I have a dual WAN setup using two DHCP clients and recursive routing (see config below). When I physically remove the cable from the main WAN, the device fails over to the secondary WAN as expected. However, if I sever the connection further down the chain so that the link is still up but the gateway can no longer be pinged, it doesn't fail over. What am I doing wrong? Thanks for the help!
(Running v6.48.7)
Full config below...
# may/28/2023 18:16:01 by RouterOS 6.48.7
#
/interface bridge
# Single LAN bridge; the LAN-facing ports are attached to it further down.
add name=bridge1-LAN
/interface ethernet
# Rename the two uplinks. ether12 is renamed "Other" but, in this export, it is
# neither a bridge port nor a member of the WAN/LAN interface lists.
set [ find default-name=ether1 ] name=ether1-WAN1
set [ find default-name=ether2 ] name=ether2-WAN2
set [ find default-name=ether12 ] name=ether12-Other
/interface list
# Interface lists that the firewall filter/raw rules and the masquerade rule
# match on (membership is assigned under /interface list member).
add name=WAN
add name=LAN
/interface wireless security-profiles
# Factory default profile; no wireless interface appears in this export, so
# this line is most likely just export noise.
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
# DHCP lease range for the LAN (x.x.1.180-x.x.1.254, inside x.x.1.0/24).
add name=dhcp ranges=x.x.1.180-x.x.1.254
/ip dhcp-server
# LAN DHCP server bound to the bridge, handing out the pool above.
add address-pool=dhcp disabled=no interface=bridge1-LAN name=dhcp1
/interface bridge port
# ether3..ether11 form the LAN. ether12-Other is not a bridge port; whether
# that is intentional is not visible from the export.
add bridge=bridge1-LAN interface=ether3
add bridge=bridge1-LAN interface=ether4
add bridge=bridge1-LAN interface=ether5
add bridge=bridge1-LAN interface=ether6
add bridge=bridge1-LAN interface=ether7
add bridge=bridge1-LAN interface=ether8
add bridge=bridge1-LAN interface=ether9
add bridge=bridge1-LAN interface=ether10
add bridge=bridge1-LAN interface=ether11
/ip firewall connection tracking
# Explicitly enabled; the stateful filter rules (connection-state=...) and the
# masquerade rule depend on it.
set enabled=yes
/ip settings
# SYN cookies protect the router's own TCP listeners under a SYN flood.
set tcp-syncookies=yes
/interface list member
# LAN = the bridge only; WAN = both uplinks. The WAN list is what the
# masquerade rule and the "from WAN" drop rules key on, so both ISPs get the
# same treatment.
add interface=bridge1-LAN list=LAN
add interface=ether1-WAN1 list=WAN
add interface=ether2-WAN2 list=WAN
/ip address
# Router's LAN address; also the gateway handed out by DHCP.
add address=x.x.1.1/24 interface=bridge1-LAN network=x.x.1.0
/ip cloud
# MikroTik cloud DDNS: the router's current public address is published to
# MikroTik's cloud service every minute. Set ddns-enabled=no if that is not
# needed.
set ddns-enabled=yes ddns-update-interval=1m
/ip dhcp-client
# WAN1 (Verizon) lease. add-default-route=no: the ISP-supplied default route is
# NOT installed. Instead, every time the lease binds ($bound=1) the script
# rewrites the gateway of the two VERIZON /32 host routes (looked up by their
# comment) to the DHCP-learned gateway-address; distance/dst-address/scope are
# re-set to the same values they already have under /ip route. There is no
# $bound=0 branch, so on lease loss the host routes keep their last gateway --
# presumably the disappearing connected route is what then makes them
# unreachable (the cable-pull case that already fails over). use-peer-dns/ntp=no:
# the ISP's DNS/NTP servers are ignored; DNS is set statically under /ip dns.
add add-default-route=no disabled=no interface=ether1-WAN1 script="if (\$bound\
=1) do={ \\\r\
\n/ip route set [find comment=\"VERIZON CF\"] distance=1 dst-address=1.1.1\
.1/32 gateway=\$\"gateway-address\" scope=10\r\
\n/ip route set [find comment=\"VERIZON GOOGLE\"] distance=1 dst-address=8\
.8.8.8/32 gateway=\$\"gateway-address\" scope=10\r\
\n}" use-peer-dns=no use-peer-ntp=no
# WAN2 (Comcast) lease: same mechanism, targeting the COMCAST-NAT /32 routes.
add add-default-route=no disabled=no interface=ether2-WAN2 script="if (\$bound\
=1) do={ \\\r\
\n/ip route set [find comment=\"COMCAST-NAT CF\"] distance=2 dst-address=1\
.0.0.1/32 gateway=\$\"gateway-address\" scope=10\r\
\n/ip route set [find comment=\"COMCAST-NAT GOOGLE\"] distance=2 dst-addre\
ss=8.8.4.4/32 gateway=\$\"gateway-address\" scope=10\r\
\n}" use-peer-dns=no use-peer-ntp=no
/ip route
# Recursive failover. The four routes below carry no dst-address, i.e. they are
# 0.0.0.0/0 defaults, and their gateway is a public resolver IP rather than the
# ISP next hop, so check-gateway=ping probes reachability THROUGH the ISP and
# not just its first hop. WAN1 (Verizon) wins at distance=1; WAN2 (Comcast) is
# the distance=2 backup.
add check-gateway=ping comment="VERIZON DEFAULT CF" distance=1 gateway=\
1.1.1.1
# Second distance=1 default with a different probe target on the same physical
# path; as far as I know v6 keeps only one same-distance route active, so this
# one only takes over once the 1.1.1.1 probe has been declared unreachable.
add check-gateway=ping comment="VERIZON DEFAULT GOOGLE" distance=1 gateway=\
8.8.8.8
add check-gateway=ping comment="COMCAST-NAT ALT CF" distance=2 gateway=\
1.0.0.1
add check-gateway=ping comment="COMCAST-NAT ALT GOOGLE" distance=2 gateway=\
8.8.4.4
# /32 host routes that pin each probe target to its own WAN next hop. scope=10
# makes them eligible to resolve the default routes' gateways (v6 static routes
# default to target-scope=10). They deliberately carry no check-gateway: it is
# the default routes above that get withdrawn. Their gateway field is rewritten
# by the DHCP-client scripts (matched by these exact comments) whenever a lease
# binds, so x.x.x.1 / x.x.0.1 are just the last-seen next hops.
add comment="COMCAST-NAT CF" distance=2 dst-address=1.0.0.1/32 gateway=\
x.x.0.1 scope=10
add comment="VERIZON CF" distance=1 dst-address=1.1.1.1/32 gateway=\
x.x.x.1 scope=10
add comment="COMCAST-NAT GOOGLE" distance=2 dst-address=8.8.4.4/32 gateway=\
x.x.0.1 scope=10
# NOTE(review): for the "link up but upstream dead" case to fail over, BOTH
# distance=1 defaults must be declared unreachable (each needs a couple of
# consecutive missed probes, so allow roughly 20-30 s), and nothing on the WAN1
# side may answer pings to 1.1.1.1 / 8.8.8.8 on the ISP's behalf. During the
# test, check `/ip route print` : if the distance=1 routes still show as active,
# look at where the echo replies actually come from (/tool sniffer or torch on
# ether1-WAN1); if they are flagged unreachable but LAN traffic still fails,
# suspect connection tracking rather than routing -- flows already masqueraded
# out WAN1 keep that NAT mapping until they time out.
add comment="VERIZON GOOGLE" distance=1 dst-address=8.8.8.8/32 gateway=\
x.x.x.1 scope=10
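/ip dhcp-server network
# LAN subnet served by dhcp1: gateway is the router's bridge address.
# A second entry "address=0.0.0.0/24 gateway=0.0.0.0 netmask=24" was removed:
# the only pool in this export (dhcp, x.x.1.180-x.x.1.254) lies inside
# x.x.1.0/24, so a 0.0.0.0/24 network can never apply to a lease and only
# confuses anyone reading the config.
add address=x.x.1.0/24 gateway=x.x.1.1 netmask=24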
/ip dns
# The router is the LAN's resolver (allow-remote-requests=yes) and forwards to
# Quad9. It is not an open resolver only because the input chain drops every
# packet that did not arrive from the LAN list; keep that rule as long as this
# stays yes. Upstream queries follow whichever default route is active (no /32
# pins these servers), so they move to WAN2 on failover.
set allow-remote-requests=yes servers=9.9.9.11,149.112.112.11
/ip firewall address-list
# Lists actually consumed by the raw rules in this export: bad_ipv4,
# bad_src_ipv4, bad_dst_ipv4 and not_global_ipv4. allowed_to_router,
# not_in_internet and no_forward_ipv4 are defined here but no filter/raw/nat
# rule in this export references them, so they currently have no effect.
add address=x.x.1.2-x.x.1.254 list=allowed_to_router
# Bogon/reserved ranges (RFC 6890 plus multicast and the 6to4 anycast prefix);
# unused by any rule here.
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=\
not_in_internet
# defconf lists. no_forward_ipv4 is unused here; bad_ipv4 / bad_src_ipv4 /
# bad_dst_ipv4 / not_global_ipv4 feed the /ip firewall raw drop rules.
add address=0.0.0.0/8 comment="defconf: RFC6890" list=no_forward_ipv4
add address=169.254.0.0/16 comment="defconf: RFC6890" list=no_forward_ipv4
add address=224.0.0.0/4 comment="defconf: multicast" list=no_forward_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=no_forward_ipv4
add address=127.0.0.0/8 comment="defconf: RFC6890" list=bad_ipv4
add address=192.0.0.0/24 comment="defconf: RFC6890" list=bad_ipv4
add address=192.0.2.0/24 comment="defconf: RFC6890 documentation" list=\
bad_ipv4
add address=198.51.100.0/24 comment="defconf: RFC6890 documentation" list=\
bad_ipv4
add address=203.0.113.0/24 comment="defconf: RFC6890 documentation" list=\
bad_ipv4
add address=240.0.0.0/4 comment="defconf: RFC6890 reserved" list=bad_ipv4
# NOTE(review): not_global_ipv4 includes RFC1918 space and 100.64.0.0/10
# (CGNAT), and raw drops anything arriving from the WAN list with such a
# source. If WAN2 ("COMCAST-NAT") or WAN1 is ever handed an address in those
# ranges, packets sourced by that ISP gateway itself (ICMP errors and the like)
# are dropped -- confirm both DHCP-assigned WAN addresses are public before
# relying on this list.
add address=0.0.0.0/8 comment="defconf: RFC6890" list=not_global_ipv4
add address=10.0.0.0/8 comment="defconf: RFC6890" list=not_global_ipv4
add address=100.64.0.0/10 comment="defconf: RFC6890" list=not_global_ipv4
add address=169.254.0.0/16 comment="defconf: RFC6890" list=not_global_ipv4
add address=172.16.0.0/12 comment="defconf: RFC6890" list=not_global_ipv4
add address=192.0.0.0/29 comment="defconf: RFC6890" list=not_global_ipv4
add address=192.168.0.0/16 comment="defconf: RFC6890" list=not_global_ipv4
add address=198.18.0.0/15 comment="defconf: RFC6890 benchmark" list=\
not_global_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=not_global_ipv4
add address=224.0.0.0/4 comment="defconf: multicast" list=bad_src_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=bad_src_ipv4
add address=0.0.0.0/8 comment="defconf: RFC6890" list=bad_dst_ipv4
add address=224.0.0.0/4 comment="defconf: RFC6890" list=bad_dst_ipv4
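/ip firewall filter
# Input chain (traffic addressed to the router itself): stateful accept, drop
# invalid, accept ICMP from anywhere (rate-limited earlier in /ip firewall raw),
# accept loopback, then drop everything that did not enter via the LAN list.
# Router services (DNS, WinBox, SSH, ...) are therefore reachable from the LAN
# only; note the allowed_to_router address list is not referenced by any rule.
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
# Forward chain (traffic through the router): IPsec policy accepts, then
# fasttrack for established/related (those packets skip the remaining filter
# rules), then drop invalid and drop new connections entering from the WAN
# list that were not DST-NATed. Nothing restricts LAN-originated traffic.
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
# Fix: the masquerade rule belongs to /ip firewall nat, not filter --
# "action=masquerade chain=srcnat" is not a valid filter rule, so the config
# as pasted would fail on import. The section header was most likely lost when
# the export was copied; restoring it leaves every rule unchanged.
/ip firewall nat
# Source-NAT everything leaving via either WAN interface to that interface's
# address (so connections are masqueraded behind whichever WAN routed them).
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN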
/ip firewall raw
# Prerouting hygiene applied to every incoming packet before connection
# tracking -- including the echo replies to the router's own check-gateway
# probes.
add action=accept chain=prerouting comment="defconf: accept DHCP discover" \
dst-address=255.255.255.255 dst-port=67 in-interface-list=LAN protocol=\
udp src-address=0.0.0.0 src-port=68
# Uncommented rule: ddos-targets / ddos-attackers are not populated by anything
# in this export (no address-list entries and no add-*-to-address-list rule),
# so as shown it never matches.
add action=drop chain=prerouting dst-address-list=ddos-targets \
src-address-list=ddos-attackers
# Bogon drops in both directions, using the defconf address lists.
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
src-address-list=bad_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
dst-address-list=bad_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
src-address-list=bad_src_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
dst-address-list=bad_dst_ipv4
# Anti-spoofing: no private/CGNAT sources from the WAN list, no packets from
# the WAN list aimed at the LAN subnet, and no off-subnet sources from the LAN.
add action=drop chain=prerouting comment="defconf: drop non global from WAN" \
in-interface-list=WAN src-address-list=not_global_ipv4
add action=drop chain=prerouting comment=\
"defconf: drop forward to local lan from WAN" dst-address=x.x.1.0/24 \
in-interface-list=WAN
add action=drop chain=prerouting comment=\
"defconf: drop local if not from default IP range" in-interface-list=LAN \
src-address=!x.x.1.0/24
add action=drop chain=prerouting comment="defconf: drop bad UDP" port=0 \
protocol=udp
# ICMP and TCP are handed to the icmp4 / bad_tcp chains below; everything
# else from LAN or WAN is accepted, and anything from another interface
# (e.g. ether12-Other, which is in neither list) is dropped.
add action=jump chain=prerouting comment="defconf: jump to ICMP chain" \
jump-target=icmp4 protocol=icmp
add action=jump chain=prerouting comment="defconf: jump to TCP chain" \
jump-target=bad_tcp protocol=tcp
add action=accept chain=prerouting comment=\
"defconf: accept everything else from LAN" in-interface-list=LAN
add action=accept chain=prerouting comment=\
"defconf: accept everything else from WAN" in-interface-list=WAN
add action=drop chain=prerouting comment="defconf: drop the rest"
# bad_tcp: reject malformed flag combinations and port 0; packets that survive
# return to prerouting.
add action=drop chain=bad_tcp comment="defconf: TCP flag filter" protocol=tcp \
tcp-flags=!fin,!syn,!rst,!ack
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,syn
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,rst
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,!ack
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,urg
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=syn,rst
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=rst,urg
add action=drop chain=bad_tcp comment="defconf: TCP port 0 drop" port=0 \
protocol=tcp
# icmp4: only the listed types are accepted. limit= is a single global token
# bucket (not per source), so echo and echo-reply are capped at 5 pkt/s with a
# burst of 10 across all peers -- the replies to the router's own check-gateway
# pings share that budget with everyone else pinging through/at the router.
add action=accept chain=icmp4 comment="defconf: echo reply" icmp-options=0:0 \
limit=5,10:packet protocol=icmp
add action=accept chain=icmp4 comment="defconf: net unreachable" \
icmp-options=3:0 protocol=icmp
add action=accept chain=icmp4 comment="defconf: host unreachable" \
icmp-options=3:1 protocol=icmp
add action=accept chain=icmp4 comment="defconf: protocol unreachable" \
icmp-options=3:2 protocol=icmp
add action=accept chain=icmp4 comment="defconf: port unreachable" \
icmp-options=3:3 protocol=icmp
add action=accept chain=icmp4 comment="defconf: fragmentation needed" \
icmp-options=3:4 protocol=icmp
add action=accept chain=icmp4 comment="defconf: echo" icmp-options=8:0 limit=\
5,10:packet protocol=icmp
add action=accept chain=icmp4 comment="defconf: time exceeded " icmp-options=\
11:0-255 protocol=icmp
add action=drop chain=icmp4 comment="defconf: drop other icmp" protocol=icmp
/lcd
set color-scheme=dark default-screen=stats
/system clock
set time-zone-name=America/New_York
/system identity
# Still the factory identity; a descriptive name helps when reading logs from
# several devices.
set name=RouterOS
/system package update
# Long-term channel; the export header shows this box on 6.48.7.
set channel=long-term
/system ups
add name="Network UPS" port=usbhid1
/tool bandwidth-server
# Bandwidth-test server disabled, so the router cannot be used as a
# bandwidth-test target.
set enabled=no