Community discussions

MikroTik App
 
davecullen86
just joined
Topic Author
Posts: 6
Joined: Fri Oct 21, 2022 10:57 pm

hAP AC2 PPPoE To LTE WAN Failover Help Request

Sat Oct 22, 2022 2:24 pm

Hey Team

I've set up PPPoE as my primary WAN and I'd like to have my LTE connection as a standby in the event of reachability issues over the PPPoE WAN.

I have LTE setup and a secondary default route, but I am struggling to understand how to set up remote IP monitoring which then invokes a failover/failback based on the ability for the WAN to reach 8.8.8.8 for example.

If someone could guide me in the right direction it would really be appreciated! :-)

Thanks! Dave

Here is my config:
# jan/02/1970 23:18:01 by RouterOS 6.49.7
# software id = NNXJ-E18N
#
# model = RBD52G-5HacD2HnD
# serial number = HCJ081P5AW3
/interface bridge
add admin-mac=18:FD:74:11:88:B2 auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether3 ] name=ether3-WAN-4G
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 user=\
    REMOVED@broadband.vodafone.co.uk
/interface lte
set [ find ] name=lte1
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=\
    MikroTik-1188B6 wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX country="united kingdom" distance=indoors frequency=auto \
    installation=indoor mode=ap-bridge ssid=MikroTik-1188B7 \
    wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] apn=wap.vodafone.co.uk authentication=pap name=\
    "Vodafone Internet" user=wap
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec mode-config
add name=Cato-IKEv2 responder=no
/ip ipsec policy group
add name=Cato-IKEv2
/ip ipsec profile
add dh-group=modp3072 enc-algorithm=aes-128 hash-algorithm=sha256 name=\
    Cato-IKEv2
/ip ipsec peer
add address=185.114.123.217/32 exchange-mode=ike2 name=Cato-IKEv2-London \
    profile=Cato-IKEv2
/ip ipsec proposal
add auth-algorithms=sha256 enc-algorithms=aes-128-gcm name=Cato-IKEv2 \
    pfs-group=none
/ip pool
add name=dhcp ranges=172.20.20.50-172.20.20.200
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/queue simple
add name=queue1 target=172.20.20.0/24
add name=Zoom_Queue packet-marks=Zoom-packet parent=queue1 priority=1/1 \
    target=172.20.20.0/24
add name="Other Traffic" packet-marks=no-mark target=172.20.20.0/24
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3-WAN-4G
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface detect-internet
set detect-interface-list=all
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
/ip address
add address=172.20.20.1/24 comment=defconf interface=bridge network=\
    172.20.20.0
/ip dhcp-client
add comment=defconf interface=ether1
# DHCP client can not run on slave interface!
add add-default-route=no comment=WAN2-4G disabled=no interface=ether3-WAN-4G \
    use-peer-dns=no
/ip dhcp-server network
add address=172.20.20.0/24 comment=defconf gateway=172.20.20.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,1.0.0.1
/ip dns static
add address=172.20.20.1 comment=defconf name=router.lan
/ip firewall address-list
add address=3.7.35.0/25 list=Zoom
add address=3.21.137.128/25 list=Zoom
add address=3.22.11.0/24 list=Zoom
add address=3.23.93.0/24 list=Zoom
add address=3.25.41.128/25 list=Zoom
add address=3.25.42.0/25 list=Zoom
add address=3.25.49.0/24 list=Zoom
add address=3.80.20.128/25 list=Zoom
add address=3.96.19.0/24 list=Zoom
add address=3.101.32.128/25 list=Zoom
add address=3.101.52.0/25 list=Zoom
add address=3.104.34.128/25 list=Zoom
add address=3.120.121.0/25 list=Zoom
add address=3.127.194.128/25 list=Zoom
add address=3.208.72.0/25 list=Zoom
add address=3.211.241.0/25 list=Zoom
add address=3.235.69.0/25 list=Zoom
add address=3.235.82.0/23 list=Zoom
add address=3.235.71.128/25 list=Zoom
add address=3.235.72.128/25 list=Zoom
add address=3.235.73.0/25 list=Zoom
add address=3.235.96.0/23 list=Zoom
add address=4.34.125.128/25 list=Zoom
add address=4.35.64.128/25 list=Zoom
add address=8.5.128.0/23 list=Zoom
add address=13.52.6.128/25 list=Zoom
add address=13.52.146.0/25 list=Zoom
add address=13.114.106.166 list=Zoom
add address=18.157.88.0/24 list=Zoom
add address=18.205.93.128/25 list=Zoom
add address=50.239.202.0/23 list=Zoom
add address=50.239.204.0/24 list=Zoom
add address=52.61.100.128/25 list=Zoom
add address=52.81.151.128/25 list=Zoom
