ECMP load Balance + Port forwarding random WAN fail.

jason9456402 · April 18, 2024, 8:24am

I has been build ECMP load balance on mikrotik os version 7.14.2 (Behind nat). I have 2 Wan to access my web server internally. some of user manage to use Wan1, but not Wan2. some of user manage to access through Wan2, but not Wan1. do you all have any idea to make it both Wan public IP address manage to access my web server for any user?

Below is my config parameter.

[admin@MikroTik] /ip/route> /ip address print
Flags: X - DISABLED
Columns: ADDRESS, NETWORK, INTERFACE

ADDRESS NETWORK INTERFACE

;;; defconf
0 X 192.168.88.1/24 192.168.88.0 bridge
;;; LAN
1 192.168.0.2/23 192.168.0.0 bridge
;;; ISP2
2 172.28.2.2/24 172.28.2.0 ether2
;;; ISP1
3 172.28.1.2/24 172.28.1.0 ether1
;;; Ether5
4 X 192.168.0.1/32 192.168.0.0 ether5

[admin@MikroTik] /ip/route> print
Flags: D - DYNAMIC; I - INACTIVE, A - ACTIVE; c - CONNECT, s - STATIC; H - HW-OFFLOADED; + - ECMP
Columns: DST-ADDRESS, GATEWAY, DISTANCE

DST-ADDRESS GATEWAY DISTANCE

0 As + 0.0.0.0/0 172.28.1.1 1
1 As + 0.0.0.0/0 172.28.2.1 1
DAc 172.28.1.0/24 ether1 0
DAc 172.28.2.0/24 ether2 0
DAc 192.168.0.0/23 bridge 0
2 As 0.0.0.0/0 172.28.1.1 1
3 As 0.0.0.0/0 172.28.2.1 1

[admin@MikroTik] /ip/route> /ip firewall nat print
Flags: X - disabled, I - invalid; D - dynamic
0 X chain=srcnat action=masquerade src-address=192.168.0.200 out-interface=ether1 log=no log-prefix=""

1 X chain=srcnat action=masquerade src-address=192.168.0.200 out-interface=ether2 log=no log-prefix=""

2 X chain=srcnat action=masquerade out-interface=Unifi log=no log-prefix=""

3 ;;; defconf: masquerade
chain=srcnat action=masquerade out-interface=ether1 log=no log-prefix="" ipsec-policy=out,none

4 ;;; defconf: masquerade
chain=srcnat action=masquerade out-interface=ether2 log=no log-prefix="" ipsec-policy=out,none

5 chain=dstnat action=dst-nat to-addresses=192.168.0.205 to-ports=8000 protocol=tcp dst-address=172.28.1.2 in-interface=ether1 dst-port=8001 log=no
log-prefix=""

6 chain=dstnat action=dst-nat to-addresses=192.168.0.205 to-ports=8000 protocol=tcp dst-address=172.28.2.2 in-interface=ether2 dst-port=8000 log=no
log-prefix=""

[admin@MikroTik] /ip/route> /ip firewall mangle print
Flags: X - disabled, I - invalid; D - dynamic
0 D ;;; special dummy rule to show fasttrack counters
chain=prerouting action=passthrough

1 D ;;; special dummy rule to show fasttrack counters
chain=forward action=passthrough

2 D ;;; special dummy rule to show fasttrack counters
chain=postrouting action=passthrough

3 chain=input action=mark-connection new-connection-mark=ISP1-Con passthrough=yes in-interface=ether1 log=no log-prefix=""

4 chain=input action=mark-connection new-connection-mark=ISP2-Con passthrough=yes in-interface=ether2 log=no log-prefix=""

5 chain=output action=mark-routing new-routing-mark=ISP1 passthrough=no connection-mark=ISP1-Con log=no log-prefix=""

6 chain=output action=mark-routing new-routing-mark=ISP2 passthrough=no connection-mark=ISP2-Con log=no log-prefix=""

7 chain=prerouting action=mark-routing new-routing-mark=ISP1 passthrough=no connection-mark=ISP1-Con in-interface=bridge log=no log-prefix=""

8 chain=prerouting action=mark-routing new-routing-mark=ISP2 passthrough=no connection-mark=ISP2-Con in-interface=bridge log=no log-prefix=""

[admin@MikroTik] /ip/route> /ip firewall filter print
Flags: X - disabled, I - invalid; D - dynamic
0 D ;;; special dummy rule to show fasttrack counters
chain=forward action=passthrough

