Split tunneling question and egressing out the correct interface for inbound connections

Philip Prindeville philipp_subx at redfish-solutions.com
Fri Apr 10 10:40:24 PDT 2026



> On Apr 10, 2026, at 11:37 AM, Jonas Lochmann <openwrt at jonaslochmann.de> wrote:
> 
> On Tue, Apr 07, 2026 at 12:49:02PM -0600, Philip Prindeville via openwrt-devel wrote:
>> So the problem is that traffic that came in from outside wants to egress via my 'wan' interface as that's the default route out.  Even doing a ping of 50.20.195.61 (without that last rule).
>> 
>> How do I force traffic that was an inbound connection to egress via the same interface it came in on?  The connection table in iptables should track that, right?
>> 
>> The problem is that other services (HTTP, HTTPS, IMAP/S, Submission) might be connected to internally (via 'lan'), or externally (via 'wan2') and the traffic needs to do the right thing.
>> 
>> How do I leverage the connection table to do that?  Or what mechanisms exist in firewall4 or pbr to make sure it happens correctly?
>> 
>> Reflection only affects internal traffic trying to reach a redirected port via the external address, right?
> 
> mwan3 supports this. It uses fwmarks, connection marks and ip rules in
> combination to send replies back to the right interface.

Good to know.  I'll try to set it up.

Wondering if that isn't something that firewall4 should handle on its own...

As part of the "strong host" model, enforcing that return traffic egresses via the same NATting would seem to be a firewall function and not a PBR function (I think of PBR as applying to egress traffic).
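The mechanism Jonas names (connection marks, packet marks and ip rules working together so replies leave via the interface the connection arrived on) is shown below as an added example. It is not code from this thread, from mwan3 or from firewall4; it is a standalone nftables ruleset plus iproute2 commands. Assumed values: the kernel device for the secondary WAN is named `wan2`, its gateway is 198.51.100.1 (a constructed RFC 5737 address), routing table 102 and mark 0x200 under mask 0xff00 are free. The script only prints the configuration unless invoked with `apply`.

```shell
#!/bin/sh
# Added example: route replies back out the WAN they arrived on using
# ct mark (connmark) -> meta mark (fwmark) -> ip rule. Not from the thread,
# mwan3 or firewall4. All names and addresses below are assumptions.

WAN2_IF="${WAN2_IF:-wan2}"            # assumed kernel device name of 2nd WAN
WAN2_GW="${WAN2_GW:-198.51.100.1}"    # constructed gateway (RFC 5737 range)
WAN2_TABLE="${WAN2_TABLE:-102}"       # assumed free routing table id
WAN2_MARK="${WAN2_MARK:-0x200}"       # assumed free mark value
MARK_MASK="0xff00"                    # bits reserved for interface marks

# nftables ruleset. New connections first seen on wan2 get a connection mark;
# every later packet of that flow (either direction, forwarded or locally
# generated) copies the connection mark back onto the packet, so the reply
# carries a fwmark when the routing decision is made.
wan2_nft_ruleset() {
    cat <<EOF
table inet reply_route {
    chain prerouting {
        type filter hook prerouting priority mangle; policy accept;
        # established flows: restore packet mark from the connection mark
        ct mark & $MARK_MASK != 0 meta mark set ct mark
        # brand-new inbound connections arriving on wan2: tag the connection
        iifname "$WAN2_IF" ct state new ct mark set ct mark | $WAN2_MARK
    }
    chain output {
        # 'route' type so the kernel re-routes after the mark is set
        type route hook output priority mangle; policy accept;
        # replies from daemons on the router itself (sshd, httpd, imapd)
        ct mark & $MARK_MASK != 0 meta mark set ct mark
    }
}
EOF
}

# Policy routing: marked packets consult table 102, whose only default
# route points at the wan2 gateway. Priority 1000 sits before 'main'.
wan2_policy_routes() {
    cat <<EOF
ip route replace default via $WAN2_GW dev $WAN2_IF table $WAN2_TABLE
ip rule add fwmark $WAN2_MARK/$MARK_MASK lookup $WAN2_TABLE priority 1000
EOF
}

# Default action is to print; 'apply' loads the rules (root, nft, iproute2).
case "${1:-show}" in
    apply) wan2_nft_ruleset | nft -f - && wan2_policy_routes | sh ;;
    *)     wan2_nft_ruleset; wan2_policy_routes ;;
esac
```

The restore rule is placed before the tagging rule on purpose: an established flow must never be re-tagged, and the mask keeps the mark bits separate from anything else on the box that uses marks. The same pair of rules, with a different mark and table, covers a third WAN. A quick check after `apply` is `ip rule show` (the fwmark rule should appear above `main`) and `conntrack -L -m 0x200` (or `nft list table inet reply_route`) to confirm inbound connections on wan2 are being marked; the inet table is independent of the `fw4` table firewall4 manages, so it can be added and removed without touching the main firewall.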




More information about the openwrt-devel mailing list