Translation IP DNAT


#1

Hi guys!

I am facing the following question.

The server has 2 public IPs (ISP). Configuration:

ethernet eth1 {
    duplex auto
    hw-id 00:50:56:8d:3d:1c
    smp_affinity auto
    speed auto
    vif 900 {
        description Kyivstar
        vrrp {
            vrrp-group 1 {
                advertise-interval 1
                hello-source-address 10.250.250.1
                preempt true
                priority 10
                sync-group istrouter
                virtual-address 178.34.154.XXX/29
            }
        }
    }
    vif 901 {
        description Ukrtelekom
        vrrp {
            vrrp-group 1 {
                advertise-interval 1
                hello-source-address 10.250.250.1
                preempt true
                priority 10
                sync-group istrouter
                virtual-address 194.135.2.XXX/30
            }
        }
    }
}

I have rules for DNAT:

rule 100 {
    description "Mail server"
    destination {
        address 194.135.2.XXX
        port 25
    }
    inbound-interface eth1.901
    protocol tcp
    translation {
        address 10.32.0.99
        port 25
    }
}

rule 110 {
    description "Mail server"
    destination {
        address 178.34.154.XXX
        port 25
    }
    inbound-interface eth1.900
    protocol tcp
    translation {
        address 10.32.0.99
        port 25
    }
}

And wan-balance:

rule 500 {
    failover
    inbound-interface eth0.302
    interface eth1.900 {
        weight 30
    }
    interface eth1.901 {
        weight 10
    }
    protocol all
}

The issue is the following. Why does VyOS replace the source IP address with my public IP? Packets to the mail server 10.32.0.99 are received with source 78.34.154.XXX instead of 108.170.5.18:

root@terletskiy-vyos:~# tcpdump -nnn port 25 -i any
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
08:37:08.527602 IP 108.170.5.18.42976 > 178.34.154.XXX.25: Flags [P.], seq 1286383029:1286383135, ack 3830043243, win 177, options [nop,nop,TS val 1580012551 ecr 471021942], length 106
08:37:08.527620 IP 178.34.154.XXX.42976 > 10.32.0.99.25: Flags [P.], seq 1286383029:1286383135, ack 3830043243, win 177, options [nop,nop,TS val 1580012551 ecr 471021942], length 106

For example, another server works without issues (there is no wan-balance):

root@VillaD-VyOS:~# tcpdump -i any -nnn port 8000
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
11:17:13.422397 IP 91.200.47.XXX.50278 > 178.34.157.158.8000: Flags [S], seq 2614942082, win 65535, options [mss 1260,nop,wscale 2,nop,nop,sackOK], length 0
11:17:13.422435 IP 91.200.47.XXX.50278 > 192.168.91.221.8000: Flags [S], seq 2614942082, win 65535, options [mss 1260,nop,wscale 2,nop,nop,sackOK], length 0

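To show what the two captures above tell you, here is an added example (my own code, not part of the original post or of VyOS): it parses tcpdump lines in the default format, pairs the pre-NAT and post-NAT copy of each packet as seen on `-i any`, and reports flows whose source address changed between the two copies. The sample lines are constructed from the two captures, with the masked XXX octets replaced by 1.

```python
import re
from collections import defaultdict

# Constructed sample capture, modelled on the two captures in the post
# (XXX octets replaced with 1 so the addresses parse).
CAPTURE = """\
08:37:08.527602 IP 108.170.5.18.42976 > 178.34.154.1.25: Flags [P.], seq 1286383029:1286383135, ack 3830043243, win 177, length 106
08:37:08.527620 IP 178.34.154.1.42976 > 10.32.0.99.25: Flags [P.], seq 1286383029:1286383135, ack 3830043243, win 177, length 106
11:17:13.422397 IP 91.200.47.1.50278 > 178.34.157.158.8000: Flags [S], seq 2614942082, win 65535, length 0
11:17:13.422435 IP 91.200.47.1.50278 > 192.168.91.221.8000: Flags [S], seq 2614942082, win 65535, length 0
"""

# tcpdump -nnn prints "src.sport > dst.dport:" followed by flags and seq.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\], seq (?P<seq>\d+)(?::\d+)?"
)


def parse(capture):
    """Return one dict per TCP line that matches the default tcpdump format."""
    return [m.groupdict() for line in capture.splitlines() if (m := LINE_RE.match(line))]


def find_snat_after_dnat(capture):
    """Pair the copies of each packet (same source port, seq and flags) and
    report, per flow, what the client sent versus what the internal server saw."""
    by_key = defaultdict(list)
    for p in parse(capture):
        by_key[(p["sport"], p["seq"], p["flags"])].append(p)
    findings = []
    for copies in by_key.values():
        if len(copies) < 2:          # only one copy: no translation observed
            continue
        first, last = copies[0], copies[-1]
        findings.append({
            "public_ip": first["dst"],        # address the client connected to
            "internal_ip": last["dst"],       # DNAT target
            "client_ip": first["src"],        # real source on the WAN side
            "seen_by_server": last["src"],    # source the internal host receives
            "source_rewritten": first["src"] != last["src"],
        })
    return findings


if __name__ == "__main__":
    for f in find_snat_after_dnat(CAPTURE):
        print(f)
```

Run on the constructed capture, the first flow (port 25 via the load-balanced router) is flagged as source-rewritten, while the second flow (port 8000 on the router without wan-balance) keeps the client address.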

#2

I have the same problem.

Please note that WAN load-balancing has another issue:

I’m thinking of disbanding load balancing altogether.