Well, your proposed way does in fact work almost as expected. I could leave it that way, but who knows, maybe something better can be done.
I am aware that in RouterOS some things are done differently and, it's worth saying, more conveniently in most cases. But in this particular case I don't see the convenience I had before (not a biggie if there are other ways, of course).
Previously I could set port forwards as easy as this:
iptables -t nat -A PREROUTING -p tcp -i eth0 -d 88.88.66.70 --dport 8291 -j DNAT --to 192.168.1.2:8291
iptables -t nat -A PREROUTING -p tcp -i eth2 --dport 33555 -j DNAT --to 192.168.0.21:33555
As you can see, no marking was needed. Port 8291 on ISP1 would forward to 1.2, port 33555 on ISP2 would be forwarded to 0.21. As simple as that.
And I agree with you about not knowing how everything is internally handled in these operating systems. That was the reason I posted here with a request for help to get a different scheme for achieving the same thing.
Besides, I'm still blind from inside RouterOS when trying to escape with any of the ISP1 IPs. For example:
> ping 8.8.8.8 src-address=88.88.66.70
8.8.8.8 ping timeout
While on my Linux router I could simply type "ping 8.8.8.8 -I 88.88.66.70" and get a reply. 8.8.8.8 is Google's public DNS, by the way.
Here is the data you requested, and some more.
Address table:
/ip address
add address=77.77.253.154/24 broadcast=77.77.253.255 comment="" disabled=no \
interface=ether2 network=77.77.253.0
add address=192.168.0.1/21 broadcast=192.168.7.255 comment="" disabled=no \
interface=ether1 network=192.168.0.0
add address=172.10.10.1/29 broadcast=172.10.10.7 comment="" disabled=no \
interface=ether1 network=172.10.10.0
add address=192.168.100.1/24 broadcast=192.168.100.255 comment="" disabled=no \
interface=ether1 network=192.168.100.0
add address=88.88.66.82/24 broadcast=88.88.66.255 comment="" disabled=no \
interface=ether2 network=88.88.66.0
add address=88.88.66.70/24 broadcast=88.88.66.255 comment="" disabled=no \
interface=ether2 network=88.88.66.0
Routing table:
/ip route
add comment="" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
88.88.66.1 routing-mark=1 scope=30 target-scope=10
add comment="" disabled=no distance=1 dst-address=88.88.66.0/24 gateway=\
ether2 pref-src=88.88.66.70 routing-mark=1 scope=30 target-scope=10
add comment="" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
88.88.66.1 routing-mark=2 scope=30 target-scope=10
add comment="" disabled=no distance=1 dst-address=88.88.66.0/24 gateway=\
ether2 pref-src=88.88.66.82 routing-mark=2 scope=30 target-scope=10
add comment="" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
77.77.253.1 routing-mark=3 scope=30 target-scope=10
add comment="" disabled=no distance=1 dst-address=77.77.253.0/24 gateway=\
ether2 pref-src=77.77.253.154 routing-mark=3 scope=30 target-scope=10
/ip route rule
add action=lookup comment="" disabled=no interface=ether2 routing-mark=1 \
src-address=88.88.66.70/32 table=1
add action=lookup comment="" disabled=no interface=ether2 routing-mark=2 \
src-address=88.88.66.82/32 table=2
add action=lookup comment="" disabled=no interface=ether2 routing-mark=3 \
src-address=77.77.253.154/32 table=3
Firewall filtering rules:
/ip firewall filter
add action=accept chain=forward comment="Accept forward for client pool" \
disabled=no dst-address=0.0.0.0/0 in-interface=ether1 src-address=\
192.168.0.0/21
add action=accept chain=input comment=\
"Accept established inbound connections" connection-state=\
established disabled=no in-interface=ether2
add action=accept chain=input comment=\
"Accept related inbound connections" connection-state=related \
disabled=no in-interface=ether2
add action=accept chain=input comment=\
"Accept inbound 8291 port for winbox control" disabled=no \
dst-address=0.0.0.0/0 dst-port=8291 in-interface=ether2 protocol=tcp \
src-address=0.0.0.0/0
add action=accept chain=input comment="Accept SSH connections" \
disabled=no dst-address=0.0.0.0/0 dst-port=22 in-interface=ether2 \
protocol=tcp src-address=0.0.0.0/0
add action=accept chain=input comment="Accept HTTP connections" \
disabled=yes dst-address=0.0.0.0/0 dst-port=80 in-interface=ether2 \
protocol=tcp src-address=0.0.0.0/0
add action=accept chain=input comment=\
"Accept unflooded ICMP ping requests" disabled=no in-interface=\
ether2 limit=1,5 protocol=icmp
add action=drop chain=input comment="Drop everything unaccepted inbound" \
disabled=no dst-address=0.0.0.0/0 in-interface=ether2 src-address=\
0.0.0.0/0
add action=accept chain=input comment=\
"Accept established inbound connections" connection-state=\
established disabled=no in-interface=ether3
add action=accept chain=input comment=\
"Accept related inbound connections" connection-state=related \
disabled=no in-interface=ether3
add action=accept chain=input comment=\
"Accept inbound 8291 port for winbox control" disabled=no \
dst-address=0.0.0.0/0 dst-port=8291 in-interface=ether3 protocol=tcp \
src-address=0.0.0.0/0
add action=accept chain=input comment="Accept SSH connections" \
disabled=no dst-address=0.0.0.0/0 dst-port=22 in-interface=ether3 \
protocol=tcp src-address=0.0.0.0/0
add action=accept chain=input comment="Accept HTTP connections" \
disabled=yes dst-address=0.0.0.0/0 dst-port=80 in-interface=ether3 \
protocol=tcp src-address=0.0.0.0/0
add action=accept chain=input comment=\
"Accept unflooded ICMP ping requests" disabled=no in-interface=\
ether3 limit=1,5 protocol=icmp
add action=drop chain=input comment=\
"Drop everything unaccepted inbound" disabled=no dst-address=\
0.0.0.0/0 in-interface=ether3 src-address=0.0.0.0/0
Firewall mangle table:
/ip firewall mangle
add action=mark-routing chain=prerouting comment="" disabled=no dst-address=\
0.0.0.0/0 dst-port=53,80,110,113,443,6667,6668,7000 new-routing-mark=1 \
passthrough=yes protocol=tcp src-address=192.168.0.0/24
add action=mark-routing chain=prerouting comment="" disabled=no dst-address=\
0.0.0.0/0 dst-port=53,80,110,113,443,6667,6668,7000 new-routing-mark=1 \
passthrough=yes protocol=udp src-address=192.168.0.0/24
add action=mark-routing chain=prerouting comment="" disabled=no dst-address=\
0.0.0.0/0 dst-port=53,80,110,113,443,6667,6668,7000 new-routing-mark=2 \
passthrough=yes protocol=tcp src-address=192.168.2.0/24
add action=mark-routing chain=prerouting comment="" disabled=no dst-address=\
0.0.0.0/0 dst-port=53,80,110,113,443,6667,6668,7000 new-routing-mark=2 \
passthrough=yes protocol=udp src-address=192.168.2.0/24
add action=mark-routing chain=prerouting comment="" disabled=no dst-address=\
0.0.0.0/0 dst-port=53,80,110,113,443,6667,6668,7000 new-routing-mark=2 \
passthrough=yes protocol=tcp src-address=192.168.3.0/24
add action=mark-routing chain=prerouting comment="" disabled=no dst-address=\
0.0.0.0/0 dst-port=53,80,110,113,443,6667,6668,7000 new-routing-mark=2 \
passthrough=yes protocol=udp src-address=192.168.3.0/24
add action=mark-routing chain=prerouting comment="" disabled=no dst-address=\
0.0.0.0/0 dst-port=53,80,110,113,443,6667,6668,7000 new-routing-mark=3 \
passthrough=yes protocol=tcp src-address=192.168.4.0/24
add action=mark-routing chain=prerouting comment="" disabled=no dst-address=\
0.0.0.0/0 dst-port=53,80,110,113,443,6667,6668,7000 new-routing-mark=3 \
passthrough=yes protocol=udp src-address=192.168.4.0/24
add action=mark-routing chain=prerouting comment="" disabled=no dst-address=\
0.0.0.0/0 dst-port=53,80,110,113,443,6667,6668,7000 new-routing-mark=3 \
passthrough=yes protocol=tcp src-address=192.168.5.0/24
add action=mark-routing chain=prerouting comment="" disabled=no dst-address=\
0.0.0.0/0 dst-port=53,80,110,113,443,6667,6668,7000 new-routing-mark=3 \
passthrough=yes protocol=udp src-address=192.168.5.0/24
Firewall NAT table:
/ip firewall nat
add action=src-nat chain=srcnat comment=\
"IP 88.88.66.70 for subnet 192.168.0.0/24" disabled=no dst-address=\
0.0.0.0/0 out-interface=ether2 src-address=192.168.0.0/24 to-addresses=\
88.88.66.70
add action=src-nat chain=srcnat comment=\
"IP 88.88.66.82 for subnet 192.168.2.0/24" disabled=no dst-address=\
0.0.0.0/0 out-interface=ether2 src-address=192.168.2.0/24 to-addresses=\
88.88.66.82
add action=src-nat chain=srcnat comment=\
"IP 88.88.66.82 for subnet 192.168.3.0/24" disabled=no dst-address=\
0.0.0.0/0 out-interface=ether2 src-address=192.168.3.0/24 to-addresses=\
88.88.66.82
add action=src-nat chain=srcnat comment=\
"IP 77.77.253.154 for subnet 192.168.4.0/24" disabled=no dst-address=\
0.0.0.0/0 out-interface=ether2 src-address=192.168.4.0/24 to-addresses=\
77.77.253.154
add action=src-nat chain=srcnat comment=\
"IP 77.77.253.154 for subnet 192.168.5.0/24" disabled=no dst-address=\
0.0.0.0/0 out-interface=ether2 src-address=192.168.5.0/24 to-addresses=\
77.77.253.154
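As an added example (not part of the poster's configuration and not RouterOS code): a small Python audit that parses an export like the one above, joining the backslash-wrapped lines, then checks that each src-nat subnet's mangle routing-mark agrees with the table its public IP looks up in /ip route rule, and lists enabled input-chain accepts for SSH/Winbox from any source on the WAN interfaces. The embedded excerpt is constructed from the rules in the post; the interface names and ports are the post's own.

```python
import shlex

# Constructed excerpt of the export posted above; RouterOS wraps long lines with a trailing "\".
EXPORT = r"""
/ip route rule
add action=lookup disabled=no interface=ether2 routing-mark=1 \
    src-address=88.88.66.70/32 table=1
/ip firewall filter
add action=accept chain=input comment="Accept inbound 8291 port for winbox control" \
    disabled=no dst-port=8291 in-interface=ether2 protocol=tcp src-address=0.0.0.0/0
/ip firewall mangle
add action=mark-routing chain=prerouting new-routing-mark=1 protocol=tcp src-address=192.168.0.0/24
/ip firewall nat
add action=src-nat chain=srcnat out-interface=ether2 src-address=192.168.0.0/24 to-addresses=88.88.66.70
"""

def parse_export(text):
    """Map each '/path' section to a list of {key: value} dicts, one per 'add' line."""
    cfg, section, buf = {}, None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):            # join continuation lines before tokenising
            buf += line[:-1]
            continue
        line, buf = buf + line, ""
        if line.startswith("/"):
            section = cfg.setdefault(line, [])
        elif line.startswith("add ") and section is not None:
            section.append(dict(tok.split("=", 1) for tok in shlex.split(line[4:])))
    return cfg

def route_mark_mismatches(cfg):
    """Each src-nat subnet: its mangle routing-mark must equal the table its WAN IP looks up."""
    mark = {r["src-address"]: r["new-routing-mark"] for r in cfg.get("/ip firewall mangle", [])
            if r.get("action") == "mark-routing"}
    table = {r["src-address"].split("/")[0]: r["table"] for r in cfg.get("/ip route rule", [])
             if r.get("action") == "lookup"}
    return [(r["src-address"], r["to-addresses"]) for r in cfg.get("/ip firewall nat", [])
            if r.get("action") == "src-nat"
            and mark.get(r["src-address"]) != table.get(r["to-addresses"])]

def open_management_ports(cfg, wan_ifaces, ports=("22", "8291")):
    """Enabled input-chain accepts on a WAN interface for SSH/Winbox from any source."""
    return [(r["in-interface"], r["dst-port"]) for r in cfg.get("/ip firewall filter", [])
            if r.get("chain") == "input" and r.get("action") == "accept"
            and r.get("disabled") != "yes" and r.get("in-interface") in wan_ifaces
            and r.get("dst-port") in ports
            and r.get("src-address", "0.0.0.0/0") == "0.0.0.0/0"]
```

Run it against a full `/export` and an empty mismatch list confirms the mark, NAT and route-rule triples line up; the second function points at the rules to restrict to a management source range.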