I'm pretty new to Mikrotik, but pretty impressed with what I've seen out of the RB750G boxes we bought so far. However, I'm having some trouble with a pretty non-standard setup I'm trying to run on one, and I was hoping someone can point me to where I'm going wrong here.

Here's what I've got:

RouterOS 4.17 (I can upgrade to 5.x if anyone thinks that would make a difference for what I'm doing)

Port 1: Public IP of A.A.A.A
Port 3: Private IP of 192.168.20.253
Port 4: Private IP of 192.168.21.1

Port 1 connects to a fiber switch that connects it to a gateway of B.B.B.B to give it access to the rest of the internet
Port 3 connects to a backhaul that eventually gets it to 192.168.20.1, which also gives it access to the internet
Port 4 connects to a whole lot of APs we have, with backbone IPs of 192.168.21.x

I loosely followed the guide here for the next part: http://wiki.mikrotik.com/wiki/Load_Bala ... e_Gateways

Routes are in place to give different subnets to all our APs on port 4. Packets from 172.16.x.x, 172.20.x.x, and 192.168.21.x (coming from port 4) are all marked as GroupA and routed through 192.168.20.1 on port 3, with no NATing taking place. This part does work as expected.

Routes are also in place to give separate alias subnets to special customers on the same APs on port 4. These special customers all have IPs that start with 172.21.x.x. Packets for these customers are marked as GroupB and routed to B.B.B.B on Port 1. There is also a rule setup under NAT for 172.21.0.0/16 with an action of masquerade to NAT everything for these special customers. This part is what is not working.

When I try to ping out to Google at 8.8.8.8 from one of the special customers with a 172.21.x.x IP, I get a reply back from A.A.A.A saying the destination is unreachable, so it appears to be getting all the way to the Mikrotik box and then failing. If I switch that customer over to a 172.20.x.x IP, everything works properly to route them through the gateway on Port 3.

I'm sure this is a configuration issue on my end, but I'm really stuck on where I'm going wrong. Please take mercy upon me and help me.

Have You added NAT on Your gateway?

Unless I'm misunderstanding, that's what the masquerade should be doing, if you're talking about the traffic from GroupB that should be going out port 1. For the traffic going out port 3, the NAT happens later on down the line at another router, and that traffic is working as it should.