2 WANs and 2 kind of traffic with different WANs priority

Hi.

What I have:

  • WAN 1 (DHCP via provider’s router, i.e. double NAT)
  • WAN 2 (connected to 5G router, 5G router in bridge mode)
  • single LAN

What I want:
Split traffic into 2 groups: the first group should prefer WAN 1, the second WAN 2 (in both cases with failover).

How I am supposed to achieve this:
Create 2 routing tables. Each has two default routes with different distance.
Table “main”:

  • WAN 1 has distance 1
  • WAN 2 has distance 2

Table “prefer-mobile”

  • WAN 1 has distance 2
  • WAN 2 has distance 1

In mangle prerouting mark second type of traffic with routing mark “prefer-mobile”.

What works fine
Without separating the second type of traffic (i.e. without marking some traffic with the “prefer-mobile” routing mark) all works as expected, including WAN failover.

Problem
As soon as I enable traffic separation, at least this separated traffic stops working.
What is missing/wrong?

/ip route
add check-gateway=ping disabled=no distance=2 dst-address=0.0.0.0/0 gateway=\
    192.168.120.1 routing-table=prefer-mobile suppress-hw-offload=no
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    1.2.3.4 pref-src="" routing-table=prefer-mobile suppress-hw-offload=\
    no

/ip firewall mangle
add action=mark-routing chain=prerouting comment=\
    "Prefer routing HTTP(s) via WAN-Mobile" disabled=yes dst-address-type=\
    !local dst-port=80,443 in-interface-list=LAN new-routing-mark=\
    prefer-mobile passthrough=yes protocol=tcp

Two WANs, no primary or secondary, and each should provide backup to the other.

  1. Use a firewall address list to identify groups of users/devices as either Group1 (WAN1) or Group2 (WAN2).
  2. Alternative option: if possible, separate users by subnet and thus avoid mangling.
  3. What you didn't note was whether you have any external users coming into the router (for port forwarding to servers, or for VPNs like WireGuard).

In any case you need the following routes:
/ip route
add check-gateway=ping dst-address=0.0.0.0/0 gateway=ISP1-gateway-IP routing-table=main
add check-gateway=ping dst-address=0.0.0.0/0 gateway=ISP2-gateway-IP routing-table=main
add dst-address=0.0.0.0/0 gateway=ISP1-gateway-IP routing-table=useWAN1
add dst-address=0.0.0.0/0 gateway=ISP2-gateway-IP routing-table=useWAN2

For mangling…
/ip firewall mangle
# mark each new connection once, by source group (router-local destinations excluded)
add chain=prerouting action=mark-connection connection-mark=no-mark src-address-list=Group1 new-connection-mark=fromGP1 dst-address-type=!local passthrough=yes
add chain=prerouting action=mark-connection connection-mark=no-mark src-address-list=Group2 new-connection-mark=fromGP2 dst-address-type=!local passthrough=yes
# apply the routing mark per packet based on the connection mark (chain name is "prerouting", not "pre-routing")
add chain=prerouting action=mark-routing connection-mark=fromGP1 new-routing-mark=useWAN1 passthrough=no
add chain=prerouting action=mark-routing connection-mark=fromGP2 new-routing-mark=useWAN2 passthrough=no

(note: don't forget to modify the fasttrack rule with the following addition: connection-mark=no-mark)

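A complete RouterOS v7 configuration that combines the two posts above (the original poster's per-table distances with check-gateway failover, and the reply's address-list groups with connection marking), as an added example rather than either poster's own config. Interface names (ether1, ether2), the LAN ranges in the address lists, and the table names are assumptions; the gateway addresses are taken from the original export, where 1.2.3.4 is already a placeholder.

```routeros
# Added example, not from either post. Assumptions:
#   ether1 = WAN1 (provider router, gateway 192.168.120.1)
#   ether2 = WAN2 (5G bridge, gateway 1.2.3.4 - placeholder from the original export)
#   interface list "LAN" already exists and contains the LAN bridge

# 1. In RouterOS v7 a routing table must be created with the "fib" flag,
#    otherwise routes placed in it are never used for forwarding.
/routing table
add name=prefer-wan1 fib
add name=prefer-wan2 fib

# 2. Every table carries both default routes. Distance selects the preferred
#    WAN; check-gateway=ping deactivates a route when its gateway stops
#    answering, so the other route in the same table takes over (failover).
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.120.1 distance=1 check-gateway=ping routing-table=main
add dst-address=0.0.0.0/0 gateway=1.2.3.4       distance=2 check-gateway=ping routing-table=main
add dst-address=0.0.0.0/0 gateway=192.168.120.1 distance=1 check-gateway=ping routing-table=prefer-wan1
add dst-address=0.0.0.0/0 gateway=1.2.3.4       distance=2 check-gateway=ping routing-table=prefer-wan1
add dst-address=0.0.0.0/0 gateway=192.168.120.1 distance=2 check-gateway=ping routing-table=prefer-wan2
add dst-address=0.0.0.0/0 gateway=1.2.3.4       distance=1 check-gateway=ping routing-table=prefer-wan2

# 3. Groups of LAN devices (assumed ranges; any host not listed follows "main").
/ip firewall address-list
add list=Group1 address=192.168.88.0/25
add list=Group2 address=192.168.88.128/25

# 4. Source NAT on each WAN so replies come back on the WAN the packet left by.
/ip firewall nat
add chain=srcnat out-interface=ether1 action=masquerade
add chain=srcnat out-interface=ether2 action=masquerade

# 5. Mangle. Mark a connection once (connection-mark=no-mark matches only its
#    first packet), then set the routing mark on every packet of that
#    connection. dst-address-type=!local keeps traffic addressed to the router
#    itself in the main table. Connections that arrive from the Internet on a
#    given WAN (port forwards, VPN) are pinned to that WAN so replies leave the
#    same interface they came in on.
/ip firewall mangle
add chain=prerouting action=mark-connection connection-mark=no-mark in-interface-list=LAN \
    src-address-list=Group1 dst-address-type=!local new-connection-mark=fromGP1 passthrough=yes
add chain=prerouting action=mark-connection connection-mark=no-mark in-interface-list=LAN \
    src-address-list=Group2 dst-address-type=!local new-connection-mark=fromGP2 passthrough=yes
add chain=prerouting action=mark-connection connection-mark=no-mark in-interface=ether1 \
    new-connection-mark=fromGP1 passthrough=yes
add chain=prerouting action=mark-connection connection-mark=no-mark in-interface=ether2 \
    new-connection-mark=fromGP2 passthrough=yes
add chain=prerouting action=mark-routing connection-mark=fromGP1 new-routing-mark=prefer-wan1 passthrough=no
add chain=prerouting action=mark-routing connection-mark=fromGP2 new-routing-mark=prefer-wan2 passthrough=no

# 6. Fasttracked packets bypass mangle, so a marked connection must not be
#    fasttracked or its later packets silently fall back to the main table.
/ip firewall filter
add chain=forward action=fasttrack-connection connection-state=established,related \
    connection-mark=no-mark hw-offload=yes
add chain=forward action=accept connection-state=established,related
```

Verification after applying this: `/ip route print where routing-table=prefer-wan2` should show the 1.2.3.4 route active and the 192.168.120.1 route as a backup; pulling the 5G link should flip the active flag to the other route within a few ping intervals, and `/ip firewall connection print where connection-mark=fromGP2` should list the Group2 connections carrying the mark.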