How configure 2Wan with one without routing mark?

Hello
I am going to the point:
I want that one IPs go throught wan1(default) others wan2. These Ips are clients IP which get Ip from pppoe server.
I search in mikrotik wiki and forum. Theoricaly, it is easy: only mark connections and route and create route with mark route…I must be the most stupid of the group. I have not gotten it to work.
Initially I thought my situation was simpler … wrong

What happen? When I mark IPs to go out through wan2 those IPs do not get out internet connection

My simplified code:

Previous note: wan2 is ether11 with the IP 192.168.1.200, wan1 is a vlan
ONLY I created a routing mark to wan2, wan1 without routing mark (maybe does it the problem?)
I disabled all drop firewall rules
/ip settings
set rp-filter=strict tcp-syncookies=yes

/ip route
add distance=1 gateway=192.168.1.1 routing-mark=to-wan2
add distance=1 gateway=10.32.0.121
add distance=3 gateway=192.168.1.1
##Also I added:
[add distance=1 dst-address=150.x.x.171/32 gateway= pref-src=10.205.255.6 routing-mark=to-wan2 scope=10]

/ip firewall mangle
add action=mark-connection chain=input connection-mark=no-mark in-interface=ether11 log=yes log-prefix=M-CON-in new-connection-mark=to-wan2-conn passthrough=no
add action=mark-routing chain=output connection-mark=to-wan2-conn log=yes log-prefix=outm new-routing-mark=to-wan2 passthrough=no
add action=mark-routing chain=output log=yes log-prefix=out-wan2 new-routing-mark=to-wan2 passthrough=no src-address=192.168.1.200
add action=mark-connection chain=prerouting comment=PROBE connection-mark=no-mark disabled=yes log=yes log-prefix=WAN2-conn new-connection-mark=
WAN2-conn passthrough=yes src-address=150.X.X.171
add action=mark-routing chain=prerouting comment=PROBE connection-mark=WAN2-conn disabled=yes log=yes log-prefix=WAN2-conn new-routing-mark=to-wan2 passthrough=no

/ip firewall nat
add action=src-nat chain=srcnat comment=“WAN2” out-interface=ether11 to-addresses=192.168.1.200Has the same thing happened to someone?
I appreciate any help.

Thank you.

I didn’t study your config in detail, but right at the beginning, rp-filter=strict is your first problem, try rp-filter=loose.

I’m not sure that “rp-filter” would be the issue: it would only impact routing if asymmetric routing would be involved. This doesn’t sound to be the case.

List your full config (/export hide-sensitive) and clarify network setup.

Thank you Sub and Sebastia.
I change rp-filter=loose and it works!
…But Why? I thought the same as Sebastia.

True that initially I did not put all the information because I wanted to solve things step by step
Topology:
CCR1 with pppoe_server --------------------CCR2 with pppoe_server ----WAN1 y WAN2
(10.200.237.0/24) ----------------------------(150.2.2.135-150.2.2.191)

When I change in CCR2 rp-filter=loose the IPs 150.X.X.X do what I wanted: all go out throught WAN2 but If I tried to do the same with the internal IPs of the clients from CCR1 all wrong again
I thought I understood in mikrotik routing … I’m definitely very clumsy with routing


I attached my config (I recognize that it is somewhat messy) maybe it can help someone and and I can add light to what happens to me.
/interface bridge
add fast-forward=no name=bridge_pppoe
add name=lobridge
add name=publicbridge
/interface ethernet
set [ find default-name=ether11 ] comment=WAN2
set [ find default-name=ether12 ] comment=WAN
/interface pppoe-server
add name=1285 service=ServerAIR user=1285
add name=1323 service=ServerAIR user=1323
add name=1438 service=ServerAIR user=1438
add name=1558 service=ServerAIR user=1558
add name=cata service=PTP user=cata

