I have an EdgeRouter ER-8 with the following setup: 3 WANs (eth0 is ISP1, eth1 is ISP2, eth2 is a wireless link to another campus with its own ISP, and it is used to access the remote LAN and as a third and failover-only uplink); and 2 local LANs (eth6-192.168.1.1/24; eth7-172.18.16.1/22).
The LAN on eth6 was just added. An independent legacy router failed and we decided to integrate that LAN into the core services. Load-balancing is configured and functioning as expected for clients on both LANs. PBR is configured, but apparently it only works for clients on eth7, and not for clients on the second LAN, on eth6.
I created a couple of address groups so that IPs listed in the first one always use ISP1/eth0, and those listed in the second one always use ISP2/eth1.
If I add IPs from the 172.18.16.0/22 network to the lists, everything works as it should. If I add IPs from the 192.168.1.0/24 network those clients keep falling back to the default behavior (lb-group G).
Rules 95 and 96 of the firewall do the mangling, but by monitoring the statistics (`show firewall modify statistics`) I realized that requests from IPs (in the address groups) on the 172... network do hit those rules, BUT requests from IPs (again, in the exact same address groups) on the 192... network do not.
I also verified this by running `watch -n 1 'curl api.ipify.org'` on clients on both networks. Those on the 172... network show the IP of the corresponding ISP, while those on the other network show alternating IPs (meaning they are indeed following the load-balance parameters).
What am I missing? There must be something I'm not seeing or not applying to the eth6 interface.
Any help is much appreciated.
Here's my configuration:
firewall {
all-ping enable
broadcast-ping disable
group {
address-group OUT-WAN-ETH0 {
address 192.168.1.251
description "Out through eth0"
}
address-group OUT-WAN-ETH1 {
address 192.168.1.252
description "Out through eth1"
}
network-group Old_LAN {
description "Legacy networks"
network 192.168.1.0/24
}
network-group PRIVATE_NETS {
network 172.18.16.0/22
network 172.18.20.0/22
network 172.18.24.0/29
network 172.18.24.8/29
network 172.18.24.16/29
network 192.168.1.0/24
}
port-group servicios_proxy {
port 80
port 443
port 873
port 11194
port 22
}
}
ipv6-receive-redirects disable
ipv6-src-route disable
ip-src-route disable
log-martians disable
modify balance {
rule 10 {
action modify
description "do NOT load balance lan to lan"
destination {
group {
network-group PRIVATE_NETS
}
}
modify {
table main
}
}
rule 20 {
action modify
description "do NOT load balance destination public address"
destination {
group {
address-group ADDRv4_eth0
}
}
modify {
table main
}
}
rule 30 {
action modify
description "do NOT load balance destination public address"
destination {
group {
address-group ADDRv4_eth1
}
}
modify {
table main
}
}
rule 40 {
action modify
description "do NOT load balance destination public address"
destination {
group {
address-group ADDRv4_eth2
}
}
modify {
table main
}
}
rule 95 {
action modify
description "Output through WAN-eth0"
modify {
lb-group WAN-eth0
}
source {
group {
address-group OUT-WAN-ETH0
}
}
}
rule 96 {
action modify
description "Output through WAN-eth1"
modify {
lb-group WAN-eth1
}
source {
group {
address-group OUT-WAN-ETH1
}
}
}
rule 110 {
action modify
modify {
lb-group G
}
}
}
name WAN_IN {
default-action drop
description "WAN to internal"
enable-default-log
rule 10 {
action accept
description "Allow established/related"
state {
established enable
related enable
}
}
rule 20 {
action accept
description v-proxy
destination {
address 192.168.1.253
group {
port-group servicios_proxy
