Ok guys long time lurker first post for me so I hope I make some Sence here,

My current setup involves this WAN-------Mikrotik-------(vlan trunk)------- (clients)

my PPPoE WAN interface also has a /29 subnet on it (public Ip addresses) currently I have 10.0.x.0/29 subnets on about 4 vlans to separate traffic to the various zones etc these all point back to main mikrotik and go out to the internet. the public ip address also have their own vlan which i can allocate.

Now what i wish to do is add a second WAN provider but only route this to certain vlans for example vlan 1-will have access to WAN1 but not WAN2 and vlan 2 have access to WAN2 but not wan1. but to throw a spanner in the works i would also like to have access to the management vlan still.

Any help would be greatly appreciated
cheers

I have sort of the same setup, 4 vlans, 2 wans and using queue tree to limit traffic. What you will need is a bridge for each vlan. mangle traffic and place a routing mark for each wan for each bridge. if your on dhcp from isp then there is a need to script add route to gateway with routing mark, else you can manually add it for each wan gateway since it does not change. Debugging the setup is hard unless your used to routeros. Also dont mark traffic that you want to be routed between the bridges.

Ok so I have a bridge for each vlan already and dhcp set-up on these, I'm not too sure how to set up routing marks and mangle though are there any tutorials I could look at i really appreciate your help

Here is a good start, http://forum.mikrotik.com/viewtopic.php?t=74746

Ok so having a look at this setup have added routing marks to both WAN interfaces and it appears traffic is moving through them and being marked- but now just need to force the traffic to the correct VLAN interfaces, sorry for all the N00b questions here once I manage to get my head around this will be alot clearer

Could you post your config and a network diagram?

Ok behold my awesome paint skills haha - anyway here is a rough diagram and my current config

In general you need to identify the traffic and mark the connection, additional you need to route this marked connection to the specific network by define the routes with routing mark.

Also you should think about the traffic, may be there is traffic from you LAN to WAN, from WAN to LAN
First, you have double entries with same settings or i'm wrong ?

The configuration seems to mark connections depend on in-interface WAN, this marks traffic from WAN to LAN. May be you need also mark the traffic from LAN to WAN for e.g. if your clients have access to the internet (browsing etc)..

To route the marked connections / packets to specific route you need to add a static route with mark to the route table and than set the routing mark depend on the connection mark in the mangle table. Only than the packets of that connection route as you set.

