
Destination NAT - Add Load Balancing capabilities
Closed, Resolved | Public | FEATURE REQUEST

Description

It would be good to add load balancing capabilities.

A possible CLI could be:

set nat destination rule <rule> load-balance mode <round-robin|random>
set nat destination rule <rule> load-balance translation-address <address> probability <prob>/<total>

A complete example using random:

set nat destination rule 10 inbound interface eth0
set nat destination rule 10 protocol tcp
set nat destination rule 10 destination port 80
set nat destination rule 10 destination address 192.168.0.165
set nat destination rule 10 load-balance mode random
set nat destination rule 10 load-balance translation-address 10.0.0.101 probability 50/100
set nat destination rule 10 load-balance translation-address 10.0.0.102 probability 30/100
set nat destination rule 10 load-balance translation-address 10.0.0.103 probability 20/100

## nft rule generated:
sudo nft add rule ip vyos_nat PREROUTING ip daddr 192.168.0.165 tcp dport 80 counter dnat to numgen random mod 100 map { 0-49 : 10.0.0.101, 50-79 : 10.0.0.102, 80-99 : 10.0.0.103 }

An example using round-robin:

set nat destination rule 10 inbound interface eth0
set nat destination rule 10 protocol tcp
set nat destination rule 10 destination port 80
set nat destination rule 10 destination address 192.168.0.165
set nat destination rule 10 load-balance mode round-robin
set nat destination rule 10 load-balance translation-address 10.0.0.7 probability 1/3
set nat destination rule 10 load-balance translation-address 10.0.0.2 probability 1/3
set nat destination rule 10 load-balance translation-address 10.0.0.5 probability 1/3
## nft rule generated:
sudo nft add rule ip vyos_nat PREROUTING ip daddr 192.168.0.165 tcp dport 80 counter dnat to numgen inc mod 3 map { 0 : 10.0.0.7, 1 : 10.0.0.2, 2 : 10.0.0.5 }

Reference: https://manpages.debian.org/testing/nftables/nft.8.en.html#NUMGEN_EXPRESSION
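The translation from the proposed CLI to the nft rule, as an added example (not VyOS code): it follows the `probability <prob>/<total>` syntax from this description rather than the later `hash-value`/`upper-limit` form, and rejects weight sets that leave numgen values outside the map, since a map miss means the rule does not match and that packet is not translated at all.

```python
# Added example, not VyOS code: render the proposed "load-balance" CLI into
# the nft numgen expression shown in the task, and validate the weights.

def parse_prob(p):
    """'50/100' -> (50, 100); rejects zero, negative or oversized numerators."""
    num, den = (int(x) for x in p.split("/"))
    if num <= 0 or den <= 0 or num > den:
        raise ValueError(f"bad probability {p!r}")
    return num, den

def numgen_map(mode, targets):
    """targets: list of (address, '<prob>/<total>') in CLI order."""
    if mode == "round-robin":
        # One bucket per address; 'numgen inc' walks them in turn.
        body = ", ".join(f"{i} : {addr}" for i, (addr, _) in enumerate(targets))
        return f"numgen inc mod {len(targets)} map {{ {body} }}"
    if mode != "random":
        raise ValueError(f"unknown load-balance mode {mode!r}")
    parsed = [(addr, *parse_prob(p)) for addr, p in targets]
    totals = {den for _, _, den in parsed}
    if len(totals) != 1:
        raise ValueError("all probabilities must share one <total> (the numgen modulus)")
    total = totals.pop()
    if sum(num for _, num, _ in parsed) != total:
        # Values with no map entry would fall through untranslated.
        raise ValueError("probabilities must add up to <total>")
    buckets, start = [], 0
    for addr, num, _ in parsed:
        end = start + num - 1
        buckets.append(f"{start}-{end} : {addr}" if num > 1 else f"{start} : {addr}")
        start = end + 1
    return f"numgen random mod {total} map {{ {', '.join(buckets)} }}"

def dnat_rule(daddr, dport, mode, targets, proto="tcp"):
    """Full 'nft add rule' line in the form the task shows for vyos_nat."""
    return (f"nft add rule ip vyos_nat PREROUTING ip daddr {daddr} "
            f"{proto} dport {dport} counter dnat to {numgen_map(mode, targets)}")

if __name__ == "__main__":
    print(dnat_rule("192.168.0.165", 80, "random",
                    [("10.0.0.101", "50/100"), ("10.0.0.102", "30/100"), ("10.0.0.103", "20/100")]))
```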

Details

Difficulty level
Unknown (require assessment)
Version
vyos-1.4-rolling-202302150317
Why did the issue appear?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Feature (new functionality)

Event Timeline

n.fort changed Version from - to vyos-1.4-rolling-202302150317.
n.fort changed Issue type from Unspecified (please specify) to Feature (new functionality).

Without a hash, it can be useless.
For example, the client initiates a TCP session:

  • SYN is forwarded from the client to 10.0.0.7
  • 10.0.0.7 responds with SYN/ACK to the client
  • client sends ACK, which is forwarded to 10.0.0.2

The TCP session, in this case, cannot be established.
Needs checking.

When internal hosts are behind NAT, this is working as expected, because of conntrack.

Relevant config on Working lab:

vyos@NAT-ROUTER:~$ show config comm 
set interfaces bridge br0 address '10.0.0.1/24'
set interfaces bridge br0 member interface eth1
set interfaces bridge br0 member interface eth2
set interfaces bridge br0 member interface eth3
set interfaces bridge br0 member interface eth4
set interfaces ethernet eth0 address 'dhcp'
set nat source rule 10 outbound-interface 'eth0'
set nat source rule 10 translation address 'masquerade'

## Nat rule added manually:
sudo nft add rule ip vyos_nat PREROUTING ip daddr 192.168.0.165 tcp dport 178 counter dnat to numgen inc mod 3 map { 0 : 10.0.0.101, 1 : 10.0.0.102, 2 : 10.0.0.103 }

nft nat table:

vyos@NAT-ROUTER:~$ sudo nft list table ip vyos_nat
table ip vyos_nat {
        chain PREROUTING {
                type nat hook prerouting priority dstnat; policy accept;
                counter packets 60 bytes 8577 jump VYOS_PRE_DNAT_HOOK
                ip daddr 192.168.0.165 tcp dport 178 counter packets 7 bytes 420 dnat to numgen inc mod 3 map { 0 : 10.0.0.101, 1 : 10.0.0.102, 2 : 10.0.0.103 }
        }

        chain POSTROUTING {
                type nat hook postrouting priority srcnat; policy accept;
                counter packets 44 bytes 2636 jump VYOS_PRE_SNAT_HOOK
                oifname "eth0" counter packets 0 bytes 0 masquerade comment "SRC-NAT-10"
                oifname "eth5" counter packets 0 bytes 0 masquerade comment "SRC-NAT-20"
        }

        chain VYOS_PRE_DNAT_HOOK {
                return
        }

        chain VYOS_PRE_SNAT_HOOK {
                return
        }
}
vyos@NAT-ROUTER:~$

Conntrack status while 3 connections are established towards the three endpoint servers:

vyos@NAT-ROUTER:~$ sudo conntrack -L | grep tcp
conntrack v1.4.6 (conntrack-tools): 4 flow entries have been shown.
tcp      6 431694 ESTABLISHED src=192.168.70.22 dst=192.168.0.165 sport=43028 dport=178 src=10.0.0.102 dst=192.168.70.22 sport=178 dport=43028 [ASSURED] helper=tns use=1
tcp      6 431682 ESTABLISHED src=192.168.70.22 dst=192.168.0.165 sport=47800 dport=178 src=10.0.0.103 dst=192.168.70.22 sport=178 dport=47800 [ASSURED] helper=tns use=1
tcp      6 431716 ESTABLISHED src=192.168.70.22 dst=192.168.0.165 sport=50226 dport=178 src=10.0.0.101 dst=192.168.70.22 sport=178 dport=50226 [ASSURED] helper=tns use=1
vyos@NAT-ROUTER:~$
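A small model of the point made in the two comments above, as an added example (not VyOS code): `numgen inc` picks a new value every time the nat chain is evaluated, but the kernel evaluates the nat chain only for the first packet of a flow and conntrack then reuses that decision. The "no conntrack" path reproduces the SYN-to-one-host, ACK-to-another split; the conntrack path pins each flow to the backend chosen for its first packet. Flow tuples and backends are constructed for the illustration.

```python
# Added example, not VyOS code: per-packet 'numgen inc' selection with and
# without a conntrack-style flow table.
from itertools import count

# Constructed to match "numgen inc mod 3 map { 0 : ..., 1 : ..., 2 : ... }".
BACKENDS = ["10.0.0.7", "10.0.0.2", "10.0.0.5"]

class NumgenInc:
    """Models 'numgen inc mod N': a counter bumped on every evaluation."""
    def __init__(self, n):
        self.n, self.counter = n, count()
    def next(self):
        return next(self.counter) % self.n

def forward(packets, use_conntrack):
    """packets: list of (flow_tuple, flag). Returns the backend each packet reaches."""
    gen = NumgenInc(len(BACKENDS))
    conntrack = {}  # flow tuple -> backend, filled by the flow's first packet
    chosen = []
    for flow, _flag in packets:
        if use_conntrack and flow in conntrack:
            chosen.append(conntrack[flow])   # nat chain not evaluated again
            continue
        backend = BACKENDS[gen.next()]       # nat chain evaluated for this packet
        if use_conntrack:
            conntrack[flow] = backend
        chosen.append(backend)
    return chosen

def flows_consistent(packets, use_conntrack):
    """True if every flow saw exactly one backend across all its packets."""
    seen = {}
    for (flow, _flag), backend in zip(packets, forward(packets, use_conntrack)):
        seen.setdefault(flow, set()).add(backend)
    return all(len(b) == 1 for b in seen.values())

# Constructed handshake of one client flow, as described in the comment above.
HANDSHAKE = [(("192.168.70.22", 43028), "SYN"),
             (("192.168.70.22", 43028), "ACK"),
             (("192.168.70.22", 43028), "DATA")]

if __name__ == "__main__":
    print("without conntrack:", forward(HANDSHAKE, False))
    print("with conntrack:   ", forward(HANDSHAKE, True))
```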
Example that could work:

vyos@nat-lb-july# run show config comm | grep nat
set nat destination rule 10 destination port '443'
set nat destination rule 10 inbound-interface 'eth3'
set nat destination rule 10 protocol 'tcp'
set nat destination rule 10 translation load-balance mode 'round-robin'
set nat destination rule 10 translation load-balance translation-address 1.1.1.1 hash-value '0'
set nat destination rule 10 translation load-balance translation-address 2.2.2.2 hash-value '1'
set nat destination rule 10 translation load-balance translation-address 3.3.3.3 hash-value '2'
set nat destination rule 10 translation load-balance upper-limit '3'
set nat destination rule 20 destination port '53'
set nat destination rule 20 inbound-interface 'eth3'
set nat destination rule 20 protocol 'udp'
set nat destination rule 20 translation load-balance mode 'random'
set nat destination rule 20 translation load-balance translation-address 1.1.1.1 hash-value '0-24'
set nat destination rule 20 translation load-balance translation-address 2.2.2.2 hash-value '25-49'
set nat destination rule 20 translation load-balance translation-address 3.3.3.3 hash-value '50-99'
set nat destination rule 20 translation load-balance upper-limit '100'
set system host-name 'nat-lb-july'
[edit]


vyos@nat-lb-july# sudo nft list chain ip vyos_nat PREROUTING
table ip vyos_nat {
        chain PREROUTING {
                type nat hook prerouting priority dstnat; policy accept;
                counter packets 17 bytes 4092 jump VYOS_PRE_DNAT_HOOK
                iifname "eth3" tcp dport 443 counter packets 0 bytes 0 dnat to numgen inc mod 3 map { 0 : 1.1.1.1, 1 : 2.2.2.2, 2 : 3.3.3.3 } comment "DST-NAT-10"
                iifname "eth3" udp dport 53 counter packets 0 bytes 0 dnat to numgen random mod 100 map { 0-24 : 1.1.1.1, 25-49 : 2.2.2.2, 50-99 : 3.3.3.3 } comment "DST-NAT-20"
        }
}
[edit]
vyos@nat-lb-july# 
n.fort changed the task status from Open to In progress. Jul 21 2023, 6:05 PM
n.fort claimed this task.