Mikrotik OSPF Routing Distance Ignored

Discussion: Every routing protocol has a default distance that helps the router decide which route to use when there are multiple routes to the same destination. For Mikrotik routers, these distances are listed here:
https://wiki.mikrotik.com/wiki/Manual:Route_Selection_Algorithm_in_RouterOS
If you want to configure a backup link that is only activated when the OSPF main route is missing, you can use a static route with distance 120, which is higher than the OSPF default of 110.

If you enter this route on a Mikrotik after the OSPF route has been learned, it works as expected: the static route with distance 120 is ignored until the OSPF route vanishes.

But the other way around does not work. If the 120 route is already active, the OSPF route is ignored even though it has the better distance of 110. Worse, the Mikrotik keeps this route in its own OSPF announcement.

This is a known bug: https://forum.mikrotik.com/viewtopic.php?t=119493

Workaround: You can make two smaller routes for the preferred path.
For example, two /26 routes should always overrule a /25 route, because the more specific prefix is matched first regardless of distance.

Version: Mikrotik RouterOS 6.46.1
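
Why the workaround sidesteps the distance comparison, as an added example that is not part of the original post: distance is only compared between routes to the same prefix, while forwarding picks the longest matching prefix. This is a general model of route selection, not RouterOS code; the 192.0.2.0/25 prefix and all function names are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    distance: int
    source: str  # "ospf" or "static"


def split_in_two(prefix):
    """Return the two half-size prefixes that together cover `prefix`."""
    return list(ipaddress.ip_network(prefix).subnets(prefixlen_diff=1))


def active_routes(candidates):
    """Per identical prefix, keep only the candidate with the lowest distance."""
    best = {}
    for route in candidates:
        current = best.get(route.prefix)
        if current is None or route.distance < current.distance:
            best[route.prefix] = route
    return list(best.values())


def lookup(table, dst):
    """Forwarding lookup: longest matching prefix wins, distance is not consulted."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in table if addr in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen, default=None)


# Constructed sample: static backup /25 with distance 120 (assumed prefix).
BACKUP = Route(ipaddress.ip_network("192.0.2.0/25"), 120, "static")


def table_with_workaround(ospf_up):
    """Backup /25 is always present; OSPF contributes two /26 halves while up."""
    routes = [BACKUP]
    if ospf_up:
        routes += [Route(p, 110, "ospf") for p in split_in_two("192.0.2.0/25")]
    return active_routes(routes)


def selected_source(dst, ospf_up):
    """Which route source ends up forwarding traffic for `dst`."""
    route = lookup(table_with_workaround(ospf_up), dst)
    return route.source if route else None
```

Because the /26 routes never share a prefix with the static /25, the order in which the routes were installed no longer matters.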

MikroTik Automatic IPSec Failover

Problem: Mikrotik allows only one IPsec policy per network-to-network pair. If you want redundant tunnels between two locations with two upstreams, you cannot configure IPsec redundancy on Mikrotik, because one IPsec policy is always marked as “invalid” by the OS.

Solution: I made a Mikrotik script that checks the status and reachability of the IPsec tunnel and endpoint, and switches between a primary and secondary tunnel policy and peer. You can add this script to the scheduler for automatic failover. (Source: “/system script run 0” if this script is script “0”)

{
# Item numbers of the IPsec policies and peers to switch between
:local PrimaryPolicy 2
:local SecondaryPolicy 3
:local PrimaryPeer 0
:local SecondaryPeer 1

# localAip/remoteAip and localBip/remoteBip are placeholders for the
# addresses to ping on each path. :ping returns the number of replies (0..3).
:local PrimaryOK [:ping count=3 src-address=localAip remoteAip];
:local SecondaryOK [:ping count=3 src-address=localBip remoteBip];
:local PrimaryActive [/ip ipsec policy get $PrimaryPolicy active];

# :log info "Status: $PrimaryOK $SecondaryOK $PrimaryActive";
# Test case: set $PrimaryOK 0;

# Primary got no replies, secondary got more than one, primary policy still active
:if ($PrimaryOK < 1 && $SecondaryOK > 1 && $PrimaryActive) do={
    :log warn "switch to failover";
    /ip ipsec policy disable $PrimaryPolicy;
    /ip ipsec policy enable $SecondaryPolicy;
    /ip ipsec peer disable $PrimaryPeer;
    /ip ipsec peer enable $SecondaryPeer;
}
# Primary answered all 3 pings and its policy is not active: switch back
:if ($PrimaryOK = 3 && !$PrimaryActive) do={
    :log warn "switch to primary";
    /ip ipsec policy disable $SecondaryPolicy;
    /ip ipsec policy enable $PrimaryPolicy;
    /ip ipsec peer disable $SecondaryPeer;
    /ip ipsec peer enable $PrimaryPeer;
}
}

Version: tested with RouterOS 6.44.1