Problem with Routing Rules on RB5009 ROS 7.19.6

Why does traffic from 192.168.48.20/32 not go through ISP1 on my RB5009 ROS 7.19.6?

The routing rule doesn't work:

```
add action=lookup comment=PC1 disabled=no src-address=192.168.48.20/32 table=ISP1
```

My configuration:

```
/interface bridge
add name=bridge vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment=ISP1 name=wan1
set [ find default-name=sfp-sfpplus1 ] comment=ISP2 name=wan2

/interface vlan
add arp=reply-only interface=bridge name=camera-vlan vlan-id=40
add arp=reply-only interface=bridge name=guest-vlan vlan-id=30
add interface=bridge name=mgmt-vlan vlan-id=10
add arp=reply-only interface=bridge name=work-vlan vlan-id=20

/interface list
add name=WAN
add name=LAN

/ip dhcp-server
add add-arp=yes interface=work-vlan lease-time=4h name=work-dhcp use-radius=yes

/ip pool
add name=work-pool ranges=192.168.49.2-192.168.49.254
add name=guest-pool ranges=192.168.48.2-192.168.48.254
add name=mgmt-pool ranges=192.168.50.2-192.168.50.30
add name=camera-pool ranges=172.16.40.2-172.16.40.14

/ip dhcp-server
add add-arp=yes address-pool=guest-pool interface=guest-vlan lease-time=4h name=guest-dhcp
add address-pool=mgmt-pool interface=mgmt-vlan lease-time=8h name=mgmt-dhcp
add add-arp=yes address-pool=camera-pool interface=camera-vlan lease-time=4h name=camera-dhcp

/queue type
add cake-diffserv=besteffort cake-nat=yes kind=cake name=cake-rx
add cake-ack-filter=filter cake-diffserv=besteffort cake-nat=yes kind=cake name=cake-tx

/queue simple
add comment=ISP1 max-limit=180M/25M name=cake_wan1 queue=cake-rx/cake-tx target=wan1 total-queue=default
add comment=ISP2 max-limit=70M/70M name=cake_wan2 queue=cake-rx/cake-tx target=wan2 total-queue=default

/routing table
add disabled=no fib name=ISP1
add disabled=no fib name=ISP2

/interface bridge port
add bridge=bridge interface=ether2 pvid=10
add bridge=bridge interface=ether3 pvid=10
add bridge=bridge interface=ether4 pvid=10
add bridge=bridge interface=ether5 pvid=10
add bridge=bridge interface=ether6 pvid=10
add bridge=bridge interface=ether7 pvid=10
add bridge=bridge interface=ether8 pvid=40

/ip settings
set allow-fast-path=no ipv4-multipath-hash-policy=l4

/interface bridge vlan
add bridge=bridge comment=Management tagged=bridge untagged=ether2,ether3,ether4,ether5,ether6,ether7 vlan-ids=10
add bridge=bridge comment=Work tagged=bridge,ether2,ether3,ether4,ether5,ether6,ether7 vlan-ids=20
add bridge=bridge comment=Guest tagged=bridge,ether2,ether3,ether4,ether5,ether6,ether7 vlan-ids=30
add bridge=bridge comment=Camera tagged=bridge untagged=ether8 vlan-ids=40

/interface list member
add interface=wan1 list=WAN
add interface=wan2 list=WAN
add interface=mgmt-vlan list=LAN
add interface=bridge list=LAN
add interface=work-vlan list=LAN
add interface=guest-vlan list=LAN
add interface=camera-vlan list=LAN

/ip address
add address=192.168.49.1/24 interface=work-vlan network=192.168.49.0
add address=192.168.48.1/24 interface=guest-vlan network=192.168.48.0
add address=192.168.50.1/27 interface=mgmt-vlan network=192.168.50.0
add address=172.16.40.1/28 interface=camera-vlan network=172.16.40.0

/ip dhcp-client
add add-default-route=no check-gateway=ping default-route-tables=ISP1 interface=wan1 script="if ($bound=1) do={ /ip/route/set [find where comment="ISP1"] gateway=$"gateway-address" }"
add add-default-route=no check-gateway=ping default-route-tables=ISP2 interface=wan2 script="if ($bound=1) do={ /ip/route/set [find where comment="ISP2"] gateway=$"gateway-address" }"

/ip dhcp-server network
add address=172.16.40.0/28 gateway=172.16.40.1
add address=192.168.48.0/24 dns-server=8.8.8.8,1.1.1.1 gateway=192.168.48.1
add address=192.168.49.0/24 dns-server=8.8.8.8,1.1.1.1 gateway=192.168.49.1
add address=192.168.50.0/27 gateway=192.168.50.1

/ip firewall address-list
add address=192.168.48.0/24 list=local
add address=192.168.49.0/24 list=local
add address=192.168.50.0/27 list=local
add address=172.16.40.0/28 list=local

/ip firewall filter
add action=accept chain=forward in-interface=work-vlan out-interface=camera-vlan
add action=accept chain=forward in-interface=work-vlan out-interface=mgmt-vlan
add action=accept chain=forward in-interface=work-vlan out-interface=guest-vlan
add action=drop chain=forward in-interface=camera-vlan out-interface-list=WAN
add action=drop chain=forward connection-state=!established in-interface-list=LAN out-interface-list=LAN

/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN

/ip route
add comment=ISP1 dst-address=1.1.1.1 gateway=192.168.1.1 scope=10
add comment=ISP2 dst-address=1.1.1.2 gateway=192.168.0.1 scope=10
add check-gateway=ping gateway=1.1.1.1@main routing-table=ISP1 target-scope=11
add check-gateway=ping gateway=1.1.1.2@main routing-table=ISP2 target-scope=11
add check-gateway=ping comment=R1 gateway=1.1.1.1 target-scope=11
add check-gateway=ping comment=R2 gateway=1.1.1.2 target-scope=11

/routing rule
add action=lookup-only-in-table disabled=no dst-address=mgmt-vlan table=main
add action=lookup-only-in-table disabled=no dst-address=work-vlan table=main
add action=lookup-only-in-table disabled=no dst-address=guest-vlan table=main
add action=lookup-only-in-table disabled=no dst-address=camera-vlan table=main
add action=lookup comment=PC1 disabled=no src-address=192.168.48.20/32 table=ISP1
```

Please explain what is connected to ports 2, 3, 4, 5, 6, 7?
Right now you have hybrid ports on each one of them, so are they six Ubiquiti devices expecting the mgmt VLAN untagged and the rest of the data VLANs tagged?

If so, you could simplify the /interface bridge vlans to:

```
/interface bridge vlan
add bridge=bridge comment=Management tagged=bridge untagged=ether2,\
ether3,ether4,ether5,ether6,ether7 vlan-ids=10
add bridge=bridge tagged=bridge,ether2,ether3,ether4,ether5,ether6,ether7 \
vlan-ids=20,30
add bridge=bridge comment=Camera tagged=bridge untagged=ether8 vlan-ids=40
```

No need for the bridge to be a LAN member (remove it; it's covered by the VLANs).

Assuming you are behind another router, and that is why you are very sparse on firewall rules?

Why do you need scripts in IP DHCP client if you have fixed private WAN IPs?

What is your plan with two WANs: primary/failover, or load balancing?

I am going to assume, based on the config, that you are looking for ECMP load balancing.

Thus I would set that up as follows:

```
/ip route
# ECMP recursive routing
add check-gateway=ping dst-address=0.0.0.0/0 gateway=1.0.0.1 scope=30 target-scope=12
add check-gateway=ping dst-address=0.0.0.0/0 gateway=8.8.4.4 scope=30 target-scope=12
add comment=ISP1 dst-address=1.0.0.1 gateway=192.168.1.1 scope=12 target-scope=11
add comment=ISP2 dst-address=8.8.4.4 gateway=192.168.0.1 scope=12 target-scope=11
# special table
add comment="ISP1 special" dst-address=0.0.0.0/0 gateway=192.168.1.1 routing-table=ISP1

/routing rule
add action=lookup-only-in-table min-prefix=0 table=main comment="To Local traffic first"
add action=lookup src-address=192.168.48.20/32 table=ISP1 comment="PC1 only to WAN1"
```

Note that if ISP1 is not available, the router will select the other available route, i.e. via WAN2, unless you use lookup-only-in-table.
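To make the rule order and the difference between `lookup` and `lookup-only-in-table` concrete, here is an added toy model in Python (my own example, not RouterOS code and not from anyone in this thread) that evaluates the suggested rules against the suggested tables. It assumes that `min-prefix` skips a rule whose best match is no longer than `min-prefix`, that a route whose check-gateway has failed is simply absent from the lookup, and it represents connected routes by their VLAN name instead of an interface.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Route:
    dst: str             # prefix, e.g. "0.0.0.0/0"
    gateway: str         # next hop, or the VLAN name for a connected route
    active: bool = True  # check-gateway=ping marks a route inactive when its gateway stops answering
@dataclass
class Rule:
    action: str          # "lookup", "lookup-only-in-table" or "drop"
    table: str = "main"
    src: str = ""        # src-address / dst-address matchers; empty means any
    dst: str = ""
    min_prefix: int = -1 # -1 means not set
def best_routes(table, dst_ip):
    """Longest-prefix match: (prefix length, all equally long active routes); ties are ECMP."""
    hits = [(ipaddress.ip_network(r.dst).prefixlen, r) for r in table
            if r.active and dst_ip in ipaddress.ip_network(r.dst)]
    longest = max((p for p, _ in hits), default=-1)
    return longest, [r for p, r in hits if p == longest]

def route_packet(rules, tables, src, dst):
    """Walk the rules top to bottom; return (table used, gateways) or ("drop", ())."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if (rule.src and src_ip not in ipaddress.ip_network(rule.src)) or \
           (rule.dst and dst_ip not in ipaddress.ip_network(rule.dst)):
            continue
        if rule.action == "drop":
            return ("drop", ())
        longest, found = best_routes(tables[rule.table], dst_ip)
        # Assumed min-prefix semantics: skip the rule unless the best route is longer than
        # min-prefix, so min-prefix=0 lets only connected/specific routes match in main here.
        if rule.min_prefix >= 0 and longest <= rule.min_prefix:
            continue
        if found:
            return (rule.table, tuple(r.gateway for r in found))
        if rule.action == "lookup-only-in-table":
            return ("drop", ())  # nothing in that table and no fallback allowed
        # plain "lookup" found nothing: fall through to the next rule, finally to main
    _, found = best_routes(tables["main"], dst_ip)
    return ("main", tuple(r.gateway for r in found)) if found else ("drop", ())

def build_tables(isp1_up=True):
    # Tables from the suggested config; isp1_up=False models check-gateway failing on ISP1.
    main = [Route("192.168.48.0/24", "guest-vlan"), Route("192.168.49.0/24", "work-vlan"),
            Route("0.0.0.0/0", "1.0.0.1", isp1_up), Route("0.0.0.0/0", "8.8.4.4")]
    return {"main": main, "ISP1": [Route("0.0.0.0/0", "192.168.1.1", isp1_up)]}
RULES = [Rule("lookup-only-in-table", "main", min_prefix=0),  # "To Local traffic first"
         Rule("lookup", "ISP1", src="192.168.48.20/32")]      # "PC1 only to WAN1"
```

With ISP1 down, PC1's `lookup` rule finds nothing in table ISP1 and its traffic falls back to the main table (WAN2), while the same rule written as `lookup-only-in-table` drops it instead.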

@anav Thanks for your reply.

Access points. You are right.

Yes, we are behind firewall.

We can change ISP, so the script can update the gateway dynamically.

Load Balancing.

This looks like a bug with Routing Rules on RouterOS 7.19.6, because after making the changes you suggested, and also after adding an additional rule to block traffic to 9.9.9.9 from a specific host, the ping to 9.9.9.9 still works from the host 192.168.49.20.

```
add action=drop disabled=no dst-address=9.9.9.9/32 src-address=192.168.49.20/32
```

Rebooting resolved the issue.

I would move to 7.21.3 as well.