hi
I have been testing the WAN load-balancing feature and found an issue: when you create a policy-based traffic rule (per-destination `load-balancing wan rule`), it does not work as expected. Let me show.
Case reference:
https://forum.vyos.io/t/multi-wan-load-balancing-configurations-have-no-effect/8738
# VyOS version: vyos-1.4-rolling-202204060217
## dual-wan configuration ,with rule policy traffic set interfaces ethernet eth0 address 'dhcp' set interfaces ethernet eth0 description 'WAN1' set interfaces ethernet eth1 address 'dhcp' set interfaces ethernet eth1 description 'WAN2' set interfaces ethernet eth3 address '172.16.80.1/24' set interfaces ethernet eth3 description 'LAN' set load-balancing wan interface-health eth0 failure-count '5' set load-balancing wan interface-health eth0 nexthop 'dhcp' set load-balancing wan interface-health eth0 success-count '1' set load-balancing wan interface-health eth0 test 10 resp-time '5' set load-balancing wan interface-health eth0 test 10 target '186.57.128.104' set load-balancing wan interface-health eth0 test 10 ttl-limit '1' set load-balancing wan interface-health eth0 test 10 type 'ttl' set load-balancing wan interface-health eth0 test 20 resp-time '5' set load-balancing wan interface-health eth0 test 20 target '1.0.0.1' set load-balancing wan interface-health eth0 test 20 ttl-limit '1' set load-balancing wan interface-health eth0 test 20 type 'ping' set load-balancing wan interface-health eth1 failure-count '5' set load-balancing wan interface-health eth1 nexthop 'dhcp' set load-balancing wan interface-health eth1 success-count '1' set load-balancing wan interface-health eth1 test 10 resp-time '5' set load-balancing wan interface-health eth1 test 10 target '8.8.8.8' set load-balancing wan interface-health eth1 test 10 ttl-limit '1' set load-balancing wan interface-health eth1 test 10 type 'ping' set load-balancing wan interface-health eth1 test 20 resp-time '5' set load-balancing wan interface-health eth1 test 20 target '8.8.4.4' set load-balancing wan interface-health eth1 test 20 ttl-limit '1' set load-balancing wan interface-health eth1 test 20 type 'ping' set load-balancing wan rule 100 description 'SpeedTest - Spectrum' set load-balancing wan rule 100 destination address '24.29.97.0/24' set load-balancing wan rule 100 inbound-interface 'eth3' set 
load-balancing wan rule 100 interface eth1 weight '1' set load-balancing wan rule 100 protocol 'all' set load-balancing wan rule 100 source address '172.16.80.0/24' set load-balancing wan rule 110 description 'SpeedTest - NaturalWireless' set load-balancing wan rule 110 destination address '163.182.128.0/24' set load-balancing wan rule 110 inbound-interface 'eth3' set load-balancing wan rule 110 interface eth0 weight '1' set load-balancing wan rule 110 protocol 'all' set load-balancing wan rule 110 source address '172.16.80.0/24' set load-balancing wan rule 1000 description 'DEFAULT FAILOVER RULE' set load-balancing wan rule 1000 failover set load-balancing wan rule 1000 inbound-interface 'eth3' set load-balancing wan rule 1000 interface eth0 weight '3' set load-balancing wan rule 1000 interface eth1 weight '2' set load-balancing wan rule 1000 protocol 'all' set load-balancing wan sticky-connections inbound set protocols static route 1.0.0.1/32 next-hop 172.16.50.1 set protocols static route 1.1.1.1/32 next-hop 172.16.50.1 set protocols static route 8.8.4.4/32 next-hop 10.10.0.1 set protocols static route 8.8.8.8/32 next-hop 10.10.0.1
Here is the WAN load-balance status together with the output of `sudo nft -a list ruleset`. Two things to look at: the `nat` `POSTROUTING` base chain is empty (nothing jumps to `VYOS_PRE_SNAT_HOOK`), and the `ct mark 0xc9` / `ct mark 0xca` SNAT rules in `WANLOADBALANCE` show zero packets.
