This is our configuration on 2 routers
1st Router - CORE/NAT
# Core/NAT router (RouterOS export): two DHCP-addressed ISP uplinks, masquerade
# NAT, OSPF towards the PPPoE/Hotspot router, and netwatch-driven failover.
# mac-address= values are empty throughout; presumably redacted before posting.
/interface bridge
add name=bridge1-routing
add name=loopback1
/interface ethernet
set [ find default-name=ether1 ] mac-address= name=\
ether1-ISP1
set [ find default-name=ether2 ] mac-address= name=\
ether2-ISP2
set [ find default-name=ether3 ] mac-address=
set [ find default-name=ether4 ] mac-address=
set [ find default-name=ether5 ] disabled=yes mac-address=
set [ find default-name=ether6 ] disabled=yes
set [ find default-name=ether7 ] disabled=yes
set [ find default-name=ether8 ] disabled=yes
set [ find default-name=ether9 ] disabled=yes
set [ find default-name=ether10 ] disabled=yes
# OSPF: a default route is advertised (as type 1) only while this router has one
# installed, so the downstream router follows the failover state.
/routing ospf instance
add distribute-default=if-installed-as-type-1 name=ospf1 router-id=\
10.254.254.254
/routing ospf area
add instance=ospf1 name=area1
# Inter-router segment. ether5 is disabled in /interface ethernet above, so ether4
# is the only active member of this bridge.
/interface bridge port
add bridge=bridge1-routing interface=ether4
add bridge=bridge1-routing interface=ether5
# NOTE(review): detect-internet is enabled on every interface, including both
# uplinks. Confirm it does not interfere with the static routes and netwatch
# failover below; if it is not needed, restrict or disable it.
/interface detect-internet
set detect-interface-list=all
/ip address
add address=10.254.254.254 interface=loopback1 network=10.254.254.254
add address=10.254.253.1/28 interface=bridge1-routing network=10.254.253.0
# Uplink addresses come from DHCP. Peer-supplied default route, DNS and NTP are
# all ignored, so those settings are controlled only by this configuration.
/ip dhcp-client
add add-default-route=no disabled=no interface=ether1-ISP1 use-peer-dns=no \
use-peer-ntp=no
add add-default-route=no disabled=no interface=ether2-ISP2 use-peer-dns=no \
use-peer-ntp=no
# NOTE(review): allow-remote-requests=yes makes the router answer DNS queries on
# any interface. With the input chain below, nothing restricts that to internal
# clients, so the resolver is reachable from both ISP-facing interfaces.
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
# Input chain (traffic addressed to the router itself): accepts
# established/related and ICMP, drops invalid. There is no rule for new
# connections, and RouterOS accepts whatever no rule matches, so every enabled
# router service (management, DNS) is reachable from the uplinks.
# NOTE(review): end the chain with a drop for the ISP-facing interfaces. Place
# explicit accepts before it for management from a trusted source and for OSPF
# on bridge1-routing.
# The "drop invalid input" rule sets log-prefix without log=yes, so it does not
# log.
/ip firewall filter
add action=accept chain=input comment="accept valid input" connection-state=\
established,related
add action=accept chain=input comment="allow icmp(ping)" protocol=icmp
add action=drop chain=input comment="drop invalid input" connection-state=\
invalid log-prefix=invalid
# Forward chain: the drops below cover new, non-dstnat connections arriving on
# ether1-ISP1 and ether3 only.
# NOTE(review): ether2-ISP2 has no equivalent rules, so unsolicited inbound
# traffic on the second uplink is not filtered here. ether3 has no name, address
# or DHCP client in this export; confirm what it connects to.
# NOTE(review): the address list not_in_internet is referenced but no
# /ip firewall address-list section appears in this export. If the list is empty,
# the two "not public IP" rules match nothing.
add action=accept chain=forward comment="accept valid forward" \