/interface vlan
add interface=bridge_pppoe name=vlanMNG vlan-id=20
add disabled=yes interface=ether12 name=vlanWAN vlan-id=23
add interface=ether12 name=vlan_WAN vlan-id=32
/interface list
add name=WAN
add name=WAN-FO
add name=MNG
add name=Discoverymio
/ip pool
add name=PPPoE_Clients ranges=150.2.2.135-150.2.2.191
add name=PPPoE_Local ranges=10.205.255.1
add name=dhcp_MNG ranges=10.205.1.1-10.205.7.254
add name=joaquin ranges=192.168.88.2-192.168.88.16
/ip dhcp-server
add address-pool=dhcp_MNG disabled=no interface=vlanMNG lease-time=15m name=dhcp_MNG
add address-pool=joaquin interface=ether5 name=dhcp_Joaquin
/ppp profile
add address-list=ClientesActivos dns-server=8.8.8.8,8.8.4.4 local-address=
10.205.255.1 name=serverAIR-profile only-one=no remote-address=
PPPoE_Clients session-timeout=1d
add change-tcp-mss=no local-address=10.205.255.30 name=PPPoE_AIR_30/04
only-one=yes rate-limit=“4096k/30720k 5120k/32768k 3200k/20480k 16 8 0”
/queue tree
add max-limit=20M name=Joaquin parent=ether5
/routing ospf instance
set [ find default=yes ] router-id=10.255.5.1
/system logging action
set 3 bsd-syslog=yes remote=150.2.2.100
/interface bridge port
add bridge=bridge_pppoe horizon=10 interface=ether1
add bridge=bridge_pppoe horizon=10 interface=ether2
/ip firewall connection tracking
set tcp-established-timeout=30m
/ip neighbor discovery-settings
set discover-interface-list=none
/ip settings
set rp-filter=loose tcp-syncookies=yes
/interface list member
add disabled=yes interface=vlanWAN list=WAN
add interface=ether11 list=WAN-FO
add interface=vlanMNG list=MNG
add disabled=yes interface=ether11 list=MNG
add interface=vlan_WAN list=WAN
add interface=vlanMNG list=Discoverymio
add interface=ether8 list=Discoverymio
/interface pppoe-server server
add default-profile=serverAIR-profile disabled=no interface=bridge_pppoe
one-session-per-host=yes service-name=ServerAIR
add disabled=no interface=ether6 keepalive-timeout=disabled
one-session-per-host=yes service-name=Coto
/ip address
add address=10.255.5.1 interface=lobridge network=10.255.5.1
add address=160.9.23.19/29 interface=vlanWAN network=160.9.23.16
add address=150.2.2.129 interface=lobridge network=150.2.2.129
add address=10.10.5.1/29 interface=ether8 network=10.10.5.0
add address=10.10.5.9/29 interface=ether6 network=10.10.5.8
add address=192.168.8.1/24 interface=ether10 network=192.168.8.0
add address=10.205.0.1/21 interface=vlanMNG network=10.205.0.0
add address=192.168.1.200/24 interface=ether11 network=192.168.1.0
add address=127.0.0.1 interface=lobridge network=127.0.0.1
add address=192.168.88.1/24 interface=ether5 network=192.168.88.0
add address=10.66.0.122/29 interface=vlan_WAN network=10.66.0.120
add address=150.2.2.193 interface=publicbridge network=150.2.2.193
/ip dhcp-client
add add-default-route=no dhcp-options=hostname,clientid interface=ether11
use-peer-dns=no use-peer-ntp=no
/ip dhcp-server network
add address=10.205.0.0/21 gateway=10.205.0.1 ntp-server=10.255.5.1
add address=192.168.88.0/24 dns-server=8.8.8.8 gateway=192.168.88.1
/ip firewall mangle
add action=mark-connection chain=prerouting comment=“To_WAN-FO part1”
connection-mark=no-mark log-prefix=FO-conn new-connection-mark=WAN-FO
passthrough=yes src-address=150.2.2.144/28
add action=mark-connection chain=prerouting comment=“To_WAN-FO part2”
connection-mark=no-mark log-prefix=FO-conn new-connection-mark=WAN-FO
passthrough=yes src-address=150.2.2.176/28
add action=mark-connection chain=prerouting comment=“To_WAN-FO part3”
connection-mark=no-mark log-prefix=FO-conn new-connection-mark=WAN-FO
passthrough=yes src-address=150.2.2.160/28
add action=mark-routing chain=prerouting comment=To_WAN-FO connection-mark=
WAN-FO log=yes log-prefix=FO-route new-routing-mark=WAN-FO passthrough=no
add action=mark-connection chain=input comment=“To_WAN-FO input”
connection-mark=no-mark in-interface=ether11 log=yes log-prefix=
FO-conn-in new-connection-mark=WAN-FO passthrough=no
add action=mark-routing chain=output comment=“To_WAN-FO out” connection-mark=
WAN-FO log=yes log-prefix=FO-route-out new-routing-mark=WAN-FO
passthrough=no
/ip firewall nat
add action=src-nat chain=srcnat comment=“WAN FO” disabled=yes log=yes
log-prefix=FO-masquerade0 out-interface=ether11 to-addresses=
192.168.1.200
add action=src-nat chain=srcnat comment=“WAN FO” connection-mark=WAN-FO log=