Regards
Marcus

OK so i appear to have had some form of success yay me , but have opened another can of worms it seams i am now unable to route between LAN's for instance if my pc is on the 10.0.4.0/23 lan i cannot access anything on the 10.0.2.0/23 network only the interface on the router :/ also my WAN speeds have also dropped went from 90-100mbs down to about 30 :/ - it is a cloud core router the cpu load sits at about 1% so i assume its just my config, here is a dump from it hopefully someone can see something i cant :/
# mar/25/2015 19:04:52 by RouterOS 6.27
# software id = A3GH-K616
#
/interface bridge
add comment="Chevelle Bridge" name=Belle_Bridge
add comment="Static Framed IP Bridge" name=Framed_IP_Bridge_VLAN666
add comment="General Traffic Bridge" name=General_Traffic_VLAN31_Bridge
add comment="Managment Traffic Bridge" name=Managment_Bridge_VLAN101
add comment="Mt Barrow Bridge" name=Mt_Barrow_Bridge_VLAN56
add comment="Secondary Traffic Bridge " name="Secondry Traffic Bridge"
/interface ethernet
set [ find default-name=ether7 ] name="Ether 7"
set [ find default-name=ether1 ] name="ether1 - Internode"
set [ find default-name=ether2 ] name="ether2 - Exetel"
set [ find default-name=ether3 ] name="ether3 - Radio Link"
set [ find default-name=sfp1 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full \
auto-negotiation=no disabled=yes name="sfp1-Trunk Out" rx-flow-control=\
auto speed=100Mbps tx-flow-control=auto
/interface pppoe-client
add add-default-route=yes disabled=no interface="ether1 - Internode" name=\
pppoe-out1-Internode-Eth1 password=********** service-name=Internode \
use-peer-dns=yes user=**********
add add-default-route=yes disabled=no interface="ether2 - Exetel" \
keepalive-timeout=disabled name=pppoe-out2-Exetel-Eth2 password=\
************** use-peer-dns=yes user=**************
/ip neighbor discovery
set Belle_Bridge comment="Chevelle Bridge"
set Framed_IP_Bridge_VLAN666 comment="Static Framed IP Bridge"
set General_Traffic_VLAN31_Bridge comment="General Traffic Bridge"
set Managment_Bridge_VLAN101 comment="Managment Traffic Bridge"
set Mt_Barrow_Bridge_VLAN56 comment="Mt Barrow Bridge"
set "Secondry Traffic Bridge" comment="Secondary Traffic Bridge "
/interface vlan
add comment="Belle Interface VLAN" interface="ether3 - Radio Link" l2mtu=1574 \
name=Belle_Interface_VLAN42 vlan-id=42
add comment="Framed Public IP Addresses VLAN" interface="ether3 - Radio Link" \
l2mtu=1574 name=Framed_Route_VLAN_666 vlan-id=666
add comment="General Traffic VLAN" interface="ether3 - Radio Link" l2mtu=1574 \
name=General_Traffic_VLAN_31 vlan-id=31
add comment="Managment VLAN" interface="ether3 - Radio Link" l2mtu=1574 name=\
Managment_VLAN_101 vlan-id=101
add comment="Mt Barrow Route VLAN" interface="ether3 - Radio Link" l2mtu=1574 \
name=Mt_Barrow_VLAN56 vlan-id=56
add comment="Secondary Traffic VLAN" interface="ether3 - Radio Link" l2mtu=\
1574 name=Secondary_Traffic_VLAN32 vlan-id=32
/ip neighbor discovery
set Belle_Interface_VLAN42 comment="Belle Interface VLAN"
set Framed_Route_VLAN_666 comment="Framed Public IP Addresses VLAN"
set General_Traffic_VLAN_31 comment="General Traffic VLAN"
set Managment_VLAN_101 comment="Managment VLAN"
set Mt_Barrow_VLAN56 comment="Mt Barrow Route VLAN"
set Secondary_Traffic_VLAN32 comment="Secondary Traffic VLAN"
/ip pool
add name=Management ranges=10.0.2.21-10.0.3.254
add name="General Traffic" ranges=10.0.4.2-10.0.5.254
add name="Ross Harrison " ranges=10.0.6.2-10.0.7.254
add name="Belle Pool" ranges=10.0.8.2-10.0.9.254
add name="Bec Pool" ranges=10.0.10.2-10.0.11.254
add name=VPN-Pool ranges=172.16.6.2-172.16.6.126
add name="Public Address Pool" ranges=59.167.205.242-59.167.205.246
/ip dhcp-server
add add-arp=yes address-pool=Management disabled=no interface=\
Managment_Bridge_VLAN101 name="Management DHCP"
add add-arp=yes address-pool="Ross Harrison " disabled=no interface=\
"Secondry Traffic Bridge" name="Ross Harrison VLAN32"
add add-arp=yes address-pool="Belle Pool" disabled=no interface=Belle_Bridge \
name="Belle Traffic"
