Change Details

Main idea is to be able to distribute connections from a LAN to multiple WANs, using policy routes. Something similar to [[ https://wiki.mikrotik.com/wiki/Manual:PCC | Mikrotik pcc ]] A proposed cli could be: ``` set policy route <name> rule <number> connection-classifier selection-pattern <destination-address | destination-port| source-address | source-port> set policy route <name> rule <number> connection-classifier rule 1 probability <0-100> jump-target <jump_target_01> set policy route <name> rule <number> connection-classifier rule 2 probability <0-100> jump-target <jump_target_02> ... ``` Example: matching based on src and dst ip address: ``` set policy route LAN rule 30 connection-classifier selection-pattern source-address set policy route LAN rule 30 connection-classifier selection-pattern destination-address set policy route LAN rule 30 connection-classifier rule 1 probability 50 jump-target OUT_WAN01 set policy route LAN rule 30 connection-classifier rule 2 probability 50 jump-target OUT_WAN02 # Which should lead next nft command: sudo nft add rule ip vyos_mangle VYOS_PBR_LAN ct mark 0 counter jhash ip saddr . ip daddr mod 100 vmap { 0-49 : jump VYOS_PBR_LAN-TO-WAN01 , 50-99 : jump VYOS_PBR_LAN-TO-WAN02 } ### Then also create both chains to associate previous selection to desired routing table # LAN-TO-WAN01 set policy route LAN-TO-WAN01 rule 10 set table 111 # LAN-TO-WAN02 set policy route LAN-TO-WAN02 rule 10 set table 122 ``` References: https://manpages.debian.org/testing/nftables/nft.8.en.html#HASH_EXPRESSIONS https://manpages.debian.org/testing/nftables/nft.8.en.html#VMAP_STATEMENT https://manpages.debian.org/testing/nftables/nft.8.en.html#VERDICT_STATEMENT

Main idea is to be able to distribute connections from a LAN to multiple WANs, using policy routes. Something similar to [[ https://wiki.mikrotik.com/wiki/Manual:PCC | Mikrotik pcc ]] A proposed cli could be: ``` set policy route <name> rule <number> connection-classifier selection-pattern <destination-address | destination-port| source-address | source-port> set policy route <name> rule <number> connection-classifier rule 1 probability <0-100> jump-target <jump_target_01> set policy route <name> rule <number> connection-classifier rule 2 probability <0-100> jump-target <jump_target_02> ... ``` Example: matching based on src and dst ip address: ``` set policy route LAN rule 30 connection-classifier selection-pattern source-address set policy route LAN rule 30 connection-classifier selection-pattern destination-address set policy route LAN rule 30 connection-classifier rule 1 probability 50 jump-target OUT_WAN01 set policy route LAN rule 30 connection-classifier rule 2 probability 50 jump-target OUT_WAN02 # Which should lead next nft command: sudo nft add rule ip vyos_mangle VYOS_PBR_LAN ct mark 0 counter jhash ip saddr . ip daddr mod 100 vmap { 0-49 : jump VYOS_PBR_LAN-TO-WAN01 , 50-99 : jump VYOS_PBR_LAN-TO-WAN02 } ### Then also create both chains to associate previous selection to desired routing table # LAN-TO-WAN01 set policy route LAN-TO-WAN01 rule 10 set table 111 # LAN-TO-WAN02 set policy route LAN-TO-WAN02 rule 10 set table 122 ``` References: https://manpages.debian.org/testing/nftables/nft.8.en.html#HASH_EXPRESSIONS https://manpages.debian.org/testing/nftables/nft.8.en.html#VMAP_STATEMENT https://manpages.debian.org/testing/nftables/nft.8.en.html#VERDICT_STATEMENT https://wiki.nftables.org/wiki-nftables/index.php/Load_balancing

Main idea is to be able to distribute connections from a LAN to multiple WANs, using policy routes. Something similar to [[ https://wiki.mikrotik.com/wiki/Manual:PCC | Mikrotik pcc ]] A proposed cli could be: ``` set policy route <name> rule <number> connection-classifier selection-pattern <destination-address | destination-port| source-address | source-port> set policy route <name> rule <number> connection-classifier rule 1 probability <0-100> jump-target <jump_target_01> set policy route <name> rule <number> connection-classifier rule 2 probability <0-100> jump-target <jump_target_02> ... ``` Example: matching based on src and dst ip address: ``` set policy route LAN rule 30 connection-classifier selection-pattern source-address set policy route LAN rule 30 connection-classifier selection-pattern destination-address set policy route LAN rule 30 connection-classifier rule 1 probability 50 jump-target OUT_WAN01 set policy route LAN rule 30 connection-classifier rule 2 probability 50 jump-target OUT_WAN02 # Which should lead next nft command: sudo nft add rule ip vyos_mangle VYOS_PBR_LAN ct mark 0 counter jhash ip saddr . ip daddr mod 100 vmap { 0-49 : jump VYOS_PBR_LAN-TO-WAN01 , 50-99 : jump VYOS_PBR_LAN-TO-WAN02 } ### Then also create both chains to associate previous selection to desired routing table # LAN-TO-WAN01 set policy route LAN-TO-WAN01 rule 10 set table 111 # LAN-TO-WAN02 set policy route LAN-TO-WAN02 rule 10 set table 122 ``` References: https://manpages.debian.org/testing/nftables/nft.8.en.html#HASH_EXPRESSIONS https://manpages.debian.org/testing/nftables/nft.8.en.html#VMAP_STATEMENT https://manpages.debian.org/testing/nftables/nft.8.en.html#VERDICT_STATEMENT https://wiki.nftables.org/wiki-nftables/index.php/Load_balancing