1 X ;;; Allow incoming traffic on the desired port
chain=input action=accept protocol=tcp dst-port=22 log=no log-prefix=""

2 ;;; defconf: accept established,related,untracked
chain=input action=accept connection-state=established,related,untracked

3 ;;; defconf: accept ICMP
chain=input action=accept protocol=icmp log=no log-prefix=""

4 ;;; defconf: drop invalid
chain=input action=drop connection-state=invalid log=no log-prefix=""

5 ;;; defconf: accept to local loopback (for CAPsMAN)
chain=input action=accept dst-address=127.0.0.1

6 ;;; defconf: drop all not coming from LAN
chain=input action=drop in-interface-list=!LAN log=no log-prefix=""

7 ;;; defconf: accept in ipsec policy
chain=forward action=accept ipsec-policy=in,ipsec

8 ;;; defconf: accept out ipsec policy
chain=forward action=accept ipsec-policy=out,ipsec

9 ;;; defconf: fasttrack
chain=forward action=fasttrack-connection hw-offload=yes connection-state=established,related

chain=forward action=accept connection-state=established,related,untracked

11 ;;; defconf: drop invalid
chain=forward action=drop connection-state=invalid log=no log-prefix=""

12 ;;; defconf: drop all from WAN not DSTNATed
chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN

llamajaja · April 18, 2024, 12:40pm

Need to post config properly

/export file=anynameyouwish (minus router serial number, any public WANIP information, keys )

I can help if you wish to change to PCC, which is better load balancing,

jason9456402 · April 19, 2024, 2:44pm

Thanks for your help. Below is my environment and config in mikrotik.

mikrotik IP: 192.168.0.2 (behind nat)
ISP router IP: 172.28.1.1 (TPLINK) plug into mikrotik ether1
ISP2 router IP: 172.28.2.1 (DLINK) plug into mikrotik ether2
unmanageable switch: plug into mikrotik ether3,4,5,6,7,8,9,10
port forward from ISP public ip will forward into 192.168.0.205 through tcp 8000
port forward from ISP2 public ip will forward into 192.168.0.205 through tcp 8000
meet requirement: user manage to use ISP1 or ISP2 public ip access this web server. if ISP1 is down, user will still manage to access web using ISP2. if ISP2 down, user still manage to access web using ISP1.

