Dual WAN Routing

Hey Guys,

I've tried nearly everything without finding a proper solution.

My Setup:
HAP AC3
eth1 → WAN over PPPOE
eth2 → WAN over COAX Router
eth3-5 → Bridge

Standard Route through eth2 (400MBit)
I want ONE client (the SIP/telephony server) to go out through eth1, because that link is a separate DSL line dedicated to SIP telephony.

I mark connections coming from the IP of the SIP server, set a routing mark on all those connections, and created a separate routing table in which 0.0.0.0/0 goes via eth1. I can see the marks in the Connections tab, but the traffic is still routed through eth2.

# may/15/2022 09:47:30 by RouterOS 7.2.2

software id = FU2Y-5FQR

model = RBD53iG-5HacD2HnD

serial number = F34E0FF2DE05

/caps-man channel
add band=2ghz-b/g/n control-channel-width=20mhz extension-channel=disabled
frequency=2412,2437,2462 name=CH-24-Auto tx-power=9
/interface bridge
add admin-mac=DC:2C:6E:5C:AC:05 auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] name=eth1_Telekom
set [ find default-name=ether2 ] name=eth2_PYUR
/interface wireless

# (the "managed by CAPsMAN" / "channel: ..." lines below are export comments
# that lost their leading "#" when the export was pasted into the forum)
managed by CAPsMAN

channel: 2437/20/gn(6dBm), SSID: AC, CAPsMAN forwarding

set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX
distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=
MikroTik-5CAC09 wireless-protocol=802.11

managed by CAPsMAN

channel: 5680/20-eeCe/ac/DP(21dBm), SSID: AC, CAPsMAN forwarding

set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=
20/40/80mhz-XXXX distance=indoors frequency=auto installation=indoor
mode=ap-bridge ssid=MikroTik-5CAC0A wireless-protocol=802.11
/interface vlan
add interface=bridge name=VLAN2-GAST vlan-id=2
# NOTE(review): all three CAPsMAN profiles allow .encryption=aes-ccm,tkip.
# TKIP is deprecated and weaker than CCMP; restrict the list to aes-ccm unless
# a legacy client genuinely still requires TKIP.
/caps-man configuration
add channel=CH-24-Auto country=germany datapath.bridge=bridge installation=
indoor name=AC_24 security.authentication-types=wpa2-psk .encryption=
aes-ccm,tkip ssid=AC
add country=“etsi 5.5-5.7 outdoor” datapath.bridge=bridge name=AC_5
security.authentication-types=wpa2-psk .encryption=aes-ccm,tkip ssid=AC
# Guest SSID: tagged into VLAN 2 with client-to-client forwarding off.
add channel=CH-24-Auto country=germany datapath.bridge=bridge
.client-to-client-forwarding=no .local-forwarding=yes .vlan-id=2
.vlan-mode=use-tag installation=indoor name=AC_24_GAST
security.authentication-types=wpa2-psk .encryption=aes-ccm,tkip ssid=
AC-Gast
# PPPoE adds its own default route into the main table at distance 20, i.e.
# it only wins once the eth2 DHCP default (distance 10, below) is gone.
/interface pppoe-client
add add-default-route=yes default-route-distance=20 disabled=no interface=
eth1_Telekom name=pppoe-Telekom user=
XXX
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
# default-dhcp (192.168.88.x) is a leftover of the default config; no DHCP
# server for the 192.168.10.0/24 bridge network is present in this export.
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=Gast ranges=192.168.20.2-192.168.20.254
/ip dhcp-server
add address-pool=Gast interface=VLAN2-GAST name=GAST
# Two extra FIBs; Pyur is only referenced by the (disabled) routing rule below.
/routing table
add disabled=no fib name=Pyur
add disabled=no fib name=Telekom
/caps-man manager
set ca-certificate=auto certificate=auto enabled=yes
/caps-man manager interface
set [ find default=yes ] forbid=yes
add disabled=no interface=bridge
/caps-man provisioning
add action=create-dynamic-enabled hw-supported-modes=gn,b
master-configuration=AC_24 name-format=prefix-identity name-prefix=24
add action=create-dynamic-enabled hw-supported-modes=an,ac
master-configuration=AC_5 name-format=prefix-identity name-prefix=5
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
# IPv6 is disabled; note that the routing rule further down still uses an
# IPv6 wildcard (::/0) as dst-address.
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
# LAN list = bridge only. VLAN2-GAST is deliberately not in it, so the input
# chain's "drop all not coming from LAN" rule also blocks guest clients from
# talking to the router itself (ICMP excepted).
/interface list member
add comment=defconf interface=bridge list=LAN
add interface=pppoe-Telekom list=WAN
add interface=eth2_PYUR list=WAN
add interface=eth1_Telekom list=WAN
# NOTE(review): auth=sha1,md5 lets OpenVPN clients negotiate MD5 HMAC. The
# export shows no enabled=yes for this server, so it appears to be off, but
# remove md5 from the list anyway so it cannot be used if the server is ever
# enabled.
/interface ovpn-server server
set auth=sha1,md5
/interface wireless cap

