Thanks for your answer but unfortunately, it doesn't work.
In fact, my problem only appears when the distance (priority) of the default route via vlan-internet changes. I set this mechanism up for 4G fail-over: if I can't ping 8.8.4.4 through the vlan-internet interface, I raise the distance of the vlan-internet default route above that of my 4G connection, so that the 4G route is preferred.
Everything works perfectly if I remove the 192.168.4.1 address from the vlan-internet interface. But I have no possibility to use two ports, and I want to reach the ONT box to retrieve its metrics.
Below is my configuration. Thanks for any help.
/interface bridge
# Two L2 domains: 'bridge' (main LAN) and 'bridge-guest'; each gets its own address, pool and DHCP server further down.
add name=bridge
add name=bridge-guest
/interface lte
set [ find default-name=lte1 ] allow-roaming=no band=""
/interface wireless
# managed by CAPsMAN
# channel: 2452/20-Ce/gn(17dBm), SSID: xxxx, local forwarding
set [ find default-name=wlan1 ] disabled=no ssid=MikroTik
# managed by CAPsMAN
# channel: 5180/20-Ceee/ac/P(20dBm), SSID: xxxx, local forwarding
set [ find default-name=wlan2 ] disabled=no ssid=MikroTik
/interface vlan
# ISP uplink: tagged VLAN 100 on ether1. ether1 is also a port of 'bridge' (see /interface bridge port),
# so untagged frames arriving on the same cable land on the LAN side - confirm that is intended.
add interface=ether1 name=vlan-internet vlan-id=100
/caps-man datapath
# Main datapath: clients bridged locally on 'bridge', client-to-client forwarding allowed.
add arp=enabled bridge=bridge client-to-client-forwarding=yes l2mtu=1600 \
local-forwarding=yes mtu=1500 name=datapath-xxxx
# Guest datapath omits client-to-client-forwarding (explicitly yes on datapath-xxxx); if the default
# is 'no' this isolates guest clients from each other - TODO confirm.
add arp=disabled bridge=bridge-guest l2mtu=1600 mtu=1500 name=datapath-GUEST
/caps-man security
# WPA2-PSK with AES-CCM only (no TKIP). Pre-shared keys are not included in this export.
add authentication-types=wpa2-psk encryption=aes-ccm name=security-xxxx
add authentication-types=wpa2-psk encryption=aes-ccm name=security-GUEST
/caps-man configuration
add country=france datapath=datapath-xxxx mode=ap name=cfg-xxxx security=\
security-xxxx ssid=xxxx
add country=france datapath=datapath-GUEST name=cfg-GUEST security=\
security-GUEST ssid=xxxx_Guest
/caps-man interface
# Static CAP radio entries (three CAPs: couloir, ext, garage). The guest entries are virtual APs
# riding on the 2.4GHz master radios (master-interface set, radio-mac all zeros).
add configuration=cfg-xxxx datapath=datapath-xxxx disabled=no l2mtu=1600 \
mac-address=2C:C8:1B:59:A0:A8 master-interface=none mtu=0 name=\
xxxx-cap-couloir-2.4GHz radio-mac=2C:C8:1B:59:A0:A8 radio-name=\
2CC81B59A0A8
add configuration=cfg-xxxx datapath=datapath-xxxx disabled=no l2mtu=1600 \
mac-address=2C:C8:1B:59:A0:A9 master-interface=none mtu=0 name=\
xxxx-cap-couloir-5GHz radio-mac=2C:C8:1B:59:A0:A9 radio-name=2CC81B59A0A9
add configuration=cfg-GUEST disabled=no l2mtu=1600 mac-address=\
2E:C8:1B:59:A0:A8 master-interface=xxxx-cap-couloir-2.4GHz mtu=0 name=\
xxxx-cap-couloir-guest-2.4GHz radio-mac=00:00:00:00:00:00 radio-name=""
add configuration=cfg-xxxx datapath=datapath-xxxx disabled=no l2mtu=1600 \
mac-address=18:FD:74:60:83:B5 master-interface=none mtu=0 name=\
xxxx-cap-ext-2.4GHz radio-mac=18:FD:74:60:83:B5 radio-name=18FD746083B5
