Set up second WAN/ISP temporarily

We are transitioning to a new ISP. I want to set up the second ISP while the first is still in place, until we can test everything and get DNS resolution working with the new host names.

So far:
1- Added the IP addresses of the new ISP and selected the interface of ISP2
2- Created a mangle prerouting rule for a routing mark, for testing from my IP only
3- Added a default IP route and selected the routing mark from step 2
4- Added a source NAT rule setting the out interface, routing mark and "to address" using one of the public IPs on WAN2

At this point I can surf the web, and whatsmyip shows the new ISP IP address.

Now I've added the NAT rules for inbound traffic (internal services), and for them to work I add a mangle prerouting rule.
But when I do this, the old IP address on ISP1 no longer responds to requests.

So, how do I get both ISP1 and ISP2 to respond to requests while we are setting up the router and testing, and of course while waiting for DNS to update?

Thanks in advance for the assistance. I did not initially program this device so I am stumbling along.

Oh, and to mention: we are also using the MikroTik VPN feature, L2TP/IPsec, to connect to our Remote Desktop.

(CCR1009-8G-1S-1S+)

You'll need to mark traffic coming from ISP2, so that, based on that mark, only that traffic is routed out to the internet over ISP2.
The other traffic to the internet should go over ISP1.

Added emphasis

“At this point, I can surf the webs and whatsmyip shows the new ISP IP Address”
So the outbound mark is working as intended…


So when I mark the traffic coming from ISP2, it only works on ISP2.
So, for example:
70.1.1.1 (ISP1) inbound on port 80 goes to server 192.168.3.20
When I add the NAT rule
60.1.1.1 (ISP2) inbound on port 80 goes to server 192.168.3.20
and add Mangle rule as well…

but now 70.1.1.1 no longer works for inbound, only 60.1.1.1.

I need both working, so that until DNS is updated both IPs will work.

You need to mark connections coming in on each WAN and then set a routing mark based on those connection marks:

/ip firewall mangle
# input chain: remember which WAN a connection destined to the router itself arrived on
add action=mark-connection chain=input comment="ISP1-In" in-interface=ether1 new-connection-mark="ISP1-In"
add action=mark-connection chain=input comment="ISP2-In" in-interface=ether2 new-connection-mark="ISP2-In"
# output chain: route the router's own replies via the table of the WAN the connection came in on
add action=mark-routing chain=output comment="ISP1-Out" connection-mark="ISP1-In" new-routing-mark="ISP1"
add action=mark-routing chain=output comment="ISP2-Out" connection-mark="ISP2-In" new-routing-mark="ISP2"

/ip route
# one default route per routing table; each table holds only its own ISP gateway
add distance=1 gateway=1.1.1.1 routing-mark="ISP1"
add distance=1 gateway=2.2.2.1 routing-mark="ISP2"

And as you can see, you need to add a route for ISP1 with a routing mark, as you did for ISP2.

The above will work for traffic going to the router itself only.

For forwarded traffic, "forward chain + input interface condition" for inbound and "prerouting chain + mark condition" for outbound can be used.

Oops, I copied/pasted the wrong section of code. Correct it as @sebastia stated. Sorry for my mistakes!

So I shouldn’t use those 6 lines of code?
Perhaps I should hire someone.

Here is the correct code:

/ip firewall mangle
# forward chain: remember which WAN a connection forwarded to a LAN server (dst-nat) arrived on
add action=mark-connection chain=forward comment="ISP1-In" in-interface=ether1 new-connection-mark="ISP1-In"
add action=mark-connection chain=forward comment="ISP2-In" in-interface=ether2 new-connection-mark="ISP2-In"
# prerouting chain: packets of a marked connection use the routing table of that WAN
add action=mark-routing chain=prerouting comment="ISP1-Out" connection-mark="ISP1-In" new-routing-mark="ISP1"
add action=mark-routing chain=prerouting comment="ISP2-Out" connection-mark="ISP2-In" new-routing-mark="ISP2"

/ip route
# one default route per routing table; each table holds only its own ISP gateway
add distance=1 gateway=1.1.1.1 routing-mark="ISP1"
add distance=1 gateway=2.2.2.1 routing-mark="ISP2"

You will need to edit the in-interfaces and gateways to match your configuration.

Edit: In fact, it wouldn't hurt to include my original mangle rules as well, since you are using the MikroTik as a VPN server.
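For reference, here is the combined configuration the two replies above describe, as an added example that is not code from any post in this thread. It assumes ether1 is ISP1 (public address 70.1.1.1, gateway 70.1.1.254), ether2 is ISP2 (public address 60.1.1.1, gateway 60.1.1.254), the LAN is bridge-lan with 192.168.3.0/24, the web server is 192.168.3.20 and the tester's workstation is 192.168.3.50; all of these names and addresses are placeholders for the reader's own values. It also goes slightly beyond the posted rules: connections are marked only on their first packet, the prerouting routing mark is restricted to packets entering from the LAN, and per-interface src-nat plus the dst-nat pair for both public addresses are included.

```routeros
# Added example, not from the thread. Dual-WAN on RouterOS v6 syntax:
# inbound connections answer on the WAN they arrived on, for both
# router-terminated traffic (L2TP/IPsec, WinBox) and dst-nat'd LAN servers.
# Assumed/placeholder values: ether1=ISP1 70.1.1.1 gw 70.1.1.254,
# ether2=ISP2 60.1.1.1 gw 60.1.1.254, bridge-lan=192.168.3.0/24,
# web server 192.168.3.20, test workstation 192.168.3.50.

/ip firewall mangle
# 1. Connection marks: tag each NEW inbound connection with the WAN it came in on.
#    input  = traffic to the router itself (VPN, management)
#    forward = traffic dst-nat'd through to LAN hosts
#    connection-state=new: mark once, on the first packet, never re-mark later.
add chain=input   connection-state=new in-interface=ether1 action=mark-connection \
    new-connection-mark=ISP1-In passthrough=yes comment="ISP1 -> router"
add chain=input   connection-state=new in-interface=ether2 action=mark-connection \
    new-connection-mark=ISP2-In passthrough=yes comment="ISP2 -> router"
add chain=forward connection-state=new in-interface=ether1 action=mark-connection \
    new-connection-mark=ISP1-In passthrough=yes comment="ISP1 -> LAN (dst-nat)"
add chain=forward connection-state=new in-interface=ether2 action=mark-connection \
    new-connection-mark=ISP2-In passthrough=yes comment="ISP2 -> LAN (dst-nat)"

# 2. Routing marks: replies of a marked connection use that WAN's routing table.
#    output     = the router's own replies
#    prerouting = LAN hosts' replies; in-interface=bridge-lan keeps the mark off
#                 packets arriving from the WAN side, which must stay in main.
add chain=output     connection-mark=ISP1-In action=mark-routing \
    new-routing-mark=ISP1 passthrough=no
add chain=output     connection-mark=ISP2-In action=mark-routing \
    new-routing-mark=ISP2 passthrough=no
add chain=prerouting in-interface=bridge-lan connection-mark=ISP1-In \
    action=mark-routing new-routing-mark=ISP1 passthrough=no
add chain=prerouting in-interface=bridge-lan connection-mark=ISP2-In \
    action=mark-routing new-routing-mark=ISP2 passthrough=no

# 3. The OP's step 2: only the tester's NEW outbound connections go via ISP2.
#    connection-mark=no-mark keeps this rule away from inbound (already marked)
#    connections, which is what broke ISP1 in the original setup.
add chain=prerouting in-interface=bridge-lan src-address=192.168.3.50 \
    connection-mark=no-mark action=mark-routing new-routing-mark=ISP2 \
    passthrough=no comment="test host: new outbound via ISP2"

/ip route
# One default per routing table, plus the main-table defaults (ISP1 preferred
# until cutover, ISP2 as backup). check-gateway removes a dead default.
add dst-address=0.0.0.0/0 gateway=70.1.1.254 routing-mark=ISP1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=60.1.1.254 routing-mark=ISP2 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=70.1.1.254 distance=1 check-gateway=ping \
    comment="main default: ISP1 until DNS cutover"
add dst-address=0.0.0.0/0 gateway=60.1.1.254 distance=2 check-gateway=ping \
    comment="main default backup: ISP2"

/ip firewall nat
# Same internal server reachable on both public addresses during the overlap.
add chain=dstnat dst-address=70.1.1.1 protocol=tcp dst-port=80 \
    action=dst-nat to-addresses=192.168.3.20 comment="web via ISP1"
add chain=dstnat dst-address=60.1.1.1 protocol=tcp dst-port=80 \
    action=dst-nat to-addresses=192.168.3.20 comment="web via ISP2"
# src-nat keyed on out-interface only: routing has already chosen the WAN,
# so no routing-mark condition is needed here.
add chain=srcnat out-interface=ether1 action=src-nat to-addresses=70.1.1.1
add chain=srcnat out-interface=ether2 action=src-nat to-addresses=60.1.1.1

/ip firewall filter
# Mangle/NAT do not replace the filter: only dst-nat'd connections may be
# forwarded in from either WAN; everything else from WAN is dropped.
add chain=forward connection-state=established,related action=accept
add chain=forward connection-nat-state=dstnat connection-state=new \
    in-interface=ether1 action=accept
add chain=forward connection-nat-state=dstnat connection-state=new \
    in-interface=ether2 action=accept
add chain=forward in-interface=ether1 action=drop
add chain=forward in-interface=ether2 action=drop

# Verification while testing from outside on both public addresses:
#   /ip firewall mangle print stats          (counters on the mark rules move)
#   /ip firewall connection print where connection-mark=ISP2-In
```

On RouterOS v7 the tables have to exist before the routes reference them (`/routing table add name=ISP1 fib` and the same for ISP2), and the route entries use `routing-table=ISP1` instead of `routing-mark=ISP1`; the mangle rules are unchanged. Rule order matters in the mangle prerouting chain: the two connection-mark based routing-mark rules must sit above the test-host rule, and the filter rules above are an illustration of the minimum, not a full firewall.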

I also have the same rules; the only difference is that I don't have two ISPs, I have two links to one of our PoP points, and no problems at all.