rostyvyg
just joined
Topic Author
Posts: 14
Joined: Tue Oct 09, 2018 8:41 pm

How to Set Up a Second WAN Port for Failover? SOLVED

Tue Jun 28, 2022 11:56 pm

I have a MikroTik hAP AC RouterBoard, Triple Chain Access Point 802.11ac (RB962UiGS-5HacT2HnT-US).
I changed the configuration to use it as a WiFi hotspot for my home devices, with the WAN connected to my Mikrotik 52 Metal (which works as a WiFi booster) and the WAN port on ether5 instead of the default ether1 (to power the 52 Metal via POE). I also set up the router to have the IP address 192.168.98.1 and a DHCP server on the LAN, and to obtain its IP address automatically from the WAN. This worked well for a few years, but I recently acquired Starlink, which I am able to power from the POE injector and want to use as the primary WAN source, leaving the Mikrotik 52 Metal extender for failover (my current WAN provider is quite flaky). I want the priority to go to Starlink, which I plan to connect to ether4.

What changes do I have to make to the router configuration?

My current working configuration is below:
# jun/27/2022 16:51:46 by RouterOS 6.49.6
# software id = KRZN-YWXP
#
# model = RouterBOARD 962UiGS-5HacT2HnT
# serial number = 8A7D**A72F*A
/interface bridge
add admin-mac=CC:2D:E0:E0:13:7F auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether5 ] auto-negotiation=no speed=100Mbps
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk eap-methods="" \
    management-protection=allowed mode=dynamic-keys name=Lastochka \
    supplicant-identity="" wpa-pre-shared-key=5163613392 wpa2-pre-shared-key=\
    5*************2
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    disabled=no distance=indoors frequency=auto mode=ap-bridge \
    security-profile=Lastochka ssid=Lastochka_2G station-roaming=enabled \
    wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX disabled=no distance=indoors frequency=auto mode=\
    ap-bridge security-profile=Lastochka ssid=Lastochka_5G station-roaming=\
    enabled wireless-protocol=802.11
/ip pool
add name=dhcp ranges=192.168.98.10-192.168.98.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=all
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether5 list=WAN
/ip address
add address=192.168.98.1/24 comment=defconf interface=bridge network=\
    192.168.98.0
/ip dhcp-client
add disabled=no interface=ether5
/ip dhcp-server network
add address=192.168.98.0/24 comment=defconf gateway=192.168.98.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.98.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip route
add check-gateway=arp distance=1 dst-address=192.168.100.1/32 gateway=ether5 \
    pref-src=0.0.0.0
/system clock
set time-zone-name=America/New_York
/system identity
set name=MikroTik-Router
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Last edited by rostyvyg on Wed Jun 29, 2022 11:09 pm, edited 1 time in total.
 
rostyvyg
just joined
Topic Author
Posts: 14
Joined: Tue Oct 09, 2018 8:41 pm

Re: How to Set Up a Second WAN Port for Failover? SOLVED

Wed Jun 29, 2022 11:07 pm

OK, after some pain and suffering this is what I came up with: I removed ether4 from the bridge and created a new WAN port with ether4. I added a DHCP client to ether4 with the "Create default route" option enabled. Starlink connects to ether4. The Mikrotik 52 Metal connects to ether5. The DHCP client on ether5 has the "create default rule" option disabled. Since the 52 Metal is configured with a static IP address to be a gateway at 192.168.88.1, I added a rule directing all traffic to 192.168.88.1 with a distance of 3. Now, when the Starlink Dishy is stowed or offline, the DHCP client on ether4 cannot obtain an IP address and does not create a route to the Starlink gateway. Thus all traffic gets directed to 192.168.88.1 through ether5. The moment Starlink gets online and gives the ether4 DHCP client an IP address, a default rule directing traffic to the Starlink gateway gets created, and since the distance of the default rule is 1, this takes precedence over the static route to the 52 Metal gateway, which has a distance of 3.

Now, the static route to 192.168.100.1 was added to allow managing Starlink either via the app or via a browser. Interestingly enough, when Starlink first powers up it gives the ether4 DHCP client an address from the 192.168.100.1/24 range and creates a default route. The lease is very short and gets renewed every 5 seconds until Starlink gets online and substitutes this address with the Internet address, after which you can't manage Starlink without the static route mentioned above.

This is the working configuration for that setup:
# jun/29/2022 15:42:45 by RouterOS 6.49.6
# software id = KRZN-YWXP
#
# model = RouterBOARD 962UiGS-5HacT2HnT
# serial number = 8A*D0*A**F8A
/interface bridge
add admin-mac=CC:2D:E0:E*:13:*F auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether4 ] advertise=100M-half,100M-full comment=\
    Starlink name=ether4-WAN1
set [ find default-name=ether5 ] auto-negotiation=no comment=\
    "Mikrotik 52 Metal" name=ether5-WAN2 speed=100Mbps
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk eap-methods="" \
    management-protection=allowed mode=dynamic-keys name=Lastochka \
    supplicant-identity="" wpa-pre-shared-key=51*******2 wpa2-pre-shared-key=\
    5163613392
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    disabled=no distance=indoors frequency=auto mode=ap-bridge \
    security-profile=Lastochka ssid=Lastochka_2G station-roaming=enabled \
    wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX disabled=no distance=indoors frequency=auto mode=\
    ap-bridge security-profile=Lastochka ssid=Lastochka_5G station-roaming=\
    enabled wireless-protocol=802.11
/ip pool
add name=dhcp ranges=192.168.98.10-192.168.98.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=all
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether5-WAN2 list=WAN
add interface=ether4-WAN1 list=WAN
/ip address
add address=192.168.98.1/24 comment=defconf interface=bridge network=\
    192.168.98.0
/ip dhcp-client
add add-default-route=no disabled=no interface=ether5-WAN2
add disabled=no interface=ether4-WAN1
/ip dhcp-server network
add address=192.168.98.0/24 comment=defconf gateway=192.168.98.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.98.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip route
add check-gateway=ping distance=3 gateway=192.168.88.1
add check-gateway=arp distance=3 dst-address=192.168.88.1/32 gateway=\
    ether5-WAN2 pref-src=0.0.0.0
add check-gateway=arp distance=1 dst-address=192.168.100.1/32 gateway=\
    ether4-WAN1 pref-src=0.0.0.0
/system clock
set time-zone-name=America/New_York
/system identity
set name=MikroTik-Router
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
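As an added check (not code from the thread), this Python parses the three sections of a RouterOS export that the failover change touches and verifies the property the second post relies on: every interface running a DHCP client is a member of the WAN interface list (which the masquerade rule and the "drop all from WAN not DSTNATed" rule key on) and is no longer a bridge port. The sample exports are constructed excerpts shaped like the ones above, and the function names are mine.

```python
import re
# Constructed excerpts shaped like the exports above (same interface names; only the three sections the check reads).
GOOD_EXPORT = """\
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether5-WAN2 list=WAN
add interface=ether4-WAN1 list=WAN
/ip dhcp-client
add add-default-route=no disabled=no interface=ether5-WAN2
add disabled=no interface=ether4-WAN1
"""
# Same layout, but ether4 was left in the bridge and never added to list WAN.
BAD_EXPORT = """\
/interface bridge port
add bridge=bridge comment=defconf interface=ether4
/interface list member
add comment=defconf interface=ether5 list=WAN
/ip dhcp-client
add disabled=no interface=ether5
add disabled=no comment=\\
    Starlink interface=ether4
"""
KV = re.compile(r'(\S+?)=("[^"]*"|\S*)')  # key=value; the value may be "quoted with spaces"

def parse_export(text):
    """Map each '/section' line to its 'add' entries as dicts; a trailing backslash continues a line."""
    text = re.sub(r"\\\n\s*", "", text)  # join continuation lines and drop their indentation
    sections, current = {}, None
    for line in text.splitlines():
        if line.startswith("/"):
            current = line.strip()
        elif line.startswith("add ") and current:
            sections.setdefault(current, []).append({k: v.strip('"') for k, v in KV.findall(line[4:])})
    return sections

def check_wan_isolation(sections):
    """DHCP-client interfaces must be in list WAN (masquerade and the WAN drop rules key on it) and not bridge ports."""
    bridged = {e["interface"] for e in sections.get("/interface bridge port", [])}
    wan = {e["interface"] for e in sections.get("/interface list member", []) if e.get("list") == "WAN"}
    findings = []
    for e in sections.get("/ip dhcp-client", []):
        name = e["interface"]
        if name not in wan:
            findings.append(f"{name}: DHCP client, but not a member of interface list WAN")
        if name in bridged:
            findings.append(f"{name}: DHCP client on a bridge port (upstream switched into the LAN)")
    return findings
```

Running it on a full `/export` output works the same way; only the `add` lines of the three sections are read, so `set [ find ... ]` lines and comments are ignored.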
