Dual WAN with Dedicated LAN-to-WAN Routing Issue

Hi,

I'm trying to configure my MikroTik hEX (RouterOS v7.19.3 - E50UG) with the following network segmentation:

  • Main LAN (192.168.10.0/24) → Uses UVT connection (pppoe-out1)

  • Guest network (192.168.50.0/24) → Uses CZNET connection (ether1)

  • IoT network (192.168.66.0/24) → No direct internet access

Configuration already done

Connection Marking

  • Main LAN traffic marked as uvt_conn

  • Guest traffic marked as cznet_conn

Policy Routing

  • Two separate routing tables: to-wan-cznet and to-wan-uvt

  • Marked connections routed through appropriate WAN

Network Address Translation (NAT)

  • Main LAN traffic masqueraded through UVT

  • Guest traffic masqueraded through CZNET

VLAN Setup

  • VLAN 50 for guest network

  • VLAN 66 for IoT devices

  • VLAN 848 for UVT PPPoE connection

DHCP Services

  • Separate DHCP pools for each network segment

Problem Description

Connections from LANs are not working. I can ping the router itself, but traffic is not being sent to the correct WAN interface.

Question

I have no idea what I'm missing. Any suggestions on what could be wrong with my configuration? You can see the details in the config below.

Thanks!

/ip address print
Flags: D - DYNAMIC
Columns: ADDRESS, NETWORK, INTERFACE
#   ADDRESS            NETWORK         INTERFACE 
;;; defconf
0   192.168.10.1/24    192.168.10.0    bridge    
1   10.200.126.135/26  10.200.126.128  ether1    
;;; iot
2   192.168.66.1/24    192.168.66.0    vlan66    
3 D 178.15.15.15/32   10.11.5.146     pppoe-out1
;;; guest
4   192.168.50.1/24    192.168.50.0    vlan50    



/interface print
Flags: R - RUNNING; S - SLAVE
Columns: NAME, TYPE, ACTUAL-MTU, L2MTU, MAX-L2MTU, MAC-ADDRESS
 #    NAME        TYPE       ACTUAL-MTU  L2MTU  MAX-L2MTU  MAC-ADDRESS      
;;; CZNET
 0 R  ether1      ether            1500   1600       2048  F4:1E:57:AD:B7:F6
;;; UVTNET
 1 R  ether2      ether            1500   1596       2026  F4:1E:57:AD:B7:F7
 2 RS ether3      ether            1500   1596       2026  F4:1E:57:AD:B7:F8
 3 RS ether4      ether            1500   1596       2026  F4:1E:57:AD:B7:F9
 4  S ether5      ether            1500   1596       2026  F4:1E:57:AD:B7:FA
;;; defconf
 5 R  bridge      bridge           1500   1596             F4:1E:57:AD:B7:F7
 6 R  lo          loopback        65536                    00:00:00:00:00:00
;;; uvt
 7 R  pppoe-out1  pppoe-out        1492                                     
;;; guest
 8 R  vlan50      vlan             1500   1592             F4:1E:57:AD:B7:F7
;;; iot
 9 R  vlan66      vlan             1500   1592             F4:1E:57:AD:B7:F7
;;; UVT
10 R  vlan848     vlan             1500   1592             F4:1E:57:AD:B7:F7




/interface vlan print
Flags: R - RUNNING
Columns: NAME, MTU, ARP, VLAN-ID, INTERFACE
#   NAME      MTU  ARP      VLAN-ID  INTERFACE
;;; guest
0 R vlan50   1500  enabled       50  bridge   
;;; iot
1 R vlan66   1500  enabled       66  bridge   
;;; UVT
2 R vlan848  1500  enabled      848  ether2   



/interface bridge print
Flags: D - dynamic; X - disabled, R - running 
 0  R ;;; defconf
      name="bridge" mtu=auto actual-mtu=1500 l2mtu=1596 arp=enabled arp-timeout=auto mac-address=F4:1E:57:AD:B7:F7 protocol-mode=rstp fast-forward=yes igmp-snooping=no auto-mac=no admin-mac=F4:1E:57:AD:B7:F7 
      ageing-time=5m priority=0x8000 max-message-age=20s forward-delay=15s transmit-hold-count=6 vlan-filtering=no dhcp-snooping=no port-cost-mode=long mvrp=no max-learned-entries=auto 


/interface bridge port print
Flags: I - INACTIVE; H - HW-OFFLOAD
Columns: INTERFACE, BRIDGE, HW, HORIZON, TRUSTED, FAST-LEAVE, BPDU-GUARD, EDGE, POINT-TO-POINT, PVID, FRAME-TYPES
#    INTERFACE  BRIDGE  HW   HORIZON  TRUSTED  FAST-LEAVE  BPDU-GUARD  EDGE  POINT-TO-POINT  PVID  FRAME-TYPES
;;; defconf
0  H ether3     bridge  yes  none     no       no          no          auto  auto               1  admit-all  
;;; defconf
1  H ether4     bridge  yes  none     no       no          no          auto  auto               1  admit-all  
;;; defconf
2 IH ether5     bridge  yes  none     no       no          no          auto  auto               1  admit-all  




/ip route print detail
Flags: D - dynamic; X - disabled, I - inactive, A - active; c - connect, s - static, r - rip, b - bgp, o - ospf, i - is-is, d - dhcp, v - vpn, m - modem, y - bgp-mpls-vpn; H - hw-offloaded; + - ecmp 
 0  Xs   dst-address=0.0.0.0/0 routing-table=main gateway=10.200.126.129 distance=2 scope=30 target-scope=10 suppress-hw-offload=no 

 1  As   dst-address=0.0.0.0/0 routing-table=main gateway=pppoe-out1 immediate-gw=pppoe-out1 distance=1 scope=30 target-scope=10 suppress-hw-offload=no 

   DAc   dst-address=10.11.5.146/32 routing-table=main gateway=pppoe-out1 immediate-gw=pppoe-out1 distance=0 scope=10 target-scope=5 local-address=178.17.14.240%pppoe-out1 

   DAc   dst-address=10.200.126.128/26 routing-table=main gateway=ether1 immediate-gw=ether1 distance=0 scope=10 target-scope=5 local-address=10.200.126.135%ether1 

   DAc   dst-address=192.168.10.0/24 routing-table=main gateway=bridge immediate-gw=bridge distance=0 scope=10 target-scope=5 local-address=192.168.10.1%bridge 

   DAc   dst-address=192.168.50.0/24 routing-table=main gateway=vlan50 immediate-gw=vlan50 distance=0 scope=10 target-scope=5 local-address=192.168.50.1%vlan50 

   DAc   dst-address=192.168.66.0/24 routing-table=main gateway=vlan66 immediate-gw=vlan66 distance=0 scope=10 target-scope=5 local-address=192.168.66.1%vlan66 

 2  As   dst-address=0.0.0.0/0 routing-table=to-wan-cznet gateway=10.200.126.129 immediate-gw=10.200.126.129%ether1 distance=1 scope=30 target-scope=10 suppress-hw-offload=no 

 3  As   dst-address=0.0.0.0/0 routing-table=to-wan-uvt gateway=pppoe-out1 immediate-gw=pppoe-out1 distance=1 scope=30 target-scope=10 suppress-hw-offload=no 

 4  As   dst-address=209.38.255.33/32 routing-table=to-wan-uvt gateway=pppoe-out1 immediate-gw=pppoe-out1 distance=1 scope=30 target-scope=10 suppress-hw-offload=no 




/ip firewall mangle print
Flags: X - disabled, I - invalid; D - dynamic 
 0  D ;;; special dummy rule to show fasttrack counters
      chain=prerouting action=passthrough 

 1  D ;;; special dummy rule to show fasttrack counters
      chain=forward action=passthrough 

 2  D ;;; special dummy rule to show fasttrack counters
      chain=postrouting action=passthrough 

 3    ;;; LAN traffic
      chain=prerouting action=mark-connection new-connection-mark=uvt_conn passthrough=yes dst-address-type=!local in-interface=bridge log=no log-prefix="z lan" 

 4    ;;; LAN traffic z vlan50
      chain=prerouting action=mark-connection new-connection-mark=cznet_conn passthrough=yes src-address=192.168.50.0/24 dst-address-type=!local connection-mark=no-mark log=no log-prefix="" 

 5    ;;; uvt incoming
      chain=prerouting action=mark-connection new-connection-mark=uvt_conn passthrough=yes connection-mark=no-mark in-interface=pppoe-out1 log=yes log-prefix="z uvt" 

 6    ;;; cznet incoming
      chain=prerouting action=mark-connection new-connection-mark=cznet_conn passthrough=yes in-interface=ether1 log=yes log-prefix="z cznet" 

 7    ;;; cznet
      chain=output action=mark-routing new-routing-mark=to-wan-cznet passthrough=no connection-mark=cznet_conn log=no log-prefix="output cznet" 

 8    ;;; uvt
      chain=output action=mark-routing new-routing-mark=to-wan-uvt passthrough=no connection-mark=uvt_conn log=no log-prefix="output uvt" 

 9    ;;; cznet
      chain=prerouting action=mark-routing new-routing-mark=to-wan-cznet passthrough=no connection-mark=cznet_conn log=no log-prefix="to-wan- cznet" 

10    ;;; uvt
      chain=prerouting action=mark-routing new-routing-mark=to-wan-uvt passthrough=no connection-mark=uvt_conn log=no log-prefix="to-wan uvt" 



/ip firewall nat print
Flags: X - disabled, I - invalid; D - dynamic 
 0    ;;; defconf: masquerade
      chain=srcnat action=masquerade src-address=192.168.10.0/24 routing-mark=to-wan-uvt log=no log-prefix="" ipsec-policy=out,none 

 1    ;;; defconf: masquerade
      chain=srcnat action=masquerade src-address=192.168.50.0/24 routing-mark=to-wan-cznet log=no log-prefix="" ipsec-policy=out,none 



/ip firewall filter print
Flags: X - disabled, I - invalid; D - dynamic 
 0  D ;;; special dummy rule to show fasttrack counters
      chain=forward action=passthrough 

 1    ;;; defconf: accept established,related,untracked
      chain=input action=accept connection-state=established,related,untracked 

 2    chain=input action=accept protocol=gre log=no log-prefix="" 

 3    ;;; defconf: drop invalid
      chain=input action=drop connection-state=invalid 

 4    ;;; defconf: accept ICMP
      chain=input action=accept protocol=icmp 

 5    ;;; defconf: accept to local loopback (for CAPsMAN)
      chain=input action=accept dst-address=127.0.0.1 

 6    ;;; defconf: drop all not coming from LAN
      chain=input action=drop in-interface-list=!LAN log=no log-prefix="" 

 7    ;;; defconf: accept in ipsec policy
      chain=forward action=accept ipsec-policy=in,ipsec 

 8    ;;; defconf: accept out ipsec policy
      chain=forward action=accept ipsec-policy=out,ipsec 

 9    ;;; defconf: fasttrack
      chain=forward action=fasttrack-connection hw-offload=yes connection-state=established,related log=no log-prefix="" 

10    ;;; defconf: accept established,related, untracked
      chain=forward action=accept connection-state=established,related,untracked 

11    ;;; defconf: drop invalid
      chain=forward action=drop connection-state=invalid 

12    ;;; defconf: drop all from WAN not DSTNATed
      chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN 

13    ;;; allow to vlan66 from vlan1
      chain=forward action=accept src-address=192.168.10.0/24 dst-address=192.168.66.0/24 log=no log-prefix="" 

14    chain=forward action=drop src-address=192.168.66.0/24 out-interface-list=WAN log=no log-prefix="" 

15    ;;; Block guest to LAN1
      chain=forward action=drop src-address=192.168.50.0/24 dst-address=192.168.10.0/24 log=no log-prefix="" 

16    ;;; Block guest to LAN2
      chain=forward action=drop src-address=192.168.50.0/24 dst-address=192.168.66.0/24 log=no log-prefix="" 

17    ;;; Block management from guest
      chain=input action=drop protocol=tcp in-interface=vlan50 dst-port=8291,22,23,80,443,8728,8729 

18    ;;; Allow guest to internet
      chain=forward action=accept in-interface=vlan50 out-interface-list=WAN 




/interface pppoe-client print
Flags: X - disabled, I - invalid; R - running 
 0  R ;;; uvt
      name="pppoe-out1" max-mtu=1492 max-mru=1492 mrru=disabled interface=vlan848 user="xxx" password="xxx" profile=default keepalive-timeout=10 service-name="" ac-name="" add-default-route=no dial-on-demand=no 
      use-peer-dns=no allow=pap,chap,mschap1,mschap2 





/interface list print
Flags: * - BUILTIN
Columns: NAME
#   NAME   
;;; contains all interfaces
0 * all    
;;; contains no interfaces
1 * none   
;;; contains dynamic interfaces
2 * dynamic
;;; contains static interfaces
3 * static 
;;; defconf
4   WAN    
;;; defconf
5   LAN    



/interface list member print
Columns: LIST, INTERFACE
# LIST  INTERFACE 
;;; defconf
0 LAN   bridge    
;;; defconf
1 WAN   ether1    
2 WAN   pppoe-out1




/ip dhcp-server print
Columns: NAME, INTERFACE, ADDRESS-POOL, LEASE-TIME
# NAME     INTERFACE  ADDRESS-POOL  LEASE-TIME
0 defconf  bridge     dhcp          30m       
1 dhcp66   vlan66     dhcp66        30m       
2 dhcp50   vlan50     dhcp50        30m       



/ip pool print
Columns: NAME, RANGES, TOTAL, USED, AVAILABLE
#  NAME    RANGES                        TOTAL  USED  AVAILABLE
0  dhcp    192.168.10.38-192.168.10.243    206     9        197
;;; v66
1  dhcp66  192.168.66.10-192.168.66.240    231    10        221
;;; v50
2  dhcp50  192.168.50.10-192.168.50.240    231     2        229

Using print is not how you are supposed to post your configuration on the forum. Instead, do

/export hide-sensitive file=config

Then go to the Files table and download config.rsc to your computer, open it with a plain text editor such as Notepad, remove sensitive information (serial number, keys, MAC addresses, etc.) and then paste the file's content here (surrounded by ``` … ``` for syntax highlighting).

Your problem is probably due to mixing mangle mark-routing and fasttrack. For your use case, a better solution is to get rid of all those mangle rules, then put the following in your Routing Rules table:

/routing rule
add action=lookup disabled=no min-prefix=0 table=main
add action=lookup-only-in-table disabled=no dst-address=0.0.0.0/0 interface=bridge table=to-wan-uvt
add action=lookup-only-in-table disabled=no dst-address=0.0.0.0/0 interface=vlan50 table=to-wan-cznet

That would be compatible with fasttrack.

Another problem is that you appear to have VLAN interfaces on the main bridge, but have not turned on vlan-filtering on that bridge. Please export your full config (see above) so that we can check your VLAN configuration.

Only a word of warning: it is very easy to lock oneself out when fiddling with VLANs; the moment you switch vlan-filtering on, the behaviour of the device will change.
It is usually advised to take a port out of any bridge (and with no VLAN) to use as emergency access/management. If you don't need all the ports in the device you can leave it unconnected; if you need all ports you might later re-join it to the bridge, after having verified that you can access the router through one of the other ports.
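As an added example (not code from this thread or from MikroTik), here is a small Python parser for the /export format requested above, with two checks for the problems raised in the reply: mangle mark-routing rules that coexist with an active fasttrack rule, and VLAN interfaces placed on a bridge whose vlan-filtering is still no. SAMPLE_EXPORT is a constructed excerpt whose keys and values are modelled on the poster's output; the function names are the example's own.

```python
"""Added example: lint a RouterOS /export for mangle+fasttrack mixing and
for VLAN interfaces on a bridge without vlan-filtering.  Not MikroTik code."""
import shlex

# Constructed excerpt in /export format (modelled on the thread, not a real export).
SAMPLE_EXPORT = r"""
# constructed excerpt
/interface bridge
add admin-mac=F4:1E:57:XX:XX:XX auto-mac=no comment=defconf name=bridge \
    vlan-filtering=no
/interface vlan
add comment=guest interface=bridge name=vlan50 vlan-id=50
add comment=UVT interface=ether2 name=vlan848 vlan-id=848
/ip firewall filter
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
/ip firewall mangle
add action=mark-routing chain=prerouting comment=uvt connection-mark=uvt_conn \
    log-prefix="to-wan uvt" new-routing-mark=to-wan-uvt passthrough=no
"""


def parse_export(text):
    """Return [(section, verb, params)] from /export output.

    A trailing backslash continues a command on the next line, '#' lines are
    comments, and a line starting with '/' opens a new menu section."""
    entries, section, pending = [], None, ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.lstrip().startswith("#"):
            continue
        if line.endswith("\\"):
            pending += line[:-1] + " "
            continue
        line = (pending + line).strip()
        pending = ""
        if line.startswith("/"):
            section = line
            continue
        verb, *tokens = shlex.split(line)  # honours quoted comment="..." values
        params = {}
        for tok in tokens:
            if "=" in tok:
                key, value = tok.split("=", 1)
                params[key] = value
        entries.append((section, verb, params))
    return entries


def lint(entries):
    """Return human-readable findings for the two checks."""
    findings = []
    fasttrack_on = any(
        sec == "/ip firewall filter"
        and p.get("action") == "fasttrack-connection"
        and p.get("disabled") != "yes"
        for sec, _, p in entries
    )
    mark_routing = [
        p for sec, _, p in entries
        if sec == "/ip firewall mangle" and p.get("action") == "mark-routing"
        and p.get("disabled") != "yes"
    ]
    if fasttrack_on and mark_routing:
        findings.append(
            "%d mangle mark-routing rule(s) coexist with an active fasttrack rule "
            "(fasttracked packets skip the firewall, mangle included)"
            % len(mark_routing)
        )
    # Bridges whose vlan-filtering is absent (default no) or explicitly no.
    unfiltered = {
        p.get("name") for sec, _, p in entries
        if sec == "/interface bridge" and p.get("vlan-filtering", "no") != "yes"
    }
    for sec, _, p in entries:
        if sec == "/interface vlan" and p.get("interface") in unfiltered:
            findings.append(
                "VLAN interface %s (vlan-id %s) sits on bridge %s with vlan-filtering=no"
                % (p.get("name"), p.get("vlan-id"), p.get("interface"))
            )
    return findings


if __name__ == "__main__":
    for finding in lint(parse_export(SAMPLE_EXPORT)):
        print("WARN:", finding)
```

Run it against a real config.rsc by reading the file into parse_export; vlan848 is not reported because it sits on ether2, not on the bridge.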

Hi. Thanks for helping me out. I would like to stay with the solution using mangle, since this is just a starting point and I would like to implement more difficult routing in the future with load balancing etc.

I have made some changes, like enabling vlan-filtering. Btw, thanks @jaclaz for the warning 🙂
But I still did not manage to get this to work and I'm struggling to see why. Here is my full config:

# 2025-08-21 23:46:36 by RouterOS 7.20beta8
# software id = XXXX-XXXX
#
# model = E50UG
# serial number = XXXXXXXXX
/interface bridge
add admin-mac=F4:1E:57:XX:XX:XX auto-mac=no comment=defconf name=bridge \
    vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment=CZNET
set [ find default-name=ether2 ] comment=UVTNET
/interface vlan
add comment=guest interface=bridge name=vlan50 vlan-id=50
add comment=iot interface=bridge name=vlan66 vlan-id=66
add comment=UVT interface=ether2 name=vlan848 vlan-id=848
/interface pppoe-client
add comment=uvt disabled=no interface=vlan848 max-mru=1492 max-mtu=1492 name=\
    pppoe-out1 user=uvt
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=dhcp ranges=192.168.10.38-192.168.10.243
add comment=v66 name=dhcp66 ranges=192.168.66.10-192.168.66.240
add comment=v50 name=dhcp50 ranges=192.168.50.10-192.168.50.240
add name=dhcp_service ranges=192.168.100.2-192.168.100.254
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
add address-pool=dhcp66 interface=vlan66 name=dhcp66
add address-pool=dhcp50 interface=vlan50 name=dhcp50
# Interface not running
add address-pool=dhcp_service interface=ether5 name=dhcp1 relay=192.168.100.1
/routing bgp template
set default as=65530
/routing table
add disabled=no fib name=to-wan-cznet
add disabled=no fib name=to-wan-uvt
/disk settings
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge tagged=bridge,ether4,ether3 vlan-ids=50
add bridge=bridge tagged=bridge,ether3,ether4 vlan-ids=66
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
/interface ovpn-server server
add mac-address=FE:1C:XX:XX:XX:XX name=ovpn-server1
/ip address
add address=192.168.10.1/24 comment=defconf interface=bridge network=\
    192.168.10.0
add address=10.200.126.135/26 interface=ether1 network=10.200.126.128
add address=192.168.66.1/24 comment=iot interface=vlan66 network=192.168.66.0
add address=192.168.50.1/24 comment=guest interface=vlan50 network=\
    192.168.50.0
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1
/ip dhcp-server network
add address=192.168.10.0/24 comment=defconf dns-server=192.168.10.1 domain=\
    home.arpa gateway=192.168.10.1 netmask=24
add address=192.168.50.0/24 comment=dhcp50 dns-server=1.1.1.1 domain=\
    home.arpa gateway=192.168.50.1
add address=192.168.66.0/24 comment=dhcp66 dns-server=192.168.66.1 domain=\
    home.arpa gateway=192.168.66.1
add address=192.168.100.0/24 gateway=192.168.100.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1
/ip dns static
add address=192.168.10.1 comment=defconf name=router.lan type=A
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input protocol=gre
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=accept chain=forward comment="allow to vlan66 from vlan1" \
    dst-address=192.168.66.0/24 src-address=192.168.10.0/24
add action=drop chain=forward out-interface-list=WAN src-address=\
    192.168.66.0/24
add action=drop chain=forward comment="Block guest to LAN1" dst-address=\
    192.168.10.0/24 src-address=192.168.50.0/24
add action=drop chain=forward comment="Block guest to LAN2" dst-address=\
    192.168.66.0/24 src-address=192.168.50.0/24
add action=drop chain=input comment="Block management from guest" dst-port=\
    8291,22,23,80,443,8728,8729 in-interface=vlan50 protocol=tcp
add action=accept chain=forward comment="Allow guest to internet" \
    in-interface=vlan50 out-interface-list=WAN
/ip firewall mangle
add action=mark-connection chain=prerouting comment="uvt incoming" \
    connection-mark=no-mark in-interface=pppoe-out1 log-prefix="z uvt" \
    new-connection-mark=uvt_conn
add action=mark-connection chain=prerouting comment="cznet incoming" \
    connection-mark=no-mark in-interface=ether1 log=yes log-prefix="z cznet" \
    new-connection-mark=cznet_conn
add action=mark-routing chain=output comment=cznet connection-mark=cznet_conn \
    log-prefix="output cznet" new-routing-mark=to-wan-cznet
add action=mark-routing chain=output comment=uvt connection-mark=uvt_conn \
    log-prefix="output uvt" new-routing-mark=to-wan-uvt
add action=mark-connection chain=prerouting comment=\
    "LAN traffic from bridge (10.0 network)" connection-mark=no-mark \
    dst-address-type=!local in-interface=bridge log-prefix="z lan" \
    new-connection-mark=uvt_conn src-address=192.168.10.0/24
add action=mark-connection chain=prerouting comment=\
    "LAN traffic z vlan50 (50.0 network)" connection-mark=no-mark \
    dst-address-type=!local in-interface=vlan50 new-connection-mark=\
    cznet_conn src-address=192.168.50.0/24
add action=mark-routing chain=prerouting comment=cznet connection-mark=\
    cznet_conn log-prefix="to-wan- cznet" new-routing-mark=to-wan-cznet \
    passthrough=no
add action=mark-routing chain=prerouting comment=uvt connection-mark=uvt_conn \
    log-prefix="to-wan uvt" new-routing-mark=to-wan-uvt passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes \
    ipsec-policy=out,none routing-mark=to-wan-uvt src-address=192.168.10.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes \
    ipsec-policy=out,none
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes \
    ipsec-policy=out,none routing-mark=to-wan-cznet src-address=\
    192.168.50.0/24
add action=masquerade chain=srcnat comment="masquerade UVT traffic" \
    ipsec-policy=out,none routing-mark=to-wan-uvt
add action=masquerade chain=srcnat comment="masquerade CZNET traffic" \
    ipsec-policy=out,none routing-mark=to-wan-cznet
add action=masquerade chain=srcnat comment="defconf: masquerade fallback" \
    ipsec-policy=out,none
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.200.126.129 \
    routing-table=to-wan-cznet scope=30 suppress-hw-offload=no target-scope=\
    10
add disabled=yes distance=3 dst-address=0.0.0.0/0 gateway=pppoe-out1 \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=pppoe-out1 \
    routing-table=to-wan-uvt scope=30 suppress-hw-offload=no target-scope=10
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
    dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=Europe/Prague
/system identity
set name=vanguard
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool netwatch
add disabled=no down-script="" host=1.1.1.1 interval=10s test-script="" type=\
    simple up-script=""
/tool sniffer
set filter-interface=all filter-stream=yes streaming-enabled=yes \
    streaming-server=192.168.10.10
  1. You have two LAN VLANs, 50 and 66, so why do you have 4 pools etc.?
    Clearly your written explanation is lacking, and perhaps a diagram may help.

  2. What are ether3 and ether4 connected to...... assuming either smart switches or smart APs?
    Your VLAN setup should more closely follow the best ref: Using RouterOS to VLAN your network

  3. Why do you have your bridge doing anything to do with DHCP?? Once you go VLANs on the bridge, it's important to have the bridge do only bridging in most cases.

Hence turn the bridge subnet into name=bridgevlan vlan-id=10, for example, and then configure /interface bridge port and /interface bridge vlan in accordance with the reference provided. (The bridge is usually not part of the LAN interface list once VLANs are established for all LAN subnets.)

  1. Why do you have a dhcp-server network for this unknown 192.168.100 entity, as there is no affiliated address or VLAN etc.?

  2. You can get rid of the static IP DNS setting...........

  3. Modify the forward chain rules like so, after the drop invalid rule:

add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN src-address=!192.168.66.0/24
add action=accept chain=forward comment="bridgesubnet to vlan66" in-interface=bridgevlan src-address=192.168.10.0/24 out-interface=vlan66 dst-address=192.168.66.0/24
add action=drop chain=forward comment="drop all else"

Now dropping access to services has nothing to do with the forward chain and everything to do with the input chain. To ensure only vlan10 has access...............

/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=TRUSTED
/interface list member
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
add interface=bridgevlan list=LAN
add interface=vlan50 list=LAN
add interface=vlan66 list=LAN
add interface=bridgevlan list=TRUSTED
/ip neighbor discovery-settings
set discover-interface-list=TRUSTED
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=TRUSTED

NOW adjust the input chain, starting after the allow-loopback rule:

add action=accept chain=input comment="admin access" in-interface-list=TRUSTED  
add action=accept chain=input comment="users to services"  in-interface=vlan50 dst-port=53 protocol=udp
add action=accept chain=input comment="users to services"  in-interface=vlan50 dst-port=53 protocol=tcp
add action=drop chain=input comment="drop all else"  { put this rule here but last of all rules entered}

  1. Masquerade rules are hosed......... They are not intended to replace routing functionality........ You simply need:
add action=masquerade chain=srcnat ipsec-policy=out,none \
out-interface-list=WAN
 

In terms of routes, I suggest you don't use the default route from PPPoE, so everything is controlled manually via /ip route. Your intent is poorly communicated: yes, you want one VLAN to use WAN1 and the other to use WAN2, but there is no direction provided for what happens if WAN1 or WAN2 fails................ One needs to ensure that the router can go to the main table and find the other route............

/ip route
add check-gateway=ping dst-address=0.0.0.0/0 gateway=10.200.126.129 
add check-gateway=ping dst-address=0.0.0.0/0 gateway=pppoe-out1 
++++++++++++++++++++++++++++++++++++++++++++++++
add dst-address=0.0.0.0/0 gateway=10.200.126.129 routing-table=to-wan-cznet
add dst-address=0.0.0.0/0 gateway=pppoe-out1 routing-table=to-wan-uvt

I agree with the others: the better solution for forcing the subnets out to the specific WAN is best done by NO mangles and simply three routing rules.

/routing rule
add min-prefix=0 action=lookup-only-in-table table=main
add src-address=192.168.10.0/24 action=lookup table=to-wan-uvt
add src-address=192.168.50.0/24 action=lookup table=to-wan-cznet


GET THIS working first after fixing the config............ Right now you're trying to bite off more than you can chew, really. Then when it's working, for the simple case, I am more than happy to get the mangle option working next, and then load balancing can be added after.......
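As an added example (not code from any post in this thread and not RouterOS itself), the Python model below walks a list of /routing rule entries the way the replies describe and compares the per-source rule set just above with the per-interface set from the earlier reply, with the UVT link up and down. The routing tables are constructed from the thread's prefixes and gateways, the "active" flag stands in for check-gateway=ping, and 1.1.1.1 is used as a test destination. The reading of min-prefix=0 (a rule that finds only the default route does not match), of lookup (falls through to the next rule) and of lookup-only-in-table (final, unreachable when nothing is found) is the example's own summary of the documented behaviour; the function names are assumptions.

```python
"""Added example: model /routing rule evaluation to compare two rule sets."""
import ipaddress


def tables(uvt_up=True, cznet_up=True):
    """Constructed routing tables: name -> [(prefix, gateway, active)].
    Prefixes and gateways follow the thread; 'active' models check-gateway."""
    return {
        "main": [
            ("192.168.10.0/24", "bridge", True),
            ("192.168.50.0/24", "vlan50", True),
            ("192.168.66.0/24", "vlan66", True),
            ("0.0.0.0/0", "10.200.126.129", cznet_up),  # CZNET default
            ("0.0.0.0/0", "pppoe-out1", uvt_up),        # UVT default
        ],
        "to-wan-uvt": [("0.0.0.0/0", "pppoe-out1", uvt_up)],
        "to-wan-cznet": [("0.0.0.0/0", "10.200.126.129", cznet_up)],
    }


def lookup(table, dst, min_prefix=None):
    """Longest-prefix match over active routes.  With min_prefix set, routes
    whose prefix length is not longer than it are ignored, so min_prefix=0
    leaves only non-default routes.  Equal-length ties go to the first
    listed route (real RouterOS would ECMP them)."""
    best = None
    for prefix, gw, active in table:
        net = ipaddress.ip_network(prefix)
        if not active or dst not in net:
            continue
        if min_prefix is not None and net.prefixlen <= min_prefix:
            continue
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, gw)
    return best[1] if best else None


def route(rules, tbls, src, in_iface, dst):
    """Walk rules top to bottom.  src/iface matchers that fail skip the rule.
    'lookup' falls through when its table has no usable route;
    'lookup-only-in-table' is final (None = unreachable).  A min-prefix rule
    that finds nothing is treated as not matching.  With no decision, the
    main table is consulted."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if "src" in r and src_ip not in ipaddress.ip_network(r["src"]):
            continue
        if "iface" in r and r["iface"] != in_iface:
            continue
        gw = lookup(tbls[r["table"]], dst_ip, r.get("min_prefix"))
        if gw is not None:
            return gw
        if r.get("min_prefix") is not None:
            continue
        if r["action"] == "lookup-only-in-table":
            return None
    return lookup(tbls["main"], dst_ip)


# Rule set from the reply above: per source address, lookup falls through.
RULES_BY_SOURCE = [
    {"action": "lookup-only-in-table", "table": "main", "min_prefix": 0},
    {"action": "lookup", "table": "to-wan-uvt", "src": "192.168.10.0/24"},
    {"action": "lookup", "table": "to-wan-cznet", "src": "192.168.50.0/24"},
]

# Rule set from the earlier reply: per ingress interface, lookup is final.
RULES_BY_INTERFACE = [
    {"action": "lookup", "table": "main", "min_prefix": 0},
    {"action": "lookup-only-in-table", "table": "to-wan-uvt", "iface": "bridge"},
    {"action": "lookup-only-in-table", "table": "to-wan-cznet", "iface": "vlan50"},
]


def scenario(rules, uvt_up=True):
    """Gateway chosen for three representative flows (constructed hosts)."""
    t = tables(uvt_up=uvt_up)
    return {
        "lan->internet": route(rules, t, "192.168.10.5", "bridge", "1.1.1.1"),
        "guest->internet": route(rules, t, "192.168.50.5", "vlan50", "1.1.1.1"),
        "lan->iot": route(rules, t, "192.168.10.5", "bridge", "192.168.66.7"),
    }


if __name__ == "__main__":
    for name, rules in (("by-source", RULES_BY_SOURCE), ("by-interface", RULES_BY_INTERFACE)):
        for up in (True, False):
            print(name, "uvt_up=%s" % up, scenario(rules, uvt_up=up))
```

With both links up the two rule sets agree; with pppoe-out1 down, the per-source set falls back to the main table and picks the CZNET default, while the per-interface set returns unreachable for the main LAN, which is the failover point the post above makes about letting the router reach the main table.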