๐ Failover Methods
This guide explains four distinct failover strategies in MikroTik for multi-ISP configurations, each with different mechanisms, latency profiles, and use cases. Understanding the flow and trade-offs helps you choose the right approach for your network topology.
info
Key Takeaway: Choose failover based on gateway complexity. Simple networks use check-gateway, multi-marked traffic uses route rules, recursive routes handle advanced topologies, and netwatch provides scripting flexibility for custom logic.
Prerequisitesโ
โ
MikroTik RouterOS v6.45+ (all methods)
โ
Two or more ISP gateways with known IPs (e.g., 192.168.1.1, 192.168.1.2)
โ
Ability to SSH into router or access Winbox
โ
Understanding of routing tables and gateway concepts
โ
Test hosts accessible via each ISP (e.g., 1.1.1.1, 1.1.1.2)
Failover Detection Flowโ
All methods rely on periodic health checks. Here's the universal flow:
โโโโโโโโโโโโโโโโโโโ
โ Traffic Sent โ
โโโโโโโโโโฌโโโโโโโโโ
โ
โผ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ Which Failover Method Active? โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ โ check-gateway โ Built-in ping โ
โ โก route rules โ Built-in ping โ
โ โข recursive โ Built-in ping โ
โ โฃ netwatch โ External monitor โ
โโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ
โผ
โโโโโโโโโโโโโโโโโโ
โ Health Check โ
โ (Ping Probe) โ
โโโโโโฌโโโโโโโโฌโโโโ
โ โ
Response No Response
(OK) (FAIL)
โ โ
โผ โผ
โโโโโโโโ โโโโโโโโโโโโโโโโ
โ Use โ โ Route Status โ
โ ISP โ โ Update? โ
โโโโโโโโ โโโโโโโโโโโโโโโโ
(depends on method)
Method 1: Check-Gateway (Passive Built-In)โ
How It Worksโ
The router continuously pings a gateway IP and automatically disables the route if the gateway doesn't respond. When the gateway recovers, the route re-enables.
Flow Diagram:
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ Primary Route (ISP-1, distance=1) โ
โ /ip route with check-gateway="ping" โ
โ Destination: 0.0.0.0/0 โ
โ Gateway: 192.168.1.1 โ
โโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโฌโโ
โ โ
Every ~3s When Disabled
Pings 192.168.1.1 โ
โ โ
โโ ICMP Response โผ
โ Route Stays ACTIVE โโโโโโโโโโโโโโโโโโโโ
โ โ ISP-1 Unavailableโ
โ โโโโโโโโโโโโโโโโโโโโ
โ โ
โโ No Response (3 failed probes) โ
โ Route Auto DISABLED Secondary Route
โ (ISP-2, distance=2)
โ Takes Over
โ
โโ Recovery: Response Received
Route Re-enabled
Configurationโ
Option A: Terminal
/ip route
add dst-address="0.0.0.0/0" target-scope="10" distance="1" gateway="192.168.1.1" \
comment="ISP-1" check-gateway="ping" scope="30" routing-table=main
add dst-address="0.0.0.0/0" target-scope="10" distance="2" gateway="192.168.1.2" \
comment="ISP-2" check-gateway="ping" scope="30" routing-table=main
Option B: Winbox
- Navigate to: IP โ Routes
- Click + to add first route:
- Dst. Address: 0.0.0.0/0
- Gateway: 192.168.1.1
- Distance: 1
- Check Gateway: ping
- Comment: ISP-1
- Click + to add second route:
- Dst. Address: 0.0.0.0/0
- Gateway: 192.168.1.2
- Distance: 2
- Check Gateway: ping
- Comment: ISP-2
Key Parameters Explainedโ
| Parameter | Value | Meaning |
|---|---|---|
check-gateway | ping | Use ICMP echo as health probe |
distance | 1, 2, 3... | Route priority (lower = preferred) |
target-scope | 10 | Scope flag for route categorization |
scope | 30 | Route is managed by user/admin |
Pros & Consโ
| Pros | Cons |
|---|---|
| โ Simpleโno scripting needed | โ Ping probe latency ~100-300ms |
| โ Built-in to RouterOS | โ Cannot distinguish between ISP failure vs. gateway failure |
| โ Minimal CPU overhead | โ No custom logic (always uses distance metric) |
| โ Works with any gateway | โ Probe target must be gateway IP itself |
Use Caseโ
Best for: Simple dual-ISP setups where each ISP provides a local gateway and both are directly reachable via ping.