add configuration=cfg-xxxx datapath=datapath-xxxx disabled=no l2mtu=1600 \
mac-address=18:FD:74:60:83:B6 master-interface=none mtu=0 name=\
xxxx-cap-ext-5GHz radio-mac=18:FD:74:60:83:B6 radio-name=18FD746083B6
add configuration=cfg-GUEST disabled=no l2mtu=1600 mac-address=\
1A:FD:74:60:83:B5 master-interface=xxxx-cap-ext-2.4GHz mtu=0 name=\
xxxx-cap-ext-guest-2.4GHz radio-mac=00:00:00:00:00:00 radio-name=""
add configuration=cfg-xxxx datapath=datapath-xxxx disabled=no l2mtu=1600 \
mac-address=2C:C8:1B:59:A0:88 master-interface=none mtu=0 name=\
xxxx-cap-garage-2.4GHz radio-mac=2C:C8:1B:59:A0:88 radio-name=\
2CC81B59A088
add configuration=cfg-xxxx datapath=datapath-xxxx disabled=no l2mtu=1600 \
mac-address=2C:C8:1B:59:A0:89 master-interface=none mtu=0 name=\
xxxx-cap-garage-5GHz radio-mac=2C:C8:1B:59:A0:89 radio-name=2CC81B59A089
/interface list
# LAN/WAN lists drive the firewall filter, the masquerade rule and detect-internet; membership is
# assigned under /interface list member.
add name=LAN
add name=WAN
/interface lte apn
# LTE APN uses PAP (cleartext credential towards the carrier); the password is not exported.
# default-route-distance=10 is the value the FAILOVER-4G script competes against: the FTTH default
# route 'isp1' is set to distance 1 (preferred) or 100 (LTE wins).
set [ find default=yes ] apn=orange authentication=pap \
default-route-distance=10 ip-type=ipv4 name=Orange use-network-apn=no \
use-peer-dns=no user=orange
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip dhcp-client option
# DHCP option 60 presenting the router as the ISP's own box so the ISP DHCP hands out a lease.
# The value is a single-quoted string inside double quotes - both quote levels are required.
add code=60 name=vendor-class-identifier value="'neufbox_NB6V_xxxxxxxx'"
/ip ipsec peer
add address=v.xxxx.xxx exchange-mode=ike2 name="peer vpn.ike2.xxxx"
/ip ipsec profile
# IKEv2 phase 1: AES-256 / SHA-256 / MODP2048.
set [ find default=yes ] dh-group=modp2048 enc-algorithm=aes-256 \
hash-algorithm=sha256 name="profile vpn.ike2.xxxx"
/ip ipsec proposal
# Phase 2 has pfs-group=none: child SAs are derived from the IKE keys alone for the whole 8h
# lifetime. A PFS group matching the remote end limits the impact of an IKE key compromise.
set [ find default=yes ] auth-algorithms=sha256 enc-algorithms=\
aes-256-cbc,aes-256-ctr,aes-256-gcm lifetime=8h pfs-group=none
/ip pool
add name=dhcp-pool-xxxx ranges=192.168.10.50-192.168.10.100
add name=dhcp-pool-guest ranges=192.168.12.50-192.168.12.100
/ip dhcp-server
# add-arp=yes only restricts clients to their lease if the bridge's ARP mode is reply-only;
# 'bridge' is created above without an arp= setting, so this is informational here.
add add-arp=yes address-pool=dhcp-pool-xxxx interface=bridge name=dhcp-srv-xxxx
add address-pool=dhcp-pool-guest interface=bridge-guest name=dhcp-srv-guest
/routing table
# Routing table 'ONT' is created but no route, rule or mark in this export refers to it -
# possibly a leftover from an earlier attempt at reaching the ONT.
add disabled=no fib name=ONT
/caps-man access-list
# Reject clients whose signal is in -120..-70 on the 'ext' CAP radios (with a 10s grace period).
add action=reject allow-signal-out-of-range=10s disabled=no interface=\
xxxx-cap-ext-5GHz signal-range=-120..-70 ssid-regexp=""
add action=reject allow-signal-out-of-range=10s disabled=no interface=\
xxxx-cap-ext-2.4GHz signal-range=-120..-70 ssid-regexp=""
