Mangle does not forward to correct interface even though connection marks are OK

Hi dears,
Here is my network


I want all traffic from the public interface to go through WAN2 if it is available.
I use mangle rules to do this:

 0    ;;; Accept local WAN1 from LAN
      chain=prerouting action=accept dst-address=192.168.9.0/24 in-interface=bridge-local log=no log-prefix="" 

 1    ;;; Accept local WAN2  from LAN
      chain=prerouting action=accept dst-address=192.168.50.0/24 in-interface=bridge-local 

 3    ;;; WAN1 mark incoming
      chain=prerouting action=mark-connection new-connection-mark=WAN1_connection passthrough=no connection-state="" connection-mark=no-mark in-interface=WAN1 log=no log-prefix="" 

 4    ;;; WAN2 mark incoming
      chain=prerouting action=mark-connection new-connection-mark=WAN2_connection passthrough=no connection-mark=no-mark in-interface=WAN2 packet-mark="" 


11    ;;; Force ipbx To WAN2
      chain=prerouting action=mark-connection new-connection-mark=WAN2_connection passthrough=yes connection-state="" src-address=192.168.1.150 dst-address-type=!local connection-mark=no-mark log=no log-prefix="" 

12    ;;; Force Bridge local to WAN1
      chain=prerouting action=mark-connection new-connection-mark=WAN1_connection passthrough=yes connection-state="" dst-address-type=!local connection-mark=no-mark in-interface=bridge-local log=no log-prefix="" 

13    ;;; Force Bridge tacteo to WAN1
      chain=prerouting action=mark-connection new-connection-mark=WAN1_connection passthrough=yes connection-state="" dst-address-type=!local connection-mark=no-mark in-interface=bridgeTacteo log=no log-prefix="" 

14    ;;; Force Public To WAN2
      chain=prerouting action=mark-connection new-connection-mark=WAN2_connection passthrough=yes connection-state="" dst-address-type=!local connection-mark=no-mark in-interface=Public log=no log-prefix="" 

15    ;;; remove mark for canal network
      chain=prerouting action=mark-connection new-connection-mark=no-mark passthrough=no dst-address=192.168.9.0/24 dst-address-type=local log=no log-prefix="" 

16    ;;; remove mark for domotile server
      chain=prerouting action=mark-connection new-connection-mark=no-mark passthrough=no dst-address=10.40.0.0/24 dst-address-type=!local log=no log-prefix="" 

17    ;;; remove mark for vpn
      chain=prerouting action=mark-connection new-connection-mark=no-mark passthrough=no dst-address=172.16.24.0/24 dst-address-type=!local log=no log-prefix="" 

18    ;;; remove mark for dydns
      chain=prerouting action=mark-connection new-connection-mark=no-mark passthrough=no dst-address-type=!local dst-address-list=dyndns log=no log-prefix="DYNDNS" 

19    ;;; MArkRouting for dyndns
      chain=prerouting action=mark-routing new-routing-mark=to-WAN2 passthrough=yes dst-address-list=dyndns log=yes log-prefix="" 

20    ;;; MArkRouting for PCC WAN1 from LAN
      chain=prerouting action=mark-routing new-routing-mark=to-WAN1 passthrough=no connection-mark=WAN1_connection in-interface=bridge-local log=yes log-prefix="" 

21    ;;; MarkRouting for PCC WAN2 from LAN
      chain=prerouting action=mark-routing new-routing-mark=to-WAN2 passthrough=no connection-mark=WAN2_connection in-interface=Public log=no log-prefix="" 

23    ;;; force dyndns  to wan2
      chain=output action=mark-routing new-routing-mark=to-WAN2 passthrough=no dst-address-type=!local dst-address-list=dyndns log=no log-prefix="" 

24    ;;; force ipbx to wan2
      chain=output action=mark-routing new-routing-mark=to-WAN2 passthrough=no src-address=192.168.1.150 dst-address-type=!local log=no log-prefix="" 

25    ;;; Mark route WAN1
      chain=output action=mark-routing new-routing-mark=to-WAN1 passthrough=no connection-mark=WAN1_connection log=yes log-prefix="" 

26    ;;; Mark route WAN2
      chain=output action=mark-routing new-routing-mark=to-WAN2 passthrough=no connection-mark=WAN2_connection log=no log-prefix="" 

28    chain=forward action=log connection-state=new connection-nat-state="" dst-address-type=!local in-interface=Public out-interface-list=WAN log=no log-prefix="Public" 

If I check in Firewall/Connections, all the connections from the public network are marked WAN2_connection, which is great.

But when I check the firewall logs, it seems that even if all packets are marked to go through WAN2, many of them are going through WAN1:

2026-05-26T16:31:41.777050+04:00 10.40.0.43 firewall,info Public forward: in:Public out:WAN2, connection-mark:WAN2_connection connection-state:new,snat src-mac dc:e9:94:9e:b8:8b, proto UDP, 10.41.43.228:59583->172.64.41.3:443, NAT (10.41.43.228:59583->192.168.50.3:59583)->172.64.41.3:443, len 1278
2026-05-26T16:31:41.777153+04:00 10.40.0.43 firewall,info Public forward: in:Public out:WAN2, connection-mark:WAN2_connection connection-state:new src-mac dc:e9:94:9e:b8:8b, proto UDP, 10.41.43.228:60736->172.64.41.3:443, len 1278
2026-05-26T16:31:41.777328+04:00 10.40.0.43 firewall,info Public forward: in:Public out:WAN2, connection-mark:WAN2_connection connection-state:new,snat src-mac dc:e9:94:9e:b8:8b, proto UDP, 10.41.43.228:60736->172.64.41.3:443, NAT (10.41.43.228:60736->192.168.50.3:60736)->172.64.41.3:443, len 1278
2026-05-26T16:31:41.896974+04:00 10.40.0.43 firewall,info Public forward: in:Public out:WAN2, connection-mark:WAN2_connection connection-state:new src-mac dc:e9:94:9e:b8:8b, proto TCP (SYN), 10.41.43.228:56604->172.64.41.3:443, len 52
2026-05-26T16:31:41.904749+04:00 10.40.0.43 firewall,info Public forward: in:Public out:WAN2, connection-mark:WAN2_connection connection-state:new src-mac dc:e9:94:9e:b8:8b, proto TCP (SYN), 10.41.43.228:57519->172.64.41.3:443, len 52
2026-05-26T16:31:41.905154+04:00 10.40.0.43 firewall,info Public forward: in:Public out:WAN2, connection-mark:WAN2_connection connection-state:new src-mac dc:e9:94:9e:b8:8b, proto TCP (SYN), 10.41.43.228:57846->172.64.41.3:443, len 52
**2026-05-26T16:31:42.586530+04:00 10.40.0.43 firewall,info Public forward: in:Public out:WAN1, connection-mark:WAN2_connection connection-state:new src-mac 60:83:e7:5c:69:ad, proto TCP (SYN), 10.41.43.167:54764->213.92.56.75:443, len 52**
2026-05-26T16:31:43.656475+04:00 10.40.0.43 firewall,info Public forward: in:Public out:WAN2, connection-mark:WAN2_connection connection-state:new src-mac dc:e9:94:9e:b8:8b, proto TCP (SYN), 10.41.43.228:59201->150.171.109.4:443, len 52
**2026-05-26T16:31:44.796553+04:00 10.40.0.43 firewall,info output: in:(unknown 0) out:WAN1, connection-mark:WAN1_connection connection-state:related,snat proto ICMP (type 3, code 1), 192.168.9.20->4.207.247.138, NAT (10.41.43.25->192.168.9.20)->4.207.247.138, len 68**
**2026-05-26T16:31:45.016721+04:00 10.40.0.43 firewall,info Public forward: in:Public out:WAN1, connection-mark:WAN2_connection connection-state:new src-mac ae:42:16:d8:81:f1, proto TCP (SYN), 10.41.43.211:60702->185.159.107.205:443, len 64**
**2026-05-26T16:31:48.016546+04:00 10.40.0.43 firewall,info output: in:(unknown 0) out:WAN1, connection-mark:WAN1_connection connection-state:established proto ICMP (type 8, code 0), 192.168.9.20->8.8.8.8, len 56**
2026-05-26T16:31:49.981739+04:00 10.40.0.43 firewall,info Public forward: in:Public out:WAN2, connection-mark:WAN2_connection connection-state:new src-mac 60:83:e7:5c:69:ad, proto UDP, 10.41.43.167:60943->1.1.1.1:53, len 72
2026-05-26T16:31:49.981825+04:00 10.40.0.43 firewall,info Public forward: in:Public out:WAN2, connection-mark:WAN2_connection connection-state:new src-mac 60:83:e7:5c:69:ad, proto UDP, 10.41.43.167:59889->1.1.1.1:53, len 72
2026-05-26T16:31:51.116747+04:00 10.40.0.43 firewall,info output: in:(unknown 0) out:lo, connection-mark:WAN1_connection connection-state:related,snat proto ICMP (type 3, code 1), 192.168.50.3->192.168.50.3, NAT 8.8.4.4->(192.168.50.3->192.168.1.104), len 101
2026-05-26T16:31:51.124653+04:00 10.40.0.43 firewall,info message repeated 2 times: [ output: in:(unknown 0) out:lo, connection-mark:WAN1_connection connection-state:related,snat proto ICMP (type 3, code 1), 192.168.50.3->192.168.50.3, NAT 8.8.4.4->(192.168.50.3->192.168.1.104), len 101]
2026-05-26T16:31:52.797524+04:00 10.40.0.43 firewall,info output: in:(unknown 0) out:WAN1, connection-mark:WAN1_connection connection-state:related,snat proto ICMP (type 3, code 1), 192.168.9.20->65.1.188.54, NAT (10.41.43.135->192.168.9.20)->65.1.188.54, len 80
2026-05-26T16:31:54.485169+04:00 10.40.0.43 firewall,info Public forward: in:Public out:WAN2, connection-mark:WAN2_connection connection-state:new src-mac dc:e9:94:9e:b8:8b, proto UDP, 10.41.43.228:53083->1.1.1.1:53, len 56
2026-05-26T16:31:54.647221+04:00 10.40.0.43 firewall,info Public forward: in:Public out:WAN2, connection-mark:WAN2_connection connection-state:new src-mac dc:e9:94:9e:b8:8b, proto TCP (SYN), 10.41.43.228:59202->172.217.170.163:80, len 52
**2026-05-26T16:31:54.797148+04:00 10.40.0.43 firewall,info Public forward: in:Public out:WAN1, connection-mark:WAN2_connection connection-state:new src-mac ea:9d:47:c4:98:e4, proto UDP, 10.41.43.231:56467->1.1.1.1:443, len 1228**
**2026-05-26T16:31:54.825178+04:00 10.40.0.43 firewall,info Public forward: in:Public out:WAN1, connection-mark:WAN2_connection connection-state:new,snat src-mac ea:9d:47:c4:98:e4, proto UDP, 10.41.43.231:56467->1.1.1.1:443, NAT (10.41.43.231:56467->192.168.9.20:56467)->1.1.1.1:443, len 1228**
**2026-05-26T16:31:54.825277+04:00 10.40.0.43 firewall,info Public forward: in:Public out:WAN1, connection-mark:WAN2_connection connection-state:new src-mac ea:9d:47:c4:98:e4, proto TCP (SYN), 10.41.43.231:55103->16.28.130.245:443, len 64**
2026-05-26T16:31:54.907193+04:00 10.40.0.43 firewall,info Public forward: in:Public out:WAN2, connection-mark:WAN2_connection connection-state:new src-mac ea:9d:47:c4:98:e4, proto UDP, 10.41.43.231:50505->1.0.0.1:443, len 1228
2026-05-26T16:31:54.915185+04:00 10.40.0.43 firewall,info Public forward: in:Public out:WAN2, connection-mark:WAN2_connection connection-state:new,snat src-mac ea:9d:47:c4:98:e4, proto UDP, 10.41.43.231:50505->1.0.0.1:443, NAT (10.41.43.231:50505->192.168.50.3:50505)->1.0.0.1:443, len 1228
**2026-05-26T16:31:54.915255+04:00 10.40.0.43 firewall,info Public forward: in:Public out:WAN1, connection-mark:WAN2_connection connection-state:new src-mac ea:9d:47:c4:98:e4, proto TCP (SYN), 10.41.43.231:55104->1.1.1.1:443, len 64**
2026-05-26T16:31:56.497424+04:00 10.40.0.43 firewall,info Public forward: in:Public out:WAN2, connection-mark:WAN2_connection connection-state:new src-mac dc:e9:94:9e:b8:8b, proto TCP (SYN), 10.41.43.228:59203->2.22.197.56:80, len 52
**2026-05-26T16:31:57.847286+04:00 10.40.0.43 firewall,info Public forward: in:Public out:WAN1, connection-mark:WAN2_connection connection-state:new src-mac dc:e9:94:9e:b8:8b, proto TCP (SYN), 10.41.43.228:59204->204.79.197.203:80, len 52**
**2026-05-26T16:31:58.897002+04:00 10.40.0.43 firewall,info Public forward: in:Public out:WAN1, connection-mark:WAN2_connection connection-state:new src-mac e6:61:94:03:74:c4, proto TCP (SYN), 10.41.43.13:51484->3.161.94.112:443, len 64**
2026-05-26T16:32:00.804377+04:00 10.40.0.43 firewall,info Public forward: in:Public out:WAN2, connection-mark:WAN2_connection connection-state:new src-mac 16:3c:bb:bd:13:9f, proto TCP (SYN), 10.41.43.226:48792->1.1.1.1:853, len 60
**2026-05-26T16:32:00.804377+04:00 10.40.0.43 firewall,info Public forward: in:Public out:WAN1, connection-mark:WAN2_connection connection-state:new src-mac 16:3c:bb:bd:13:9f, proto TCP (SYN), 10.41.43.226:48166->66.102.1.188:5228, len 60**

I do not understand why.
Here is my routing table:

Columns: DST-ADDRESS, GATEWAY, DISTANCE
#       DST-ADDRESS      GATEWAY        DISTANCE
0  Xs   0.0.0.0/0        192.168.88.1         10
  DAd + 0.0.0.0/0        192.168.50.1          1
  DAd + 0.0.0.0/0        192.168.9.254         1
1  As   8.8.4.4/32       WAN2                  1
2  As   8.8.8.8/32       WAN1                  1
  DAc   10.10.100.0/24   bridgeTacteo          0
  DAc   10.40.0.1/32     sstp-domotile         0
  DAc   10.41.43.0/24    Public                0
3  As   192.168.0.0/24   10.40.0.1             1
  DAc   192.168.1.0/24   bridge-local          0
  DAc   192.168.5.0/24   TOIP                  0
  DAc   192.168.9.0/24   WAN1                  0
  DAc   192.168.50.0/24  WAN2                  0
4  IsH  0.0.0.0/0        8.8.4.4               2
5  IsH  0.0.0.0/0        8.8.8.8               1
6  IsH  0.0.0.0/0        8.8.8.8               2
7  IsH  0.0.0.0/0        8.8.4.4               1

Does anyone have a clue what is happening?
For info, here is my full config:
dimitile.rsc (12.9 KB)
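To pull the bold lines out of a log like this mechanically rather than by eye, here is an added Python check (my own, not from the post or from RouterOS) that parses firewall log lines in the syslog format shown above and flags every packet whose connection mark names one WAN while out: names the other. The mark-to-interface mapping and the sample input (five lines reused from the log above) are assumptions constructed for the demo.

```python
import re
from collections import Counter

# Log lines in the format the post quotes (RouterOS firewall log forwarded via syslog);
# the sample below reuses five lines from the post, constructed here as the test input.
SAMPLE_LOG = """\
2026-05-26T16:31:41.896974+04:00 10.40.0.43 firewall,info Public forward: in:Public out:WAN2, connection-mark:WAN2_connection connection-state:new src-mac dc:e9:94:9e:b8:8b, proto TCP (SYN), 10.41.43.228:56604->172.64.41.3:443, len 52
2026-05-26T16:31:42.586530+04:00 10.40.0.43 firewall,info Public forward: in:Public out:WAN1, connection-mark:WAN2_connection connection-state:new src-mac 60:83:e7:5c:69:ad, proto TCP (SYN), 10.41.43.167:54764->213.92.56.75:443, len 52
2026-05-26T16:31:44.796553+04:00 10.40.0.43 firewall,info output: in:(unknown 0) out:WAN1, connection-mark:WAN1_connection connection-state:related,snat proto ICMP (type 3, code 1), 192.168.9.20->4.207.247.138, NAT (10.41.43.25->192.168.9.20)->4.207.247.138, len 68
2026-05-26T16:31:54.825178+04:00 10.40.0.43 firewall,info Public forward: in:Public out:WAN1, connection-mark:WAN2_connection connection-state:new,snat src-mac ea:9d:47:c4:98:e4, proto UDP, 10.41.43.231:56467->1.1.1.1:443, NAT (10.41.43.231:56467->192.168.9.20:56467)->1.1.1.1:443, len 1228
2026-05-26T16:32:00.804377+04:00 10.40.0.43 firewall,info Public forward: in:Public out:WAN2, connection-mark:WAN2_connection connection-state:new src-mac 16:3c:bb:bd:13:9f, proto TCP (SYN), 10.41.43.226:48792->1.1.1.1:853, len 60
"""

# Which egress interface each connection mark is supposed to use (assumed from the post's policy).
EXPECTED_EGRESS = {"WAN1_connection": "WAN1", "WAN2_connection": "WAN2"}

IP = r"\d+\.\d+\.\d+\.\d+(?::\d+)?"
LINE_RE = re.compile(
    r"firewall,info (?:(?P<prefix>\S+) )?(?P<chain>forward|input|output): "
    r"in:(?P<in_if>.+?) out:(?P<out_if>[^,]+), "
    r"connection-mark:(?P<mark>\S+) connection-state:(?P<state>\S+)"
    r".*?proto (?P<proto>\w+).*?(?P<src>" + IP + r")->(?P<dst>" + IP + r")"
)

def parse_line(line):
    """Return the fields of one firewall log line, or None for lines in another format
    (e.g. the syslog 'message repeated N times' collapse)."""
    m = LINE_RE.search(line)
    return m.groupdict() if m else None

def find_mismatches(log_text, expected=EXPECTED_EGRESS):
    """Lines where the connection mark says one WAN but the packet left via another."""
    out = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        wanted = expected.get(rec["mark"])
        # Ignore unmarked connections and non-WAN egress such as 'lo'.
        if wanted and rec["out_if"] in expected.values() and rec["out_if"] != wanted:
            out.append(rec)
    return out

def egress_summary(log_text):
    """Count (mark, out-interface, first state) triples: in the post's log the mismatches
    are all 'new' connections, which is what per-connection ECMP in main looks like."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            counts[(rec["mark"], rec["out_if"], rec["state"].split(",")[0])] += 1
    return counts

if __name__ == "__main__":
    for rec in find_mismatches(SAMPLE_LOG):
        print(f"{rec['chain']}: {rec['src']} -> {rec['dst']} marked {rec['mark']} but left via {rec['out_if']}")
    print(dict(egress_summary(SAMPLE_LOG)))
```

Feed it the full log (for example piped from the syslog host) and the summary counts show at a glance how many marked connections took the wrong WAN.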

I believe mangle rules 3 & 4 should be moved to the input chain with passthrough=no removed and some route marking rules should be added in the prerouting chain (de facto rules 20 & 21 with removed interface parameters):

/ip firewall mangle
# new-routing-mark is only valid with action=mark-routing
add action=mark-routing chain=prerouting connection-mark=WAN1_connection new-routing-mark=to-WAN1
add action=mark-routing chain=prerouting connection-mark=WAN2_connection new-routing-mark=to-WAN2

I will have a look later, no free time at the moment......

First, when you open your exported .rsc file in a text editor and search for ="", you'll see all these occurrences in your firewall rules:

  • connection-state=""
  • connection-nat-state=""
  • packet-mark=""

You'll need to edit all those rules to get rid of them. For example, connection-state="" is a wrong condition that causes the rule to never match; in WinBox the condition shows up as an empty value.

But it's not what you want. You should click on the triangle button (WinBox 3) or the - button (WinBox 4) to properly clear the condition so that it disappears from the export.

Afterwards, re-export your configuration, open it in an editor and make sure that there are no more instances of those 3 conditions mentioned above.


But the main cause of your problem (why some connections that have the WAN2_connection connection mark are still routed through WAN1) is the content of the routes that you manually added. You made two kinds of mistakes:

  • When you added the routes with dst-address=8.8.8.8/32 and dst-address=8.8.4.4/32 you used the interface name (WAN1 and WAN2) as the value for gateway. That will not work because those destination addresses are not connected addresses (cannot use ARP with them).

  • The way you specified the scope and target-scope for those routes, as scope=11 target-scope=11. Doing so causes the actual scope to become 12. Then in the routes that try to use those destinations as gateway you put scope=30 target-scope=11. With a value of target-scope=11 those gateways won't be resolved (because all rules with matching destinations have the scope 12 or 30).

    See @jaclaz's thread for the correct way to specify those values for recursive routing: Simple recursive failover for bears of little brain - RouterOS / Useful user articles - MikroTik community forum

As a result, the routes in both tables are invalid (have the I flag) and everything falls back to the main routing table. In the main table, the two DHCP clients on ether1 and ether2 added their respective default routes with the same distance, creating an ECMP group (they have a + sign in the list). This "load-balances" your connections, so you'll see some using WAN1 and some using WAN2.

To correct your routes, first open IP -> Routes, mark all routes with the s (static) flag and delete them. Then add the following routes instead:

/ip route
# 192.168.0.0/24 through sstp-domotile
add check-gateway=ping dst-address=192.168.0.0/24 gateway=10.40.0.1 \
    comment="192.168.0.0/24 through sstp-domotile" routing-table=main 

# narrow route to the WAN1 canary (note 192.168.9.254 is the gateway provided by WAN1):
add dst-address=8.8.8.8/32 gateway=192.168.9.254 routing-table=main \
    comment="WAN1 canary" scope=11 target-scope=10

# narrow route to the WAN2 canary (note 192.168.50.1 is the gateway provided by WAN2):
add dst-address=8.8.4.4/32 gateway=192.168.50.1 routing-table=main \
    comment="WAN2 canary" scope=11 target-scope=10

# default route for to-WAN1
add check-gateway=ping distance=1 gateway=8.8.8.8@main routing-table=to-WAN1 \
    comment="default route for to-WAN1" scope=30 target-scope=11

# fallback route for to-WAN1
add check-gateway=ping distance=2 gateway=8.8.4.4@main routing-table=to-WAN1 \
    comment="fallback route for to-WAN1" scope=30 target-scope=11

# default route for to-WAN2
add check-gateway=ping distance=1 gateway=8.8.4.4@main routing-table=to-WAN2 \
    comment="default route for to-WAN2" scope=30 target-scope=11

# fallback route for to-WAN2
add check-gateway=ping distance=2 gateway=8.8.8.8@main routing-table=to-WAN2 \
    comment="fallback route for to-WAN2" scope=30 target-scope=11

Note 1: In the canary routes above we've hard-coded the two gateway addresses, 192.168.9.254 and 192.168.50.1. If you cannot be sure that those two gateways always keep those addresses, then you'll need to modify the two DHCP client instances, the ones attached to the WAN1 interface (ether1) and WAN2 interface (ether2), and put these respective scripts into their script textbox:

For WAN1:

:local routeComment "WAN1 canary";

:if ($bound = 1) do={
    :foreach canaryRoute in=[/ip/route/find comment=$routeComment] do={
        :if ([/ip/route/get $canaryRoute gateway] != $"gateway-address") do={
            /ip/route/set $canaryRoute gateway=$"gateway-address";
        };
    };
};

For WAN2:

:local routeComment "WAN2 canary";

:if ($bound = 1) do={
    :foreach canaryRoute in=[/ip/route/find comment=$routeComment] do={
        :if ([/ip/route/get $canaryRoute gateway] != $"gateway-address") do={
            /ip/route/set $canaryRoute gateway=$"gateway-address";
        };
    };
};

(it's almost the same script, just acting on different comments).


Note 2: If you don't want the two ECMP routes automatically added by the two DHCP clients in the main table, and also want recursive route checks in the main table, then edit the two DHCP client instances and set add-default-route=no for them, then manually add the two routes to the main table:

add check-gateway=ping distance=1 gateway=8.8.8.8 routing-table=main \
    comment="ECMP default route in main using WAN1" scope=30 target-scope=11

add check-gateway=ping distance=1 gateway=8.8.4.4 routing-table=main \
    comment="ECMP default route in main using WAN2" scope=30 target-scope=11

We are giving them the same distance, so they still form an ECMP group and provide load-balancing in the main table. If you don't want ECMP then modify one of the two routes and give it a different distance value.
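To make scope and target-scope less abstract, here is an added Python model (my own, not RouterOS code) of the recursive next-hop resolution rule the routes above rely on: a next hop given as an IP is looked up only among routes whose scope is less than or equal to the resolving route's target-scope, and a route whose check-gateway ping fails is treated as inactive. It replays the route set from the answer above with each canary up or down, and with the canaries left at the default static scope of 30 to show why the default routes then fail to resolve; ECMP and RouterOS's own scope adjustment are not modelled, and the ping results are constructed inputs.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
@dataclass
class Route:
    dst: str                     # prefix, e.g. "0.0.0.0/0"
    gateway: str                 # next-hop IP, or an interface name for a connected route
    table: str = "main"          # the routing-table= the route lives in
    distance: int = 1
    scope: int = 30              # RouterOS defaults: 30 for static routes, 10 for connected
    target_scope: int = 10
    gateway_table: str = "main"  # the "@main" part of gateway=8.8.8.8@main
    ping_ok: bool = True         # outcome of check-gateway=ping (constructed for the demo)

def _is_ip(value):
    try:
        ip_address(value)
        return True
    except ValueError:
        return False

def resolve(route, routes, depth=0):
    """Egress interface the route resolves to, or None when it is inactive. An IP next hop is
    looked up in gateway_table among routes whose prefix contains it and whose scope <= target_scope."""
    if not route.ping_ok or depth > 8:   # failed canary (or a loop) makes the route inactive
        return None
    if not _is_ip(route.gateway):
        return route.gateway             # connected route: the gateway is the interface
    gw = ip_address(route.gateway)
    candidates = [r for r in routes
                  if r.table == route.gateway_table and r is not route
                  and r.scope <= route.target_scope and gw in ip_network(r.dst)]
    candidates.sort(key=lambda r: (-ip_network(r.dst).prefixlen, r.distance))
    for cand in candidates:
        iface = resolve(cand, routes, depth + 1)
        if iface:
            return iface
    return None

def active_default(table, routes):
    """(gateway, egress) of the lowest-distance 0.0.0.0/0 route in `table` that resolves."""
    defaults = [r for r in routes if r.table == table and r.dst == "0.0.0.0/0"]
    for r in sorted(defaults, key=lambda r: r.distance):
        iface = resolve(r, routes)
        if iface:
            return r.gateway, iface
    return None, None

def build_routes(wan1_up=True, wan2_up=True, canary_scope=11):
    """The route set from the answer above; canary_scope=30 models plain static /32s."""
    return [
        Route("192.168.9.0/24", "WAN1", scope=10),   # connected, from the WAN1 DHCP client
        Route("192.168.50.0/24", "WAN2", scope=10),  # connected, from the WAN2 DHCP client
        Route("8.8.8.8/32", "192.168.9.254", scope=canary_scope, ping_ok=wan1_up),
        Route("8.8.4.4/32", "192.168.50.1", scope=canary_scope, ping_ok=wan2_up),
        Route("0.0.0.0/0", "8.8.8.8", table="to-WAN1", distance=1, target_scope=11),
        Route("0.0.0.0/0", "8.8.4.4", table="to-WAN1", distance=2, target_scope=11),
        Route("0.0.0.0/0", "8.8.4.4", table="to-WAN2", distance=1, target_scope=11),
        Route("0.0.0.0/0", "8.8.8.8", table="to-WAN2", distance=2, target_scope=11),
    ]
```

Call active_default("to-WAN2", build_routes(wan2_up=False)) to watch the to-WAN2 table fall over to the distance-2 route via 8.8.8.8 and WAN1 once the WAN2 canary stops answering.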

Thank you so much CGGANNX,
I understand much better what I am doing.
Using the recursive route in the main table (note 2) is a must for me.
But target scope and actual scope are still fuzzy.
Thank you so much :innocent:

See if this (and links in it) helps:

Post a config if you run into issues attempting it:
/export file=anynameyouwish (minus router serial number, any public WAN IP information, keys, DHCP lease lists)