Hi all
For ISP issue concern I still can ping to 8.8.8.8 on Mikrotik when client doesn't. After changing to new DNS server (Open-DNS) It happened one again but just few minutes.
After that I have downgraded firmware from v6.48.1 to long-term v6.47.9
One more thing is I have 3 WAN lines, 2 static ips and one PPPoE. When using mangle to specific one network to one WAN it did not work.
My configuration is below.
Sorry for my bad English.
/interface pppoe-client
add disabled=no interface=ether2 name=pppoe-out1 user=hbhbla_ftth128
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=PPTP ranges=10.10.10.10-10.10.10.100
/ppp profile
set *FFFFFFFE dns-server=208.67.222.222 local-address=10.10.10.1 remote-address=PPTP
/queue type
add kind=pcq name=DownLoad pcq-classifier=dst-address pcq-rate=20M
add kind=pcq name=Upload pcq-classifier=src-address pcq-rate=20M
/queue simple
add name=queue1 queue=Upload/DownLoad target=172.16.10.0/24
/user group
set full policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,dude,tikapp
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface pptp-server server
set enabled=yes
/ip address
add address=203.x.x.x/30 interface=ether1 network=203.x.x.x
add address=172.16.1.1/24 interface=ether4 network=172.16.1.0
add address=14.x.x.x/30 interface=ether3 network=14.x.x.x
/ip cloud
set ddns-enabled=yes
/ip dns
set servers=8.8.8.8,203.113.131.1,203.113.188.1,203.113.131.2
/ip firewall address-list
add address=203.x.x.x list=WAN_IPs
add address=14.x.x.x list=WAN_IPs
add address=23.148.145.238 list=Black_Ips
add address=172.16.40.0/24 list=Connected_sub
add address=10.10.10.0/24 list=Connected_sub
add address=172.16.10.87 list=ANAM
add address=172.16.10.27 list=ANAM
add address=172.16.10.0/24 list=Connected_sub
add address=172.16.20.0/24 list=Connected_sub
add address=172.16.30.0/24 list=Connected_sub
add address=172.16.99.0/24 list=Connected_sub
/ip firewall filter
add action=add-src-to-address-list address-list=Black_Ips address-list-timeout=none-dynamic chain=forward disabled=yes dst-port=5060-5061 in-interface=ether1 protocol=udp \
src-address=!14.x.x.x
add action=add-src-to-address-list address-list=Black_Ips address-list-timeout=none-dynamic chain=forward disabled=yes dst-port=5060-5061 in-interface=ether3 protocol=udp \
src-address=!14.x.x.x
add action=drop chain=forward disabled=yes src-address-list=Black_Ips
add action=drop chain=input src-address=111.7.96.132
add action=drop chain=forward src-address=111.7.96.132
/ip firewall mangle
add action=mark-connection chain=prerouting connection-mark=no-mark disabled=yes dst-address-list=!Connected_sub new-connection-mark=WAN3_conn passthrough=yes \
src-address=10.10.10.0/24
add action=mark-routing chain=prerouting connection-mark=WAN3_conn disabled=yes new-routing-mark=to_WAN3 passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat disabled=yes out-interface=ether1
add action=dst-nat chain=dstnat dst-port=53 log=yes log-prefix=A protocol=udp src-address=10.10.10.100 to-addresses=176.103.130.132 to-ports=53
add action=masquerade chain=srcnat out-interface=ether3
add action=masquerade chain=srcnat out-interface=pppoe-out1
add action=dst-nat chain=dstnat dst-port=5001 protocol=tcp to-addresses=172.16.10.200 to-ports=5001
add action=dst-nat chain=dstnat dst-port=5006 protocol=tcp to-addresses=172.16.10.200 to-ports=5006
add action=dst-nat chain=dstnat dst-port=2021 protocol=tcp to-addresses=172.16.10.200 to-ports=2021
add action=dst-nat chain=dstnat dst-address=14.x.x.x dst-port=5060 in-interface=ether3 protocol=udp to-addresses=172.16.40.254 to-ports=5060
add action=dst-nat chain=dstnat dst-address=14.x.x.x dst-port=5061 in-interface=ether3 protocol=udp to-addresses=172.16.40.254 to-ports=5061
add action=dst-nat chain=dstnat dst-address=14.x.x.x dst-port=10000-20000 in-interface=ether3 protocol=udp to-addresses=172.16.40.254 to-ports=10000-20000
add action=dst-nat chain=dstnat dst-address=14.x.x.x dst-port=8080 protocol=tcp to-addresses=172.16.40.254 to-ports=80
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip route
add check-gateway=ping distance=1 gateway=pppoe-out1 routing-mark=to_WAN3
add check-gateway=ping distance=1 gateway=203.x.x.x routing-mark=to_WAN1
add check-gateway=ping distance=1 gateway=14.x.x.x routing-mark=to_WAN2
add check-gateway=ping distance=2 gateway=14.x.x.x
add check-gateway=ping distance=3 gateway=pppoe-out1
add check-gateway=ping distance=4 gateway=203.x.x.x
add distance=1 dst-address=172.16.2.0/24 gateway=172.16.1.2
add distance=1 dst-address=172.16.10.0/24 gateway=172.16.1.2
add distance=1 dst-address=172.16.20.0/23 gateway=172.16.1.2
add distance=1 dst-address=172.16.30.0/24 gateway=172.16.1.2
add distance=1 dst-address=172.16.40.0/24 gateway=172.16.1.2
add distance=1 dst-address=172.16.99.0/24 gateway=172.16.1.2
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes