Is OpenWrt 25.12 able to meet my needs?

Hello,

My current setup has 2 ISPs, one LAN and multiple VLANs. Each ISP is connected to a switch port, VLAN 1001 for the first one and VLAN 1002 for the second one, with the PVID reflecting the VLAN. A server (Debian bookworm) is connected to a switch port which transports all VLANs on one interface named bone. From there, each VLAN on this host gets its own interface using ifup/ifdown: bone.1001, bone.1002, bone.1, bone.210 (guests) aso. This host is part of the LAN, its lan IF being bridged with bone.1.

From there, using kvm/virt-manager, I set up a FW/router using Sophos UTM9 in a VM which does all the work (NAT, port forwarding, aso).

Note: ISP2 brings one IPv4 in a /28 net as well as an IPv6 /48, while ISP1 is a 192.168.136.0/24, 192.168.136.1 being the DMZ IP connected to UTM9 and 192.168.136.254 being the GW to the Internet, which has a public IPv4 IP. All incoming traffic to this public IPv4 IP is redirected to 192.168.136.1, the DMZ. The UTM9 has all its interfaces connected to an IF.vlan except for the local one, which is bridged to the lan IF of the host.

A few services are running behind the UTM9, like https, matrix, wireguard, ssh to some hosts aso.

Question: would OpenWrt be able to replace UTM9 (EOL 2026/06)? I did some tests but they failed, that's why I'm asking here ;).

Yes. :white_check_mark:

Application Service Options (ASO) - this sounds like a marketing term, can you describe the functionality?

From this link - it seems that you can adjust bandwidth based on user?

(Yes - OpenWrt does have traffic shaping options as well.) :white_check_mark:

Yes. :white_check_mark:

To assist, we'll need some details from you regarding what you attempted without success.

1 Like

Hi, thanks for your reply. First of all, aso stands for "and so on" :wink:

I face a few problems:

  • for load balancing, mwan3 wasn't installed, that's why I couldn't get it to work :white_check_mark:
  • the install is new, and by adding mwan3 I now have a warning concerning a mix of iptables/nftables. I would like to use only the latter:
    Legacy rules detected
    There are legacy iptables rules present on the system. Mixing iptables and nftables rules is discouraged and may lead to incomplete traffic filtering.

  • concerning the network: from virt-manager/KVM I create 2 IFs, one bridged to the host lan interface (eth0 in OpenWrt), the other one bridged to the existing bone interface which includes all VLANs (eth3 in OpenWrt). In OpenWrt I then create again a bone interface bridged to eth3 and finally the various 802.1q bone.vlan devices. Don't know if that's correct :thinking:
  • ip -4 route list table 1-250
    Error: argument "1-250" is wrong: table id value is invalid
    Why? Because in the Multi WAN troubleshooting logs I see
    Output of "ip -4 route list table 1-250"
    Which brings me to the point: where are those routes located? Not in /etc/iproute2/rt_tables

Voila, this is the state of my current tests; it shows that effectively OpenWrt is able to take over the job from UTM9. Great :waving_hand:

The routes are located in memory. You only need to populate rt_tables if you intend to NAME the tables.

That argument is invalid. I assume you're running this command to list the contents of 250 different routing tables?

(BTW, the web GUI can show you all routes under Status > Routing.)

It's not clear what you're attempting to do. I understand that you may be used to Sophos, so you may need to be a little more descriptive about your goals.

I list all routing tables with:

ip route show table all

Maybe that is what you want?

1 Like

No, I really wanted to see tables 1 and 2 from ip rule sh

0: from all lookup local
1001: from all iif bone.1001 lookup 1
1002: from all iif bone.1002 lookup 2
2001: from all fwmark 0x100/0x3f00 lookup 1
2002: from all fwmark 0x200/0x3f00 lookup 2

root@host:/etc/config# ip r list table 1
default via 192.168.136.254 dev bone.1001 proto static metric 3
192.168.10.0/24 dev eth0 proto static scope link metric 3
192.168.136.0/24 dev bone.1001 proto static scope link metric 3
root@host:/etc/config# ip r list table 2
default via xxx.yyy.252.177 dev bone.1002 proto static
xxx.yyy.252.176/28 dev bone.1002 proto kernel scope link src xxx.yyy.252.179
192.168.10.0/24 dev eth0 proto static scope link metric 3
192.168.136.0/24 dev bone.836 proto kernel scope link src 192.168.136.2

Thanks for your reply, it seems that the troubleshooting output is a mix of cmd and shortcut, I can live with it :slight_smile:

Since you validated the fact that OpenWrt is a candidate to achieve my goal, step by step I am discovering how to configure it. At this time I have a generally working router/FW, now it's time to apply the various rules I need, like port forwarding and others.

Concerning iptables/nftables, do you have an idea how this mix is possible? Having to reinstall from scratch would not be a problem if it solves this.

Thanks for your help

for x in 1 2; do echo "table $x"; ip -4 route show table $x; done

Have fun

mwan4 is in the works which will be exclusive nftables as part of PBR-1.2.3.

There is also work under way on a port of mwan3 for nftables:

2 Likes

It looks like you discovered the correct syntax.

ip route show table 1
ip route show table 2

It may help if you showed your commands - I see that you posted the IP rules for your system, but didn't show the commands (nor explained why you posted the rules).

Also, see: https://linux.die.net/man/8/ip

I guess this means that the commands are different on Sophos?

Feel free to browse the Linux manuals for commands (or ask away here).

1 Like

It’s more than “under way”. It’s done and just waiting on some others to test it. I’ve been using it a while now.

I’m currently testing a newer version where mwan3rtmon has been rewritten in ucode, since there’s a real advantage to be had there because of the tighter and structured netlink interface in ucode, which means we don’t have to shell out to ip commands and parse text output like we do in the shell code version.

I'm ready to deploy, just don't know how. The README file explains the work done but not how to install. Is it only a copy of the files? I have doubts as I saw a makefile.

You need to use either a full build system or the OpenWrt SDK to compile and create installable apks. This is very much a beta, so ideally something to be tested by someone with fairly good knowledge of OpenWrt and some mastery of the build system.

I don’t have the time myself at the moment to create a bunch of release versions. I’ll get around to that when time permits.

mwan3 is, except for /lib/mwan3/libwrap_mwan3_sockopt.so.1.0 (which remains unchanged) entirely shell script, so you could just copy the files in mwan3/files over the files on your live system and it will work (although don’t copy the etc/config of course).

That will let you use the new mwan3, but you won’t have the updated luci-app-mwan3 which is harder to deploy manually.

If you don’t have the knowledge yet to compile an app then I’d suggest you’re better off waiting than trying to manually deploy it in this way.

OK, will see that.

For now I have the following problem: both WANs have a default route set

ip r
default via xxx.yyy.252.177 dev bone.1002 proto static
default via 192.168.136.254 dev bone.1001 proto static metric 3
xxx.yyy.252.176/28 dev bone.1002 proto kernel scope link src xxx.yyy.252.179
192.168.10.0/24 dev eth0 proto static scope link metric 3
192.168.136.0/24 dev bone.1001 proto static scope link metric 3

When I open an external service (ex: wireguard) on WAN1 corresponding to bone.1001, I see the incoming traffic on bone.1001 but the reply is going out on bone.1002 with the source address of bone.1001, which is 192.168.136.1 !!!

If I remove the default route from WAN2/bone.1002 (the 1st one) it's working as expected. It seems that the reply-to from the VLAN is not honored. I didn't try reversing the order of the default routes.

Output of ip rule sh
root@host:~# ip rule sh
0: from all lookup local
1001: from all iif bone.1001 lookup 1
1002: from all iif bone.1002 lookup 2
2001: from all fwmark 0x100/0x3f00 lookup 1
2002: from all fwmark 0x200/0x3f00 lookup 2
2061: from all fwmark 0x3d00/0x3f00 blackhole
2062: from all fwmark 0x3e00/0x3f00 unreachable
3001: from all fwmark 0x100/0x3f00 unreachable
3002: from all fwmark 0x200/0x3f00 unreachable
32766: from all lookup main
32767: from all lookup default

Output of table 1 and 2
root@guava:~# ip r sh table 1
default via 192.168.136.254 dev bone.1001 proto static metric 3
192.168.10.0/24 dev eth0 proto static scope link metric 3
192.168.136.0/24 dev bone.1001 proto static scope link metric 3
root@guava:~# ip r sh table 2
xxx.yyy.252.176/28 dev bone.1002 proto kernel scope link src xxx.yyy.252.179
192.168.10.0/24 dev eth0 proto static scope link metric 3

What am I missing?
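A check that answers the earlier question of where the tables live and the later "what am I missing" in one go: the table ids are taken from the `lookup N` targets in `ip rule` output (not from /etc/iproute2/rt_tables, which only names tables), and each table is then inspected for a default route. This is an added example, not code from the thread or from mwan3; the sample `ip rule` and `ip route` text is constructed, modelled on the outputs posted above, and the function names (`rule_tables`, `default_dev`, `check_tables`, the `sample_*` and `live_*` helpers) are mine. Note that the second table-2 dump in the post above has no default route, and a table without a default route lets the lookup fall through to the next rule, which is exactly the condition this check reports.

```shell
#!/bin/sh
# Constructed sample of "ip rule show" output (modelled on the rules posted in the thread).
SAMPLE_RULES='0:	from all lookup local
1001:	from all iif bone.1001 lookup 1
1002:	from all iif bone.1002 lookup 2
2001:	from all fwmark 0x100/0x3f00 lookup 1
2002:	from all fwmark 0x200/0x3f00 lookup 2
2061:	from all fwmark 0x3d00/0x3f00 blackhole
32766:	from all lookup main
32767:	from all lookup default'

# Constructed samples of "ip -4 route show table N"; table 2 deliberately lacks a default route.
SAMPLE_TABLE_1='default via 192.168.136.254 dev bone.1001 proto static metric 3
192.168.10.0/24 dev eth0 proto static scope link metric 3
192.168.136.0/24 dev bone.1001 proto static scope link metric 3'
SAMPLE_TABLE_2='xxx.yyy.252.176/28 dev bone.1002 proto kernel scope link src xxx.yyy.252.179
192.168.10.0/24 dev eth0 proto static scope link metric 3'

# rule_tables: read "ip rule" output on stdin, print every numeric "lookup N" target once,
# sorted. Named tables (local/main/default) and blackhole/unreachable rules are skipped.
rule_tables() {
  awk '{ for (i = 1; i <= NF; i++) if ($i == "lookup" && $(i+1) ~ /^[0-9]+$/) print $(i+1) }' | sort -n -u
}

# default_dev: read one table's route dump on stdin, print the device of its default route,
# or NONE when the table has no default route at all.
default_dev() {
  awk '$1 == "default" { for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i+1); found = 1; exit } }
       END { if (!found) print "NONE" }'
}

# Sample providers (offline) and live providers (run on the router itself).
sample_rules() { printf '%s\n' "$SAMPLE_RULES"; }
sample_table() {
  case "$1" in
    1) printf '%s\n' "$SAMPLE_TABLE_1" ;;
    2) printf '%s\n' "$SAMPLE_TABLE_2" ;;
    *) : ;;
  esac
}
live_rules() { ip rule show; }
live_table() { ip -4 route show table "$1"; }

# check_tables RULES_CMD TABLE_CMD: for each table referenced by the rules, report whether it
# has a default route. Returns 1 if any table lacks one (lookups would fall through to later rules).
check_tables() {
  rules_cmd=$1; table_cmd=$2; rc=0
  for t in $($rules_cmd | rule_tables); do
    dev=$($table_cmd "$t" | default_dev)
    if [ "$dev" = "NONE" ]; then
      echo "table $t: NO DEFAULT ROUTE (lookup falls through to the next ip rule)"
      rc=1
    else
      echo "table $t: default route via dev $dev"
    fi
  done
  return $rc
}

# Offline demonstration on the constructed samples; on an OpenWrt box use:
#   check_tables live_rules live_table
check_tables sample_rules sample_table || echo "at least one policy-routing table has no default route"
```

With the samples above the check prints a default route on bone.1001 for table 1 and flags table 2, which matches the posted dump where table 2 only carries the /28 and the LAN route. On a live router the `live_*` providers use the same `ip rule show` and `ip -4 route show table N` commands that already appear in this thread, so the script works with BusyBox ip on OpenWrt as well as iproute2 on Debian.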

I found the culprit: reboot :upside_down_face:!

If I reboot from the GUI the problem arises, no incoming traffic, at least for wireguard, didn't test others. If I shutdown/start the VM from virsh, the traffic is immediately coming in when OpenWrt is up.

Strange ...