}
}
log disable
protocol tcp_udp
}
rule 40 {
action drop
description "Drop invalid state"
state {
invalid enable
}
}
}
name WAN_LOCAL {
default-action drop
description "WAN to router"
enable-default-log
rule 10 {
action accept
description "Allow established/related"
state {
established enable
related enable
}
}
rule 30 {
action drop
description "Drop invalid state"
state {
invalid enable
}
}
}
name Wireless_backhaul {
default-action drop
description ""
rule 10 {
action accept
description "Allow to Backhaul"
destination {
address 0.0.0.0/0
}
log disable
protocol all
state {
established enable
invalid disable
new enable
related enable
}
}
rule 20 {
action drop
description "Drop invalid state"
log disable
protocol all
state {
established disable
invalid enable
new disable
related disable
}
}
}
receive-redirects disable
send-redirects enable
source-validation disable
syn-cookies enable
}
interfaces {
ethernet eth0 {
address dhcp
description WAN1
dhcp-options {
default-route update
default-route-distance 3
name-server no-update
}
duplex auto
firewall {
in {
name WAN_IN
}
local {
name WAN_LOCAL
}
}
speed auto
}
ethernet eth1 {
address dhcp
description WAN2
dhcp-options {
default-route update
default-route-distance 3
name-server no-update
}
duplex auto
firewall {
in {
name WAN_IN
}
local {
name WAN_LOCAL
}
}
speed auto
}
ethernet eth2 {
address 172.18.24.1/29
description Wireless-SB448-In
duplex auto
firewall {
in {
name Wireless_backhaul
}
local {
name Wireless_backhaul
}
out {
name Wireless_backhaul
}
}
speed auto
vif 2 {
address 172.18.24.10/29
description Wireless-SB448-out
firewall {
in {
name Wireless_backhaul
}
local {
name Wireless_backhaul
}
out {
name Wireless_backhaul
}
}
}
vif 3 {
address 172.18.24.18/29
description Wireless-SB448-LAN
firewall {
in {
name Wireless_backhaul
}
local {
name Wireless_backhaul
}
out {
name Wireless_backhaul
}
}
}
}
ethernet eth6 {
address 192.168.1.1/24
description LAN-old
duplex auto
firewall {
in {
modify balance
}
}
speed auto
}
ethernet eth7 {
address 172.18.16.1/22
description LAN
duplex auto
firewall {
in {
modify balance
}
}
speed auto
}
loopback lo {
}
}
load-balance {
group G {
exclude-local-dns disable
flush-on-active enable
gateway-update-interval 1
interface eth0 {
route-test {
count {
failure 3
success 2
}
initial-delay 1
interval 2
type {
ping {
target 8.8.4.4
}
}
}
weight 100
}
interface eth1 {
route-test {
count {
failure 3
success 2
}
initial-delay 1
interval 2
type {
ping {
target 8.8.8.8
}
}
}
weight 100
}
interface eth2.2 {
failover-only
route-test {
count {
failure 3
success 5
}
initial-delay 1
interval 2
type {
ping {
target 172.18.24.9
}
}
}
weight 1
}
lb-local enable
lb-local-metric-change disable
sticky {
dest-addr enable
source-addr enable
}
}
group WAN-eth0 {
exclude-local-dns enable
flush-on-active enable
gateway-update-interval 5
interface eth0 {
route-test {
initial-delay 1
interval 10
type {
ping {
target 8.8.8.8
}
}
}
weight 100
}
lb-local disable
lb-local-metric-change disable
sticky {
dest-addr enable
source-addr enable
}
}
group WAN-eth1 {
exclude-local-dns enable
flush-on-active enable
gateway-update-interval 5
interface eth1 {
route-test {
initial-delay 1
interval 10
type {
ping {
target 8.8.8.8
}
}
}
weight 100
}
lb-local disable
lb-local-metric-change disable
sticky {
dest-addr enable
source-addr enable
}
}
}
protocols {
static {
route 0.0.0.0/0 {
next-hop 172.18.24.9 {
description "SB448"
distance 5
}
next-hop 192.168.2.254 {
description "ISP2"
distance 4
}
}
route 172.18.20.0/22 {
next-hop 172.18.24.17 {
description LAN-SB448
distance 2
}
}
}
}
services {... OMITTED ...}
system {... OMITTED ...}