Mwan3 breaks port forwarding to internal PCs

I am using OpenWrt v18.06.1 on a TP-LINK Archer C7 v4 with 2 WAN connections. I have defined a few port forwarding rules to reach some LAN PCs. All of this works fine when mwan3 is not running. However, as soon as I enable mwan3, I can no longer reach the LAN PCs. My mwan3 configuration is:

config globals 'globals'
        option enabled '1'
        option mmx_mask '0xff00'
        option local_source 'lan'    # I have also tried 'none' here, but it makes no difference

config interface 'wan'
        option enabled '1'
        list track_ip '8.8.4.4'
        list track_ip '8.8.8.8'
        list track_ip '208.67.222.222'
        list track_ip '208.67.220.220'
        option reliability '2'
        option count '1'
        option timeout '2'
        option interval '5'
        option down '3'
        option up '8'

config interface 'wanb'
        option enabled '1'
        list track_ip '8.8.8.8'
        list track_ip '208.67.220.220'
        option reliability '1'
        option count '1'
        option timeout '2'
        option interval '5'
        option down '3'
        option up '8'

config member 'wan1_m1_w2'
        option interface 'wan'
        option metric '1'
        option weight '2'

config member 'wan1_m1_w3'
        option interface 'wan'
        option metric '1'
        option weight '3'

config member 'wan1_m1_w4'
        option interface 'wan'
        option metric '1'
        option weight '4'

config member 'wan1_m2_w4'
        option interface 'wan'
        option metric '2'
        option weight '4'

config member 'wan1_m2_w1'
        option interface 'wan'
        option metric '2'
        option weight '1'

config member 'wan2_m1_w2'
        option interface 'wanb'
        option metric '1'
        option weight '2'

config member 'wan2_m1_w3'
        option interface 'wanb'
        option metric '1'
        option weight '3'

config member 'wan2_m1_w4'
        option interface 'wanb'
        option metric '1'
        option weight '4'

config member 'wan2_m2_w1'
        option interface 'wanb'
        option metric '2'
        option weight '1'

config policy 'only_1'
        list use_member 'wan1_m1_w2'

config policy 'only_2'
        list use_member 'wan2_m1_w2'

config policy 'then_1_2'
        list use_member 'wan1_m1_w2'
        list use_member 'wan2_m2_w1'

config policy 'then_2_1'
        list use_member 'wan2_m1_w2'
        list use_member 'wan1_m2_w1'

config policy 'more_1_2'
        list use_member 'wan1_m1_w4'
        list use_member 'wan2_m1_w2'

config policy 'moremore_1_2'
        list use_member 'wan1_m2_w4'
        list use_member 'wan2_m1_w2'

config rule 'jazz_device_2'
        option dest_ip '192.168.84.0/24'
        option proto 'all'
        option sticky '0'
        option use_policy 'only_2'

config rule 'youtube'
        option sticky '1'
        option ipset 'youtube'
        option dest_port '80,443'
        option proto 'tcp'
        option use_policy 'moremore_1_2'

config rule 'https'
        option sticky '1'
        option dest_port '443'
        option proto 'tcp'
        option use_policy 'more_1_2'

config rule 'openvpn'
        option sticky '1'
        option proto 'udp'
        option use_policy 'more_1_2'
        option dest_port 'xxxx,yyyy'
        option timeout '4'

config rule 'default_rule'
        option dest_ip '0.0.0.0/0'
        option use_policy 'more_1_2'

Can this be fixed somehow?

Thanks

Please confirm that you're not attempting to access the LAN devices from the backup WAN ISP.

I run two curl scripts from cron that assign DDNS names to the WAN interfaces. I am connecting through the primary WAN's DDNS name.

Please post your firewall and network config.

Firewall config:

config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'

config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option network 'lan'

config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
option log '1'
option network 'wan wan6 wanb'

config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'

config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'

config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'

config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'

config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'

config include
option path '/etc/firewall.user'

config rule
option target 'ACCEPT'
option proto 'udp'
option dest_port 'xxxxx'
option name 'openvpn'
option src 'wan'
option enabled '0'

config redirect
option target 'DNAT'
option src 'wan'
option dest 'lan'
option proto 'tcp'
option src_dport 'xxx'
option dest_ip '192.168.x.1'
option dest_port 'yyy'
option name 'Internal PC port forwarding'

config forwarding
option dest 'wan'
option src 'lan'

config redirect
option target 'SNAT'
option src 'wan'
option dest 'lan'
option src_dip '192.168.x.254'
option name 'Internal PC SNAT'
option proto 'tcp'
option dest_port 'Internal PC service port'

Network config:

config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'

config globals 'globals'
option ula_prefix 'fd28:21d4:74a0::/48'

config interface 'lan'
option type 'bridge'
option ifname 'eth0.1'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
option ipaddr '192.168.x.254'
option dns '8.8.8.8'

config interface 'wan'
option ifname 'eth0.2'
option proto 'dhcp'
option metric '10'

config interface 'wan6'
option ifname 'eth0.2'
option proto 'dhcpv6'

config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'

config switch_vlan
option device 'switch0'
option vlan '1'
option vid '1'
option ports '0t 2 3 4'

config switch_vlan
option device 'switch0'
option vlan '2'
option ports '0t 1'
option vid '2'

config switch_vlan
option device 'switch0'
option vlan '3'
option vid '3'
option ports '0t 5'

config interface 'wanb'
option proto 'dhcp'
option ifname 'eth0.3'
option metric '20'

Thanks

I see one option that is incorrect; the correct value is:
option mmx_mask '0x3f00'

I changed the mask in the globals section as you suggested, but that did not help. I then changed the local_source option to 'none', and now it works.

The working options are:

config globals 'globals'
         option enabled '1'
         option mmx_mask '0x3f00'
         option local_source 'none'

I don't know what local_source 'none' actually does, but I will stick with it for now.
Thanks

Please use "Preformatted text </>" for logs, scripts, configs and general console output.
Please edit your postings accordingly (your last two postings).
Thanks.
