MikroTik Failover - DUAL WAN - Broadband and LTE USB Modem

 

We're going to configure ideal failover settings in MikroTik, with e-mail notification.

 

Example resources:

i) MikroTik RouterBoard with five dedicated interfaces (ether1, ether2, ether3, ether4, ether5)

ii) Dual WAN (ether1 is PPPoE, the secondary line is an LTE modem)

iii) Primary gateway is "pppoe-out1" and secondary/backup gateway is "192.168.0.1%lte1"

iv) A bridge for the LAN network (ether3, ether4, ether5) as 192.168.88.0/24

v) Router DNS is 8.8.8.8 and 1.1.1.1

The Netwatch host (the "checking IP", a public DNS server that is pinged) should be a different address from the router's own DNS servers. Here we will check the primary ISP with 8.8.4.4 and the secondary ISP with 1.0.0.1.

 

Let's begin.

Delete any default DHCP client. Since we are going to use multiple ISPs, also free up the ether2 interface (remove it from the bridge ports) for WAN use.

Configure ether1 with PPPoE, and configure the modem as lte1.

Then add MASQUERADE (src-nat) rules for the PPPoE interface and lte1 to go online. Set DNS and reboot.

Step 1: (Winbox > IP > Routes)

Set the routes manually, not dynamically.

If your WAN-side PPPoE or DHCP client is configured with "Add Default Route" enabled, so that it gets its IP route automatically, disable that and set the routes manually, because we have to put a comment on each route entry.

Set the comment of your primary route to "Main Route", and the comment of the secondary route to "Backup Route".

 

Step 2: (Winbox > IP > Routes)

This step is very important!

Generally, traffic goes through the active line: whichever of the main and backup routes has the lower distance is the active line.

This causes a problem when the primary/main line comes back up. Although the main line is back, the Netwatch ping to 8.8.4.4 will still fail, because the current active line is the backup/secondary line: the ping to 8.8.4.4 will try to go out through the backup line, and there it is blocked by the firewall rules (Step 3). Netwatch would therefore never notice that the main line has returned.

So, we have to force each check ping through its own specific route.

Our configured route distances were 1 and 5 for the main and backup gateways.
Now we have to create two additional routes, selected by a routing mark, for the ping packets.

a) Send destination address 8.8.4.4 via the primary/main line. To achieve this, create a new route first.

Winbox > IP > Routes > Add a new route

 Dst. Address = 0.0.0.0/0
 Gateway = pppoe-out1
 Distance = 11
 Routing Mark = UseMainLine

Now go to the "Rules" tab (Winbox > IP > Routes > Rules) and create a new rule.

 Dst. Address = 8.8.4.4
 Action = lookup only in table
 Table = UseMainLine

b) Send destination address 1.0.0.1 via the backup/secondary line. To achieve this, create a new route first.

Winbox > IP > Routes > Add a new route

 Dst. Address = 0.0.0.0/0
 Gateway = 192.168.0.1%lte1
 Distance = 12
 Routing Mark = UseBackupLine

Now go to the "Rules" tab (Winbox > IP > Routes > Rules) and create a new rule.

 Dst. Address = 1.0.0.1
 Action = lookup only in table
 Table = UseBackupLine

 

 

Step 3: (Winbox > IP > Firewall)

Pin the check pings in the firewall rules so that each specified ping IP (public DNS) leaves only through its specified out-interface.

a) Create a new firewall allow rule as:

 Chain = output
 Dst. Address = 8.8.4.4
 Protocol = 1 (icmp)
 Out. Interface = pppoe-out1
 Action = accept

b) Create a new firewall allow rule as:

 Chain = output
 Dst. Address = 1.0.0.1
 Protocol = 1 (icmp)
 Out. Interface = lte1
 Action = accept

c) Drag and drop the above two allow rules to the top, above all other accept rules, so that they take priority.


d) Create a new firewall drop rule as:

 Chain = output
 Dst. Address = 8.8.4.4
 Protocol = 1 (icmp)
 Out. Interface = ! pppoe-out1 (any interface except pppoe-out1)
 Action = drop

e) Create a new firewall drop rule as:

 Chain = output
 Dst. Address = 1.0.0.1
 Protocol = 1 (icmp)
 Out. Interface = ! lte1 (any interface except the modem)
 Action = drop

f) Drag and drop the above two drop rules above all other drop rules, but below the two allow rules from (a) and (b), so that they take priority.

 

Now we have pinned each check IP to its own interface for the ping check.
8.8.4.4 can only go out through the primary ISP and can never go out through the secondary ISP (and likewise 1.0.0.1 only through the backup).
So, if 8.8.4.4 is reachable, the primary ISP is up.
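Steps 1 to 3 above, as an added example in RouterOS terminal syntax (this is my own configuration, not the original post's; it uses the interface names, gateway addresses, probe IPs and routing-mark names assumed on this page, and the rule comments are mine). It assumes RouterOS v6, which matches the Winbox menus named above; on v7 the rules live under /routing rule and each routing mark must first be created under /routing table.

```routeros
# Step 1: the two default routes; the comments are what the Netwatch scripts search for
/ip route add dst-address=0.0.0.0/0 gateway=pppoe-out1 distance=1 comment="Main Route"
/ip route add dst-address=0.0.0.0/0 gateway=192.168.0.1%lte1 distance=5 comment="Backup Route"

# Step 2a/2b: one extra default route per line, usable only via its routing mark
/ip route add dst-address=0.0.0.0/0 gateway=pppoe-out1 distance=11 routing-mark=UseMainLine
/ip route add dst-address=0.0.0.0/0 gateway=192.168.0.1%lte1 distance=12 routing-mark=UseBackupLine

# Step 2: each probe address may look up ONLY its own table. When that line is down the
# marked route goes inactive, the lookup fails and so does the probe, which is the point:
# the probe must never silently succeed over the other line
/ip route rule add dst-address=8.8.4.4/32 action=lookup-only-in-table table=UseMainLine
/ip route rule add dst-address=1.0.0.1/32 action=lookup-only-in-table table=UseBackupLine

# Step 3: output-chain filter as a second guard. place-before=N inserts at list position N,
# so the four rules end up as allow, allow, drop, drop at the top of the filter list
# (assumes the list already holds at least two rules, as the default firewall does)
/ip firewall filter add chain=output protocol=icmp dst-address=8.8.4.4 \
    out-interface=pppoe-out1 action=accept comment="probe-main-allow" place-before=0
/ip firewall filter add chain=output protocol=icmp dst-address=1.0.0.1 \
    out-interface=lte1 action=accept comment="probe-backup-allow" place-before=1
/ip firewall filter add chain=output protocol=icmp dst-address=8.8.4.4 \
    out-interface=!pppoe-out1 action=drop comment="probe-main-drop" place-before=2
/ip firewall filter add chain=output protocol=icmp dst-address=1.0.0.1 \
    out-interface=!lte1 action=drop comment="probe-backup-drop" place-before=3

# Checks: with both lines up, both probes should answer, the packet counters of the two
# drop rules should stay at 0, and all four default routes should show the A (active) flag
/ip route print detail where dst-address=0.0.0.0/0
/ip route rule print
/ip firewall filter print stats where chain=output
/ping 8.8.4.4 count=3
/ping 1.0.0.1 count=3
```

If `/ping 1.0.0.1` fails while the LTE link is up, look at the filter counters: a non-zero count on probe-backup-drop means the probe is leaving on the wrong interface, so the routing rule or marked route is not taking effect.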

 

Step 4: (Winbox > Tools > Email)

First, log in to your Gmail account and set up two-step verification in its security settings. Then create an "App Password" in the same security settings, and use that app password in the MikroTik e-mail settings.

 Server = smtp.gmail.com
 Port = 587
 Start TLS = yes
 From = "MikroTik Router" <youremailaddress@gmail.com>
 User = youremailaddress@gmail.com
 Password = ********** (app password)

Apply the settings so that the router can send e-mail system-wide.

 

Step 5: (Winbox > Tools > Netwatch)

Add two Netwatch rules, one for the main line and one for the backup line, to monitor the lines and send e-mail notifications.

1) Create a new Netwatch for primary line as:

 Host = 8.8.4.4
 Interval = 00:01:00
 Timeout = 1000

Up script:

:local date [/system clock get date]
:local time [/system clock get time]
:local ispname "Main Line Primary ISP"

:log info "$ispname is UP"
:log info "Main line up notice sent to yourofficialmail@gmail.com"

/ip route set [find comment="Main Route"] distance=1

/ip route set [find comment="Backup Route"] distance=5

:delay 00:00:15

/tool e-mail send to="yourofficialmail@gmail.com" cc="your2ndofficialmail@hotmail.com" subject="Internet \"$ispname\" is UP at $time $date" body="Internet \"$ispname\" is up at $time , $date .

Everything should go well !

Although the primary line is UP, please also keep monitored the backup line !"


Down script:

:local date [/system clock get date]
:local time [/system clock get time]
:local ispname "Main Line Primary ISP"

:log info "$ispname is Down"
:log info "Main line down notice sent to yourofficialmail@gmail.com"

/ip route set [find comment="Main Route"] distance=5

/ip route set [find comment="Backup Route"] distance=1

:delay 00:00:16

/tool e-mail send to="yourofficialmail@gmail.com" cc="your2ndofficialmail@hotmail.com" subject="Internet \"$ispname\" is DOWN at $time $date" body="Internet \"$ispname\" is down at $time , $date .

Attention ! Please check the primary fiber line hurry !

Currently the router is only performing with backup line"


2) Create another new Netwatch for backup line as:

 Host = 1.0.0.1
 Interval = 00:02:00
 Timeout = 1000

Up script:

:local date [/system clock get date]
:local time [/system clock get time]
:local ispname "Backup Line Secondary ISP"

# /ping returns the number of replies received; 0 means the main line is still unreachable
:if ([/ping 8.8.4.4 count=3 ttl=53] = 0) do={
    :log warning "Main line is still down, changing route distance"
    /ip route set [find comment="Main Route"] distance=5
    /ip route set [find comment="Backup Route"] distance=1
} else={
    :log info "Main Line is still UP"
}

:log info "$ispname is UP"
:log info "Backup line up notice sent to yourofficialmail@gmail.com"

:delay 00:00:17

/tool e-mail send to="yourofficialmail@gmail.com" cc="your2ndofficialmail@hotmail.com" subject="Internet \"$ispname\" is UP at $time $date" body="Internet \"$ispname\" is up at $time , $date .

Although the backup line is UP, please also keep monitored the primary fiber line !"


Down script:

:local date [/system clock get date]
:local time [/system clock get time]
:local ispname "Backup Line Secondary ISP"

:log info "$ispname is Down"
:log info "Backup line down notice sent to yourofficialmail@gmail.com"

# /ping returns the number of replies received; 0 means the main line is still unreachable
:if ([/ping 8.8.4.4 count=3 ttl=53] = 0) do={
    :log warning "Main line is still down, keeping backup route active"
    /ip route set [find comment="Main Route"] distance=5
    /ip route set [find comment="Backup Route"] distance=1
} else={
    :log info "Main line is still UP"
    /ip route set [find comment="Main Route"] distance=1
    /ip route set [find comment="Backup Route"] distance=5
}

:delay 00:00:18

/tool e-mail send to="yourofficialmail@gmail.com" cc="your2ndofficialmail@hotmail.com" subject="Internet \"$ispname\" is DOWN at $time $date" body="Internet \"$ispname\" is down at $time , $date .

Please check the backup fiber line hurry! Currently the router is only performing with primary line."


Step 6: Information

What we did here is make Netwatch ping a public DNS server (not the ISP gateway). So if the ISP's backend router or upstream network goes down while the ISP gateway is still reachable, Netwatch will still correctly report that the ISP is down.
So, our failover configuration will work!

Now, you may think that, since Netwatch checks the link every minute, it will keep sending an e-mail every minute for as long as the link is down!
No, here is the magic part of Netwatch!
The Netwatch up and down scripts are executed only once, when the link state changes (up or down).

So, it will send an e-mail only once when a link goes down, and once again when the link comes back up.

 

Step 7: Reboot the MikroTik

Check your Gmail. Enjoy!

Congratulations! We have successfully configured our router failover settings.
