rincjohj
just joined
Topic Author
Posts: 1
Joined: Thu Mar 02, 2017 5:35 am

1 wan unlimited, 2nd wan ONLY AS BACKUP

Thu Mar 02, 2017 5:49 am

Hello guys, I am trying to configure my MikroTik with 2 WANs. First WAN with all the traffic until I lose connection, second WAN only as backup (not an unlimited MB plan), but when WAN 1 recovers connection, stop using WAN 2; remember, only as backup in case we lose internet on WAN 1.

thanks in advance
 
blajah
Member Candidate
Posts: 222
Joined: Fri Jun 12, 2015 8:58 pm
Location: Belgrade, Serbia

Re: 1 wan unlimited, 2nd wan ONLY AS BACKUP

Thu Mar 02, 2017 11:12 am

Hello,

take a look at this:
https://wiki.mikrotik.com/wiki/Advanced ... _Scripting
It should give you an idea.
 
TedjeVanEs
just joined
Posts: 20
Joined: Mon Jan 26, 2015 10:14 pm
Location: Aruba

Re: 1 wan unlimited, 2nd wan ONLY AS BACKUP

Sat Mar 18, 2017 12:25 am

I am looking for the same. The reference you gave gives a hint, but I cannot seem to get it working. I have cable internet as my primary, unmetered connection. Dynamic IP, cable modem bridged.
Secondary failover is a Huawei LTE USB dongle. Also dynamic IP, but also NATted, I think.
There seems to be something wrong with my default routing, because even when the primary is up, a lot of traffic is going through the LTE interface.
 
dskillin
newbie
Posts: 28
Joined: Mon Mar 06, 2017 5:49 pm

Re: 1 wan unlimited, 2nd wan ONLY AS BACKUP

Sat Mar 18, 2017 4:52 am

Here is a very simple example, essentially using route distances for decision making, and an open-ended NAT.
Putting in the check-gateway filter speeds up the decision making for the failover.
/interface lte
set [ find ] mac-address=36:4B:50:B7:EF:DA name=LTE-WAN
/interface bridge
add name=LOCAL-BRIDGE
/interface ethernet
set [ find default-name=ether1 ] name=ETH1-CM-WAN
set [ find default-name=ether2 ] name=ETH2-NAT
set [ find default-name=ether3 ] name=ETH3-NAT
set [ find default-name=ether4 ] name=ETH4-NAT
set [ find default-name=ether5 ] name=ETH5-NAT
/interface list
add name=WAN-INTERFACES
/ip pool
add name=LOCAL-DHCP ranges=192.168.117.101-192.168.117.199
/ip dhcp-server
add add-arp=yes address-pool=LOCAL-DHCP authoritative=yes disabled=no interface=LOCAL-BRIDGE lease-time=1h name=LOCAL-DHCP
/interface bridge port
add bridge=LOCAL-BRIDGE interface=ETH2-NAT
add bridge=LOCAL-BRIDGE interface=ETH3-NAT
add bridge=LOCAL-BRIDGE interface=ETH4-NAT
add bridge=LOCAL-BRIDGE interface=ETH5-NAT
/interface list member
add interface=ETH1-CM-WAN list=WAN-INTERFACES
add interface=LTE-WAN list=WAN-INTERFACES
/ip address
add address=192.168.117.1/24 interface=LOCAL-BRIDGE network=192.168.117.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ETH1-CM-WAN use-peer-dns=no use-peer-ntp=no
add default-route-distance=2 dhcp-options=hostname,clientid disabled=no interface=LTE-WAN use-peer-dns=no use-peer-ntp=no
/ip dhcp-server network
add address=192.168.117.0/24 dns-server=192.168.117.1 gateway=192.168.117.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip firewall filter
add action=accept chain=input connection-state=established,related in-interface-list=WAN-INTERFACES
add action=fasttrack-connection chain=forward connection-state=established,related
add action=accept chain=forward connection-state=established,related
add action=drop chain=input in-interface-list=WAN-INTERFACES
add action=drop chain=forward in-interface-list=WAN-INTERFACES
/ip firewall nat
add action=masquerade chain=srcnat dst-address=0.0.0.0/0 src-address=192.168.117.0/24
/ip service
set telnet address=192.168.117.0/24
set ftp address=192.168.117.0/24
set www address=192.168.117.0/24
set ssh address=192.168.117.0/24
set api address=192.168.117.0/24
set winbox address=192.168.117.0/24
set api-ssl address=192.168.117.0/24
/routing filter
add chain=dynamic-in set-check-gateway=ping
/system clock
set time-zone-name=America/New_York
/system ntp client
set enabled=yes primary-ntp=129.6.15.28 secondary-ntp=129.6.15.30
 
freemannnn
Forum Veteran
Posts: 700
Joined: Sun Oct 13, 2013 7:29 pm

Re: 1 wan unlimited, 2nd wan ONLY AS BACKUP

Sat Mar 18, 2017 6:42 pm

/routing filter
add chain=dynamic-in set-check-gateway=ping
What exactly does this do? I have set up failover at a customer without this rule.
 
TedjeVanEs
just joined
Posts: 20
Joined: Mon Jan 26, 2015 10:14 pm
Location: Aruba

Re: 1 wan unlimited, 2nd wan ONLY AS BACKUP

Sat Mar 18, 2017 8:38 pm

dskillin, thank you for the script. I will try it on Monday. I think I will completely reset the configuration, to make sure nothing from my previous tries interferes.
 
dskillin
newbie
Posts: 28
Joined: Mon Mar 06, 2017 5:49 pm

Re: 1 wan unlimited, 2nd wan ONLY AS BACKUP

Sun Mar 19, 2017 12:17 am

What exactly does this do? I have set up failover at a customer without this rule.
It flags the routes set with check-gateway, which:
Periodically (every 10 seconds) checks the gateway by sending either an ICMP echo request (ping) or an ARP request (arp). If no response from the gateway is received for 10 seconds, the request times out. After two timeouts the gateway is considered unreachable. After receiving a reply from the gateway it is considered reachable and the timeout counter is reset.
Failover will happen without this; it happens more efficiently when check-gateway is employed. Note, when you're using a STATIC route this option can be baked in instead of requiring the route filter.
/ip route add check-gateway=ping distance=1 dst-address=0.0.0.0/0 gateway=10.0.0.1
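A small RouterOS script, added here as an example (it is not part of dskillin's config or MikroTik's documentation), that logs which default route is currently active, so a silent failover onto the metered LTE link does not go unnoticed. It assumes the setup above (primary DHCP default route at distance 1, LTE-WAN route at distance 2) and RouterOS v6 scripting syntax; the script and scheduler name wan-watch is made up.

```routeros
# Added example (not from the thread's config): log which default route is
# active so a failover to the metered LTE link is noticed.
# Assumes dskillin's config: primary route at distance 1, LTE-WAN at distance 2.
/system script
add name=wan-watch source={
    # all active 0.0.0.0/0 routes; with distance-based failover only one is active
    :local ids [/ip route find dst-address=0.0.0.0/0 active=yes]
    :if ([:len $ids] = 0) do={
        :log error "wan-watch: no active default route, both WANs are down"
    } else={
        :local id [:pick $ids 0]
        :local gw [/ip route get $id gateway]
        :local dist [/ip route get $id distance]
        # distance 2 is the LTE-WAN DHCP route, so anything above 1 means failover
        :if ($dist > 1) do={
            :log warning ("wan-watch: running on backup, gateway " . $gw . " distance " . $dist)
        } else={
            :log info ("wan-watch: primary WAN active, gateway " . $gw)
        }
    }
}
# run the check once a minute (scheduler name is an assumption)
/system scheduler
add name=wan-watch interval=1m on-event=wan-watch
```

The warning line shows up in /log, so it can be forwarded with the router's remote logging if you want an alert rather than a local entry.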
 
TedjeVanEs
just joined
Posts: 20
Joined: Mon Jan 26, 2015 10:14 pm
Location: Aruba

Re: 1 wan unlimited, 2nd wan ONLY AS BACKUP

Mon Mar 20, 2017 11:42 pm

dskillin, thank you again for the script. It is working! I did a complete reset and started clean.
I hope you don't mind if I have some more questions:
- Why are all eth interfaces members of the local bridge? Isn't it faster to make one master and the rest slaves? Or is that the fasttrack connection now?
- I have limited data on the LTE; is there any way to prevent big data hogs, like YouTube, from consuming it too fast?
- Why is this input rule needed? I understood that normally the only input I want to accept from outside into my router is VPN connections.
add action=accept chain=input connection-state=established,related in-interface-list=WAN-INTERFACES
- Don't I need some rule in the forward chain to allow new TCP connections originating from the LAN side?
 
dskillin
newbie
Posts: 28
Joined: Mon Mar 06, 2017 5:49 pm

Re: 1 wan unlimited, 2nd wan ONLY AS BACKUP

Tue Mar 21, 2017 8:01 am

I'm glad the script is working for you.

I used a local bridge for simplicity; it's hard to guess exactly what you have on your side. Some devices don't have switch options, and other configs may have distracted or confused the issue. Ports off my router are trunks; someone else may be using them as access ports into various VLANs. Configure them to suit your specific needs and performance objectives.

Accepting established,related on the WAN allows traffic you've initiated to pass through the router. Note the input and forward drops on the WAN interfaces. Again, a very simple config with basic WAN-related protection. Adding to your VPN only, you almost certainly are going to want the things you request to be allowed through the firewall (DNS, HTTP, HTTPS). Should you not allow established,related, you won't be browsing the web. :)

There are a few schools of thought on how to handle internal interfaces; if you choose to be restrictive, then yes, you would need allow rules between your internal networks. The sample I gave assumed a flat topology, with no need for restriction.

To reduce bandwidth hogs you can take a few different approaches. The simplest would be to outright block sites or systems of concern. You could also look at queues, but that will start to get complicated. The rules below will slow everything on LTE down to 512k; you can be more precise or creative with marking traffic.
/ip firewall mangle
add action=mark-packet chain=forward in-interface=LTE-WAN new-packet-mark=LTE-LIMIT passthrough=no
/queue simple
add max-limit=512k/512k name=LTE-IN-LIMIT packet-marks=LTE-LIMIT queue=ethernet-default/ethernet-default target=""
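An added example, not dskillin's rules or MikroTik's own code, that carries the LTE shaping further: it marks connections on the LTE path in both directions (the mangle rule above only marks packets arriving on LTE-WAN, so uploads are not shaped), keeps heavy destinations off the metered link with an address list, and excludes LTE connections from fasttracking, because fasttracked packets bypass mangle and simple queues and would slip past the 512k cap. It assumes the interface names from dskillin's config; the list name LTE-DENY and the 203.0.113.0/24 entry are constructed placeholders.

```routeros
# Added example (not from the thread's config). Assumes dskillin's interface
# names: LTE-WAN is the metered backup, ETH1-CM-WAN the unmetered primary.
/ip firewall mangle
# mark every connection that crosses the LTE link, whichever side opened it
add chain=forward in-interface=LTE-WAN action=mark-connection new-connection-mark=LTE-CONN passthrough=yes comment="added: connection arrived via LTE"
add chain=forward out-interface=LTE-WAN action=mark-connection new-connection-mark=LTE-CONN passthrough=yes comment="added: connection leaving via LTE"
# mark the packets of those connections so the simple queue matches both directions
add chain=forward connection-mark=LTE-CONN action=mark-packet new-packet-mark=LTE-LIMIT passthrough=no comment="added: packets on LTE"
/ip firewall address-list
# constructed sample entry (TEST-NET-3); replace with the ranges of the services to keep off LTE
add list=LTE-DENY address=203.0.113.0/24 comment="added: heavy service, block on metered link"
/ip firewall filter
# fasttracked packets skip mangle and simple queues, so this replaces the
# unconditional fasttrack-connection rule from the earlier config: only the
# cable WAN is fasttracked, LTE connections stay in the slow path and get shaped
add action=fasttrack-connection chain=forward connection-state=established,related in-interface=!LTE-WAN out-interface=!LTE-WAN comment="added: fasttrack cable WAN only"
# refuse new connections to listed destinations while they would leave over LTE;
# place this before the generic established,related accept so it sees the first packet
add chain=forward out-interface=LTE-WAN dst-address-list=LTE-DENY action=reject reject-with=icmp-network-unreachable comment="added: keep hogs off LTE"
/queue simple
# one queue for both directions, keyed on the packet mark rather than a target subnet
add name=LTE-LIMIT max-limit=512k/512k packet-marks=LTE-LIMIT target="" comment="added: cap LTE to 512k each way"
```

While the cable WAN is up the LTE rules simply never match, so the primary path keeps full fasttrack throughput.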
 
TedjeVanEs
just joined
Posts: 20
Joined: Mon Jan 26, 2015 10:14 pm
Location: Aruba

Re: 1 wan unlimited, 2nd wan ONLY AS BACKUP

Wed Mar 22, 2017 8:08 pm

The rate limiting will solve most of my problems, and I can add rules to block certain IPs / ranges.
...
Accepting established,related on the WAN allows traffic you've initiated to pass through the router. Note the input and forward drops on the WAN interfaces. Again, a very simple config with basic WAN-related protection. Adding to your VPN only, you almost certainly are going to want the things you request to be allowed through the firewall (DNS, HTTP, HTTPS). Should you not allow established,related, you won't be browsing the web. :)
...
I understand I need traffic going through the firewall ;) I also get accepting established and related TCP connections from the WAN in the FORWARD chain. What confuses me is that I need to accept them on the INPUT chain. Is that because of DNS requests originating in the router?? The rule is needed; without it, not much surfing da interwebs, that I tested :D
(Perhaps I'm going off-topic now...)
Thank you, your script did exactly the failover needed. I hope the original topic starter is happy too.