Recommended way to set up WAN Load Balancing for Containers

I’m testing out the new WAN load balancing in VyOS 1.5, and I’m not sure how to get it to impact containers that are using host networking.

I’ve added enable-local-traffic and, to test, created an inbound-interface lo rule with a destination of 1.1.1.1.
But if I ping 1.1.1.1 from inside the container, the counters in show wan-load-balance status do not climb at all.

Has anyone got something similar to work?

 wan {
     enable-local-traffic
     interface-health eth0 {
         nexthop dhcp
     }
     interface-health eth1 {
         nexthop dhcp
     }
     rule 1 {
         failover
         inbound-interface eth2
         interface eth0 {
             weight 2
         }
         interface eth1 {
             weight 1
         }
     }
     rule 2 {
         destination {
             address 1.1.1.1
         }
         failover
         inbound-interface lo
         interface eth0 {
             weight 2
         }
         interface eth1 {
             weight 1
         }
     }
 }

Run tcpdump to verify whether packets actually cross the lo interface.
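A diagnostic to go with the tcpdump suggestion, added here as an example and not taken from this thread: it captures ICMP to the test destination on lo and on each WAN interface at the same time, runs a probe ping from inside the host-network container, and parses tcpdump's "N packets captured" summary to report where the traffic appeared. The container name "probe", podman as the runtime, and the presence of tcpdump and timeout on the VyOS host are assumptions.

```shell
#!/bin/sh
# Added diagnostic (not from the thread): captures on lo and on each WAN
# interface while a probe ping runs from inside the host-network container,
# then reports where the packets showed up.
# Assumptions not stated in the thread: podman is the runtime, the container is
# named "probe", and tcpdump and timeout exist on the VyOS host.

DST=${DST:-1.1.1.1}
IFACES=${IFACES:-"lo eth0 eth1"}
CONTAINER=${CONTAINER:-probe}
SECS=5

# Pull N out of tcpdump's "N packet(s) captured" summary; 0 if absent.
parse_captured() {
    n=$(printf '%s\n' "$1" |
        sed -n 's/^\([0-9][0-9]*\) packets\{0,1\} captured.*/\1/p' | head -n 1)
    printf '%s\n' "${n:-0}"
}

# Interpret counts: seen on a WAN interface but never on lo means an
# inbound-interface lo rule has nothing to match.
verdict() {
    if [ "$1" -gt 0 ]; then echo "crosses-lo"
    elif [ "$2" -gt 0 ]; then echo "bypasses-lo"
    else echo "no-traffic"
    fi
}

# Capture ICMP to $DST on one interface for $SECS seconds; print the count.
capture_on() {
    out=$(timeout "$SECS" tcpdump -ni "$1" -w /dev/null \
        "icmp and dst host $DST" 2>&1)
    parse_captured "$out"
}

main() {
    for i in $IFACES; do capture_on "$i" > "/tmp/wlb_$i" & done
    ( sleep 1; podman exec "$CONTAINER" ping -c 3 -W 1 "$DST" ) >/dev/null 2>&1 &
    wait
    lo=0; wan=0
    for i in $IFACES; do
        c=$(cat "/tmp/wlb_$i"); printf '%-12s %s packets to %s\n' "$i" "$c" "$DST"
        if [ "$i" = lo ]; then lo=$c; else wan=$((wan + c)); fi
    done
    echo "verdict: $(verdict "$lo" "$wan")"
}

# Run only when invoked as "sh wlb-probe.sh run" so the helpers can be sourced.
case "${1:-}" in run) main ;; esac
```

Run it as root on the VyOS host with `sh wlb-probe.sh run`; a "bypasses-lo" verdict means the inbound-interface lo rule never sees the container's traffic.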

What I did was:

set container network cntr-net description 'VyOS Container Network'
set container network cntr-net no-name-server
set container network cntr-net prefix '172.8.8.0/24'

This cntr-net network translates to the following in Podman:

# ip l | grep cntr-net
28: pod-cntr-net: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000

Note that the interface name is the container network name with pod- prepended. I then use the pod-cntr-net interface in all my rules.

That would work. Unfortunately I need my container to run on the host network as it does some layer 2 stuff.

@16again the packets do not cross the lo interface, they only hit the WAN interface. So that rule is probably completely useless.

I’m not sure about the enable-local-traffic and how that’s supposed to work. The current version of WAN load balancing — VyOS 1.5.x (circinus) documentation does not even mention it, despite it still existing in the config system.

Edit: it looks like the solution might be to use protocols failover route. Will test it out when I have a minute.

Well it looks like protocols failover route doesn’t have a way to work with DHCP WANs. So it’s kind of out of the question in my scenario.