My device: RB5009UG+S+
RouterOS 7.14.2
My setup
ISP1: ether8 - DHCP client - Primary
ISP2: ether7 - DHCP client - Backup
Local networks: default VLAN 192.168.1.1/24, guest: VLAN20 10.250.250.0/24
Config export below
Routing table below
I am trying to set up failover on my device so that if ISP1 on ether8 is down, the router switches to ISP2 on ether7. When ISP1 comes back up, the device should switch back to ISP1.
I am using the scripts found at https://gist.github.com/marfillaster/7a ... id=4233415
My problem is:
If I disconnect or bring ether8 down, the device switches to ISP2 ether7. - so all OK there
If instead I simulate an issue on ISP1, where the interface ether8 is still up, but no traffic is being forwarded, the device does not switch over to ISP2 on ether7.
I'm not entirely sure where the problem lies but i suspect the routing table is not being updated properly. When i simulate an ISP issue, there is no change in the routing table and nothing is being logged, so i think the connection issues is not detected properly.
This is my first Mikrotik device, so I am struggling to figure it out.
Code: Select all
/interface bridge
add admin-mac=48:A9:8A:AA:D4:AF auto-mac=no comment=defconf name=bridge \
port-cost-mode=short vlan-filtering=yes
/interface vlan
add comment=GuestVLAN interface=bridge name=GuestVLAN vlan-id=20
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.1.100-192.168.1.199
add name=GuestJunkDHCP ranges=10.250.250.100-10.250.250.199
/ip dhcp-server
add address-pool=default-dhcp interface=bridge lease-time=10m name=defconf
add address-pool=GuestJunkDHCP interface=GuestVLAN name=dhcp1
/ip smb users
set [ find default=yes ] disabled=yes
/routing table
add fib name=to_ISP1
add fib name=to_ISP2
/interface bridge port
add bridge=bridge comment=defconf interface=ether2 internal-path-cost=10 \
path-cost=10
add bridge=bridge comment=defconf interface=ether3 internal-path-cost=10 \
path-cost=10
add bridge=bridge comment=defconf interface=ether4 internal-path-cost=10 \
path-cost=10
add bridge=bridge comment=defconf interface=ether5 internal-path-cost=10 \
path-cost=10
add bridge=bridge comment=defconf interface=ether6 internal-path-cost=10 \
path-cost=10
add bridge=bridge comment=defconf interface=sfp-sfpplus1 internal-path-cost=\
10 path-cost=10
add bridge=bridge interface=ether1 internal-path-cost=10 path-cost=10
add bridge=bridge interface=GuestVLAN internal-path-cost=10 path-cost=10 \
pvid=20
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=all lldp-med-net-policy-vlan=1
/ip settings
set allow-fast-path=no
/interface bridge vlan
add bridge=bridge tagged=bridge,ether1 untagged=ether6,GuestVLAN vlan-ids=20
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=WAN1 interface=ether1 list=WAN
add comment=WAN2 interface=ether7 list=WAN
add comment=guest interface=GuestVLAN list=LAN
/ip address
add address=192.168.1.1/24 comment=defconf interface=bridge network=\
192.168.1.0
add address=10.250.250.1/24 interface=GuestVLAN network=10.250.250.0
/ip dhcp-client
add comment="WAN1 - dist 1" interface=ether8 script=":if (\\\$bound=1) do={\\r\
\\\
\n \\n /ip/route/set [find where comment=\\\"ISP1\\\"] gateway=\\\$\
\\\"gateway-address\\\"\\r\\\
\n \\n}\\r\\\
\n \\n\\r\\\
\n \\n/ip/firewall/connection/remove [find connection-mark=\\\"ISP1_con\
n\\\"]\\r\\\
\n \\n/ip/firewall/connection/remove [find connection-mark=\\\"ISP2_con\
n\\\"]" use-peer-dns=no use-peer-ntp=no
add comment="WAN2 - dist 10" default-route-distance=10 interface=ether7 \
script=":if (\\\$bound=1) do={\\r\\\
\n \\n /ip/route/set [find where comment=\\\"ISP2\\\"] gateway=\\\$\
\\\"gateway-address\\\"\\r\\\
\n \\n}\\r\\\
\n \\n\\r\\\
\n \\n/ip/firewall/connection/remove [find connection-mark=\\\"ISP1_con\
n\\\"]\\r\\\
\n \\n/ip/firewall/connection/remove [find connection-mark=\\\"ISP2_con\
n\\\"]" use-peer-dns=no use-peer-ntp=no
/ip dhcp-server network
add address=10.250.250.0/24 dns-server=1.1.1.1,8.8.8.8 gateway=10.250.250.1 \
netmask=24
add address=192.168.1.0/24 comment=defconf dns-server=8.8.8.8,1.1.1.1,8.8.4.4 \
domain=something.something.com gateway=192.168.1.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall address-list
add address=192.168.1.0/24 list=local
add address=10.250.250.0/24 list=local
/ip firewall filter
add action=drop chain=forward comment=dropinternalfromGuest dst-address=\
192.168.1.0/24 src-address=10.250.250.0/24
add action=drop chain=input comment=dropinputfromguest src-address=\
10.250.250.0/24
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=accept chain=prerouting comment="bridge access" dst-address-list=\
local in-interface-list=LAN
add action=mark-connection chain=prerouting connection-mark=no-mark \
connection-state=established,related in-interface=ether8 \
new-connection-mark=ISP1_conn passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
connection-state=established,related in-interface=ether7 \
new-connection-mark=ISP2_conn passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
dst-address-list=!local dst-address-type=!local in-interface-list=LAN \
new-connection-mark=ISP1_conn passthrough=yes per-connection-classifier=\
both-addresses-and-ports:2/0
add action=mark-connection chain=prerouting connection-mark=no-mark \
dst-address-list=!local dst-address-type=!local in-interface-list=LAN \
new-connection-mark=ISP2_conn passthrough=yes per-connection-classifier=\
both-addresses-and-ports:2/1
add action=mark-routing chain=prerouting connection-mark=ISP1_conn \
in-interface-list=LAN new-routing-mark=to_ISP1 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=ISP2_conn \
in-interface-list=LAN new-routing-mark=to_ISP2 passthrough=yes
add action=mark-routing chain=output connection-mark=ISP1_conn \
dst-address-list=!local new-routing-mark=to_ISP1 passthrough=yes
add action=mark-routing chain=output connection-mark=ISP2_conn \
dst-address-list=!local new-routing-mark=to_ISP2 passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface-list=\
WAN
/ip route
add comment=ISP1 distance=1 dst-address=9.9.9.9/32 gateway=ether8 scope=10 \
target-scope=10
add comment=ISP2 distance=1 dst-address=8.26.56.26/32 gateway=ether7 scope=10 \
target-scope=10
add check-gateway=ping distance=1 dst-address=0.0.0.0/0 gateway=9.9.9.9 \
scope=10 target-scope=11
add check-gateway=ping distance=1 dst-address=0.0.0.0/0 gateway=8.26.56.26 \
scope=10 target-scope=11
add comment=ISP1 dst-address=64.6.64.6/32 gateway=ether8 scope=10
add comment=ISP1 dst-address=208.67.220.220/32 gateway=ether8 scope=10
add comment=ISP2 dst-address=208.67.222.222/32 gateway=ether7 scope=10
add comment=ISP2 dst-address=64.6.65.6/32 gateway=ether7 scope=10
add check-gateway=ping distance=1 dst-address=0.0.0.0/0 gateway=64.6.64.6 \
routing-table=to_ISP1 scope=10 target-scope=11
add check-gateway=ping distance=2 dst-address=0.0.0.0/0 gateway=64.6.65.6 \
routing-table=to_ISP1 scope=10 target-scope=11
add check-gateway=ping distance=1 dst-address=0.0.0.0/0 gateway=\
208.67.222.222 routing-table=to_ISP2 scope=10 target-scope=11
add check-gateway=ping distance=2 dst-address=0.0.0.0/0 gateway=\
208.67.220.220 routing-table=to_ISP2 scope=10 target-scope=11
/ip service
set www-ssl disabled=no
/ip smb shares
set [ find default=yes ] directory=/pub
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
33434-33534 protocol=udp
add action=accept chain=input comment=\
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=input comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
"defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=forward comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
/system clock
set time-zone-name=Europe/Somewhere
/system identity
set name=Router
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp server
set enabled=yes
/system ntp client servers
add address=pool.ntp.org
add address=time.windows.com
/system package update
set channel=testing
/system watchdog
set auto-send-supout=yes send-email-from=someone@gmail.com \
send-email-to=myself@myemail.com send-smtp-server=smtp.gmail.com \
watchdog-timer=no
/tool e-mail
set from=someone@gmail.com port=587 server=smtp.gmail.com tls=starttls \
user=someone@gmail.com
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
And:
Code: Select all
[admin@Router] > /ip/route/print
Flags: D - DYNAMIC; I - INACTIVE, A - ACTIVE; c - CONNECT, s - STATIC, d - DHCP; H - HW-OFFLOADED
Columns: DST-ADDRESS, GATEWAY, DISTANCE
# DST-ADDRESS GATEWAY DISTANCE
DAd 0.0.0.0/0 192.168.33.1 1
0 IsH 0.0.0.0/0 8.26.56.26 1
1 IsH 0.0.0.0/0 9.9.9.9 1
D d 0.0.0.0/0 192.168.8.1 10
;;; ISP2
2 As 8.26.56.26/32 ether7 1
;;; ISP1
3 As 9.9.9.9/32 ether8 1
DAc 10.250.250.0/24 GuestVLAN 0
;;; ISP1
4 As 64.6.64.6/32 ether8 1
;;; ISP2
5 As 64.6.65.6/32 ether7 1
DAc 192.168.1.0/24 bridge 0
DAc 192.168.8.0/24 ether7 0
DAc 192.168.33.0/24 ether8 0
;;; ISP1
6 As 208.67.220.220/32 ether8 1
;;; ISP2
7 As 208.67.222.222/32 ether7 1
8 IsH 0.0.0.0/0 64.6.65.6 2
9 IsH 0.0.0.0/0 64.6.64.6 1
10 IsH 0.0.0.0/0 208.67.220.220 2
11 IsH 0.0.0.0/0 208.67.222.222 1
