Today, I want to share a practical approach to configuring automatic WAN failover on MikroTik routers using Netwatch. If you have ever experienced internet downtime because of a failure in your primary WAN connection, you know how disruptive it can be. While there are several ways to implement failover, my method gives more certainty by verifying true connectivity to the wider internet, not just a reachable gateway.

How Netwatch-Based Failover Differs

Previously, I posted about using static routes with check-gateway enabled to handle WAN failover. That approach is functional, but it only checks connectivity to your gateway. In contrast, using Netwatch lets us monitor a specific external IP address. This ensures your WAN connection is actually passing traffic to the internet, not just able to ping the next router upstream. It feels like a more robust solution for most real-world use cases.

Choosing the Target IP

To make this setup work, you need to pick a reliable IP address to ping. Here’s a key detail: during a failover event, your router will not be able to reach this IP via the secondary WAN until the primary is restored. That is on purpose, and it follows from the static route the script adds to send traffic for this IP through the primary WAN only. We want to be certain the primary WAN is truly online before automatically failing back.

For my own implementations, I recommend using one of the root DNS server IPs. They provide several advantages. First, you should not have any regular client traffic going directly to them. Second, they are among the most reliable services on the planet. You can find a list at root-servers.org and pick the nearest one to you.

Step-By-Step Configuration

1. Create the Auto Failover Script

Open the MikroTik web UI and go to System > Scripts > Add New. Paste in the following script and update the uptimeTarget variable to the IP address you selected from the root DNS server list.

:log info "starting dhcp client auto failover setup script";

# Nearest root nameserver
:local uptimeTarget;
:set uptimeTarget "192.5.5.241";

# Clean up any previous config for this interface
/ip route remove [ find comment="$interface default route" ];
/ip route remove [ find comment="$interface uptime target" ];
/tool netwatch remove [ find comment="$interface monitor" ];

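# On a new lease ($bound = 1): add the primary default route, pin the uptime
# target to the primary gateway, and create the Netwatch monitor
:if ($bound = 1) do={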
    /ip route add dst-address=0.0.0.0/0 distance=10 gateway=$"gateway-address" comment="$interface default route";
    /ip route add dst-address="$uptimeTarget/32" gateway=$"gateway-address" comment="$interface uptime target";
    /tool netwatch add interval=10s host=$uptimeTarget down-script=":log info \"primary wan connection lost, failing over\"; /ip route disable [ find comment=\"$interface default route\" ]" up-script=":log info \"primary wan connection restored, failing back\"; /ip route enable [ find comment=\"$interface default route\" ]" comment="$interface monitor";
}

Name the script something descriptive, such as setup-auto-failover. Make a note of the name since you will need it shortly.

2. How the Script Works

Every time your primary WAN interface receives a DHCP lease, the script performs the following actions:

  • Removes any existing routes or Netwatch instances for this interface, preventing overlaps.
  • Adds a default gateway route for the primary WAN with a distance of 10.
  • Adds a static route for your uptimeTarget so that it is always routed via the primary WAN.
  • Sets up a Netwatch entry to monitor the uptimeTarget. If Netwatch cannot reach it, the script disables the default route for the primary WAN, causing failover to the secondary WAN. It checks this every 10 seconds.
  • As soon as connectivity to the monitored IP is restored, the primary WAN route is re-enabled, and traffic returns to normal.

3. Configure DHCP Clients

Now, go to IP > DHCP Client.

  • Select your Secondary WAN and set Default Route Distance to a value greater than 10. I usually use 20, but any value above 10 works.
  • For your Primary WAN, set Add Default Route to 'no'. Then set Script to the name you used earlier, for example, setup-auto-failover.

To kick things into action immediately, you can click the Release button on the primary WAN DHCP client. This will make the router request a new IP and execute the script, putting all your failover logic in place.

4. Static Configurations

If your WAN connections do not use DHCP, you are not out of luck. Use this script as a model and implement equivalent static routes and Netwatch monitoring manually.
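
A static equivalent of the DHCP script, as an added example that is not part of the original post. The gateway addresses (documentation-range placeholders) and the wan1/wan2 comment labels are assumptions; the distances, the 10s interval and the target IP follow the script above.

```routeros
# Constructed values: 192.0.2.1 and 198.51.100.1 are documentation addresses
# standing in for your primary and secondary WAN gateways. Replace them.
:local primaryGw "192.0.2.1";
:local secondaryGw "198.51.100.1";

# Nearest root nameserver, same target as in the DHCP script
:local uptimeTarget "192.5.5.241";

# Remove earlier copies so the script can be re-run without duplicates
/ip route remove [ find comment="wan1 default route" ];
/ip route remove [ find comment="wan1 uptime target" ];
/ip route remove [ find comment="wan2 default route" ];
/tool netwatch remove [ find comment="wan1 monitor" ];

# Primary default route: preferred while enabled (distance 10)
/ip route add dst-address=0.0.0.0/0 distance=10 gateway=$primaryGw comment="wan1 default route";

# Secondary default route: takes over only when the primary route is disabled
/ip route add dst-address=0.0.0.0/0 distance=20 gateway=$secondaryGw comment="wan2 default route";

# Host route that keeps the probe on the primary WAN, so a successful ping
# always means the primary path itself is passing traffic
/ip route add dst-address="$uptimeTarget/32" gateway=$primaryGw comment="wan1 uptime target";

# Probe every 10 seconds; disable the primary default route on failure and
# enable it again when the target answers
/tool netwatch add interval=10s host=$uptimeTarget down-script=":log info \"primary wan connection lost, failing over\"; /ip route disable [ find comment=\"wan1 default route\" ]" up-script=":log info \"primary wan connection restored, failing back\"; /ip route enable [ find comment=\"wan1 default route\" ]" comment="wan1 monitor";
```

Because it uses :local variables, save this under System > Scripts and run it once rather than pasting it into the terminal line by line.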

Final Thoughts

With this method, you get a highly responsive, self-correcting WAN failover system. When the internet upstream truly drops, your MikroTik router automatically reroutes traffic via your backup WAN. Once the primary recovers, traffic swiftly returns. I hope this setup brings your network a new level of reliability and gives you peace of mind in the face of surprise outages.