add add-arp=yes address-pool="General Traffic" disabled=no interface=\
General_Traffic_VLAN31_Bridge name="General Traffic"
add add-arp=yes address-pool="Bec Pool" disabled=no interface=\
Mt_Barrow_Bridge_VLAN56 name="Mt Barrow"
add add-arp=yes address-pool="Public Address Pool" disabled=no interface=\
Framed_IP_Bridge_VLAN666 name="Public IP addresses"
/port
set 0 name=serial0
set 1 name=serial1
/ppp profile
add change-tcp-mss=yes local-address=172.16.6.1 name="Aaron Remote" \
remote-address=VPN-Pool
/queue simple
add max-limit=128k/128k name="Media PC Rate Limit target=\
10.0.5.67/32
/interface bridge port
add interface="ether2 - Exetel"
add interface="ether3 - Radio Link"
add interface=ether4
add bridge="Secondry Traffic Bridge" interface=ether5
add bridge="Secondry Traffic Bridge" interface=ether6
add bridge="Secondry Traffic Bridge" comment="Management Port" interface=\
"Ether 7"
add bridge="Secondry Traffic Bridge" interface=ether8
add bridge=General_Traffic_VLAN31_Bridge interface=General_Traffic_VLAN_31
add bridge=Belle_Bridge interface=Belle_Interface_VLAN42
add bridge=Framed_IP_Bridge_VLAN666 interface=Framed_Route_VLAN_666
add bridge=Mt_Barrow_Bridge_VLAN56 interface=Mt_Barrow_VLAN56
add bridge=Managment_Bridge_VLAN101 interface=Managment_VLAN_101
add bridge="Secondry Traffic Bridge" interface=Secondary_Traffic_VLAN32
/interface l2tp-server server
set authentication=mschap2 default-profile="Aaron Remote" enabled=yes \
ipsec-secret=Belleishot use-ipsec=yes
/ip address
add address=10.0.2.1/23 comment="Management Vlan" interface=\
Managment_Bridge_VLAN101 network=10.0.2.0
add address=10.0.4.1/23 comment="General Bridge" interface=\
General_Traffic_VLAN31_Bridge network=10.0.4.0
add address=10.0.6.1/23 comment="Aux Traffic" interface=\
"Secondry Traffic Bridge" network=10.0.6.0
add address=10.0.8.1/23 comment="Belle Bridge" interface=Belle_Bridge \
network=10.0.8.0
add address=10.0.10.1/23 comment="Mt Barrow Bridge" interface=\
Mt_Barrow_Bridge_VLAN56 network=10.0.10.0
add address=59.167.205.241/29 comment="Public IP Address Route" interface=\
Framed_IP_Bridge_VLAN666 network=59.167.205.240
/ip dhcp-server lease
add address=10.0.5.190 comment="AirControl Server" mac-address=\
00:E0:B1:20:8F:A3 server="General Traffic"
/ip dhcp-server network
add address=10.0.2.0/23 comment="Management Network" dns-server=10.0.2.1 \
gateway=10.0.2.1 netmask=23
add address=10.0.4.0/23 comment="General Network" dns-server=10.0.4.1 \
gateway=10.0.4.1
add address=10.0.6.0/23 comment="Aux Network Traffic" dns-server=10.0.6.1 \
gateway=10.0.6.1
add address=10.0.8.0/23 comment="Belle Networks" dns-server=10.0.8.1 gateway=\
10.0.8.1
add address=10.0.10.0/23 comment="Barrow Network" dns-server=10.0.10.1 \
gateway=10.0.10.1
add address=59.167.205.240/29 comment="Public Address Pool" dns-server=\
59.167.205.241 gateway=59.167.205.241
/ip dns
set allow-remote-requests=yes
/ip firewall address-list
add address=10.0.2.0/23 comment=Managment list=Lan-Connections
add address=10.0.4.0/23 comment="General Traffic" list=Lan-Connections
add address=10.0.2.0/23 list=support
add address=10.0.4.0/23 list=support
add address=10.0.6.0/23 list=support
add address=10.0.8.0/23 list=support
add address=10.0.10.0/23 list=support
add address=172.16.6.0/25 list=support
add address=59.167.205.240/29 list=support
add address=0.0.0.0/8 comment="Self-Identification [RFC 3330]" list=bogons
add address=10.0.0.0/8 comment="Private[RFC 1918] - CLASS A # Check if you nee\
d this subnet before enable it" disabled=yes list=bogons
add address=127.0.0.0/16 comment="Loopback [RFC 3330]" list=bogons
add address=169.254.0.0/16 comment="Link Local [RFC 3330]" list=bogons
add address=172.16.0.0/12 comment="Private[RFC 1918] - CLASS B # Check if you \
need this subnet before enable it" disabled=yes list=bogons
add address=192.168.0.0/16 comment="Private[RFC 1918] - CLASS C # Check if you\
\_need this subnet before enable it" disabled=yes list=bogons
add address=192.0.2.0/24 comment="Reserved - IANA - TestNet1" list=bogons
add address=192.88.99.0/24 comment="6to4 Relay Anycast [RFC 3068]" list=\
bogons