/caps-man manager
# CAPsMAN with auto-generated CA/certificate; CAP traffic (UDP 5246/5247) is accepted only from
# non-WAN interfaces by the input filter below.
set ca-certificate=auto certificate=auto enabled=yes upgrade-policy=\
suggest-same-version
/caps-man provisioning
# Any CAP that reaches the manager is provisioned with cfg-xxxx and enabled automatically.
add action=create-enabled master-configuration=cfg-xxxx
/interface bridge port
# ether1 is both a LAN bridge port and the parent of vlan-internet (VLAN 100, the ISP uplink).
add bridge=bridge ingress-filtering=no interface=ether1
add bridge=bridge ingress-filtering=no interface=wlan1
add bridge=bridge ingress-filtering=no interface=wlan2
/ip neighbor discovery-settings
# '!dynamic' enables MNDP/CDP/LLDP on every static interface, which includes ether1 and
# vlan-internet (WAN list). Discovery frames advertise identity, version and addresses towards
# the ISP side; 'discover-interface-list=LAN' limits this to the inside.
set discover-interface-list=!dynamic
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
# IPv6 fully disabled, so none of the IPv4-only firewall rules below need an IPv6 counterpart.
set disable-ipv6=yes max-neighbor-entries=8192
/interface detect-internet
# detect-internet can add interfaces to the LAN/WAN lists dynamically based on what it detects.
# The same lists drive the firewall, so a misdetection changes what the input/forward drops cover;
# consider leaving these lists purely static.
set detect-interface-list=all internet-interface-list=WAN lan-interface-list=\
LAN wan-interface-list=WAN
/interface list member
add interface=wlan1 list=LAN
add interface=wlan2 list=LAN
add interface=bridge list=LAN
add interface=lte1 list=WAN
add interface=vlan-internet list=WAN
# ether1 (the physical cable to the ONT) is trusted as LAN while its tagged child vlan-internet is
# WAN; confirm untagged traffic from the ONT side should be treated as LAN.
add interface=ether1 list=LAN
/interface ovpn-server server
# MD5 is listed as an accepted HMAC. Whether the OVPN server is enabled is not visible in this
# export; if it is, drop md5 from the list.
set auth=sha1,md5
/interface wireless cap
#
# Local radios act as a CAP towards the CAPsMAN running on this same router (192.168.10.1).
set bridge=bridge caps-man-addresses=192.168.10.1 certificate=request \
enabled=yes interfaces=wlan1,wlan2
/ip address
add address=192.168.10.1/24 interface=bridge network=192.168.10.0
add address=192.168.12.1/24 interface=bridge-guest network=192.168.12.0
# 'ipont' exists only to reach the ONT's management address over the ISP VLAN; the FAILOVER-4G
# script disables and re-enables it when the FTTH link comes back.
add address=192.168.4.1/24 comment=ipont interface=vlan-internet network=\
192.168.4.0
/ip cloud
# Publishes this router's public address under a MikroTik DDNS name every 5 minutes.
set ddns-enabled=yes ddns-update-interval=5m
/ip dhcp-client
# add-default-route=no: the default route is the static 'isp1' route (interface gateway) below.
# Lease script notes:
#  - `/ip\" route set ...` contains an escaped quote right after /ip; as exported that command is
#    not valid, most likely a paste/edit slip.
#  - `find vrf-interface=vlan-internet` may match more than one connected route once the
#    interface carries both the lease address and 192.168.4.1/24; `get` on a multi-entry result
#    fails and $gw stays empty - TODO confirm with /ip route print where vrf-interface=vlan-internet.
#    This would be consistent with the problem disappearing when 192.168.4.1 is removed.
add add-default-route=no comment=isp1 dhcp-options=\
hostname,clientid,vendor-class-identifier interface=vlan-internet script="\
#affecte la gateway sur la route speciale pour le failover a chaque change\
