Hi!
I'm very sorry - I forgot that the 6 hairpin rules (in the 3rd post of this thread) are from the system with artifacts, yet the iptables rules are pasted from the same system, which I got working a bit later by deleting these 3 rules, which correspond to hairpin NAT and DMZ 192.168.1.x:
set load-balancing wan rule 22 description 'for NAT reflection (Hairpin NAT)'
set load-balancing wan rule 22 'exclude'
set load-balancing wan rule 22 inbound-interface 'eth2'
set load-balancing wan rule 22 destination address 'isp1.ip1.xx.xx'
set load-balancing wan rule 22 protocol all
set load-balancing wan rule 23 description 'for NAT reflection (Hairpin NAT)'
set load-balancing wan rule 23 'exclude'
set load-balancing wan rule 23 inbound-interface 'eth2'
set load-balancing wan rule 23 destination address 'isp2.ip1.yy.yy'
set load-balancing wan rule 23 protocol all
set nat source rule 151 description 'NAT Reflection (Hairpin NAT) 192.168.1.0/24'
set nat source rule 151 destination address '192.168.1.0/24'
set nat source rule 151 source address '192.168.1.0/24'
set nat source rule 151 outbound-interface 'eth2'
set nat source rule 151 translation address 'masquerade'
Hairpin NAT now works from local 192.168.0.x only, not from DMZ 192.168.1.x, which is still acceptable. Upload speed through eth0/ISP1 is fine now; one small glitch remains - connecting via SSH to eth1 / ISP#2 happens instantly, yet to eth0 / ISP#1 it takes about a minute or so to establish a connection, and often simply ends without a password prompt. I have no idea why.
It's possible to paste the 3 deleted rules into the system again to check iptables - yet I'm not sure we can make load-balancing and hairpin NAT work together as expected, at least without direct hacks into the iptables rules generated by VyOS. There are samples around - yet none which combines load-balancing and hairpin NAT.
Another strange thing - currently there are no explicit masquerading rules for local and DMZ (there were, but I removed them during debugging), yet masquerading from local and DMZ works. I launched a web browser on the DMZ server and loaded the YouTube page:
vyos@linrt-aio# run show nat source translations
Pre-NAT Post-NAT Prot Timeout
192.168.1.3 isp1.ip1.xx.xx tcp 431995
192.168.1.3 isp2.ip2.yy.yy tcp 431987
216.244.66.245 isp2.ip2.yy.yy udp 5
192.168.1.3 isp2.ip2.yy.yy udp 170
192.168.1.3 isp2.ip2.yy.yy udp 167
192.168.1.3 isp2.ip2.yy.yy tcp 95
192.168.1.3 isp2.ip2.yy.yy tcp 62
192.168.1.3 isp2.ip2.yy.yy udp 131
192.168.1.3 isp1.ip1.xx.xx tcp 431997
192.168.1.3 isp2.ip2.yy.yy tcp 431996
192.168.1.3 isp2.ip2.yy.yy udp 165
192.168.1.3 isp2.ip2.yy.yy tcp 62
192.168.1.3 isp2.ip2.yy.yy tcp 67
192.168.1.3 isp2.ip2.yy.yy tcp 62
192.168.1.3 isp2.ip2.yy.yy udp 108
192.168.1.3 isp1.ip1.xx.xx tcp 62
Removed masquerading rules:
set nat source rule 100 outbound-interface 'eth0'
set nat source rule 100 source address '192.168.0.0/24'
set nat source rule 100 translation address 'masquerade'
set nat source rule 100 protocol all
set nat source rule 101 outbound-interface 'eth0'
set nat source rule 101 source address '192.168.1.0/24'
set nat source rule 101 translation address 'masquerade'
set nat source rule 101 protocol all
set nat source rule 120 outbound-interface 'eth1'
set nat source rule 120 source address '192.168.0.0/24'
set nat source rule 120 translation address 'masquerade'
set nat source rule 120 protocol all
set nat source rule 121 outbound-interface 'eth1'
set nat source rule 121 source address '192.168.1.0/24'
set nat source rule 121 translation address 'masquerade'
set nat source rule 121 protocol all
PS. It's VyOS 1.1.8 under a KVM host on Debian 9, running on a Jetway fanless PC with 10 Ethernet interfaces; KVM network device model - virtio.
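As an added example, not from the post or from VyOS: a small Python parser for the "show nat source translations" table above that counts flows per egress (post-NAT) address and flags entries whose pre-NAT address is outside the local 192.168.0.0/24 and DMZ 192.168.1.0/24 networks, such as the 216.244.66.245 line in the output. The sample table is constructed from the post's output with one added local-LAN line, and the /24 masks are assumed from the NAT rules.

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed sample modelled on the post's 'show nat source translations' output;
# the ISP placeholders are kept as opaque strings, the last line is an added LAN entry.
SAMPLE = """\
Pre-NAT Post-NAT Prot Timeout
192.168.1.3 isp1.ip1.xx.xx tcp 431995
192.168.1.3 isp2.ip2.yy.yy tcp 431987
216.244.66.245 isp2.ip2.yy.yy udp 5
192.168.1.3 isp2.ip2.yy.yy udp 170
192.168.0.10 isp1.ip1.xx.xx tcp 62
"""

# Networks named in the post (assumed /24, as in its NAT rules).
NETWORKS = {"local": ipaddress.ip_network("192.168.0.0/24"),
            "dmz": ipaddress.ip_network("192.168.1.0/24")}


def classify(pre_nat):
    """'local', 'dmz' or 'other' for a pre-NAT address; 'invalid' if not an IP."""
    try:
        addr = ipaddress.ip_address(pre_nat)
    except ValueError:
        return "invalid"
    return next((name for name, net in NETWORKS.items() if addr in net), "other")


def parse_translations(text):
    """Parse the table into dicts, skipping the header and malformed lines."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue
        pre, post, proto, timeout = parts
        rows.append({"pre": pre, "post": post, "proto": proto,
                     "timeout": int(timeout), "origin": classify(pre)})
    return rows


def summarize(rows):
    """Flow counts per post-NAT (egress) address, broken down by protocol."""
    summary = defaultdict(Counter)
    for r in rows:
        summary[r["post"]][r["proto"]] += 1
    return summary


def unexpected_sources(rows):
    """Entries whose pre-NAT address is neither LAN nor DMZ: the router is SNATing for a host it does not own."""
    return [r for r in rows if r["origin"] not in NETWORKS]
```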