I can't have both public IPs active at the same time.

I have 2 ISPs with public IPs, but only 1 works at a time.

I set up a failover in the route list, but an ISP only shows as active if it has been set as principal.

This is with ISP 1 as principal (the ping is from outside to the MikroTik)

This is with ISP2 as principal

Here are both addresses

Note: I have another MikroTik in another location with the same type of config but a different ISP, and both public IPs show up

What's wrong with this? I need to see both services active so I can monitor them from outside.

First, you have to be clear about requirements.

  1. Should the users have access to BOTH ISPs at the same time (load balancing)?
  2. Should the users have access to only one ISP at a time (failover)?
  3. Do some internal users need to go out a specific WAN at all times?
  4. Are there some external users reaching the LAN through a specific ISP?
  5. Does the admin need to reach the router (router services such as VPN) via a specific ISP?

Please provide full config
/export file=anynameyouwish ( minus router serial number, any public WANIP information, keys, dhcp lease lists )

  1. No, both ISPs are only for backup but we need to see both public IPs from outside for monitoring (ping)
  2. Yes, all networks are on 1 failover
  3. No
  4. No
  5. No, we reach the mikrotik through cloud

2025-10-22 13:00:34 by RouterOS 7.12.2

software id = RUSB-KDK1

model = RB3011UiAS

/interface bridge
add name="publica - giganet"
/interface ethernet
set [ find default-name=ether1 ] comment=GIGANET name="ether1 - GIGANET"
set [ find default-name=ether2 ] comment=INTER name="ether2 - INTER"
set [ find default-name=ether3 ] disabled=yes
set [ find default-name=ether4 ] disabled=yes
set [ find default-name=ether5 ] comment="LAN MERCADO" name="ether5 - MERCADO"
set [ find default-name=ether6 ] comment=BNC name="ether6 - BNC"
set [ find default-name=ether7 ] comment="HS INTERNO" name="ether7 - HS INTERNO"
set [ find default-name=ether8 ] comment="HS CLIENTES" name="ether8 - HS CLIENTES"
set [ find default-name=ether9 ] comment=CCTV name="ether9 - CCTV"
set [ find default-name=ether10 ] disabled=yes

/ip hotspot profile
add dns-name=slider.local hotspot-address=10.5.50.1 name=hsprof1
/ip pool
add name=dhcp_pool0 ranges=10.150.8.252/31
add name=dhcp_pool3 ranges=192.168.5.2-192.168.5.254
add name=hs-pool-7 ranges=10.5.50.2-10.5.50.254
add name=hs-pool-8 ranges=10.6.50.2-10.6.50.254
add name=dhcp_pool4 ranges=192.168.13.2-192.168.13.254
/ip dhcp-server
add address-pool=dhcp_pool3 interface="ether6 - BNC" name=BNC
add address-pool=hs-pool-7 interface="ether7 - HS INTERNO" lease-time=1h name="HS INTERNO"
add address-pool=hs-pool-8 interface="ether8 - HS CLIENTES" lease-time=1h name="HS CLIENTES"
add address-pool=dhcp_pool4 interface="ether9 - CCTV" lease-time=4w2d name=dhcp1
/ip hotspot
add address-pool=hs-pool-7 addresses-per-mac=1 disabled=no interface="ether7 - HS INTERNO" name="HS INTERNO" profile=hsprof1
/ip hotspot user profile
add address-pool=hs-pool-8 mac-cookie-timeout=1d name=45min
/ip hotspot profile
add dns-name=experiencialider.net hotspot-address=10.6.50.1 html-directory="Super Lider hotspot 45 min" login-by=http-chap,http-pap,trial name=hsprof2 trial-uptime-limit=45m trial-user-profile=45min
/ip hotspot
add address-pool=hs-pool-8 addresses-per-mac=1 disabled=no interface="ether8 - HS CLIENTES" name="HS CLIENTES" profile=hsprof2

/ip address
add address=10.150.8.251/24 comment="LAN MERCADO" interface="ether5 - MERCADO" network=10.150.8.0
add address=192.168.5.1/24 comment=BNC interface="ether6 - BNC" network=192.168.5.0
add address=172.16.89.2/30 comment=GIGANET interface="ether1 - GIGANET" network=172.16.89.0
add address=10.5.50.1/24 comment="hotspot network" interface="ether7 - HS INTERNO" network=10.5.50.0
add address=190.5X.XX.XXX comment="GIGANET PUBLICA" interface="publica - giganet" network=190.5X.XX.XXX
add address=10.6.50.1/24 comment="hotspot network" interface="ether8 - HS CLIENTES" network=10.6.50.0
add address=192.168.13.1/24 comment=CCTV interface="ether9 - CCTV" network=192.168.13.0
add address=181.2YY.YY.YY/24 comment=INTER interface="ether2 - INTER" network=181.2YY.YY.Y

/ip dhcp-server network
add address=10.5.50.0/24 comment="hotspot network" dns-server=8.8.8.8,8.8.4.4 gateway=10.5.50.1
add address=10.6.50.0/24 comment="hotspot network" gateway=10.6.50.1
add address=192.168.5.0/24 gateway=192.168.5.1
add address=192.168.13.0/24 gateway=192.168.13.1
/ip dns
set servers=9.9.9.9
/ip firewall filter
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
add action=src-nat chain=srcnat comment="GIGANET - MASCARADE PORT 1" out-interface="ether1 - GIGANET" to-addresses=190.5X.XX.XXX
add action=masquerade chain=srcnat comment=INTER out-interface="ether2 - INTER"
add action=masquerade chain=srcnat comment=BNC out-interface="ether6 - BNC"
add action=masquerade chain=srcnat comment="masquerade hotspot network" src-address=10.5.50.0/24
add action=masquerade chain=srcnat comment="masquerade hotspot network" disabled=yes src-address=10.6.50.0/24

/ip route
add check-gateway=ping comment="SALIENDO POR INTER" disabled=no distance=2 dst-address=0.0.0.0/0 gateway=1.1.1.1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=11
add check-gateway=ping comment="SALIENDO POR GIGANET" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=1.0.0.1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=11
add comment=GIGANET distance=1 dst-address=1.0.0.1/32 gateway=172.16.89.1 pref-src=190.5X.XX.XXX scope=10
add comment=INTER distance=1 dst-address=1.1.1.1/32 gateway=181.2XX.XX.X scope=10

Is that the full config?
I don't see any /interface bridge port settings, and you have no real firewall rules to speak of??

You should set up VLANs, and thus can separate traffic at layer 3 from each other. Right now they are all connected as per your setup.

There are no /interface bridge port settings, and the MikroTik is recent… First, I need both ISPs active, and later I'll set up the firewall.

Well to have the two WANs respond to pings you will need to have some mangle rules involved.
You will note I only do this mangle for WAN2 as WAN1 is primary and any pinging will always work as the router chooses this path for return traffic from the router.

/routing table
add fib name=useISP2

/ip firewall mangle
add chain=input action=mark-connection connection-mark=no-mark new-connection-mark=incomingWAN2 passthrough=yes
add chain=output action=mark-routing connection-mark=incomingWAN2 new-routing-mark=useISP2 passthrough=no

Now we have added a special table for the routing involved and, added to the other routes, it looks like:
I prefer to use non-related DNS for canary addresses as it's more independent.............

/ip route
add check-gateway=ping comment="SALIENDO POR GIGANET" dst-address=0.0.0.0/0 gateway=1.0.0.1 routing-table=main scope=10 target-scope=12
add check-gateway=ping comment="SALIENDO POR INTER" distance=2 dst-address=0.0.0.0/0 gateway=9.9.9.9 routing-table=main scope=10 target-scope=12
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
add comment="GIGANET ISP1" dst-address=1.0.0.1/32 gateway=172.16.89.1 scope=10 target-scope=11
add comment="INTER ISP2" distance=2 dst-address=9.9.9.9/32 gateway=181.2XX.XX.X scope=10 target-scope=11
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
add comment="Monitor ISP2" dst-address=0.0.0.0/0 gateway=181.2XX.XX.X routing-table=useISP2

Note: Ensure your forward chain firewall fasttrack rule looks like:
add action=fasttrack-connection chain=forward connection-state=established,related connection-mark=no-mark

It didn't work

Here is the export

/ip firewall mangle
add action=mark-connection chain=input connection-mark=no-mark new-connection-mark=incomingWAN2 passthrough=yes
add action=mark-routing chain=output connection-mark=incomingWAN2 new-routing-mark=useISP2 passthrough=no

/routing table
add fib name=useISP2

/ip route
add comment="Monitor ISP2" dst-address=0.0.0.0/0 gateway=181.2XX.XX.1 routing-table=useISP2
add check-gateway=ping comment="SALIENDO POR GIGANET" dst-address=0.0.0.0/0 gateway=1.0.0.1 routing-table=main scope=10 target-scope=12
add check-gateway=ping comment="SALIENDO POR INTER" distance=2 dst-address=0.0.0.0/0 gateway=9.9.9.9 routing-table=main scope=10 target-scope=12
add comment="GIGANET ISP1" dst-address=1.0.0.1/32 gateway=172.16.89.1 pref-src=190.5X.XX.XXX scope=10 target-scope=11
add comment="INTER ISP2" distance=2 dst-address=9.9.9.9/32 gateway=181.2XX.XX.1 scope=10 target-scope=11

/ip firewall filter
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
add action=fasttrack-connection chain=forward connection-mark=no-mark connection-state=established,related hw-offload=yes

Right now ISP1 “GIGANET” can't be reached and ISP2 works fine.

You are absolutely right!
I freaking forgot to identify which WAN we were mangling LOL. Sorry to have wasted your time.
Please find the fix below.
/ip firewall mangle
add action=mark-connection chain=input in-interface="ether2 - INTER" connection-mark=no-mark new-connection-mark=incomingWAN2 passthrough=yes
add action=mark-routing chain=output connection-mark=incomingWAN2 new-routing-mark=useISP2 passthrough=no

I don't understand however why your Primary WAN is not working, it looks fine to me??
First check if the modification above fixes everything. I think that should!!

Otherwise for the primary wan1 - gigabit, well I don't understand why you keep putting in pref-src=190.5X, is that an additional piece needed to get ISP connectivity from that ISP???
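
Why the missing in-interface match moved every reply onto ISP2, as an added example that is not part of the original posts: a simplified Python model of the two mangle rules, returning the WAN on which the router's echo reply leaves for a ping arriving on each WAN. Interface, mark and table names are taken from the thread; the model assumes the distance=1 GIGANET route is the active default in the main table and ignores passthrough.

```python
WAN1 = "ether1 - GIGANET"
WAN2 = "ether2 - INTER"

# Active default route per routing table (assumption: ISP1 is up, so the
# distance=1 route wins in "main"; "useISP2" only has the ISP2 gateway).
ROUTES = {"main": WAN1, "useISP2": WAN2}

def mangle_rules(in_interface=None):
    """The two mangle rules from the thread. in_interface=None is the first
    version (no interface match); in_interface=WAN2 is the corrected one."""
    return [
        {"chain": "input", "in_interface": in_interface,
         "connection_mark": "no-mark", "action": "mark-connection",
         "new_mark": "incomingWAN2"},
        {"chain": "output", "in_interface": None,
         "connection_mark": "incomingWAN2", "action": "mark-routing",
         "new_mark": "useISP2"},
    ]

def reply_egress(arrival_iface, rules):
    """Interface the echo reply leaves on for a ping that arrived on
    arrival_iface."""
    conn_mark, routing_table = "no-mark", "main"
    # The request traverses the input chain, the reply the output chain;
    # the connection mark set on the request is still there for the reply.
    for chain, iface in (("input", arrival_iface), ("output", None)):
        for rule in rules:
            if rule["chain"] != chain:
                continue
            if rule["in_interface"] not in (None, iface):
                continue
            if rule["connection_mark"] != conn_mark:
                continue
            if rule["action"] == "mark-connection":
                conn_mark = rule["new_mark"]
            elif rule["action"] == "mark-routing":
                routing_table = rule["new_mark"]
    return ROUTES[routing_table]

def scenario(rules):
    """Map each arrival WAN to the WAN its reply leaves on."""
    return {wan: reply_egress(wan, rules) for wan in (WAN1, WAN2)}

if __name__ == "__main__":
    print("no mangle rules  :", scenario([]))
    print("no in-interface  :", scenario(mangle_rules()))
    print("in-interface=WAN2:", scenario(mangle_rules(WAN2)))
```

On the router itself, the same thing can be checked with `/ip firewall connection print where connection-mark=incomingWAN2`: only connections that arrived on "ether2 - INTER" should carry the mark.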


It works!! Ty so much!!

Still can't reach ISP1 “GIGANET”, maybe because of the different distance?

The primary wan1 - gigabit is a loopback to the private IP to the public IP, that's why I need to put the pref-src on the route and NAT rule.

Hi wtfrank, can you explain what you mean for ISP1. I am not familiar with loopback to private IP to the public IP. For some reason the ping of the public IP is not reaching you........... hmmmmmmmmmmmmmmm

A little help from a friend,
Can you confirm which situation describes your setup:

  1. The ISP is providing you with a private interconnection subnet but routes traffic for that public IP to you via that subnet, using the private IP attached to your WAN1 ; or

  2. The ISP may be dst-nating traffic for the public IP to the private one attached to WAN1.

In simple terms, I set a permanent public IP as a private IP in my MikroTik without interface association (like 127.0.0.1 but with a public IP, usually set on a bridge without ports) and the ISP identifies my router with that.

Here is a more technical video

https://www.youtube.com/watch?v=5A-qytY4JPI

Also found a post where you commented 2 years ago on the same type of connection.

Also, you can see my NAT, route and address export for more information on how it works.

Okay you have some torturous setup but WHY?

A. are you connected to an ISP modem?
B. are you connected to an ISP modem/router?

Plus I will repeat the request for answers to the questions I asked above for you to confirm........

What is driving this setup?

How are you testing whether your WANs respond to pings?
From external or internal??