Running 1.3.4 and having two issues.
First, when visiting new sites DNS resolution takes a long time, sometimes up to 3 seconds, and some websites will not load at all. Looking at the Firefox web console I'm seeing errors such as NS_ERROR_NET_TIMEOUT and NS_ERROR_NET_INTERRUPT. It seems to function fine when using dig from the terminal, but I have the above issues when using a browser, across multiple clients.
Second, I have configured WAN load balancing in failover mode, and whenever I connect the primary connection (eth1) I lose internet connectivity from the LAN and also lose SSH access from the LAN to the router. I can ping the router but I cannot SSH into it. If I remove the primary connection it falls back to the secondary (pppoe0) and everything works again.
config.boot
firewall {
    all-ping enable
    broadcast-ping disable
    config-trap disable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    /* LAN -> router: accept-all with no rules, so every router service is reachable from every interface that zone-policy places in zone lan (all eth3 VLANs, including the guest VLAN, and the wg01 tunnel) */
    name lan-local {
        default-action accept
        enable-default-log
    }
    /* LAN -> WAN: unrestricted outbound, only logged */
    name lan-wan {
        default-action accept
        enable-default-log
    }
    /* router -> LAN: accept-all */
    name local-lan {
        default-action accept
        enable-default-log
    }
    /* router -> WAN: accept-all */
    name local-wan {
        default-action accept
        enable-default-log
    }
    /* WAN -> LAN: default drop; only return traffic and new ICMP are admitted */
    name wan-lan {
        default-action drop
        enable-default-log
        rule 5 {
            action accept
            description "Allow EST/Related Traffic"
            state {
                established enable
                related enable
            }
        }
        /* accepts every new ICMP type from the WAN; narrowing with icmp type-name (e.g. echo-request) limits this to what is actually needed */
        rule 20 {
            action accept
            protocol icmp
            state {
                new enable
            }
        }
    }
    /* WAN -> router: default drop; return traffic, new ICMP and the WireGuard listener are the only holes */
    name wan-local {
        default-action drop
        enable-default-log
        rule 5 {
            action accept
            description "Allow EST/Related Traffic"
            state {
                established enable
                related enable
            }
        }
        /* same any-type ICMP acceptance as wan-lan rule 20 */
        rule 20 {
            action accept
            protocol icmp
            state {
                new enable
            }
        }
        /* the empty source { } matches any source, i.e. it is a no-op; unavoidable while peer to-iphone has no fixed address */
        rule 30 {
            action accept
            description "Allow Wireguard Traffic"
            destination {
                port 51820
            }
            protocol udp
            source {
            }
            state {
                new enable
            }
        }
    }
    receive-redirects disable
    /* the router will emit ICMP redirects toward hosts; commonly disabled on a perimeter device */
    send-redirects enable
    /* no reverse-path filtering at all; 'loose' is the usual middle ground on a multi-WAN box, where strict RPF can break asymmetric failover paths */
    source-validation disable
    syn-cookies enable
    twa-hazards-protection disable
}
interfaces {
    /* no address: carrier interface for pppoe0 (see pppoe0 source-interface) */
    ethernet eth0 {
        hw-id 00:1a:8c:45:4a:b0
    }
    /* DHCP WAN, the load-balancing primary; nat rule 100 masquerades only on pppoe0, so flows steered out eth1 leave with their private 10.5.x source — TODO confirm this is the loss of LAN connectivity reported when eth1 is connected */
    ethernet eth1 {
        address dhcp
        hw-id 00:1a:8c:45:4a:b1
    }
    ethernet eth2 {
        disable
        hw-id 00:1a:8c:45:4a:b2
    }
    /* LAN trunk: native network 10.5.10.0/24 (where the DNS forwarder listens) plus one VLAN per sub-interface */
    ethernet eth3 {
        address 10.5.10.1/24
        hw-id 00:1a:8c:45:4a:b3
        vif 520 {
            address 10.5.20.1/24
        }
        vif 521 {
            address 10.5.21.1/24
        }
        vif 522 {
            address 10.5.22.1/24
        }
        vif 530 {
            address 10.5.30.1/24
        }
        vif 531 {
            address 10.5.31.1/24
        }
        vif 532 {
            address 10.5.32.1/24
        }
        /* guest Wi-Fi VLAN (dhcp-server HOME-GUEST-WIFI) */
        vif 542 {
            address 10.5.42.1/24
