Hi, i have a mikrotik setup using dual wan. I have setup PPPoE and i want to control each client base on IP on which ISP they will use. I want half of the PPPoE will go to ISP1 and the other half will go ISP2.

MikroTik RouterOS 7.20 (c) 1999-2025 https://www.mikrotik.com/

/interface bridge
add name=bridge-PPPoE
add name=bridge-lan
/interface ethernet
set [ find default-name=ether1 ] name=ISP1-ETH1
set [ find default-name=ether2 ] name=ISP2-ETH2
set [ find default-name=ether3 ] name=LAN-ETH3
set [ find default-name=ether5 ] name=PPPoE-ETH5
/interface list
add name=WAN-LIST
/ip pool
add name=pool-LAN ranges=192.168.0.10-192.168.0.254
add name=pool-pppoe ranges=192.168.2.10-192.168.2.254
add name=dhcp_pool2 ranges=192.168.0.2-192.168.0.254
add name=dhcp_pool3 ranges=192.168.2.2-192.168.2.254
/ip dhcp-server
add address-pool=dhcp_pool2 interface=bridge-lan lease-time=1d30m name=dhcp1
add address-pool=dhcp_pool3 interface=bridge-PPPoE lease-time=1d30m name=dhcp2
/ppp profile
add local-address=192.168.2.1 name=PowerHouse rate-limit=15M/15M remote-address=pool-pppoe
/queue type
add kind=fq-codel name=FQ-CODEL
/queue simple
add max-limit=15M/50M name=FQ-CODEL priority=4/4 queue=FQ-CODEL/FQ-CODEL target=bridge-lan
/queue tree
add limit-at=150M max-limit=150M name=DownTotal parent=global priority=1 queue=pcq-download-default
add limit-at=25M max-limit=25M name=UpTotal parent=global priority=1 queue=pcq-upload-default
add max-limit=150M name=ICMP_Down packet-mark=ICMP_Down parent=DownTotal priority=1 queue=default
add max-limit=25M name=ICMP_Up packet-mark=ICMP_Up parent=UpTotal priority=1 queue=default
add max-limit=100M name=DNS_Down packet-mark=DNS_Down parent=DownTotal priority=2 queue=default
add max-limit=25M name=DNS_Up packet-mark=DNS_Up parent=UpTotal priority=2 queue=default
add limit-at=150M max-limit=150M name=Web_Down packet-mark=Web_Down parent=DownTotal priority=3 queue=default
add max-limit=25M name=Web_Up packet-mark=Web_Up parent=UpTotal priority=3 queue=default
/routing table
add disabled=no fib name=to_ISP1
add disabled=no fib name=to_ISP2
/interface bridge port
add bridge=bridge-lan interface=LAN-ETH3
add bridge=bridge-PPPoE interface=PPPoE-ETH5
/interface list member
add interface=ISP1-ETH1 list=WAN-LIST
add interface=ISP2-ETH2 list=WAN-LIST
/interface pppoe-server server