[admin@MikroTik] > /export

2024-04-19 12:56:23 by RouterOS 7.14.2

software id = 241T-8R6Y

model = RB3011UiAS

serial number = 8EF20A2AB76D

/interface bridge
add admin-mac=74:4D:28:0C:4B:66 auto-mac=no comment=defconf name=bridge port-cost-mode=short
/interface ethernet
set [ find default-name=ether1 ] comment=ISP1
set [ find default-name=ether2 ] comment=ISP2 disabled=yes
set [ find default-name=ether3 ] comment=LAN
/interface vlan
add comment=Unifi-BTU interface=ether5 name=vlan500 vlan-id=500
/interface pppoe-client
add add-default-route=yes interface=vlan500 max-mru=1492 max-mtu=1492 name=Unifi use-peer-dns=yes user=dennisa812@unifibiz
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp disabled=yes interface=bridge lease-time=10m name=defconf
/port
set 0 name=serial0
/routing table
add fib name=ISP1
add fib name=ISP2
add disabled=no fib name=asterisk-traffic
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether6 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether7 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether8 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether9 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether10 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp1 internal-path-cost=10 path-cost=10
add bridge=bridge ingress-filtering=no interface=ether3 internal-path-cost=10 path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set max-neighbor-entries=8192
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=172.28.1.1 interface=ether1 list=WAN
add comment=172.28.2.1 interface=ether2 list=WAN
/interface ovpn-server server
set auth=sha1,md5
/ip address
add address=192.168.88.1/24 comment=defconf disabled=yes interface=bridge network=192.168.88.0
add address=192.168.0.2/23 comment=LAN interface=bridge network=192.168.0.0
add address=172.28.2.2/24 comment=ISP2 interface=ether2 network=172.28.2.0
add address=172.28.1.2/24 comment=ISP1 interface=ether1 network=172.28.1.0
add address=192.168.0.1 comment=Ether5 disabled=yes interface=ether5 network=192.168.0.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=192.168.0.2,8.8.8.8
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="Allow incoming traffic on the desired port" disabled=yes dst-port=22 protocol=tcp
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=mark-connection chain=input in-interface=ether1 new-connection-mark=ISP1-Con passthrough=yes
add action=mark-connection chain=input in-interface=ether2 new-connection-mark=ISP2-Con passthrough=yes
add action=mark-routing chain=output connection-mark=ISP1-Con new-routing-mark=ISP1 passthrough=no
add action=mark-routing chain=output connection-mark=ISP2-Con new-routing-mark=ISP2 passthrough=no
add action=mark-routing chain=prerouting new-routing-mark=ISP1 passthrough=yes src-address=172.28.1.1
add action=mark-routing chain=prerouting new-routing-mark=ISP2 passthrough=yes src-address=172.28.2.1
add action=mark-routing chain=prerouting connection-mark=ISP1-Con in-interface=bridge log=yes new-routing-mark=ISP1 passthrough=no
add action=mark-routing chain=prerouting connection-mark=ISP2-Con in-interface=bridge log=yes new-routing-mark=ISP2 passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat disabled=yes out-interface=ether1 src-address=192.168.0.200
add action=masquerade chain=srcnat disabled=yes out-interface=ether2 src-address=192.168.0.200
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface=ether1
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface=ether2
add action=dst-nat chain=dstnat dst-address=172.28.1.2 dst-port=8000 in-interface=ether1 protocol=tcp to-addresses=192.168.0.205 to-ports=8000
add action=dst-nat chain=dstnat dst-address=172.28.2.2 dst-port=8000 in-interface=ether2 protocol=tcp to-addresses=192.168.0.205 to-ports=8000
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=172.28.1.1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=172.28.2.1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=172.28.1.1 pref-src="" routing-table=ISP1 scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=172.28.2.1 pref-src="" routing-table=ISP2 scope=30 suppress-hw-offload=no target-scope=10
/lcd
set time-interval=hour
/routing bfd configuration
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5
/routing rule
add action=lookup disabled=no routing-mark=ISP1 src-address=172.28.1.1/32 table=ISP1
add action=lookup disabled=no routing-mark=ISP2 src-address=172.28.2.1/32 table=ISP2
/system clock
set time-zone-name=Asia/Kuala_Lumpur
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

anav · April 19, 2024, 4:03pm

Unfortunately your config has some issues that need clarification.

Why is ether2 disabled?
Why do you have a VLAN, for what looks like a THIRD WAN pppoe connection? I thought your WAN1 and WAN2 were private IPs from a TP link and D link router??
You stated the mikrotik has an IP of 192.168.0.2 but then the bridge uses 192.168.88.1, so nothing is making sense so far.
Then later in ip address, the bridge is disabled?? but you have an IP pool for 88 network but disable the address in IP address and enable 192.168.0.2/23 ??
can I assume your ether5 IP address is to access the router off bridge if necessary?

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

a. One LAN subnet 192.168.0.0/24
b. ether5 is off bridge access to congfig router given IP of 192.168.55.1//24 ( just change ipv4 settings on laptop/pc to 192.168.55.5 for example and you can access router )

I will go on the assumption for the following.
You have two WANS and will remove any ppoe and any vlan, since you didnt mention it, can only assume it should not be on your config.

+++++++++++++++++++++++++++++++++++++++++++++++++++

c. IP static DNS entry was removed!
d. ipv6 settings disabled.
e. remove routing rules not required
f. adjusted mangles and routes and sourcenat

