I’ve made a quick diff between the rules in earlier posts and the rules in your last message:
For NAT:
--- /tmp/nat-working 2018-06-24 20:40:26.950962472 +0300
+++ /tmp/nat-glitchy 2018-06-24 20:42:16.340855176 +0300
@@ -1,27 +1,28 @@
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-N VYATTA_PRE_DNAT_HOOK
-N VYATTA_PRE_SNAT_HOOK
-N WANLOADBALANCE
-A PREROUTING -j VYATTA_PRE_DNAT_HOOK
-A PREROUTING -d isp1.ip1.xx.xx/32 -i eth0 -p tcp -m tcp --dport 88 -m comment --comment DST-NAT-510 -j DNAT --to-destination 192.168.0.xxx:8888
-A PREROUTING -d isp2.ip2.yy.yy/32 -i eth1 -p tcp -m tcp --dport 88 -m comment --comment DST-NAT-511 -j DNAT --to-destination 192.168.0.xxx:8888
-A PREROUTING -d isp1.ip1.xx.xx/32 -p tcp -m multiport --dports 80,443,25,465,110,995,143,993,21,40110:40210 -m comment --comment DST-NAT-700 -j DNAT --to-destination 192.168.1.3
-A PREROUTING -d isp1.ip1.xx.xx/32 -p tcp -m tcp --dport 53 -m comment --comment "DST-NAT-705 tcp_udp" -j DNAT --to-destination 192.168.1.3
-A PREROUTING -d isp1.ip1.xx.xx/32 -p udp -m udp --dport 53 -m comment --comment "DST-NAT-705 tcp_udp" -j DNAT --to-destination 192.168.1.3
-A PREROUTING -d isp2.ip2.yy.yy/32 -p tcp -m multiport --dports 80,443,25,465,110,995,143,993,21,40110:40210 -m comment --comment DST-NAT-710 -j DNAT --to-destination 192.168.1.3
-A PREROUTING -d isp2.ip2.yy.yy/32 -p tcp -m tcp --dport 53 -m comment --comment "DST-NAT-715 tcp_udp" -j DNAT --to-destination 192.168.1.3
-A PREROUTING -d isp2.ip2.yy.yy/32 -p udp -m udp --dport 53 -m comment --comment "DST-NAT-715 tcp_udp" -j DNAT --to-destination 192.168.1.3
-A PREROUTING -d isp1.ip1.xx.xx/32 -i eth0 -p tcp -m tcp --dport 10xxx -m comment --comment DST-NAT-720 -j DNAT --to-destination 192.168.1.3:22
-A PREROUTING -d isp2.ip2.yy.yy/32 -i eth1 -p tcp -m tcp --dport 10xxx -m comment --comment DST-NAT-721 -j DNAT --to-destination 192.168.1.3:22
-A PREROUTING -d isp1.ip1.xx.xx/32 -p tcp -m tcp --dport 10yy -m comment --comment DST-NAT-722 -j DNAT --to-destination 192.168.1.3:8080
-A PREROUTING -d isp2.ip2.yy.yy/32 -p tcp -m tcp --dport 10yy -m comment --comment DST-NAT-723 -j DNAT --to-destination 192.168.1.3:8080
-A POSTROUTING -j VYATTA_PRE_SNAT_HOOK
-A POSTROUTING -s 192.168.0.0/24 -d 192.168.0.0/24 -o eth3 -m comment --comment SRC-NAT-150 -j MASQUERADE
+-A POSTROUTING -s 192.168.1.0/24 -d 192.168.1.0/24 -o eth2 -m comment --comment SRC-NAT-151 -j MASQUERADE
-A VYATTA_PRE_DNAT_HOOK -j RETURN
-A VYATTA_PRE_SNAT_HOOK -j WANLOADBALANCE
-A VYATTA_PRE_SNAT_HOOK -j RETURN
-A WANLOADBALANCE -m connmark --mark 0x1 -j SNAT --to-source isp1.ip1.xx.xx
-A WANLOADBALANCE -m connmark --mark 0x2 -j SNAT --to-source isp2.ip2.yy.yy
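Review bot: the leading context space of the unified diff has been lost in this paste, so every line starting with -P, -N or -A is unchanged iptables output (the dash is the iptables flag), not a deletion; the @@ -1,27 +1,28 @@ header confirms the only difference is the single added line "-A POSTROUTING -s 192.168.1.0/24 -d 192.168.1.0/24 -o eth2 -m comment --comment SRC-NAT-151 -j MASQUERADE". That rule mirrors SRC-NAT-150 on eth3 and matches only hairpinned traffic (source and destination both in 192.168.1.0/24, leaving via eth2), so it is the expected companion to the DST-NAT rules that point at 192.168.1.3. Worth saying in the post: because POSTROUTING jumps to VYATTA_PRE_SNAT_HOOK (and thus WANLOADBALANCE) before reaching SRC-NAT-151, the hairpin rule only takes effect for connections the mangle table left unmarked, and masquerading LAN-to-LAN traffic means 192.168.1.3 will log every hairpinned connection with the router's eth2 address as the source rather than the real client, which matters when reading its access logs.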
For mangle:
--- /tmp/mangle-working 2018-06-24 20:40:26.950962472 +0300
+++ /tmp/mangle-glitchy 2018-06-24 20:42:16.340855176 +0300
@@ -1,30 +1,32 @@
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-N ISP_eth0
-N ISP_eth0_IN
-N ISP_eth1
-N ISP_eth1_IN
-N WANLOADBALANCE_PRE
-A PREROUTING -i eth1 -m state --state NEW -j ISP_eth1_IN
-A PREROUTING -i eth0 -m state --state NEW -j ISP_eth0_IN
-A PREROUTING -j WANLOADBALANCE_PRE
-A ISP_eth0 -j CONNMARK --set-xmark 0x1/0xffffffff
-A ISP_eth0 -j MARK --set-xmark 0x1/0xffffffff
-A ISP_eth0 -j ACCEPT
-A ISP_eth0_IN -j CONNMARK --set-xmark 0x1/0xffffffff
-A ISP_eth1 -j CONNMARK --set-xmark 0x2/0xffffffff
-A ISP_eth1 -j MARK --set-xmark 0x2/0xffffffff
-A ISP_eth1 -j ACCEPT
-A ISP_eth1_IN -j CONNMARK --set-xmark 0x2/0xffffffff
-A WANLOADBALANCE_PRE -d isp1.ip1.xx.xx/32 -i eth3 -j ACCEPT
-A WANLOADBALANCE_PRE -d isp2.ip2.yy.yy/32 -i eth3 -j ACCEPT
+-A WANLOADBALANCE_PRE -d isp1.ip1.xx.xx/32 -i eth2 -j ACCEPT
+-A WANLOADBALANCE_PRE -d isp2.ip2.yy.yy/32 -i eth2 -j ACCEPT
-A WANLOADBALANCE_PRE -d 192.168.0.0/16 -i eth+ -j ACCEPT
-A WANLOADBALANCE_PRE -i eth2 -m state --state NEW -m statistic --mode random --probability 0.50000000000 -j ISP_eth0
-A WANLOADBALANCE_PRE -i eth2 -m state --state NEW -j ISP_eth1
-A WANLOADBALANCE_PRE -i eth2 -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff
-A WANLOADBALANCE_PRE -i eth3 -m state --state NEW -m statistic --mode random --probability 0.50000000000 -j ISP_eth0
-A WANLOADBALANCE_PRE -i eth3 -m state --state NEW -j ISP_eth1
-A WANLOADBALANCE_PRE -i eth3 -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff
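Review bot: same paste artefact as in the nat hunk (context space stripped; @@ -1,30 +1,32 @@ says two lines were added and none removed). The two added rules "-A WANLOADBALANCE_PRE -d isp1.ip1.xx.xx/32 -i eth2 -j ACCEPT" and the matching isp2 line mirror the existing eth3 rules and sit before the "-i eth2 -m state --state NEW -m statistic ..." split, so packets from the eth2 LAN addressed to the router's own public IPs are exempted from load balancing instead of being handed a connmark. Without them a hairpinned connection to one of the DNAT-ed services would fall through to the statistic rule and be marked for an ISP, because mangle PREROUTING runs before nat PREROUTING and still sees the public IP as the destination. Together with SRC-NAT-151 in the nat hunk the three additions form a consistent hairpin-NAT set for eth2, which supports the conclusion below that they are not what broke the WAN side.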
Unfortunately the three rules that seem to be extra (in the “glitchy” version) don’t seem to be the culprit in glitchy WAN behaviour…
Perhaps you’ve missed the configuration that actually caused the issue. (Next time you encounter issues, make a snapshot of both the config and the iptables -t xxx -S output.)
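The snapshot-and-compare step suggested at the end of the post, written out as an added shell script (not code from the thread or from the router vendor): it dumps each table with iptables -t <table> -S into a timestamped directory and prints a unified diff against the previous snapshot, which is exactly the "working" versus "glitchy" comparison done by hand above. The IPT, TABLES and SNAPDIR variables are hypothetical knobs that exist only in this script; it assumes iptables is on PATH and that it runs as root when used for real.

```shell
#!/bin/sh
# Added example, not from the forum thread: snapshot every iptables table and
# diff the result against the previous snapshot so rule changes are visible.
# Assumptions: iptables on PATH, run as root; IPT/TABLES/SNAPDIR are knobs that
# exist only in this script (IPT can point at a stub for offline testing).

IPT="${IPT:-iptables}"                              # command used to dump rules
TABLES="${TABLES:-filter nat mangle raw}"           # tables to capture
SNAPDIR="${SNAPDIR:-/var/tmp/iptables-snapshots}"   # where snapshots are kept

# Dump each table's rules into <dir>/<table>.rules. Non-zero if any dump fails.
snapshot_tables() {
  dir="$1"
  mkdir -p "$dir" || return 1
  for t in $TABLES; do
    "$IPT" -t "$t" -S > "$dir/$t.rules" || return 1
  done
  return 0
}

# Print a unified diff per table between two snapshot directories.
# Returns 0 when every table is identical, 1 when at least one differs.
diff_snapshots() {
  changed=0
  for t in $TABLES; do
    if ! diff -u "$1/$t.rules" "$2/$t.rules"; then
      changed=1
    fi
  done
  return $changed
}

# Count rule lines present in the second snapshot but not in the first
# (the '+' lines of the diff, excluding the '+++' file header).
count_added() {
  n=0
  for t in $TABLES; do
    c=$(diff -u "$1/$t.rules" "$2/$t.rules" | grep -c '^+[^+]' || true)
    n=$((n + c))
  done
  echo "$n"
}

# Take a new timestamped snapshot, diff it against the recorded baseline (if
# any) and make it the new baseline. Returns 1 if the rules changed, else 0.
take_snapshot() {
  mkdir -p "$SNAPDIR" || return 2
  new=$(mktemp -d "$SNAPDIR/$(date +%Y%m%d-%H%M%S)-XXXXXX") || return 2
  snapshot_tables "$new" || { echo "snapshot failed: $new" >&2; return 2; }
  rc=0
  if [ -r "$SNAPDIR/LAST" ]; then
    prev=$(cat "$SNAPDIR/LAST")
    diff_snapshots "$prev" "$new" || rc=1
  fi
  echo "$new" > "$SNAPDIR/LAST"     # pointer file to the current baseline
  return $rc
}

# Usage: sh ipt-snapshot.sh run   (without an argument only the functions load)
if [ "${1-}" = "run" ]; then
  take_snapshot
fi
```

Run it once while the router is known good to establish the baseline, then again whenever WAN behaviour looks off; a non-zero exit means at least one table changed and the printed diff shows exactly which rules appeared or vanished. Keeping the config dump alongside each snapshot directory gives the pair of artefacts the post asks for.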