Multi ISP port forwarding

chaota · January 26, 2026, 10:33am

Hi, kind people.

I did everything i could myself but can’t fix this.

When i forward port 443 on one isp, it works.
When i setup same forward on second isp it does not work, until fist isp is down.
And again for first isp rule to work, second isp must be disabled.

I have RB5009UPr+S+IN, with 3 ISPs, configured as 3 interfaces:
pppoe-laito
pppoe-Tmobile
DHCP

I want to use them simultaneously, so distance in main routing table is set to 10, 20 and 30 in case of failure,
but i do have separate routing tables set up for each and mangle rules to tag and preroute.

It works, connection going through one ISP gets tagged and keep using it until ISP connection is severed.

```routeros
[admin@MikroTik] > /routing table printFlags: D - dynamic; X - disabled, I - invalid; U - used0 D   name="main" fib1     name="rtab-DHCP" fib2     name="rtab-Laito" fib3     name="rtab-Tmobile" fib

[admin@MikroTik] > /ip firewall mangle printFlags: X - disabled, I - invalid; D - dynamic0    chain=prerouting action=mark-connection new-connection-mark=mrk-Laito passthrough=yes connection-state="" connection-mark=no-mark in-interface=pppoe-laito log=no log-prefix=""

1    chain=prerouting action=mark-connection new-connection-mark=mrk-Tmobile passthrough=yes connection-state=new connection-mark=no-mark in-interface=pppoe-Tmobile log=no log-prefix=""

2    chain=prerouting action=mark-connection new-connection-mark=mrk-DHCP passthrough=yes connection-state="" connection-mark=no-mark in-interface=ether1 log=no log-prefix=""

3    chain=output action=mark-routing new-routing-mark=rtab-Tmobile passthrough=yes connection-mark=mrk-Tmobile log=no log-prefix=""

4    chain=output action=mark-routing new-routing-mark=rtab-Laito passthrough=yes connection-mark=mrk-Laito log=no log-prefix=""

5    chain=output action=mark-routing new-routing-mark=rtab-DHCP passthrough=yes connection-mark=mrk-DHCP log=no log-prefix=""

[admin@MikroTik] > /ip firewall nat print where action=dst-nat3    ;;; PLEXchain=dstnat action=dst-nat to-addresses=10.1.2.52 to-ports=32400 protocol=tcp in-interface=pppoe-laito dst-port=32400 log=no log-prefix=""

4    ;;; PLEXchain=dstnat action=dst-nat to-addresses=10.1.2.52 to-ports=32400 protocol=tcp in-interface=pppoe-Tmobile dst-port=32400 log=no log-prefix=""
```

Can You please nudge me in a good direction?

CGGXANNX · January 26, 2026, 10:43am

This is the problem (which appears on two of your rules)! Please note that this only matches if the connection-state is an empty string, which is never the case, your two mark-connection rules will never match and never trigger.

Edit them and set connection-state=new as it should be.

anav · January 26, 2026, 11:47am

Can you clarify the intent please.
From what I understand is that you have three WANs/

However you want to use them simultaneously which indicates to me you want to do some sort of load balancing but then state you want to separate them by distance??

Is the requirement more like, you want pppoe laito to be the primary used for all users, pppoe Tmobile to be the first backup and only use DHCP when the other two are not available OR SOMETHING ELSE?

OR,
You want users to be able to share all three connections all the time??

+++++++++++++++++++++++++++++++++++++++++++++++++

Note the above is completely separate from any requirements accessing the router through the WANs using router services like wireguard or port forwarding.

It seems like you have a server on port 433 somewhere on your LAN??
Have you considered VPN to your router then access LAN devices?? Much better (more secure) than port forwarding to a LAN server.

chaota · January 26, 2026, 12:10pm

Hey, thanks for reply.

So missing connection-state will not trigger on connection-mark=no-mark?

As i understood : if connection is not marked, it is marked and then this rule no longer apply to save compute. Actually it would be nice not to have to reset all connections each time i make a change.

As for distance. main routing table is only used if dedicated one does not work.
This is why i have failover there 10 20 30.
I do have load balance but i found it not consequential to the issue i’m having.

It’s a safety net. Normally new connection gets tagged and use dedicated routing table with one ISP only.

My goal is to have two internet facing 443, 80 ports.

I do have SSTP VPN set up, but i also do serve internet facing things.
Some tings like links or hassio instance for people in my home.

setting them up with permanent VPN seem excessive

lurker888 · January 26, 2026, 12:23pm

Connection-state and connection-mark are separate properties. Connection-state is always exactly one of new, established, related, untracked.

When you specify connection-state=A,B, it matches A or B. If you specify connection-state="", it matches no packet, ever.

It is however a common theme to use connection-mark=no-mark with new-connection-mark=whatever in prerouting in order to only assign a mark to things that were previously unmarked. This sort of marking only really applies to connection-state=new packets, so this may be optionally specified.

chaota · January 26, 2026, 12:32pm

I’d like to thank everyone for looking a it.
Setting connection-state=new solved my problem