add address=198.18.0.0/15 comment="NIDB Testing" list=bogons
add address=198.51.100.0/24 comment="Reserved - IANA - TestNet2" list=bogons
add address=203.0.113.0/24 comment="Reserved - IANA - TestNet3" list=bogons
add address=224.0.0.0/4 comment=\
"MC, Class D, IANA # Check if you need this subnet before enable it" \
disabled=yes list=bogons
add address=10.0.0.0/8 comment="Private[RFC 1918] - CLASS A # Check if you nee\
d this subnet before enable it" disabled=yes list=bogons
add address=172.16.0.0/12 comment="Private[RFC 1918] - CLASS B # Check if you \
need this subnet before enable it" disabled=yes list=bogons
add address=192.168.0.0/16 comment="Private[RFC 1918] - CLASS C # Check if you\
\_need this subnet before enable it" disabled=yes list=bogons
add address=224.0.0.0/4 comment=\
"MC, Class D, IANA # Check if you need this subnet before enable it" \
disabled=yes list=bogons
/ip firewall filter
add action=add-src-to-address-list address-list=Syn_Flooder \
address-list-timeout=30m chain=input comment=\
"Add Syn Flood IP to the list" connection-limit=30,32 protocol=tcp \
tcp-flags=syn
add action=drop chain=input comment="Drop to syn flood list" \
src-address-list=Syn_Flooder
add action=add-src-to-address-list address-list=Port_Scanner \
address-list-timeout=1w chain=input comment="Port Scanner Detect" \
protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="Drop to port scan list" \
src-address-list=Port_Scanner
add action=jump chain=input comment="Jump for icmp input flow" jump-target=\
ICMP protocol=icmp
add action=drop chain=input comment="Block all access to the winbox - except t\
o support list # DO NOT ENABLE THIS RULE BEFORE ADD YOUR SUBNET IN THE SUP\
PORT ADDRESS LIST" dst-port=8291 protocol=tcp src-address-list=!support
add action=jump chain=forward comment="Jump for icmp forward flow" \
jump-target=ICMP protocol=icmp
add action=drop chain=forward comment="Drop to bogon list" dst-address-list=\
bogons
add action=add-src-to-address-list address-list=spammers \
address-list-timeout=3h chain=forward comment=\
"Add Spammers to the list for 3 hours" connection-limit=30,32 dst-port=\
25,587 limit=30/1m,0 protocol=tcp
add action=drop chain=forward comment="Avoid spammers action" dst-port=25,587 \
protocol=tcp src-address-list=spammers
add action=drop chain=input comment="Accept DNS - UDP" dst-port=53 \
in-interface=pppoe-out1-Internode-Eth1 protocol=udp
add action=drop chain=input comment="Accept DNS - TCP" dst-port=53 \
in-interface=pppoe-out1-Internode-Eth1 protocol=tcp
add chain=input comment="Accept to established connections" connection-state=\
established
add chain=input comment="Accept to related connections" connection-state=\
related
add chain=input comment="Full access to SUPPORT address list" \
src-address-list=support
add action=drop chain=input comment="Drop anything else! # DO NOT ENABLE THIS \
RULE BEFORE YOU MAKE SURE ABOUT ALL ACCEPT RULES YOU NEED"
add chain=ICMP comment="Echo request - Avoiding Ping Flood" icmp-options=8:0 \
limit=1,5 protocol=icmp
add chain=ICMP comment="Echo reply" icmp-options=0:0 protocol=icmp
add chain=ICMP comment="Time Exceeded" icmp-options=11:0 protocol=icmp
add chain=ICMP comment="Destination unreachable" icmp-options=3:0-1 protocol=\
icmp
add chain=ICMP comment=PMTUD icmp-options=3:4 protocol=icmp
add action=drop chain=ICMP comment="Drop to the other ICMPs" protocol=icmp
add action=jump chain=output comment="Jump for icmp output" jump-target=ICMP \
protocol=icmp
add action=add-src-to-address-list address-list=Syn_Flooder \
address-list-timeout=30m chain=input comment=\
"Add Syn Flood IP to the list" connection-limit=30,32 protocol=tcp \
tcp-flags=syn
add action=drop chain=input comment="Drop to syn flood list" \
src-address-list=Syn_Flooder
add action=add-src-to-address-list address-list=Port_Scanner \
address-list-timeout=1w chain=input comment="Port Scanner Detect" \
protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="Drop to port scan list" \
src-address-list=Port_Scanner
add action=jump chain=input comment="Jump for icmp input flow" jump-target=\