connection-state=established,related
add action=drop chain=forward comment=\
"drop incoming packets that are not NAT`ted" connection-nat-state=!dstnat \
connection-state=new in-interface=ether1-ISP1 log=yes log-prefix=!NAT
add action=drop chain=forward comment=\
"drop incoming from internet which is not public IP" in-interface=\
ether1-ISP1 log=yes log-prefix=!public src-address-list=not_in_internet
add action=drop chain=forward comment=\
"drop incoming packets that are not NAT`ted" connection-nat-state=!dstnat \
connection-state=new in-interface=ether3 log=yes log-prefix=!NAT
add action=drop chain=forward comment=\
"drop incoming from internet which is not public IP" in-interface=ether3 \
log=yes log-prefix=!public src-address-list=not_in_internet
# Failover probes: the comments say "allow", but the rules are drops with a
# negated out-interface. A probe to 1.0.0.1 (or 8.8.4.4) is discarded unless it
# leaves through its own uplink, so a probe cannot succeed via the other ISP.
add action=drop chain=output comment=\
"[failover rule] allow 1.0.0.1 ping to isp1 only" dst-address=1.0.0.1 \
out-interface=!ether1-ISP1 protocol=icmp
add action=drop chain=output comment=\
"[failover rule] allow 8.8.4.4 ping to isp2 only" dst-address=8.8.4.4 \
out-interface=!ether2-ISP2 protocol=icmp
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1-ISP1
add action=masquerade chain=srcnat out-interface=ether2-ISP2
# Default routes: ISP1 preferred (distance 1), ISP2 as backup (distance 2). The
# two /32 routes pin each probe target to one gateway.
# NOTE(review): the /32 route comments look swapped. 1.0.0.1 goes via the ISP1
# gateway and is probed by "isp1 checker", yet the route is labelled
# "netwatch for isp2", and the reverse holds for 8.8.4.4. This is cosmetic,
# because the netwatch scripts match only the comments ISP1 and ISP2.
/ip route
add comment=ISP1 distance=1 gateway=122.154.193.115
add comment=ISP2 distance=2 gateway=192.168.254.254
add check-gateway=ping comment="netwatch for isp2" distance=1 dst-address=\
1.0.0.1/32 gateway=122.154.193.115
add check-gateway=ping comment="netwatch for isp1" distance=1 dst-address=\
8.8.4.4/32 gateway=192.168.254.254
# NOTE(review): no authentication is configured on the OSPF interfaces here. Any
# device attached to the bridge1-routing segment could try to form an adjacency
# and inject routes. Consider setting authentication and authentication-key
# identically on both routers.
/routing ospf interface
add interface=bridge1-routing network-type=point-to-point
add interface=loopback1 network-type=point-to-point
/routing ospf network
add area=area1 network=10.254.254.254/32
add area=area1 network=10.254.253.0/28
/system ntp client
set enabled=yes primary-ntp=162.159.200.123 secondary-ntp=92.223.73.5 \
server-dns-names=asia.pool.ntp.org
# Netwatch pings each probe target and enables or disables the default route
# whose comment is exactly ISP1 or ISP2. Failover depends on those route
# comments staying unchanged.
/tool netwatch
add comment="isp1 checker" down-script="/ip route disable [find where comment=\
ISP1];\r\
\n:log warning \"ISP1 link is down!\";" host=1.0.0.1 interval=5s \
up-script="/ip route enable [find where comment=ISP1];\r\
\n:log warning \"ISP1 link is up!\";"
add comment="isp2 checker" down-script="/ip route disable [find where comment=\
ISP2];\r\
\n:log warning \"ISP2 link is down!\";" host=8.8.4.4 interval=15s \
up-script="/ip route enable [find where comment=ISP2];\r\
\n:log warning \"ISP2 link is up!\";"