# status vyos@test-wan:~$ show wan-load-balance status Chain WANLOADBALANCE_PRE (1 references) pkts bytes target prot opt in out source destination 22 1848 ISP_eth1 all -- eth3 * 172.16.80.0/24 24.29.97.0/24 state NEW 0 0 CONNMARK all -- eth3 * 172.16.80.0/24 24.29.97.0/24 CONNMARK restore 60 5040 ISP_eth0 all -- eth3 * 172.16.80.0/24 163.182.128.0/24 state NEW 0 0 CONNMARK all -- eth3 * 172.16.80.0/24 163.182.128.0/24 CONNMARK restore 0 0 ISP_eth0 all -- eth3 * 0.0.0.0/0 0.0.0.0/0 state NEW 0 0 CONNMARK all -- eth3 * 0.0.0.0/0 0.0.0.0/0 CONNMARK restore # ne vyos@test-wan:~$ sudo nft -a list ruleset table ip filter { # handle 28 chain VYOS_FW_FORWARD { # handle 1 type filter hook forward priority filter; policy accept; jump VYOS_POST_FW # handle 6 } chain VYOS_FW_LOCAL { # handle 2 type filter hook input priority filter; policy accept; jump VYOS_POST_FW # handle 7 } chain VYOS_FW_OUTPUT { # handle 3 type filter hook output priority filter; policy accept; jump VYOS_POST_FW # handle 8 } chain VYOS_POST_FW { # handle 4 return # handle 9 } chain VYOS_FRAG_MARK { # handle 5 type filter hook prerouting priority -450; policy accept; ip frag-off & 16383 != 0 meta mark set 0x000ffff1 return # handle 10 } } table ip6 filter { # handle 29 chain VYOS_FW6_FORWARD { # handle 1 type filter hook forward priority filter; policy accept; jump VYOS_POST_FW6 # handle 6 } chain VYOS_FW6_LOCAL { # handle 2 type filter hook input priority filter; policy accept; jump VYOS_POST_FW6 # handle 7 } chain VYOS_FW6_OUTPUT { # handle 3 type filter hook output priority filter; policy accept; jump VYOS_POST_FW6 # handle 8 } chain VYOS_POST_FW6 { # handle 4 return # handle 9 } chain VYOS_FRAG6_MARK { # handle 5 type filter hook prerouting priority -450; policy accept; exthdr frag exists meta mark set 0x000ffff1 return # handle 10 } } table ip nat { # handle 30 chain PREROUTING { # handle 1 type nat hook prerouting priority dstnat; policy accept; } chain POSTROUTING { # handle 2 type nat hook 
postrouting priority srcnat; policy accept; } chain VYOS_PRE_DNAT_HOOK { # handle 3 } chain VYOS_PRE_SNAT_HOOK { # handle 4 counter packets 0 bytes 0 jump WANLOADBALANCE # handle 10 } chain WANLOADBALANCE { # handle 9 ct mark 0xc9 counter packets 0 bytes 0 snat to 172.16.50.16 # handle 11 ct mark 0xca counter packets 0 bytes 0 snat to 10.10.0.2 # handle 12 } } table ip6 nat { # handle 31 chain PREROUTING { # handle 1 type nat hook prerouting priority dstnat; policy accept; counter packets 0 bytes 0 jump VYOS_DNPT_HOOK # handle 5 } chain POSTROUTING { # handle 2 type nat hook postrouting priority srcnat; policy accept; counter packets 0 bytes 0 jump VYOS_SNPT_HOOK # handle 6 } chain VYOS_DNPT_HOOK { # handle 3 return # handle 7 } chain VYOS_SNPT_HOOK { # handle 4 return # handle 8 } } table inet mangle { # handle 32 chain FORWARD { # handle 1 type filter hook forward priority mangle; policy accept; } } table ip raw { # handle 33 ct helper rpc_tcp { # handle 10 type "rpc" protocol tcp l3proto ip } ct helper rpc_udp { # handle 11 type "rpc" protocol udp l3proto ip } ct helper tns_tcp { # handle 12 type "tns" protocol tcp l3proto ip } chain VYOS_TCP_MSS { # handle 1 type filter hook forward priority raw; policy accept; } chain PREROUTING { # handle 2 type filter hook prerouting priority -200; policy accept; counter packets 1789 bytes 114256 jump VYOS_CT_IGNORE # handle 16 counter packets 1782 bytes 112240 jump WLB_CONNTRACK # handle 63 counter packets 7 bytes 2016 jump VYOS_CT_HELPER # handle 57 counter packets 7 bytes 2016 jump VYOS_CT_TIMEOUT # handle 17 counter packets 7 bytes 2016 jump VYOS_CT_PREROUTING_HOOK # handle 18 counter packets 7 bytes 2016 jump NAT_CONNTRACK # handle 59 counter packets 0 bytes 0 jump FW_CONNTRACK # handle 19 notrack # handle 20 } chain OUTPUT { # handle 3 type filter hook output priority -200; policy accept; counter packets 1700 bytes 81608 jump VYOS_CT_IGNORE # handle 21 counter packets 1700 bytes 81608 jump VYOS_CT_HELPER # handle 58 
