Dual WAN: why it's important to mark traffic

In a basic dual-WAN setup, where you have an active WAN and a secondary WAN on the same router and you would like to use the secondary WAN's IP for management, to reach resources behind the router, etc., you can run into some issues because of how routing works.

If you have a look at the routing table below you can see that I have two WAN routes, one via the gateway 192.168.10.125 and the other via 10.0.60.2, and that the router holds the IP addresses 10.0.60.1 and 192.168.10.181 (for this exercise let's pretend that they are publicly reachable :)
In this situation, if I were to set up a destination NAT that comes in on the 192.168.10.181 interface to a server behind the router, the connection would most likely break.



The reason is that the client will not see the return traffic coming from the 192.168.10.181 source address; it will see it as coming from 10.0.60.1 instead.

An example of this:
Using the routing table above, if I try to access the server via the 10.0.60.1 address, as shown by the red line below, the traffic will be sent back through the same WAN interface and the client will see that the packets came from the same IP it was sending to, thanks to the usual masquerade we all have set on the outgoing interface.
Then, if I try to access the same web server through the LTE connection on 192.168.10.181, as shown by the blue line, once the return traffic hits the router it will use the default route and the source address will be NATed to the 10.0.60.1 address.
This is an issue for secure connections like HTTPS, VPNs, SSH, etc. that require the source address of the return traffic to be the address they expect and not a totally different one: a reply from 10.0.60.1 does not match the connection the client opened to 192.168.10.181, so it is simply discarded.



The way we can fix this is to mark all traffic that comes in via the LTE connection and then put it in its own routing table, so that it goes back out the interface it came in on. In this case we only need to mark the LTE connection, since the fibre is the default route, but in other situations you might need to mark more.

To get started, go to IP/Firewall/Mangle and click the plus button to create a new rule. The chain should be prerouting; set the in-interface to that WAN port and connection mark to no-mark. Then go to the Action tab, select mark connection, enter a connection mark, and make sure passthrough is enabled so that the packet continues to be processed by the mangle rules after it matches this rule.




From here we make another prerouting rule, but this time all we match on is the connection mark we just created. Go to the Action tab, select mark routing and enter our routing mark. Make sure passthrough is not selected on this rule.



The reason we mark the connection first is to reduce CPU load: this way only new connections coming in through the LTE interface (those with no mark yet) are inspected once, and the mark is carried by the connection-tracking entry, rather than evaluating the interface match on every individual packet, which causes a lot more processing.

From here all we need to do is go to the IP/Routes section and add a new route. Copy the WAN route of the secondary interface (same gateway) and add the routing mark we created, so that tagged traffic uses this route instead of the default one.
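The three steps above, written out as RouterOS CLI commands. This is an added example, not the post's own configuration or export: it assumes the fibre WAN is `ether1` (gateway 10.0.60.2), the LTE WAN is `lte1` (gateway 192.168.10.125, router address 192.168.10.181), the LAN is `bridge`, the internal web server is 192.168.88.10 (a constructed address) and the mark names are `lte_conn` and `lte_route` (chosen here). It goes slightly beyond the post in two places: the mark-routing rule is limited to packets coming from the LAN side, because a default route in the marked table would otherwise also match the inbound packets and send them straight back out the LTE interface, and an output-chain rule is added so that replies from the router itself (management sessions) take the same path. Syntax is RouterOS v6; the v7 difference is noted in a comment.

```routeros
# Added example (not from the post). Assumptions: fibre WAN = ether1 (gw 10.0.60.2),
# LTE WAN = lte1 (gw 192.168.10.125, address 192.168.10.181), LAN = bridge,
# internal web server = 192.168.88.10 (constructed), marks lte_conn / lte_route (chosen here).

# Existing WAN routes: fibre is the default, LTE has a higher distance (distances assumed)
/ip route
add dst-address=0.0.0.0/0 gateway=10.0.60.2 distance=1 comment="fibre (default)"
add dst-address=0.0.0.0/0 gateway=192.168.10.125 distance=2 comment="LTE (backup)"

# The usual masquerade on both WAN interfaces, plus the dst-nat from the LTE address
/ip firewall nat
add chain=srcnat out-interface=ether1 action=masquerade comment="fibre masquerade"
add chain=srcnat out-interface=lte1 action=masquerade comment="LTE masquerade"
add chain=dstnat in-interface=lte1 protocol=tcp dst-port=443 \
    action=dst-nat to-addresses=192.168.88.10 to-ports=443 comment="HTTPS via LTE"

# Step 1: mark each new connection arriving on the LTE interface once (passthrough=yes,
# connection-mark=no-mark so already-marked connections are not re-evaluated)
/ip firewall mangle
add chain=prerouting in-interface=lte1 connection-mark=no-mark \
    action=mark-connection new-connection-mark=lte_conn passthrough=yes \
    comment="mark connections entering via LTE"

# Step 2: give the reply packets of those connections a routing mark (passthrough=no).
# Restricted to in-interface=bridge: the packets that arrived from lte1 are heading to the
# LAN server and must not be looked up in the LTE table, where the default route would match.
add chain=prerouting in-interface=bridge connection-mark=lte_conn \
    action=mark-routing new-routing-mark=lte_route passthrough=no \
    comment="route LAN replies of LTE connections via LTE"

# Same for traffic the router itself generates (replies to management sessions on 192.168.10.181)
add chain=output connection-mark=lte_conn \
    action=mark-routing new-routing-mark=lte_route passthrough=no \
    comment="route router replies of LTE connections via LTE"

# Step 3: a copy of the LTE WAN route, restricted to the routing mark
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.10.125 routing-mark=lte_route \
    comment="return path for LTE-marked traffic"
# RouterOS v7 needs a named table and routing-table= on the route instead:
#   /routing table add name=lte_route fib
#   /ip route add dst-address=0.0.0.0/0 gateway=192.168.10.125 routing-table=lte_route

# Checks: after opening a test connection to 192.168.10.181, the tracked connection should
# carry the connection mark, and the marked route should be active in its own table.
/ip firewall connection print where connection-mark=lte_conn
/ip route print where routing-mark=lte_route
```

The order of the mangle rules matters: the connection-mark rule must come first, because the mark-routing rules match on the connection mark it sets. If you ever add a third WAN, repeat the same three rules and the marked route with new mark names for that interface.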


After this your traffic should be returning along the same path it came in on :)