DNS Resolution Issues with two ISPs on RB4011iGS+ OS 7.11.2

leandrosucesso · Thu Oct 05, 2023 4:34 am

Hello everyone,

My name is Leandro, and I'm experiencing a puzzling DNS resolution problem on my MikroTik RB4011iGS+ running RouterOS version 7.11.2.

I have two internet providers: NET and Vivo. I've set up policy-based routing to direct specific devices through either the NET or Vivo connection. Direct connections to either NET or Vivo work flawlessly, as does the general connection through the MikroTik. The issue only arises when I implement this rule to direct specific devices to each of the ISPs.

Configuration Details:
To achieve policy-based routing, I've set up the following:

/ip dns
set allow-remote-requests=yes servers=1.1.1.1,1.0.0.1

/ip dhcp-client
add add-default-route=no interface=Net use-peer-dns=no

/ip firewall nat
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=1433 in-interface-list=WAN protocol=tcp src-address-list=Liberado to-addresses=192.168.1.12 to-ports=1433
add action=dst-nat chain=dstnat dst-port=3389 in-interface-list=WAN protocol=tcp src-address-list=Liberado to-addresses=192.168.1.10 to-ports=3389
add action=dst-nat chain=dstnat dst-port=3392 in-interface-list=WAN protocol=tcp src-address-list=Liberado to-addresses=192.168.1.12 to-ports=3389
add action=dst-nat chain=dstnat dst-port=3391 in-interface-list=WAN protocol=tcp src-address-list=Liberado to-addresses=192.168.0.11 to-ports=3389
add action=dst-nat chain=dstnat dst-port=80 in-interface-list=WAN protocol=tcp to-addresses=192.168.1.12 to-ports=80

Mangle Rules:
/ip firewall mangle
add action=mark-routing chain=prerouting new-routing-mark=net-route src-address-list=Net
add action=mark-routing chain=prerouting new-routing-mark=vivo-route src-address-list=Vivo

Routing Tables:
/routing table
add name=net-out FIB
add name=vivo-out FIB

Routes:
/ip route
add disabled=no distance=2 dst-address=0.0.0.0/0 gateway=201.82.144.1 pref-src="" routing-table=net-out scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=pppoe-vivo pref-src="" routing-table=vivo-out scope=30 suppress-hw-offload=no target-scope=10

"When I change the routing-table for main, everything starts working normally again, but all traffic goes only through the route with distance 1"

Routing Rules:
/routing rule
add routing-mark=net-route action=lookup table=net-out
add routing-mark=vivo-route action=lookup table=vivo-out
Problem:
When a device is routed through the NET connection via the MikroTik, it's unable to resolve domain names. When I ping or access a direct IP address, it works correctly, but DNS resolution fails. Running nslookup with the MikroTik as the DNS server results in a timeout, but using an external DNS (like 8.8.8.

directly works as expected.

Steps Already Taken:

Confirmed the MikroTik is set to use Google's DNS servers (8.8.8.8 and 8.8.4.4).
Ensured there are no firewall rules that would block DNS traffic.
Set up masquerade rules for DNS traffic.
Ensured DHCP is providing the MikroTik's IP as the DNS server to clients.
Despite all these attempts, the issue persists. I'm wondering if anyone else has faced a similar issue or if there are any other suggestions on how to diagnose and solve this problem.

Thank you for your assistance!

leandrosucesso · Thu Oct 05, 2023 11:04 pm

Help please

When I enable the rule to select the internet based on the clients, the clients that are on the route with distance = 2, have no navigation due to the DNS not resolving. Those on the route with distance 1 work normally. Then, when I disable this rule and route everything through the same internet, everything works fine.

raphaps · Thu Oct 05, 2023 11:28 pm

Export your complete configuration so we can review it. Delete the serial number and access passwords.