counter packets 1700 bytes 81608 jump VYOS_CT_TIMEOUT # handle 22 counter packets 1700 bytes 81608 jump VYOS_CT_OUTPUT_HOOK # handle 23 counter packets 1700 bytes 81608 jump NAT_CONNTRACK # handle 60 counter packets 0 bytes 0 jump FW_CONNTRACK # handle 24 notrack # handle 25 } chain VYOS_CT_HELPER { # handle 4 ct helper set "tns_tcp" tcp dport { 1521, 1525, 1536 } return # handle 46 ct helper set "rpc_udp" udp dport { 111 } return # handle 44 ct helper set "rpc_tcp" tcp dport { 111 } return # handle 42 return # handle 29 } chain VYOS_CT_IGNORE { # handle 5 return # handle 47 } chain VYOS_CT_TIMEOUT { # handle 6 return # handle 48 } chain VYOS_CT_PREROUTING_HOOK { # handle 7 return # handle 32 } chain VYOS_CT_OUTPUT_HOOK { # handle 8 return # handle 33 } chain FW_CONNTRACK { # handle 9 accept # handle 34 } chain NAT_CONNTRACK { # handle 55 counter packets 1707 bytes 83624 accept # handle 56 } chain WLB_CONNTRACK { # handle 61 counter packets 1782 bytes 112240 accept # handle 62 } } table ip6 raw { # handle 34 chain VYOS_TCP_MSS { # handle 1 type filter hook forward priority raw; policy accept; } chain PREROUTING { # handle 2 type filter hook prerouting priority raw; policy accept; counter packets 2 bytes 112 jump VYOS_CT_PREROUTING_HOOK # handle 7 counter packets 2 bytes 112 jump FW_CONNTRACK # handle 8 notrack # handle 9 } chain OUTPUT { # handle 3 type filter hook output priority raw; policy accept; counter packets 28 bytes 2912 jump VYOS_CT_OUTPUT_HOOK # handle 10 counter packets 28 bytes 2912 jump FW_CONNTRACK # handle 11 notrack # handle 12 } chain VYOS_CT_PREROUTING_HOOK { # handle 4 return # handle 13 } chain VYOS_CT_OUTPUT_HOOK { # handle 5 return # handle 14 } chain FW_CONNTRACK { # handle 6 accept # handle 15 } } table ip mangle { # handle 35 chain WANLOADBALANCE_PRE { # handle 1 iifname "eth3" ip saddr 172.16.80.0/24 ip daddr 24.29.97.0/24 ct state new counter packets 22 bytes 1848 jump ISP_eth1 # handle 19 iifname "eth3" ip saddr 172.16.80.0/24 ip daddr 
24.29.97.0/24 counter packets 0 bytes 0 meta mark set ct mark # handle 20 iifname "eth3" ip saddr 172.16.80.0/24 ip daddr 163.182.128.0/24 ct state new counter packets 60 bytes 5040 jump ISP_eth0 # handle 21 iifname "eth3" ip saddr 172.16.80.0/24 ip daddr 163.182.128.0/24 counter packets 0 bytes 0 meta mark set ct mark # handle 22 iifname "eth3" ct state new counter packets 0 bytes 0 jump ISP_eth0 # handle 23 iifname "eth3" counter packets 0 bytes 0 meta mark set ct mark # handle 24 } chain PREROUTING { # handle 3 type filter hook prerouting priority mangle; policy accept; iifname "eth1" ct state new counter packets 0 bytes 0 jump ISP_eth1_IN # handle 18 iifname "eth0" ct state new counter packets 0 bytes 0 jump ISP_eth0_IN # handle 11 counter packets 1782 bytes 112240 jump WANLOADBALANCE_PRE # handle 4 } chain ISP_eth0 { # handle 5 counter packets 60 bytes 5040 ct mark set 0xc9 # handle 6 counter packets 60 bytes 5040 meta mark set 0xc9 # handle 7 counter packets 60 bytes 5040 accept # handle 8 } chain ISP_eth0_IN { # handle 9 counter packets 0 bytes 0 ct mark set 0xc9 # handle 10 } chain ISP_eth1 { # handle 12 counter packets 22 bytes 1848 ct mark set 0xca # handle 13 counter packets 22 bytes 1848 meta mark set 0xca # handle 14 counter packets 22 bytes 1848 accept # handle 15 } chain ISP_eth1_IN { # handle 16 counter packets 0 bytes 0 ct mark set 0xca # handle 17 } }
However, we never see matches on the `ct mark`-based SNAT rules (`WANLOADBALANCE` in `table ip nat`) or on the `meta mark set ct mark` (CONNMARK restore) rules. In the 1.4 dump above, the `nat` `POSTROUTING` base chain contains no rule, so the `VYOS_PRE_SNAT_HOOK` chain that jumps to `WANLOADBALANCE` is unreachable; compare the 1.3.1 output below, where `POSTROUTING` does `jump VYATTA_PRE_SNAT_HOOK`. The same configuration works without problems on 1.3.1. Here is an example:
##output 1.3.1: table ip nat { # handle 8 chain PREROUTING { # handle 1 type nat hook prerouting priority dstnat; policy accept; counter packets 2 bytes 168 jump VYATTA_PRE_DNAT_HOOK # handle 7 } chain INPUT { # handle 2 type nat hook input priority 100; policy accept; } chain POSTROUTING { # handle 3 type nat hook postrouting priority srcnat; policy accept; counter packets 2 bytes 168 jump VYATTA_PRE_SNAT_HOOK # handle 10 } chain OUTPUT { # handle 4 type nat hook output priority -100; policy accept; } chain VYATTA_PRE_DNAT_HOOK { # handle 5 counter packets 2 bytes 168 return # handle 6 } chain VYATTA_PRE_SNAT_HOOK { # handle 8 counter packets 2 bytes 168 jump WANLOADBALANCE # handle 12 counter packets 0 bytes 0 return # handle 9 } chain WANLOADBALANCE { # handle 11 ct mark 0xc9 counter packets 1 bytes 84 snat to 172.16.50.10 # handle 13 ct mark 0xca counter packets 1 bytes 84 snat to 10.10.0.2 # handle 14 } table ip mangle { # handle 35 chain WANLOADBALANCE_PRE { # handle 1 iifname "eth3" ip saddr 172.16.80.0/24 ip daddr 24.29.97.0/24 ct state new counter packets 22 bytes 1848 jump ISP_eth1 # handle 19 iifname "eth3" ip saddr 172.16.80.0/24 ip daddr 24.29.97.0/24 counter packets 0 bytes 0 meta mark set ct mark # handle 20 iifname "eth3" ip saddr 172.16.80.0/24 ip daddr 163.182.128.0/24 ct state new counter packets 60 bytes 5040 jump ISP_eth0 # handle 21 iifname "eth3" ip saddr 172.16.80.0/24 ip daddr 163.182.128.0/24 counter packets 0 bytes 0 meta mark set ct mark # handle 22 iifname "eth3" ct state new counter packets 0 bytes 0 jump ISP_eth0 # handle 23 iifname "eth3" counter packets 0 bytes 0 meta mark set ct mark # handle 24 } chain PREROUTING { # handle 3 type filter hook prerouting priority mangle; policy accept; iifname "eth1" ct state new counter packets 0 bytes 0 jump ISP_eth1_IN # handle 18 iifname "eth0" ct state new counter packets 0 bytes 0 jump ISP_eth0_IN # handle 11 counter packets 196 bytes 13908 jump WANLOADBALANCE_PRE # handle 4 } chain ISP_eth0 
{ # handle 5 counter packets 60 bytes 5040 ct mark set 0xc9 # handle 6 counter packets 60 bytes 5040 meta mark set 0xc9 # handle 7 counter packets 60 bytes 5040 accept # handle 8 } chain ISP_eth0_IN { # handle 9 counter packets 0 bytes 0 ct mark set 0xc9 # handle 10 } chain ISP_eth1 { # handle 12 counter packets 22 bytes 1848 ct mark set 0xca # handle 13 counter packets 22 bytes 1848 meta mark set 0xca # handle 14 counter packets 22 bytes 1848 accept # handle 15 } chain ISP_eth1_IN { # handle 16 counter packets 0 bytes 0 ct mark set 0xca # handle 17 vyos@test2:~$ show wan-load-balance status Chain WANLOADBALANCE_PRE (1 references) pkts bytes target prot opt in out source destination 1 84 ISP_eth1 all -- eth3 * 172.16.80.0/24 24.29.97.0/24 state NEW 9 756 CONNMARK all -- eth3 * 172.16.80.0/24 24.29.97.0/24 CONNMARK restore 1 84 ISP_eth0 all -- eth3 * 172.16.80.0/24 163.182.128.0/24 state NEW 9 756 CONNMARK all -- eth3 * 172.16.80.0/24 163.182.128.0/24 CONNMARK restore 0 0 ISP_eth0 all -- eth3 * 0.0.0.0/0 0.0.0.0/0 state NEW 18 1512 CONNMARK all -- eth3 * 0.0.0.0/0 0.0.0.0/0 CONNMARK restore
I initially thought this was a problem with packet marking in 1.4, but the counters show that the `ISP_eth0` / `ISP_eth1` chains do set the ct mark (60 and 22 packets respectively). What is missing is the jump from the `nat` `POSTROUTING` base chain into `VYOS_PRE_SNAT_HOOK`, so the mark-based SNAT never runs and the policy rules cannot work properly. A practical consequence worth confirming: since `WANLOADBALANCE` is the only SNAT in this ruleset, LAN traffic from 172.16.80.0/24 presumably leaves eth0/eth1 with its private source address, which would also explain why only `ct state new` packets are ever counted and the CONNMARK restore rules stay at zero (no replies come back).