Just wondered if you considered moving this into a gist? You can embed gists on the community forum platform, and for easy installation the gist can be used as a wget target to automatically download the script and place it on an OpenWrt router.
Thanks for updating the Wiki. I see the update toward the top in reference to 23.05. It might be a good idea to update the text in the ipset section as well.
Thank you so much. Just implemented today.
It works for me, finally!!
Just noticed that it is necessary to set the ipset family to IPv4+IPv6; otherwise, if it is set to IPv4, the ipset is ignored. There is a note on this here from jmccabe06.
It is also not super obvious that the ipset must be declared both in the dnsmasq settings (in LuCI, DHCP & DNS > General tab) and in the ipset settings section (in LuCI, DHCP & DNS > IP Sets tab), in addition to the firewall advanced settings.
...and I have no idea why...
Define the nftables sets under "Firewall -> IP Sets" first. Important: use the correct family (IPv4 or IPv6) there, match on dest_ip and define separate sets for IPv6 and IPv4 if necessary. Adding a timeout (I personally use 600s) helps clear old entries out of the ipsets automatically.
Then add those sets to the dnsmasq set resolving under "DHCP & DNS -> IP Sets". (Note: add both the IPv4 and the IPv6 set to the IP set option of the element as necessary. Multiple nftables sets can be specified for each group.)
Finally add them to the mwan3 rules. I use specific, separate rules for IPv4/IPv6, but IPv4+IPv6 works as well because it'll match the family of the ipset anyway (which is IPv4 by default if not explicitly defined under "Firewall -> IPsets", as that is the default family for an ipset).
Nothing else should be required (it's not for me at least). Most people probably forget to do step 1 and just let dnsmasq define the nftables sets with defaults (IPv4, without timeout), hence things don't work properly with IPv6.
As I'm upgrading from 21.02 to 23.05 and need to reconfigure everything, I noted that the IPset extra will create everything.
I added the "DHCP & DNS -> IP Sets" and executed "ipset setup". After that the IPsets also appeared in "Firewall -> IPsets". Every time "ipset setup" is executed (like running as a cronjob or with hotplug), it will overwrite the configuration (so changes in "Firewall -> IPsets" will be lost).
I had to change 1 line in the script (IPset extra is located under /etc/profile.d/ipset.sh) to get it to work in my setup:
Changed line in /etc/profile.d/ipset.sh from:
set firewall.'${IPSET_NAME//-/_}'.match='net'
to:
set firewall.'${IPSET_NAME//-/_}'.match='dest_ip'
Another observation:
I had different IPsets with names ending in something like "....ipset" (e.g. "TestOpenipset"). They are visible in "Firewall -> IPsets" and look right, including the name, but they are not added/handled properly and the name is cut after "ip":
#ipset list
...
Name: TestOpenip
Type: hash:ip
Revision: 5
Header: family inet hashsize 1024 maxelem 65536 bucketsize 12 initval 0xe96198ed
Size in memory: 112
References: 0
Number of entries: 0
Members:
Those also didn't appear in IPset under mwan3.
After adding the same list with the word "ipset" removed from the name (e.g. "TestOpen") and executing "ipset setup", everything was fine.
Not sure if I'm getting something wrong here or if in the meanwhile there is a better way to populate the lists.
DNS is handled by a Pi-hole within the network, so DNS requests will not reach the router (and it's not planned to change this).
Apologies for the call for assistance but I am missing how to successfully complete the use of mwan3 & the script.
I believe I followed the steps correctly and am not sure what else to try. I am starting to make a lot of changes and none seem to be the right one.
Configuration:
WAN & wg0_proton interfaces
LAN 192.168.10.0/24
My desired end state:
PBR of select clients & subnets over the vpn while allowing most of the lan devices to prefer the wan interface.
Current state:
All clients are utilizing the WAN and are not being routed over the VPN.
The VPN is working, and from the router CLI I can ping over the VPN as shown:
root@OpenWrt:~# ping -I wg0_proton aa.com -c 3
PING aa.com (23.59.182.130): 56 data bytes
64 bytes from 23.59.182.130: seq=0 ttl=55 time=222.792 ms
64 bytes from 23.59.182.130: seq=1 ttl=55 time=226.408 ms
64 bytes from 23.59.182.130: seq=2 ttl=55 time=231.638 ms
--- aa.com ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 222.792/226.946/231.638 ms
root@OpenWrt:~# ping aa.com -c 3
PING aa.com (23.59.182.130): 56 data bytes
64 bytes from 23.59.182.130: seq=0 ttl=53 time=9.693 ms
64 bytes from 23.59.182.130: seq=1 ttl=53 time=10.013 ms
64 bytes from 23.59.182.130: seq=2 ttl=53 time=9.792 ms
I would greatly appreciate some guidance on what to try/validate if you guys have the time.
The part I am most fuzzy on is step #2 here. I do not understand what FQDNs I need to put in, or why, for LAN clients I want routed over the VPN for everything. But I am open to clarity on step #1 as well if that's where my issue is.
Usage:
Define the nftables sets in LuCI "Firewall → IP Sets" first. Use the correct family (IPv4 or IPv6) there, match on dest_ip and define separate sets for IPv4 and IPv6 if necessary. Adding a timeout helps clear old entries out of the ipsets automatically.
Then add those sets to dnsmasq resolving under "DHCP & DNS → IP Sets". (Note: add both the IPv4 and the IPv6 set to the IP set option of the element as necessary. Multiple nftables sets can be specified for each group.)
Finally add them to the mwan3 rules. I use specific, separate rules for IPv4/IPv6, but IPv4+IPv6 works as well because it'll match the family of the ipset anyway (which is IPv4 by default if not explicitly defined under "Firewall → IPsets", as that is the default family for an ipset).
Hi and thank you for the response utop.
I eventually gave up on mwan3 and went with the functional PBR. It works for my current need even though I was wanting to get mwan3 going again after the code update.
Appreciate it. Maybe in the future there will be an update that allows it to work out of the box again but if not, I may take another stab in some future date.
Guys, I have been messing around with OpenWrt and networking for over 10 years and I straight up don't understand how we're supposed to configure MWAN properly here:
Define the nftables sets in LuCI "Firewall → IP Sets" first. Use the correct family (IPv4 or IPv6) there, match on dest_ip and define separate sets for IPv4 and IPv6 if necessary. Adding a timeout helps clear old entries out of the ipsets automatically.
Define what, exactly? There are two rules that pre-exist for me - MWAN-IPSetv4 and MWAN-IPSetv6. What am I entering here? This is my LAN subnet - I don't understand what this has to do with WAN or MWAN config.
Then add those sets to dnsmasq resolving under "DHCP & DNS → IP Sets". (Note: add both the IPv4 and the IPv6 set to the IP set option of the element as necessary. Multiple nftables sets can be specified for each group.)
Once again I am confused. Are we asking OpenWrt to look at local subnets for DNS? Why? Also what is with FQDNs - I don't understand how domain names have anything to do with this. Am I supposed to be defining the local FQDN, which in my case is ".lan"?
Finally add them to the mwan3 rules. I use specific, separate rules for IPv4/IPv6, but IPv4+IPv6 works as well because it'll match the family of the ipset anyway (which is IPv4 by default if not explicitly defined under "Firewall → IPsets", as that is the default family for an ipset).
I suppose this section makes more sense once we understand what we're doing with steps 1 and 2, but some sort of additional information with examples would be highly appreciated.
I know this thread is old, but the issue doesn't seem to be solved. I'm struggling in the same way as @stephendt here. All I am looking for is a reliable failover, no fancy IP-based/load balancing multiWANing. I don't get the whole point with the IP Sets either. Why would you need any IP sets when all that is to be done is: look whether WAN_A fails (e.g., ping is lost >XXX seconds), then switch over to WAN_B. Any help on how to achieve this in the most simple manner?
Just as a heads up, I did get this working, these are my notes:
2024-08-08 Update
Versions based on 23.05.x require an additional script and actions for MWAN to work, apparently. See here: https://openwrt.org/docs/guide-user/network/wan/multiwan/mwan3#nft2ipset_init_script
https://openwrt.org/docs/guide-user/network/wan/multiwan/mwan3#ipset_support
https://openwrt.org/docs/guide-user/network/wan/multiwan/mwan3#nft2ipset_init_script
https://forum.openwrt.org/t/23-05-dnsmasq-ipsets-and-mwan3-incompatibility/174926
Step 1 - Configuring 4G USB modem for Load Balancing (if applicable)
If you are using a USB 4G modem without a NAT layer, you will need to enable a setting for load balancing to function after a reboot, as USB modems don't get initialised until some time after boot, which will likely disrupt your load balancing config. To do this:
Go to Modem -> Connection Profile
Advanced Tab
Set "Enable Load Balancing at Connection" to Yes.
Step 2 - Configuring Interfaces
NOTE: This has been updated for 23.05.
Go to Interfaces → WAN Interface(s)
Ensure that your IPv4 WAN DNS is 1.1.1.2 as a primary, and 9.9.9.9 as a secondary.
Configure your interface "metric". Interfaces with a lower metric will be configured as the default router.
Set your primary WAN metric as 1
Set your secondary WAN metric as 2
NOTE: your secondary WAN interface must be on a separate interface (e.g. USB ethernet, dedicated VLAN'ed ethernet port, dedicated Wi-Fi client interface, etc.). If you want to configure a WAN interface on your LAN interface (e.g. if there is a gateway somewhere else on your LAN) you will need to configure a MACVLAN interface; see here for more info.
Go to Interfaces → LAN
Ensure your DHCP Server settings are set in a way that configures your router as the primary DNS, and 9.9.9.9 as the secondary DNS, in case DNS breaks.
Install the necessary packages for MWAN3 via SSH. You may need to log out and log back in for web interface options to appear.
Go to Network → MultiWAN
Interfaces
Configure the primary WAN connection (usually "wan") by clicking "Edit"
Enabled = Yes
Tracking Hostname or IP address:
1.1.1.1
9.9.9.9
Ping Count = 2
Ping timeout = 1 second
Ping interval = 1 seconds
Failure interval = 1 second
Interface down = 2
Recovery interval = 10 seconds
Flush conntrack = always / all
Configure any additional WAN connections by clicking "Edit", or if it isn't in the list, define it manually (e.g. "wanb" or "lwan" - be aware this is case sensitive).
Use the same settings as the primary WAN.
Any other WAN connections that are not needed should be removed.
Members
Ensure that there is a suitable member for each interface. For failover purposes we will be using weight "3" in all situations, and we will just be changing the metric if needed.
Ensure that there is one member for each interface and remove all others. E.g.
wan_m1_w3
lwan_m2_w3
Policy
Click Edit on an appropriate policy, or create a new one (e.g. wan_lwan)
Ensure that your members are correct. The primary wan should be first, followed by the secondary wan. Ensure that the items listed match the items available in the drop-down menu. Unreachable should be the "last resort".
For routers running 23.05.x (and possibly above), this additional section is required, but can be skipped for other versions. Log in via SSH and install the nft2ipset init script via the following commands:
wget -O /etc/init.d/nft2ipset https://gist.github.com/Kishi85/b7f379f9aa19f4878af28b8e1a8887ab/raw/
chmod +x /etc/init.d/nft2ipset
service nft2ipset enable
service nft2ipset start
Once the script has run, we need to configure a couple of additional rules to ensure that our interfaces will always have the ability to reach our failover ping destination.
Go to Network → Firewall → IP Sets
Click add and configure an ipset with the following
Name = mwan4
Family = ipv4
Packet Field Match = dest_ip
IP / Networks / MACs = 1.1.1.1/30
Timeout = 60
Save and apply
Go to Network → DHCP & DNS → IP sets
Click Add and configure the IP Set
Name = mwan4
FQDN = one.one.one.one
Table IP Family IPv4+6
Save & Apply
Go back to Network → MultiWAN Manager → Rule
Add a rule
Name = mwan4
Internet Protocol = IPv4 only
Source address = YOUR_SUBNET (e.g. 192.168.1.0/24)
Destination address = 1.1.1.1/30
IPSet = mwan4
Policy assigned = wan_wanb (or your mwan policy name)
Save and apply
Update crontab to ensure that there is failover in case there is an issue with the above.
Go to "Networking, Modems, Routers, Wi-Fi APs, Bridging, Repeaters, QOS, DNS, VPN and Custom Firmwares - Best Practices" and add the following to scheduled tasks:
Reboot every day at 11pm (or any suitable time - however daily reboot is recommended, especially with USB modems)
Restart Networking On DNS Drops (Alternative)
Restart Router on Ping Drops (Alternative)
Save your configuration and reboot your router.
Test your failover. Keep in mind that failover is slow on 23.05 and newer, and unfortunately there is no solution yet.
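The recurring failure mode in this thread (and in the notes above) is a mismatch between the set defined under "Firewall -> IP Sets" and the set dnsmasq is told to feed under "DHCP & DNS -> IP Sets": a wrong match field, a wrong table family, or a set dnsmasq ends up creating itself with defaults. The script below is an added example, not from this thread or from OpenWrt, that parses `uci export` output for both configs and reports those mismatches; the UCI option names it reads (name, family, match, table_family, domain) are assumed to match the 23.05 schema, and the sample config is constructed.

```shell
#!/bin/sh
# Added example, not from the thread: cross-check "Firewall -> IP Sets" against
# "DHCP & DNS -> IP Sets". Input is the text of `uci export firewall` and `uci export dhcp`;
# the option names (name, family, match, table_family, domain) are assumed to match 23.05.
# On a router: check_ipsets "$(uci export firewall)" "$(uci export dhcp)"
fw_sets() {   # one line per firewall ipset: "<name> <family> <match,...>" (family defaults to ipv4)
    printf '%s\n' "$1" | awk -v q="'" '
        function flush() { if (ipset && n != "") print n, f, (m == "" ? "-" : m) }
        $1 == "config" { flush(); ipset = ($2 == "ipset"); n = ""; f = "ipv4"; m = "" }
        ipset && $1 == "option" && $2 == "name"   { gsub(q, "", $3); n = $3 }
        ipset && $1 == "option" && $2 == "family" { gsub(q, "", $3); f = $3 }
        ipset && $1 == "list"   && $2 == "match"  { gsub(q, "", $3); m = (m == "" ? $3 : m "," $3) }
        END { flush() }'
}
dns_sets() {  # one line per set dnsmasq feeds: "<name> <table_family> <domains>" (defaults to inet)
    printf '%s\n' "$1" | awk -v q="'" '
        function flush() { if (ipset) for (i = 1; i <= nn; i++) print names[i], tf, (d == "" ? "-" : d) }
        $1 == "config" { flush(); ipset = ($2 == "ipset"); nn = 0; tf = "inet"; d = "" }
        ipset && $1 == "list"   && $2 == "name"         { gsub(q, "", $3); names[++nn] = $3 }
        ipset && $1 == "list"   && $2 == "domain"       { gsub(q, "", $3); d = (d == "" ? $3 : d "," $3) }
        ipset && $1 == "option" && $2 == "table_family" { gsub(q, "", $3); tf = $3 }
        END { flush() }'
}
check_ipsets() {  # prints one line per problem; returns 1 if any were found, else 0
    fw=$(fw_sets "$1")
    problems=$(dns_sets "$2" | while read -r name tf domains; do
        set -- $(printf '%s\n' "$fw" | awk -v n="$name" '$1 == n')
        # not defined on the firewall side: dnsmasq creates the set itself with defaults (IPv4, no timeout)
        [ $# -gt 0 ] || { echo "$name: used by dnsmasq but not defined under Firewall -> IP Sets"; continue; }
        case ",$3," in *,dest_ip,*) ;; *) echo "$name: firewall match is '$3', expected dest_ip" ;; esac
        [ "$tf" = "inet" ] || echo "$name: dnsmasq table family is '$tf', but fw4 sets live in the inet table"
    done)
    [ -z "$problems" ] || { printf '%s\n' "$problems"; return 1; }
}
# Constructed sample: mwan4 is correct; vpn_sites has match 'net' and table family 'ip'; vpn_sites6 is dnsmasq-only.
FW_SAMPLE="config ipset
    option name 'mwan4'
    option family 'ipv4'
    list match 'dest_ip'
config ipset
    option name 'vpn_sites'
    list match 'net'"
DHCP_SAMPLE="config ipset
    option table_family 'inet'
    list name 'mwan4'
    list domain 'one.one.one.one'
config ipset
    option table_family 'ip'
    list name 'vpn_sites'
    list name 'vpn_sites6'
    list domain 'example.com'"
check_ipsets "$FW_SAMPLE" "$DHCP_SAMPLE" || echo "(fix the above before adding the mwan3 rules)"
```

Run it on the router after steps 1 and 2 and before creating the mwan3 rule; a clean run means the set dnsmasq populates is the same set (same family, same table) that mwan3 will match on.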
It sure is. On a related note, has anyone tested this with OpenWrt 24.10? I know it's still in RC, but it would be very nice if this worked properly...
Huge help! Thank you very much! The Wiki could use some better explanations.
I'd just point out, or more like remark, to be sure to have 'iptables-nft' and 'ip6tables-nft' installed.
However, I'm still having trouble with the fail-over switching this way:
If I stop the main wan via 'Interfaces-wan' -> [stop button]: IT WORKS, IT SWITCHES.
If I pull the ethernet plug (like if my ISP would fail): IT DOESN'T WORK.
In this case, mwan3 is useless. I have to personally stop the interface, which is the main purpose of mwan3...
So, I wonder if it could be possible to write a shell script to do that manual testing and stop the main wan interface... and then to restart it once it has tested for connectivity again. Automatically.
I don't know if this is helpful or not but my MWAN setup does work when the ethernet is randomly pulled. It just takes a little while, sometimes up to a minute or more. Not sure why.
Pulling the ethernet plug is detected by MWAN3 only via lost pings. And then there are a few retries before the switchover is activated. You should read and understand the docs about MWAN3 config (are pings used, how often, how many retries).