set certificate=request discovery-interfaces=bridge enabled=yes interfaces=
wlan1,wlan2 lock-to-caps-man=yes
# 192.168.10.1/24 and 192.168.10.2/24 are both on the bridge; the second
# address is redundant for routing and only adds another address the router
# answers on.
/ip address
add address=192.168.10.1/24 interface=bridge network=192.168.10.0
add address=192.168.20.1/24 interface=VLAN2-GAST network=192.168.20.0
add address=192.168.10.2/24 interface=bridge network=192.168.10.0
# ddns-enabled=yes registers the current public address with MikroTik's cloud
# DDNS under a MikroTik-provided hostname; disable it if such a public
# hostname for this router is not needed.
/ip cloud
set ddns-enabled=yes
# NOTE(review): the second dhcp-client runs on the LAN bridge itself. Any
# DHCP server reachable on the LAN - including a rogue one - can then hand
# this router an address, a default route (distance 30, used once both WAN
# defaults are gone) and, unless use-peer-dns=no is set as on the eth2
# client, DNS servers. Remove it unless it is intentional.
/ip dhcp-client
add default-route-distance=10 interface=eth2_PYUR use-peer-dns=no
add default-route-distance=30 interface=bridge
/ip dhcp-server network
add address=192.168.20.0/24 dns-server=1.1.1.3,1.0.0.3 gateway=192.168.20.1
# allow-remote-requests=yes makes this router a resolver for anything that
# reaches its input chain. Only the "drop all not coming from LAN" input rule
# below keeps it from answering queries from the WAN side, so do not loosen
# that rule.
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,1.0.0.1
# Stale defconf entry: router.lan still points at 192.168.88.1, but the
# bridge is addressed 192.168.10.1/24 (see /ip address).
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
# LAN and LANo3CX are defined here but no rule in this export references them.
/ip firewall address-list
add address=192.168.10.0/24 list=LAN
add address=192.168.10.3-192.168.10.13 list=LANo3CX
add address=192.168.10.15-192.168.10.254 list=LANo3CX
# Filter review:
#  - input: default config; ICMP is accepted from everywhere (including WAN)
#    before the final !LAN drop.
#  - forward: the fasttrack rule sends every established/related connection
#    down the fast path, which bypasses mangle. Packets of the 3CX connections
#    marked further down therefore never get their routing-mark applied and
#    follow the main table - this is the symptom reported in the thread. Add
#    connection-mark=no-mark to the fasttrack rule so marked connections stay
#    on the normal path, or drop the mangle approach in favour of a routing
#    rule.
#  - forward: nothing isolates the guest VLAN. A new connection from
#    VLAN2-GAST (192.168.20.0/24) towards the bridge (192.168.10.0/24)
#    matches no drop rule and is accepted by the chain's default policy. If
#    guests must not reach the LAN, add e.g.
#      add action=drop chain=forward in-interface=VLAN2-GAST out-interface=bridge
#    ahead of the WAN drop rule.
/ip firewall filter
add action=accept chain=input comment=
“defconf: accept established,related,untracked” connection-state=
established,related,untracked
add action=drop chain=input comment=“defconf: drop invalid” connection-state=
invalid
add action=accept chain=input comment=“defconf: accept ICMP” protocol=icmp
add action=accept chain=input comment=
“defconf: accept to local loopback (for CAPsMAN)” dst-address=127.0.0.1
add action=drop chain=input comment=“defconf: drop all not coming from LAN”
in-interface-list=!LAN
add action=fasttrack-connection chain=forward comment=“defconf: fasttrack”
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=
“defconf: accept established,related, untracked” connection-state=
established,related,untracked
add action=drop chain=forward comment=“defconf: drop invalid”
connection-state=invalid
add action=drop chain=forward comment=
“defconf: drop all from WAN not DSTNATed” connection-nat-state=!dstnat
connection-state=new in-interface-list=WAN
# Policy-routing marks for the 3CX host (.14) and the test host (.15, per the
# thread). The connection mark is set on the first packet (state new, so not
# yet fasttracked); the mark-routing rules, however, must run on every packet
# and do not for fasttracked ones - see the filter note above.
/ip firewall mangle
add action=mark-connection chain=prerouting connection-mark=no-mark
new-connection-mark=3CX passthrough=no src-address=192.168.10.14
add action=mark-connection chain=prerouting connection-mark=no-mark
new-connection-mark=3CX passthrough=no src-address=192.168.10.15
add action=mark-routing chain=prerouting connection-mark=3CX
new-routing-mark=Telekom passthrough=no
add action=mark-routing chain=output connection-mark=3CX new-routing-mark=
Telekom passthrough=no
# NAT review:
#  - the Exchange (25/443/80), Mailstore (8462) and both disabled SIP 5060
#    rules match dst-address=192.168.10.x, i.e. the server's internal
#    address. Inbound WAN traffic carries the public address as destination,
#    so these rules never match it; if those services are meant to be
#    published, match on in-interface / in-interface-list=WAN plus dst-port
#    instead, as the 3CX rules do.
#  - the "3CX Webclient" rule exposes tcp/5001 on the Telekom link to any
#    source address, and the forward chain accepts everything that was
#    dst-natted. That is a publicly reachable web/management UI; restrict it
#    with src-address-list to the networks that need it, or reach it via VPN.
#  - udp/9000-10999 (RTP) and tcp+udp/5090 (3CX tunnel) are likewise open to
#    any source; that is usual for a PBX, but keep the RTP range as small as
#    the PBX configuration allows.
/ip firewall nat
add action=masquerade chain=srcnat comment=“defconf: masquerade”
ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment=“Exchange SMTP” dst-address=
192.168.10.253 dst-port=25 protocol=tcp to-addresses=192.168.10.253
to-ports=25
add action=dst-nat chain=dstnat comment=“Exchange OWA” dst-address=
192.168.10.253 dst-port=443 protocol=tcp to-addresses=192.168.10.253
to-ports=443
add action=dst-nat chain=dstnat comment=“Exchange Lets Encrypt Challenge”
dst-address=192.168.10.253 dst-port=80 protocol=tcp to-addresses=
192.168.10.253 to-ports=80
add action=dst-nat chain=dstnat comment=Mailstore dst-address=192.168.10.13
dst-port=8462 protocol=tcp to-addresses=192.168.10.13 to-ports=8462
add action=dst-nat chain=dstnat comment=“3CX Webclient” dst-port=5001
in-interface=pppoe-Telekom protocol=tcp to-addresses=192.168.10.14
to-ports=5001
add action=dst-nat chain=dstnat comment=“3CX SIP TCP” disabled=yes
dst-address=192.168.10.14 dst-port=5060 protocol=tcp to-addresses=
192.168.10.14 to-ports=5060
add action=dst-nat chain=dstnat comment=“3CX RTP” dst-port=9000-10999
in-interface=pppoe-Telekom protocol=udp to-addresses=192.168.10.14
to-ports=9000-10999
add action=dst-nat chain=dstnat comment=“3CX Tunnel TCP” dst-port=5090
in-interface=pppoe-Telekom protocol=tcp to-addresses=192.168.10.14
to-ports=5090
add action=dst-nat chain=dstnat comment=“3CX Tunnel UDP” dst-port=5090
in-interface=pppoe-Telekom protocol=udp to-addresses=192.168.10.14
to-ports=5090
add action=dst-nat chain=dstnat comment=“3CX SIP UDP” disabled=yes
dst-address=192.168.10.14 dst-port=5060 protocol=udp to-addresses=
192.168.10.14 to-ports=5060
# SIP ALG (conntrack helper) disabled - commonly recommended for a SIP PBX
# behind NAT so the helper does not rewrite SIP payloads.
/ip firewall service-port
set sip disabled=yes
# The Telekom table holds only a default route. Any rule that does
# lookup-only-in-table=Telekom will therefore also push the host's traffic
# for the local 192.168.10.0/24 subnet out of the PPPoE link; add the
# connected subnets to the table (as the thread later does) or use
# action=lookup, which falls back to main.
/ip route
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=
pppoe-Telekom routing-table=Telekom suppress-hw-offload=no
# dst-address=::/0 is the IPv6 wildcard; on an IPv4 rule it never matches
# (and IPv6 is disabled above), so this rule would be a no-op even when
# enabled. Omit dst-address or use 0.0.0.0/0.
/routing rule
add action=lookup-only-in-table disabled=yes dst-address=::/0 src-address=
192.168.10.13/32 table=Pyur
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name=AC-GW
/system leds
set 0 interface=wlan1 leds=led1,led2,led3,led4,led5 type=
wireless-signal-strength
set 1 leds=poe-led type=poe-out
# MAC telnet / MAC WinBox limited to the LAN list. (The trailing "_" on the
# last line is a forum formatting artifact, not part of the config.)
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN_

