Hey everyone,
I’m running a MikroTik CCR1009 with RouterOS 7.18.2.
I have BGP sessions with two different upstreams:
- ISP1 (national provider) on ether1 — with 2 BGP peers (important!) (1 is the main BGP Neighbor and the 2nd one is the Backup Neighbor)
- ISP2 (international provider) on combo1 — with 1 BGP peer
From both providers I receive the default route (0.0.0.0/0), and as expected, MikroTik installs both in the main routing table, which leads to ECMP.
But here’s the issue — I need strict policy-based routing (PBR):
- Traffic that comes in via ISP1 must go out via ISP1
- Traffic that comes in via ISP2 must go out via ISP2
- My internal LAN (192.168.88.0/24) should only go out via ISP1, with NAT
- No ECMP, no load balancing — I need symmetric routing, 100% predictable
- Applications like VoIP are breaking because of asymmetric paths — packets go out one ISP and come back on the other
What I’ve tried:
- VRFs per ISP — unreliable, didn’t fully work as expected
- Mangle + routing marks — inconsistent behavior, especially with BGP-installed routes
- Routing rules and custom routing tables — close, but I still had leaks (traffic exiting the wrong interface)
- Tried filtering the default route, but I need them for failover logic, and filters break things if not done carefully
What I need help with:
- A clean way to enforce symmetric routing based on ingress ISP, without relying on ECMP or hacky tricks
- A config that works properly with multiple BGP peers on the same ISP
- Proper use of /routing/table and /routing/rule to handle this the MikroTik 7.x way
- And yeah — NO mangle, if possible
If anyone’s running a similar dual-homed BGP setup with strict PBR on RouterOS 7+, I’d love to see how you solved it.
P.S.: even tried doing something like in this tutorial https://www.slideshare.net/GLCNetworks/policy-based-routing-pbr-on-mikrotik but no success. Instead of the Src.Address I’ve used the interface…
Thanks in advance!