Problems when I have LB and NAT together

Hi Guys,
I have been reading a lot of the documentation about it, but I don’t know what is wrong.
When I try ssh from 172.20.20.2 (DMZ network) to the outside internet, the SNAT gets 201.XX.201.93 or 182.208.XX.154 when it should be 201.XX.201.92 or 182.208.XX.156. If I delete load-balancing I get the correct behavior.

vyos@VoIP# run show version 

Version:          VyOS 1.4-rolling-202206051402
Release train:    sagitta

Built by:         autobuild@vyos.net
Built on:         Sun 05 Jun 2022 14:02 UTC
Build UUID:       02388a81-5d8d-48af-9737-b509d460c209
Build commit ID:  467062897966e7

Architecture:     x86_64
Boot via:         installed image
System type:      bare metal

Hardware vendor:  To be filled by O.E.M.
Hardware model:   To be filled by O.E.M.
Hardware S/N:     To be filled by O.E.M.
Hardware UUID:    03000200-0400-0500-0006-000700080009

Copyright:        VyOS maintainers and contributors
[edit]

vyos@VoIP:~$ show configuration commands 
set interfaces ethernet eth0 address '201.XX.201.93/29'
set interfaces ethernet eth0 address '201.XX.201.92/29'
set interfaces ethernet eth0 description 'Algar'
set interfaces ethernet eth0 hw-id '00:90:27:e6:32:da'
set interfaces ethernet eth1 address '186.208.XX.154/29'
set interfaces ethernet eth1 address '186.208.XX.156/29'
set interfaces ethernet eth1 description 'Veloo'
set interfaces ethernet eth1 hw-id '00:90:27:e6:32:db'
set interfaces ethernet eth2 address '172.20.20.1/24'
set interfaces ethernet eth2 description 'DMZ'
set interfaces ethernet eth2 hw-id '00:90:27:e6:32:dc'
set interfaces ethernet eth3 address '172.21.21.1/24'
set interfaces ethernet eth3 description 'Interno'
set interfaces ethernet eth3 hw-id '00:90:27:e6:32:dd'
set interfaces ethernet eth4 hw-id '00:90:27:e6:32:de'
set interfaces ethernet eth5 hw-id '00:90:27:e6:32:df'
set interfaces loopback lo
set interfaces wireless wlan0 hw-id '1c:4b:d6:6d:d9:d9'
set interfaces wireless wlan0 physical-device 'phy0'
set load-balancing wan interface-health eth0 failure-count '1'
set load-balancing wan interface-health eth0 nexthop '201.XX.201.94'
set load-balancing wan interface-health eth0 success-count '1'
set load-balancing wan interface-health eth1 failure-count '1'
set load-balancing wan interface-health eth1 nexthop '186.208.XX.153'
set load-balancing wan interface-health eth1 success-count '1'
set load-balancing wan rule 10 failover
set load-balancing wan rule 10 inbound-interface 'eth2'
set load-balancing wan rule 10 interface eth0 weight '1'
set load-balancing wan rule 10 interface eth1 weight '1'
set load-balancing wan rule 10 protocol 'all'
set load-balancing wan rule 20 failover
set load-balancing wan rule 20 inbound-interface 'eth3'
set load-balancing wan rule 20 interface eth0 weight '1'
set load-balancing wan rule 20 interface eth1 weight '1'
set load-balancing wan rule 20 protocol 'all'
set nat destination rule 5000 destination address '201.XX.201.92'
set nat destination rule 5000 inbound-interface 'eth0'
set nat destination rule 5000 translation address '172.20.20.2'
set nat destination rule 6000 destination address '186.208.XX.156'
set nat destination rule 6000 inbound-interface 'eth1'
set nat destination rule 6000 translation address '172.20.20.2'
set nat source rule 1000 outbound-interface 'eth0'
set nat source rule 1000 source address '172.21.21.0/24'
set nat source rule 1000 translation address '201.XX.201.93'
set nat source rule 2000 outbound-interface 'eth0'
set nat source rule 2000 source address '172.21.21.0/24'
set nat source rule 2000 translation address '186.208.XX.154'
set nat source rule 3000 outbound-interface 'eth0'
set nat source rule 3000 source address '172.20.20.2'
set nat source rule 3000 translation address '201.XX.201.92'
set nat source rule 4000 outbound-interface 'eth1'
set nat source rule 4000 source address '172.20.20.2'
set nat source rule 4000 translation address '186.208.XX.156'
set service ssh port '22'
set system config-management commit-revisions '100'
set system conntrack modules ftp
set system conntrack modules h323
set system conntrack modules nfs
set system conntrack modules pptp
set system conntrack modules sip
set system conntrack modules sqlnet
set system conntrack modules tftp
set system console device ttyS0 speed '115200'
set system host-name 'VoIPforAll'
set system login user vyos authentication encrypted-password '$6$aQ5CAXVfXaTrnOQd$8Gy2quOD.JpyiWPkdTVA00YAcWAksgT73utuuK2l380ykCrvBi/VLaeJPvE6xnbajWTG9Vgr9mtvKiYdpQB1j1'
set system login user vyos authentication plaintext-password ''
set system ntp server time1.vyos.net
set system ntp server time2.vyos.net
set system ntp server time3.vyos.net
set system syslog global facility all level 'info'
set system syslog global facility protocols level 'debug'
set system time-zone 'America/Maceio'

Best regards,

I would start from:

set load-balancing wan disable-source-nat

Not sure if this is the only reason, but definitely a good point for the beginning.


Thank you so much for your support, Sir. The behavior is correct now; however, when my main interface (eth0) is down, I can't access my DMZ network from the Internet (incoming connection). I'm almost there :wink:

Source NAT rules 2000 and 3000 have the same outbound interface. Is that correct? It seems one should be eth0 and the other eth1.

No Sir, that isn’t correct. The rule 2000 should be:

set nat source rule 2000 outbound-interface 'eth1'
set nat source rule 2000 source address '172.21.21.0/24'
set nat source rule 2000 translation address '186.208.XX.154'

Thank you for your support.
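As an added check, not from the thread or from VyOS itself: a small linter over `show configuration commands` output that flags source NAT rules whose translation address does not lie on any subnet of the rule's outbound interface, which is exactly how rule 2000 in the original config (outbound eth0, translating to an eth1 address) would have been caught. The sample config is constructed and trimmed to the lines the check needs, with RFC 5737 documentation ranges standing in for the redacted public addresses.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample of `show configuration commands` output, modelled on the
# thread's configuration. The poster's public addresses are redacted (XX), so
# RFC 5737 documentation ranges stand in for them here.
SAMPLE_CONFIG = """
set interfaces ethernet eth0 address '203.0.113.93/29'
set interfaces ethernet eth0 address '203.0.113.92/29'
set interfaces ethernet eth1 address '198.51.100.154/29'
set interfaces ethernet eth1 address '198.51.100.156/29'
set nat source rule 1000 outbound-interface 'eth0'
set nat source rule 1000 translation address '203.0.113.93'
set nat source rule 2000 outbound-interface 'eth0'
set nat source rule 2000 translation address '198.51.100.154'
set nat source rule 3000 outbound-interface 'eth0'
set nat source rule 3000 translation address '203.0.113.92'
set nat source rule 4000 outbound-interface 'eth1'
set nat source rule 4000 translation address '198.51.100.156'
"""

ADDR_RE = re.compile(r"^set interfaces ethernet (\S+) address '([^']+)'$")
SNAT_RE = re.compile(r"^set nat source rule (\d+) (outbound-interface|translation address) '([^']+)'$")


def parse(config):
    """Collect each interface's subnets and each SNAT rule's relevant fields."""
    iface_nets = defaultdict(list)
    rules = defaultdict(dict)
    for line in config.strip().splitlines():
        if m := ADDR_RE.match(line):
            # '203.0.113.93/29' -> the /29 network that address sits in
            iface_nets[m.group(1)].append(ipaddress.ip_interface(m.group(2)).network)
        elif m := SNAT_RE.match(line):
            rules[int(m.group(1))][m.group(2)] = m.group(3)
    return iface_nets, rules


def find_mismatched_snat(config):
    """Return SNAT rule numbers whose translation address is not on the outbound interface."""
    iface_nets, rules = parse(config)
    bad = []
    for num, r in sorted(rules.items()):
        oif, taddr = r.get("outbound-interface"), r.get("translation address")
        if oif is None or taddr is None:
            continue  # rule lacks one of the fields we check; skip it
        if not any(ipaddress.ip_address(taddr) in net for net in iface_nets.get(oif, [])):
            bad.append(num)
    return bad
```

Running `find_mismatched_snat(SAMPLE_CONFIG)` returns `[2000]`; once rule 2000's outbound interface is changed to eth1 as the thread suggests, it returns an empty list.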

Apparently, I've solved the issue by following:
https://docs.vyos.io/en/equuleus/configuration/loadbalancing/index.html#sticky-connections

The final configuration for the first part is the following:

vyos@VoIP:~$ show configuration commands
set interfaces ethernet eth0 address '201.XX.201.93/29'
set interfaces ethernet eth0 address '201.XX.201.92/29'
set interfaces ethernet eth0 description 'Algar'
set interfaces ethernet eth0 hw-id '00:90:27:e6:32:da'
set interfaces ethernet eth1 address '186.208.XX.154/29'
set interfaces ethernet eth1 address '186.208.XX.156/29'
set interfaces ethernet eth1 description 'Veloo'
set interfaces ethernet eth1 hw-id '00:90:27:e6:32:db'
set interfaces ethernet eth2 address '172.20.20.1/24'
set interfaces ethernet eth2 description 'DMZ'
set interfaces ethernet eth2 hw-id '00:90:27:e6:32:dc'
set interfaces ethernet eth3 address '172.21.21.1/24'
set interfaces ethernet eth3 description 'Interno'
set interfaces ethernet eth3 hw-id '00:90:27:e6:32:dd'
set interfaces ethernet eth4 hw-id '00:90:27:e6:32:de'
set interfaces ethernet eth5 hw-id '00:90:27:e6:32:df'
set interfaces loopback lo
set interfaces wireless wlan0 hw-id '1c:4b:d6:6d:d9:d9'
set interfaces wireless wlan0 physical-device 'phy0'
set load-balancing wan disable-source-nat
set load-balancing wan interface-health eth0 failure-count '1'
set load-balancing wan interface-health eth0 nexthop '201.XX.201.94'
set load-balancing wan interface-health eth0 success-count '1'
set load-balancing wan interface-health eth1 failure-count '1'
set load-balancing wan interface-health eth1 nexthop '186.208.XX.153'
set load-balancing wan interface-health eth1 success-count '1'
set load-balancing wan rule 10 failover
set load-balancing wan rule 10 inbound-interface 'eth2'
set load-balancing wan rule 10 interface eth0 weight '1'
set load-balancing wan rule 10 interface eth1 weight '1'
set load-balancing wan rule 10 protocol 'all'
set load-balancing wan rule 20 failover
set load-balancing wan rule 20 inbound-interface 'eth3'
set load-balancing wan rule 20 interface eth0 weight '1'
set load-balancing wan rule 20 interface eth1 weight '1'
set load-balancing wan rule 20 protocol 'all'
set load-balancing wan sticky-connections inbound
set nat destination rule 5000 destination address '201.XX.201.92'
set nat destination rule 5000 inbound-interface 'eth0'
set nat destination rule 5000 translation address '172.20.20.2'
set nat destination rule 6000 destination address '186.208.XX.156'
set nat destination rule 6000 inbound-interface 'eth1'
set nat destination rule 6000 translation address '172.20.20.2'
set nat source rule 1000 outbound-interface 'eth0'
set nat source rule 1000 source address '172.21.21.0/24'
set nat source rule 1000 translation address '201.XX.201.93'
set nat source rule 2000 outbound-interface 'eth1'
set nat source rule 2000 source address '172.21.21.0/24'
set nat source rule 2000 translation address '186.208.XX.154'
set nat source rule 3000 outbound-interface 'eth0'
set nat source rule 3000 source address '172.20.20.2'
set nat source rule 3000 translation address '201.XX.201.92'
set nat source rule 4000 outbound-interface 'eth1'
set nat source rule 4000 source address '172.20.20.2'
set nat source rule 4000 translation address '186.208.XX.156'
set service ssh port '22'
set system config-management commit-revisions '100'
set system conntrack modules ftp
set system conntrack modules h323
set system conntrack modules nfs
set system conntrack modules pptp
set system conntrack modules sip
set system conntrack modules sqlnet
set system conntrack modules tftp
set system console device ttyS0 speed '115200'
set system host-name 'VoIPforAll'
set system login user vyos authentication encrypted-password '$6$aQ5CAXVfXaTrnOQd$8Gy2quOD.JpyiWPkdTVA00YAcWAksgT73utuuK2l380ykCrvBi/VLaeJPvE6xnbajWTG9Vgr9mtvKiYdpQB1j1'
set system login user vyos authentication plaintext-password ''
set system ntp server time1.vyos.net
set system ntp server time2.vyos.net
set system ntp server time3.vyos.net
set system syslog global facility all level 'info'
set system syslog global facility protocols level 'debug'
set system time-zone 'America/Maceio'

Now I'm looking into how to implement the firewall and OpenVPN.