(1) You have fasttrack and mangle marking enabled together, and those are not compatible: fasttracked packets bypass the mangle chain, so the routing mark is never applied to the packets of the marked connections.
(2) Luckily, no mangling is required here, so get rid of those mangle rules and you can keep fasttrack enabled!

(3) What is your SIP server? You seem to use 192.168.10.13, 192.168.10.14 and 192.168.10.15 interchangeably.

(4) With the setup below all users will go out via cable for internet. If cable goes down, all users will switch to PPPoE until cable comes back up.
Now we have to account for the SIP connection, and for that the separate table and routing rule are required. Just fill in the ??? with the actual LAN IP of the server whose traffic needs to go out via PPPoE.

# Main table: cable preferred (distance 5; withdrawn while check-gateway=ping
# fails), PPPoE as fallback (distance 10). cable-ISP / pppoe-ISP are
# placeholders for the real gateway interfaces (eth2_PYUR / pppoe-Telekom in
# the poster's config).
/ip route
add dst-address=0.0.0.0/0 gateway=cable-ISP  distance=5    check-gateway=ping
add dst-address=0.0.0.0/0 gateway=pppoe-ISP   distance=10
# Separate FIB for the SIP host. lookup-only-in-table never falls back to
# main, so the table needs its own routes: a default via PPPoE and the
# connected LAN subnet if that host's LAN-to-LAN traffic must keep working.
/routing table add name=usePPPOE  fib
# ????????? = the SIP server's LAN address (192.168.10.14/32 per the thread).
/routing rule add src-address=?????????   action=lookup-only-in-table  table=usePPPOE

Hey,

my SIP server is .14; the other two are for testing.

I tried routing rules too, but without any success. So you are saying fasttrack is my problem?

I will try the rules again, restarting the gateway or killing the existing connections.

So I did this and killed the connections, still without a solution.

# Telekom table: only a default route via the PPPoE interface. With
# lookup-only-in-table below, the host's traffic for the local
# 192.168.10.0/24 subnet is also sent this way, because nothing in the
# table covers it and there is no fallback to main.
/ip route
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=
pppoe-Telekom pref-src=“” routing-table=Telekom scope=30
suppress-hw-offload=no target-scope=10
# dst-address=::/0 is the IPv6 wildcard; on an IPv4 rule it never matches,
# so this rule has no effect even though it is enabled. Drop dst-address
# (or use 0.0.0.0/0).
/routing rule
add action=lookup-only-in-table disabled=no dst-address=::/0 src-address=
192.168.10.15/32 table=Telekom

10.14 is my SIP server, 10.15 is my test server, and traffic always goes through cable…

One cannot help with snippets of a config that is itself wrong! Why are you giving the secondary PPPoE route a distance of 1, for example? And my examples do not specify a routing table on the route itself.

Read this, it has all the information you need… https://forum.mikrotik.com/viewtopic.php?t=182373
PARAs I and J apply!

Hey, sorry, I snipped it down because I had already made the changes you wrote about in your last post.

Here in complete.

If I do it with routes, I need a second routing table, don't I?

# may/15/2022 14:57:23 by RouterOS 7.2.2

software id = FU2Y-5FQR

model = RBD53iG-5HacD2HnD

serial number = F34E0FF2DE05

/caps-man channel
add band=2ghz-b/g/n control-channel-width=20mhz extension-channel=disabled
frequency=2412,2437,2462 name=CH-24-Auto tx-power=9
/interface bridge
add admin-mac=DC:2C:6E:5C:AC:05 auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] name=eth1_Telekom
set [ find default-name=ether2 ] name=eth2_PYUR
/interface wireless

# (the "managed by CAPsMAN" / "channel: ..." lines below are export comments
# that lost their leading "#" when the export was pasted into the forum)
managed by CAPsMAN

channel: 2437/20/gn(6dBm), SSID: AC, CAPsMAN forwarding

set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX
distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=
MikroTik-5CAC09 wireless-protocol=802.11

managed by CAPsMAN

channel: 5680/20-eeCe/ac/DP(21dBm), SSID: AC, CAPsMAN forwarding

set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=
20/40/80mhz-XXXX distance=indoors frequency=auto installation=indoor
mode=ap-bridge ssid=MikroTik-5CAC0A wireless-protocol=802.11
/interface vlan
add interface=bridge name=VLAN2-GAST vlan-id=2
# NOTE(review): all three CAPsMAN profiles allow .encryption=aes-ccm,tkip.
# TKIP is deprecated and weaker than CCMP; restrict the list to aes-ccm unless
# a legacy client genuinely still requires TKIP.
/caps-man configuration
add channel=CH-24-Auto country=germany datapath.bridge=bridge installation=
indoor name=AC_24 security.authentication-types=wpa2-psk .encryption=
aes-ccm,tkip ssid=AC
add country=“etsi 5.5-5.7 outdoor” datapath.bridge=bridge name=AC_5
security.authentication-types=wpa2-psk .encryption=aes-ccm,tkip ssid=AC
# Guest SSID: tagged into VLAN 2 with client-to-client forwarding off.
add channel=CH-24-Auto country=germany datapath.bridge=bridge
.client-to-client-forwarding=no .local-forwarding=yes .vlan-id=2
.vlan-mode=use-tag installation=indoor name=AC_24_GAST
security.authentication-types=wpa2-psk .encryption=aes-ccm,tkip ssid=
AC-Gast
# PPPoE adds its own default route into the main table at distance 20, i.e.
# it only wins once the eth2 DHCP default (distance 10, below) is gone.
/interface pppoe-client
add add-default-route=yes default-route-distance=20 disabled=no interface=
eth1_Telekom name=pppoe-Telekom user=
XXX
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
# default-dhcp (192.168.88.x) is a leftover of the default config; no DHCP
# server for the 192.168.10.0/24 bridge network is present in this export.
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=Gast ranges=192.168.20.2-192.168.20.254
/ip dhcp-server
add address-pool=Gast interface=VLAN2-GAST name=GAST
# Two extra FIBs; Pyur is not referenced by anything else in this export.
/routing table
add disabled=no fib name=Pyur
add disabled=no fib name=Telekom
/caps-man manager
set ca-certificate=auto certificate=auto enabled=yes
/caps-man manager interface
set [ find default=yes ] forbid=yes
add disabled=no interface=bridge
/caps-man provisioning
add action=create-dynamic-enabled hw-supported-modes=gn,b
master-configuration=AC_24 name-format=prefix-identity name-prefix=24
add action=create-dynamic-enabled hw-supported-modes=an,ac
master-configuration=AC_5 name-format=prefix-identity name-prefix=5
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
# IPv6 is disabled; note that the routing rule further down still uses an
# IPv6 wildcard (::/0) as dst-address.
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
# LAN list = bridge only. VLAN2-GAST is deliberately not in it, so the input
# chain's "drop all not coming from LAN" rule also blocks guest clients from
# talking to the router itself (ICMP excepted).
/interface list member
add comment=defconf interface=bridge list=LAN
add interface=pppoe-Telekom list=WAN
add interface=eth2_PYUR list=WAN
add interface=eth1_Telekom list=WAN
# NOTE(review): auth=sha1,md5 lets OpenVPN clients negotiate MD5 HMAC. The
# export shows no enabled=yes for this server, so it appears to be off, but
# remove md5 from the list anyway so it cannot be used if the server is ever
# enabled.
/interface ovpn-server server
set auth=sha1,md5
/interface wireless cap

