Load balancing with two PPPoE WANs fails to publish SSH from internet to the router itself

General questions
1

as documentation about LB & how it interacts with routes, NAT etc is quite confusing I have some questions:

  1. question 1: should I use
...
set interfaces pppoe pppoe0 no-default-route
...
set interfaces pppoe pppoe1 no-default-route

and than add something like:

set protocols static route 0.0.0.0/0 interface pppoe0
set protocols static route 0.0.0.0/0 interface pppoe1

looks odd ))
may be I should just let pppoe connection to automatically add the routes?

  1. Question 2: same odd thing with source NAT. Should have something like:
set nat source rule 100 source address "192.168.0.0/24"
set nat source rule 100 translation address masquerade
set nat source rule 100 outbound-interface pppoe pppoe0

set nat source rule 105 source address "192.168.0.0/24"
set nat source rule 105 translation address masquerade
set nat source rule 105 outbound-interface pppoe pppoe1
  1. and Question 3: why the SSH from the internet to my router on all WANs might not work when I turn LB on?
    while internal servers publications like:
set nat destination rule 12 destination port 1022
set nat destination rule 12 inbound-interface pppoe0 # or pppoe1
set nat destination rule 12 protocol 'tcp'
set nat destination rule 12 translation address "192.168.0.10"
set nat destination rule 12 translation port '22'

work well.

LB looks like:

set load-balancing wan interface-health pppoe0 nexthop 'dhcp'
set load-balancing wan interface-health pppoe1 nexthop 'dhcp'
set load-balancing wan rule 100 inbound-interface 'eth3'
set load-balancing wan rule 100 interface pppoe0 weight 1
set load-balancing wan rule 100 interface pppoe1 weight 1
set load-balancing wan sticky-connections inbound
  1. Question 4: what I might miss?

thank you!

2

  1. When manual configured, you can make one default having better distance than the other. So you can force packets that aren’t using LB logic to go out on single interface. Some linux versions can’t handle equidistant routes well. Even per flow, packets are balanced, which does IP spoofing on incorrect interface, which can be blocked.

  2. NAT isn’t odd. The routing determines which interface the packet leaves, only then rule 100 or 105 kicks in.

  3. Maybe dNAT is handled correct on LB configs.
    Workaround: Add 2 dNAT rules on both wan interfaces, mapping 22 on both WAN1 and WAN2 to lan interface of Vyos.

Disclaimer: Most of my understanding of LB comes from EdgeOS… :face_with_hand_over_mouth:

3

Dear colleague, thank you for your reply!
Will try the workaround you have recommended.
Do you know where NAT handling priority (with LB and firewall) described?

4

The original Codebase

5

Viacheslav, thank you for your reply.
Could you please be more specific or give a hint on what of the questions I’ve asked it helps with. :slight_smile:

6

p3 (dNAT to LAN:22) doesn’t work

7

after I

SSH start working ))
what is the difference with

set protocols static route 0.0.0.0/0 interface pppoe*

?

8

For the difference, compare the routing table for both cases. Hard-coding default route will get default administrative distance, better than pppoe learned default.
Having 2 equidistant default routes might cause issues for non-loadBalanced traffic. Like your ssh session.
Packets might split up 50/50 over both WAN links, effectively breaking communication