Which is better, or which would you prefer? Honestly, I like the mangle rule better. I have some trouble wrapping my head around what the routing rule exactly does.
I can't really say. I'm starting to like routing rules, and I think they should generally be more efficient, because they can be simple and stateless. But I don't think there would be a noticeable difference with small setups, so use whatever you like better.
And what it does is simple. If a packet's source address is the IP address of WAN2, it will try to find the destination in routing table WAN-2. And if you have a route to 0.0.0.0/0 there, it will find it. So it's a simple and elegant way to make connections to the router itself work with multiple WANs, because it doesn't need anything else. If you didn't forward any ports inside and just had the router as e.g. a multihomed VPN server, this is enough, no connection tracking required.
The DSTNAT rule states where the packet should go, or "is allowed to go" is probably more accurate ...
A dstnat rule only changes the destination address or port, nothing else. Where the packet actually goes is decided after that by routing.
Funny, here I thought the whole time IP Route was only for going out of the router...
Brace yourself. For a router, there is no "in" or "out" in terms of interfaces, no LAN or WAN. It's all just interfaces. None of them has any special meaning for the router. Packets can go from any interface to any other (or even the same one). It's only the things you define (routes, firewall rules, routing rules, ...) that make it into something.
Yes, I understand this is unique to unsolicited packets because they are new connections. Not an issue with return traffic originating from the LAN.
In fact, no. Routing in this context is a low-level thing. It just shovels packets between interfaces. It doesn't care about any connections, whether they are new, old, invalid, or whatever. Only those fancy high-level things like conntrack care about such unimportant details (from routing's perspective).
About how everything fits together, there are some interesting diagrams. They will scare you at first, but don't worry, it's not just you, they really are scary when you see them for the first time. But there's one which is less scary: on the first line is everything that happens when a packet comes to the router. Routing (not in this image) comes after that. It checks routes, consults routing rules and comes up with a decision where the packet should go. It can continue to either input or forward (if it went to forward, it will pass through postrouting next). So if we stick to the current topic, you can see that mangle rules in prerouting and dstnat are before any routing happens, and they can prepare a packet for it.
@Sob, won't it be easier if you mark the connection / routing coming in on WAN2 in the postrouting chain?
You can mark routing only in prerouting; it doesn't make sense anywhere else, because it's only useful before the routing happens. You could mark the connection in forward (not postrouting, it doesn't support in-interface), and it would save the first packet, but not any following ones. What you can do, if you don't like routing rules, and I did mention it in the very first reply, is to mark routing only for outgoing packets:
/ip firewall mangle
add action=mark-routing chain=prerouting connection-mark=MARK-WAN-2 new-routing-mark=WAN-2 in-interface=LAN
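The two approaches the thread compares, side by side, as an added example that is not from any post in the thread. It assumes RouterOS v6 syntax (v7 moves routing rules to /routing rule and replaces routing-mark= on routes with routing-table=); the interface names WAN2 and LAN, the WAN2 address 203.0.113.10 and its gateway 203.0.113.1 are constructed placeholders.

```routeros
# Approach 1: routing rule. Stateless. Any packet whose source address is
# WAN2's own address is looked up in table WAN-2, which only needs a default
# route. Enough for services the router itself answers (e.g. a VPN server);
# no connection tracking involved.
/ip route
add dst-address=0.0.0.0/0 gateway=203.0.113.1 routing-mark=WAN-2 \
    comment="default route in table WAN-2 (gateway is a placeholder)"
/ip route rule
add src-address=203.0.113.10/32 action=lookup table=WAN-2 \
    comment="packets sourced from the WAN2 address use table WAN-2"

# Approach 2: mangle marks. Stateful. The connection is marked on its first
# packet in prerouting (before routing, as the diagram order shows); routing
# is then marked only on packets that leave for that connection.
/ip firewall mangle
add chain=prerouting in-interface=WAN2 connection-state=new \
    action=mark-connection new-connection-mark=MARK-WAN-2 passthrough=yes \
    comment="remember connections that arrived via WAN2"
add chain=prerouting in-interface=LAN connection-mark=MARK-WAN-2 \
    action=mark-routing new-routing-mark=WAN-2 passthrough=no \
    comment="forwarded replies from LAN (dst-nat'ed services) go back via WAN-2"
add chain=output connection-mark=MARK-WAN-2 \
    action=mark-routing new-routing-mark=WAN-2 passthrough=no \
    comment="replies from the router itself; output has no in-interface, so match the connection mark"
```

To check that the marks are taking effect, `/ip route print where routing-mark=WAN-2` shows the table being consulted and `/ip firewall connection print where connection-mark=MARK-WAN-2` lists the connections the first mangle rule has tagged.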