MikroTik PCC with 3 WAN + Dedicated WAN for CCTV/NVR Incoming Traffic (Policy Routing Issue)

Hello,

I am using a MikroTik router with PCC load balancing on 3 WAN links (WAN1–WAN3) for LAN users.

I also have a 4th WAN (WAN4) which I want to use only for remote CCTV/camera traffic coming from external locations to my local NVR.

My Setup:

  • WAN1, WAN2, WAN3 → Used in PCC for normal internet users

  • WAN4 → Dedicated for camera/NVR traffic only

  • Cameras connect from remote public IPs to my NVR via port forwarding

  • NVR is on LAN

  • PCC is already working fine for users

Problem:

When WAN1 has the lowest distance (main route), camera traffic replies go via WAN1 instead of WAN4, causing asymmetric routing and connection issues.

If I make WAN4 priority 1, cameras work, but LAN internet becomes unstable.

I want:

✅ LAN users → Use WAN1–WAN3 via PCC
✅ Camera/NVR traffic → Always use WAN4 (no PCC)
❌ WAN4 should not be used by LAN users

What I Tried:

  • Route distance changes

  • PCC exclusion

  • Mangle marking

  • Policy routing

But traffic still follows default route unless WAN4 is primary.

With all due respect 🙂, this is what you think you have tried; even a single, tiny mistake in any one of the numerous settings involved in each of those attempts may have made the whole attempt fruitless.

At first sight both the Mangle marking and the Policy routing should have worked (if properly implemented), so what you should do now to get some assistance is to post your configuration(s): the one you tried with Mangle marking and the one with Policy routing, or just your current configuration with neither of the two approaches implemented.

Instructions here:

Just to be clear, WAN1, 2 and 3 all have very different throughputs?
If not, ECMP is far easier to accomplish in terms of load balancing.

As far as WAN4 goes, I would bet cggx has a vrf solution that is golden……… sadly I am not up to that task.

As stated, without your config it's hard to say much else.

# 2026-02-02 17:03:18 by RouterOS 7.17.2
# software id = 
#
# model = CCR2116-12G-4S+
# serial number = 
/interface ethernet
set [ find default-name=ether13 ] name="Ether Boot"
set [ find default-name=sfp-sfpplus2 ] name=LAN1
set [ find default-name=sfp-sfpplus1 ] l2mtu=1596 mac-address=\
     name=SAP
set [ find default-name=ether1 ] comment="Strom Fiber"
set [ find default-name=ether2 ] comment=Nayatel
set [ find default-name=ether3 ] comment=PTCL
set [ find default-name=ether4 ] comment=LAN
set [ find default-name=ether6 ] comment=storm-camera
/interface list
add name=Ethernet
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip dhcp-server option
add code=66 name=option1 value="'10.10.10.100'"
add code=67 name=67 value="'boot\\pxeboot.n12'"
/ip dhcp-server option sets
add name=set1 options=67,option1
/ip pool
add name=openvpn ranges=192.168.99.2-192.168.99.50
add name=pool8 ranges=10.10.41.2-10.10.41.254
add name=dhcp_pool7 next-pool=pool8 ranges=10.10.40.2-10.10.40.254
/ip dhcp-server
add address-pool=dhcp_pool7 dhcp-option-set=set1 interface=LAN1 name=dhcp1
/port
set 0 name=serial0
/ppp profile
add local-address=192.168.99.1 name=openvpn-profile remote-address=openvpn \
    use-encryption=yes
/routing table
add fib name=to_strom
add fib name=to_naya
add fib name=to_ptcl
add disabled=no fib name=to-storm-camera
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0 name=prtg
/system logging action
set 3 remote=10.10.10.117 syslog-facility=local0
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set max-neighbor-entries=4096 min-neighbor-entries=4095 \
    soft-max-neighbor-entries=4095
/interface detect-internet
set wan-interface-list=all
/interface list member
add interface=ether4 list=Ethernet
add interface=LAN1 list=Ethernet
add interface=SAP list=Ethernet
/ip address
add address=192.168.1.254/24 interface=ether5 network=192.168.1.0
add address=192.168.100.26/24 interface=ether1 network=192.168.100.0
add address=192.168.17.26/24 interface=ether2 network=192.168.17.0
add address=192.168.15.26/24 interface=ether3 network=192.168.15.0
add address=10.10.10.1/18 interface=LAN1 network=10.10.0.0
add address=10.10.20.1/18 interface=LAN1 network=10.10.0.0
add address=10.10.40.1/18 interface=LAN1 network=10.10.0.0
add address=10.10.101.1/24 interface=SAP network=10.10.101.0
add address=192.168.101.26/24 interface=ether6 network=192.168.101.0
/ip dhcp-server network
add address=10.10.0.0/18 boot-file-name="boot\\pxeboot.n12" dhcp-option-set=\
    set1 dns-server=10.10.10.1,8.8.4.4,8.8.8.8 gateway=10.10.10.1 \
    next-server=10.10.10.100
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
add address=10.10.101.52 match-subdomain=yes name=nflrouter.nutrifactor.com \
    type=A
add address=10.10.101.7 name=nutrifactorcloud.com type=A
add address=10.10.101.14 name=horizon.local type=A
add address=10.10.101.15 name=horizon-manager.horizon.local type=A
add address=10.10.101.20 name=radius.local type=A
add address=10.10.101.22 name=uag.local type=A
add address=10.10.101.62 name=mail.nutrifactor.online type=A
add address=10.10.10.110 name=n8n-nutrifactor.com type=A
/ip firewall address-list
add address=iris.fbr.gov.pk list=web_routing
add address=freepik.com list=web_routing
add address=www.freepik.com list=web_routing
add address=www.youtube.com list=web_routing
add address=youtube.com list=web_routing
add address=yastatic.net list=web_routing
add address=mc.yandex.ru list=web_routing
add address=yandex.ru list=web_routing
add address=admin.shopify.com list=Shopify
add address=tencentcdn1.tamashaweb.com list=tamasha
add address=3.160.77.142 list=tamasha
add address=43.152.190.241 list=tamasha
add address=43.152.190.242 list=tamasha
add address=43.152.188.238 list=tamasha
add address=10.10.40.123 list="mobile ip"
add address=10.10.40.66 list="mobile ip"
add address=10.10.40.49 list="mobile ip"
add address=10.10.10.78 list="mobile ip"
add address=45.143.222.63 list=tamasha
add address=smartcric.ch list=tamasha
add address=p2p03eu.vidict.net list=tamasha
add address=77.247.109.240 list=tamasha
add address=137.59.224.16 list=ptcl_routing
add address=dodeliver.com.pk list=web_routing
add address=msguides.com list=web_routing
add address=kms.msguides.com list=web_routing
add address=360.yandex.com list=web_routing
add address=ecom.leopardscourier.com list=naya_routing
add address=smtp.yandex.ru list=naya_routing
add address=imap.yandex.ru list=naya_routing
add address=clck.yandex.com list=naya_routing
add address=mail.yandex.com list=web_routing
add address=mail.yandex.ru list=web_routing
add address=admin.shopify.com list=ptcl_routing
add address=cdn.shopify.com list=ptcl_routing
add address=youtube.com comment=yt list=yt
add address=youtu.be list=yt
add address=tiktok.com list=web_routing
add address=accounts.zoho.com comment=zoho list=fb
add address=yandex.com comment=yandex list=web_routing
add address=accounts.zoho.com list=ptcl_routing
add address=zoho.com list=ptcl_routing
add address=web.whatsapp.com list=ptcl_routing
add address=162.159.192.1 list=naya_routing
add address=mail.nutrifactor.online list=web_routing
add address=web.whatsapp.net list=ptcl_routing
add address=static.whatsapp.net list=ptcl_routing
add address=mmg.whatsapp.net list=ptcl_routing
add address=g.whatsapp.net list=ptcl_routing
add address=w1.web.whatsapp.com list=ptcl_routing
add address=w2.web.whatsapp.com list=ptcl_routing
add address=graph.whatsapp.net list=ptcl_routing
add address=scontent.whatsapp.net list=ptcl_routing
add address=crashlogs.whatsapp.net list=ptcl_routing
add address=43.251.254.21 list=cameras
add address=182.180.119.188 list=cameras
/ip firewall filter
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here" disabled=yes
add action=log chain=forward log=yes log-prefix=traffic
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here" disabled=yes
add action=log chain=forward log=yes log-prefix=traffic
add action=drop chain=forward comment=tamsha disabled=yes dst-address-list=\
    tamasha src-address-list="mobile ip"
add action=drop chain=forward comment="block connection rule" disabled=yes \
    dst-address=10.10.40.85
add action=drop chain=forward protocol=tcp tls-host=an.yandex.ru
add action=drop chain=forward protocol=tcp tls-host=bs.yandex.ru
add action=drop chain=forward protocol=tcp tls-host=clck.yandex.ru
add action=drop chain=forward protocol=tcp tls-host=metrika.yandex.ru
add action=drop chain=forward protocol=tcp tls-host=partner.yandex.ru
add action=drop chain=forward disabled=yes protocol=tcp tls-host=mc.yandex.ru
add action=drop chain=forward protocol=tcp tls-host=yabs.yandex.ru
add action=drop chain=forward protocol=tcp tls-host=ads.adfox.ru
add action=drop chain=forward protocol=tcp tls-host=awaps.yandex.net
add action=drop chain=forward protocol=tcp tls-host=mds.yandex.net
add action=drop chain=forward disabled=yes protocol=tcp tls-host=\
    avatars.mds.yandex.net
add action=drop chain=forward protocol=tcp tls-host=mc.admetrica.yandex.com
add action=drop chain=forward protocol=tcp tls-host=adfox.yandex.ru
add action=drop chain=forward protocol=tcp tls-host=ssp.adfox.yandex.ru
add action=drop chain=forward protocol=tcp tls-host=adsdk.yandex.ru
add action=drop chain=forward protocol=tcp tls-host=banner.yandex.com
add action=drop chain=forward protocol=tcp tls-host=adfstat.yandex.ru
add action=accept chain=input dst-port=500 protocol=udp
add action=accept chain=input dst-port=4500 protocol=udp
add action=accept chain=input protocol=ipsec-esp
add action=drop chain=forward out-interface=ether6 src-address=10.10.0.0/18
/ip firewall mangle
add action=mark-connection chain=prerouting comment="stromcamera mark-conn" \
    disabled=yes in-interface=ether6 new-connection-mark=storm_camera \
    src-address-list=cameras
add action=mark-routing chain=prerouting comment="stromcamera mark-conn" \
    connection-mark=storm_camera disabled=yes new-routing-mark=\
    to-storm-camera passthrough=no src-address-list=cameras
add action=accept chain=prerouting comment=strom_camera dst-address=\
    192.168.101.0/24 in-interface-list=Ethernet
add action=mark-connection chain=prerouting comment="stromcamera mark-conn" \
    connection-mark=no-mark in-interface=ether6 new-connection-mark=\
    storm_camera
add action=add-dst-to-address-list address-list=fb address-list-timeout=1w \
    chain=prerouting in-interface-list=all protocol=tcp tls-host=\
    *.facebook.com
add action=add-dst-to-address-list address-list=fb address-list-timeout=1w \
    chain=prerouting in-interface-list=all protocol=tcp tls-host=*.fb.com
add action=add-dst-to-address-list address-list=fb address-list-timeout=1w \
    chain=prerouting in-interface-list=all protocol=tcp tls-host=*.fbcdn.com
add action=add-dst-to-address-list address-list=fb address-list-timeout=1w \
    chain=prerouting in-interface-list=all protocol=tcp tls-host=*.fbcdn.net
add action=add-dst-to-address-list address-list=fb address-list-timeout=\
    none-dynamic chain=prerouting protocol=tcp tls-host=*.fna.fbcdn.net
add action=accept chain=prerouting dst-address=10.10.40.0/24 src-address=\
    192.168.99.0/24
add action=accept chain=prerouting dst-address=192.168.99.0/24 src-address=\
    10.10.40.0/24
add action=accept chain=prerouting dst-address=10.10.101.0/24 src-address=\
    10.10.10.0/24
add action=accept chain=prerouting dst-address=10.10.10.0/24 src-address=\
    10.10.101.0/24
add action=accept chain=prerouting dst-address=10.10.20.0/24 src-address=\
    10.10.101.0/24
add action=accept chain=prerouting dst-address=10.10.40.0/24 src-address=\
    10.10.101.0/24
add action=accept chain=prerouting dst-address=10.10.101.0/24 src-address=\
    10.10.20.0/24
add action=accept chain=prerouting dst-address=10.10.101.0/24 src-address=\
    10.10.40.0/24
add action=accept chain=prerouting dst-address=192.168.1.0/24 src-address=\
    10.10.20.0/24
add action=accept chain=prerouting dst-address=10.10.10.0/24 src-address=\
    10.10.20.0/24
add action=accept chain=prerouting dst-address=10.10.40.0/24 src-address=\
    10.10.20.0/24
add action=accept chain=prerouting dst-address=192.168.1.0/24 src-address=\
    10.10.10.0/24
add action=accept chain=prerouting dst-address=10.10.20.0/24 src-address=\
    10.10.10.0/24
add action=accept chain=prerouting dst-address=10.10.40.0/24 src-address=\
    10.10.10.0/24
add action=accept chain=prerouting dst-address=10.10.20.0/24 src-address=\
    10.10.40.0/24
add action=accept chain=prerouting dst-address=10.10.10.0/24 src-address=\
    10.10.40.0/24
add action=accept chain=prerouting dst-address=192.168.1.0/24 src-address=\
    10.10.40.0/24
add action=accept chain=prerouting dst-address=10.10.40.0/24 src-address=\
    192.168.1.0/24
add action=accept chain=prerouting dst-address=10.10.10.0/24 src-address=\
    192.168.1.0/24
add action=accept chain=prerouting dst-address=10.10.21.0/24 src-address=\
    10.10.20.0/24
add action=accept chain=prerouting dst-address=10.10.21.0/24 src-address=\
    10.10.10.0/24
add action=accept chain=prerouting dst-address=10.10.21.0/24 src-address=\
    10.10.40.0/24
add action=accept chain=prerouting dst-address=10.10.11.0/24 src-address=\
    10.10.10.0/24
add action=accept chain=prerouting dst-address=10.10.11.0/24 src-address=\
    10.10.20.0/24
add action=accept chain=prerouting dst-address=10.10.11.0/24 src-address=\
    10.10.40.0/24
add action=accept chain=prerouting dst-address=10.10.11.0/24 src-address=\
    10.10.101.0/24
add action=accept chain=prerouting dst-address=192.168.18.0/24 src-address=\
    10.10.101.0/24
add action=accept chain=prerouting dst-address=192.168.18.0/24 src-address=\
    10.10.10.0/24
add action=accept chain=prerouting dst-address=192.168.18.0/24 src-address=\
    10.10.20.0/24
add action=accept chain=prerouting dst-address=192.168.18.0/24 src-address=\
    10.10.40.0/24
add action=accept chain=prerouting dst-address=10.10.12.0/24 src-address=\
    10.10.10.0/24
add action=accept chain=prerouting dst-address=10.10.12.0/24 src-address=\
    10.10.20.0/24
add action=accept chain=prerouting dst-address=10.10.12.0/24 src-address=\
    10.10.40.0/24
add action=accept chain=prerouting dst-address=10.10.41.0/24 src-address=\
    10.10.20.0/24
add action=accept chain=prerouting dst-address=10.10.20.0/24 src-address=\
    10.10.41.0/24
add action=accept chain=prerouting dst-address=10.10.41.0/24 src-address=\
    10.10.10.0/24
add action=accept chain=prerouting dst-address=10.10.10.0/24 src-address=\
    10.10.41.0/24
add action=accept chain=prerouting dst-address=10.10.101.0/24 src-address=\
    10.10.41.0/24
add action=accept chain=prerouting dst-address=10.10.41.0/24 src-address=\
    10.10.101.0/24
add action=accept chain=prerouting dst-address=10.10.41.0/24 src-address=\
    192.168.1.0/24
add action=accept chain=prerouting dst-address=192.168.1.0/24 src-address=\
    10.10.41.0/24
add action=accept chain=prerouting dst-address=192.168.18.0/24 src-address=\
    10.10.41.0/24
add action=accept chain=prerouting dst-address=10.10.41.0/24 src-address=\
    192.168.18.0/24
add action=mark-connection chain=prerouting in-interface-list=Ethernet \
    new-connection-mark=strom-conn src-address=10.10.101.62
add action=mark-routing chain=prerouting in-interface-list=Ethernet \
    new-routing-mark=to_strom passthrough=no src-address=10.10.101.62
add action=accept chain=prerouting comment=strom dst-address=192.168.100.0/24 \
    in-interface-list=Ethernet
add action=accept chain=prerouting comment=naytel dst-address=192.168.17.0/24 \
    in-interface-list=Ethernet
add action=accept chain=prerouting comment=ptcl dst-address=192.168.15.0/24 \
    in-interface-list=Ethernet
add action=mark-connection chain=prerouting comment="strom mark-conn" \
    connection-mark=no-mark in-interface=ether1 new-connection-mark=\
    strom-conn
add action=mark-connection chain=prerouting comment="nayatel mark-conn" \
    connection-mark=no-mark in-interface=ether2 new-connection-mark=naya-conn
add action=mark-connection chain=prerouting comment="ptcl mark conn" \
    connection-mark=no-mark in-interface=ether3 new-connection-mark=ptcl-conn
add action=mark-connection chain=prerouting disabled=yes in-interface=ether1 \
    new-connection-mark=strom-conn src-address=10.10.101.62
add action=mark-connection chain=prerouting comment="Fb Routing to naya" \
    dst-address-list=fb dst-address-type=!local in-interface-list=Ethernet \
    new-connection-mark=strom-conn
add action=mark-connection chain=prerouting comment=\
    "Website Routing to strom" dst-address-list=web_routing dst-address-type=\
    !local in-interface-list=Ethernet new-connection-mark=strom-conn
add action=mark-connection chain=prerouting comment="Website Routing to naya" \
    dst-address-list=naya_routing dst-address-type=!local in-interface-list=\
    Ethernet new-connection-mark=naya-conn
add action=mark-connection chain=prerouting comment="Website Routing to FB" \
    dst-address-list=ptcl_routing dst-address-type=!local in-interface-list=\
    Ethernet new-connection-mark=ptcl-conn
add action=mark-connection chain=prerouting comment="strom pcc" \
    connection-mark=no-mark dst-address-type=!local in-interface-list=\
    Ethernet new-connection-mark=strom-conn per-connection-classifier=\
    both-addresses:3/0
add action=mark-connection chain=prerouting comment="naya pcc" \
    connection-mark=no-mark dst-address-type=!local in-interface-list=\
    Ethernet new-connection-mark=naya-conn per-connection-classifier=\
    both-addresses:3/1
add action=mark-connection chain=prerouting comment="ptcl pcc" \
    connection-mark=no-mark dst-address-type=!local in-interface-list=\
    Ethernet new-connection-mark=ptcl-conn per-connection-classifier=\
    both-addresses:3/2
add action=mark-routing chain=prerouting comment="strom routing mark" \
    connection-mark=strom-conn in-interface-list=Ethernet new-routing-mark=\
    to_strom
add action=mark-routing chain=prerouting comment="nayatel roting mark" \
    connection-mark=naya-conn in-interface-list=Ethernet new-routing-mark=\
    to_naya
add action=mark-routing chain=prerouting comment="ptcl routing mark" \
    connection-mark=ptcl-conn in-interface-list=Ethernet new-routing-mark=\
    to_ptcl
add action=mark-routing chain=output comment="strom output mark" \
    connection-mark=strom-conn new-routing-mark=to_strom
add action=mark-routing chain=output comment="naya output mark" \
    connection-mark=naya-conn new-routing-mark=to_naya
add action=mark-routing chain=output comment="ptcl output mark" \
    connection-mark=ptcl-conn new-routing-mark=to_ptcl
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here" disabled=yes
add action=redirect chain=dstnat disabled=yes dst-port=53 protocol=udp \
    to-ports=53
add action=redirect chain=dstnat disabled=yes dst-port=53 protocol=tcp \
    to-ports=53
add action=masquerade chain=srcnat out-interface=ether1
add action=masquerade chain=srcnat out-interface=ether2
add action=masquerade chain=srcnat out-interface=ether3
add action=masquerade chain=srcnat out-interface=ether6
add action=accept chain=srcnat disabled=yes dst-address=192.168.110.0/24 \
    src-address=192.168.100.0/24
add action=dst-nat chain=dstnat comment=SAProuter1 dst-address=192.168.100.26 \
    dst-port=6121 protocol=tcp to-addresses=10.10.101.52 to-ports=30000
add action=dst-nat chain=dstnat comment=SAProuter1 dst-address=192.168.100.26 \
    dst-port=3299 protocol=tcp to-addresses=10.10.101.52 to-ports=3299
add action=dst-nat chain=dstnat comment=SAProuter2 dst-address=192.168.100.26 \
    dst-port=3399 protocol=tcp to-addresses=10.10.101.52 to-ports=3399
add action=dst-nat chain=dstnat comment=SAProuter2 dst-address=192.168.100.26 \
    dst-port=3389 protocol=tcp to-addresses=10.10.101.52 to-ports=3389
add action=dst-nat chain=dstnat comment=SAProuter2 dst-address=192.168.100.26 \
    dst-port=33891 protocol=tcp to-addresses=10.10.101.54 to-ports=44330
add action=dst-nat chain=dstnat comment=SAProuter2 dst-address=192.168.100.26 \
    dst-port=40000 protocol=tcp to-addresses=10.10.101.52 to-ports=40000
add action=dst-nat chain=dstnat dst-address=192.168.100.26 dst-port=51056 \
    protocol=tcp to-addresses=10.10.10.232 to-ports=4443
add action=dst-nat chain=dstnat dst-address=192.168.100.26 dst-port=1190 \
    protocol=udp to-addresses=10.10.10.251 to-ports=1190
add action=dst-nat chain=dstnat comment="PTCL VPN" dst-address=192.168.15.26 \
    dst-port=5876 protocol=udp to-addresses=10.10.10.251 to-ports=1190
add action=dst-nat chain=dstnat dst-address=192.168.100.26 dst-port=51023 \
    protocol=tcp to-addresses=10.10.10.225 to-ports=4431
add action=dst-nat chain=dstnat comment="smtp inbound" dst-address=\
    192.168.100.26 dst-port=25 protocol=tcp to-addresses=10.10.101.62 \
    to-ports=25
add action=dst-nat chain=dstnat comment="smtp inbound" dst-address=\
    192.168.100.26 dst-port=80 protocol=tcp to-addresses=10.10.101.62 \
    to-ports=25
add action=dst-nat chain=dstnat comment="smtp submission" dst-address=\
    192.168.100.26 dst-port=587 protocol=tcp to-addresses=10.10.101.62 \
    to-ports=587
add action=dst-nat chain=dstnat comment=smtps dst-address=192.168.100.26 \
    dst-port=465 protocol=tcp to-addresses=10.10.101.62 to-ports=65
add action=dst-nat chain=dstnat comment=imap dst-address=192.168.100.26 \
    dst-port=143 protocol=tcp to-addresses=10.10.101.62 to-ports=143
add action=dst-nat chain=dstnat comment=imaps dst-address=192.168.100.26 \
    dst-port=993 protocol=tcp to-addresses=10.10.101.62 to-ports=993
add action=dst-nat chain=dstnat comment=pop3 disabled=yes dst-address=\
    192.168.15.26 dst-port=995 protocol=tcp to-addresses=10.10.101.62 \
    to-ports=995
add action=dst-nat chain=dstnat comment="smtp 995" disabled=yes dst-address=\
    192.168.100.26 dst-port=995 protocol=tcp to-addresses=10.10.20.165 \
    to-ports=995
/ip ipsec profile
set [ find default=yes ] dh-group="x25519,ecp256,ecp384,ecp521,modp8192,modp61\
    44,modp4096,modp3072,modp2048,modp1536,modp1024,modp768" dpd-interval=2m \
    dpd-maximum-failures=5 enc-algorithm=aes-256,aes-192,aes-128,3des
/ip route
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    192.168.100.1 routing-table=to_strom scope=30 suppress-hw-offload=no \
    target-scope=10
add check-gateway=ping disabled=no dst-address=0.0.0.0/0 gateway=192.168.17.1 \
    routing-table=to_naya
add check-gateway=ping disabled=no dst-address=0.0.0.0/0 gateway=192.168.15.1 \
    routing-table=to_ptcl
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    192.168.100.1 routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add check-gateway=ping disabled=no distance=2 dst-address=0.0.0.0/0 gateway=\
    192.168.17.1 pref-src="" routing-table=main scope=30 suppress-hw-offload=\
    no target-scope=10
add check-gateway=ping disabled=no distance=3 dst-address=0.0.0.0/0 gateway=\
    192.168.15.1 routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add disabled=no dst-address=10.10.21.0/24 gateway=10.10.10.252 routing-table=\
    main suppress-hw-offload=no
add disabled=no dst-address=10.10.11.0/24 gateway=10.10.10.252 routing-table=\
    main suppress-hw-offload=no
add disabled=no dst-address=192.168.18.0/24 gateway=10.10.10.252 \
    routing-table=main suppress-hw-offload=no
add disabled=no distance=1 dst-address=10.10.12.0/24 gateway=10.10.10.252 \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=192.168.99.0/24 gateway=10.10.10.251 \
    routing-table=main suppress-hw-offload=no
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.101.1 \
    routing-table=to-storm-camera scope=30 suppress-hw-offload=no \
    target-scope=10
add check-gateway=ping disabled=no distance=4 dst-address=0.0.0.0/0 gateway=\
    192.168.101.1 routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip traffic-flow
set active-flow-timeout=1m cache-entries=32M enabled=yes
/ip traffic-flow target
add dst-address=10.10.10.98 port=600 src-address=10.10.10.1 version=ipfix
add disabled=yes dst-address=10.10.40.103 src-address=10.10.10.1 \
    v9-template-timeout=30s
add disabled=yes dst-address=10.10.40.22 port=9996
add dst-address=10.10.10.98 port=600 src-address=10.10.10.1 version=ipfix
add disabled=yes dst-address=10.10.40.22 port=9996
add dst-address=10.10.101.152 port=9996 src-address=10.10.10.1
/ipv6 nd
set [ find default=yes ] advertise-dns=no
/ppp secret
add name=zain profile=default-encryption service=ovpn
/routing bfd configuration
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5
/routing rule
add action=lookup-only-in-table disabled=no dst-address=192.168.1.0/24 table=\
    main
add action=lookup-only-in-table disabled=no dst-address=10.10.10.0/18 \
    src-address="" table=main
add action=lookup-only-in-table disabled=no dst-address=10.10.101.0/24 table=\
    main
/snmp
set contact=HO enabled=yes
/system clock
set time-zone-name=Asia/Karachi
/system logging
set 0 action=remote disabled=yes
add action=remote disabled=yes prefix=traffic topics=firewall
add action=remote disabled=yes prefix=traffic topics=firewall
/system note
set show-at-login=no
/system resource irq rps
set *6 disabled=yes
set *7 disabled=yes
set *8 disabled=yes
set *9 disabled=yes
/system routerboard settings
set enter-setup-on=delete-key
/tool graphing interface
add

Traffic is coming in, so MikroTik takes it as source traffic and uses WAN1 as default.

Regarding VRF, I have 2 WANs, one is for my personal use and one for business use.

So what I did is I created a dedicated VLAN for my business devices:

/interface vlan
add interface=bridge name=VLAN10 vlan-id=10

Assigned an IP address to the new VLAN interface:

/ip address
add address=172.16.10.1/24 comment=VLAN10 interface=VLAN10 network=\
    172.16.10.0

Created a DHCP server to hand out IP addresses:

/ip dhcp-server
add address-pool=dhcp_pool1 interface=VLAN10 lease-time=1d name=dhcp1
/ip pool
add name=dhcp_pool1 ranges=172.16.10.2-172.16.10.254

Then create a new VRF entry and add the interfaces you want to be a part of that VRF list; in my case ether5 is used for WAN2 and VLAN10 is used for my business devices:

/ip vrf
add interfaces=ether5,VLAN10 name=VRF10

After that I created a DHCP client:

/ip dhcp-client
add default-route-tables=VRF10 interface=ether5 name=client2

Be sure to add your interface that’s used for WAN4 to appropriate interface list. (I used default WAN list so I didn’t need to make any changes to firewall and masq. rules.)

Also add your VLAN interface to appropriate interface list.

After that you should check your routes, it should look like this:

[admin@MikroTik] > ip route p
Flags: D - DYNAMIC; A - ACTIVE; c - CONNECT, d - DHCP
Columns: DST-ADDRESS, GATEWAY, ROUTING-TABLE, DISTANCE
    DST-ADDRESS       GATEWAY              ROUTING-TABLE  DISTANCE
DAd 0.0.0.0/0         192.168.200.100      main                  1
DAc 172.16.20.0/24    VLAN20               main                  0
DAc 192.168.200.0/24  ether1               main                  0
DAd 0.0.0.0/0         192.168.188.1@VRF10  VRF10                 1
DAc 172.16.10.0/24    VLAN10@VRF10         VRF10                 0
DAc 192.168.188.0/28  ether5@VRF10         VRF10                 0

I’m fairly new to the VRF so if I made any error someone will correct me.

But in this case all the traffic from/to the cameras enters/exits the router through the same interface, doesn't it?

I.e. a routing rule set like

/routing rule 
add min-prefix=0 action=lookup-only-in-table  table=main comment="Allows local traffic"
add interface=ether<x> action=lookup-only-in-table table=<cameras>

might be enough.
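
For comparison, the mangle-marking approach mentioned earlier in the thread, written against the posted export; this is an added example, not configuration from any poster. The interface, list, mark and table names (ether6, Ethernet, storm_camera, to-storm-camera) are taken from the export. It is an assumption that the NVR sits inside 10.10.0.0/18, which is the case where the export's forward drop rule on ether6 would also discard the NVR's replies.

```routeros
# Added example, not part of the original thread.
# Relies on a rule that is already present and enabled in the export:
#   mark-connection, chain=prerouting, in-interface=ether6,
#   connection-mark=no-mark, new-connection-mark=storm_camera
# Every connection opened from the WAN4 side therefore carries storm_camera.

/ip firewall mangle
# Replies from the NVR arrive on a LAN interface and belong to a marked
# connection. Without a routing mark they fall through to table main and
# leave via the distance=1 default route (ether1), hence the asymmetry.
add action=mark-routing chain=prerouting comment="storm_camera routing mark" \
    connection-mark=storm_camera in-interface-list=Ethernet \
    new-routing-mark=to-storm-camera passthrough=no
# Same treatment for replies generated by the router itself on ether6.
add action=mark-routing chain=output comment="storm_camera output mark" \
    connection-mark=storm_camera new-routing-mark=to-storm-camera \
    passthrough=no

/ip firewall filter
# The export drops all traffic from 10.10.0.0/18 leaving ether6, which keeps
# LAN users off WAN4. Narrow it so packets of camera-initiated connections
# are exempt; LAN-initiated connections never carry this mark and stay blocked.
set [find chain=forward action=drop out-interface=ether6] \
    connection-mark=!storm_camera

# Checks to run after a camera has connected:
# 1) the connection carries the mark
/ip firewall connection print where connection-mark=storm_camera
# 2) the new mangle rules are counting packets
/ip firewall mangle print stats where comment~"storm_camera"
# 3) the dedicated table has an active default route via 192.168.101.1
/ip route print where routing-table=to-storm-camera
```

The PCC rules in the export match only `connection-mark=no-mark`, so they never re-mark a camera connection, and none of the address-list marking rules cover the camera source addresses.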

Thanks, it works.