Use tcpdump to on ER-X interfaces to see where packets do show up.
Spoofing might be a problem in dual WAN port map.
If a ssh request on WAN1 is replied on WAN2 with WAN1 address as source, your spoofing. Most ISPs still allow this , maybe your test setup doesn't
There's a trick with packet marking that forces proper return path, can't find back the link though...
