These posts seem similar to my problem: traffic going out tun0 to Cloudflare via GRE can connect, but it fails when upgrading to HTTP. Without WAN LB this works fine, so I am wondering why this is still a thing.
# Rule-spec dump of the mangle table. Rules in a chain are evaluated top to
# bottom. ACCEPT ends this table's traversal for the packet at the current
# hook; LOG, MARK, CONNMARK and TCPMSS do not, so evaluation continues with the
# next rule after them.
iptables -t mangle -S
# Built-in chain policies: all ACCEPT. No rule in this dump drops or rejects;
# the table only marks, logs and clamps MSS.
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
# User-defined chains. VYATTA_FW_OUT_HOOK and VYATTA_FW_LOCALOUT_HOOK are
# declared and hooked below but contain no rules in this dump.
-N VYATTA_FW_OUT_HOOK
-N VYATTA_FW_IN_HOOK
-N VYATTA_FW_LOCALOUT_HOOK
-N magic-wan
-N VYATTA_PBR_100
-N VYOS_FW_OPTIONS
-N WANLOADBALANCE_PRE
-N ISP_eth0
-N ISP_eth0_IN
-N ISP_eth1
-N ISP_eth1_IN
# PREROUTING order is the key to reading this dump:
#   1. NEW connections arriving on eth0/eth1 get a connmark (ISP_ethN_IN).
#      eth0/eth1 are presumably the WAN uplinks -- confirm.
#   2. WANLOADBALANCE_PRE runs next.
#   3. VYATTA_FW_IN_HOOK (the policy-route hook) runs last.
# Any packet ACCEPTed in step 2 never reaches step 3.
-A PREROUTING -i eth1 -m state --state NEW -j ISP_eth1_IN
-A PREROUTING -i eth0 -m state --state NEW -j ISP_eth0_IN
-A PREROUTING -j WANLOADBALANCE_PRE
-A PREROUTING -j VYATTA_FW_IN_HOOK
-A FORWARD -j VYOS_FW_OPTIONS
-A OUTPUT -j VYATTA_FW_LOCALOUT_HOOK
-A POSTROUTING -j VYATTA_FW_OUT_HOOK
# The magic-wan policy is attached only to packets arriving on eth2.200.
-A VYATTA_FW_IN_HOOK -i eth2.200 -j magic-wan
# magic-wan: each match is a LOG rule followed by the action rule. The LOG
# rules carry no rate limit (no "-m limit"), so every matching packet is logged.
# All TCP from xxx.xxx.71.3 is sent to VYATTA_PBR_100, which ends in ACCEPT.
-A magic-wan -s xxx.xxx.71.3/32 -p tcp -m comment --comment magic-wan-100 -j LOG --log-prefix "[magic-wan-100-] "
-A magic-wan -s xxx.xxx.71.3/32 -p tcp -m comment --comment magic-wan-100 -j VYATTA_PBR_100
-A magic-wan -s xxx.xxx.71.3/32 -p udp -m comment --comment magic-wan-100 -j LOG --log-prefix "[magic-wan-100-] "
-A magic-wan -s xxx.xxx.71.3/32 -p udp -m comment --comment magic-wan-100 -j VYATTA_PBR_100
# NOTE(review): the SYN-only TCPMSS rule below looks unreachable. Assuming the
# redacted source is the same address as above, every TCP packet from it has
# already matched the earlier "-p tcp" rule and been ACCEPTed in VYATTA_PBR_100.
-A magic-wan -s xxx.xxx.71.3/32 -p tcp -m tcp --tcp-flags SYN SYN -m comment --comment magic-wan-100 -j LOG --log-prefix "[magic-wan-100-] "
-A magic-wan -s xxx.xxx.71.3/32 -p tcp -m tcp --tcp-flags SYN SYN -m comment --comment magic-wan-100 -j TCPMSS --set-mss 1436
# The UDP rule pair for xxx.xxx.71.3 appears again here and once more further
# down; as written, the repeats can never match because the first copy ACCEPTs.
-A magic-wan -s xxx.xxx.71.3/32 -p udp -m comment --comment magic-wan-100 -j LOG --log-prefix "[magic-wan-100-] "
-A magic-wan -s xxx.xxx.71.3/32 -p udp -m comment --comment magic-wan-100 -j VYATTA_PBR_100
-A magic-wan -s xxx.xxx.69.6/32 -p udp -m comment --comment magic-wan-100 -j LOG --log-prefix "[magic-wan-100-] "
-A magic-wan -s xxx.xxx.69.6/32 -p udp -m comment --comment magic-wan-100 -j VYATTA_PBR_100
-A magic-wan -s xxx.xxx.71.4/32 -p udp -m comment --comment magic-wan-100 -j LOG --log-prefix "[magic-wan-100-] "
-A magic-wan -s xxx.xxx.71.4/32 -p udp -m comment --comment magic-wan-100 -j VYATTA_PBR_100
-A magic-wan -s xxx.xxx.71.3/32 -p udp -m comment --comment magic-wan-100 -j LOG --log-prefix "[magic-wan-100-] "
-A magic-wan -s xxx.xxx.71.3/32 -p udp -m comment --comment magic-wan-100 -j VYATTA_PBR_100
-A magic-wan -s xxx.xxx.71.5/32 -p udp -m comment --comment magic-wan-100 -j LOG --log-prefix "[magic-wan-100-] "
-A magic-wan -s xxx.xxx.71.5/32 -p udp -m comment --comment magic-wan-100 -j VYATTA_PBR_100