leandrosucesso · Thu Oct 05, 2023 11:51 pm

[Leandro@MikroTik] > export
# 2023-10-05 17:40:17 by RouterOS 7.11.2
# model = RB4011iGS+
/interface bridge
add admin-mac=48:A9:8A:B3:12:A5 auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] mac-address=48:A9:8A:B3:12:B4 name=Net
set [ find default-name=ether2 ] name=Vivo
/interface pppoe-client
add allow=pap,chap disabled=no interface=Vivo name=pppoe-vivo use-peer-dns=yes user=cliente@cliente
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=pool1 ranges=192.168.1.20-192.168.1.254
/ip dhcp-server
add address-pool=pool1 interface=bridge lease-time=10h name=dhcp1
/port
set 0 name=serial0
set 1 name=serial1
/routing table
add disabled=no fib name=net-out
add disabled=no fib name=vivo-out
/interface bridge port
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=Net list=WAN
add interface=pppoe-vivo list=WAN
/ip address
add address=192.168.1.1/24 comment=defconf interface=bridge network=192.168.1.0
/ip dhcp-client
add add-default-route=no comment=defconf interface=Net
/ip dhcp-server lease
add address=192.168.1.10 mac-address=50:EB:F6:2C:5C:50 server=dhcp1
add address=192.168.1.12 mac-address=74:56:3C:72:B6:87 server=dhcp1
add address=192.168.1.14 mac-address=00:0C:29:45:46:0A server=dhcp1
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.1.1 gateway=192.168.1.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,1.0.0.1
/ip dns static
add address=192.168.1.1 comment=defconf disabled=yes name=router.lan
/ip firewall address-list
add address=54.94.110.72 list=Liberado
add address=ts.leandrosucesso.com list=Liberado
add address=192.168.1.0/24 list=Vivo
add address=192.168.1.10 list=Net
add address=192.168.1.12 list=Vivo
add address=177.194.66.57 comment="B2 Net" list=Liberado
add address=177.45.211.26 comment="B2 Vivo" list=Liberado
/ip firewall filter
add action=accept chain=input comment="Allow DNS UDP" protocol=udp src-port=53
add action=accept chain=input comment="Allow DNS TCP" protocol=tcp src-port=53
add action=accept chain=output dst-port=53 protocol=udp
add action=accept chain=output dst-port=53 protocol=tcp
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment=Winbox dst-port=8291 in-interface-list=WAN log=yes log-prefix=Winbox- protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=mark-routing chain=prerouting new-routing-mark=net-out passthrough=no src-address-list=Net
add action=mark-routing chain=prerouting new-routing-mark=vivo-out passthrough=yes src-address-list=Vivo
/ip firewall nat
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=1433 in-interface-list=WAN protocol=tcp src-address-list=Liberado to-addresses=192.168.1.12 to-ports=1433
add action=dst-nat chain=dstnat dst-port=3389 in-interface-list=WAN protocol=tcp src-address-list=Liberado to-addresses=192.168.1.10 to-ports=3389
add action=dst-nat chain=dstnat dst-port=3392 in-interface-list=WAN protocol=tcp src-address-list=Liberado to-addresses=192.168.1.12 to-ports=3389
add action=dst-nat chain=dstnat dst-port=3391 in-interface-list=WAN protocol=tcp src-address-list=Liberado to-addresses=192.168.1.11 to-ports=3389
add action=dst-nat chain=dstnat dst-port=22 in-interface-list=WAN protocol=tcp src-address-list=Liberado to-addresses=192.168.1.14 to-ports=22
add action=dst-nat chain=dstnat dst-port=80 in-interface-list=WAN protocol=tcp to-addresses=192.168.1.14 to-ports=80
add action=dst-nat chain=dstnat dst-port=443 in-interface-list=WAN protocol=tcp to-addresses=192.168.1.14 to-ports=443
/ip firewall service-port
set tftp disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
/ip route
add disabled=no distance=2 dst-address=0.0.0.0/0 gateway=201.82.144.1 pref-src="" routing-table=net-out scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=pppoe-vivo pref-src="" routing-table=vivo-out scope=30 suppress-hw-offload=no target-scope=10
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/routing rule
add action=lookup disabled=no routing-mark=net-out table=net-out
add action=lookup disabled=no routing-mark=vivo-out table=vivo-out
/system clock
set time-zone-name=America/Sao_Paulo
/system note
set show-at-login=no
/system routerboard settings
set enter-setup-on=delete-key
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

raphaps · Fri Oct 06, 2023 12:30 am

Set dns 8.8.8.8 on the dhcp-server where you only defined the router gateway.

