I have a relatively simple setup where two public IPs are assigned to my ether1 interface. I have an internal interface on ether2. The specifics of this setup are to create two different Dyn DNS internet guide policies. To accomplish this, there is an address list of computers that get the "non-standard" Dyn DNS policy.
The setup listed below works perfectly under 5.24. With 6.5, it does not work because the second NAT rule to change the source IP does not get any traffic. I can see the connections and packets increment for the first dstnat rule, but no connections or packets ever increment on the secondary srcnat rule. The configuration is below and I've replaced my secondary public IP with OTHERIP for security.
Any idea on why this won't work for 6.5?
# Create the address list for test computers
/ip firewall address-list add list=test-dyn address=192.168.1.15
# Set up test for secondary Dyn DNS policy
/ip firewall mangle
add action=mark-connection chain=prerouting comment="Mark connections to test DYN" \
dst-address=192.168.1.1 dst-port=53 new-connection-mark=test-dyn passthrough=no protocol=udp \
src-address-list=test-dyn disabled=no
/ip firewall nat
add action=dst-nat chain=dstnat connection-mark=test-dyn to-addresses=216.146.35.35 \
comment="Test second Dyn DNS policy"
add action=src-nat chain=srcnat connection-mark=test-dyn to-addresses=OTHERIP \
comment="Test second Dyn DNS policy - Mark different source IP"
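A small RouterOS script to check whether the two NAT rules above are actually seeing the marked traffic, added here as an example and not part of the original post. It assumes the rule comments and the connection mark exactly as written in the configuration above; the threshold logic and log messages are the example's own.

```routeros
# Added example: report counters for the two "Test second Dyn DNS policy" rules
# and the number of tracked connections carrying the test-dyn mark.
# Assumes the comments and connection mark from the configuration above.
:local dstRule [/ip firewall nat find comment="Test second Dyn DNS policy"]
:local srcRule [/ip firewall nat find comment="Test second Dyn DNS policy - Mark different source IP"]

# Packet counters are read-only properties on every firewall rule
:local dstPkts [/ip firewall nat get $dstRule packets]
:local srcPkts [/ip firewall nat get $srcRule packets]

# Connections that the mangle prerouting rule has already marked
:local marked [:len [/ip firewall connection find connection-mark=test-dyn]]

:log info ("test-dyn: dstnat packets=" . $dstPkts . " srcnat packets=" . $srcPkts . " marked connections=" . $marked)

# The symptom described above: dstnat matches but srcnat never does
:if (($dstPkts > 0) && ($srcPkts = 0)) do={
    :log warning "test-dyn: dstnat rule is matching but srcnat rule has seen no packets"
}

# Show the tracked connections so the mark and the NATed addresses can be inspected
/ip firewall connection print detail where connection-mark=test-dyn
```

Run it from a terminal (or paste it into /system script and run it) while the test computer in the address list performs DNS lookups, then read the result from /log.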