ment d'IP\r\
\n# /system scheduler set VERIFY-FTTH disabled=yes\r\
\n#:delay 5s\r\
\n:global gw [/ip route get [find vrf-interface=vlan-internet] value-name=\
gateway];\r\
\n/ip\" route set [find comment=\"isp1\"] gateway=\$gw;\r\
\n#/system scheduler set VERIFY-FTTH disabled=no\r\
\n /ip cloud force-update" use-peer-dns=no use-peer-ntp=no
/ip dhcp-server network
# LAN clients get the router as DNS and NTP (plus 1.1.1.1); guests go straight to public DNS.
add address=192.168.10.0/24 caps-manager=192.168.10.1 dns-server=\
192.168.10.1,1.1.1.1 domain=xxxx.local gateway=192.168.10.1 netmask=24 \
ntp-server=192.168.10.1
add address=192.168.12.0/24 dns-server=1.1.1.1,1.0.0.1 domain=guest.local \
gateway=192.168.12.1 netmask=24
/ip dns
# allow-remote-requests=yes makes the router a resolver for every source that reaches the input
# chain; WAN exposure is prevented only by the 'drop all not coming from LAN' rule below, so the
# source-address accepts placed ahead of it also open the resolver to those ranges.
set allow-remote-requests=yes servers=1.1.1.1,1.0.0.1
/ip firewall address-list
# None of the lists below ('block', 'ournetwork', 'cloudflare', 'BetterUptime') is referenced by
# any filter or NAT rule visible in this export (a raw/mangle rule not shown may use them).
# The 'block' entries give no protection by themselves until a drop rule matches on the list.
add address=87.225.75.208 list=block
add address=185.189.112.96 list=block
add address=95.70.58.91 list=block
add address=95.70.87.131 list=block
add address=92.37.143.160 list=block
add address=27.0.0.0/8 list=block
add address=185.104.184.106 list=block
add address=92.37.236.194 list=block
# Labelled 'LAN Network' but the local LAN here is 192.168.10.0/24; 192.168.1.0/24 is the IPsec
# remote site - the comment looks stale.
add address=192.168.1.0/24 comment="LAN Network" list=ournetwork
add address=95.70.121.30 list=block
add address=185.104.184.143 list=block
add address=95.70.57.104 list=block
add address=27.122.14.81 list=block
add address=173.245.48.0/20 list=cloudflare
add address=103.21.244.0/22 list=cloudflare
add address=103.22.200.0/22 list=cloudflare
add address=103.31.4.0/22 list=cloudflare
add address=141.101.64.0/18 list=cloudflare
add address=108.162.192.0/18 list=cloudflare
add address=190.93.240.0/20 list=cloudflare
add address=188.114.96.0/20 list=cloudflare
add address=197.234.240.0/22 list=cloudflare
add address=198.41.128.0/17 list=cloudflare
add address=162.158.0.0/15 list=cloudflare
add address=104.16.0.0/13 list=cloudflare
add address=172.64.0.0/13 list=cloudflare
add address=131.0.72.0/22 list=cloudflare
add address=104.24.0.0/14 list=cloudflare
add address=23.88.41.31 list=BetterUptime
add address=3.220.166.35 list=BetterUptime
add address=45.33.100.21 list=BetterUptime
add address=45.56.78.139 list=BetterUptime
add address=45.79.47.102 list=BetterUptime
add address=168.119.96.54 list=BetterUptime
add address=168.119.90.223 list=BetterUptime
add address=168.119.96.203 list=BetterUptime
add address=54.243.207.163 list=BetterUptime
add address=74.207.228.249 list=BetterUptime
add address=95.216.117.142 list=BetterUptime
add address=139.162.109.252 list=BetterUptime
add address=172.104.109.161 list=BetterUptime
add address=172.105.173.108 list=BetterUptime
add address=172.105.190.118 list=BetterUptime
add address=172.105.206.169 list=BetterUptime
add address=116.202.157.36 list=BetterUptime
add address=116.202.33.182 list=BetterUptime
add address=172.105.169.250 list=BetterUptime
/ip firewall filter
# Input chain: default-config skeleton plus CAPsMAN and VPN-side exceptions.
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="CAP to CAPsMAN" dst-port=5246,5247 \
