-default-route=no comment="default configuration" disabled=no \
    interface=ether1-gateway
add default-route-distance=5 interface=ether3-slave-local
add interface=wlan1
/ip dhcp-server network
add address=11.11.11.0/24 comment="ICC-Guest WiFi" gateway=11.11.11.1
add address=192.168.9.0/24 comment="default configuration" dns-server=\
    192.168.9.1,8.8.8.8 gateway=192.168.9.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=\
    ****,****,****,****
/ip dns static
add address=192.168.88.1 name=router
/ip firewall filter
add action=reject chain=input dst-port=53 in-interface=ether4-slave-local \
    protocol=udp reject-with=icmp-network-unreachable
add action=accept chain=input comment="default configuration" disabled=yes \
    protocol=icmp
add action=accept chain=input comment="default configuration" \
    connection-state=established disabled=yes
add action=accept chain=input comment="default configuration" \
    connection-state=related disabled=yes
add action=drop chain=input comment="default configuration" disabled=yes \
    in-interface=ether1-gateway
add action=accept chain=forward comment="default configuration" \
    connection-state=established disabled=yes
add action=accept chain=forward comment="default configuration" \
    connection-state=related disabled=yes
add action=drop chain=forward comment="default configuration" \
    connection-state=invalid disabled=yes
add action=accept chain=input comment="FTP File Server" dst-port=\
    ****,**** in-interface=ether1-gateway protocol=tcp
add action=drop chain=forward comment="ICC-Guest WiFi" dst-address=\
    192.168.9.0/24 src-address=11.11.11.0/24
add action=drop chain=forward dst-address=11.11.11.0/24 src-address=\
    192.168.9.0/24
add action=drop chain=input comment="drop ftp brute forcers" dst-port=**** \
    protocol=tcp src-address-list=ftp_blacklist
add action=accept chain=output content="530 Login incorrect" dst-limit=\
    1/1m,9,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=ftp_blacklist \
    address-list-timeout=3h chain=output content="530 Login incorrect" \
    protocol=tcp
add action=drop chain=input comment="drop ssh brute forcers" dst-port=**** \
    protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist \
    address-list-timeout=1w3d chain=input connection-state=new dst-port=**** \
    protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
    address-list-timeout=1m chain=input connection-state=new dst-port=**** \
    protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
    address-list-timeout=1m chain=input connection-state=new dst-port=**** \
    protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
    address-list-timeout=1m chain=input connection-state=new dst-port=**** \
    protocol=tcp
/ip firewall mangle
add action=mark-routing chain=prerouting disabled=yes dst-address=\
    **** new-routing-mark=Out_Ether4 passthrough=yes
add action=mark-routing chain=prerouting disabled=yes new-routing-mark=\
    Out_Ether4 passthrough=yes src-address=192.168.9.4
add action=mark-routing chain=prerouting new-routing-mark=Out_Ether4 \
    passthrough=yes src-address=192.168.9.4
/ip firewall nat
# New_Angola_PPTP_Temp not ready
add action=accept chain=srcnat comment="_New_Angola_PPTP_Temp not ready" \
    dst-address=192.168.2.0/24 out-interface=New_Angola_PPTP_Temp
add action=masquerade chain=srcnat comment="default configuration" \
    dst-address=!192.168.0.0/16 out-interface=ether4-slave-local
add action=masquerade chain=srcnat comment="default configuration" \
    dst-address=!192.168.0.0/16 fragment=no hotspot="" out-interface=\
    ether1-gateway
add action=dst-nat chain=dstnat dst-address=**** dst-port=**** \
    in-interface=ether4-slave-local protocol=tcp to-addresses=192.168.9.4 \
    to-ports=****
add action=masquerade chain=srcnat dst-address=192.168.3.0/24 out-interface=\
    ether3-slave-local
add action=masquerade chain=srcnat dst-address=192.168.4.0/24 out-interface=\
    ether3-slave-local
add action=masquerade chain=srcnat dst-address=192.168.5.0/24 out-interface=\
    ether3-slave-local
add action=masquerade chain=srcnat dst-address=192.168.6.0/24 out-interface=\
    ether3-slave-local
add action=masquerade chain=srcnat dst-address=192.168.7.0/24 out-interface=\
    ether3-slave-local
add action=masquerade chain=srcnat dst-address=192.168.8.0/24 out-interface=\
    ether3-slave-local
add action=masquerade chain=srcnat dst-address=192.168.10.0/24 out-interface=\
    ether3-slave-local
add action=masquerade chain=srcnat dst-address=192.168.11.0/24 out-interface=\
    ether3-slave-local
add action=masquerade chain=srcnat dst-address=192.168.12.0/24 out-interface=\
    ether3-slave-local
add action=masquerade chain=srcnat dst-address=192.168.13.0/24 out-interface=\
    ether3-slave-local
add action=masquerade chain=srcnat dst-address=192.168.14.0/24 out-interface=\
    ether3-slave-local
add action=masquerade chain=srcnat dst-address=192.168.15.0/24 out-interface=\
    ether3-slave-local
add action=masquerade chain=srcnat dst-address=192.168.16.0/24 out-interface=\
    ether3-slave-local
add action=masquerade chain=srcnat dst-address=192.168.17.0/24 out-interface=\
    ether3-slave-local
add action=masquerade chain=srcnat dst-address=192.168.18.0/24 out-interface=\
    ether3-slave-local
add action=masquerade chain=srcnat dst-address=192.168.19.0/24 out-interface=\
    ether3-slave-local
add action=masquerade chain=srcnat dst-address=192.168.20.0/24 out-interface=\
    ether3-slave-local
add action=masquerade chain=srcnat dst-address=192.168.21.0/24 out-interface=\
    ether3-slave-local
add action=masquerade chain=srcnat dst-address=192.168.22.0/24 out-interface=\
    ether3-slave-local
add action=masquerade chain=srcnat dst-address=192.168.23.0/24 out-interface=\
    ether3-slave-local
add action=masquerade chain=srcnat dst-address=192.168.25.0/24 out-interface=\
    ether3-slave-local
add action=masquerade chain=srcnat dst-address=192.168.26.0/24 out-interface=\
    ether3-slave-local
add action=masquerade chain=srcnat dst-address=192.168.27.0/24 out-interface=\
    ether3-slave-local
add action=masquerade chain=srcnat dst-address=192.168.28.0/24 out-interface=\
    ether3-slave-local
add action=masquerade chain=srcnat dst-address=192.168.29.0/24 out-interface=\
    ether3-slave-local
add action=masquerade chain=srcnat dst-address=192.168.30.0/24 out-interface=\
    ether3-slave-local
add action=masquerade chain=srcnat dst-address=192.168.31.0/24 out-interface=\
    ether3-slave-local
add action=masquerade chain=srcnat dst-address=192.168.32.0/24 out-interface=\
    ether3-slave-local
add action=masquerade chain=srcnat dst-address=192.168.33.0/24 out-interface=\
    ether3-slave-local
add action=masquerade chain=srcnat dst-address=192.168.34.0/24 out-interface=\
    ether3-slave-local
add action=masquerade chain=srcnat dst-address=192.168.35.0/24 out-interface=\
    ether3-slave-local
	
	
add action=dst-nat chain=dstnat comment="CCTV DVR KM28" dst-address=\
    **** dst-port=**** protocol=tcp to-addresses=**** \
    to-ports=****
add action=dst-nat chain=dstnat dst-address=**** dst-port=**** \
    protocol=tcp to-addresses=**** to-ports=****
add action=masquerade chain=srcnat dst-address=**** protocol=tcp \
    src-address=192.168.9.0/24

#Deleted other CCTV Configuration

	
	
	
add action=dst-nat chain=dstnat comment="FTP FILEZILLA" dst-port=**** \
    in-interface=ether1-gateway protocol=tcp to-addresses=****
add action=dst-nat chain=dstnat dst-port=**** in-interface=\
    ether1-gateway protocol=tcp to-addresses=****
add action=masquerade chain=srcnat comment="ICC-Guest WiFi" out-interface=\
    ap-guest src-address=11.11.11.0/24
/ip proxy
set cache-path=web-proxy1
/ip route
add distance=4 gateway=**** routing-mark=Out_Ether4
add distance=3 gateway=****
add distance=1 dst-address=10.0.0.12/32 gateway=pptp-out1 pref-src=10.0.0.13 \
    scope=10
add distance=1 dst-address=10.0.0.14/32 gateway=sstp-out1 pref-src=10.0.0.15 \
    scope=10
add disabled=yes distance=1 dst-address=10.0.0.16/32 gateway=l2tp-out1 \
    pref-src=10.0.0.17 scope=10
add distance=1 dst-address=10.10.10.1/32 gateway=\
    New_Angola_PPTP_Temp,New_AngolaL2tp,New_Office_sstp
add distance=1 dst-address=****/32 gateway=****
add distance=1 dst-address=****/32 gateway=****
add disabled=yes distance=1 dst-address=****/32 gateway=\
    ****
add distance=1 dst-address=192.168.2.0/24 gateway=****
add distance=2 dst-address=192.168.2.0/24 gateway=****
add distance=3 dst-address=192.168.2.0/24 gateway=****
add disabled=yes distance=2 dst-address=192.168.2.0/24 gateway=****
add distance=1 dst-address=192.168.3.0/24 gateway=****
add distance=1 dst-address=192.168.4.0/24 gateway=****
add distance=1 dst-address=192.168.5.0/24 gateway=****
add distance=1 dst-address=192.168.6.0/24 gateway=****
add distance=1 dst-address=192.168.7.0/24 gateway=****
add distance=1 dst-address=192.168.8.0/24 gateway=****
add distance=1 dst-address=192.168.100.0/24 gateway=****
add distance=1 dst-address=****/32 gateway=****
add distance=1 dst-address=****/32 gateway=****
/ip service
set telnet disabled=yes port=****
set ftp port=****
set www port=****
set ssh disabled=yes port=****
/port remote-access
add
/system clock
set time-zone-autodetect=no time-zone-name=Africa/Luanda
/system identity
set name=Master
/system leds
set 0 interface=wlan1 leds=wlan-led type=wireless-status
set 1 interface=ether1-gateway leds=led1
set 2 interface=ether2-master-local leds=led2
set 3 interface=ether3-slave-local leds=led3
set 4 interface=ether4-slave-local leds=led4
set 5 interface=ether5-slave-local leds=led5 type=interface-activity
/tool graphing interface
add allow-address=192.168.9.0/24 interface=ether1-gateway
/tool graphing queue
add allow-address=192.168.9.0/24
/tool mac-server
set allowed-interface-list=mactel
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox
 
anav
Forum Guru
Posts: 19103
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: MikroTik Failover with 2 WAN

Sat Sep 03, 2022 7:35 pm

I see you're on vers6 software; however, I will provide the current ver7 format because that will work on both, and when you transition to vers 7.5 stable, for example, it should be seamless as far as routing goes.
In general you really need to simplify all parts of your config.
For example your interface lists, forget discover and mactel, they are very old in approach (same with any discussion of slave and local, not used anymore) and simply use WAN, LAN, and Management.

All smart devices get their IP address on the Management LAN or vlan, and the admin is normally connected on this network.
IF you have a trusted subnet, then put this single subnet on the management interface list.

In any case...
It's very hard to discern what you are doing and what the routing tables should look like.
It is also unclear why you are mangling ISP1 and ISP 2 traffic at this point. Mangling is normally not required for simple failover!!!

Will assume that ether1 is the Primary WAN and ether3? is the secondary failover WAN..

(1) Remove the first line here in yellow because the pppoe settings are all done under that menu and not this menu!!
/ip dhcp-client
add add-default-route=no comment="default configuration" disabled=no interface=ether1-gateway
add default-route-distance=5 interface=ether3-slave-local


(2) It is not clear to me what the first two routes are, but will assume they have nothing to do with the two ISP connections and can be ignored. ????
/ip route
add distance=4 gateway=**** routing-mark=Out_Ether4
add distance=3 gateway=****


(3) Since you have the default routes selected for both pppoe and whatever is on ether3, it's hard to provide advice as they are not normally visible on a config, but I will play as if we were doing it manually and then you can adjust accordingly.
/ip route
add check-gateway=ping comment="Primary ISP" distance=1 dst-address=0.0.0.0/0 gateway=Primary-gatewayIP (table=main)
add comment=SecondaryISP distance=2 dst-address=0.0.0.0/0 gateway=Secondary-gatewayIP (table=main)

In this setup all traffic will go to ISP1 and if it's not available will switch to ISP2 and when ISP1 comes back online will revert back to ISP2.


NOT
a) dst: 0.0.0.0 gateway: ISP1 IP Address and check gateway: ping
b) dst: 0.0.0.0 gateway: ISP2 IP Address and check gateway: ping
3) dst: 0.0.0.0 gateway: ISP1 & ISP2 IP Address and check gateway: ping


You only need to check ping on the primary and why do you have the third entry (note that on all three the distances are missing).

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

What other requirements do you have that are not clearly stated regarding what ISP users should be going out on???
 
katopz24
newbie
Topic Author
Posts: 27
Joined: Fri Sep 28, 2018 10:28 pm

Re: MikroTik Failover with 2 WAN

Mon Sep 05, 2022 12:32 pm

Hi,
Thank you for your effort, I appreciate it!

Btw, for your additional information, here's our network diagram image below.

Image

ITA Router - this is an ISP company to provide connection to our stores. (No internet, just a local connection or VPN)
PBX - Connected to Office in other Country (but not included in the image, because it's only connected to switch)

Red drawing - I will put the connection in eth5 to obtain internet from the other office via Access Point.

Any questions, please let me know.

Thanks
Last edited by katopz24 on Tue Sep 06, 2022 5:17 pm, edited 1 time in total.
 
t4thfavor
just joined
Posts: 18
Joined: Tue Apr 13, 2021 4:40 pm

Re: MikroTik Failover with 2 WAN

Mon Sep 05, 2022 4:32 pm

For simple failover, you can literally just define multiple static default routes, set the metric higher on the secondary connection, and then enable check-gateway or netwatch for each one.

It gets a little more complicated if the gateway is up, but the internet is unreachable via that route, but nothing too crazy.
 
anav
Forum Guru
Posts: 19103
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: MikroTik Failover with 2 WAN  [SOLVED]

Mon Sep 05, 2022 8:13 pm

Yup the basic idea being.

(1) Basic routes needed for both
add dst-address=0.0.0.0/0 gateway=ISP1-gwy check-gateway=ping distance=5
add dst-address=0.0.0.0/0 gateway=ISP2-gwy distance=10

(2) Done! If you needed a subnet to only go out ISP2, then you would create a third route which mirrors the failover route plus...
add dst-address=0.0.0.0/0 gateway=ISP2-gwy distance=10 routing-mark=useWAN2

(3) Create routing rule to put this into effect.
add src-address=LAN_subnet action=lookup table=useWAN2

Note: Using action=lookup means if the route to wan2 is down, in other words your connection to ISP2 is down, the router is allowed to look for alternate routes and will find in Table main the route to ISP1.
If you select action=lookup-only-in-table then if ISP2 is not available the LAN will have no route and no traffic will pass.
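
Added example (not part of the original thread, and a simplified model rather than RouterOS code): a Python sketch of the route selection described in the post above, showing which gateway a packet leaves by under action=lookup versus action=lookup-only-in-table, and why a route without check-gateway keeps being used when its gateway stops answering. The LAN prefix 192.168.9.0/24 is taken from the posted config; the gateway states ("up", "link-down", "unresponsive") and all Python names are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    gateway: str
    distance: int
    table: str = "main"          # routing-mark in the post's syntax
    check_gateway: bool = False  # check-gateway=ping


@dataclass(frozen=True)
class Rule:
    src: str     # source prefix the rule matches
    action: str  # "lookup" or "lookup-only-in-table"
    table: str


# The three routes from the post (gateway names are the post's placeholders).
ROUTES = [
    Route("ISP1-gwy", 5, check_gateway=True),
    Route("ISP2-gwy", 10),
    Route("ISP2-gwy", 10, table="useWAN2"),
]
LAN = "192.168.9.0/24"  # LAN subnet from the posted config
FAIL_OPEN = [Rule(LAN, "lookup", "useWAN2")]
FAIL_CLOSED = [Rule(LAN, "lookup-only-in-table", "useWAN2")]


def is_active(route, gw_state):
    """A route is usable if its gateway is up, or if the gateway is silently
    dead and nothing (no check-gateway) is probing it."""
    state = gw_state[route.gateway]
    if state == "up":
        return True
    return state == "unresponsive" and not route.check_gateway


def best_route(table, routes, gw_state):
    """Lowest-distance active route in one table, or None."""
    candidates = [r for r in routes if r.table == table and is_active(r, gw_state)]
    return min(candidates, key=lambda r: r.distance, default=None)


def egress(src, rules, routes, gw_state):
    """Gateway chosen for a packet from src, or None if there is no route."""
    addr = ipaddress.ip_address(src)
    for rule in rules:
        if addr not in ipaddress.ip_network(rule.src):
            continue
        hit = best_route(rule.table, routes, gw_state)
        if hit:
            return hit.gateway
        if rule.action == "lookup-only-in-table":
            return None  # fail closed: no fallback to table main
        # action=lookup: fall through to later rules, then table main
    hit = best_route("main", routes, gw_state)
    return hit.gateway if hit else None


if __name__ == "__main__":
    states = {
        "all up": {"ISP1-gwy": "up", "ISP2-gwy": "up"},
        "ISP2 link down": {"ISP1-gwy": "up", "ISP2-gwy": "link-down"},
        "ISP2 gateway silent": {"ISP1-gwy": "up", "ISP2-gwy": "unresponsive"},
        "ISP1 gateway silent": {"ISP1-gwy": "unresponsive", "ISP2-gwy": "up"},
    }
    for name, st in states.items():
        print(f"{name:22} LAN/lookup={egress('192.168.9.50', FAIL_OPEN, ROUTES, st)} "
              f"LAN/only-in-table={egress('192.168.9.50', FAIL_CLOSED, ROUTES, st)} "
              f"guest={egress('11.11.11.20', FAIL_OPEN, ROUTES, st)}")
```

In this model the "ISP2 gateway silent" case still selects ISP2-gwy for the LAN, because neither ISP2 route has check-gateway set, so traffic is sent to a dead next hop instead of falling back.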
 
katopz24
newbie
Topic Author
Posts: 27
Joined: Fri Sep 28, 2018 10:28 pm

Re: MikroTik Failover with 2 WAN

Tue Sep 06, 2022 11:14 am

This is very very helpful and more detailed. You've already helped me before. You are amazing!

Thanks for your help! This is now resolved!

Cheers!
 
anav
Forum Guru
Posts: 19103
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: MikroTik Failover with 2 WAN

Tue Sep 06, 2022 3:08 pm

As long as you understand what your config is doing, that's the main point.
