So I was looking at this presentation for load balancing https://mum.mikrotik.com/presentations/US12/tomas.pdf (It is an excellent presentation and highly recommended as a Load Balancing guide)
1. One aspect of load balancing is to make sure that when a connection is initiated through one of the ISPs to the router (packet forwarding for internal services), the connection is routed back out from the internal service through the same ISP. I understand this and have implemented it.
2. What I don't understand is he goes on to do the following (page 33):
/ip firewall mangle
add chain=forward connection-mark=no-mark in-interface=ISP_1 action=mark-connection new-connection-mark=WAN1->LANs
add chain=forward connection-mark=no-mark in-interface=ISP_2 action=mark-connection new-connection-mark=WAN2->LANs
add chain=prerouting connection-mark=WAN1->LANs src-address-list=LAN action=mark-routing new-routing-mark=ISP1_Route
add chain=prerouting connection-mark=WAN2->LANs src-address-list=LAN action=mark-routing new-routing-mark=ISP2_Route
The explanation is: connections initiated from the internet to LAN through one ISP should be replied through the same ISP.
My question is: any connections initiated from WAN to LAN on the forward chain should be dropped at the NAT firewall. There is no way for packets from WAN to reach the LAN unless they hit the public IP of the router and are dst-nat'ed inside (hence the input chain, not forward). Why is he doing this second step? What am I not understanding?
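The rules on page 33 only make sense next to the dst-nat and filter rules that surround them, so here is a complete minimal configuration built around them. This is an added worked example, not the original poster's configuration and not taken from the presentation: the interface names ISP_1 and ISP_2 and the marks WAN1->LANs, WAN2->LANs, ISP1_Route and ISP2_Route are the ones from the slides; the LAN subnet 192.168.88.0/24, the internal web server 192.168.88.10 and the gateways 10.1.1.1 and 10.2.2.1 are assumed values. The syntax is RouterOS v6 (routing-mark on /ip route; v7 uses routing tables instead). The point the example makes is a netfilter fact: dst-nat happens in prerouting, before the routing decision, so a packet whose destination has been rewritten to a LAN host is forwarded rather than delivered locally and traverses the forward chain, which is where the mark-connection rules have to live.

```routeros
# Added example, RouterOS v6 syntax. Assumed: ISP_1/ISP_2 are the WAN interfaces,
# 192.168.88.0/24 is the LAN, 192.168.88.10 runs a web server that is port-forwarded
# from both WANs, 10.1.1.1 and 10.2.2.1 are the ISP gateways.
/ip firewall address-list
add list=LAN address=192.168.88.0/24

# Port forwards. A packet arriving on ISP_1 for tcp/80 is dst-nat'ed here, in
# prerouting, before the routing decision. Its destination is now a LAN host, so
# the router forwards it: it goes through chain=forward, not chain=input.
/ip firewall nat
add chain=dstnat in-interface=ISP_1 protocol=tcp dst-port=80 action=dst-nat to-addresses=192.168.88.10
add chain=dstnat in-interface=ISP_2 protocol=tcp dst-port=80 action=dst-nat to-addresses=192.168.88.10
add chain=srcnat out-interface=ISP_1 action=masquerade
add chain=srcnat out-interface=ISP_2 action=masquerade

# Filter: from the WAN side only dst-nat'ed (port-forwarded) connections and replies
# get through; everything else WAN->LAN is dropped. Only the allowed connections
# ever reach the mangle rules below.
/ip firewall filter
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward in-interface=ISP_1 connection-nat-state=dstnat action=accept
add chain=forward in-interface=ISP_2 connection-nat-state=dstnat action=accept
add chain=forward in-interface=ISP_1 action=drop
add chain=forward in-interface=ISP_2 action=drop

# Step 2 from the slides. The first packet of a forwarded connection remembers which
# WAN it came in on (connection marks are stored in the connection-tracking entry).
/ip firewall mangle
add chain=forward connection-state=new connection-mark=no-mark in-interface=ISP_1 \
    action=mark-connection new-connection-mark=WAN1->LANs passthrough=yes
add chain=forward connection-state=new connection-mark=no-mark in-interface=ISP_2 \
    action=mark-connection new-connection-mark=WAN2->LANs passthrough=yes
# Reply packets from the LAN host carry that connection mark. Give them a routing
# mark in prerouting, before the routing decision, so they leave via the same WAN
# instead of the default route.
add chain=prerouting connection-mark=WAN1->LANs src-address-list=LAN \
    action=mark-routing new-routing-mark=ISP1_Route passthrough=no
add chain=prerouting connection-mark=WAN2->LANs src-address-list=LAN \
    action=mark-routing new-routing-mark=ISP2_Route passthrough=no

# Per-mark default routes plus an unmarked default route for ordinary LAN traffic.
/ip route
add dst-address=0.0.0.0/0 gateway=10.1.1.1 routing-mark=ISP1_Route
add dst-address=0.0.0.0/0 gateway=10.2.2.1 routing-mark=ISP2_Route
add dst-address=0.0.0.0/0 gateway=10.1.1.1 distance=1
add dst-address=0.0.0.0/0 gateway=10.2.2.1 distance=2
```

To check that the marks are being applied, open the forwarded port from the internet through ISP_2's address and run `/ip firewall connection print where connection-mark=WAN2->LANs`; the entry for that client should show up with the mark, and `/ip firewall mangle print stats` should show the ISP2_Route mark-routing counter incrementing as the server's replies pass through prerouting. If the connection entry appears but the replies still leave via ISP_1, the usual cause is a rule order problem: the mark-routing rule must come before any other prerouting rule that matches the same LAN traffic with passthrough=no, and the per-mark route must exist for the packets to follow it.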