Hello everyone! I'm trying to create HA firewall, which will dst-nat traffic from outside to local network, but I can't understand how to do this. If i enable sync-connection-track=yes all dnat'ed connections are synced to backup router, but without dstnat flag and them are not src-natted(and dst-natted) by backup router [they are routed as-is from LAN to WAN without any address translation], but SRC-NAT works fine, if I trying to connect from LAN to WAN and shutting down master router connection does not dropping. Can anyone help with that? (https://imgur.com/a/O3EiSn4)

Not sure, but

1. They should be using src-nat rather than masquerade
2. dst-nat rules are same on both routers

DST-NAT rules are same on both routers and I'm using SRC-NAT to hide LAN behind WAN IP

Connection tracking is confusing. So I'm not sure, especially how NAT is handled.

But my first thought would be to disable fast-track rule (if enabled) to see if that changes this "d" vs "s".

Fast-track is disabled everywhere it can be disabled, any configuration I've tried syncs SRC-NAT but not DST-NAT