Mikrotik WAN Failover / Bonding

powermzii

So I am trying to set up WAN failover on a hAP AC2. I've tried the guides and videos online but the 2nd WAN connection gets no traffic.
  1. The 2 WANs are RAIN 5G and Telkom LTE
  2. Rain 5G is on Ether 1 and has IP Passthrough enabled so I get a 10.x.x.x address. The route is available and reachable and internet works fine on here
  3. Telkom LTE is to be set up on Ether 2 and here I get a 192.168.8.x address from the LTE router in DMZ
  4. Set up mangle rules to mark the packets and connections for Rain and Telkom on the respective interfaces for inbound traffic and used the same to point to the relevant outbound interface
When I plug my Telkom into Ether 2, no data flows and I lose internet connectivity completely

Followed this video -


Anyone out there able to help? Also happy to post my config
 
I gave up on the load balancing, never got it to work.
 
OK, after much tinkering I managed to get FAILOVER to work. For those interested, the config is below for ROS 6.46.6.
Tested by unplugging the Rain connection and everything switched over to the Telkom one.

Code:
/interface bridge
add dhcp-snooping=yes igmp-snooping=yes name="LAN Bridge"

/interface ethernet
set [ find default-name=ether3 ] comment="Ethernet 3" name=LAN
set [ find default-name=ether1 ] comment="Ethernet 1" l2mtu=1600 name=RAIN
set [ find default-name=ether2 ] comment="Ethernet 2" l2mtu=1600 name=Telkom
set [ find default-name=ether4 ] comment="Ethernet 4" name=VOIP
set [ find default-name=ether5 ] comment="Ethernet 5"

/interface list
add name=WAN
add name=LAN/

/interface detect-internet
set detect-interface-list=WAN internet-interface-list=WAN lan-interface-list=\
    LAN/ wan-interface-list=WAN
    
/ip dhcp-client
add disabled=no interface=RAIN use-peer-dns=no
add add-default-route=no disabled=no interface=Telkom use-peer-dns=no

/ip firewall mangle
add action=accept chain=prerouting dst-address=10.0.0.0/24 in-interface=\
    "LAN Bridge"
add action=accept chain=prerouting dst-address=192.168.8.0/24 in-interface=\
    "LAN Bridge"
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=RAIN new-connection-mark=RAIN_Conn passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=Telkom new-connection-mark=Telkom_Conn passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local in-interface="LAN Bridge" new-connection-mark=\
    RAIN_Conn passthrough=yes per-connection-classifier=both-addresses:2/0
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local in-interface="LAN Bridge" new-connection-mark=\
    Telkom_Conn passthrough=yes per-connection-classifier=both-addresses:2/1
add action=mark-routing chain=prerouting connection-mark=RAIN_Conn \
    in-interface="LAN Bridge" new-routing-mark=to_RAIN passthrough=yes
add action=mark-routing chain=prerouting connection-mark=Telkom_Conn \
    in-interface="LAN Bridge" new-routing-mark=to_Telkom passthrough=yes
add action=mark-routing chain=output connection-mark=RAIN_Conn \
    new-routing-mark=to_RAIN passthrough=yes
add action=mark-routing chain=output connection-mark=Telkom_Conn \
    new-routing-mark=to_Telkom passthrough=yes
    
/ip firewall nat
add action=masquerade chain=srcnat out-interface=RAIN
add action=masquerade chain=srcnat out-interface=Telkom

/ip route
add check-gateway=ping distance=1 gateway=RAIN routing-mark=to_RAIN
add check-gateway=ping distance=2 gateway=Telkom routing-mark=to_Telkom
add distance=1 gateway=10.0.0.1
add distance=1 gateway=RAIN
add check-gateway=ping distance=2 gateway=192.168.8.1
 
What happens if your internet dies, and not your router?
That check looks like it only checks the next hop gateway and not the internet? What happens if you pull out the SIM and don't switch the router off, does it still fail over?
 
Good point on this one... Will amend to check something further upstream like Cloudflare or OpenDNS

Thanks
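For anyone wanting to do the "check further upstream" part without scripts, here is an added example (not powermzii's config, and not from the thread) using RouterOS 6 recursive routes: the default route's next hop is a public probe address, and check-gateway=ping pings that address through one specific WAN. The gateways 10.0.0.1 and 192.168.8.1 and the marks to_RAIN / to_Telkom are taken from the config above; the probe addresses 1.1.1.1 and 9.9.9.9 are my own choice and could be any two reliably pingable hosts.

```routeros
# Added example, not from the thread. Assumes RAIN gateway 10.0.0.1, Telkom
# gateway 192.168.8.1 (from the posted config) and two constructed probe
# hosts, 1.1.1.1 via RAIN and 9.9.9.9 via Telkom.

/ip dhcp-client
# The RAIN DHCP client must not install its own (unchecked) default route,
# otherwise it competes with the recursive routes below.
set [ find interface=RAIN ] add-default-route=no

/ip route
# Host routes pin each probe address to one WAN. scope=10 makes them usable
# as next-hop resolution targets for the recursive routes that follow.
add dst-address=1.1.1.1/32 gateway=10.0.0.1 scope=10 comment="probe via RAIN"
add dst-address=9.9.9.9/32 gateway=192.168.8.1 scope=10 comment="probe via Telkom"

# Main table: the gateway is the probe host itself. check-gateway now pings
# 1.1.1.1 / 9.9.9.9 instead of the LTE router's LAN address, so the route
# goes inactive when the ISP cannot reach the internet even though the
# router in front of the MikroTik still answers. target-scope=11 allows the
# lookup to resolve through the scope=10 host routes.
add dst-address=0.0.0.0/0 gateway=1.1.1.1 check-gateway=ping distance=1 \
    target-scope=11 comment="default via RAIN"
add dst-address=0.0.0.0/0 gateway=9.9.9.9 check-gateway=ping distance=2 \
    target-scope=11 comment="default via Telkom"

# Same pattern for the mangle-marked tables, so connections already tied to a
# WAN by connection mark fail over too instead of being black-holed.
add dst-address=0.0.0.0/0 gateway=1.1.1.1 check-gateway=ping distance=1 \
    target-scope=11 routing-mark=to_RAIN
add dst-address=0.0.0.0/0 gateway=9.9.9.9 check-gateway=ping distance=2 \
    target-scope=11 routing-mark=to_RAIN
add dst-address=0.0.0.0/0 gateway=9.9.9.9 check-gateway=ping distance=1 \
    target-scope=11 routing-mark=to_Telkom
add dst-address=0.0.0.0/0 gateway=1.1.1.1 check-gateway=ping distance=2 \
    target-scope=11 routing-mark=to_Telkom
```

These replace the five routes at the end of the posted config. Two things to keep in mind: connections that were already masqueraded out the failed WAN still die (their NAT binding points at the old address), only new connections take the surviving path; and "can ping 1.1.1.1" is not the same as "working internet", as the ICMP-while-capped case mentioned later in this thread shows, so pick probe hosts you actually depend on.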
 
Here is another guide on the Mikrotik Forum, which keeps it short and simple. Topology also comes into play with the way it's done, so there isn't really a "one size fits all" solution, but there are always ways to simplify, especially if you use an older Mikrotik that is a little less powerful.

 
I'm running a 3 WAN Load balance set up, with failover. I use scripts that run once per minute to check an internet IP for each WAN. My set up is a constant work in progress, but I'm happy with the current state.

With multi-threaded connections multiple WANs get used:

Here's an example of one of my Netwatch scripts:
up:
Code:
:log warning "WAN1 up, enabling WAN1_ROUTE";
ip route enable [find comment=WAN1_ROUTE]

down:
Code:
:log warning "WAN1 down, disabling WAN1_ROUTE";
ip route disable [find comment=WAN1_ROUTE]

Routing table is a bit messy, but this may help give you an idea:
With the above script, you'll see if WAN1 fails the Netwatch test, WAN1_ROUTE will get disabled. If you look at all the to_WAN1 routing marks, you'll see that in this case, the next available route would be WAN3_ROUTE with a distance of 2. This is how I handle failover, likely not the best way, but it works.
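The Netwatch entries themselves were only shown as a screenshot, so here is an added example of the full wiring (my reconstruction, not the poster's actual config) for two WANs. It assumes WAN1 gateway 10.0.0.1 and WAN2 gateway 192.168.8.1 as elsewhere in this thread, and constructed probe hosts 1.1.1.1 and 9.9.9.9. The part that is easy to get wrong is the pair of /32 host routes: on ROS 6 Netwatch pings from the main routing table, so without them the WAN1 probe would simply leave via WAN2 once WAN1_ROUTE is disabled, succeed, re-enable WAN1_ROUTE, and the link would flap.

```routeros
# Added example, not the poster's own config. Assumes WAN1 gateway 10.0.0.1,
# WAN2 gateway 192.168.8.1 and constructed probe hosts 1.1.1.1 / 9.9.9.9.

/ip route
# Pin each probe host to one WAN. These host routes are never disabled, so the
# probe keeps testing its own WAN even while that WAN's default route is off.
add dst-address=1.1.1.1/32 gateway=10.0.0.1 comment="WAN1_PROBE"
add dst-address=9.9.9.9/32 gateway=192.168.8.1 comment="WAN2_PROBE"
# The routes the up/down scripts toggle, found by comment as in the post.
add dst-address=0.0.0.0/0 gateway=10.0.0.1 distance=1 comment="WAN1_ROUTE"
add dst-address=0.0.0.0/0 gateway=192.168.8.1 distance=2 comment="WAN2_ROUTE"

/tool netwatch
# One probe per WAN; the scripts are the same as the ones posted above.
add host=1.1.1.1 interval=1m timeout=1s comment="WAN1 check" \
    up-script=":log warning \"WAN1 up, enabling WAN1_ROUTE\"; /ip route enable [find comment=WAN1_ROUTE]" \
    down-script=":log warning \"WAN1 down, disabling WAN1_ROUTE\"; /ip route disable [find comment=WAN1_ROUTE]"
add host=9.9.9.9 interval=1m timeout=1s comment="WAN2 check" \
    up-script=":log warning \"WAN2 up, enabling WAN2_ROUTE\"; /ip route enable [find comment=WAN2_ROUTE]" \
    down-script=":log warning \"WAN2 down, disabling WAN2_ROUTE\"; /ip route disable [find comment=WAN2_ROUTE]"
```

Netwatch on ROS 6 flips state on a single missed reply, so one lost packet per minute is enough to trigger a failover and a log line; if that turns out to be noisy, a shorter interval with the host route pointed at a host that is rarely rate-limited helps, and the `:log warning` lines are worth keeping because they give you a timeline of flaps to review.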
 

This is nice - I thought about using NetWatch but the steps online seemed complex. I will spend some time looking into it as it is likely more robust than just using routing for the checks.
 
Give it a try. Works fairly nicely, just pinging the gateway didn't do much for me. It's worth noting that I've commented on each route so that I can find them within Netwatch. Example WAN1_ROUTE, WAN2_ROUTE, and WAN3_ROUTE
 
Hi All

I set this fail-over up yesterday and it works fine, you can unplug the cable or turn off the router.
I used a RB951ui. I did not have a DHCP server set up but you can. First get the config up and running.
I used a static IP of 173.0.0.50 on my laptop.
Then when it's all working add a DHCP server to Ether5
Then you can create a bridge and add Ether5 & WAN and then put your local LAN IP on the bridge

Copy and paste this into Notepad, then using Find & Replace update the following to your IP ranges:

###You will need to change the following:
###Router 1 (LTE): 10.0.0.1/24 - Mikrotik Ether1=10.0.0.50/24
###Router 2 (LTE): 192.168.8.1 - Mikrotik Ether2=192.168.8.50/24
###Router 3 : (Mikrotik) Ether5=173.0.0.1/24
###Gateway 1 : 10.0.0.1
###Gateway 2 : 192.168.8.1
###prerouting dst-address=10.0.0.0/24
###prerouting dst-address=192.168.8.0/24
###Replace Seacom with Eg: Rain
###Replace Bitco with Eg: Telkom

/interface ethernet
set [ find default-name=ether1 ] name="ether1 - Seacom"
set [ find default-name=ether2 ] name="ether2 - Bitco"
set [ find default-name=ether5 ] name="ether5 - Local Lan"
/interface wireless
set [ find default-name=wlan1 ] ssid=MikroTik
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip address
add address=10.0.0.50/24 interface="ether1 - Seacom" network=10.0.0.0
add address=192.168.8.50/24 interface="ether2 - Bitco" network=192.168.8.0
add address=173.0.0.1/24 interface="ether5 - Local Lan" network=173.0.0.0
/ip dns
set servers=8.8.8.8
/ip firewall mangle
add action=accept chain=prerouting dst-address=10.0.0.0/24 in-interface=\
"ether5 - Local Lan"
add action=accept chain=prerouting dst-address=192.168.8.0/24 in-interface=\
"ether5 - Local Lan"
add action=mark-connection chain=prerouting connection-mark=no-mark \
in-interface="ether1 - Seacom" new-connection-mark=Seacom_conn
add action=mark-connection chain=prerouting connection-mark=no-mark \
in-interface="ether2 - Bitco" new-connection-mark=Bitco_conn
add action=mark-connection chain=prerouting connection-mark=no-mark \
dst-address-type=!local in-interface="ether5 - Local Lan" \
new-connection-mark=Seacom_conn passthrough=yes \
per-connection-classifier=both-addresses:2/0
add action=mark-connection chain=prerouting connection-mark=no-mark \
dst-address-type=!local in-interface="ether5 - Local Lan" \
new-connection-mark=Bitco_conn passthrough=yes per-connection-classifier=\
both-addresses:2/1
add action=mark-routing chain=prerouting connection-mark=Seacom_conn \
in-interface="ether5 - Local Lan" new-routing-mark=to_Seacom passthrough=\
yes
add action=mark-routing chain=prerouting connection-mark=Bitco_conn \
in-interface="ether5 - Local Lan" new-routing-mark=to_Bitco passthrough=\
yes
add action=mark-routing chain=output connection-mark=Seacom_conn \
new-routing-mark=to_Seacom
add action=mark-routing chain=output connection-mark=Bitco_conn \
new-routing-mark=to_Bitco
/ip firewall nat
add action=masquerade chain=srcnat out-interface="ether1 - Seacom"
add action=masquerade chain=srcnat out-interface="ether2 - Bitco"
/ip route
add check-gateway=ping distance=1 gateway=10.0.0.1 routing-mark=to_Seacom
add check-gateway=ping distance=1 gateway=192.168.8.1 routing-mark=to_Bitco
add check-gateway=ping distance=1 gateway=10.0.0.1
add check-gateway=ping distance=2 gateway=192.168.8.1
 

Are you also going to check further upstream as suggested by @webyep ?
 
Don't need to check further upstream, it works perfectly. You can turn off the LTE router or pull out any cables and it will fail over. I have a fibre and an LTE modem. If I unplug the fibre ONT it fails over to the LTE; if I turn off or unplug the fibre modem it fails over. I already check upstream beyond any routers within or on my LAN
 

Understood - I think the use case he mentioned was that if the connection to your ISP is fine but for some reason they can't route your request, checking 8.8.8.8 or some other IP would tell you if your Fibre ISP or LTE ISP is down - so beyond the confines of your walls essentially

But good work nonetheless
 
If you are load balancing - I would maybe add rules for online banking sites etc, they do not like some of your requests coming from 2 different IPs

Maybe a mangle rule that looks at the TLS host then marks the connection, then have a mangle that marks the route on that connection

I often find load balancing brings more problems than it is worth
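An added example of the banking-site pinning idea, built on the marks from powermzii's config (RAIN_Conn / to_RAIN, in-interface "LAN Bridge"); this is not anyone's posted config and the bank hostname examplebank.example is a placeholder. One detail matters for why it is two rules rather than one: the tls-host matcher sees the SNI in the TLS ClientHello, which arrives after the TCP handshake, so by then PCC has already marked the connection and masquerade has bound it to a WAN address. A tls-host rule therefore cannot move the connection it matched; what it can do is learn the server's IP into an address list, so that every following connection to that IP is pinned before the PCC rules run.

```routeros
# Added example, not from the thread. Assumes the RAIN_Conn connection mark and
# "LAN Bridge" interface from the posted config; examplebank.example is a
# placeholder hostname.

/ip firewall address-list
# Seed the list with a DNS name; RouterOS resolves it and keeps the entry
# updated, so the first connection is usually pinned as well.
add list=pin-to-RAIN address=www.examplebank.example comment="placeholder bank host"

/ip firewall mangle
# 1. Learn: record the destination IP of any HTTPS connection whose SNI
#    matches the bank. This cannot re-route the current connection (the SYN
#    has already been routed and NATed), it only feeds the list for later ones.
#    Note: tls-host does not match if the ClientHello is split across segments.
add chain=prerouting protocol=tcp dst-port=443 tls-host=*.examplebank.example \
    action=add-dst-to-address-list address-list=pin-to-RAIN \
    address-list-timeout=1d comment="learn bank IPs from SNI"

# 2. Pin: mark new connections to listed IPs as RAIN_Conn before PCC sees them.
#    This rule MUST sit above the two per-connection-classifier rules, because
#    they only act on connection-mark=no-mark. place-before=4 assumes the PCC
#    RAIN rule is at index 4 as in the posted config; adjust to your list.
add chain=prerouting in-interface="LAN Bridge" connection-mark=no-mark \
    dst-address-list=pin-to-RAIN action=mark-connection \
    new-connection-mark=RAIN_Conn passthrough=yes \
    place-before=4 comment="pin bank to RAIN"
```

With the existing mark-routing rule for RAIN_Conn, pinned connections always leave via to_RAIN, so the bank sees one source address while RAIN is up; if RAIN is down they fall through to the distance-2 route in that table, which is the same behaviour as the rest of the traffic. The same pair of rules with Telkom_Conn and a second list pins other sites to the other WAN.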
 
I've moved away from the Netwatch script for failover.

On the weekend I encountered an interesting edge-case where an ISP allowed ICMP traffic even though I was capped. I've moved to use "Detect Internet" within Interfaces. https://wiki.mikrotik.com/wiki/Manual:Detect_internet


I added a scheduled script to check the INTERNET interface list and enable/disable accordingly.

Code:
{
    :global Wan1CurrentState ([:len [/ip route find where comment="WAN1_ROUTE" and !disabled]] > 0)
    :global Wan2CurrentState ([:len [/ip route find where comment="WAN2_ROUTE" and !disabled]] > 0)
    :global Wan1State [:len [/interface list member find where list=INTERNET and interface=WAN1]];
    :global Wan2State [:len [/interface list member find where list=INTERNET and interface=WAN2]];

    :if ($Wan1State = 1 and $Wan1CurrentState = false) do={:log warning "WAN1 up, enabling WAN1_ROUTE";/ip route enable [find comment=WAN1_ROUTE];} 
    :if ($Wan1State = 0 and $Wan1CurrentState = true) do={:log warning "WAN1 down, disabling WAN1_ROUTE";/ip route disable [find comment=WAN1_ROUTE];}

    :if ($Wan2State = 1 and $Wan2CurrentState = false) do={:log warning "WAN2 up, enabling WAN2_ROUTE";/ip route enable [find comment=WAN2_ROUTE];} 
    :if ($Wan2State = 0 and $Wan2CurrentState = true) do={:log warning "WAN2 down, disabling WAN2_ROUTE";/ip route disable [find comment=WAN2_ROUTE];}
}
 
I am assuming it automatically fails over to the other connection when one is down? Do you know if it only checks the availability of a connection on the gateway or some other host upstream?

I had to laugh at how easy this looks compared to our mangles etc..
It basically pings a Ubiquiti server (you can change this) and as soon as it can't reach that server (site) it changes to the next available connection; it can have 4 failovers. As soon as the primary responds to a ping again, it switches back. We don't even notice anymore when our Vodacom Wireless service goes down.
 

That's pretty cool
 