Page MenuHomeVyOS Platform
Create Task
Maniphest T2574

wan-load-balance snat bug and route problem
Resolved (N/A)PublicBUG
Actions

Description

bug: when I enabled wan-load-balance, I found the VYATTA_PRE_SNAT_HOOK and VYATTA_PRE_DNAT_HOOK were not added to chain PREROUTING and POSTROUTING which made the load-balance SNAT rule take no affect. And finally I disabled the wan-load-balance snat rule and add my own source nat rule to fix that.

route problem: when I enabled wan-load-balance, the access to local LAN network would be routed to WAN interface and be SNATed. otherwise i exclude the destination address to local LAN network from the load-balance rule. And the problem is caused by the policy route table which only contains one default route and lacks of link route. Finally I manually added the missing part of the link route and the problem was fixed.

Details

Difficulty level
Normal (likely a few hours)
Version
1.3
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Perfectly compatible
Issue type
Bug (incorrect behavior)

Event Timeline

Demon_H created this task.Jun 9 2020, 1:51 PM
c-po added a subscriber: c-po.Jun 13 2020, 8:34 AM

Can you share what you did to make it work again? NAT has recently be rewritten which could be the root cause.

Demon_H added a comment.Jun 15 2020, 2:18 AM

This is my config below:

load-balancing {
    wan {
        enable-local-traffic
        interface-health pppoe0 {
            failure-count 5
            nexthop dhcp
            success-count 1
            test 0 {
                resp-time 5
                target 119.29.29.29
                ttl-limit 1
                type ping
            }
        }
        interface-health pppoe1 {
            failure-count 5
            nexthop dhcp
            success-count 1
            test 0 {
                resp-time 5
                target 119.29.29.29
                ttl-limit 1
                type ping
            }
        }
        interface-health pppoe2 {
            failure-count 5
            nexthop dhcp
            success-count 1
            test 0 {
                resp-time 5
                target 119.29.29.29
                ttl-limit 1
                type ping
            }
        }
        interface-health pppoe3 {
            failure-count 5
            nexthop dhcp
            success-count 1
            test 0 {
                resp-time 5
                target 119.29.29.29
                ttl-limit 1
                type ping
            }
        }
        rule 1 {
            inbound-interface eth1
            interface pppoe0 {
                weight 1
            }
            interface pppoe1 {
                weight 1
            }
            interface pppoe2 {
                weight 1
            }
            interface pppoe3 {
                weight 1
            }
            protocol all
        }
        sticky-connections {
        }
    }
}

And i excute the command:

sudo nft list table ip nat

It shows :

table ip nat {
	chain PREROUTING {
		type nat hook prerouting priority dstnat; policy accept;
	}

	chain INPUT {
		type nat hook input priority 100; policy accept;
	}

	chain POSTROUTING {
		type nat hook postrouting priority srcnat; policy accept;
	}

	chain OUTPUT {
		type nat hook output priority -100; policy accept;
	}

	chain VYATTA_PRE_DNAT_HOOK {
	}

	chain VYATTA_PRE_SNAT_HOOK {
		counter packets 0 bytes 0 jump WANLOADBALANCE
	}

	chain WANLOADBALANCE {
		ct mark 0xc9 counter packets 0 bytes 0 snat to 222.139.104.107
		ct mark 0xca counter packets 0 bytes 0 snat to 42.229.187.200
		ct mark 0xd3 counter packets 0 bytes 0 snat to 61.54.206.0
		ct mark 0xd5 counter packets 0 bytes 0 snat to 61.54.192.231
	}
}

There are two methods to have this problem fixed temporary and manully.
Method 1:
excute the command:

sudo nft add rule ip nat PREROUTING jump VYATTA_PRE_DNAT_HOOK
sudo nft add rule ip nat POSTROUTING jump VYATTA_PRE_SNAT_HOOK

Method 2:
excute the command:

set load-balancing wan disable-source-nat
set nat source rule 1 outbound-interface pppoe0
set nat source rule 1 translation address masquerade 
set nat source rule 2 outbound-interface pppoe1
set nat source rule 2 translation address masquerade 
set nat source rule 3 outbound-interface pppoe2
set nat source rule 3 translation address masquerade 
set nat source rule 4 outbound-interface pppoe3
set nat source rule 4 translation address masquerade
Demon_H added a comment.Jun 15 2020, 2:21 AM

And I found that when I changed the wan load-balance configuration, the load-balance process failed to come up.
And I excuted the show wan-load-balance command, it returned the message 'WAN load balancing is not configured'.
After reboot, it became all right then.

c-po added a comment.Jun 15 2020, 7:45 AM

Please also share your NAT configuration

Demon_H added a comment.Jun 15 2020, 8:00 AM

I did not config any nat rule.

vyos@vyos# show nat
Configuration under specified path is empty
[edit]
vyos@vyos#
Demon_H added a comment.Jun 15 2020, 9:28 AM

It seems to be ok in vyos-1.3-rolling-202006150117-amd64.iso. Thanks a lot.

And I suggest to add a "WANLOADBALANCE_INPUT" chain chained to "mangle table INPUT chain" which contains rules below:

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination         
    0           0 WANLOADBALANCE_INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0    

Chain WANLOADBALANCE_INPUT (1 references)
    pkts      bytes target     prot opt in     out     source               destination         
       0        0 ISP_pppoe0  all  --  pppoe0 *       0.0.0.0/0            0.0.0.0/0            state NEW
       0        0 ISP_pppoe1  all  --  pppoe1 *       0.0.0.0/0            0.0.0.0/0            state NEW
       0        0 ISP_pppoe2  all  --  pppoe2 *       0.0.0.0/0            0.0.0.0/0            state NEW
......(more rules if more wan-load-balance interfaces)
       0        0 CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0            CONNMARK restore

it solves some problems to access to the router when multi interfaces have the same gateway.

Demon_H added a comment.Jun 15 2020, 9:39 AM

And i wonder why there is a rule which is 'WANLOADBALANCE_OUT -p icmp -m icmp --icmp-type any -j ACCEPT'.
May i know the purpose of the rule ?

ajgnet added a subscriber: ajgnet.Jul 31 2020, 2:15 AM
kyle833 added a subscriber: kyle833.Mar 16 2021, 1:33 PM
erkin set Issue type to Bug (incorrect behavior).Aug 30 2021, 5:40 AM
erkin removed a subscriber: Active contributors.
syncer edited projects, added VyOS 1.3 Equuleus (1.3.0); removed VyOS 1.3 Equuleus.Nov 6 2021, 11:24 AM
syncer edited projects, added VyOS 1.3 Equuleus (1.3.3); removed VyOS 1.3 Equuleus (1.3.0).Aug 29 2022, 7:05 AM
syncer edited projects, added VyOS 1.3 Equuleus (1.3.4); removed VyOS 1.3 Equuleus (1.3.3).Jul 12 2023, 9:41 PM
syncer edited projects, added VyOS 1.3 Equuleus (1.3.5); removed VyOS 1.3 Equuleus (1.3.4).Aug 25 2023, 9:30 PM
syncer edited projects, added VyOS 1.3 Equuleus (1.3.6); removed VyOS 1.3 Equuleus (1.3.5).Dec 17 2023, 11:37 PM
Viacheslav closed this task as Resolved N/A.Jan 20 2024, 1:19 AM