Mikrotik blocks pages

escor · February 14, 2024, 2:14pm

Good morning everyone, I have a problem with Mikrotik. Currently, I have a Mikrotik that is balancing and another that manages only through pppoe. However, in the Mikrotik balancer it blocks certain pages, that is, for example, www.google.com, when I make a ping I get no answer for the page to open again I have to make a mangrove rule to output it through one of the lines directly and it works again correctly, however, after a few days it falls again and I have to change the output again to another line and it returns to to work, I don’t know what the error is about blocking the pages. If anyone can help me, I would appreciate it.

Mesquite · February 14, 2024, 2:28pm

Dont make tree/shrub based rules?

Post complete config less sensitive bits for review.

escor · February 15, 2024, 12:11am

Good afternoon, I attach the request.

/interface bridge
add name=bridge1
add admin-mac=0B:0B:0C:69:DE:69 auto-mac=no name=bridge101
add admin-mac=D0:74:1C:2E:A7:4B auto-mac=no name=bridge102
add admin-mac=04:4A:CC:66:7D:FF auto-mac=no name=bridge103
add admin-mac=0E:19:EF:B4:25:1D auto-mac=no name=bridge104
add admin-mac=02:A1:E2:E5:75:C5 auto-mac=no name=bridge105
add admin-mac=9D:2F:8D:49:9B:39 auto-mac=no name=bridge106
add admin-mac=54:0E:0E:4F:9A:A7 auto-mac=no name=bridge107
add admin-mac=91:0F:BB:34:C1:C9 auto-mac=no name=bridge108
add admin-mac=A1:D3:68:E6:05:17 auto-mac=no name=bridge109
add admin-mac=CD:84:9A:3E:C3:3B auto-mac=no name=bridge110
add admin-mac=5B:5C:43:F5:63:21 auto-mac=no name=bridge111
add admin-mac=8E:61:5E:0B:46:62 auto-mac=no name=bridge112
add admin-mac=8E:60:55:0B:46:6A auto-mac=no name=bridge113
add admin-mac=D2:BA:12:00:FE:8E auto-mac=no name=bridge114

add name=loopback
/interface ethernet
set [ find default-name=ether1 ] disabled=yes
set [ find default-name=sfp-sfpplus1 ] comment="BALANCEO DE CARGA"
set [ find default-name=sfp-sfpplus4 ] auto-negotiation=no speed=1Gbps
set [ find default-name=sfp-sfpplus5 ] speed=1Gbps
set [ find default-name=sfp-sfpplus6 ] auto-negotiation=no speed=1Gbps
set [ find default-name=sfp-sfpplus7 ] speed=1Gbps
/interface pppoe-client
add disabled=no interface=bridge101 name=pppoe-out1 password=speedy user=\
    speedy
add disabled=no interface=bridge102 name=pppoe-out2 password=speedy user=\
    speedy
add disabled=no interface=bridge103 name=pppoe-out3 password=speedy user=\
    speedy
add disabled=no interface=bridge104 name=pppoe-out4 password=speedy user=\
    speedy
add disabled=no interface=bridge105 name=pppoe-out5 password=speedy user=\
    speedy
add disabled=no interface=bridge106 name=pppoe-out6 password=speedy user=\
    speedy
add disabled=no interface=bridge107 name=pppoe-out7 password=speedy user=\
    speedy
add disabled=no interface=bridge108 name=pppoe-out8 password=speedy user=\
    speedy
add disabled=no interface=bridge109 name=pppoe-out9 password=speedy user=\
    speedy
add disabled=no interface=bridge110 name=pppoe-out10 password=speedy user=\
    speedy
add disabled=no interface=bridge111 name=pppoe-out11 password=speedy user=\
    speedy
add disabled=no interface=bridge119 name=pppoe-out12 password=speedy user=\
    speedy
add disabled=no interface=bridge121 name=pppoe-out13 password=speedy user=\
    speedy
add disabled=no interface=bridge122 name=pppoe-out14 password=speedy user=\
    speedy

