Hi
I have Failover set up from WAN to Sim. It works.
The problem, however, is that the Mikrotik (to the ISP) device plugged into the WAN port cannot see the LAN1, LAN2 & LAN3 ports. The other appliances are also Mikrotik. They need to see each other in order to work. When the appliance is plugged into the WAN port, I cannot ping its static IP, but the internet connection is there.
If I plug the ISP router into the LAN3 port, then the other Mikrotik appliances become visible, but then I lose the WAN Failover function.
Any ideas please? Thank you…
@oscalot Hello,
Could you clarify what you mean exactly by:
What does “see” refer to in this context? Do you mean no Layer 3 connectivity (e.g., pings failing), or do these devices need to be on the same Layer 2 network?
If it’s a routing issue, you need to configure a static route on the Mikrotik router to the LAN network of the RUT9, using the RUT9 WAN IP as the next hop. On the RUT9, you also need to allow forwarding in the firewall by editing the WAN zone and ensuring traffic between WAN and LAN is permitted.
If the devices need to be on the same Layer 2 network, the setup becomes more complex. One option is to connect the devices to the LAN port (port 3) on the RUT9. In this case, you can navigate to Network → Routing and add a default route (0.0.0.0/0) via the Mikrotik router’s IP so that Mikrotik acts as the default gateway for all traffic.
However, making failover work in this setup requires additional configuration. One option is to configure the LAN interface as a WAN and adjust related settings, such as the firewall, to reflect this change. Alternatively, you could add a default gateway on the LAN via CLI like so:
uci set network.lan.gateway='192.168.1.100'
uci commit
/etc/init.d/network restart
Then manually modify the mwan3 (failover) configuration to include the LAN interface (similarly to the other interfaces).
Keep in mind that this approach may not work as expected, since mwan3 is designed to manage WAN interfaces, not LAN interfaces.
Kind Regards,
Hello
Yes I am referring to Layer 3 and I mean that I cannot ping the other devices. I am reading your instructions for Layer 3, but I need some time to absorb your instructions, they seem too technical for me. 
I may come back to you for clearer instructions… 
@oscalot Hello,
If the setup is only layer 3, your MikroTik needs to know that it can reach the LAN network of the RUT901 through the RUT itself, rather than using its default route, which is the WAN of the MikroTik. To achieve this, you need to configure a static route on the MikroTik.
For example, if the WAN IP of the RUT901 is 192.168.100.100/24 and its LAN network is 192.168.1.0/24, you need to add the following route on the MikroTik:
192.168.1.0 255.255.255.0 via 192.168.100.100
This ensures that any traffic destined for the 192.168.1.0/24 network is sent to 192.168.100.100 (the RUT901’s WAN IP), and from there, the RUT forwards it to the LAN network. Since this traffic is entering the RUT901’s WAN interface, the firewall must be configured to allow traffic between the WAN and LAN. This can be done in the firewall settings under Network → Firewall → Zones → Edit the WAN zone, ensuring that traffic from/to LAN is allowed.
If the RUT901 has a public IP on its SIM card, I would also recommend separating the wired WAN and mobile connections into different firewall zones and blocking traffic from the mobile side into the device for better security.
Kind Regards,
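
The two checks described in the reply above, as an added Python illustration that is not part of the original thread: a longest-prefix route lookup on the MikroTik, and a simplified zone-forwarding check on the RUT. The upstream gateway 203.0.113.1, the zone name `mobile` and the helper names are assumptions made for the example; the other addresses and the `mob1s1a1` interface name come from the thread.

```python
import ipaddress

def next_hop(routes, dst):
    """Longest-prefix match: gateway of the most specific route that covers dst."""
    addr = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(net), gw) for net, gw in routes
               if addr in ipaddress.ip_network(net)]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def rut_forwards(ingress, dst, iface_zone, forwardings, lan="192.168.1.0/24"):
    """True if a NEW connection arriving on `ingress` for a LAN host may be forwarded.
    Simplified model: replies to established connections are not covered here."""
    if ipaddress.ip_address(dst) not in ipaddress.ip_network(lan):
        return False  # only traffic towards the LAN is modelled
    return (iface_zone[ingress], "lan") in forwardings

# MikroTik routing table (constructed): default route to an assumed ISP gateway,
# plus the directly connected network shared with the RUT's WAN port.
MIKROTIK_BEFORE = [("0.0.0.0/0", "203.0.113.1"),
                   ("192.168.100.0/24", "connected")]
# Same table with the static route from the reply added.
MIKROTIK_AFTER = MIKROTIK_BEFORE + [("192.168.1.0/24", "192.168.100.100")]

# Weak layout: wired WAN and mobile share one zone, so permitting wan->lan
# forwarding also permits it for traffic arriving over the SIM.
SHARED_ZONES = {"wan": "wan", "mob1s1a1": "wan", "lan": "lan"}
SHARED_FWD = {("lan", "wan"), ("wan", "lan")}

# Corrected layout: mobile gets its own zone (hypothetical name "mobile")
# with outbound forwarding only.
SPLIT_ZONES = {"wan": "wan", "mob1s1a1": "mobile", "lan": "lan"}
SPLIT_FWD = {("lan", "wan"), ("wan", "lan"), ("lan", "mobile")}

if __name__ == "__main__":
    host = "192.168.1.50"
    print("MikroTik without static route ->", next_hop(MIKROTIK_BEFORE, host))
    print("MikroTik with static route    ->", next_hop(MIKROTIK_AFTER, host))
    for label, zones, fwd in (("shared zone", SHARED_ZONES, SHARED_FWD),
                              ("split zones", SPLIT_ZONES, SPLIT_FWD)):
        for iface in ("wan", "mob1s1a1"):
            print(label, iface, "-> lan:", rut_forwards(iface, host, zones, fwd))
```
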
I have made some changes to the config as per your recommendation. I can ping both Mikrotik dishes on LAN2 and LAN3.
If I move the main dish to WAN (where it should go) then I cannot ping it anymore.
If I interpreted your message correctly, then I understand that traffic between WAN and LAN has been set up in both directions as per the screenshot: I however cannot ping the WAN port from the LAN (wifi) side…
@oscalot Hello,
The firewall zone settings appear to be correct.
Could you share the IP addresses assigned to the WAN and LAN interfaces? Also, what is the IP address of the Mikrotik?
Also, please attach a screenshot of the ARP and IPv4 Routes sections from Status → Routes → Static.
Kind Regards,
Greetings,
I have spoken with my ISP. They are not authorised to make changes in the firmware of Mikrotik, for the routing changes as per your instructions. This is a pity. They have recommended that I purchase a Mikrotik hAP Lite. Their equipment will be plugged into the switch, then from the switch it will plug into the WAN port of the RUT9. This is the only way that my problem will be addressed apparently.
To your request on attaching screenshots of the Static ARP and IPv4 routes: There are far too many entries of IP addresses. Is it a good idea to post them publicly? 
Thanks for your help thus far…
@oscalot Hello,
Is my understanding correct that you are trying to access the LAN devices from WAN side? Or is it the other way around (from LAN you are trying to reach WAN devices?)
If you are trying to reach WAN devices from LAN, then you need to ensure that packets are not routed via the mobile interface (if it's your default WAN/route) and are actually using the WAN port (you can try disabling the mob1s1a1 interface, leaving only LAN and WAN active, and checking if it works).
If you are unable to modify routing settings on the ISP’s Mikrotik device, and you are trying to reach LAN devices from WAN, then port forwarding might be a viable alternative.
Let’s assume the RUT’s WAN IP, which is connected to the Mikrotik, is 192.168.100.100. The LAN IP of the RUT is 192.168.1.1, and the target LAN device has the IP 192.168.1.50. You can configure port forwarding as follows:
- Source: WAN
- Destination: LAN
- External IP: 192.168.100.100
- External Port: 8080
- Internal IP: 192.168.1.50
- Internal Port: 80
With this setup, any traffic sent to 192.168.100.100 on port 8080 from the Mikrotik network will reach the RUT’s WAN interface. The RUT will then forward it to the LAN device at 192.168.1.50 while translating the port to 80. This is useful if, for example, your device has a web interface running on the default HTTP port 80 and needs to be accessed via a browser.
If other ports are required, you can adjust the forwarding rules accordingly.
Kind Regards,