Split tunneling question and egressing out the correct interface for inbound connections
Jonas Lochmann
openwrt at jonaslochmann.de
Fri Apr 10 10:37:00 PDT 2026
On Tue, Apr 07, 2026 at 12:49:02PM -0600, Philip Prindeville via openwrt-devel wrote:
> So the problem is that traffic that came in from outside wants to egress via my 'wan' interface as that's the default route out. Even doing a ping of 50.20.195.61 (without that last rule).
>
> How do I force traffic that was an inbound connection to egress via the same interface it came in on? The connection table in iptables should track that, right?
>
> The problem is that other services (HTTP, HTTPS, IMAP/S, Submission) might be connected to internally (via 'lan'), or externally (via 'wan2') and the traffic needs to do the right thing.
>
> How do I leverage the connection table to do that? Or what mechanisms exist in firewall4 or pbr to make sure it happens correctly?
>
> Reflection only affects internal traffic trying to reach a redirected port via the external address, right?
mwan3 supports this. It uses fwmarks, connection marks and ip rules in
combination to send replies back to the right interface.
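The mechanism described above (mark the connection by ingress interface, restore that mark onto reply packets, and let an ip rule pick a per-uplink routing table), as an added example for an fw4/nftables OpenWrt box; this is not mwan3's code nor anything from the thread, and the interface name wan2, mark 0x2, table 200 and gateway 203.0.113.1 are assumed values.

```shell
#!/bin/sh
# Added example (not mwan3 code): keep replies on the interface a connection
# arrived on, using conntrack marks plus policy routing on an fw4/nftables
# OpenWrt box. Interface, mark, table id and gateway values are assumptions.
# Set DRY_RUN=1 to print the commands instead of executing them.

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then echo "$*"; else "$@"; fi
}

# One-time setup: a table with a prerouting chain that assigns/restores marks
# and a route-type output chain so locally generated replies are re-routed
# after their mark is restored from the connection entry.
setup_chains() {
    run nft add table inet reply_route
    run nft add chain inet reply_route mark_in '{ type filter hook prerouting priority mangle; }'
    run nft add chain inet reply_route mark_out '{ type route hook output priority mangle; }'
    # Forwarded replies (e.g. from a DNAT target on lan): copy ct mark to the packet.
    run nft add rule inet reply_route mark_in ct mark != 0 meta mark set ct mark
    # Locally generated replies (services running on the router itself): same copy.
    run nft add rule inet reply_route mark_out ct mark != 0 meta mark set ct mark
}

# reply_route IFACE MARK TABLE GATEWAY
# New connections entering via IFACE get conntrack mark MARK; packets carrying
# MARK are routed with TABLE, whose default route leaves via IFACE/GATEWAY.
reply_route() {
    iface=$1; mark=$2; table=$3; gw=$4
    run ip route replace default via "$gw" dev "$iface" table "$table"
    # ip rule add is not idempotent; re-running this appends a duplicate rule.
    run ip rule add fwmark "$mark" lookup "$table" priority 1000
    run nft add rule inet reply_route mark_in iifname "$iface" ct state new ct mark set "$mark"
}

# Example: second uplink wan2 with assumed gateway 203.0.113.1, mark 0x2, table 200.
# Run as root with "apply", or as "DRY_RUN=1 sh script.sh apply" to review the commands.
if [ "${1:-}" = "apply" ]; then
    setup_chains
    reply_route wan2 0x2 200 203.0.113.1
fi
```

The first inbound packet is still subject to reverse-path filtering before any mark exists, so the uplink interfaces need loose mode (rp_filter=2) when the reverse route for the peer points at the other uplink.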