Method 2: Route Rules + Check-Gateway (Marked Traffic)โ
How It Worksโ
Combines check-gateway with policy-based routing. Traffic is marked with routing marks, then routed to specific ISPs via separate routing tables. If the ISP in the primary table fails, traffic fails over to the secondary.
Flow Diagram:
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ Incoming Traffic โ
โโโโโโฌโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโฌโโโโโโ
โ โ
โผ โผ
โโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโ
โ Has Routing Mark? โ โ No Mark = Use โ
โ (via mangle/filter) โ โ Default Table โ
โโโโโฌโโโโโโโโโโโโโโโโโโโโ โ (main) โ
โ โโโโโโโโโโโโโโโโโโโโ
โโ Mark=to-isp1 โ
โ โผ โ
โ /ip route rule lookup to-isp1 table โ
โ โผ โ
โ Query: to-isp1 Routing Table โ
โ ISP-1 Primary (distance=1) โ
โ Check-gateway status? โ
โ โโ Active โ Use ISP-1 โ
โ โโ Down โ No route found (packet drop) โ
โ โ
โโ Mark=to-isp2 โ
โ โผ โ
โ /ip route rule lookup to-isp2 table โ
โ โผ โ
โ Query: to-isp2 Routing Table โ
โ ISP-2 Primary (distance=1) โ
โ Check-gateway status? โ
โ โโ Active โ Use ISP-2 โ
โ โโ Down โ No route found (packet drop) โ
โ โ
โโ No Mark โ
โผ โ
Uses default route (main table) โโโโโโโโโ
ISP-1 Primary (distance=1)
Check-gateway status?
โโ Active โ Use ISP-1
โโ Down โ Fallback ISP-2 (distance=2)
Configurationโ
Option A: Terminal
# Step 1: Create routes in each ISP-specific table
/ip route
add dst-address="0.0.0.0/0" target-scope="10" distance="1" gateway="192.168.1.1" \
comment="ISP-1" check-gateway="ping" scope="30" routing-table=to-isp1
add dst-address="0.0.0.0/0" target-scope="10" distance="1" gateway="192.168.1.2" \
comment="ISP-2" check-gateway="ping" scope="30" routing-table=to-isp2
# Step 2: Create default routes in main table (fallback)
add dst-address="0.0.0.0/0" target-scope="10" distance="1" gateway="192.168.1.1" \
comment="ISP-1-main" check-gateway="ping" scope="30" routing-table=main
add dst-address="0.0.0.0/0" target-scope="10" distance="2" gateway="192.168.1.2" \
comment="ISP-2-main" check-gateway="ping" scope="30" routing-table=main
# Step 3: Create route rules to direct marked traffic
/ip route rule
add action=lookup disabled=no routing-mark=to-isp1 table=to-isp1
add action=lookup disabled=no routing-mark=to-isp2 table=to-isp2
add action=lookup-only-in-table disabled=no routing-mark=to-isp1 table=main
add action=lookup-only-in-table disabled=no routing-mark=to-isp2 table=main
# Step 4: Mark traffic with mangle rules (example: mark based on src-address)
/ip firewall mangle
add chain=prerouting src-address=192.168.100.0/24 action=mark-routing \
new-routing-mark=to-isp1 passthrough=yes comment="Subnet-1 uses ISP-1"
add chain=prerouting src-address=192.168.101.0/24 action=mark-routing \
new-routing-mark=to-isp2 passthrough=yes comment="Subnet-2 uses ISP-2"
Option B: Winbox
