Hello,
I have two routers on the same subnet, each one has its own path to the Internet.
The configs are pretty basic, public IP on WAN interfaces, private IP subnet on the LAN side and default config's masquerade for Internet access.
The goal is to redirect Internet traffic from hosts that have gw2 192.168.49.2 as their default route to go out via the gw1 router.
The below config works, except for dst-nat port forwarding from the Internet:
LAN addresses:
gw1 192.168.49.1
gw2 192.168.49.2
/ip firewall mangle
chain=prerouting action=mark-routing new-routing-mark=to_gw1 passthrough=yes
src-address=192.168.49.0/26 dst-address-type=!local connection-mark=no-mark
in-interface=bridge
/ip firewall route
dst-address=0.0.0.0/0 gateway=192.168.49.1 gateway-status=192.168.49.1 reachable via bridge
check-gateway=ping distance=1 scope=30 target-scope=10 routing-mark=to_gw1
It appears that the marking and routing is good, when testing on a LAN host with default gw set to gw2, I get responses from things outside of gw1 through gw1 as expected.
I have a port NAT'd to the the above LAN host on gw1 and when attempting to access it from the Internet via gw1, I see the Internet-sourced syn packets come in to the host via gw1 and the host responds with a syn-ack. The syn-ack packets appear to make it to gw1 but do not appear make it through gw1.
Note that when the host is configured to use gw1, the dst-nat for it on gw1 works correctly.
Any ideas why gw1 doesn't appear to be dealing with the return traffic for the NAT'd traffic?