If we add a second ISP line to our network, we need a couple of mangle entries to keep the traffic flowing in and out the correct interfaces. If we simply add a second WAN connection to the router (in this example we will use eth4), the router may not respond to pings or allow any services (like VPN servers) running on the router to work externally. The problem is due to the router choosing a connection / route with a lesser distance to respond back through, even if it wasn’t the connection / route that the request came in on.
Our example setup will be ISP1 coming in on eth1 (ether1-isp1), and ISP2 coming in on eth2 (ether2-isp2).
Let’s set some mangle rules to mark the connection and routing properly so that traffic coming in on a particular interface (ISP) leaves on the same interface:
[sourcecode language=”plain”]
/ip firewall mangle
add action=mark-connection chain=input disabled=no in-interface=\
ether1-isp1 new-connection-mark=isp1-in passthrough=yes
add action=mark-routing chain=output connection-mark=isp1-in disabled=no \
new-routing-mark=isp1-out passthrough=no
add action=mark-connection chain=input disabled=no in-interface=\
ether2-isp2 new-connection-mark=isp2-in passthrough=yes
add action=mark-routing chain=output connection-mark=isp2-in disabled=no \
new-routing-mark=isp2-out passthrough=no
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=[GW IP of ISP1 HERE] \
routing-mark=isp1-out scope=30 target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=[GW IP of ISP2 HERE] \
routing-mark=isp2-out scope=30 target-scope=10
[/sourcecode]