+++++++++++++++++++

# 2024-04-19 12:56:23 by RouterOS 7.14.2
#
# model = RB3011UiAS
# serial number = "removed for security reasons" 
/interface bridge
add admin-mac=XX.XX.XX.XX.XX auto-mac=no comment=defconf name=bridge port-cost-mode=short
/interface ethernet
set [ find default-name=ether1 ] comment=ISP1
set [ find default-name=ether2 ] comment=ISP2 disabled=no
set [ find default-name=ether3 ] comment=LAN
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=default-dhcp ranges=192.168.0.10-192.168.0.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge lease-time=10m name=defcon
/routing table
add fib name=useISP1
add fib name=useISP2
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3 
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4 
add bridge=bridge comment=defconf ingress-filtering=no interface=ether6 
add bridge=bridge comment=defconf ingress-filtering=no interface=ether8 
add bridge=bridge comment=defconf ingress-filtering=no interface=ether9 
add bridge=bridge comment=defconf ingress-filtering=no interface=ether10 
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp1 i
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes 
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=172.28.1.1 interface=ether1 list=WAN
add comment=172.28.2.1 interface=ether2 list=WAN
add interface=ether5 list=LAN
/ip address
add address=192.168.0.0/24 comment=LAN interface=bridge network=192.168.0.0
add address=172.28.2.2/24 comment=ISP2 interface=ether2 network=172.28.2.0
add address=172.28.1.2/24 comment=ISP1 interface=ether1 network=172.28.1.0
add address=192.168.55.1/24 comment=Ether5 disabled=no interface=ether5 network=192.168.55.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-server network
add address=192.168.0.0/24 dns-server=192.168.0.1   comment=defconf gateway=192.168.0.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8
/ip firewall address-list   {  use dhcp static leases }
add address=192.168.0.XX/32  list=Authorized  comment="admin desktop"
add address=192.168.0.YY/32  list=Authorized  comment="admin laptop wired"
add address=192.168.0.AA/32  list=Authorized  comment="admin laptop wifi"
add address=192.168.0.BB/32  list=Authorized  comment="admin smartphone/ipad"
add address=192.168.55.0/24  list=Authorized  comment="off bridge access"
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="admin access"  src-address-list=Authorized
add action=accept chain=input comment="users DNS services" dst-port=53 protocol=udp in-interface-list=LAN
add action=accept chain=input comment="users DNS services" dst-port=53 protocol=tcp in-interface-list=LAN
add action=drop chain=input comment="Drop all else"  { Put this rule in last so you dont lock yourself out }
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes connection-mark=no-mark
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="internet traffic"  in-interface=list=LAN out-interface-list=WAN
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
add action=drop  chain=forward comment="Drop all else"
/ip firewall mangle
{ first we mangle the external user coming to servers }
add action=mark-connection chain=forward connection-mark=no-mark in-interface=ether1 \
    new-connection-mark=ISP1-Con passthrough=yes
add action=mark-connection chain=forward connection-mark=no-mark in-interface=ether2 \
    new-connection-mark=ISP2-Con passthrough=yes
add action=mark-routing chain=prerouting connection-mark=ISP1-Con  \
    new-routing-mark=useISP1 passthrough=no
add action=mark-routing chain=prerouting connection-mark=ISP2-Con  \
    new-routing-mark=useISP2 passthrough=no
{next we mangle for PCC load balancing traffic originating on the LAN}
add action=mark-connection chain=forward connection-mark=no-mark \
    dst-address-type=!local new-connection-mark=PCCtoWAN1 passthrough=yes \
    in-interface-list=bridge per-connection-classifier=src-address-and-port:2/0 \
	comment="Identify Traffic from LAN to go out WAN1"
add action=mark-connection chain=forward connection-mark=no-mark \
    dst-address-type=!local new-connection-mark=PCCtoWAN2 passthrough=yes \
    in-interface-list=bridge per-connection-classifier=src-address-and-port:2/1 \
	comment="Identify Traffic from LAN to go out WAN2"
add action=mark-routing chain=prerouting connection-mark=PCCtoWAN1 \
    new-routing-mark=useWAN1 passthrough=no \
	commment="Route traffic from PCC to WAN1" 
add action=mark-routing chain=prerouting connection-mark=PCCtoWAN2 \
    new-routing-mark=useWAN2 passthrough=no \
	commment="Route traffic from PCC to WAN2"
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1 
add action=masquerade chain=srcnat out-interface=ether2 
add action=dst-nat chain=dstnat dst-address=172.28.1.2 dst-port=8000 in-interface=ether1 protocol=tcp to-addresses=192.168.0.205 
add action=dst-nat chain=dstnat dst-address=172.28.2.2 dst-port=8000 in-interface=ether2 protocol=tcp to-addresses=192.168.0.205
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
/ip route
add check-gateway=ping distance=1 dst-address=0.0.0.0/0 gateway=172.28.1.1 routing-table=main 
add check-gateway=ping distance=2 dst-address=0.0.0.0/0 gateway=172.28.2.1 routing-table=main
add dst-address=0.0.0.0/0 gateway=172.28.1.1 routing-table=useISP1 
add dst-address=0.0.0.0/0 gateway=172.28.2.1 routing-table=useISP2 
/lcd
set time-interval=hour
/routing bfd configuration
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=
/system clock
set time-zone-name=Asia/Kuala_Lumpur
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=NONE
/tool mac-server mac-winbox
set allowed-interface-list=LAN

jason9456402 · April 23, 2024, 1:04pm

Unfortunately your config has some issues that need clarification.

