Can't make 2 gateways work!

Hi, I'm experiencing some problems with 2 gateways! I can't make them work together. One of the gateways just doesn't have any traffic. Only the main gateway works; even if I mangle the packets and policy route them correctly, the same problem occurs! The two gateways ping from RouterOS, but as I said before, only the main route works. I'm using RouterOS 3.10 on an x86 system with 2 Ethernet interfaces, one for each gateway, plus 1 Ethernet interface for my routerboard, which redistributes the wireless signal, and 1 Ethernet interface for my internal LAN!

Any help will be very appreciated!!! Thanks very much.

Post your configuration export from the menus you are configuring to make the two-gateway setup.

here is my route setup:


Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit

DST-ADDRESS PREF-SRC GATEWAY-STATE GATEWAY DISTANCE INTERFACE

0 A S 0.0.0.0/0 200.163.176.237 reachable 200.163.176.233 1 WAN-2MB
reachable WAN-2MB WAN-2MB
1 A S 0.0.0.0/0 189.30.21.50 reachable 189.30.21.49 1 WAN-1MB
reachable WAN-1MB WAN-1MB
2 A S ;;; Gateway Default
0.0.0.0/0 reachable 200.163.176.233 1 WAN-2MB
3 A S 0.0.0.0/0 189.30.21.50 reachable 189.30.21.49 1 WAN-1MB
reachable WAN-1MB WAN-1MB
4 A S 0.0.0.0/0 reachable 200.163.176.233 1 WAN-2MB
5 X S 0.0.0.0/0 189.30.21.49 1
6 A S 0.0.0.0/0 reachable 200.163.176.233 1 WAN-2MB
7 A S 0.0.0.0/0 reachable 200.163.176.233 1 WAN-2MB
8 ADC 10.0.0.0/16 10.0.0.254 0 APs
9 ADC 10.1.3.0/24 10.1.3.1 0 LAN
10 ADC 10.1.4.0/24 10.1.4.1 0 LAN
11 ADC 11.0.0.0/16 11.0.0.253 0 APs
12 ADC 172.16.1.0/24 172.16.1.1 0 APs
13 ADC 172.16.2.0/24 172.16.2.1 0 APs
14 ADC 172.16.3.0/24 172.16.3.1 0 APs
15 ADC 172.17.1.0/24 172.17.1.1 0 APs
16 ADC 172.17.2.0/24 172.17.2.1 0 APs
17 ADC 172.17.3.0/24 172.17.3.1 0 APs
18 ADC 172.17.4.0/24 172.17.4.1 0 APs
19 ADC 172.17.5.0/24 172.17.5.1 0 APs
20 ADC 172.17.6.0/24 172.17.6.1 0 APs
21 ADC 189.30.21.48/29 189.30.21.50 0 WAN-1MB
22 ADC 192.168.0.0/24 192.168.0.1 0 LAN
23 ADC 200.163.176.232/29 200.163.176.237 0 WAN-2MB


And here is my route > rule setup (this one I'm not sure is really right; I'm testing configs to see if it works):

Flags: X - disabled, I - inactive
0 src-address=189.30.21.48/29 action=lookup table=rota2

1 src-address=200.163.176.232/29 action=lookup table=rota3

2 dst-address=189.30.21.48/29 routing-mark=rota2 action=lookup table=rota2

3 dst-address=200.163.176.232/29 routing-mark=rota3 action=lookup table=rota3

4 src-address=189.30.21.48/29 dst-address=200.163.176.232/29 action=lookup table=rota2

5 src-address=200.163.176.232/29 dst-address=189.30.21.48/29 action=lookup table=rota3

6 routing-mark=p2p action=lookup table=p2p

7 action=lookup table=main


Here is my NAT table (lots of rules to make custom setups for many clients; any help on that will be appreciated):

Flags: X - disabled, I - invalid, D - dynamic
0 ;;; Posto do Carlinhos TV
chain=dstnat action=dst-nat to-addresses=172.17.5.13 to-ports=2001 dst-port=2001 protocol=tcp

1 ;;; E-Mule Ismael
chain=dstnat action=dst-nat to-addresses=172.16.1.47 to-ports=4671 dst-port=4671 protocol=tcp

2 ;;; E-Mule Gelson
chain=dstnat action=dst-nat to-addresses=192.168.0.80 to-ports=4670 dst-port=4670 protocol=tcp

3 ;;; E-Mule Caixa
chain=dstnat action=dst-nat to-addresses=192.168.0.70 to-ports=4666 ipv4-options=no-source-routing dst-port=4666 protocol=tcp

4 ;;; aciab teste
chain=dstnat action=dst-nat to-addresses=10.0.0.130 to-ports=5900 dst-port=5900 protocol=tcp

5 chain=dstnat action=dst-nat to-addresses=10.0.0.130 to-ports=1433 dst-port=1433 protocol=tcp

6 ;;; E-Mule Fabiano Pasch
chain=dstnat action=dst-nat to-addresses=172.16.3.21 to-ports=4669 dst-port=4669 protocol=tcp

7 ;;; E-Mule Robson
chain=dstnat action=dst-nat to-addresses=172.16.2.20 to-ports=4667 dst-port=4667 protocol=tcp

8 ;;; E-Mule Ganso
chain=dstnat action=dst-nat to-addresses=10.0.0.103 to-ports=4668 dst-port=4668 protocol=tcp

9 ;;; E-Mule Bruno
chain=dstnat action=dst-nat to-addresses=172.16.1.10 to-ports=4672 dst-port=4672 protocol=tcp

10 ;;; E-Mule Posto Carlinhos
chain=dstnat action=dst-nat to-addresses=10.0.0.86 to-ports=4685 dst-port=4685 protocol=tcp

11 ;;; Bloqueio de clientes não cadastrados. Para liberar, cadastrar na address list: liberados
chain=dstnat action=accept dst-port=53 protocol=udp packet-mark=bloqueia

12 chain=dstnat action=dst-nat to-addresses=200.163.176.234 to-ports=85 packet-mark=bloqueia

13 chain=dstnat action=dst-nat to-addresses=200.163.176.234 to-ports=86 packet-mark=avisos

14 ;;; Redireciona determinados clientes para quadro de aviso. Para isso, cadastrar na address list: aviso
chain=dstnat action=dst-nat to-addresses=200.163.176.234 to-ports=85 src-address-list=avisos packet-mark=avisos

15 ;;; Regra para ips da classe 200.163.176.232/29 rotearem por esta classe
chain=srcnat action=src-nat to-addresses=200.163.176.237 to-ports=0-65535 dst-address=200.163.176.232/29

16 chain=srcnat action=src-nat to-addresses=189.30.21.50 to-ports=0-65535 dst-address=189.30.21.48/29

17 ;;; ACIAB IP Válido
chain=dstnat action=netmap to-addresses=10.0.0.130 to-ports=0-65535 dst-address=200.163.176.236

18 chain=srcnat action=netmap to-addresses=200.163.176.236 to-ports=0-65535 src-address=10.0.0.130

19 ;;; RB532 - IP valido.
chain=dstnat action=netmap to-addresses=10.0.1.253 to-ports=0-65535 dst-address=200.163.176.235

20 chain=srcnat action=netmap to-addresses=200.163.176.235 to-ports=0-65535 src-address=10.0.1.253

21 ;;; RB153 - IP Válido
chain=dstnat action=netmap to-addresses=172.16.2.55 to-ports=0-65535 dst-address=189.30.21.51

22 chain=srcnat action=netmap to-addresses=189.30.21.51 to-ports=0-65535 src-address=172.16.2.55

23 ;;; Proxy
chain=dstnat action=redirect to-ports=3128 src-address=!10.0.0.130 src-address-list=Proxy Redirection dst-address-list=!proxy-exception dst-port=80
protocol=tcp

24 ;;; Imposto de Renda
chain=srcnat action=src-nat to-addresses=200.163.176.237 to-ports=3456 src-address-list=rede-brnet dst-port=3456 protocol=tcp

25 ;;; ICMS
chain=srcnat action=src-nat to-addresses=200.163.176.237 to-ports=0-65535 src-address-list=Redes Clientes dst-port=8017 protocol=tcp

26 ;;; Caixa Federal
chain=srcnat action=src-nat to-addresses=200.163.176.237 to-ports=0-65535 src-address-list=Redes Clientes dst-port=2631 protocol=tcp

27 X ;;; RADIUS
chain=srcnat action=src-nat to-addresses=200.163.176.237 to-ports=0-65535 src-address-list=Redes Clientes dst-port=1812 protocol=udp

28 ;;; E-Mail
chain=srcnat action=src-nat to-addresses=189.30.21.50 to-ports=0-65535 dst-port=25 protocol=tcp

29 chain=srcnat action=src-nat to-addresses=189.30.21.50 to-ports=0-65535 dst-port=110 protocol=tcp

30 ;;; FTP
chain=srcnat action=src-nat to-addresses=200.163.176.237 to-ports=0-65535 routing-mark=ftp

31 ;;; Banricompras
chain=srcnat action=src-nat to-addresses=200.163.176.237 to-ports=0-65535 dst-port=500 protocol=udp

32 chain=srcnat action=src-nat to-addresses=200.163.176.237 to-ports=0-65535 dst-port=10000 protocol=udp

33 chain=srcnat action=src-nat to-addresses=200.163.176.237 to-ports=0-65535 dst-port=11000 protocol=udp

34 ;;; Winbox
chain=srcnat action=src-nat to-addresses=200.163.176.237 to-ports=0-65535 src-address-list=Redes Clientes dst-port=8291 protocol=tcp

35 chain=srcnat action=src-nat to-addresses=200.163.176.237 to-ports=0-65535 dst-port=20561 protocol=tcp

36 ;;; ACIAB
chain=srcnat action=src-nat to-addresses=200.163.176.237 to-ports=0-65535 dst-port=5900 protocol=udp

37 chain=srcnat action=src-nat to-addresses=200.163.176.237 to-ports=0-65535 dst-port=1433 protocol=udp

38 ;;; MSN
chain=srcnat action=src-nat to-addresses=200.163.176.237 to-ports=0-65535 dst-port=1863 protocol=tcp

39 chain=srcnat action=src-nat to-addresses=200.163.176.237 to-ports=0-65535 dst-port=1863 protocol=udp

40 chain=srcnat action=src-nat to-addresses=200.163.176.237 to-ports=0-65535 dst-port=6891-6901 protocol=udp

41 chain=srcnat action=src-nat to-addresses=200.163.176.237 to-ports=0-65535 dst-port=6891-6901 protocol=tcp

42 chain=srcnat action=src-nat to-addresses=200.163.176.237 to-ports=0-65535 dst-port=5190 protocol=udp

43 ;;; Cabal Online
chain=srcnat action=src-nat to-addresses=200.163.176.237 to-ports=0-65535 src-address-list=Redes Clientes dst-port=38100-38130 protocol=tcp

44 ;;; Ping
chain=srcnat action=src-nat to-addresses=200.163.176.237 to-ports=0-65535 protocol=icmp

45 ;;; MU
chain=srcnat action=src-nat to-addresses=200.163.176.237 to-ports=0-65535 src-address-list=Redes Clientes dst-port=44405 protocol=tcp

46 chain=srcnat action=src-nat to-addresses=200.163.176.237 to-ports=0-65535 src-address-list=Redes Clientes dst-port=55901 protocol=tcp

47 ;;; Regra para redirecionar HTTPS para link 2Mb
chain=srcnat action=src-nat to-addresses=200.163.176.237 to-ports=0-65535 dst-port=443 protocol=tcp

48 X ;;; Regra NAT 01 - Habilitar estas regras se somente link de 2mb estiver funcionando.
chain=srcnat action=src-nat to-addresses=200.163.176.237 to-ports=0-65535

49 ;;; Regra NAT 02 - Habilitar estas regras link de 1mb estiver funcionando. Desabilitar Regra NAT 01
chain=srcnat action=src-nat to-addresses=200.163.176.237 to-ports=0-65535 dst-port=80 protocol=tcp

50 ;;; P2P
chain=srcnat action=src-nat to-addresses=189.30.21.50 to-ports=0-65535 routing-mark=rota2

51 chain=srcnat action=src-nat to-addresses=189.30.21.50 to-ports=0-65535

52 X ;;; Regra NAT 03 - Habilitar estas regras se somente link de 1mb estiver funcionando.
chain=srcnat action=src-nat to-addresses=189.30.21.50 to-ports=0-65535 src-address-list=Redes Clientes


And here is part of my mangle table (I pasted only the routing-mark part; I think it will be enough, right?):

5 ;;; P2P ####################################################################################################################
chain=prerouting action=mark-connection new-connection-mark=p2pC passthrough=yes p2p=all-p2p

6 chain=prerouting action=mark-packet new-packet-mark=p2p passthrough=yes connection-mark=p2pC

7 chain=prerouting action=mark-routing new-routing-mark=p2p passthrough=no packet-mark=p2p

8 ;;; Outros###################
chain=prerouting action=mark-routing new-routing-mark=rota2 passthrough=yes dst-port=!80 protocol=tcp

9 ;;; ACIAB
chain=prerouting action=mark-routing new-routing-mark=main passthrough=yes dst-port=5900 protocol=tcp

10 chain=prerouting action=mark-routing new-routing-mark=main passthrough=yes dst-port=1433 protocol=tcp

11 ;;; Mu Online###################
chain=prerouting action=mark-routing new-routing-mark=rota3 passthrough=yes dst-port=44405 protocol=tcp

12 chain=prerouting action=mark-routing new-routing-mark=rota3 passthrough=yes dst-port=55901 protocol=tcp

13 chain=prerouting action=mark-routing new-routing-mark=banricompras passthrough=yes dst-port=10000 protocol=udp

14 ;;; Banricompras
chain=prerouting action=mark-routing new-routing-mark=banricompras passthrough=yes dst-port=500 protocol=udp

15 ;;; Caixa Federal################
chain=prerouting action=mark-routing new-routing-mark=rota3 passthrough=yes dst-port=2631 protocol=tcp

16 ;;; Winbox
chain=prerouting action=mark-routing new-routing-mark=rota3 passthrough=yes dst-port=8291 protocol=tcp

17 ;;; E-Mail
chain=prerouting action=mark-routing new-routing-mark=rota3 passthrough=yes src-address-list=Redes Clientes dst-port=25 protocol=tcp

18 chain=prerouting action=mark-routing new-routing-mark=rota3 passthrough=yes src-address-list=Redes Clientes dst-port=110 protocol=tcp

19 chain=prerouting action=mark-routing new-routing-mark=banricompras passthrough=yes dst-port=11000 protocol=udp

20 chain=prerouting action=mark-routing new-routing-mark=rota3 passthrough=yes dst-port=20561 protocol=tcp

21 ;;; Ping Route
chain=output action=mark-routing new-routing-mark=rota3 passthrough=yes protocol=icmp

22 ;;; MSN#################
chain=prerouting action=mark-routing new-routing-mark=msn passthrough=yes dst-port=1863 protocol=tcp

23 chain=prerouting action=mark-routing new-routing-mark=rota3 passthrough=yes dst-port=1863 protocol=udp

24 chain=prerouting action=mark-routing new-routing-mark=rota3 passthrough=yes dst-port=6891-6901 protocol=tcp

25 chain=prerouting action=mark-routing new-routing-mark=rota3 passthrough=yes dst-port=6891-6901 protocol=udp

26 chain=prerouting action=mark-routing new-routing-mark=rota3 passthrough=yes dst-port=5190 protocol=udp

27 ;;; Mercado Regis Programa
chain=prerouting action=mark-routing new-routing-mark=rota3 passthrough=yes src-address-list=Redes Clientes dst-port=8017 protocol=tcp

28 ;;; Cabal Online#################
chain=prerouting action=mark-routing new-routing-mark=main passthrough=yes dst-port=38100-38130 protocol=tcp

my interface table:

Flags: X - disabled, R - running, D - dynamic, S - slave

NAME TYPE MTU

0 R WAN-2MB ether 1500
1 R WAN-1MB ether 1500
2 R APs ether 1500
3 R LAN ether 1500

and finally my ip address table:

Flags: X - disabled, I - invalid, D - dynamic

ADDRESS NETWORK BROADCAST INTERFACE

0 ;;; Rede Interna
192.168.0.1/24 192.168.0.0 192.168.0.255 LAN
1 ;;; Dirceu
10.1.3.1/24 10.1.3.0 10.1.3.255 LAN
2 ;;; Link Frame-Relay 2Mbps
200.163.176.237/29 200.163.176.232 200.163.176.239 WAN-2MB
3 200.163.176.236/29 200.163.176.232 200.163.176.239 WAN-2MB
4 10.0.0.254/16 10.0.0.0 10.0.255.255 APs
5 ;;; Link Frame-Relay 1Mbps
189.30.21.50/29 189.30.21.48 189.30.21.55 WAN-1MB
6 200.163.176.235/29 200.163.176.232 200.163.176.239 WAN-2MB
7 189.30.21.51/29 189.30.21.48 189.30.21.55 WAN-1MB
8 172.16.1.1/24 172.16.1.0 172.16.1.255 APs
9 172.16.2.1/24 172.16.2.0 172.16.2.255 APs
10 172.16.3.1/24 172.16.3.0 172.16.3.255 APs
11 ;;; Repetidora Sao Joao
11.0.0.253/16 11.0.0.0 11.0.255.255 APs
12 ;;; Repetidora Sao Joao
172.17.1.1/24 172.17.1.0 172.17.1.255 APs
13 ;;; Casa de Cultura Repetidora
172.17.2.1/24 172.17.2.0 172.17.2.255 APs
14 ;;; Polenta Repetidora
172.17.3.1/24 172.17.3.0 172.17.3.255 APs
15 ;;; Repetidora Alto da Bronze
172.17.4.1/24 172.17.4.0 172.17.4.255 APs
16 ;;; Repetidora San Diego
172.17.5.1/24 172.17.5.0 172.17.5.255 APs
17 ;;; Loterica
10.1.4.1/24 10.1.4.0 10.1.4.255 LAN
18 ;;; Repetidora EVA
172.17.6.1/24 172.17.6.0 172.17.6.255 APs


If you guys need any more info I will be pleased to give it!

Please guys, any help will be good… I need to make this work right as soon as possible! Is there any problem with RouterOS 3.10 and multiple gateways? It doesn't work and I'm out of ideas… thanks!!

Depends what you want to do, but have a look at http://wiki.mikrotik.com/wiki/Load_Balancing
I think that’ll help. Works for me with 4 ‘WAN’ & 1 ‘LAN’

Hi, I will try this approach, but what I exactly wanted to do was policy routing based on packet marks, making some programs and ports use one link while other stuff uses another link! Since Ares doesn't have limitations, I want to place it and other P2P software on one link, while important stuff like HTTPS, HTTP, some special programs and things like that go on another link!!! The approach you showed above, as I understand it, will load balance the links as if they were only one, without separating the type of packets per link, but more on an equal-load basis! Is there ANY problem with the 3.10 version that makes it not route through more than one gateway simultaneously? Any help will be MUCH appreciated, thanks!!!

Use the same method as in the wiki example above, but instead of using the Nth rules, make important stuff go through gateway1, like ports 80, 8080, 443, 8443 and traffic to certain destination addresses, or whatever you want. First connection-mark with passthrough, then route-mark. Make the rest go out the other gateway (default route with no routing marks).
Take the wiki example, break it down till you understand it, then it'll make sense.

Ekkas


e.g. instead of

add action=mark-connection chain=prerouting comment=CM1 connection-state=new
disabled=no in-interface=LAN new-connection-mark=Cone nth=4,1
passthrough=yes

you’d use something like:

add action=mark-connection chain=prerouting comment=CM443 disabled=no
dst-port=80,8080,443,8443 in-interface=LAN new-connection-mark=Cone
passthrough=yes protocol=tcp


I mark it here with connection-mark=Cone; you can have multiple rules like this following, then the routing mark with passthrough=false:

add action=mark-routing chain=prerouting comment=RM1 connection-mark=Cone
disabled=no in-interface=LAN new-routing-mark=Rone passthrough=no

Hi, well… the problem is just that!!! It doesn't send any packets to the other gateway if it's not the main table! The packets only go to the default gateway. Even if I src-nat to the other gateway, it won't go! I'm going crazy with this, because it worked really nicely before and now this thing is just not working anymore for NO REASON AT ALL!!! Policy rule routing is not working and I want to know why. My head is out of ideas, really; it's 4:00am and I'm exhausted. Any help will be appreciated, thanks very much!!!

I think the way to get those gateways to work together is to srcnat the outbound requests to each IP set for that interface. I split mine by the source addresses. Like:

/ip firewall nat add chain=srcnat action=src-nat src-address=192.168.0.0/24 to-addresses=189.30.21.50
/ip firewall nat add chain=srcnat action=src-nat src-address=192.168.2.0/24 to-addresses=200.163.176.233

192.168.0.x goes out the interface assigned 189.30.21.50
192.168.2.x goes out the interface assigned 200.163.176.233

I don’t use packet marking. That seems to work only if they are going out the same interface with the same subnet to different IPs.

ADD: Ensure those two NAT entries are first in the NAT list. The order in this list is very important. The first match is assigned and no other rules are used. If your first NAT rule is
chain=srcnat action=masquerade out-interface=ether1
then all will go out ether1, no matter what rules follow it.

…and you don’t need to enter them in order. You can move the entries with the “move” command. Go to /ip firewall nat and enter
move 3 1
and rule 3 becomes rule 1

If you are a dhcp client on those interfaces, you can use the interface name in the “out-interface” parameter instead of the IPs. I use to-addresses instead because I have multiple IPs on each interface.

Warning: I have had some severe problems getting outbound packet markers to work with secure site requests from my clients.

Hi, I appreciate your help very much, but still, what I want is to route using packet marks, because I have a lot of subnets and different clients alike, so it will be much more balanced for me if I can get the policy routing rules to work! Any more advice, guys??? Or maybe someone spotted my mistake in the configuration? Look at the configs I posted and try to figure out what went wrong, because I'm exhausted searching for errors!

You can use the packet markers with the nat rules. But like I said, check your client SSL packets. They don’t seem to hold a packet marker.
/ip firewall nat add chain=srcnat action=src-nat packet-marker=eth1out out-interface=ether1
/ip firewall nat add chain=srcnat action=src-nat packet-marker=eth2out out-interface=ether2

Hi, well… the problem still goes on! I tried some different approaches, like redirecting only some subnets to another link, and it worked, but not as I wish it had!!! When I mark packets on ports 80, 443, 21, 110, 25 (important services) to go to the big link and all other packets to go to the small one, the only packets that go are the ones redirected to the main gateway! I mean, if I mark HTTP as route "route2" and all others as "route3", wouldn't it be right to make:

Destination gateway packet-mark
0.0.0.0/0 xxx.30.21.49
0.0.0.0/0 xxx.163.176.233 route2
0.0.0.0/0 xxx.30.21.49 route3


This should work, right?

I also src-nat the routing marks to the respective links!
Am I forgetting some routing rules? I just can't make it work, and it worked already but stopped suddenly, and now not even my dst-nat rules are working anymore!!! What's wrong? Is it something with the 3.10 version of RouterOS? Thanks in advance.

You are almost there!! Move the top rule to the bottom. It is the default “fallthrough” interface. Remember, the first that matches is the first it uses. All cases will match that first rule, and the other two will never be evaluated.

Look at these rules as a set of If..Else statements. The way you want it is:
If going anywhere and packet-mark=route1 then gateway=xx.xx.xx.xx
else if going anywhere and packet-mark=route2 then gateway=yy.yy.yy.yy
else if going anywhere then gateway=zz.zz.zz.zz

ADD: I would use the packet markers on the srcnat rules rather than the gateways, though. They will pick the route out once they are srcnatted to an IP address. If you assign a gateway to a packet that has a different IP subnet, there is going to be some trouble.

Hi again… I'm still with no success at all doing the load balancing. The config I showed above is in the IP > Route menu, not IP > Route > Rules, so I can't move them! I also want to know if I'm marking the packets right. I'm marking in the prerouting chain and I'm trying to use the routing mark on src-nat as well to see if it works. If my idea is right, I should mark the packet, src-nat it based on the mark, place the second gateway with the routing mark, and later place a rule to match those routing marks and look up the right routing table. This is what I'm doing, but it isn't working for some reason!!! Any clues?

I would not use packet markers at the gateways for this. I would use the packet markers in
/ip firewall nat
add chain=masquerade packet-marker=eth1out out-interface=ether1
add chain=masquerade out-interface=ether2
The packets marked with eth1out will go out the gateway on ether1, and the rest will go out the gateway on ether2.

On the same subnet or with multiple IP interfaces:
add chain=srcnat action=src-nat packet-marker=ip1out to-addresses=xxx.xxx.xxx.1
add chain=srcnat action=src-nat to-addresses=xxx.xxx.xxx.2
With this you can use packet markers at the gateway on same subnet IPs. But the gateways would need to be something like
200.163.176.1
and
200.163.176.2

These are your two IPs.
200.163.176.237
189.30.21.50
If you masquerade all as 200.163.176.237, then try to send a few out the 189.30.21.50 gateway, there will be problems if the device on the other end is not routed for both those IP subnets.

BTW, I am not guessing at this. I have a net now that has two “public” interfaces (private IPs from my provider) with multiple gateways on each. I route users out different gateways on each interface. I use
eth1ip1out
eth1ip2out
eth2ip1out
eth2ip2out
as packet marker names.

If you try this (assuming /24 subnets):
your ip firewall nat would be:
add chain=srcnat action=masquerade packet-marker=eth1ip1out out-interface=ether1
add chain=srcnat action=masquerade packet-marker=eth1ip2out out-interface=ether1
add chain=srcnat action=masquerade out-interface=ether2

your /ip route entries would be:
add gateway=200.163.176.1 packet-marker=eth1ip1out
add gateway=200.163.176.2 packet-marker=eth1ip2out
add gateway=189.30.21.2 packet-marker=eth2ip2out
add gateway=189.30.21.1

EDIT: I must have been sleepwalking when I wrote this. Please replace “packet-marker” with “routing-mark”.

Thank you very much for this info, dude; your explanation is very complete and I think now I can adapt your advice to my needs!!! I will try that and if it works I'll post here again to close the topic. See you around!

You are welcome! When I saw your last post, I noticed I have a mistake in the route entries. They should be:
add gateway=200.163.176.2 routing-mark=eth1ip2out
add gateway=200.163.176.1
add gateway=189.30.21.2 routing-mark=eth2ip2out
add gateway=189.30.21.1

I should have looked at my /ip route to check first. Forgot to leave the default gateway on ether1. My bad :blush:

I have the same situation / problem…

I found the solutions posted here helpful for either load balancing or correctly routing incoming connections to two external public IP addresses… but not for both.

Once I set up load balancing successfully and drive traffic through both my internet gateways, I cannot ping the public IPs from an external IP, and thus cannot accept incoming external connections.

Once I set up the packet marking successfully for correctly routing incoming external connections, the load balancing breaks.

When I have both in place, the only thing that breaks or makes one of the two work is the activation / deactivation of the ip route rule:
/ip route rule
add action=lookup comment="" disabled=no routing-mark=t1 table=t1

Where t1 is the connection / packet / route mark for incoming connections to the 2nd, non-default, public IP.

How can I have both external IPs behave correctly and be able to do load balancing at the same time?

I must have been asleep when I wrote the last post. I use routing marks, not packet markers.
When you say they don’t work together, you mean they both work as long as the other is not.
How did you implement your load balancing?

Here is a simple routing-mark example. Wlan2 goes out ether2, and all else goes out ether1:
/ip firewall mangle add chain=prerouting action=mark-routing new-routing-mark=ether2out in-interface=wlan2
These must be in this order:
/ip firewall nat add chain=srcnat action=masquerade routing-mark=ether2out out-interface=ether2
/ip firewall nat add chain=srcnat action=masquerade out-interface=ether1

To check, I have a page set up to let me know if it is working.
http://68.99.58.117/myip.php
From wlan2, it shows the IP of ether2
From everywhere else, it shows the IP of ether1
Please don’t DoS me now! :wink:

I have two internet interfaces (ADSL landlines), both bridged on the same MK, so there are two interfaces with actual internet IPs on the MK.

Let's call them WAN1 and WAN2.

I want to do simple static load balancing, where my LAN1 goes out via WAN1 and LAN2 via WAN2.

I have managed that by following three basic steps:

  • Route-mark incoming connections from LAN2 going outbound
  • Add a default route with the same route mark
  • Add a NAT masquerade rule with the same route mark

This worked; LAN2 was seeing the internet via WAN2, LAN1 via WAN1, success!

(The NAT rule for LAN1 was masquerade on src-address = LAN1)

But with the above setup I could not ping the WAN2 IP from the outside world. All reply packets were routed via WAN1, so no connections…

I fixed that by following these steps:

  1. Mark connection, packet (prerouting / output) and route (prerouting / output)
  2. Add a default route with the same route mark
  3. Add a route rule for the same route mark to look up the same routing (mark's) table

When I activated step 3, LAN2 lost internet connectivity and WAN2 was pingable.
When I deactivated step 3, LAN2 had internet, but no ping for WAN2…

Eventually, at this moment, I have solved my problem by making these changes:

  1. Remove 'add default route' from the WAN1 interface
  2. Add a default static route that has both the WAN1 and WAN2 gateway IPs in the same rule
  3. Route-mark incoming connections from LAN2 going outbound
  4. Add a default route with the same route mark
  5. Add a 'default' NAT masquerade with LAN1 as the src-address
  6. Add a NAT masquerade rule with the same route mark

For step 2 I have to find a way to make the rule updatable, as I have to declare the other end's IP as my gateway. And although I have static IPs, whenever the interface 'redials' it connects to a different end…

As it stands, the above setup has LAN2 going out to the internet via WAN2, and WAN2 is publicly pingable….

Any other solution?
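As an added example (not configuration posted by anyone in this thread), here is one complete RouterOS 3.x-style policy-routing set that covers both needs discussed above: the original poster's port-based split of client traffic across the 2 Mb and 1 Mb links, and the last poster's requirement that connections arriving on the second public IP are answered through the same link while the per-LAN balancing keeps working. Interface names, gateway addresses and the address ranges are those printed earlier in the thread; the mark names (wan2mb_conn, to_wan2mb and so on), the address list and the "important ports" list are my own assumptions.

```routeros
# Added example, not from the thread. WAN-2MB / WAN-1MB / LAN / APs and the gateways
# 200.163.176.233 / 189.30.21.49 come from the posted config; mark names, the "internal"
# address list and the port list are assumptions. Rule order matters in every list below:
# RouterOS acts on the first rule that matches.

/ip firewall address-list
# Internal destinations (ranges from the posted /ip address table) must never be sent
# to a WAN gateway, so outbound classification below excludes them.
add list=internal address=10.0.0.0/8
add list=internal address=11.0.0.0/16
add list=internal address=172.16.0.0/12
add list=internal address=192.168.0.0/16

/ip firewall mangle
# --- A. Connections arriving from the Internet: remember which link they came in on, so
#        replies (from the router itself or from dst-nat / netmap hosts) leave that link.
add chain=prerouting in-interface=WAN-2MB connection-state=new \
    action=mark-connection new-connection-mark=wan2mb_conn passthrough=yes
add chain=prerouting in-interface=WAN-1MB connection-state=new \
    action=mark-connection new-connection-mark=wan1mb_conn passthrough=yes
# Replies generated by the router (e.g. a ping to 189.30.21.50) go through chain=output
add chain=output connection-mark=wan2mb_conn \
    action=mark-routing new-routing-mark=to_wan2mb passthrough=no
add chain=output connection-mark=wan1mb_conn \
    action=mark-routing new-routing-mark=to_wan1mb passthrough=no
# Replies forwarded from internal hosts enter through prerouting on LAN or APs
add chain=prerouting in-interface=LAN connection-mark=wan2mb_conn \
    action=mark-routing new-routing-mark=to_wan2mb passthrough=no
add chain=prerouting in-interface=APs connection-mark=wan2mb_conn \
    action=mark-routing new-routing-mark=to_wan2mb passthrough=no
add chain=prerouting in-interface=LAN connection-mark=wan1mb_conn \
    action=mark-routing new-routing-mark=to_wan1mb passthrough=no
add chain=prerouting in-interface=APs connection-mark=wan1mb_conn \
    action=mark-routing new-routing-mark=to_wan1mb passthrough=no

# --- B. Connections opened by clients: "important" TCP services take the 2 Mb link,
#        everything else (P2P included) the 1 Mb link. A connection is classified once,
#        on its first packet (connection-state=new); every later packet derives its
#        routing mark from the connection mark, so the choice cannot flip mid-connection.
add chain=prerouting in-interface=LAN connection-state=new dst-address-list=!internal \
    protocol=tcp dst-port=80,443,21,25,110 \
    action=mark-connection new-connection-mark=out_wan2mb passthrough=yes
add chain=prerouting in-interface=APs connection-state=new dst-address-list=!internal \
    protocol=tcp dst-port=80,443,21,25,110 \
    action=mark-connection new-connection-mark=out_wan2mb passthrough=yes
add chain=prerouting in-interface=LAN connection-state=new dst-address-list=!internal \
    connection-mark=no-mark action=mark-connection new-connection-mark=out_wan1mb passthrough=yes
add chain=prerouting in-interface=APs connection-state=new dst-address-list=!internal \
    connection-mark=no-mark action=mark-connection new-connection-mark=out_wan1mb passthrough=yes
add chain=prerouting connection-mark=out_wan2mb \
    action=mark-routing new-routing-mark=to_wan2mb passthrough=no
add chain=prerouting connection-mark=out_wan1mb \
    action=mark-routing new-routing-mark=to_wan1mb passthrough=no

/ip firewall nat
# --- C. Source NAT chosen by the exit interface that the route (section D) has already
#        picked. Keep these after any 1:1 netmap rules for hosts with their own public IP
#        and before any catch-all masquerade: the first srcnat match wins.
add chain=srcnat out-interface=WAN-2MB action=src-nat to-addresses=200.163.176.237
add chain=srcnat out-interface=WAN-1MB action=src-nat to-addresses=189.30.21.50

/ip route
# --- D. One default route per routing mark (each mark is its own table) plus the plain
#        defaults for unmarked traffic. No /ip route rule is needed: the routing mark
#        selects the table directly, and when the marked table has no matching route the
#        main table (with the connected ADC routes) is consulted, which keeps internal
#        destinations reachable. check-gateway lets the backup default take over when
#        the 2 Mb gateway stops answering pings.
add dst-address=0.0.0.0/0 gateway=200.163.176.233 routing-mark=to_wan2mb comment="marked: 2 Mb link"
add dst-address=0.0.0.0/0 gateway=189.30.21.49 routing-mark=to_wan1mb comment="marked: 1 Mb link"
add dst-address=0.0.0.0/0 gateway=200.163.176.233 distance=1 check-gateway=ping comment="default"
add dst-address=0.0.0.0/0 gateway=189.30.21.49 distance=2 check-gateway=ping comment="backup default"
```

With this in place, the route-rule toggle described in the last post is unnecessary: the marked tables and the main table coexist, and the only lists whose order must be watched are the mangle and srcnat chains.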