This all worked without a problem up until 7.2.1; in 7.2.2 it stopped working, and it hasn’t worked in any release since. The Netwatch for ISP1 works without a problem, but the ISP2 Netwatch that has a routing mark never gets processed by the router. It seems to loop the traffic back to the gateway until the TTL expires.
I have provided a basic version of our config that demonstrates the problem. The attached config works perfectly in 7.2.1, but ISP2 will not show up in Netwatch in 7.2.2. Any help would be greatly appreciated.
# feb/14/2024 18:26:39 by RouterOS 7.2.1
# software id =
#
# Interfaces and addressing: two WAN ports (ge1-wan1, ge2-wan2) and a LAN bridge.
/interface bridge
add name=lanbridge
/interface ethernet
# Rename the physical ports by role so later rules read clearly.
set [ find default-name=ether1 ] name=ge1-wan1
set [ find default-name=ether2 ] name=ge2-wan2
set [ find default-name=ether3 ] name=ge3-lan
set [ find default-name=ether4 ] name=ge4-lan
set [ find default-name=ether5 ] name=ge5-lan
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=lan-pool ranges=192.168.1.100-192.168.1.254
/ip dhcp-server
# Leases for LAN clients come from lan-pool and last three days.
# NOTE(review): no "/ip dhcp-server network" section appears in this export - confirm clients
# still receive a gateway and DNS server in the full config.
add address-pool=lan-pool interface=lanbridge lease-time=3d name=lan
/port
set 0 name=serial0
/routing table
# Separate routing table for ISP2; "fib" makes it usable for forwarding decisions.
add fib name=ISP2
/interface bridge port
# Only ge3-lan and ge4-lan join the bridge; ge5-lan is renamed above but not bridged here.
add bridge=lanbridge interface=ge3-lan
add bridge=lanbridge interface=ge4-lan
/ip address
# Static /29 addresses on both WAN ports (values redacted by the author) plus the LAN gateway.
add address=**ELIDED**/29 comment=ISP1_IP interface=ge1-wan1 network=**ELIDED**
add address=**ELIDED**/29 comment=ISP2_IP interface=ge2-wan2 network=**ELIDED**
add address=192.168.1.1/24 interface=lanbridge network=192.168.1.0
/ip dhcp-client
# NOTE(review): ge1-wan1 also carries a static address above. A DHCP client left on its
# defaults can install its own default route and DNS servers next to the static ones -
# confirm this entry is intended.
add interface=ge1-wan1
/ip dns
# allow-remote-requests=yes turns the router into a caching resolver for other hosts, not just
# for itself. The setting is not bound to an interface, and this export contains no
# "/ip firewall filter" section, so as written nothing limits port 53 to the LAN.
# NOTE(review): confirm the full config drops DNS (UDP/TCP 53) arriving on ge1-wan1 and
# ge2-wan2; otherwise the router can be used as an open resolver.
set allow-remote-requests=yes cache-max-ttl=1d cache-size=512KiB servers=\
1.1.1.1,1.0.0.1,2606:4700:4700::1111,2606:4700:4700::1001
/ip firewall address-list
# PublicIP: the static addresses assigned by the ISPs (redacted). No rule in this export
# references the list.
add address=**ELIDED** comment="Static Public IP assigned by ISP" list=PublicIP
add address=**ELIDED** comment="Static Public IP assigned by ISP" list=PublicIP
# ProtectedIPs: the three RFC 1918 private ranges. The srcnat rules use this list both as the
# source match and, negated, as the destination match.
add address=172.16.0.0/12 list=ProtectedIPs
add address=192.168.0.0/16 list=ProtectedIPs
add address=10.0.0.0/8 list=ProtectedIPs
/ip firewall mangle
# MarkNewConnection classifies a connection once, by the interface its packet arrived on.
# Every rule matches connection-mark=no-mark, so an already classified connection is not re-marked.
# Arrived on ge1-wan1 -> General-ISP1.
add action=mark-connection chain=MarkNewConnection comment=General \
connection-mark=no-mark in-interface=ge1-wan1 new-connection-mark=\
General-ISP1 passthrough=yes
