Is there a (correct) way to define an interface address or subnet similarly to how this is done in EdgeOS/VyOS by selecting the interface or network address in a firewall rule?
Context:
We have a customer with a dynamic IP, and we’d like to mangle packets/connections destined to the router’s IP address (which is dynamic on that interface). Is there a way similar to how this is done in VyOS or EdgeOS with RouterOS? Or is a DHCP client script a work-around that adds the assigned IP to an address list?
Yes!
Do you have an example script of how this can be done?
State the requirement more clearly; mangling is a tool, it is not a reason.
A config pops from requirements, not the other way round.
What is the traffic issue you are facing?
Context:
This site has 2 WANs; failover is configured by utilizing gateway distance and gateway check. We want to monitor both connections from our monitoring server (by simply pinging them, to see when one of the connections drops). The problem now is that we’re unable to ping the connection/IP in failover (standby) state, as the replies are sent from the interface that is in the active state (with the source IP of the failover/standby interface, weirdly enough). We want to utilize a mangle rule to mark packets coming IN this interface so that these are routed back through the same interface.
So you are saying that the secondary ISP for example is not pingable because the primary WAN1 is up? More accurately, the supposition is that the router attempts to answer the ping out WAN1 and thus the response is not from the expected IP and is dropped at your end (or something like that).
The quick answer is to mangle any incoming traffic on both WANs, assign connection marks and then routing marks, and then routes and tables to ensure any traffic coming in on a WAN goes out the same WAN.
Tables:
/routing table add fib name=viaISP1
/routing table add fib name=viaISP2
Mangles
/ip firewall mangle
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=ether1 new-connection-mark=WAN1 passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=ether2 new-connection-mark=WAN2 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN1 \
    new-routing-mark=viaISP1 passthrough=no
add action=mark-routing chain=prerouting connection-mark=WAN2 \
    new-routing-mark=viaISP2 passthrough=no
/ip route
add distance=5 gateway=WAN1 routing-table=main check-gateway=ping comment="standard route"
add distance=10 gateway=WAN2 routing-table=main comment="standard route"
add distance=1 gateway=WAN1 routing-table=viaISP1 comment="route for external return traffic to go back out WAN1"
add distance=1 gateway=WAN2 routing-table=viaISP2 comment="route for external return traffic to go back out WAN2"
Additional step: to keep fasttrack available for all other traffic, modify the forward chain rule to
/ip firewall filter
add action=fasttrack-connection chain=forward connection-mark=no-mark connection-state=established,related
I’ve finally gotten the chance to try the above, but as soon as I enable the mangle rules, my routes start flapping. My OSPF session that runs over a tunnel interface flaps as well. I’ve even configured the mangle rules to only work for ICMP traffic (for testing), but no difference.
I’ve tried the following now:
/ip firewall mangle
add action=mark-packet chain=input comment=\
"Mark incoming packets on ISP2 as ISP2-in" in-interface=ether2 \
new-packet-mark=ISP2-wan-ip passthrough=yes protocol=icmp
add action=mark-connection chain=input comment=\
"Mark incoming connections on ISP2 as ISP2-in" new-connection-mark=\
ISP2 packet-mark=ISP2-wan-ip passthrough=yes
add action=route chain=prerouting comment=\
"Packets with ISP2 mark to ISP2 routing table" connection-mark=\
ISP2 log=yes log-prefix=ISP2 passthrough=yes route-dst=ISP2.gateway.IP
I’ve tried the last rule using both the “route” and mark-routing actions (to the routing table with only the default GW for ISP 2); however, this doesn’t work, as it appears the router doesn’t know where to output the packet? The counters do count up, so the rules are hit/executed as expected.
ISP2 prerouting: in:ether2 out:(unknown 0), connection-mark:ISP2 connection-state:established src-mac 3c:5e:c3xxxx, proto ICMP (type 8, code 0), Ext.Src.Ip.Addr->ISP2.ip.addr, len 84
To sum up: I need ICMP replies to be sent out the same interface they were received from so I can monitor the backup/slave connection in a failed-over configuration.
Well, to ensure incoming WAN1 and incoming WAN2 go out the same interface there are two specific sets of mangling rules. (Why do you have protocol on one of the rules??)
Chain is PREROUTING not INPUT!!
Set 1. Add connection-marks to traffic coming in on WANs
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=ether1 new-connection-mark=WAN1 passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=ether2 new-connection-mark=WAN2 passthrough=yes
Set 2. Ensure output traffic goes out the route it came in on, based on connection marks and the assigned routing mark (table)
add action=mark-routing chain=output connection-mark=WAN1 new-routing-mark=ether1-mark passthrough=yes
add action=mark-routing chain=output connection-mark=WAN2 new-routing-mark=ether2-mark passthrough=yes
Thanks @anav,
This finally works:
/ip firewall mangle
add action=mark-packet chain=prerouting comment=\
"Mark incoming packets on ISP2 as ISP2-in" in-interface=ether2 \
new-packet-mark=ISP2-wan-ip passthrough=yes protocol=icmp
add action=mark-connection chain=prerouting comment=\
"Mark incoming packets on ISP2 as ISP2-in" new-connection-mark=\
ISP2 packet-mark=ISP2-wan-ip passthrough=yes
add action=mark-routing chain=output comment=\
"Packets with ISP2 mark to ISP2 routing table" connection-mark=\
ISP2 log-prefix=ISP2 new-routing-mark=ISP2 passthrough=yes
We have a customer with a dynamic IP, and we’d like to mangle packets/connections destined to the router’s IP address (which is dynamic on that interface). Is there a way similar to how this is done in VyOS or EdgeOS with RouterOS? Or is a DHCP client script a work-around that adds the assigned IP to an address list?
That was my original question, still pending an answer on that one!
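The DHCP client script work-around asked about at the top of the thread, as an added example that is not from the thread or from MikroTik: it keeps a firewall address list equal to the interface's current lease, so mangle or filter rules can match the router's dynamic WAN address via dst-address-list instead of a hard-coded IP. The interface name ether2 and the list name WAN2-ip are assumed placeholders.

```routeros
# Added example, not from the thread. Paste into the DHCP client's "Script"
# field (WinBox: IP > DHCP Client > Advanced, or /ip dhcp-client set script=).
# RouterOS runs it on every lease change; $bound and $"lease-address" are the
# variables RouterOS hands to DHCP client scripts.
# Assumed placeholders: WAN interface ether2, address list WAN2-ip.
:local wanIf "ether2"
:local listName "WAN2-ip"
:local tag ("dhcp:" . $wanIf)
:local leaseAddr $"lease-address"

# Always drop the previous entry first, so a renewed lease with a different
# address never leaves two addresses (and two rule matches) in the list.
/ip firewall address-list remove [find list=$listName comment=$tag]

:if ($bound = 1) do={
    # Lease obtained or renewed: publish the current address under our tag
    /ip firewall address-list add list=$listName address=$leaseAddr comment=$tag
    :log info "$wanIf: lease $leaseAddr added to address list $listName"
} else={
    # Lease lost: the list is now empty for this interface, rules stop matching
    :log info "$wanIf: lease lost, $listName entry removed"
}
```

A mangle rule such as chain=input dst-address-list=WAN2-ip then follows the dynamic address automatically, and stops matching as soon as the lease is lost.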