/interface pptp-client
add connect-to=104.248.13.17 disabled=no name=pptp-out2 password=\
    salidaipublica2 user=salidaipublica2
/interface vlan
add interface=sfp-sfpplus1 name=vlan101 vlan-id=101
add interface=sfp-sfpplus1 name=vlan102 vlan-id=102
add interface=sfp-sfpplus1 name=vlan103 vlan-id=103
add interface=sfp-sfpplus1 name=vlan104 vlan-id=104
add interface=sfp-sfpplus1 name=vlan105 vlan-id=105
add interface=sfp-sfpplus1 name=vlan106 vlan-id=106
add interface=sfp-sfpplus1 name=vlan107 vlan-id=107
add interface=sfp-sfpplus1 name=vlan108 vlan-id=108
add interface=sfp-sfpplus1 name=vlan109 vlan-id=109
add interface=sfp-sfpplus1 name=vlan110 vlan-id=110
add interface=sfp-sfpplus1 name=vlan111 vlan-id=111
add interface=sfp-sfpplus1 name=vlan112 vlan-id=112
add interface=sfp-sfpplus1 name=vlan113 vlan-id=113
add interface=sfp-sfpplus1 name=vlan114 vlan-id=114

/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/routing ospf instance
set [ find default=yes ] router-id=10.255.255.1
/interface bridge port
add bridge=bridge101 interface=vlan101
add bridge=bridge102 interface=vlan102
add bridge=bridge103 interface=vlan103
add bridge=bridge104 interface=vlan104
add bridge=bridge105 interface=vlan105
add bridge=bridge106 interface=vlan106
add bridge=bridge107 interface=vlan107
add bridge=bridge108 interface=vlan108
add bridge=bridge109 interface=vlan109
add bridge=bridge110 interface=vlan110
add bridge=bridge111 interface=vlan111
add bridge=bridge112 interface=vlan112
add bridge=bridge113 interface=vlan113
add bridge=bridge114 interface=vlan114
add bridge=bridge115 interface=vlan115
add bridge=bridge116 interface=vlan116
add bridge=bridge117 interface=vlan117
add bridge=bridge118 interface=vlan118
add bridge=bridge119 interface=vlan119
add bridge=bridge120 interface=vlan120
add bridge=bridge121 interface=vlan121
add bridge=bridge122 interface=vlan122
add bridge=bridge1 interface=sfp-sfpplus8
add bridge=bridge1 interface=sfp-sfpplus7
add bridge=bridge1 interface=ether1
/ip neighbor discovery-settings
set discover-interface-list=none
/ip settings
set tcp-syncookies=yes
/ip address
add address=192.168.5.1/24 interface=bridge1 network=192.168.5.0

/ip dns
set servers=8.8.8.8,8.8.4.4
/ip firewall address-list
add address=portalrrcc.reniec.gob.pe list=MUNI
/ip firewall filter
add action=add-dst-to-address-list address-list=FAST.COM \
    address-list-timeout=none-dynamic chain=forward comment=fast.com content=\
    fast.com disabled=yes
add action=add-dst-to-address-list address-list=SPEEDTEST \
    address-list-timeout=none-dynamic chain=forward comment=SPEEDTEST \
    content=speedtest.net disabled=yes
add action=add-src-to-address-list address-list=blocked-addr \
    address-list-timeout=1d chain=input connection-limit=100,32 protocol=tcp
add action=tarpit chain=input connection-limit=3,32 protocol=tcp \
    src-address-list=blocked-addr
add action=jump chain=forward comment="SYN Flood protect" connection-state=\
    new disabled=yes jump-target=SYN-Protect protocol=tcp tcp-flags=syn
add action=accept chain=SYN-Protect connection-state=new disabled=yes limit=\
    400,5:packet protocol=tcp tcp-flags=syn
add action=drop chain=SYN-Protect connection-state=new disabled=yes protocol=\
    tcp tcp-flags=syn
add action=accept chain=input connection-state=established,related disabled=\
    yes
add action=drop chain=input connection-state=invalid disabled=yes
add action=drop chain=input src-address-list=BLOCK-2
add action=add-src-to-address-list address-list="PORT SCANNER" \
    address-list-timeout=none-static chain=forward comment=\
    "PROTECCION CONTRA SCANNER DE PUERTOS" disabled=yes protocol=tcp psd=\
    21,3s,3,1
/ip firewall mangle
add action=accept chain=prerouting comment="NO BALANCEAR TRAFICO PRIVADO" \
    disabled=yes dst-address-list=RED-LAN src-address-list=RED-LAN
add action=mark-connection chain=prerouting comment="PRIMER SEGMENTO" \
    connection-mark=no-mark in-interface=pppoe-out1 new-connection-mark=\
    ISP1_conn passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=pppoe-out2 new-connection-mark=ISP2_conn passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=pppoe-out3 new-connection-mark=ISP3_conn passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=pppoe-out4 new-connection-mark=ISP4_conn passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=pppoe-out5 new-connection-mark=ISP5_conn passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=pppoe-out6 new-connection-mark=ISP6_conn passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=pppoe-out7 new-connection-mark=ISP7_conn passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=pppoe-out8 new-connection-mark=ISP8_conn passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=pppoe-out9 new-connection-mark=ISP9_conn passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=pppoe-out10 new-connection-mark=ISP10_conn passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=pppoe-out11 new-connection-mark=ISP11_conn passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=pppoe-out12 new-connection-mark=ISP12_conn passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=pppoe-out13 new-connection-mark=ISP13_conn passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=pppoe-out14 new-connection-mark=ISP14_conn passthrough=yes

add action=mark-connection chain=prerouting comment="SEGUNDO SEGMENTO" \
    connection-mark=no-mark dst-address-type=!local in-interface=bridge1 \
    new-connection-mark=ISP1_conn passthrough=yes per-connection-classifier=\
    both-addresses:14/0
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local in-interface=bridge1 new-connection-mark=\
    ISP2_conn passthrough=yes per-connection-classifier=both-addresses:14/1
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local in-interface=bridge1 new-connection-mark=\
    ISP3_conn passthrough=yes per-connection-classifier=both-addresses:14/2
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local in-interface=bridge1 new-connection-mark=\
    ISP4_conn passthrough=yes per-connection-classifier=both-addresses:14/3
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local in-interface=bridge1 new-connection-mark=\
    ISP5_conn passthrough=yes per-connection-classifier=both-addresses:14/4
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local in-interface=bridge1 new-connection-mark=\
    ISP6_conn passthrough=yes per-connection-classifier=both-addresses:14/5
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local in-interface=bridge1 new-connection-mark=\
    ISP7_conn passthrough=yes per-connection-classifier=both-addresses:14/6
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local in-interface=bridge1 new-connection-mark=\
    ISP8_conn passthrough=yes per-connection-classifier=both-addresses:14/7
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local in-interface=bridge1 new-connection-mark=\
    ISP9_conn passthrough=yes per-connection-classifier=both-addresses:14/8
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local in-interface=bridge1 new-connection-mark=\
    ISP10_conn passthrough=yes per-connection-classifier=both-addresses:14/9
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local in-interface=bridge1 new-connection-mark=\
    ISP11_conn passthrough=yes per-connection-classifier=both-addresses:14/10
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local in-interface=bridge1 new-connection-mark=\
    ISP12_conn passthrough=yes per-connection-classifier=both-addresses:14/11
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local in-interface=bridge1 new-connection-mark=\
    ISP13_conn passthrough=yes per-connection-classifier=both-addresses:14/12
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local in-interface=bridge1 new-connection-mark=\
    ISP14_conn passthrough=yes per-connection-classifier=both-addresses:14/13

