2 WANs / 2 LANs on RB2011

Forgive me, I am a Winbox user. I can translate command line to Winbox, but do not know command lines to produce my configuration in text format. I am working on a RB2011 with latest OS and Firmware

I can get each WAN interface to work independently when disabling the other WAN Interface. My goal is to have Bridge1 Traffic only route out WAN1, and Bridge2 Traffic only route out WAN2. In my trial and error all traffic appears to default all routes out WAN1 when both WAN interfaces are enabled. Inbound routes to WAN2 fail to pass through to Bridge2.

WAN1: 68.x.x.193/29 Port ether1
WAN2: 47.x.x.174/30 Port ether3
Bridge1: 10.0.0.254/24 Port ether2
Bridge2: 172.16.251.254/24 Port ether4

Bridge 1 Ports: ether2
Bridge 2 Ports: ether4
no other ports are in use. Port 1 and port 2 are gateway for each subnet on separate physical switches.

Interface List:
LAN: Bridge1 & Bridge2
WAN: WAN1 & WAN 2

Routing Tables:
D Main FIB yes; (CANNOT MODIFY)
WAN2 FIB: yes (I ADDED)

Winbox QuickSet displays
Eth1: Static IP: 68.x.x.193/29 Gateway 47.x.x.173 (Gateway is WAN2’s gateway)
Local Network: 47.x.x.174/30 (NAT) (Not LAN subnet)
Already this is wrong. I change the Ether1 gateway to 68.x.x.168/29 and it doesn’t stick

IP Routes are defined:
AS 0.0.0.0/0 47.x.x.173 Dist 1
AS+ 0.0.0.0/0 68.x.x.198 Dist 1
DAC 47.x.x.172/30 ether3 Dist 0
DAC 68.x.x.192/29 ether1 Dist 0
DAC 10.0.0.254/24 Bridge1 Dist 0
DAC 172.16.251.254/24 Bridge2 Dist 0

Following KB articles, I have established the following mangles:
Accept Rule:
Chain prerouting / Dst Address 47.x.x.172/30 / Accept
Chain prerouting / Dst Address 68.x.x.192/29 / Accept
Chain prerouting / Dst Address 10.0.0.0/24 / Accept
Chain prerouting / Dst Address 172.16.251.0/24 / Accept
Input Rule
Chain input / In.interface WAN1 / New Mark Connection WAN1 / Passthrough
Chain input / In.interface WAN2 / New Mark Connection WAN2 / Passthrough
Mark Connection Rule:
Chain prerouting / In. Interface WAN1 / Mark Connection / New Connection Mark = WAN1 / Passthrough
Chain prerouting / In. Interface WAN2 Mark Connection / New Connection Mark = WAN2 / Passthrough
PCC Rule:
Chain prerouting / In. Interface Bridge 1 / Per Connection Classifier Both Addresses 2 / 0 / Dst Add Type: ! Local / Mark Connection WAN1 / Passthrough
Chain prerouting / In. Interface Bridge 2 / Per Connection Classifier Both Addresses 2 / 1 / Dst Add Type: ! Local / Mark Connection WAN2 / Passthrough
Output Rule:
Chain output / Connection Mark WAN1 / Mark Routing / New Routing Mark Main / Passthrough
Chain output / Connection Mark WAN2 / Mark Routing / New Routing Mark WAN2 / Passthrough
Mark Route
Chain prerouting / In. Interface Bridge 1 / Connection Mark: WAN1 / Mark Routing New Routing Mark: Main / Passthrough
Chain prerouting / In. Interface Bridge 2 / Connection Mark: WAN2 / Mark Routing New Routing Mark: WAN2 / Passthrough

I require VoIP to access Bridge 2 from WAN 2. I have created these 2 NAT rules:
VoIP
Chain dstnat / protocol TCP / DST Port xxxx / In Interface ether 3 / dst-nat: 172.16.251.x
Chain dstnat / protocol UDP/ DST Port xxxx / In Interface ether 3 / dst-nat: 172.16.251.x

I think I’m almost there.
When both WAN interfaces are up, both Bridges route out WAN 1. Hence my destination NATs no longer pass traffic and there is no audio.
When I disable WAN1, everything works for both Bridges, routing everything out WAN 2. VoIP audio works.
When I disable WAN 2, everything TCP outbound on both Bridges routes out WAN1 and obviously no NAT for UDP.

What I’m missing is Bridge1 should only go out WAN1 and Bridge2 should only go out WAN2.
Regardless of the WAN1 status, inbound NAT should route on the respective WAN2 interface. Bridge2 currently fails to route out WAN2 with WAN1 up.

I hope this makes sense. I tried to hire an advertised local Mikrotik Technician but he’s not willing to show me how to fix this… he just wants remote access to make changes. I have trust issues with that.

Thank you in Advance.

So let's get this straight.
You have two LANs (two subnets) that require separate WAN access.

a. LAN1 goes to WAN1
b. LAN2 goes to WAN2

If WAN1 is not available, you want LAN1 users to use WAN2??
If WAN2 is not available, you want LAN2 users to use WAN1??

To add to the above, the scenario also includes external originated traffic coming inbound to both WANs.
The requirement is that any external traffic leave the router on the same WAN it came in on.

Let's see what you have so far!!
/export file=anynameyouwish (minus router serial number and any public WANIP info ).

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

By the way your text contradicts your config.
YOU DO NOT WANT PCC… that is load balancing between two LANS.
You specifically state you simply want LAN1 to use WAN1 and LAN2 to use WAN2.

You need to get your story straight.

Thank you for the response. A bit rude at the end, but still appreciated. My story is correct, my knowledge is lacking. To the best of my Mikrotik experience I presented my situation:

I do not want failover. If WAN1 is down, LAN1 is down; same for WAN2 / LAN2. As I mentioned, based on my research in these knowledge bases I ended up following some YouTube videos, as I could not find a resolution in these knowledge bases. I agree I do not want PCC, as you imply it is a load balance; I have since removed these two lines. I have also tried unsuccessfully with no defined mangle rules.

Here is my config in hopes you can politely point me in the right direction. Thank you for the command line to review this in text. It is much appreciated. I do question the routing tables: Main and the second one I added, WAN2. Even after changing the route list for WAN2 to the WAN2 table, LAN2 tracerts out WAN1. Enough said, here’s my config:

/interface bridge
add admin-mac=6C:xx:xx:xx:xx:xx auto-mac=no comment=defconf name="Bridge1"
add admin-mac=6C:xx:xx:xx:xx:xx auto-mac=no comment=defconf name="Bridge2"
add name="NO BRIDGE"
/interface ethernet
set [ find default-name=ether1 ] name="WAN1: ether1"
set [ find default-name=ether3 ] name="WAN2: ether3"
set [ find default-name=ether5 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether6 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether7 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether8 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether9 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether10 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=LAN2 ranges=172.16.251.101-172.16.251.199
/ip dhcp-server
add address-pool=dhcp_pool1 interface="Bridge2" lease-time=1h name="LAN2"
/port
set 0 name=serial0
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/routing table
add disabled=no fib name=WAN2
/interface bridge port
add bridge="Bridge1" comment=defconf ingress-filtering=no interface=ether2
add bridge="Bridge2" comment=defconf ingress-filtering=no interface=ether4
add bridge="NO BRIDGE" comment=defconf ingress-filtering=no interface=ether5
add bridge="NO BRIDGE" comment=defconf ingress-filtering=no interface=ether6
add bridge="NO BRIDGE" comment=defconf ingress-filtering=no interface=ether7
add bridge="NO BRIDGE" comment=defconf ingress-filtering=no interface=ether8
add bridge="NO BRIDGE" comment=defconf ingress-filtering=no interface=ether9
add bridge="NO BRIDGE" comment=defconf ingress-filtering=no interface=ether10
add bridge="NO BRIDGE" comment=defconf ingress-filtering=no interface=sfp1
add bridge="Bridge2" comment=defconf ingress-filtering=no interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface list member
add comment=defconf interface="Bridge1" list=LAN
add comment=defconf interface="WAN1: ether1" list=WAN
add interface="WAN2: ether3" list=WAN
add interface="Bridge2" list=LAN
/interface ovpn-server server
set auth=sha1,md5
/ip address
add address=10.0.0.254/24 comment="Bridge1" interface="Bridge1" network=10.0.0.0
add address=68.x.x.193/29 interface="WAN1: ether1" network=68.x.x.192
add address=47.x.x.174/30 comment="WAN Interfaces" interface="WAN2: ether3" network=47.x.x.172
add address=172.16.251.254/24 comment="Bridge2" interface="Bridge2" network=172.16.251.0
/ip dhcp-client
add comment=defconf disabled=yes interface="WAN1: ether1"
/ip dhcp-server network
add address=172.16.251.0/24 gateway=172.16.251.254
/ip dns
set servers=8.8.8.8
/ip dns static
add address=10.0.0.254 name=router.lan
add address=172.16.251.254 name=router.lan
/ip firewall address-list
add address=10.0.0.0/24 list="LAN1"
add address=172.16.251.0/24 list="LAN2"
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=accept chain=prerouting comment="Accept Rule" dst-address=47.x.x.172/30
add action=accept chain=prerouting dst-address=68.x.x.192/29
add action=accept chain=prerouting dst-address=10.0.0.0/24
add action=accept chain=prerouting dst-address=172.16.251.0/24
add action=mark-connection chain=input comment="Input rule" in-interface="WAN1: ether1" new-connection-mark=WAN1 passthrough=yes
add action=mark-connection chain=input in-interface="WAN2: ether3" new-connection-mark=WAN2 passthrough=yes
add action=mark-connection chain=prerouting comment="Mark Connection Rule" in-interface="WAN1: ether1" new-connection-mark=WAN1 passthrough=yes
add action=mark-connection chain=prerouting in-interface="WAN2: ether3" new-connection-mark=WAN2 passthrough=yes
add action=mark-routing chain=output comment="Output Rule" connection-mark=WAN1 new-routing-mark=main passthrough=yes
add action=mark-routing chain=output connection-mark=WAN2 new-routing-mark=WAN2 passthrough=yes
add action=mark-routing chain=prerouting comment="Mark Routes" connection-mark=WAN1 in-interface="Bridge1" new-routing-mark=main passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN2 in-interface="Bridge2" new-routing-mark=WAN2 passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat comment="WAN2 masquerade" out-interface="WAN2: ether3"
add action=masquerade chain=srcnat comment="WAN1 masquerade" out-interface="WAN1: ether1"
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip ipsec identity
/ip ipsec policy
/ip route
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=47.x.x.173 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=68.x.x.198 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/routing bfd configuration
add disabled=no interfaces=all min-rx=200us min-tx=200us multiplier=5
/system clock
set time-zone-autodetect=no time-zone-name=America/Chicago
/system identity
set name=Mikrotik
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox

Some things you need to clear up first!

So you only have one port on bridge1?
So you only have two ports on bridge2?
The rest of the ports are on a bridge, so why do you call it NO BRIDGE?

What traffic occurs on all the other ether ports besides 1/3 for the WAN and ether2, ether4, wlan1 for the LAN??? Or, stated differently, what traffic occurs on the third bridge??

Why are you missing all the information required for the first bridge - POOL, DHCP-SERVER, DHCP-SERVER NETWORK?
Why are you missing all the information required for the third bridge - EVERYTHING above and the IP address?

Why is third bridge not on interface list members for LAN?

Where is third bridge supposed to get internet from??

Why is there a WLAN1 on the second bridge, when there are no wifi settings shown? (Does this router have wifi?)

Is there any traffic originating outside the WAN coming in on WAN1 or WAN2 ??

Some things you need to clear up first!

So you only have one port on bridge1? Port 2 plugs into a network switch hosting all static devices on subnet 10.0.0.x
So you only have two ports on bridge2? Port 4 plugs into a network switch hosting all DHCP devices on subnet 172.16.251.x. WLAN is on this bridge.
The rest of the ports are on a bridge, so why do you call it NO BRIDGE? Ports 5-10 are not in use. I created a NO BRIDGE to keep them from ever being used in my absence.

What traffic occurs on all the other ether ports besides 1/3 for the WAN and ether2, ether4, wlan1 for the LAN??? Or, stated differently, what traffic occurs on the third bridge?? The bridge is designed to not be used if something gets plugged in. I appreciate the question, but it’s not relevant to my issue routing traffic out WAN1 and WAN2 respectively.

Why are you missing all the information required for the first bridge - POOL, DHCP-SERVER, DHCP-SERVER NETWORK? Bridge1 is all static devices. Only Bridge2 needs a DHCP scope.
Why are you missing all the information required for the third bridge - EVERYTHING above and the IP address? The 3rd bridge is intended to not be used.

Why is the third bridge not on the interface list members for LAN? The 3rd bridge is intended to not be used.

Where is the third bridge supposed to get internet from?? The 3rd bridge is intended to not be used.

Why is there a WLAN1 on the second bridge, when there are no wifi settings shown? (Does this router have wifi?) WIFI works.. not my issue here.

Is there any traffic originating outside the WAN coming in on WAN1 or WAN2?? No inbound NAT for WAN1. VoIP NAT defined for WAN2:
/ip firewall nat
add action=dst-nat chain=dstnat comment="VoIP UDP" dst-port=5060,5090,9000-10998 in-interface="WAN2: ether3" protocol=udp to-addresses=172.16.251.x
add action=dst-nat chain=dstnat comment="VoIP TCP" dst-port=5001,5060,5090 in-interface="WAN2: ether3" protocol=tcp to-addresses=172.16.251.x
add action=masquerade chain=srcnat comment="WAN2 masquerade" out-interface="WAN2: ether3"
add action=masquerade chain=srcnat comment="WAN1 masquerade" out-interface="WAN1: ether1"

Can anybody provide the basic script to send Bridge1 out WAN1 and Bridge2 out WAN2 with no failover? If I could get this work reliably I could probably figure out the rest.

For the ports not in use, simply go into interface settings and disable them. Clean and secure.
Ditch the third bridge!!
It is always best to stick to one bridge and use VLANs, which is what RoS is optimally designed for, but that's personal preference.

Understood bridge1 devices are statically set. No DHCP required.

Are you hosting a VOIP server then??
I have a VOIP modem and no dst-nat rules are required for that??

Finally, do you have any local users of the VOIP server and how do they access the server by direct LANIP or via the WANIP?

As for the LANx to WANx and mangle rules..... I will focus on only the required rules.
The mangles ensure that any external traffic coming in on WAN1 and WAN2, AND hitting one of your servers, goes out the same WAN.
The routing information ensures the internally originated traffic goes out the appropriate WAN.

/ip firewall mangle
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface="WAN1: ether1" new-connection-mark=WAN1-conn passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface="WAN2: ether3" new-connection-mark=WAN2-conn passthrough=yes

add action=mark-routing chain=prerouting connection-mark=WAN1-conn new-routing-mark=use-ISP1 passthrough=no
add action=mark-routing chain=prerouting connection-mark=WAN2-conn new-routing-mark=use-ISP2 passthrough=no

(The interface names above are the ones in your export; the routing tables use-ISP1 and use-ISP2 must exist before the mangle and route entries reference them.)

Routing Tables
/routing table
add name=use-ISP1 fib
add name=use-ISP2 fib

Routing Rules
/routing rule
add src-address=10.0.0.0/24 action=lookup-only-in-table table=use-ISP1
add src-address=172.16.251.0/24 action=lookup-only-in-table table=use-ISP2

/ip route
add distance=1 dst-address=0.0.0.0/0 gateway=68.x.x.198 routing-table=main comment="standard route"
add distance=1 dst-address=0.0.0.0/0 gateway=47.x.x.173 routing-table=main comment="standard route"
add distance=1 dst-address=0.0.0.0/0 gateway=68.x.x.198 routing-table=use-ISP1 comment="route for both external return traffic and local originated traffic on LAN1 to go out WAN1"
add distance=1 dst-address=0.0.0.0/0 gateway=47.x.x.173 routing-table=use-ISP2 comment="route for both external return traffic and local originated traffic on LAN2 to go out WAN2"

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

However, if you also have external users not only hitting the LAN servers but also using ROUTER services (example: VPN on the router), then you need to modify and add additional mangle rules, which would look like....

/ip firewall mangle
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface="WAN1: ether1" new-connection-mark=WAN1-conn passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface="WAN2: ether3" new-connection-mark=WAN2-conn passthrough=yes

add action=mark-routing chain=prerouting connection-mark=WAN1-conn new-routing-mark=use-ISP1 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN2-conn new-routing-mark=use-ISP2 passthrough=yes
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
add action=mark-routing chain=output connection-mark=WAN1-conn new-routing-mark=use-ISP1 passthrough=no
add action=mark-routing chain=output connection-mark=WAN2-conn new-routing-mark=use-ISP2 passthrough=no

+++++++++++++++++++++++++++++++++++++++++++++++++

For any mangling, adjust the fasttrack rule in the forward chain thusly (fasttracked packets skip the firewall, so marked connections must be excluded from it):
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related connection-mark=no-mark
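Putting the pieces of the reply above together, here is one complete, ordered RouterOS v7 fragment for the requested behaviour (Bridge1 out WAN1 only, Bridge2 out WAN2 only, no failover, inbound connections answered on the WAN they arrived on). It is an added example, not configuration posted by anyone in the thread, and it assumes the interface names, subnets and gateways from the export above; the 68.x.x.x / 47.x.x.x addresses are the thread's redacted placeholders and must be replaced. It also assumes that router-originated traffic (DNS, NTP, Winbox itself) should leave via WAN1, which is why main keeps only one default route.

```routeros
# Added example, not from the original thread. Assumes the names and
# addresses posted in the export; replace 68.x.x.x / 47.x.x.x placeholders.

# 1. One routing table per ISP. "fib" installs the table into the kernel.
/routing table
add name=use-ISP1 fib
add name=use-ISP2 fib

# 2. Routes. Only ONE default route in main (assumption: router-originated
#    traffic uses WAN1); two equal-distance defaults in main is what makes
#    "everything goes out WAN1" happen and is not policy routing.
/ip route
add dst-address=0.0.0.0/0 gateway=68.x.x.198 routing-table=main    distance=1 comment="router-originated traffic"
add dst-address=0.0.0.0/0 gateway=68.x.x.198 routing-table=use-ISP1 distance=1 comment="LAN1 and WAN1 return traffic"
add dst-address=0.0.0.0/0 gateway=47.x.x.173 routing-table=use-ISP2 distance=1 comment="LAN2 and WAN2 return traffic"

# 3. Routing rules. lookup-only-in-table means: if the table has no route,
#    the packet is dropped rather than falling back to main -> no failover.
#    The routing-mark rules come first so connection-based marks (step 4)
#    win over the source-based rules, e.g. a dst-nat on WAN1 to a LAN2 host.
/routing rule
add routing-mark=use-ISP1 action=lookup-only-in-table table=use-ISP1 comment="WAN1-originated connections"
add routing-mark=use-ISP2 action=lookup-only-in-table table=use-ISP2 comment="WAN2-originated connections"
add src-address=10.0.0.0/24      action=lookup-only-in-table table=use-ISP1 comment="Bridge1 -> WAN1 only"
add src-address=172.16.251.0/24  action=lookup-only-in-table table=use-ISP2 comment="Bridge2 -> WAN2 only"

# 4. Mangle: remember which WAN a connection arrived on, then route every
#    reply (forwarded or router-generated) back through that WAN.
/ip firewall mangle
add chain=prerouting action=mark-connection connection-mark=no-mark in-interface="WAN1: ether1" new-connection-mark=WAN1-conn passthrough=yes
add chain=prerouting action=mark-connection connection-mark=no-mark in-interface="WAN2: ether3" new-connection-mark=WAN2-conn passthrough=yes
add chain=prerouting action=mark-routing connection-mark=WAN1-conn in-interface-list=!WAN new-routing-mark=use-ISP1 passthrough=no comment="replies from LAN hosts"
add chain=prerouting action=mark-routing connection-mark=WAN2-conn in-interface-list=!WAN new-routing-mark=use-ISP2 passthrough=no
add chain=output     action=mark-routing connection-mark=WAN1-conn new-routing-mark=use-ISP1 passthrough=no comment="replies from the router itself (Winbox, VPN)"
add chain=output     action=mark-routing connection-mark=WAN2-conn new-routing-mark=use-ISP2 passthrough=no

# 5. Fasttrack bypasses the firewall for established packets, so marked
#    connections must be excluded or step 4 never sees their later packets.
/ip firewall filter
set [ find comment="defconf: fasttrack" ] connection-mark=no-mark

# 6. NAT is unchanged from the export: masquerade per WAN plus the VoIP
#    dst-nat on "WAN2: ether3". Replies from 172.16.251.x carry that source
#    address, so rule 3 sends them out WAN2 even while WAN1 is up.
/ip firewall nat
add chain=srcnat action=masquerade out-interface="WAN1: ether1" comment="WAN1 masquerade"
add chain=srcnat action=masquerade out-interface="WAN2: ether3" comment="WAN2 masquerade"

# Checks from the router console:
#   /routing rule print            -> four rules, in the order above
#   /ip route print where routing-table=use-ISP2   -> one active default via 47.x.x.173
#   /tool traceroute 8.8.8.8 src-address=172.16.251.254
#     first hop must be 47.x.x.173; if it is 68.x.x.198 the src-address rule
#     is not matching (check subnet) or the table has no active route.
#   /ip firewall connection print where connection-mark=WAN2-conn
#     should list the VoIP sessions that arrived on WAN2.
```

The reason the posted configuration fell back to WAN1 is that both defaults lived in the main table and the WAN2 table was never referenced by a rule or mark for LAN2's source addresses; the table named WAN2 only matters to packets that are actually looked up in it. With lookup-only-in-table, disabling WAN1 really does take LAN1 offline, which is the "no failover" behaviour asked for; to get failover later, add a higher-distance route to the other gateway in each use-ISPx table instead of touching main.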