        }
    }
    loopback lo {
    }
    /* secondary WAN; credentials redacted in this paste but stored in clear in config.boot */
    pppoe pppoe0 {
        authentication {
            password <REDACTED>
            user <REDACTED>
        }
        description "Centurylink PPPOE"
        source-interface eth0
    }
    /* tunnel interface; zone-policy puts it in zone lan, so both peers get the same trust as the wired VLANs */
    wireguard wg01 {
        address 172.16.10.2/24
        /* roaming peer (no fixed address); allowed-ips pins it to a single /32 */
        peer to-iphone {
            allowed-ips 172.16.10.101/32
            pubkey <REDACTED>
        }
        /* site-to-site peer; allowed-ips also admits 10.68.0.0/16, although only 10.4.0.0/16 has a static route here */
        peer to-r1 {
            address <REDACTED>
            allowed-ips 172.16.10.1/32
            allowed-ips 10.4.0.0/16
            allowed-ips 10.68.0.0/16
            persistent-keepalive 15
            port 51820
            pubkey <REDACTED>
        }
        port 51820
    }
    wireless wlan0 {
        disable
        hw-id d0:ab:d5:45:43:db
        physical-device phy0
    }
    wireless wlan1 {
        disable
        hw-id 00:0e:8e:69:a1:62
        physical-device phy0
    }
}
load-balancing {
    wan {
        /* locally generated traffic (e.g. the DNS forwarder's upstream queries sourced from 10.5.10.1) is steered by WLB as well */
        enable-local-traffic
        /* conntrack is flushed on every WAN state change, so established sessions are torn down when a link comes up or goes down — NOTE(review): likely tied to the SSH loss seen when eth1 is connected; confirm */
        flush-connections
        /* a single failed probe fails the link and a single success restores it; low thresholds make the failover flap-prone */
        interface-health eth1 {
            failure-count 1
            nexthop dhcp
            success-count 1
        }
        /* NOTE(review): pppoe0 is not a DHCP client, so 'nexthop dhcp' may not yield a usable health-check next-hop — verify with 'show wan-load-balance' */
        interface-health pppoe0 {
            failure-count 1
            nexthop dhcp
            success-count 1
        }
        /* one failover rule per LAN VLAN, eth1 preferred; the native eth3 network (10.5.10.0/24) has no rule and follows the main routing table */
        rule 520 {
            failover
            inbound-interface eth3.520
            interface eth1 {
                weight 9
            }
            interface pppoe0 {
                weight 1
            }
            protocol all
        }
        rule 521 {
            failover
            inbound-interface eth3.521
            interface eth1 {
                weight 9
            }
            interface pppoe0 {
                weight 1
            }
            protocol all
        }
        rule 522 {
            failover
            inbound-interface eth3.522
            interface eth1 {
                weight 9
            }
            interface pppoe0 {
                weight 1
            }
            protocol all
        }
        rule 530 {
            failover
            inbound-interface eth3.530
            interface eth1 {
                weight 9
            }
            interface pppoe0 {
                weight 1
            }
            protocol all
        }
        rule 531 {
            failover
            inbound-interface eth3.531
            interface eth1 {
                weight 9
            }
            interface pppoe0 {
                weight 1
            }
            protocol all
        }
        rule 532 {
            failover
            inbound-interface eth3.532
            interface eth1 {
                weight 9
            }
            interface pppoe0 {
                weight 1
            }
            protocol all
        }
        /* guest VLAN is failed over exactly like the internal ones */
        rule 542 {
            failover
            inbound-interface eth3.542
            interface eth1 {
                weight 9
            }
            interface pppoe0 {
                weight 1
            }
            protocol all
        }
    }
}
nat {
    source {
        /* the only source NAT rule, bound to pppoe0: nothing translates 10.5.0.0/16 when traffic exits eth1, which is consistent with the reported loss of LAN internet once eth1 becomes primary — an equivalent masquerade rule with outbound-interface eth1 appears to be missing */
        rule 100 {
            outbound-interface pppoe0
            source {
                address 10.5.0.0/16
            }
            translation {
                address masquerade
            }
        }
    }
}
protocols {
    static {
        /* host route for the to-r1 tunnel address via wg01 */
