For my Router1, MultiWAN seems to be working. I'm not masquerading the internal connections, and I can ping PC1 from PC2 and vice versa.
For checking the modem, I created a @wan alias (without gateway) and added it to the WAN firewall zone. Hence, I can access the modem configuration from PC1 as it should. I can also ping the @wan interface from PC2, but I haven't figured out how to ping/access the modem from PC2 or Router2. I suppose I need to do something else on Router1, but I'm not sure whether the issue lies in a missing static route or in additional tweaks to the firewall rules. Suggestions are welcome.
Assuming wanb is assigned to the wan firewall zone, you will need to create a traffic rule on Router1.
config rule
	option name 'R2_to_modem'
	list proto 'all'
	option src 'wan'
	list src_ip '192.168.2.0/24'
	option dest 'wan'
	list dest_ip '192.168.1.1'
	option target 'ACCEPT'
Thanks for the reply. I tried that rule and several variations, but it didn't work.
In fact, I have tried the default of having the modem interface in the WAN zone, and also creating a different firewall zone to try other things, but I haven't succeeded. One thing to keep in mind is that the modem firmware doesn't allow me to define a static route.
Here's the most vanilla configuration I'm trying:
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.100.1'

config device
	option name 'eth0.2'
	option ipv6 '0'

config interface 'wan'
	option device 'eth0.2'
	option proto 'dhcp'
	option metric '10'

config interface 'wanb'
	option proto 'static'
	option netmask '255.255.255.0'
	option gateway '192.168.2.1'
	option ipaddr '192.168.2.2'
	option metric '20'

config interface 'modem'
	option proto 'static'
	option device '@wan'
	option defaultroute '0'
	list ipaddr '192.168.1.2/24'
config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option family 'ipv4'
	list network 'lan'

config zone
	option name 'wan'
	option output 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	option family 'ipv4'
	list network 'modem'
	list network 'wan'
	option input 'REJECT'
	option forward 'REJECT'

config forwarding
	option src 'lan'
	option dest 'wan'

config zone
	option name 'wan2'
	option input 'ACCEPT'
	option output 'ACCEPT'
	list network 'wanb'
	option family 'ipv4'
	option forward 'ACCEPT'

config forwarding
	option src 'lan'
	option dest 'wan2'

config forwarding
	option src 'wan2'
	option dest 'lan'
Since you can ping 192.168.1.2 from PC2, it looks like a firewall issue.
Also, my assumption was wrong because wanb is in a separate firewall zone.
Please run these commands on Router1 to see if it makes a difference:
nft insert rule inet fw4 forward ip saddr 192.168.2.0/24 ip daddr 192.168.1.1 counter accept
nft insert rule inet fw4 srcnat ip saddr 192.168.2.0/24 ip daddr 192.168.1.1 counter snat ip to 192.168.1.2
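The same two rules as a persistent /etc/config/firewall entry, with the source zone set to wan2 (where wanb actually lives) rather than wan. This is an added example, not something posted in the thread; it assumes the later addressing from the thread (Router2 LAN 192.168.3.0/24, @wan alias 192.168.1.20, modem 192.168.1.254) and a `config nat` SNAT section, which both fw3 and fw4 accept.

```shell
#!/bin/sh
# Added example (not from the thread): persistent UCI equivalent of the ad-hoc
# nft forward/srcnat rules. Assumed values: Router2 LAN 192.168.3.0/24 behind
# zone wan2, @wan alias 192.168.1.20, modem 192.168.1.254.

# Print a `uci batch` script that lets $2 (behind zone $1) reach modem $3
# through zone wan, rewriting the source to $4 so the modem can answer
# without needing a route back to $2 (the modem firmware cannot add one).
modem_access_batch() {
    src_zone=$1 src_net=$2 modem_ip=$3 snat_ip=$4
    cat <<EOF
add firewall rule
set firewall.@rule[-1].name=R2_to_modem
set firewall.@rule[-1].src=$src_zone
set firewall.@rule[-1].dest=wan
set firewall.@rule[-1].src_ip=$src_net
set firewall.@rule[-1].dest_ip=$modem_ip
set firewall.@rule[-1].proto=all
set firewall.@rule[-1].family=ipv4
set firewall.@rule[-1].target=ACCEPT
add firewall nat
set firewall.@nat[-1].name=R2_to_modem_snat
set firewall.@nat[-1].src=wan
set firewall.@nat[-1].src_ip=$src_net
set firewall.@nat[-1].dest_ip=$modem_ip
set firewall.@nat[-1].proto=all
set firewall.@nat[-1].target=SNAT
set firewall.@nat[-1].snat_ip=$snat_ip
commit firewall
EOF
}

# Apply only where uci exists (an OpenWrt box); elsewhere just show the batch.
if command -v uci >/dev/null 2>&1; then
    modem_access_batch wan2 192.168.3.0/24 192.168.1.254 192.168.1.20 | uci batch
    /etc/init.d/firewall restart
else
    modem_access_batch wan2 192.168.3.0/24 192.168.1.254 192.168.1.20
fi
```

The explicit SNAT pins the source to the alias address even though the wan zone already masquerades; with two addresses on eth0.2 that removes any ambiguity about which one the modem sees.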
Yes, I tried your suggestion from wanb to wan, and also from any to any, but it didn't work.
I'm using 22.03.x on Router1 and 23.05.x on Router2. I don't see nft installed, but iptables.
For this to be routed, the modem would have had to allow me to define a static route pointing to the @wan interface, but because that's not feasible, NAT seems the way to go, and that's why your new suggestion looks promising, except that to-source is not supported on this version.
I really didn't copy/paste the commands because I'm in the process of changing ISP and IP addresses, and I made a mistake in the translation, sorry about that. Now my other router is .3.0/24, my @wan is .1.20, and my modem is .1.254. I checked again, did a power-cycle, and ran the following commands:
root@SVdP2:~# nft insert rule inet fw4 forward ip saddr 192.168.3.0/24 ip daddr 192.168.1.254 counter accept
root@SVdP2:~# nft insert rule inet fw4 srcnat ip saddr 192.168.3.0/24 ip daddr 192.168.1.254 counter snat ip to 192.168.1.20
root@SVdP2:~# ping -c 2 192.168.1.254
PING 192.168.1.254 (192.168.1.254): 56 data bytes
64 bytes from 192.168.1.254: seq=0 ttl=255 time=1.389 ms
64 bytes from 192.168.1.254: seq=1 ttl=255 time=0.785 ms
root@SVdP:~# ping -c 2 192.168.1.20
PING 192.168.1.20 (192.168.1.20): 56 data bytes
64 bytes from 192.168.1.20: seq=0 ttl=64 time=1.734 ms
64 bytes from 192.168.1.20: seq=1 ttl=64 time=5.827 ms
--- 192.168.1.20 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 1.734/3.780/5.827 ms
root@SVdP:~# ping -c 2 192.168.1.254
PING 192.168.1.254 (192.168.1.254): 56 data bytes
root@SVdP2:~# nft list chain inet fw4 forward; nft list chain inet fw4 srcnat
table inet fw4 {
chain forward {
type filter hook forward priority filter; policy drop;
ip saddr 192.168.3.0/24 ip daddr 192.168.1.254 counter packets 7 bytes 588 accept
ct state established,related accept comment "!fw4: Allow forwarded established and related flows"
meta nfproto ipv4 iifname "br-lan" jump forward_lan comment "!fw4: Handle lan IPv4 forward traffic"
meta nfproto ipv4 iifname "eth0.2" jump forward_wan comment "!fw4: Handle wan IPv4 forward traffic"
meta nfproto ipv4 iifname "wlan1" jump forward_wan2 comment "!fw4: Handle wan2 IPv4 forward traffic"
jump handle_reject
}
}
table inet fw4 {
chain srcnat {
type nat hook postrouting priority srcnat; policy accept;
ip saddr 192.168.3.0/24 ip daddr 192.168.1.254 counter packets 2 bytes 168 snat ip to 192.168.1.20
meta nfproto ipv4 oifname "eth0.2" jump srcnat_wan comment "!fw4: Handle wan IPv4 srcnat traffic"
}
}