Glad it’s working, and a great writeup! Now I will know where to refer people asking for this. It comes up several times a month.
The following part should be however corrected.
A connection can have only one connection mark, and in these scenarios we use it to mark the initiator of the connection (hence the connection-mark=no-mark in the marking rules). The connections initiated on the WAN side get marked as from-mgmt. Marking the connections as to-plcX defeats this. It’s unnecessary and should not be done.
should be condensed to one rule that directly applies the routing mark
add chain=prerouting in-interface=ether1 dst-address=172.29.10.102 action=mark-routing new-routing-mark=to-plc1 comment="Mark route to PLC1"
The solution as presented will still work in your use case, so it’s technically correct. The problem comes when you try to extend this to the case where the PLCs want to reach out to a host on the WAN side. (It’s not an uncommon next request that when PLC1 initiates a connection to 192.168.2.180, it should connect to 172.29.10.xxx, and the connection should be seen as coming from 172.29.10.102.)
If I drink too much coffee, I may even contribute to your article with a VRF-based approach to the same problem. I like it more, but it always gets brushed aside when I suggest it on this forum
