Hi, i have the following scenario in almost six customers with the same problem:
ether1: WAN1
ether2: WAN2
ether3: LAN

WAN1 is primary connection with distance 1
WAN2 is backup connection with distance 2
I set recursive routes for WAN1 with ping detection so when WAN1 loses connection, the WAN2 becomes active. The failover is working perfectly fine, when primary connection down, the backup is working.
The problem is that there's no way to reach the router from WAN2 from outside, and no way to route specific traffic from LAN to WAN2, not even the router can ping to 8.8.4.4 thru WAN2 if WAN1 is not failing. So to use WAN2 i need to link down WAN1 first.
Only in one customer with (i think) the same configuration i can use WAN1 and WAN2 both from outside and inside, use mangle, routing marks, pings, etc thru WAN2.
In some customers I have static routing, in others, have dynamic routing... I can't find the cause of the problem.
I would appreciate any help. Thanks in advance

What do you mean reach wan2 from the outside.
It sounds as if you configured the router with incomplete requirements.

Who need outside access in WAN2 and for what reasons??

I mean access to winbox from backup connection.
That's not very important because i can access from primary connection, and in case the primary fails, the failover to the backup connection is working fine and i can access anyway to winbox (only if primary fails).
The big problem is there is no way to send particular traffic from LAN thru WAN2 (backup) if WAN1 is working.

Here is the config in one of the routerboard's customer with the problem metioned above:

Deleted for security reasons

What do you mean connect to winbox from The internet.
That is a big security NO NO.

Is this the rule you are using.................uh oh!!
add action=accept chain=input comment="allow whitelist" in-interface-list=WAN \
src-address-list=whitelist

EVEN WORSE, couldnt imagine it being worse but here it is.......
add action=accept chain=input comment="winbox remote management" dst-port=\
8291 protocol=tcp

Was your intention really, I mean really to allow anyone on the Router AND the Internet Access to your Router over the port you are using for winbox??
This rule DEFEATS the main purpose of the rule you placed just before it. If it wasnt so sad I would be laughing.
Please tell me your config is gleaned from watching youtube videos!!

The only methods tor reach and configure the router from the outside should be.
a. VPN to router first, then use winbox
b. Use port knocking and at least via PPP VPN
c. Use SSTP (such as winbox remote).

For a business applcation only a. is generally acceptable.
For home use all three are suitable.

I use both wireguard VPN and SSTP.

++++++++++++++++++++++++++++++++++++++++
As far as config goes, complex queuing beyond my knowledge, but
maybe one point is that ether5 needs to be part of the LAN interface!!
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=ether2 list=WAN
add interface=ether5 list=LAN

I am also uncomfortable when one uses two pools from the same subnet, but thats just me and is probably perfectly legit!
add name=dhcp ranges=192.168.10.100-192.168.10.200
add name=pool-guest ranges=192.168.11.2-192.168.11.254
add name=l2tp-dhcp ranges=192.168.10.80-192.168.10.99.

Further I dont understand the lt2p having a pool, but no server, no IP address etc.......

Generally speaking having this as an available service on the router is also a security risk (unencrypted)
set www address=192.168.10.0/24

Final comment, I see a bunch of mangle rules (which I avoid like the plague) but they seem to be geared towards facebook and whatsapp.
To my knowledge this traffic cannot be denied or managed in any way being https traffic but if it works for you??????

In terms of failover, its hard to make any judgements (IP route) when one only sees one of the WAN connections in the config

Thanks for your reply, I really appreciate the security advice. The whitelist is only for my ip address so I can have unlimited access to the router from outside. Why is that a security risk if my IP is the only in whitelist?

Regarding to my main problem, here is the configured routes:

# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 A S 0.0.0.0/0 8.8.8.8 1
1 DS 0.0.0.0/0 192.168.3.1 2
2 A S 8.8.8.8/32 192.168.2.1 1
3 ADC 192.168.2.0/24 192.168.2.2 ether1 0
4 ADC 192.168.3.0/24 192.168.3.2 ether2 0
5 ADC 192.168.10.0/24 192.168.10.1 bridge 0
6 ADC 192.168.11.0/24 192.168.11.1 bridge-guest 0

Because that provides you with very little security actually.
Any public IP can be spoofed on the internet and what you have done:

a. The first rule basically says my bank vault is open to anyone with the right key. The key is not some encrypted algorithm, its not even a strong password,
its only an IP addresses. Therefore, its easily hackable by those who know what they are doing.

b. The second rule is basically says, anybody, can access my router on this port, they dont need even need a key. Also easily hackable by those that know what they are doing.

EASY Pickings..........

The fact that I have to explain this to you means you dont know what you are doing with this router and should NOT have deviated from the default settings until you did!!!
What I called mindlessly brave, but at least we can nip this in the bud now.

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Once we fix security the other stuff can be addressed.
Can you confirm you get public IPs from your ISP providers?
Obviously, one doesnt show their public IP or public gateway IP, on a config here and thus most if they want to show config just replace with letters or false numbers...
Reason I ask is that I dont see any public IP gateways in your Ip routes??

