BartKindtNZ
just joined
Topic Author
Posts: 10
Joined: Fri Dec 20, 2024 7:51 pm

Failover between Routerboard Hex(Starlink) and a SXT LTE6

Fri Dec 20, 2024 8:22 pm

I have a Routerboard Hex and just purchased a SXT LTE6 as backup internet feed.
The Routerboard is set as Router and is connected in its Internet Port to a Starlink device. One Ethernet port is connected to a large Giga switch, which links a large network together, including (via microwave links) to a remote site.
At this remote site I have installed the new SXT LTE6, connected to the cellular network.
This is intended as a failover backup. What I want may not be possible, but:

Is there any way I can program the Routerboard to start using the SXT LTE6 for Internet if the Starlink fails?
I have seen the various failover scripts(?) but it is not clear to me how I can force the Routerboard router NOT to use its 'Internet' Port, but instead to use an IP address on the local LAN (via a single Ethernet port connected to the main Switch).

An additional question: The SXT LTE6 is set up as a Bridge. But it still has an external 'Internet' IP address with a box called "Firewall Router". Is this some unique new system to mix a Bridge with a Router?
 
anav
Forum Guru
Posts: 21892
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Fri Dec 20, 2024 10:13 pm

Well, I suspect you will need to set up VLANs, as the connection to the remote site (the backup internet part) will have to come on the same port and on a VLAN to be terminated as a WAN connection on the hEX.
 
BartKindtNZ
just joined
Topic Author
Posts: 10
Joined: Fri Dec 20, 2024 7:51 pm

Fri Dec 20, 2024 10:51 pm

I see what you mean, that would be the start.
You being a 'guru', can you give me advice on how I could set this up on the Routerboard (v6.49.17)?
 
anav
Forum Guru
Posts: 21892
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Fri Dec 20, 2024 10:59 pm

I would probably upgrade to 7.16.2 but it's not absolutely necessary.
However doing so would allow you to remotely reach via BTH wireguard VPN, both the router and the LXT for configuration/troubleshooting issues.

This is the bible on vlans.... viewtopic.php?t=143620
 
Amm0
Forum Guru
Posts: 4324
Joined: Sun May 01, 2016 7:12 pm
Location: California

Fri Dec 20, 2024 11:53 pm

There are a few ways to design this....

But, if you want something basic without VLANs or "passthrough".... I don't see harm in leaving the hEX as is, and then put the SXT on the hEX LAN.
i.e. assuming all have default configuration, the most basic failover would be to:
- set the ip address of SXT to 192.168.88.2
- setup SXT as bridge: i.e. disable dhcp-server, add ether1 to bridge ports, remove ether1 from WAN in /interface/list
- make sure LTE is in WAN in /interface/list and NAT masquerade rule exists for WAN (or lte1 directly)
- then.... connect the SXT to a LAN port on hEX
- on hEX, then you add a route to the SXT with a higher distance=, so "/ip/route add gateway=192.168.88.2 distance=2"

That's IMO the most basic way to start. And it will failover if you physically unplug the starlink with just the above. But it will not catch other network failures. Now the above lets you test something, then move on to actually doing better failover detection once the basic plumbing is working, which gets to be more involved depending on needs.

Presumably your starlink is using DHCP client to get its address & using a public IP. In which case, you can add a "check-gateway=ping" to the default route to starlink, which will at least ping the earthstation to "test starlink is up". To do this, you can add a script to the /ip/dhcp-client for starlink on hEX:
:if ($bound=1) do={/ip route set [/ip route find gateway=$"gateway-address"] check-gateway=ping}
 


Finally, you could also perhaps use the SXT as a backup router using VRRP for your LAN – which means if SXT and HEX both were connected to the LAN switch, then EITHER could provide routing for LAN even if one router's hardware failed/powered-off/rebooted. But this could always be added later too.
Last edited by Amm0 on Sat Dec 21, 2024 6:58 am, edited 2 times in total.
 
BartKindtNZ
just joined
Topic Author
Posts: 10
Joined: Fri Dec 20, 2024 7:51 pm

Sat Dec 21, 2024 1:51 am

Thanks for all that, I will work my way through the VLAN issue first.
Re the version: v6.49.17 was the latest update it just did, automatically.
I am not sure if the hardware allows for an even later version, if I find a way to download it.
I am scared to brick the unit....
 
BartKindtNZ
just joined
Topic Author
Posts: 10
Joined: Fri Dec 20, 2024 7:51 pm

Sat Dec 21, 2024 6:52 am

Amm0: Your post crossed mine I think; I will try your idea first.
Thanks, Bart
 
sindy
Forum Guru
Posts: 11103
Joined: Mon Dec 04, 2017 9:19 pm

Sat Dec 21, 2024 11:54 am

hEX RB750Gr3 has enough RAM to run ROS 7, but maybe yours is actually one of the older RB750 versions? 64 MB of RAM is the minimum required.

In any case, to upgrade to ROS 7 from ROS 6, you have to set the update channel to upgrade before /system package update install. If successful, the first upgrade will take you to 7.12.* and set the update channel back to stable; you have to run /system package update install again to get to the latest stable 7.* (at the time of writing, 7.16.2).

Regarding @Amm0's suggestion to connect the SXT to the LAN of the hEX - just bear in mind that under the hood it is not as simple as it seems. If a router (the hEX in your scenario) finds out that the in-interface and the out-interface are the same for a packet, it informs the sender of that packet, by means of an ICMP message, that a better route is available in the same network. So when your PC initiates a TCP connection to www.some.site, it sends its SYN packet to the hEX, which forwards it to the destination via the SXT but also tells the PC to send the subsequent packets for the address of www.some.site to the hEX directly. Leaving aside all the firewall and NAT issues related to this, since they are irrelevant in this particular setup, some devices may not handle this properly. The probability that their connections fail is quite low as if the sender merely ignores the ICMP notification about availability of a better router, the hEX will keep forwarding the packets via SXT, i.e. the device has to misunderstand the notifications in a creative way to break its routing, but if some devices work OK when the Starlink connection is available and fail when it is not, this is the direction to dig in. Use of VRRP eliminates this as it makes the PC in the example above send already the first SYN packet to the SXT.

Whatever the WAN failover scenario where NAT is involved:
  • TCP connections fail at each WAN change, but new ones can be established without problems (depending on the particular application, some have to be re-established manually, though).
  • UDP connections that get periodically refreshed (like SIP registrations, IPsec or Wireguard sessions) usually need specific treatment after a WAN change if they keep passing through a device that did the NAT for one WAN even while routed via the other WAN. So this will become interesting if you eventually choose the VLAN approach where the hEX will use a dedicated VLAN to send the traffic to internet via the SXT.
 
Amm0
Forum Guru
Posts: 4324
Joined: Sun May 01, 2016 7:12 pm
Location: California

Sat Dec 21, 2024 6:11 pm

All true @sindy. I do normally use VRRP on the LANs, so forgot the ICMP would further delay "fail-back". My generalized worry is always over-engineering failover so that it itself produces outages, like here starlink should be pretty reliable, so failover should be pretty rare... So if perhaps "reopening a tab" is needed after failover, that may not be the end of the world for some failover cases. If more rapid failover/failback is desired, all the approaches do start getting more involved/complex.

Since we're talking about a hEX and SXT, neither are especially powerful routers & there is already a switch... So my thought would be to use VRRP on LAN, so either SXT or HEX could be the "main" router, with the VRRP priority being on HEX. This has the added benefit that if you upgrade and/or end up with a messed up configuration, the other router allows the main LAN to still work. And the defaults on both routers have a firewall, WAN on ether1/lte1... so VRRP largely means changing the default LAN IP address from .1 on each router to .2 and .3 & a new VRRP interface with 192.168.88.1. If VLANs are added, then those too need a VRRP interface, and separate .2 and .3 IP addresses on the VLAN interface on each router.
 
BartKindtNZ
just joined
Topic Author
Posts: 10
Joined: Fri Dec 20, 2024 7:51 pm

Sat Dec 21, 2024 9:26 pm

@sindy: It is a RB750 r2. I don't see the available memory.
 
sindy
Forum Guru
Posts: 11103
Joined: Mon Dec 04, 2017 9:19 pm

Sat Dec 21, 2024 9:31 pm

/system resource print
 
BartKindtNZ
just joined
Topic Author
Posts: 10
Joined: Fri Dec 20, 2024 7:51 pm

Sat Dec 21, 2024 10:03 pm

@All: I am afraid most of this is going way over my head.
I am familiar with basic routing etc; but not with the MikroTik / Winbox interface.
I have changed the SXT to another IP /24 network (192.168.51.254), left everything as default (Bridge, radio interface at WAN). NAT is checked.

I added an IP Route (Gateway) to it from the Hex, but I get a 'Not available' for the SXT Gateway on 192.168.51.254. (It does show on the Winbox on my PC, but I cannot connect to it)
 
BartKindtNZ
just joined
Topic Author
Posts: 10
Joined: Fri Dec 20, 2024 7:51 pm

Sat Dec 21, 2024 10:07 pm

@Sindy: I do have 64 MB RAM. In my case, is it worth upgrading to 7.x? Are there major advantages for what I am trying to do? Thanks.
 
sindy
Forum Guru
Posts: 11103
Joined: Mon Dec 04, 2017 9:19 pm

Sat Dec 21, 2024 10:14 pm

Unless you need Wireguard, OpenVPN over UDP, chacha20poly1305 encryption in IPsec, or json serialization/deserialization (or some other one of the many little improvements of the scripting language), I can see no reason to switch to ROS 7.
 
sk0003
Frequent Visitor
Posts: 60
Joined: Sun Sep 17, 2023 6:52 pm

Sat Dec 21, 2024 10:40 pm

I have a very similar setup working perfectly.

I have a rb5009 with Starlink in bypass mode as WAN1 and then the LHGG LTE6 as secondary backup with LTE Passthrough. I also have recursive routes setup and use Netwatch for the failover along with a script for telegram notifications when WAN1 is down.

Starlink script in IP/DHCP Client/Ether1-WAN/Advanced
:if ($bound=1) do={
/ip route add distance=1 gateway=$"gateway-address" dst-address="192.5.5.241" scope=30 target-scope=31 comment="Starlink"
/ip route add distance=3 gateway="192.5.5.241" check-gateway=ping scope=30 target-scope=32 comment="Starlink"
} else={
/ip route remove [/ip route find comment="Starlink"]
}
LHGG LTE6 script in IP/DHCP Client/ETHER8-WAN2/Advanced
:if ($bound=1) do={
/ip route add distance=1 gateway=$"gateway-address" dst-address="8.8.4.4" scope=30 target-scope=10 comment="ISP2"
/ip route add distance=4 gateway="8.8.4.4" check-gateway=ping scope=30 target-scope=32 comment="ISP2"
} else={
/ip route remove [/ip route find comment="ISP2"]
}
Watch these two videos and follow exactly to set up lte passthrough on your SXT.
https://www.youtube.com/watch?v=8cD1cGH0e3Y
https://www.youtube.com/watch?v=IZFAeLbujso

Let me know if you need any more assistance with recursive routes.
 
BartKindtNZ
just joined
Topic Author
Posts: 10
Joined: Fri Dec 20, 2024 7:51 pm

Sun Dec 22, 2024 12:47 am

@sk0003
I managed to get SXT LTE6 "Ether1" into Passthrough Interface mode. I should still be able to reach it via Ether2 for programming.
Its default IP address is still 192.168.188.1
So how am I supposed to connect to it? In your Starlink script, that IP address 192.5.5.241, where does that come from? Is that the Starlink DHCP supplied address?
If so, this could change any time? And the $"gateway-address", is that internally set or do I have to set it?
Then, I have tried before to set a Route to the IP address of the SXT which is on another network. This does not work. It cannot reach it.

You also seem to have a WAN2. I only have a single WAN. The SXT is on the LAN... Can I still use your system?
 
sk0003
Frequent Visitor
Posts: 60
Joined: Sun Sep 17, 2023 6:52 pm

Sun Dec 22, 2024 10:54 am

Once you have it in passthrough mode like in the videos, you should be able to see it in Winbox as a neighboring device through your router. You would access it through the management VLAN which was in the video.

The 192.5.5.241 is the IP that is being pinged in my recursive route for the primary. Instead of 8.8.8.8, Google's IP for example.

This is what I have in my IP/Routes. You can see the primary is the one with the 192.5.5.241 and the secondary is with 8.8.4.4.
add disabled=no distance=1 dst-address=192.5.5.241/32 gateway=192.168.1.1 \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=31
add disabled=no distance=1 dst-address=8.8.4.4/32 gateway=192.168.188.1 \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=31
add check-gateway=ping disabled=no distance=3 dst-address=0.0.0.0/0 gateway=\
    192.5.5.241 pref-src="" routing-table=main scope=30 suppress-hw-offload=\
    no target-scope=32
add check-gateway=ping disabled=no distance=4 dst-address=0.0.0.0/0 gateway=\
    8.8.4.4 pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=32
Then in netwatch the following. It only checks the primary. If down, it auto switches over because of the ip/routes setup above and runs a script to send a message via a telegram bot.
/tool netwatch
add disabled=no down-script="/system/script/run DOWN;" host=192.5.5.241 \
    http-codes="" interval=1m packet-count=10 packet-interval=1s start-delay=\
    3s startup-delay=2m test-script="" thr-avg=200ms timeout=3s type=icmp \
    up-s
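
Added example (not part of the original posts and not MikroTik code): a small Python model of the route selection that the recursive-route setup above relies on, compared with a check-gateway=ping aimed only at the first hop. It takes the addresses, distances and scopes from the export above; the Link states and the first-hop-only route set are constructed, and the model assumes gateways are resolved only through connected networks and /32 host routes.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

CONNECTED_SCOPE = 10  # scope RouterOS assigns to connected routes


@dataclass(frozen=True)
class Route:
    dst: str
    gateway: str
    distance: int
    scope: int = 30          # RouterOS default for static routes
    target_scope: int = 10   # RouterOS default
    check_gateway: bool = False


@dataclass
class Link:
    """Constructed state of one uplink, keyed by its first-hop address."""
    up: bool = True        # the first hop itself answers ping
    internet: bool = True  # hosts beyond the first hop answer ping


def resolve_next_hop(route, routes, connected):
    """First hop for route.gateway, using only routes with scope <= target-scope."""
    gw = ip_address(route.gateway)
    if CONNECTED_SCOPE <= route.target_scope and any(
            gw in ip_network(net) for net in connected):
        return route.gateway
    for other in routes:  # simplification: recurse via /32 host routes only
        net = ip_network(other.dst)
        if (other is not route and net.prefixlen == 32 and gw in net
                and other.scope <= route.target_scope):
            return resolve_next_hop(other, routes, connected)
    return None


def ping(target, first_hop, links):
    """check-gateway=ping: the probe travels over the resolved first hop."""
    link = links.get(first_hop)
    if link is None or not link.up:
        return False
    return True if target == first_hop else link.internet


def active_default(routes, connected, links):
    """First hop of the usable default route with the lowest distance."""
    usable = []
    for route in routes:
        if ip_network(route.dst).prefixlen != 0:
            continue
        hop = resolve_next_hop(route, routes, connected)
        if hop is None:
            continue  # gateway unresolvable: route stays inactive
        if route.check_gateway and not ping(route.gateway, hop, links):
            continue  # probe failed: route is taken out of service
        usable.append((route.distance, hop))
    return min(usable)[1] if usable else None


CONNECTED = ["192.168.1.0/24", "192.168.188.0/24"]
STARLINK, LTE = "192.168.1.1", "192.168.188.1"

# Constructed comparison: check-gateway=ping aimed at the first hop only.
FIRST_HOP_CHECK = [
    Route("0.0.0.0/0", STARLINK, 1, check_gateway=True),
    Route("0.0.0.0/0", LTE, 2),
]
# Distances, scopes and probe hosts as in the /ip route export above.
RECURSIVE = [
    Route("192.5.5.241/32", STARLINK, 1, scope=30, target_scope=31),
    Route("8.8.4.4/32", LTE, 1, scope=30, target_scope=31),
    Route("0.0.0.0/0", "192.5.5.241", 3, 30, 32, check_gateway=True),
    Route("0.0.0.0/0", "8.8.4.4", 4, 30, 32, check_gateway=True),
]


def first_hop(routes, starlink=None, lte=None):
    links = {STARLINK: starlink or Link(), LTE: lte or Link()}
    return active_default(routes, CONNECTED, links)


if __name__ == "__main__":
    upstream_dead = Link(up=True, internet=False)
    print("first-hop check:", first_hop(FIRST_HOP_CHECK, starlink=upstream_dead))
    print("recursive      :", first_hop(RECURSIVE, starlink=upstream_dead))
```

In the model, when the Starlink first hop still answers but nothing beyond it does, the first-hop check keeps the default route on 192.168.1.1 while the recursive set moves to 192.168.188.1.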
 
BartKindtNZ
just joined
Topic Author
Posts: 10
Joined: Fri Dec 20, 2024 7:51 pm

Mon Dec 23, 2024 8:57 pm

@sk0003 and all;
I spent 2 days on this, lost my entire system 8 times and had to reset to factory settings, etc.
So what I got right now:
- In the SXT LTE6 I set up a new Vlan called "net". As per video, I set the LTE in passthrough to "net". I should not have to do anything else.
- In the Hex, I also added the Vlan "net" and I added a Default Route to it with a distance of 3. Route shows as 'net reachable' in blue.
I have NOT yet added any scripts; just manually testing.

In the Hex, when I try to ping 8.8.8.8 from the Tools/Ping using the Interface "net" it does not work.
When I ping 8.8.8.8 from my PC, and I pull the plug on the Starlink, I lose internet. When I plug it back on, it does not come back, and I have to reset my PC Ethernet interface.

In all my tests, I have not been able to get from my Hex to the Internet via the SXT. Not when it is in default Bridge mode, and not when it is in Passthrough mode.

SXT:
/interface/lte/apn> pr
 #   NAME     APN       ADD-DEFAULT-ROUTE  DEFAULT-ROUTE-DISTANCE  PASSTHROUGH-INTERFACE
 0 * default  internet  yes                2                       net

Hex:
/ip route> pr
 #      DST-ADDRESS        PREF-SRC        GATEWAY      DISTANCE
 0 ADS  0.0.0.0/0                          192.168.1.1         1
 1   S  0.0.0.0/0                          net                 3
 2 ADC  192.168.1.0/24     192.168.1.195   ether1              0
 3 ADC  192.168.50.0/24    192.168.50.254  bridge              0
 4 ADC  192.168.188.0/24   192.168.188.2   net                 0

Any help welcome...
 
sk0003
Frequent Visitor
Posts: 60
Joined: Sun Sep 17, 2023 6:52 pm

Mon Dec 23, 2024 9:11 pm

I am not seeing the “man” VLAN which is the management VLAN. That is how you access the LTE. Have you followed through the video exactly as it says? I will print the configs from mine in a bit.
 
sk0003
Frequent Visitor
Posts: 60
Joined: Sun Sep 17, 2023 6:52 pm

Tue Dec 24, 2024 1:33 am

Here is my LTE config
/interface vlan
add interface=ether1 name=man vlan-id=2
add interface=ether1 name=net vlan-id=3
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
add apn=orange authentication=pap ip-type=ipv4 passthrough-interface=net \
    passthrough-mac=auto use-network-apn=yes user=orange
/interface lte
set [ find default-name=lte1 ] allow-roaming=yes apn-profiles=orange band="" \
    sms-protocol=auto sms-read=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.188.10-192.168.188.254
/ip dhcp-server
add address-pool=default-dhcp disabled=yes interface=ether1 lease-time=10m \
    name=defconf
/port
set 0 name=serial0
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface detect-internet
set detect-interface-list=WAN
/interface list member
add comment=defconf interface=ether1 list=LAN
add comment=defconf interface=lte1 list=WAN
add interface=man list=LAN
/ip address
add address=192.168.188.1/24 comment=defconf disabled=yes interface=ether1 \
    network=192.168.188.0
/ip dhcp-client
add interface=man
/ip dhcp-server network
add address=192.168.188.0/24 comment=defconf dns-server=192.168.188.1 \
    gateway=192.168.188.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.188.1 comment=defconf name=router.lan type=A
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=Europe/Skopje
/system identity
set name="LHGG LTE6"
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool romon
set enabled=yes
On the main router. Also, remember to add "man" interface to your LAN interface list.
/interface vlan
add interface=ether8 name=man vlan-id=2
add comment=WAN2 interface=ether8 name=net vlan-id=3
add disabled=yes interface=bridge name=vlan20 vlan-id=20
 
BartKindtNZ
just joined
Topic Author
Posts: 10
Joined: Fri Dec 20, 2024 7:51 pm

Tue Dec 24, 2024 2:52 am

@sk0003
I would like to compare that with mine; how do you 'export' the config you are showing me? That 'Code All'?
 
sk0003
Frequent Visitor
Posts: 60
Joined: Sun Sep 17, 2023 6:52 pm

Tue Dec 24, 2024 9:26 am

In Winbox, go to New Terminal and type in /export file=namefile.rsc

Then go to Files in the menu and right click the file that was created and Download to your PC. Then open that with a text editor.
 
jaclaz
Forum Guru
Posts: 1981
Joined: Tue Oct 03, 2023 4:21 pm

Tue Dec 24, 2024 3:57 pm

Complete instructions here:
viewtopic.php?t=203686#p1051720
