What you can do in your case:
1) Do not override "new-connection-mark": add "connection-mark=no-mark" to every mangle rule where you set "new-connection-mark".
It is going to look like this:
/ip firewall mangle
add action=mark-connection chain=prerouting comment=\
"Mark connections for hairpin NAT" dst-address-list=WAN \
connection-mark=no-mark new-connection-mark="Hairpin NAT" passthrough=yes src-address-list=LAN
add action=mark-connection chain=prerouting dst-address-type=!local \
connection-mark=no-mark new-connection-mark=con-one passthrough=yes per-connection-classifier=\
src-address-and-port:2/0 src-address-list=DUAL
add action=mark-connection chain=prerouting dst-address-type=!local \
connection-mark=no-mark new-connection-mark=con-two passthrough=yes per-connection-classifier=\
src-address-and-port:2/1 src-address-list=DUAL
add action=mark-routing chain=prerouting connection-mark=con-one \
new-routing-mark=Antik passthrough=no src-address-list=DUAL
add action=mark-routing chain=prerouting connection-mark=con-two \
new-routing-mark=Telekom passthrough=no src-address-list=DUAL
2) Mark new connections that come from the ISP side:
/ip firewall mangle
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=ether2 new-connection-mark=con-one passthrough=no
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=Telekom new-connection-mark=con-two passthrough=no
So in the end, the mangle section is going to look like this:
/ip firewall mangle
add action=mark-connection chain=prerouting comment=\
"Mark connections for hairpin NAT" dst-address-list=WAN \
connection-mark=no-mark new-connection-mark="Hairpin NAT" passthrough=yes src-address-list=LAN
add action=mark-connection chain=prerouting dst-address-type=!local \
connection-mark=no-mark new-connection-mark=con-one passthrough=yes per-connection-classifier=\
src-address-and-port:2/0 src-address-list=DUAL
add action=mark-connection chain=prerouting dst-address-type=!local \
connection-mark=no-mark new-connection-mark=con-two passthrough=yes per-connection-classifier=\
src-address-and-port:2/1 src-address-list=DUAL
add action=mark-routing chain=prerouting connection-mark=con-one \
new-routing-mark=Antik passthrough=no src-address-list=DUAL
add action=mark-routing chain=prerouting connection-mark=con-two \
new-routing-mark=Telekom passthrough=no src-address-list=DUAL
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=ether2 new-connection-mark=con-one passthrough=no
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=Telekom new-connection-mark=con-two passthrough=no
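
A way to check an exported mangle section for the condition in step 1, as an added example that is not part of the original post: it parses export text and lists every mark-connection rule that lacks connection-mark=no-mark and can therefore overwrite a mark set by an earlier rule. The function names `parse_rules` and `unguarded_marks` are hypothetical, and the sample export is constructed from the rules above with the guard removed from one rule.

```python
import shlex

# Constructed sample export: rule 1 carries the guard, rule 2 (PCC) does not.
SAMPLE = r'''/ip firewall mangle
add action=mark-connection chain=prerouting comment=\
    "Mark connections for hairpin NAT" dst-address-list=WAN \
    connection-mark=no-mark new-connection-mark="Hairpin NAT" passthrough=yes src-address-list=LAN
add action=mark-connection chain=prerouting dst-address-type=!local \
    new-connection-mark=con-one passthrough=yes per-connection-classifier=\
    src-address-and-port:2/0 src-address-list=DUAL
add action=mark-routing chain=prerouting connection-mark=con-one \
    new-routing-mark=Antik passthrough=no src-address-list=DUAL
'''


def parse_rules(export):
    """Return one dict of properties per 'add' line in the /ip firewall mangle menu."""
    logical, buf = [], ""
    for raw in export.splitlines():
        buf += raw.strip()
        if buf.endswith("\\"):   # trailing backslash: rule continues on the next line
            buf = buf[:-1]
            continue
        logical.append(buf)
        buf = ""
    rules, in_mangle = [], False
    for line in logical:
        if line.startswith("/"):
            in_mangle = line == "/ip firewall mangle"
        elif in_mangle and line.startswith("add "):
            props = (tok.split("=", 1) for tok in shlex.split(line)[1:] if "=" in tok)
            rules.append(dict(props))
    return rules


def unguarded_marks(rules):
    """List (rule number, new mark) for mark-connection rules lacking connection-mark=no-mark."""
    return [(n, r.get("new-connection-mark"))
            for n, r in enumerate(rules, 1)
            if r.get("action") == "mark-connection" and r.get("connection-mark") != "no-mark"]


if __name__ == "__main__":
    for n, mark in unguarded_marks(parse_rules(SAMPLE)):
        print(f"rule {n}: sets '{mark}' without connection-mark=no-mark, can overwrite an earlier mark")
```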