VyOS 1.18 WAN Load balancing & bogus radio link - almost blocked outgoing traffic

load-balancing
wan

#1

I set up a zone-based firewall with 2 x ISP load-balancing.
eth0 - wan1, eth1 - wan2, eth2 - DMZ (192.168.1.1), eth3 - LAN (192.168.0.1)
Internet server IP (on DMZ) = 192.168.1.2

Several days ago the radio link (connected to eth1/wan2) died in a really awkward way - it was still possible to ping the gateway, but no traffic was going through it.
This resulted in almost blocked outgoing traffic (~ several kB/sec) from the working eth0/wan1 to the ISP and a very slow connection from the private LAN.
I tested from another location, downloading a large file (hosted on the DMZ server) over HTTP from the working IP -> eth0/wan1.

I understand this is a really unusual situation, yet a healthy link should not function this way.
Only "set interfaces ethernet eth1 disable" solved this problem.

set interfaces ethernet eth2 address '192.168.1.1/24'
set interfaces ethernet eth3 address '192.168.0.1/24'
set interfaces ethernet eth2 description INTF_DMZ
set interfaces ethernet eth3 description INTF_LOCAL_NET

set interfaces ethernet eth0 address 'isp1.xx.xx.ip1/24'
set interfaces ethernet eth0 description 'INTF_LTC1'
set interfaces ethernet eth1 address 'isp2.xx.xx.ip1/24'
set interfaces ethernet eth1 description 'INTF_BTC2'

set load-balancing wan 'flush-connections'
set load-balancing wan interface-health eth0 failure-count '3'
set load-balancing wan interface-health eth0 nexthop 'isp1.xx.xx.gw'
set load-balancing wan interface-health eth0 success-count '3'
set load-balancing wan interface-health eth0 test 10 resp-time '5'
set load-balancing wan interface-health eth0 test 10 target 'isp1.xx.xx.gw'
set load-balancing wan interface-health eth0 test 10 ttl-limit '1'
set load-balancing wan interface-health eth0 test 10 type 'ping'

set load-balancing wan interface-health eth1 failure-count '3'
set load-balancing wan interface-health eth1 nexthop 'isp2.xx.xx.gw'
set load-balancing wan interface-health eth1 success-count '3'
set load-balancing wan interface-health eth1 test 10 resp-time '5'
set load-balancing wan interface-health eth1 test 10 target 'isp2.xx.xx.gw'
set load-balancing wan interface-health eth1 test 10 ttl-limit '1'
set load-balancing wan interface-health eth1 test 10 type 'ping'

set load-balancing wan rule 10 inbound-interface 'eth2'
set load-balancing wan rule 10 interface eth0 weight '10'
set load-balancing wan rule 10 interface eth1 weight '10'
set load-balancing wan rule 10 'per-packet-balancing'
set load-balancing wan rule 10 protocol 'all'
set load-balancing wan rule 20 inbound-interface 'eth3'
set load-balancing wan rule 20 interface eth0 weight '10'
set load-balancing wan rule 20 interface eth1 weight '10'
set load-balancing wan rule 20 'per-packet-balancing'
set load-balancing wan rule 20 protocol 'all'

set load-balancing wan rule 4 destination address '192.168.0.0/23'
set load-balancing wan rule 4 'exclude'
set load-balancing wan rule 4 inbound-interface 'eth3'
set load-balancing wan rule 5 destination address '192.168.0.0/23'
set load-balancing wan rule 5 'exclude'
set load-balancing wan rule 5 inbound-interface 'eth2'

set protocols static route 0.0.0.0/0 next-hop 'isp1.xx.xx.gw'
set protocols static route 0.0.0.0/0 next-hop 'isp2.xx.xx.gw'

#2

I disconnected the cable from the broken radio link; the problem still persists.
"show wan load-balancing" now reports the link correctly as "status: failed".
Removed "per-packet" load balancing, switched to the default.
Changed the rules to exclude the DMZ and Internal zones from load balancing, made them more precise. Rebooted.
The problem still exists. Downloading anything from anywhere in the external world from the DMZ server is hellishly slow, several kbytes per sec.
Is this a bug or something wrong with my rules?

set load-balancing wan rule 30 'exclude'
set load-balancing wan rule 30 inbound-interface 'eth3'
set load-balancing wan rule 30 destination address '192.168.0.0/24'
set load-balancing wan rule 30 source address '192.168.1.0/24'

set load-balancing wan rule 40 'exclude'
set load-balancing wan rule 40 inbound-interface 'eth2'
set load-balancing wan rule 40 destination address '192.168.1.0/24'
set load-balancing wan rule 40 source address '192.168.0.0/24'

#3

set load-balancing wan sticky-connections inbound
fixed this problem. Will do more tests tomorrow; for now it looks like finally everything is OK.

PS. It would be nice to have this wiki updated with that; it really takes a lot of time to solve these puzzles.
https://wiki.vyos.net/wiki/WAN_load_balancing#Configure_the_load_balancer
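Added example, not code from the thread or from the VyOS project: a small Python lint that reads the "set ..." lines of a VyOS 1.1.x load-balancing wan configuration and flags the three things this thread turned on: rules using per-packet-balancing (one flow sprayed across both uplinks, so a link that still answers pings but forwards nothing eats a share of every flow), a missing "sticky-connections inbound" (the fix from post #3, which keeps replies to a connection that arrived on one uplink leaving on that same uplink), and zone-to-zone exclude rules that exist in only one direction. The embedded sample configs are reduced from posts #1 and #3; the audit() function, its check names and the result layout are my own.

```python
import re
from collections import defaultdict

# Quoted values ('eth2', 'per-packet-balancing') or bare words.
TOKEN_RE = re.compile(r"'([^']*)'|(\S+)")


def set_paths(text):
    """Yield each `set ...` line as a list of tokens with quotes stripped."""
    for raw in text.splitlines():
        toks = [quoted or bare for quoted, bare in TOKEN_RE.findall(raw)]
        if len(toks) > 1 and toks[0] == "set":
            yield toks[1:]


def wan_rules(paths):
    """Group `load-balancing wan rule N ...` paths by rule number N."""
    rules = defaultdict(list)
    for p in paths:
        if p[:3] == ["load-balancing", "wan", "rule"] and len(p) > 3:
            rules[p[3]].append(p[4:])
    return rules


def audit(text):
    """Run the three checks; empty lists and sticky_inbound=True mean clean."""
    paths = list(set_paths(text))
    rules = wan_rules(paths)

    # 1. per-packet balancing splits a single flow over both uplinks; with a
    #    link that answers pings but forwards nothing, part of every flow dies.
    per_packet = sorted(int(n) for n, attrs in rules.items()
                        if ["per-packet-balancing"] in attrs)

    # 2. sticky-connections inbound makes return traffic of a connection that
    #    arrived on one uplink leave on that same uplink (the fix in post #3).
    sticky = ["load-balancing", "wan", "sticky-connections", "inbound"] in paths

    # 3. exclude rules for zone-to-zone traffic should exist in both directions.
    excludes = {}
    for n, attrs in rules.items():
        if ["exclude"] not in attrs:
            continue
        src = next((a[2] for a in attrs if a[:2] == ["source", "address"]), None)
        dst = next((a[2] for a in attrs if a[:2] == ["destination", "address"]), None)
        if src and dst:
            excludes[(src, dst)] = n
    one_way = sorted((n, s, d) for (s, d), n in excludes.items()
                     if (d, s) not in excludes)

    return {"per_packet_rules": per_packet,
            "sticky_inbound": sticky,
            "one_way_excludes": one_way}


# Constructed subset of the post #1 config: per-packet, no sticky-connections.
ORIGINAL_CFG = """
set load-balancing wan 'flush-connections'
set load-balancing wan rule 10 inbound-interface 'eth2'
set load-balancing wan rule 10 interface eth0 weight '10'
set load-balancing wan rule 10 interface eth1 weight '10'
set load-balancing wan rule 10 'per-packet-balancing'
set load-balancing wan rule 20 inbound-interface 'eth3'
set load-balancing wan rule 20 interface eth0 weight '10'
set load-balancing wan rule 20 interface eth1 weight '10'
set load-balancing wan rule 20 'per-packet-balancing'
"""

# Constructed subset of the posts #2/#3 state: per-connection balancing,
# symmetric exclude rules, sticky-connections inbound.
FINAL_CFG = """
set load-balancing wan 'flush-connections'
set load-balancing wan sticky-connections inbound
set load-balancing wan rule 10 inbound-interface 'eth2'
set load-balancing wan rule 10 interface eth0 weight '10'
set load-balancing wan rule 10 interface eth1 weight '10'
set load-balancing wan rule 20 inbound-interface 'eth3'
set load-balancing wan rule 20 interface eth0 weight '10'
set load-balancing wan rule 20 interface eth1 weight '10'
set load-balancing wan rule 30 'exclude'
set load-balancing wan rule 30 inbound-interface 'eth3'
set load-balancing wan rule 30 destination address '192.168.0.0/24'
set load-balancing wan rule 30 source address '192.168.1.0/24'
set load-balancing wan rule 40 'exclude'
set load-balancing wan rule 40 inbound-interface 'eth2'
set load-balancing wan rule 40 destination address '192.168.1.0/24'
set load-balancing wan rule 40 source address '192.168.0.0/24'
"""

if __name__ == "__main__":
    for name, cfg in (("post #1", ORIGINAL_CFG), ("post #3", FINAL_CFG)):
        print(name, audit(cfg))
```

Feed it the output of "show configuration commands" (or a saved config.boot converted to set form) for a quick check before a failover test; the parser only understands "set" lines, so "delete" or "comment" lines are ignored.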


#4

Syncer, is it possible to move this [solved] thread to the "General questions" forum?


#5

Moved it there and will close the topic.


#6

This topic was automatically closed after 5 hours. New replies are no longer allowed.