the /export hide-sensitive doesn't seem to contain any public IPs and so I am not sure if the export is complete.
Since both your public IPs are assigned dynamically using DHCP, they are not shown in export. The export command shows the static configuration; a print command shows the currently existing items, including those dynamically added. I'm not asking for a print output; it's just an explanation.
@mutluit is right that your firewall is not tight enough - you use a mix of "permit everything but a few exceptions" and "deny everything but a few exceptions", but the first one wins.
I personally prefer to deny everything but a few exceptions, because if you forget to permit something that should have been permitted, your legal users will be unhappy and will let you know quickly; if you forget to deny something that should have been denied, your illegal users will be happy and will never let you know.
But that's a subject for another topic, although a very important one if you want to remain the only administrator of your router.
To the topic of your OP - from what you wrote I understand that the IP addresses you get from the ISP are fixed despite the fact that you get them using DHCP; can you confirm that? The difference it makes is whether it is necessary to add a script to the DHCP client configuration, which would update the gateway parameter of a route via ETH3-WAN2, or whether it can be left out because the IP address of the gateway actually never changes.
Given that you actually port-forward the traffic which arrives at ETH3-WAN2 to multiple internal addresses, use of /ip firewall mangle to handle the assignment of the routing-mark seems more appropriate to me than use of /ip route rule. Nevertheless, the /ip route rule rows are used to prevent packets coming in via WAN2 from being routed back through it instead of being delivered to the LAN hosts - it's one of the possible ways to ensure that.
So the following will make all connections which come from the internet to the public IP assigned to ETH3-WAN2 be responded to through that interface:
/ip route
# default route in table via-wan2; the gateway is read from the DHCP lease once, when this line is executed
add dst-address=0.0.0.0/0 routing-mark=via-wan2 gateway=[/ip dhcp-client get [find interface=ETH3-WAN2] gateway]
/ip route rule
# packets for the LAN subnets must stay in the main table even when they carry routing-mark=via-wan2,
# otherwise the port-forwarded traffic would be sent back out via WAN2 instead of to the LAN hosts
add dst-address=172.16.10.0/24 action=lookup-only-in-table table=main
add dst-address=192.168.0.0/24 action=lookup-only-in-table table=main
/ip firewall mangle
add chain=prerouting connection-state=new action=jump jump-target=cmark-pr comment="only the first packet of each connection is eligible for eventual connection marking"
add chain=prerouting connection-mark=wan2-conn action=mark-routing new-routing-mark=via-wan2 comment="all packets, including the first one, may need the connection-mark to routing-mark translation"
# the connection mark set here must be the same one the two mark-routing rules match on (wan2-conn)
add chain=cmark-pr in-interface=ETH3-WAN2 action=mark-connection new-connection-mark=wan2-conn passthrough=yes comment="anything that came in via WAN2 must be responded through there"
add chain=output connection-mark=wan2-conn action=mark-routing new-routing-mark=via-wan2 comment="connections to Mikrotik itself may also have come in via WAN2"
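If the ISP ever hands out a different gateway, the route above keeps the gateway it was created with. The following is an added example, not code from the post above, of the DHCP-client script that the post mentions: it is the text to put into the script field of the DHCP client on ETH3-WAN2 (Winbox "Script" field, or /ip dhcp-client set [find interface=ETH3-WAN2] script=...). It assumes RouterOS v6 syntax (routing-mark rather than v7's routing-table) and uses the comment "wan2-default" on the via-wan2 default route purely as a lookup key; that comment is an assumption and must be added to the route in the post for the script to find it. $bound and $"gateway-address" are the variables RouterOS supplies to a DHCP-client script.

```routeros
# Added example (not from the original post): DHCP-client script for ETH3-WAN2
# that keeps the default route in table via-wan2 pointed at the current lease's gateway.
# Assumption: the via-wan2 default route carries comment="wan2-default".
:if ($bound = 1) do={
    # lease obtained or renewed: $"gateway-address" is the router the ISP gave us
    :local gw $"gateway-address"
    :local rt [/ip route find comment="wan2-default"]
    :if ([:len $rt] = 0) do={
        # route does not exist yet (e.g. first lease after reboot): create it
        /ip route add dst-address=0.0.0.0/0 routing-mark=via-wan2 gateway=$gw comment="wan2-default"
    } else={
        # route exists: update the gateway and make sure it is active
        /ip route set $rt gateway=$gw disabled=no
    }
    :log info ("WAN2 lease bound, via-wan2 gateway set to " . $gw)
} else={
    # lease lost: disable the route so marked traffic fails closed instead of using a stale gateway
    /ip route set [find comment="wan2-default"] disabled=yes
    :log warning "WAN2 lease lost, via-wan2 default route disabled"
}
```

The script runs every time the lease state changes, so a gateway change is picked up without manual intervention, and disabling the route on lease loss avoids silently sending reply traffic to a gateway that no longer exists. If the gateway really never changes, as the post asks, the script is unnecessary and the static route alone suffices.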