-
Create ISP-specific routing tables:
- IP โ Routes โ Click Routes (empty list shows main table)
- Right-click, New โ Create route with Routing Table:
to-isp1(repeat forto-isp2)
-
Create route rules:
- IP โ Route Rules โ Click +
- Action: lookup
- Routing Mark: to-isp1
- Table: to-isp1
- Repeat for
to-isp2
-
Mark traffic with mangle:
- IP โ Firewall โ Mangle โ Click +
- Chain: prerouting
- Src. Address: 192.168.100.0/24
- Action: mark-routing
- New Routing Mark: to-isp1
- Repeat for other subnets
Key Parameters Explainedโ
| Parameter | Meaning |
|---|---|
routing-table=to-isp1 | Define alternative routing table (not default main) |
routing-mark=to-isp1 | Lookup routes only in this table |
new-routing-mark=to-isp1 | Mark packets for specific ISP routing table |
action=lookup-only-in-table | Restrict lookup to specified table only |
Pros & Consโ
| Pros | Cons |
|---|---|
| โ Per-subnet ISP assignment (A to ISP-1, B to ISP-2) | โ Complex configuration (multiple tables + rules + mangle) |
| โ Traffic isolation by routing table | โ Requires traffic marking rules |
| โ Works with check-gateway | โ Hard to debug (traffic must match mangle rules) |
| โ Predictable failover per route | โ Main table fallback still needed |
Use Caseโ
Best for: Enterprise networks with multiple subnets requiring different ISP assignments (e.g., VoIP via ISP-1, data via ISP-2).
Method 3: Recursive Routing (Advanced)โ
How It Worksโ
Creates a chain of dependencies between routes. Primary routes use external IPs (1.1.1.1, 1.1.1.2) as gateways, which are themselves resolved via local gateway routes. If the external IP becomes unreachable, the primary route fails, triggering failover.
Flow Diagram:
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ Packet to Destination (0.0.0.0/0) โ
โโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ
โผ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ Route Lookup: 0.0.0.0/0 โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ Primary: 0.0.0.0/0 via 1.1.1.1 โ
โ Distance: 1, check-gateway: ping โ
โ Secondary: 0.0.0.0/0 via 1.1.1.2 โ
โ Distance: 2, check-gateway: ping โ
โโโโฌโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ
โผ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ Recursive Lookup: Where is 1.1.1.1? โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ /ip route find dst-address=1.1.1.1 โ
โ Result: 1.1.1.1/32 via 192.168.1.1 โ
โ (check-gateway="ping" on this route) โ
โโโโฌโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ
โโ ICMP Reply to 1.1.1.1 โ (via 192.168.1.1)
โ โ Use primary route (0.0.0.0/0 via 1.1.1.1)
โ
โโ No Reply to 1.1.1.1 โ (ISP-1 down)
Recursive route 1.1.1.1/32 DISABLED
โ Cannot reach 1.1.1.1 gateway
โ Primary route becomes INVALID
โ Failover to secondary (0.0.0.0/0 via 1.1.1.2)
โผ
Recursive Lookup: Where is 1.1.1.2?