set certificate=request discovery-interfaces=bridge enabled=yes interfaces=
wlan1,wlan2 lock-to-caps-man=yes
# 192.168.10.1/24 and 192.168.10.2/24 are both on the bridge; the second
# address is redundant for routing and only adds another address the router
# answers on.
/ip address
add address=192.168.10.1/24 interface=bridge network=192.168.10.0
add address=192.168.20.1/24 interface=VLAN2-GAST network=192.168.20.0
add address=192.168.10.2/24 interface=bridge network=192.168.10.0
# ddns-enabled=yes registers the current public address with MikroTik's cloud
# DDNS under a MikroTik-provided hostname; disable it if such a public
# hostname for this router is not needed.
/ip cloud
set ddns-enabled=yes
# NOTE(review): the second dhcp-client runs on the LAN bridge itself. Any
# DHCP server reachable on the LAN - including a rogue one - can then hand
# this router an address, a default route (distance 30, used once both WAN
# defaults are gone) and, unless use-peer-dns=no is set as on the eth2
# client, DNS servers. Remove it unless it is intentional.
/ip dhcp-client
add default-route-distance=10 interface=eth2_PYUR use-peer-dns=no
add default-route-distance=30 interface=bridge
/ip dhcp-server network
add address=192.168.20.0/24 dns-server=1.1.1.3,1.0.0.3 gateway=192.168.20.1
# allow-remote-requests=yes makes this router a resolver for anything that
# reaches its input chain. Only the "drop all not coming from LAN" input rule
# below keeps it from answering queries from the WAN side, so do not loosen
# that rule.
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,1.0.0.1
# Stale defconf entry: router.lan still points at 192.168.88.1, but the
# bridge is addressed 192.168.10.1/24 (see /ip address).
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
# LAN and LANo3CX are defined here but no rule in this export references them.
/ip firewall address-list
add address=192.168.10.0/24 list=LAN
add address=192.168.10.3-192.168.10.13 list=LANo3CX
add address=192.168.10.15-192.168.10.254 list=LANo3CX
# Filter review:
#  - input: default config; ICMP is accepted from everywhere (including WAN)
#    before the final !LAN drop.
#  - forward: the mangle rules are gone in this revision, so fasttrack no
#    longer conflicts with policy routing; the routing rule below does the
#    selection before the firewall is involved.
#  - forward: nothing isolates the guest VLAN. A new connection from
#    VLAN2-GAST (192.168.20.0/24) towards the bridge (192.168.10.0/24)
#    matches no drop rule and is accepted by the chain's default policy. If
#    guests must not reach the LAN, add e.g.
#      add action=drop chain=forward in-interface=VLAN2-GAST out-interface=bridge
#    ahead of the WAN drop rule.
/ip firewall filter
add action=accept chain=input comment=
“defconf: accept established,related,untracked” connection-state=
established,related,untracked
add action=drop chain=input comment=“defconf: drop invalid” connection-state=
invalid
add action=accept chain=input comment=“defconf: accept ICMP” protocol=icmp
add action=accept chain=input comment=
“defconf: accept to local loopback (for CAPsMAN)” dst-address=127.0.0.1
add action=drop chain=input comment=“defconf: drop all not coming from LAN”
in-interface-list=!LAN
add action=fasttrack-connection chain=forward comment=“defconf: fasttrack”
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=
“defconf: accept established,related, untracked” connection-state=
established,related,untracked
add action=drop chain=forward comment=“defconf: drop invalid”
connection-state=invalid
add action=drop chain=forward comment=
“defconf: drop all from WAN not DSTNATed” connection-nat-state=!dstnat
connection-state=new in-interface-list=WAN