Why is ether2 disabled?
Why do you have a VLAN, for what looks like a THIRD WAN pppoe connection? I thought your WAN1 and WAN2 were private IPs from a TP link and D link router??
You stated the mikrotik has an IP of 192.168.0.2 but then the bridge uses 192.168.88.1, so nothing is making sense so far.
Then later in ip address, the bridge is disabled?? but you have an IP pool for 88 network but disable the address in IP address and enable 192.168.0.2/23 ??
can I assume your ether5 IP address is to access the router off bridge if necessary?

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

a. One LAN subnet 192.168.0.0/24
b. ether5 is off bridge access to congfig router given IP of 192.168.55.1//24 ( just change ipv4 settings on laptop/pc to 192.168.55.5 for example and you can access router )

I will go on the assumption for the following.
You have two WANS and will remove any ppoe and any vlan, since you didnt mention it, can only assume it should not be on your config.

+++++++++++++++++++++++++++++++++++++++++++++++++++

c. IP static DNS entry was removed!
d. ipv6 settings disabled.
e. remove routing rules not required
f. adjusted mangles and routes and sourcenat

+++++++++++++++++++

# 2024-04-19 12:56:23 by RouterOS 7.14.2
#
# model = RB3011UiAS
# serial number = "removed for security reasons" 
/interface bridge
add admin-mac=XX.XX.XX.XX.XX auto-mac=no comment=defconf name=bridge port-cost-mode=short
/interface ethernet
set [ find default-name=ether1 ] comment=ISP1
set [ find default-name=ether2 ] comment=ISP2 disabled=no
set [ find default-name=ether3 ] comment=LAN
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=default-dhcp ranges=192.168.0.10-192.168.0.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge lease-time=10m name=defcon
/routing table
add fib name=useISP1
add fib name=useISP2
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3 
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4 
add bridge=bridge comment=defconf ingress-filtering=no interface=ether6 
add bridge=bridge comment=defconf ingress-filtering=no interface=ether8 
add bridge=bridge comment=defconf ingress-filtering=no interface=ether9 
add bridge=bridge comment=defconf ingress-filtering=no interface=ether10 
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp1 i
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes 
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=172.28.1.1 interface=ether1 list=WAN
add comment=172.28.2.1 interface=ether2 list=WAN
add interface=ether5 list=LAN
/ip address
add address=192.168.0.0/24 comment=LAN interface=bridge network=192.168.0.0
add address=172.28.2.2/24 comment=ISP2 interface=ether2 network=172.28.2.0
add address=172.28.1.2/24 comment=ISP1 interface=ether1 network=172.28.1.0
add address=192.168.55.1/24 comment=Ether5 disabled=no interface=ether5 network=192.168.55.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-server network
add address=192.168.0.0/24 dns-server=192.168.0.1   comment=defconf gateway=192.168.0.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8
/ip firewall address-list   {  use dhcp static leases }
add address=192.168.0.XX/32  list=Authorized  comment="admin desktop"
add address=192.168.0.YY/32  list=Authorized  comment="admin laptop wired"
add address=192.168.0.AA/32  list=Authorized  comment="admin laptop wifi"
add address=192.168.0.BB/32  list=Authorized  comment="admin smartphone/ipad"
add address=192.168.55.0/24  list=Authorized  comment="off bridge access"
