Respond for the internet connection through which they connect.

I apologize for the English; I’m using a translator.

Good morning, I’m explaining my situation here, requesting help with this configuration.

I have a Mikrotik router with 5 fiber optic internet ports, each with a fixed public IP address.

These ports are Ethernet 1 through 5.

A client needs to connect to a server we have on the LAN.

This client has 3 fixed public IP addresses and can initiate the connection through any of them.

The client must connect through Internet connection 3 (Ethernet 3) and 5 (Ethernet 5) as a backup.

What I’m trying to do is have the server respond to these client public IP addresses through the same Internet connection the client used to connect.

Currently, my server responds through Internet connection 1 (Ethernet 1), which is the default Internet connection.

I configure a mangle with prerouting for each of the client’s three public IP addresses. This way, I get the server to access Internet connection 3 when it connects to one of the client’s public IP addresses.

The problem is that the same configuration would apply to Internet connection 5 (Ethernet 5), so I configure the server to access two different connections, 3 and 5, to connect to the same public IP addresses. Of course, it doesn’t work.

What I want is for the client to connect with its IP address 1 to connection 3, and the server will respond through fiber 3. But if the client connects with IP address 1 to connection 5, it will respond through 5, and so on for the client’s three public IP addresses.

In case by “have the server respond to these client public IP addresses through the same Internet connection” you mean the gateway Mikrotik router should send out the reply through the interface the request came in, here is my method for ether1 and ether2 as uplinks (RoS v 7.16.2):

/ip firewall mangle
add action=mark-connection chain=prerouting comment="suplinks: mark ether1 connection" in-interface=ether1 new-connection-mark=ether1 passthrough=no
add action=mark-connection chain=prerouting comment="suplinks: mark ether2 connection" in-interface=ether2 new-connection-mark=ether2 passthrough=no
add action=mark-routing chain=prerouting comment="suplinks: reply through ether1" connection-mark=ether1 new-routing-mark=ether1 passthrough=no
add action=mark-routing chain=prerouting comment="suplinks: reply through ether2" connection-mark=ether2 new-routing-mark=ether2 passthrough=no
add action=mark-routing chain=output comment="suplinks: reply through ether1" connection-mark=ether1 new-routing-mark=ether1 passthrough=no
add action=mark-routing chain=output comment="suplinks: reply through ether2" connection-mark=ether2 new-routing-mark=ether2 passthrough=no

Explained: when a packet reaches the router from outside, the connection is marked with the name of the interface. When a packet reaches the router not from outside or is initiated by the router, then the connection mark becomes the routing mark. The passthrough=no is important: the first applied mangle rule ends the mangle prerouting process.

The routing tables needed:

/routing table
add name=ether1 fib
add name=ether2 fib

And the routes:

/ip route
add gateway=<nexthopp> routing-table=ether1
add gateway=<nexthopp> routing-table=ether2

Here is exactly the same as in the route in the main routing table. Distance does not matter.

This is my snippet for doing this.
Make sure you adjust the interface names and gateway for each section correctly.

/routing table
add fib name=ether1-NBN_Traffic
add fib name=ether2-ISP2_Traffic
add fib name=ether3-ISP3_Traffic

# This is for traffic to and from the router itself, but the route table entries are used for the port forwards lower down.
# make sure you set the gateway IP Addresses in ip/route correctly

# what comes from ether1, gets out from ether1
/ip firewall mangle add action=mark-connection chain=input in-interface=ether1-NBN new-connection-mark=ether1-NBN_conn passthrough=yes disabled=no comment="in ether1-NBN,out ether1-NBN"
/ip firewall mangle add action=mark-routing chain=output connection-mark=ether1-NBN_conn new-routing-mark=ether1-NBN_Traffic passthrough=no disabled=no 
/ip route add dst-address=0.0.0.0/0 gateway=123.123.123.1 distance=1 routing-table=ether1-NBN_Traffic disabled=no comment="ether1-NBN_Traffic"

# what comes from ether2-ISP2, gets out from ether2-ISP2
/ip firewall mangle add action=mark-connection chain=input in-interface=ether2-ISP2 new-connection-mark=ether2-ISP2_conn passthrough=yes disabled=no comment="in ether2-ISP2,out ether2-ISP2"
/ip firewall mangle add action=mark-routing chain=output connection-mark=ether2-ISP2_conn new-routing-mark=ether2-ISP2_Traffic passthrough=no disabled=no 
/ip route add dst-address=0.0.0.0/0 gateway=155.157.23.1 distance=1 routing-table=ether2-ISP2_Traffic disabled=no comment="ether2-ISP2_Traffic"


# what comes from ether3-ISP3, gets out from ether3-ISP3
/ip firewall mangle add action=mark-connection chain=input in-interface=ether3-ISP3 new-connection-mark=ether3-ISP3_conn passthrough=yes disabled=no comment="in ether3-ISP3,out ether3-ISP3"
/ip firewall mangle add action=mark-routing chain=output connection-mark=ether3-ISP3_conn new-routing-mark=ether3-ISP3_Traffic passthrough=no disabled=no 
/ip route add dst-address=0.0.0.0/0 gateway=20.37.45.1 distance=1 routing-table=ether3-ISP3_Traffic disabled=no comment="ether3-ISP3_Traffic"


# If you have port forwards you need to ensure they stick to the correct interfaces for the return traffic
# note you have to define not only the external interface but the name of your bridge or LAN interface too

# port forwards from ether1-NBN, goes back out from ether1-NBN
/ip firewall mangle add action=mark-connection chain=forward in-interface=ether1-NBN connection-state=new new-connection-mark=ether1-NBN_pfw passthrough=no disabled=no comment="pfw ether1-NBN, out ether1-NBN"
/ip firewall mangle add action=mark-routing chain=prerouting in-interface=bridge connection-mark=ether1-NBN_pfw new-routing-mark=ether1-NBN_Traffic passthrough=no disabled=no


# port forwards from ether2-ISP2, goes back out from ether2-ISP2
/ip firewall mangle add action=mark-connection chain=forward in-interface=ether2-ISP2 connection-state=new new-connection-mark=ether2-ISP2_pfw passthrough=no disabled=no comment="pfw ether2-ISP2, out ether2-ISP2"
/ip firewall mangle add action=mark-routing chain=prerouting in-interface=bridge connection-mark=ether2-ISP2_pfw new-routing-mark=ether2-ISP2_Traffic passthrough=no disabled=no


# port forwards from ether3-ISP3, goes back out from ether3-ISP3
/ip firewall mangle add action=mark-connection chain=forward in-interface=ether3-ISP3 connection-state=new new-connection-mark=ether3-ISP3_pfw passthrough=no disabled=no comment="pfw ether3-ISP3, out ether3-ISP3"
/ip firewall mangle add action=mark-routing chain=prerouting in-interface=bridge connection-mark=ether3-ISP3_pfw new-routing-mark=ether3-ISP3_Traffic passthrough=no disabled=no
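The two answers above, applied to the ether3/ether5 case from the question, as an added example that is not part of any post in this thread. The LAN interface name `bridge`, the server address and port, the client addresses, the gateway addresses and the table, mark and list names are all constructed placeholders; the address list additionally limits the port forward to the client's three fixed IPs.

```routeros
# Added example; every address and name below is a constructed placeholder.
# Assumed: LAN interface "bridge", server 192.168.88.10 on tcp/443,
# client IPs 198.51.100.11-13, gateways 203.0.113.1 (ether3) and 203.0.113.129 (ether5).

/ip firewall address-list
add list=client-ips address=198.51.100.11
add list=client-ips address=198.51.100.12
add list=client-ips address=198.51.100.13

/routing table
add name=via-ether3 fib
add name=via-ether5 fib

/ip route
add dst-address=0.0.0.0/0 gateway=203.0.113.1 routing-table=via-ether3
add dst-address=0.0.0.0/0 gateway=203.0.113.129 routing-table=via-ether5

/ip firewall nat
# Only the known client addresses are forwarded to the server.
add chain=dstnat in-interface=ether3 src-address-list=client-ips protocol=tcp dst-port=443 action=dst-nat to-addresses=192.168.88.10 comment="client to server via ether3"
add chain=dstnat in-interface=ether5 src-address-list=client-ips protocol=tcp dst-port=443 action=dst-nat to-addresses=192.168.88.10 comment="client to server via ether5"

/ip firewall mangle
# Mark by arrival interface, not by client IP: the same client IP may arrive
# on either uplink, and the mark records which one this connection used.
add chain=prerouting in-interface=ether3 connection-state=new src-address-list=client-ips action=mark-connection new-connection-mark=ether3_conn passthrough=no
add chain=prerouting in-interface=ether5 connection-state=new src-address-list=client-ips action=mark-connection new-connection-mark=ether5_conn passthrough=no
# Server replies enter from the LAN side; pick the routing table from the connection mark.
add chain=prerouting in-interface=bridge connection-mark=ether3_conn action=mark-routing new-routing-mark=via-ether3 passthrough=no
add chain=prerouting in-interface=bridge connection-mark=ether5_conn action=mark-routing new-routing-mark=via-ether5 passthrough=no
```

If a fasttrack rule is present in the forward filter chain, restrict it to `connection-mark=no-mark`, because fasttracked packets bypass mangle and would leave through the default uplink.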

As you may have guessed, the responders have some WHAT IFs, and other suggestions (and also some errors).
In other words, you should not be asking for a part solution if the requirements are not fully identified.
A better response can be had when we know what else is going on the router for both incoming/outgoing traffic, VPNs etc…
(how many subnets, how many servers, are users on same subnet also accessing server and if so how etc…)

/export file=anynameyouwish (minus router serial number, any public IP information, keys etc.)