2nd Router - PPPoE/Hotspot Server
# PPPoE/Hotspot access router (RouterOS export): serves Hotspot and PPPoE
# subscribers on bridge3-Hotspot and reaches the core router over ether4 via
# OSPF. Its own uplink interfaces, static routes and ISP masquerade rules are
# all disabled in this export.
# NOTE(review): vlan-filtering=yes is set on bridge3-Hotspot, but this export
# shows no bridge VLAN entries and /interface vlan is empty. Confirm this is
# intended.
/interface bridge
add name=bridge3-Hotspot vlan-filtering=yes
add name=loopback1
/interface ethernet
set [ find default-name=ether1 ] disabled=yes name=ether1-ISP1
set [ find default-name=ether2 ] name=ether2-Hotspot
set [ find default-name=ether3 ] disabled=yes mac-address=
set [ find default-name=ether9 ] disabled=yes
set [ find default-name=ether10 ] name=ether10-LAN poe-out=off
/interface vlan
/interface ethernet switch port
# LAN2 and WAN2 are created but receive no members in this export.
/interface list
add name=WAN
add name=LAN
add name=LAN2
add name=WAN2
# NOTE(review): login-by includes http-pap, which submits the password in plain
# text when the login page is served over HTTP. Subscribers share the Hotspot
# segment, so prefer http-chap (or an HTTPS login) and drop http-pap if nothing
# depends on it. mac-cookie re-admits a device by MAC address, which a client
# can change.
/ip hotspot profile
add dns-name=rc.pisowifi hotspot-address=10.0.0.1 html-directory=public \
http-cookie-lifetime=1d login-by=cookie,http-chap,http-pap,mac-cookie \
name=hsprof1
/ip kid-control
add name=kid1
/ip pool
add name=dhcp_pool ranges=10.0.3.1-10.0.10.254
add name=pool-pppoe ranges=192.168.5.10-192.168.5.254
/ip dhcp-server
add address-pool=dhcp_pool disabled=no interface=bridge3-Hotspot lease-time=\
1d name=dhcp1
/ip hotspot
add address-pool=dhcp_pool addresses-per-mac=1 disabled=no interface=\
bridge3-Hotspot name=hotspot1 profile=hsprof1
# PPPoE speed tiers. only-one=yes limits each secret to one concurrent session.
# The section is split around /queue simple, presumably because the 10MBPS and
# 50MBPS profiles reference the PPPoE parent queue created there.
/ppp profile
add bridge-learning=yes dns-server=8.8.8.8,8.8.4.4 local-address=192.168.5.1 \
name=30MBPS only-one=yes parent-queue=none rate-limit=32M/32M \
remote-address=pool-pppoe
add bridge-learning=yes dns-server=8.8.8.8,8.8.4.4 local-address=192.168.5.1 \
name=20MBPS only-one=yes parent-queue=none rate-limit=22M/22M \
remote-address=pool-pppoe
/queue simple
add name=Hotspot target=bridge3-Hotspot
add name=PPPoE target=192.168.5.0/24
/ppp profile
add bridge-learning=yes dns-server=8.8.8.8,8.8.4.4 idle-timeout=2h \
local-address=192.168.5.1 name=10MBPS only-one=yes parent-queue=PPPoE \
rate-limit=12M/12M remote-address=pool-pppoe
add bridge-learning=yes dns-server=8.8.8.8,8.8.4.4 local-address=192.168.5.1 \
name=50MBPS only-one=yes parent-queue=PPPoE rate-limit=52M/52M \
remote-address=pool-pppoe
/routing ospf instance
add distribute-default=if-installed-as-type-1 name=ospf1 router-id=\
10.254.254.253
/routing ospf area
add instance=ospf1 name=area1
/system logging action
set 0 memory-lines=2000
set 1 disk-file-count=1
/interface bridge port
add bridge=bridge3-Hotspot interface=ether2-Hotspot
add bridge=bridge3-Hotspot interface=ether7
add bridge=bridge3-Hotspot interface=ether8
# NOTE(review): detect-internet is enabled on every interface, including the
# subscriber-facing bridge. Restrict or disable it if it is not needed.
/interface detect-internet
set detect-interface-list=all
/interface list member
add interface=ether1-ISP1 list=WAN
add interface=ether2-Hotspot list=LAN
add disabled=yes interface=ether3 list=WAN
add interface=bridge3-Hotspot list=LAN
# The PPPoE server listens on the same bridge as the Hotspot, so both subscriber
# types share one layer-2 segment.
# NOTE(review): no authentication= value is set, so the RouterOS defaults apply.
# Confirm which PPP authentication methods are actually offered.
/interface pppoe-server server
add default-profile=10MBPS disabled=no interface=bridge3-Hotspot \
one-session-per-host=yes service-name=10MBPS
/ip address
add address=10.0.0.1/18 interface=bridge3-Hotspot network=10.0.0.0
add address=10.254.254.253 interface=loopback1 network=10.254.254.253
add address=10.254.253.2/28 interface=ether4 network=10.254.253.0
# Both DHCP clients sit on interfaces disabled in /interface ethernet above.
# NOTE(review): the ether3 client keeps the default options. If ether3 is ever
# re-enabled it would accept a peer-supplied default route, DNS and NTP, unlike
# the ether1-ISP1 client.
/ip dhcp-client
add add-default-route=no disabled=no interface=ether1-ISP1 use-peer-dns=no \
use-peer-ntp=no
add disabled=no interface=ether3
/ip dhcp-server network
add address=10.0.0.0/18 gateway=10.0.0.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
