I'm using an ER-Lite running 1.9.0 with dual uplinks and using VLAN-tagged interfaces facing the clients. My ISP is extremely sensitive to spoofed packets, and the ONT will block ALL traffic for 5 minutes whenever a single packet with an IP different to that assigned to the CPE is seen on the wire.
I've been reading the thread here https://community.ubnt.com/t5/EdgeMAX/Offload-causes-NAT-packets-to-be-routed-to-wrong-client/m-p/1379430/highlight/true#M82878 which, while marked as solved, pointed to some issues in the hw-offload module.
I've been using the deny action for invalid state on the WAN_OUT port, and while this has helped, I still see the occasional packet being leaked out. Since the ISP blocks my connection, the impact is MAJOR as opposed to just being a hanging connection or a single customer's TCP connection being affected.
Also, since I use redundant uplinks with load balancing, I've also seen ICMP unreachable messages being sent out the wrong WAN interface, especially for DNS responses coming back to the "wrong" WAN.
I know my ISP is way stricter than usual, but there is nothing I can do about it and, to be honest, the sending of un-translated addresses is not acceptable IMHO.
To further complicate things, you can't really use the WAN_OUT rule to add an ACL that would match any packet whose src-ip is different to the one assigned to the interface, since the iptables rule is being hit before masquerading, so when I add that rule, all outgoing transit packets are dropped.
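Since the firewall rule can't see the post-NAT source address, the only reliable way to know whether a packet has left the box untranslated is to look at the WAN wire itself. The script below is an added example (not from the original post or from EdgeOS) that runs over the output of `tcpdump -n -Q out -i <wan-if>` and flags every egress packet whose source is not the address assigned to that WAN. It distinguishes a leaked RFC1918 source (the offload/NAT ordering problem) from a source belonging to some other public address (such as an ICMP unreachable that escaped via the wrong uplink). The capture lines, the WAN addresses 203.0.113.10 and 203.0.113.77 and interface name eth0 are all constructed for the example.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in `tcpdump -n -Q out -i eth0` style. Assumptions for the
# example: eth0 is WAN1 with 203.0.113.10 assigned; 203.0.113.77 is WAN2's address.
SAMPLE_CAPTURE = """\
12:00:01.000001 IP 203.0.113.10.51234 > 198.51.100.5.443: Flags [S], seq 1, win 65535, length 0
12:00:01.000002 IP 192.168.10.23.51235 > 198.51.100.5.443: Flags [S], seq 2, win 65535, length 0
12:00:01.000003 IP 203.0.113.10.53412 > 198.51.100.53.53: 1234+ A? example.com. (29)
12:00:01.000004 IP 203.0.113.77 > 198.51.100.53: ICMP 203.0.113.77 udp port 53 unreachable, length 36
12:00:01.000005 IP 192.168.20.5.40000 > 198.51.100.5.80: Flags [R], seq 3, win 0, length 0
"""

# RFC1918 space: any of these appearing as a source on the WAN wire is an untranslated packet.
PRIVATE_PREFIXES = [
    ipaddress.ip_network(p) for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

# tcpdump prints "a.b.c.d.port" for TCP/UDP and bare "a.b.c.d" for ICMP.
_LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d{1,3}(?:\.\d{1,3}){3})(?:\.(?P<sport>\d+))? > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?:\.(?P<dport>\d+))?: (?P<rest>.*)$"
)


def parse_line(line):
    """Return {ts, src, dst, info} for one IPv4 tcpdump line, or None if it doesn't match."""
    m = _LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": d["ts"],
        "src": ipaddress.ip_address(d["src"]),
        "dst": ipaddress.ip_address(d["dst"]),
        "info": d["rest"],
    }


def classify(src, wan_ip, lan_prefixes):
    """None if the source is the WAN's own address, else a reason string for the leak."""
    if src == wan_ip:
        return None
    if any(src in net for net in lan_prefixes):
        return "untranslated-lan-source"   # masquerade was skipped (e.g. offload path)
    return "foreign-source"                # e.g. other uplink's address, ICMP via wrong WAN


def find_leaks(capture, wan_ip, lan_prefixes=PRIVATE_PREFIXES):
    """Scan an egress capture of one WAN interface and list packets the ISP would treat as spoofed."""
    wan_ip = ipaddress.ip_address(wan_ip)
    findings = []
    for line in capture.splitlines():
        pkt = parse_line(line)
        # Skip unparsable lines and anything addressed to us (inbound, if -Q out wasn't used).
        if pkt is None or pkt["dst"] == wan_ip:
            continue
        reason = classify(pkt["src"], wan_ip, lan_prefixes)
        if reason:
            findings.append({
                "ts": pkt["ts"], "src": str(pkt["src"]), "dst": str(pkt["dst"]),
                "reason": reason, "info": pkt["info"],
            })
    return findings


def summarize(findings):
    """Count findings per reason so the offload leak and the wrong-WAN ICMP can be tracked separately."""
    return Counter(f["reason"] for f in findings)


if __name__ == "__main__":
    leaks = find_leaks(SAMPLE_CAPTURE, "203.0.113.10")
    for f in leaks:
        print(f"{f['ts']} {f['reason']}: {f['src']} -> {f['dst']}  ({f['info']})")
    print(dict(summarize(leaks)))
```

Run it against a live capture with `tcpdump -n -l -Q out -i eth0 | python3 leakcheck.py` (feeding stdin instead of `SAMPLE_CAPTURE`) and a single finding tells you the exact timestamp and flow that tripped the ONT, which is far more useful than the five-minute outage as the only signal.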