Custom URLs to select interface route to same IP

Dear all,

I have an OpenWRT router setup which runs MWAN3 across 3 interfaces;

4G modem
WAN_A
WAN_B

WAN_A and WAN_B both require me to log in to the network, through the same portal at the same IP address, before I can access the internet.

If neither is logged in, MWAN3 redirects to the 4G modem, so I set up a static route via a gateway to ensure that when I call up the IP address (10.28.108.1) it goes to WAN_A or WAN_B.

Here is the problem.

I'm tired of having to log in to my router, go to static routes, and then change the IP depending on which interface I want to use today.

I would like to create two custom URLs that work on my LAN, so that when I open my browser and type:

WAN_A/ --> It goes to login portal (10.28.108.1) on the WAN_A interface
WAN_B/ --> It goes to login portal (10.28.108.1) on the WAN_B interface

Any guidance on how to do this will be greatly appreciated!

Create 2 firewall DNAT redirects from your router's custom IP/port to the portal's IP.
Then create 2 rules to mark traffic based on the original destination IP/port.
The marked traffic can be routed to the WAN-specific routing table.


Hey,

Thank you for the reply.

I'm trying to follow your instructions but my understanding of firewall rules may fall short.

I understand you want me to establish a dummy IP address that I then pick up and redirect when going in and out of LAN--WAN.

I would like to go step by step - So I'm hoping for help with just this first part - Establishing a dummy IP that will redirect all traffic back and forth.

This is what I got:

I'm picking up the traffic using a dummy IP, 1.2.3.4, and redirecting it to the portal. When the traffic comes back in, for now I just forward it to my actual PC's IP.

In firewall:

# Redirect TCP connections from the lan zone that are addressed to the
# placeholder 1.2.3.4:8443 to the login portal at 10.28.108.1:8443.
# NOTE(review): 1.2.3.4 is publicly routable address space, not a private
# address. Any packet this rule does not match (another port or protocol, or
# the rule disabled) is routed like ordinary Internet-bound traffic, so portal
# requests can leave the network. A private (RFC 1918) placeholder avoids that.
config redirect
        option target 'DNAT'
        option src 'lan'
        option dest 'wan'
        option proto 'tcp'
        option src_dip '1.2.3.4'                 # Original destination IP to match (the placeholder)
        option src_dport '8443'              # Original destination port to match
        option dest_ip '10.28.108.1'      # New destination: the login portal
        option dest_port '8443'             # New destination port (same as the original)
        option name 'DummyIpTest'

# Test rule: DNAT for TCP arriving from the wan zone on port 8443, sent to the PC.
# NOTE(review): this is an inbound port forward, not a return path. Replies
# belonging to a DNAT'd connection are translated back by connection tracking
# without any extra rule. What this rule does is expose 192.168.10.175:8443 to
# new connections from whatever networks are in the 'wan' zone. Remove it once
# testing is finished.
config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option src_dport '8443'                 # Match TCP from the wan zone with destination port 8443
        option dest_ip '192.168.10.175'   # Forward to the test PC
        option dest_port '8443'
        option name 'DummyIpTestReturn'

# Attempt to make traffic from the portal appear to the LAN as coming from 1.2.3.4.
# NOTE(review): likely redundant. Connection tracking already reverses the DNAT
# on reply packets, so the client sees replies from the address it contacted.
# For SNAT, dest_port matches the destination port, whereas portal replies
# would carry 8443 as their source port - confirm whether this rule ever matches.
config redirect
        option target           'SNAT'
        option src              'wan'
        option dest             'lan'
        option proto            'tcp'
        option src_ip           '10.28.108.1' 
        option src_dip          '1.2.3.4' # For SNAT: the address the source IP is rewritten to
        option dest_port        '8443'
        option name             'SNATScript'
        option enabled          '1'


This does not work.

Chrome gives me:

1.2.3.4 didn’t send any data.

ERR_EMPTY_RESPONSE

Traceroute gives me:

traceroute to 1.2.3.4:8443 (1.2.3.4), 30 hops max, 38 byte packets
 1  100.100.100.253  3.682 ms
 2  10.247.28.1  16.844 ms
 3  10.219.17.69  30.448 ms
 4  10.219.17.70  18.594 ms
 5  172.31.247.217  23.393 ms
 6  200.0.16.24  23.002 ms
 7  200.0.16.20  22.606 ms
 8  200.0.16.17  23.016 ms
 9  216.152.165.141  56.348 ms
10  216.152.164.134  72.446 ms
11  *

I feel like the issue is that I did not properly tag the traffic, but I do not understand how I'm supposed to do it.

# Publish two local DNS names through dnsmasq, one per WAN. Each resolves to a
# private placeholder address (172.16.0.1 / 172.16.0.2) that stands for the
# login portal as reached over that WAN.
# Clients that use their own resolver instead of the router will not see these
# names and have to use the placeholder addresses directly.
n=1
for host in lp_wana lp_wanb; do
    uci -q delete "dhcp.${host}"    # drop any stale section so a rerun starts clean
    uci set "dhcp.${host}=domain"
    uci set "dhcp.${host}.name=${host}"
    uci set "dhcp.${host}.ip=172.16.0.${n}"
    n=$((n + 1))
done

# Persist the change and reload dnsmasq so the names resolve immediately.
uci commit dhcp
/etc/init.d/dnsmasq restart

# portal_redirect SECTION NAME ALIAS_IP
# Creates a DNAT redirect: TCP from the lan zone addressed to ALIAS_IP is sent
# to the login portal at 10.28.108.1, port 443.
# NOTE(review): no src_dport is set, so presumably every TCP port on the alias
# is rewritten to 443, while the MARK rules below only cover port 443 - confirm
# the port matches the one the portal actually listens on.
portal_redirect() {
    uci -q delete "firewall.$1"    # drop any stale section so a rerun starts clean
    uci set "firewall.$1=redirect"
    uci set "firewall.$1.name=$2"
    uci set "firewall.$1.src=lan"
    uci set "firewall.$1.src_dip=$3"
    uci set "firewall.$1.dest_ip=10.28.108.1"
    uci set "firewall.$1.dest_port=443"
    uci set "firewall.$1.proto=tcp"
    uci set "firewall.$1.target=DNAT"
}

# portal_mark SECTION NAME ALIAS_IP MARK
# Creates a MARK rule: TCP from the lan zone to ALIAS_IP:443 gets firewall mark MARK.
# The match is on the alias address, i.e. the destination as the client sent it
# (presumably evaluated before the DNAT rewrite - confirm on your firewall version).
portal_mark() {
    uci -q delete "firewall.$1"
    uci set "firewall.$1=rule"
    uci set "firewall.$1.name=$2"
    uci set "firewall.$1.src=lan"
    uci set "firewall.$1.dest_ip=$3"
    uci set "firewall.$1.dest_port=443"
    uci set "firewall.$1.proto=tcp"
    uci set "firewall.$1.set_mark=$4"
    uci set "firewall.$1.target=MARK"
}

# One alias address per WAN: 172.16.0.1 -> WAN A, 172.16.0.2 -> WAN B.
portal_redirect lp_wana LoginPortal-WANA 172.16.0.1
portal_redirect lp_wanb LoginPortal-WANB 172.16.0.2

# NOTE(review): nothing in this script consumes marks 0x1 / 0x2. They only
# affect routing once a policy rule (for example a 'config rule' in
# /etc/config/network with 'option mark' and 'option lookup') points each mark
# at a routing table whose route to the portal leaves via the matching WAN.
# mwan3 also uses firewall marks; verify these values do not overlap its mask.
portal_mark lp_marka LoginPortal-MarkA 172.16.0.1 0x1
portal_mark lp_markb LoginPortal-MarkB 172.16.0.2 0x2

# Persist the rules and reload the firewall.
uci commit firewall
/etc/init.d/firewall restart

Hey, thank you for the swift reply. I only had time to really investigate this evening.

This is where I am now -

The DHCP part works, but it requires that users do not have their own DNS set. This part is fine overall. To avoid confusion, I will not mention below the aliases I have given to the different IPs.

As for the root of the problem, this is what I got:

Firewall:

# DNAT TCP connections from the lan zone addressed to 1.2.3.4:8443 to the
# login portal at 10.28.108.1.
# NOTE(review): 1.2.3.4 is publicly routable address space. Requests to it that
# this rule does not match (for example a different port) are not rewritten and
# are routed onward as sent; a private (RFC 1918) placeholder keeps such
# traffic from leaving toward an unrelated Internet host.
config redirect 'WanB'
        option target 'DNAT'
        option src 'lan'
        option dest 'wan'
        option proto 'tcp'
        option src_dip '1.2.3.4'
        option name 'LoginWanB'
        option enabled '1'
        option src_dport '8443'
        option dest_ip '10.28.108.1'
        # No dest_port is set; presumably the destination port stays 8443 - confirm.

Network:

# Static route: packets whose destination is 1.2.3.4 leave via WANB's gateway.
# NOTE(review): DNAT is applied before the routing decision, so a connection the
# redirect has already rewritten to 10.28.108.1 is no longer covered by this
# route. It only steers packets that are still addressed to 1.2.3.4 - verify
# which of the two cases the working test actually exercises.
config route
        option interface 'WANB'
        option gateway '100.100.100.253' # WAN B network gateway
        option target '1.2.3.4'

# Static route: the portal address itself (10.28.108.1) is reached via WANA,
# using the upstream modem/router at 192.168.1.1 as gateway.
config route
        option target '10.28.108.1'
        option interface 'WANA'
        option gateway '192.168.1.1'  # Wan A is behind an upstream ADSL modem/router

And this works to the point that my core problem is solved

I type in my browser:

  • 1.2.3.4 --> It opens the login window routing through WAN B

  • 10.28.108.1:8443 --> It opens the login window routing through WAN A

All the rest did not work or did not make a difference.

  • Marking traffic did not cause any issue, but it also did not make any difference.

  • I am not able to create a custom IP for WAN A, I use the same settings as I use for WAN B, only changing the route to go on WAN A, and then it stops working. Something related to the upstream router?

  • I added: option dest 'wan' to the firewall setting, but not sure it makes much difference.

I feel that the bit you marked (0x1 and 0x2) is never getting used for anything, and that is why it never worked? Should there not somewhere be another configuration that looks for this bit and tells the router to identify that stream of data as originating from one or the other?