 
Tweeder
just joined
Topic Author
Posts: 4
Joined: Tue Aug 18, 2015 10:28 pm

VPN Address List

Sun Sep 10, 2017 10:07 am

Hey Guys

I am quite new to MikroTik but have accomplished a lot following the forum posts.

I have a small or maybe big scenario.

I have 2 VPN connections on my MikroTik. I can make single IP and multiple IP addresses work through either VPN connection. I now created 2 address lists of specific website addresses which I want to connect through either the one or the other VPN. Problem is that when I create a mangle rule to route address list1 to VPN1 and address list2 to VPN2, then it only uses the first and routes the traffic from address list2 to VPN1 as well.

So basically what I want is that PC with IP address 192.168.88.2 routes all traffic from address list1 to VPN1 and address list2 to VPN2. But it seems that Rule1 takes priority.
 
lambert
Long time Member
Posts: 548
Joined: Fri Jul 23, 2010 1:09 am

Re: VPN Address List

Sun Sep 10, 2017 10:12 am

Please, show your work. We cannot divine the answer without seeing your rules.
 
Tweeder
just joined
Topic Author
Posts: 4
Joined: Tue Aug 18, 2015 10:28 pm

Re: VPN Address List

Sun Sep 10, 2017 10:04 pm

lambert wrote: Please, show your work. We cannot divine the answer without seeing your rules.
Here we go, hope this helps. I cut out everything unnecessary.


/interface bridge
add admin-mac=4C:5E:0C:F5:99:1F auto-mac=no name=Bridge-Local
/interface ethernet
set [ find default-name=ether3 ] comment="MASTER LAN PORT" mac-address=\
4C:5E:0C:F5:99:20 name=Port3-slave-local
set [ find default-name=ether4 ] mac-address=4C:5E:0C:F5:99:21 master-port=\
Port3-slave-local name=Port4-slave-local
set [ find default-name=ether5 ] mac-address=4C:5E:0C:F5:99:22 master-port=\
Port3-slave-local name=Port5-slave-local
set [ find default-name=ether1 ] comment="ADSL" mac-address=\
4C:5E:0C:F5:99:1E name=WAN-1
set [ find default-name=ether2 ] comment="LTE" mac-address=\
4C:5E:0C:F5:99:1F name=WAN-2

/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc

/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254

/ip dhcp-server
add add-arp=yes address-pool=dhcp always-broadcast=yes disabled=no interface=\
Bridge-Local lease-time=2d name=default

/interface l2tp-client
add comment="VPN1" connect-to=\
22.222.222.22 disabled=no ipsec-secret=xxxxxxx mrru=1600 name=\
VPN1-L2TP password=xxxxxxx profile=VPN1 use-ipsec=yes user=xxxxxxx
add comment="VPN2" connect-to=11.111.111.11 \
disabled=no ipsec-secret=xxxxxxx mrru=1600 name="VPN2-L2TP" \
password=xxxxxxx profile=VPN2 use-ipsec=yes user=xxxxxxx

/interface bridge port
add bridge=Bridge-Local interface=Port3-slave-local
add bridge=Bridge-Local interface=wlan1

/ip address
add address=192.168.88.1/24 comment="default configuration" interface=\
Bridge-Local network=192.168.88.0

/ip dhcp-client
add comment="ADSL" default-route-distance=0 dhcp-options=\
hostname,clientid disabled=no interface=WAN-1
add comment="LTE" dhcp-options=hostname,clientid interface=WAN-2
"Mikrotik Wireless" mac-address=4C:5E:0C:1B:E9:4A server=default

/ip dhcp-server network
add address=192.168.88.0/24 comment="default configuration" dns-server=\
192.168.88.1 gateway=192.168.88.1

/ip dns
set allow-remote-requests=yes servers=\
8.8.8.8,8.8.4.4

/ip dns static
add address=10.0.0.1 name=router

/ip firewall address-list
add address=80.8.88.5 list="LIST1"
add address=9.14.21.1 list="LIST1"
add address=1.5.14.7 list="LIST1"
add address=6.2.4.1 list="LIST1"
add address=4.1.5.7 list=LIST2
add address=1.1.4.3 list=LIST2
add address=2.21.3.1 list=LIST2
add address=25.2.3.3 list=LIST2

/ip firewall filter
add action=accept chain=input comment="default configuration" protocol=icmp
add action=accept chain=input comment="default configuration" \
connection-state=established,related

/ip firewall mangle
add action=mark-routing chain=prerouting comment=\
"VPN2" dst-address-list=\
LIST1 new-routing-mark=VPN1 passthrough=yes src-address=\
192.168.88.2
add action=mark-routing chain=prerouting comment=\
"VPN2" dst-address-list=\
LIST2 new-routing-mark=VPN2 passthrough=yes src-address=\
192.168.88.2


/ip firewall nat
add action=masquerade chain=srcnat out-interface=WAN-1
add action=masquerade chain=srcnat disabled=yes out-interface=WAN-2
add action=masquerade chain=srcnat comment=\
"VPN1" out-interface=VPN1-L2TP
add action=masquerade chain=srcnat comment=\
"VPN2" out-interface="VPN2-L2TP"


/ip route
add comment="VPN2" distance=1 gateway=VPN2-L2TP \
routing-mark=VPN2
add comment="VPN1" distance=1 gateway=VPN1-L2TP \
routing-mark=VPN1
 
lambert
Long time Member
Posts: 548
Joined: Fri Jul 23, 2010 1:09 am

Re: VPN Address List

Mon Sep 11, 2017 4:36 am

I don't see anything wrong without loading it into an actual router. I don't do a lot of policy based routing. I may just be missing something obvious.

You might try coming up with a couple of benign test websites which only use one IP address and use it consistently. Add one to each list and show us traceroutes from 192.168.88.2 to each of those addresses so that we see that they do or do not transit the same path.

Maybe show us
/ip route print detail
Hopefully, you've not removed other mangle and route rules from your post.
 
jspool
Member
Posts: 469
Joined: Sun Oct 04, 2009 4:06 am
Location: Oregon

Re: VPN Address List

Mon Sep 11, 2017 5:24 am

lambert wrote: Please, show your work. We cannot divine the answer without seeing your rules.
"We cannot divine the answer" :lol: Priceless. It's always the same no info but expecting all of the answers.

Also, I don't think there is any point to having passthrough enabled after marking the route.
And always make sure to clear the connections when trying out changes to mangle rules. Sometimes connection tracking will mess with you a little bit.
 
Tweeder
just joined
Topic Author
Posts: 4
Joined: Tue Aug 18, 2015 10:28 pm

Re: VPN Address List

Thu Sep 14, 2017 5:57 pm

OK, tested with 2 addresses on the one list and 2 on the other, and then all is working. So I need to check my lists for duplicates.

Sent from my SM-N920C using Tapatalk
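The thread ends with the poster deciding to check the two address lists for duplicates, since an address that appears in both lists will match the first mangle rule and never reach the second. The script below is an added example, not code from the thread or from MikroTik: it parses the `/ip firewall address-list` section of a RouterOS export (rejoining the backslash-wrapped lines the export produces) and reports every pair of entries in different lists that overlap, including a host address inside a subnet entry. The sample export is constructed from the lists posted above with one hypothetical `9.14.21.0/24` entry added to LIST2 to show an overlap being caught.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: the address-list section from the export in this thread,
# plus a hypothetical 9.14.21.0/24 entry in LIST2 that overlaps 9.14.21.1 in LIST1.
SAMPLE_EXPORT = r'''
/ip firewall address-list
add address=80.8.88.5 list="LIST1"
add address=9.14.21.1 list="LIST1"
add address=1.5.14.7 list="LIST1"
add address=6.2.4.1 list="LIST1"
add address=4.1.5.7 list=LIST2
add address=1.1.4.3 list=LIST2
add address=2.21.3.1 list=LIST2
add address=25.2.3.3 list=LIST2
add address=9.14.21.0/24 list=\
    LIST2
/ip firewall filter
add action=accept chain=input protocol=icmp
'''


def join_continuations(text):
    """RouterOS exports wrap long commands with a trailing backslash; rejoin them."""
    lines = []
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        lines.append(buf + line)
        buf = ""
    if buf:
        lines.append(buf)
    return [l for l in lines if l]


def parse_address_lists(text):
    """Return {list_name: [ip_network, ...]} from the /ip firewall address-list section."""
    lists = defaultdict(list)
    section = None
    for line in join_continuations(text):
        if line.startswith("/"):
            section = line          # a new menu path starts a new section
            continue
        if section != "/ip firewall address-list" or not line.startswith("add "):
            continue
        # Keys may be quoted or bare; the lookbehind avoids matching e.g. dst-address-list=
        addr = re.search(r'(?<![\w-])address=("?)([^"\s]+)\1', line)
        name = re.search(r'(?<![\w-])list=("?)([^"\s]+)\1', line)
        if not (addr and name):
            continue
        try:
            net = ipaddress.ip_network(addr.group(2), strict=False)
        except ValueError:
            # RouterOS also accepts DNS names in address lists; those are
            # resolved on the router, so we cannot compare them offline.
            continue
        lists[name.group(2)].append(net)
    return dict(lists)


def find_overlaps(lists):
    """Every (listA, entryA, listB, entryB) where entries in different lists share an address."""
    names = sorted(lists)
    hits = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            for na in lists[a]:
                for nb in lists[b]:
                    if na.overlaps(nb):
                        hits.append((a, str(na), b, str(nb)))
    return hits


if __name__ == "__main__":
    parsed = parse_address_lists(SAMPLE_EXPORT)
    for name, nets in parsed.items():
        print(f"{name}: {len(nets)} entries")
    for a, na, b, nb in find_overlaps(parsed):
        print(f"overlap: {a} {na} <-> {b} {nb}")
```

Run it against the output of `/export` saved to a file; any line it prints is an address that will be caught by whichever mangle rule comes first, regardless of which list it was meant for. Host entries are normalised to `/32` so that they compare correctly against subnet entries.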