        interface-route 172.16.10.1/32 {
            next-hop-interface wg01 {
            }
        }
        /* remote site 10.4.0.0/16 (DNS/DHCP servers used below) via the to-r1 peer; 10.68.0.0/16 from that peer's allowed-ips has no route here */
        route 10.4.0.0/16 {
            next-hop 172.16.10.1 {
            }
        }
    }
}
service {
    /* VLANs 530-532 relay DHCP to 10.4.30.15, reached over wg01 via the 10.4.0.0/16 static route, so addressing on those VLANs depends on the tunnel being up */
    dhcp-relay {
        interface eth3.530
        interface eth3.531
        interface eth3.532
        server 10.4.30.15
    }
    /* every scope hands out 10.5.10.1 as resolver, the forwarder's only listen-address */
    dhcp-server {
        shared-network-name HOME-INT {
            subnet 10.5.20.0/24 {
                default-router 10.5.20.1
                domain-name int.example.com
                domain-search int.example.com
                name-server 10.5.10.1
                ping-check
                range 0 {
                    start 10.5.20.210
                    stop 10.5.20.250
                }
            }
        }
        /* guest scope on eth3.542; that VLAN sits in the same zone as the internal VLANs and zone-policy does not filter intra-zone traffic, so guests are not isolated from 10.5.2x/3x.x by this config */
        shared-network-name HOME-GUEST-WIFI {
            subnet 10.5.42.0/24 {
                default-router 10.5.42.1
                name-server 10.5.10.1
                range 0 {
                    start 10.5.42.10
                    stop 10.5.42.199
                }
            }
        }
        shared-network-name HOME-INT-CLIENT {
            name-server 10.5.10.1
            subnet 10.5.21.0/24 {
                default-router 10.5.21.1
                domain-name int.example.com
                domain-search int.example.com
                name-server 10.5.10.1
                ping-check
                range 0 {
                    start 10.5.21.10
                    stop 10.5.21.250
                }
            }
        }
        shared-network-name HOME-INT-CLIENT-WIFI {
            name-server 10.5.10.1
            subnet 10.5.22.0/24 {
                default-router 10.5.22.1
                domain-name int.example.com
                domain-search int.example.com
                name-server 10.5.10.1
                range 0 {
                    start 10.5.22.10
                    stop 10.5.22.250
                }
            }
        }
    }
    dns {
        /* zone-update credentials are stored in clear in config.boot (redacted here); anyone who can read the config can rewrite example.com records, so a credential limited to this zone/record is preferable to an account-wide one */
        dynamic {
            interface pppoe0 {
                service cloudflare {
                    host-name r2.example.com
                    login <REDACTED>
                    password <REDACTED>
                    protocol cloudflare
                    server www.cloudflare.com
                    zone example.com
                }
            }
        }
        forwarding {
            /* recursion restricted to the local and remote-site ranges */
            allow-from 10.4.0.0/16
            allow-from 10.5.0.0/16
            /* log-fail: DNSSEC is validated but failures are only logged; answers are still returned */
            dnssec log-fail
            /* addnta = negative trust anchor: validation is skipped for these internal zones (needed if they are unsigned) */
            domain 10.4.10.in-addr.arpa. {
                addnta
                server 10.4.20.11
                server 10.4.20.12
            }
            domain 20.4.10.in-addr.arpa. {
                addnta
                server 10.4.20.11
                server 10.4.20.12
            }
            domain 21.4.10.in-addr.arpa. {
                addnta
                server 10.4.20.11
                server 10.4.20.12
            }
            domain 22.4.10.in-addr.arpa. {
                addnta
                server 10.4.20.11
                server 10.4.20.12
            }
            domain 30.4.10.in-addr.arpa. {
                addnta
                server 10.4.30.11
                server 10.4.30.12
            }
            domain 31.4.10.in-addr.arpa. {
                addnta
                server 10.4.30.12
                server 10.4.30.11
            }
            domain 32.4.10.in-addr.arpa. {
                addnta
                server 10.4.30.11
                server 10.4.30.12
            }
            domain ad.example.com {
                addnta
                server 10.4.30.11
                server 10.4.30.12
            }
            domain example.com {
                addnta
                server 10.4.20.11