add action=mark-routing chain=prerouting comment="TERCER SEGMENTO" \
    connection-mark=ISP1_conn in-interface=bridge1 new-routing-mark=to_ISP1 \
    passthrough=yes
add action=mark-routing chain=prerouting connection-mark=ISP2_conn \
    in-interface=bridge1 new-routing-mark=to_ISP2 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=ISP3_conn \
    in-interface=bridge1 new-routing-mark=to_ISP3 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=ISP4_conn \
    in-interface=bridge1 new-routing-mark=to_ISP4 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=ISP5_conn \
    in-interface=bridge1 new-routing-mark=to_ISP5 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=ISP6_conn \
    in-interface=bridge1 new-routing-mark=to_ISP6 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=ISP7_conn \
    in-interface=bridge1 new-routing-mark=to_ISP7 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=ISP8_conn \
    in-interface=bridge1 new-routing-mark=to_ISP8 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=ISP9_conn \
    in-interface=bridge1 new-routing-mark=to_ISP9 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=ISP10_conn \
    in-interface=bridge1 new-routing-mark=to_ISP10 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=ISP11_conn \
    in-interface=bridge1 new-routing-mark=to_ISP11 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=ISP12_conn \
    in-interface=bridge1 new-routing-mark=to_ISP12 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=ISP13_conn \
    in-interface=bridge1 new-routing-mark=to_ISP13 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=ISP14_conn \
    in-interface=bridge1 new-routing-mark=to_ISP14 passthrough=yes

add action=mark-routing chain=output comment="CUARTO SEGMENTO" \
    connection-mark=ISP1_conn new-routing-mark=to_ISP1 passthrough=yes
add action=mark-routing chain=output connection-mark=ISP2_conn \
    new-routing-mark=to_ISP2 passthrough=yes
add action=mark-routing chain=output connection-mark=ISP3_conn \
    new-routing-mark=to_ISP3 passthrough=yes
add action=mark-routing chain=output connection-mark=ISP4_conn \
    new-routing-mark=to_ISP4 passthrough=yes
add action=mark-routing chain=output connection-mark=ISP5_conn \
    new-routing-mark=to_ISP5 passthrough=yes
add action=mark-routing chain=output connection-mark=ISP6_conn \
    new-routing-mark=to_ISP6 passthrough=yes
add action=mark-routing chain=output connection-mark=ISP7_conn \
    new-routing-mark=to_ISP7 passthrough=yes
add action=mark-routing chain=output connection-mark=ISP8_conn \
    new-routing-mark=to_ISP8 passthrough=yes
add action=mark-routing chain=output connection-mark=ISP9_conn \
    new-routing-mark=to_ISP9 passthrough=yes
add action=mark-routing chain=output connection-mark=ISP10_conn \
    new-routing-mark=to_ISP10 passthrough=yes
add action=mark-routing chain=output connection-mark=ISP11_conn \
    new-routing-mark=to_ISP11 passthrough=yes
add action=mark-routing chain=output connection-mark=ISP12_conn \
    new-routing-mark=to_ISP12 passthrough=yes
add action=mark-routing chain=output connection-mark=ISP13_conn \
    new-routing-mark=to_ISP13 passthrough=yes
add action=mark-routing chain=output connection-mark=ISP14_conn \
    new-routing-mark=to_ISP14 passthrough=yes

add action=mark-routing chain=prerouting comment="REDIRECCIONAR PAGINA MUNI" \
    dst-address-list=MUNI new-routing-mark=to_ISP8 passthrough=yes


/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe-out1
add action=masquerade chain=srcnat out-interface=pppoe-out2
add action=masquerade chain=srcnat out-interface=pppoe-out3
add action=masquerade chain=srcnat out-interface=pppoe-out4
add action=masquerade chain=srcnat out-interface=pppoe-out5
add action=masquerade chain=srcnat out-interface=pppoe-out6
add action=masquerade chain=srcnat out-interface=pppoe-out7
add action=masquerade chain=srcnat out-interface=pppoe-out8
add action=masquerade chain=srcnat out-interface=pppoe-out9
add action=masquerade chain=srcnat out-interface=pppoe-out10
add action=masquerade chain=srcnat out-interface=pppoe-out11
add action=masquerade chain=srcnat out-interface=pppoe-out12
add action=masquerade chain=srcnat out-interface=pppoe-out13
add action=masquerade chain=srcnat out-interface=pppoe-out14