# NAT review:
#  - the Exchange (25/443/80), Mailstore (8462) and both disabled SIP 5060
#    rules match dst-address=192.168.10.x, i.e. the server's internal
#    address. Inbound WAN traffic carries the public address as destination,
#    so these rules never match it; if those services are meant to be
#    published, match on in-interface / in-interface-list=WAN plus dst-port
#    instead, as the 3CX rules do.
#  - the "3CX Webclient" rule exposes tcp/5001 on the Telekom link to any
#    source address, and the forward chain accepts everything that was
#    dst-natted. That is a publicly reachable web/management UI; restrict it
#    with src-address-list to the networks that need it, or reach it via VPN.
#  - udp/9000-10999 (RTP) and tcp+udp/5090 (3CX tunnel) are likewise open to
#    any source; that is usual for a PBX, but keep the RTP range as small as
#    the PBX configuration allows.
/ip firewall nat
add action=masquerade chain=srcnat comment=“defconf: masquerade”
ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment=“Exchange SMTP” dst-address=
192.168.10.253 dst-port=25 protocol=tcp to-addresses=192.168.10.253
to-ports=25
add action=dst-nat chain=dstnat comment=“Exchange OWA” dst-address=
192.168.10.253 dst-port=443 protocol=tcp to-addresses=192.168.10.253
to-ports=443
add action=dst-nat chain=dstnat comment=“Exchange Lets Encrypt Challenge”
dst-address=192.168.10.253 dst-port=80 protocol=tcp to-addresses=
192.168.10.253 to-ports=80
add action=dst-nat chain=dstnat comment=Mailstore dst-address=192.168.10.13
dst-port=8462 protocol=tcp to-addresses=192.168.10.13 to-ports=8462
add action=dst-nat chain=dstnat comment=“3CX Webclient” dst-port=5001
in-interface=pppoe-Telekom protocol=tcp to-addresses=192.168.10.14
to-ports=5001
add action=dst-nat chain=dstnat comment=“3CX SIP TCP” disabled=yes
dst-address=192.168.10.14 dst-port=5060 protocol=tcp to-addresses=
192.168.10.14 to-ports=5060
add action=dst-nat chain=dstnat comment=“3CX RTP” dst-port=9000-10999
in-interface=pppoe-Telekom protocol=udp to-addresses=192.168.10.14
to-ports=9000-10999
add action=dst-nat chain=dstnat comment=“3CX Tunnel TCP” dst-port=5090
in-interface=pppoe-Telekom protocol=tcp to-addresses=192.168.10.14
to-ports=5090
add action=dst-nat chain=dstnat comment=“3CX Tunnel UDP” dst-port=5090
in-interface=pppoe-Telekom protocol=udp to-addresses=192.168.10.14
to-ports=5090
add action=dst-nat chain=dstnat comment=“3CX SIP UDP” disabled=yes
dst-address=192.168.10.14 dst-port=5060 protocol=udp to-addresses=
192.168.10.14 to-ports=5060
# SIP ALG (conntrack helper) disabled - commonly recommended for a SIP PBX
# behind NAT so the helper does not rewrite SIP payloads.
/ip firewall service-port
set sip disabled=yes
# The Telekom table holds only a default route. With lookup-only-in-table
# below, the selected host's traffic for the local 192.168.10.0/24 subnet is
# also pushed out of the PPPoE link, because nothing in the table covers it
# and there is no fallback to main; add the connected subnets to the table
# (as the thread later does) or use action=lookup.
/ip route
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=
pppoe-Telekom pref-src=“” routing-table=Telekom scope=30
suppress-hw-offload=no target-scope=10
# dst-address=::/0 is the IPv6 wildcard; on an IPv4 rule it never matches
# (and IPv6 is disabled above), so this rule has no effect even though it is
# enabled - this is the root cause found later in the thread. Omit
# dst-address or use 0.0.0.0/0.
/routing rule
add action=lookup-only-in-table disabled=no dst-address=::/0 src-address=
192.168.10.15/32 table=Telekom
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name=AC-GW
/system leds
set 0 interface=wlan1 leds=led1,led2,led3,led4,led5 type=
wireless-signal-strength
set 1 leds=poe-led type=poe-out
# MAC telnet / MAC WinBox limited to the LAN list. (The trailing "_" on the
# last line is a forum formatting artifact, not part of the config.)
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN_

