Router doesn't work too well

Greetings!

I have a RB2011UiAS with two DHCP WANs, but when one of them is offline, the other WAN doesn’t work either, even if I change the default route in DHCP Client, but if I put a cable right to the modem, I have a connection.

If I try to access any website sometimes I have a DNS error, but when I submit a backup with the same configuration the connection is established when I change the route,


I noticed something too, when I apply some change, it doesn’t show to me, I have to close the window and open it again to show the right configuration.


I know this is strange. I have already watched some videos and reviewed all my WAN and rule configuration from scratch, but I still have those problems.

I am sure you have reviewed all possible config topics and still it doesn’t work …
Wouldn’t it be easier to actually SHOW your config then ?
If not, nobody will be able to help.

/export file=anynameyouwish
Move file to your PC.
Remove any sensitive info (public IP, serial, passwds, …)
Post contents back here between [__code] [/__code] quotes for easier readability.

Please also provide a small drawing of your network setup (can be on paper).

Thanks for the advice. The configuration is below.

 
 # may/21/2025 10:14:49 by RouterOS 6.49.15
# software id = Y952-X3FU
#
# model = 2011UiAS
# serial number =
# Outbound PPTP client tunnel to a dynamic-DNS hostname. The name, user and
# password values are empty in this post, presumably blanked before publishing.
# NOTE(review): PPTP relies on MS-CHAP/MPPE, which is considered weak; confirm
# the tunnel is still needed before carrying it into a rebuilt configuration.
/interface pptp-client
add connect-to=grupolink.dyndns.org disabled=no name="" \
    password= user=
# LAN bridge; its member ports are added later under "/interface bridge port".
/interface bridge
add fast-forward=no name="BD - Rede Local"
# Physical ports are renamed by role. Later sections refer to these names, not
# to ether1..ether10. "\E7\E3" is the export's escape for two non-ASCII bytes
# in the ether4 name.
/interface ethernet
set [ find default-name=ether1 ] name="Eth1 - VivoDHCP" speed=100Mbps
set [ find default-name=ether2 ] name="Eth2 - VivoPPPoe" speed=100Mbps
set [ find default-name=ether3 ] name="Eth3 - Rede Local" speed=100Mbps
set [ find default-name=ether4 ] name="Eth4 - Interliga\E7\E3o G4" speed=\
    100Mbps
set [ find default-name=ether5 ] name="Eth5 - NetVirtua" speed=10Mbps
set [ find default-name=ether6 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=\
    Eth6-Vivo-2
set [ find default-name=ether7 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=Eth7
set [ find default-name=ether8 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=Eth8
set [ find default-name=ether9 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=Eth9
set [ find default-name=ether10 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=Eth10
set [ find default-name=sfp1 ] name=Fibra
# PPPoE session bound to Eth10; the credentials are empty in this post.
/interface pppoe-client
add disabled=no interface=Eth10 name="PPPoE - Vivo" password= user=\
    
# "Links" is the interface list the NAT rules use for the WAN side
# (in-interface-list / out-interface-list).
/interface list
add name=Links
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# Layer-7 regex matchers. In this export only "Whatsapp" is referenced by a
# filter rule; "Bloqueio" and "Bloqueio Pornografia" are defined but unused.
# NOTE(review): the keyword lists include short substrings such as "bet" and
# "games", which will also match unrelated hostnames; a reply in the thread
# points out that layer-7 matching mainly costs CPU.
/ip firewall layer7-protocol
add name=Whatsapp regexp=whatsapp
add comment=Bloqueio name=Bloqueio regexp="^.+(clickjogos|jogos360|netflix|str\
    eaming|xbox|nintendo|games|jogos|disney|bets|bet|apostas|apostasnacional|b\
    et365|blaze|paramount).*\$"
add comment="Bloqueio Pornografia" name="Bloqueio Pornografia" regexp="^.+(xvi\
    de|xvideos|redtube|porno|porn|sexo|pornocarioca|xhamster|xham|xxx).*\$"
# Address pools: "VPN" is handed to PPP clients through the VPN profile below,
# "Rede Local" is the LAN DHCP range.
/ip pool
add name=VPN ranges=10.0.1.10-10.0.1.254
add name="Rede Local" ranges=10.0.0.50-10.0.0.254
# DHCP server for the LAN bridge.
/ip dhcp-server
add address-pool="Rede Local" disabled=no interface="BD - Rede Local" \
    lease-time=1d name="DHCP Rede local"
# PPP profile used as the default profile of the PPTP server further down.
/ppp profile
add local-address=10.0.1.1 name=VPN remote-address=VPN
# Queue types 0-6, 8 and 9 are set to kind=none (index 7 is not listed).
# NOTE(review): the reason is not visible in this export - confirm before reuse.
/queue type
set 0 kind=none
set 1 kind=none
set 2 kind=none
set 3 kind=none
set 4 kind=none
set 5 kind=none
set 6 kind=none
set 8 kind=none
set 9 kind=none
# Eth3 and Eth4 are the LAN bridge members (hardware offload off).
/interface bridge port
add bridge="BD - Rede Local" hw=no interface="Eth3 - Rede Local"
add bridge="BD - Rede Local" hw=no interface="Eth4 - Interliga\E7\E3o G4"
# Neighbor discovery runs on every interface that is not in the built-in
# "dynamic" list, which includes the WAN-facing ports placed in "Links" below.
# NOTE(review): restricting discovery to a LAN-only interface list would keep
# the router from announcing itself towards the ISP side.
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
# L2TP server settings; no enabled=yes is exported here, so the server is
# presumably off - confirm on the device.
/interface l2tp-server server
set authentication=chap,mschap1,mschap2 use-ipsec=required
# Every uplink, plus a PPTP interface, is a member of "Links".
# "PPTP-Grupo Link" is presumably the pptp-client whose name is blank above.
/interface list member
add interface="Eth5 - NetVirtua" list=Links
add interface="PPPoE - Vivo" list=Links
add interface="Eth2 - VivoPPPoe" list=Links
add interface=Eth6-Vivo-2 list=Links
add interface="PPTP-Grupo Link" list=Links
add interface="Eth1 - VivoDHCP" list=Links
# The PPTP server is enabled and accepts PAP (password sent in clear) as well
# as CHAP and MS-CHAPv1/v2. With no input-chain filter rules in this export,
# nothing on the router limits which interfaces can reach it.
# NOTE(review): "/ppp secret" is empty in this export, so confirm whether any
# account can log in at all; if the VPN is unused, disable the server.
/interface pptp-server server
set authentication=pap,chap,mschap1,mschap2 default-profile=VPN enabled=yes
# LAN gateway address on the bridge.
/ip address
add address=10.0.0.1/24 interface="BD - Rede Local" network=10.0.0.0
# Static ARP entry for one LAN host; the MAC address is empty in this post.
/ip arp
add address=10.0.0.116 interface="BD - Rede Local" mac-address=\
    
# MikroTik cloud DDNS is enabled, so the router registers its public address
# with that service.
/ip cloud
set ddns-enabled=yes update-time=no
# DHCP clients on four uplink ports and on the LAN bridge. Only the Eth5 entry
# omits add-default-route=no, so it is presumably the only client that installs
# a default route; when that uplink is down the main table has no default
# route, which matches the symptom described in the thread.
# NOTE(review): a DHCP client on "BD - Rede Local", where this router is also
# the DHCP server, looks unintended - confirm.
/ip dhcp-client
add add-default-route=no disabled=no interface="Eth2 - VivoPPPoe" \
    use-peer-dns=no use-peer-ntp=no
add disabled=no interface="Eth5 - NetVirtua" use-peer-dns=no use-peer-ntp=no
add add-default-route=no disabled=no interface="BD - Rede Local" \
    use-peer-dns=no use-peer-ntp=no
add add-default-route=no disabled=no interface=Eth6-Vivo-2 use-peer-dns=no \
    use-peer-ntp=no
add add-default-route=no disabled=no interface="Eth1 - VivoDHCP" \
    use-peer-dns=no use-peer-ntp=no
/ip dhcp-server lease
# LAN clients are given two internal DNS servers (10.0.0.5, 10.0.0.11), not the
# router, so client name resolution depends on those hosts having a working
# path out.
/ip dhcp-server network
add address=10.0.0.0/24 dns-server=10.0.0.5,10.0.0.11 domain= \
    gateway=10.0.0.1 netmask=24 ntp-server=200.160.0.8,200.189.40.8
# allow-remote-requests=yes makes the router answer DNS queries from the
# network. No input-chain rule in this export limits that to the LAN, so the
# resolver is reachable on the WAN ports unless the ISP devices block it.
/ip dns
set allow-remote-requests=yes servers=\
    8.8.8.8,8.8.4.4
/ip dns static
add address= name=
# Static address lists. Rules elsewhere reference "Maquinas Bloqueadas
# Whatsapp", "Maquinas Bloqueadas" and "NET", none of which has a static entry
# here; unless they are filled dynamically, rules that positively match on
# them match nothing.
/ip firewall address-list
add address=10.0.0.0/24 list="Redes Conhecidas"
add address=10.0.0.240 list="Maquinas liberadas total"
add address=10.0.0.72 list="Maquinas liberadas total"
add address=20.72.0.0/15 list=WindowsUpdate
add address=52.140.118.28 list=WindowsUpdate
add address=52.165.164.173 list=WindowsUpdate
add address=52.137.106.217 list=WindowsUpdate
add address=52.252.198.189 list=WindowsUpdate
# This is the complete filter table: two layer-7 drops (forward and output)
# and four disabled per-IP drops. There is no rule on the input chain, no
# connection-state handling and no final drop, so the router accepts all
# traffic addressed to it and forwards everything else. A reply in the thread
# raises the same point and recommends starting again from the default
# firewall.
/ip firewall filter
add action=drop chain=forward layer7-protocol=Whatsapp src-address-list=\
    "Maquinas Bloqueadas Whatsapp"
add action=drop chain=output layer7-protocol=Whatsapp src-address-list=\
    "Maquinas Bloqueadas Whatsapp"
add action=drop chain=forward comment=BloqueioPorIPTEMP disabled=yes \
    protocol=tcp src-address=143.105.25.131
add action=drop chain=forward comment=BloqueioPorIP disabled=yes protocol=tcp \
    src-address=47.238.192.255
add action=drop chain=forward comment=BloqueioPorIP disabled=yes protocol=tcp \
    src-address=69.55.54.0/24
add action=drop chain=forward comment=BloqueioPorIP disabled=yes protocol=tcp \
    src-address=138.124.60.132
# Policy-routing marks. The mark-connection rules tag new connections by the
# interface they arrive on (first rule: LAN sources in list "NET"; the others:
# one rule per WAN port). The mark-routing rules then translate connection
# marks "Vivo" and "NET" into routing marks of the same name, for LAN traffic
# in prerouting and for router-originated traffic in output.
# Connection mark "Teste" (Eth6 and Eth1) is never translated into a routing
# mark, and the only enabled route in "/ip route" uses routing-mark=VivoDHCP,
# which no rule here sets - so these marks do not currently select an uplink.
/ip firewall mangle
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-list="!Redes Conhecidas" in-interface="BD - Rede Local" \
    new-connection-mark=NET passthrough=yes src-address-list=NET
add action=mark-connection chain=prerouting connection-mark=no-mark disabled=\
    yes in-interface="PPPoE - Vivo" new-connection-mark=Vivo passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface="Eth5 - NetVirtua" new-connection-mark=NET passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface="Eth2 - VivoPPPoe" new-connection-mark=Vivo passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=Eth6-Vivo-2 new-connection-mark=Teste passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface="Eth1 - VivoDHCP" new-connection-mark=Teste passthrough=yes
add action=mark-routing chain=prerouting connection-mark=Vivo in-interface=\
    "BD - Rede Local" new-routing-mark=Vivo passthrough=yes
add action=mark-routing chain=prerouting connection-mark=NET in-interface=\
    "BD - Rede Local" new-routing-mark=NET passthrough=yes
add action=mark-routing chain=output connection-mark=Vivo dst-address-list=\
    "!Redes Conhecidas" new-routing-mark=Vivo passthrough=yes
add action=mark-routing chain=output connection-mark=NET dst-address-list=\
    "!Redes Conhecidas" new-routing-mark=NET passthrough=yes
# NAT table.
# The first three dstnat rules use action=accept for GRE, TCP 1723 (PPTP) and
# TCP 8291 (Winbox) arriving on the WAN list. "accept" in dstnat only stops
# further NAT matching, so that traffic is delivered to the router itself.
# With no input-chain filter, PPTP and Winbox are then reachable from the
# uplinks unless the ISP devices block them.
# NOTE(review): limit management access to the LAN or a VPN, and add input
# rules, before relying on this.
# The six per-port masquerade rules and the "!Maquinas Bloqueadas" rule are all
# covered by the final unconditional masquerade on "Links", so the exclusion
# list has no effect on NAT.
# The 3389 rule has no in-interface and no to-addresses: it forwards nothing
# and only exempts RDP traffic from the dst-nat rule after it.
# The 1883 (MQTT) rule has no in-interface or dst-address match, so it sends
# every TCP 1883 connection passing through the router to 10.0.0.240,
# including LAN clients connecting to outside brokers, and it exposes that host
# on every uplink.
/ip firewall nat
add action=accept chain=dstnat in-interface-list=Links protocol=gre
add action=accept chain=dstnat dst-port=1723 in-interface-list=Links \
    protocol=tcp
add action=accept chain=dstnat dst-port=8291 in-interface-list=Links \
    protocol=tcp
add action=masquerade chain=srcnat dst-port=993 out-interface-list=Links \
    protocol=tcp
add action=masquerade chain=srcnat dst-port=5938 out-interface-list=Links \
    protocol=tcp
add action=masquerade chain=srcnat dst-port=995 out-interface-list=Links \
    protocol=tcp
add action=masquerade chain=srcnat dst-port=587 out-interface-list=Links \
    protocol=tcp
add action=masquerade chain=srcnat dst-port=143 out-interface-list=Links \
    protocol=tcp
add action=masquerade chain=srcnat dst-port=110 out-interface-list=Links \
    protocol=tcp
add action=masquerade chain=srcnat out-interface-list=Links src-address-list=\
    "!Maquinas Bloqueadas"
add action=masquerade chain=srcnat out-interface-list=Links
add action=accept chain=dstnat dst-port=3389 protocol=tcp
add action=dst-nat chain=dstnat dst-port=1883 protocol=tcp to-addresses=\
    10.0.0.240 to-ports=1883
/ip firewall service-port
set sip sip-direct-media=no sip-timeout=0s
# Web-proxy access list with a single deny-all entry.
/ip proxy access
add action=deny
# Static routes. All but one are disabled; the enabled one sits in routing
# table "VivoDHCP", which no mangle rule selects, and it names an Ethernet
# interface as gateway instead of a next-hop address.
# NOTE(review): there is no enabled static default route in the main table and
# no distance/check-gateway arrangement between uplinks, so there is no
# failover path. The thread links MikroTik's failover guide for this.
/ip route
add disabled=yes distance=1 gateway="Eth2 - VivoPPPoe" routing-mark=Vivo
add disabled=yes distance=1 gateway="Eth2 - VivoPPPoe" routing-mark=Vivo
add disabled=yes distance=1 gateway=201.6.247.1 routing-mark=NET
add disabled=yes distance=1 gateway=Eth6-Vivo-2 routing-mark=Vivo2
add distance=1 gateway="Eth1 - VivoDHCP" routing-mark=VivoDHCP
add disabled=yes distance=3 gateway=201.6.247.1
# telnet, ftp, www, ssh, api and api-ssl are disabled. winbox is not listed, so
# it is presumably at its default (enabled, no address restriction) - confirm.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes port=8778
set api-ssl disabled=yes
# The SOCKS port was changed from the default to 4153; no enabled=yes is
# exported, so the proxy is presumably off.
# NOTE(review): on an inherited router with no input firewall, an unexplained
# non-default SOCKS port is worth auditing. This port number has been reported
# in write-ups of compromised MikroTik devices (verify); review users,
# scripts, the scheduler and files before reusing any of this configuration.
/ip socks
set port=4153
/ip socks access
# allow-none-crypto=yes permits SSH sessions with no encryption, and
# forwarding-enabled=remote permits remote port forwarding. The ssh service is
# disabled above, so these only matter if SSH is re-enabled.
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
# DHCPv6 client requesting an address on the LAN bridge.
# NOTE(review): no IPv6 firewall section appears in this export - confirm
# whether the IPv6 package is in use and filtered.
/ipv6 dhcp-client
add interface="BD - Rede Local" request=address use-peer-dns=no
/ipv6 nd
set [ find default=yes ] advertise-dns=no
# Front-panel LCD settings: the backlight never times out and most interfaces
# are hidden from the display.
/lcd
set backlight-timeout=never
/lcd interface
set Fibra disabled=yes
set "Eth1 - VivoDHCP" disabled=yes
set "Eth3 - Rede Local" disabled=yes
set "Eth4 - Interliga\E7\E3o G4" disabled=yes
set "Eth5 - NetVirtua" disabled=yes
set Eth7 disabled=yes
set Eth8 disabled=yes
set Eth9 disabled=yes
set Eth10 disabled=yes
/lcd interface pages
set 0 interfaces="Eth2 - VivoPPPoe,Eth6-Vivo-2"
# No PPP secrets appear in this export (removed by the poster, or none defined).
/ppp secret
/system clock
set time-zone-name=America/Sao_Paulo
/system identity
set name=AEPH
# The DHCP logging topic is disabled; the e-mail topic is logged.
/system logging
add disabled=yes topics=dhcp
add topics=e-mail
/system ntp client
set enabled=yes primary-ntp=200.160.0.8 secondary-ntp=200.189.40.8
# Scheduler entry that runs a script named "update-noip" every 5 minutes with
# the full policy set. The only script in this export is named "NO-IP", so the
# scheduled name does not match any script shown here.
# NOTE(review): grant a scheduled job only the policies it needs (this one
# lists reboot, password, sniff, sensitive, ...).
/system scheduler
add interval=5m name="update no-ip" on-event=\
    "/system script run update-noip\r\
    \n" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=jul/25/2024 start-time=16:18:04
# Dynamic-DNS updater: it reads the address of $inetinterface, compares it
# with the previous value kept in a global, and on change calls the provider's
# update URL with /tool fetch over HTTPS, saving the reply to /noip.html.
# The account values are empty in this post; on the router they are kept in
# global variables and in the script source.
# $inetinterface is "ether1", but ether1 is renamed "Eth1 - VivoDHCP" earlier
# in this export, so the address lookup presumably finds nothing - confirm.
# NOTE(review): no check-certificate option is passed to fetch; confirm that
# the server certificate is verified before sending credentials.
/system script
add dont-require-permissions=no name=NO-IP owner= policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":\
    global noipuser \"\"\r\
    \n:global noippass \"\"\r\
    \n:global noiphost \"\"\r\
    \n:global inetinterface \"ether1\"\r\
    \n\r\
    \n:global previousIP\r\
    \n\r\
    \n:global currentIP [/ip address get [find interface=\$inetinterface] addr\
    ess]\r\
    \n\r\
    \n:if (\$currentIP != \$previousIP) do={\r\
    \n    :log info \"No-IP: Sending UPDATE!\"\r\
    \n    :global str \"/nic/update\?hostname=\$noiphost&myip=\$currentIP\"\r\
    \n    /tool fetch address=dynupdate.no-ip.com src-path=\$str mode=https us\
    er=\$noipuser password=\$noippass dst-path=\"/noip.html\"\r\
    \n    :delay 1\r\
    \n    :global previousIP \$currentIP\r\
    \n    :log info \"No-IP: Host \$noiphost updated on No-IP with IP \$curren\
    tIP\"\r\
    \n} else={\r\
    \n    :log info \"No-IP: No update necessary\"\r\
    \n}\r\
    \n"
# E-mail tool pointed at 127.0.0.1 with an empty sender; the e-mail logging
# topic enabled earlier in this export has no usable mail server behind it.
/tool e-mail
set address=127.0.0.1 from=""
/tool graphing interface
add
# No netwatch entries: nothing monitors uplink reachability.
/tool netwatch

draw.png

I think this describes how to setup WAN failover:
https://help.mikrotik.com/docs/spaces/ROS/pages/26476608/Failover+WAN+Backup

You are missing the correct route (/ip route).

Okay, I will fix it.

Actually, I didn't set up this router. I'm trying to understand what the previous administrator did, but I'm kinda lost.

Added comments:
layer-7 blocking of Whatsapp simply eats away CPU power and is (for most cases) rather useless.

But most importantly …
I hope those 2 other routers in front of this RB2011 router are acting as decent firewall because right now this RB2011 is pretty much wide open to the outside world.
E.g. you have ZERO rules on the input chain, so everything that passes those ISP devices can reach your router.
The forward chain is also non-existent except for those layer-7 rules (the rest is disabled and, even if enabled, very limited).

Usually you should put your firewall on the device which accepts WAN connections, so in this case it should be on RB2011.
Otherwise you have to maintain TWO firewalls (one for each ISP).

But that’s my view.

About Layer-7 it was something I was testing by myself, I can even delete it.

These other routers are actually from our two ISPs. To be honest, I’m already having problems with all these configurations. I’m considering doing a full reset. so I could set it up properly.

My advice then:
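Export your current config using show-sensitive (that option exists on RouterOS 7; on 6.x, which this router runs, a plain /export already includes sensitive values).
Also make a binary backup (from Files, just in case).
Move both files away from your device, and keep them somewhere safe, since they contain credentials!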

Verify users are correct with how you think it should be.
If not, clean up.

Reset to default config, keeping users (just make sure not to do this during business hours or you WILL hear your clients :laughing: )
That should make sure a default firewall is present.

Then start from there adding pieces from earlier exported config. Make sure to save between each major step (and Safe Mode is your friend !!).
Also make sure to remove (if possible) 1 port from your bridge and access from there using Winbox with MAC address. Or you may risk locking yourself out.

OK, I got it. Thank you for all help.