wan-load-balance with multiple translation IPs


#1

Long-time user (since Vyatta before the Brocade days, then Brocade Vyatta, then VyOS), first-time poster. :slight_smile:

I have an office router/firewall/gateway/etc. install which I’m converting to use wan-load-balance for multiple ISPs, without having a proper BGP setup. Currently, the single-provider SNAT setup uses custom rules to NAT traffic from different VLANs to different IPs on the same interface. What’s the current best practice for doing this with wan-load-balance?

Folks on the Ubiquiti side of the fence seem to use macvlan pseudo-ethernet devices for this, but I’ve had a lot of trouble with pseudo-ethernet devices when the next-hop isn’t in the same subnet as the address on the peth device.

Configuration looks something like the following:

interfaces {
  ethernet eth1 {
    address 1.2.3.5/31
    address 5.6.7.9/29
    address 5.6.7.10/29
    address 5.6.7.11/29
  }
  ethernet eth2 {
    vif 1 {
      address 192.168.1.1/24
    }
    vif 2 {
      address 192.168.2.1/24
    }
  }
}
protocols {
  static {
    route 0.0.0.0/0 {
      next-hop 1.2.3.4
    }
  }
}
nat {
  source {
    rule 1 {
      destination {
        address 10.0.0.0/8
      }
      exclude
    }
    rule 2 {
      destination {
        address 172.16.0.0/12
      }
      exclude
    }
    rule 3 {
      destination {
        address 192.168.0.0/16
      }
      exclude
    }
    rule 10 {
      source {
        address 192.168.1.0/24
      }
      outbound-interface eth1
      translation {
        address 5.6.7.10
      }
    }
    rule 11 {
      source {
        address 192.168.2.0/24
      }
      outbound-interface eth1
      translation {
        address 5.6.7.11
      }
    }
  }
}

These IP addresses are obviously made up.

I understand that in the load-balancing wan section I could set the disable-source-nat option and then add my own SNAT rules, but I’m not sure exactly where I’d add them, since the regular NAT configuration interface doesn’t have any way to match the MARKs set by the wan-load-balance tool. Would I be expected to just have a snippet in vyatta-postconfig-bootup.script that added manual rules to iptables?

Do y’all think it would be best for me to pursue manual SNAT rules that way or to try and hack something up using different interfaces for each IP? Has anyone else used wan-load-balance in a configuration like this?
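As an added illustration (not part of the original post, and not an official VyOS recipe), the following sketches how the per-VLAN translation addresses from the post can be kept when a second ISP is added with wan-load-balance. It relies on one property of the netfilter pipeline rather than on matching marks: wan-load-balance marks the packet and policy routing picks the egress interface from that mark before POSTROUTING runs, so an ordinary `nat source` rule matched on `outbound-interface` already sees the right interface. With `disable-source-nat` set, the built-in masquerade is turned off and one explicit SNAT rule per (source VLAN, outbound interface) pair picks the address. The second ISP on eth3 (9.8.7.6/30 with next-hop 9.8.7.5, secondary addresses 9.8.7.7/30 is deliberately not used; instead eth3 gets a /29 block 11.12.13.0/29 so each VLAN can have its own address there), the health-check target 8.8.8.8, and the interface and rule numbers are all assumptions made up for the example, as are the addresses in the original post.

```vyos
interfaces {
  ethernet eth1 {
    address 1.2.3.5/31
    address 5.6.7.9/29
    address 5.6.7.10/29
    address 5.6.7.11/29
  }
  /* assumed second ISP: point-to-point link plus a routed /29 for per-VLAN SNAT */
  ethernet eth3 {
    address 9.8.7.6/30
    address 11.12.13.2/29
    address 11.12.13.3/29
  }
  ethernet eth2 {
    vif 1 {
      address 192.168.1.1/24
    }
    vif 2 {
      address 192.168.2.1/24
    }
  }
}
load-balancing {
  wan {
    /* keep our own SNAT rules; do not let wlb masquerade to the primary address */
    disable-source-nat
    interface-health eth1 {
      nexthop 1.2.3.4
      failure-count 3
      success-count 1
      test 10 {
        type ping
        target 8.8.8.8
      }
    }
    interface-health eth3 {
      nexthop 9.8.7.5
      failure-count 3
      success-count 1
      test 10 {
        type ping
        target 8.8.8.8
      }
    }
    /* one rule per inbound VLAN; equal weight spreads flows over both ISPs */
    rule 10 {
      inbound-interface eth2.1
      interface eth1 {
        weight 1
      }
      interface eth3 {
        weight 1
      }
    }
    rule 20 {
      inbound-interface eth2.2
      interface eth1 {
        weight 1
      }
      interface eth3 {
        weight 1
      }
    }
  }
}
nat {
  source {
    rule 1 {
      destination {
        address 10.0.0.0/8
      }
      exclude
    }
    rule 2 {
      destination {
        address 172.16.0.0/12
      }
      exclude
    }
    rule 3 {
      destination {
        address 192.168.0.0/16
      }
      exclude
    }
    /* VLAN 1: one translation per egress interface */
    rule 10 {
      source {
        address 192.168.1.0/24
      }
      outbound-interface eth1
      translation {
        address 5.6.7.10
      }
    }
    rule 11 {
      source {
        address 192.168.1.0/24
      }
      outbound-interface eth3
      translation {
        address 11.12.13.2
      }
    }
    /* VLAN 2 */
    rule 20 {
      source {
        address 192.168.2.0/24
      }
      outbound-interface eth1
      translation {
        address 5.6.7.11
      }
    }
    rule 21 {
      source {
        address 192.168.2.0/24
      }
      outbound-interface eth3
      translation {
        address 11.12.13.3
      }
    }
  }
}
```

Two caveats worth checking before relying on this. First, the exclude rules for RFC 1918 space must stay numbered below the translation rules, since `nat source` rules are evaluated in order and the first match wins. Second, because flows from one VLAN can now leave from either ISP, anything that pins sessions to a source address (some VPN peers, IP-allowlisted services) will see two different addresses; `sticky-connections` in the `load-balancing wan` tree, or a rule that sends that VLAN out a single interface only, limits that.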