HTTPS with mwan3

0x2f0713 · March 16, 2020, 6:23pm

Hi, sorry for my bad English
I want to use HTTPS with combined speed of 2 WANs. So I try adding WireGuard zone as image below but it is not working. Do you have any solution for this problem? Thank you!

eduperez · March 16, 2020, 6:33pm

I'm confused... you mention two WANs, mwan3, and a Wireguard connection, but you do not give any more details about how they are configured or related to each other.

0x2f0713 · March 16, 2020, 7:06pm

Interfaces

The first WAN is wan and wan6 interface, plugged in port WAN on my router
The second WAN is wanb interface, Wireless WAN
The wg0 interface is in vpn zone

Firewall


config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone 'lan'
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan'

config zone 'wan'
	option name 'wan'
	option output 'ACCEPT'
	option network 'wan wan6 wanb'
	option input 'ACCEPT'
	option forward 'ACCEPT'
	option masq '1'
	option mtu_fix '1'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config forwarding 'lan_wan'
	option dest 'wan'
	option src 'lan'
	option enabled '1'

config zone
	option network 'wg0'
	option forward 'REJECT'
	option name 'vpn'
	option output 'ACCEPT'
	option input 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding 'wan_vpn'
	option dest 'vpn'
	option src 'wan'
	option enabled '1'

Mwan3
Image URL:
Interfaces: https://forum.openwrt.org/uploads/default/original/3X/3/5/352713883cf38bbbacc00e7b3edd5bf5eaab10aa.png
Policies:
https://forum.openwrt.org/uploads/default/original/3X/e/1/e1ec2c3ad8a64e769dd94fcd44332b363eb5e0ce.png
Rules:
https://forum.openwrt.org/uploads/default/original/3X/3/6/36cca28fe530c8abecc25e6c050e1d329a47344d.png

lleachii · March 16, 2020, 7:30pm

@0x2f0713, welcome to the community!

Any given connection will only be as fast at the link it used.
Both WANs use 192.168.1.0/24, this could cause problems.

0x2f0713 · March 16, 2020, 7:32pm

Hmm I don't understand

Any given connection will only be as fast at the link it used.

Can you explain it?

lleachii · March 16, 2020, 7:34pm

You only use 1 connection you can have 2 links and magically split/double the TCP connection speed - if that's your goal. You can use both WANs, though.

0x2f0713 · March 16, 2020, 7:58pm

But when downloading file with HTTPS, router use only one WAN , want to download with double speed by 2 WANs

eduperez · March 16, 2020, 8:19pm

Yes, that is fine, but unfortunately TCP does not work like that. You need an ISP that supports bonding, or an external VPS where you can bond your WANs, ...

0x2f0713 · March 16, 2020, 8:25pm

So, can I use WireGuard to solve this problem ?

0x2f0713 · March 17, 2020, 6:54am

Help me! Please

eduperez · March 17, 2020, 8:03am

Yes, Wireguard could help:

Rent an external VPS with at least double the total bandwidth that you have on-site.
Create two Wireguard connections between your site and the VPS.
Bond both connections together.

0x2f0713 · March 17, 2020, 9:35am

Can you give me detailed instructions? I tried CloudFlare WARP+ but I don't have Internet

eduperez · March 17, 2020, 12:50pm

I do not see what role does Cloudfare's WARP plays here, and I do not understand what "I don't have internet" means here.

Sorry, but I do not have detailed instructions available. But I have you a three step guide, have you done any work on those steps?