Unfortunately your config has some issues that need clarification.
1. Why is ether2 disabled?
2. Why do you have a VLAN, for what looks like a THIRD WAN pppoe connection? I thought your WAN1 and WAN2 were private IPs from a TP link and D link router??
3. You stated the mikrotik has an IP of 192.168.0.2 but then the bridge uses 192.168.88.1, so nothing is making sense so far.
4. Then later in ip address, the bridge is disabled?? but you have an IP pool for 88 network but disable the address in IP address and enable 192.168.0.2/23 ??
5. can I assume your ether5 IP address is to access the router off bridge if necessary?
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
a. One LAN subnet 192.168.0.0/24
b. ether5 is off-bridge access to configure the router, given IP 192.168.55.1/24 ( just change the ipv4 settings on the laptop/pc to 192.168.55.5 for example and you can access the router )
I will go on the assumption for the following.
You have two WANs and I will remove any pppoe and any vlan; since you didn't mention them, I can only assume they should not be in your config.
+++++++++++++++++++++++++++++++++++++++++++++++++++
c. IP static DNS entry was removed!
d. ipv6 settings disabled.
e. remove routing rules not required
f. adjusted mangles and routes and sourcenat
+++++++++++++++++++
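# 2024-04-19 12:56:23 by RouterOS 7.14.2
#
# model = RB3011UiAS
# serial number = "removed for security reasons"
#
# Proposed replacement config: two WAN uplinks on ether1/ether2 (private
# 172.28.x.0/24 links to the upstream routers), one LAN subnet 192.168.0.0/24
# on the bridge, ether5 kept off-bridge for out-of-band management, PCC load
# balancing for LAN-originated traffic and per-WAN return routing for the
# port-forwarded servers.
/interface bridge
add admin-mac=XX.XX.XX.XX.XX auto-mac=no comment=defconf name=bridge port-cost-mode=short
/interface ethernet
set [ find default-name=ether1 ] comment=ISP1
# ether2 is the second WAN; it must be enabled for the failover and PCC below to do anything.
set [ find default-name=ether2 ] comment=ISP2 disabled=no
set [ find default-name=ether3 ] comment=LAN
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=default-dhcp ranges=192.168.0.10-192.168.0.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge lease-time=10m name=defconf
/routing table
# One table per WAN. The mangle mark-routing rules below must reference exactly
# these names; a routing mark naming a table that does not exist routes nothing.
add fib name=useISP1
add fib name=useISP2
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether6
# NOTE(review): ether7 was a bridge port in the exported config but is absent
# here; add it back if it should carry LAN traffic.
add bridge=bridge comment=defconf ingress-filtering=no interface=ether8
add bridge=bridge comment=defconf ingress-filtering=no interface=ether9
add bridge=bridge comment=defconf ingress-filtering=no interface=ether10
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp1
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=172.28.1.1 interface=ether1 list=WAN
add comment=172.28.2.1 interface=ether2 list=WAN
# ether5 is in LAN so the management subnet gets the same input/forward treatment as the bridge.
add interface=ether5 list=LAN
/ip address
# The router's LAN address must be a host address, not the network address. The
# DHCP network below hands out 192.168.0.1 as gateway and DNS, so that is the
# address the bridge has to carry.
add address=192.168.0.1/24 comment=LAN interface=bridge network=192.168.0.0
add address=172.28.2.2/24 comment=ISP2 interface=ether2 network=172.28.2.0
add address=172.28.1.2/24 comment=ISP1 interface=ether1 network=172.28.1.0
# Off-bridge management address: set a laptop to 192.168.55.x/24 and plug into ether5.
add address=192.168.55.1/24 comment=Ether5 disabled=no interface=ether5 network=192.168.55.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-server network
add address=192.168.0.0/24 dns-server=192.168.0.1 comment=defconf gateway=192.168.0.1
/ip dns
# Remote requests are allowed so LAN clients can use the router as resolver; the
# input filter below accepts port 53 only from the LAN list, so this is not
# reachable from the WAN side.
set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8
/ip firewall address-list
# Admin hosts. Give these devices DHCP static leases so the addresses do not drift.
add address=192.168.0.XX/32 list=Authorized comment="admin desktop"
add address=192.168.0.YY/32 list=Authorized comment="admin laptop wired"
add address=192.168.0.AA/32 list=Authorized comment="admin laptop wifi"
add address=192.168.0.BB/32 list=Authorized comment="admin smartphone/ipad"
add address=192.168.55.0/24 list=Authorized comment="off bridge access"
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# Admin access is tied to the LAN interface list as well as the address list, so
# a packet arriving on a WAN port with a forged 192.168.x source cannot match.
add action=accept chain=input comment="admin access" in-interface-list=LAN src-address-list=Authorized
add action=accept chain=input comment="users DNS services" dst-port=53 protocol=udp in-interface-list=LAN
add action=accept chain=input comment="users DNS services" dst-port=53 protocol=tcp in-interface-list=LAN
# Keep this rule last in the input chain: anything after it is unreachable, and
# placing it before the admin-access rule locks you out.
add action=drop chain=input comment="Drop all else"
# Only unmarked connections are fasttracked. Fasttracked packets skip the mangle
# chains, which would break the PCC and return-path marking below.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes connection-mark=no-mark
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="Drop all else"
/ip firewall mangle
# 1. Connections from outside to the port-forwarded servers: remember which WAN
#    they arrived on so the server's replies leave through the same WAN.
add action=mark-connection chain=forward connection-mark=no-mark in-interface=ether1 \
new-connection-mark=ISP1-Con passthrough=yes
add action=mark-connection chain=forward connection-mark=no-mark in-interface=ether2 \
new-connection-mark=ISP2-Con passthrough=yes
# Routing marks are applied only to packets entering from LAN (the replies).
# Packets arriving from a WAN are delivered to the LAN host by the main table;
# marking them into a per-WAN table would send them back out that table's
# default route instead.
add action=mark-routing chain=prerouting connection-mark=ISP1-Con in-interface-list=LAN \
new-routing-mark=useISP1 passthrough=no
add action=mark-routing chain=prerouting connection-mark=ISP2-Con in-interface-list=LAN \
new-routing-mark=useISP2 passthrough=no
# 2. PCC load balancing for traffic originating on the LAN. in-interface-list=LAN
#    is used because "bridge" is an interface, not an interface list, and
#    out-interface-list=WAN keeps LAN-to-LAN forwards (e.g. ether5 to the bridge)
#    from being marked into a WAN table.
add action=mark-connection chain=forward connection-mark=no-mark \
dst-address-type=!local new-connection-mark=PCCtoWAN1 passthrough=yes \
in-interface-list=LAN out-interface-list=WAN per-connection-classifier=src-address-and-port:2/0 \
comment="Identify Traffic from LAN to go out WAN1"
add action=mark-connection chain=forward connection-mark=no-mark \
dst-address-type=!local new-connection-mark=PCCtoWAN2 passthrough=yes \
in-interface-list=LAN out-interface-list=WAN per-connection-classifier=src-address-and-port:2/1 \
comment="Identify Traffic from LAN to go out WAN2"
# Routing marks must name the tables created under /routing table (useISP1/useISP2).
add action=mark-routing chain=prerouting connection-mark=PCCtoWAN1 in-interface-list=LAN \
new-routing-mark=useISP1 passthrough=no \
comment="Route traffic from PCC to WAN1"
add action=mark-routing chain=prerouting connection-mark=PCCtoWAN2 in-interface-list=LAN \
new-routing-mark=useISP2 passthrough=no \
comment="Route traffic from PCC to WAN2"
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=masquerade chain=srcnat out-interface=ether2
# Port forwards are matched on the WAN address and interface; the forward-chain
# "port forwarding" rule admits only connections that were dst-natted here.
add action=dst-nat chain=dstnat dst-address=172.28.1.2 dst-port=8000 in-interface=ether1 protocol=tcp to-addresses=192.168.0.205
add action=dst-nat chain=dstnat dst-address=172.28.2.2 dst-port=8000 in-interface=ether2 protocol=tcp to-addresses=192.168.0.205
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
/ip route
# main table: ISP1 preferred (distance 1); ISP2 takes over when the ISP1 gateway
# stops answering ping.
add check-gateway=ping distance=1 dst-address=0.0.0.0/0 gateway=172.28.1.1 routing-table=main
add check-gateway=ping distance=2 dst-address=0.0.0.0/0 gateway=172.28.2.1 routing-table=main
# Per-WAN tables used by the routing marks above.
add dst-address=0.0.0.0/0 gateway=172.28.1.1 routing-table=useISP1
add dst-address=0.0.0.0/0 gateway=172.28.2.1 routing-table=useISP2
/lcd
set time-interval=hour
/routing bfd configuration
# multiplier was left blank in the draft; 5 is the value from the exported config.
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5
/system clock
set time-zone-name=Asia/Kuala_Lumpur
/system note
set show-at-login=no
/tool mac-server
# MAC-telnet disabled on every interface; MAC-WinBox stays reachable from LAN only.
set allowed-interface-list=NONE
/tool mac-server mac-winbox
set allowed-interface-list=LAN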
Thanks for your guidance. Below is my exported config file. I found that enabling the "Route traffic from PCC to WAN" rules causes the client devices to lose internet, although a ping to google from the MikroTik terminal succeeds.
1. Why is ether2 disabled?
reply: it should be enabled. At that time, ECMP across the 2 WANs was having some issues.
2. Why do you have a VLAN, for what looks like a THIRD WAN pppoe connection? I thought your WAN1 and WAN2 were private IPs from a TP link and D link router??
reply: the VLAN can be ignored; at that time it was being used for testing purposes.
3. You stated the mikrotik has an IP of 192.168.0.2 but then the bridge uses 192.168.88.1, so nothing is making sense so far.
reply: doesn't this mean that devices on my bridge ports ether3,4,6,7,8,9,10 are able to access the router portal?
4. Then later in ip address, the bridge is disabled?? but you have an IP pool for 88 network but disable the address in IP address and enable 192.168.0.2/23 ??
reply: I no longer need DHCP from the MikroTik, and 192.168.88.1 is also not being used.
5. can I assume your ether5 IP address is to access the router off bridge if necessary?
reply: can I allow ether3,4,5,6,7,8,9,10 to access the router?
My current router configuration is below.
[admin@MikroTik] /ip/firewall/mangle> /export
# 2024-04-23 20:42:50 by RouterOS 7.14.2
# software id = 241T-8R6Y
#
# model = RB3011UiAS
# serial number =
# Exported running config as posted for review. Lines marked "review:" are
# observations on the export, not changes to it.
/interface bridge
add admin-mac= auto-mac=no comment=defconf name=bridge port-cost-mode=short
/interface ethernet
set [ find default-name=ether1 ] comment=ISP1
# review: ether2 (ISP2) carries no disabled= flag in this export.
set [ find default-name=ether2 ] comment=ISP2
set [ find default-name=ether3 ] comment=LAN
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/ip pool
# review: the pool is still in 192.168.88.0/24 while the bridge address below is
# 192.168.0.2/23; the DHCP server is disabled, so the pool is unused.
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp disabled=yes interface=bridge lease-time=10m name=defconf
/port
set 0 name=serial0
/routing table
add fib name=ISP1
add fib name=ISP2
# review: no mangle, route or routing rule in this export references asterisk-traffic.
add disabled=no fib name=asterisk-traffic
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether6 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether7 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether8 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether9 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether10 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp1 internal-path-cost=10 path-cost=10
# review: ether5 is neither a bridge port nor a LAN list member in this export.
add bridge=bridge ingress-filtering=no interface=ether3 internal-path-cost=10 path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface list member
add comment=defconf interface=bridge list=LAN
# review: the comments record the upstream gateway addresses (172.28.1.1 / 172.28.2.1).
add comment=172.28.1.1 interface=ether1 list=WAN
add comment=172.28.2.1 interface=ether2 list=WAN
/interface ovpn-server server
# review: md5 is listed as an accepted auth digest. Whether the OVPN server is
# enabled is not shown in this export; if it is, md5 should be dropped from the list.
set auth=sha1,md5
/ip address
# review: /23 covers 192.168.0.0-192.168.1.255, wider than the /24 described in
# the thread; every host the dst-nat rules below point at is in 192.168.0.x.
add address=192.168.0.2/23 comment=LAN interface=bridge network=192.168.0.0
add address=172.28.2.2/24 comment=ISP2 interface=ether2 network=172.28.2.0
add address=172.28.1.2/24 comment=ISP1 interface=ether1 network=172.28.1.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-server network
/ip dns
# review: remote requests are allowed; the input filter below drops everything
# not arriving from the LAN list, so the resolver is reachable from LAN only.
set allow-remote-requests=yes servers=8.8.8.8
/ip dns static
# review: no interface holds 192.168.88.1 in this export, so router.lan resolves
# to an address the router does not have.
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall address-list
# review: neither list is referenced by any filter, mangle or nat rule in this
# export, so the Banned entry currently blocks nothing.
add address=192.168.0.200 list=asterisk
add address=95.214.55.253 comment="Not Malaysia IP" list=Banned
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# review: default input policy - management, DNS and everything else on the
# router itself is only reachable from LAN-list interfaces.
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
# review: fasttrack has no connection-mark=no-mark condition. Packets of a
# fasttracked connection bypass the mangle chains, so once established, the
# connections the PCC rules below mark are presumably no longer seen by mangle.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
# review: only dst-natted new connections from WAN are forwarded; the forward
# chain has no explicit LAN-to-WAN accept, so it relies on the default accept.
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall mangle
# review: the routing-mark names used here (ISP1/ISP2) match the tables under
# /routing table, so the marks resolve to a table.
add action=mark-connection chain=forward connection-mark=no-mark in-interface=ether1 new-connection-mark=ISP1-Con passthrough=yes
add action=mark-connection chain=forward connection-mark=no-mark in-interface=ether2 new-connection-mark=ISP2-Con passthrough=yes
# review: these mark-routing rules carry no in-interface condition, so they act
# on packets entering from ether1/ether2 as well as on the LAN-side replies; a
# packet marked into a table whose only route is 0.0.0.0/0 presumably follows
# that route rather than the main-table connected route to the LAN host.
add action=mark-routing chain=prerouting connection-mark=ISP1-Con new-routing-mark=ISP1 passthrough=no
add action=mark-routing chain=prerouting connection-mark=ISP2-Con new-routing-mark=ISP2 passthrough=no
add action=mark-connection chain=forward comment="Identify Traffic from LAN to go out WAN1" connection-mark=no-mark dst-address-type=!local in-interface-list=LAN \
new-connection-mark=PCCtoWAN1 passthrough=yes per-connection-classifier=src-address-and-port:2/0
add action=mark-connection chain=forward comment="Identify Traffic from LAN to go out WAN2" connection-mark=no-mark dst-address-type=!local in-interface-list=LAN \
new-connection-mark=PCCtoWAN2 passthrough=yes per-connection-classifier=src-address-and-port:2/1
# review: these are the two rules reported to cut client internet when enabled;
# they are disabled in this export and, like the rules above, have no
# in-interface condition.
add action=mark-routing chain=prerouting comment="Route traffic from PCC to WAN1" connection-mark=PCCtoWAN1 disabled=yes new-routing-mark=ISP1 passthrough=no
add action=mark-routing chain=prerouting comment="Route traffic from PCC to WAN2" connection-mark=PCCtoWAN2 disabled=yes new-routing-mark=ISP2 passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface=ether1
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface=ether2
# review: tcp/8000, tcp/3389 (RDP), tcp/80 and tcp/81 are forwarded from both WAN
# links, and tcp/8889 from ISP1, to LAN hosts. The WAN addresses here are RFC1918
# (172.28.x.x), so real exposure depends on what the upstream routers forward to
# them; RDP reachable from outside is the entry to watch most closely.
add action=dst-nat chain=dstnat dst-address=172.28.1.2 dst-port=8000 in-interface=ether1 protocol=tcp to-addresses=192.168.0.205 to-ports=8000
add action=dst-nat chain=dstnat dst-address=172.28.2.2 dst-port=8000 in-interface=ether2 protocol=tcp to-addresses=192.168.0.205 to-ports=8000
add action=dst-nat chain=dstnat dst-address=172.28.1.2 dst-port=3389 in-interface=ether1 protocol=tcp to-addresses=192.168.0.216 to-ports=3389
add action=dst-nat chain=dstnat dst-address=172.28.2.2 dst-port=3389 in-interface=ether2 protocol=tcp to-addresses=192.168.0.216 to-ports=3389
# review: external port 81 on ISP1 but 80 on ISP2 both map to 192.168.0.216:80 -
# confirm the asymmetry is intended.
add action=dst-nat chain=dstnat dst-address=172.28.1.2 dst-port=81 in-interface=ether1 protocol=tcp to-addresses=192.168.0.216 to-ports=80
add action=dst-nat chain=dstnat dst-address=172.28.2.2 dst-port=80 in-interface=ether2 protocol=tcp to-addresses=192.168.0.216 to-ports=80
add action=dst-nat chain=dstnat comment=AnnCRM dst-address=172.28.1.2 dst-port=8889 in-interface=ether1 protocol=tcp to-addresses=192.168.0.215 to-ports=8080
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
/ip route
# review: main table - ISP1 at distance 1, ISP2 at distance 2, both with ping
# gateway checks, so failover happens by distance.
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=172.28.1.1 pref-src="" routing-table=main suppress-hw-offload=no
add check-gateway=ping disabled=no distance=2 dst-address=0.0.0.0/0 gateway=172.28.2.1 pref-src="" routing-table=main suppress-hw-offload=no
# review: the ISP1 table route has check-gateway=ping but the ISP2 table route
# does not, so a dead ISP2 gateway is not detected for ISP2-marked traffic.
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=172.28.1.1 pref-src="" routing-table=ISP1 scope=30 suppress-hw-offload=no target-scope=\
10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=172.28.2.1 pref-src="" routing-table=ISP2 scope=30 suppress-hw-offload=no target-scope=10
/lcd
set time-interval=hour
/routing bfd configuration
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5
/routing rule
# review: src-address 172.28.2.1 / 172.28.1.1 are the upstream gateway addresses
# (per the WAN list comments), not this router's 172.28.x.2 addresses, so it is
# unclear what these rules are meant to match; the ISP2 rule is disabled.
add action=lookup disabled=yes routing-mark=ISP2 src-address=172.28.2.1/32 table=ISP2
add action=lookup disabled=no routing-mark=ISP1 src-address=172.28.1.1/32 table=ISP1
/system clock
set time-zone-name=Asia/Kuala_Lumpur
/system note
set show-at-login=no
/tool mac-server
# review: MAC-telnet and MAC-WinBox are both reachable from LAN-list interfaces.
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool sniffer
# review: a sniffer filter for one external source on ether2 is left configured;
# looks like a leftover diagnostic setting.
set filter-interface=ether2 filter-src-ip-address=113.210.63.230/32