I wanted to set up a dual WAN / failover connection between wireless and fiber for a site, but couldn’t use a simple gateway-check due to the gateways being reachable even if the internet was down. I thought it would be simple, and ultimately was very simple, but it took way too long sifting through convoluted and confusing, mostly-unrelated config dumps, dead MikroTik wiki pages and countless forum posts to find the super-simple solution.
To be clear: this setup will work with Static IPs. I’ve seen several configs that reference a PPPoE connection and maybe even some with DHCP, but I’ve not been able to test this functionality. If you know the gateway IP for the DHCP server and you don’t add a default route, I assume that DHCP will work with this setup, but couldn’t guarantee it.
Mikrotik dual wan routing
Here it is:
/ip route
add check-gateway=ping distance=1 gateway=188.8.131.52
add check-gateway=ping distance=2 gateway=184.108.40.206
add check-gateway=ping distance=1 dst-address=220.127.116.11/32 gateway=192.168.10.1 scope=10
add check-gateway=ping distance=1 dst-address=18.104.22.168/32 gateway=192.168.11.1 scope=10
Just replace 192.168.10.1 with your primary WAN gateway IP and 192.168.11.1 with your backup gateway IP. The above code will create the default routes to your gateways, and if the primary is down, it’ll flop over to the backup connection until the gateway is reachable on the primary connection.
I found this fantastic info over on maxdesk.com along with instructions for those who want to check multiple remote hosts before counting a link as down.
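A route set like this only fails over if each default route's gateway (the remote host being pinged) is also the dst-address of a /32 route through one WAN gateway. The Python check below is an added example, not part of the original post: it verifies that chaining on an exported `/ip route` section. The 198.51.100.x monitor addresses are constructed placeholders and the function names are hypothetical.

```python
import shlex

# Constructed sample: 198.51.100.1 / 198.51.100.2 stand in for the remote
# hosts being pinged; 192.168.10.1 / 192.168.11.1 are the page's WAN gateways.
SAMPLE = """\
/ip route
add check-gateway=ping distance=1 gateway=198.51.100.1
add check-gateway=ping distance=2 gateway=198.51.100.2
add check-gateway=ping distance=1 dst-address=198.51.100.1/32 gateway=192.168.10.1 scope=10
add check-gateway=ping distance=1 dst-address=198.51.100.2/32 gateway=192.168.11.1 scope=10
"""

def parse_routes(text):
    """Return one dict of key=value settings per `add` line under /ip route."""
    routes, in_section = [], False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            in_section = line == "/ip route"
        elif in_section and line.startswith("add "):
            pairs = (tok.split("=", 1) for tok in shlex.split(line)[1:] if "=" in tok)
            routes.append(dict(pairs))
    return routes

def check_failover(text):
    """Return a list of problems; an empty list means the routes chain correctly."""
    routes = parse_routes(text)
    defaults = [r for r in routes if r.get("dst-address", "0.0.0.0/0") == "0.0.0.0/0"]
    hosts = {r["dst-address"][:-3]: r for r in routes if r.get("dst-address", "").endswith("/32")}
    problems = []
    if len(defaults) < 2:
        problems.append("fewer than two default routes: nothing to fail over to")
    if len({d.get("distance", "1") for d in defaults}) != len(defaults):
        problems.append("default routes share a distance: no primary/backup order")
    wan_seen = set()
    for d in defaults:
        gw = d.get("gateway")
        host = hosts.get(gw)  # the /32 route that pins the pinged host to one WAN
        if d.get("check-gateway") != "ping":
            problems.append(f"default via {gw}: check-gateway=ping missing")
        if host is None:
            problems.append(f"default via {gw}: no /32 route pins {gw} to a WAN gateway")
            continue
        if host.get("scope") != "10":  # scope=10 as used in the page's listing
            problems.append(f"host route {gw}/32: scope is not 10")
        if host.get("gateway") in wan_seen:
            problems.append(f"host route {gw}/32: WAN gateway {host.get('gateway')} already used")
        wan_seen.add(host.get("gateway"))
    return problems
```
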
How to set up / use failover config
Based on reading forum posts I know that some people who want this functionality may not know how to actually use it, so I’ll briefly go over what you’ll need to make it work under a narrow set of conditions. I’m not an expert on this by any stretch, just a person who found the right settings online and knows how to make it work for my own setup.
What you need:
- IP addresses on your WAN interfaces
- Masquerade rules for each WAN interface
- IP address on a bridge or interface for LAN connections
- DHCP server if you need it off the LAN interface or bridged ports
IP addresses on WAN interfaces
Assuming port #1 is your primary ISP, port #2 is your backup. Rename as needed.
/ip address
add address=192.168.10.10/24 interface="ether1 - WAN1-FIBER" network=192.168.10.0
add address=192.168.11.10/24 interface="ether2 - WAN2-WIRELESS" network=192.168.11.0
¹ If you need to get an IP via DHCP via one or both of your WAN interfaces, use this:
/ip dhcp-client
add add-default-route=no disabled=no interface="ether1 - WAN1-FIBER"
add add-default-route=no disabled=no interface="ether2 - WAN2-WIRELESS"
¹ This is untested; you will need to know the gateway IP(s) for IP > Route
Masquerade rules for both WAN interfaces
/ip firewall nat
add action=masquerade chain=srcnat out-interface="ether1 - WAN1-FIBER"
add action=masquerade chain=srcnat out-interface="ether2 - WAN2-WIRELESS"
IP Address for LAN, bridge or interface
/ip address
add address=192.168.37.1/29 interface="ether4 - LAN2ROUTER" network=192.168.37.0
DHCP Pool and DHCP Server
I’m using an extended DHCP lease time and a /29 for the local network, but if you need lots of IPs or only want 1 IP, modify as needed.
/ip pool
add name=dhcp_pool0 ranges=192.168.37.2-192.168.37.6
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface="ether4 - LAN2ROUTER" lease-time=4w2d name=dhcp1
/ip dhcp-server network
add address=192.168.37.0/29 gateway=192.168.37.1
Hopefully the simplicity and straightforwardness of this will help some people. Again, I am barely familiar with this myself, but if you have questions, feel free to ask and I’ll see if I can help.