Category: Failover

Now that we have lots of 4G dongles providing clients a failover when their ADSL dies (crappy copper means when, not if), we need to monitor the status of the routes.

For this to work you need to do a few things first.

View full article »

The default IP address on the Telstra MF823 4G router is

If you want to connect this to a router, and to a LAN that has the same IP range (but this should never happen in the real world...), you need to change the IP on the router.


You can call Telstra, bump your ass on the moon for a while, or follow these steps.

View full article »

After giving up on IPSEC tunnels (not EoIP over IPSEC, though) I have created the below.

We all know how bad PPTP tunnels are, and why having them is just annoying people trying to steal your data, rather than actually protecting it.


View full article »

This method never worked as planned. The IPSEC tunnel left a hidden route in the route table, so it just got messy. Try this one instead.


I needed a way to fail over from an IPSEC tunnel with static IPs at each end, to a PPTP tunnel from a site with a non-routable address.

The main problem is that I have the remote subnet listed as accessible via bridge.local to allow the IPSEC traffic and to allow NetWatch to monitor the remote sites.

The solution is as follows:

  • Set up and test the IPSEC tunnel.
  • Set up the PPTP tunnel as needed to the remote site.
  • Add a route with a lower preference than the normal route.
  • Add a comment to the remote site route.

/ip route
add check-gateway=ping comment="over ipsec" distance=1 dst-address= \
add distance=10 dst-address= gateway=pptp-out1
add distance=1 dst-address= gateway="ether1-ADSL Modem"

In this setup, the local subnet is and the remote subnet is

Next we put in the NetWatch scripts. The value in red below is the STATIC IP address of the main interface.

/tool netwatch
add host=
add down-script=\
"/ip route set [/ip route find where comment=\"over ipsec\"] disabled=yes" \
host= up-script=\
"/ip route set [/ip route find where comment=\"over ipsec\"] disabled=no"

The red "over ipsec" comment is used to identify the rule that's going to get changed.


When the main interface goes down, NetWatch will disable the route via bridge.local and allow the PPTP distance 10 route to kick in.
The PPTP interface should redial as needed to get connection over the second internet connection and all should just work. I will be testing that tomorrow.

In testing now with only one interface. When the "over ipsec" rule is enabled, all traffic goes over the IPSEC tunnel; when that route gets disabled, traffic will flow over the PPTP.

If you have a dynamic WAN IP address, then you will have to get more creative, running a lookup using /ip address print and putting that into this NetWatch host.
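One way to do that lookup, as an added example that is not part of the original post: a RouterOS script that reads the current address on the WAN interface and writes it into the NetWatch host. It assumes the WAN interface is "ether1-ADSL Modem" as in the routes above, and that the NetWatch entry carrying the up/down scripts has been given the hypothetical comment "wan-self".

```routeros
# Added example, not from the original post.
# Assumptions: WAN interface name matches the route above; the NetWatch entry
# that toggles the "over ipsec" route carries the hypothetical comment "wan-self".
:local wanIf "ether1-ADSL Modem"
:local ids [/ip address find where interface=$wanIf]

:if ([:len $ids] = 0) do={
    # No address on the WAN interface: leave the NetWatch host alone so the
    # existing entry times out and runs its down-script.
    :log warning "wan-self: no address on $wanIf, NetWatch host left unchanged"
} else={
    # /ip address stores "a.b.c.d/nn"; strip the prefix length.
    :local cidr [/ip address get ($ids->0) address]
    :local ip [:pick $cidr 0 [:find $cidr "/"]]

    :local nw [/tool netwatch find where comment="wan-self"]
    :if ([:len $nw] = 0) do={
        :log warning "wan-self: no NetWatch entry with that comment"
    } else={
        # Only write when the address actually changed, to avoid resetting
        # NetWatch state on every run.
        :local current [:tostr [/tool netwatch get ($nw->0) host]]
        :if ($current != $ip) do={
            /tool netwatch set $nw host=$ip
            :log info "wan-self: NetWatch host updated from $current to $ip"
        }
    }
}
```

Run it from /system scheduler at a short interval so the NetWatch host follows the WAN address after each lease or PPP reconnect.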


I'm sure there are much cleaner ways of doing this, as this will not fail over in the event of the IPSEC tunnel failing but the ADSL staying alive, but that's a topic for another day.