Cvan
Member Candidate
Topic Author
Posts: 129
Joined: Sat Jun 09, 2018 3:32 am

Connecting two ISPs on Mikrotik

Sun Apr 12, 2020 8:22 am

Hi, I am trying to get two ISP connections working on one MT RB4011.

I have ISP1 working on ether1 out to ISP1 modem
I have ISP2 connected to ether2 which is then connected to ISP2 modem

I have 3 statics working on ISP1 through ether1
I have 3 statics for ISP2 I am trying to run through ether2

I assigned a static IP from ISP2 on ether2 and added a route for 0.0.0.0/0 for eth2 gateway on ISP2 with a distance of 2...
the route shows up in blue and does not seem to work.

I read a few examples; but nothing helping; what am I missing with my config? ..
Last edited by Cvan on Mon Apr 13, 2020 4:58 am, edited 1 time in total.
 
sindy
Forum Guru
Posts: 11280
Joined: Mon Dec 04, 2017 9:19 pm

Re: Connecting two ISPs on Mikrotik

Sun Apr 12, 2020 9:57 am

> I read a few examples; but nothing helping; what am I missing with my config? ..
You seem to lack several bits of information:
  • the distance parameter of a route determines the mutual priority of routes with identical dst-address prefixes when several of them are available. So when both ether1 and ether2 are up, the route with the higher value of distance stays inactive; it only becomes active if the gateway interface of the other one goes down (or if you disable or remove the other route, of course).
  • a route with a longer (= more narrowly matching) dst-address prefix always wins over routes whose dst-address prefixes also match the packet's destination address but are shorter (= more widely matching), regardless of the distance.
  • unless you have your own pool of public IP addresses and can propagate it using BGP to both ISPs, you need to make sure that all upload packets of the same connection (TCP session or others) will use the same WAN the first one has used, or the one through which the initial download packet came in, otherwise the remote host will not be able to assign them to the connection and will drop them (if the ISP won't drop them first because they are sent from an unknown address); hence if you want to distribute the load between the two WAN uplinks, you have to use some load distribution strategy which ensures this. The common name used in the Mikrotik community is "policy routing" (not to be confused with "IPsec policy"), and here is a description of one possible implementation. In there, you have to choose your own distribution strategy for the outgoing connections (from your LAN clients to servers in the internet) you'll use as ...list of classifying match conditions for handling A...
  • it may not be safe to rely on the mere fact that a WAN interface is up, as the DSL line may be broken or the ISP equipment may be broken. Hence it is good to check availability of some immortal IP addresses in the internet, where popular public DNS servers are the best choice, through each WAN, and let the route through that WAN only be active if its reference IP is available through there. The best explanation can be found in this excellent article by Timo Puistaja.

Timo's method just provides a means to keep only really working routes active. Whether you use one of those routes as a primary for all traffic, or whether you want to distribute the traffic among them, is another layer. So for load distribution along with redundancy, you need to do the following:
  • use two routing-mark values (one of them may be empty, i.e. main)
  • with one routing mark, configure the recursive route via WAN1 to 0.0.0.0/0 with distance=1, and the recursive route via WAN2 to 0.0.0.0 with distance=2
  • with the other routing mark, configure the same routes but with swapped distance values
  • for the initial packet of those upload (LAN->internet) connections which can freely choose the WAN, do not set a connection-mark, set only the routing-mark. This will ensure that if one WAN is broken, connections which would normally establish through there will take the other one.
  • if you plan any connections which have to always use a particular WAN no matter what, you'll need yet another routing-mark for this purpose (and a single route via that WAN with that routing-mark)
  • assign the connection-mark only when mangling download packets, based on the in-interface. This will make sure that the connection will stick to the WAN its first packet has used, for both connections initiated from your LAN and connections initiated from the internet (which you may or may not plan to use).
  • of course, the translation of connection-mark to routing-mark for upload packets must stay in place, that's the whole trick.
 
Cvan
Member Candidate
Topic Author
Posts: 129
Joined: Sat Jun 09, 2018 3:32 am

Re: Connecting two ISPs on Mikrotik

Mon Apr 13, 2020 3:07 am

Thanks for the reply.. I am stuck on getting the second ISP2 added and working.. have not gotten as far as your detailed information.. load balancing; marking routes etc..

It appeared as though I could simply assign the static IP for ISP2 to ether2 and then add a route for it with a distance of 2 for 0.0.0/0 and that would add the uplink for ISP2..
after which I could continue a more useful configuration for ISP2..
is this incorrect?
 
sindy
Forum Guru
Posts: 11280
Joined: Mon Dec 04, 2017 9:19 pm

Re: Connecting two ISPs on Mikrotik

Mon Apr 13, 2020 9:59 am

> It appeared as though I could simply assign the static IP for ISP2 to ether2 and then add a route for it with a distance of 2 for 0.0.0/0 and that would add the uplink for ISP2..
> after which I could continue a more useful configuration for ISP2..
> is this incorrect?
You can do this, but to send any traffic via this uplink, you'll have to disconnect/disable the other one, or set the other default route's distance to 3 and above, as otherwise the default route via the other uplink will be used as it has distance=1.

Also, to let the traffic from the LAN get responses from the internet, you have to make sure that outgoing traffic via ether2 also gets src-nated (or masqueraded; there is a subtle but important difference). I don't know your existing configuration, but if you've been using the default firewall configuration so far, it should be enough to make ether2 a member of interface list WAN. If not, post your existing configuration; see the anonymisation hints in my automatic signature below.

The complex setups build on the basics above and allow both uplinks to be used in parallel.
 
Cvan
Member Candidate
Topic Author
Posts: 129
Joined: Sat Jun 09, 2018 3:32 am

Re: Connecting two ISPs on Mikrotik

Mon Apr 13, 2020 10:39 am

Okay.. Thanks again for your reply..

So... this is a remotely managed MT router. Unfortunately I don't have the luxury of disabling ether1 w/o losing access.
I need to be able to uplink ether2 to ISP2 and test that it is actually active and working from the WAN outside;
either by ICMP reply etc... If I put ISP2 route at distance of 1 and drop ISP1 route to a distance of 2.. if ISP2 is
failing; I suppose ISP1 would take over and still work even at a distance of 2..? my concern is losing connectivity
to the remote MT.. To be clear; I am not 100% that the person who connected ether2 to ISP2 modem even did
it correctly.. hence I have to be absolute with ether2 uplink.. so.. there must be a way to test ether2 uplink at
the very basic setup to confirm I can send traffic to that MT router destined for ether2 ISP2 network and it is
reaching its destination...?
Last edited by Cvan on Mon Apr 13, 2020 12:13 pm, edited 1 time in total.
 
sindy
Forum Guru
Posts: 11280
Joined: Mon Dec 04, 2017 9:19 pm

Re: Connecting two ISPs on Mikrotik

Mon Apr 13, 2020 11:36 am

OK, now I understand the pain :-)

So, the simplest way to just test whether the second WAN is fit is to set up a route to some known public IP address which you won't mind becoming eventually unreachable via that WAN's gateway (such as 8.8.8.8, 8.8.4.4, 9.9.9.9 - whichever you do not use as DNS for the Tik and its clients). Then, ping that single address from the Mikrotik itself, and in a second window, run /tool sniffer quick interface=ether2 protocol=icmp. If you can see the requests leaving and the responses coming in, the 2nd uplink works well and you've set this test route properly. If the ping is responded to but the sniffer shows nothing, something is wrong in the setup and the packets still take the default route via WAN1; if the ping is not responded to and disabling the added test route makes it respond (maybe you'll have to stop the ping and try again in 11+ seconds), the 2nd uplink doesn't work.

As that route will have a /32 prefix (the complete IP address), it will override any default route, regardless of the distance value.
 
Cvan
Member Candidate
Topic Author
Posts: 129
Joined: Sat Jun 09, 2018 3:32 am

Re: Connecting two ISPs on Mikrotik

Tue Apr 14, 2020 2:12 am

Thanks again..

I tried this test with route to 9.9.9.9 from ether2 via ISP2; and all ICMP requests/responses are timeouts..
So it does not appear that this ISP2 uplink is active or working... I have to further investigate this ISP2
and come back to this post with more info..
 
Cvan
Member Candidate
Topic Author
Posts: 129
Joined: Sat Jun 09, 2018 3:32 am

Re: Connecting two ISPs on Mikrotik

Thu Apr 16, 2020 7:56 am

Okay, so this was indeed the issue... Long story short; ISP2 was not active.

So now, ISP2 is active and I have uplinked it to ether2 on the bridge with its statics.
Testing on ISP2 uplink ether2 has succeeded.

Ready for the configuration now.. but what to choose.. Bonding; PCC matcher ;..?
Pros:Cons?
 
sindy
Forum Guru
Posts: 11280
Joined: Mon Dec 04, 2017 9:19 pm

Re: Connecting two ISPs on Mikrotik

Thu Apr 16, 2020 9:46 am

Bonded links must share the same L2 space (the fact that the particular link may be chosen based on L3 or even L4 changes nothing about that) so you'd have to use an L2 tunnel to some central device at a remote data center via each ISP; doing so only makes limited sense in special cases and causes all kinds of issues, MTU reduction being the most notable one.

PCC matching alone makes things simple but has limitations - it can only be used if all connections are initiated in LAN->WAN direction. With any application which uses two distinct data streams (VoIP, IPsec, leaving aside dinosaurs like PPTP or FTP) PCC without connection tracking will break things as the data session may end up on another WAN than the control session.

So it depends on the role of the 4011, but as you mention three (probably public) static IPs per WAN, I assume you want to use port forwarding etc., and in such a case PCC can be used to choose the WAN for the first packets of outgoing (LAN->WAN) connections, but then connection tracking must take over.
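
The load-distribution-with-failover steps listed earlier in the thread, with PCC choosing the WAN for the first packets of LAN connections and connection tracking taking over afterwards, sketched as a RouterOS v6 configuration. This is an added example, not a configuration posted by anyone in the thread; the LAN interface name bridge, the gateway addresses 192.0.2.1 (ISP1) and 198.51.100.1 (ISP2), the mark names, and the use of 8.8.8.8 and 9.9.9.9 as probe addresses are assumptions.

```routeros
# Added example for RouterOS v6; every address and name below is a placeholder.
# Assumed: ether1 = WAN1 (gateway 192.0.2.1), ether2 = WAN2 (gateway 198.51.100.1),
# LAN on "bridge"; 8.8.8.8 / 9.9.9.9 are probes only and are not used as DNS.

/ip route
# Pin each probe address to one WAN. scope=10 lets the default routes below
# resolve their gateway recursively through these /32 routes.
add dst-address=8.8.8.8/32 gateway=192.0.2.1 scope=10 comment="probe via WAN1"
add dst-address=9.9.9.9/32 gateway=198.51.100.1 scope=10 comment="probe via WAN2"
# Main table (empty routing-mark): WAN1 preferred, WAN2 as fallback.
add dst-address=0.0.0.0/0 gateway=8.8.8.8 distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=9.9.9.9 distance=2 check-gateway=ping
# Second table: the same two routes with swapped distances.
add dst-address=0.0.0.0/0 gateway=9.9.9.9 distance=1 check-gateway=ping \
    routing-mark=prefer-wan2
add dst-address=0.0.0.0/0 gateway=8.8.8.8 distance=2 check-gateway=ping \
    routing-mark=prefer-wan2

/ip firewall mangle
# Download packets: tag the connection with the WAN it arrived on.
add chain=prerouting in-interface=ether1 connection-mark=no-mark \
    action=mark-connection new-connection-mark=wan1 passthrough=yes
add chain=prerouting in-interface=ether2 connection-mark=no-mark \
    action=mark-connection new-connection-mark=wan2 passthrough=yes
# Upload packets of tagged connections: translate connection-mark to
# routing-mark. wan1 needs no rule because the main table already prefers WAN1.
add chain=prerouting in-interface=bridge connection-mark=wan2 \
    action=mark-routing new-routing-mark=prefer-wan2 passthrough=no
# Replies of the router itself (ping, remote management reached via WAN2).
add chain=output connection-mark=wan2 \
    action=mark-routing new-routing-mark=prefer-wan2 passthrough=no
# Untagged LAN connections: PCC sends one of two buckets to the second table.
# Only a routing-mark is set, so the first packet can still fail over.
add chain=prerouting in-interface=bridge connection-mark=no-mark \
    dst-address-type=!local per-connection-classifier=both-addresses:2/1 \
    action=mark-routing new-routing-mark=prefer-wan2 passthrough=no

/ip firewall nat
# Outgoing traffic must be translated on both uplinks; skip these if an
# existing rule (for example one matching interface list WAN) already covers them.
add chain=srcnat out-interface=ether1 action=masquerade
add chain=srcnat out-interface=ether2 action=masquerade
```

On a remotely managed router, enable Safe Mode before pasting route or mangle changes so that a mistake which cuts the management session is rolled back automatically.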