/ip route
add check-gateway=ping distance=1 gateway=pppoe-out1 routing-mark=to_ISP1
add check-gateway=ping distance=1 gateway=pppoe-out2 routing-mark=to_ISP2
add check-gateway=ping distance=1 gateway=pppoe-out3 routing-mark=to_ISP3
add check-gateway=ping distance=1 gateway=pppoe-out4 routing-mark=to_ISP4
add check-gateway=ping distance=1 gateway=pppoe-out5 routing-mark=to_ISP5
add check-gateway=ping distance=1 gateway=pppoe-out6 routing-mark=to_ISP6
add check-gateway=ping distance=1 gateway=pppoe-out7 routing-mark=to_ISP7
add check-gateway=ping distance=1 gateway=pppoe-out8 routing-mark=to_ISP8
add check-gateway=ping distance=1 gateway=pppoe-out9 routing-mark=to_ISP9
add check-gateway=ping distance=1 gateway=pppoe-out10 routing-mark=to_ISP10
add check-gateway=ping distance=1 gateway=pppoe-out11 routing-mark=to_ISP11
add check-gateway=ping distance=1 gateway=pppoe-out12 routing-mark=to_ISP12
add check-gateway=ping distance=1 gateway=pppoe-out13 routing-mark=to_ISP13
add check-gateway=ping distance=1 gateway=pppoe-out14 routing-mark=to_ISP14
add check-gateway=ping distance=1 gateway=pppoe-out1
add check-gateway=ping distance=2 gateway=pppoe-out2
add check-gateway=ping distance=3 gateway=pppoe-out3
add check-gateway=ping distance=4 gateway=pppoe-out4
add check-gateway=ping distance=5 gateway=pppoe-out5
add check-gateway=ping distance=6 gateway=pppoe-out6
add check-gateway=ping distance=7 gateway=pppoe-out7
add check-gateway=ping distance=8 gateway=pppoe-out8
add check-gateway=ping distance=9 gateway=pppoe-out9
add check-gateway=ping distance=10 gateway=pppoe-out10
add check-gateway=ping distance=11 gateway=pppoe-out11
add check-gateway=ping distance=12 gateway=pppoe-out12
add check-gateway=ping distance=13 gateway=pppoe-out13
add check-gateway=ping distance=14 gateway=pppoe-out14


/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes port=8085
set api disabled=yes port=2222
set winbox port=5623
set api-ssl disabled=yes
/routing ospf interface
add disabled=yes interface=sfp-sfpplus4 network-type=broadcast passive=yes
/routing ospf network
add area=backbone disabled=yes network=192.168.5.0/24
add area=backbone disabled=yes network=110.22.20.0/24
add area=backbone disabled=yes network=175.166.41.0/30
/system clock
set time-zone-name=America/Lima
/system identity
set name="MK LINEAS"
/system ntp client
set enabled=yes primary-ntp=146.164.53.65 secondary-ntp=129.6.15.28
/system watchdog
set watchdog-timer=no
/tool bandwidth-server
set authenticate=no enabled=no
/tool romon
set enabled=yes secrets=*********

Mesquite · February 15, 2024, 12:44am

I would retain the one bridge you use for the LAN and scrap the rest unless there is some reason you have to have bridges.
THis reduces bridge ports to three lines.

Simpy assign all the vlans to sfpplus1 as you have and define each
pppoE client as follows:

/interface pppoe-client
add disabled=no interface=vlan101 name=pppoe-out1 password=speedy user=
speedy

Interface list members
bridge1=LAN
pppoe-out1 thru pppoe-out14 = WAN

Any reason why you have no forward chain firewall rules??

Do you have any external originated traffic going directly to the router? ( like VPN etc. ?)
Do you have any external originated traffic go to the LAN like to a server?

