On the latest 1.4 releases, after a fresh install, this is the content of the NAT table:
```
# pre-nat
vyos@vyos:~$ sudo nft list table ip nat
table ip nat {
        chain PREROUTING {
                type nat hook prerouting priority dstnat; policy accept;
                counter packets 0 bytes 0 jump VYOS_PRE_DNAT_HOOK
        }

        chain POSTROUTING {
                type nat hook postrouting priority srcnat; policy accept;
                counter packets 30 bytes 1800 jump VYOS_PRE_SNAT_HOOK
        }

        chain VYOS_PRE_DNAT_HOOK {
                return
        }

        chain VYOS_PRE_SNAT_HOOK {
                return
        }
}
```
There we can see both jumps from PREROUTING and POSTROUTING to VYOS_PRE_XNAT_HOOK. The return action is also present in the VYOS_PRE_XNAT_HOOK chains.
But after adding, for example, a simple source NAT rule, we get:
```
table ip nat {
        chain PREROUTING {
                type nat hook prerouting priority dstnat; policy accept;
        }

        chain POSTROUTING {
                type nat hook postrouting priority srcnat; policy accept;
                oifname "eth0" ip saddr 192.168.99.0/24 counter packets 0 bytes 0 masquerade comment "SRC-NAT-10"
        }

        chain VYOS_PRE_DNAT_HOOK {
        }

        chain VYOS_PRE_SNAT_HOOK {
        }
}
```
No jumps to VYOS_PRE_XNAT_HOOK are present in the PREROUTING and POSTROUTING chains. Also, there is no return action in the VYOS_PRE_XNAT_HOOK chains.
This leads to misbehavior of other components, such as WAN Load Balance. Some entries on the forum:
- https://forum.vyos.io/t/wan-load-balancing-fails-to-work-properly-for-pppoe-clients/8782
- https://forum.vyos.io/t/multi-wan-load-balancing-configurations-have-no-effect/8738/5
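A check for the condition described above, as an added example that is not part of the original report or of VyOS: it reads `nft list table ip nat` output and reports which jumps and return rules are missing. The function names `check_nat_hooks` and `after_rule` are hypothetical; the embedded sample is the second listing from this report.

```shell
# Reads `nft list table ip nat` output on stdin and prints what is missing.
# Exit status 0 means both jumps and both return rules are present.
# On a router: sudo nft list table ip nat | check_nat_hooks
check_nat_hooks() {
    awk '
        BEGIN { bad = 0 }
        $1 == "chain" { chain = $2; next }      # entering a chain block
        $1 == "}"     { chain = ""; next }      # leaving a chain (or the table)
        chain != "" {
            if ($1 == "return") ret[chain] = 1
            for (i = 1; i < NF; i++)
                if ($i == "jump") jump[chain, $(i + 1)] = 1
        }
        END {
            n = split("PREROUTING:VYOS_PRE_DNAT_HOOK POSTROUTING:VYOS_PRE_SNAT_HOOK", want, " ")
            for (k = 1; k <= n; k++) {
                split(want[k], p, ":")
                if (!((p[1], p[2]) in jump)) { print "missing jump: " p[1] " -> " p[2]; bad = 1 }
                if (!(p[2] in ret)) { print "missing return: " p[2]; bad = 1 }
            }
            exit bad
        }
    '
}

# Table as listed in this report after the source NAT rule was added.
after_rule() { cat <<'EOF'
table ip nat {
        chain PREROUTING {
                type nat hook prerouting priority dstnat; policy accept;
        }
        chain POSTROUTING {
                type nat hook postrouting priority srcnat; policy accept;
                oifname "eth0" ip saddr 192.168.99.0/24 counter packets 0 bytes 0 masquerade comment "SRC-NAT-10"
        }
        chain VYOS_PRE_DNAT_HOOK {
        }
        chain VYOS_PRE_SNAT_HOOK {
        }
}
EOF
}

after_rule | check_nat_hooks || echo "NAT hook chains are not wired up"
```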
Bugs related to this main cause: