Sometimes the ruleset doesn't apply rules properly

Hi colleagues,

I wanted to share with the VyOS community some weird behavior we randomly get in a VyOS cluster.

I have some VyOS VRRP clusters on version 1.2.6-S1, with a huge ruleset (more than 3000 rules). Sometimes it has happened that some random rules do not work properly (traffic from some IPs is dropped by VyOS when it should be allowed by policy, or vice versa).

This problem is solved by rebooting VyOS, and it only happens when VyOS is master (when switching service to the “standby” node, the ruleset works fine).

Does this behavior sound familiar to anybody? Could it be a bug in v1.2.6-S1? Or is it just bad luck after a commit pushes the iptables rules?

Thanks and kind regards to all!

Which ruleset? It isn’t clear what you are talking about and which rules exactly don’t apply.
Could you describe more details or provide some examples/configuration?
Did you try the same on 1.3/1.4?

Hi Viacheslav, thanks for your response.

I have 3 interfaces, WAN, LAN and MGMT, with local and inbound rulesets on all of them.

Where I’ve noticed the bad behavior is the “wan-inbound” filter. In this ruleset I have more than 3000 rules.

I experienced, for example, that rule 1234, which is “allow this IP”, was not working (I ran a tcpdump on VyOS and saw traffic on one interface but not on the other, as if packets were being discarded internally).

Another example: rule 987 blocks all incoming traffic to a server except from one IP, and I detected on the server that I had several login attempts from lots of undesired IPs.

This behavior is random; I can’t reproduce it. I don’t think it is a configuration issue, because I checked that the configuration was properly running in VyOS and was the same as on the standby node, and when I switched traffic to standby I had no issues. As I said, after a reboot the master VyOS was firewalling properly again. So maybe it is something related to the internal process of applying the ruleset from config.boot into the VyOS running memory/iptables…

Does any of this sound familiar to you?

Many thanks and kind regards
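One way to narrow down a report like the one above is to compare what the configuration says with what the kernel is actually running, instead of relying on tcpdump alone: dump `iptables-save` on the master, dump the flat `show configuration commands` output, and list every configured rule number that has no matching rule in the generated chain. The script below is an added example written for this thread, not code from VyOS or from the posters. It assumes (this is an assumption, not something the thread states) that VyOS 1.2 tags each generated iptables rule with a `--comment "<ruleset>-<rule-number>"`; the two sample dumps are constructed for the example, with rule 1234 deliberately missing from the running chain.

```python
"""Find configured VyOS firewall rules that are absent from the running
iptables ruleset.

Assumption (not from the thread): VyOS 1.2 emits one iptables rule per
configured rule, tagged with  -m comment --comment "<ruleset>-<number>".
Both sample dumps below are constructed for this example.
"""
import re
import sys
from typing import Dict, List, Set

# Constructed sample of `show configuration commands` output.
SAMPLE_CONFIG = """\
set firewall name wan-inbound default-action 'drop'
set firewall name wan-inbound rule 987 action 'accept'
set firewall name wan-inbound rule 987 source address '203.0.113.10'
set firewall name wan-inbound rule 1000 action 'drop'
set firewall name wan-inbound rule 1234 action 'accept'
set firewall name wan-inbound rule 1234 source address '198.51.100.7'
set firewall name lan-local rule 10 action 'accept'
"""

# Constructed sample of `iptables-save` output; rule 1234 is missing on purpose.
SAMPLE_IPTABLES_SAVE = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:wan-inbound - [0:0]
-A FORWARD -i eth0 -m comment --comment "wan-inbound" -j wan-inbound
-A wan-inbound -s 203.0.113.10/32 -m comment --comment "wan-inbound-987" -j RETURN
-A wan-inbound -m comment --comment "wan-inbound-1000" -j DROP
-A wan-inbound -m comment --comment "wan-inbound-10000 default-action drop" -j DROP
COMMIT
"""

CONFIG_RULE_RE = re.compile(r"^set firewall name (\S+) rule (\d+) ")
IPT_RULE_RE = re.compile(r'^-A (\S+) .*--comment "([^"]*)"')


def parse_configured_rules(config_commands: str, ruleset: str) -> Set[int]:
    """Rule numbers configured under `firewall name <ruleset>`."""
    rules: Set[int] = set()
    for line in config_commands.splitlines():
        m = CONFIG_RULE_RE.match(line)
        if m and m.group(1) == ruleset:
            rules.add(int(m.group(2)))
    return rules


def parse_running_rules(iptables_save: str, ruleset: str) -> Dict[int, str]:
    """Rule numbers present in the kernel chain, mapped to the raw rule line.

    Only rules appended to the chain named after the ruleset are considered;
    the FORWARD/INPUT jump into the chain is skipped.  The comment format is
    assumed to be "<ruleset>-<number>" optionally followed by free text.
    """
    tag = re.compile(re.escape(ruleset) + r"-(\d+)")
    running: Dict[int, str] = {}
    for line in iptables_save.splitlines():
        m = IPT_RULE_RE.match(line)
        if not m or m.group(1) != ruleset:
            continue
        cm = tag.match(m.group(2))
        if cm:
            running[int(cm.group(1))] = line
    return running


def missing_rules(configured: Set[int], running: Dict[int, str]) -> List[int]:
    """Configured rule numbers with no counterpart in the running chain."""
    return sorted(configured - set(running))


def check(config_commands: str, iptables_save: str, ruleset: str) -> List[int]:
    return missing_rules(parse_configured_rules(config_commands, ruleset),
                         parse_running_rules(iptables_save, ruleset))


if __name__ == "__main__":
    # Usage: python3 check_rules.py <ruleset> <config-commands.txt> <iptables-save.txt>
    # With no arguments the constructed samples are used.
    if len(sys.argv) == 4:
        name, cfg_path, ipt_path = sys.argv[1:]
        cfg = open(cfg_path).read()
        ipt = open(ipt_path).read()
    else:
        name, cfg, ipt = "wan-inbound", SAMPLE_CONFIG, SAMPLE_IPTABLES_SAVE
    gone = check(cfg, ipt, name)
    print(f"{name}: {len(gone)} configured rule(s) missing from kernel: {gone}")
```

Running the same dump on the master and on the standby node and diffing the two outputs (or the two `iptables-save` files directly) separates "the commit never reached iptables" from "the rule is there but traffic takes another path", which is the distinction the reboot-fixes-it symptom leaves open.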