Configured for dual wan, now cant access the router though internet works

Hello, total beginner here, so a bit stumped. I configured for dual WAN and DHCP; now I can access the internet but cannot access the router. Winbox can see the router but cannot connect (connection timed out). Please give your input on the following script.

# dec/05/2024 01:34:32 by RouterOS 6.49.17
# software id = **ELIDED**
#
# model = RB750Gr3
# serial number = xxxxxxxxxx
/interface bridge
add name=bridge_LAN
/interface ethernet
set [ find default-name=ether1 ] name=ether1-ISPA
set [ find default-name=ether2 ] name=ether2-Ispb
set [ find default-name=ether3 ] name=ether3-output
set [ find default-name=ether4 ] name=ether4-output
set [ find default-name=ether5 ] name=ether5-output
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=192.168.0.2-192.168.0.254
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=bridge_LAN name=dhcp1
/interface bridge port
add bridge=bridge_LAN interface=ether3-output
add bridge=bridge_LAN interface=ether4-output
add bridge=bridge_LAN interface=ether5-output
/ip address
add address=192.168.0.1/24 interface=bridge_LAN network=192.168.0.0
/ip dhcp-client
add disabled=no interface=ether1-ISPA
add disabled=no interface=ether2-Ispb
/ip dhcp-server network
add address=192.168.0.0/24 dns-server=103.94.168.168,103.94.168.169 gateway=\
    192.168.0.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8
/ip firewall mangle
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=bridge_LAN new-connection-mark=isp1 passthrough=yes \
    per-connection-classifier=both-addresses-and-ports:2/0
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=bridge_LAN new-connection-mark=isp2 passthrough=yes \
    per-connection-classifier=both-addresses-and-ports:2/1
add action=mark-routing chain=prerouting connection-mark=isp1 in-interface=\
    bridge_LAN new-routing-mark="ke isp1" passthrough=yes
add action=mark-routing chain=prerouting connection-mark=isp2 in-interface=\
    bridge_LAN new-routing-mark="ke isp2" passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=ether1-ISPA new-connection-mark=isp1 passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=ether2-Ispb new-connection-mark=isp2 passthrough=yes
add action=mark-routing chain=output connection-mark=isp1 new-routing-mark=\
    "ke isp1" passthrough=yes
add action=mark-routing chain=output connection-mark=isp2 new-routing-mark=\
    "ke isp2" passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1-ISPA
add action=masquerade chain=srcnat out-interface=ether2-Ispb
/ip route
add check-gateway=ping distance=1 gateway=192.168.1.1 routing-mark="ke isp1"
add check-gateway=ping distance=1 gateway=8.8.8.8 routing-mark="ke isp1" \
    target-scope=30
add distance=2 gateway=192.168.8.1 routing-mark="ke isp1"
add check-gateway=ping distance=1 gateway=192.168.8.1 routing-mark="ke isp2"
add check-gateway=ping distance=1 gateway=1.1.1.1 routing-mark="ke isp2" \
    target-scope=30
add distance=2 gateway=192.168.1.1 routing-mark="ke isp2"
add check-gateway=ping distance=1 gateway=192.168.1.1
add check-gateway=ping distance=1 gateway=192.168.8.1
add distance=1 dst-address=1.1.1.1/32 gateway=192.168.8.1
add distance=1 dst-address=8.8.8.8/32 gateway=192.168.1.1

WinBox (64bit) v3.37 (Addresses)2.jpg
WinBox (64bit) v3.37 (Addresses).jpg

Can winbox connect via MAC address?

Instead of clicking on the IP address (that will populate the “Connect To:” field with 192.168.0.1), try clicking on the MAC address of the hEX; the “Connect To:” field will be populated with the MAC address of the device.

How did you manage to create the export if Winbox does not connect (Web browser/webfig, ssh, etc.)?

In your export there is seemingly no /ip firewall filter rules, did you omit them or really you have no firewall set?

Your config is missing the “normal” categorization of interfaces and winbox provisions, usually something like (adapted to your config):

/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN

/interface list member
add interface=ether1-ISPA list=WAN
add interface=ether2-Ispb list=WAN
add interface=bridge_LAN list=LAN

/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Can winbox connect via MAC address?

Instead of clicking on the IP address (that will populate the “Connect To:” field with 192.168.0.1), try clicking on the MAC address of the hEX; the “Connect To:” field will be populated with the MAC address of the device.

Yes… I did not know that we can connect through the MAC address. Thanks a lot… but why can I not connect through IP?


How did you manage to create the export if Winbox does not connect (Web browser/webfig, ssh, etc.)?

I exported the settings through a script before I relocated the router… after everything was set up I realized I cannot access the router anymore, either by Winbox or by web browser.


In your export there is seemingly no /ip firewall filter rules, did you omit them or really you have no firewall set?

I followed YouTube guides… so I guess I have no firewall set? How risky is this? Can a plain password during initial login mitigate the issue?


Your config is missing the “normal” categorization of interfaces and winbox provisions, usually something like (adapted to your config):

Probably because the config was an exported script. I don’t know coding, so I’m unaware of proper coding practices. Can I add the code to the script?

It is not a good idea to have a router facing the internet without a firewall, thus granting connection to the router itself (OK, a non-default user and a secure password would help) and to any device in your LAN from the outside, but you have 192.168.1.1 and 192.168.8.1 as gateways, so the device is actually behind other routers, isn’t it?

So you can now connect via MAC but not by IP with Winbox?

I don’t really know the reason; it could be your mangle rules in prerouting that catch all traffic, including the local one?
The rest of your configuration seems to me pretty much harmless.

The usual recommendation to beginners (unless really-really needed) is to take one port out of the bridge, assign a static IP to it, leave it unconnected, and be able to connect a laptop directly to it in case of emergency.

If now you can access the router configuration with winbox via MAC you can try disabling the mangle rules and see what happens.
If those are the culprits, you could try “narrowing” their scope, excluding local LAN destination addresses.

Yes, you can add the snippet I posted by opening a new terminal in Winbox and copy-pasting it; that in itself is harmless, but it is essentially only a preparatory step to later - if needed - add the default firewall rules (which make use of the interface list categorizations).

If by IP you have to add the port, so 192.168.1.1:winboxPort#

Your routes are a mess (also, don’t use the same IP DNS addresses in recursive routers, so I changed them).
This is correct.

/ip route
add check-gateway=ping dst-address=0.0.0.0/0 gateway=8.8.4.4 scope=10 target-scope=12 comment="WAN 1"
add dst-address=8.8.4.4/32 gateway=192.168.1.1 scope=10 target-scope=11
add check-gateway=ping distance=2 dst-address=0.0.0.0/0 gateway=1.0.0.1 scope=10 target-scope=12 comment="WAN 2"
add distance=2 dst-address=1.0.0.1/32 gateway=192.168.8.1 scope=10 target-scope=11

# special tables
add dst-address=0.0.0.0/0 gateway=192.168.1.1 routing-mark="ke isp1"
add dst-address=0.0.0.0/0 gateway=192.168.8.1 routing-mark="ke isp2"

Let’s look at mangling…
/ip firewall mangle
# ensuring traffic TO the router goes back out the same WAN
add action=mark-connection chain=input connection-mark=no-mark \
    in-interface=ether1-ISPA new-connection-mark=to-isp1 passthrough=yes
add action=mark-connection chain=input connection-mark=no-mark \
    in-interface=ether2-Ispb new-connection-mark=to-isp2 passthrough=yes
add action=mark-routing chain=output connection-mark=to-isp1 \
    new-routing-mark="ke isp1" passthrough=no
add action=mark-routing chain=output connection-mark=to-isp2 \
    new-routing-mark="ke isp2" passthrough=no

# applying load balance mangling
add action=mark-connection chain=forward connection-mark=no-mark \
    in-interface=bridge_LAN new-connection-mark=isp1 dst-address-type=!local \
    passthrough=yes per-connection-classifier=both-addresses-and-ports:2/0
add action=mark-connection chain=forward connection-mark=no-mark \
    in-interface=bridge_LAN new-connection-mark=isp2 dst-address-type=!local \
    passthrough=yes per-connection-classifier=both-addresses-and-ports:2/1
add action=mark-routing chain=prerouting connection-mark=isp1 \
    new-routing-mark="ke isp1" passthrough=no
add action=mark-routing chain=prerouting connection-mark=isp2 \
    new-routing-mark="ke isp2" passthrough=no

Note: I use different connection marks so that, if there are issues and you are looking at traffic, it’s easy to see which marks belong to which traffic flow.
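A worked model of the recursive routes above, added here as an example (it is not RouterOS code and not from anav's post): it reproduces, in simplified form (main table only, no routing marks), how a static route's gateway is looked up through routes whose scope is at most its target-scope until a connected route is reached, and how check-gateway=ping then decides which default route is active. It assumes the two DHCP clients created connected routes for 192.168.1.0/24 on ether1-ISPA and 192.168.8.0/24 on ether2-ISPB, and it goes beyond the thread by showing what happens when both WANs are given the same host to ping.

```python
from dataclasses import dataclass
import ipaddress


@dataclass(eq=False)
class Route:
    dst: str
    gateway: str = None        # next hop of a static route
    interface: str = None      # set on connected routes
    distance: int = 1
    scope: int = None          # RouterOS default: 10 connected, 30 static
    target_scope: int = 10     # RouterOS default for static routes
    check_gateway: bool = False
    comment: str = ""

    def __post_init__(self):
        self.net = ipaddress.ip_network(self.dst)
        if self.scope is None:
            self.scope = 10 if self.interface else 30


class RoutingTable:
    """Main table only (no routing marks); 'reachable' is the constructed set
    of (host, exit interface) pairs that would answer a check-gateway ping."""

    def __init__(self, routes, reachable):
        self.routes = routes
        self.reachable = set(reachable)

    def lookup(self, addr, max_scope, stack):
        """Longest prefix, then lowest distance, among usable routes with
        scope <= max_scope; routes already on the resolution path are skipped."""
        ip = ipaddress.ip_address(addr)
        cands = [r for r in self.routes
                 if r not in stack and r.scope <= max_scope and ip in r.net
                 and self.usable(r, stack)]
        return max(cands, key=lambda r: (r.net.prefixlen, -r.distance), default=None)

    def exit_interface(self, r, stack=()):
        """Follow the next-hop chain down to a connected route; None if unresolvable."""
        if r.interface:
            return r.interface
        via = self.lookup(r.gateway, r.target_scope, stack + (r,))
        return None if via is None else self.exit_interface(via, stack + (r,))

    def usable(self, r, stack=()):
        """Resolvable and, with check-gateway=ping, answered over the interface
        the lookup actually chose for the gateway address."""
        iface = self.exit_interface(r, stack)
        if iface is None:
            return False
        return not r.check_gateway or (r.gateway, iface) in self.reachable

    def active(self, dst):
        """The route RouterOS would list as 'AS' for dst: lowest distance among usable ones."""
        net = ipaddress.ip_network(dst)
        cands = [r for r in self.routes if r.net == net and self.usable(r)]
        return min(cands, key=lambda r: r.distance, default=None)


def thread_routes(second_target="1.0.0.1"):
    """The WAN 1 / WAN 2 routes proposed above plus the assumed connected routes;
    second_target lets the same-host pitfall be reproduced."""
    return [
        Route("192.168.1.0/24", interface="ether1-ISPA"),
        Route("192.168.8.0/24", interface="ether2-ISPB"),
        Route("0.0.0.0/0", "8.8.4.4", scope=10, target_scope=12,
              check_gateway=True, comment="WAN 1"),
        Route("8.8.4.4/32", "192.168.1.1", scope=10, target_scope=11),
        Route("0.0.0.0/0", second_target, distance=2, scope=10, target_scope=12,
              check_gateway=True, comment="WAN 2"),
        Route(second_target + "/32", "192.168.8.1", distance=2, scope=10, target_scope=11),
    ]


def active_default(reachable, second_target="1.0.0.1"):
    """Comment of the default route that would be active, or None if both are down."""
    r = RoutingTable(thread_routes(second_target), reachable).active("0.0.0.0/0")
    return None if r is None else r.comment


# Constructed reachability scenarios.
BOTH_UP = {("8.8.4.4", "ether1-ISPA"), ("1.0.0.1", "ether2-ISPB")}
ISP_A_UPSTREAM_DEAD = {("1.0.0.1", "ether2-ISPB")}      # 192.168.1.1 itself may still answer
SAME_HOST_ISP_A_DEAD = {("8.8.4.4", "ether2-ISPB")}     # both WANs pinging 8.8.4.4
```

With distinct check hosts the model fails over to WAN 2 when ISP A's upstream dies; with the same host on both WANs the second default route resolves 8.8.4.4 through the distance-1 /32 via ISP A, so its ping also fails and no default route stays active.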

It is not a good idea to have a router facing the internet without a firewall, thus granting connection to the router itself (OK, a non-default user and a secure password would help) and to any device in your LAN from the outside, but you have 192.168.1.1 and 192.168.8.1 as gateways, so the device is actually behind other routers, isn’t it?

OK, I’ll look into adding a firewall for the router. You’re correct, my ISPs provided their own routers, whose settings customers basically cannot touch, so probably a double NAT situation? Two routers, connected to the hEX, which then goes to a switch to distribute to the access point and PC.


So you can now connect via MAC but not by IP with Winbox?

Correct, quite baffled by this as the IPv4 on my PC is assigned the correct subnet (192.168.0.77 or something).


I don’t really know the reason; it could be your mangle rules in prerouting that catch all traffic, including the local one?
The rest of your configuration seems to me pretty much harmless.

The usual recommendation to beginners (unless really-really needed) is to take one port out of the bridge, assign a static IP to it, leave it unconnected, and be able to connect a laptop directly to it in case of emergency.

If I did this, then the router will still not be accessible through the IP LAN network? Only through Winbox’s MAC address direct connection, right?


If now you can access the router configuration with winbox via MAC you can try disabling the mangle rules and see what happens.
If those are the culprits, you could try “narrowing” their scope, excluding local LAN destination addresses.

I’ll still be able to connect through Winbox’s MAC, right? A bit worried that messing with the mangle rules will cause me to be locked out completely from the router.


Yes, you can add the snippet I posted by opening a new terminal in Winbox and copy-pasting it; that in itself is harmless, but it is essentially only a preparatory step to later - if needed - add the default firewall rules (which make use of the interface list categorizations).

Great, thank you for the input

If by IP you have to add the port, so 192.168.1.1:winboxPort#

So if I add this then I’ll be able to access the router through this IP? Only through Winbox, or will browsers work too?


Your routes are a mess (also, don’t use the same IP DNS addresses in recursive routers, so I changed them).

Yeah, I guess mixing multiple YouTube videos without knowing the principle behind the steps does that… can you please elaborate about the same IP addresses in recursive routers? Is it about the failover setting?


This is correct.

/ip route
add check-gateway=ping dst-address=0.0.0.0/0 gateway=8.8.4.4 scope=10 target-scope=12 comment="WAN 1"
add dst-address=8.8.4.4/32 gateway=192.168.1.1 scope=10 target-scope=11
add check-gateway=ping distance=2 dst-address=0.0.0.0/0 gateway=1.0.0.1 scope=10 target-scope=12 comment="WAN 2"
add distance=2 dst-address=1.0.0.1/32 gateway=192.168.8.1 scope=10 target-scope=11

# special tables
add dst-address=0.0.0.0/0 gateway=192.168.1.1 routing-mark="ke isp1"
add dst-address=0.0.0.0/0 gateway=192.168.8.1 routing-mark="ke isp2"

Let’s look at mangling…
/ip firewall mangle
# ensuring traffic TO the router goes back out the same WAN
add action=mark-connection chain=input connection-mark=no-mark \
    in-interface=ether1-ISPA new-connection-mark=to-isp1 passthrough=yes
add action=mark-connection chain=input connection-mark=no-mark \
    in-interface=ether2-Ispb new-connection-mark=to-isp2 passthrough=yes
add action=mark-routing chain=output connection-mark=to-isp1 \
    new-routing-mark="ke isp1" passthrough=no
add action=mark-routing chain=output connection-mark=to-isp2 \
    new-routing-mark="ke isp2" passthrough=no

# applying load balance mangling
add action=mark-connection chain=forward connection-mark=no-mark \
    in-interface=bridge_LAN new-connection-mark=isp1 dst-address-type=!local \
    passthrough=yes per-connection-classifier=both-addresses-and-ports:2/0
add action=mark-connection chain=forward connection-mark=no-mark \
    in-interface=bridge_LAN new-connection-mark=isp2 dst-address-type=!local \
    passthrough=yes per-connection-classifier=both-addresses-and-ports:2/1
add action=mark-routing chain=prerouting connection-mark=isp1 \
    new-routing-mark="ke isp1" passthrough=no
add action=mark-routing chain=prerouting connection-mark=isp2 \
    new-routing-mark="ke isp2" passthrough=no

Note: I use different connection marks so that, if there are issues and you are looking at traffic, it’s easy to see which marks belong to which traffic flow.

Thank you for the input, I’ll try to update the existing config into this.

The idea of having a free, self-standing port for emergency access is only that of having an emergency access; it is relatively easy to lock oneself out of Winbox MAC access too when fiddling with settings.
Your current situation is not “normal”: unless (intentionally or accidentally) disabled, you should have normal IP access to that router, both from Winbox and from a browser.

As said, I cannot really say which settings cause this; I suspect those mangle rules only because the rest of your configuration seems pretty simple. In any case you should find the issue and resolve it, restore normal access to the router via IP, and only later - if it is the case - restrict it again, but this time knowing which settings restrict it.

I see that anav suggested moving the mangle from prerouting to input and forward and added (where needed) dst-address-type=!local, so I believe that my guess was right.

The default port for Winbox should be port 8291, see if with that added Winbox connects via IP.

Also add this rule.
/ip neighbor discovery-settings
set discover-interface-list=LAN

Jaclaz & Anav, thank you for the guidance so far… So I updated the script to include the instructions as follows:

/interface bridge
add name=bridge_LAN

/interface ethernet
set [ find default-name=ether1 ] name=ether1-ISPA
set [ find default-name=ether2 ] name=ether1-ISPB
set [ find default-name=ether3 ] name=ether3-output
set [ find default-name=ether4 ] name=ether4-output
set [ find default-name=ether5 ] name=ether5-output

/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN

/interface list member
add interface=ether1-ISPA list=WAN
add interface=ether1-ISPB list=WAN
add interface=bridge_LAN list=LAN

/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik

/ip pool
add name=dhcp_pool0 ranges=192.168.0.2-192.168.0.254

/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=bridge_LAN name=dhcp1

/interface bridge port
add bridge=bridge_LAN interface=ether3-output
add bridge=bridge_LAN interface=ether4-output
add bridge=bridge_LAN interface=ether5-output

/ip address
add address=192.168.0.1/24 interface=bridge_LAN network=192.168.0.0

/ip dhcp-client
add disabled=no interface=ether1-ISPA
add disabled=no interface=ether1-ISPB

/ip dhcp-server network
add address=192.168.0.0/24 dns-server=103.94.168.168,103.94.168.169 gateway=\
    192.168.0.1

/ip dns
set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8

/ip neighbor discovery-settings
set discover-interface-list=LAN

/ip route
add check-gateway=ping dst-address=0.0.0.0/0 gateway=8.8.4.4 scope=10 target-scope=12 comment="WAN 1"
add dst-address=8.8.4.4/32 gateway=192.168.1.1 scope=10 target-scope=11
add check-gateway=ping distance=2 dst-address=0.0.0.0/0 gateway=1.0.0.1 scope=10 target-scope=12 comment="WAN 2"
add distance=2 dst-address=1.0.0.1/32 gateway=192.168.8.1 scope=10 target-scope=11
add dst-address=0.0.0.0/0 gateway=192.168.1.1 routing-mark="ke isp1"
add dst-address=0.0.0.0/0 gateway=192.168.8.1 routing-mark="ke isp2"

/ip firewall mangle
add action=mark-connection chain=input connection-mark=no-mark \
in-interface=ether1-ISPA new-connection-mark=to-isp1 passthrough=yes
add action=mark-connection chain=input connection-mark=no-mark \
in-interface=ether1-ISPB new-connection-mark=to-isp2 passthrough=yes
add action=mark-routing chain=output connection-mark=to-isp1 new-routing-mark=\
"ke isp1" passthrough=no
add action=mark-routing chain=output connection-mark=to-isp2 new-routing-mark=\
"ke isp2" passthrough=no
add action=mark-connection chain=forward connection-mark=no-mark \
in-interface=bridge_LAN new-connection-mark=isp1 dst-address-type=!local \
passthrough=yes per-connection-classifier=both-addresses-and-ports:2/0
add action=mark-connection chain=forward connection-mark=no-mark \
in-interface=bridge_LAN new-connection-mark=isp2 dst-address-type=!local \
passthrough=yes per-connection-classifier=both-addresses-and-ports:2/1
add action=mark-routing chain=prerouting connection-mark=isp1 \
new-routing-mark="ke isp1" passthrough=no
add action=mark-routing chain=prerouting connection-mark=isp2 \
new-routing-mark="ke isp2" passthrough=no

/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1-ISPA
add action=masquerade chain=srcnat out-interface=ether1-ISPB

Everything looks OK from the screenshot but I’m not connected to the internet. I’ve tried disconnecting and reconnecting the cable but still no go. Did I misplace the order?

Also for the firewall, can I just paste this script?

/ip firewall address-list
add address=0.0.0.0/8 comment="Self-Identification [RFC 3330]" disabled=no list=bogons
add address=10.0.0.0/8 comment="Private[RFC 1918] - CLASS A # Check if you need this subnet before enable it" \
    disabled=yes list=bogons
add address=127.0.0.0/8 comment="Loopback [RFC 3330]" disabled=no list=bogons
add address=169.254.0.0/16 comment="Link Local [RFC 3330]" disabled=no list=bogons
add address=172.16.0.0/12 comment="Private[RFC 1918] - CLASS B # Check if you need this subnet before enable it" \
    disabled=yes list=bogons
add address=192.168.0.0/16 comment="Private[RFC 1918] - CLASS C # Check if you need this subnet before enable it" \
    disabled=yes list=bogons
add address=192.0.2.0/24 comment="Reserved - IANA - TestNet1" disabled=no list=bogons
add address=192.88.99.0/24 comment="6to4 Relay Anycast [RFC 3068]" disabled=no list=bogons
add address=198.18.0.0/15 comment="NIDB Testing" disabled=no list=bogons
add address=198.51.100.0/24 comment="Reserved - IANA - TestNet2" disabled=no list=bogons
add address=203.0.113.0/24 comment="Reserved - IANA - TestNet3" disabled=no list=bogons
add address=224.0.0.0/4 comment="MC, Class D, IANA # Check if you need this subnet before enable it" \
    disabled=yes list=bogons
  1. I see one change to be made here but since you were consistent it didnt cause any problems.
    /interface ethernet
    set [ find default-name=ether1 ] name=ether1-ISPA
    set [ find default-name=ether2 ] name=ether1-ISPB

    Should be:
    /interface ethernet
    set [ find default-name=ether1 ] name=ether1-ISPA
    set [ find default-name=ether2 ] name=ether2-ISPB

same here:
/ip firewall mangle
add action=mark-connection chain=input connection-mark=no-mark \
    in-interface=ether1-ISPA new-connection-mark=to-isp1 passthrough=yes
add action=mark-connection chain=input connection-mark=no-mark \
    in-interface=ether1-ISPB new-connection-mark=to-isp2 passthrough=yes

Should be:
/ip firewall mangle
add action=mark-connection chain=input connection-mark=no-mark \
    in-interface=ether1-ISPA new-connection-mark=to-isp1 passthrough=yes
add action=mark-connection chain=input connection-mark=no-mark \
    in-interface=ether2-ISPB new-connection-mark=to-isp2 passthrough=yes

Also change the mangle rule
from: in-interface=ether1-ISPB
to: in-interface=ether2-ISPB

Also the srcnat masquerade rule,
from: add action=masquerade chain=srcnat out-interface=ether1-ISPB
to: add action=masquerade chain=srcnat out-interface=ether2-ISPB



2. I do not see any other issues and thus understand the confusion. Maybe someone with sharper eyes!!
3. No need to add all those address lists, maybe later but not now.
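The two kinds of mistake diagnosed in this thread (prerouting mangle rules that also mark traffic addressed to the router, and the ether1-ISPB / ether2-ISPB name mismatch) can be caught mechanically from an export. The following is an added example (not code from the thread or from MikroTik) that parses the export format posted above and flags those two problems plus a missing /ip firewall filter section; the two sample exports inside it are constructed, not real device exports.

```python
import shlex

# Constructed sample in the style of the thread's first export (not a real
# device export): prerouting marks plus a mistyped WAN interface name.
BROKEN_EXPORT = r"""
/interface bridge
add name=bridge_LAN
/interface ethernet
set [ find default-name=ether1 ] name=ether1-ISPA
set [ find default-name=ether2 ] name=ether2-ISPB
/ip firewall mangle
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=bridge_LAN new-connection-mark=isp1 passthrough=yes \
    per-connection-classifier=both-addresses-and-ports:2/0
add action=mark-routing chain=prerouting connection-mark=isp1 in-interface=\
    bridge_LAN new-routing-mark="ke isp1" passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1-ISPB
"""

# Constructed sample in the style of the corrected ruleset: transit traffic is
# marked in the forward chain with dst-address-type=!local, and a filter exists.
FIXED_EXPORT = r"""
/interface bridge
add name=bridge_LAN
/interface ethernet
set [ find default-name=ether1 ] name=ether1-ISPA
/ip firewall filter
add action=accept chain=input connection-state=established,related
/ip firewall mangle
add action=mark-connection chain=forward connection-mark=no-mark \
    dst-address-type=!local in-interface=bridge_LAN new-connection-mark=isp1 \
    passthrough=yes per-connection-classifier=both-addresses-and-ports:2/0
add action=mark-routing chain=prerouting connection-mark=isp1 \
    new-routing-mark="ke isp1" passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1-ISPA
"""


def parse_export(text):
    """Return [(section, command, {key: value})]; a trailing backslash continues
    the command and the continuation line's indentation is dropped, as RouterOS does."""
    entries, section, pending = [], None, ""
    for raw in text.splitlines():
        line = pending + raw.lstrip() if pending else raw.strip()
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        pending = ""
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            section = line
            continue
        tokens = shlex.split(line)  # keeps "ke isp1" as a single value
        params = dict(tok.split("=", 1) for tok in tokens[1:] if "=" in tok)
        entries.append((section, tokens[0], params))
    return entries


def check_interface_names(entries):
    """interface=/in-interface=/out-interface= must name a bridge or a renamed
    ethernet port (untouched default names such as ether3 are not tracked here)."""
    known = {p["name"] for s, c, p in entries
             if (s, c) == ("/interface bridge", "add")
             or (s == "/interface ethernet" and c == "set" and "name" in p)}
    return [f"{s}: {k}={p[k]} is not a defined interface"
            for s, _c, p in entries
            for k in ("interface", "in-interface", "out-interface")
            if k in p and p[k] not in known]


def check_prerouting_marks(entries):
    """Flag prerouting mark-routing rules whose connection mark is also set on
    connections to the router itself (setter not forward-only and no !local)."""
    mangle = [p for s, c, p in entries if (s, c) == ("/ip firewall mangle", "add")]
    setters = {}
    for p in mangle:
        if p.get("action") == "mark-connection":
            setters.setdefault(p.get("new-connection-mark"), []).append(p)
    findings = []
    for p in mangle:
        if p.get("action") != "mark-routing" or p.get("chain") != "prerouting":
            continue
        for src in setters.get(p.get("connection-mark"), []):
            if src.get("chain") != "forward" and src.get("dst-address-type") != "!local":
                findings.append(
                    f"/ip firewall mangle: {p.get('new-routing-mark')!r} is applied in "
                    f"prerouting to connections marked in chain {src.get('chain')} without "
                    "dst-address-type=!local; packets for the router itself are looked up "
                    "in the WAN table instead of being delivered locally")
    return findings


def check_filter_present(entries):
    if any(s == "/ip firewall filter" for s, _c, _p in entries):
        return []
    return ["/ip firewall filter: no filter rules, so nothing restricts access "
            "to the router from the WAN interfaces"]


def lint(text):
    entries = parse_export(text)
    return (check_interface_names(entries) + check_prerouting_marks(entries)
            + check_filter_present(entries))
```

`lint(BROKEN_EXPORT)` reports all three findings, while `lint(FIXED_EXPORT)` reports none.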

What does a print of the IP routes look like, or a screenshot of the table?

Sorry, I tried attaching the screenshot but last night it was raining hard, causing flaky internet.
Is the screenshot below sufficient?
winbox_output_windows.jpg
winbox_output2.jpg

The issue is clearly (from your screenshot) that the two routes for 0.0.0.0/0 are S (Static) while they should be AS (Active Static).

No idea why that happens, though.

Have you tried rebooting the router after all the additions/modifications?

Please reboot it and then do a new export and post the file.

After reboot only one of them changed to AS, but no internet. Ping from Winbox to 8.8.8.8 still works, though.
The exported script is as follows:

/interface bridge
add name=bridge_LAN

/interface ethernet
set [ find default-name=ether1 ] name=ether1-ISPA
set [ find default-name=ether2 ] name=ether2-ISPB
set [ find default-name=ether3 ] name=ether3-output
set [ find default-name=ether4 ] name=ether4-output
set [ find default-name=ether5 ] name=ether5-output

/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN

/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik

/ip pool
add name=dhcp_pool0 ranges=192.168.0.2-192.168.0.254

/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=bridge_LAN name=dhcp1

/interface bridge port
add bridge=bridge_LAN interface=ether3-output
add bridge=bridge_LAN interface=ether4-output
add bridge=bridge_LAN interface=ether5-output

/ip neighbor discovery-settings
set discover-interface-list=LAN

/interface list member
add interface=ether1-ISPA list=WAN
add interface=ether2-ISPB list=WAN
add interface=bridge_LAN list=LAN

/ip address
add address=192.168.0.1/24 interface=bridge_LAN network=192.168.0.0

/ip dhcp-client
add disabled=no interface=ether1-ISPA
add disabled=no interface=ether2-ISPB

/ip dhcp-server network
add address=192.168.0.0/24 dns-server=\
    1.1.1.1,192.168.1.1,103.94.168.169,103.94.168.169 gateway=192.168.0.1

/ip dns
set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8

/ip firewall mangle
add action=mark-connection chain=input connection-mark=no-mark in-interface=\
    ether1-ISPA new-connection-mark=to-isp1 passthrough=yes
add action=mark-connection chain=input connection-mark=no-mark in-interface=\
    ether2-ISPB new-connection-mark=to-isp2 passthrough=yes
add action=mark-routing chain=output connection-mark=to-isp1 \
    new-routing-mark="ke isp1" passthrough=no
add action=mark-routing chain=output connection-mark=to-isp2 \
    new-routing-mark="ke isp2" passthrough=no
add action=mark-connection chain=forward connection-mark=no-mark \
    dst-address-type=!local in-interface=bridge_LAN new-connection-mark=isp1 \
    passthrough=yes per-connection-classifier=both-addresses-and-ports:2/0
add action=mark-connection chain=forward connection-mark=no-mark \
    dst-address-type=!local in-interface=bridge_LAN new-connection-mark=isp2 \
    passthrough=yes per-connection-classifier=both-addresses-and-ports:2/1
add action=mark-routing chain=prerouting connection-mark=isp1 \
    new-routing-mark="ke isp1" passthrough=no
add action=mark-routing chain=prerouting connection-mark=isp2 \
    new-routing-mark="ke isp2" passthrough=no

/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1-ISPA
add action=masquerade chain=srcnat out-interface=ether2-ISPB

/ip route
add distance=1 gateway=192.168.1.1 routing-mark="ke isp1"
add distance=1 gateway=192.168.8.1 routing-mark="ke isp2"
add check-gateway=ping comment="WAN 1" distance=1 gateway=8.8.4.4 scope=10 \
    target-scope=12
add check-gateway=ping comment="WAN 2" distance=2 gateway=1.0.0.1 scope=10 \
    target-scope=12
add distance=2 dst-address=1.0.0.1/32 gateway=192.168.8.1 scope=10 \
    target-scope=11
add distance=1 dst-address=8.8.4.4/32 gateway=192.168.1.1 scope=10 \
    target-scope=11

/system clock
set time-zone-name=Asia/Jakarta

/tool mac-server
set allowed-interface-list=LAN

/tool mac-server mac-winbox
set allowed-interface-list=LAN

winbox_output3.jpg

Using the original mangle rules brings back the internet; however, I am still locked out from accessing through the IP address (MAC address access through Winbox works, though).
I’m comparing the scripts below; does it have something to do with the passthrough settings, the dst-address line or the in-interface (bold)?
Mikrotik-mangleComparison.jpg
Here is the exported script:

/interface bridge
add name=bridge_LAN

/interface ethernet
set [ find default-name=ether1 ] name=ether1-ISPA
set [ find default-name=ether2 ] name=ether2-ISPB
set [ find default-name=ether3 ] name=ether3-output
set [ find default-name=ether4 ] name=ether4-output
set [ find default-name=ether5 ] name=ether5-output

/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN

/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik

/ip pool
add name=dhcp_pool0 ranges=192.168.0.2-192.168.0.254

/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=bridge_LAN name=dhcp1

/interface bridge port
add bridge=bridge_LAN interface=ether3-output
add bridge=bridge_LAN interface=ether4-output
add bridge=bridge_LAN interface=ether5-output

/ip neighbor discovery-settings
set discover-interface-list=LAN

/interface list member
add interface=ether1-ISPA list=WAN
add interface=ether2-ISPB list=WAN
add interface=bridge_LAN list=LAN

/ip address
add address=192.168.0.1/24 interface=bridge_LAN network=192.168.0.0

/ip dhcp-client
add disabled=no interface=ether1-ISPA
add disabled=no interface=ether2-ISPB

/ip dhcp-server network
add address=192.168.0.0/24 dns-server=103.94.168.168,103.94.168.169 gateway=\
    192.168.0.1

/ip dns
set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8

/ip firewall mangle
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=ether1-ISPA new-connection-mark=isp1 passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=ether2-ISPB new-connection-mark=isp2 passthrough=yes
add action=mark-routing chain=output connection-mark=isp1 new-routing-mark=\
    "ke isp1" passthrough=yes
add action=mark-routing chain=output connection-mark=isp2 new-routing-mark=\
    "ke isp2" passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=bridge_LAN new-connection-mark=isp1 passthrough=yes \
    per-connection-classifier=both-addresses-and-ports:2/0
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=bridge_LAN new-connection-mark=isp2 passthrough=yes \
    per-connection-classifier=both-addresses-and-ports:2/1
add action=mark-routing chain=prerouting connection-mark=isp1 in-interface=\
    bridge_LAN new-routing-mark="ke isp1" passthrough=yes
add action=mark-routing chain=prerouting connection-mark=isp2 in-interface=\
    bridge_LAN new-routing-mark="ke isp2" passthrough=yes

/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1-ISPA
add action=masquerade chain=srcnat out-interface=ether2-ISPB

/ip route
add distance=1 gateway=192.168.1.1 routing-mark="ke isp1"
add distance=1 gateway=192.168.8.1 routing-mark="ke isp2"
add check-gateway=ping comment="WAN 1" distance=1 gateway=8.8.4.4 scope=10 \
    target-scope=12
add check-gateway=ping comment="WAN 2" distance=2 gateway=1.0.0.1 scope=10 \
    target-scope=12
add distance=2 dst-address=1.0.0.1/32 gateway=192.168.8.1 scope=10 \
    target-scope=11
add distance=1 dst-address=8.8.4.4/32 gateway=192.168.1.1 scope=10 \
    target-scope=11

/system clock
set time-zone-name=Asia/Jakarta

/tool mac-server
set allowed-interface-list=LAN

/tool mac-server mac-winbox
set allowed-interface-list=LAN

Adjust mangles. (in-interface is not required on mark-routing as it is already captured in the mark-connection!)
/ip firewall mangle
# traffic to the router
add action=mark-connection chain=input connection-mark=no-mark \
    in-interface=ether1-ISPA new-connection-mark=incoming-isp1 passthrough=yes
add action=mark-connection chain=input connection-mark=no-mark \
    in-interface=ether2-ISPB new-connection-mark=incoming-isp2 passthrough=yes
add action=mark-routing chain=output connection-mark=incoming-isp1 \
    new-routing-mark="ke isp1" passthrough=no
add action=mark-routing chain=output connection-mark=incoming-isp2 \
    new-routing-mark="ke isp2" passthrough=no

# load balancing mangling
add action=mark-connection chain=forward connection-mark=no-mark \
    in-interface=bridge_LAN new-connection-mark=isp1 passthrough=yes \
    per-connection-classifier=both-addresses-and-ports:2/0
add action=mark-connection chain=forward connection-mark=no-mark \
    in-interface=bridge_LAN new-connection-mark=isp2 passthrough=yes \
    per-connection-classifier=both-addresses-and-ports:2/1
add action=mark-routing chain=prerouting connection-mark=isp1 \
    new-routing-mark="ke isp1" passthrough=no
add action=mark-routing chain=prerouting connection-mark=isp2 \
    new-routing-mark="ke isp2" passthrough=no

Don’t forget the first rule in the forward chain of the firewall rules; adjust it by adding…
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes connection-mark=no-mark

Still no internet, but the weird thing is that Windows 10’s LAN connection notification (the one on the bottom-right icon in Windows) reported that I have internet access. I’ve rebooted the router a few times to check this… the browser reported no internet, though.

Here is the export result:

/ip firewall mangle
add action=mark-connection chain=input connection-mark=no-mark in-interface=\
    ether1-ISPA new-connection-mark=incoming-isp1 passthrough=yes
add action=mark-connection chain=input connection-mark=no-mark in-interface=\
    ether2-ISPB new-connection-mark=incoming-isp2 passthrough=yes
add action=mark-routing chain=output connection-mark=incoming-isp1 \
    new-routing-mark="ke isp1" passthrough=no
add action=mark-routing chain=output connection-mark=incoming-isp2 \
    new-routing-mark="ke isp2" passthrough=no
add action=mark-connection chain=forward connection-mark=no-mark \
    in-interface=bridge_LAN new-connection-mark=isp1 passthrough=yes \
    per-connection-classifier=both-addresses-and-ports:2/0
add action=mark-connection chain=forward connection-mark=no-mark \
    in-interface=bridge_LAN new-connection-mark=isp2 passthrough=yes \
    per-connection-classifier=both-addresses-and-ports:2/1
add action=mark-routing chain=prerouting connection-mark=isp1 \
    new-routing-mark="ke isp1" passthrough=no
add action=mark-routing chain=prerouting connection-mark=isp2 \
    new-routing-mark="ke isp2" passthrough=no

/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1-ISPA
add action=masquerade chain=srcnat out-interface=ether2-ISPB

/ip route
add distance=1 gateway=192.168.1.1 routing-mark="ke isp1"
add distance=1 gateway=192.168.8.1 routing-mark="ke isp2"
add check-gateway=ping comment="WAN 1" distance=1 gateway=8.8.4.4 scope=10 \
    target-scope=12
add check-gateway=ping comment="WAN 2" distance=2 gateway=1.0.0.1 scope=10 \
    target-scope=12
add distance=2 dst-address=1.0.0.1/32 gateway=192.168.8.1 scope=10 \
    target-scope=11
add distance=1 dst-address=8.8.4.4/32 gateway=192.168.1.1 scope=10 \
    target-scope=11

Regarding the fasttrack command, it reported an error with the "h" in hw-offload highlighted in red, as follows.
winbox_fasttrack.jpg

After trial and error, I finally got internet AND can access WebFig with the following script:

/interface bridge
add name=bridge_LAN

/interface ethernet
set [ find default-name=ether1 ] name=ether1-ISPA
set [ find default-name=ether2 ] name=ether2-ISPB
set [ find default-name=ether3 ] name=ether3-output
set [ find default-name=ether4 ] name=ether4-output
set [ find default-name=ether5 ] name=ether5-output

/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN

/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik

/ip pool
add name=dhcp_pool0 ranges=192.168.0.2-192.168.0.254

/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=bridge_LAN name=dhcp1

/interface bridge port
add bridge=bridge_LAN interface=ether3-output
add bridge=bridge_LAN interface=ether4-output
add bridge=bridge_LAN interface=ether5-output

/ip neighbor discovery-settings
set discover-interface-list=LAN

/interface list member
add interface=ether1-ISPA list=WAN
add interface=ether2-ISPB list=WAN
add interface=bridge_LAN list=LAN

/ip address
add address=192.168.0.1/24 interface=bridge_LAN network=192.168.0.0

/ip dhcp-client
add disabled=no interface=ether1-ISPA
add disabled=no interface=ether2-ISPB

/ip dhcp-server network
add address=192.168.0.0/24 dns-server=1.1.1.1,8.8.8.8,103.94.168.168,103.94.168.169 gateway=\
    192.168.0.1

/ip dns
set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8

/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=\
    established,related
add action=accept chain=forward connection-state=established,related

/ip firewall mangle
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=ether1-ISPA new-connection-mark=incoming-isp1 passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=ether2-ISPB new-connection-mark=incoming-isp2 passthrough=yes
add action=mark-routing chain=output connection-mark=incoming-isp1 \
    new-routing-mark="ke isp1" passthrough=no
add action=mark-routing chain=output connection-mark=incoming-isp2 \
    new-routing-mark="ke isp2" passthrough=no
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=bridge_LAN new-connection-mark=isp1 passthrough=yes \
    per-connection-classifier=both-addresses-and-ports:2/0
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=bridge_LAN new-connection-mark=isp2 passthrough=yes \
    per-connection-classifier=both-addresses-and-ports:2/1
add action=mark-routing chain=prerouting connection-mark=isp1 in-interface=\
    bridge_LAN new-routing-mark="ke isp1" passthrough=no
add action=mark-routing chain=prerouting connection-mark=isp2 in-interface=\
    bridge_LAN new-routing-mark="ke isp2" passthrough=no

/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1-ISPA
add action=masquerade chain=srcnat out-interface=ether2-ISPB

/ip route
add distance=1 gateway=192.168.1.1 routing-mark="ke isp1"
add distance=1 gateway=192.168.8.1 routing-mark="ke isp2"
add check-gateway=ping comment="WAN 1" distance=1 gateway=8.8.4.4 scope=10 \
    target-scope=12
add check-gateway=ping comment="WAN 2" distance=2 gateway=1.0.0.1 scope=10 \
    target-scope=12
add distance=2 dst-address=1.0.0.1/32 gateway=192.168.8.1 scope=10 \
    target-scope=11
add distance=1 dst-address=8.8.4.4/32 gateway=192.168.1.1 scope=10 \
    target-scope=11

/system clock
set time-zone-name=Asia/Jakarta

/tool mac-server
set allowed-interface-list=LAN

/tool mac-server mac-winbox
set allowed-interface-list=LAN

Anav & Jaclaz, thank you for your guidance and patience. I'll test the connection further for the services (VOIP, P2P, etc.), hopefully with no issues.
The fasttrack setting causes the speed to drop by about 20%; however, it lowers CPU load by a lot (around 20% without fasttrack to 5% with fasttrack).
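One thing the final export above does not contain is any rule in the input chain: the only filter rules are the two forward-chain rules, while `/ip dns set allow-remote-requests=yes`, Winbox and WebFig are all enabled. With no input filter, the router answers DNS queries and management connections that arrive on ether1-ISPA and ether2-ISPB just as it does on the LAN, so its DNS cache is usable as an open resolver from the internet. The following is an added example, not part of the original post, of the default-config style input chain built on the WAN/LAN interface lists the export already defines; the 192.168.0.0/24 subnet in the `/ip service` section is assumed from the export's LAN address. The incoming-isp1/isp2 mangle rules in the export remain necessary so that replies to traffic the router accepts still leave via the ISP they came in on.

```routeros
# Added example (not from the original post): restrict services on the router
# itself to the LAN. Uses the WAN/LAN interface lists and the 192.168.0.0/24
# LAN subnet already present in the export above.
/ip firewall filter
# --- input chain: traffic addressed to the router itself ---
add chain=input action=accept connection-state=established,related \
    comment="replies to the router's own traffic (DHCP client, check-gateway pings)"
add chain=input action=drop connection-state=invalid \
    comment="drop invalid"
add chain=input action=accept protocol=icmp \
    comment="keep ping and ICMP errors working"
add chain=input action=drop in-interface-list=!LAN \
    comment="DNS, Winbox, WebFig and everything else on the router: LAN only"
# --- forward chain: place these below the existing fasttrack/accept rules ---
add chain=forward action=drop connection-state=invalid
add chain=forward action=drop connection-state=new in-interface-list=WAN \
    connection-nat-state=!dstnat \
    comment="no unsolicited inbound from either ISP unless explicitly dst-nat'ed"
# second layer: bind management services to the LAN subnet, disable unused ones
/ip service
set winbox address=192.168.0.0/24
set www address=192.168.0.0/24
set ssh address=192.168.0.0/24
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes
```

Rules are evaluated top to bottom, so the input drop has to sit after the accept rules, and the two forward drops belong after the `fasttrack-connection` and `accept established,related` rules already in the export; otherwise the established/related accept never sees return traffic. The export already limits the MAC server and MAC-Winbox to the LAN list, which this example leaves as is.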

For the fasttrack rule, simply add this:
/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=\
    established,related connection-mark=no-mark

This avoids the slowdown of the router not behaving well when attempting to fasttrack mangled traffic.
Now since the majority of traffic is mangled, there will be little that fasttrack can do, but we have to live with that.
( or buy a 5009 router with more gusto )

EDIT: I see this was already recommended…
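To see how much traffic that `connection-mark=no-mark` fasttrack rule is actually catching next to the PCC mangle rules, the counters on the router show it directly. The commands below are an added example, not from the original posts; they only read counters and state on a RouterOS 6.x box configured as in the export above and change nothing.

```routeros
# Added example (not from the original posts): observe what fasttrack handles
# versus what the mangle rules mark, on the config exported above.
# packet/byte counters of the fasttrack rule and the accept rule below it
/ip firewall filter print stats
# counters of the PCC and incoming-isp mangle rules; nearly all LAN-originated
# connections should be hitting the isp1/isp2 marking rules
/ip firewall mangle print stats
# connection table: entries that fasttrack has taken over are shown with the
# F flag, marked connections show their connection-mark column
/ip firewall connection print
# CPU load snapshot to compare with and without the fasttrack rule in place
/system resource monitor once
```

If the fasttrack rule's counters barely move while the isp1/isp2 mangle rules count nearly every new connection, the router is behaving exactly as described above: everything that carries a mark is excluded from fasttrack and takes the slow path, which is the trade-off for PCC load balancing on this hardware.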