I’m having an issue with connections not being seen by the router as being in the new state, so SYN,ACK replies are being dropped as invalid connections.
The setup is that R1 (hex) has a mangle rule applied to a specific source and destination IP list to add a routing mark.
There is then a second default route in a separate routing table to send traffic marked with that routing mark over to R2 (hAP ax lite LTE), rather than using the local default gateway.
Flow is as follows:
R1:
Src: 192.168.30.x (5 devices in IP list)
Destination: AWS Public IP list
Mangle - Add routing mark “4G”
R1 routing table name “4G” has a single route 0.0.0.0/0 via 192.168.66.254
R1 only applies NAT on traffic leaving via the PPPoE client interface on R1, so no NAT is applied to this traffic
R1 ether5 192.168.66.250 connected to R2 ether4 192.168.66.254
R2:
Static routes exist on R2 to send traffic for 192.168.30.x back via 192.168.66.250
The LTE1 interface on R2 injects a default route once connected
Default masquerade NAT rule exists on R2 (I can see this being applied as expected)
Traffic sourced directly from R2 LAN is working as expected
Traffic routed from R1 to R2 seems to match the established/related rules on R2, rather than the new/untracked rule.
Connection tracking is therefore dropping the SYN,ACK replies as invalid.
I can’t understand what is causing this issue, as when running a packet sniffer on the LTE1 interface on R2, I only see SYN packets leaving R2 and SYN,ACK arriving (but being dropped).
Any suggestions?
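For reference, here is one way the setup described in the post can be expressed as RouterOS configuration, together with the connection-tracking and sniffer checks someone debugging it would run on R2. This is an added example, not the poster's own configuration; it assumes RouterOS v7 syntax, uses placeholder address-list names (4G-hosts, aws-public) and a placeholder AWS prefix, and assumes the R2 masquerade rule is keyed on the lte1 interface.

```routeros
# Added illustration of the policy routing described in the post (RouterOS v7 syntax assumed).
# Address-list names "4G-hosts" and "aws-public" and the 203.0.113.0/24 prefix are placeholders.

# --- R1 (hex) ---
# Separate routing table with its own FIB so marked traffic can use a different default route.
/routing table add name=4G fib

# Address lists: the five source hosts and the AWS public ranges (entries are examples only).
/ip firewall address-list add list=4G-hosts address=192.168.30.10
/ip firewall address-list add list=aws-public address=203.0.113.0/24 comment="placeholder AWS range"

# Mark only traffic from the listed hosts to the listed destinations; the routing mark
# is what makes the lookup use table "4G" instead of main.
/ip firewall mangle add chain=prerouting src-address-list=4G-hosts \
    dst-address-list=aws-public action=mark-routing new-routing-mark=4G passthrough=no

# Single default route inside table "4G", pointing at R2 on the transit link.
/ip route add dst-address=0.0.0.0/0 gateway=192.168.66.254 routing-table=4G

# --- R2 (hAP ax lite LTE) ---
# Return path for the R1 LAN, and the masquerade rule covering the LTE uplink (assumed form).
/ip route add dst-address=192.168.30.0/24 gateway=192.168.66.250
/ip firewall nat add chain=srcnat out-interface=lte1 action=masquerade

# --- Checks on R2 while reproducing the problem ---
# How conntrack currently classifies the forwarded flows (state, seen-reply, timeouts).
/ip firewall connection print detail where src-address~"192.168.30."
# Watch the LTE side directly, TCP only, to compare with what conntrack shows.
/tool sniffer quick interface=lte1 ip-protocol=tcp
# Rule counters: the filter rule that matched a dropped SYN,ACK increments here.
/ip firewall filter print stats
```

Comparing the connection-table entries with the sniffer output for the same flow shows whether the SYN from R1 was recorded as a new connection on R2 before the SYN,ACK came back.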