add address=52.81.215.0/24 list=Zoom
add address=52.197.97.21 list=Zoom
add address=52.202.62.192/26 list=Zoom
add address=52.215.168.0/25 list=Zoom
add address=64.69.74.0/24 list=Zoom
add address=64.125.62.0/24 list=Zoom
add address=64.211.144.0/24 list=Zoom
add address=65.39.152.0/24 list=Zoom
add address=69.174.57.0/24 list=Zoom
add address=69.174.108.0/22 list=Zoom
add address=99.79.20.0/25 list=Zoom
add address=103.122.166.0/23 list=Zoom
add address=109.94.160.0/22 list=Zoom
add address=109.244.18.0/25 list=Zoom
add address=109.244.19.0/24 list=Zoom
add address=111.33.181.0/25 list=Zoom
add address=115.110.154.192/26 list=Zoom
add address=115.114.56.192/26 list=Zoom
add address=115.114.115.0/26 list=Zoom
add address=115.114.131.0/26 list=Zoom
add address=120.29.148.0/24 list=Zoom
add address=140.238.128.0/24 list=Zoom
add address=147.124.96.0/19 list=Zoom
add address=149.137.0.0/17 list=Zoom
add address=152.67.20.0/24 list=Zoom
add address=152.67.118.0/24 list=Zoom
add address=152.67.180.0/24 list=Zoom
add address=158.101.64.0/24 list=Zoom
add address=160.1.56.128/25 list=Zoom
add address=161.189.199.0/25 list=Zoom
add address=161.199.136.0/22 list=Zoom
add address=162.12.232.0/22 list=Zoom
add address=162.255.36.0/22 list=Zoom
add address=165.254.88.0/23 list=Zoom
add address=168.138.16.0/24 list=Zoom
add address=168.138.48.0/24 list=Zoom
add address=168.138.72.0/24 list=Zoom
add address=168.138.244.0/24 list=Zoom
add address=173.231.80.0/20 list=Zoom
add address=192.204.12.0/22 list=Zoom
add address=193.122.32.0/22 list=Zoom
add address=193.123.0.0/19 list=Zoom
add address=193.123.40.0/22 list=Zoom
add address=193.123.128.0/19 list=Zoom
add address=198.251.128.0/17 list=Zoom
add address=202.177.207.128/27 list=Zoom
add address=202.177.213.96/27 list=Zoom
add address=204.80.104.0/21 list=Zoom
add address=204.141.28.0/22 list=Zoom
add address=207.226.132.0/24 list=Zoom
add address=209.9.211.0/24 list=Zoom
add address=209.9.215.0/24 list=Zoom
add address=210.57.55.0/24 list=Zoom
add address=213.19.144.0/24 list=Zoom
add address=213.19.153.0/24 list=Zoom
add address=213.244.140.0/24 list=Zoom
add address=221.122.88.64/27 list=Zoom
add address=221.122.88.128/25 list=Zoom
add address=221.122.89.128/25 list=Zoom
add address=221.123.139.192/27 list=Zoom
add address=8.5.128.0/24 list=Zoom
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=add-dst-to-address-list address-list=Zoom address-list-timeout=\
    none-dynamic chain=prerouting comment=\
    "Add missing Zoom server IPs to FW List" dst-port=\
    3478,3479,5090,5091,8801-8810 protocol=tcp
add action=add-dst-to-address-list address-list=Zoom address-list-timeout=\
    none-dynamic chain=prerouting comment=\
    "Add missing Zoom server IPs to FW List" dst-port=\
    3478,3479,5090,5091,8801-8810 protocol=udp
add action=mark-connection chain=prerouting dst-address-list=Zoom dst-port=\
    3478,3479,5090,5091,8801-8810 new-connection-mark=Zoom-Connection \
    passthrough=yes protocol=tcp
add action=mark-connection chain=prerouting dst-address-list=Zoom dst-port=\
    3478,3479,5090,5091,8801-8810 new-connection-mark=Zoom-Connection \
    passthrough=yes protocol=udp
add action=mark-connection chain=prerouting dst-address-list=Zoom dst-port=\
    80,443 new-connection-mark=Zoom-Connection passthrough=yes protocol=tcp
add action=mark-packet chain=prerouting connection-mark=Zoom-Connection \
    new-packet-mark=Zoom-packet passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip ipsec identity
add generate-policy=port-strict mode-config=Cato-IKEv2 peer=Cato-IKEv2-London \
    policy-template-group=Cato-IKEv2
/ip ipsec policy
set 0 comment="Local LAN" dst-address=10.2.0.0/24 group=Cato-IKEv2 proposal=\
    Cato-IKEv2 src-address=172.20.20.0/24
add comment="Azure Server Subnet" dst-address=10.2.0.0/24 peer=\
    Cato-IKEv2-London proposal=Cato-IKEv2 src-address=172.20.20.0/24 tunnel=\
    yes
add comment="VPN Range Subnet" dst-address=10.41.0.0/16 peer=\
    Cato-IKEv2-London proposal=Cato-IKEv2 src-address=172.20.20.0/24 tunnel=\
    yes
/ip ssh
set always-allow-password-login=yes
/system identity
set name=Cullen-Router
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
davecullen86
just joined
Topic Author
Posts: 6
Joined: Fri Oct 21, 2022 10:57 pm

