The default SNAT behavior of the WAN load balancer should be to change the source IP address of outgoing packets through the load-balanced interfaces, as per the documentation and as per my expectation. VyOS satisfies this requirement, but in addition it also performs SNAT on inbound connections from the outside. As a result, the IP addresses of external clients are not visible to applications deployed inside. This behaviour is not expected as per the documentation. SNAT should be done only in the outward direction, for connections initiated from inside towards the WAN.
The documentation states:
Source NAT rules
Per default, interfaces used in a load balancing pool replace the source IP of each outgoing packet with its own address to ensure that replies arrive on the same interface. This works through automatically generated source NAT (SNAT) rules; these rules are only applied to balanced traffic. In cases where this behaviour is not desired, the automatic generation of SNAT rules can be disabled:
The bug is due to the following rules being programmed without any match on the outgoing interface, so the SNAT applies to every connection carrying the mark, whichever direction it was initiated in:
table ip vyos_wanloadbalance {
    chain wlb_nat_postrouting {
        type nat hook postrouting priority srcnat - 1; policy accept;
        ct mark 0x000000c9 counter packets 212 bytes 56527 snat to 192.168.101.10
        ct mark 0x000000ca counter packets 359 bytes 118343 snat to 192.168.1.100
    }
}
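As an added example (not part of this report and not VyOS code), a small Python check that parses an nft listing like the one above, flags postrouting SNAT rules that carry no outbound-interface match, and shows how such a rule would read once restricted to a WAN interface. The interface name eth1 and the `oifname`-prefixed rule form are assumptions for illustration, not the project's actual fix.

```python
import re

# Constructed sample: the listing quoted in the report above (closing brace added).
RULESET = """\
table ip vyos_wanloadbalance {
    chain wlb_nat_postrouting {
        type nat hook postrouting priority srcnat - 1; policy accept;
        ct mark 0x000000c9 counter packets 212 bytes 56527 snat to 192.168.101.10
        ct mark 0x000000ca counter packets 359 bytes 118343 snat to 192.168.1.100
    }
}
"""

SNAT_RE = re.compile(r"\bsnat to (\S+)")
MARK_RE = re.compile(r"\bct mark (0x[0-9a-fA-F]+)")
OIF_RE = re.compile(r'\boif(?:name)?\s+"?[\w.-]+"?')


def unscoped_snat_rules(ruleset: str) -> list:
    """Return SNAT rules in postrouting chains that have no outbound-interface match.

    Such a rule rewrites the source of the first packet of *any* connection that
    carries the mark, including an inbound connection headed to an internal host,
    which is exactly how the external client address gets hidden.
    """
    findings = []
    in_postrouting = False
    for raw in ruleset.splitlines():
        line = raw.strip()
        if line.startswith("chain "):
            in_postrouting = False  # new chain: wait for its hook line
        elif line.startswith("type nat hook postrouting"):
            in_postrouting = True
        elif in_postrouting:
            snat = SNAT_RE.search(line)
            if snat and not OIF_RE.search(line):
                mark = MARK_RE.search(line)
                findings.append({"mark": mark.group(1) if mark else None,
                                 "snat_to": snat.group(1), "rule": line})
    return findings


def scoped_rule(finding: dict, wan_if: str) -> str:
    """Assumed corrected form: SNAT only for packets leaving through wan_if."""
    rule = re.sub(r"\s*counter packets \d+ bytes \d+", "", finding["rule"])  # drop counters
    return re.sub(r"\bct mark", f'oifname "{wan_if}" ct mark', rule, count=1)


if __name__ == "__main__":
    for f in unscoped_snat_rules(RULESET):
        print("unscoped:", f["rule"], "\n  fixed:  ", scoped_rule(f, "eth1"))
```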