Result: 1.1.1.2/32 via 192.168.1.2
Ping 1.1.1.2 successful โ (via ISP-2)
โ Use secondary route
Configurationโ
Option A: Terminal
/ip route
# Step 1: Primary route using external IP 1.1.1.1 as gateway
add dst-address="0.0.0.0/0" target-scope="30" distance="1" gateway="1.1.1.1" \
comment="ISP-1" check-gateway="ping" scope="30" routing-table=main
# Step 2: Secondary route using external IP 1.1.1.2 as gateway
add dst-address="0.0.0.0/0" target-scope="30" distance="2" gateway="1.1.1.2" \
comment="ISP-2" check-gateway="ping" scope="30" routing-table=main
# Step 3: Recursive routes defining how to reach the external gateways
add dst-address="1.1.1.1" target-scope="10" distance="1" gateway="192.168.1.1" \
comment="ISP-1-Check" check-gateway="ping" scope="30" routing-table=to-isp1
add dst-address="1.1.1.2" target-scope="10" distance="1" gateway="192.168.1.2" \
comment="ISP-2-Check" check-gateway="ping" scope="30" routing-table=to-isp2
Option B: Winbox
-
IP โ Routes โ Click +
- Dst. Address: 0.0.0.0/0
- Gateway: 1.1.1.1 (external DNS/public IP)
- Distance: 1
- Check Gateway: ping
- Comment: ISP-1
-
IP โ Routes โ Click + (second route)
- Dst. Address: 0.0.0.0/0
- Gateway: 1.1.1.2
- Distance: 2
- Check Gateway: ping
- Comment: ISP-2
-
IP โ Routes โ Click + (recursive route 1)
- Dst. Address: 1.1.1.1/32
- Gateway: 192.168.1.1
- Check Gateway: ping
- Comment: ISP-1-Check
-
IP โ Routes โ Click + (recursive route 2)
- Dst. Address: 1.1.1.2/32
- Gateway: 192.168.1.2
- Check Gateway: ping
- Comment: ISP-2-Check
Key Conceptโ
Recursive routes create a dependency chain:
- Route A (0.0.0.0/0 via 1.1.1.1) depends on Route B (1.1.1.1/32 via 192.168.1.1)
- If Route B fails health check โ Route B disabled
- Route A cannot find gateway 1.1.1.1 โ Route A fails
- Failover to Route C (0.0.0.0/0 via 1.1.1.2) automatically
Pros & Consโ
| Pros | Cons |
|---|---|
| โ Natural failover chain (no extra rules needed) | โ Requires external IPs as probes (e.g., DNS: 1.1.1.1) |
| โ Handles complex topologies with multiple hops | โ Probe target must be reachable via primary ISP |
| โ Automatic dependency resolution | โ Latency depends on recursive lookup depth |
| โ Good for ISPs that block direct pings to gateway | โ Difficult to debug (need traceroute to understand) |
Use Caseโ
Best for: Complex ISP setups where gateway IP doesn't respond to ping, so you use public DNS IPs (1.1.1.1) or other public services as probe targets.
Method 4: Netwatch (Manual Scripting)โ
How It Worksโ
An external monitoring tool periodically checks a host, then runs custom scripts if the host goes down or recovers. Gives you complete control over failover logicโdisable/enable routes, trigger alerts, execute any RouterOS command.
Flow Diagram:
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ Netwatch Monitoring Loop (every 5s) โ
โโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ
โผ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ Ping Target: 1.1.1.1 (ISP-1 probe) โ
โโโโโโโโฌโโโโโโโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโ
โ โ
ICMP OK No Response
โ โ
โผ โผ
โโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโ
โ Host UP โ โ Host DOWN (3 fails)โ
โโโโโโโโโโโโโโโ โโโโโโฌโโโโโโโโโโโโโโโโ
โ โ
โผ โผ
Execute: Execute:
up-script down-script
โ โ
โ โโ /ip route disable [find comment="ISP-1"]
โ โ โโ All ISP-1 routes now DISABLED
โ โ
โ โโ Optional: Log to file
โ โ โโ /log warning "ISP-1 Down"
โ โ
โ โโ Optional: Send email alert
โ โโ /tool send-email ...
