I've set up PPPoE as my primary WAN and I'd like to have my LTE connection as a standby in the event of reachability issues over the PPPoE WAN.
I have LTE set up and a secondary default route, but I am struggling to understand how to set up remote IP monitoring that triggers a failover/failback depending on whether the WAN can reach a remote address, 8.8.8.8 for example.
If someone could guide me in the right direction it would really be appreciated!
Thanks! Dave
Here is my config:
# jan/02/1970 23:18:01 by RouterOS 6.49.7
# software id = NNXJ-E18N
#
# model = RBD52G-5HacD2HnD
# serial number = HCJ081P5AW3
# NOTE(review): the header date is jan/02/1970, so the system clock looks unset
# when this export was taken; log timestamps from this router would be
# unreliable until the clock is synchronised.
# NOTE(review): the PPPoE user below was redacted before posting, but the
# software id, serial number, MAC address and IPsec peer address were not;
# redact those too when sharing an export publicly.
#
# LAN bridge with a fixed admin MAC (auto-mac=no).
/interface bridge
add admin-mac=18:FD:74:11:88:B2 auto-mac=no comment=defconf name=bridge
# ether3 is renamed to mark it as the 4G uplink. NOTE(review): it is still
# added as a port of the LAN bridge under "/interface bridge port" further
# down, which conflicts with using it as a WAN.
/interface ethernet
set [ find default-name=ether3 ] name=ether3-WAN-4G
# Primary WAN: PPPoE session over ether1. add-default-route=yes makes the
# session install its own default route. No default-route-distance is printed,
# so it is presumably at its default; a standby route needs a higher distance
# than this one to act as a backup.
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 user=\
REMOVED@broadband.vodafone.co.uk
# Names the LTE interface lte1. NOTE(review): both lte1 and ether3-WAN-4G look
# like 4G uplinks; confirm which one actually carries the standby connection.
/interface lte
set [ find ] name=lte1
# Two access points (2 GHz on wlan1, 5 GHz on wlan2). Neither line names a
# security-profile, so both use the default profile set at the end of this
# block. NOTE(review): neither line carries disabled=no, so the radios may be
# disabled - confirm.
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=\
MikroTik-1188B6 wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
20/40/80mhz-XXXX country="united kingdom" distance=indoors frequency=auto \
installation=indoor mode=ap-bridge ssid=MikroTik-1188B7 \
wireless-protocol=802.11
# Interface lists referenced by the firewall, NAT, neighbor discovery and
# MAC server settings.
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
# APN for the LTE modem, authenticated with PAP as user "wap".
/interface lte apn
set [ find default=yes ] apn=wap.vodafone.co.uk authentication=pap name=\
"Vodafone Internet" user=wap
# NOTE(review): only supplicant-identity is printed for the default profile;
# no mode= or authentication-types= appears. If those were not simply removed
# before posting, the profile is at its defaults and any enabled AP above
# would be running without WPA2 - verify with
# "/interface wireless security-profiles print".
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# IKEv2 site-to-site tunnel definitions, all named Cato-IKEv2.
# responder=no: this router acts as the initiator for mode-config.
/ip ipsec mode-config
add name=Cato-IKEv2 responder=no
# Policy group that ties the identity to its policy template.
/ip ipsec policy group
add name=Cato-IKEv2
# IKE (phase 1) parameters: DH group modp3072, AES-128, SHA-256.
/ip ipsec profile
add dh-group=modp3072 enc-algorithm=aes-128 hash-algorithm=sha256 name=\
Cato-IKEv2
# Single remote gateway, IKEv2 only. No local-address is set, so the tunnel
# source presumably follows whichever WAN route is active - relevant when the
# LTE standby takes over; confirm the remote side accepts both source addresses.
/ip ipsec peer
add address=185.114.123.217/32 exchange-mode=ike2 name=Cato-IKEv2-London \
profile=Cato-IKEv2
# ESP (phase 2) parameters: AES-128-GCM, no PFS group.
# NOTE(review): with pfs-group=none, rekeyed child SAs do not perform a fresh
# Diffie-Hellman exchange. If the remote gateway supports a PFS group,
# enabling a matching one on both ends limits what a compromised IKE SA key
# exposes. These values must match the remote side, so verify before changing.
/ip ipsec proposal
add auth-algorithms=sha256 enc-algorithms=aes-128-gcm name=Cato-IKEv2 \
pfs-group=none
# DHCP lease range for the 172.20.20.0/24 LAN.
/ip pool
add name=dhcp ranges=172.20.20.50-172.20.20.200
# DHCP server bound to the LAN bridge. It answers on every bridge port,
# including ether3-WAN-4G while that port remains a bridge member.
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
# Simple queues for the LAN subnet: queue1 is the parent, Zoom_Queue is a
# child that matches the Zoom-packet mark (set in "/ip firewall mangle") at
# priority 1/1, and "Other Traffic" matches unmarked packets.
# NOTE(review): no max-limit is printed on any queue, so as exported they do
# not appear to cap bandwidth - confirm.
/queue simple
add name=queue1 target=172.20.20.0/24
add name=Zoom_Queue packet-marks=Zoom-packet parent=queue1 priority=1/1 \
target=172.20.20.0/24
add name="Other Traffic" packet-marks=no-mark target=172.20.20.0/24
# Ports switched together as the LAN bridge.
# NOTE(review): ether3-WAN-4G is a member of this bridge. Because the bridge
# is in the LAN interface list (see "/interface list member" below), anything
# attached to ether3 is treated as trusted LAN: the input-chain rule
# "drop all not coming from LAN" does not apply to it, the LAN DHCP server
# answers on it, and the router's DNS resolver and MAC server are reachable
# from it. If ether3 really connects to a 4G modem/router, remove it from the
# bridge and add it to the WAN list instead.
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3-WAN-4G
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
# Neighbor discovery is announced on LAN interfaces only.
/ip neighbor discovery-settings
set discover-interface-list=LAN
# NOTE(review): detect-internet is enabled on every interface. It is not
# required for WAN failover; if it is not intentionally used, set
# detect-interface-list=none so it cannot interfere with the routing setup.
/interface detect-internet
set detect-interface-list=all
