OK... I tried your advice today and... no luck at all.
My current config looks like this:
interfaces {
    ethernet eth0 {
        address 192.168.0.1/24
        description INTERNAL-LAN
        duplex auto
        hw-id 14:da:e9:da:bd:3f
        policy {
            route pppoe-mangle-out
        }
        smp_affinity auto
        speed auto
    }
    ethernet eth1 {
        address dhcp
        description WAN1-KOT
        duplex auto
        hw-id 00:40:f4:34:c0:cb
        pppoe 0 {
            default-route auto
            local-address *.*.*.*
            mtu 1492
            name-server auto
            password ****
            policy {
                route pppoe-mangle-in
            }
            user-id ****
        }
        smp_affinity auto
        speed auto
    }
    ethernet eth2 {
        address *.*.*.*/30
        description WAN2-ALEKS
        duplex auto
        hw-id 00:e0:4c:9f:05:bb
        smp_affinity auto
        speed auto
    }
    loopback lo {
    }
}
load-balancing {
    wan {
        disable-source-nat
        flush-connections
        hook /config/scripts/wan-lb-hook.script
        interface-health eth2 {
            failure-count 1
            nexthop *.*.*.*
            success-count 1
            test 10 {
                resp-time 5
                target 8.8.8.8
                ttl-limit 1
                type ping
            }
        }
        interface-health pppoe0 {
            failure-count 1
            nexthop dhcp
            success-count 1
            test 10 {
                resp-time 5
                target 8.8.8.8
                ttl-limit 1
                type ping
            }
        }
        rule 10 {
            failover
            inbound-interface eth0
            interface eth2 {
                weight 1
            }
            interface pppoe0 {
                weight 10
            }
            protocol all
        }
    }
}
policy {
    route pppoe-mangle-in {
        rule 10 {
            protocol tcp
            set {
                tcp-mss 1452
            }
            tcp {
                flags SYN,!RST
            }
        }
    }
    route pppoe-mangle-out {
        rule 10 {
            destination {
                address !192.168.0.0/24
            }
            protocol tcp
            set {
                tcp-mss 1452
            }
            tcp {
                flags SYN,!RST
            }
        }
    }
}
service {
    ssh {
        port 22
    }
}
system {
    config-management {
        commit-revisions 20
    }
    console {
        device ttyS0 {
            speed 9600
        }
    }
    host-name vyos
    login {
        user vyos {
            authentication {
                encrypted-password ****
                plaintext-password ""
            }
            level admin
        }
    }
    ntp {
        server 0.pool.ntp.org {
        }
        server 1.pool.ntp.org {
        }
        server 2.pool.ntp.org {
        }
    }
    package {
        auto-sync 1
        repository community {
            components main
            distribution helium
            password ""
            url http://packages.vyos.net/vyos
            username ""
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone UTC
}
/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "cluster@1:config-management@1:conntrack-sync@1:conntrack@1:cron@1:dhcp-relay@1:dhcp-server@4:firewall@5:ipsec@4:nat@4:qos@1:quagga@2:system@6:vrrp@1:wanloadbalance@3:webgui@1:webproxy@1:zone-policy@1" === $
/* Release version: VyOS 1.1.8 */
And my hook script:
#!/bin/bash
set -e -E -u -o pipefail -o noclobber -o noglob +o braceexpand || exit 1
trap 'printf -- "[ee] failed: %s\n" "${BASH_COMMAND}" >&2' ERR || exit 1
# wan_lb hands the interface and its new state over in the environment, not as arguments
test "${#}" -eq 0
test -n "${WLB_INTERFACE_NAME:?}"
test -n "${WLB_INTERFACE_STATE:?}"
case "${WLB_INTERFACE_STATE}" in
    ( ACTIVE )
        # remove the chain's bare ACCEPT, then let connections that already carry a mark leave the chain early
        iptables -t mangle -D "ISP_${WLB_INTERFACE_NAME}" -j ACCEPT
        iptables -t mangle -I "ISP_${WLB_INTERFACE_NAME}" 1 -j RETURN -m connmark ! --mark 0
        iptables -t mangle -I "ISP_${WLB_INTERFACE_NAME}_IN" -j RETURN -m connmark ! --mark 0
        ;;
    ( FAILED )
        ;;
esac
exit -- 0
Now, if my primary ISP is OK, then I can ping internet resources from the router, but can't do it from a client!
Load balance status:
vyos@vyos:~$ show wan-load-balance
Interface: eth2
Status: active
Last Status Change: Fri Aug 24 06:07:06 2018
+Test: ping Target: 8.8.8.8
Last Interface Success: 0s
Last Interface Failure: n/a
# Interface Failure(s): 0
Interface: pppoe0
Status: active
Last Status Change: Fri Aug 24 06:10:56 2018
+Test: ping Target: 8.8.8.8
Last Interface Success: 0s
Last Interface Failure: 4m47s
# Interface Failure(s): 0
tcpdump:
vyos@vyos:~$ tcpdump
06:17:17.035538 IP pc-34.domain.local.49754 > is.domain.local.ssh: Flags [.], ack 200124, win 2053, length 0
06:17:17.035747 IP pc-34.domain.local.49754 > is.domain.local.ssh: Flags [.], ack 202052, win 2053, length 0
06:17:17.035867 IP pc-34.domain.local.49754 > is.domain.local.ssh: Flags [.], ack 203980, win 2053, length 0
06:17:17.035937 IP pc-34.domain.local.49754 > is.domain.local.ssh: Flags [.], ack 205272, win 2048, length 0
06:17:17.038497 IP sad.domain.local.56918 > google-public-dns-a.google.com.domain: 2774+ A? tsfe.trafficshaping.dsp.mp.microsoft.com. (58)
06:17:17.038592 IP is.domain.local.44458 > ad.domain.local.domain: 32552+ PTR? 8.8.8.8.in-addr.arpa. (38)
06:17:17.039466 IP ad.domain.local.62901 > google-public-dns-a.google.com.domain: 542+ PTR? 8.8.8.8.in-addr.arpa. (38)
06:17:17.050090 IP pc-34.domain.local.49754 > is.domain.local.ssh: Flags [P.], seq 409:493, ack 205272, win 2048, length 84
06:17:17.050108 IP pc-34.domain.local.49754 > is.domain.local.ssh: Flags [P.], seq 493:545, ack 205272, win 2048, length 52
06:17:17.050127 IP is.domain.local.ssh > pc-34.domain.local.49754: Flags [.], ack 545, win 821, length 0
06:17:17.050152 IP is.domain.local.ssh > pc-34.domain.local.49754: Flags [P.], seq 205272:205440, ack 545, win 821, length 168
06:17:17.050174 IP is.domain.local.ssh > pc-34.domain.local.49754: Flags [P.], seq 205440:206228, ack 545, win 821, length 788
06:17:17.050958 ARP, Request who-has is.domain.local (14:da:e9:da:bd:3f (oui Unknown)) tell pc-24.domain.local, length 46
06:17:17.050970 ARP, Reply is.domain.local is-at 14:da:e9:da:bd:3f (oui Unknown), length 28
06:17:17.051042 IP pc-34.domain.local.49754 > is.domain.local.ssh: Flags [.], ack 206228, win 2053, length 0
06:17:17.053385 IP pc-15.domain.local.49753 > 157.55.56.142.40027: Flags [S], seq 3111884987, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
06:17:17.058432 IP pc-34.domain.local.49754 > is.domain.local.ssh: Flags [P.], seq 545:629, ack 206228, win 2053, length 84
06:17:17.058450 IP pc-34.domain.local.49754 > is.domain.local.ssh: Flags [P.], seq 629:681, ack 206228, win 2053, length 52
06:17:17.058470 IP is.domain.local.ssh > pc-34.domain.local.49754: Flags [.], ack 681, win 821, length 0
06:17:17.058489 IP is.domain.local.ssh > pc-34.domain.local.49754: Flags [P.], seq 206228:206264, ack 681, win 821, length 36
06:17:17.064049 IP pc-32.domain.local.49906 > 185.72.247.32.socks: Flags [S], seq 3224682067, win 17520, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
06:17:17.067752 IP pc-32.domain.local.49907 > 185.72.247.32.socks: Flags [S], seq 540582427, win 17520, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
06:17:17.087120 IP pc-24.domain.local.62251 > google-public-dns-a.google.com.domain: 15578+ A? google.com. (28)
06:17:17.087665 IP ad.domain.local.61357 > google-public-dns-a.google.com.domain: 37763+ A? google.com. (28)
06:17:17.089233 IP pc-24.domain.local.60287 > 104.130.209.20.9095: Flags [S], seq 771173741, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
06:17:17.089458 IP pc-24.domain.local.60288 > 104.130.211.185.1457: Flags [S], seq 698906952, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
06:17:17.089669 IP pc-24.domain.local.60289 > 23.253.156.234.3398: Flags [S], seq 2839844023, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
1204 packets captured
6644 packets received by filter
5410 packets dropped by kernel
Messages from the log:
vyos@vyos:~$ tail /var/log/messages
Aug 24 06:10:56 vyos wan_lb: Interface pppoe0 has changed state to ACTIVE
Aug 24 06:10:56 vyos wan_lb: executing script: /config/scripts/wan-lb-hook.script
Aug 24 06:11:07 vyos wan_lb: wan_lb, rechecking interfaces...
Aug 24 06:18:02 vyos wan_lb: wan_lb, rechecking interfaces...
ip route:
vyos@vyos:~$ ip route get 8.8.8.8
8.8.8.8 dev pppoe0 src 88.87.90.54
cache
iptables:
vyos@vyos:~$ iptables --list
Chain INPUT (policy ACCEPT)
target prot opt source destination
VYATTA_PRE_FW_IN_HOOK all -- anywhere anywhere
VYATTA_POST_FW_IN_HOOK all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
VYATTA_PRE_FW_FWD_HOOK all -- anywhere anywhere
VYATTA_POST_FW_FWD_HOOK all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
VYATTA_PRE_FW_OUT_HOOK all -- anywhere anywhere
VYATTA_POST_FW_OUT_HOOK all -- anywhere anywhere
Chain VYATTA_POST_FW_FWD_HOOK (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain VYATTA_POST_FW_IN_HOOK (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain VYATTA_POST_FW_OUT_HOOK (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain VYATTA_PRE_FW_FWD_HOOK (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain VYATTA_PRE_FW_IN_HOOK (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain VYATTA_PRE_FW_OUT_HOOK (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Now I turn off ISP1, and now I can't ping anything on the internet, even from the router.
Load balancer status:
vyos@vyos:~$ show wan-load-balance
Interface: eth2
Status: active
Last Status Change: Fri Aug 24 06:07:06 2018
+Test: ping Target: 8.8.8.8
Last Interface Success: 0s
Last Interface Failure: n/a
# Interface Failure(s): 0
Interface: pppoe0
Status: failed
Last Status Change: Fri Aug 24 06:21:05 2018
-Test: ping Target: 8.8.8.8
Last Interface Success: 7s
Last Interface Failure: 0s
# Interface Failure(s): 1
ip route:
vyos@vyos:~$ ip route get 8.8.8.8
8.8.8.8 dev pppoe0 src 88.87.90.54
cache
iptables:
vyos@vyos:~$ iptables --list
Chain INPUT (policy ACCEPT)
target prot opt source destination
VYATTA_PRE_FW_IN_HOOK all -- anywhere anywhere
VYATTA_POST_FW_IN_HOOK all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
VYATTA_PRE_FW_FWD_HOOK all -- anywhere anywhere
VYATTA_POST_FW_FWD_HOOK all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
VYATTA_PRE_FW_OUT_HOOK all -- anywhere anywhere
VYATTA_POST_FW_OUT_HOOK all -- anywhere anywhere
Chain VYATTA_POST_FW_FWD_HOOK (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain VYATTA_POST_FW_IN_HOOK (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain VYATTA_POST_FW_OUT_HOOK (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain VYATTA_PRE_FW_FWD_HOOK (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain VYATTA_PRE_FW_IN_HOOK (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain VYATTA_PRE_FW_OUT_HOOK (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Messages from the log:
Aug 24 06:21:05 vyos wan_lb: Interface pppoe0 has changed state to FAILED
Aug 24 06:21:05 vyos wan_lb: executing script: /config/scripts/wan-lb-hook.script
Aug 24 06:22:14 vyos pppd[4208]: Serial link appears to be disconnected.
Aug 24 06:22:14 vyos zebra[2635]: interface pppoe0 index 5 changed <POINTOPOINT,NOARP,MULTICAST>.
Aug 24 06:22:15 vyos pluto[4269]: shutting down
Aug 24 06:22:15 vyos pluto[4269]: forgetting secrets
Aug 24 06:22:15 vyos pluto[4269]: "remote-access-mac-zzz": deleting connection
Aug 24 06:22:15 vyos pluto[4269]: "remote-access-win-aaa": deleting connection
Aug 24 06:22:15 vyos pluto[4269]: shutting down interface lo/lo ::1
Aug 24 06:22:15 vyos pluto[4269]: shutting down interface lo/lo 127.0.0.1
Aug 24 06:22:15 vyos pluto[4269]: shutting down interface lo/lo 127.0.0.1
Aug 24 06:22:15 vyos pluto[4269]: shutting down interface eth0/eth0 192.168.0.1
Aug 24 06:22:15 vyos pluto[4269]: shutting down interface eth0/eth0 192.168.0.1
Aug 24 06:22:15 vyos pluto[4269]: shutting down interface eth2/eth2 ...
Aug 24 06:22:15 vyos pluto[4269]: shutting down interface eth2/eth2 ...
Aug 24 06:22:15 vyos pluto[4269]: shutting down interface pppoe0/pppoe0 ...
Aug 24 06:22:15 vyos pluto[4269]: shutting down interface pppoe0/pppoe0 ...
Aug 24 06:22:15 vyos ipsec_starter[4268]: pluto stopped after 20 ms
Aug 24 06:22:15 vyos ipsec_starter[4268]: charon stopped after 200 ms
Aug 24 06:22:15 vyos ipsec_starter[4268]: ipsec starter stopped
Aug 24 06:22:16 vyos wan_lb: wan_lb: error on sending icmp packet: 101
Aug 24 06:22:18 vyos ipsec_starter[5577]: Starting strongSwan 4.5.2 IPsec [starter]...
Aug 24 06:22:18 vyos ipsec_starter[5577]: no default route - cannot cope with %defaultroute!!!
Aug 24 06:22:18 vyos pluto[5597]: Starting IKEv1 pluto daemon (strongSwan 4.5.2) THREADS SMARTCARD VENDORID CISCO_QUIRKS
Aug 24 06:22:18 vyos pluto[5597]: including NAT-Traversal patch (Version 0.6c)
Aug 24 06:22:18 vyos pluto[5597]: failed to load pkcs11 module '/usr/lib/opensc-pkcs11.so'
Aug 24 06:22:18 vyos ipsec_starter[5596]: pluto (5597) started after 20 ms
Aug 24 06:22:18 vyos ipsec_starter[5596]: charon (5647) started after 20 ms
Aug 24 06:22:18 vyos pluto[5597]: Changing to directory '/etc/ipsec.d/crls'
Aug 24 06:22:18 vyos pluto[5597]: loading secrets from "/etc/ipsec.secrets"
Aug 24 06:22:18 vyos pluto[5597]: loading secrets from "/etc/dmvpn.secrets"
Aug 24 06:22:18 vyos pluto[5597]: loaded PSK secret for 88.87.90.54 %any
Aug 24 06:22:18 vyos pluto[5597]: Changing to directory '/etc/ipsec.d/crls'
Aug 24 06:22:18 vyos pluto[5597]: listening for IKE messages
Aug 24 06:22:18 vyos pluto[5597]: adding interface eth2/eth2 ...:500
Aug 24 06:22:18 vyos pluto[5597]: adding interface eth2/eth2 ...:4500
Aug 24 06:22:18 vyos pluto[5597]: adding interface eth0/eth0 192.168.0.1:500
Aug 24 06:22:18 vyos pluto[5597]: adding interface eth0/eth0 192.168.0.1:4500
Aug 24 06:22:18 vyos pluto[5597]: adding interface lo/lo 127.0.0.1:500
Aug 24 06:22:18 vyos pluto[5597]: adding interface lo/lo 127.0.0.1:4500
Aug 24 06:22:18 vyos pluto[5597]: adding interface lo/lo ::1:500
Aug 24 06:22:18 vyos pluto[5597]: forgetting secrets
Aug 24 06:22:18 vyos pluto[5597]: loading secrets from "/etc/ipsec.secrets"
Aug 24 06:22:18 vyos pluto[5597]: loading secrets from "/etc/dmvpn.secrets"
Aug 24 06:22:18 vyos pluto[5597]: loaded PSK secret for ... %any
Aug 24 06:22:18 vyos pluto[5597]: added connection description "remote-access-win-aaa"
Aug 24 06:22:18 vyos pluto[5597]: added connection description "remote-access-mac-zzz"
Aug 24 06:22:18 vyos pluto[5597]: the protocol must be the same for leftport and rightport
Aug 24 06:22:18 vyos ntpd[4390]: ntpd exiting on signal 15
Aug 24 06:22:20 vyos ntpd[5716]: ntpd 4.2.6p2@1.2194-o Fri Oct 13 03:32:58 UTC 2017 (1)
Aug 24 06:22:20 vyos ntpd[5717]: proto: precision = 0.106 usec
Aug 24 06:22:21 vyos pppd[4208]: Connection terminated: no multilink.
Aug 24 06:22:21 vyos zebra[2635]: interface pppoe0 index 5 deleted.
Aug 24 06:22:21 vyos ripd[2637]: interface delete pppoe0 index 5 flags 0x1090 metric 1 mtu 1492
Aug 24 06:22:21 vyos ripngd[2639]: interface delete pppoe0 index 5 flags 0x1090 metric 1 mtu 1492
Aug 24 06:22:21 vyos pppd[4208]: Modem hangup
Aug 24 06:22:27 vyos wan_lb: wan_lb: failure to bind to interface: pppoe0
Aug 24 06:23:00 vyos wan_lb: last message repeated 3 times
Aug 24 06:23:26 vyos wan_lb: last message repeated 2 times
Aug 24 06:23:26 vyos pppd[4208]: Timeout waiting for PADO packets
Aug 24 06:23:26 vyos pppd[4208]: Unable to complete PPPoE Discovery
Aug 24 06:23:28 vyos ntpd_intres[5735]: host name not found: 0.pool.ntp.org
Aug 24 06:23:33 vyos wan_lb: wan_lb: failure to bind to interface: pppoe0
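The symptom in the post is that after pppoe0 goes FAILED, `ip route get 8.8.8.8` still selects pppoe0. The following is an added diagnostic (not the poster's or VyOS's own code) that parses the two outputs shown above and reports when the kernel route disagrees with the load balancer's state; the sample inputs are constructed from the post's output.

```python
import re

# Constructed sample, abridged from the outputs above after ISP1 was switched off.
WLB_STATUS = """\
Interface: eth2
Status: active
+Test: ping Target: 8.8.8.8
# Interface Failure(s): 0
Interface: pppoe0
Status: failed
-Test: ping Target: 8.8.8.8
# Interface Failure(s): 1
"""
ROUTE_GET = "8.8.8.8 dev pppoe0 src 88.87.90.54"


def parse_wlb_status(text):
    """Map interface -> state ('active'/'failed') from 'show wan-load-balance'."""
    status, current = {}, None
    for line in text.splitlines():
        m = re.match(r"Interface:\s+(\S+)", line)
        if m:
            current = m.group(1)
        m = re.match(r"Status:\s+(\S+)", line)
        if m and current:
            status[current] = m.group(1).lower()
    return status


def parse_route_dev(text):
    """Egress device from 'ip route get <dst>'; None if the kernel has no route."""
    m = re.search(r"\bdev\s+(\S+)", text)
    return m.group(1) if m else None


def check_failover(wlb_text, route_text):
    """Cross-check the balancer's view with the kernel route; [] means consistent."""
    status = parse_wlb_status(wlb_text)
    dev = parse_route_dev(route_text)
    if dev is None:
        return ["no route to target"]
    if dev not in status:
        return [f"route uses {dev}, which is not a WLB interface"]
    if status[dev] != "active":
        active = ", ".join(sorted(i for i, s in status.items() if s == "active")) or "none"
        return [f"route uses {dev} (WLB state {status[dev]}) although active interfaces are: {active}"]
    return []


if __name__ == "__main__":
    print(check_failover(WLB_STATUS, ROUTE_GET))
```

On a live router, feed it the real command output (for example via `subprocess.run(["ip", "route", "get", "8.8.8.8"], capture_output=True, text=True).stdout`) after each state change logged by wan_lb.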