I have two ISP providers, one offering me a static IP.
I want to use this static IP provider for servers where I need to have a static IP due to firewall restrictions.
All is fine if I create a static route but I though I could create a firewall list and use mangle to keep the routing table less poluted. I have this mangle rule
and this route
everything still works but it's slow as hell.
Disabling the mangle and adding a static route for the server I want to reach and everything is fast again.
This is on a RouterBOARD 952Ui-5ac2nD with router OS 6.42.1
What am I doing wrong?

Just to be clear.
1. static_IP is an address list comprised of the specific private LANIPs that are servers?
2. You have TWO ISPs and only want to use the secondary ISP (static) for your servers.

I would expect you have two routes setup for this.....
0.0.0.0/0 gateway IP of Primary ISP (not WANIP), ping gateway distance=1
0.0.0.0/0 gateway IP of Secondary ISP, distance=2

If you didn't want to allow WAN1 users to be able to failover to WAN 2 in case of issues then simply remove the second rule and the ping gateway part of the first rule.

For YOUR servers,, the only IPs that you want to use the Static WAN , a mangle rule and a route rule make sense.
chain=prerouting action=mark-routing new-routing-mark=isp2 source-address-list=static_ip
dst-address=0.0.0.0/0 gateway IP of static ISP, distance=1 routing-mark=isp2

If you wanted the servers to be able to get to the internet in case the secondary ISP was down.
then it would look like this...
dst-address=0.0.0.0/0 gateway IP of static ISP, ping gateway distance=1 routing-mark=isp2
dst-address=0.0.0.0/0 gateway IP of primary ISP, reachable distance=2 routing-mark=isp2

Hi, to make it simpler. let's just ignore the static ip for a moment.
I just want to route traffic to some public ip's over ISP 2.
If I do it via static route, it works great. If I do it over mangle, it's slow as hell.
I currently have about 10 dst-addresses where I need to go over isp 2. Having Mangle + address lists would make it simpler to manage but as mentioned, it's very very slow.

Replace the mangle and routes with below and test?

Can you describe in English what the affect of those rules are accomplishing and why you have set it up this way?
Also why you have passthrough selected for one but not the other............

CZFans config in English:

only mark new connections with a connection mark so less to do for the router, passthrough = no as the next rule needs to mark routing
2nd rule: every packet with that connection mark is cached by the 2nd rule, which marks routing with a new routing mark

this is instead of inspect every packet on prerouting chain and mark each packet with a routing mark.

if the CPU load wasn't too high with OP's original code, this approach would not make much difference.

this is what I use, works fine:
in Mangle then in routing:

Thanks Solar that makes it much clearer.

I do have a question on your setup though.

I am assuming you identify destination address (NOT the WANIP of the ADSL) but an external public internet IP, sorry correction "LIST" so group of external IPs, that would be associated with any network traffic destined for core servers somewhere, and because if you left that part out (the destination-address-list) all LAN traffic would go to the ADSL whereas you only want specific traffic to use the ADSL WANIP. (thus this specific traffic already knows its destination address on the internet as opposed to DNS resolving by domain right???)

Also, it is better to use source address src-address=10.10.2.0/24 OR make an addess list in IP Firewall NetworkLAN = 10.10.2.1 - 10.10.2.254 and just use the name in source-address-list ??

Also I have seen notation sometimes not sure where that is 10.10.2.1/24 (is this wrong)?

Hi Anav,

the mangle rule is very specific for what I need. I need to send traffic towards one public IP address (unifi controller) via the office ADSL link while everything else, should go through the guest wifi ADSL. all WiFi client device is on a VLAN (172.16.0..0/22, no routing mark applied) and will be routed to the guest WiFi ADSL.

Also, it is better to use source address src-address=10.10.2.0/24 OR make an addess list in IP Firewall NetworkLAN = 10.10.2.1 - 10.10.2.254 and just use the name in source-address-list ??

As far as I know they do the same job. cannot say one or another is better. really depends on what your network is and what you try to achieve. I use 10.10.2.0/24 because all our core network equipment is in that range, nothing else is in that range.

Also I have seen notation sometimes not sure where that is 10.10.2.1/24 (is this wrong)?

I believe, 10.10.2.0 is the network, / xx tells you what the subnet mask is.
10.10.2.1 is an IP address, / xx tells you what the mask is applied to it.

play with this
http://www.subnet-calculator.com/

so if you have 10.10.2.1 / 25, then the range of available IP (or the ones you could have access to) is 10.10.2.1 - 10.10.2.126. where the subnet ID is 10.10.2.0 and broadcast address is 10.10.2.127
if you have 10.10.2.129 / 25, then you have 10.10.2.129 - 10.10.2.254 where the subnet ID is 10.10.2.128 and broadcast address is 10.10.2.255

I am revisiting this thread in hopes of understanding it eventually.

1. I am stuck on your comment about passthrough being No for the first rule to ensure the mangle traffic gets used by the second rule.
If you look closely however, CZFANs first rule has passthrough=YES. Do not pass Go, do not collect $200, go directly to jail!
Did I understand your comment incorrectly??

2. Perhaps a bit more granular, but why does only marking the first new connection packet suffice to then ensure all packets associated get routed to ISP2?
Yes, the first packet gets routed out to the appropriate server through ISP2 but what about packets 2-n??? I am guessing that the router keeps track of the routing and then
by magic shovels the rest of those connection packets that way. I feel like I am missing something in the equation, and perhaps the role of passthrough?

3. I am appreciating CZfans route rules especially the efficiency of second one, which includes failover to the other primary route if down.

@Anav,

I think Solar77 made a typo re passthrough = no and should have been yes.

What happens with those rules are:
First (new) packet comes in, the "connection", important, is marked, so the following packets of that "connection" will not need to be inspected as connection tracking will keep track of the packets for that "connection". This is the same as the "new", then it becomes "established, related" in firewall filter.
The passthrough = yes tells it to continue down the mangle rule list for further processing. As that "connection" (already marked and does not need to be "detailed" inspected again, the router just looks for the "mark"), the router will mark all packets of that "connection with routing mark.
Then passthrough = no on the 2nd rule is there to stop the connection / packets from being marked again further down the mangle rules

Hope that makes sense.

Awesome CZFAN, i understand the use........
More importantly and finally!
anav-1 solar77-0