Dual ISP: Mikrotik automatic failover using netwatch

Organizations are heavily dependent on the Internet to get their work done these days. With everything moving to the cloud, there is no room for Internet downtime, especially for corporate organisations. The onus is on network administrators to implement policies on carefully designed networks that keep business operations running no matter what. In this demonstration I will show how the Mikrotik netwatch tool, combined with two simple scripts, can provide automatic failover in a dual ISP setup on a Mikrotik router.

With a default route already pointing to ISP-1, netwatch will automatically switch the default route to ISP-2 once ISP-1 becomes unreachable and will switch back to ISP-1 whenever it becomes available again. To accomplish this, enter the following commands in the New Terminal window of the Mikrotik router, assuming all basic configuration has been done and connectivity to both ISPs has been established.

Figure: automatic failover with dual ISP connections
[admin@MikroTik] system script> add name=gw_1 source="/ip route set [/ip route find dst-address=0.0.0.0/0] gateway=<ISP1-GATEWAY>"
This command creates a script named gw_1 that sets the gateway of the default route (0.0.0.0/0) to the ISP-1 gateway address (replace the <ISP1-GATEWAY> placeholder with that address).
[admin@MikroTik] system script> add name=gw_2 source="/ip route set [/ip route find dst-address=0.0.0.0/0] gateway=<ISP2-GATEWAY>"
This command creates a script named gw_2 that sets the gateway of the default route to the ISP-2 gateway address (replace the <ISP2-GATEWAY> placeholder accordingly).
[admin@MikroTik] system script> /tool netwatch
[admin@MikroTik] tool netwatch> add host=<ISP1-GATEWAY> interval=10s timeout=998ms up-script=gw_1 down-script=gw_2

This line tells netwatch to ping the ISP-1 gateway address every 10 seconds. As long as replies arrive within 998 milliseconds the host is considered up; when its status changes to up, the script gw_1 is executed, and when it changes to down, the script gw_2 is executed. gw_1 sets the default gateway to ISP-1, while gw_2 sets it to ISP-2.
For this to work as intended, the pings used to test the reachability of ISP-1 must never be sent through ISP-2; otherwise a reply that came back via ISP-2 could make netwatch believe ISP-1 is up. To prevent this, we create a firewall rule that drops ICMP traffic to the ISP-1 gateway leaving through the interface connected to ISP-2 (ether2 here). Because the netwatch probes are generated by the router itself, they pass through the output chain rather than the forward chain, so the rule must be placed there.
[admin@MikroTik] > ip firewall filter add chain=output dst-address=<ISP1-GATEWAY> protocol=icmp out-interface=ether2 action=drop
To check the netwatch settings, use the tool netwatch print command, or tool netwatch print detail for more details, including the current status and when it last changed:
[admin@MikroTik] tool netwatch> print
Flags: X - disabled
  #   HOST         TIMEOUT                   INTERVAL                 STATUS
  0                997ms                     10s                      up
[admin@MikroTik] tool netwatch> print detail
Flags: X - disabled
  0   host= timeout=997ms interval=10s
      since=jan/06/2018 14:01:03
      status=up up-script=gw_1 down-script=gw_2
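As an added example that is not part of the original post, here is the whole setup collected into one pasteable RouterOS configuration, with a log entry written on every switch so failover events are visible in the router log (and can be forwarded to a syslog server). It assumes ISP-1 is on ether1 and ISP-2 on ether2; <ISP1-GATEWAY> and <ISP2-GATEWAY> are placeholders for the real gateway addresses.

```routeros
# Added example, not the original post's own commands. Placeholders <ISP1-GATEWAY>
# and <ISP2-GATEWAY> must be replaced with the real next-hop addresses; ISP-1 is
# assumed on ether1 and ISP-2 on ether2.

# 1. Scripts that rewrite the gateway of the default route and log the change.
/system script
add name=gw_1 source="/ip route set [find dst-address=0.0.0.0/0] gateway=<ISP1-GATEWAY>; :log warning \"netwatch: ISP-1 up, default route via ISP-1\""
add name=gw_2 source="/ip route set [find dst-address=0.0.0.0/0] gateway=<ISP2-GATEWAY>; :log warning \"netwatch: ISP-1 down, default route via ISP-2\""

# 2. Keep the probe honest: netwatch pings originate on the router, so they pass
#    through the OUTPUT chain. Drop any probe that would leave via the ISP-2
#    interface, so a reply that travelled over ISP-2 can never mark ISP-1 up.
/ip firewall filter
add chain=output protocol=icmp dst-address=<ISP1-GATEWAY> out-interface=ether2 action=drop comment="netwatch probe to ISP-1 must not use ISP-2"

# 3. The monitor: one probe every 10 s, the reply must arrive within 998 ms.
/tool netwatch
add host=<ISP1-GATEWAY> interval=10s timeout=998ms up-script=gw_1 down-script=gw_2 comment="ISP-1 reachability / failover"

# 4. Verify the current state and review past failover events.
/tool netwatch print detail
/log print where message~"netwatch"
```

Watch the log after a deliberate test (unplugging ether1) to confirm both the down and the subsequent up transition are recorded.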