/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.1.1 gateway=192.168.1.1 netmask=24

You are only able to browse the Vivo link because you configured pppoe-client with yes in user-peer-dns. The Net link is not having navigation because it may not be receiving the dns in the dhcp, and in addition, you removed the dns from it, leaving only 1.1.1.1 and 1.0.0.1.

/interface pppoe-client
add allow=pap,chap disabled=no interface=Vivo name=pppoe-vivo use-peer-dns=yes user=cliente@cliente

/ip dns
set allow-remote-requests=yes servers=1.1.1.1,1.0.0.1

Therefore, you must make these configuration changes. If you always want to manage the router's DNS, disable use-peer-dns in pppoe-client and set the dns addresses as you did.

If you want devices on your network to use external DNS, change the dhcp-server configuration:

/ip dhcp-server network
add address=192.168.1.0/24 dns-server=8.8.8.8 gateway=192.168.1.1 netmask=24

raphaps · Fri Oct 06, 2023 1:23 am

I analyzed your post better and I think I understood your problem better. In the rule:

/ip firewall mangle
add action=mark-routing chain=prerouting new-routing-mark=net-out passthrough=no src-address-list=Net

Change it to:

/ip firewall mangle
add action=mark-routing chain=prerouting dst-address=!192.168.1.1 new-routing-mark=net-out passthrough=no src-address-list=Net

This way, you can only use the gateway as a DNS server in the dhcp-server.

leandrosucesso · Fri Oct 06, 2023 3:03 am

Good evening, friend. First and foremost, I'd like to thank you for helping me out.
I implemented the suggested change in mangles. The NET, which wasn't resolving DNS before, started to do so, but the navigation became extremely slow. Vivo, on the other hand, stopped navigating altogether, although it still pings IPs. However, it doesn't resolve DNS.

raphaps · Fri Oct 06, 2023 3:16 am

Add the "not" in dst-address to both rules, leaving it like this:

/ip firewall mangle
add action=mark-routing chain=prerouting dst-address=!192.168.1.1 new-routing-mark=net-out passthrough=no src-address-list=Net

/ip firewall mangle
add action=mark-routing chain=prerouting dst-address=!192.168.1.1 new-routing-mark=vivo-out passthrough=yes src-address-list=Vivo

In theory, access shouldn't be slow, change DNS addresses to see if it's better, also check the ping latency as it is.

leandrosucesso · Fri Oct 06, 2023 4:05 am

Yes, I did that. I set !192.168.1.1 for both Vivo and Net. However, the Net connection becomes extremely slow, and Vivo doesn't resolve DNS.

Below are the pings. The first one is with the route table set to 'main', and the second one is with the route table set to 'net-out'.

--net-out
Resposta de 8.8.8.8: bytes=32 tempo=20ms TTL=54
Resposta de 8.8.8.8: bytes=32 tempo=21ms TTL=54
Resposta de 8.8.8.8: bytes=32 tempo=22ms TTL=54
Resposta de 8.8.8.8: bytes=32 tempo=21ms TTL=54

---main
Resposta de 8.8.8.8: bytes=32 tempo=11ms TTL=60
Resposta de 8.8.8.8: bytes=32 tempo=10ms TTL=60
Resposta de 8.8.8.8: bytes=32 tempo=10ms TTL=60
Resposta de 8.8.8.8: bytes=32 tempo=10ms TTL=60

raphaps · Fri Oct 06, 2023 4:17 am

Export your complete route table. The latency of the pings will be different because the main is going out through Vivo and the net-out through the Net.

leandrosucesso · Fri Oct 06, 2023 4:44 am

Right, my routes below:

/ip route
add disabled=no distance=2 dst-address=0.0.0.0/0 gateway=201.82.144.1 pref-src=\
    "" routing-table=net-out scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=pppoe-vivo pref-src="" \
    routing-table=vivo-out scope=30 suppress-hw-offload=no target-scope=10

/routing table
add disabled=no fib name=net-out
add disabled=no fib name=vivo-out

/routing rule
add action=lookup disabled=no routing-mark=net-out table=net-out
add action=lookup disabled=no routing-mark=vivo-out table=vivo-out

raphaps · Fri Oct 06, 2023 5:00 am

Is this your complete ip/route export? I'm not seeing the main table in your configuration. Another point, change this setting, leave the passthrough option as:

/ip firewall mangle
add action=mark-routing chain=prerouting dst-address=!192.168.1.1 new-routing-mark=vivo-out passthrough=no src-address-list=Vivo

Disable the routing rule for now, until your configuration works, then enable it again.

