I have a device that opens an IPv4 TCP connection to a specific port on the WAN. This device loses functionality when that connection goes away, which happens when the TCP established timeout occurs. I want to bypass connection tracking for that device to that port. I created a Raw rule to set no-track on the prerouting chain based on destination port and source MAC address. Turning on logging in key firewall rules, I have log entries indicating that the SYN packets were forwarded to the WAN interface, but I get no response. I cannot see any indication in firewall rule counters or log entries that a response is being blocked. Is there something else I need to do to get a response back to that device and establish the connection?
You likely need a similar raw rule marking return packets for non-tracking as well. If the connection is not tracked, then the firewall can't recognise return packets on its own; you have to do it manually.
Currently those return packets are likely dropped as invalid.
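A RouterOS configuration along the lines of this answer, as an added example that is not from either poster: one notrack rule per direction in the raw table, plus a forward filter rule so untracked packets are accepted before any drop. The interface name ether1-WAN, the device MAC/IP and port 5555 are placeholders.

```routeros
# Outbound: device -> WAN port (matched on source MAC, as in the original rule)
/ip firewall raw
add chain=prerouting action=notrack protocol=tcp \
    src-mac-address=AA:BB:CC:DD:EE:FF dst-port=5555 \
    comment="untracked: device -> WAN:5555 (placeholder MAC/port)"

# Return: WAN port -> device. The MAC cannot be matched here (the packet arrives
# from the WAN), so match the WAN interface, the remote source port and the
# device's address instead. Without this rule the reply is tracked, has no
# matching connection entry and is dropped as invalid.
add chain=prerouting action=notrack protocol=tcp \
    in-interface=ether1-WAN src-port=5555 dst-address=192.168.88.50 \
    comment="untracked: WAN:5555 -> device (placeholder interface/IP)"

# Untracked packets are neither established nor related, so they need their
# own accept rule ahead of the usual invalid/default drops in forward.
/ip firewall filter
add chain=forward action=accept connection-state=untracked \
    place-before=0 comment="accept untracked both directions"

# Caveat (a property of the technique, not something the thread states):
# packets that skip connection tracking also skip NAT, so this only works if
# the device's address is routable from the WAN side.
```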
That makes sense. I had a filter to allow untracked on the forward chain, but the packet probably never got that far. Thanks.