I have been trying to get my configuration going and all so far has been well.
I have two outgoing Internet connections which I am splitting quite successfully with Mangle:
ISP 1: POP3, SMTP, all other traffic
ISP 2: POP3, WEB, HTTPS
When I do incoming connections, e.g. VPN, I need to be able to connect to the external interface on ISP 2, and then my routing goes belly up.
Once the incoming connections are working well I need to configure a transparent proxy, and would like to know if I need to run that on a separate router on the LAN before it goes to the load balancer.
Here are the routes that I have configured. If somebody can please have a look; I am almost 99% sure this is where the problem lies.
/ip route
add comment="" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.6.1 routing-mark="HTTP traffic" scope=255 target-scope=10
add comment="" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.6.1 routing-mark="SSL traffic" scope=255 target-scope=10
add comment="" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.2.1 routing-mark="POP3 traffic" scope=255 target-scope=10
add comment="" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.2.1 routing-mark="SMTP traffic" scope=255 target-scope=10
add comment="" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.4.1 routing-mark="P2P traffic" scope=255 target-scope=10
add comment="" disabled=yes distance=1 dst-address=0.0.0.0/0 gateway=192.168.2.1 routing-mark="Unknown traffic" scope=255 target-scope=10
add comment="" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.2.1 routing-mark="WAN - 01" scope=255 target-scope=10
add comment="" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.6.1 routing-mark="WAN - 02" scope=255 target-scope=10
add comment="" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.2.1 scope=30 target-scope=10
add comment="" disabled=no distance=10 dst-address=0.0.0.0/0 gateway=192.168.6.1 scope=30 target-scope=10
fewi, July 28, 2010, 11:58am, #2
Can you please show your mangle and NAT rules?
Also, if you have two WAN links why are there three gateways in those routes?
Sorry about that, there is a 3rd gateway that I did not mention.
/ip firewall mangle
add action=mark-routing chain=prerouting comment="" disabled=no new-routing-mark=ISP1 passthrough=no src-address-list=WAN-01
add action=mark-routing chain=prerouting comment="" disabled=no new-routing-mark=ISP2 passthrough=no src-address-list=WAN-02
add action=mark-routing chain=prerouting comment="" disabled=no dst-port=80 in-interface=LAN new-routing-mark="HTTP traffic" passthrough=no protocol=tcp
add action=mark-routing chain=prerouting comment="" disabled=no dst-port=443 in-interface=LAN new-routing-mark="SSL traffic" passthrough=no protocol=tcp
add action=mark-routing chain=prerouting comment="" disabled=no dst-port=110 in-interface=LAN new-routing-mark="POP3 traffic" passthrough=no protocol=tcp
add action=mark-routing chain=prerouting comment="" disabled=no dst-port=25 in-interface=LAN new-routing-mark="SMTP traffic" passthrough=no protocol=tcp
add action=mark-routing chain=prerouting comment="P2P Traffic" disabled=no in-interface=LAN new-routing-mark="P2P traffic" p2p=all-p2p passthrough=no
add action=mark-routing chain=prerouting comment="Unknown Traffic" disabled=no in-interface=LAN new-routing-mark="Unknown traffic" passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat comment="ISP1 Gateway" disabled=no out-interface=ISP1 src-address-list=Allowed-Internet
add action=masquerade chain=srcnat comment="ISP2 Gateway" disabled=no out-interface=ISP2 src-address-list=Allowed-Internet
add action=dst-nat chain=dstnat comment="" disabled=no dst-port=21 in-interface=ISP1 protocol=tcp src-address-list=!Allowed-Internet to-addresses=192.168.1.5 to-ports=21
add action=dst-nat chain=dstnat comment="" disabled=no dst-port=25 in-interface=ISP1 protocol=tcp src-address-list=!Allowed-Internet to-addresses=192.168.1.5 to-ports=25
add action=dst-nat chain=dstnat comment="" disabled=no dst-port=80 in-interface=ISP1 protocol=tcp src-address-list=!Allowed-Internet to-addresses=192.168.1.5 to-ports=80
add action=dst-nat chain=dstnat comment="" disabled=no dst-port=110 in-interface=ISP1 protocol=tcp src-address-list=!Allowed-Internet to-addresses=192.168.1.5 to-ports=110
add action=dst-nat chain=dstnat comment="" disabled=no dst-port=389 in-interface=ISP1 protocol=tcp src-address-list=!Allowed-Internet to-addresses=192.168.1.5 to-ports=389
add action=dst-nat chain=dstnat comment="" disabled=no dst-port=443 in-interface=ISP1 protocol=tcp src-address-list=!Allowed-Internet to-addresses=192.168.1.5 to-ports=443
add action=dst-nat chain=dstnat comment="" disabled=no dst-port=3389 in-interface=ISP1 protocol=tcp src-address-list=!Allowed-Internet to-addresses=192.168.1.5 to-ports=3389
add action=dst-nat chain=dstnat comment="" disabled=no dst-port=3390 in-interface=ISP1 protocol=tcp src-address-list=!Allowed-Internet to-addresses=192.168.1.6 to-ports=3390
add action=dst-nat chain=dstnat comment="" disabled=no dst-port=1723 in-interface=ISP1 protocol=tcp src-address-list=!Allowed-Internet to-addresses=192.168.1.5 to-ports=1723
add action=dst-nat chain=dstnat comment="" disabled=no dst-port=80 in-interface=ISP2 protocol=tcp src-address-list=!Allowed-Internet to-addresses=192.168.1.5 to-ports=80
add action=dst-nat chain=dstnat comment="" disabled=no dst-port=1723 in-interface=ISP2 protocol=tcp src-address-list=!Allowed-Internet to-addresses=192.168.1.5 to-ports=1723
Any feedback, guys, will be appreciated.
Feklar, August 2, 2010, 2:12pm, #5
What is in the "WAN-01" and "WAN-02" address lists in your mangle rules? If they contain the IP addresses on the public interfaces, then your src-address-list isn't going to work for those mangle rules. You can try specifying the in-interface for those; that seems to work better and be more efficient.
You can try disabling one of your masquerade rules and, instead of specifying an out-interface on the one that is enabled, specify your LAN subnet.
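As an added example (not posted by anyone in this thread), here is how Feklar's in-interface suggestion is usually carried through on RouterOS: mark the connection by the WAN interface it arrived on, then give the reply packets the matching routing mark, so a VPN session that comes in on ISP2 is answered via ISP2 even though ISP1 holds the distance-1 default route. It reuses the interface names (ISP1, ISP2, LAN), gateways and the "WAN - 01"/"WAN - 02" routes from the post; the LAN subnet 192.168.1.0/24 is an assumption based on the dst-nat targets.

```routeros
# Added example, not from the thread. Assumes interfaces ISP1/ISP2/LAN and the
# routes with routing-mark "WAN - 01" (192.168.2.1) and "WAN - 02" (192.168.6.1)
# shown in the post; the LAN subnet 192.168.1.0/24 is an assumption.
/ip firewall mangle
# 1. Remember which WAN a NEW inbound connection arrived on. Matching on
#    in-interface works for any remote client; a src-address-list holding the
#    router's own public IPs never matches inbound packets.
add chain=prerouting in-interface=ISP1 connection-state=new \
    action=mark-connection new-connection-mark=ISP1-conn passthrough=yes
add chain=prerouting in-interface=ISP2 connection-state=new \
    action=mark-connection new-connection-mark=ISP2-conn passthrough=yes
# 2. Replies coming back from dst-nat'ed LAN hosts (e.g. the PPTP server on
#    192.168.1.5) take the routing mark of the WAN the connection came in on.
#    These must sit ABOVE the per-port mark-routing rules, which use
#    passthrough=no and would otherwise steer replies to the wrong ISP.
add chain=prerouting in-interface=LAN connection-mark=ISP1-conn \
    action=mark-routing new-routing-mark="WAN - 01" passthrough=no
add chain=prerouting in-interface=LAN connection-mark=ISP2-conn \
    action=mark-routing new-routing-mark="WAN - 02" passthrough=no
# 3. Replies generated by the router itself (its own services) never pass
#    prerouting, so the same decision is repeated in chain=output.
add chain=output connection-mark=ISP1-conn \
    action=mark-routing new-routing-mark="WAN - 01" passthrough=no
add chain=output connection-mark=ISP2-conn \
    action=mark-routing new-routing-mark="WAN - 02" passthrough=no
/ip firewall nat
# Masquerade restricted to the LAN subnet, as Feklar suggests, but kept per
# out-interface so each WAN link only rewrites traffic that really leaves it.
add chain=srcnat src-address=192.168.1.0/24 out-interface=ISP1 action=masquerade
add chain=srcnat src-address=192.168.1.0/24 out-interface=ISP2 action=masquerade
```

Check the effect with /ip firewall connection print where connection-mark=ISP2-conn while a client is connected to the ISP2 address; the reply packets should be counted on the "WAN - 02" mark-routing rule rather than on the default route.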