โ
โโ /ip route enable [find comment="ISP-1"]
โโ All ISP-1 routes now RE-ENABLED
(Router immediately tries ISP-1 routes)
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ Result: Failover or Failback โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ ISP-1 Down (no route) โ
โ โ Traffic uses ISP-2 (distance=2) โ
โ โ
โ ISP-1 Recovers (route re-enabled) โ
โ โ Traffic back to ISP-1 (distance=1) โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
Configurationโ
Option A: Terminal
# Step 1: Create default routes (ISP-1 primary, ISP-2 secondary)
/ip route
add dst-address="0.0.0.0/0" target-scope="10" distance="1" gateway="192.168.1.1" \
comment="ISP-1" check-gateway="none" scope="30" routing-table=main
add dst-address="0.0.0.0/0" target-scope="10" distance="2" gateway="192.168.1.2" \
comment="ISP-2" check-gateway="none" scope="30" routing-table=main
# Step 2: Create recursive routes for netwatch probes
add dst-address="1.1.1.1" target-scope="10" distance="1" gateway="192.168.1.1" \
comment="ISP-1-probe" scope="30" routing-table=to-isp1
add dst-address="1.1.1.2" target-scope="10" distance="1" gateway="192.168.1.2" \
comment="ISP-2-probe" scope="30" routing-table=to-isp2
# Step 3: Create netwatch monitors with down/up scripts
/tool netwatch
add host="1.1.1.1" interval="5s" timeout="3s" \
down-script="/ip route disable [find comment=\"ISP-1\"]" \
up-script="/ip route enable [find comment=\"ISP-1\"]" \
comment="ISP-1"
add host="1.1.1.2" interval="5s" timeout="3s" \
down-script="/ip route disable [find comment=\"ISP-2\"]" \
up-script="/ip route enable [find comment=\"ISP-2\"]" \
comment="ISP-2"
Option B: Winbox
-
Create routes (WITHOUT check-gateway):
- IP โ Routes โ Click +
- Dst. Address: 0.0.0.0/0
- Gateway: 192.168.1.1
- Distance: 1
- Comment: ISP-1
- Check Gateway: none (important: let netwatch handle it)
-
Create netwatch monitors:
- Tools โ Netwatch โ Click +
- Host: 1.1.1.1 (external IP to probe)
- Interval: 5s
- Down Script:
/ip route disable [find comment="ISP-1"] - Up Script:
/ip route enable [find comment="ISP-1"] - Comment: ISP-1
- Click + (add second netwatch for ISP-2)
Key Parameters Explainedโ
| Parameter | Meaning |
|---|---|
host | External IP to ping (e.g., public DNS 1.1.1.1) |
interval | Probe frequency (default 60s, shown as 5s for fast failover) |
timeout | Fail after N seconds of no response |
down-script | RouterOS commands executed when host unreachable |
up-script | RouterOS commands executed when host recovers |
check-gateway="none" | Disable built-in checks; let netwatch manage routes |
Advanced Script Exampleโ
With Logging & Email Alert:
/tool netwatch
add host="1.1.1.1" interval="5s" timeout="3s" \
down-script="/log warning \"ISP-1 Down\"; \
/ip route disable [find comment=\"ISP-1\"]; \
/tool send-email to=\"admin@example.com\" subject=\"ISP-1 Failover\" body=\"ISP-1 is down, using ISP-2\"" \
up-script="/log info \"ISP-1 Up\"; \
/ip route enable [find comment=\"ISP-1\"]; \
/tool send-email to=\"admin@example.com\" subject=\"ISP-1 Recovered\" body=\"ISP-1 is back online\"" \
comment="ISP-1"
Pros & Consโ
| Pros | Cons |
|---|---|
| โ Complete control over failover logic | โ Requires explicit scripting (not automatic) |
| โ Can execute any RouterOS command on failure | โ More CPU overhead (external monitoring process) |
| โ Can send alerts/notifications | โ Requires netwatch service running |
| โ Flexible probe targets (any external IP) | โ Failover delay = netwatch interval + timeout |
| โ Easy to debug (scripts visible in GUI) | โ Misconfigured scripts can break routing |
Use Caseโ
Best for: Networks needing custom alerting, logging, or complex failover actions (e.g., disable VPN route on ISP-1 failure, reset firewall nat rules, trigger backup systems).
