I have an issue with using a connection-mark in a NAT rule. (Background: we have a webcam behind a static IP and I want to limit access; it should be reachable only if the right subdomain, let's say webcam.domain.tld, revealed by the HTTP Host: header, was used.)
I have the following basic NAT rule (works):
chain=dstnat action=dst-nat to-addresses=192.168.200.11 to-ports=80 protocol=tcp in-interface=pppoe-out1 dst-port=80
I have the following mangle rule (works):
chain=prerouting action=mark-connection new-connection-mark=webcam passthrough=yes protocol=tcp dst-address=<public_ip> layer7-protocol=webcam dst-port=80 connection-mark=no-mark
I have the following L7 protocol rule (works):
# NAME REGEXP
0 webcam Host: webcam.domain.tld
I can see that requests made via the webcam.domain.tld URL get marked as webcam (in WinBox).
Now, when I change the NAT rule to add the requirement "connection-mark=webcam", it does NOT work anymore. No connection gets marked (or NATed) anymore.
It seems things are not happening in the order prerouting, then NAT?! Otherwise I would expect the mangle rule to still work?
EDIT: CCR, ROS 6.7