Re: hAP AC2 PPPoE To LTE WAN Failover Help Request

Sat Oct 22, 2022 6:12 pm

I'm pretty sure, that because my primary connection is PPPoE, if it fails, the connection will be lost and the route withdrawn anyway since it's provided by the upstream provider. Therefore, there shouldn't be a need to monitor anything else.

I suppose if there was some problem further upstream that prevented the traffic from routing, this would be an issue, but that's unlikely or at least the less common issue compared with a complete outage.

Any view on this would be helpful. Otherwise, I am keeping going as I am with a route as distance 1 and 2.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 14423
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: hAP AC2 PPPoE To LTE WAN Failover Help Request

Tue Oct 25, 2022 6:57 pm

(1) THis has known to cause issues in the past and what it does is not well understood suggest set to NONE.....
/interface detect-internet
set detect-interface-list=all

(2) Not a secure protocol suggest mac server only be set to NONE.'

/tool mac-server
set allowed-interface-list=LAN

(3) I see no IP route for the backup WAN connection ??

What do you do with all the zoom rules........... Is it strictly for queues??
Not sure fastrack works with queues???

Put allow forward chain rules for queue traffic before the fastrack rule works for simple queues.
Have to consider both directions of traffic....
ex. (subnet of your choosing)

/ip firewall filter
add action=accept chain=forward connection-state=established,related src-address=172.16.25.0/24
add action=accept chain=forward connection-state=established,related dst-address=172.16.25.0/24
 
davecullen86
just joined
Topic Author
Posts: 6
Joined: Fri Oct 21, 2022 10:57 pm

Re: hAP AC2 PPPoE To LTE WAN Failover Help Request

Wed Nov 09, 2022 12:59 am

Hey Anav

Thanks a lot for taking the time to reply and for analysing my config!
(1) THis has known to cause issues in the past and what it does is not well understood suggest set to NONE.....
/interface detect-internet
set detect-interface-list=all
**Done - But should I expect a difference now since changing? What does it do?
(2) Not a secure protocol suggest mac server only be set to NONE.'

/tool mac-server
set allowed-interface-list=LAN
I checked Telnet and Winbox mac server settings and both are already set to LAN.
(3) I see no IP route for the backup WAN connection ??
These are my WAN routes:
Dst. Address		0.0.0.0/0
Gateway		
pppoe-out1 reachable
Check Gateway		 
Type		unicast
Distance		1
Dst. Address		0.0.0.0/0
Gateway		
192.168.0.1 reachable lte1
Check Gateway		 
Type		unicast
Distance		2
What do you do with all the zoom rules........... Is it strictly for queues??
Not sure fastrack works with queues???
Yea totally, this is for queues and likely poorly configured as I followed a tutorial.

I must admit I do struggle with this logic. So I just need a firewall rule to allow these zoom rules/definitions, but above the fast-track rule listed right?

Thanks so much again!

I assure you I am a networking professional, but I must say MikroTik is a learning curve for someone who has never seen it before!

:-) Dave :-)

Who is online

Users browsing this forum: tarfox and 14 guests