Policy base routing with two ISPs for junk traffic

Hi all, I have a home network with two ISPs, VDSL and WiFi, for two LANs. I used both networks in such a way that I marked all traffic and sent it out via one of the ISPs, and in case of an outage each one backed up the other. This had some ugly consequences for me:

  • Routing was missing something: the MikroTik couldn’t reach the Internet for updates because the traffic wasn’t originating from the LAN interface and wasn’t marked.
  • When I added a default route without marking, one of the LANs lost Internet connectivity.
  • I couldn’t ping the router from the LAN.
  • When I overutilized either of the two links, my “ip sla” script started to shut down the routes to both ISPs one by one, again and again and again.

Now I want to take a different approach. VDSL will be primary, WiFi will be backup. For junk traffic (like torrents, smart TV etc.) I’ll use WiFi; this will have no backup. I found out that separating torrents will be a pain in the butt, so I’m leaving this for later. Right now I want to have the whole Main LAN on VDSL and mark unnecessary clients (IP addresses) to go via WiFi. At the same time I want my MikroTik router and access points to reach the Internet and download updates.

So, what I understood from the MikroTik Wiki is that when traffic reaches the router, it will check the routing table. If it doesn’t find a route in the marked routing table, it will use the default table. I tried to set up the whole thing according to this, but it doesn’t work. I created three default routes: a VDSL default route with distance 1, a WiFi default route with distance 10. Switching to backup is done by a script. Up to this point everything works perfectly.
I mark one PC, 10.0.0.191, with mark JUNKPC; once I added a default route for marked traffic with mark JUNKPC, the LAN lost connectivity to the Internet completely.

Can anyone review my config below and point out what I’m doing wrong?

/interface bridge
add admin-mac=XX:XX:XX:XX:XX:XX auto-mac=no comment=defconf fast-forward=no name=bridge
/interface ethernet
set [ find default-name=ether1 ] name=ether1-ISP1 speed=100Mbps
set [ find default-name=ether2 ] name=ether2-master-LAN1 speed=100Mbps
set [ find default-name=ether3 ] name=ether3-LAN2 speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] name=ether5-ISP2 speed=100Mbps
set [ find default-name=ether6 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=ether6-master
set [ find default-name=ether7 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether8 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=ether8-LAN1
set [ find default-name=ether9 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether10 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=ether10-LAN1
/ip pool
add name=dhcp ranges=10.0.0.1-10.0.0.254
/ip dhcp-server
add address-pool=dhcp authoritative=after-2sec-delay disabled=no interface=bridge lease-time=23h59m name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2-master-LAN1
add bridge=bridge comment=defconf interface=ether6-master
add bridge=bridge interface=ether3-LAN2
add bridge=bridge interface=ether4
add bridge=bridge interface=ether7
add bridge=bridge interface=ether8-LAN1
add bridge=bridge interface=ether9
add bridge=bridge interface=ether10-LAN1
/interface list member
add interface=ether2-master-LAN1 list=discover
add interface=ether3-LAN2 list=discover
add interface=ether4 list=discover
add interface=ether5-ISP2 list=discover
add interface=ether6-master list=discover
add interface=ether7 list=discover
add interface=ether8-LAN1 list=discover
add interface=ether9 list=discover
add interface=ether10-LAN1 list=discover
add interface=bridge list=discover
add interface=bridge list=mactel
add interface=bridge list=mac-winbox
/ip address
add address=10.0.0.254/24 comment="LAN subnet" interface=bridge network=10.0.0.0
add address=192.168.1.2/29 comment=ISP1 interface=ether1-ISP1 network=192.168.1.0
add address=192.168.0.2/24 comment=ISP2 interface=ether5-ISP2 network=192.168.0.0
/ip dhcp-server network
add address=10.0.0.0/24 comment=defconf gateway=10.0.0.254
/ip firewall filter
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=input comment="defconf: drop all from WAN" in-interface=ether1-ISP1
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface=ether1-ISP1
/ip firewall mangle
add action=mark-routing chain=prerouting new-routing-mark=JUNKPC passthrough=yes src-address=10.0.0.191
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface=ether1-ISP1
add action=masquerade chain=srcnat out-interface=ether5-ISP2
add action=masquerade chain=srcnat src-address=10.0.0.0/24
/ip route
add distance=1 gateway=ether5-ISP2 routing-mark=JUNKPC
add comment=ISP1 distance=1 gateway=192.168.1.1
add comment=ISP2 distance=10 gateway=192.168.0.1

Try gateway=192.168.0.1 instead of gateway=ether5-ISP2. Using an interface as the gateway is not meant for Ethernet.

I can see no explanation for the behaviour you describe in the part of the configuration you have posted. The only mangle rule assigning the routing-mark checks that single src-address. So I could imagine the connections from 10.0.0.191 becoming unbearably slow, as you didn’t exclude them from fasttracking (so only every Nth packet of each connection initiated by 10.0.0.191 takes the same WAN as the initial packet; the rest is fasttracked and so takes the default route), but I can see no reason why connections from other hosts in the LAN should lose connectivity.

If you need fasttracking and it is enough for you to choose the WAN based on src-address alone, you can assign the routing-mark (choose the routing table) using /ip route rule rows rather than mangle rules, as /ip route rule rows don’t collide with fasttracking. But again, this has nothing to do with the fact that you lose internet access for all LAN devices when you add or enable the default route with the routing-mark.

YOU BOTH WERE RIGHT!

When I identified the gateway by IP address my rule started to work and the router was able to check for packages online. Thanks Sob. Right after I enabled it, the connection to the internet was very slow. So I disabled fasttrack and everything started to work like a charm. Thanks for spotting the issue before I even got to it, sindy. You saved me more worries :)

That simply doesn’t make sense. Unless you’ve censored out some rules from the configuration you’ve posted, the router’s own output packets should never have used that broken route, so the fact that it was broken should have had no effect on the router’s ability to connect anywhere.


Again, was it the connection to the internet from 10.0.0.191 or from any LAN host? If from any LAN host, something is broken in the assignment of the routing-mark. And disabling fasttrack completely, and not only for connections which use a routing-mark in the upload direction (which is a more complex task than it seems, because the /ip firewall filter rule with action=fasttrack-connection normally matches packets in either direction, not only LAN->WAN but also WAN->LAN), may not be the best approach if your router’s CPU power doesn’t match the bandwidth of your internet uplink.
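The fragment below is an added example, not the original poster's configuration and not something Sob or sindy posted. It puts the two suggestions from the replies above into one RouterOS v6 config: the backup gateway is given as an IP address rather than an Ethernet interface, the per-host policy is done with /ip route rule rows instead of a mangle routing-mark, and fasttracking stays enabled but skips the policy-routed connections in both directions by keying on a connection mark. The addresses 10.0.0.191, 10.0.0.0/24, 192.168.1.1 and 192.168.0.1 are taken from the posted config; the table name JUNK and the connection mark name junk-conn are assumed names chosen for the example.

```routeros
# Added example (not the poster's config): src-address policy routing via
# /ip route rule, gateways by IP, fasttrack kept but excluded for junk host.
# Assumed names: routing table JUNK, connection mark junk-conn.

/ip route
# Main table: VDSL primary (distance 1), WiFi backup (distance 10).
add comment=ISP1 distance=1 gateway=192.168.1.1
add comment=ISP2 distance=10 gateway=192.168.0.1
# Table JUNK: WiFi only, no backup. Gateway is an IP address, not ether5-ISP2.
add comment="junk via ISP2" distance=1 gateway=192.168.0.1 routing-mark=JUNK

/ip route rule
# Junk host talking to the LAN (incl. the router at 10.0.0.254) stays in the
# main table, where the connected route for 10.0.0.0/24 lives.
add src-address=10.0.0.191/32 dst-address=10.0.0.0/24 action=lookup-only-in-table table=main
# Everything else from the junk host is looked up only in JUNK; if ISP2 is
# down there is deliberately no fallback to main.
add src-address=10.0.0.191/32 action=lookup-only-in-table table=JUNK

/ip firewall mangle
# Mark the connection (not the packet) on its first packet. Reply packets from
# WAN to 10.0.0.191 carry the same connection mark, so one matcher covers both
# directions in the filter rule below.
add chain=prerouting connection-state=new src-address=10.0.0.191 action=mark-connection new-connection-mark=junk-conn passthrough=no

/ip firewall filter
# fasttrack every established/related connection EXCEPT the policy-routed ones,
# so their packets keep passing the slow path and are routed by the rules above.
add chain=forward connection-state=established,related connection-mark=!junk-conn action=fasttrack-connection comment="fasttrack except junk"
add chain=forward connection-state=established,related action=accept comment="accept established,related"
```

The route rules are evaluated before the routing lookup and do not depend on mangle at all, so the router's own output (updates, package checks) and the rest of the LAN still use the main table; only connections from 10.0.0.191 are affected. Keep the fasttrack rule above the plain accept rule, as in the default config, or it never matches. To confirm the policy is being applied, check `/ip route rule print` and `/ip firewall connection print where connection-mark=junk-conn`: connections from the junk host should show up with the mark and without the fasttrack flag.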

Yep, I also don’t see how the whole LAN or the router’s own output could be affected, when the route clearly applied to only a single source address. The “trick” I sometimes use is ignoring what seems to be an oversight, and it has good results. :)

Maybe I wasn’t very clear about which issue is current and which was with the previous config. In the old config, which I mentioned, I used a /24 subnet for DHCP. This I divided by firewall mark rules into two /25 subnets and marked ISP1 and ISP2. It worked somehow, but as I now suspect, since I didn’t have fasttrack disabled, once I tried to verify the package from the router directly, something didn’t work, as the router itself is part of the /24 DHCP pool. Anyway, today I have Internet connectivity loss from host 10.0.0.191 only (the marked client). As I wrote, after the gateway change, routing started to work for this client. And after disabling fasttrack and rebooting the router, the slowness was gone.

The router’s own incoming or outgoing connections cannot be fasttracked, so it must have been something else.