# Interface list membership: bridge is LAN; ether1 and pppoe-out1 are WAN.
# NOTE(review): neither lte1 nor ether3-WAN-4G is in WAN. The masquerade rule
# (out-interface-list=WAN) and the forward rule "drop all from WAN not
# DSTNATed" (in-interface-list=WAN) therefore do not cover the standby link,
# so after a failover traffic would leave un-NATed and new inbound connections
# on that link would not be dropped by the forward chain.
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
# Router's LAN address on the bridge.
/ip address
add address=172.20.20.1/24 comment=defconf interface=bridge network=\
172.20.20.0
# DHCP clients. The first is the defconf client on ether1, the same port that
# carries the PPPoE session. The second is for the 4G uplink on ether3-WAN-4G
# with add-default-route=no and use-peer-dns=no.
# NOTE(review): RouterOS itself flags the second client below - a DHCP client
# cannot run on a bridge slave port, so this client is invalid while
# ether3-WAN-4G stays in the bridge. With add-default-route=no it would not
# install a default route either, and no "/ip route" or "/tool netwatch"
# section appears in the export as posted, so no standby route or
# reachability check is visible here.
/ip dhcp-client
add comment=defconf interface=ether1
# DHCP client can not run on slave interface!
add add-default-route=no comment=WAN2-4G disabled=no interface=ether3-WAN-4G \
use-peer-dns=no
# Options handed to LAN DHCP clients: the router is the gateway.
/ip dhcp-server network
add address=172.20.20.0/24 comment=defconf gateway=172.20.20.1 netmask=24
# The router resolves DNS for clients via 1.1.1.1 / 1.0.0.1.
# allow-remote-requests=yes makes the router answer DNS queries on any
# interface the input chain permits. The input chain only admits the LAN
# list, so exposure depends on LAN membership staying correct; see the
# ether3-WAN-4G bridge membership under "/interface bridge port".
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,1.0.0.1
# Local name for the router itself.
/ip dns static
add address=172.20.20.1 comment=defconf name=router.lan
# Static list of Zoom address ranges. The mangle rules match it as
# dst-address-list=Zoom to mark connections for the Zoom queue, and also add
# dynamic entries to the same list at runtime.
# NOTE(review): these ranges are hard-coded, so they need to be checked
# against the vendor's currently published ranges from time to time; a stale
# entry gives priority marking to whoever holds that address space now.
/ip firewall address-list
add address=3.7.35.0/25 list=Zoom
add address=3.21.137.128/25 list=Zoom
add address=3.22.11.0/24 list=Zoom
add address=3.23.93.0/24 list=Zoom
add address=3.25.41.128/25 list=Zoom
add address=3.25.42.0/25 list=Zoom
add address=3.25.49.0/24 list=Zoom
add address=3.80.20.128/25 list=Zoom
add address=3.96.19.0/24 list=Zoom
add address=3.101.32.128/25 list=Zoom
add address=3.101.52.0/25 list=Zoom
add address=3.104.34.128/25 list=Zoom
add address=3.120.121.0/25 list=Zoom
add address=3.127.194.128/25 list=Zoom
add address=3.208.72.0/25 list=Zoom
add address=3.211.241.0/25 list=Zoom
add address=3.235.69.0/25 list=Zoom
add address=3.235.82.0/23 list=Zoom
add address=3.235.71.128/25 list=Zoom
add address=3.235.72.128/25 list=Zoom
add address=3.235.73.0/25 list=Zoom
add address=3.235.96.0/23 list=Zoom
add address=4.34.125.128/25 list=Zoom
add address=4.35.64.128/25 list=Zoom
add address=8.5.128.0/23 list=Zoom
add address=13.52.6.128/25 list=Zoom
add address=13.52.146.0/25 list=Zoom
