Best way to separate one WAN from load balance setup

Current setup:
Dual WAN setup, one dhcp IP- ISP1, one static IP- ISP2
load balance on hAP ac2 simply using the same distance on the default routes for each ISP
all LAN traffic exits the router and heads to a smart (managed) switch

One of the ISPs allows me to have an open NAT, which I would like to use for gaming, and the other does not as it is behind CG-NAT. Is there a way to allow the traffic for my gaming console to only use the ISP with open NAT while allowing all other devices to take advantage of the load balancing of the two ISP connections? I have been looking into VLANs and also recently saw someone mention policy-based routing for a similar situation. I am looking for some advice on what will work and/or the best option to handle this. Thanks in advance!

First of all, not sure what your setup is like without
/export hide-sensitive file=anynameyouwish

But load balancing is a very complex algorithm and it doesn't sound like you are using it…
Something like this - https://mum.mikrotik.com/presentations/US12/steve.pdf

If you simply have two manual IP routes with equal distance, there is no control over what the router will use for WWW traffic.
I would suspect it would choose the first one due to order or whichever one it perceived to be of shortest distance etc… you have chaos :wink:
or, as described in the documentation, ‘arbitrary’.

NOT LOAD BALANCING
/ip route add dst-address=0.0.0.0/0 gateway=ISP1-gatewayIP routing-table=main distance=1
/ip route add dst-address=0.0.0.0/0 gateway=ISP2-gatewayIP routing-table=main distance=1

FAIL OVER - all users use the primary!!!
/ip route add dst-address=0.0.0.0/0 gateway=ISP1-gatewayIP routing-table=main distance=5
/ip route add dst-address=0.0.0.0/0 gateway=ISP2-gatewayIP routing-table=main distance=10

The above fail over would only work once, and switch all to WAN2 and would never switch back to WAN1, unless at some point WAN1 failed and then the router would look for an available routing again.
The use of check-gateway=ping ensures that when WAN1 goes down, the router keeps checking to see if it's available and then switches all users back to WAN1 if it is… So a better failover config than the one above, which is really incomplete without it - see next example!

ENSURING ALL USERS USE ISP1 except for the gaming console, BUT ensuring users still have access to the other ISP (ISP2/WAN2) if WAN1 fails…
(assumes ISP1 is the CGNAT that all use, ISP 2 is gaming ISP)

FAIL OVER - all use primary except gaming console!
/ip route add dst-address=0.0.0.0/0 gateway=ISP1-gatewayIP routing-table=main distance=5 check-gateway=ping
/ip route add dst-address=0.0.0.0/0 gateway=ISP2-gatewayIP routing-table=main distance=10

/ip route add dst-address=0.0.0.0/0 gateway=ISP2-gatewayIP routing-table=gaming distance=10

Where
/routing table add name=gaming fib
/routing rule add src-address=gamingConsole-IP action=lookup-only-in-table table=gaming

By using action=lookup-only-in-table in the routing rule, if ISP2 is not available the gaming IP will not reach any other route. If we changed it to lookup, then the router would look for other available routes and thus would move the gaming console to ISP1, but that wouldn't work for you due to the type of NAT.

++++++++++++++++++++++++++++++

It can get a bit more complicated as many people use recursive routing to ensure an ISP is actually available - connected to the WWW.

++++++++++++++++++++++++++++++++

Finally, if you want true load balancing and failover, it's a hairy config to contend with, but the link I provided works!!

Thank you for the response. I think I understand everything and had done some research regarding routing marks, etc. I should have said using poor man’s load balance, ha! It appears to use the connection with the faster download speed for downloads and the other connection for uploads as it has a better upload speed. But yes, it is probably mostly chaos even though it does appear to yield some overall improvement. I’ll give it a go with the info in the link and post my config if I end up running into trouble. I appreciate the help as I am still relatively new to RouterOS and not a networking guru by trade either.

Neither am I (apparently MT assumed wrong - that a large number of posts=MT config acumen —> NOT ) and thus avoid mangling like the plague and thus load balancing. I have two ISPs 1gig up/down via fibre and 300/50 via cable, Guess which one is a backup only… except for emails since it was our first provider and thus I have a special route that bypasses the primary for email.

The other reason, other than being a chicken-mierda, is that mangling means one has to disable fasttrack and thus overall performance suffers…

So, I believe I have this all set up and working using the PCC method for load balance. I noticed it was saying ECMP when I finished up all of the mangle rules. I found this a bit odd as I thought using PCC was a different method than ECMP. I will post my config this evening to see if there are any obvious issues.

I had never set up fasttrack, so I guess I don't know what I am missing by not using it :smiley:

Good!
No, you are imagining things. I just downloaded the pdf and searched through it, and ECMP is only noted at the beginning when it discusses in general the various options.

Here is the config as requested. I have not done anything to set up the routing for the game console traffic yet.

```
# apr/13/2022 23:23:19 by RouterOS 7.2
# software id = XXXXXXXX
#
# model = RBD52G-5HacD2HnD
# serial number = XXXXXXXXXXX
/interface bridge
add name=bridge1
/interface ethernet
set [ find default-name=ether1 ] comment=Starlink name=ether1-ISP1
set [ find default-name=ether2 ] comment="Verizon Wireless" name=ether2-ISP2
set [ find default-name=ether3 ] comment=Bridged
set [ find default-name=ether4 ] comment=Bridged
set [ find default-name=ether5 ] comment=Bridged
/interface wireless
set [ find default-name=wlan1 ] country="united states" frequency=auto mode=ap-bridge ssid=MikroTik wireless-protocol=802.11
set [ find default-name=wlan2 ] country="united states" frequency=auto mode=ap-bridge ssid=MikroTik wireless-protocol=802.11
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.10.10-192.168.10.254
add name=dhcp_pool2 ranges=192.168.10.10-192.168.10.254
/ip dhcp-server
add address-pool=dhcp_pool2 interface=bridge1 lease-time=1h name=dhcp1
/routing table
add disabled=no fib name=to-ISP1
add disabled=no fib name=to-ISP2
/interface bridge port
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 disabled=yes interface=wlan1
add bridge=bridge1 disabled=yes interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface list member
add interface=ether1-ISP1 list=WAN
add interface=bridge1 list=LAN
add interface=ether2-ISP2 list=WAN
/interface ovpn-server server
set auth=sha1,md5
/ip address
add address=192.168.10.1/24 interface=bridge1 network=192.168.10.0
add address=192.168.1.2/24 interface=ether2-ISP2 network=192.168.1.0
/ip dhcp-client
add add-default-route=no interface=ether1-ISP1 use-peer-dns=no use-peer-ntp=no
add add-default-route=no disabled=yes interface=ether2-ISP2 use-peer-dns=no use-peer-ntp=no
/ip dhcp-server network
add address=192.168.10.0/24 dns-server=192.168.10.1 gateway=192.168.10.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,1.1.1.1,1.0.0.1,8.8.4.4
/ip firewall address-list
add address=0.0.0.0/8 comment="Self-Identification [RFC 3330]" list=Bogons
add address=10.0.0.0/8 comment="Private[RFC 1918] - CLASS A # Check if you need this subnet before enable it" list=Bogons
add address=127.0.0.0/8 comment="Loopback [RFC 3330]" list=Bogons
add address=169.254.0.0/16 comment="Link Local [RFC 3330]" list=Bogons
add address=172.16.0.0/12 comment="Private[RFC 1918] - CLASS B # Check if you need this subnet before enable it" list=Bogons
add address=192.0.2.0/24 comment="Reserved - IANA - TestNet1" list=Bogons
add address=192.88.99.0/24 comment="6to4 Relay Anycast [RFC 3068]" list=Bogons
add address=198.18.0.0/15 comment="NIDB Testing" list=Bogons
add address=198.51.100.0/24 comment="Reserved - IANA - TestNet2" list=Bogons
add address=203.0.113.0/24 comment="Reserved - IANA - TestNet3" list=Bogons
add address=224.0.0.0/4 comment="MC, Class D, IANA # Check if you need this subnet before enable it" list=Bogons
/ip firewall filter
add action=accept chain=forward comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
# TFTP (udp/69) is accepted on input with no in-interface restriction and sits
# above the per-WAN input drops below, so the router's udp/69 is reachable from
# both ISP interfaces, not only from the LAN.
add action=accept chain=input port=69 protocol=udp
add action=accept chain=forward port=69 protocol=udp
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface=ether1-ISP1
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface=ether2-ISP2
add action=drop chain=forward comment="Drop to bogon list" dst-address-list=Bogons
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=drop chain=input in-interface=ether1-ISP1
add action=drop chain=input in-interface=ether2-ISP2
/ip firewall mangle
# Traffic to the ISP1 subnet and to both directly connected networks must never
# get a routing mark, so it is accepted before any marking happens.
add action=accept chain=prerouting comment=accept dst-address=XXX.YYY.64.0/21 dst-address-list=""
add action=accept chain=prerouting comment=accept dst-address=192.168.1.0/24 dst-address-list=""
add action=accept chain=prerouting comment=accept dst-address=192.168.10.0/24 dst-address-list=""
# Connections that arrive from a WAN (to the router or through it) are tied to
# the WAN they came in on, so replies leave through the same ISP.
add action=mark-connection chain=input comment=input in-interface=ether1-ISP1 new-connection-mark=ISP1 passthrough=yes
add action=mark-connection chain=input comment=input in-interface=ether2-ISP2 new-connection-mark=ISP2 passthrough=yes
add action=mark-connection chain=prerouting comment="mark conn" in-interface=ether1-ISP1 new-connection-mark=ISP1 passthrough=yes
add action=mark-connection chain=prerouting comment="mark conn" in-interface=ether2-ISP2 new-connection-mark=ISP2 passthrough=yes
# PCC: split LAN-originated connections 50/50 between the ISPs.
# dst-address-type=!local is required: with plain "local" the rule only matches
# connections addressed to the router itself, and LAN-to-internet traffic is
# never marked. connection-mark=no-mark stops the classifier from re-marking
# replies to connections that already received an ISP1/ISP2 mark above
# (e.g. inbound sessions opened through UPnP on one specific ISP).
add action=mark-connection chain=prerouting comment=PCC connection-mark=no-mark dst-address-type=!local in-interface=bridge1 new-connection-mark=ISP1 passthrough=yes per-connection-classifier=both-addresses:2/0
add action=mark-connection chain=prerouting comment=PCC connection-mark=no-mark dst-address-type=!local in-interface=bridge1 new-connection-mark=ISP2 passthrough=yes per-connection-classifier=both-addresses:2/1
# Turn the connection mark into a routing mark: router-originated traffic in
# output, forwarded LAN traffic in prerouting.
add action=mark-routing chain=output comment=output connection-mark=ISP1 new-routing-mark=to-ISP1 passthrough=yes
add action=mark-routing chain=output comment=output connection-mark=ISP2 new-routing-mark=to-ISP2 passthrough=yes
add action=mark-routing chain=prerouting comment="mark route" connection-mark=ISP1 in-interface=bridge1 new-routing-mark=to-ISP1 passthrough=yes
add action=mark-routing chain=prerouting comment="mark route" connection-mark=ISP2 in-interface=bridge1 new-routing-mark=to-ISP2 passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1-ISP1
add action=masquerade chain=srcnat out-interface=ether2-ISP2
add action=masquerade chain=srcnat disabled=yes
/ip route
# Two equal-distance defaults in main (ECMP) for anything that carries no
# routing mark; one default per ISP in the per-ISP tables with check-gateway.
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.1.1 pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=XXX.YYY.64.1 pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=XXX.YYY.64.1 pref-src=0.0.0.0 routing-table=to-ISP1 scope=30 suppress-hw-offload=no target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.1.1 pref-src=0.0.0.0 routing-table=to-ISP2 scope=30 suppress-hw-offload=no target-scope=10
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=ether1-ISP1 type=external
add interface=bridge1 type=internal
add interface=ether2-ISP2 type=external
/system clock
set time-zone-name=America/Chicago
/system identity
set name="XXXXXXXXXX"
/system package update
set channel=long-term
```
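The following is an added example, not part of the posted export and not from the earlier reply: it applies the routing-table plus lookup-only-in-table approach described in that reply to this export, and adds the recursive gateway check the reply mentions so the console's route is tied to real internet reachability rather than to the CPE answering pings. Assumptions (none of them stated on the page): ISP2 (ether2-ISP2, next hop 192.168.1.1) is the open-NAT ISP, the console is given 192.168.10.50 via a static lease, AA:BB:CC:DD:EE:FF is a placeholder MAC, and 1.0.0.1 (already one of the configured DNS servers) is used as the probe target.

```routeros
# Added example: pin one LAN host (the gaming console) to ISP2 only, on top of
# the posted PCC config. Assumed values: ISP2 = ether2-ISP2 via 192.168.1.1,
# console = 192.168.10.50, placeholder MAC AA:BB:CC:DD:EE:FF, probe 1.0.0.1.

# 1. Fixed address for the console so the policy can key on its source IP.
/ip dhcp-server lease
add address=192.168.10.50 mac-address=AA:BB:CC:DD:EE:FF server=dhcp1 comment="gaming console"

# 2. Keep the console out of PCC. place-before=0 puts this rule at the top of
#    the mangle list, ahead of the PCC mark-connection and mark-routing rules,
#    so the console's connections never get an ISP1/ISP2 connection mark or a
#    to-ISP1/to-ISP2 routing mark and fall through to the routing rule below.
/ip firewall mangle
add chain=prerouting action=accept src-address=192.168.10.50 in-interface=bridge1 comment="console: bypass PCC" place-before=0

# 3. A dedicated routing table that only ever contains an ISP2 default route.
/routing table
add name=gaming fib

# 4. Recursive gateway check. The /32 host route forces 1.0.0.1 to be reached
#    through ISP2's next hop only; the gaming default route resolves its gateway
#    through that /32 (target-scope=11 > scope=10) and is active only while
#    1.0.0.1 answers pings. If the Verizon CPE is up but has no uplink, the route
#    goes down instead of black-holing the console.
#    Side effect: the router itself now reaches 1.0.0.1 via ISP2 only.
/ip route
add dst-address=1.0.0.1/32 gateway=192.168.1.1 scope=10 comment="ISP2 recursive probe"
add dst-address=0.0.0.0/0 gateway=1.0.0.1 check-gateway=ping scope=30 target-scope=11 routing-table=gaming comment="console -> ISP2 only"

# 5. Policy rule: packets from the console are looked up ONLY in 'gaming'.
#    With lookup-only-in-table the console gets no route at all while ISP2 is
#    down, rather than silently falling back to the CG-NAT ISP through main.
#    (action=lookup would allow that fallback.)
/routing rule
add src-address=192.168.10.50/32 action=lookup-only-in-table table=gaming comment="gaming console"
```

Nothing else in the posted export needs to change for this: the srcnat masquerade on out-interface=ether2-ISP2 already covers traffic leaving that way, and UPnP already lists ether2-ISP2 as an external interface, so port mappings the console requests are opened on the open-NAT ISP. Inbound sessions that arrive on ether2-ISP2 are tied to it by the existing "mark conn" rule, and the console's replies skip PCC because of step 2, so both directions stay on ISP2. To confirm, check that /routing rule print shows the rule as active and that /ip route print where routing-table=gaming shows the default route without an "inactive" flag while 1.0.0.1 is pingable through ISP2.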