ICMP protocol=icmp
add action=drop chain=input comment="Block all access to the winbox - except t\
o support list # DO NOT ENABLE THIS RULE BEFORE ADD YOUR SUBNET IN THE SUP\
PORT ADDRESS LIST" dst-port=8291 protocol=tcp src-address-list=!support
add action=jump chain=forward comment="Jump for icmp forward flow" \
jump-target=ICMP protocol=icmp
add action=drop chain=forward comment="Drop to bogon list" dst-address-list=\
bogons
add action=add-src-to-address-list address-list=spammers \
address-list-timeout=3h chain=forward comment=\
"Add Spammers to the list for 3 hours" connection-limit=30,32 dst-port=\
25,587 limit=30/1m,0 protocol=tcp
add action=drop chain=forward comment="Avoid spammers action" dst-port=25,587 \
protocol=tcp src-address-list=spammers
add chain=input comment="Accept DNS - UDP" port=53 protocol=udp
add chain=input comment="Accept DNS - TCP" port=53 protocol=tcp
add chain=input comment="Accept to established connections" connection-state=\
established
add chain=input comment="Accept to related connections" connection-state=\
related
add chain=input comment="Full access to SUPPORT address list" \
src-address-list=support
add action=drop chain=input comment="Drop anything else! # DO NOT ENABLE THIS \
RULE BEFORE YOU MAKE SURE ABOUT ALL ACCEPT RULES YOU NEED"
add chain=ICMP comment="Echo request - Avoiding Ping Flood" icmp-options=8:0 \
limit=1,5 protocol=icmp
add chain=ICMP comment="Echo reply" icmp-options=0:0 protocol=icmp
add chain=ICMP comment="Time Exceeded" icmp-options=11:0 protocol=icmp
add chain=ICMP comment="Destination unreachable" icmp-options=3:0-1 protocol=\
icmp
add chain=ICMP comment=PMTUD icmp-options=3:4 protocol=icmp
add action=drop chain=ICMP comment="Drop to the other ICMPs" protocol=icmp
add action=jump chain=output comment="Jump for icmp output" jump-target=ICMP \
protocol=icmp
/ip firewall mangle
add action=mark-routing chain=prerouting comment=\
"Managment Traffic - Exetel Route" in-interface="Secondry Traffic Bridge" \
new-routing-mark=WAN2 passthrough=no
add action=mark-routing chain=prerouting in-interface=Belle_Bridge \
new-routing-mark=WAN2 passthrough=no
add action=mark-routing chain=prerouting in-interface=Mt_Barrow_Bridge_VLAN56 \
new-routing-mark=WAN2 passthrough=no
add action=mark-routing chain=prerouting in-interface=\
General_Traffic_VLAN31_Bridge new-routing-mark=WAN1 passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe-out1-Internode-Eth1 \
src-address=172.16.6.126
add action=masquerade chain=srcnat out-interface=pppoe-out1-Internode-Eth1 \
src-address=10.0.2.0/23
add action=dst-nat chain=dstnat dst-address=150.101.218.15 dst-port=80 \
protocol=tcp to-addresses=10.0.5.190 to-ports=80
add action=dst-nat chain=dstnat dst-address=150.101.218.15 dst-port=7080 \
protocol=tcp to-addresses=10.0.5.55 to-ports=7080
add action=dst-nat chain=dstnat dst-address=150.101.218.15 dst-port=7443 \
protocol=tcp to-addresses=10.0.5.55 to-ports=7443
add action=masquerade chain=srcnat out-interface=pppoe-out1-Internode-Eth1 \
src-address=10.0.4.0/23
add action=masquerade chain=srcnat out-interface=pppoe-out2-Exetel-Eth2 \
src-address=10.0.6.0/23
add action=masquerade chain=srcnat out-interface=pppoe-out2-Exetel-Eth2 \
src-address=10.0.8.0/23
add action=masquerade chain=srcnat out-interface=pppoe-out2-Exetel-Eth2 \
src-address=10.0.10.0/23
/ip route
add distance=1 gateway=220.233.1.203 routing-mark=WAN2
add distance=1 gateway=203.33.255.161 routing-mark=WAN1
/ip upnp
set allow-disable-external-interface=yes enabled=yes
/ip upnp interfaces
add interface=General_Traffic_VLAN31_Bridge type=internal
add interface=pppoe-out1-Internode-Eth1 type=external
add interface=General_Traffic_VLAN_31 type=internal
add interface=pppoe-out2-Exetel-Eth2 type=external
/ppp secret
add name=ahinds password=********** profile="Aaron Remote"
/system clock
set time-zone-name=Australia/Sydney
/system identity
set name=Cloud.overlordnetworks.net
/system ntp client
set enabled=yes primary-ntp=192.231.203.132
/system routerboard settings
set cpu-frequency=1200MHz memory-frequency=1066DDR

