Failover with NAT

Apologies if this has been asked before - I couldn’t find an answer to exactly this question. Is there a simple way to clear/flush the conntrack table on failover to deal with SNAT / PAT? I’m playing with a simple active/passive configuration where the primary does not require SNAT but when failing to secondary, masquerading to the interface address is required.

The SNAT rule works as expected but when failing from primary to secondary, if there are active connections that get continually refreshed from before the failover (example would be continuous ping), they bypass the NAT check and egress the secondary without being subject to SNAT. You can of course stop the connection and start a new one and everything will work as expected.

Switching in the other direction (secondary to primary) has no issues; the NAT immediately stops even with an active session continuously being refreshed.

Load-balancing wan flush-connections looks like maybe exactly what I’m looking for, but the documentation suggests not using load-balancing with dynamic routing protocols. Is there an equivalent to this without using load-balancing?

There was comment to use hook ⚓ T5647 Extend failover route functionality to use dynamically assigned interface next hops
Needs to add a feature request for hooks

1 Like

Oh, that would be neat. Doesn’t apply exactly to my case, since in my case the primary circuit learns routes via BGP.

If nothing that triggers on route change like this exists, I can probably write a script to poll for neighbor flap and issue sudo conntrack -F or something.

Thanks!

Just wanted to check back in on the off chance that someone else is looking for a solution to similar/same issue; I actually will end up using WAN load balancer to accomplish this, just without any failover rules.

Because it allows me to define shell script as interface test, I can create test to poll BGP neighbor state, then return 1 if not established. Then, using the hook option under wan loadbalance, can invoke shell script to sudo conntrack -F (found that the built in Load-balancing wan flush-connections only flushed expect table, which wasn’t enough).

Something quick and dirty might look like:

set load-balancing wan hook ‘/config/scripts/start-dhcp-failover.sh’
set load-balancing wan interface-health eth1 nexthop ‘dhcp’
set load-balancing wan interface-health eth1 test 10 test-script ‘/config/scripts/test-connection-eth1.sh’
set load-balancing wan interface-health eth1 test 10 type ‘user-defined’

Without rules, it will not actually attempt to policy route.

test-connection-eth1.sh


#!/bin/bash

SHOWBGP=$(vtysh -c "show bgp neighbor <neighbor>")

if [[ ! "$SHOWBGP" =~ "BGP state = Established" ]]; then
    exit 1
else
    exit 0
fi

I looked at using event handler instead, but bgpd actually doesn’t throw much to logs when BGP state changes.

No idea if this is the “right” way to do anything, so I guess use at your own risk.

edit: actually probably need to add check to make sure it doesn’t fire too soon after boot; sometimes it doesn’t like when RIB is polled too early.