In this blog post, I’ll share how to set up a MikroTik router with two WAN PPPoE connections using RouterOS 7. This configuration includes a primary PPPoE connection and a secondary one that serves as a backup. 


One key feature is ensuring that when when traffic comes in on a specific PPPoE interface, it will leave through the same interface, ensuring consistent routing behavior.

This configuration is particularly useful for maintaining consistent inbound/outbound traffic flow and ensuring proper failover for critical network environments.



Let’s break it down step by step.


1. Setting Up PPPoE Interfaces

The first step is to configure the two PPPoE clients, one for each WAN connection. The primary PPPoE connection will be set with the default route distance of 1, while the backup PPPoE connection will have a higher route distance (2), ensuring that it only takes over if the primary fails.


/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 user=ppp
add add-default-route=yes default-route-distance=2 disabled=no interface=ether2 \
    name=pppoe-out2 user=ppp
  • pppoe-out1: This is your primary WAN connection, connected via ether1.
  • pppoe-out2: This is your secondary WAN connection, connected via ether2. The higher route distance (2) makes this a backup.


By setting add-default-route=yes, the router will automatically add the default gateway for each PPPoE interface.


2. Routing Tables


Now we create two separate routing tables to handle traffic routing based on the connection. This will allow us to ensure that traffic coming in on a specific interface leaves via that same interface.


/routing table
add disabled=no fib name=PPPOE-1
add disabled=no fib name=PPPOE-2


  • PPPOE-1: This routing table handles traffic coming through and routed out from the first PPPoE connection.
  • PPPOE-2: This routing table will route traffic for the backup/secondary PPPoE connection.


3. Marking Connections Based on Interface


We need to mark the connections based on which PPPoE interface the traffic enters. This ensures that return traffic leaves via the correct interface.

/ip firewall mangle
add action=mark-routing chain=prerouting connection-mark=PPPOE-1 in-interface=bridge1 new-routing-mark=PPPOE-1 \
    passthrough=no
add action=mark-routing chain=prerouting connection-mark=PPPOE-2 in-interface=bridge1 new-routing-mark=PPPOE-2 \
    passthrough=no
add action=mark-connection chain=prerouting comment=\
    "if traffic incoming on PPPOE-1, mark connection PPPOE-1" in-interface=\
    pppoe-out1 new-connection-mark=PPPOE-1 passthrough=yes
add action=mark-connection chain=prerouting comment=\
    "if traffic incoming on PPPOE-2, mark connection PPPOE-2" in-interface=\
    pppoe-out2 new-connection-mark=PPPOE-2 passthrough=yes
  • Marking Traffic from pppoe-out1: Traffic that enters via the primary PPPoE interface (pppoe-out1) is marked with PPPOE-1.
  • Marking Traffic from pppoe-out2: Traffic entering from the backup PPPoE interface (pppoe-out2) is marked with PPPOE-2.


4. Routing Marking


Next, we ensure that the router applies a routing mark based on the connection mark set above. This allows us to use specific routing tables for traffic based on its source interface.


add action=mark-routing chain=output comment=\
    "if connection mark PPPOE-1, add routing mark PPPOE-1" connection-mark=\
    PPPOE-1 new-routing-mark=PPPOE-1 passthrough=yes
add action=mark-routing chain=output comment=\
    "if connection mark PPPOE-2, add routing mark PPPOE-2" connection-mark=\
    PPPOE-2 new-routing-mark=PPPOE-2 passthrough=yes



This configuration ensures:
  • If traffic is marked as PPPOE-1, it will be routed using the routing table PPPOE-1.
  • If traffic is marked as PPPOE-2, it will be routed via the routing table PPPOE-2.


5. Adding IP Routes


Finally, we need to add static routes for each connection, ensuring that traffic is routed out the correct interface based on the marks.


/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=pppoe-out1 \
    routing-table=PPPOE-1 scope=30 suppress-hw-offload=no target-scope=10 \
    vrf-interface=pppoe-out1
add disabled=no dst-address=0.0.0.0/0 gateway=pppoe-out1 routing-table=PPPOE-1 \
    suppress-hw-offload=no
add disabled=no dst-address=0.0.0.0/0 gateway=pppoe-out2 routing-table=PPPOE-2 \
    suppress-hw-offload=no

This configuration ensures:


  • If traffic is marked as PPPOE-1, it will be routed using the routing table PPPOE-1.
  • If traffic is marked as PPPOE-2, it will be routed via the routing table PPPOE-2.