Multiple WAN connection (MultiWAN), the most popular Internet Connection concept in Cuba, trying to take it to OpenWrt

Hello!!! This is the first time I participate in this forum, so, first of all, excuse me if I use an inappropriate term in this world of the Internet. Also, I do not speak English well, so I have to use a translator for some things.
I have a Router with OpenWRT and I would like to establish the configuration that I show in the image.

I explain better:
My ISP provides the Internet through a captive portal and individual IP addresses. What I want is to establish a multiple connection from my OpenWRT Router as ROUTED CLIENT to give Internet service to 2 PCs in a LAN without sharing the Internet, but keeping the traffic between them in the LAN (I hope I have understood). I have researched about it and I know that it can be done by using the MWAN3 package, but it has some drawbacks that I want to avoid. The individual WAN connections are already created, but I do not know how to configure the Firewall and the Routes. It is in this detail where I need help. How do I set that configuration to work?
Note: I have already done that configuration on devices with RouterOS (Mikrotik) and it works OK. I want to take that configuration to OpenWRT. I hope you can help me.

You should not need two connections to the ISP. The NAT function of a router lets several PCs share one ISP connection. When you use any one of the PCs to authenticate with the captive portal, it will authorize the router's MAC. The ISP will not know how many PCs are sharing the connection.

The fact is that in Cuba, the ISP provides us 2mb for each wan, the idea is to create several wan so that we can have more speed. I am also Cuban and I am interested in this topic, I appreciate any help you can give us.

1 Like

That would be to share the same access portal among several users, but what I want is that, in the LAN, each user has access to the captive portal, as if it were connected directly to the ISP. The internet connection would be individual; the only thing users would share is the local traffic on the LAN. The Router would redirect the portals to each user. Actually, in the diagram that I made, each PC represents a group of about 4 users connected through a Switch, who will share the Internet of the assigned Portal between them. They are separated in groups of 4, since assigning more users per Portal (or IP of the ISP) would create congestion, because each IP assigned by the ISP has 2 mbps (256 kb of real copy) of bandwidth. That is where I found the difficulty. In RouterOS I have already done it successfully and I want to try that same configuration in OpenWRT.
If you do not understand what I want to do, I can give more detail; I just need you to tell me that you do not understand.

mwan3 is really not applicable to this situation. mwan3 is built for two use cases:

  • "Failover" by using one ISP exclusively, unless it loses its ability to reach the Internet, then switch everyone to the other ISP.
  • "Load balance" a single large group of users into multiple slow ISP connections. The problem here is that each user doesn't know which ISP will be used for a particular connection session, so they may not stay authenticated on the captive portal.

It sounds like you want to simplify it to several independent virtual networks sharing one hardware device. Each network having two parts, a LAN side with a group of users, and a WAN side with a dedicated connection to the wifi ISP. That is possible with OpenWrt. Set up a separate VLAN, a separate LAN, a LAN firewall zone, a WAN, and a WAN firewall zone for each one.

3 Likes

+1; for a simpler beginning, completely remove the firewall of OpenWrt, just use minimal, well-documented iptables rules instead.

In case of using a rather powerful OpenWrt device, with mass storage or a lot of RAM, integration of a good cache (like squid) might help all connected PCs.
In case this is an office installation, even squid's HTTPS proxying might be reasonable, as installation of certificates can be enforced on the PCs.
However, it might be a better idea to set up a combination of Mikrotik plus squid (and some more tricks, like ad blocking, or compression + graphics reduction) on a separate full-blown Linux box, to minimize WAN load.

1 Like

Here there was already someone who made a configuration for what we need, but as you said, MWAN3 is not for that, but for what you say. Here he was able to adapt its operation to achieve something similar to what I describe in the post, but using VLANs.
See this article, it is in Spanish:

If this configuration works, what is wanted is to do it without the use of VLANs, that is, redirecting WAN traffic to specific IPs within the LAN, each with its assigned WAN interface.

1 Like

Greetings Dunie, I'm glad to see a brother from Cuba interested in this too. What you propose is related to the Load Balance. First you have to see if OpenWRT can individualize the portals in the LAN. If it is done, we can start thinking about doing Load Balancing to give more Bandwidth.
I can also tell you that with OpenWRT you can indeed do Load Balancing behind a Mikrotik previously configured for the portals. What is needed is the MWAN3 package and working out the configuration.

2 Likes

Analyzing the settings made in Mikrotik, I can see that there are 2 fundamental elements to keep the WAN connections separate in the LAN when the NAT is applied:

  • Marking of Routes (in the Mangle), as in this example using Terminal:

# Tag each LAN client's traffic with its own routing mark
/ip firewall mangle
add action=mark-routing chain=prerouting new-routing-mark="Client 1" passthrough=yes src-address=192.168.1.2
add action=mark-routing chain=prerouting new-routing-mark="Client 2" passthrough=yes src-address=192.168.1.3
add action=mark-routing chain=prerouting new-routing-mark="Client 3" passthrough=yes src-address=192.168.1.4

  • Make static routes in Routes (see the following example based on Terminal):

# One default route per routing mark, each leaving through its own WLAN interface
/ip route
add distance=1 gateway=10.xxx.xxx.xxx%wlan1 routing-mark="Client 1"
add distance=1 gateway=10.xxx.xxx.xxx%wlan2 routing-mark="Client 2"
add distance=1 gateway=10.xxx.xxx.xxx%wlan3 routing-mark="Client 3"

  • Make the NAT to each Interface:

# Masquerade each client only on the WLAN interface assigned to it
/ip firewall nat
add action=masquerade chain=srcnat out-interface=wlan1 routing-table="Client 1" src-address=192.168.1.2
add action=masquerade chain=srcnat out-interface=wlan2 routing-table="Client 2" src-address=192.168.1.3
add action=masquerade chain=srcnat out-interface=wlan3 routing-table="Client 3" src-address=192.168.1.4

This is the Core of the configuration once the NAT has been made to each WLAN Interface.
I have set this example so that the most advanced users in OpenWRT can see and if possible understand what we do here with Internet, and if possible, take it to OpenWRT.

1 Like
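
The three RouterOS steps in the post above (mark by source, one route table per mark, masquerade per interface) map onto Linux policy routing as sketched below; this is an added example, not part of any post in the thread. The gateways 10.0.x.1 and table ids 101-103 are constructed placeholders, it assumes iproute2 `ip` and `iptables` are installed on the router, and the unreachable fallback route is an addition so a client never leaves through another client's WAN.

```shell
#!/bin/sh
# Added example (not from the thread): Linux/OpenWrt counterpart of the
# RouterOS mangle + route + NAT rules. Gateways and table ids are constructed.

# One mapping per line: <LAN source IP> <WAN interface> <WAN gateway> <table id>
CLIENT_MAP='192.168.1.2 wlan1 10.0.1.1 101
192.168.1.3 wlan2 10.0.2.1 102
192.168.1.4 wlan3 10.0.3.1 103'

# Reject fields that could smuggle shell syntax into the generated commands.
is_safe() {  # $1 = value, $2 = kind (addr|iface|num)
    [ -n "$1" ] || return 1
    case $2 in
        addr)  case $1 in *[!0-9.]*) return 1 ;; esac ;;
        iface) case $1 in *[!A-Za-z0-9_.-]*) return 1 ;; esac ;;
        num)   case $1 in *[!0-9]*) return 1 ;; esac ;;
        *)     return 1 ;;
    esac
}

# Print (do not run) the commands for one client so they can be reviewed first.
emit_client_rules() {
    src=$1 wan=$2 gw=$3 tbl=$4
    is_safe "$src" addr && is_safe "$wan" iface && is_safe "$gw" addr &&
        is_safe "$tbl" num || { echo "bad mapping: $*" >&2; return 1; }
    # Traffic from this client is looked up in its own routing table ...
    echo "ip rule add from $src lookup $tbl priority $tbl"
    # ... whose default route leaves through the client's dedicated WAN.
    echo "ip route replace default via $gw dev $wan table $tbl"
    # Fail closed: if that WAN drops, reject instead of falling through to main.
    echo "ip route replace unreachable default metric 65535 table $tbl"
    # MASQUERADE uses the interface's current address, so DHCP-assigned WANs work.
    echo "iptables -t nat -A POSTROUTING -s $src -o $wan -j MASQUERADE"
}

# Emit the rules for every mapping line; stop at the first invalid one.
emit_all_rules() {
    while read -r src wan gw tbl; do
        [ -n "$src" ] || continue
        emit_client_rules "$src" "$wan" "$gw" "$tbl" || return 1
    done <<EOF
$1
EOF
}

emit_all_rules "$CLIENT_MAP"
```

Run as-is it only prints the twelve commands; after review they can be piped to `sh` as root on the router.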

A possible implementation of this is found in this article. If the dynamic WAN IPs can be combined with SNAT, the objective will have been achieved. At the moment, it was only possible using static IPs in the WAN and using the SNAT function. To see the proposed configuration and some solution to the problems it poses, go to this article. This post is already closed.

1 Like