Comparison Tableโ
| Feature | Check-Gateway | Route Rules | Recursive | Netwatch |
|---|---|---|---|---|
| Setup Complexity | โญ Very Simple | โญโญโญ Complex | โญโญ Moderate | โญโญ Moderate |
| Failover Latency | ~100-300ms | ~100-300ms | ~100-300ms | ~5-15s (configurable) |
| CPU Usage | ๐ Very Low | ๐ Very Low | ๐ Very Low | ๐ก Moderate |
| Scripting Support | โ No | โ No | โ No | โ Full |
| Per-Subnet ISP Control | โ No | โ Yes | โ No | โ No |
| Dependency Chains | โ No | โ No | โ Yes | โ No |
| Custom Logic | โ No | โ No | โ No | โ Yes |
| Alerting/Logging | โ No | โ No | โ No | โ Yes |
| Best For | Simple dual-ISP | Multi-subnet per-ISP | Complex topologies | Custom failover actions |
Verification Stepsโ
For All Methods:โ
# 1. Check active routes
/ip route print where dst-address="0.0.0.0/0"
# 2. Verify route status (ACTIVE = enabled, X = disabled)
/ip route print where dst-address="0.0.0.0/0" detail
# 3. Test failover by simulating ISP-1 down (temporarily disable)
/ip route disable [find comment="ISP-1"]
# 4. Verify traffic now routes via ISP-2
/ip route print
# 5. Re-enable ISP-1 (failback)
/ip route enable [find comment="ISP-1"]
# 6. Check routing mark for marked traffic (Method 2 only)
/ip route rule print
# 7. For netwatch, view monitoring status
/tool netwatch print
Test Packet Path:โ
# Trace route through active ISP
/ip route print where dst-address="0.0.0.0/0"
# Note the first active route (lowest distance)
# Ping external host to verify ISP connectivity
/ping 8.8.8.8 count=5
# For recursive routes, check if probe target is reachable
/ip route print where dst-address="1.1.1.1"
Troubleshootingโ
| Issue | Cause | Solution |
|---|---|---|
| Route remains DISABLED after ISP recovers | Check-gateway still sees host down, or netwatch is disabled | Manually enable: /ip route enable [find comment="ISP-1"], check probe target (1.1.1.1 reachable?), verify gateway IP (192.168.1.1 responds to ping?) |
| Both routes show ACTIVE but traffic still fails | Distance metric incorrect or both gateways down | Verify distance values (lower = preferred). Ping both gateways: /ping 192.168.1.1 and /ping 192.168.1.2. Check if gateway IPs are correct. |
| Failover takes too long (>30 seconds) | Check-gateway interval too long, or netwatch timeout too high | Reduce check-gateway ping interval in route (default ~3s), reduce netwatch interval (e.g., 5s instead of 60s), reduce timeout (e.g., 3s). |
| Route rules not directing traffic to ISP-2 | Mangle rule not matching traffic, or route-rule action incorrect | Verify mangle rule matches source address: /ip firewall mangle print, check routing-mark is applied: /ip firewall mangle print stats. Verify route rule has action=lookup: /ip route rule print. |
| Netwatch scripts not executing | Netwatch disabled, or script syntax error | Enable netwatch: /tool netwatch enable [find comment="ISP-1"], test script manually: copy down-script content and run, check RouterOS logs for errors: /log print. |
| Recursive route not working (gateway unreachable) | Recursive probe target (1.1.1.1) not responding, or recursive route misconfigured | Verify recursive route exists: /ip route print where dst-address="1.1.1.1", ping probe target directly: /ping 1.1.1.1, check if recursive route via ISP is active. |
| Traffic uses wrong ISP (not preferred) | Distance value too high on primary, or secondary route has lower distance | Verify primary distance = 1, secondary = 2: /ip route print. Disable secondary route, test traffic, re-enable. |
