Mikrotik Dual WAN Static IP Failover

I wanted to set up a dual WAN / failover connection between wireless and fiber for a site, but couldn’t use a simple gateway-check due to the gateways being reachable even if the internet was down. I thought it would be simple, and ultimately it was very simple, but it took way too long sifting through convoluted and confusing, mostly-unrelated config dumps, dead Mikrotik wiki pages and countless forum posts to find the super-simple solution.

To be clear: this setup will work with static IPs. I’ve seen several configs that reference a PPPoE connection and maybe even some with DHCP, but I’ve not been able to test this functionality. If you know the gateway IP for the DHCP server and you don’t add a default route, I assume that DHCP will work with this setup, but I couldn’t guarantee it.

Mikrotik dual wan routing

Here it is:

/ip route
add check-gateway=ping distance=1 gateway=1.1.1.1
add check-gateway=ping distance=2 gateway=8.8.8.8
add check-gateway=ping distance=1 dst-address=1.1.1.1/32 gateway=192.168.10.1 scope=10
add check-gateway=ping distance=1 dst-address=8.8.8.8/32 gateway=192.168.11.1 scope=10

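Just replace 192.168.10.1 with your primary WAN gateway IP and 192.168.11.1 with your backup gateway IP. The routes above create default routes that reach the internet through your gateways by way of 1.1.1.1 and 8.8.8.8. Because check-gateway pings those two public hosts rather than the gateways themselves, the router flops over to the backup connection when 1.1.1.1 stops answering through the primary, and switches back once it is reachable on the primary connection again.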

I found this fantastic info over on maxdesk.com along with instructions for those who want to check multiple remote hosts before counting a link as down.
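A simplified Python model of how the router chooses between the four routes above, added here as an illustration and not code from the original post or from MikroTik. The scope and target-scope defaults, the one-step recursive lookup and the constructed `UPSTREAM_DOWN` scenario are assumptions of the model.

```python
import ipaddress

CONNECTED = ["192.168.10.0/24", "192.168.11.0/24"]  # WAN subnets from the page
TARGET_SCOPE = 10  # assumed RouterOS default target-scope for static routes

def route(dst, gw, distance, scope=30):  # scope=30: assumed static-route default
    return {"dst": ipaddress.ip_network(dst), "gw": gw, "distance": distance, "scope": scope}

# The four routes from the page.
PAGE_ROUTES = [
    route("0.0.0.0/0", "1.1.1.1", 1),
    route("0.0.0.0/0", "8.8.8.8", 2),
    route("1.1.1.1/32", "192.168.10.1", 1, scope=10),
    route("8.8.8.8/32", "192.168.11.1", 1, scope=10),
]
# The "simple gateway-check" the page rejects: defaults point straight at the gateways.
NAIVE_ROUTES = [
    route("0.0.0.0/0", "192.168.10.1", 1),
    route("0.0.0.0/0", "192.168.11.1", 2),
]

def on_link(ip):
    return any(ipaddress.ip_address(ip) in ipaddress.ip_network(n) for n in CONNECTED)

def resolve(gw, routes, ping_ok):
    """Return the on-link next hop used to reach gw (one recursive step), or None."""
    if on_link(gw):
        return gw
    for r in routes:
        usable = r["scope"] <= TARGET_SCOPE and on_link(r["gw"]) and (r["gw"], r["gw"]) in ping_ok
        if usable and ipaddress.ip_address(gw) in r["dst"]:
            return r["gw"]
    return None

def active_default(routes, ping_ok):
    """ping_ok holds (target, next_hop) pairs for which a check-gateway ping is answered."""
    live = []
    for r in routes:
        if r["dst"].prefixlen != 0:
            continue
        hop = resolve(r["gw"], routes, ping_ok)
        if hop and (r["gw"], hop) in ping_ok:
            live.append((r["distance"], hop))
    return min(live)[1] if live else None

# Constructed scenario: both gateways answer, but the fiber ISP has lost its upstream.
UPSTREAM_DOWN = {("192.168.10.1", "192.168.10.1"), ("192.168.11.1", "192.168.11.1"),
                 ("8.8.8.8", "192.168.11.1")}

if __name__ == "__main__":
    print("naive:", active_default(NAIVE_ROUTES, UPSTREAM_DOWN))
    print("page: ", active_default(PAGE_ROUTES, UPSTREAM_DOWN))
```

With the upstream down, the naive routes stay on 192.168.10.1 while the page's routes select 192.168.11.1.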

How to set up / use failover config

Based on reading forum posts I know that some people who want this functionality may not know how to actually use it, so I’ll briefly go over what you’ll need to make it work under a narrow set of conditions. I’m not an expert on this by any stretch, just a person who found the right settings online and knows how to make it work for my own setup.

What you need:

  • IP addresses on your WAN interfaces
  • Masquerade rules for each WAN interface
  • IP address on a bridge or interface for LAN connections
  • DHCP server if you need it off the LAN interface or bridged ports

IP addresses on WAN interfaces

This assumes port #1 is your primary ISP and port #2 is your backup. Rename as needed.

/ip address
add address=192.168.10.10/24 interface="ether1 - WAN1-FIBER" network=192.168.10.0
add address=192.168.11.10/24 interface="ether2 - WAN2-WIRELESS" network=192.168.11.0

¹ If you need to get an IP over DHCP on one or both of your WAN interfaces, use this:

/ip dhcp-client
add add-default-route=no disabled=no interface="ether1 - WAN1-FIBER"
add add-default-route=no disabled=no interface="ether2 - WAN2-WIRELESS"

¹ This is untested; you will need to know the gateway IP(s) for IP > Route.

Masquerade rules for both WAN interfaces

/ip firewall nat
add action=masquerade chain=srcnat out-interface="ether1 - WAN1-FIBER"
add action=masquerade chain=srcnat out-interface="ether2 - WAN2-WIRELESS"

IP Address for LAN, bridge or interface

/ip address
add address=192.168.37.1/29 interface="ether4 - LAN2ROUTER" network=192.168.37.0

DHCP Pool and DHCP Server

I’m using an extended DHCP lease time and a /29 for the local network, but if you need lots of IPs or only want 1 IP, modify as needed.

/ip pool
add name=dhcp_pool0 ranges=192.168.37.2-192.168.37.6
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface="ether4 - LAN2ROUTER" lease-time=4w2d name=dhcp1
/ip dhcp-server network
add address=192.168.37.0/29 gateway=192.168.37.1

Hopefully the simplicity and straightforwardness of this will help some people. Again, I am barely familiar with this myself, but if you have questions, feel free to ask and I’ll see if I can help.
