Hi Dark Nate,
The good thing is, I really don't care about your personal opinions or feelings; the goal here is to help the OP.
After reading and talking to some folks, it seems that the IP filter setting on the mT routers is really not a feature/function designed for the home or soho setting.
From what I have been informed, this is a feature or function that is suited and designed for ISP routers and not home routers.
As rextended helped elucidate, RP filtering is for the purpose of ensuring that incoming traffic (packets) is dropped if a response to that incoming traffic would not be routed through the same interface it arrived on, with loose being applied to any route using the existing interface and strict requiring the interface to be on the preferred route.
In any home case where one has dual wans, RP strict would be in most cases a bad idea.
So let's get back to the question at hand. Why are you espousing RP filtering as some sort of home secure solution to access one's router without VPN and using source address list??
+++++++++++++++++++++++++
The OP's post was clear in that he/she had a dual wan scenario which was interfering with accessing the router externally via winbox.
Gotsprings was addressing solely the dual wan bit, being a very focused-on-the-problem individual.
Then you posted with your very good dual wan setup building upon what gotsprings noted.
My initial simple query was trying to understand if the OP wanted dual wan usage capability for accessing the router (via winbox) externally, because according to my limited knowledge, accessing the router externally without protection was a dangerous security no-no. Both experienced poster gotsprings and yourself seemed to be happily helping the OP into a potentially 'dark' place by providing the means to do so through a legitimate configuration for a general case.
However, providing a method for the OP to potentially hang him/herself from a security breach perspective could not be left alone and is why I asked my question on security.
As per my post I never questioned you or gotsprings and merely asked the OP a simple question!!!
The point being external access to the router via winbox without VPN or port knocking etc is not a safe or prescribed method for anyone, home user or network engineer of any repute.
Perhaps the OP was not aware of the dangers of exposing winbox to the external internet and thus it's an education piece.
If we are to give advice, then I had to point out the potential problems with going ahead with the advice provided if indeed it was to access winbox etc.
If you think I am going to change on this outlook, you are very much mistaken.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Instead of that you arrogantly boasted that you access your winbox with a plain input chain rule using source address list. How does this help the conversation/education?
The OP has already stated he will use a VPN, which is the good news and that he/she just wanted to ensure that when setup the access would be accomplished with his/her particular dual WAN setup.
In summary, the dual wan setup provided is what he needed. I wanted to ensure the OP understood that a secure method was required to access winbox, and the OP confirmed that VPN was going to be used to gain access to the router via the dual wan mangling.
So I am happy with the end result.
As for the solution of dual wans and mangling: why not use routes and route rules, as I try to avoid mangling where possible?
If the OP comes in on WAN1
ISP1 route distance=10
ISP2 route distance=5
ISP1 route distance=10 routing-mark=configure-winbox
Route Rule
src address: {EITHER INTERNALLY ASSIGNED VPN ADDRESS}
or
Interface: {EITHER VPN INTERFACE}
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Action: lookup only in table
Table: configure-winbox
PS. Don't worry, I won't be answering threads or giving advice on route inter-VLAN for 1000+ users behind 100 PPPoE servers on 100 VLANs LOL.
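
Added example, not part of the original post: a small Python model of the reverse-path check under RFC 3704 strict and loose semantics, run against a constructed dual-WAN table that uses the route distances from the post. Interface names, the LAN prefix and the sample addresses are assumptions for illustration.

```python
import ipaddress

# Constructed routing table for the post's dual-WAN case: two default routes,
# ISP2 preferred (distance 5) over ISP1 (distance 10), plus a LAN subnet.
# Interface names and the LAN prefix are assumptions for illustration.
ROUTES = [
    {"dst": "0.0.0.0/0", "iface": "WAN1", "distance": 10},
    {"dst": "0.0.0.0/0", "iface": "WAN2", "distance": 5},
    {"dst": "192.168.88.0/24", "iface": "LAN", "distance": 0},
]

def reverse_routes(src, routes):
    """Routes back to src, best first: longest prefix, then lowest distance."""
    addr = ipaddress.ip_address(src)
    nets = [(ipaddress.ip_network(r["dst"]), r) for r in routes]
    hits = [(n, r) for n, r in nets if addr in n]
    hits.sort(key=lambda h: (-h[0].prefixlen, h[1]["distance"]))
    return [r for _, r in hits]

def rp_filter(src, in_iface, mode, routes=ROUTES):
    """Return True if a packet from src arriving on in_iface is accepted."""
    if mode == "no":
        return True
    hits = reverse_routes(src, routes)
    if not hits:
        return False          # no route back at all: dropped by loose and strict
    if mode == "loose":
        return True           # source reachable via some interface is enough
    if mode == "strict":
        return hits[0]["iface"] == in_iface   # must arrive on the best reverse path
    raise ValueError(f"unknown mode: {mode}")

def verdict_table():
    """Verdicts for constructed packets: (source, arriving interface)."""
    cases = [("203.0.113.7", "WAN1"),    # remote admin via the backup ISP
             ("203.0.113.7", "WAN2"),    # remote admin via the preferred ISP
             ("192.168.88.10", "WAN1")]  # LAN source address seen on a WAN port
    return {(s, i, m): rp_filter(s, i, m)
            for s, i in cases for m in ("strict", "loose")}

if __name__ == "__main__":
    for (src, iface, mode), ok in verdict_table().items():
        print(f"{src:15} in={iface} rp-filter={mode:6} -> {'accept' if ok else 'drop'}")
```

In this model strict drops the admin's packet when it arrives on WAN1, while loose accepts every packet once a default route exists, including the LAN-sourced packet seen on a WAN port.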