Advanced Optionsโ
1. Combined Approach: Check-Gateway + Netwatchโ
Use built-in check-gateway for automatic failover, and netwatch for alerting:
# Routes use check-gateway (fast failover)
/ip route
add dst-address="0.0.0.0/0" distance="1" gateway="192.168.1.1" \
check-gateway="ping" comment="ISP-1"
add dst-address="0.0.0.0/0" distance="2" gateway="192.168.1.2" \
check-gateway="ping" comment="ISP-2"
# Netwatch adds logging & alerts (no disable/enable script)
/tool netwatch
add host="1.1.1.1" interval="10s" \
down-script="/log warning \"ISP-1 health check failed\"; \
/tool send-email to=\"admin@example.com\" subject=\"ISP-1 Degraded\"" \
comment="ISP-1-Alert-Only"
2. Multi-Tier Failover (3+ ISPs)โ
/ip route
add dst-address="0.0.0.0/0" distance="1" gateway="192.168.1.1" \
check-gateway="ping" comment="ISP-1"
add dst-address="0.0.0.0/0" distance="2" gateway="192.168.1.2" \
check-gateway="ping" comment="ISP-2"
add dst-address="0.0.0.0/0" distance="3" gateway="192.168.1.3" \
check-gateway="ping" comment="ISP-3"
Distance values create a failover chain: ISP-1 โ ISP-2 โ ISP-3.
3. Conditional Failover Based on Packet Typeโ
Use mangle rules to mark different traffic types, then route each to preferred ISP:
/ip firewall mangle
# VoIP traffic prefers ISP-1 (lower latency)
add chain=prerouting protocol=udp dst-port=5060,5061 \
action=mark-routing new-routing-mark=to-isp1 passthrough=yes comment="VoIPโISP-1"
# Video streaming prefers ISP-2 (higher bandwidth)
add chain=prerouting dst-port=443 \
action=mark-routing new-routing-mark=to-isp2 passthrough=yes comment="HTTPSโISP-2"
# Create separate routing tables (Method 2)
/ip route
add dst-address="0.0.0.0/0" distance="1" gateway="192.168.1.1" \
check-gateway="ping" routing-table=to-isp1 comment="ISP-1-VoIP"
add dst-address="0.0.0.0/0" distance="1" gateway="192.168.1.2" \
check-gateway="ping" routing-table=to-isp2 comment="ISP-2-Video"
4. Active-Active Load Balancing (PCC)โ
Distribute traffic evenly between two ISPs using Per-Connection Classifier:
/ip firewall mangle
add chain=prerouting action=mark-routing new-routing-mark=isp1 \
per-connection-classifier=both-addresses-and-ports:2/1 passthrough=yes
add chain=prerouting action=mark-routing new-routing-mark=isp2 \
per-connection-classifier=both-addresses-and-ports:2/2 passthrough=yes
/ip route
add dst-address="0.0.0.0/0" distance="1" gateway="192.168.1.1" \
routing-table=isp1 check-gateway="ping" comment="ISP-1"
add dst-address="0.0.0.0/0" distance="1" gateway="192.168.1.2" \
routing-table=isp2 check-gateway="ping" comment="ISP-2"
Each connection goes to either ISP-1 or ISP-2 based on source/destination hash.
5. Bandwidth Management Per ISPโ
Limit each ISP route to prevent one from saturating:
/ip firewall mangle
# Queue ISP-1 traffic for rate limiting
add chain=forward routing-mark=to-isp1 action=mark-packet new-packet-mark=isp1-limited passthrough=yes
/queue
add name="isp1-queue" parent=ether1 direction=in limit-at=50M target=192.168.1.1
add name="isp2-queue" parent=ether2 direction=in limit-at=50M target=192.168.1.2
Related Guidesโ
- Policy-Based Routing (PBR) for Call Center VPNs
- Policy-Based Routing (PBR) for GCash
- Quality of Service (QoS) Setup
- MikroTik Security Hardening
โ Failover Configuration Complete! Your network now has redundant ISP paths with automatic failover. Monitor the routes and adjust check-gateway intervals based on your ISP stability.