newbie54321
newbie
Topic Author
Posts: 30
Joined: Sun Oct 01, 2023 9:08 pm

simple port forward not working!!!

Fri May 10, 2024 2:59 pm

hi,
I purchased an RB4011iGS+RM a few months ago. It is a 10-port gigabit switch-like router. I have started from a clean slate (no defconfig).
I have watched some YouTube videos and successfully configured 3 DHCP clients on port 1, port 2, port 3, with per-connection classifier rules in the firewall.
I want to make 2 separate networks with the 3 ISPs, i.e. ISP1 and ISP3 (ether1, ether3) in one network with access to ONLY ports 4,5,9,10, AND the other ISP2 (ether2) in another network with access to ONLY ports 6,7,8. I successfully configured this and the 2 networks were working fine, BUT I wanted to forward a port from ISP2 to its second network, and this did NOT work. Can anyone help me?
I want the two DHCP servers (or VLANs) to send traffic to their respective separate ISPs. I want no communication between the 2 networks.
BTW, what I am doing is testing an OpenVPN and WireGuard server, i.e. the server is in vlan2 and I am connecting to it from a client which is in vlan1. Thus I cannot have vlan1 use ISP2 or vlan2 use ISP1/ISP3. The VLANs should have their separate ISPs. The forwarded traffic must go 'out' from vlan2 to ISP2 and come 'in' through the other ISPs on a vlan1 PC.
The VPN is for remote clients coming in on a particular WAN.
The VPN is for accessing the office/vlan2 network from outside. vlan2 has a single server and other normal PCs.
The 'outside' network (having WireGuard client software on a Windows PC) is supposed to be vlan1. vlan1 has a PC with the WireGuard client. This client is tunneling/connecting to the server in vlan2.
The traffic should go from one WAN to another and NOT directly from one subnet/LAN to the other subnet (skipping the WAN). Thus I did not include vlan2 in the "LAN" list. It has its own list called "LANhathway".
This "LANhathway" list is used for outbound connections to WAN2 (firewall mangle rule). I don't want vlan2 to use WAN1 or WAN3. It should strictly use WAN2. WAN2/ISP2 has a static IP that I can use for the WireGuard server.
BTW, do I need to allow WireGuard packets (i.e. some special rule) to flow through the MikroTik? I am using a WireGuard client (in vlan1) to dial a connection to the WireGuard server (in vlan2).
BTW, I had posted my problem in another post in the 'Beginner Basics' section. Forum member 'Anav' simply stopped responding :-|
Someone please help. I don't want any VPN or wbg or such complex things from the router. Please help.
My current config:
# 2024-04-26 16:39:55 by RouterOS 7.11.2
# software id = xxxxx
#
# model = RB4011iGS+
# serial number = xxxxx
/interface bridge
add name=bridge1 vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=ether1-YOUbroad
set [ find default-name=ether2 ] name=ether2-hathway
set [ find default-name=ether3 ] name=ether3-TataPLAY
/interface vlan
add interface=bridge1 name=vlan1 vlan-id=10
add interface=bridge1 name=vlan2Hathwaywala vlan-id=20
/interface list
add name=WAN
add name=LAN
add name=LANhathway
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool3 ranges=192.168.9.100-192.168.9.254
add name=dhcp_pool4 ranges=192.168.12.100-192.168.12.200
/ip dhcp-server
add address-pool=dhcp_pool3 interface=vlan1 name=dhcp1
add address-pool=dhcp_pool4 interface=vlan2Hathwaywala name=dhcp2
/port
set 0 name=serial0
set 1 name=serial1
/routing table
add disabled=no fib name=toYOUbroad
add disabled=no fib name=tohathway
add disabled=no fib name=toTataPLAYy
/interface bridge port
add bridge=bridge1 interface=ether4 pvid=10
add bridge=bridge1 interface=ether5 pvid=10
add bridge=bridge1 interface=ether6 pvid=20
add bridge=bridge1 interface=ether7 pvid=20
add bridge=bridge1 interface=ether8 pvid=20
add bridge=bridge1 interface=ether9 pvid=10
add bridge=bridge1 interface=ether10 pvid=10
/interface bridge vlan
add bridge=bridge1 tagged=bridge1 untagged=ether4,ether5,ether9,ether10 \
vlan-ids=10
add bridge=bridge1 tagged=bridge1 untagged=ether6,ether7,ether8 vlan-ids=20
/interface list member
add interface=ether1-YOUbroad list=WAN
add interface=ether2-hathway list=WAN
add interface=ether3-TataPLAY list=WAN
add interface=vlan1 list=LAN
add interface=vlan2Hathwaywala list=LANhathway
/ip address
add address=192.168.9.9/24 interface=vlan1 network=192.168.9.0
add address=192.168.12.12/24 interface=vlan2Hathwaywala network=192.168.12.0
/ip dhcp-client
add add-default-route=no interface=ether1-YOUbroad
add add-default-route=no interface=ether2-hathway
add add-default-route=no interface=ether3-TataPLAY
/ip dhcp-server network
add address=192.168.9.0/24 dns-server=208.67.222.222,208.67.220.220 gateway=\
192.168.9.9
add address=192.168.12.0/24 dns-server=208.67.222.222,208.67.220.220 gateway=\
192.168.12.12
/ip dns
set servers=208.67.222.222,208.67.220.220
/ip firewall filter
add action=accept chain=forward connection-nat-state=dstnat
add action=accept chain=input connection-nat-state=dstnat
/ip firewall mangle
add action=mark-connection chain=prerouting connection-mark=no-mark \
connection-state=new in-interface=ether1-YOUbroad new-connection-mark=\
ether1-youbroadin passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
connection-state=new in-interface=ether2-hathway new-connection-mark=\
ether2-hathway-in passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
connection-state=new in-interface=ether3-TataPLAY new-connection-mark=\
ether3-tata-in passthrough=yes
add action=mark-routing chain=output connection-mark=ether1-youbroadin \
new-routing-mark=toYOUbroad passthrough=yes
add action=mark-routing chain=output connection-mark=ether2-hathway-in \
new-routing-mark=tohathway passthrough=yes
add action=mark-routing chain=output connection-mark=ether3-tata-in \
new-routing-mark=toTataPLAYy passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
connection-state=new dst-address-type=!local in-interface-list=LAN \
new-connection-mark=toether1-youbroad passthrough=yes \
per-connection-classifier=src-address-and-port:2/1
add action=mark-connection chain=prerouting connection-mark=no-mark \
connection-state=new dst-address-type=!local in-interface-list=LANhathway \
new-connection-mark=toether2-hathway passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
connection-state=new dst-address-type=!local in-interface-list=LAN \
new-connection-mark=toether3-tata passthrough=yes \
per-connection-classifier=src-address-and-port:2/0
add action=mark-routing chain=prerouting connection-mark=toether1-youbroad \
in-interface-list=LAN new-routing-mark=toYOUbroad passthrough=yes
add action=mark-routing chain=prerouting connection-mark=toether2-hathway \
in-interface-list=LANhathway new-routing-mark=tohathway passthrough=yes
add action=mark-routing chain=prerouting connection-mark=toether3-tata \
in-interface-list=LAN new-routing-mark=toTataPLAYy passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1-YOUbroad
add action=masquerade chain=srcnat out-interface=ether2-hathway
add action=masquerade chain=srcnat out-interface=ether3-TataPLAY
add action=dst-nat chain=dstnat dst-port=11111 in-interface-list=WAN \
protocol=tcp to-addresses=192.168.12.200 to-ports=11111
add action=dst-nat chain=dstnat dst-port=11111 in-interface-list=WAN \
protocol=udp to-addresses=192.168.12.200 to-ports=11111
/ip route
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
1.1.1.1 pref-src="" routing-table=toYOUbroad scope=30 \
suppress-hw-offload=no target-scope=32
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
8.8.8.8 pref-src="" routing-table=tohathway scope=30 suppress-hw-offload=\
no target-scope=32
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
8.8.4.4 pref-src="" routing-table=toTataPLAYy scope=30 \
suppress-hw-offload=no target-scope=32
add check-gateway=ping disabled=no distance=2 dst-address=0.0.0.0/0 gateway=\
1.1.1.1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
target-scope=32
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
8.8.4.4 pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
target-scope=32
add disabled=no dst-address=1.1.1.1/32 gateway=192.168.4.4 routing-table=main \
scope=30 suppress-hw-offload=no target-scope=31
add disabled=no distance=1 dst-address=8.8.8.8/32 gateway=192.168.1.1 \
pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
target-scope=31
add disabled=no distance=1 dst-address=8.8.4.4/32 gateway=192.168.72.72 \
pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
target-scope=31
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Asia/Kolkata
/system note
set show-at-login=no
/system routerboard settings
set enter-setup-on=delete-key
 
anav
Forum Guru
Posts: 23394
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: simple port forward not working!!!

Fri May 10, 2024 6:27 pm

Try to add a network diagram as your explanation was confusing.
Also, you do not connect WireGuard between VLANs on a router; you use firewall rules in the forward chain to manage connectivity between local subnets.
 
gotsprings
Forum Guru
Posts: 2334
Joined: Mon May 14, 2012 9:30 pm

Re: simple port forward not working!!!

Fri May 10, 2024 6:51 pm

So if the port forward request comes in on ANY WAN interface you want it to go back out that connection?

You will need to mark and track the connections for that. That used to be mangle, but now it's the routing table.
 
sindy
Forum Guru
Posts: 11518
Joined: Mon Dec 04, 2017 9:19 pm

Re: simple port forward not working!!!

Sun May 12, 2024 2:08 pm

i am using a wireguard client (in vlan1) to dial a connection to the wireguard server (in vlan2).
So what you want and expect is that a packet sent from a device in 192.168.9.0/24 to the public IP address attached to ether2, port 11111, will go out via ether1 or ether3 depending on the PCC outcome, get src-nated to the public address of ether1 or ether3, and land on ether2 after passing through the internet. And then your dst-nat rule should forward that packet to 192.168.12.200. The response of the WireGuard peer on 192.168.12.200 should then go out via ether2, get un-dst-nated to the public IP of ether2, reach ether1 or ether3 depending on the source address of the initial request, get un-src-nated there and be delivered to the 192.168.9.x host which sent that request.

Is that a correct understanding?

If yes, the good news is that the port-forwarding rule is fine (for WireGuard, the UDP one is enough; the TCP one is not necessary).
The bad news is that your firewall is basically non-existent, as the default handling in all firewall chains is "accept", so packets that didn't match any rule in that chain get accepted. So your firewall filter accepts packets belonging to dst-nated connections explicitly and all other packets implicitly.

But leaving security aside, there are multiple issues with your mangle rules that prevent the expected flow outlined above from happening:
  • The mangle rules you want to assign a connection mark toether1-youbroad or toether3-tata to the initial request packet from 192.168.9.x to ip.of.ether.2 ignore that packet because there is a match condition dst-address-type=!local in these rules. Years ago someone misunderstood the meaning and behavior of the dst-address-type match condition and posted rules that included it, and, worse than that, many people who copy-paste without understanding have since posted their own configurations with the same mistake. The original intention was to prevent traffic between LANs of the same router from getting routed outside, but dst-address-type=!local doesn't even do that. What it actually does is prevent the rule from acting on packets whose destination address is any of the router's own addresses (i.e. the WAN ones included).
    So the initial request doesn't get any connection mark, hence it doesn't get any routing mark, and therefore it is delivered locally and never leaves the router, so the dst-nat rule matching on in-interface-list=WAN ignores it, and so does the router itself, as no local service listens at UDP port 11111.
    In your case, local traffic between 192.168.9.0/24 and 192.168.12.0/24 is not required, so you don't need to exempt the corresponding packets from getting the connection marks and, subsequently, the routing mark causing them to be routed via WAN, so it might seem there is no need to replace the incorrect match condition by a correct one and that it is enough to remove the incorrect dst-address-type=!local one. However, since you are running a RouterOS 7 newer than 7.6 or so, the presence of a routing mark affects more routing decisions than it did before, namely, the fact that the destination address is one of the router's own ones doesn't prevent the packet from getting routed according to the routing mark any more. Hence just removing that match condition would prevent the devices in LAN from talking to the MikroTik itself. If this is an issue for you (e.g. because you want to manage the 4011 from LAN while connecting to its IP address rather than MAC address), you have to replace that match condition by e.g. dst-address=!192.168.0.0/16.
    Once you do this, the initial request packet will start leaving through ether1 or ether3 and should return via ether2.
  • Once the initial request packet arrives at ether2, it creates a new tracked connection, and thanks to the prerouting rule matching on in-interface=ether2-hathway, the connection will get a connection mark ether2-hathway-in. However, the only mark-routing rule that matches on this connection mark and "translates" it to routing mark tohathway is in mangle chain output, which only handles packets sent by the router itself, not those it forwards from one interface to another; these are handled in prerouting. But there, the only rule assigning the routing mark tohathway matches on a different connection mark, toether2-hathway, which is only assigned by the rules handling the transit traffic in prerouting. So the response packet ends up without any routing mark and thus gets locally delivered to the IP address of ether1 or ether3, where no local process expects it, so it gets dropped.
    Since the only purpose of both those connection marks is the same, to get "translated" to the same routing mark tohathway, the easiest way to solve this is to replace ether2-hathway-in by toether2-hathway in all rules that assign it or match on it. While at it, I'd suggest you do the same for the connection marks related to ether1 and ether3.
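The two corrections sindy describes, written out as a complete mangle section. This is an added example, not a configuration posted in the thread: the WAN-inbound rules assign the same toether* connection marks the LAN rules use, and dst-address=!192.168.0.0/16 (sindy's suggested range; adjust it to your own LAN ranges) replaces dst-address-type=!local. Interface names, lists and mark names are those of the posted config.

```routeros
# Added example (not from the thread): mangle section with both fixes applied.
# Assumes the interface names, lists and marks from the posted config and
# that all local LANs sit inside 192.168.0.0/16.
/ip firewall mangle
# Fix 2: connections arriving from a WAN get the SAME connection mark the
# LAN-originated rules use, so one prerouting mark-routing rule per ISP
# covers the reply direction too (the old ether*-in marks are gone).
add action=mark-connection chain=prerouting connection-mark=no-mark \
    connection-state=new in-interface=ether1-YOUbroad \
    new-connection-mark=toether1-youbroad passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
    connection-state=new in-interface=ether2-hathway \
    new-connection-mark=toether2-hathway passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
    connection-state=new in-interface=ether3-TataPLAY \
    new-connection-mark=toether3-tata passthrough=yes
# Fix 1: dst-address=!192.168.0.0/16 instead of dst-address-type=!local.
# A LAN packet aimed at the router's own WAN address (the ISP2 public IP)
# is now marked and leaves via ISP1/ISP3 as intended, while packets to the
# router's LAN addresses stay unmarked so the 4011 stays manageable from
# LAN. Inter-VLAN packets also stay unmarked; block them in the firewall
# forward chain if the two networks must not talk to each other.
add action=mark-connection chain=prerouting connection-mark=no-mark \
    connection-state=new dst-address=!192.168.0.0/16 in-interface-list=LAN \
    new-connection-mark=toether1-youbroad passthrough=yes \
    per-connection-classifier=src-address-and-port:2/1
add action=mark-connection chain=prerouting connection-mark=no-mark \
    connection-state=new dst-address=!192.168.0.0/16 in-interface-list=LAN \
    new-connection-mark=toether3-tata passthrough=yes \
    per-connection-classifier=src-address-and-port:2/0
add action=mark-connection chain=prerouting connection-mark=no-mark \
    connection-state=new dst-address=!192.168.0.0/16 \
    in-interface-list=LANhathway new-connection-mark=toether2-hathway \
    passthrough=yes
# Forwarded traffic, i.e. the LAN-originated requests AND the replies from
# 192.168.12.200 to a connection that arrived on ether2, gets its routing
# mark here in prerouting.
add action=mark-routing chain=prerouting connection-mark=toether1-youbroad \
    in-interface-list=LAN new-routing-mark=toYOUbroad passthrough=yes
add action=mark-routing chain=prerouting connection-mark=toether2-hathway \
    in-interface-list=LANhathway new-routing-mark=tohathway passthrough=yes
add action=mark-routing chain=prerouting connection-mark=toether3-tata \
    in-interface-list=LAN new-routing-mark=toTataPLAYy passthrough=yes
# The router's own replies to WAN-originated connections are still
# handled in chain output, now keyed on the unified marks.
add action=mark-routing chain=output connection-mark=toether1-youbroad \
    new-routing-mark=toYOUbroad passthrough=yes
add action=mark-routing chain=output connection-mark=toether2-hathway \
    new-routing-mark=tohathway passthrough=yes
add action=mark-routing chain=output connection-mark=toether3-tata \
    new-routing-mark=toTataPLAYy passthrough=yes
```

To verify the flow, watch `/ip firewall connection print` while the vlan1 client dials the ISP2 public address: the connection should carry toether2-hathway after its first packet returns through ether2.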
 
newbie54321
newbie
Topic Author
Posts: 30
Joined: Sun Oct 01, 2023 9:08 pm

Re: simple port forward not working!!!

Sun May 12, 2024 4:54 pm

Also you do not connect wireguard between vlans on a router, you use firewall rules in the forward chain to manage connectivity between local subnets.
I don't want WireGuard to connect between VLANs!! I want it to use the two different ISPs.
 
anav
Forum Guru
Posts: 23394
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: simple port forward not working!!!

Sun May 12, 2024 6:05 pm

Please do not explain requirements in terms of a VPN or a vlan, always express requirements in terms of needed traffic flow by users.

So.
a. you want users on VLANX to only use WAN1
b. you want users on VLANY to only use WAN2

Q. Are there any other vlans and what should they use??

c. What happens to users on VLANX if WAN1 is not available?
d. What happens to users on VLANY if WAN2 is not available?

I think you get the idea of how every requirement must be clearly established prior to creating a config, including what the admin (special user) requires.

Trying to read your text.
You mention per-connection classifier. That tells me you were at least at one time considering load balancing. But according to later text, some ports (let's call them VLANX) only use the WANs on ether1 and ether3, and the other WAN on ether2 should only be accessed by other ports (let's call them VLANY).

So, I could conclude that the ports on VLANX should load balance between the WANs on ether1 and ether3???

Now you note ports --> SHOULD the users on ports 4,5,9,10 be on the same subnet? And users on ports 6,7,8 be on the same subnet?
In other words, those in the same grouping of ports can see each other at layer 2. Any connection between different subnets would be controlled by L3 firewall rules.

Please do not use WireGuard to test between VLANs on the same router; it's too confusing.
That is NOT a valid requirement. Traffic between different subnets is easily controlled by Layer 3 firewall rules.

Please state your valid requirements for WireGuard in terms of what users need -- either external users coming in, or going out to a third-party VPN etc., OR perhaps visiting subnets over two MT routers. (OVPN I don't touch with a 10 foot pole, so can't help you there.)
 
sindy
Forum Guru
Posts: 11518
Joined: Mon Dec 04, 2017 9:19 pm

Re: simple port forward not working!!!

Mon May 13, 2024 9:23 am

@newbie54321, the forum notifications may be confusing; have you noticed my post above?
 
newbie54321
newbie
Topic Author
Posts: 30
Joined: Sun Oct 01, 2023 9:08 pm

Re: simple port forward not working!!!

Mon May 13, 2024 2:40 pm
So what you want and expect is that a packet sent from a device in 192.168.9.0/24 to the public IP address attached to ether2, port 11111, will go out via ether1 or ether3 depending on the PCC outcome, get src-nated to the public address of ether1 or ether3, and land on ether2 after passing through the internet. And then your dst-nat rule should forward that packet to 192.168.12.200. The response of the WireGuard peer on 192.168.12.200 should then go out via ether2, get un-dst-nated to the public IP of ether2, reach ether1 or ether3 depending on the source address of the initial request, get un-src-nated there and be delivered to the 192.168.9.x host which sent that request.

Is that a correct understanding?

If yes, the good news is that the port-forwarding rule is fine (for WireGuard, the UDP one is enough; the TCP one is not necessary).
The bad news is that your firewall is basically non-existent, as the default handling in all firewall chains is "accept", so packets that didn't match any rule in that chain get accepted. So your firewall filter accepts packets belonging to dst-nated connections explicitly and all other packets implicitly.
Yes, you understood it. This is what I want, i.e. I want the two VLANs to act as if they are two different routers with their own separate ISPs.
BTW, when I replied yesterday to 'anav', I had also read your post BUT was shit tired (due to too much PC screen time) and couldn't try out anything you said or reply to it.
 
newbie54321
newbie
Topic Author
Posts: 30
Joined: Sun Oct 01, 2023 9:08 pm

Re: simple port forward not working!!!

Mon May 13, 2024 3:25 pm
The mangle rules you want to assign a connection mark toether1-youbroad or toether3-tata to the initial request packet from 192.168.9.x to ip.of.ether.2 ignore that packet because there is a match condition dst-address-type=!local in these rules. Years ago someone misunderstood the meaning and behavior of the dst-address-type match condition and posted rules that included it, and, worse than that, many people who copy-paste without understanding have since posted their own configurations with the same mistake. The original intention was to prevent traffic between LANs of the same router from getting routed outside, but dst-address-type=!local doesn't even do that. What it actually does is prevent the rule from acting on packets whose destination address is any of the router's own addresses (i.e. the WAN ones included).
So the initial request doesn't get any connection mark, hence it doesn't get any routing mark, and therefore it is delivered locally and never leaves the router, so the dst-nat rule matching on in-interface-list=WAN ignores it, and so does the router itself, as no local service listens at UDP port 11111.
In your case, local traffic between 192.168.9.0/24 and 192.168.12.0/24 is not required, so you don't need to exempt the corresponding packets from getting the connection marks and, subsequently, the routing mark causing them to be routed via WAN, so it might seem there is no need to replace the incorrect match condition by a correct one and that it is enough to remove the incorrect dst-address-type=!local one. However, since you are running a RouterOS 7 newer than 7.6 or so, the presence of a routing mark affects more routing decisions than it did before, namely, the fact that the destination address is one of the router's own ones doesn't prevent the packet from getting routed according to the routing mark any more. Hence just removing that match condition would prevent the devices in LAN from talking to the MikroTik itself. If this is an issue for you (e.g. because you want to manage the 4011 from LAN while connecting to its IP address rather than MAC address), you have to replace that match condition by e.g. dst-address=!192.168.0.0/16.
Once you do this, the initial request packet will start leaving through ether1 or ether3 and should return via ether2.
I did not understand this first part of your post.
If the packet matches the condition, i.e. dst-address-type=!local, THEN it SHOULD go out through the WAN, right? And it IS matching the condition, since I am putting ISP2's external internet IP (which is NOT a local subnet IP) in my connection request packet.

I did understand your post's second part, i.e.
Once the initial request packet arrives at ether2, it creates a new tracked connection, and thanks to the prerouting rule matching on in-interface=ether2-hathway, the connection will get a connection mark ether2-hathway-in. However, the only mark-routing rule that matches on this connection mark and "translates" it to routing mark tohathway is in mangle chain output, which only handles packets sent by the router itself, not those it forwards from one interface to another; these are handled in prerouting. But there, the only rule assigning the routing mark tohathway matches on a different connection mark, toether2-hathway, which is only assigned by the rules handling the transit traffic in prerouting. So the response packet ends up without any routing mark and thus gets locally delivered to the IP address of ether1 or ether3, where no local process expects it, so it gets dropped.
Thus, since there are 2 rules in the 'prerouting' chain, the packet is confused and doesn't get the required connection mark. But (according to my understanding) ONE prerouting rule is for connections/packets coming from ISP2/WAN and the OTHER prerouting rule is for connections/packets coming from LAN2 (hathway, PCC). Thus they are separate, I guess??
But networking is not that simple. I don't have ANY experience in it. I understood your complaint (this second part) and tried to resolve it.
Now, I have disabled/removed the PCC-like connection rule of vlan2 or LANhathway (prerouting connection mark and prerouting routing mark), and have enabled a new 'main' route which points to hathway, i.e. ISP2/ether2.
So vlan2 will now be forced to use ISP2 (hathway), since I have ALSO removed the other two 'main' routes which were pointing to ISP1 and ISP3 (i.e. the fallback ISPs used by vlan1), thus getting the same effect as the disabled/removed PCC-like rule.

With this change I checked the router and guess what?? It WORKS!!!!!!!!! NOW THE PORT IS GETTING FORWARDED!!!!!!!!!!

BTW, the condition 'dst-address-type=!local' from the first part of your post is still as it is. (I had implemented this EXACTLY as I saw in MikroTik's YouTube video on PCC. I have no idea about anything more than that. I just watch YouTube videos and learn a FEW new things. I didn't know that configuring a MikroTik was THIS difficult.) I originally bought this (expensive) MikroTik router JUST for getting aggregated download speeds from the many ISPs that I have.

Now, my new config (just with the one rule of vlan2 deleted and a minor rule (in the firewall filter rules) 'accept'ing 'forward'ed dst-nat-state connection traffic deleted; everything else is the SAME):
# 2024-05-13 17:44:58 by RouterOS 7.11.2
# software id = xxxxx
#
# model = RB4011iGS+
# serial number = xxxxxx
/interface bridge
add name=bridge1 vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=ether1-YOUbroad
set [ find default-name=ether2 ] name=ether2-hathway
set [ find default-name=ether3 ] name=ether3-TataPLAY
/interface vlan
add interface=bridge1 name=vlan1 vlan-id=10
add interface=bridge1 name=vlan2Hathwaywala vlan-id=20
/interface list
add name=WAN
add name=LAN
add name=LANhathway
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool3 ranges=192.168.9.100-192.168.9.254
add name=dhcp_pool4 ranges=192.168.12.100-192.168.12.200
/ip dhcp-server
add address-pool=dhcp_pool3 interface=vlan1 name=dhcp1
add address-pool=dhcp_pool4 interface=vlan2Hathwaywala name=dhcp2
/port
set 0 name=serial0
set 1 name=serial1
/routing table
add disabled=no fib name=toYOUbroad
add disabled=no fib name=tohathway
add disabled=no fib name=toTataPLAYy
/interface bridge port
add bridge=bridge1 interface=ether4 pvid=10
add bridge=bridge1 interface=ether5 pvid=10
add bridge=bridge1 interface=ether6 pvid=20
add bridge=bridge1 interface=ether7 pvid=20
add bridge=bridge1 interface=ether8 pvid=20
add bridge=bridge1 interface=ether9 pvid=10
add bridge=bridge1 interface=ether10 pvid=10
/interface bridge vlan
add bridge=bridge1 tagged=bridge1 untagged=ether4,ether5,ether9,ether10 \
vlan-ids=10
add bridge=bridge1 tagged=bridge1 untagged=ether6,ether7,ether8 vlan-ids=20
/interface list member
add interface=ether1-YOUbroad list=WAN
add interface=ether2-hathway list=WAN
add interface=ether3-TataPLAY list=WAN
add interface=vlan1 list=LAN
add interface=vlan2Hathwaywala list=LANhathway
/ip address
add address=192.168.9.9/24 interface=vlan1 network=192.168.9.0
add address=192.168.12.12/24 interface=vlan2Hathwaywala network=192.168.12.0
/ip dhcp-client
add add-default-route=no interface=ether1-YOUbroad
add add-default-route=no interface=ether2-hathway
add add-default-route=no interface=ether3-TataPLAY
/ip dhcp-server network
add address=192.168.9.0/24 dns-server=208.67.222.222,208.67.220.220 gateway=\
192.168.9.9
add address=192.168.12.0/24 dns-server=208.67.222.222,208.67.220.220 gateway=\
192.168.12.12
/ip dns
set servers=208.67.222.222,208.67.220.220
/ip firewall mangle
add action=mark-connection chain=prerouting connection-mark=no-mark \
connection-state=new in-interface=ether1-YOUbroad new-connection-mark=\
ether1-youbroadin passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
connection-state=new in-interface=ether2-hathway new-connection-mark=\
ether2-hathway-in passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
connection-state=new in-interface=ether3-TataPLAY new-connection-mark=\
ether3-tata-in passthrough=yes
add action=mark-routing chain=output connection-mark=ether1-youbroadin \
new-routing-mark=toYOUbroad passthrough=yes
add action=mark-routing chain=output connection-mark=ether2-hathway-in \
new-routing-mark=tohathway passthrough=yes
add action=mark-routing chain=output connection-mark=ether3-tata-in \
new-routing-mark=toTataPLAYy passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
connection-state=new dst-address-type=!local in-interface-list=LAN \
new-connection-mark=toether1-youbroad passthrough=yes \
per-connection-classifier=src-address-and-port:2/1
add action=mark-connection chain=prerouting connection-mark=no-mark \
connection-state=new dst-address-type=!local in-interface-list=LAN \
new-connection-mark=toether3-tata passthrough=yes \
per-connection-classifier=src-address-and-port:2/0
add action=mark-routing chain=prerouting connection-mark=toether1-youbroad \
in-interface-list=LAN new-routing-mark=toYOUbroad passthrough=yes
add action=mark-routing chain=prerouting connection-mark=toether3-tata \
in-interface-list=LAN new-routing-mark=toTataPLAYy passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1-YOUbroad
add action=masquerade chain=srcnat out-interface=ether2-hathway
add action=masquerade chain=srcnat out-interface=ether3-TataPLAY
add action=dst-nat chain=dstnat dst-port=11111 in-interface-list=WAN \
protocol=tcp to-addresses=192.168.12.198 to-ports=11111
add action=dst-nat chain=dstnat dst-port=11111 in-interface-list=WAN \
protocol=udp to-addresses=192.168.12.198 to-ports=11111
/ip route
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
1.1.1.1 pref-src="" routing-table=toYOUbroad scope=30 \
suppress-hw-offload=no target-scope=32
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
8.8.8.8 pref-src="" routing-table=tohathway scope=30 suppress-hw-offload=\
no target-scope=32
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
8.8.4.4 pref-src="" routing-table=toTataPLAYy scope=30 \
suppress-hw-offload=no target-scope=32
add check-gateway=ping disabled=yes distance=2 dst-address=0.0.0.0/0 gateway=\
1.1.1.1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
target-scope=32
add check-gateway=ping disabled=yes distance=1 dst-address=0.0.0.0/0 gateway=\
8.8.4.4 pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
target-scope=32
add disabled=no dst-address=1.1.1.1/32 gateway=192.168.4.4 routing-table=main \
scope=30 suppress-hw-offload=no target-scope=31
add disabled=no distance=1 dst-address=8.8.8.8/32 gateway=192.168.1.1 \
pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
target-scope=31
add disabled=no distance=1 dst-address=8.8.4.4/32 gateway=192.168.72.72 \
pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
target-scope=31
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=8.8.8.8 \
routing-table=main scope=30 suppress-hw-offload=no target-scope=32
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Asia/Kolkata
/system note
set show-at-login=no
/system routerboard settings
set enter-setup-on=delete-key
 
newbie54321
newbie
Topic Author
Posts: 30
Joined: Sun Oct 01, 2023 9:08 pm

Re: simple port forward not working!!!

Mon May 13, 2024 3:36 pm

Thank you soooooooo much to 'sindy'. Do you have a PayPal address? I would like to give you some money (just according to my worth!!) for the BIIIG interest you took in my problem. Thank you once again.
I think you can get a few pizzas for 10 USD, right? (At least in the USA, I think. Never been there.) Although I don't know where you are from, I think I can definitely give you 10 USD.
GIGANTIC thank YOU to 'SINDY'. Also, thank you very much to 'anav' who tried his level best at understanding my config or problem.
 
newbie54321
newbie
Topic Author
Posts: 30
Joined: Sun Oct 01, 2023 9:08 pm

Re: simple port forward not working!!!

Mon May 13, 2024 3:55 pm

And BTW, this is my temporary setup/config for when I want to test things that require 2 different ISPs. My regular config has ALL 3 ISPs PCCed and has fallback routes ('main') and all. During this testing phase, I don't need the fallback 'main' routes for vlan1. Thus, I 'load' this given config whenever I want to test out things like the WireGuard server (on pfSense or OpenWrt) and need two different ISPs AND two different networks.
Otherwise I normally keep the other setup/config with 3 ISPs PCCed with one bridge or VLAN. Thank you all.
 
anav
Forum Guru
Posts: 23394
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: simple port forward not working!!!

Mon May 13, 2024 4:07 pm

You are far from done my friend LOL. The mangles were just one concern LOL
 
anav
Forum Guru
Posts: 23394
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: simple port forward not working!!!

Mon May 13, 2024 5:06 pm

You are missing firewall rules and thus should not be connected to the internet at all.
Also when you do introduce rules the config will have to be modified as right now your interface list approach is not quite there.
It is also not clear if there is any traffic between vlan1 and vlan2 ( is there a shared device, does the admin need to access both vlans etc.. )

Major changes only:

# model = RB4011iGS+

/interface bridge port
add bridge=bridge1 ingress-filtering=yes frame-types=admit-priority-and-untagged interface=ether4 pvid=10
add bridge=bridge1 ingress-filtering=yes frame-types=admit-priority-and-untagged interface=ether5 pvid=10
add bridge=bridge1 ingress-filtering=yes frame-types=admit-priority-and-untagged interface=ether6 pvid=20
add bridge=bridge1 ingress-filtering=yes frame-types=admit-priority-and-untagged interface=ether7 pvid=20
add bridge=bridge1 ingress-filtering=yes frame-types=admit-priority-and-untagged interface=ether8 pvid=20
add bridge=bridge1 ingress-filtering=yes frame-types=admit-priority-and-untagged interface=ether9 pvid=10
add bridge=bridge1 ingress-filtering=yes frame-types=admit-priority-and-untagged interface=ether10 pvid=10


/interface list member
add interface=ether1-YOUbroad list=WAN
add interface=ether2-hathway list=WAN
add interface=ether3-TataPLAY list=WAN
add interface=vlan1 list=LAN
add interface=vlan2Hatawaywala list=LAN comment="for firewall usage"
add interface=vlan2Hathwaywala list=LANhathway
{ I found no use for this interface list by the way }

/ip dhcp-server network { since you have set the DNS servers, no need to put them in server-network as well }
add address=192.168.9.0/24 dns-server=192.168.9.9 gateway=192.168.9.9
add address=192.168.12.0/24 dns-server=192.168.12.12 gateway=192.168.12.12


/ip firewall address-list
add address=192.168.9.0/24 list=MySubnets
{ for the case of local vlan to vlan traffic, otherwise omit }
add address=192.168.12.0/24 list=MySubnets { for the case of local vlan to vlan traffic, otherwise omit }

/ip firewall mangle { first rule in mangle chain }
add action=accept chain=prerouting in-interface-list=LAN dst-address=MySubnets
{ for the case of local vlan to vlan traffic, otherwise omit }

/ip firewall address-list
add address=192.168.9.XX list=Authorized comment="Admin desktop"
add address=192.168.9.XY list=Authorized comment="Admin WIFI"
add address=futureWG-IP list=Authorized comment="Admin remote connection"


/ip firewall filter
{default rules to keep}
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
{admin rules}
add action=accept chain=input src-address-list=Authorized
add action=accept chain=input comment="users to services" dst-port=53 protocol=udp in-interface-list=LAN
add action=accept chain=input comment="users to services" dst-port=53 protocol=tcp in-interface-list=LAN
add action=drop chain=input comment="drop all else" { put this rule in last or you will lock yourself out }
{default rules to keep}
add action=fasttrack-connection chain=forward connection-state=established,related
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid
{admin rules}
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
add action=accept chain=forward src-address-list=Authorized out-interface-list=LAN { may not be required }
add action=drop chain=forward comment="drop all else"


Now, you claim the server is on vlan2 and should only use ISP2 and thus why not modify this to be accurate.
add action=dst-nat chain=dstnat dst-port=11111 in-interface=ether2-hathway \
protocol=tcp to-addresses=192.168.12.200 to-ports=11111
add action=dst-nat chain=dstnat dst-port=11111 in-interface=ether2-hathway \
protocol=udp to-addresses=192.168.12.200 to-ports=11111


NOW FOR OTHER MANGLES
{ FIRST YOU NEED TO TAKE CARE OF PORT FORWARDING FOR VLAN2 subnet }
{ port forward mangle }
add action=mark-connection chain=forward connection-mark=no-mark \
new-connection-mark=from-ether2 in-interface=ether2-hathway \
dst-address=192.168.12.200 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=from-ether2 \
new-routing-mark=tohathway passthrough=no

Note: If you had multiple servers, then make up a dst-address-list of servers.

HOWEVER, your requirement is not just for the server on VLAN2 to get traffic via ether2 and RESPOND out ether2, you want
ALL vlan2 traffic originating on the LAN to go out ether 2, so we need another rule prior to the Load Balancing mangle rules.
One that states all traffic originating from vlan2 goes out vlan2.

add action=mark-routing chain=prerouting in-interface=vlan2 dst-address-type=!local new-routing-mark=tohathway passthrough=no

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
{ Now mangles for load balancing V1 between ether1 and ether3 }

add action=mark-connection chain=forward connection-mark=no-mark \
dst-address-type=!local in-interface=vlan1 \
new-connection-mark=via-ether1 passthrough=yes \
per-connection-classifier=src-address-and-port:2/0
add action=mark-connection chain=forward connection-mark=no-mark \
dst-address-type=!local in-interface=vlan1 \
new-connection-mark=via-ether3 passthrough=yes \
per-connection-classifier=src-address-and-port:2/1
add action=mark-routing chain=prerouting connection-mark=via-ether1 \
new-routing-mark=toYOUbroad passthrough=no
add action=mark-routing chain=prerouting connection-mark=via-ether3 \
new-routing-mark=toTataPLAYy passthrough=no


( I would not recommend having the main routes all set to same distance, this case, I would make Ether2 have the greatest distance )
( If you are looking for different dns entities for ping check then having two from google, is not optimal )
( you only need check-gateway=ping on the first hop )

/ip route
{ MAIN ROUTES }
add check-gateway=ping distance=1 dst-address=0.0.0.0/0 gateway=\
1.1.1.1 routing-table=main scope=30 target-scope=32
add check-gateway=ping distance=2 dst-address=0.0.0.0/0 gateway=\
8.8.4.4 routing-table=main scope=30 target-scope=32
add check-gateway=ping distance=3 dst-address=0.0.0.0/0 gateway=\
9.9.9.9 routing-table=main scope=30 target-scope=32
{Closer hop}
add distance=1 dst-address=1.1.1.1/32 gateway=ether1-gateway-IP \
routing-table=main scope=30 target-scope=31
add distance=2 dst-address=8.8.4.4/32 gateway=ether3-gateway-IP \
routing-table=main scope=30 target-scope=31
add distance=3 dst-address=9.9.9.9/32 gateway=ether2-gateway-IP \
routing-table=main scope=30 target-scope=31

Now we will add in the Special Table Routes, setup for mangling etc...

add dst-address=0.0.0.0/0 gateway=ether1-gateway-IP routing-table=toYOUbroad
add dst-address=0.0.0.0/0 gateway=ether3-gateway-IP routing-table=toTataPLAYy
add dst-address=0.0.0.0/0 gateway=ether2-gateway-IP routing-table=tohathway


NOTE: If we start adding wireguard, there may be additional changes.
Last edited by anav on Mon May 13, 2024 5:14 pm, edited 2 times in total.
 
sindy
Forum Guru
Posts: 11518
Joined: Mon Dec 04, 2017 9:19 pm

Re: simple port forward not working!!!

Mon May 13, 2024 5:11 pm

if the packet matches the condition i.e. dst-address-type=!local THEN it SHOULD go out through the wan, right. and it IS matching the condition, since i am putting the isp2's external internet ip (which is NOT a local subnet ip) in my connection request packet.
I'll try again from a different perspective. The router itself doesn't know anything about "LAN" (Local) or "WAN" (Wide) roles of the interfaces; it is the configuration that makes it use them one way or the other. Nor does it treat private and public addresses differently. And the local in dst-address-type does not refer to "local" within the scope of the site (LAN) but "local" within the scope of the router alone (own address of the router, attached to any of its interfaces). So if the router has e.g. addresses 1.1.1.1 in 1.1.1.0/30, 192.168.1.10 in 192.168.1.0/24, and 192.168.33.7 in 192.168.33.0/26, packets with destination addresses 1.1.1.1, 192.168.1.10, or 192.168.33.7 do match dst-address-type=local, but packets with destination addresses 1.1.1.2, 192.168.1.9, or 192.168.33.9 do not. dst-address-type=!local inverts this of course.

So the public address assigned to the WAN interface is considered a local one, hence for packets to that address, dst-address-type=!local gets evaluated to false, so the mangle rule that contains this match condition does not assign the connection mark to these packets.

So I'll have to look through your current configuration to understand why it started working the way you wish after the other changes you've made.

since there are 2 rules that are in the 'prerouting' chain, the packet is confused and doesn't get the required connection mark. But (according to my understanding) ONE prerouting is for connection/packet coming from isp2/wan and the OTHER prerouting is for connection/packet coming from lan2 (hathway, PCC). thus they are separate, i guess??
But, networking is not that simple.
There are no separate "preroutingS" for different types of traffic; there is a single prerouting stage/firewall chain common to all packets that arrive at the router from outside through any interface, and it is the combination of match conditions in the rules in that chain that determines which traffic type they will handle.

The purpose of the connection mark is to survive the lifetime of a single packet and affect the treatment of subsequent packets belonging to the same connection like the one that has caused the connection mark to be assigned to that connection. So for incoming connections from the internet, the connection mark is assigned when handling the initial packet coming from the internet, but used to modify the behaviour (in particular, assign a routing mark) when handling the packets that flow in the opposite direction, from the device in LAN (the Wireguard peer in your case) to internet.

The configuration of the Mikrotik firewall is more or less algorithmic programming.
 
newbie54321
newbie
Topic Author
Posts: 30
Joined: Sun Oct 01, 2023 9:08 pm

Re: simple port forward not working!!!

Tue May 14, 2024 5:13 pm

FUCK!!! i had written a LOT of stuff/post AND the website just logged me out!!!!!!!!!! ass!!!
in short.....i tried following 'anav's and 'sindy's comments, now the port is getting forwarded. even with ANOTHER setup with 2 BRIDGES and all. as soon as the problematic "clash" of prerouting in vlan2/bridge2 is removed the forwarding WORKS!!! OR i can keep the "clash" BUT add a 'main' route with distance '1' pointing to isp2/hathway. BOTH methods are working fine.
The PCC of vlan1/bridge1 was set up after watching mikrotik's official video on PCC, thus it said to create 2 rules, one with mark-connection and the other with mark-routing. according to 'sindy', i should remove the mark-connection rules of vlan1 BUT the video said otherwise!!!!
i think my setup is now ok! everything is happening.
 
anav
Forum Guru
Posts: 23394
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: simple port forward not working!!!

Tue May 14, 2024 5:23 pm

Post your final config for review............
 
newbie54321
newbie
Topic Author
Posts: 30
Joined: Sun Oct 01, 2023 9:08 pm

Re: simple port forward not working!!!

Tue May 14, 2024 7:46 pm

Post your final config for review............
fuck. it ain't working. the port is getting forwarded after many seconds (in the wireguard client). and the connection is shaky/lagging/verrry low bandwidth. shit, it was working fine earlier!!!!!
 
anav
Forum Guru
Posts: 23394
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: simple port forward not working!!!

Tue May 14, 2024 8:00 pm

Without the current config, unable to comment. :-)
 
sindy
Forum Guru
Posts: 11518
Joined: Mon Dec 04, 2017 9:19 pm

Re: simple port forward not working!!!

Tue May 14, 2024 8:54 pm

I never said you should remove mark-connection rules. What I've said was that you should use the same connection mark both for those connections from LAN to internet that you want to use WANx and for those connections from the internet to LAN that happened to come in via WANx, so that the translation of connection mark "WANx" to routing mark "WANx" would work in all cases the same. I.e. all the mark-connection and mark-routing rules should have stayed in place exactly as they were, except that same connection mark and same routing mark should be used in all the rules related to the same WAN.
 
newbie54321
newbie
Topic Author
Posts: 30
Joined: Sun Oct 01, 2023 9:08 pm

Re: simple port forward not working!!!

Wed May 15, 2024 12:37 pm

I never said you should remove mark-connection rules. What I've said was that you should use the same connection mark both for those connections from LAN to internet that you want to use WANx and for those connections from the internet to LAN that happened to come in via WANx, so that the translation of connection mark "WANx" to routing mark "WANx" would work in all cases the same. I.e. all the mark-connection and mark-routing rules should have stayed in place exactly as they were, except that same connection mark and same routing mark should be used in all the rules related to the same WAN.
Oh!! ok!
 
newbie54321
newbie
Topic Author
Posts: 30
Joined: Sun Oct 01, 2023 9:08 pm

Re: simple port forward not working!!!

Sat May 18, 2024 8:18 pm

ok. so it's working absolutely fine. have posted BOTH configs. i.e. one with 2 vlans and the other with 2 bridges.
vlans:
# 2024-05-18 22:31:36 by RouterOS 7.11.2
# software id = xxxxx
#
# model = RB4011iGS+
# serial number = xxxxx
/interface bridge
add name=bridge1 vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=ether1-YOUbroad
set [ find default-name=ether2 ] name=ether2-hathway
set [ find default-name=ether3 ] name=ether3-TataPLAY
/interface vlan
add interface=bridge1 name=vlan1 vlan-id=10
add interface=bridge1 name=vlan2Hathwaywala vlan-id=20
/interface list
add name=WAN
add name=LAN
add name=LANhathway
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool3 ranges=192.168.9.100-192.168.9.254
add name=dhcp_pool4 ranges=192.168.12.100-192.168.12.200
/ip dhcp-server
add address-pool=dhcp_pool3 interface=vlan1 name=dhcp1
add address-pool=dhcp_pool4 interface=vlan2Hathwaywala name=dhcp2
/port
set 0 name=serial0
set 1 name=serial1
/routing table
add disabled=no fib name=toYOUbroad
add disabled=no fib name=tohathway
add disabled=no fib name=toTataPLAYy
/interface bridge port
add bridge=bridge1 interface=ether4 pvid=10
add bridge=bridge1 interface=ether5 pvid=10
add bridge=bridge1 interface=ether6 pvid=20
add bridge=bridge1 interface=ether7 pvid=20
add bridge=bridge1 interface=ether8 pvid=20
add bridge=bridge1 interface=ether9 pvid=10
add bridge=bridge1 interface=ether10 pvid=10
/interface bridge vlan
add bridge=bridge1 tagged=bridge1 untagged=ether4,ether5,ether9,ether10 \
    vlan-ids=10
add bridge=bridge1 tagged=bridge1 untagged=ether6,ether7,ether8 vlan-ids=20
/interface list member
add interface=ether1-YOUbroad list=WAN
add interface=ether2-hathway list=WAN
add interface=ether3-TataPLAY list=WAN
add interface=vlan1 list=LAN
add interface=vlan2Hathwaywala list=LANhathway
/ip address
add address=192.168.9.9/24 interface=vlan1 network=192.168.9.0
add address=192.168.12.12/24 interface=vlan2Hathwaywala network=192.168.12.0
/ip dhcp-client
add add-default-route=no interface=ether1-YOUbroad use-peer-dns=no
add add-default-route=no interface=ether2-hathway use-peer-dns=no
add add-default-route=no interface=ether3-TataPLAY use-peer-dns=no
/ip dhcp-server network
add address=192.168.9.0/24 dns-server=208.67.222.222,208.67.220.220 gateway=\
    192.168.9.9
add address=192.168.12.0/24 dns-server=208.67.222.222,208.67.220.220 gateway=\
    192.168.12.12
/ip dns
set servers=208.67.222.222,208.67.220.220
/ip firewall filter
add action=accept chain=input connection-state=established,related,untracked
add action=accept chain=input dst-address=127.0.0.1
add action=accept chain=input in-interface-list=LAN
add action=accept chain=forward connection-state=\
    established,related,untracked
add action=accept chain=input connection-nat-state=dstnat
add action=accept chain=forward connection-nat-state=dstnat
add action=accept chain=input in-interface-list=LANhathway
add action=drop chain=input connection-state=invalid
add action=drop chain=input
/ip firewall mangle
add action=mark-connection chain=prerouting connection-mark=no-mark \
    connection-state=new in-interface=ether1-YOUbroad new-connection-mark=\
    ether1-youbroadin passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
    connection-state=new in-interface=ether2-hathway new-connection-mark=\
    ether2-hathway-in passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
    connection-state=new in-interface=ether3-TataPLAY new-connection-mark=\
    ether3-tata-in passthrough=yes
add action=mark-routing chain=output connection-mark=ether1-youbroadin \
    new-routing-mark=toYOUbroad passthrough=yes
add action=mark-routing chain=output connection-mark=ether2-hathway-in \
    new-routing-mark=tohathway passthrough=yes
add action=mark-routing chain=output connection-mark=ether3-tata-in \
    new-routing-mark=toTataPLAYy passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
    connection-state=new dst-address-type=!local in-interface-list=LAN \
    new-connection-mark=toether1-youbroad passthrough=yes \
    per-connection-classifier=src-address-and-port:2/1
add action=mark-connection chain=prerouting connection-mark=no-mark \
    connection-state=new dst-address-type=!local in-interface-list=LAN \
    new-connection-mark=toether3-tata passthrough=yes \
    per-connection-classifier=src-address-and-port:2/0
add action=mark-routing chain=prerouting connection-mark=toether1-youbroad \
    in-interface-list=LAN new-routing-mark=toYOUbroad passthrough=no
add action=mark-routing chain=prerouting connection-mark=toether3-tata \
    in-interface-list=LAN new-routing-mark=toTataPLAYy passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1-YOUbroad
add action=masquerade chain=srcnat out-interface=ether2-hathway
add action=masquerade chain=srcnat out-interface=ether3-TataPLAY
add action=dst-nat chain=dstnat dst-port=11111 in-interface=ether2-hathway \
    protocol=tcp to-addresses=192.168.12.198 to-ports=11111
add action=dst-nat chain=dstnat dst-port=11111 in-interface=ether2-hathway \
    protocol=udp to-addresses=192.168.12.198 to-ports=11111
/ip route
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    1.1.1.1 pref-src="" routing-table=toYOUbroad scope=30 \
    suppress-hw-offload=no target-scope=32
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    8.8.4.4 pref-src="" routing-table=toTataPLAYy scope=30 \
    suppress-hw-offload=no target-scope=32
add disabled=no dst-address=1.1.1.1/32 gateway=192.168.4.4 routing-table=main \
    scope=30 suppress-hw-offload=no target-scope=31
add disabled=no distance=1 dst-address=8.8.8.8/32 gateway=192.168.1.1 \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=31
add disabled=no distance=1 dst-address=8.8.4.4/32 gateway=192.168.72.72 \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=31
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=8.8.8.8 pref-src="" \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=32
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Asia/Kolkata
/system note
set show-at-login=no
/system routerboard settings
set enter-setup-on=delete-key
bridges:
# 2024-05-18 22:41:15 by RouterOS 7.11.2
# software id = xxxx
#
# model = RB4011iGS+
# serial number = xxxxx
/interface bridge
add name=bridge1
add name=bridge2forHathway
/interface ethernet
set [ find default-name=ether1 ] name=ether1-YOUbroad
set [ find default-name=ether2 ] name=ether2-hathway
set [ find default-name=ether3 ] name=ether3-TataPLAY
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=192.168.9.50-192.168.9.254
add name=dhcp_pool1 ranges=192.168.9.100-192.168.9.254
add name=dhcp_pool2 ranges=192.168.9.100-192.168.9.254
add name=dhcp_pool3 ranges=192.168.12.100-192.168.12.200
/ip dhcp-server
add address-pool=dhcp_pool2 interface=bridge1 name=dhcp1
add address-pool=dhcp_pool3 interface=bridge2forHathway name=dhcp2
/port
set 0 name=serial0
set 1 name=serial1
/routing table
add disabled=no fib name=toYOUbroad
add disabled=no fib name=tohathway
add disabled=no fib name=toTataPLAYy
/interface bridge port
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge2forHathway interface=ether6
add bridge=bridge2forHathway interface=ether7
add bridge=bridge2forHathway interface=ether8
add bridge=bridge1 interface=ether9
add bridge=bridge1 interface=ether10
/ip address
add address=192.168.9.9/24 interface=bridge1 network=192.168.9.0
add address=192.168.12.12/24 interface=bridge2forHathway network=192.168.12.0
/ip dhcp-client
add add-default-route=no interface=ether1-YOUbroad
add add-default-route=no interface=ether2-hathway
add add-default-route=no interface=ether3-TataPLAY
/ip dhcp-server network
add address=192.168.9.0/24 dns-server=208.67.222.222,208.67.220.220 gateway=\
    192.168.9.9
add address=192.168.12.0/24 dns-server=208.67.222.222,208.67.220.220 gateway=\
    192.168.12.12
/ip dns
set servers=208.67.222.222,208.67.220.220
/ip firewall address-list
add address=192.168.9.0/24 list=Ajlan
add address=192.168.12.0/24 list=ajALN2hathway
/ip firewall filter
add action=drop chain=forward dst-address-list=ajALN2hathway \
    src-address-list=Ajlan
add action=drop chain=forward dst-address-list=Ajlan src-address-list=\
    ajALN2hathway
add action=accept chain=forward connection-state=\
    established,related,untracked
add action=accept chain=input connection-state=established,related,untracked
add action=accept chain=input dst-address=127.0.0.1
add action=accept chain=input in-interface=bridge1
add action=accept chain=input in-interface=bridge2forHathway
add action=drop chain=input
add action=drop chain=forward connection-state=invalid
add action=drop chain=input connection-state=invalid
/ip firewall mangle
add action=mark-connection chain=prerouting connection-mark=no-mark \
    connection-state=new in-interface=ether1-YOUbroad new-connection-mark=\
    ether1-youbroadin passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
    connection-state=new in-interface=ether2-hathway new-connection-mark=\
    ether2-hathway-in passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
    connection-state=new in-interface=ether3-TataPLAY new-connection-mark=\
    ether3-tata-in passthrough=yes
add action=mark-routing chain=output connection-mark=ether1-youbroadin \
    new-routing-mark=toYOUbroad passthrough=yes
add action=mark-routing chain=output connection-mark=ether2-hathway-in \
    new-routing-mark=tohathway passthrough=yes
add action=mark-routing chain=output connection-mark=ether3-tata-in \
    new-routing-mark=toTataPLAYy passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
    connection-state=new dst-address-type=!local in-interface=bridge1 \
    new-connection-mark=ether1-youbroadout passthrough=yes \
    per-connection-classifier=src-address-and-port:2/1
add action=mark-connection chain=prerouting connection-mark=no-mark \
    connection-state=new dst-address-type=!local in-interface=bridge1 \
    new-connection-mark=tataOut passthrough=yes per-connection-classifier=\
    src-address-and-port:2/0
add action=mark-routing chain=prerouting connection-mark=ether1-youbroadout \
    in-interface=bridge1 new-routing-mark=toYOUbroad passthrough=no
add action=mark-routing chain=prerouting connection-mark=tataOut \
    in-interface=bridge1 new-routing-mark=toTataPLAYy passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1-YOUbroad \
    src-address-list=Ajlan
add action=masquerade chain=srcnat out-interface=ether2-hathway \
    src-address-list=ajALN2hathway
add action=masquerade chain=srcnat out-interface=ether3-TataPLAY \
    src-address-list=Ajlan
add action=dst-nat chain=dstnat dst-port=11111 in-interface=ether2-hathway \
    protocol=tcp to-addresses=192.168.12.200 to-ports=11111
add action=dst-nat chain=dstnat dst-port=11111 in-interface=ether2-hathway \
    protocol=udp to-addresses=192.168.12.200 to-ports=11111
/ip route
add disabled=no dst-address=1.1.1.1/32 gateway=192.168.4.4 routing-table=main \
    scope=30 suppress-hw-offload=no target-scope=31
add disabled=no distance=1 dst-address=8.8.4.4/32 gateway=192.168.72.72 \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=31
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    8.8.4.4 pref-src="" routing-table=toTataPLAYy scope=30 \
    suppress-hw-offload=no target-scope=33
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    1.1.1.1 pref-src="" routing-table=toYOUbroad scope=30 \
    suppress-hw-offload=no target-scope=33
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.1.1 routing-table=main \
    suppress-hw-offload=no
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Asia/Kolkata
/system note
set show-at-login=no
/system routerboard settings
set enter-setup-on=delete-key
BTW, they are BOTH the SAME. except one is bridge and the other is vlan.
 
newbie54321
newbie
Topic Author
Posts: 30
Joined: Sun Oct 01, 2023 9:08 pm

Re: simple port forward not working!!!

Thu Jul 18, 2024 3:46 pm

hi guys, need to trouble you again!!!!
i have done away with PCC completely. i want 3 vlans for the three ISPs with 2 ports attached to each vlan. the config is working properly BUT i can access my router (mikrotik) ONLY through the mac address (in winbox) and NOT through its ip. i want to be able to access the router through its ip also. i have created 3 prerouting rules for the three vlans; essentially locking them to one ISP each. are all these mangle rules correct? please let me know.

my config:
# 2024-07-18 08:36:19 by RouterOS 7.11.2
# software id = xxxx
#
# model = RB4011iGS+
# serial number = xxxx
/interface bridge
add name=bridge1 vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=ether1-YOUbroad
set [ find default-name=ether2 ] name=ether2-hathway
set [ find default-name=ether3 ] name=ether3-TataPLAY
/interface vlan
add interface=bridge1 name=vlan1-tata vlan-id=10
add interface=bridge1 name=vlan2YOUbroad vlan-id=20
add interface=bridge1 name=vlan3-Hathywala vlan-id=30
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool3 ranges=192.168.9.100-192.168.9.254
add name=dhcp_pool4 ranges=192.168.12.100-192.168.12.200
add name=dhcp_pool5 ranges=192.168.24.100-192.168.24.200
/ip dhcp-server
add address-pool=dhcp_pool3 interface=vlan1-tata name=dhcp1
add address-pool=dhcp_pool4 interface=vlan2YOUbroad name=dhcp2
add address-pool=dhcp_pool5 interface=vlan3-Hathywala name=dhcp3
/port
set 0 name=serial0
set 1 name=serial1
/routing table
add disabled=no fib name=toYOUbroad
add disabled=no fib name=tohathway
add disabled=no fib name=toTataPLAYy
/interface bridge port
add bridge=bridge1 interface=ether4 pvid=10
add bridge=bridge1 interface=ether5 pvid=10
add bridge=bridge1 interface=ether6 pvid=20
add bridge=bridge1 interface=ether7 pvid=20
add bridge=bridge1 interface=ether8 pvid=30
add bridge=bridge1 interface=ether9 pvid=30
add bridge=bridge1 interface=ether10 pvid=30
/interface bridge vlan
add bridge=bridge1 tagged=bridge1 untagged=ether4,ether5 vlan-ids=10
add bridge=bridge1 tagged=bridge1 untagged=ether6,ether7 vlan-ids=20
add bridge=bridge1 tagged=bridge1 untagged=ether8,ether9,ether10 vlan-ids=30
/interface list member
add interface=ether1-YOUbroad list=WAN
add interface=ether2-hathway list=WAN
add interface=ether3-TataPLAY list=WAN
add interface=vlan1-tata list=LAN
add interface=vlan2YOUbroad list=LAN
add interface=vlan3-Hathywala list=LAN
/ip address
add address=192.168.9.9/24 interface=vlan1-tata network=192.168.9.0
add address=192.168.12.12/24 interface=vlan2YOUbroad network=192.168.12.0
add address=192.168.24.24/24 interface=vlan3-Hathywala network=192.168.24.0
/ip dhcp-client
add add-default-route=no interface=ether1-YOUbroad use-peer-dns=no
add add-default-route=no interface=ether2-hathway use-peer-dns=no
add add-default-route=no interface=ether3-TataPLAY use-peer-dns=no
/ip dhcp-server network
add address=192.168.9.0/24 dns-server=208.67.222.222,208.67.220.220 gateway=\
    192.168.9.9
add address=192.168.12.0/24 dns-server=208.67.222.222,208.67.220.220 gateway=\
    192.168.12.12
add address=192.168.24.0/24 gateway=192.168.24.24
/ip dns
set servers=208.67.222.222,208.67.220.220
/ip firewall filter
add action=accept chain=input connection-state=established,related,untracked
add action=accept chain=input dst-address=127.0.0.1
add action=accept chain=input in-interface-list=LAN
add action=accept chain=forward connection-state=\
    established,related,untracked
add action=accept chain=input connection-nat-state=dstnat
add action=accept chain=forward connection-nat-state=dstnat
add action=drop chain=input connection-state=invalid
add action=drop chain=input
/ip firewall mangle
add action=mark-connection chain=prerouting connection-mark=no-mark \
    connection-state=new in-interface=ether1-YOUbroad new-connection-mark=\
    ether1-youbroadin passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
    connection-state=new in-interface=ether2-hathway new-connection-mark=\
    ether2-hathway-in passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
    connection-state=new in-interface=ether3-TataPLAY new-connection-mark=\
    ether3-tata-in passthrough=yes
add action=mark-routing chain=output connection-mark=ether1-youbroadin \
    new-routing-mark=toYOUbroad passthrough=yes
add action=mark-routing chain=output connection-mark=ether2-hathway-in \
    new-routing-mark=tohathway passthrough=yes
add action=mark-routing chain=output connection-mark=ether3-tata-in \
    new-routing-mark=toTataPLAYy passthrough=yes
add action=mark-routing chain=prerouting in-interface=vlan1-tata \
    new-routing-mark=toTataPLAYy passthrough=no
add action=mark-routing chain=prerouting in-interface=vlan2YOUbroad \
    new-routing-mark=toYOUbroad passthrough=yes
add action=mark-routing chain=prerouting in-interface=vlan3-Hathywala \
    new-routing-mark=tohathway passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1-YOUbroad
add action=masquerade chain=srcnat out-interface=ether2-hathway
add action=masquerade chain=srcnat out-interface=ether3-TataPLAY
add action=dst-nat chain=dstnat dst-port=22583 in-interface=ether2-hathway \
    protocol=tcp to-addresses=192.168.12.197 to-ports=22583
add action=dst-nat chain=dstnat dst-port=22583 in-interface=ether2-hathway \
    protocol=udp to-addresses=192.168.12.197 to-ports=22583
/ip route
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    1.1.1.1 pref-src="" routing-table=toYOUbroad scope=30 \
    suppress-hw-offload=no target-scope=32
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    8.8.4.4 pref-src="" routing-table=toTataPLAYy scope=30 \
    suppress-hw-offload=no target-scope=32
add disabled=no dst-address=1.1.1.1/32 gateway=192.168.4.4 routing-table=main \
    scope=30 suppress-hw-offload=no target-scope=31
add disabled=no distance=1 dst-address=8.8.8.8/32 gateway=192.168.150.150 \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=31
add disabled=no distance=1 dst-address=8.8.4.4/32 gateway=192.168.72.72 \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=31
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    8.8.8.8 pref-src="" routing-table=tohathway scope=30 suppress-hw-offload=\
    no target-scope=32
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system note
set show-at-login=no
/system routerboard settings
set enter-setup-on=delete-key
sorry for the trouble. but please help me. i think i am learning a little bit more of my mikrotik, every time :)

Update: i did ' ! (Not) local ' for all the three mangle rules of vlans (prerouting going to ISPs) and now i can access my router thru its ip address!!!!
Last edited by newbie54321 on Fri Jul 19, 2024 9:28 am, edited 1 time in total.
 
anav
Forum Guru
Posts: 23394
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: simple port forward not working!!!

Thu Jul 18, 2024 6:35 pm

Are you sure you need mangling??
This should do what you desire, no mangling.

/routing rules
add min-prefix=0 action=lookup-only-in-table table=main
add src-address=192.168.9.0/24 action=lookup-only-in-table table=toTataPLAYy
add src-address=192.168.12.0/24 action=lookup-only-in-table table=toYOUbroad
add src-address=192.168.24.0/24 action=lookup-only-in-table table=tohathway


However, what you don't disclose in your requirements but is clear from the config is that you are also doing port forwarding.
This can still be addressed without mangling; simply make ether2 the primary WAN in routes.
Also, routes need fixing.

/ip route
{ main table }
add check-gateway=ping distance=2 dst-address=0.0.0.0/0 gateway=8.8.8.8 scope=30 target-scope=32 comment=ether2
add distance=2 dst-address=8.8.8.8/32 gateway=192.168.150.150 scope=30 target-scope=31
+++++
add check-gateway=ping distance=4 dst-address=0.0.0.0/0 gateway=1.1.1.1 scope=30 target-scope=32 comment=ether1
add distance=4 dst-address=1.1.1.1/32 gateway=192.168.4.4 scope=30 target-scope=31 comment=ether1
+++++
add check-gateway=ping distance=6 dst-address=0.0.0.0/0 gateway=9.9.9.9 scope=30 target-scope=32 comment=ether3
add distance=6 dst-address=9.9.9.9/32 gateway=192.168.72.72 scope=30 target-scope=31

++++++++++++++++++++++++++++++++++++++++++++++++++
{ special routes }
add dst-address=0.0.0.0/0 gateway=192.168.150.150 routing-table=tohathway
add dst-address=0.0.0.0/0 gateway=192.168.4.4 routing-table=toYOUbroad
add dst-address=0.0.0.0/0 gateway=192.168.72.72 routing-table=toTataPLAYy

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

The rest of the config needs work......
/ip dhcp-server network
add address=192.168.9.0/24 dns-server=208.67.222.222,208.67.220.220 gateway=\
192.168.9.9
add address=192.168.12.0/24 dns-server=208.67.222.222,208.67.220.220 gateway=\
192.168.12.12
add address=192.168.24.0/24 gateway=192.168.24.24
{ Missing dns-server ???? }


/ip firewall filter
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp

add action=accept chain=input dst-address=127.0.0.1
add action=accept chain=input in-interface-list=LAN
add action=drop chain=input comment="Drop all else"
{ put this rule in last }
++++
add action=fasttrack-connection chain=forward connection-state=established,related
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"


/ip neighbor discovery-settings
set discover-interface-list=LAN


/tool mac-server
set allowed-interface-list=NONE
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
anav
Forum Guru
Posts: 23394
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: simple port forward not working!!!

Thu Jul 18, 2024 6:39 pm

Now please describe more precisely how you are attempting to reach winbox via its IP address.
You should only access the router for config purpose from the LAN SIDE, either from a local subnet or via VPN which brings you into the interior of the router.

The proper method by IP address using winbox is simple

You should be able to do so by instead of mac address use the following
192.168.9.9:winboxport
or
192.168.24.24:winboxport
or
192.168.12.12:winboxport
 
newbie54321
newbie
Topic Author
Posts: 30
Joined: Sun Oct 01, 2023 9:08 pm

Re: simple port forward not working!!!

Mon Jul 22, 2024 8:19 pm

hi i have tried out mangle as well as routing rules methods. here is the mangle setup: (port is just only getting forwarded ONCE at handshake but then no communication is happening over it)
# 2024-07-18 08:54:54 by RouterOS 7.11.2
# software id = xxxxx
#
# model = RB4011iGS+
# serial number = xxxxx
/interface bridge
add name=bridge1 vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=ether1-YOUbroad
set [ find default-name=ether2 ] name=ether2-hathway
set [ find default-name=ether3 ] name=ether3-TataPLAY
/interface vlan
add interface=bridge1 name=vlan1-tata vlan-id=10
add interface=bridge1 name=vlan2YOUbroad vlan-id=20
add interface=bridge1 name=vlan3-Hathywala vlan-id=30
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool3 ranges=192.168.9.100-192.168.9.254
add name=dhcp_pool4 ranges=192.168.12.100-192.168.12.200
add name=dhcp_pool5 ranges=192.168.24.100-192.168.24.200
add name=dhcp_pool6 ranges=192.168.24.100-192.168.24.200
/ip dhcp-server
add address-pool=dhcp_pool3 interface=vlan1-tata name=dhcp1
add address-pool=dhcp_pool4 interface=vlan2YOUbroad name=dhcp2
add address-pool=dhcp_pool6 interface=vlan3-Hathywala name=dhcp3
/port
set 0 name=serial0
set 1 name=serial1
/routing table
add disabled=no fib name=toYOUbroad
add disabled=no fib name=tohathway
add disabled=no fib name=toTataPLAYy
/interface bridge port
add bridge=bridge1 interface=ether4 pvid=10
add bridge=bridge1 interface=ether5 pvid=10
add bridge=bridge1 interface=ether6 pvid=20
add bridge=bridge1 interface=ether7 pvid=20
add bridge=bridge1 interface=ether8 pvid=30
add bridge=bridge1 interface=ether9 pvid=30
add bridge=bridge1 interface=ether10 pvid=30
/interface bridge vlan
add bridge=bridge1 tagged=bridge1 untagged=ether4,ether5 vlan-ids=10
add bridge=bridge1 tagged=bridge1 untagged=ether6,ether7 vlan-ids=20
add bridge=bridge1 tagged=bridge1 untagged=ether8,ether9,ether10 vlan-ids=30
/interface list member
add interface=ether1-YOUbroad list=WAN
add interface=ether2-hathway list=WAN
add interface=ether3-TataPLAY list=WAN
add interface=vlan1-tata list=LAN
add interface=vlan2YOUbroad list=LAN
add interface=vlan3-Hathywala list=LAN
/ip address
add address=192.168.9.9/24 interface=vlan1-tata network=192.168.9.0
add address=192.168.12.12/24 interface=vlan2YOUbroad network=192.168.12.0
add address=192.168.24.24/24 interface=vlan3-Hathywala network=192.168.24.0
/ip dhcp-client
add add-default-route=no interface=ether1-YOUbroad use-peer-dns=no
add add-default-route=no interface=ether2-hathway use-peer-dns=no
add add-default-route=no interface=ether3-TataPLAY use-peer-dns=no
/ip dhcp-server network
add address=192.168.9.0/24 dns-server=208.67.222.222,208.67.220.220 gateway=\
    192.168.9.9
add address=192.168.12.0/24 dns-server=208.67.222.222,208.67.220.220 gateway=\
    192.168.12.12
add address=192.168.24.0/24 dns-server=208.67.222.222,208.67.220.220 gateway=\
    192.168.24.24
/ip dns
set servers=208.67.222.222,208.67.220.220
/ip firewall filter
add action=accept chain=input connection-state=established,related,untracked
add action=accept chain=input dst-address=127.0.0.1
add action=accept chain=input protocol=icmp
add action=accept chain=input in-interface-list=LAN
add action=accept chain=forward connection-state=\
    established,related,untracked
add action=accept chain=input connection-nat-state=dstnat
add action=accept chain=forward connection-nat-state=dstnat
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=drop chain=input connection-state=invalid disabled=yes
add action=drop chain=input disabled=yes
add action=drop chain=forward disabled=yes
/ip firewall mangle
add action=mark-connection chain=prerouting connection-mark=no-mark \
    connection-state=new in-interface=ether1-YOUbroad new-connection-mark=\
    ether1-youbroadin passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
    connection-state=new in-interface=ether2-hathway new-connection-mark=\
    ether2-hathway-in passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
    connection-state=new in-interface=ether3-TataPLAY new-connection-mark=\
    ether3-tata-in passthrough=yes
add action=mark-routing chain=output connection-mark=ether1-youbroadin \
    new-routing-mark=toYOUbroad passthrough=yes
add action=mark-routing chain=output connection-mark=ether2-hathway-in \
    new-routing-mark=tohathway passthrough=yes
add action=mark-routing chain=output connection-mark=ether3-tata-in \
    new-routing-mark=toTataPLAYy passthrough=yes
add action=mark-routing chain=prerouting in-interface=vlan1-tata \
    new-routing-mark=toTataPLAYy passthrough=no
add action=mark-routing chain=prerouting in-interface=vlan2YOUbroad \
    new-routing-mark=toYOUbroad passthrough=no
add action=mark-routing chain=prerouting in-interface=vlan3-Hathywala \
    new-routing-mark=tohathway passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1-YOUbroad
add action=masquerade chain=srcnat out-interface=ether2-hathway
add action=masquerade chain=srcnat out-interface=ether3-TataPLAY
add action=dst-nat chain=dstnat dst-port=22583 in-interface=ether2-hathway \
    protocol=tcp to-addresses=192.168.24.195 to-ports=22583
add action=dst-nat chain=dstnat dst-port=22583 in-interface=ether2-hathway \
    protocol=udp to-addresses=192.168.24.195 to-ports=22583
/ip route
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    1.1.1.1 pref-src="" routing-table=toYOUbroad scope=30 \
    suppress-hw-offload=no target-scope=32
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    8.8.4.4 pref-src="" routing-table=toTataPLAYy scope=30 \
    suppress-hw-offload=no target-scope=32
add disabled=no distance=1 dst-address=1.1.1.1/32 gateway=192.168.4.4 \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=31
add disabled=no distance=1 dst-address=8.8.8.8/32 gateway=192.168.150.150 \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=31
add disabled=no distance=1 dst-address=8.8.4.4/32 gateway=192.168.72.72 \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=31
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    8.8.8.8 pref-src="" routing-table=tohathway scope=30 suppress-hw-offload=\
    no target-scope=32
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    8.8.8.8 pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=32
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    1.1.1.1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=32
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    8.8.4.4 pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=32
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system note
set show-at-login=no
/system routerboard settings
set enter-setup-on=delete-key
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=LAN
i want to port forward on BOTH vlan1 and vlan3 simultaneously. BUT even single port forward (on vlan3) is not happening properly!!!!!!
BTW, do u get messages when an old topic/thread is replied on the forum? i hope 'sindy' can also read my new problem and help me.
 
newbie54321
newbie
Topic Author
Posts: 30
Joined: Sun Oct 01, 2023 9:08 pm

Re: simple port forward not working!!!

Wed Jul 24, 2024 2:45 pm

hiii!! anyone??
 
anav
Forum Guru
Posts: 23394
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: simple port forward not working!!!

Wed Jul 24, 2024 2:56 pm

1. what is the purpose of this rule??

add action=accept chain=input connection-nat-state=dstnat

2. Your mangles are wrong for port forwarding.
 
newbie54321
newbie
Topic Author
Posts: 30
Joined: Sun Oct 01, 2023 9:08 pm

Re: simple port forward not working!!!

Thu Jul 25, 2024 3:47 pm

that rule was told by you to me!!!! in an earlier post!!! OR it might be in defconfig (default config of mikrotik) that i borrowed/copied/implemented. i also thought it to be of no use BUT since it is in defconfig or U told me , i did it.

what should be the mangles then??

i had just started to understand mangles and now this 'routing rules' thing comes up!!!! WTF!!!
so, i am still sticking to mangles. i also tried your said routing rules method, even then port is NOT getting forwarded!!!!!!!
 
mkx
Forum Guru
Posts: 13673
Joined: Thu Mar 03, 2016 10:23 pm

Re: simple port forward not working!!!

Thu Jul 25, 2024 4:00 pm

that rule was told by you to me!!!! in an earlier post!!! OR it might be in defconfig

Don't yell.

And no, nobody in this thread (not even @anav) told you to implement this rule (it's in the config, part of your initial post in this thread). It's not defconf either. And the reason is that it's nonsense ... because it's targeting chain=input ... defconf (and @anav) has a similar rule but for chain=forward. This chain or another chain may seem a detail to you, but it makes a huge difference.
 
anav
Forum Guru
Posts: 23394
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: simple port forward not working!!!

Thu Jul 25, 2024 9:54 pm

Also, it took me years to get to a reasonable level of understanding. Don't expect to get it in a day. :-)

If one does not need to mangle, which is more complex, and can use routing rules, routing rules are generally preferred.
Routing rules force traffic to the table outlined period.
They cannot affect traffic that has been mangled though, mangling has a higher priority.

It's all logic based.
If you force all three subnets out to a special table using routing rules, then the local subnets will not be able to reach each other. If not required, who cares but often that is not the case.
Thus you have to make rules first in the order LIKE:
add dst-address=localSubnetA table=main
add dst-address=localSubnetB table=main
add dst-address=localSubnetC table=main


Then, before being forced out the special table, you would allow the subnets to reach each other.
Someone found a shortcut; not sure what it actually means, but it's equivalent.
add min-prefix=0 table=main

You should be able to see that routing rules are good for subnets, or a few users, but if one needs many users but less than a subnet, or users across subnets, or a group of users that cannot be identified by subnet, then mangling is the only option in terms of forcing traffic out a specific table.
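Added illustration, not from any post in this thread: a small Python model of the routing decision anav describes above (and of the routing rules he suggested earlier in the thread), showing why the `min-prefix=0 table=main` rule has to sit first. The model is simplified and makes assumptions: `min-prefix` is treated like Linux `suppress_prefixlength` (a hit whose prefix length is not longer than min-prefix is ignored and the next rule is tried), `lookup-only-in-table` drops when the table has no matching route, a mangle routing-mark bypasses the rules entirely, and `main` carries a default route via ether2 as anav recommended. The tables, subnets and gateways are the thread's own values; the hosts are constructed.

```python
from ipaddress import ip_address, ip_network

# Constructed routing tables modelled on the thread's config: "main" holds the
# three connected VLAN subnets plus the primary WAN default route (ether2, as
# anav suggested); each ISP table holds only that ISP's default route.
TABLES = {
    "main": [
        ("192.168.9.0/24", "vlan1-tata"),
        ("192.168.12.0/24", "vlan2YOUbroad"),
        ("192.168.24.0/24", "vlan3-Hathywala"),
        ("0.0.0.0/0", "192.168.150.150"),
    ],
    "toTataPLAYy": [("0.0.0.0/0", "192.168.72.72")],
    "toYOUbroad": [("0.0.0.0/0", "192.168.4.4")],
    "tohathway": [("0.0.0.0/0", "192.168.150.150")],
}


def lookup(table, dst):
    """Longest-prefix match in one table; returns (network, gateway) or None."""
    best = None
    for prefix, gw in TABLES[table]:
        net = ip_network(prefix)
        if ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best


def route(rules, src, dst, routing_mark=None):
    """Simplified RouterOS v7 routing decision (assumed model, see lead-in).

    Returns (table, gateway) for a packet, or ("drop", None).
    """
    # A routing-mark set in mangle wins: routing rules are never consulted.
    if routing_mark:
        hit = lookup(routing_mark, dst)
        return (routing_mark, hit[1]) if hit else ("drop", None)
    for rule in rules:
        if "src" in rule and ip_address(src) not in ip_network(rule["src"]):
            continue
        if "dst" in rule and ip_address(dst) not in ip_network(rule["dst"]):
            continue
        hit = lookup(rule["table"], dst)
        # min-prefix (modelled like Linux suppress_prefixlength): a hit whose prefix
        # length is not longer than min-prefix is ignored and evaluation continues.
        # With min-prefix=0, connected /24 routes win but the /0 default is skipped.
        if hit is not None and "min_prefix" in rule and hit[0].prefixlen <= rule["min_prefix"]:
            continue
        if hit is not None:
            return (rule["table"], hit[1])
        if rule["action"] == "lookup-only-in-table":
            return ("drop", None)  # no route in that table: packet is dropped
        # action=lookup with no hit: fall through to the next rule
    hit = lookup("main", dst)  # no rule matched: ordinary main-table lookup
    return ("main", hit[1]) if hit is not None else ("drop", None)


# The per-subnet rules from the thread, without and with the min-prefix rule in front.
ISP_RULES = [
    {"action": "lookup-only-in-table", "src": "192.168.9.0/24", "table": "toTataPLAYy"},
    {"action": "lookup-only-in-table", "src": "192.168.12.0/24", "table": "toYOUbroad"},
    {"action": "lookup-only-in-table", "src": "192.168.24.0/24", "table": "tohathway"},
]
RULES_WITH_MIN_PREFIX = [
    {"action": "lookup-only-in-table", "min_prefix": 0, "table": "main"}
] + ISP_RULES

if __name__ == "__main__":
    cases = [
        ("router IP from vlan3", "192.168.24.100", "192.168.24.24"),
        ("internet from vlan1", "192.168.9.100", "8.8.8.8"),
        ("vlan1 -> vlan3 host", "192.168.9.100", "192.168.24.50"),
    ]
    for label, src, dst in cases:
        print(f"{label:22} without min-prefix: {route(ISP_RULES, src, dst)}"
              f"   with min-prefix: {route(RULES_WITH_MIN_PREFIX, src, dst)}")
    # A reply belonging to a mangle-marked connection ignores the routing rules.
    print("marked reply          ",
          route(ISP_RULES, "192.168.24.194", "203.0.113.5", routing_mark="tohathway"))
```

Without the min-prefix rule, a packet from vlan3 to the router's own 192.168.24.24 is looked up only in `tohathway`, where the only route is the ISP default, so the router is not treated as local; with the rule first, `main` answers for every connected subnet and only internet-bound traffic (matched solely by the /0 route) falls through to the per-ISP rules. Whether the two VLANs may then actually talk to each other is still decided in the firewall forward chain, not here.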
 
anav
Forum Guru
Posts: 23394
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: simple port forward not working!!!

Thu Jul 25, 2024 10:01 pm

Suggest instead of plugging provided config lines into your router you try to understand what each line is doing, and if you don't know, ask!!!
 
newbie54321
newbie
Topic Author
Posts: 30
Joined: Sun Oct 01, 2023 9:08 pm

Re: simple port forward not working!!!

Mon Aug 05, 2024 5:51 pm

hiiiiiiiii
 
newbie54321
newbie
Topic Author
Posts: 30
Joined: Sun Oct 01, 2023 9:08 pm

Re: simple port forward not working!!!

Mon Aug 05, 2024 5:56 pm

Also, it took me years to get to a reasonable level of understanding. Don't expect to get it in a day. :-)

If one does not need to mangle, which is more complex, and can use routing rules, routing rules are generally preferred.
Routing rules force traffic to the table outlined period.
They cannot affect traffic that has been mangled though, mangling has a higher priority.

It's all logic based.
If you force all three subnets out to a special table using routing rules, then the local subnets will not be able to reach each other. If not required, who cares but often that is not the case.
Thus you have to make rules first in the order LIKE:
add dst-address=localSubnetA table=main
add dst-address=localSubnetB table=main
add dst-address=localSubnetC table=main


Then, before being forced out the special table, you would allow the subnets to reach each other.
Someone found a shortcut; not sure what it actually means, but it's equivalent.
add min-prefix=0 table=main

You should be able to see that routing rules are good for subnets, or a few users, but if one needs many users but less than a subnet, or users across subnets, or a group of users that cannot be identified by subnet, then mangling is the only option in terms of forcing traffic out a specific table.
ok, so if i don't want the subnets to reach each other then i should omit this "add min-prefix=0 table=main" rule, right? that's exactly what i did in my following config. BUT if i don't include this rule AND don't have something in my main table THEN i cannot access my router thru its ip. only accessible thru its mac address (winbox, neighbors tab, select mac address). this is just like not creating the
"! local" option in mangle routing rules!!! does this routing rules thingy have this same functionality as "! local" anywhere?
BTW in both my configs (mangle and routing rules) the port forwards are working CORRECTLY. NOW i can port forward in all the vlans simultaneously!!!
just that ip address access is not possible in routing rules method.
my current routing rules config:
# 2024-07-30 12:25:12 by RouterOS 7.11.2
# software id = xxxxx
#
# model = RB4011iGS+
# serial number = xxxxx
/interface bridge
add name=bridge1 vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=ether1-YOUbroad
set [ find default-name=ether2 ] name=ether2-hathway
set [ find default-name=ether3 ] name=ether3-TataPLAY
/interface vlan
add interface=bridge1 name=vlan1-tata vlan-id=10
add interface=bridge1 name=vlan2YOUbroad vlan-id=20
add interface=bridge1 name=vlan3-Hathywala vlan-id=30
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool3 ranges=192.168.9.100-192.168.9.254
add name=dhcp_pool4 ranges=192.168.12.100-192.168.12.200
add name=dhcp_pool6 ranges=192.168.24.100-192.168.24.200
/ip dhcp-server
add address-pool=dhcp_pool3 interface=vlan1-tata name=dhcp1
add address-pool=dhcp_pool4 interface=vlan2YOUbroad name=dhcp2
add address-pool=dhcp_pool6 interface=vlan3-Hathywala name=dhcp3
/port
set 0 name=serial0
set 1 name=serial1
/routing table
add disabled=no fib name=toYOUbroad
add disabled=no fib name=tohathway
add disabled=no fib name=toTataPLAYy
/interface bridge port
add bridge=bridge1 interface=ether4 pvid=10
add bridge=bridge1 interface=ether5 pvid=10
add bridge=bridge1 interface=ether6 pvid=20
add bridge=bridge1 interface=ether7 pvid=20
add bridge=bridge1 interface=ether8 pvid=30
add bridge=bridge1 interface=ether9 pvid=30
add bridge=bridge1 interface=ether10 pvid=30
/interface bridge vlan
add bridge=bridge1 tagged=bridge1 untagged=ether4,ether5 vlan-ids=10
add bridge=bridge1 tagged=bridge1 untagged=ether6,ether7 vlan-ids=20
add bridge=bridge1 tagged=bridge1 untagged=ether8,ether9,ether10 vlan-ids=30
/interface list member
add interface=ether1-YOUbroad list=WAN
add interface=ether2-hathway list=WAN
add interface=ether3-TataPLAY list=WAN
add interface=vlan1-tata list=LAN
add interface=vlan2YOUbroad list=LAN
add interface=vlan3-Hathywala list=LAN
/ip address
add address=192.168.9.9/24 interface=vlan1-tata network=192.168.9.0
add address=192.168.12.12/24 interface=vlan2YOUbroad network=192.168.12.0
add address=192.168.24.24/24 interface=vlan3-Hathywala network=192.168.24.0
/ip dhcp-client
add add-default-route=no interface=ether1-YOUbroad use-peer-dns=no
add add-default-route=no interface=ether2-hathway use-peer-dns=no
add add-default-route=no interface=ether3-TataPLAY use-peer-dns=no
/ip dhcp-server network
add address=192.168.9.0/24 dns-server=208.67.222.222,208.67.220.220 gateway=\
    192.168.9.9
add address=192.168.12.0/24 dns-server=208.67.222.222,208.67.220.220 gateway=\
    192.168.12.12
add address=192.168.24.0/24 dns-server=208.67.222.222,208.67.220.220 gateway=\
    192.168.24.24
/ip dns
set servers=208.67.222.222,208.67.220.220
/ip firewall filter
add action=accept chain=input connection-state=established,related,untracked
add action=accept chain=input dst-address=127.0.0.1
add action=accept chain=input protocol=icmp
add action=accept chain=input in-interface-list=LAN
add action=accept chain=forward connection-state=\
    established,related,untracked
add action=accept chain=forward connection-nat-state=dstnat
add action=accept chain=forward connection-nat-state=dstnat
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=drop chain=input connection-state=invalid
add action=drop chain=input
add action=drop chain=forward
/ip firewall mangle
add action=mark-connection chain=prerouting connection-mark=no-mark \
    connection-state=new in-interface=ether1-YOUbroad new-connection-mark=\
    ether1-youbroadin passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
    connection-state=new in-interface=ether2-hathway new-connection-mark=\
    ether2-hathway-in passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
    connection-state=new in-interface=ether3-TataPLAY new-connection-mark=\
    ether3-tata-in passthrough=yes
add action=mark-routing chain=output connection-mark=ether1-youbroadin \
    new-routing-mark=toYOUbroad passthrough=yes
add action=mark-routing chain=output connection-mark=ether2-hathway-in \
    new-routing-mark=tohathway passthrough=yes
add action=mark-routing chain=output connection-mark=ether3-tata-in \
    new-routing-mark=toTataPLAYy passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1-YOUbroad
add action=masquerade chain=srcnat out-interface=ether2-hathway
add action=masquerade chain=srcnat out-interface=ether3-TataPLAY
add action=dst-nat chain=dstnat dst-port=22583 in-interface=ether3-TataPLAY \
    protocol=udp to-addresses=192.168.9.244 to-ports=22583
add action=dst-nat chain=dstnat dst-port=55555 in-interface=ether2-hathway \
    protocol=udp to-addresses=192.168.24.194 to-ports=55555
/ip route
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    192.168.72.72 pref-src="" routing-table=toTataPLAYy scope=30 \
    suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.4.4 \
    pref-src="" routing-table=toYOUbroad scope=30 suppress-hw-offload=no \
    target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    192.168.150.150 pref-src="" routing-table=tohathway scope=30 \
    suppress-hw-offload=no target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/routing rule
add action=lookup-only-in-table disabled=no src-address=192.168.9.0/24 table=\
    toTataPLAYy
add action=lookup-only-in-table disabled=no src-address=192.168.12.0/24 \
    table=toYOUbroad
add action=lookup-only-in-table disabled=no src-address=192.168.24.0/24 \
    table=tohathway
/system note
set show-at-login=no
/system routerboard settings
set enter-setup-on=delete-key
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=LAN
BTW, i had posted this same info a few days back!!!! (like 7/8) where did my post go????????? anyway after seeing it NOT here, i repost!!!!!!
 
newbie54321
newbie
Topic Author
Posts: 30
Joined: Sun Oct 01, 2023 9:08 pm

Re: simple port forward not working!!!

Mon Aug 05, 2024 5:58 pm

hiiii
hope the last few posts dont DISAPPEAR???? this is #34 i think.
 
newbie54321
newbie
Topic Author
Posts: 30
Joined: Sun Oct 01, 2023 9:08 pm

Re: simple port forward not working!!!

Sat Aug 17, 2024 1:04 pm

hello????
 
anav
Forum Guru
Posts: 23394
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: simple port forward not working!!!

Sat Aug 17, 2024 8:31 pm

ok, so if i dont want the subnets to reach each other then i should omit this "add min-prefix=0 table=main" rule, right?

WRONG, what makes you think routing rules are firewall rules??
You decided if traffic is allowed at L2 with firewall rules.
IP routes, routing rules, tables etc, simply provide possible paths for traffic.................
You want to keep the min prefix rule to allow traffic you allow in firewall rules.... to find its way !!