I have two internet links on eth1 and eth2, with eth1 being the default outgoing route. I have a set of rules that ensure connections initiated on a specific link are responded to on the same link.
On both links, I can connect normally using OpenVPN, but when I connect through Wireguard, the client doesn’t receive any response. From the packet tracing log I made, response packets are forwarded to eth1 (the default), even if they entered through eth2 in the case of Wireguard.
If I use eth2 as the default route, the opposite occurs: I can only connect using this link, and any attempt to connect using eth1 is responded to on eth2.
No idea why, as OpenVPN works fine with the same config.
Don't like your firewall rules personally, but nothing in there to stop traffic.
Let's look at the mangle rules...

    add action=mark-connection chain=input comment="marks connections entering through port 1" connection-state=new in-interface=ether1-claro new-connection-mark=eth1-connection passthrough=yes
    add action=mark-routing chain=output comment="marks outgoing packets that entered through port 1" connection-mark=eth1-connection new-routing-mark=to-eth1 passthrough=no
    add action=mark-connection chain=input comment="marks connections entering through port 2" connection-state=new in-interface=ether2-zetanet new-connection-mark=eth2-connection passthrough=yes
    add action=mark-routing chain=output comment="marks outgoing packets that entered through port 2" connection-mark=eth2-connection new-routing-mark=to-eth2 passthrough=no
To (again, personal preference):

    add action=mark-connection chain=prerouting comment="marks connections entering through port 1" connection-mark=no-mark in-interface=ether1-claro new-connection-mark=eth1-connection passthrough=yes
    add action=mark-routing chain=output comment="marks outgoing packets that entered through port 1" connection-mark=eth1-connection new-routing-mark=to-eth1 passthrough=no
    add action=mark-connection chain=prerouting comment="marks connections entering through port 2" connection-mark=no-mark in-interface=ether2-zetanet new-connection-mark=eth2-connection passthrough=yes
    add action=mark-routing chain=output comment="marks outgoing packets that entered through port 2" connection-mark=eth2-connection new-routing-mark=to-eth2 passthrough=no
I would also change all your other mangles from connection-state=new to connection-mark=no-mark, and that way you can still use fasttrack by modifying the normal fasttrack rule
with connection-mark=no-mark. In this way all non-marked traffic can take advantage of fasttrack.
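For reference, the pieces the answer above refers to but does not show, as an added example that is not part of the original post: the mangle rules in prerouting/output, the per-WAN routing tables the routing marks point at, and the fasttrack rule restricted to unmarked connections. The gateway addresses (203.0.113.1 for ether1-claro, 198.51.100.1 for ether2-zetanet) and the WireGuard/OpenVPN ports are placeholders, and the routing-mark syntax is the RouterOS v6 form used on this page (v7 needs a `/routing table add name=... fib` entry and `routing-table=` on the route instead).

```routeros
# Added example, not the poster's export. Gateways and ports are assumed placeholders.

/ip firewall mangle
# Mark the connection on its first packet, in prerouting, keyed only on "not yet marked".
add chain=prerouting in-interface=ether1-claro connection-mark=no-mark \
    action=mark-connection new-connection-mark=eth1-connection passthrough=yes \
    comment="marks connections entering through port 1"
add chain=prerouting in-interface=ether2-zetanet connection-mark=no-mark \
    action=mark-connection new-connection-mark=eth2-connection passthrough=yes \
    comment="marks connections entering through port 2"
# Locally generated replies (VPN handshakes, management, etc.) inherit the connection mark
# in output; turn it into a routing mark so they leave on the link they arrived on.
add chain=output connection-mark=eth1-connection \
    action=mark-routing new-routing-mark=to-eth1 passthrough=no \
    comment="marks outgoing packets that entered through port 1"
add chain=output connection-mark=eth2-connection \
    action=mark-routing new-routing-mark=to-eth2 passthrough=no \
    comment="marks outgoing packets that entered through port 2"

/ip route
# One default route per routing mark, plus the normal default for unmarked traffic.
add dst-address=0.0.0.0/0 gateway=203.0.113.1 routing-mark=to-eth1 comment="replies via ether1-claro"
add dst-address=0.0.0.0/0 gateway=198.51.100.1 routing-mark=to-eth2 comment="replies via ether2-zetanet"
add dst-address=0.0.0.0/0 gateway=203.0.113.1 distance=1 comment="default outgoing route"
add dst-address=0.0.0.0/0 gateway=198.51.100.1 distance=2 comment="failover"

/ip firewall filter
# Fasttrack only connections that carry no mark, so marked (per-WAN) connections
# keep passing through mangle on every packet.
add chain=forward action=fasttrack-connection connection-state=established,related \
    connection-mark=no-mark comment="fasttrack unmarked traffic only"
add chain=forward action=accept connection-state=established,related
# Allow the VPN services to reach the router itself (ports are placeholders).
add chain=input protocol=udp dst-port=51820 action=accept comment="WireGuard (assumed port)"
add chain=input protocol=udp dst-port=1194 action=accept comment="OpenVPN (assumed port)"
```

Verify the behaviour with `/tool sniffer quick interface=ether2-zetanet` (or a log rule in the output chain matching routing-mark=to-eth2) while connecting through the second link: reply packets should now leave on ether2-zetanet regardless of which link holds the default route.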