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="admin access"  src-address-list=Authorized
add action=accept chain=input comment="users DNS services" dst-port=53 protocol=udp in-interface-list=LAN
add action=accept chain=input comment="users DNS services" dst-port=53 protocol=tcp in-interface-list=LAN
add action=drop chain=input comment="Drop all else"  { Put this rule in last so you dont lock yourself out }
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes connection-mark=no-mark
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="internet traffic"  in-interface=list=LAN out-interface-list=WAN
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
add action=drop  chain=forward comment="Drop all else"
/ip firewall mangle
{ first we mangle the external user coming to servers }
add action=mark-connection chain=forward connection-mark=no-mark in-interface=ether1 \
    new-connection-mark=ISP1-Con passthrough=yes
add action=mark-connection chain=forward connection-mark=no-mark in-interface=ether2 \
    new-connection-mark=ISP2-Con passthrough=yes
add action=mark-routing chain=prerouting connection-mark=ISP1-Con  \
    new-routing-mark=useISP1 passthrough=no
add action=mark-routing chain=prerouting connection-mark=ISP2-Con  \
    new-routing-mark=useISP2 passthrough=no
{next we mangle for PCC load balancing traffic originating on the LAN}
add action=mark-connection chain=forward connection-mark=no-mark \
    dst-address-type=!local new-connection-mark=PCCtoWAN1 passthrough=yes \
    in-interface-list=bridge per-connection-classifier=src-address-and-port:2/0 \
	comment="Identify Traffic from LAN to go out WAN1"
add action=mark-connection chain=forward connection-mark=no-mark \
    dst-address-type=!local new-connection-mark=PCCtoWAN2 passthrough=yes \
    in-interface-list=bridge per-connection-classifier=src-address-and-port:2/1 \
	comment="Identify Traffic from LAN to go out WAN2"
add action=mark-routing chain=prerouting connection-mark=PCCtoWAN1 \
    new-routing-mark=useWAN1 passthrough=no \
	commment="Route traffic from PCC to WAN1" 
add action=mark-routing chain=prerouting connection-mark=PCCtoWAN2 \
    new-routing-mark=useWAN2 passthrough=no \
	commment="Route traffic from PCC to WAN2"
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1 
add action=masquerade chain=srcnat out-interface=ether2 
add action=dst-nat chain=dstnat dst-address=172.28.1.2 dst-port=8000 in-interface=ether1 protocol=tcp to-addresses=192.168.0.205 
add action=dst-nat chain=dstnat dst-address=172.28.2.2 dst-port=8000 in-interface=ether2 protocol=tcp to-addresses=192.168.0.205
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
/ip route
add check-gateway=ping distance=1 dst-address=0.0.0.0/0 gateway=172.28.1.1 routing-table=main 
add check-gateway=ping distance=2 dst-address=0.0.0.0/0 gateway=172.28.2.1 routing-table=main
add dst-address=0.0.0.0/0 gateway=172.28.1.1 routing-table=useISP1 
add dst-address=0.0.0.0/0 gateway=172.28.2.1 routing-table=useISP2 
/lcd
set time-interval=hour
/routing bfd configuration
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=
/system clock
set time-zone-name=Asia/Kuala_Lumpur
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=NONE
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Thanks for your guideline. Below is my export config file. I found that Route traffic from PCC to WAN will causing client device no internet, but mikrotik terminal ping to google successfully.