Service is on a slave interface

add disabled=no interface=PPPoE-ETH5 service-name=PowerHouse1
/ip address
add address=192.168.0.1/24 interface=bridge-lan network=192.168.0.0
add address=192.168.2.1/24 interface=bridge-PPPoE network=192.168.2.0
/ip dhcp-client
add add-default-route=no interface=ISP1-ETH1 use-peer-dns=no use-peer-ntp=no
add add-default-route=no interface=ISP2-ETH2 use-peer-dns=no use-peer-ntp=no
/ip dhcp-server network
add address=192.168.0.0/24 gateway=192.168.0.1 netmask=24
add address=192.168.2.0/24 gateway=192.168.2.1 netmask=24
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip firewall address-list
add address=192.168.1.0/24 list=Wan_List
add address=192.168.254.0/24 list=Wan_List
add address=192.168.0.0/24 list=Lan_List
add address=192.168.2.0/24 list=PPPoE_List
/ip firewall filter
add action=drop chain=output disabled=yes dst-address=8.8.8.8
/ip firewall mangle
add action=accept chain=prerouting comment="No Balance Traffic traffic entry on LAN" dst-address-list=Lan_List src-address-list=Lan_List
add action=accept chain=prerouting comment="Access to ISP Routers" dst-address-list=Wan_List
add action=mark-connection chain=input comment=Input in-interface=ISP1-ETH1 new-connection-mark=ISP1_Conn
add action=mark-connection chain=input in-interface=ISP2-ETH2 new-connection-mark=ISP2_Conn
add action=mark-connection chain=prerouting comment="Connection Mark for ISP1" connection-mark=no-mark in-interface=ISP1-ETH1 new-connection-mark=ISP1_Conn
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=ISP2-ETH2 new-connection-mark=ISP2_Conn
add action=mark-routing chain=output comment=Output connection-mark=ISP1_Conn new-routing-mark=to_ISP1 passthrough=no
add action=mark-routing chain=output connection-mark=ISP2_Conn new-routing-mark=to_ISP2 passthrough=no
add action=mark-connection chain=prerouting comment=Pcc connection-mark=no-mark dst-address-type=!local in-interface=bridge-lan new-connection-mark=ISP1_Conn
per-connection-classifier=both-addresses-and-ports:2/0
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface=bridge-lan new-connection-mark=ISP2_Conn
per-connection-classifier=both-addresses-and-ports:2/1
add action=mark-routing chain=prerouting comment="Routing Mark" connection-mark=ISP1_Conn in-interface=bridge-lan new-routing-mark=to_ISP1 passthrough=no
add action=mark-routing chain=prerouting connection-mark=ISP2_Conn in-interface=bridge-lan new-routing-mark=to_ISP2 passthrough=no
add action=mark-connection chain=prerouting comment=QOS-ICMP new-connection-mark=ICMP_Con protocol=icmp
add action=mark-packet chain=prerouting connection-mark=ICMP_Con in-interface=bridge-lan new-packet-mark=ICMP_Up passthrough=no
add action=mark-packet chain=prerouting connection-mark=ICMP_Con in-interface=ISP1-ETH1 new-packet-mark=ICMP_Down passthrough=no
add action=mark-packet chain=prerouting connection-mark=ICMP_Con in-interface=ISP2-ETH2 new-packet-mark=ICMP_Down passthrough=no
add action=mark-connection chain=prerouting comment="WEB(Http + Https)" dst-port=80,443 new-connection-mark=Web_Conn protocol=tcp
add action=mark-connection chain=prerouting dst-port=80,443 new-connection-mark=Web_Conn protocol=udp
add action=mark-packet chain=prerouting connection-mark=Web_Conn in-interface=bridge-lan new-packet-mark=Web_Up passthrough=no
add action=mark-packet chain=prerouting connection-mark=Web_Conn in-interface-list=WAN-LIST new-packet-mark=Web_Down passthrough=no
add action=mark-connection chain=prerouting comment=DNS dst-port=53 new-connection-mark=DNS_Conn protocol=tcp
add action=mark-connection chain=prerouting dst-port=53 new-connection-mark=DNS_Conn protocol=udp
add action=mark-packet chain=prerouting connection-mark=DNS_Conn in-interface=bridge-lan new-packet-mark=DNS_Up passthrough=no
add action=mark-packet chain=prerouting connection-mark=DNS_Conn in-interface-list=WAN-LIST new-packet-mark=DNS_Down passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ISP1-ETH1
add action=masquerade chain=srcnat out-interface=ISP2-ETH2
/ip route
add check-gateway=ping comment="Recursive Route ISP1" disabled=no dst-address=8.8.8.8/32 gateway=192.168.1.1 routing-table=main scope=10 suppress-hw-offload=no
target-scope=10
add comment="Recursive Route ISP2" disabled=no distance=1 dst-address=1.0.0.1/32 gateway=192.168.254.254 routing-table=main scope=10 suppress-hw-offload=no
target-scope=10
add check-gateway=ping comment="Main Route ISP1" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=8.8.8.8 routing-table=main scope=30 suppress-hw-offload=no
target-scope=11
add check-gateway=ping comment="Main Route Isp2" disabled=no distance=2 dst-address=0.0.0.0/0 gateway=1.0.0.1 routing-table=main scope=30 suppress-hw-offload=no
target-scope=11
add check-gateway=ping comment="Route to ISP1" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=8.8.8.8 routing-table=to_ISP1 suppress-hw-offload=no
target-scope=11
add check-gateway=ping comment="Back Up Route ISP1" disabled=no distance=2 dst-address=0.0.0.0/0 gateway=1.0.0.1 routing-table=to_ISP1 suppress-hw-offload=no
target-scope=11
add check-gateway=ping comment="Route to ISP2" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=1.0.0.1 routing-table=to_ISP2 suppress-hw-offload=no
target-scope=11
add check-gateway=ping comment="Backp Up Route ISP2" disabled=no distance=2 dst-address=0.0.0.0/0 gateway=8.8.8.8 routing-table=to_ISP2 suppress-hw-offload=no
target-scope=11
/ppp aaa
set enable-ipv6-accounting=yes use-radius=yes
/ppp secret
add name=pppoe1 profile=PowerHouse
add name=pppoe2 profile=PowerHouse
add name=pppoe3 profile=PowerHouse

Not so simple my friend!
I think I follow but to be clear,
THe users are on the LAN.
So the requirement is 1/2 of the users ONLY go to WAN1 and the other half to WAN2
OR
The requirement is that most of the time, 50% of the user are using WAN1 and the other 50% roughly are using WAN2. This is called load balancing.