If the answer is no, then you dont need all the mangle rules, just these ones…
ALSO on the mark-routing rules, set passthrough=no !

add action=mark-connection chain=prerouting comment="SEGUNDO SEGMENTO" \
    connection-mark=no-mark dst-address-type=!local in-interface=bridge1 \
    new-connection-mark=ISP1_conn passthrough=yes per-connection-classifier=\
    both-addresses:14/0
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local in-interface=bridge1 new-connection-mark=\
    ISP2_conn passthrough=yes per-connection-classifier=both-addresses:14/1
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local in-interface=bridge1 new-connection-mark=\
    ISP3_conn passthrough=yes per-connection-classifier=both-addresses:14/2
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local in-interface=bridge1 new-connection-mark=\
    ISP4_conn passthrough=yes per-connection-classifier=both-addresses:14/3
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local in-interface=bridge1 new-connection-mark=\
    ISP5_conn passthrough=yes per-connection-classifier=both-addresses:14/4
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local in-interface=bridge1 new-connection-mark=\
    ISP6_conn passthrough=yes per-connection-classifier=both-addresses:14/5
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local in-interface=bridge1 new-connection-mark=\
    ISP7_conn passthrough=yes per-connection-classifier=both-addresses:14/6
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local in-interface=bridge1 new-connection-mark=\
    ISP8_conn passthrough=yes per-connection-classifier=both-addresses:14/7
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local in-interface=bridge1 new-connection-mark=\
    ISP9_conn passthrough=yes per-connection-classifier=both-addresses:14/8
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local in-interface=bridge1 new-connection-mark=\
    ISP10_conn passthrough=yes per-connection-classifier=both-addresses:14/9
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local in-interface=bridge1 new-connection-mark=\
    ISP11_conn passthrough=yes per-connection-classifier=both-addresses:14/10
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local in-interface=bridge1 new-connection-mark=\
    ISP12_conn passthrough=yes per-connection-classifier=both-addresses:14/11
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local in-interface=bridge1 new-connection-mark=\
    ISP13_conn passthrough=yes per-connection-classifier=both-addresses:14/12
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local in-interface=bridge1 new-connection-mark=\
    ISP14_conn passthrough=yes per-connection-classifier=both-addresses:14/13

add action=mark-routing chain=prerouting comment="TERCER SEGMENTO" \
    connection-mark=ISP1_conn in-interface=bridge1 new-routing-mark=to_ISP1 \
    passthrough=no
add action=mark-routing chain=prerouting connection-mark=ISP2_conn \
    in-interface=bridge1 new-routing-mark=to_ISP2 passthrough=no
add action=mark-routing chain=prerouting connection-mark=ISP3_conn \
    in-interface=bridge1 new-routing-mark=to_ISP3 passthrough=no
add action=mark-routing chain=prerouting connection-mark=ISP4_conn \
    in-interface=bridge1 new-routing-mark=to_ISP4 passthrough=no
add action=mark-routing chain=prerouting connection-mark=ISP5_conn \
    in-interface=bridge1 new-routing-mark=to_ISP5 passthrough=no
add action=mark-routing chain=prerouting connection-mark=ISP6_conn \
    in-interface=bridge1 new-routing-mark=to_ISP6 passthrough=no
add action=mark-routing chain=prerouting connection-mark=ISP7_conn \
    in-interface=bridge1 new-routing-mark=to_ISP7 passthrough=no
add action=mark-routing chain=prerouting connection-mark=ISP8_conn \
    in-interface=bridge1 new-routing-mark=to_ISP8 passthrough=no
add action=mark-routing chain=prerouting connection-mark=ISP9_conn \
    in-interface=bridge1 new-routing-mark=to_ISP9 passthrough=no
add action=mark-routing chain=prerouting connection-mark=ISP10_conn \
    in-interface=bridge1 new-routing-mark=to_ISP10 passthrough=no
add action=mark-routing chain=prerouting connection-mark=ISP11_conn \
    in-interface=bridge1 new-routing-mark=to_ISP11 passthrough=no
add action=mark-routing chain=prerouting connection-mark=ISP12_conn \
    in-interface=bridge1 new-routing-mark=to_ISP12 passthrough=no
add action=mark-routing chain=prerouting connection-mark=ISP13_conn \
    in-interface=bridge1 new-routing-mark=to_ISP13 passthrough=no
add action=mark-routing chain=prerouting connection-mark=ISP14_conn \
    in-interface=bridge1 new-routing-mark=to_ISP14 passthrough=no

…

You do not need check-gateway=ping on your manually created specific routes.