# Default action: log, then RETURN to the caller without changing the mark.
-A magic-wan -m comment --comment "magic-wan-1000000 default-action accept" -j LOG --log-prefix "[magic-wan-default-A]"
-A magic-wan -m comment --comment "magic-wan-1000000 default-action accept" -j RETURN
# VYATTA_PBR_100 sets the packet mark with a full 0xffffffff mask, replacing
# whatever mark the packet already had (including a restored 0xc9/0xca), then
# ACCEPTs. Presumably this mark selects policy-route table 100 -- confirm with
# "ip rule".
-A VYATTA_PBR_100 -j MARK --set-xmark 0x80000063/0xffffffff
-A VYATTA_PBR_100 -j ACCEPT
# MSS clamp in FORWARD: applies only to SYN / SYN-ACK segments routed OUT tun0.
# Segments arriving from tun0 and forwarded out another interface, and SYNs
# that routing sends out a different uplink, are not clamped by this rule.
-A VYOS_FW_OPTIONS -o tun0 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1436
# WANLOADBALANCE_PRE, part 1: exclusions. These ACCEPT without marking, which
# also skips VYATTA_FW_IN_HOOK for the matched traffic.
-A WANLOADBALANCE_PRE -s xxx.xxx.69.0/24 -d xxx.xxx.70.0/24 -i eth2 -j ACCEPT
-A WANLOADBALANCE_PRE -s xxx.xxx.69.0/24 -d xxx.xxx.71.0/24 -i eth2 -j ACCEPT
-A WANLOADBALANCE_PRE -d xxx.xxx.72.20/31 -i eth2.100 -j ACCEPT
-A WANLOADBALANCE_PRE -d xxx.xxx.72.20/31 -i eth2.200 -j ACCEPT
-A WANLOADBALANCE_PRE -d xxx.xxx.72.20/31 -i eth2 -j ACCEPT
# WANLOADBALANCE_PRE, part 2: per inbound interface, NEW packets jump to
# ISP_eth0 (set connmark + mark 0xc9, then ACCEPT); all other packets get the
# connmark copied back onto the packet and fall through to the next hook.
# Only ISP_eth0 is a jump target here; no rule in this dump jumps to ISP_eth1.
#
# NOTE(review): effect on eth2.200, the only interface with magic-wan attached:
#   - NEW packets are ACCEPTed in ISP_eth0 with mark 0xc9 and never reach
#     magic-wan, so they get neither the PBR mark nor a magic-wan LOG entry.
#   - Later packets of the same connection have 0xc9 restored, then reach
#     magic-wan, where a matching source is re-marked 0x80000063.
# The first packet and the rest of a flow can therefore carry different marks.
# If those marks select different routing tables, the flow is split across
# paths, which would fit "connects, then stalls" -- verify with "ip rule",
# "ip route show table <n>" and a capture on tun0 and eth0.
-A WANLOADBALANCE_PRE -i tun0 -m state --state NEW -j ISP_eth0
-A WANLOADBALANCE_PRE -i tun0 -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff
-A WANLOADBALANCE_PRE -i eth2.100 -m state --state NEW -j ISP_eth0
-A WANLOADBALANCE_PRE -i eth2.100 -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff
-A WANLOADBALANCE_PRE -i eth2.200 -m state --state NEW -j ISP_eth0
-A WANLOADBALANCE_PRE -i eth2.200 -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff
-A WANLOADBALANCE_PRE -i eth2 -m state --state NEW -j ISP_eth0
-A WANLOADBALANCE_PRE -i eth2 -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff
# ISP_ethN: tag both the connection and the packet with the uplink's mark
# (0xc9 for eth0, 0xca for eth1), then ACCEPT.
# ISP_ethN_IN: tag only the connection, for NEW connections arriving on that
# uplink, and return to PREROUTING.
-A ISP_eth0 -j CONNMARK --set-xmark 0xc9/0xffffffff
-A ISP_eth0 -j MARK --set-xmark 0xc9/0xffffffff
-A ISP_eth0 -j ACCEPT
-A ISP_eth0_IN -j CONNMARK --set-xmark 0xc9/0xffffffff
-A ISP_eth1 -j CONNMARK --set-xmark 0xca/0xffffffff
-A ISP_eth1 -j MARK --set-xmark 0xca/0xffffffff
-A ISP_eth1 -j ACCEPT
-A ISP_eth1_IN -j CONNMARK --set-xmark 0xca/0xffffffff