Once again i really appreciate your guys help its a steep learning curve but am loving it

You should only route mark traffic thats intended for WAN1/2. All other traffic should be unmarked since you want it to use the "default" routing table.

Ah I see how would I do this sorry just grasped the concept of routing marks

I used adress list to solve it, thus traffic not intended for an adresslist is marked as WAN1/2 traffic. Basically I only have static adresses in dhcp servers and add a address mark in the lease

Ok so I create an address list with the lan ranges in it, sorry for the stupid questions :/ do you have an example configuration I could use?

I dont have a good example, but check http://wiki.mikrotik.com/wiki/Manual:IP ... dress_list . You can add a range to a list

Ahh I see so I point the mangle rule at that address list and in that list I have the lan ranges instead of creating a rule for each range,? For example address list wan 1 and put in 10.0.2.0/23 and 10.0.4.0/23 and then for wan 2 I put 10.0.6.0/23 and so on?

Out of my head I think I would do this, add all subnets into a adresslist called internal_lan, then also add each subnet with wan1 and wan2 into lists. Then in mangle I would add a mangle list for each vlan/subnet with source list as wan1/wan2 and destination !internal_lan. That should lead to mangle only marking traffic thats to to outside and not internal traffic

If the mangle rules are getting too complicated, another simple workaround for this is to add static local routes for the various LANs into each routing table, and don't worry about leaving lan<>lan connections unmarked.

e.g.: 10.1.1.0/29 is connected to interface LAN1, and you want it to be reachable for routing marks lan2 and lan3, add a static route dst=10.1.1.0/29 gate=LAN1 routing-mark=lan2 (etc)

Just food for thought.

I like to keep chains as short and efficient as possible. They run faster AND they're easier to read.

That should work too

Ok so,
Am trying to get my head around these mangle rules - basically from my config listed earlier it is indeed marking all packets not just the ones intended for WAN(Internet) - so i have added all the Lan sub-nets into their own list and have gone from 4 to 2 mangle rules but am still seeing the same problem. i'm sure its a simple rule fix but just cannot seam to grasp it :/


am literally going insane trying to fix this

My guess is that your not allowing traffic in /ip filter. you need a rule there so you dont drop the traffic thats to be routed between bridges.