WAN Failover
WAN Failover is a critical SD-WAN feature that ensures network resilience and business continuity. It allows you to combine multiple internet connections (e.g., Fiber, LTE, Starlink) on a single MikroTik device. Altostrat SDX continuously monitors the health of each link and, if your primary connection fails, automatically reroutes all traffic through a working secondary link in seconds. This process is seamless and ensures your business stays online and operational, even during a partial or complete ISP outage.
Core Concepts
Understanding these three concepts is key to mastering the WAN Failover service:
WAN Tunnels
Each of your internet connections is represented in SDX as a WAN Tunnel. This is a secure, lightweight OpenVPN tunnel that connects your router to Altostrat’s global network over a specific physical interface (like ether1 or lte1).
Interface Priority
This is a ranked list of your WAN Tunnels. The tunnel at the top of the list is the primary link, the second is the first backup, and so on. The system will always prefer to use the highest-priority link that is currently online.
Health Checks
Altostrat continuously monitors the health of each WAN Tunnel by sending probes to our global Anycast network. If a link fails to respond, it is marked as down, and traffic is automatically rerouted to the next-highest priority link.
Under the Hood: The Failover Mechanism
Altostrat’s WAN Failover is powered by a custom-built, high-performance stateless route controller, written in Go. Unlike a traditional VPN, its sole purpose is to authenticate your device and dynamically push routing information. This architecture is designed for maximum speed and resilience.
- Stateless Connections: Each of your router’s WAN interfaces establishes a persistent TCP connection (over port 443 for firewall compatibility) to our route controller. The controller itself holds no state; it relies on the live TCP connection as proof that the link is up.
- Dynamic Route Pushing: When a tunnel connects, it authenticates against our API. The API returns a set of routes tailored to that tunnel’s priority.
  - High-Priority Tunnels receive more specific routes (e.g., 0.0.0.0/1 and 128.0.0.0/1).
  - Low-Priority Tunnels receive a less specific, higher-metric default route (e.g., 0.0.0.0/0). RouterOS naturally prefers the more specific routes, directing all traffic through the primary link.
- Instantaneous Failover: If your primary ISP fails, the underlying TCP connection to our route controller is severed. The OpenVPN client on your MikroTik immediately detects this and automatically withdraws the specific, high-priority routes it had received. With those routes gone, the router’s traffic immediately begins flowing to the next-best route available—the default route provided by your still-active backup tunnel. The failover is complete.
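The route selection described above can be modelled in a few lines. This is an added example, not Altostrat's controller code or RouterOS code; the tunnel names fiber and lte, the metric values 1 and 10, and the Table and Route types are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/netip"
	"slices"
)

// Route models one pushed route; tunnel names and metrics are assumed values.
type Route struct {
	Prefix netip.Prefix
	Metric int
	Tunnel string
}
type Table struct{ routes []Route }

// NewSiteTable: primary gets the two specific /1 halves, backup a higher-metric default.
func NewSiteTable() *Table {
	p := netip.MustParsePrefix
	return &Table{[]Route{
		{p("0.0.0.0/1"), 1, "fiber"}, {p("128.0.0.0/1"), 1, "fiber"},
		{p("0.0.0.0/0"), 10, "lte"},
	}}
}

// Withdraw drops every route learned over a tunnel, as when its connection is severed.
func (t *Table) Withdraw(tunnel string) {
	t.routes = slices.DeleteFunc(t.routes, func(r Route) bool { return r.Tunnel == tunnel })
}

// Lookup picks the longest matching prefix, then the lowest metric; "" means no route.
func (t *Table) Lookup(dst string) string {
	addr, best, found := netip.MustParseAddr(dst), Route{}, false
	for _, r := range t.routes {
		bits, cur := r.Prefix.Bits(), best.Prefix.Bits()
		better := !found || bits > cur || (bits == cur && r.Metric < best.Metric)
		if r.Prefix.Contains(addr) && better {
			best, found = r, true
		}
	}
	return best.Tunnel
}

func main() {
	t := NewSiteTable()
	fmt.Println(t.Lookup("1.1.1.1"), t.Lookup("192.0.2.10")) // primary carries both halves
	t.Withdraw("fiber")
	fmt.Println(t.Lookup("1.1.1.1"), t.Lookup("192.0.2.10")) // backup default takes over
}
```

Because the two /1 routes together cover the whole IPv4 space, the backup's default route is never chosen while the primary's routes are present, whatever its metric.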
Configuring WAN Failover
Follow these steps to enable and configure WAN Failover on your site. When you first enable the service, Altostrat automatically creates two default, unconfigured WAN Tunnels for you to start with.
1. Navigate to WAN Failover
From the SDX Dashboard, select the site you want to configure. In the site’s overview, navigate to the WAN Failover tab.

2. Enable and Configure Interfaces
- Click Enable to activate the WAN Failover service for this site.
- For your primary internet connection, click the gear icon to configure the first WAN Tunnel.
- In the modal, define the connection details:
  - Name: A descriptive name (e.g., “Primary Fiber Link”).
  - Interface: Select the physical MikroTik interface (e.g., ether1, lte1). The platform queries your device in real time to populate this list.
  - Gateway IP: Enter the gateway IP for this connection. Click Look up eligible gateways to have the platform attempt to auto-discover it for you.
  - Connection Type: Specify the type of link (Fiber, LTE, etc.) for identification.
- Click Save.
- Repeat this process for all your available WAN links. To add more than two, click Add WAN Tunnel.

For metered connections like LTE or 5G, it’s best to place them lower in the priority list to ensure they are only used as a last resort.
3. Set Interface Priority
The order of the tunnels in this list determines their failover priority. The link at the top is the primary, the second is the first backup, and so on.
- Use the up/down arrows to drag and drop the tunnels into your desired order of preference.
- Click Confirm Priority to save the changes and push the new configuration to your device.

Managing and Monitoring Failover
Manually Triggering a Failover
You can manually trigger a failover for testing or operational reasons by simply changing the interface priority.
- Navigate to the WAN Failover tab.
- Drag your desired backup link to the top of the list.
- Click Confirm Priority. The router will immediately prefer the new primary link and switch its active traffic path.
A brief interruption in connectivity (a few seconds) will occur as the router’s routing table converges and traffic switches to the new active link.
Monitoring Failover Events
When a WAN Tunnel goes down or comes back up, Altostrat logs this as a Fault event. This provides a complete historical record of your link stability and failover activity.
View the Fault Log
To see a detailed history of all failover events, check the Faults log for your site. This is the best place to investigate ISP reliability.
Deactivating WAN Failover
If you no longer need a multi-WAN setup, you can deactivate the service.
- Navigate to the WAN Failover tab.
- Click the Deactivate button.
- Confirm the action. Altostrat will dispatch jobs to remove all associated WAN tunnel configurations from the device.
Best Practices
Test Your Setup Regularly
Periodically test your failover by unplugging the primary link’s network cable to ensure the backup connection takes over as expected. This validates your configuration and hardware from end to end.
Understand Link Characteristics
Place your most stable and highest-performing link at the top of the priority list. Use metered, high-latency, or less reliable connections (like LTE or satellite) as lower-priority backups.
Monitor for Flapping Links
Use the Faults log to identify unstable connections that are failing and recovering frequently (“flapping”). A flapping link can cause network instability and should be investigated with the ISP.


