Can't connect to openvpn when mwan3 is enabled (18.06.0-rc2)

Per · July 21, 2018, 10:09am

It works fine when mwan3 is disabled and the seemingly same configuration works well in 17.01.5. I used the OpenVPN server setup guide from the wiki in both setups. I would very much appreciate if anyone has any suggestions about how to fix it.

When I try to connect I get this in the client log (Parts of the external IPs have replaced by 1 in all the logs)

Sat Jul 21 11:29:31 2018 OpenVPN 2.4.4 i686-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Sep 26 2017
Sat Jul 21 11:29:31 2018 Windows version 6.2 (Windows 8 or greater) 32bit
Sat Jul 21 11:29:31 2018 library versions: OpenSSL 1.0.2l  25 May 2017, LZO 2.10
Enter Management Password:
Sat Jul 21 11:29:31 2018 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25341
Sat Jul 21 11:29:31 2018 Need hold release from management interface, waiting...
Sat Jul 21 11:29:32 2018 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25341
Sat Jul 21 11:29:32 2018 MANAGEMENT: CMD 'state on'
Sat Jul 21 11:29:32 2018 MANAGEMENT: CMD 'log all on'
Sat Jul 21 11:29:32 2018 MANAGEMENT: CMD 'echo all on'
Sat Jul 21 11:29:32 2018 MANAGEMENT: CMD 'hold off'
Sat Jul 21 11:29:32 2018 MANAGEMENT: CMD 'hold release'
Sat Jul 21 11:29:32 2018 NOTE: --fast-io is disabled since we are running on Windows
Sat Jul 21 11:29:32 2018 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Jul 21 11:29:32 2018 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Jul 21 11:29:32 2018 MANAGEMENT: >STATE:1532165372,RESOLVE,,,,,,
Sat Jul 21 11:29:33 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]1.1.1.1:1194
Sat Jul 21 11:29:33 2018 Socket Buffers: R=[65536->65536] S=[65536->65536]
Sat Jul 21 11:29:33 2018 UDP link local: (not bound)
Sat Jul 21 11:29:33 2018 UDP link remote: [AF_INET]1.1.1.1:1194
Sat Jul 21 11:29:33 2018 MANAGEMENT: >STATE:1532165373,WAIT,,,,,,
Sat Jul 21 11:30:03 2018 SIGTERM[hard,] received, process exiting
Sat Jul 21 11:30:03 2018 MANAGEMENT: >STATE:1532165403,EXITING,SIGTERM,,,,,

On the server side it says

Sat Jul 21 09:30:33 2018 47.60.41.55:61617 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sat Jul 21 09:30:33 2018 47.60.41.55:61617 TLS Error: TLS handshake failed

Diagnostics from mwan with it is disabled (works):

MWAN Status - Troubleshooting
INFO: MWAN not running

Software-Version
-------------------------------------------------
OpenWrt - OpenWrt 18.06.0-rc2 r7141-e4d0ee5af5
LuCI - git-18.196.56128-9112198

Output of "ip a show"
-------------------------------------------------
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether bc:ee:7b:56:58:55 brd ff:ff:ff:ff:ff:ff
    inet6 1::beee:7bff:fe56:5855/64 scope link
       valid_lft forever preferred_lft forever
3: ifb0: <BROADCAST,NOARP> mtu 1500 qdisc noop state DOWN group default qlen 32
    link/ether 32:1c:61:cd:58:9b brd ff:ff:ff:ff:ff:ff
4: ifb1: <BROADCAST,NOARP> mtu 1500 qdisc noop state DOWN group default qlen 32
    link/ether da:62:b1:76:5a:b1 brd ff:ff:ff:ff:ff:ff
7: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether be:ee:7b:56:58:55 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
    inet6 1:1:17f:f900::1/60 scope global dynamic noprefixroute
       valid_lft 1207735sec preferred_lft 602935sec
    inet6 fdcb:b0a8:536c::1/60 scope global noprefixroute
       valid_lft forever preferred_lft forever
    inet6 1::bcee:7bff:fe56:5855/64 scope link
       valid_lft forever preferred_lft forever
8: eth0.1@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP group default qlen 1000
    link/ether be:ee:7b:56:58:55 brd ff:ff:ff:ff:ff:ff
9: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether bc:ee:7b:56:58:54 brd ff:ff:ff:ff:ff:ff
    inet 1.1.1.1/20 brd 1.1.239.255 scope global eth0.2
       valid_lft forever preferred_lft forever
    inet6 1:0:c000:4:9087:f85a:83a8:b4fb/128 scope global dynamic noprefixroute
       valid_lft 1207735sec preferred_lft 602935sec
    inet6 1::beee:7bff:fe56:5854/64 scope link
       valid_lft forever preferred_lft forever
10: wlan1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master br-lan state UP group default qlen 1000
    link/ether bc:ee:7b:56:58:55 brd ff:ff:ff:ff:ff:ff
    inet6 1::beee:7bff:fe56:5855/64 scope link
       valid_lft forever preferred_lft forever
11: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master br-lan state UP group default qlen 1000
    link/ether bc:ee:7b:56:58:54 brd ff:ff:ff:ff:ff:ff
    inet6 1::beee:7bff:fe56:5854/64 scope link
       valid_lft forever preferred_lft forever
12: ovpns0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
    link/none
    inet 192.168.200.1/24 brd 192.168.200.255 scope global ovpns0
       valid_lft forever preferred_lft forever
    inet6 1::b57b:45a2:85bd:6991/64 scope link stable-privacy
       valid_lft forever preferred_lft forever