/routing rule
add action=lookup disabled=yes routing-mark=net-out table=net-out
add action=lookup disabled=yes routing-mark=vivo-out table=vivo-out

leandrosucesso · Fri Oct 06, 2023 5:13 am

The main is a default table, which is why it does not appear in export.

I made the changes you mentioned. Passthrough = no and I disabled routing

raphaps · Fri Oct 06, 2023 5:20 am

Still not working?

If it still doesn't work, define just a single address for each marking routing and test again. Disable the address list 192.168.1.0/24.

/ip firewall address-list
add address=192.168.1.10 list=Net
add address=192.168.1.12 list=Vivo

In ip/route change the pppoe-Vivo gateway to the Vivo gateway address. And leave the distance for both at 1. Disable the default routes.

/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=201.82.144.1 pref-src="" routing-table=net-out scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=pppoe-vivo pref-src="" routing-table=vivo-out scope=30 suppress-hw-offload=no target-scope=10

leandrosucesso · Fri Oct 06, 2023 6:08 am

Yes, still not working

I made the changes. but still have the same problem. I did a download test and not even 1Mb is arriving. Then when I return the routes to main, everything goes back to normal. but leaving only through a single link. On OS V6 it worked perfectly.

raphaps · Fri Oct 06, 2023 6:25 am

This configuration is theoretically simple to do, not much has changed from version 6 to 7. I have a similar configuration in my environment that works normally using version 7.11.2, the difference is that there are 3 links balancing the load on two networks /25. I suggest disabling the firewall rules and redoing the settings from scratch, something may be going unnoticed.

llamajaja · Fri Oct 06, 2023 3:11 pm

(1) Remove this static dns setting, not required.
/ip dns static
add address=192.168.1.1 comment=defconf disabled=yes name=router.lan

(2) This is useless....... If you are trying to identify two different groups of users (to use the two different WANs)
You have listed the entire subnet!! For example it makes the third entry REDUNDANT.
For a whole subnet, much better to use dst or src-address=subnet

add address=192.168.1.0/24 list=Vivo
add address=192.168.1.10 list=Net
add address=192.168.1.12 list=Vivo

(3) Dont like your firewall rule order for input chain.. Also since you already provide access to users for needed services,
why do you keep the default rule that allows the same but all users to all services including config of the router??? Illogical and prefer:
Worst is the security infraction as you give access to winbox to the WAN side, SECURITY ALERT!
no need for dns output chain rules................. weird to do so........
Also another Security FAUX PAS, do not allowe external access to your DNS

/ip firewall filter
{default rules to keep}
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
{admin rules}
add action=accept chain=input comment="Admin config access" src-address-list=Authorized
add action=accept chain=input comment="Allow DNS UDP" protocol=udp src-port=53 in-interface-list=LAN
add action=accept chain=input comment="Allow DNS TCP" protocol=tcp src-port=53 in-interface-list=LAN
add action=drop chain=input comment="Drop All Else" { Do not enter this rule until you have the allow rule above and firewall address list created }

For the firewall address list of Authorized, ensure any admin device (desktop, laptop, smartphone, ipad) gets a static DHCP lease!
/ip firewall address-list
add address=Admin-IP1 list=Authorized comment="Admin desktop wired"
add address=Admin-IP2 list=Authorized comment="Admin laptop-wifi"
add address=Admin-IP3 list=Authorized comment="Admin smartphone-wifi"
etc..

Will look at mangles, routes , later.........have a lunch date LOL.

llamajaja · Fri Oct 06, 2023 6:51 pm

Looking at mangling,,,,,,, I will assume the following.
a. there are no local LAN servers that external users are accessing.
b. there are no external users using Router services ( no incoming vpn handshakes to the router ).
c. There is only ONE user that needs special treatment to go out NET as the rest of the LAN users are going out VIVO

Since your explanation of these groups is so poor, what else can one conclude...............
There is no requirement expressed for failover either.
- what happens when WAN1 fails?
- what happes when WAN2 fails?

