Otunmusa
just joined
Topic Author
Posts: 5
Joined: Fri Mar 08, 2019 2:05 pm

How to reach RouterOs (web or Winbox) via my static ip address from outside network

Fri Mar 08, 2019 2:28 pm

I have a MikroTik RB2011u with two WANs on different ISPs.

WAN1 - Dynamic (192.168.1.x/24) on Ether1
WAN2 - Static (129.x.x.x/24) on Ether2
Every other port and Wlan - Bridge (192.168.8.x/24)

NAT
I have two firewall NAT rules:
CHAIN-srcnat outinterface-ether1 action-masquerade
CHAIN-srcnat outinterface-ether2 action-masquerade

and routes via ether1 with distance=1 and ether2 with distance=2.

But for some reason, if I type my IP address 129.x.x.x from an outside network I keep getting "this page cannot be reached".

But I can reach it from any device on the bridge.

I'm trying to get the bridge to access the internet through Ether1 (dynamic WAN ISP), which works fine, and access from an outside network should come in through Ether2 (static WAN ISP), which is the main problem.

Thank you in advance
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: How to reach RouterOs (web or Winbox) via my static ip address from outside network

Fri Mar 08, 2019 3:49 pm

Read this nice article:

https://wiki.mikrotik.com/wiki/Manual:PCC

Don't pay much attention to load balancing, but focus on how connections and routing are marked and why (it's explained there).
 
anav
Forum Guru
Posts: 19363
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: How to reach RouterOs (web or Winbox) via my static ip address from outside network

Sat Mar 09, 2019 5:28 am

Are you seriously stating you want to access winbox by WANIP i.e. from external to the router?
If so did you have a lobotomy recently??
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: How to reach RouterOs (web or Winbox) via my static ip address from outside network

Sat Mar 09, 2019 6:21 am

While pointing out that it might not be the best idea, because trust in the security of WinBox has been shaken, it wasn't exactly a friendly response, you know? ;)
 
Jotne
Forum Guru
Posts: 3300
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: How to reach RouterOs (web or Winbox) via my static ip address from outside network

Sat Mar 09, 2019 8:40 am

You should set up a VPN on your router that connects to a central site.
Then you connect from the central site through your VPN to your router using WinBox.

But if that is not an option, take care if you open WinBox on the outside IP.

1. Use a good and very strong username/password
2. Make sure RouterOS is updated to the latest version
3. Do not use the default port 8291, use another.
4. Use port knocking (search the forum on how to do it)
5. Send all your logs to an external server (see my signature on how to use Splunk with MikroTik RouterOS)
6. Think once again whether you really need the WinBox port open

Many, many RouterOS devices have been hacked due to weaknesses in older RouterOS software.
Last edited by Jotne on Sat Mar 09, 2019 7:46 pm, edited 1 time in total.
 
anav
Forum Guru
Posts: 19363
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: How to reach RouterOs (web or Winbox) via my static ip address from outside network

Sat Mar 09, 2019 2:35 pm

> You should set up a VPN on your router that connects to a central site.
> Then you connect from the central site through your VPN to your router using WinBox.
>
> But if that is not an option, take care if you open WinBox on the outside IP.
>
> 1. Use a good and very strong username/password
> 2. Make sure RouterOS is updated to the latest version
> 3. Do not use the default port 8291, use another.
> 4. Use port knocking (search the forum on how to do it)
> 5. Send all your logs to an external server (see my signature on how to use Splunk with MikroTik RouterOS)
> 6. Think once again whether you really need the WinBox port open
>
> Many, many RouterOS devices have been hacked due to weakness in the RouterOS software.

Hi Sob, sorry mate, I call it as I see it. I am no politician; it's the same person that will come back and claim that MT doesn't secure their device properly................

As for Jotne, comments like yours keep myths alive, and for Sob's sake I will continue my forthright tone!!
Please delete your last sentence; it is NOT accurate, or incur some well-deserved anti-accolades. :-)
The only weakness has been complete effing morons claiming to be IT admins that do not secure access to the router via WinBox from external access via proper methods.
 
anav
Forum Guru
Posts: 19363
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: How to reach RouterOs (web or Winbox) via my static ip address from outside network

Sat Mar 09, 2019 2:49 pm

Sob, just pretend we are in a bad movie, you are the good cop and I am the bad cop. ;-)

Let's practice.......
Me
"If the OP is offended, he can go cry to his momma." :-)
You
"Don't listen to him, he is still learning routerOS and is frustrated but means well. All you have to do to forward your router to hackers and North Koreans is to
publish your WANIP your gateway IP here and then create the following very easy and simple rules:
input chain rule as your first rule
add chain=input action=accept in-interface=WAN, and then
in your forward chain as the first rule
add chain=input action=accept in-interface=WAN

You and everyone else will be happily able to access your router, servers and pc without any difficulty.

OP
Oh thank you Sob, you are my new BFF!!
Do you have a gofundme page I can donate to?
 
Jotne
Forum Guru
Posts: 3300
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: How to reach RouterOs (web or Winbox) via my static ip address from outside network

Sat Mar 09, 2019 7:48 pm

> Please delete your last sentence; it is NOT accurate, or incur some well-deserved anti-accolades. :-)
> The only weakness has been complete effing morons claiming to be IT admins that do not secure access to the router via WinBox from external access via proper methods.

Rewrote the last line :)
 
anav
Forum Guru
Posts: 19363
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: How to reach RouterOs (web or Winbox) via my static ip address from outside network

Sat Mar 09, 2019 8:26 pm

Hahaha, not quite right, change it to this.......... and bend to my will!!
"Many, many RouterOS devices have been hacked due to weaknesses in older RouterOS software, that were exploited when admins failed to configure their routers in a secure manner."
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: How to reach RouterOs (web or Winbox) via my static ip address from outside network

Sat Mar 09, 2019 9:23 pm

Well, that's what MikroTik said, but it's not entirely accurate. Sure, it's safest to block everything, but if you need some access to the router, you have to open something. And whether it's the port for WinBox or your favourite VPN protocol, it's the same in principle: any of those can have exploitable bugs. A VPN is/should be probably a little safer, because it's at least a standard protocol, and if it's designed well, only the implementation can be messed up. With its own secret protocol (as WinBox uses) there can be mistakes in both implementation and design. And even though a standard (open) protocol can have design flaws too, more people inspect it and there's a higher chance of finding them.

And about being nice, I'm just saying that if someone's new here, it's better to explain things and reasons, rather than jump to lobotomy comments. Think about it, would we enjoy your company here now, if we had welcomed you like this? :)
 
anav
Forum Guru
Posts: 19363
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: How to reach RouterOs (web or Winbox) via my static ip address from outside network

Sat Mar 09, 2019 9:41 pm

> Well, that's what MikroTik said, but it's not entirely accurate. Sure, it's safest to block everything, but if you need some access to the router, you have to open something. And whether it's the port for WinBox or your favourite VPN protocol, it's the same in principle: any of those can have exploitable bugs. A VPN is/should be probably a little safer, because it's at least a standard protocol, and if it's designed well, only the implementation can be messed up. With its own secret protocol (as WinBox uses) there can be mistakes in both implementation and design. And even though a standard (open) protocol can have design flaws too, more people inspect it and there's a higher chance of finding them.
>
> And about being nice, I'm just saying that if someone's new here, it's better to explain things and reasons, rather than jump to lobotomy comments. Think about it, would we enjoy your company here now, if we had welcomed you like this? :)

I would have gotten the point right away instead of trying to figure out the truth from politically correct nonsense LOL.
Yes, I could have chosen more pleasant words! Thanks for the reminder to be civil. Next time I will have a coffee first, then wake up, and then type.
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: How to reach RouterOs (web or Winbox) via my static ip address from outside network

Sat Mar 09, 2019 9:53 pm

> ... politically correct nonsense ...

Be careful with such serious accusations! ;)
 
Otunmusa
just joined
Topic Author
Posts: 5
Joined: Fri Mar 08, 2019 2:05 pm

Re: How to reach RouterOs (web or Winbox) via my static ip address from outside network

Mon Mar 11, 2019 1:31 pm

> Read this nice article:
>
> https://wiki.mikrotik.com/wiki/Manual:PCC
>
> Don't pay much attention to load balancing, but focus on how connections and routing are marked and why (it's explained there).

Hi Sob,

Thanks for the reply. I have done everything from the post, but I notice I can only access the router from an outside network if that outside network is itself behind a MikroTik.

Please, do you know why this is?
 
Otunmusa
just joined
Topic Author
Posts: 5
Joined: Fri Mar 08, 2019 2:05 pm

Re: How to reach RouterOs (web or Winbox) via my static ip address from outside network

Mon Mar 11, 2019 2:43 pm

I see the source IP address if I run Torch on my WAN IP, but no connection is established.
 
anav
Forum Guru
Posts: 19363
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: How to reach RouterOs (web or Winbox) via my static ip address from outside network

Mon Mar 11, 2019 3:01 pm

Otun,
Is what you mean or asking........ how to reach your LAN or servers, when ON the LAN but using your WANIP to do so??

If that is the case, what you need to do is use HAIRPIN NAT.
You will find it in the wiki, and there is also a very good YouTube tutorial by stevocee.
 
Van9018
Long time Member
Posts: 558
Joined: Mon Jun 16, 2014 6:26 pm
Location: Canada - Abbotsford

Re: How to reach RouterOs (web or Winbox) via my static ip address from outside network

Mon Mar 11, 2019 11:46 pm

Otunmusa, by default the Mikrotik won't remember which ISP your outside request came in on. So you connect to the IP of ISP2, and your port forwarding rules forward to your web server. Then your webserver replies, but the Mikrotik will send the packets out on ISP1. This is a broken connection.

You have to create mangle rules.
1. When a new-connection comes in on ISP2 (in-interface=ether2), then action=mark-connection, connection-mark=ISP2
2. When the server replies, packets come in on the bridge1 interface. At this point they will go out on ISP1... so create another mangle rule that says:
When connection-mark=ISP2 and in-interface=bridge1, set routing-mark=ISP2.
This will mark each packet.
3. Finally, you need to have a default route setup for ISP2 that says when packets match 0.0.0.0/0, it should send to your ISP2 gateway. In the route, you can specify a routing mark, set it to ISP2.

When the Mikrotik chooses which route to send packets out, it will choose the most restrictive route. So now, packets belonging to a connection that is established on ISP2 will also go out ISP2.

Hope I understood your question?
 
Van9018
Long time Member
Posts: 558
Joined: Mon Jun 16, 2014 6:26 pm
Location: Canada - Abbotsford

Re: How to reach RouterOs (web or Winbox) via my static ip address from outside network

Mon Mar 11, 2019 11:53 pm

> I see the source IP address if I run Torch on my WAN IP, but no connection is established.

Next would be to Torch bridge1; you should see packets forwarding to your web server. If not, check your NAT (port forwarding) rules.
On the same Torch, you should see packets coming from your web server. If not, check the firewall rules on the PC (are they LAN only?), or any connection filter rules in your web server.
Next run Torch on ISP2 again; if the reply packets aren't going out, then run Torch on ISP1. If you see the packets going out there, then check your mangle rules, routing marks and routes.
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: How to reach RouterOs (web or Winbox) via my static ip address from outside network

Tue Mar 12, 2019 3:44 am

@Otunmusa: If you think you configured connection and route marking correctly, but it still doesn't work and you don't see what's wrong, you can export and post your config.
 
Otunmusa
just joined
Topic Author
Posts: 5
Joined: Fri Mar 08, 2019 2:05 pm

Re: How to reach RouterOs (web or Winbox) via my static ip address from outside network

Wed Mar 13, 2019 9:11 pm

# mar/13/2019 11:47:13 by RouterOS 6.44
# software id = ABY1-BL9J
#
# model = 2011UiAS-2HnD
# serial number = 91E10A817B74
/interface bridge
add name=bridge
/interface ethernet
set [ find default-name=ether1 ] comment=IPNX name=ether1-WAN1 speed=100Mbps
set [ find default-name=ether2 ] comment="OTHER NETWORK" name=ether2-WAN2 \
speed=100Mbps
set [ find default-name=ether3 ] comment=LAN speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
set [ find default-name=ether6 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether7 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether8 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether9 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether10 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" management-protection=\
allowed mode=dynamic-keys name=profile1 supplicant-identity="" \
wpa-pre-shared-key=aril01forall wpa2-pre-shared-key=aril01forall
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n disabled=no frequency=auto \
mode=ap-bridge security-profile=profile1 ssid=ARIL wireless-protocol=\
802.11
/ip firewall layer7-protocol
add name=Facebook regexp=www.facebook.com
add name="facebook mobile" regexp=fb.com
add name="facebook mobile2" regexp=m.facebook.com
add name=instagram regexp=www.instagram.com
add name="All blocked sites" regexp="^.+(thepiratebay.org|xpau.se|www.facebook\
.com|www.lindaikejisblog.com|www.instagram.com|www.irokotv.com|www.ibakatv\
.com|www.stelladimokokorkus.com|123movieswww.|thepiratebay.pet).*\$"
add name=torrentsites regexp="^(\\x13bittorrent protocol|azver\\x01\$|get /scr\
ape\\\?info_hash=get /announce\\\?info_hash=|get /client/bitcomet/|GET /da\
ta\\\?fid=)|d1:ad2:id20:|\\x08'7P\\)[RP]\r\
\n"
add name=Youtube regexp=\
"^..+\\.(youtube.com|googlevideo.com|akamaihd.net).*\$"
add name=movie regexp=\
"^.+(104.31.18.30|xpau.se|www.tfp.is|www.o2tvseries.com).*\$"
add name="IDM Block" regexp="get /.*(user-agent: mozilla/4.0|range: bytes=)"
add name="All Video files" regexp="^.*get.+\\\\.(webm|mkv|flv|flv|vob|ogv|ogg|\
dr\\c|gifv|mng|avi|mov|qt|wmv|yuv|rm|rmvb|asf|amv|mp4|m4p|m4v|mpg|mp2|mpeg\
|mpe\\|mpv|mpg|mpeg|m2v|m4v|svi|3gp|3g2|mxf|roq|nsv|flv|f4v|f4p|f4a|f4b).*\
\\\$\""
/ip pool
add name=dhcp_pool0 ranges=192.168.8.2-192.168.8.160
add name=dhcp_pool1 ranges=192.168.8.2-192.168.8.160
add name=dhcp_pool2 ranges=192.168.8.160-192.168.8.254
add name=dhcp ranges=192.168.8.81-192.168.8.254
add name=dhcp_pool4 ranges=192.168.8.161-192.168.8.254
add name=vpn ranges=192.168.89.2-192.168.89.255
/ip dhcp-server
add address-pool=dhcp_pool4 disabled=no interface=bridge lease-time=1m name=\
dhcp1
/ppp profile
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
/queue tree
add max-limit=125k name="Youtube Download (Lower)" packet-mark=\
"youtube_dw_pk(lower)" parent=global queue=pcq-download-default
add max-limit=125k name="Youtube Upload (lower)" packet-mark=\
"youtube_up_pk(lower)" parent=global queue=pcq-upload-default
add max-limit=1k name="Torrent Download (lower)" packet-mark=\
"torrent_dw_pk(lower)" parent=global queue=pcq-download-default
add max-limit=1k name="Torrent Upload (lower)" packet-mark=\
"torrent_up_pk(lower)" parent=global queue=pcq-upload-default
/interface bridge port
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
add bridge=bridge interface=ether6
add bridge=bridge interface=ether7
add bridge=bridge interface=ether8
add bridge=bridge interface=ether9
add bridge=bridge interface=ether10
add bridge=bridge interface=wlan1
/interface detect-internet
set detect-interface-list=WAN
/interface l2tp-server server
set ipsec-secret=test use-ipsec=yes
/interface list member
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=ether6 list=LAN
add interface=ether7 list=LAN
add interface=ether8 list=LAN
add interface=ether9 list=LAN
add interface=ether10 list=LAN
add interface=sfp1 list=LAN
add interface=ether1-WAN1 list=WAN
add interface=bridge list=LAN
/interface sstp-server server
set default-profile=default-encryption
/ip address
add address=192.168.8.1/24 interface=bridge network=192.168.8.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add add-default-route=no dhcp-options=hostname,clientid disabled=no \
interface=ether2-WAN2 use-peer-dns=no
/ip dhcp-server lease
add address=192.168.8.6 client-id=1:18:60:24:ff:c2:6f mac-address=\
18:60:24:FF:C2:6F server=dhcp1
add address=192.168.8.5 client-id=1:b4:b5:2f:5f:73:5c mac-address=\
B4:B5:2F:5F:73:5C server=dhcp1
add address=192.168.8.71 client-id=1:10:f0:5:a0:e8:8a mac-address=\
10:F0:05:A0:E8:8A server=dhcp1
add address=192.168.8.70 client-id=1:88:78:73:f7:14:f3 mac-address=\
88:78:73:F7:14:F3 server=dhcp1
add address=192.168.8.7 client-id=1:bc:91:b5:70:b3:2d mac-address=\
BC:91:B5:70:B3:2D server=dhcp1
add address=192.168.8.18 client-id=1:14:2d:27:9b:7f:eb mac-address=\
14:2D:27:9B:7F:EB server=dhcp1
add address=192.168.8.73 client-id=1:a0:af:bd:17:7f:af mac-address=\
A0:AF:BD:17:7F:AF server=dhcp1
add address=192.168.8.8 client-id=1:90:61:ae:2e:f5:9a mac-address=\
90:61:AE:2E:F5:9A server=dhcp1
add address=192.168.8.9 client-id=1:ac:b5:7d:dd:54:4d mac-address=\
AC:B5:7D:DD:54:4D server=dhcp1
/ip dhcp-server network
add address=192.168.8.0/24 dns-server=8.8.8.8 gateway=192.168.8.1
/ip dns
set allow-remote-requests=yes servers=41.222.70.179,208.67.222.123,8.8.8.8
/ip firewall address-list
add address=192.168.8.2-192.168.8.254 list="All User"
add address=192.168.8.11-192.168.8.20 list=Top
add address=192.168.8.21-192.168.8.30 list=Mid
add address=192.168.8.31-192.168.8.80 list=Low
add address=192.168.8.81-192.168.8.254 list=Lower
/ip firewall filter
add action=accept chain=input comment=winbox dst-port=8291 protocol=tcp
add action=accept chain=input dst-port=22,80,443 in-interface=ether2-WAN2 \
protocol=tcp
add action=reject chain=forward layer7-protocol="All blocked sites" log=yes \
reject-with=icmp-port-unreachable
add action=reject chain=forward layer7-protocol=torrentsites reject-with=\
icmp-admin-prohibited
add action=drop chain=forward layer7-protocol=Facebook
add action=drop chain=forward layer7-protocol="facebook mobile"
add action=drop chain=forward layer7-protocol="facebook mobile2"
add action=drop chain=forward layer7-protocol=instagram
add action=add-src-to-address-list address-list=Torrent_users \
address-list-timeout=1m chain=forward layer7-protocol=torrentsites
add action=add-src-to-address-list address-list=Youtube_Users \
address-list-timeout=1m chain=forward layer7-protocol=Youtube
add action=drop chain=input comment="PPTP VPN BLOCK" disabled=yes dst-port=\
1723 protocol=tcp
add action=drop chain=input comment="L2TP VPN BLOCK" disabled=yes dst-port=\
1701 protocol=udp
add action=drop chain=input comment="IPSec ESP Block" disabled=yes protocol=\
ipsec-esp
add action=drop chain=input comment="IPSec AH block" disabled=yes protocol=\
ipsec-ah
add action=drop chain=input comment="IKE block" disabled=yes dst-port=500 \
protocol=udp
add action=drop chain=input comment="NAT-T BLOCK" disabled=yes dst-port=4500 \
protocol=udp
add action=drop chain=input comment="PROXY TRAFFIC BLOCK" disabled=yes \
protocol=ipencap
add action=drop chain=input comment="BLOCK TUNNELING P" disabled=yes \
protocol=gre
add action=drop chain=input comment="BLOCK DEFAULT OPENVPN TCP" disabled=yes \
dst-port=1194 protocol=tcp
add action=drop chain=input comment="BLOCK DOVPN UDP" disabled=yes dst-port=\
1194 protocol=udp
add action=drop chain=forward layer7-protocol=movie
add action=drop chain=forward connection-limit=2,32 layer7-protocol=\
"IDM Block" src-address-list=Lower
add action=drop chain=forward layer7-protocol="All Video files" \
src-address-list="All User"
/ip firewall mangle
add action=accept chain=prerouting dst-address=192.168.1.0/24 in-interface=\
bridge
add action=accept chain=prerouting dst-address=x.x.x.0/24 in-interface=\
bridge
add action=mark-connection chain=prerouting in-interface=ether1-WAN1 \
new-connection-mark=ipnx_conn passthrough=yes
add action=mark-connection chain=prerouting in-interface=ether2-WAN2 \
new-connection-mark=swift_conn passthrough=yes
add action=mark-connection chain=prerouting dst-address-type=!local \
in-interface=bridge new-connection-mark=ipnx_conn passthrough=yes \
per-connection-classifier=both-addresses:2/0
add action=mark-connection chain=prerouting dst-address-type=!local \
in-interface=bridge new-connection-mark=swift_conn passthrough=yes \
per-connection-classifier=both-addresses:2/1
add action=mark-routing chain=prerouting connection-mark=ipnx_conn \
in-interface=bridge new-routing-mark=to_ipnx passthrough=yes
add action=mark-routing chain=prerouting connection-mark=swift_conn \
in-interface=bridge new-routing-mark=to-swift passthrough=yes
add action=mark-routing chain=output connection-mark=ipnx_conn \
new-routing-mark=to_ipnx passthrough=yes
add action=mark-connection chain=output connection-mark=swift_conn \
new-connection-mark=to_swift passthrough=yes
add action=mark-connection chain=forward comment="torrent_dw_conn(lower)" \
in-interface=bridge layer7-protocol=torrentsites new-connection-mark=\
"torrent_dw_conn(lower)" passthrough=yes src-address-list=Lower
add action=mark-packet chain=forward comment="torrent_dw_pk(lower)" \
connection-mark="torrent_dw_conn(lower)" new-packet-mark=\
"torrent_dw_pk(lower)" passthrough=no
add action=mark-connection chain=prerouting comment="torrent_up_conn(lower)" \
in-interface=bridge layer7-protocol=torrentsites new-connection-mark=\
"torrent_up_conn(lower)" passthrough=yes src-address-list=Lower
add action=mark-packet chain=forward comment="torrent_up_pk(lower)" \
connection-mark="torrent_up_conn(lower)" new-packet-mark=\
"torrent_up_pk(lower)" passthrough=no
add action=mark-connection chain=forward comment="youtube_dw_conn(lower)" \
in-interface=bridge layer7-protocol=Youtube new-connection-mark=\
"youtube_dw_conn(lower)" passthrough=yes src-address-list=Lower
add action=mark-packet chain=forward comment="youtube_dw_pk(lower)" \
connection-mark="youtube_dw_conn(lower)" new-packet-mark=\
"youtube_dw_pk(lower)" passthrough=no
add action=mark-connection chain=prerouting comment="youtube_up_conn(lower)" \
in-interface=bridge layer7-protocol=Youtube new-connection-mark=\
"youtube_up_conn(lower)" passthrough=yes src-address-list=Lower
add action=mark-packet chain=forward comment="youtube_up_pk(lower)" \
connection-mark="youtube_up_conn(lower)" new-packet-mark=\
"youtube_up_pk(lower)" passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat log=yes out-interface=ether1-WAN1
add action=masquerade chain=srcnat out-interface=ether2-WAN2
add action=dst-nat chain=dstnat comment="Server Port Forwarding rule" \
dst-port=3389 in-interface=ether2-WAN2 protocol=tcp to-addresses=\
192.168.8.5 to-ports=3389
/ip proxy access
add action=deny dst-address=0.0.0.0 dst-host=www.facebook.com src-address=\
192.168.1.139
/ip route
add check-gateway=ping distance=1 gateway=192.168.1.1 routing-mark=to_ipnx
add check-gateway=ping distance=2 gateway=ether2-WAN2 routing-mark=to-swift
add check-gateway=ping distance=2 gateway=ether2-WAN2
/ip ssh
set allow-none-crypto=yes
/lcd
set time-interval=hour
/ppp secret
add name=vpn password=test
/system clock
set time-zone-name=Africa/Lagos
/tool traffic-monitor
add interface=ether1-WAN1 name=tmon1 threshold=0
add interface=ether3 name=tmon2 threshold=0 traffic=received
add interface=ether2-WAN2 name=tmon3 threshold=0 traffic=received

That's my config.

What I have tried:
The proxy was enabled, so when I disabled it, I was able to access my router from WinBox from an outside network for that day.
But some devices connected to the bridge couldn't access the internet while some could. Then the day after that I could no longer access the router from an outside network.

How do I get devices on the bridge to access the internet through WAN1 alone, and only requests to the router and the port-forwarded IP use WAN2?
 
draid
Member Candidate
Posts: 106
Joined: Wed Aug 22, 2018 5:42 pm

Re: How to reach RouterOs (web or Winbox) via my static ip address from outside network

Wed Mar 13, 2019 9:42 pm

I would like to ask which would be the best way to access the router remotely? I'm currently using OVPN but it still seems that the option isn't secure when the port is open? Am I right?
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: How to reach RouterOs (web or Winbox) via my static ip address from outside network

Thu Mar 14, 2019 5:13 pm

You didn't just add everything from that PCC article, did you? I hoped it was clear that I meant it as learning material, to understand what you need to do about connection and route marking. In other words, I was too lazy to write a full explanation myself (Van9018 did it a few posts later) and that article has a nice explanation of what's happening.

If you don't want load balancing, remove the two rules with per-connection-classifier option. For the rest, this:
add action=mark-connection chain=output connection-mark=swift_conn new-connection-mark=to_swift passthrough=yes
should be:
add action=mark-routing chain=output connection-mark=swift_conn new-routing-mark=to-swift passthrough=yes
And you also need to add:
/ip route
add check-gateway=ping distance=1 gateway=192.168.1.1
And to avoid all possibilities that these connection marks could conflict with your torrent connection marks, you should add connection-mark=no-mark option to your torrent marking rules (those with action=mark-connection).

And about remote access, you have to open some port (VPN should be better than bare WinBox), otherwise you won't be able to connect.
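The connection- and routing-mark set-up Van9018 described above (mark on arrival, re-mark the replies from the bridge, one default route per routing table) with Sob's three corrections applied, as an added example that is neither the OP's export nor either poster's text. It reuses the interface and mark names from the export (ether1-WAN1, ether2-WAN2, bridge, ipnx_conn/swift_conn, to_ipnx/to-swift) and assumes 192.168.1.1 is the WAN1 gateway; the verification commands at the end follow Van9018's Torch procedure, with parameter names as in the RouterOS 6 CLI.

```routeros
# Added example, not the OP's export: inbound connections are answered on the WAN
# they arrived on, LAN-originated traffic always leaves via WAN1. RouterOS 6.x.
# Assumption: 192.168.1.1 is the WAN1 (dynamic ISP) gateway, as in the export.

/ip firewall mangle
# Step 1: remember on which WAN a NEW inbound connection arrived. Only "new"
# packets are matched, so replies coming back in on a WAN never re-mark anything.
add chain=prerouting in-interface=ether1-WAN1 connection-state=new \
    action=mark-connection new-connection-mark=ipnx_conn passthrough=yes
add chain=prerouting in-interface=ether2-WAN2 connection-state=new \
    action=mark-connection new-connection-mark=swift_conn passthrough=yes

# Step 2: replies from LAN hosts (e.g. the dst-nat'ed RDP server 192.168.8.5)
# inherit the connection mark; turn it into a routing mark before the routing
# decision. passthrough=no: no later rule needs to see these packets.
add chain=prerouting in-interface=bridge connection-mark=ipnx_conn \
    action=mark-routing new-routing-mark=to_ipnx passthrough=no
add chain=prerouting in-interface=bridge connection-mark=swift_conn \
    action=mark-routing new-routing-mark=to-swift passthrough=no

# Same for traffic the router itself answers (WinBox, SSH, WWW on the WAN2
# address): locally generated packets pass through output, not prerouting.
# This is Sob's fix: the export had action=mark-connection here.
add chain=output connection-mark=ipnx_conn \
    action=mark-routing new-routing-mark=to_ipnx passthrough=no
add chain=output connection-mark=swift_conn \
    action=mark-routing new-routing-mark=to-swift passthrough=no

# Sob's other point: QoS marking rules must not overwrite the WAN marks.
# A connection carries exactly one connection mark, so restrict every
# layer7/QoS mark-connection rule to connections that have none yet:
add chain=forward in-interface=bridge connection-mark=no-mark src-address-list=Lower \
    layer7-protocol=torrentsites action=mark-connection \
    new-connection-mark="torrent_dw_conn(lower)" passthrough=yes

/ip route
# Step 3: one default route per routing table. A packet with routing-mark X is
# looked up in table X first and falls back to the main table if nothing matches.
add dst-address=0.0.0.0/0 gateway=192.168.1.1 routing-mark=to_ipnx distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=ether2-WAN2 routing-mark=to-swift distance=1 check-gateway=ping
# Main table: LAN-originated traffic leaves via WAN1, WAN2 only as backup.
# The unmarked WAN1 route is the one the export was missing.
add dst-address=0.0.0.0/0 gateway=192.168.1.1 distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=ether2-WAN2 distance=2 check-gateway=ping

# Verification, following Van9018's Torch procedure. While a test connection to
# the WAN2 address is open, the counters of the WAN2 mark-connection rule and of
# the bridge mark-routing rule should grow,
/ip firewall mangle print stats
# the connection should carry the WAN2 mark,
/ip firewall connection print detail where connection-mark=swift_conn
# and the server's replies must show up on ether2-WAN2, not on ether1-WAN1.
/tool torch interface=ether2-WAN2 ip-protocol=tcp port=3389 src-address=0.0.0.0/0 dst-address=0.0.0.0/0
```

The two load-balancing rules with per-connection-classifier from the export are deliberately absent: without them, LAN-originated connections get no connection mark at all and simply follow the main table, which is exactly the "bridge via WAN1 only" behaviour asked for. If the reply packets still go out on ether1-WAN1, the usual culprit is a mark-connection rule further down (QoS, layer7) that replaces swift_conn, which the connection print above makes visible.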
 
draid
Member Candidate
Posts: 106
Joined: Wed Aug 22, 2018 5:42 pm

Re: How to reach RouterOs (web or Winbox) via my static ip address from outside network

Thu Mar 14, 2019 8:35 pm

> And about remote access, you have to open some port (VPN should be better than bare WinBox), otherwise you won't be able to connect.

Yes, that is true, but along with the VPN port you need to do something with the WinBox port if you want to be able to log in remotely through WinBox on a client. Which was a bit strange for me, as when the client is connected to the VPN it is able to ping the router with its local address, but it's unable to log in through WinBox on the client side. With the WinBox port opened it's possible, but it doesn't seem to be secure enough. I even had the crazy idea to use port knocking with the VPN to allow only addresses on the list to be able to connect to the VPN server.
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: How to reach RouterOs (web or Winbox) via my static ip address from outside network

Thu Mar 14, 2019 9:24 pm

I get it. You don't need to open WinBox port from everywhere, you can do it only for connections from VPN, e.g. with in-interface=<vpn client interface>.
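Jotne's checklist (non-default port, port knocking, off-box logging, reconsidering whether the port needs to be open at all) and Sob's point of accepting WinBox only from the VPN side, written out as an added RouterOS 6 example; it is not configuration from any poster or from the OP's export. It reuses the LAN and WAN interface lists, the default-encryption PPP profile and the 192.168.89.0/24 VPN pool from the export, and adds a VPN interface list (the PPP profile's interface-list parameter is assumed to be available; it was introduced in RouterOS 6.41). 58291 and the three knock ports are constructed values and 192.0.2.10 is a placeholder for a log collector. The export's input rules this replaces are the any-source accept on tcp/8291 and the accept of 22,80,443 from ether2-WAN2; the export's WAN list also lacks ether2-WAN2, which the first lines fix.

```routeros
# Added example, not the OP's export: management only from LAN and VPN clients,
# the VPN the only service reachable from the WAN. RouterOS 6.x syntax.

# Both ISP ports belong in the WAN list (the export only had ether1-WAN1 there).
/interface list member add interface=ether2-WAN2 list=WAN
# Dynamic PPP interfaces (L2TP/SSTP clients) get their names at connect time, so
# match them through an interface list that the PPP profile fills automatically
# (profile interface-list assumed available; RouterOS 6.41+).
/interface list add name=VPN
/ppp profile set default-encryption interface-list=VPN

# Item 3: move WinBox off 8291 (58291 is a constructed value), switch off the
# services that are not used, and drop the SSH "none" cipher the export allows.
/ip service
set winbox port=58291
disable [find name=telnet]
disable [find name=ftp]
disable [find name=api]
/ip ssh set allow-none-crypto=no

/ip firewall filter
# State first, so the rules below only ever see the first packet of a connection.
add chain=input connection-state=established,related action=accept
add chain=input connection-state=invalid action=drop
# Management from LAN and from VPN clients only (Sob's in-interface point, done
# with interface lists so it survives the dynamic PPP interface names).
add chain=input in-interface-list=LAN protocol=tcp dst-port=58291,22 action=accept
add chain=input in-interface-list=VPN protocol=tcp dst-port=58291,22 action=accept
# What the WAN may reach: the L2TP/IPsec server from the export. L2TP itself is
# accepted only when it arrived inside the IPsec tunnel.
add chain=input in-interface-list=WAN protocol=udp dst-port=500,4500 action=accept
add chain=input in-interface-list=WAN protocol=ipsec-esp action=accept
add chain=input in-interface-list=WAN protocol=udp dst-port=1701 ipsec-policy=in,ipsec action=accept
# Item 4, port knocking as a fallback for when the VPN is down: three TCP knocks
# in order, each within 15 s of the previous one, open WinBox for 10 min to the
# knocking source only. Knock ports are constructed values.
add chain=input in-interface-list=WAN protocol=tcp dst-port=11111 \
    action=add-src-to-address-list address-list=knock1 address-list-timeout=15s
add chain=input in-interface-list=WAN protocol=tcp dst-port=22222 src-address-list=knock1 \
    action=add-src-to-address-list address-list=knock2 address-list-timeout=15s
add chain=input in-interface-list=WAN protocol=tcp dst-port=33333 src-address-list=knock2 \
    action=add-src-to-address-list address-list=knocked address-list-timeout=10m
add chain=input in-interface-list=WAN protocol=tcp dst-port=58291 src-address-list=knocked action=accept
# Everything else aimed at the router from the WAN is dropped and logged.
add chain=input in-interface-list=WAN action=drop log=yes log-prefix=input-drop

# Item 5: logs leave the box, so a later compromise cannot quietly erase them.
# 192.0.2.10 is a placeholder for the collector (Splunk, syslog, ...).
/system logging action add name=remote-syslog target=remote remote=192.0.2.10 remote-port=514
/system logging add topics=firewall action=remote-syslog
/system logging add topics=critical,error,warning action=remote-syslog
```

The order matters: the two state rules and the LAN/VPN accepts come before the knock rules, and the knocked accept comes before the final WAN drop. With the drop logged and shipped off-box, the remote collector also gives the audit trail for item 6: if the knocked list never fills and the WAN drop counter is the only thing growing, the WinBox exposure on the WAN can go entirely.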
 
Otunmusa
just joined
Topic Author
Posts: 5
Joined: Fri Mar 08, 2019 2:05 pm

Re: How to reach RouterOs (web or Winbox) via my static ip address from outside network

Fri Mar 15, 2019 6:42 pm

Thanks Sob, it worked.
 
draid
Member Candidate
Posts: 106
Joined: Wed Aug 22, 2018 5:42 pm

Re: How to reach RouterOs (web or Winbox) via my static ip address from outside network

Fri Mar 15, 2019 8:05 pm

> I get it. You don't need to open WinBox port from everywhere, you can do it only for connections from VPN, e.g. with in-interface=<vpn client interface>.

Yes, that makes sense. Don't know how I missed it. I'll definitely try it. Thank you.