Once its clear a config approach can be adopted.
Further requirements, if any, need to be made clear.
Do you have any external users going to servers on the LAN and if so which WAN do they come in on, and do you want them entering the router over the public IP (port forwarding) or more securely within a VPN.
Do you have any external users ( usually the admin, need access to the router directly for remote configuration purpose (aka vlan))
+++++++++++++++++++++++++++++++++++

Then we have to cover the requirements for failover. What happens if WAN1 ISP or WAN2 ISP fail, do you want users to switch over or not etc..... This assumes its two different ISP providers, otherwise, its a moot point.

Finally, are all these users on one subnet, two subnets etc............. Can you split them into subnets if it makes life much easier in terms of a config.

What Router??

I dont have any external users that would enter the router and configure. All my users are LAN. I just want to divide my traffic to make use of the 2 ISP trying to resolve bottleneck and buffer bloat. I use router RB5009UG+S+IN and on my home lab the Mikrotik HAP

Easiest approach, assuming similar enough WAN throughputs, is to use ECMP load balancing.
Just ensure both WANS have a distance of 1, and thats it. The users should be fairly distributed between both WAN connections.

Note: This is valid for Vers 7 firmware.

1. There are many approaches to setting up your LAN, however the one you chose would be my least favourite
   Since its clear you only have two LAN ports in use, the options are
   A. DO NOT USE ANY BRIDGE OR JUST USE SINGLE BRIDGE and thus EITHER
   (i) Bridge gets IP, Ether5 gets IP
   (ii) Ether3 gets IP, Ether5 gets IP.
   B. Use vlans and one bridge.

I prefer B always, but for your case we will do another standard approach, keep bridge-lan and remove bridge-pppoe

What I would not do is use two bridges.

2. I find your setup very confusing. You have two subnets, so why are there four POOLs?? You should only have two pools. On top of that your pools within the same subnet overlap which is also confusing,,

3. Since you want equal use of the the WANS, what is the purpose of then adding some limiting by queueing to one of the subnets??? With two wan connections, what is the concern???

4. Also now, not clear on the purpose of Ether5, I thought the ISPs were two PPPOE connection on ether1 and ether2 and that you naming eth5 pppoe was to simply delineate that it was suppose to go out a specific WAN ??

5. For the dhcp-server network settings, if you manually added netmask=24, please remove its not necessary as the router will add the correct mask automatically.

6. You are missing all the firewall rules ...........bad, and should thus not be connected to the internet.

7. At this stage you can remove all your mangles and all your tables and all your routes and replace with only routes
   NOTE: Do not use the same canary DNS addresses for recursive routing, as you use for DNS for the users.

/ip route
add check-gateway=ping comment="Main Route ISP1"  dst-address=0.0.0.0/0 \
    gateway=1.1.1.1 routing-table=main scope=10 target-scope=12
add check-gateway=ping comment="Main Route Isp2"  dst-address=0.0.0.0/0 \
    gateway=9.9.9.9 routing-table=main scope=10 target-scope=12
add comment="Recursive Route ISP1" dst-address=1.1.1.1/32 \
    gateway=192.168.1.1 routing-table=main scope=10 target-scope=11
add comment="Recursive Route ISP2" dst-address=9.9.9.9/32 \
    gateway=192.168.254.254 routing-table=main scope=10 target-scope=11

8. Okay I understand your ethe5 now its ppp that your sharing a connection to a bunch of others through ether5......... If that is so, why does it appear you are applying limits to the home part of the LAN??

The plain fact is that with queuing enabled, you cannot make use of fastrack on the forward chain ( rule that is currently missing ), and thus slowing down regular processing of traffic.
My suggest is to ditch queuing for now and try with proper firewall rules in place.
If the flow is unsatisfactory then introduce queuing once you have determined the source of issues.

/ip firewall address-list
add address=192.168.0.X  list=Authorized  comment="admin wired on home lan"
add address=192.168.0.Y list=Authorized comment="admin wifi on home lan"
/ip firewall filter
{ default rules to keep }
add action=accept chain=input  connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input dst-address=127.0.0.1
{ admin rules
add action=accept chain=input comment="admin access only"  in-interface-list=TRUSTED
   src-address-list=Authorized
add action=drop chain=input comment="drop all else"
+++++++++++++++++++++++++++++++++++++++++++++
{ default rules to keep }
add action=fasttrack-connection chain=forward connection-state=established,related 
add action=accept chain=forward  connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN \
    out-interface-list=WAN
add action=accept chain=forward comment="admin access"  in-interface-list=TRUSTED \
    src-address-list=Authorized  out-interface-list=LAN
add action=drop chain=forward comment="drop all else"

To complete..........

/interface list
add name=WAN
add name=LAN
add name=TRUSTED
/interface list member
add interface=ISP1-ETH1 list=WAN
add interface=ISP2-ETH2 list=WAN
add interface=bridge-lan list=LAN
add interface=PPPoE-ETH5 list=LAN
add interface=bridge-lan list=TRUSTED

/ip neighbor discovery-settings
set discover-interface-list=TRUSTED

/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=TRUSTED