# Neither list below is referenced by any rule in this export. The list
# not_in_internet, used by the disabled forward rules, is not defined.
/ip firewall address-list
add address=10.0.0.0/18 list="ip all"
add address=192.168.5.0/24 list=PPPoE
# Input chain: accepts established/related and ICMP, drops invalid, and has no
# rule for new connections. RouterOS accepts whatever no rule matches, so
# Hotspot and PPPoE subscribers (untrusted) can reach every enabled service on
# this router, including management.
# NOTE(review): add explicit accepts for what subscribers need (DNS, DHCP,
# Hotspot login, PPPoE), for OSPF on ether4 and for management from a trusted
# source, then end the chain with a drop.
# Forward chain: every drop rule is disabled, leaving only the
# established/related accept. Nothing here filters subscriber traffic towards
# the 10.254.x inter-router addresses.
/ip firewall filter
add action=passthrough chain=unused-hs-chain comment=\
"place hotspot rules here" disabled=yes
add action=accept chain=input comment="accept valid input" connection-state=\
established,related
add action=accept chain=input comment="allow icmp(ping)" protocol=icmp
add action=drop chain=input comment="drop invalid input" connection-state=\
invalid log-prefix=invalid
add action=accept chain=forward comment="accept valid forward" \
connection-state=established,related
add action=drop chain=forward comment=\
"drop incoming packets that are not NAT`ted" connection-nat-state=!dstnat \
connection-state=new disabled=yes in-interface=ether1-ISP1 log=yes \
log-prefix=!NAT
add action=drop chain=forward comment=\
"drop incoming from internet which is not public IP" disabled=yes \
in-interface=ether1-ISP1 log=yes log-prefix=!public src-address-list=\
not_in_internet
add action=drop chain=forward comment=\
"drop incoming packets that are not NAT`ted" connection-nat-state=!dstnat \
connection-state=new disabled=yes in-interface=ether3 log=yes log-prefix=\
!NAT
add action=drop chain=forward comment=\
"drop incoming from internet which is not public IP" disabled=yes \
in-interface=ether3 log=yes log-prefix=!public src-address-list=\
not_in_internet
add action=drop chain=output comment=\
"[failover rule] allow 1.0.0.1 ping to isp1 only" disabled=yes \
dst-address=1.0.0.1 out-interface=!ether1-ISP1 protocol=icmp
/ip firewall mangle
# The two active masquerade rules match on source subnet only, with no
# out-interface. Subscriber traffic is therefore translated on whichever
# interface it leaves, including ether4 towards the core router.
# NOTE(review): presumably the core router then sees only 10.254.253.2 as the
# source and masquerades again, hiding per-subscriber addresses from its logs.
# Confirm this double NAT is intended; the alternative is routing the subscriber
# subnets via OSPF.
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment=\
"place hotspot rules here" disabled=yes
add action=masquerade chain=srcnat comment="ISP masquerade" disabled=yes \
out-interface-list=WAN
add action=masquerade chain=srcnat comment="ISP masquerade" disabled=yes \
out-interface=ether3
add action=masquerade chain=srcnat comment="Hotspot masquerade" src-address=\
10.0.0.0/18
add action=masquerade chain=srcnat comment="PPPoE masquerade" src-address=\
192.168.5.0/24
/ip firewall raw
/ip hotspot user
/ip hotspot walled-garden
add comment="place hotspot rules here" disabled=yes
/ip hotspot walled-garden ip
# All static routes are disabled. The default route is presumably learned from
# the core router through OSPF.
/ip route
add comment=ISP1 disabled=yes distance=1 gateway=192.168.254.254
add comment=ISP2 disabled=yes distance=2 gateway=122.154.193.115
add check-gateway=ping comment="netwatch for isp1" disabled=yes distance=1 \
dst-address=1.0.0.1/32 gateway=192.168.254.254
add check-gateway=ping comment="netwatch for isp2" disabled=yes distance=1 \
dst-address=8.8.4.4/32 gateway=122.154.193.115
# NOTE(review): no password appears on these secrets. Either the export hid
# sensitive values or the passwords are empty; verify on the device that every
# PPPoE secret has a strong password.
/ppp secret
add name=K profile=10MBPS service=pppoe
add name=D profile=10MBPS service=pppoe
# NOTE(review): no authentication is configured on the OSPF interfaces. Consider
# setting authentication and authentication-key identically on both routers.
/routing ospf interface
add interface=ether4 network-type=point-to-point
add interface=loopback1 network-type=point-to-point
/routing ospf network
add area=area1 network=10.254.254.253/32
add area=area1 network=10.254.253.0/28
/system ntp client
set enabled=yes primary-ntp=162.159.200.123 secondary-ntp=92.223.73.5 \
server-dns-names=asia.pool.ntp.org