Load balance 2 eth with 1 switch

Everything works fine when using separate line connections between the modems.

The problem occurred when connecting to the same switch LAN.

  1. WAN connected to the wan interface and set up with a static address for modem A, and it works; no trouble found.
  2. WANb connected to a lan interface and set up with a static IP class for modem B.

Then it has strange behavior: usually it is not connected to modem B, and ping is not replied to. But sometimes it connects to the modem and works fine, but it always fails again after a reboot or disconnection.

When only modem B's DHCP server is activated, wanb cannot get a DHCP address, even though another device connected to the same switch successfully gets a DHCP address.

Any advice on solving this strange behavior?

Is this related to your other post?

You can't just connect a WAN to the LAN. That will not work. If you have two physical connections, you need to re-assign one port from the built-in switch such that it is not associated with the LAN, but instead is another network interface. Then you can set up the connection details and assign it to the wan firewall zone. You'll need to use mwan to enable proper failover and/or load balancing.

Yes, it is related, but it is another approach.
I'm sorry, the lan port has already been ported to wanb and is not connected to the lan, and it worked when used with a separate link to the modem (not via the switch).

note: the switch link works with built-in load balancing like brand Tenda.

Why are you using a switch? There is no reason to do that.


Because of this

This absolutely will not work unless both of those switches are replaced with managed switches so that you can use VLANs. In addition, your wireless bridge device must also support VLANs.


I believe VLAN is the best option, but right now I can't upgrade to a VLAN switch.

  1. Why can load balancing like Tenda work consistently?
  2. OpenWrt can work consistently if a NAT router is added on the wan b port.

Any solution to remove the NAT router without adding VLAN? It looks like OpenWrt confuses packets between the wan eth and the wanb eth if they are connected to the same switch directly. Is there any option to completely separate traffic? It looks like an ARP conflict, because OpenWrt does not completely separate packets between eth wan and eth wanb.

I don't know. Your topology is flawed and will not be reliable even if it appears to be working.

I'm not sure what you are talking about here... did you add another router?

No. You must have a set of vlan aware switches for this to work. You can get basic 5-port VLAN aware switches for around $30 US.


I'm not sure it was a completely flawed design.

But in the past at college I was learning IP classes and IPv4 subnetting.
Every computer or device should be connected to the gateway at a specific IP class and subnet. No matter how many gateways and PCs are on a single connected switch, it will work at the correct device.

At that time VLAN was not yet popular.

And the problem here is that OpenWrt dual WAN with dual ether looks like it is not completely separated, because it is ported via software, not actual hardware.

I'm using a Mi Router 4A.

So the ARP may get a conflict between the wan eth and the ported wanb eth.

Any ideas to solve this with OpenWrt settings?

Thank you for helping me

Yes, I added a router for the NAT connection from modem B, so the OpenWrt wan eth can't reach the wanB eth; it is blocked by the router NAT. And if there is no direct connection between these two eth, OpenWrt works fine.

Without a managed switch and VLANs, you have several potential issues

  • ambiguity of which network a packet belongs to (in theory, the address and subnet should handle this, but there may be times when broadcast or discovery type packets end up running through the switch).
  • potential for switching loops (which can bring down the entire network)
  • potential for DHCP server clashes (if either or both of the routers have a DHCP server enabled)
  • reduced efficiency of the network, potentially increasing latency or slowing things down
  • reduced security since multiple networks are intermixed on the switch.

And I'm sure there are more that I haven't thought of. You may ask "will these things absolutely happen on my network?" -- and the answer is maybe. But why risk it. A pair of simple managed switches can do the trick. Or if you are a bit creative, you can actually do this with the built-in switches in your routers, assuming they are user configurable and support VLANs.

There is no doubt in my mind that you are using/proposing the wrong topology to achieve your goals. The correct way to do this is with VLANs and managed switches.


I agree that VLAN is the best.
But the ultimate question, regardless of topology, is what makes OpenWrt conflict between the two Ethernet interfaces; can any firewall setting or other setting prevent this? Because really separated eth would not have behavior like this.

Is there any possibility it is because the wanb port is a virtual eth with a virtual MAC address, not a hardware dedicated MAC address?

To answer that question, you'd have to provide your config files (mainly /etc/config/network and /etc/config/firewall) and you'd have to show your complete topology, including the physical ports that are in use as well the IP addresses of each device (don't obfuscate the network addresses when they are RFC1918 -- these are safe to disclose because they are reserved for private network use and are not publicly routable).

OK, stay tuned.
I need some time to replicate the configuration and download the configuration.

Thanks in advance

The diagram above could work, even without vlans. When OpenWrt sends an arp for 192.168.1.1 it will receive an answer from modem A. Likewise for the modem B. Then it knows at which physical address to find them and the switches will forward the frames to the appropriate port.
However it is not secure and definitely not elegant. There will be many unnecessary broadcasts from one side of the wireless to the other, but that wouldn't be avoided by vlans either.
Also you are talking about load balancing, but you have not mentioned how you are doing it (mwan3?).
Therefore we need to check the configuration first.

Please run the following commands (copy-paste the whole block) and paste the output here, using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have.

ubus call system board; \
uci export network; uci export mwan3; \
uci export dhcp; uci export firewall; \
head -n -0 /etc/firewall.user; \
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; 

OK, it's worth a try. Thanks for understanding. It has been a busy day, but I will try to give what you asked for to solve the conflict. Right now there are no issues with adding the NAT router before the wanb eth.
Even though I still have a plan to remove the additional NAT router.

Thanks, and wait for my update.

root@OpenWrt:~# ubus call system board
{
        "kernel": "5.4.143",
        "hostname": "OpenWrt",
        "system": "MediaTek MT7621 ver:1 eco:3",
        "model": "Xiaomi Mi Router 4A Gigabit Edition",
        "board_name": "xiaomi,mi-router-4a-gigabit",
        "release": {
                "distribution": "OpenWrt",
                "version": "21.02.0",
                "revision": "r16279-5cc0535800",
                "target": "ramips/mt7621",
                "description": "OpenWrt 21.02.0 r16279-5cc0535800"
        }
}

-----------------------------------------------
root@OpenWrt:~# uci export network
package network

config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'

config globals 'globals'
option packet_steering '1'
option ula_prefix 'fd3c:c8ac:4fb5::/48'

config device
option name 'br-lan'
option type 'bridge'
list ports 'lan2'
option stp '1'

config interface 'lan'
option device 'br-lan'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
option ipaddr '192.168.10.1'
list dns '8.8.8.8'
list dns '1.1.1.1'
option delegate '0'

config interface 'wan'
option device 'wan'
option proto 'static'
option gateway '192.168.1.1'
option metric '10'
option force_link '0'
option netmask '255.255.255.0'
option ipaddr '192.168.1.10'

config interface 'wanb'
option device 'lan1'
option proto 'static'
option netmask '255.255.255.0'
option metric '20'
option gateway '192.168.2.1'
option ipaddr '192.168.2.15'

config interface 'wanc'
option proto 'static'
option ipaddr '192.168.2.4'
option gateway '192.168.2.1'
option netmask '255.255.255.0'
option metric '31'

config interface 'wand'
option proto 'dhcp'
option metric '40'
option delegate '0'

config device
option name 'lan1'
option macaddr '3C:CD:57:42:93:xx'

config interface 'wwan'
option proto 'dhcp'

-------------------------

root@OpenWrt:~# uci export mwan3
package mwan3

config member 'wan_m1_w1'
option interface 'wan'
option metric '1'
option weight '1'

config member 'wanb_m1_w1'
option interface 'wanb'
option metric '1'
option weight '1'

config member 'wan_metrik2'
option interface 'wan'
option metric '2'
option weight '1'

config member 'wanb_metrik2'
option interface 'wanb'
option metric '2'
option weight '1'

config rule 'IoT'
option proto 'all'
option sticky '0'
option src_ip '192.168.10.11-192.168.10.16'
option use_policy '1indi_2fmed'

config rule 'spesial'
option proto 'all'
option sticky '0'
option src_ip '192.168.10.18-192.168.10.19'
option use_policy '1fmed_2indi'

config rule 'https'
option sticky '1'
option dest_port '443'
option proto 'tcp'
option use_policy 'balanced2wan'

config rule 'default_rule_v4'
option dest_ip '0.0.0.0/0'
option family 'ipv4'
option proto 'all'
option timeout '1800'
option sticky '0'
option use_policy 'balanced2wan'

config rule 'default_rule_v6'
option dest_ip '::/0'
option family 'ipv6'
option proto 'all'
option sticky '0'
option use_policy 'balanced2wan'

config rule 'ip189'
option src_ip '192.168.10.189'
option proto 'all'
option sticky '0'
option use_policy 'balanced2wan'

config policy 'wan_only'
option last_resort 'unreachable'
list use_member 'wan_m1_w1'

config policy 'wanb_only'
option last_resort 'unreachable'
list use_member 'wanb_m1_w1'

config globals 'globals'
option mmx_mask '0x3F00'

config interface 'wan'
option enabled '1'
option family 'ipv4'
option initial_state 'online'
option track_method 'ping'
option count '1'
option size '56'
option max_ttl '60'
option failure_interval '3'
option down '3'
option timeout '1'
option recovery_interval '30'
option interval '1'
list track_ip '8.8.8.8'
list track_ip 'www.youtube.com'
list track_ip '1.1.1.1'
option up '5'
option check_quality '0'
option reliability '2'

config interface 'wanb'
option family 'ipv4'
option initial_state 'online'
option track_method 'ping'
option reliability '2'
option count '1'
option size '56'
option max_ttl '60'
option check_quality '0'
option failure_interval '3'
option down '3'
option timeout '1'
option interval '1'
option recovery_interval '30'
option up '5'
list track_ip '8.8.8.8'
list track_ip '1.1.1.1'
option enabled '1'

config interface 'wanc'
option family 'ipv4'
list track_ip '8.8.8.8'
list track_ip '8.8.4.4'
option track_method 'ping'
option reliability '2'
option count '1'
option size '56'
option max_ttl '60'
option check_quality '0'
option timeout '4'
option failure_interval '3'
option down '3'
option up '3'
option interval '5'
option recovery_interval '5'
option enabled '0'
option initial_state 'offline'

config interface 'wand'
option family 'ipv4'
list track_ip '8.8.8.8'
list track_ip '8.8.4.4'
option track_method 'ping'
option reliability '2'
option count '1'
option size '56'
option max_ttl '60'
option check_quality '0'
option timeout '4'
option failure_interval '3'
option down '3'
option up '3'
option interval '5'
option recovery_interval '5'
option enabled '0'
option initial_state 'offline'

config policy 'balanced2wan'
option last_resort 'unreachable'
list use_member 'wan_m1_w1'
list use_member 'wanb_m1_w1'

config policy '1indi_2fmed'
option last_resort 'unreachable'
list use_member 'wan_m1_w1'
list use_member 'wanb_metrik2'

config policy '1fmed_2indi'
list use_member 'wanb_m1_w1'
list use_member 'wan_metrik2'
option last_resort 'unreachable'

------------------------------

root@OpenWrt:~# uci export dhcp
package dhcp

config dnsmasq
option domainneeded '1'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option localservice '1'
option ednspacket_max '1232'
option confdir '/tmp/dnsmasq.d'

config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv4 'server'
list ra_flags 'none'

config dhcp 'wan'
option interface 'wan'
option start '100'
option limit '150'
option leasetime '12h'
option ignore '1'
option dynamicdhcp '0'
list ra_flags 'none'

config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'

config dhcp 'wanb'
option interface 'wanb'
option start '100'
option limit '150'
option leasetime '12h'
option dynamicdhcp '0'
list ra_flags 'none'

config dhcp 'wanc'
option interface 'wanc'
option start '100'
option limit '150'
option leasetime '12h'
list ra_flags 'none'

config dhcp 'wand'
option interface 'wand'
list ra_flags 'none'

config host
option mac 'D0:50:99:2F:1A:xx'
option ip '192.168.10.222'
option name 'GeniusTV'
option dns '1'

config host
option name 'Cisco00802'
option ip '192.168.10.115'
option mac '20:AA:4B:D8:98:xx'

config host
option name 'pir'
option dns '1'
option mac '70:89:76:29:ff:xx'
option ip '192.168.10.11'

config host
option name 'wlan0'
option mac '7C:F6:66:B0:E6:xx'
option ip '192.168.10.12'

config host
option mac '7C:F6:66:B0:CF:xx'
option name 'BardiBreaker1'
option dns '1'
option ip '192.168.10.13'

config host
option mac '7C:F6:66:AE:67:xx'
option name 'BardiBreaker2'
option dns '1'
option ip '192.168.10.14'

config host
option mac '7C:F6:66:B0:E5:xx'
option dns '1'
option name 'BardiBreaker3'
option ip '192.168.10.15'

config host
option mac '7C:F6:66:B1:11:xx'
option name 'BardiBreaker4'
option dns '1'
option ip '192.168.10.16'

config host
option mac 'A4:E5:7C:AE:57:xx'
option name 'ESPAE5764'
option dns '1'
option ip '192.168.10.17'

config host
option name 'M2101K6G'
option mac '8C:AA:CE:18:D7:xx'
option ip '192.168.10.18'

config host
option name 'realme-U1'
option mac '70:5E:55:2A:9C:xx'
option ip '192.168.10.19'

---------------------------------

root@OpenWrt:~# uci export firewall
package firewall

config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
option drop_invalid '1'
option flow_offloading '1'
option flow_offloading_hw '1'

config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'

config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wan'
list network 'wwan'

config forwarding
option src 'lan'
option dest 'wan'

config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'

config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'

config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'

config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'

config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'

config rule
option name 'Support-UDP-Traceroute'
option src 'wan'
option dest_port '33434:33689'
option proto 'udp'
option family 'ipv4'
option target 'REJECT'
option enabled 'false'

config rule
option name 'Wan_b_Allow-DHCP-Renew'
option src 'wan_b'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'

config rule
option name 'Wan_b_Allow-Ping'
option src 'wan_b'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'

config rule
option name 'Wan_b_Allow-IGMP'
option src 'wan_b'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'

config rule
option name 'Wan_b_Allow-DHCPv6'
option src 'wan_b'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Wan_b_Allow-MLD'
option src 'wan_b'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Wan_b_Allow-ICMPv6-Input'
option src 'wan_b'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Wan_b_Allow-ICMPv6-Forward'
option src 'wan_b'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Wan_b_Allow-IPSec-ESP'
option src 'wan_b'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'

config rule
option name 'Wan_b_Allow-ISAKMP'
option src 'wan_b'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'

config rule
option name 'Wan_b_Support-UDP-Traceroute'
option src 'wan_b'
option dest_port '33434:33689'
option proto 'udp'
option family 'ipv4'
option target 'REJECT'
option enabled 'false'

config rule
option name 'Wan_c_Allow-DHCP-Renew'
option src 'wan_c'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'

config rule
option name 'Wan_c_Allow-Ping'
option src 'wan_c'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'

config rule
option name 'Wan_c_Allow-IGMP'
option src 'wan_c'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'

config rule
option name 'Wan_c_Allow-DHCPv6'
option src 'wan_c'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Wan_c_Allow-MLD'
option src 'wan_c'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Wan_c_Allow-ICMPv6-Input'
option src 'wan_c'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Wan_c_Allow-ICMPv6-Forward'
option src 'wan_c'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Wan_c_Allow-IPSec-ESP'
option src 'wan_c'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'

config rule
option name 'Wan_c_Allow-ISAKMP'
option src 'wan_c'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'

config rule
option name 'Wan_c_Support-UDP-Traceroute'
option src 'wan_c'
option dest_port '33434:33689'
option proto 'udp'
option family 'ipv4'
option target 'REJECT'
option enabled 'false'

config rule
option name 'Wan_d_Allow-DHCP-Renew'
option src 'wan_d'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'

config rule
option name 'Wan_d_Allow-Ping'
option src 'wan_d'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'

config rule
option name 'Wan_d_Allow-IGMP'
option src 'wan_d'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'

config rule
option name 'Wan_d_Allow-DHCPv6'
option src 'wan_d'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Wan_d_Allow-MLD'
option src 'wan_d'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Wan_d_Allow-ICMPv6-Input'
option src 'wan_d'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Wan_d_Allow-ICMPv6-Forward'
option src 'wan_d'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Wan_d_Allow-IPSec-ESP'
option src 'wan_d'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'

config rule
option name 'Wan_d_Allow-ISAKMP'
option src 'wan_d'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'

config rule
option name 'Wan_d_Support-UDP-Traceroute'
option src 'wan_d'
option dest_port '33434:33689'
option proto 'udp'
option family 'ipv4'
option target 'REJECT'
option enabled 'false'

config include
option path '/etc/firewall.user'

config zone
option name 'wan_b'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wanb'

config forwarding
option src 'lan'
option dest 'wan_b'

config zone
option name 'wan_c'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wanc'

config forwarding
option src 'lan'
option dest 'wan_c'

config zone
option name 'wan_d'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wand'

config forwarding
option src 'lan'
option dest 'wan_d'



----------------------


root@OpenWrt:~# head -n -0 /etc/firewall.user
# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.



-------------------------------------
root@OpenWrt:~# ip -4 addr ; ip -4 ro li tab all ; ip -4 ru
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
4: lan1@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.2.15/24 brd 192.168.2.255 scope global lan1
       valid_lft forever preferred_lft forever
5: wan@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.1.10/24 brd 192.168.1.255 scope global wan
       valid_lft forever preferred_lft forever
13: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.10.1/24 brd 192.168.10.255 scope global br-lan
       valid_lft forever preferred_lft forever
default via 192.168.1.1 dev wan table 1 proto static metric 10
192.168.1.0/24 dev wan table 1 proto static scope link metric 10
192.168.10.0/24 dev br-lan table 1 proto kernel scope link src 192.168.10.1
default via 192.168.2.1 dev lan1 table 2 proto static metric 20
192.168.2.0/24 dev lan1 table 2 proto kernel scope link src 192.168.2.15
192.168.2.0/24 dev lan1 table 2 proto static scope link metric 20
192.168.10.0/24 dev br-lan table 2 proto kernel scope link src 192.168.10.1
default via 192.168.1.1 dev wan proto static metric 10
default via 192.168.2.1 dev lan1 proto static metric 20
192.168.1.0/24 dev wan proto static scope link metric 10
192.168.2.0/24 dev lan1 proto static scope link metric 20
192.168.10.0/24 dev br-lan proto kernel scope link src 192.168.10.1
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 192.168.1.0 dev wan table local proto kernel scope link src 192.168.1.10
local 192.168.1.10 dev wan table local proto kernel scope host src 192.168.1.10
broadcast 192.168.1.255 dev wan table local proto kernel scope link src 192.168.1.10
broadcast 192.168.2.0 dev lan1 table local proto kernel scope link src 192.168.2.15
local 192.168.2.15 dev lan1 table local proto kernel scope host src 192.168.2.15
broadcast 192.168.2.255 dev lan1 table local proto kernel scope link src 192.168.2.15
broadcast 192.168.10.0 dev br-lan table local proto kernel scope link src 192.168.10.1
local 192.168.10.1 dev br-lan table local proto kernel scope host src 192.168.10.1
broadcast 192.168.10.255 dev br-lan table local proto kernel scope link src 192.168.10.1
0:      from all lookup local
1001:   from all iif wan lookup 1
1002:   from all iif lan1 lookup 2
2001:   from all fwmark 0x100/0x3f00 lookup 1
2002:   from all fwmark 0x200/0x3f00 lookup 2
2061:   from all fwmark 0x3d00/0x3f00 blackhole
2062:   from all fwmark 0x3e00/0x3f00 unreachable
3001:   from all fwmark 0x100/0x3f00 unreachable
3002:   from all fwmark 0x200/0x3f00 unreachable
32766:  from all lookup main
32767:  from all lookup default

Thanks for the help. That is my setting that you requested.

wanb and wanc are using the same subnet. This cannot work.
There is a DHCP server running on wanb and wanc. Why is that?
It would also be easier to assign all the wan* interfaces to the wan firewall zone, since you are applying the same rules everywhere.

The biggest issue I see here is the mix of a DHCP server on the wanb interface.

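The two findings in the reply above (two upstream interfaces sharing one subnet, and a DHCP server left active on an upstream interface) are the kind of thing that is easy to miss in a long `uci export` dump. The following is an added example, not code from this thread or from the OpenWrt project: a small parser for `uci export` output plus two checks that reproduce those findings. The sample dumps embedded in it are constructed, shortened copies of the network and dhcp exports posted above; the function and variable names are my own.

```python
"""Sanity-check `uci export network` / `uci export dhcp` output for two
misconfigurations: upstream interfaces that share a subnet, and a DHCP
server section that is still active on an upstream (non-LAN) interface."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample: a shortened copy of the network export posted above.
SAMPLE_NETWORK = """
package network

config interface 'lan'
    option device 'br-lan'
    option proto 'static'
    option ipaddr '192.168.10.1'
    option netmask '255.255.255.0'

config interface 'wan'
    option device 'wan'
    option proto 'static'
    option ipaddr '192.168.1.10'
    option netmask '255.255.255.0'
    option gateway '192.168.1.1'

config interface 'wanb'
    option device 'lan1'
    option proto 'static'
    option ipaddr '192.168.2.15'
    option netmask '255.255.255.0'
    option gateway '192.168.2.1'

config interface 'wanc'
    option proto 'static'
    option ipaddr '192.168.2.4'
    option netmask '255.255.255.0'
    option gateway '192.168.2.1'

config interface 'wand'
    option proto 'dhcp'
"""

# Constructed sample: a shortened copy of the dhcp export posted above.
SAMPLE_DHCP = """
package dhcp

config dhcp 'lan'
    option interface 'lan'
    option start '100'
    option limit '150'

config dhcp 'wan'
    option interface 'wan'
    option ignore '1'
    option dynamicdhcp '0'

config dhcp 'wanb'
    option interface 'wanb'
    option dynamicdhcp '0'

config dhcp 'wanc'
    option interface 'wanc'
"""

SECTION_RE = re.compile(r"^config\s+(\S+)(?:\s+'([^']*)')?\s*$")
KV_RE = re.compile(r"^(option|list)\s+(\S+)\s+'([^']*)'\s*$")


def parse_uci_export(text):
    """Parse `uci export <pkg>` output into (section_type, name, options) tuples.
    `option` keys hold one string; `list` keys accumulate into a Python list."""
    sections = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("package "):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = (m.group(1), m.group(2), {})
            sections.append(current)
            continue
        m = KV_RE.match(line)
        if m and current is not None:
            kind, key, value = m.groups()
            if kind == "list":
                current[2].setdefault(key, []).append(value)
            else:
                current[2][key] = value
    return sections


def find_shared_subnets(network_text):
    """Map each subnet used by more than one static interface to those interfaces.
    Two uplinks in one subnet give the kernel two equally valid link routes, so
    ARP replies and return traffic become ambiguous."""
    by_net = defaultdict(list)
    for stype, name, opts in parse_uci_export(network_text):
        if stype != "interface" or opts.get("proto") != "static":
            continue
        if "ipaddr" not in opts or "netmask" not in opts:
            continue
        net = ipaddress.ip_network(f"{opts['ipaddr']}/{opts['netmask']}", strict=False)
        by_net[str(net)].append(name)
    return {net: names for net, names in by_net.items() if len(names) > 1}


def find_active_dhcp_servers(dhcp_text, lan_interfaces=("lan",)):
    """Return interfaces (other than the LAN) whose `config dhcp` section lacks
    `option ignore '1'`. `dynamicdhcp '0'` alone is not enough: dnsmasq still
    serves that interface, just restricted to hosts with a static lease."""
    active = []
    for stype, name, opts in parse_uci_export(dhcp_text):
        if stype != "dhcp":
            continue
        iface = opts.get("interface", name)
        if iface in lan_interfaces or opts.get("ignore") == "1":
            continue
        active.append(iface)
    return active


def audit(network_text, dhcp_text):
    """Run both checks and return human-readable findings (empty means clean)."""
    findings = []
    for net, names in find_shared_subnets(network_text).items():
        findings.append(f"subnet {net} is shared by interfaces {', '.join(names)}")
    for iface in find_active_dhcp_servers(dhcp_text):
        findings.append(f"DHCP server active on upstream interface '{iface}' (set option ignore '1')")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_NETWORK, SAMPLE_DHCP):
        print(finding)
```

Run against the real dumps by reading `uci export network` and `uci export dhcp` into the two text arguments; on the samples it reports the shared 192.168.2.0/24 subnet on wanb and wanc and active DHCP sections on wanb and wanc, while wan is skipped because its section carries `option ignore '1'`.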