add address=13.114.106.166 list=Zoom
add address=18.157.88.0/24 list=Zoom
add address=18.205.93.128/25 list=Zoom
add address=50.239.202.0/23 list=Zoom
add address=50.239.204.0/24 list=Zoom
add address=52.61.100.128/25 list=Zoom
add address=52.81.151.128/25 list=Zoom
add address=52.81.215.0/24 list=Zoom
add address=52.197.97.21 list=Zoom
add address=52.202.62.192/26 list=Zoom
add address=52.215.168.0/25 list=Zoom
add address=64.69.74.0/24 list=Zoom
add address=64.125.62.0/24 list=Zoom
add address=64.211.144.0/24 list=Zoom
add address=65.39.152.0/24 list=Zoom
add address=69.174.57.0/24 list=Zoom
add address=69.174.108.0/22 list=Zoom
add address=99.79.20.0/25 list=Zoom
add address=103.122.166.0/23 list=Zoom
add address=109.94.160.0/22 list=Zoom
add address=109.244.18.0/25 list=Zoom
add address=109.244.19.0/24 list=Zoom
add address=111.33.181.0/25 list=Zoom
add address=115.110.154.192/26 list=Zoom
add address=115.114.56.192/26 list=Zoom
add address=115.114.115.0/26 list=Zoom
add address=115.114.131.0/26 list=Zoom
add address=120.29.148.0/24 list=Zoom
add address=140.238.128.0/24 list=Zoom
add address=147.124.96.0/19 list=Zoom
add address=149.137.0.0/17 list=Zoom
add address=152.67.20.0/24 list=Zoom
add address=152.67.118.0/24 list=Zoom
add address=152.67.180.0/24 list=Zoom
add address=158.101.64.0/24 list=Zoom
add address=160.1.56.128/25 list=Zoom
add address=161.189.199.0/25 list=Zoom
add address=161.199.136.0/22 list=Zoom
add address=162.12.232.0/22 list=Zoom
add address=162.255.36.0/22 list=Zoom
add address=165.254.88.0/23 list=Zoom
add address=168.138.16.0/24 list=Zoom
add address=168.138.48.0/24 list=Zoom
add address=168.138.72.0/24 list=Zoom
add address=168.138.244.0/24 list=Zoom
add address=173.231.80.0/20 list=Zoom
add address=192.204.12.0/22 list=Zoom
add address=193.122.32.0/22 list=Zoom
add address=193.123.0.0/19 list=Zoom
add address=193.123.40.0/22 list=Zoom
add address=193.123.128.0/19 list=Zoom
add address=198.251.128.0/17 list=Zoom
add address=202.177.207.128/27 list=Zoom
add address=202.177.213.96/27 list=Zoom
add address=204.80.104.0/21 list=Zoom
add address=204.141.28.0/22 list=Zoom
add address=207.226.132.0/24 list=Zoom
add address=209.9.211.0/24 list=Zoom
add address=209.9.215.0/24 list=Zoom
add address=210.57.55.0/24 list=Zoom
add address=213.19.144.0/24 list=Zoom
add address=213.19.153.0/24 list=Zoom
add address=213.244.140.0/24 list=Zoom
add address=221.122.88.64/27 list=Zoom
add address=221.122.88.128/25 list=Zoom
add address=221.122.89.128/25 list=Zoom
add address=221.123.139.192/27 list=Zoom
# Redundant: 8.5.128.0/24 is already covered by the 8.5.128.0/23 entry above.
add address=8.5.128.0/24 list=Zoom
# Default-configuration IPv4 filter. Rules are evaluated top to bottom, so
# their order is part of the policy.
/ip firewall filter
# --- input chain: traffic addressed to the router itself ---
# Allow replies to connections that are already tracked.
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
# Drop packets that conntrack cannot associate with a valid connection.
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
# ICMP to the router is accepted from every interface, WAN included.
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# Everything else reaches the router only if it arrives on a LAN-list