yes log-prefix=FO-masquerade out-interface=ether11 to-addresses=
192.168.1.200
add action=jump chain=srcnat jump-target=nat out-interface=vlan_WAN
src-address=10.200.237.0/24
add action=jump chain=nat jump-target=nat-0 src-address=10.200.237.0/27
add action=jump chain=nat jump-target=nat-1 src-address=10.200.237.32/27
add action=jump chain=nat jump-target=nat-2 src-address=10.200.237.64/27
add action=jump chain=nat jump-target=nat-3 src-address=10.200.237.96/27
add action=jump chain=nat jump-target=nat-4 src-address=10.200.237.128/27
add action=jump chain=nat jump-target=nat-5 src-address=10.200.237.160/27
add action=jump chain=nat jump-target=nat-6 src-address=10.200.237.192/27
add action=jump chain=nat disabled=yes jump-target=nat-6 src-address=
10.200.237.224/27
add action=src-nat chain=nat-0 src-address=10.200.237.0/27 to-addresses=
150.2.2.224
add action=src-nat chain=nat-1 src-address=10.200.237.32/27 to-addresses=
150.2.2.225
add action=src-nat chain=nat-2 src-address=10.200.237.64/27 to-addresses=
150.2.2.226
add action=src-nat chain=nat-3 src-address=10.200.237.96/27 to-addresses=
150.2.2.227
add action=src-nat chain=nat-4 src-address=10.200.237.128/27 to-addresses=
150.2.2.228
add action=src-nat chain=nat-5 src-address=10.200.237.160/27 to-addresses=
150.2.2.229
add action=src-nat chain=nat-6 src-address=10.200.237.192/27 to-addresses=
150.2.2.230
add action=src-nat chain=nat-6 disabled=yes src-address=10.200.237.224/27
to-addresses=150.2.2.231
add action=src-nat chain=srcnat log-prefix=mq out-interface=vlan_WAN
src-address=10.200.237.0/24 to-addresses=150.2.2.137
add action=masquerade chain=srcnat disabled=yes log-prefix=mq out-interface=
vlanWAN src-address=10.10.5.0/24
add action=masquerade chain=srcnat comment=“Salida Joaquin” disabled=yes
out-interface=vlanWAN src-address=192.168.88.0/24
/ip route
add distance=1 gateway=192.168.1.1 routing-mark=WAN-FO
add distance=1 dst-address=150.2.2.160/32 gateway=1323 pref-src=
10.205.255.20 routing-mark=WAN-FO scope=10
add distance=1 dst-address=150.2.2.155/32 gateway=1285 pref-src=
10.205.255.6 routing-mark=WAN-FO scope=10
add distance=1 dst-address=150.2.2.173/32 gateway=1438 pref-src=
10.205.255.10 routing-mark=WAN-FO scope=10
add distance=1 dst-address=150.2.2.181/32 gateway=1558 pref-src=
10.205.255.10 routing-mark=WAN-FO scope=10
add distance=1 gateway=10.66.0.121
add distance=3 gateway=192.168.1.1
add comment=PTP2X distance=1 dst-address=10.200.237.0/24 gateway=10.10.5.4
add comment=“PTP2X - newip” distance=1 dst-address=150.2.2.192/26 gateway=
10.10.5.4
/ppp secret
add name=1285 profile=PPPoE_AIR_30/04 service=pppoe
add name=1323 profile=PPPoE_AIR_30/04 service=pppoe
add name=1438 profile=PPPoE_AIR_30/04 service=pppoe
add name=1558 profile=PPPoE_AIR_30/04 service=pppoe
/routing ospf interface
add network-type=broadcast passive=yes
add interface=ether6 network-type=point-to-point
/routing ospf network
add area=backbone network=10.10.5.8/29
add area=backbone network=10.255.5.0/24
/system logging
add action=remote prefix=PPPoE topics=pppoe,!debug
/system ntp client
set enabled=yes primary-ntp=193.145.15.15
/system ntp server
set enabled=yes[/Codebox]

Thank you for your quick answers

I’ll be honest, I just remember that rp-filter=strict doesn’t go well with multi-WAN configs.

My super-fast “research” says that how it works is that system takes source and destination addresses from incoming packet, swaps them and checks where it would route such packet. If it’s via different interface than incoming, filter drops it. And since routing marks are not taken in account, it will fail for any other incoming interface than the one with default route in main routing table.

It also looks like rp-filter=loose might be useless for common scenarios:

I’m not exactly sure about “even a default route, if applicable” part, and I can’t properly test it now. But if only mere presence of default route (which is good for any destination) is enough, then it basically does nothing, because what device doesn’t have default route?

I don’t think I understand. CCR1 is internal machine with only one upstream connection, or not?

Yes, only one wireless upstream connection.
I chose to have two pppoe servers with local authentication. Now I am thinking of migrating everything to a radius system, I think radsec would be very useful to have radius servers in the cloud.