Hi,

As usual with Mikrotik it is roll-your-own but you can do this:
https://wiki.mikrotik.com/wiki/Advanced_Routing_Failover_without_Scripting

I'd test the heck out of it first though. If the failover happens, bear in mind the connections will drop (maybe not ones in the VPN if it connects again fast enough) as the default route will change and it'll be on a completely different network.

I have wanted to try the following though:

* Set up a Cloud Hosted Router on a VPS with oodles of speed and data. Everything, including the Internet for all the sites, runs through this central node.
* Have each external Mikrotik router run a VPN on the main (say NBN) and 4G link back to this router. If the main link goes down there is an alternate route to the VPS over 4G but all the sessions keep going, albeit with maybe a small delay while the internal route changes and a noticeable speed and latency change.
* The VPN between the two sites would be kept persistent as well. You'd be running RFC1918 addresses on your 'internal' network and all internet traffic from this network would appear to come from the public IP address of the CHR using masquerade NAT. I am sure OSPF would be used to make the routes work properly. If you used IPv6 you could have public addresses for all the devices on the network.
* See below - I hope my ASCII art survives.

      /--NBN VPN---\     /--NBN VPN---\
SiteA               CHR                SiteB
      \--4G VPN----/  |  \--4G VPN----/
                      |
                    Public
                      |
                   Internet

I have seen some business grade ISPs offer such persistent data links using NBN and 4G and I figure they do something similar to the above.

Regards,
Jason Hecker
<https://www.upandrunningtech.com.au/>

On Wed, 9 Oct 2019, at 17:43, Karl Auer wrote:
We need to quote to a client for two routers capable of running a VPN between two sites - easy, that's a MikroTik. But they want a fallback to 3G/4G so that the site that falls back keeps Internet access AND so that the VPN keeps running.
What's the state of MikroTik 3G/4G fallback? Last I looked it seemed very roll-your-own, and supported only a few very specific dongles...
Ideally it would work like the (vastly more expensive) Merakis and just fail everything over to the secondary link if the primary fails, where "fail" would be either a ping test or interface down.
That said, I'm OK with a solution that needs more work, as long as once done it is set-and-forget.
Any pointers?
Regards, K.
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Karl Auer (kauer@nullarbor.com.au)
work +61 2 64957435
http://www.nullarbor.com.au
mobile +61 428 957160

GPG fingerprint: 887A DA07 4DCC EE76 B413 27D4 C638 4189 6CF0 D556
Old fingerprint: 8454 EE43 6215 B6DD 1B4D 9D8D 984D 7BA1 7378 A38D