[HELP] Mikrotik Multi WAN

Hello everyone, I need your help. I am connecting two different ISP WAN connections to my MikroTik device, and my goal is to separate them based on LAN ports. For example, I want to use ISP1 when connected to port 1 and ISP2 when connected to port 2. I have prepared a configuration for this, but it’s not working stably. Yes, it does what I want, but the IP addresses seem to mix up. I have a web server (10.0.2.100), and when I use the configuration I set up, sometimes I can’t access it, and when I can, it’s very slow. When I disable the other WAN interface, the server works normally. I think there are some errors in the firewall settings. I would appreciate your help.

# Rename the physical ports: ether1 and ether2 become the two ISP uplinks and
# ether3..ether24 become LAN-1..LAN-22, so LAN-n is physically ether(n+2).
/interface ethernet
set [find default-name="ether1"] name=WAN-ISP1
set [find default-name="ether2"] name=WAN-ISP2
set [find default-name="ether3"] name=LAN-1
set [find default-name="ether4"] name=LAN-2
set [find default-name="ether5"] name=LAN-3
set [find default-name="ether6"] name=LAN-4
set [find default-name="ether7"] name=LAN-5
set [find default-name="ether8"] name=LAN-6
set [find default-name="ether9"] name=LAN-7
set [find default-name="ether10"] name=LAN-8
set [find default-name="ether11"] name=LAN-9
set [find default-name="ether12"] name=LAN-10
set [find default-name="ether13"] name=LAN-11
set [find default-name="ether14"] name=LAN-12
set [find default-name="ether15"] name=LAN-13
set [find default-name="ether16"] name=LAN-14
set [find default-name="ether17"] name=LAN-15
set [find default-name="ether18"] name=LAN-16
set [find default-name="ether19"] name=LAN-17
set [find default-name="ether20"] name=LAN-18
set [find default-name="ether21"] name=LAN-19
set [find default-name="ether22"] name=LAN-20
set [find default-name="ether23"] name=LAN-21
set [find default-name="ether24"] name=LAN-22

# Two bridges, one per ISP. Odd-numbered LAN ports join LAN-ISP1 and
# even-numbered LAN ports join LAN-ISP2.
/interface bridge
add name=LAN-ISP1
add name=LAN-ISP2

# Once a port is a bridge member, routed traffic is seen by the IP firewall as
# arriving on the bridge (LAN-ISP1 / LAN-ISP2), not on the member port itself.
/interface bridge port
add bridge=LAN-ISP1 interface=LAN-1
add bridge=LAN-ISP1 interface=LAN-3
add bridge=LAN-ISP1 interface=LAN-5
add bridge=LAN-ISP1 interface=LAN-7
add bridge=LAN-ISP1 interface=LAN-9
add bridge=LAN-ISP1 interface=LAN-11
add bridge=LAN-ISP1 interface=LAN-13
add bridge=LAN-ISP1 interface=LAN-15
add bridge=LAN-ISP1 interface=LAN-17
add bridge=LAN-ISP1 interface=LAN-19
add bridge=LAN-ISP1 interface=LAN-21

add bridge=LAN-ISP2 interface=LAN-2
add bridge=LAN-ISP2 interface=LAN-4
add bridge=LAN-ISP2 interface=LAN-6
add bridge=LAN-ISP2 interface=LAN-8
add bridge=LAN-ISP2 interface=LAN-10
add bridge=LAN-ISP2 interface=LAN-12
add bridge=LAN-ISP2 interface=LAN-14
add bridge=LAN-ISP2 interface=LAN-16
add bridge=LAN-ISP2 interface=LAN-18
add bridge=LAN-ISP2 interface=LAN-20
add bridge=LAN-ISP2 interface=LAN-22

# Router addresses on the two bridges; each is the gateway for its /24.
/ip address
add address=10.0.2.1/24 interface=LAN-ISP1
add address=10.0.3.1/24 interface=LAN-ISP2

# Both uplinks obtain their address by DHCP.
# NOTE(review): no default-route distance is set on either client, so both are
# expected to install a default route into table main with the same distance;
# unmarked traffic (including the router's own) can then leave via either WAN.
# Confirm against the routing table and give the clients different distances
# if one WAN should be preferred.
/ip dhcp-client
add interface=WAN-ISP1 disabled=no
add interface=WAN-ISP2 disabled=no

# Source-NAT everything that leaves through either uplink to that uplink's
# address.
/ip firewall nat
add chain=srcnat out-interface=WAN-ISP1 action=masquerade
add chain=srcnat out-interface=WAN-ISP2 action=masquerade

# Address lists naming the two LAN subnets. No rule in the configuration shown
# here references them.
/ip firewall address-list
add list=LAN-ISP1 address=10.0.2.0/24
add list=LAN-ISP2 address=10.0.3.0/24

# Upstream resolvers used by the router itself.
/ip dns
set servers=1.1.1.1,1.0.0.1

# One extra routing table per ISP.
/routing table
add name=ISP1
add name=ISP2

# Mark both tables as FIB tables so they are usable for forwarding.
/routing table
set ISP1 fib
set ISP2 fib

# One route per table pointing at the matching uplink (no dst-address is
# given, so these are presumably meant as default routes).
# NOTE(review): the gateway is an interface name rather than a next-hop
# address. On an Ethernet uplink configured by DHCP the ISP's gateway IP is
# normally needed here — confirm; an interface-only gateway may contribute to
# the slow or unreliable forwarding described.
/ip route
add gateway=WAN-ISP1 routing-table=ISP1 distance=1
add gateway=WAN-ISP2 routing-table=ISP2 distance=1

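# Policy routing: send traffic from each LAN bridge to its own ISP table.
# The match is on the bridges, not on their member ports. LAN-1..LAN-22 are
# bridge ports, so the IP firewall never sees them as in-interface and
# per-port rules would stay at zero packets.
# NOTE(review): every packet arriving from a bridge is marked, including
# traffic addressed to the router itself or to the other LAN. Consider adding
# dst-address-type=!local and excluding the other LAN subnet — confirm against
# the intended inter-LAN policy.
/ip firewall mangle
add chain=prerouting in-interface=LAN-ISP1 action=mark-routing new-routing-mark=ISP1 passthrough=yes
add chain=prerouting in-interface=LAN-ISP2 action=mark-routing new-routing-mark=ISP2 passthrough=yes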

# Dynamic address pools, one per LAN subnet.
# NOTE(review): IPPool-ISP1 covers 10.0.2.100, the address the port-forward
# rule targets. No static lease or pool exclusion is visible here, so the
# server's address could be handed to another client — confirm that the server
# has a static lease or move it outside the pool.
/ip pool
add name=IPPool-ISP1 ranges=10.0.2.2-10.0.2.254
add name=IPPool-ISP2 ranges=10.0.3.2-10.0.3.254

# One DHCP server per bridge, each using the matching pool.
/ip dhcp-server
add address-pool=IPPool-ISP1 interface=LAN-ISP1 name=DHCPServer-ISP1
add address-pool=IPPool-ISP2 interface=LAN-ISP2 name=DHCPServer-ISP2 

# Options given to clients: the router as gateway and 1.1.1.1 as the only
# resolver (clients query it directly, not the router).
/ip dhcp-server network
add address=10.0.2.0/24 gateway=10.0.2.1 dns-server=1.1.1.1
add address=10.0.3.0/24 gateway=10.0.3.1 dns-server=1.1.1.1

/ip dhcp-server enable DHCPServer-ISP1
/ip dhcp-server enable DHCPServer-ISP2 

# Port forward to the web server.
# NOTE(review): the rule has no protocol, dst-port or dst-address matcher, so
# every new inbound connection arriving on WAN-ISP1 is translated to
# 10.0.2.100. That exposes every service listening on that host to the
# Internet, not only the web server. Restrict the rule to the protocol and
# port(s) the web server actually serves.
/ip firewall nat
add chain=dstnat in-interface=WAN-ISP1 action=dst-nat to-addresses=10.0.2.100

# Accepts all forwarded traffic that enters from WAN-ISP1.
# NOTE(review): no drop rule and no input-chain rule appears in the
# configuration shown, so this accept restricts nothing and the router's own
# services are not filtered on either WAN by anything visible here — confirm
# against the full export. The usual hardening is to accept
# established/related traffic and connection-nat-state=dstnat from the WANs,
# drop the remaining WAN-originated forward and input traffic, and limit
# management access to the LAN.
/ip firewall
filter add chain=forward in-interface=WAN-ISP1 action=accept

In your configuration, LAN-1 to LAN-22 are not IP interfaces, they are just member ports of their respective bridges. If you look at the packet and byte counters of those mangle rules, you’ll see that they stand at 0 because from the point of view of the IP firewall, there is no traffic that would match in-interface=LAN-x. Instead, use just two action=mark-routing rules, one matching on in-interface=LAN-ISP1 and the other one matching on in-interface=LAN-ISP2.

Since both the dhcp clients attached to WAN interfaces add the default routes to table main with the same distance of 1, packets without any routing mark assigned use a “random” WAN - the “random” is actually not that random as they actually use a hash of the source and destination address to choose the route.

Very confusing nomenclature,
There is no need to change etherport names, but if you must then at least have etherport3 name=LAN-3, and so forth.
I would not have thought of using bridges for grouping traffic like you have.
Now that it's clear you are doing port forwarding, the mangle rules get more complex and I would now move from routing rules to mangles…

However, carrying that forward.
One approach would be to mangle traffic coming from one bridge and another mangle traffic set of rules for the other bridge.

NOTE TRY ROUTING RULES ONLY, may be easier and if it works we can avoid mangling, See next post for how to!!

  1. FIRST we ensure that SERVER traffic goes out the correct WAN. I assumed that you have multiple servers and they can be accessed by either WAN so:
    {mark the traffic connections}
    # Tag new (still unmarked) connections that enter from each WAN and are
    # destined for an address in the SERVERS list, remembering which WAN they
    # came in on. The SERVERS address list is not defined in the configuration
    # posted above and must be created.
    add chain=forward action=mark-connection in-interface=WAN-ISP1 connection-mark=no-mark
    new-connection-mark=to-servers1 dst-address-list=SERVERS passthrough=yes
    add chain=forward action=mark-connection in-interface=WAN-ISP2 connection-mark=no-mark
    new-connection-mark=to-servers2 dst-address-list=SERVERS passthrough=yes
    {route the marked traffic}
    # Route packets of the tagged connections through the table of the WAN
    # they arrived on, so replies leave through the same ISP.
    # NOTE(review): these rules have no in-interface matcher, so they also
    # match later packets of the same connection arriving from the WAN. Those
    # packets would then be looked up in the ISP table instead of being
    # delivered to the server. Restricting the rules to the LAN bridge is the
    # usual form — confirm.
    add chain=prerouting action=mark-routing connection-mark=to-servers1
    new-routing-mark=ISP1 passthrough=no
    add chain=prerouting action=mark-routing connection-mark=to-servers2
    new-routing-mark=ISP2 passthrough=no

  2. Next we ensure the rest of the traffic goes out the appropriate WAN.
    {first mark connections}
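    # Tag new connections by the bridge they originate from. Traffic addressed
    # to the router itself (dst-address-type=!local) is left unmarked.
    # The second rule must match the second bridge (LAN-ISP2) and set
    # from-bridge2. The routing rules for this step look for that mark, and no
    # interface named LAN-ISP exists in the configuration.
    add chain=forward action=mark-connection in-interface=LAN-ISP1 connection-mark=no-mark
    new-connection-mark=from-bridge1 dst-address-type=!local passthrough=yes
    add chain=forward action=mark-connection in-interface=LAN-ISP2 connection-mark=no-mark
    new-connection-mark=from-bridge2 dst-address-type=!local passthrough=yes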

    { then mark routes }
    # Send packets of each bridge's connections through that bridge's ISP
    # table.
    # NOTE(review): without an in-interface matcher these rules also match
    # reply packets arriving from the WAN for the same connection; limiting
    # them to packets entering from the matching LAN bridge is the usual
    # form — confirm.
    add chain=prerouting action=mark-routing connection-mark=from-bridge1
    new-routing-mark=ISP1 passthrough=no
    add chain=prerouting action=mark-routing connection-mark=from-bridge2
    new-routing-mark=ISP2 passthrough=no

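# Main-table default routes. WAN1 is preferred and WAN2 (distance=2) is the
# backup. Each default route resolves through a public probe address
# (1.1.1.1 / 9.9.9.9) and check-gateway=ping withdraws it when that address
# stops answering.
/ip route
add check-gateway=ping dst-address=0.0.0.0/0 gateway=1.1.1.1 scope=10 target-scope=12 comment=WAN1
add distance=2 check-gateway=ping dst-address=0.0.0.0/0 gateway=9.9.9.9 scope=10 target-scope=12 comment=WAN2
# Host routes that pin each probe address to its own uplink. The first one
# must name WAN-ISP1: no interface called WAN-ISP21 exists in the
# configuration.
add dst-address=1.1.1.1/32 gateway=WAN-ISP1 routing-table=main scope=10 target-scope=11
add distance=2 dst-address=9.9.9.9/32 gateway=WAN-ISP2 routing-table=main scope=10 target-scope=11

# special table routes: one default route per ISP table
add dst-address=0.0.0.0/0 gateway=WAN-ISP1 routing-table=ISP1
add dst-address=0.0.0.0/0 gateway=WAN-ISP2 routing-table=ISP2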

Keeping with the routing rule theme sindy suggested..

It would look like no mangling and the following routing rules…
TRY THIS FIRST as it's much easier.

# Policy routing by source subnet, without mangle rules. Rules are evaluated
# in order.
/routing rule
# min-prefix=0 presumably limits this lookup to main-table routes more
# specific than the default route, so local and inter-LAN destinations are
# resolved in main first — confirm against the RouterOS version in use.
add action=lookup-only-in-table min-prefix=0 table=main
# Everything else is routed strictly by source subnet: 10.0.2.0/24 through
# table ISP1 and 10.0.3.0/24 through table ISP2.
add action=lookup-only-in-table src-address=10.0.2.0/24 table=ISP1
add action=lookup-only-in-table src-address=10.0.3.0/24 table=ISP2

Everything else the same.
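# Main-table default routes. WAN1 is preferred and WAN2 (distance=2) is the
# backup. Each default route resolves through a public probe address
# (1.1.1.1 / 9.9.9.9) and check-gateway=ping withdraws it when that address
# stops answering.
/ip route
add check-gateway=ping dst-address=0.0.0.0/0 gateway=1.1.1.1 scope=10 target-scope=12 comment=WAN1
add distance=2 check-gateway=ping dst-address=0.0.0.0/0 gateway=9.9.9.9 scope=10 target-scope=12 comment=WAN2
# Host routes that pin each probe address to its own uplink. The first one
# must name WAN-ISP1: no interface called WAN-ISP21 exists in the
# configuration.
add dst-address=1.1.1.1/32 gateway=WAN-ISP1 routing-table=main scope=10 target-scope=11
add distance=2 dst-address=9.9.9.9/32 gateway=WAN-ISP2 routing-table=main scope=10 target-scope=11
# special table routes: one default route per ISP table
add dst-address=0.0.0.0/0 gateway=WAN-ISP1 routing-table=ISP1
add dst-address=0.0.0.0/0 gateway=WAN-ISP2 routing-table=ISP2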