Help with mwan3 + wireguard + PBR

Hey guys, I'm having a hard time trying to configure my router. I have used AI, guides, everything, but this one fails no matter what, and I'm not sure what's wrong.

Right now, I'm using mwan3 with failover on 2 physical WAN connections, and it works perfectly fine. Now, I also have created a WireGuard interface which seems to work, but only internally; I mean, you can ping -I the interface and it pings. I need it to work so certain websites go through the WireGuard interface (warp+) using PBR, but this doesn't work: no matter how I define the rule in PBR, it never works.

Also I'm not sure if the wireguard interface will switch as mwan3 switches.

Let me know if you need any config that can help you to help me achieve this.

This is an example of what I have in PBR:

config pbr 'config'
	option enabled '0'
	option verbosity '2'
	option strict_enforcement '1'
	option resolver_set 'none'
	list resolver_instance '*'
	option ipv6_enabled '1'
	list ignored_interface 'vpnserver'
	option boot_timeout '30'
	option rule_create_option 'add'
	option procd_boot_delay '0'
	option procd_reload_delay '1'
	option webui_show_ignore_target '0'
	option nft_rule_counter '0'
	option nft_set_auto_merge '1'
	option nft_set_counter '0'
	option nft_set_flags_interval '1'
	option nft_set_flags_timeout '0'
	option nft_set_gc_interval ''
	option nft_set_policy 'performance'
	option nft_set_timeout ''
	list webui_supported_protocol 'all'
	list webui_supported_protocol 'tcp'
	list webui_supported_protocol 'udp'
	list webui_supported_protocol 'tcp udp'
	list webui_supported_protocol 'icmp'

config policy
	option name 'Twitter Traffic'
	option interface 'wwarp'
	option src_addr '192.168.2.0/24'
	option dest_addr 'x.com twitter.com api.twitter.com'
	option enabled '1'

mwan3:

config globals 'globals'
	option mmx_mask '0x3F00'
	option flush_conntrack_on_member_down '1'

config interface 'wan'
	option enabled '1'
	option family 'ipv4'
	option track_method 'ping'
	option count '1'
	option size '56'
	option max_ttl '60'
	option timeout '2'
	option interval '5'
	option failure_interval '5'
	option recovery_interval '1'
	option down '3'
	option up '3'
	option initial_state 'online'
	option reliability '1'
	list track_ip '208.67.222.222'
	list track_ip '208.67.220.220'
	option metric '1'

config interface 'wanb'
	option enabled '1'
	option family 'ipv4'
	option track_method 'ping'
	option count '3'
	option size '56'
	option max_ttl '60'
	option timeout '2'
	option interval '5'
	option failure_interval '5'
	option recovery_interval '3'
	option down '3'
	option up '3'
	option initial_state 'online'
	option reliability '1'
	list track_ip '8.8.8.8'
	list track_ip '8.8.4.4'
	option metric '2'

config member 'wan_m1_w3'
	option interface 'wan'
	option metric '1'
	option weight '1'

config member 'wanb_m1_w3'
	option interface 'wanb'
	option metric '2'
	option weight '2'

config policy 'wan_failover'
	list use_member 'wan_m1_w3'
	list use_member 'wanb_m1_w3'
	list use_member 'wwarp'
	option last_resort 'unreachable'
	option name 'vpn_policy'

config rule 'https'
	option sticky '0'
	option dest_port '443'
	option proto 'tcp'
	option use_policy 'wan_failover'

config rule 'default_rule_v4'
	option dest_ip '0.0.0.0/0'
	option use_policy 'wan_failover'
	option family 'ipv4'
	option proto 'all'
	option sticky '0'

config rule 'default_rule_v6'
	option dest_ip '::/0'
	option use_policy 'wan_failover'
	option family 'ipv6'
	option proto 'all'
	option sticky '0'

config member 'wwarp_m1_w3'
	option interface 'wwarp'
	option metric '1'
	option weight '1'

And the firewall rules that I think matter:

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'
	list network 'wanb'

config zone
	option name 'vpn'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'wwarp'
	option masq '1'
	option mtu_fix '1'

config include 'pbr'
	option fw4_compatible '1'
	option type 'script'
	option path '/usr/share/pbr/firewall.include'
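
Before getting into the iptables-versus-nft question, two cheap consistency checks are worth running over the posted configs: does every `use_member` in an mwan3 policy point at a `config member` section that actually exists, and is the global `enabled` option in the `config pbr 'config'` section turned on (the per-policy `enabled` does nothing if the global one is off). The script below is an added example, not part of this thread and not code from the mwan3 or pbr projects; the two sample configs are constructed to mirror the ones posted above, and the function names are my own. On a router you would pipe `/etc/config/mwan3` and `/etc/config/pbr` into the functions instead of the samples.

```shell
#!/bin/sh
# Added example: lint mwan3 and pbr UCI configs with POSIX sh + awk.
# Sample inputs are constructed to mirror the thread's posted configs.

# Constructed sample: the mwan3 member/policy sections from the post.
write_sample_mwan3() {
  cat <<'EOF'
config member 'wan_m1_w3'
    option interface 'wan'
    option metric '1'
    option weight '1'

config member 'wanb_m1_w3'
    option interface 'wanb'
    option metric '2'
    option weight '2'

config policy 'wan_failover'
    list use_member 'wan_m1_w3'
    list use_member 'wanb_m1_w3'
    list use_member 'wwarp'
    option last_resort 'unreachable'

config member 'wwarp_m1_w3'
    option interface 'wwarp'
    option metric '1'
    option weight '1'
EOF
}

# Constructed sample: the global pbr section plus one policy from the post.
write_sample_pbr() {
  cat <<'EOF'
config pbr 'config'
    option enabled '0'
    option strict_enforcement '1'

config policy
    option name 'Twitter Traffic'
    option interface 'wwarp'
    option src_addr '192.168.2.0/24'
    option dest_addr 'x.com twitter.com api.twitter.com'
    option enabled '1'
EOF
}

# Read an mwan3 UCI config on stdin; print "<policy> <member>" for every
# use_member whose name has no matching 'config member' section. Members
# are collected first and checked at END, so definition order does not
# matter (the wwarp member is defined after the policy in the sample).
undefined_members() {
  awk '
    $1 == "config" && $2 == "member" { gsub(/\047/, "", $3); defined[$3] = 1 }
    $1 == "config" && $2 == "policy" { gsub(/\047/, "", $3); policy = $3 }
    $1 == "list" && $2 == "use_member" { gsub(/\047/, "", $3); refs[n++] = policy " " $3 }
    END {
      for (i = 0; i < n; i++) {
        split(refs[i], p, " ")
        if (!(p[2] in defined)) print refs[i]
      }
    }
  '
}

# Read a pbr UCI config on stdin; print the value of "option enabled" from
# the global "config pbr" section only (per-policy enabled flags are ignored).
pbr_global_enabled() {
  awk '
    $1 == "config" { section = $2 }
    section == "pbr" && $1 == "option" && $2 == "enabled" { gsub(/\047/, "", $3); print $3; exit }
  '
}

# Report on the constructed samples.
write_sample_mwan3 | undefined_members | sed 's/^/dangling use_member: /'
echo "pbr global enabled=$(write_sample_pbr | pbr_global_enabled)"
```

On the sample mirroring the post, the first check reports `wan_failover wwarp` (the policy lists `wwarp`, while the member section is named `wwarp_m1_w3`), and the second prints `0`. Neither check says anything about whether mwan3 and pbr can coexist on an nft-based OpenWrt; they only catch mistakes that would make the configs misbehave regardless of that question.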

Since mwan3 doesn't use nft/fw4 natively, if you really want to use it with pbr, I'd recommend you downgrade to pre-nft/pre-fw4 version of OpenWrt and use mwan3 there with the most recent pbr-iptables (and the mwan3 compatibility setting from the README). This setup has been known to work. You may have some luck using mwan3 and pbr-iptables on the nft/fw4-capable version of OpenWrt, but don't count on any support from the forum.

If/when mwan3 is re-written to create nft rules and becomes mwan4, I'll make sure it's compatible with the nft-capable pbr.


So the problem is mwan3? Is there a way to use PBR and also have a failover setup that doesn't depend on mwan3?

No, the problem is a combination of mwan3 which uses iptables and pbr which uses nft on the OpenWrt systems which use nft natively and translate iptables calls into nft calls.

If you use mwan3 with pbr-iptables (and dnsmasq with the ipset support), you may get it working on a more modern OpenWrt. You'd have to experiment a lot; last I heard there were two options for using iptables on 23.05, and I'm not sure which one would be more compatible.

No, sorry, I'm not aware of any nft-capable alternative to mwan3.


Thanks anyway. I found a way with a script online to make failover work (first result in Google), and now, after a factory reset and fresh install, PBR works perfectly. Thanks for that information!

Please share the script, so I can add a link to it in the README. No idea what you searched for, so I can't reproduce your first Google result.