# interface. This rule is the sole protection for the management services
# and the DNS resolver, so it is only as good as the LAN list membership.
# NOTE(review): ether3-WAN-4G is a port of the LAN bridge, so traffic arriving
# on it counts as LAN here.
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
# --- forward chain: traffic routed through the router ---
# IPsec-protected traffic is accepted ahead of the fasttrack rule, so it is
# matched here before fasttrack can pick it up.
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
# Established/related connections are fasttracked.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
# New connections arriving on a WAN-list interface are dropped unless a
# dst-nat rule matched them.
# NOTE(review): this is the only rule that blocks unsolicited inbound
# forwarding and it matches in-interface-list=WAN only. The LTE interface is
# not in WAN, so new connections arriving over the standby link are not
# dropped here, and the chain has no final catch-all drop.
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
# Marking for the Zoom priority queue.
# NOTE(review): the filter table fasttracks established/related connections;
# fasttracked packets are expected to bypass mangle and simple queues, so
# these marks may only be applied to the first packets of a connection -
# confirm against the rule counters.
/ip firewall mangle
# Learn "missing" Zoom servers: the destination of any TCP/UDP packet to the
# listed ports is added to the Zoom list with no timeout (none-dynamic, i.e.
# kept until reboot).
# NOTE(review): these two rules have no in-interface-list, src-address or
# dst-address restriction. Any host whose packets pass prerouting can cause
# arbitrary addresses to be added to the list simply by using one of these
# ports (3478/3479 are generic STUN/TURN ports, not Zoom-specific), after
# which TCP 80/443 to those addresses is also marked as Zoom. The list can
# grow without bound until reboot. Consider restricting the rules to
# in-interface-list=LAN and giving address-list-timeout a finite value.
add action=add-dst-to-address-list address-list=Zoom address-list-timeout=\
none-dynamic chain=prerouting comment=\
"Add missing Zoom server IPs to FW List" dst-port=\
3478,3479,5090,5091,8801-8810 protocol=tcp
add action=add-dst-to-address-list address-list=Zoom address-list-timeout=\
none-dynamic chain=prerouting comment=\
"Add missing Zoom server IPs to FW List" dst-port=\
3478,3479,5090,5091,8801-8810 protocol=udp
# Mark connections to Zoom-list addresses on the media ports (TCP, then UDP).
add action=mark-connection chain=prerouting dst-address-list=Zoom dst-port=\
3478,3479,5090,5091,8801-8810 new-connection-mark=Zoom-Connection \
passthrough=yes protocol=tcp
add action=mark-connection chain=prerouting dst-address-list=Zoom dst-port=\
3478,3479,5090,5091,8801-8810 new-connection-mark=Zoom-Connection \
passthrough=yes protocol=udp
# Web traffic (TCP 80/443) to Zoom-list addresses gets the same mark.
add action=mark-connection chain=prerouting dst-address-list=Zoom dst-port=\
80,443 new-connection-mark=Zoom-Connection passthrough=yes protocol=tcp
# Turn the connection mark into the packet mark that Zoom_Queue matches;
# passthrough=no stops mangle processing for the packet at this rule.
add action=mark-packet chain=prerouting connection-mark=Zoom-Connection \
new-packet-mark=Zoom-packet passthrough=no
# Source NAT for traffic leaving through WAN-list interfaces. ipsec-policy=
# out,none excludes packets that match an IPsec policy, so tunnel traffic
# keeps its original source address.
# NOTE(review): the LTE interface is not in the WAN list, so traffic leaving
# over the standby link would not be masqueraded by this rule.
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
# Identity for the Cato peer. generate-policy=port-strict lets policies be
# generated from the Cato-IKEv2 template group.
# NOTE(review): no auth-method or secret is printed; presumably a pre-shared
# key that was left out of the post - confirm it is not at a default or
# empty value.
/ip ipsec identity
add generate-policy=port-strict mode-config=Cato-IKEv2 peer=Cato-IKEv2-London \
policy-template-group=Cato-IKEv2
# IPsec policies for LAN 172.20.20.0/24. "set 0" edits the entry at index 0
# (normally the built-in template); the two "add" lines create tunnel-mode
# policies towards 10.2.0.0/24 and 10.41.0.0/16.
# NOTE(review): entry 0 is commented "Local LAN" but uses the same
# dst-address (10.2.0.0/24) as the "Azure Server Subnet" policy - confirm
# this is intended.
/ip ipsec policy
set 0 comment="Local LAN" dst-address=10.2.0.0/24 group=Cato-IKEv2 proposal=\
Cato-IKEv2 src-address=172.20.20.0/24
add comment="Azure Server Subnet" dst-address=10.2.0.0/24 peer=\
Cato-IKEv2-London proposal=Cato-IKEv2 src-address=172.20.20.0/24 tunnel=\
yes
add comment="VPN Range Subnet" dst-address=10.41.0.0/16 peer=\
Cato-IKEv2-London proposal=Cato-IKEv2 src-address=172.20.20.0/24 tunnel=\
yes
# NOTE(review): always-allow-password-login=yes keeps SSH password logins
# enabled even for users that have a public key installed, so key-based
# login does not remove the password-guessing surface. Set it to "no" once
# keys are deployed. strong-crypto is not printed, so it is presumably at its
# default - consider enabling it.
# No "/ip service" section appears in the export as posted, so the management
# services are presumably at their defaults; they are shielded from the WAN
# only by the input-chain rule that drops non-LAN traffic.
/ip ssh
set always-allow-password-login=yes
# Router hostname.
/system identity
set name=Cullen-Router
# MAC-Telnet and MAC-Winbox are limited to LAN-list interfaces.
# NOTE(review): ether3-WAN-4G is a port of the LAN bridge, so these layer-2
# management services are also reachable from whatever is attached to it.
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN