The main idea is to distribute connections from a LAN across multiple WANs using policy routes.
Something similar to MikroTik PCC (per connection classifier).
A proposed CLI could be:
```
set policy route <name> rule <number> connection-classifier selection-pattern <destination-address | destination-port | source-address | source-port>
set policy route <name> rule <number> connection-classifier rule 1 probability <0-100> jump-target <jump_target_01>
set policy route <name> rule <number> connection-classifier rule 2 probability <0-100> jump-target <jump_target_02>
...
```
Example: matching based on source and destination IP address:
```
set policy route LAN rule 30 connection-classifier selection-pattern source-address
set policy route LAN rule 30 connection-classifier selection-pattern destination-address
set policy route LAN rule 30 connection-classifier rule 1 probability 50 jump-target LAN-TO-WAN01
set policy route LAN rule 30 connection-classifier rule 2 probability 50 jump-target LAN-TO-WAN02

# Which should lead to the following nft command:
sudo nft add rule ip vyos_mangle VYOS_PBR_LAN ct mark 0 counter jhash ip saddr . ip daddr mod 100 vmap { 0-49 : jump VYOS_PBR_LAN-TO-WAN01 , 50-99 : jump VYOS_PBR_LAN-TO-WAN02 }

### Then also create both chains to associate the previous selection with the desired routing table
# LAN-TO-WAN01
set policy route LAN-TO-WAN01 rule 10 set table 111
# LAN-TO-WAN02
set policy route LAN-TO-WAN02 rule 10 set table 122
```
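To show how the proposed CLI would be turned into the nft rule above, here is an added example (not VyOS code and not part of the proposal) that converts a selection pattern plus a list of `probability`/`jump-target` rules into contiguous `jhash ... mod 100 vmap` buckets, and rejects configurations whose probabilities do not add up to 100 (a gap would leave connections unclassified; an overlap cannot be expressed in a vmap). The function names, the `SELECTION_EXPR` table and the use of nft's `th sport`/`th dport` for the port patterns are assumptions made for this example; the address mappings and the `VYOS_PBR_<name>` chain naming follow the example on this page.

```python
"""Added example (not VyOS code): turn the proposed connection-classifier
config into the nft `jhash ... mod 100 vmap` rule and check its invariants.

Assumptions (hypothetical, not from the proposal or VyOS): the function
names, the SELECTION_EXPR table, and `th sport`/`th dport` for the port
selection patterns.
"""

# Proposed CLI selection-pattern keyword -> nft expression used as hash key.
# Address mappings follow the page's example; the port mappings are an
# assumption (nft's protocol-agnostic transport header `th`).
SELECTION_EXPR = {
    "source-address": "ip saddr",
    "destination-address": "ip daddr",
    "source-port": "th sport",
    "destination-port": "th dport",
}

MODULUS = 100  # probabilities are percentages, so the hash is taken mod 100


def build_vmap(rules, modulus=MODULUS):
    """Turn [(probability, jump_target), ...] into contiguous hash-bucket ranges.

    Returns [(start, end, jump_target), ...] covering 0..modulus-1 exactly
    once, in the order the classifier rules were given. Raises ValueError
    when a probability is out of range or the probabilities do not add up
    to the modulus.
    """
    ranges = []
    start = 0
    for probability, target in rules:
        if not 0 <= probability <= modulus:
            raise ValueError(f"probability {probability} for {target} out of range")
        if probability == 0:
            continue  # a 0% rule never matches; emitting it would be a no-op
        end = start + probability - 1
        ranges.append((start, end, target))
        start = end + 1
    if start != modulus:
        raise ValueError(f"probabilities add up to {start}, expected {modulus}")
    return ranges


def build_nft_rule(policy, selection_pattern, rules, table="vyos_mangle"):
    """Render the nft rule for one policy-route rule's connection-classifier.

    `policy` and each jump target are policy-route names; chains are named
    VYOS_PBR_<name> and the rule only classifies still-unmarked connections
    (`ct mark 0`), as in the page's example.
    """
    try:
        key = " . ".join(SELECTION_EXPR[p] for p in selection_pattern)
    except KeyError as exc:
        raise ValueError(f"unknown selection-pattern {exc}") from None
    if not key:
        raise ValueError("at least one selection-pattern is required")

    entries = []
    for start, end, target in build_vmap(rules):
        # A one-bucket range is written as a single key rather than "n-n".
        bucket = f"{start}" if start == end else f"{start}-{end}"
        entries.append(f"{bucket} : jump VYOS_PBR_{target}")

    return (
        f"add rule ip {table} VYOS_PBR_{policy} ct mark 0 counter "
        f"jhash {key} mod {MODULUS} vmap {{ {', '.join(entries)} }}"
    )


if __name__ == "__main__":
    # Constructed input: the page's LAN example, 50/50 across two WAN chains.
    print(build_nft_rule(
        "LAN",
        ["source-address", "destination-address"],
        [(50, "LAN-TO-WAN01"), (50, "LAN-TO-WAN02")],
    ))
```

Because the hash key is built from the selected header fields only, every packet of a connection (and, with `ct mark` set in the target chains, every later packet of it) lands in the same bucket, which is what keeps a connection pinned to one WAN; the sum check is what guarantees that the vmap has no hole through which a connection could fall to the default route.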
References:
https://manpages.debian.org/testing/nftables/nft.8.en.html#HASH_EXPRESSIONS
https://manpages.debian.org/testing/nftables/nft.8.en.html#VMAP_STATEMENT
https://manpages.debian.org/testing/nftables/nft.8.en.html#VERDICT_STATEMENT
https://wiki.nftables.org/wiki-nftables/index.php/Load_balancing