                server 10.4.20.12
            }
            domain int.example.com {
                addnta
                server 10.4.20.12
                server 10.4.20.11
            }
            domain k8s.example.com {
                addnta
                server 10.4.20.11
                server 10.4.20.12
            }
            domain mgmt.example.com {
                addnta
                server 10.4.20.11
                server 10.4.20.12
            }
            /* the only internal zone without addnta — presumably an omission; with log-fail a validation failure would only be logged */
            domain roc.example.com {
                server 10.4.20.11
                server 10.4.20.12
            }
            listen-address 10.5.10.1
            /* upstream queries are sourced from 10.5.10.1 and, with enable-local-traffic, are subject to WLB; since only pppoe0 has source NAT, queries steered out eth1 would leave untranslated — TODO confirm whether the slow/failed resolution coincides with eth1 being active */
            source-address 10.5.10.1
            /* also forward to the system name-server (8.8.8.8) */
            system
        }
    }
    mdns {
    }
    /* reachable only via zone lan (lan-local accepts everything); wan-local has no SSH rule. Password auth is still enabled for the default account — disable-password-authentication plus public-keys on the user would harden this */
    ssh {
        port 22
    }
}
system {
    config-management {
        commit-revisions 100
    }
    /* every conntrack ALG helper is loaded; each one parses untrusted payloads in the kernel, so keep only those actually in use */
    conntrack {
        modules {
            ftp
            h323
            nfs
            pptp
            sip
            sqlnet
            tftp
        }
    }
    console {
        device ttyS0 {
            speed 115200
        }
    }
    host-name r2.example.com
    /* IPv6 disabled on the whole box; the firewall ipv6-* settings above are then largely irrelevant */
    ipv6 {
        disable
    }
    /* default account name with password authentication (hash redacted); key-based login via authentication public-keys is preferable */
    login {
        user vyos {
            authentication {
                encrypted-password <REDACTED>
            }
        }
    }
    /* single upstream resolver, also consumed by 'dns forwarding ... system' */
    name-server 8.8.8.8
    ntp {
        server time1.vyos.net {
        }
        server time2.vyos.net {
        }
        server time3.vyos.net {
        }
    }
    syslog {
        global {
            facility all {
                level info
            }
            /* debug-level protocol logging; noisy */
            facility protocols {
                level debug
            }
        }
    }
}
zone-policy {
    /* all eth3 VLANs, the native eth3 network and the WireGuard tunnel share one zone; zone-policy does not filter intra-zone traffic, so the guest VLAN (eth3.542) and the remote WireGuard peers have unrestricted reach into the internal VLANs */
    zone lan {
        default-action drop
        from local {
            firewall {
                name local-lan
            }
        }
        from wan {
            firewall {
                name wan-lan
            }
        }
        interface eth3
        interface eth3.520
        interface eth3.521
        interface eth3.522
        interface eth3.530
        interface eth3.531
        interface eth3.532
        interface eth3.542
        interface wg01
    }
    /* the router itself; lan-local is accept-all, wan-local is default drop */
    zone local {
        default-action drop
        from lan {
            firewall {
                name lan-local
            }
        }
        from wan {
            firewall {
                name wan-local
            }
        }
        local-zone
    }
    zone wan {
        default-action drop
        from lan {
            firewall {
                name lan-wan
            }
        }
        from local {
            firewall {
                name local-wan
            }
        }
        interface eth0
        /* eth0.201 is not defined under interfaces (eth0 has no vif 201) — presumably stale */
        interface eth0.201
        interface pppoe0
        interface eth1
    }
}
// Warning: Do not remove the following line.
// vyos-config-version: "broadcast-relay@1:cluster@1:config-management@1:conntrack@3:conntrack-sync@2:container@1:dhcp-relay@2:dhcp-server@6:dhcpv6-server@1:dns-forwarding@3:firewall@5:https@2:interfaces@22:ipoe-server@1:ipsec@5:isis@1:l2tp@3:lldp@1:mdns@1:nat@5:ntp@1:pppoe-server@5:pptp@2:qos@1:quagga@8:rpki@1:salt@1:snmp@2:ssh@2:sstp@3:system@21:vrrp@2:vyos-accel-ppp@2:wanloadbalance@3:webproxy@2:zone-policy@1"
// Release version: 1.3.4