Output of "ip route show"
-------------------------------------------------
default via 1.1.224.1 dev eth0.2 proto static src 1.1.1.1 metric 10
1.1.224.0/20 dev eth0.2 proto static scope link metric 10
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1
192.168.200.0/24 dev ovpns0 proto kernel scope link src 192.168.200.1

Output of "ip rule show"
-------------------------------------------------
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default

Output of "ip route list table 1-250"
-------------------------------------------------

Output of "iptables -L -t mangle -v -n"
-------------------------------------------------
Chain PREROUTING (policy ACCEPT 408 packets, 212K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 164 packets, 29441 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 244 packets, 183K bytes)
 pkts bytes target     prot opt in     out     source               destination
  472 24552 TCPMSS     tcp  --  *      eth0.2  0.0.0.0/0            0.0.0.0/0            tcp flags:0x06/0x02 /* !fw3: Zone wan MTU fixing */ TCPMSS clamp to PMTU
    0     0 TCPMSS     tcp  --  *      usb0    0.0.0.0/0            0.0.0.0/0            tcp flags:0x06/0x02 /* !fw3: Zone wan MTU fixing */ TCPMSS clamp to PMTU

Chain OUTPUT (policy ACCEPT 124 packets, 89088 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 368 packets, 272K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain qos_Default (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0            CONNMARK restore mask 0xf
    0     0 qos_Default_ct  all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0xf
    0     0 MARK       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0xf0 length 0:500 MARK xset 0x22/0xff
    0     0 MARK       icmp --  *      *       0.0.0.0/0            0.0.0.0/0            MARK xset 0x11/0xff
    0     0 MARK       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0xf0 tcp spts:1024:65535 dpts:1024:65535 MARK xset 0x44/0xff
    0     0 MARK       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0xf0 udp spts:1024:65535 dpts:1024:65535 MARK xset 0x44/0xff
    0     0 CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0            CONNMARK save mask 0xff

Chain qos_Default_ct (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MARK       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0xf tcp multiport ports 22,53 /* ssh, dns */ MARK xset 0x11/0xff
    0     0 MARK       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0xf udp multiport ports 22,53 /* ssh, dns */ MARK xset 0x11/0xff
    0     0 MARK       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0xf tcp multiport ports 20,21,25,80,110,443,993,995 /* ftp, smtp, http(s), imap */ MARK xset 0x33/0xff
    0     0 MARK       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0xf tcp multiport ports 5190 /* AOL, iChat, ICQ */ MARK xset 0x22/0xff
    0     0 MARK       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0xf udp multiport ports 5190 /* AOL, iChat, ICQ */ MARK xset 0x22/0xff
    0     0 CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0            CONNMARK save mask 0xff

Diagnostics with mwan3 enabled (doesn't work):

MWAN Status - Troubleshooting

Software-Version
-------------------------------------------------
OpenWrt - OpenWrt 18.06.0-rc2 r7141-e4d0ee5af5
LuCI - git-18.196.56128-9112198