Why is ether2 disabled?
reply: should be enable. that time ECMP running 2 WAN will having some issue.
Why do you have a VLAN, for what looks like a THIRD WAN pppoe connection? I thought your WAN1 and WAN2 were private IPs from a TP link and D link router??
reply: VLAN can be ignore. that time is using for testing purpose.
You stated the mikrotik has an IP of 192.168.0.2 but then the bridge uses 192.168.88.1, so nothing is making sense so far.
reply: this is not saying that my bridge ether 3,4,6,7,8,9,10 manage to access router portal?
Then later in ip address, the bridge is disabled?? but you have an IP pool for 88 network but disable the address in IP address and enable 192.168.0.2/23 ??
reply: im no longer need DCHP from mikrotik and 192.168.88.1 also not using.
can I assume your ether5 IP address is to access the router off bridge if necessary?
reply: can I allow ether3,4,5,6,7,8,9,10 manage to access router?

Currently my router configuration value.
[admin@MikroTik] /ip/firewall/mangle> /export

2024-04-23 20:42:50 by RouterOS 7.14.2

software id = 241T-8R6Y

model = RB3011UiAS

serial number =

/interface bridge
add admin-mac= auto-mac=no comment=defconf name=bridge port-cost-mode=short
/interface ethernet
set [ find default-name=ether1 ] comment=ISP1
set [ find default-name=ether2 ] comment=ISP2
set [ find default-name=ether3 ] comment=LAN
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp disabled=yes interface=bridge lease-time=10m name=defconf
/port
set 0 name=serial0
/routing table
add fib name=ISP1
add fib name=ISP2
add disabled=no fib name=asterisk-traffic
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether6 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether7 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether8 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether9 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether10 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp1 internal-path-cost=10 path-cost=10
add bridge=bridge ingress-filtering=no interface=ether3 internal-path-cost=10 path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=172.28.1.1 interface=ether1 list=WAN
add comment=172.28.2.1 interface=ether2 list=WAN
/interface ovpn-server server
set auth=sha1,md5
/ip address
add address=192.168.0.2/23 comment=LAN interface=bridge network=192.168.0.0
add address=172.28.2.2/24 comment=ISP2 interface=ether2 network=172.28.2.0
add address=172.28.1.2/24 comment=ISP1 interface=ether1 network=172.28.1.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-server network
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall address-list
add address=192.168.0.200 list=asterisk
add address=95.214.55.253 comment="Not Malaysia IP" list=Banned
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=mark-connection chain=forward connection-mark=no-mark in-interface=ether1 new-connection-mark=ISP1-Con passthrough=yes
add action=mark-connection chain=forward connection-mark=no-mark in-interface=ether2 new-connection-mark=ISP2-Con passthrough=yes
add action=mark-routing chain=prerouting connection-mark=ISP1-Con new-routing-mark=ISP1 passthrough=no
add action=mark-routing chain=prerouting connection-mark=ISP2-Con new-routing-mark=ISP2 passthrough=no
add action=mark-connection chain=forward comment="Identify Traffic from LAN to go out WAN1" connection-mark=no-mark dst-address-type=!local in-interface-list=LAN
new-connection-mark=PCCtoWAN1 passthrough=yes per-connection-classifier=src-address-and-port:2/0
add action=mark-connection chain=forward comment="Identify Traffic from LAN to go out WAN2" connection-mark=no-mark dst-address-type=!local in-interface-list=LAN
new-connection-mark=PCCtoWAN2 passthrough=yes per-connection-classifier=src-address-and-port:2/1
add action=mark-routing chain=prerouting comment="Route traffic from PCC to WAN1" connection-mark=PCCtoWAN1 disabled=yes new-routing-mark=ISP1 passthrough=no
add action=mark-routing chain=prerouting comment="Route traffic from PCC to WAN2" connection-mark=PCCtoWAN2 disabled=yes new-routing-mark=ISP2 passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface=ether1
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface=ether2
add action=dst-nat chain=dstnat dst-address=172.28.1.2 dst-port=8000 in-interface=ether1 protocol=tcp to-addresses=192.168.0.205 to-ports=8000
add action=dst-nat chain=dstnat dst-address=172.28.2.2 dst-port=8000 in-interface=ether2 protocol=tcp to-addresses=192.168.0.205 to-ports=8000
add action=dst-nat chain=dstnat dst-address=172.28.1.2 dst-port=3389 in-interface=ether1 protocol=tcp to-addresses=192.168.0.216 to-ports=3389
add action=dst-nat chain=dstnat dst-address=172.28.2.2 dst-port=3389 in-interface=ether2 protocol=tcp to-addresses=192.168.0.216 to-ports=3389
add action=dst-nat chain=dstnat dst-address=172.28.1.2 dst-port=81 in-interface=ether1 protocol=tcp to-addresses=192.168.0.216 to-ports=80
add action=dst-nat chain=dstnat dst-address=172.28.2.2 dst-port=80 in-interface=ether2 protocol=tcp to-addresses=192.168.0.216 to-ports=80
add action=dst-nat chain=dstnat comment=AnnCRM dst-address=172.28.1.2 dst-port=8889 in-interface=ether1 protocol=tcp to-addresses=192.168.0.215 to-ports=8080
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
/ip route
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=172.28.1.1 pref-src="" routing-table=main suppress-hw-offload=no
add check-gateway=ping disabled=no distance=2 dst-address=0.0.0.0/0 gateway=172.28.2.1 pref-src="" routing-table=main suppress-hw-offload=no
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=172.28.1.1 pref-src="" routing-table=ISP1 scope=30 suppress-hw-offload=no target-scope=
10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=172.28.2.1 pref-src="" routing-table=ISP2 scope=30 suppress-hw-offload=no target-scope=10
/lcd
set time-interval=hour
/routing bfd configuration
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5
/routing rule
add action=lookup disabled=yes routing-mark=ISP2 src-address=172.28.2.1/32 table=ISP2
add action=lookup disabled=no routing-mark=ISP1 src-address=172.28.1.1/32 table=ISP1
/system clock
set time-zone-name=Asia/Kuala_Lumpur
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool sniffer
set filter-interface=ether2 filter-src-ip-address=113.210.63.230/32