Got It.

Thank you Anav, I had read your post before. After the 100th re-check of my config I found my problems:

1st: the dst-address in my routing rule (::/0 is an IPv6 prefix, so the IPv4 rule never matched):
# The broken rule: dst-address=::/0 is the IPv6 wildcard and never matches
# IPv4 traffic, so the rule was a no-op. Removing dst-address (or using
# 0.0.0.0/0) makes it match.
/routing rule
add action=lookup-only-in-table disabled=no dst-address=::/0 src-address=
192.168.10.15/32 table=Telekom

And 2nd: an incomplete routing table Telekom → this showed up after deleting dst-address from my rule.
I only had 0.0.0.0/0 → pppoe.
But I needed these 3 routes:
# Telekom table, used via lookup-only-in-table, so it must be self-contained:
#  - default via the PPPoE interface (gateway is the interface, not the peer's
#    IP, so the PPPoE gateway address changing does not affect this route)
#  - host route for 62.156.244.25/32 via PPPoE; presumably the Telekom-side
#    address the PBX talks to - confirm. It is already covered by the default
#    route above, so it only matters if that default is ever withdrawn, and
#    it will go stale if the remote address changes.
#  - the connected LAN subnet via bridge; without it the SIP host's
#    LAN-to-LAN traffic would also be pushed out of the PPPoE link.
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=pppoe-Telekom
pref-src=0.0.0.0 routing-table=Telekom scope=30 suppress-hw-offload=no
target-scope=10
add disabled=no distance=1 dst-address=62.156.244.25/32 gateway=pppoe-Telekom
routing-table=Telekom scope=10 suppress-hw-offload=no
add disabled=no distance=1 dst-address=192.168.10.0/24 gateway=bridge
routing-table=Telekom scope=10 suppress-hw-offload=no

Now I just ask myself: what problems will occur if the Telekom gateway IP changes dynamically? (Note: the routes above use the interface pppoe-Telekom as gateway rather than the peer's IP address, so a change of the PPPoE gateway address does not affect them; only the hard-coded 62.156.244.25/32 host route would need updating if that remote address changes.)

I just updated to 7.2.3 and now routing rules do not work for me. They were working in 7.2.1. If you are having trouble getting your routing rules to work, you may want to back up your current settings and then try downgrading to 7.2.1. Be aware that rolling back also reverts whatever fixes the newer releases contain, so treat the downgrade as a diagnostic step to confirm the regression rather than a permanent fix, and report it to MikroTik support.