Output of "ip a show"
-------------------------------------------------
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet 192.168.1.1/32 scope global lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether bc:ee:7b:56:58:55 brd ff:ff:ff:ff:ff:ff
    inet6 1::beee:7bff:fe56:5855/64 scope link
       valid_lft forever preferred_lft forever
3: ifb0: <BROADCAST,NOARP> mtu 1500 qdisc noop state DOWN group default qlen 32
    link/ether 32:1c:61:cd:58:9b brd ff:ff:ff:ff:ff:ff
4: ifb1: <BROADCAST,NOARP> mtu 1500 qdisc noop state DOWN group default qlen 32
    link/ether da:62:b1:76:5a:b1 brd ff:ff:ff:ff:ff:ff
7: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether be:ee:7b:56:58:55 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
    inet6 1:11:17f:f900::1/60 scope global dynamic noprefixroute
       valid_lft 1207845sec preferred_lft 603045sec
    inet6 fdcb:b0a8:536c::1/60 scope global noprefixroute
       valid_lft forever preferred_lft forever
    inet6 1::bcee:7bff:fe56:5855/64 scope link
       valid_lft forever preferred_lft forever
8: eth0.1@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP group default qlen 1000
    link/ether be:ee:7b:56:58:55 brd ff:ff:ff:ff:ff:ff
9: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether bc:ee:7b:56:58:54 brd ff:ff:ff:ff:ff:ff
    inet 1.1.1.1/20 brd 1.1.239.255 scope global eth0.2
       valid_lft forever preferred_lft forever
    inet6 1:10:c000:4:9087:f85a:83a8:b4fb/128 scope global dynamic noprefixroute
       valid_lft 1207845sec preferred_lft 603045sec
    inet6 1::beee:7bff:fe56:5854/64 scope link
       valid_lft forever preferred_lft forever
10: wlan1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master br-lan state UP group default qlen 1000
    link/ether bc:ee:7b:56:58:55 brd ff:ff:ff:ff:ff:ff
    inet6 1::beee:7bff:fe56:5855/64 scope link
       valid_lft forever preferred_lft forever
11: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master br-lan state UP group default qlen 1000
    link/ether bc:ee:7b:56:58:54 brd ff:ff:ff:ff:ff:ff
    inet6 1::beee:7bff:fe56:5854/64 scope link
       valid_lft forever preferred_lft forever
12: ovpns0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
    link/none
    inet 192.168.200.1/24 brd 192.168.200.255 scope global ovpns0
       valid_lft forever preferred_lft forever
    inet6 1::b57b:45a2:85bd:6991/64 scope link stable-privacy
       valid_lft forever preferred_lft forever


Output of "ip route show"
-------------------------------------------------
default via 192.168.1.1 dev lo
default via 1.1.224.1 dev eth0.2 proto static src 1.1.1.1 metric 10
1.1.224.0/20 dev eth0.2 proto static scope link metric 10
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1
192.168.200.0/24 dev ovpns0 proto kernel scope link src 192.168.200.1

Output of "ip rule show"
-------------------------------------------------
0:      from all lookup local
1001:   from all iif eth0.2 lookup main
2001:   from all fwmark 0x100/0x3f00 lookup 1
2061:   from all fwmark 0x3d00/0x3f00 blackhole
2062:   from all fwmark 0x3e00/0x3f00 unreachable
32766:  from all lookup main
32767:  from all lookup default

Output of "ip route list table 1-250"
-------------------------------------------------
Table 1: default via 1.1.224.1 dev eth0.2

Output of "iptables -L -t mangle -v -n"
-------------------------------------------------
Chain PREROUTING (policy ACCEPT 78416 packets, 62M bytes)
 pkts bytes target     prot opt in     out     source               destination
78774   62M mwan3_hook  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain INPUT (policy ACCEPT 14402 packets, 2604K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 63818 packets, 59M bytes)
 pkts bytes target     prot opt in     out     source               destination
  462 24032 TCPMSS     tcp  --  *      eth0.2  0.0.0.0/0            0.0.0.0/0            tcp flags:0x06/0x02 /* !fw3: Zone wan MTU fixing */ TCPMSS clamp to PMTU
    0     0 TCPMSS     tcp  --  *      usb0    0.0.0.0/0            0.0.0.0/0            tcp flags:0x06/0x02 /* !fw3: Zone wan MTU fixing */ TCPMSS clamp to PMTU

Chain OUTPUT (policy ACCEPT 9615 packets, 3534K bytes)
 pkts bytes target     prot opt in     out     source               destination
 9674 3538K mwan3_hook  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain POSTROUTING (policy ACCEPT 73433 packets, 63M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain mwan3_connected (2 references)
 pkts bytes target     prot opt in     out     source               destination
38512   57M MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set mwan3_connected dst MARK or 0x3f00

Chain mwan3_hook (2 references)
 pkts bytes target     prot opt in     out     source               destination
88448   66M CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0            CONNMARK restore mask 0x3f00
 3043  220K mwan3_ifaces_in  all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0x3f00
 2868  213K mwan3_connected  all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0x3f00
 2177  160K mwan3_ifaces_out  all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0x3f00
  887 51917 mwan3_rules  all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0x3f00
88448   66M CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0            CONNMARK save mask 0x3f00
67839   60M mwan3_connected  all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match ! 0x3f00/0x3f00

Chain mwan3_iface_in_wan (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MARK       all  --  eth0.2 *       0.0.0.0/0            0.0.0.0/0            match-set mwan3_connected src mark match 0x0/0x3f00 /* default */ MARK or 0x3f00
  175  7739 MARK       all  --  eth0.2 *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0x3f00 /* wan */ MARK xset 0x100/0x3f00