I don't imagine how an attacker can know what is the only ip whitelisted, and even if would know the IP, wont gain access to the router spoofing that address, thanks anyway for the advice.

Can anyone help me with the problem that there is no traffic thru wan2 when wan1 is active? even marking traffic to pass thru the wan2 route?
Thanks

Final comment, I see a bunch of mangle rules (which I avoid like the plague) but they seem to be geared towards facebook and whatsapp.
To my knowledge this traffic cannot be denied or managed in any way being https traffic but if it works for you??????

In terms of failover, its hard to make any judgements (IP route) when one only sees one of the WAN connections in the config

Related to your question, yes it works very well to block instagram and facebook traffic with that mangle and filter rules.

Sorry my rule of thumb is not to provide any assistance to an insecure router setup.
Nothing matters unless that is fixed.
Perhaps others less scrupulous will assist.
Will keep an eye on the thread though.................

You are right regarding security issues, i have fixed in another customer with same failover problem. This is the configuration: (with some time i will fixit in every customer)

# oct/12/2021 18:58:34 by RouterOS 6.48.1
# software id =
#
# model = RB951Ui-2nD
# serial number =
/interface l2tp-server
add name=l2tp-XXXX user=xxxx
/interface bridge
add admin-mac=74:4D:28: arp=proxy-arp auto-mac=no comment=defconf \
name=bridge
/interface ethernet
set [ find default-name=ether1 ] comment=Telecentro mac-address=\
74:4D:28:
set [ find default-name=ether2 ] comment=Fibertel mac-address=\
74:4D:28:
set [ find default-name=ether3 ] mac-address=74:4D:28:
set [ find default-name=ether4 ] mac-address=74:4D:28:
set [ find default-name=ether5 ] mac-address=74:4D:28:
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=default-dhcp ranges=192.168.0.100-192.168.0.199
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
/ppp profile
add local-address=default-dhcp name=l2tp remote-address=default-dhcp
/interface bridge port
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface l2tp-server server
set authentication=mschap2 default-profile=l2tp enabled=yes use-ipsec=\
required
/interface list member
add interface=bridge list=LAN
add interface=ether1 list=WAN
add interface=ether2 list=WAN
add interface=l2tp-XXXX list=LAN
/ip address
add address=192.168.0.1/24 comment=defconf interface=bridge network=\
192.168.0.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=5m
/ip dhcp-client
add add-default-route=no disabled=no interface=ether1
add default-route-distance=2 disabled=no interface=ether2 use-peer-dns=no
/ip dhcp-server network
add address=192.168.0.0/24 comment=defconf gateway=192.168.0.1
/ip dns
set allow-remote-requests=yes cache-max-ttl=1d servers=\
8.8.8.8,8.8.4.4,1.1.1.1
/ip dns static
add address=192.168.0.1 name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=drop chain=input comment="deny external dns request" \
connection-state=new dst-port=53 in-interface-list=WAN log-prefix=\
dnsqueries protocol=udp
add action=drop chain=input connection-state=new dst-port=53 \
in-interface-list=WAN protocol=tcp
add action=accept chain=input comment="vpn l2tp" protocol=ipsec-esp
add action=accept chain=input dst-port=1701,500,4500 protocol=udp
add action=drop chain=input comment="block WAN ping" in-interface-list=WAN \
protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN

/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set dccp disabled=yes
/ip route
add check-gateway=ping distance=1 gateway=xxx.xxx.154.129
add distance=1 dst-address=xxx.xxx.154.129/32 gateway=xxx.xxx.220.1 scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.0.0/24 disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ppp secret
add name=XXXX profile=l2tp service=l2tp
/system clock
set time-zone-name=America/Argentina/Buenos_Aires
/system identity
set name=XXXXXXXXXXXXX
/system ntp client
set enabled=yes primary-ntp=168.96.251.195 secondary-ntp=200.160.7.186 \
server-dns-names=8.8.8.8,8.8.4.4,1.1.1.1
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Just had a quick look and looks way better.
Are the customers responsible for configuring the router.
Or is that the purpose. of the VPN tunnels, aka for you as admin to be able to access the routers for admin purposes??

Just be sure that the ip route gateway numbers you have entered are fake numbers and not real gateway numbers.......
Yes make sure you edit out any real numbers sooner rather than later.

Thanks for your quick reply. I am responsible for the configuration, that's the only purpose of the l2tp tunnel, just to let me in to access via winbox in a secure manner.
The gateway numbers are real and will change tomorrow with a modem reconfiguration and router replacement (CRS)

Remove the export, it says more than you think... 240... with open WinBox and hackable RouterOS version...

It will be nice when wireguard is out of beta as its far easier to setup than any other VPN.
I can access my router easily with my smartphone as well.

Remove the export, it says more than you think... 240... with open WinBox and hackable RouterOS version...

Thanks I hope with the edit I have made its better