
Wan Load Balancing - Error on firewall NAT rules
Closed, Resolved · Public · BUG

Description

Tested on VyOS 1.4-rolling-202201100317

Commands for Wan Load Balancing:

# Load balancing config
set load-balancing wan interface-health eth0 nexthop '10.0.0.1'
set load-balancing wan interface-health eth1 nexthop '10.1.1.1'
set load-balancing wan rule 10 inbound-interface 'eth3.100'
set load-balancing wan rule 10 interface eth0
set load-balancing wan rule 10 interface eth1

This results in the following nat rules:

[email protected]# sudo nft list table ip nat
table ip nat {
	chain PREROUTING {
		type nat hook prerouting priority dstnat; policy accept;
		counter packets 215 bytes 18124 jump VYOS_PRE_DNAT_HOOK
	}

	chain POSTROUTING {
		type nat hook postrouting priority srcnat; policy accept;
		counter packets 273 bytes 21364 jump VYOS_PRE_SNAT_HOOK
	}

	chain VYOS_PRE_DNAT_HOOK {
		return
	}

	chain VYOS_PRE_SNAT_HOOK {
		return
	}

	chain WANLOADBALANCE {
		ct mark 0xc9 counter packets 0 bytes 0 snat to 10.0.0.2
		ct mark 0xca counter packets 0 bytes 0 snat to 10.1.1.2
	}
}

There's a missing rule in chain VYOS_PRE_SNAT_HOOK that jumps to WANLOADBALANCE. So, no source nat occurs at all.

The same config on VyOS 1.3 gives us the following nat rules:

[email protected]:~$ sudo nft list table ip nat
table ip nat {
	chain PREROUTING {
		type nat hook prerouting priority dstnat; policy accept;
		counter packets 32 bytes 2784 jump VYATTA_PRE_DNAT_HOOK
	}

	chain INPUT {
		type nat hook input priority 100; policy accept;
	}

	chain POSTROUTING {
		type nat hook postrouting priority srcnat; policy accept;
		counter packets 23 bytes 1956 jump VYATTA_PRE_SNAT_HOOK
	}

	chain OUTPUT {
		type nat hook output priority -100; policy accept;
	}

	chain VYATTA_PRE_DNAT_HOOK {
		counter packets 32 bytes 2784 return
	}

	chain VYATTA_PRE_SNAT_HOOK {
		counter packets 23 bytes 1956 jump WANLOADBALANCE
		counter packets 0 bytes 0 return
	}

	chain WANLOADBALANCE {
		ct mark 0xc9 counter packets 14 bytes 1192 snat to 10.0.0.2
		ct mark 0xca counter packets 9 bytes 764 snat to 10.1.1.2
	}
}
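The report above is diagnosed by eye: the `snat` rules exist in WANLOADBALANCE, but no base chain (one with a `type nat hook ...` line) reaches that chain through a `jump`, so the rules never fire. The following is an added example, not code from the bug report or from VyOS, that automates that check: it parses the text of `nft list table ip nat`, walks `jump`/`goto` edges from the base chains, and reports any chain holding NAT actions that is unreachable. The two inputs are copies of the outputs posted above (the 1.3 copy is abridged to the chains that matter); chain names and counters come from the report, everything else is this example's own.

```python
import re
from collections import deque

# nft output copied from the bug report for VyOS 1.4-rolling-202201100317.
NFT_14_BROKEN = """\
table ip nat {
    chain PREROUTING {
        type nat hook prerouting priority dstnat; policy accept;
        counter packets 215 bytes 18124 jump VYOS_PRE_DNAT_HOOK
    }
    chain POSTROUTING {
        type nat hook postrouting priority srcnat; policy accept;
        counter packets 273 bytes 21364 jump VYOS_PRE_SNAT_HOOK
    }
    chain VYOS_PRE_DNAT_HOOK {
        return
    }
    chain VYOS_PRE_SNAT_HOOK {
        return
    }
    chain WANLOADBALANCE {
        ct mark 0xc9 counter packets 0 bytes 0 snat to 10.0.0.2
        ct mark 0xca counter packets 0 bytes 0 snat to 10.1.1.2
    }
}
"""

# Abridged copy of the VyOS 1.3 output from the report (INPUT/OUTPUT chains omitted).
NFT_13_WORKING = """\
table ip nat {
    chain POSTROUTING {
        type nat hook postrouting priority srcnat; policy accept;
        counter packets 23 bytes 1956 jump VYATTA_PRE_SNAT_HOOK
    }
    chain VYATTA_PRE_SNAT_HOOK {
        counter packets 23 bytes 1956 jump WANLOADBALANCE
        counter packets 0 bytes 0 return
    }
    chain WANLOADBALANCE {
        ct mark 0xc9 counter packets 14 bytes 1192 snat to 10.0.0.2
        ct mark 0xca counter packets 9 bytes 764 snat to 10.1.1.2
    }
}
"""

CHAIN_RE = re.compile(r"^\s*chain\s+(\S+)\s*\{")
HOOK_RE = re.compile(r"^\s*type\s+\S+\s+hook\s+\S+")      # marks a base chain
JUMP_RE = re.compile(r"\b(?:jump|goto)\s+(\S+)")          # edge to another chain
NAT_RE = re.compile(r"\b(?:snat|dnat|masquerade|redirect)\b")


def parse_table(text):
    """Return (base_chains, edges, nat_chains) from `nft list table` text."""
    base, edges, nat = set(), {}, set()
    current = None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            edges.setdefault(current, set())
            continue
        if current is None:
            continue
        if line.strip() == "}":            # end of the current chain
            current = None
            continue
        if HOOK_RE.match(line):
            base.add(current)
        for target in JUMP_RE.findall(line):
            edges[current].add(target)
        if NAT_RE.search(line):
            nat.add(current)
    return base, edges, nat


def reachable_chains(base, edges):
    """Breadth-first walk over jump/goto edges starting from the base chains."""
    seen, queue = set(base), deque(base)
    while queue:
        chain = queue.popleft()
        for target in edges.get(chain, ()):
            if target not in seen:
                seen.add(target)
                queue.append(target)
    return seen


def dead_nat_chains(text):
    """Chains that carry NAT actions but are never reached from any hook."""
    base, edges, nat = parse_table(text)
    return sorted(nat - reachable_chains(base, edges))


if __name__ == "__main__":
    print("1.4 dead NAT chains:", dead_nat_chains(NFT_14_BROKEN))   # ['WANLOADBALANCE']
    print("1.3 dead NAT chains:", dead_nat_chains(NFT_13_WORKING))  # []
```

On a live router the same function can be fed `subprocess.check_output(["nft", "list", "table", "ip", "nat"], text=True)`; the counters staying at 0 on the WANLOADBALANCE rules, as in the 1.4 output, are the runtime symptom of what the reachability check finds statically.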

Details

Difficulty level: Unknown (require assessment)
Version: VyOS 1.4-rolling-202201100317
Why the issue appeared?: Will be filled on close
Is it a breaking change?: Unspecified (possibly destroys the router)
Issue type: Bug (incorrect behavior)

Event Timeline

Forgot that my PR for WLB was still a draft. The jump does seem to be created properly with this PR in place.

PR: https://github.com/vyos/vyatta-wanloadbalance/pull/12

Viacheslav changed the task status from Open to In progress. Jan 12 2022, 4:37 PM
Viacheslav changed the task status from In progress to Needs testing.
Viacheslav assigned this task to sdev.

Tested and working as expected on VyOS 1.4-rolling-202201150317