MikroTik Internet Failover Like a Pro ⚑🌐

MikroTik Internet Failover Like a Pro ⚑🌐

27.06.2025 Networking 0

Even the best internet connection has its bad days. But what if your router could automatically switch to a backup line when the main one goes down β€” and just as smoothly, switch back again when things recover?

Spoiler: It can.
In this post, we’re giving our MikroTik router a failover setup using WinBox, so it’ll automatically use a backup interface when the primary connection drops.

Let’s go.

🧠 The Goal

We’ll configure:

  • ether5 (via a backup-bridge) as a backup WAN
  • Primary internet via vlan100-internet
  • Both inside the internet VRF
  • Automatic failover between the two

πŸ”§ Part 1: Set Up the Backup Bridge & VRF

1. Create a Bridge for Ether5

  1. Go to Bridge
  2. Click the βž• button
  3. Name it: backup-bridge
  4. Click OK

2. Add Ether5 to the Bridge

  1. Stay in Bridge β†’ Ports
  2. Click βž•
  3. Select backup-bridge as the bridge
  4. Select ether5 as the interface
  5. Click OK

3. Add the Backup Bridge to the Internet VRF

  1. Go to IP β†’ VRF
  2. Edit the internet VRF
  3. In the Interfaces field, make sure to include:
    • vlan100-internet
    • lan-bridge
    • backup-bridge βœ…
  4. Click OK

βœ… Double-check that all three interfaces show up in the internet VRF table.

4. Add a DHCP Client for the Backup Bridge

  1. Go to IP β†’ DHCP Client
  2. Click βž•
  3. Interface: backup-bridge
  4. Add Default Route β†’ set to no (important!)
  5. Comment: Backup Internet DHCP
  6. Click OK

Repeat for the primary interface (vlan100-internet) if needed β€” make sure Add Default Route is also set to no there.

πŸ“‘ Part 2: Routing + NAT + Failover Logic

1. Create a WAN Interface List

  1. Go to Interface β†’ Interface List
  2. Under the Lists tab, click βž• β†’ Name it WAN
  3. Under List Members, add:
    • vlan100-internet
    • backup-bridge

2. Update NAT Rule to Use Interface List

  1. Go to IP β†’ Firewall β†’ NAT
  2. Edit the existing masquerade rule
  3. Change Out. Interface β†’ to Out. Interface List
  4. Select WAN
  5. Click OK

3. Set Static Default Routes with Gateway Check

  1. Go to IP β†’ Routes
  2. Remove any default routes added by DHCP

Add Primary Route

  • Dst. Address: 0.0.0.0/0
  • Gateway: IP of your main ISP’s gateway (check DHCP lease)
  • Distance: 10
  • Check Gateway: ping
  • Routing Table: internet
  • Comment: Primary Internet Route

Add Backup Route

  • Dst. Address: 0.0.0.0/0
  • Gateway: IP of your backup ISP (from DHCP lease)
  • Distance: 20
  • Check Gateway: ping
  • Routing Table: internet
  • Comment: Backup Internet Route

πŸ“ Use IP β†’ DHCP Client to find the Gateway IPs for each interface.

🧠 Part 3 (Optional): Auto-Update Routes with a Script

If your ISP frequently changes gateway IPs, use a script:

1. Create the Script

Go to System β†’ Scripts β†’ Add
Name: update-wan-routes
Enable full permissions
Paste this script:

rscKopiΓ«ren:local primaryGw "";
:local backupGw "";

:delay 2s;
:set primaryGw [/ip dhcp-client get [find interface=vlan100-internet] gateway];
:set backupGw [/ip dhcp-client get [find interface=backup-bridge] gateway];

:local primaryRouteId [/ip route find comment="Primary Internet Route" vrf=internet];
:local backupRouteId [/ip route find comment="Backup Internet Route" vrf=internet];

if ([:typeof $primaryGw] = "string" && $primaryGw != "") do={
    if ($primaryRouteId = "") do={
        /ip route add dst-address=0.0.0.0/0 gateway=$primaryGw distance=10 routing-table=internet comment="Primary Internet Route" check-gateway=ping vrf=internet
    } else={
        /ip route set $primaryRouteId gateway=$primaryGw;
    }
}

if ([:typeof $backupGw] = "string" && $backupGw != "") do={
    if ($backupRouteId = "") do={
        /ip route add dst-address=0.0.0.0/0 gateway=$backupGw distance=20 routing-table=internet comment="Backup Internet Route" check-gateway=ping vrf=internet
    } else={
        /ip route set $backupRouteId gateway=$backupGw;
    }
}

Click OK

2. Schedule the Script

Go to System β†’ Scheduler β†’ Add

  • Name: run-update-wan-routes
  • Start Time: 00:00:00
  • Interval: 1m (or 5m if preferred)
  • On Event: /system script run update-wan-routes
  • Enable same policies as the script
  • Click OK

βœ… Testing the Failover

  1. Go to IP β†’ Routes
    • You should see:
      • Primary route active (A flag)
      • Backup route inactive (D flag)
  2. Unplug the cable from your primary WAN (e.g., ether1)
  3. Wait 10–30 seconds
    • The primary route should go unreachable (X flag)
    • The backup route becomes active (A flag)
  4. Try browsing the internet β€” it should work via the backup!
  5. Plug back the cable β€” wait β€” the system should switch back automatically.

πŸŽ‰ You Did It!

You now have a MikroTik router with intelligent failover. Whether your fiber link dies or your ISP has a hiccup, your network stays online β€” no more panic.

Coming up: load balancing between multiple ISPs, or advanced firewall tricks for WAN-specific traffic. πŸš€

Let me know if you want this as a Markdown file, export for Notion/blog, or even with screenshots!

©  2025 The life of Pi. Built using WordPress and OnePage Express Theme.