ER-605, Multiple WANs, IP-Port Group policy routing sends traffic to outbound ports via one WAN only

2022-11-22 08:37:42 - last edited 2022-11-22 08:39:08
Model: ER605 (TL-R605)  
Hardware Version: V2
Firmware Version: 2.0.1

I have an ER605 controlled by an OC200. I also have two WAN links - WAN1 has a static IP and is accessible from the outside world, while WAN2 is Starlink and uses CG-NAT, so no external access. I run a number of services at home for my external use and some small websites.

The external ports are NAT forwarded to a handful of hosts (3 right now).

I have made sure "Application Optimized Routing" (which I read as IP stateful routing, the description is quite vague and poor) is set.

Without policy routing, inbound connections to Plex and my website(s) tend to fail, which is surprising in itself with the above setting, as it implies the outbound WAN is chosen based on the inbound one, using IP/ports to match - and these connections are inbound TCP being established.

So, I implemented IP-Group policy routing for ONLY those ports I need to serve to the outside and they all work as expected.

So far so good.

What now breaks is that when I go onto any of the systems from the LAN to make outbound connections on those ports, they are sent via the policy route - even though the port number is on the destination and not the internal source. For example, if I want to download some (public) video files served on port 443, then the traffic from server1 will always go out WAN1, instead of obeying the ratios I have set. Making the same request from a desktop PC that is not in a policy routing does the right thing and goes out the other WAN with the much higher ratio.

The way I read the docs, the IP-Port Group matches an IP and ports in the direction of where they appear in the policy route, so "traffic to IP-Port group 1" should not match "traffic from IP-Port group 1".

Bug or poorly documented feature?

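The two readings of the IP-Port group rule discussed in the post, modelled as an added example (not part of the original post and not TP-Link's implementation); the addresses, group contents and function names are constructed assumptions. The direction-blind matcher is consistent with the behaviour the post reports, the direction-aware one with the behaviour the poster expected.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


# Constructed sample data: one LAN server publishing port 443 (assumption).
GROUP = {("192.168.0.10", 443)}  # IP-Port group as (ip, port) pairs


def match_source(pkt, group):
    """Direction-aware reading: the group describes the packet's source endpoint."""
    return (pkt.src_ip, pkt.src_port) in group


def match_any_port(pkt, group):
    """Direction-blind reading: group IP is the source, port may be on either side."""
    return any(pkt.src_ip == ip and port in (pkt.src_port, pkt.dst_port)
               for ip, port in group)


def choose_wan(pkt, matcher, group=GROUP):
    """Return 'WAN1' when the policy route matches, else defer to the WAN ratios."""
    return "WAN1" if matcher(pkt, group) else "load-balance"


# Reply from the server to an external client that connected in to port 443.
reply = Packet("192.168.0.10", 443, "203.0.113.7", 51514)
# New outbound download started on the server itself, to a remote port 443.
download = Packet("192.168.0.10", 40222, "198.51.100.20", 443)
# The same download from a desktop that is in no policy route.
desktop = Packet("192.168.0.50", 40333, "198.51.100.20", 443)


def report():
    """Map each sample flow to (direction-aware, direction-blind) WAN choice."""
    flows = (("reply", reply), ("download", download), ("desktop", desktop))
    return {name: (choose_wan(p, match_source), choose_wan(p, match_any_port))
            for name, p in flows}


if __name__ == "__main__":
    for name, (aware, blind) in report().items():
        print(f"{name:9} direction-aware={aware:13} direction-blind={blind}")
```

Only the `download` flow separates the two readings, so a capture of a server-initiated connection to a remote port 443 is the test that tells them apart on a real device.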