in-interface-list=!WAN protocol=udp
# Two disabled debugging rules (log-prefix "nn ") kept for reference.
add action=accept chain=input disabled=yes log-prefix="nn " src-address=\
10.0.88.0/24
add action=accept chain=forward disabled=yes dst-address=192.168.10.0/24 \
log-prefix="nn " src-address=10.0.88.0/24
# The next three accepts match on source address only and sit ahead of the WAN drop. They are
# not tied to an interface or to an IPsec policy, so a packet with a spoofed source in
# 10.0.88.0/24, 192.168.1.0/24 or 192.168.100.0/24 arriving on lte1 or vlan-internet reaches every
# local service (DNS, SNMP, CAPsMAN, ...). These ranges arrive through the tunnel, so add
# `ipsec-policy=in,ipsec` (or at least `in-interface-list=!WAN`) to each of them.
add action=accept chain=input src-address=10.0.88.0/24
add action=accept chain=input comment=";;;conf for router from other site" \
src-address=192.168.1.0/24
# Stray quote after chain=input: this line does not import as exported (an incomplete
# comment="..." attribute is the likely cause).
add action=accept chain=input " src-address=192.168.100.0/24
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
# Forward chain: IPsec accepts are correctly placed before fasttrack (fasttracked flows bypass
# the IPsec policy check). There is no final drop, so LAN-to-anywhere forwarding is allowed.
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
# srcnat 'accept' exemptions keep LAN -> VPN-site traffic un-NATed so it can match the IPsec
# policies. There is no exemption for 192.168.4.0/24 -> 192.168.1.0/24 although a policy for
# that pair exists under /ip ipsec policy.
add action=accept chain=srcnat dst-address=192.168.1.0/24 src-address=\
192.168.10.0/24
add action=accept chain=srcnat dst-address=192.168.100.0/24 src-address=\
192.168.10.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" \
out-interface-list=WAN
/ip ipsec identity
# Certificate-based IKEv2 identity; this router is the mode-config client (request-only) and
# generates policies from the template for what the server pushes.
add auth-method=digital-signature certificate=xxxx.xxx.xxxx generate-policy=\
port-strict mode-config=request-only my-id=user-fqdn:xxxx@xxxx.xxx peer=\
"peer vpn.ike2.xxxx" remote-id=fqdn:v.xxxx.xxx
/ip ipsec policy
# Policy 0 (presumably the default template) is narrowed to the remote pool 10.0.88.0/24.
set 0 dst-address=0.0.0.0/0 src-address=10.0.88.0/24
add dst-address=192.168.1.0/24 level=unique peer="peer vpn.ike2.xxxx" \
src-address=192.168.10.0/24 tunnel=yes
add dst-address=192.168.100.0/24 level=unique peer="peer vpn.ike2.xxxx" \
src-address=192.168.10.0/24 tunnel=yes
# Same destination as the first policy but sourced from the ONT subnet. Without a matching
# srcnat exemption this traffic is masqueraded before policy lookup, so the policy is unlikely to
# ever match - confirm whether it is still needed.
add dst-address=192.168.1.0/24 level=unique peer="peer vpn.ike2.xxxx" \
src-address=192.168.4.0/24 tunnel=yes
/ip route
# 'isp1': FTTH default route with the interface itself as gateway (no next-hop IP). The
# FAILOVER-4G script toggles its distance between 1 and 100 against the LTE default route
# (distance 10), and the dhcp-client lease script tries to rewrite its gateway.
add comment=isp1 disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
vlan-internet pref-src="" routing-table=main scope=30 \
suppress-hw-offload=no target-scope=10
# Heartbeat endpoints pinned via lte1 so the heartbeat proves the 4G path works regardless of FTTH.
add comment="betteruptime heartbeat" disabled=no distance=1 dst-address=\
172.66.41.22/32 gateway=lte1 pref-src="" routing-table=main scope=30 \
suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=172.66.42.234/32 gateway=lte1 \
pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10
/snmp
# SNMP is enabled; the community and its allowed addresses live under /snmp community and are not
# in this export - if the default community is still in place, change it and restrict its
# addresses. Note the input chain accepts three source ranges on any interface ahead of the WAN drop.
set contact=sd@xxxx.xxx enabled=yes location=xxxx trap-version=2
/system clock
set time-zone-name=Europe/Paris
/system identity
set name=xxxx-ROUTER01
/system ntp client
set enabled=yes
/system ntp server
# NTP served to the LAN (advertised to clients via DHCP ntp-server=192.168.10.1).
set enabled=yes
/system ntp client servers
add address=216.239.35.8
add address=time.google.com
add address=0.pool.ntp.org
add address=1.pool.ntp.org
add address=2.pool.ntp.org
add address=3.pool.ntp.org
add address=137.74.194.70
/system routerboard settings
set auto-upgrade=yes
/system scheduler
# Both schedulers run with every policy, including password, policy, sensitive, sniff and ftp -
# far more than a ping/route/sms/fetch script uses. Trim the list so a mistake in a script cannot
# change users or expose sensitive data (least privilege).
add interval=3m name=BETTERUPTIME-HEARTBEAT on-event=BETTERUPTIME-HEARTBEAT \
policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-date=jan/01/1970 start-time=00:00:00
# 15s period; each run pings 4 times at a 2s interval, so a run can take ~8s of that window.
add interval=15s name=FAILOVER-4G on-event=FAILOVER-4G policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-date=jan/01/1970 start-time=00:00:00
/system script
# FAILOVER-4G: pings 8.8.4.4 out of vlan-internet and flips the 'isp1' route distance.
#  - >1 replies and mode != SFR: distance 1, toggle the 'ipont' address (10s pause), SMS + log.
#  - 0 replies and mode != 4G: distance 100 (LTE at 10 wins), SMS + log.
#  - exactly 1 reply changes nothing; $mode is a global that is empty after a reboot, so the first
#    run always enters one of the two branches.
#  - `delay 10` and `log error` are written without the leading ':' / '/' the other lines use
#    (`:set`, `/log warning`) - confirm they run as intended.
#  - owner=root here vs owner=admin on the heartbeat script; the policy list is the same oversized
#    one as on the schedulers.
add dont-require-permissions=no name=FAILOVER-4G owner=root policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="#\
script test liason principale\r\
\n:global mode;\r\
\n\r\
\n:local number1 \"+33xxxxxxxxx\";\r\
\n:local iptest1 \"8.8.4.4\";\r\
\n:local date;\r\
\n:local time;\r\
\n:set date [/system clock get date];\r\
\n:set time [/system clock get time];\r\
\n\r\
\n:local MSGUP \"\$date \$time Liaison FTTH OK!\";\r\
\n:local MSGDOWN \"\$date \$time Liaison FTTH DOWN!\";\r\
\n\r\
\n:local result [/ping \$iptest1 count=4 interface=vlan-internet interval=\
2];\r\
\n\r\
\n:if (\$result > 1 && \$mode != \"SFR\") do={\r\
\n /ip route set [find comment=\"isp1\"] distance=1;\r\
\n\t\t\t:set mode \"SFR\";\r\
\n\t\t\t/ip address disable [find comment=\"ipont\"];\r\
\n delay 10;\r\
\n /ip address enable [find comment=\"ipont\"];\r\
\n\t\t\t/tool sms send port=lte1 phone-number=\$number1 message=\$MSGUP;\r\
\n\t\t\t/log warning \"Good: Liaison FTTH UP\";\r\
\n}\r\
\n:if (\$result = 0 && \$mode != \"4G\") do={\r\
\n\t\t\t/ip route set [find comment=\"isp1\"] distance=100;\r\
\n\t\t\t:set mode \"4G\";\r\
\n\t\t\t/tool sms send port=lte1 phone-number=\$number1 message=\$MSGDOWN;\
\r\
\n\t\t\tlog error \"ERROR: Liaison FTTH DOWN\";\r\
\n}"
# BETTERUPTIME-HEARTBEAT: the escaped quote opening url=\" is never closed, so as exported
# `keep-result=no` ends up inside the URL string - likely an edit slip. The heartbeat URL carries
# a secret token (redacted here). /tool fetch does not validate the server certificate unless
# check-certificate=yes is given; add it so the heartbeat cannot be satisfied by an interposed host.
add dont-require-permissions=no name=BETTERUPTIME-HEARTBEAT owner=admin \
policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
source="/tool fetch url=\"https://betteruptime.com/api/v1/heartbeat/xxxxxxxxxxx keep-result=no"
/tool sms
# receive-enabled=yes lets the router execute commands carried in incoming SMS. No allowed-number
# appears in this export and the secret is never exported - make sure both are set so only the
# intended sender can trigger scripts.
set port=lte1 receive-enabled=yes