MultiWan3 problem with Tunnel

Hello!!
I am a home user and have set up an IPv4 FOU tunnel. It is not well supported by OpenWRT (no protocol, no LuCI), but I managed to by creating a static address interface and adding my ip link commands to it via local startup. The static address interface is able to automatically create a default route to the tunnel. I then added some routing tables so I can add a static route to my VPS via wan by looking up the wan table.

At this point, everything works: I can reboot the router and the tunnel will be created via the local startup code, and I can also ping the other side of the tunnel. I can also route all my traffic via the tunnel; after changing the default route manually by changing the interface gateway metric, I am able to access the internet via it.

Then, I wanted to add MultiWan3 failover for it: if the fou doesn't work, it will simply fail over to wan. I installed mwan3 and iptables-nft. Under the interface section of LuCI mwan3, keeping it simple, I have only two, which are wan and fou. Members too, only two: wan has metric 2 and fou has metric 1, both have weight 1. Policy only has one, which is failover, with both members in it. Finally, in the rule, v4 is assigned the failover policy.

Everything seems to work at first; traffic is automatically routed to fou from the wan default route, which has a metric of 10, while the fou default route has a metric of 20. Then I proceeded to do a ping and there is a problem. I got this: ping: sendto: Operation not permitted. The first ping works, then the next ping will have this error. If I do it on my computer, it will be 1st ping responded, 2nd ping timeout, 3rd ping responded, 4th ping timeout.

In the router CLI, using ping -I fou has no error. If my fou tunnel is "dead", it will fail over to wan and also has no error. If I disable mwan3 and proceed to manually change the default route to fou, it works perfectly.

How do I use mwan3??

Edit: I am using TX-AX6000 (TUF-AX6000), OpenWRT 24.10.1

You don't. It is effectively unmaintained. Switch to PBR if you don't need tunnel liveness probing.

That said, what you see is a known issue with a known fix that the maintainer has ignored for two years: https://github.com/openwrt/packages/pull/20923

You can directly edit the files on your OpenWrt device as indicated in the pull request.

Alternatively, if you want something that survives reinstallations (but is not 100% equivalent), please create a file, /etc/firewall.bugfix, with the following content:

#!/bin/sh

# https://github.com/openwrt/packages/issues/19607 and its duplicates

# Remove any earlier copy of the rule first (the script is re-run on every
# firewall restart), then insert it at position 1 of the mangle PREROUTING
# chain so it runs before the mwan3 hook. It clears the mwan3 mark bits
# (mask 0x3f00) so packets entering the tunnel do not inherit the mark.
iptables -t mangle -D PREROUTING -m comment --comment "Do not inherit the mark of encrypted packets" -j MARK --set-xmark 0x0/0x3f00
ip6tables -t mangle -D PREROUTING -m comment --comment "Do not inherit the mark of encrypted packets" -j MARK --set-xmark 0x0/0x3f00
iptables -t mangle -I PREROUTING 1 -m comment --comment "Do not inherit the mark of encrypted packets" -j MARK --set-xmark 0x0/0x3f00
ip6tables -t mangle -I PREROUTING 1 -m comment --comment "Do not inherit the mark of encrypted packets" -j MARK --set-xmark 0x0/0x3f00

Make it executable:

chmod 0755 /etc/firewall.bugfix

You will also need to install the iptables-nft and ip6tables-nft packages or their legacy versions (iptables-zz-legacy and ip6tables-zz-legacy).

Then, add the following to /etc/config/firewall:

config include
	option path '/etc/firewall.bugfix'
	option fw4_compatible '1'

Then add this line to /etc/sysupgrade.conf:

/etc/firewall.bugfix

After restarting the firewall, the tunnel will work for every packet.
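To confirm after a firewall restart that the workaround actually took effect, here is a small check script, added here as an example and not part of the pull request or the OpenWrt packages. It assumes the mangle PREROUTING listing is obtained with iptables -t mangle -S PREROUTING and that mwan3 installs its own chain (assumed here to be named mwan3_hook) in that table; the two listings embedded below are constructed samples.

```shell
#!/bin/sh
# Constructed sample: mangle PREROUTING with the bugfix rule in position 1,
# ahead of the mwan3 chain (chain name mwan3_hook is an assumption).
SAMPLE_OK='-P PREROUTING ACCEPT
-A PREROUTING -m comment --comment "Do not inherit the mark of encrypted packets" -j MARK --set-xmark 0x0/0x3f00
-A PREROUTING -j mwan3_hook'

# Constructed sample: the rule is present but was appended after the mwan3
# chain, so mwan3 still marks packets before the mark is cleared.
SAMPLE_BAD='-P PREROUTING ACCEPT
-A PREROUTING -j mwan3_hook
-A PREROUTING -m comment --comment "Do not inherit the mark of encrypted packets" -j MARK --set-xmark 0x0/0x3f00'

# bugfix_rule_first LISTING
# Returns 0 when the first -A rule of the chain is the one that clears the
# mwan3 mark bits (mask 0x3f00), 1 otherwise (missing or not first).
bugfix_rule_first() {
    first=$(printf '%s\n' "$1" | grep '^-A PREROUTING' | head -n 1)
    case "$first" in
        *'-j MARK --set-xmark 0x0/0x3f00'*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_live: same check against the running router (needs iptables-nft).
check_live() {
    bugfix_rule_first "$(iptables -t mangle -S PREROUTING 2>/dev/null)"
}

# Example run on the constructed samples; on the router call check_live.
if bugfix_rule_first "$SAMPLE_OK"; then echo "sample OK: rule is first"; fi
if ! bugfix_rule_first "$SAMPLE_BAD"; then echo "sample BAD: rule not first"; fi
```

Run check_live on the router after /etc/init.d/firewall restart; a non-zero exit means the include did not run or something reordered the chain.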

Thank you! I think the PR needs more people to test before he is willing to merge it. I have added my test result there.