# Arrived on ge2-wan2 -> General-ISP2.
add action=mark-connection chain=MarkNewConnection connection-mark=no-mark \
in-interface=ge2-wan2 new-connection-mark=General-ISP2 passthrough=yes
# Anything still unmarked (no in-interface match) -> General-Out.
add action=mark-connection chain=MarkNewConnection connection-mark=no-mark \
new-connection-mark=General-Out passthrough=yes
add action=return chain=MarkNewConnection
# Only prerouting jumps into MarkNewConnection.
# NOTE(review): traffic the router originates itself (for example Netwatch probes) leaves through
# the output chain and is never classified there. Its connection would first be marked when a
# reply arrives in prerouting - verify this is the intended behaviour.
add action=jump chain=prerouting comment="Mark new connections. Must be execu\
ted prior to mark-routing actions in the preroute chain." \
connection-mark=no-mark jump-target=MarkNewConnection
# Send every prerouting packet of a General-ISP2 connection to routing table ISP2.
# The rule has no in-interface, dst-address or dst-address-type matcher, so it also applies to
# packets arriving from ISP2 itself, including ones addressed to the router.
# NOTE(review): the ISP2 table in this export holds only default routes. Confirm that
# router-local and LAN destinations still resolve once marked; a narrower match such as
# in-interface=lanbridge or dst-address-type=!local would exclude them. Possibly related to the
# reported loop back to the gateway - unverified.
add action=mark-routing chain=prerouting connection-mark=General-ISP2 \
new-routing-mark=ISP2 passthrough=no
# Router-generated packets on a General-ISP2 connection get the same routing mark in output.
add action=mark-routing chain=output comment=\
"If traffic for router came in ISP2, make it leave via ISP2" \
connection-mark=General-ISP2 new-routing-mark=ISP2 passthrough=yes
/ip firewall nat
# Source NAT only: traffic from a ProtectedIPs source to a destination outside ProtectedIPs is
# rewritten to a fixed (redacted) public address, one rule per WAN port.
# NOTE(review): this export has no "/ip firewall filter" section. With no filter rules the
# input and forward chains accept everything, so management services and DNS would be reachable
# on both WAN ports - confirm the production config carries its filter rules.
add action=src-nat chain=srcnat comment="General Internet Access" \
dst-address-list=!ProtectedIPs out-interface=ge1-wan1 src-address-list=\
ProtectedIPs to-addresses=**ELIDED**
# Same rule for traffic leaving through ge2-wan2.
add action=src-nat chain=srcnat dst-address-list=!ProtectedIPs out-interface=\
ge2-wan2 src-address-list=ProtectedIPs to-addresses=**ELIDED**
/ip route
# Default routes. Entries without routing-table= go into the main table, the rest into ISP2.
# Each table gets a distance=1 primary and a distance=2 backup. The gateways are redacted, so
# which ISP each route points at can only be read from the comments.
# No route sets check-gateway, and the export has no "/tool netwatch" section, so the failover
# mechanism itself is not visible here.
add comment=ISP1_PRIMARY_ROUTE distance=1 gateway=**ELIDED**
add comment=ISP2_BACKUP_ROUTE distance=2 gateway=**ELIDED** \
routing-table=ISP2
add comment=ISP2_PRIMARY_ROUTE distance=1 gateway=**ELIDED** \
routing-table=ISP2
add comment=ISP1_BACKUP_ROUTE distance=2 gateway=**ELIDED**
# Host routes in the main table pin 8.8.4.4 and 8.8.8.8 to one gateway each. These are
# presumably the Netwatch probe targets - confirm.
# The distance=2 blackhole takes over when the pinned route is inactive, so the host is then
# dropped rather than reached through a default route.
add distance=1 dst-address=8.8.4.4 gateway=**ELIDED**
add blackhole distance=2 dst-address=8.8.4.4
add distance=1 dst-address=8.8.8.8 gateway=**ELIDED**
add blackhole distance=2 dst-address=8.8.8.8
# Router identity (hostname) for this reduced test configuration.
/system identity
set name=test