Ipset list (iphash) as Source IPs list in MWAN3 rules

Is this possible? In Luci, or config files, or with custom rules/scripts?

@g.L.77 , welcome to the community!

Yes, it is possible to make a firewall rule to ALLOW/REJECT/DROP from a given list of SRC IPs.

It is... but I'm not sure I'm clear on what you mean by this (since you mention mwan3)?

Hi @lleachii, thank you for your response!

I want to do policy based routing with 2 outgoing interfaces, based on source IP address - I need some IP addresses (client PCs) from the LAN side to go out via WAN, and others via WAN2.

As there may be hundreds of non-contiguous IP addresses in both groups, I need to use ipsets as the source address in the rules.

In addition, for one of the IP groups I need failover, so MWAN3 seems to be the tool for my purposes.

There is another request for same, but I saw it later:

Can mwan3.user file be used for iptables commands in Chain "mwan3_rules"?

To answer myself, mwan3.user can be used; just add the iptables rule
"iptables -t mangle -I mwan3_rules -m set --match-set s_ipset src -m mark --mark 0x0/0x3f00 -j mwan3_policy_wan2_only", where "s_ipset" is ipset list with source IP addresses.

This makes double rules in the "mwan3_rules" chain because the script is invoked twice by the events on the 2 WAN interfaces, but it is not a problem.
This rule does only source IP based policy routing, not failover or balancing.
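An idempotent /etc/mwan3.user along the lines of the self-answer above, written here as an added example (it is not from the thread or from the mwan3 project): it creates and fills the ipset with a few constructed member addresses, then uses iptables -C so the rule is inserted only once, which avoids the duplicated rules mentioned. The set name s_ipset, the policy chain mwan3_policy_wan2_only and the mark test 0x0/0x3f00 come from the post; the member addresses and the ACTION handling are assumptions.

```shell
#!/bin/sh
# /etc/mwan3.user is run on every mwan3 interface event (ACTION=ifup, ifdown, ...),
# so everything below is written to be safe to run repeatedly.

SET_NAME="s_ipset"                         # ipset name from the post
POLICY_CHAIN="mwan3_policy_wan2_only"      # mwan3 policy chain from the post
# Constructed example members (assumption); in practice load them from a file.
SET_MEMBERS="192.168.1.10 192.168.1.23 192.168.2.77"

ensure_ipset() {
    # -exist turns create/add into no-ops when the set or entry already exists
    ipset create "$1" hash:ip -exist
    for ip in $2; do
        ipset add "$1" "$ip" -exist
    done
}

ensure_rule() {
    # iptables -C exits 0 when an identical rule is already in the chain;
    # only insert when it is missing, so repeated runs do not stack copies.
    # The mark test 0x0/0x3f00 matches packets no earlier mwan3 rule has assigned.
    if iptables -t mangle -C mwan3_rules -m set --match-set "$1" src \
            -m mark --mark 0x0/0x3f00 -j "$2" 2>/dev/null; then
        return 0   # already present, nothing to do
    fi
    iptables -t mangle -I mwan3_rules -m set --match-set "$1" src \
        -m mark --mark 0x0/0x3f00 -j "$2"
}

apply_policy_rules() {
    ensure_ipset "$SET_NAME" "$SET_MEMBERS"
    ensure_rule "$SET_NAME" "$POLICY_CHAIN"
}

# Only act on interface-up events; other ACTION values leave the rule in place.
case "$ACTION" in
    ifup) apply_policy_rules ;;
esac
```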
