Syed Jahanzaib Personal Blog to Share Knowledge !

October 27, 2011

MIKROTIK Policy Routing based on Client IP Address

~!!!~   Article  By  Syed Jahanzaib   ~!!!~


Recently, at a local setup, the admin asked me to add an extra DSL line just for some specific users (VIP users who are paying some extra money for better speed, as the current single DSL is getting congested by the over-subscribed users). He wanted to manage all users via a single Mikrotik box.
I accomplished this task by adding a 2nd DSL line to the Mikrotik box along with a few rules, and Alhamdolillah it worked fine🙂. I am sharing just the basic logic; you can take this idea and modify it according to your requirements, or use this logic and mix it with a hotspot or PPPoE-based setup. In this example, user MAC-IP binding was used.

Let us assume that we have 2 user lists.


DSL1 Router IP =
DSL2 Router IP =

We want Mikrotik to send the traffic out through DSL-1 or DSL-2 depending on the source IP address.

To accomplish this task, the simple logic is …
STEP#1: First we create an ADDRESS-LIST for each group and add our users to the lists.
STEP#2: Then we add two IP Firewall Mangle rules that set a routing mark on packets originating from the user1 list and from the user2 list.
STEP#3: Then we specify two default routes (destination ) with the appropriate routing marks and gateways.
STEP#4: Then simply add one NAT rule for the local IP series with action masquerade.

The complete script is as follows. The basic idea is taken from ; it is a very nice GUI-based tutorial to follow for achieving some more advanced subnet-based load balancing.

/ip address
add address= disabled=no interface=LAN network=
add address= disabled=no interface=WAN1 network=
add address= disabled=no interface=WAN2 network=

/ip firewall address-list
add address= disabled=no list=DSL1_USERS_LIST
add address= disabled=no list=DSL2_USERS_LIST

/ip firewall mangle
add action=mark-routing chain=prerouting disabled=no new-routing-mark=wan1_user passthrough=no src-address-list=DSL1_USERS_LIST
add action=mark-routing chain=prerouting disabled=no new-routing-mark=wan2_user passthrough=no src-address-list=DSL2_USERS_LIST

/ip route
add disabled=no distance=1 dst-address= gateway= routing-mark=wan1_user scope=30 target-scope=10
add disabled=no distance=2 dst-address= gateway= routing-mark=wan2_user scope=30 target-scope=10

/ip firewall nat
add action=masquerade chain=srcnat disabled=no src-address=
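To make the logic of the four steps concrete, here is an added example (not code from the original post) that models in Python how RouterOS v6 processes a packet under the rules above: the prerouting mangle chain assigns a routing mark to the first matching src-address-list (passthrough=no, so the first match wins), the packet is then looked up in the routing table carrying that mark, and only if that table has no matching route does the lookup fall back to main. All addresses, list entries and gateways below are constructed placeholders, since the post's own values are missing from this copy of the page. The example also goes one step beyond the post: the `not_dst` field models adding `dst-address=!<LAN subnet>` to each mangle rule, which leaves LAN-to-LAN traffic unmarked so it keeps using the connected route in main instead of being pushed out the WAN default route (the symptom several commenters below describe once the mangle rules are enabled).

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional

# Constructed sample addressing; the post's own addresses were stripped from the page.
LAN = ip_network("192.168.0.0/24")
WAN1_GW = "10.0.1.1"   # hypothetical DSL1 router
WAN2_GW = "10.0.2.1"   # hypothetical DSL2 router

# /ip firewall address-list  (constructed entries)
ADDRESS_LISTS = {
    "DSL1_USERS_LIST": [ip_network("192.168.0.10/32"), ip_network("192.168.0.11/32")],
    "DSL2_USERS_LIST": [ip_network("192.168.0.20/32")],
}


@dataclass
class MangleRule:
    """One action=mark-routing rule in chain=prerouting with passthrough=no."""
    src_address_list: str
    new_routing_mark: str
    not_dst: Optional[IPv4Network] = None   # models dst-address=!<LAN> on the rule


@dataclass
class Route:
    """One /ip route entry; routing_mark 'main' is the default table."""
    dst: IPv4Network
    gateway: str
    routing_mark: str = "main"
    distance: int = 1


# The post's two mangle rules, with no destination exclusion.
MANGLE_AS_POSTED = [
    MangleRule("DSL1_USERS_LIST", "wan1_user"),
    MangleRule("DSL2_USERS_LIST", "wan2_user"),
]

# Same rules, but packets to the local LAN are left unmarked (assumed hardening).
MANGLE_WITH_LAN_EXCLUSION = [
    MangleRule("DSL1_USERS_LIST", "wan1_user", not_dst=LAN),
    MangleRule("DSL2_USERS_LIST", "wan2_user", not_dst=LAN),
]

ROUTES = [
    Route(ip_network("0.0.0.0/0"), WAN1_GW, "wan1_user"),
    Route(ip_network("0.0.0.0/0"), WAN2_GW, "wan2_user"),
    Route(LAN, "LAN", "main"),                        # connected route of the LAN interface
    Route(ip_network("0.0.0.0/0"), WAN1_GW, "main"),  # default route for unlisted users
]


def in_address_list(addr: IPv4Address, list_name: str) -> bool:
    return any(addr in net for net in ADDRESS_LISTS.get(list_name, []))


def mark_routing(src: IPv4Address, dst: IPv4Address, rules: List[MangleRule]) -> str:
    """Routing mark assigned by the prerouting chain; 'main' when no rule matches."""
    for rule in rules:
        if rule.not_dst is not None and dst in rule.not_dst:
            continue                      # dst-address=!LAN: rule does not match
        if in_address_list(src, rule.src_address_list):
            return rule.new_routing_mark  # passthrough=no: stop at first match
    return "main"


def lookup(dst: IPv4Address, mark: str, routes: List[Route]) -> Optional[str]:
    """Longest-prefix match inside one routing table; lowest distance wins ties."""
    candidates = [r for r in routes if r.routing_mark == mark and dst in r.dst]
    if not candidates:
        return None
    best = max(candidates, key=lambda r: (r.dst.prefixlen, -r.distance))
    return best.gateway


def next_hop(src: str, dst: str, rules: List[MangleRule], routes: List[Route] = ROUTES) -> str:
    """Gateway the packet leaves through: marked table first, then main (v6 fallback)."""
    s, d = ip_address(src), ip_address(dst)
    mark = mark_routing(s, d, rules)
    gw = lookup(d, mark, routes)
    if gw is None and mark != "main":
        gw = lookup(d, "main", routes)
    return gw or "unreachable"


if __name__ == "__main__":
    for src, dst in [("192.168.0.10", "8.8.8.8"), ("192.168.0.20", "8.8.8.8"),
                     ("192.168.0.50", "8.8.8.8"), ("192.168.0.10", "192.168.0.20")]:
        print(f"{src} -> {dst}: posted={next_hop(src, dst, MANGLE_AS_POSTED)} "
              f"with LAN exclusion={next_hop(src, dst, MANGLE_WITH_LAN_EXCLUSION)}")
```

Running it shows the intended behaviour for Internet-bound traffic (list-1 users leave via the DSL1 gateway, list-2 users via DSL2, unlisted users via the main default route) and the one surprise: with the rules exactly as posted, a list-1 user sending to another LAN host is still marked wan1_user, the marked table's 0.0.0.0/0 route matches, and the packet is sent to the DSL1 gateway instead of the LAN. The variant with the destination exclusion keeps that packet in main, where the connected route wins on prefix length.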



Test the setup by tracing the route to some web address on the Internet!
Go to user1, whose IP address is , and run tracert to any web site, for example , or to if you are only testing (in case you do not have access to a DNS server).

tracert -d





Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix  . :
Description . . . . . . . . . . . : Realtek RTL8139 Family PCI Fast Ethernet NIC
Physical Address. . . . . . . . . : 00-xx-xx-xx-xx-xx
Dhcp Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . :
Subnet Mask . . . . . . . . . . . :
Default Gateway . . . . . . . . . :
DNS Servers . . . . . . . . . . . :

C:\Documents and Settings\zaib>tracert

Tracing route to []
over a maximum of 30 hops

1     <1 ms     <1 ms     2 ms
2      2 ms      2 ms     3 ms



Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix  . :
Description . . . . . . . . . . . : Realtek RTL8139 Family PCI Fast Ethernet NIC
Physical Address. . . . . . . . . : 00-xx-xx-xx-xx-xx
Dhcp Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . :
Subnet Mask . . . . . . . . . . . :
Default Gateway . . . . . . . . . :
DNS Servers . . . . . . . . . . . :

C:\Documents and Settings\zaib>tracert

Tracing route to []
over a maximum of 30 hops

1     <1 ms     <1 ms     2 ms
2      2 ms      2 ms     3 ms
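The tracert check above works because hop 1 should always be the Mikrotik LAN address and hop 2 reveals which DSL router the packet actually left through. The following added example (not from the original post) parses Windows `tracert -d` output and turns that check into a pass/fail result, so it can be run against captured output from each user instead of eyeballing the hops. The sample output and every address in it are constructed placeholders; the post's own addresses are missing from this copy of the page.

```python
import re
from typing import Dict, Optional

# Constructed 'tracert -d' output as seen from a DSL1 user; all addresses are hypothetical.
SAMPLE_TRACERT_USER1 = """
Tracing route to 8.8.8.8 over a maximum of 30 hops

  1    <1 ms    <1 ms     2 ms  192.168.0.1
  2     2 ms     2 ms     3 ms  10.0.1.1
  3     *        *        *     Request timed out.
  4    14 ms    13 ms    14 ms  203.0.113.7
"""

# Constructed output from a DSL2 user: same first hop, different second hop.
SAMPLE_TRACERT_USER2 = """
Tracing route to 8.8.8.8 over a maximum of 30 hops

  1    <1 ms    <1 ms     1 ms  192.168.0.1
  2     4 ms     3 ms     4 ms  10.0.2.1
"""

# hop number, the three RTT columns, and the responding address at the end of the line
HOP_RE = re.compile(r"^\s*(\d+)\s+(.*?)\s+(\d{1,3}(?:\.\d{1,3}){3})\s*$")
TIMEOUT_RE = re.compile(r"^\s*(\d+)\s+\*")


def parse_hops(text: str) -> Dict[int, Optional[str]]:
    """Map hop number -> responding address, or None for 'Request timed out' hops."""
    hops: Dict[int, Optional[str]] = {}
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if m:
            hops[int(m.group(1))] = m.group(3)
            continue
        t = TIMEOUT_RE.match(line)
        if t:
            hops[int(t.group(1))] = None
    return hops


def exit_gateway(text: str, router_lan_ip: str) -> Optional[str]:
    """The DSL router the packet left through (hop 2), provided hop 1 is the Mikrotik."""
    hops = parse_hops(text)
    if hops.get(1) != router_lan_ip:
        return None          # the trace did not even go through our router
    return hops.get(2)


def verify_policy(text: str, router_lan_ip: str, expected_gateway: str) -> bool:
    """True when the user's traffic exits via the gateway the address list should map to."""
    return exit_gateway(text, router_lan_ip) == expected_gateway


if __name__ == "__main__":
    # Hypothetical mapping of each user's trace to the gateway its list should use.
    checks = [("user1", SAMPLE_TRACERT_USER1, "10.0.1.1"),
              ("user2", SAMPLE_TRACERT_USER2, "10.0.2.1")]
    for name, trace, expected in checks:
        status = "OK" if verify_policy(trace, "192.168.0.1", expected) else "WRONG PATH"
        print(f"{name}: exits via {exit_gateway(trace, '192.168.0.1')} -> {status}")
```

Hops that time out are kept as `None` rather than dropped, so a missing hop 2 is reported as a failed check instead of silently shifting the later hops up.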



  1. Nice sharing Jahanzaib bhai! Can we do this with any other open source Linux distros???

    Comment by faizan — October 28, 2011 @ 12:22 AM

    • Sir, does this work with hotspot on the same PC?

      Comment by adeel ahmed — November 13, 2011 @ 9:03 PM

      • I never tested this on HOTSPOT particularly, but the theory says it can work🙂
        It will work, I am sure.

        Comment by Pinochio~:) — November 14, 2011 @ 10:35 AM

  2. Sir… I am interested in this concept… how to set up this concept with an external proxy…
    May you help me sir

    Comment by Mukhsin — January 3, 2012 @ 4:45 PM

    • Wan1 & Wan2 —- (eth1&2) RB450 (eth4) —- Lan
      ‘ |
      ‘ Proxy

      Comment by Mukhsin — January 3, 2012 @ 4:49 PM

  3. Just want to ask you one question..

    1) Can I change the default IP ( to a different IP like

    2) Here is my connection:

    ISP RB750GL switch

    How should I configure my router? I have to use IP for my LAN

    Comment by nisa — January 9, 2012 @ 11:20 AM

  4. I am so sorry that I posted my recent post on the “About Me” page.
    How can I split the IP range of (for example into two groups (A&B),
    Group A taking NET from ADSL1, and Group B taking NET from ADSL2?
    Do I have to enter the IP for each Group?
    As I mentioned before, I use the article “”
    but it didn’t work for me.
    I need it in PPPoE and Hotspot.
    I am very grateful to you, and to anyone who can assist me in this.
    My Best Regards
    (also I sent you an email about that)

    Comment by Firas A.Kareem — February 9, 2012 @ 8:18 PM

    • Dear, it's easy to achieve your goal. If you read the article thoroughly, you will be able to make it.

      First create two address lists, DSL1_Users and DSL2_Users, then add IPs to these address lists as per your requirements, now mark packets for these address lists, and define a route for the specific marked packets to go through your desired WAN link.
      Just follow the guide.

      In the address list, use your user IP pool (i.e. hotspot or pppoe pool)

      Comment by Syed Jahanzaib / Pinochio~:) — February 10, 2012 @ 9:05 AM

      • You are right Mr. Syed, I did it, I put in user list 1 and in user list 2.
        Many thanks for your wonderful ideas!
        I have a simple question .. or request …
        Can I put a welcome screen in PPPoE servers (like the login screen of Hotspot)?
        I want to put a page, so my clients learn how to set up a PPPoE connection,
        i.e., when someone connects to my router, rather than the Hotspot Login page, he sees that page only, so he learns how to set up a PPPoE connection, and then connects.
        Accept my Regards

        Comment by Firas A.Kareem — February 11, 2012 @ 6:09 AM

      • PPPoE doesn’t support this feature.

        However, you can create a custom PPPoE dialer through which, when the user connects, it opens your local intranet page with instructions. You can use AutoIt to create an automated dialer; use your own logic with the following guide.

        Or another approach is to block internet ads and put your own ad with your local intranet page, which has all the required links and your service info, for example like the following.

        Comment by Syed Jahanzaib / Pinochio~:) — February 11, 2012 @ 11:42 AM

      • Hi, I’ve been able to follow your tutorials many times to solve my problems. I must say you are doing an excellent job.

        However, for this particular one, I use an RB1200 and have set up 2 hotspots on 2 interfaces earlier. Now I’m adding a second internet connection (ISP) and want to route traffic from each hotspot through a different internet connection. The last instruction in your blog post tells me to add NAT rules for the src address, but I found out the rules have been placed there already by the hotspot setup.

        I could do a trace route when I finished the setup, which means the setup should be ok; however I cannot PING and cannot browse any site. Is it about the hotspot setup or what could have been the problem? Please, what suggestion do you have for me to be able to get through this?

        Thank you!

        Comment by Sim1 — April 5, 2013 @ 2:59 PM

  5. Salaam Brother,

    Sorry, my previous post does not make sense!

    I am thinking if the following scenario is possible.

    Is it possible in policy routing that it spreads clients equally on WAN links? For example:-

    If I have 3 WAN links and there are 3 users online, then each client should be on each WAN etc etc…

    Hope you understand.

    Comment by nominet — May 8, 2012 @ 12:57 PM

    • You can’t do it using PCC. PCC has its own algorithm to distribute users among multiple WAN links. Try with src-address.

      Or use policy-based routing to distribute users using pool assignments.

      Comment by Syed Jahanzaib / Pinochio~:) — May 8, 2012 @ 3:09 PM

  6. It can be achieved by using pool assignments but this is not exactly the thing I wanted to do.

    I want Mikrotik to automatically spread users on WANs. Are there no other ways other than PCC?


    Comment by nominet — May 8, 2012 @ 4:08 PM

  7. Jahanzaib Bro, how can I use it with failover ..

    Comment by AHMED — July 10, 2012 @ 7:31 PM

  8. Salaam, is it possible to do the following?

    IP addresses: to 192.168.199 go to DSL1
    IP addresses: to go to DSL2

    If yes, then can you please explain how?


    Comment by nominet — July 28, 2012 @ 4:27 PM

  9. Assalaamu Alaikum Syed Jahanzaib bhai, the YouTube cache server project you have posted, I have done it and it is working too. May ALLAH keep you happy and safe. But one problem is coming up: if I use it as a client, I have to set a proxy, which is set in Internet Explorer, entering the address and then the port. I want auto-detect to work so that the proxy does not have to be used in Internet Explorer; please tell me the method for this.

    Comment by abdulsami — September 5, 2012 @ 4:00 AM

  10. I don't want to use Mikrotik, Jahanzaib bhai; I only want to build a Squid YouTube cache server.
    I am using it from the client side, so I have to use a proxy. Just tell me this much: can this proxy not be removed so that auto-detect works on the client side? Please help me.

    Comment by abdulsami — September 5, 2012 @ 9:32 PM

  11. How to connect a printer to a Mikrotik router

    Comment by rasheed — October 17, 2012 @ 5:20 PM

  12. Thanks a lot for sharing your idea. I learned many things from you Sir.

    Comment by Rodel Saludares — February 14, 2013 @ 3:32 PM

  13. Thank you very much for your work; following your site I learned a lot about Mikrotik and networking in general.

    I wanted to ask you a question.
    I followed the guide and everything works perfectly.

    I want to make sure that if the DSL1 line does not work, the group DSL1_USER must be connected to the DSL2 line.
    When the DSL1 line is back to work, the users DSL1_USER return to the DSL1 line.
    Thank you very much for your work

    Comment by Erasmo — February 22, 2013 @ 7:21 PM

  14. Jahanzaib Sir, I want to know how to combine two VPN client networks into one network

    Comment by Ghufran Khizar — May 1, 2013 @ 4:36 AM

  15. Can we add a failover function, i.e. if DSL 1 is down, DSL 2 will serve all of the DSL 1 user list and DSL 2 user list.

    Comment by Alex Adamos — June 30, 2013 @ 7:14 AM

  16. How can I mark the connections so as to know which or who is going through a particular host without having access to the client’s system to do a trace?
    Secondly, I need the script for failover so that if DSL 1 is down, DSL 2 will serve all of the DSL 1 user list and DSL 2 user list.

    Comment by Jones Cosmos — July 26, 2013 @ 1:22 AM

  17. Hi, can you describe how I can split browsing and mail with 2 ISPs in 1 routerboard (Mikrotik):
    1 ISP for mail and 1 other ISP for browsing

    ether1 = WAN1
    ether2 = WAN2
    ether3 = LAN1
    ether4 = LAN2

    LAN1 is the server farm
    LAN2 is the clients

    I want to split so that the clients (LAN2) browse via WAN2
    and the server farm (LAN1) goes via WAN1

    Comment by krak — December 16, 2013 @ 9:58 PM

  18. Assalam Syed Jahanzaib

    I have followed this tutorial and it is working like I want. Now I want, if dsl1 is down, the users in the dsl1_user list to be able to use the dsl2 link, and if dsl1 is up then the users in the dsl1 list go to the dsl1 link.
    Can you write a failover script for this tutorial, if it can be implemented in this tutorial,
    or can you email me


    Comment by mozax — December 21, 2013 @ 9:31 PM

  19. Assalam o alikum.

    How to configure this rule with a Squid proxy server and Mikrotik proxy?

    Comment by asad — September 25, 2014 @ 11:56 PM

  20. Assalamu Alaikum

    Dear Syed Jahanzaib, is it possible to use a pppoe client instead of an IP as Wan2? I tested it and found problems with this method and tried other methods, still got no working result.
    Here’s what I’m trying to make..
    Wan01 is IP ; I use it to provide a pppoe server..
    Wan02 is a pppoe client1 to use it with a single IP on the LAN; only mark routing couldn’t give a clean result. Thanks in advance bro.

    Comment by Red Heart — October 22, 2014 @ 7:45 AM

  21. My Dear Syed Jahanzaib,

    Your solution worked with me perfectly,
    Thanks a lot.

    You are a life saver🙂

    Jazak Allah

    Comment by Asim Khan — April 15, 2015 @ 6:56 PM

  22. Dear Syed Jahanzaib; I can’t access all of the network with this policy routing load balance method. This is perfect for me but I can’t access the other DSL list's network. How can I do it?

    Comment by eray — April 19, 2015 @ 8:13 AM

  23. Thx man, I had to make isolation for 3 IPs from my network company and pass them through a second unused WAN. I read a few articles but they were about how to combine all WANs together and use them as one. Only this article showed it is easy and you don’t have to mark any connections and packets🙂 just mark routing and pass it for the address-list. Thx

    Comment by Konrad — July 29, 2015 @ 11:34 AM

  24. Hai..
    Thanks for your tutorial. I use the same configuration as yours, but I have a problem: when I ping from the outside (from ) to my wan1 and wan2, I get timed out. But when I set no routing-mark in the WAN ip route configuration and ping from outside, I get a normal ping reply.

    Does anyone have a solution for this problem?

    Comment by Wahyu — October 30, 2015 @ 2:16 PM

  25. I have this configuration but with a pppoe server.

    lan ether1 – pppoe client:

    wan1 ether2
    wan2 ether3

    Everything works perfectly.

    If I try to communicate from to , I cannot.
    If I disable the mangle rule, I can communicate from to , but if the mangle rule is active, I cannot communicate between and .

    Comment by Erasmo — November 22, 2015 @ 5:36 PM

    • you can use a simple NAT MASQUERADE rule to enable communication from SRC to DST subnet.

      Comment by Syed Jahanzaib / Pinochio~:) — November 23, 2015 @ 8:49 AM

      • I created a NAT masquerade rule but the problem persists.
        The problem comes when I enable the mangle rule with the routing mark.

        Comment by Erasmo — November 23, 2015 @ 4:26 PM

      • any other ideas?

        Comment by Erasmo — November 27, 2015 @ 7:48 PM

  26. Same problem with my network. Users can’t communicate with each other's IPs or can’t open the web server, but if I enable the ICMP option in mangle then they can communicate but they can’t use the internet .. Please share if you have any solution; I tried everything on NAT and MANGLE

    Comment by Ahmed — August 7, 2016 @ 4:24 AM

  27. wan 6 link pcc

    Comment by زيد الصليحي — August 12, 2016 @ 11:25 PM