Chain mwan3_iface_out_wan (1 references)
 pkts bytes target     prot opt in     out     source               destination
 1290  108K MARK       all  --  *      eth0.2  0.0.0.0/0            0.0.0.0/0            mark match 0x0/0x3f00 /* wan */ MARK xset 0x100/0x3f00

Chain mwan3_ifaces_in (1 references)
 pkts bytes target     prot opt in     out     source               destination
 3042  220K mwan3_iface_in_wan  all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0x3f00

Chain mwan3_ifaces_out (1 references)
 pkts bytes target     prot opt in     out     source               destination
 2177  160K mwan3_iface_out_wan  all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0x3f00

Chain mwan3_policy_balanced (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0x3f00 /* wan 3 3 */ MARK xset 0x100/0x3f00

Chain mwan3_policy_wan2_wan (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0x3f00 /* wan 3 3 */ MARK xset 0x100/0x3f00

Chain mwan3_policy_wan_only (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0x3f00 /* wan 3 3 */ MARK xset 0x100/0x3f00

Chain mwan3_policy_wan_wan2 (2 references)
 pkts bytes target     prot opt in     out     source               destination
  442 28388 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0x3f00 /* wan 3 3 */ MARK xset 0x100/0x3f00

Chain mwan3_policy_wan_wanb (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0x3f00 /* wan 3 3 */ MARK xset 0x100/0x3f00

Chain mwan3_policy_wanb_wan (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0x3f00 /* wan 3 3 */ MARK xset 0x100/0x3f00

Chain mwan3_rule_https (1 references)
 pkts bytes target     prot opt in     out     source               destination
  430 22415 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0x3f00 MARK xset 0x100/0x3f00
    2    92 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x100/0x3f00 ! match-set mwan3_sticky_https src,src MARK and 0xffffc0ff
    2    92 mwan3_policy_wan_wan2  all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0x3f00
  430 22415 SET        all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match ! 0xfc00/0xfc00 del-set mwan3_sticky_https src,src
  430 22415 SET        all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match ! 0xfc00/0xfc00 add-set mwan3_sticky_https src,src

Chain mwan3_rules (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 mwan3_policy_wan_only  tcp  --  *      *       192.168.1.3          0.0.0.0/0            multiport sports 0:65535 multiport dports 119,563 mark match 0x0/0x3f00 /* nntp */
  430 22415 mwan3_rule_https  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport sports 0:65535 multiport dports 443 mark match 0x0/0x3f00 /* https */
  440 28296 mwan3_policy_wan_wan2  all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0x3f00 /* default_rule */

Chain qos_Default (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0            CONNMARK restore mask 0xf
    0     0 qos_Default_ct  all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0xf
    0     0 MARK       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0xf0 length 0:500 MARK xset 0x22/0xff
    0     0 MARK       icmp --  *      *       0.0.0.0/0            0.0.0.0/0            MARK xset 0x11/0xff
    0     0 MARK       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0xf0 tcp spts:1024:65535 dpts:1024:65535 MARK xset 0x44/0xff
    0     0 MARK       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0xf0 udp spts:1024:65535 dpts:1024:65535 MARK xset 0x44/0xff
    0     0 CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0            CONNMARK save mask 0xff

Chain qos_Default_ct (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MARK       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0xf tcp multiport ports 22,53 /* ssh, dns */ MARK xset 0x11/0xff
    0     0 MARK       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0xf udp multiport ports 22,53 /* ssh, dns */ MARK xset 0x11/0xff
    0     0 MARK       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0xf tcp multiport ports 20,21,25,80,110,443,993,995 /* ftp, smtp, http(s), imap */ MARK xset 0x33/0xff
    0     0 MARK       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0xf tcp multiport ports 5190 /* AOL, iChat, ICQ */ MARK xset 0x22/0xff
    0     0 MARK       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0xf udp multiport ports 5190 /* AOL, iChat, ICQ */ MARK xset 0x22/0xff
    0     0 CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0            CONNMARK save mask 0xff

braian87b · August 3, 2018, 7:52pm

There is some problems with MWAN3 loopback on Lede 17 and possible it persist on 18, can you try Openwrt 15 too see if it fails too?

If you were able to solve your problem by yourself can you post your findings here please? thanks!

Per · August 3, 2018, 9:28pm

It works in Lede 17.01.5. I have not found a solution for OpenWRT 18.06, however I made a bug and someone just commented a few hours ago that it may have been fixed in a PR: https://github.com/openwrt/packages/issues/6551

Hopefully it will be merged, otherwise I'll try to put it together myself to test.

geoff · July 3, 2019, 8:08pm

It is broken again in 18.06.2 with the latest package upgrades from late June 2019. I am running an openvpn server on openwrt, and that breaks as soon as I install mwan3, even with the failover WAN still disabled and disconnected.