Hi, I can't figure out what is going on. I've set a second default route with a bigger distance; my goal is to mangle one specific LAN IP onto it.
Using tools/ping and specifying the source IP of the interface, I can ping the remote host within the subnet mask, so the link is working, but I can't ping 8.8.8.8: the packet is no longer sent on the link. Strange, as if there were no default route.
In the past I couldn't specify the source IP, only the interface, and it worked; now it looks like it wants to use the main gateway. What can I do?
When I mangle I see the packets going there with the proper source IP (I have masquerade NAT), but sometimes packets with the LAN source address also go there, and those packets are not NATed correctly. Why? This NAT is placed at the top of the list. I've tried to NAT the packets tagged by mangle, or by the source IP, or both.
I've also tried to mangle the packets and then NAT them, no effect: on that interface I still have packets with the LAN source IP, and they are not NATed. I've disabled passthrough, and passthrough is also removed from the filter rules.
For now, to make it work, I need to create a valid subnet on the remote host to allow reply packets coming with the LAN source IP, and completely disable that NAT on the first router.
Briefly, the mangle works, but the NAT after mangle works, let's say, 50% of the time; that makes no sense.
Not clear at all what you are trying to achieve and what you have done.
/export file=anynameyouwish (minus router serial number, any public WAN IP information, keys).
It sounds like you have ONE LAN user that you want to go out WAN2 vice WAN1??
I need one LAN IP to be mangled to a second WAN.
- I've created a new routing table, with FIB
- I've mangled that source IP to that table by routing mark
- I've added a default route to the remote WAN2 host with distance 4; I've also added the preferred source IP (the WAN2 local one) but it didn't help with the results, it's useless
- I've srcnat'ed the routing-mark-tagged packets with masquerade and placed it at the top; I also disabled passthrough and disabled Fasttrack in the filters (in case it influences anything)
With previous releases it worked, I didn't have any problem; with this release I see a mix of the LAN source IP and its NATed packets on the WAN2 link. It looks like the NAT doesn't always work and I don't understand why.
I also have a problem pinging 8.8.8.8 using the local WAN2 IP as source: with the new 7.21 the ping tool is different, I can no longer select the interface, I need to specify the source address:
targeting 8.8.8.8 doesn't send any packets into the WAN2 link and it times out
targeting the WAN2 remote it sends and I receive replies.
That's also very strange: why does mangle send there and ping not?
Forget mangling......
/routing table
add fib name=via-WAN2
/routing rules
add min-prefix=0 action=lookup-only-in-table table=main comment="allows local traffic"
add src-address=SINGLE_LAN_IP action=lookup-only-in-table table=via-WAN2
Thank you for replying and for the suggestion. I've tried your solution even if I was skeptical about it; your goal here seems to be to force routing everything from that LAN IP to the WAN2 route, and this is happening already. My problem is that on the WAN2 interface I have a mix of correctly NATted requests and the original source LAN IP, which is nonsense. Unfortunately your solution has no concrete impact on the output.
I attach the Torch output: .65.1 is the WAN2 local host address, and .1.99 is the source LAN IP.
There is only .1.99 which generates traffic here.
In my opinion the problem here is that the NAT is not processing all packets before routing; maybe this is caused by fragmentation? I have no idea.
@GiovanniG
With all due respect, we don't trust you (actually the description of what you did).
Post your FULL configuration, instructions here:
Hi, ok as you like, thank you.
This router actually has different services running, so the config is not that short. I've enabled mangle since I want it to work.
[admin@Ripasso-Sala] > /export
# 2026-01-27 02:48:12 by RouterOS 7.21.1
# software id = N52I-ZNF3
#
# model = RBcAPGi-5acD2nD
# serial number = *********************
/caps-man channel
add band=2ghz-b/g/n extension-channel=disabled frequency=2452 name=channel10
add band=5ghz-a/n/ac extension-channel=Ce frequency=5180 name=channel36
/interface bridge
add admin-mac=18:FD:74:47:70:01 auto-mac=no comment=defconf name=bridge \
port-cost-mode=short
add name=bridge-guest
/interface wireless
# managed by CAPsMAN
# channel: 2452/20/gn(14dBm), SSID: Ripasso-staff, local forwarding
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce \
disabled=no distance=indoors installation=indoor ssid=Ripasso-staff \
wireless-protocol=802.11
# managed by CAPsMAN
# channel: 5180/20-Ce/ac/P(14dBm), SSID: Ripasso-staff, local forwarding
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX \
disabled=no distance=indoors frequency=auto installation=indoor mode=\
ap-bridge ssid=MikroTik-477003 wireless-protocol=802.11
/interface wireguard
add listen-port=57946 mtu=1420 name=wireguard-Aruba
/caps-man datapath
add bridge=bridge client-to-client-forwarding=yes local-forwarding=yes name=\
bridge
add bridge=bridge-guest client-to-client-forwarding=no local-forwarding=no \
name=bridge-guest
/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm \
group-key-update=1h name=Staff
add name=Free
/caps-man configuration
add channel=channel10 country=russia4 datapath=bridge installation=indoor mode=\
ap name=2GHz-Sala security=Staff ssid=Ripasso-staff
add channel=channel36 country=russia4 datapath=bridge installation=indoor mode=\
ap name=5GHz-Sala security=Staff ssid=Ripasso-staff
add datapath=bridge-guest name=Free security=Free ssid=Ripasso-Free
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip dhcp-server option
add code=3 name=option3 value="'192.168.1.2'"
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
add hotspot-address=10.50.50.1 html-directory=flash/hotspot login-by=http-pap \
name=glhsprof radius-location-name=1f796f60 use-radius=yes
add hotspot-address=10.0.0.1 html-directory=flash/hotspot login-by=\
cookie,http-pap name=hsprof1 radius-location-name=1f796f60 use-radius=yes
/ip hotspot user profile
set [ find default=yes ] keepalive-timeout=4d
/ip pool
add name=default-dhcp ranges=192.168.1.100-192.168.1.220
add name=pool-guest ranges=10.0.0.2-10.0.0.254
add name=SSTP-pool ranges=192.168.84.2-192.168.84.200
/ip dhcp-server
add address-pool=default-dhcp interface=bridge lease-time=1d name=defconf
add address-pool=pool-guest interface=bridge-guest lease-time=1d name=guest
/ip hotspot
add address-pool=pool-guest disabled=no interface=bridge-guest name=hotspot1 \
profile=hsprof1
/ip vrf
add disabled=yes interfaces=wireguard-Aruba name=Aruba
/ppp profile
add dns-server=1.1.1.1,208.67.222.222 local-address=192.168.84.1 name=Andrea \
only-one=no remote-address=SSTP-pool use-compression=no use-encryption=yes \
use-ipv6=no use-mpls=no use-upnp=no
/interface sstp-client
add add-default-route=yes connect-to=aruba.sicurezza.ru default-route-distance=\
3 keepalive-timeout=30 name=SSTP-aruba profile=default-encryption user=\
Ripasso verify-server-address-from-certificate=no
/routing table
add disabled=no fib name=SSTP
add disabled=no fib name=Wireguard-aruba
/caps-man manager
set enabled=yes
/caps-man provisioning
add action=create-dynamic-enabled master-configuration=5GHz-Sala name-format=\
prefix-identity name-prefix=5GHz- radio-mac=18:FD:74:47:70:03 \
slave-configurations=Free
add action=create-dynamic-enabled master-configuration=2GHz-Sala name-format=\
prefix-identity name-prefix=2.4GHz- radio-mac=18:FD:74:47:70:02 \
slave-configurations=Free
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2 \
internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan1 \
internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan2 \
internal-path-cost=10 path-cost=10
add bridge=bridge ingress-filtering=no interface=ether1 internal-path-cost=10 \
path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes forward=no max-neighbor-entries=8192
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf disabled=yes interface=ether1 list=WAN
add interface=wireguard-Aruba list=LAN
add interface=SSTP-aruba list=LAN
/interface ovpn-server server
add auth=sha1,md5 mac-address=FE:FA:BB:80:23:61 name=ovpn-server1
/interface sstp-server server
set certificate="Lets encrypt1769074948" default-profile=Andrea
/interface wireguard peers
add allowed-address=0.0.0.0/0 client-allowed-address=::/0 interface=\
wireguard-Aruba name=Aruba public-key=\
"**************" responder=yes
/interface wireless cap
#
set bridge=bridge discovery-interfaces=bridge enabled=yes interfaces=\
wlan1,wlan2
/ip address
add address=192.168.1.2/24 interface=bridge network=192.168.1.0
add address=10.0.0.1/24 interface=bridge-guest network=10.0.0.0
add address=192.168.65.1/24 interface=wireguard-Aruba network=192.168.65.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=1h update-time=no
/ip dhcp-server lease
add address=192.168.1.131 client-id=1:1a:c0:16:2a:a3:84 mac-address=\
1A:C0:16:2A:A3:84 server=defconf
add address=192.168.1.99 dhcp-option=option3 mac-address=BC:6B:FF:7A:6D:96
add address=192.168.1.98 client-id=1:3a:64:df:37:b6:8b dhcp-option=option3 \
mac-address=3A:64:DF:37:B6:8B server=defconf
/ip dhcp-server network
add address=10.0.0.0/24 comment="hotspot network" gateway=10.0.0.1
add address=192.168.1.0/24 comment=defconf dns-server=\
1.1.1.1,8.8.8.8,192.168.1.1 gateway=192.168.1.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan type=A
/ip firewall filter
add action=accept chain=input disabled=yes dst-address=192.168.1.2 dst-port=\
8291 protocol=tcp
add action=accept chain=forward disabled=yes dst-address=192.168.1.2 dst-port=\
8291 protocol=tcp
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" \
disabled=yes
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related disabled=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward dst-address=192.168.1.0/24 src-address=\
10.0.0.0/24
add action=drop chain=input dst-address=192.168.1.0/24 src-address=10.0.0.0/24
/ip firewall mangle
add action=mark-routing chain=prerouting comment="Wireguard Aruba-TV" \
new-routing-mark=Wireguard-aruba passthrough=no src-address=192.168.1.99
add action=mark-routing chain=prerouting comment="Wireguard Aruba-Gio" \
disabled=yes dst-address=!192.168.1.0/24 new-routing-mark=Wireguard-aruba \
src-address=192.168.1.98
add action=mark-routing chain=prerouting comment=SSTP-TV disabled=yes \
new-routing-mark=SSTP src-address=192.168.1.99
add action=mark-routing chain=prerouting comment=SSTP-Gio disabled=yes \
dst-address=!192.168.1.0/24 new-routing-mark=SSTP src-address=192.168.1.98
/ip firewall nat
add action=masquerade chain=srcnat comment="wireguard Aruba" routing-mark=\
Wireguard-aruba
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" \
disabled=yes
add action=masquerade chain=srcnat comment=SSTP routing-mark=SSTP
add action=masquerade chain=srcnat comment="SSTP Andrea dall'Italia" disabled=\
yes src-address=192.168.84.0/24
add action=masquerade chain=srcnat comment="Public WiFi" ipsec-policy=out,none \
src-address=10.0.0.0/24
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
disabled=yes src-address=10.0.0.0/24
add action=dst-nat chain=dstnat comment="NR web" dst-address=192.168.1.2 \
dst-port=51880 protocol=tcp to-addresses=192.168.1.8 to-ports=1880
add action=src-nat chain=srcnat dst-address=192.168.1.8 dst-port=1880 protocol=\
tcp to-addresses=192.168.1.2
/ip hotspot user
add name=admin
/ip hotspot walled-garden
add comment="place hotspot rules here" disabled=yes
add dst-host=*.global-hotspot.ru
add dst-host=v8.global-hotspot.ru
add dst-host=*.glhs.ru
/ip hotspot walled-garden ip
add action=accept disabled=no dst-address=185.104.114.124
add action=accept disabled=no dst-address=185.119.59.183
add action=accept disabled=no dst-address=185.146.168.160
add action=accept disabled=no dst-address=185.189.14.125
add action=accept disabled=no dst-address=188.127.225.157
add action=accept disabled=no dst-address=188.225.18.2
add action=accept disabled=no dst-address=188.225.32.45
add action=accept disabled=no dst-address=188.225.73.64
add action=accept disabled=no dst-address=31.129.99.151
add action=accept disabled=no dst-address=45.67.56.15
add action=accept disabled=no dst-address=5.101.126.175
add action=accept disabled=no dst-address=83.220.174.225
add action=accept disabled=no dst-address=85.30.240.5
add action=accept disabled=no dst-address=87.236.23.242
add action=accept disabled=no dst-address=91.210.171.35
add action=accept disabled=no dst-address=91.230.211.75
add action=accept disabled=no dst-address=95.213.176.3
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.1.1
add disabled=yes distance=5 dst-address=0.0.0.0/0 gateway=192.168.62.1 \
routing-table=SSTP scope=30 target-scope=10
add disabled=no distance=4 dst-address=0.0.0.0/0 gateway=192.168.65.2 pref-src=\
192.168.65.1 routing-table=Wireguard-aruba scope=30 target-scope=10
/ip service
set www disabled=yes
set www-ssl certificate="Lets encrypt1769074948"
/ipv6 nd
set [ find default=yes ] advertise-dns=yes
/ppp secret
add name=Andrea profile=Andrea service=sstp
/radius
add address=109.68.214.124 require-message-auth=no service=hotspot timeout=3s
add address=62.113.98.21 require-message-auth=no service=hotspot timeout=3s
/routing bfd configuration
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5
/system clock
set time-zone-name=Europe/Moscow
/system identity
set name=Ripasso-Sala
/system leds settings
set all-leds-off=after-1h
/system ntp client
set enabled=yes
/system ntp client servers
add address=193.204.114.232
add address=194.190.168.1
/system routerboard mode-button
set enabled=yes on-event=dark-mode
/system routerboard settings
# Warning: cpu not running at default frequency
set cpu-frequency=716MHz
/system scheduler
add disabled=yes interval=1m name=monv8_up on-event=":local resoult (\"mon_up\?t\
ype=routeros&uuid=76a73e1bc9c05b3536cc3089fa594924&plid=1f796f606cd14f9f5d34\
b7466c76b477&mac_e0=\".[/interface ethernet get 0 mac-address].\"&identity=\
\".[/system identity get name].\"&curtime=\".[/system clock get time].\"&upt\
ime=\".[/system resource get uptime].\"&cpu_load=\".[/system resource get cp\
u-load].\"&board_name=\".[/system resource get board-name].\"&free_memory=\"\
.[/system resource get free-memory]);local bEncoded;for i from=0 to=([:len \
\$resoult] - 1) do={:local char [:pick \$resoult \$i];if (\$char = \" \") do\
={ :set \$char \"_\"};set bEncoded (\$bEncoded . \$char) }; /tool fetch keep\
-result=no mode=http address=mik.hm.v8.global-hotspot.ru host=mik.hm.v8.glob\
al-hotspot.ru src-path= \$bEncoded" policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive start-date=\
1970-01-01 start-time=01:00:00
/system script
add comment=defconf dont-require-permissions=no name=dark-mode owner=*sys \
policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
source="\r\
\n :if ([system leds settings get all-leds-off] = \"never\") do={\r\
\n /system leds settings set all-leds-off=immediate \r\
\n } else={\r\
\n /system leds settings set all-leds-off=never \r\
\n }\r\
\n "
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
[admin@Ripasso-Sala] >
Well, what is clear is that your original post in no way, shape or form resembles the config.
There is only one WAN, coming in on ether1, but you have no DHCP set for it, and no IP address for it, and to make matters worse you have ether1 on one of the TWO bridges.
Funny thing to make a cAP ac into a router; it's possible I guess but not my first choice.
So in reality you have one WAN but wish to push one IP through wireguard for TV it seems.
Why do you think the input chain is the place for a rule like this?
add action=drop chain=input dst-address=192.168.1.0/24 src-address=10.0.0.0/24
It's also not clear what your wireguard connects to?? 3rd party VPN server?
Don't think so, but I see no endpoint address or endpoint port to indicate your device is a client peer for a handshake??????
Furthermore you have no input chain rule for the handshake even if you were the server.........
So we need clarity on what is going on with Wireguard, since if a client you need to get rid of responder, enter the endpoint information and add persistent keepalive, just for starters.
The wireguard would be part of the WAN interface list and then you wouldn't need any NAT rule for it.
Speaking of NAT rules, they are all over the map and look wrong!
Very rare, and frankly I cannot recall seeing routing marks in NAT rules, so for starters get rid of them.
I don't see a NAT rule for normal WAN traffic??
Old default static DNS should be removed:
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan type=A
Some funky NAT rules, dst/src nat, but I will assume you are doing something with a purpose there.
In summary, still no need for mangling that I can see to move a single LAN IP out the wireguard tunnel as I described.
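As an added, editor-supplied example (not anav's rule set above, not the poster's export, and not something the thread itself verified), here is the complete mangle-free layout that anav's two posts sketch, written against the names in the export: wireguard-Aruba is the WAN2 tunnel, 192.168.65.2 the remote peer, 192.168.65.1 the local tunnel address and 192.168.1.99 the TV. The table name via-WAN2 is anav's; the out-interface srcnat match, the use of action=lookup for the main-table rule, and the connection flush are my assumptions and recommendations.

```routeros
# Added example, not the poster's configuration. Names from the export:
# wireguard-Aruba (WAN2 tunnel), 192.168.65.2 (remote tunnel peer),
# 192.168.65.1 (local tunnel address), 192.168.1.99 (the TV).
# Table name via-WAN2 is anav's; everything else here is an assumption.

# 1. A dedicated routing table with its own FIB, holding only the WAN2 default.
/routing table
add fib name=via-WAN2
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.65.2 routing-table=via-WAN2 \
    comment="WAN2 default, reached only through the routing rule below"

# 2. Routing rules, evaluated in order for every new route lookup.
#    min-prefix=0 suppresses the main table's 0.0.0.0/0, so the first rule
#    only yields a result for connected/static destinations (192.168.1.0/24,
#    10.0.0.0/24, the SSTP pool ...). With action=lookup a suppressed or
#    missing route falls through to the next rule instead of failing.
/routing rule
add action=lookup min-prefix=0 table=main \
    comment="LAN-to-LAN stays in main"
#    lookup-only-in-table means: if the tunnel route is gone (tunnel down),
#    the TV's traffic is unreachable rather than leaking out the main gateway.
add src-address=192.168.1.99/32 action=lookup-only-in-table table=via-WAN2 \
    comment="TV: everything else out WAN2, never via the main gateway"

# 3. Source NAT keyed on the egress interface, not on a routing mark.
#    A srcnat rule is consulted once, for the first packet of a connection;
#    the result is stored in the connection-tracking entry and reused for
#    every later packet of that connection in both directions.
/ip firewall nat
add chain=srcnat out-interface=wireguard-Aruba action=masquerade \
    comment="anything leaving the tunnel gets 192.168.65.1 as source"

# 4. Connections that were already tracked when the NAT rule or the route
#    was added (or while NAT was disabled) keep their un-NATed state and
#    keep leaving WAN2 with 192.168.1.99 as source. Flush them once:
/ip firewall connection remove [find src-address~"^192.168.1.99:"]

# 5. Verification from the router itself. The %interface suffix selects the
#    egress interface directly (the field the 7.21 ping dialog dropped).
/ping 8.8.8.8%wireguard-Aruba src-address=192.168.65.1 count=3
/tool sniffer quick interface=wireguard-Aruba ip-address=192.168.1.99
# The sniffer should show no packets sourced from 192.168.1.99 on the
# tunnel; any that remain belong to pre-existing conntrack entries (step 4).
```

The point of step 3 and 4 is the check a practitioner wants before blaming NAT itself: because the NAT decision is taken per connection, not per packet, a mix of NATed and un-NATed packets on the same link is what you would expect when long-lived TV connections were opened before the rule existed, or while the rule was disabled during testing.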
Being sincere, I knew the config was quite rich and it raises other questions that have no impact, but make us lose time. This is why I wasn't happy to post it.
There is only one MikroTik in this place, and it's enough for it; no sense to spend more money.
This XL gives wifi to staff, wifi to clients (connected to the second bridge), a VPN for the TV by wireguard (only when it is needed!)
No need to use this MikroTik as gateway/NAT; the gateway is the main router. The frames come from the TV to the XL as it is specified as a fake gateway by DHCP (option 3); these internet requests are simply redirected to the gateway (when the mangle is not working). The gateway is on the same LAN and forwards the answer directly to the TV by its IP/ARP, no need to NAT these requests, it works.
The wireguard is a VPN; it works as a receiver for some reasons, don't worry about that. I assure you the link works as a physical WAN2, and on it there is a default route.
The static DNS has no influence on this problem, I forgot about that; I deleted it.
I need to mangle: without that the traffic will go to the default route, and I only know this way to force routing to WAN2. A simple NAT in these cases will not help; it is needed to force a route, as far as I know.
Let's please focus exactly on the problem I have: the mangle works, it forces routing of all packets to WAN2, no questions about that, I'm happy with that, it works as expected. The problem is that not all those packets are NATed; I can say only 50% of them are NATed, the others have the source IP of the TV. Why? That makes no sense.
Another problem with version 7.21.1: the tools/ping changed. From the router I can't send ICMP packets to 8.8.8.8 over WAN2 using the source address of WAN2, but I can ping the WAN2 remote host, the next hop; those packets are sent on the WAN2 link. The ping is wrongly following the main table instead of the interface I specified by the WAN2 source address.
In this OS version I can no longer select the source interface, they changed the ping window. Is this in the end a bug? It looks like it! And the missing NAT can be a bug too.
Wish I could help, it's beyond my scope of knowledge. Not sure how one can route traffic if not using the MT as a router??
About the ping change, you can use the percentage sign to select interface, see:
Tools -> Ping: interface field is missing
Not necessarily applying to your setup but, generally speaking, you can consider routing rules/policy routing as a "better" (but coarser) kind of sieve: IF what is needed can be done with routing rules, it should be done with them, and mangling should be reserved for what CANNOT be done with routing rules.
If the "strange" NAT behaviour remains the same with either your mangles or with the set of routing rules anav suggested, it should mean that the issue is somewhere else.
When this kind of things happen, i.e. something works with version x but suddenly breaks with version y, it is very difficult to understand if it worked before because of a subtle bug that was fixed by the new release or if it fails now because of a new bug introduced in the new release.
If you are sure that exactly the SAME configuration works with a 7.20x version and now it doesn't work anymore with 7.21.x, you should open a ticket with Mikrotik support about the matter.
Thank you, this problem is now solved, the ping works and I see it going on WAN2
I used 8.8.8.8%wireguard-Aruba
Thank you mate, MikroTik is powerful, many things can be done with it; you just focus on the protocols and you may find different solutions.
In my case I've created a fake gateway, so by the ARP table the TV is sending to the MikroTik, with its IP, TV (source):internet (destination); the XL has nothing to do with this packet and it sends it to its main gateway. The gateway cares about the source IP only, not the source ethernet frame address, and it correctly replies back to the TV according to its ARP table.
In this way, when I mangle, the XL routes the packets to WAN2, expecting to NAT them all. NAT by source IP works badly, as does NAT on a routing-marked packet.
The main topic here is that the router is effectively mangling and marking the packets, because it forces them to route to WAN2, but sometimes it is missing the NAT before sending, and that makes no sense.
Sorry, I was editing my previous post while you replied, please read the newly edited version,
I've read, thanks,
Do you think I can easily downgrade? Because upgrading to 7.21 needs 7.20.7 before, and this makes me worried about losing the actual config.
To downgrade, is it just necessary to upload the other firmware into Files and reboot?
It is one of the few cases where the extremely terse - not to say scarce - official Mikrotik documentation is enough:
Remember that you need ALL the corresponding "extra" (if any) packages you have installed now uploaded.
In any case do BOTH a backup and an export before attempting a downgrade.
That device has only 16 MB of storage, so it has to be seen if you have enough space.
Otherwise you will need a netinstall (which is a huge PITA).
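As an added example (not jaclaz's or the poster's commands, and not from the thread) of the checks just described, typed on the router before a downgrade; all commands are standard RouterOS, the file name pre-downgrade is arbitrary.

```routeros
# Added example; file name pre-downgrade is arbitrary.

# Both a binary backup and a text export, as advised. dont-encrypt=yes keeps
# the backup restorable without remembering which password encrypted it.
/system backup save name=pre-downgrade dont-encrypt=yes
/export file=pre-downgrade

# Every installed package needs a matching older .npk uploaded, not just
# the main one; this lists what is installed and at which version.
/system package print

# Free flash on the 16 MB board before uploading anything, and the packages
# present in Files afterwards.
/system resource print
/file print where type=package

# Installs the uploaded older packages and reboots; asks for confirmation.
/system package downgrade
```

If free-hdd-space reported by /system resource print is smaller than the .npk files to upload, the downgrade cannot be done this way and netinstall is the remaining route, as noted above.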
Yes, better to avoid netinstall. I'll have a look; at this time I'm full of work, and the problem I've temporarily solved by removing NAT, letting all packets go wrongly to WAN2 and configuring a subnet compatible with the remote host that allows NAT to the internet; that's nasty but works.
I'm also going to open a report officially