In conclusion, remove mangling.
This is all you need.

/ip route
add distance=5 check-gateway=ping dst-addresss=0.0.0.0/0 gateway=VIVO-gateway-IP routing-table=main
add distance=10 dst-addresss=0.0.0.0/0 gateway=NET-gateway-IP routing-table=main

All users will be routed out vivo as it has the lower distance. If VIVO is not available all users will go to NET.
When VIVO comes back-up users will be re-directed back to VIVO

Now lets deal with user that needs to go out NET as per your config.
/routing table add fib table=useNET

/routing rule add action=lookup src-address=192.168.1.12 table=useNET

Note: Because we dont use (lookup-only-in-table) for action, the user at .12, will be able to access VIVO if the NET connection is not available as the action (lookup) means the router will go to the main table to find an alternate route if useNET is not available.

Finally, the additional route.......
/ip route
add distance=5 check-gateway=ping dst-addresss=0.0.0.0/0 gateway=VIVO-gateway-IP routing-table=main
add distance=10 dst-addresss=0.0.0.0/0 gateway=NET-gateway-IP routing-table=main
add dst-addresss=0.0.0.0/0 gateway=NET-gateway-IP routing-table=useNET

Minor Point:

TOOL mac-server by itself is not a secure access method and should be set to NONE.
/tool mac-server
set allowed-interface-list=NONE
/tool mac-server mac-winbox
set allowed-interface-list=LAN

leandrosucesso · Mon Oct 09, 2023 4:13 pm

Good morning friends, how are you?

Yesterday I reset the settings and configured everything from scratch. But I had the same problem.
Then I did what @llamajaja indicated:

/iproute
add distance=5 check-gateway=ping dst-addresses=0.0.0.0/0 gateway=VIVO-gateway-IP routing-table=main
add distance=10 dst-addresses=0.0.0.0/0 gateway=NET-gateway-IP routing-table=main
add distance=1 dst-addresss=0.0.0.0/0 gateway=NET-gateway-IP routing-table=useNET

/routing table add fib table=useNET

/routing rule add action=lookup src-address=192.168.1.12 table=useNET

And I disabled all the mangles!

It worked, but it didn't resolve DNS, so I manually set DNS 1.1.1.1 to IP DNS. And it worked perfectly!!

Thank you very much @llamajaja and @raphaps for help!

DNS Resolution Issues with two ISPs on RB4011iGS+ OS 7.11.2

DNS Resolution Issues with two ISPs on RB4011iGS+ OS 7.11.2

Re: DNS Resolution Issues with two ISPs on RB4011iGS+ OS 7.11.2

Re: DNS Resolution Issues with two ISPs on RB4011iGS+ OS 7.11.2

Re: DNS Resolution Issues with two ISPs on RB4011iGS+ OS 7.11.2

Re: DNS Resolution Issues with two ISPs on RB4011iGS+ OS 7.11.2

Re: DNS Resolution Issues with two ISPs on RB4011iGS+ OS 7.11.2

Re: DNS Resolution Issues with two ISPs on RB4011iGS+ OS 7.11.2

Re: DNS Resolution Issues with two ISPs on RB4011iGS+ OS 7.11.2

Re: DNS Resolution Issues with two ISPs on RB4011iGS+ OS 7.11.2

Re: DNS Resolution Issues with two ISPs on RB4011iGS+ OS 7.11.2

Re: DNS Resolution Issues with two ISPs on RB4011iGS+ OS 7.11.2

Re: DNS Resolution Issues with two ISPs on RB4011iGS+ OS 7.11.2

Re: DNS Resolution Issues with two ISPs on RB4011iGS+ OS 7.11.2

Re: DNS Resolution Issues with two ISPs on RB4011iGS+ OS 7.11.2

Re: DNS Resolution Issues with two ISPs on RB4011iGS+ OS 7.11.2

Re: DNS Resolution Issues with two ISPs on RB4011iGS+ OS 7.11.2

Re: DNS Resolution Issues with two ISPs on RB4011iGS+ OS 7.11.2

Re: DNS Resolution Issues with two ISPs on RB4011iGS+ OS 7.11.2

Re: DNS Resolution Issues with two ISPs on RB4011iGS+ OS 7.11.2

Who is online