Hello everyone,
It is my first time setting up MikroTik with 2 ISPs simultaneously and I have some problems.
MikroTik hAP lite, ROS 6.49
wan1 - pppoe
wan2 - 192.168.1.0/24 - 4g lte modem
lan - 192.168.0.0/24
I can't post the current config, as I have no access to the router now; I will have it tomorrow.
What I want to achieve is this:
I have a DVR with IP 192.168.0.108 and I want this DVR to reach the internet only via wan1, with the respective ports open for its data. The other PCs must reach the internet via wan2.
I am using routing marks for the src address of the DVR - 192.168.0.108 - to go via wan1. When I use routing marks for the rest of the PCs, can I use 192.168.0.0/24 as the src address, as it includes the DVR IP? Maybe the DVR rule must be first with passthrough=yes and the routing mark for the rest of the devices must be second with passthrough=no?
Is it necessary to use routing marks when I dst-nat to the DVR, or is just one mangle rule for the DVR enough for incoming and outgoing?
Regards.
For this simple policy just use a routing rule; it is cleaner and uses fewer resources than mangle. As long as proper routing and NAT rules are in place you are all set.
Hi, and thank you for the reply. Can you say more about the routing rule? Does it mean adding a second routing table?
A routing rule is an alternative to (mangle mark-connection + mark-routing), since your requirement is so simple. The prerequisite is still the same: for the PPPoE and LTE connections you are going to create a separate routing table for each connection.
routing/table/add fib name=ISP1
routing/table/add fib name=ISP2
ip route/add dst-address=0.0.0.0/0 gateway=pppoe_out1 routing-table=ISP1
ip route/add dst-address=0.0.0.0/0 gateway=x.x.x.x%LTE1 routing-table=ISP2
routing/rule/add src-address=192.168.0.108/32 table=ISP1 action=lookup
routing/rule/add src-address=192.168.0.0/24 table=ISP2 action=lookup
/ip/firewall/nat/add chain=srcnat out-interface=pppoe_out1 action=masquerade
/ip/firewall/nat/add chain=srcnat out-interface=LTE1 action=masquerade
Hey, thank you, it looks really simple and elegant. Can I add just a second routing table and keep main instead of ISP1? Is it necessary to adjust dst-nat for the DVR, or is the routing rule enough?
The MikroTik hAP lite is on ROS 6.49; I guess the CLI you provided is from ROS 7.
regards
Yes, definitely, and also read about the behavior of routing rules in the MikroTik docs.
The same concept applies; if there are subtle differences, they are negligible.
For the dst-nat / port-forwarding, if you really need it, you have to ensure you have this in your mangle rules:
/ip firewall mangle
add action=mark-connection chain=prerouting connection-mark=no-mark connection-state=new in-interface=pppoe_out1 new-connection-mark=ISP1
add action=mark-routing chain=output connection-mark=ISP1 new-routing-mark=ISP1 passthrough=no
This will ensure that all locally generated traffic from the router egresses properly; and of course add the dst-nat / port-forwarding rule that you need.
Thank you sir, will test it later, really appreciate your help - you've got a bunch of beers
Regards
no worries
Do you expect local users to also access the DVR?
Hi anav, no, the DVR is monitored remotely only. It is a courier company with slow internet, so my idea is to split the traffic between the 2 ISPs - the DVR on the cable net, 3 PCs and 3 tablets on the 4G LTE. Local users do not have access to the DVR.
Regards
Another point to consider is using ZeroTier; I use that all the time and just do some routing, that's it. Sometimes punching a hole is hard for these undocumented Chinese NVRs, and that way you don't have to fiddle with NAT. Just my 0.002$
As stated, easy to do with proper config.
Please post
/export file=anynameyouwish (minus router serial number, any public WANIP information, keys )
Hi everyone,
after multiple experiments I think it works now. I was able to do it with 2 mangle rules; when I tried to add a second routing table I always got a syntax error etc. What I did was this:
- Mangle rules
/ip firewall mangle
add chain=prerouting src-address=192.168.0.108 action=mark-routing new-routing-mark=to_wan1 passthrough=no
add chain=prerouting src-address=192.168.0.0/24 dst-address=!192.168.0.108 action=mark-routing new-routing-mark=to_wan2 passthrough=no
- Routes for each WAN
/ip route
add gateway=pppoe-out1 routing-mark=to_wan1 check-gateway=ping
add gateway=192.168.1.1 routing-mark=to_wan2 check-gateway=ping
- NAT for WANs
/ip firewall nat
add chain=srcnat out-interface=pppoe-out1 action=masquerade
add chain=srcnat out-interface=ether2 action=masquerade
- Port forwarding for DVR
/ip firewall nat
add action=dst-nat chain=dstnat comment=dvr dst-port=85 in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.0.108 to-ports=85
add action=dst-nat chain=dstnat dst-port=8063 in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.0.108 to-ports=8063
add action=dst-nat chain=dstnat dst-port=554 in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.0.108 to-ports=554
It works - the DVR can be accessed via wan1, the rest of the PCs are working via wan2 - but I cannot ping the wan1 static IP or connect with WinBox; when I try to open the web port of the DVR it's OK, the data port is OK.
Here is my full config
# jun/25/2025 18:29:14 by RouterOS 6.49.18
# software id = CRWN-QFGH
#
# model = RB941-2nD
# serial number =
/interface bridge
add admin-mac=74:4D:28:81:A9:9A auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX disabled=no distance=indoors frequency=auto installation=indoor mode=ap-bridge name=econt skip-dfs-channels=all ssid=econt wireless-protocol=802.11
/interface pppoe-client
add disabled=no interface=ether1 name=pppoe-out1 password=******* user=******
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk group-ciphers=tkip,aes-ccm mode=dynamic-keys supplicant-identity=MikroTik unicast-ciphers=tkip,aes-ccm wpa2-pre-shared-key=*******
/ip pool
add name=default-dhcp ranges=192.168.0.10-192.168.0.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=pwr-line1
add bridge=bridge comment=defconf interface=econt
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
add interface=ether2 list=WAN
/ip address
add address=192.168.0.1/24 comment=defconf interface=bridge network=192.168.0.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
add add-default-route=no disabled=no interface=ether2
/ip dhcp-server lease
add address=192.168.0.184 client-id=1:78:5f:4c:3:c2:7a comment=PC1-ARGOX mac-address=78:5F:4C:03:C2:7A server=defconf
add address=192.168.0.181 client-id=1:78:5f:4c:0:59:58 comment=PC3-ARGOX mac-address=78:5F:4C:00:59:58 server=defconf
add address=192.168.0.185 client-id=1:58:11:22:b6:78:d1 mac-address=58:11:22:B6:78:D1 server=defconf
add address=192.168.0.180 client-id=1:58:11:22:b6:78:74 mac-address=58:11:22:B6:78:74 server=defconf
add address=192.168.0.177 client-id=1:58:11:22:b6:78:2 mac-address=58:11:22:B6:78:02 server=defconf
/ip dhcp-server network
add address=192.168.0.0/24 comment=defconf dns-server=192.168.0.1 gateway=192.168.0.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=winbox dst-port=8291 protocol=tcp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=drop chain=output dst-address=8.8.4.4 out-interface=ether2
/ip firewall mangle
add action=mark-routing chain=prerouting new-routing-mark=to_wan1 passthrough=no src-address=192.168.0.108
add action=mark-routing chain=prerouting dst-address=!192.168.0.108 new-routing-mark=to_wan2 passthrough=no src-address=192.168.0.0/24
/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe-out1
add action=masquerade chain=srcnat out-interface=ether2
add action=dst-nat chain=dstnat comment=dvr dst-port=85 in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.0.108 to-ports=85
add action=dst-nat chain=dstnat dst-port=8063 in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.0.108 to-ports=8063
add action=dst-nat chain=dstnat dst-port=554 in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.0.108 to-ports=554
/ip route
add check-gateway=ping distance=1 gateway=pppoe-out1 routing-mark=to_wan1
add check-gateway=ping distance=1 gateway=192.168.1.1 routing-mark=to_wan2
/system clock
set time-zone-name=Europe/Sofia
/system identity
set name=econt-etropole
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool netwatch
add down-script="/ip route enable [find comment=\"ISP2\"]" host=8.8.4.4 timeout=30s up-script="/ip route disable [find comment=\"ISP2\"]"
Regards
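The export above has no default route in the main routing table: the only routes carry routing-mark=to_wan1 or to_wan2, the PPPoE client is not adding one and the ether2 DHCP client has add-default-route=no. Packets the router originates itself (the echo reply when you ping the wan1 address, the SYN-ACK for a WinBox session, DNS lookups to 8.8.8.8, the netwatch probe to 8.8.4.4) are looked up in main, find nothing and are dropped, which matches the symptom reported. The block below is an added example written for this thread, not the OP's config nor any other poster's; it is RouterOS 6 syntax layered on top of the export, and every interface name, mark, address, port and comment in it is taken from that export except 203.0.113.10, a placeholder for the real remote monitoring address. It also adds the two things a practitioner would want here: the DVR policy failing closed instead of falling back to the LTE link, and the three forwarded DVR ports plus WinBox restricted to known sources.

```routeros
# Added example (RouterOS 6.49 syntax), not from the original post. Applies on top
# of the export above; pppoe-out1, ether2, bridge, to_wan1, 192.168.1.1,
# 192.168.0.108 and the comments dvr / winbox / ISP2 all come from that export.
# 203.0.113.10 is a placeholder: replace it with the real monitoring site address.

# 1) Default route for the main table. Without it, router-originated traffic
#    (ping replies, WinBox, DNS, the netwatch probe) has no route at all.
#    Primary via wan1; backup via wan2 at a worse distance, tagged ISP2 because
#    that is the comment the existing netwatch up/down scripts enable/disable.
/ip route
add gateway=pppoe-out1 distance=1 check-gateway=ping comment=ISP1
add gateway=192.168.1.1 distance=2 check-gateway=ping comment=ISP2 disabled=yes

# 2) Fail closed for the DVR. In RouterOS 6 a lookup in a marked table that finds
#    no active route falls back to main, so with the PPPoE link down the DVR would
#    silently leave via LTE. A blackhole at a worse distance in the same marked
#    table becomes active first and stops that.
add type=blackhole routing-mark=to_wan1 distance=10 comment="DVR: never fall back to wan2"

# 3) Keep replies to port-forwarded connections on the interface they arrived on.
#    Mark the connection on its first packet from pppoe-out1, then set the routing
#    mark for the DVR's reply packets (prerouting, from the bridge) and for replies
#    the router generates itself (output). place-before=0/1 puts the two prerouting
#    rules ahead of the existing src-address marks, which stay unchanged.
/ip firewall mangle
add chain=prerouting in-interface=pppoe-out1 connection-state=new connection-mark=no-mark action=mark-connection new-connection-mark=from_wan1 passthrough=yes place-before=0
add chain=prerouting in-interface=bridge connection-mark=from_wan1 action=mark-routing new-routing-mark=to_wan1 passthrough=no place-before=1
add chain=output connection-mark=from_wan1 action=mark-routing new-routing-mark=to_wan1 passthrough=no

# 4) Limit exposure. The posted dst-nat rules accept 85/8063/554 to the DVR from
#    any source, and the "winbox" input rule accepts 8291 on every interface,
#    both WANs included. Allow only the monitoring site(s).
/ip firewall address-list
add list=monitoring address=203.0.113.10 comment="placeholder: remote monitoring site"
/ip firewall nat
set [find chain=dstnat to-addresses=192.168.0.108] src-address-list=monitoring
/ip firewall filter
set [find comment=winbox] src-address-list=monitoring
```

After applying it, `/ip route print` should show an active default route with no routing-mark, and `/ping 8.8.4.4 src-address=<wan1 address>` from the router should succeed; WinBox from a monitoring address should then connect via the wan1 IP. One caveat to verify on this box: the defconf fasttrack rule lets established packets skip mangle, so if the marked connections unexpectedly start using the main table, add `connection-mark=no-mark` to that fasttrack rule so that only unmarked connections are fasttracked.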