Mwan3: network outside NAT accessible only from router

Hello, I'm trying to create a failover connection with a USB LTE modem using OpenWrt + mwan3. My device is a Linksys WRT3200ACM; OpenWrt with mwan3 was built yesterday from trunk. I can ping both interfaces (the main wan and the lte wan) from the router itself. When I start mwan3, it works correctly (it switches the wan when one is down), and the internet works from the router itself, but not from any other client in the network. As soon as I stop mwan3, everything works again immediately.

Traceroute from any client in the network hangs on the first line with mwan3 working.

It may be relevant that the LTE modem I'm using is at the address 192.168.8.1.

My config:

/etc/config/network

# Loopback: static 127.0.0.1/8 on lo.
config interface 'loopback'
  option ifname 'lo'
  option proto 'static'
  option ipaddr '127.0.0.1'
  option netmask '255.0.0.0'

# IPv6 unique-local (ULA) prefix for the local network.
config globals 'globals'
  option ula_prefix 'fdc5:46b6:6734::/48'

# LAN: bridge over eth0.1 with the router at 192.168.1.1/24.
config interface 'lan'
  option type 'bridge'
  option proto 'static'
  option ipaddr '192.168.1.1'
  option netmask '255.255.255.0'
  option ip6assign '60'
  # MAC address replaced with a placeholder by the poster.
  option macaddr 'MY_MAC_HERE'
  option ifname 'eth0.1'

# Primary uplink: PPPoE on eth1.2.
config interface 'wan'
  option ifname 'eth1.2'
  option proto 'pppoe'
  # Placeholders: the real PPPoE credentials were redacted before posting.
  option username 'some_username'
  option password 'some_password'
  option ipv6 'auto'
  option keepalive '3 3'
  # Lower than the metric on 'lte' (20), so this default route is the
  # preferred one in the main routing table.
  option metric '10'
  # Fixed resolvers; peerdns '0' ignores the DNS servers offered by the ISP.
  option dns '8.8.8.8 8.8.4.4'
  option peerdns '0'

# DHCPv6 client on the same eth1.2 device as 'wan'.
config interface 'wan6'
  option ifname 'eth1.2'
  option proto 'dhcpv6'

# Switch with VLANs enabled; the two switch_vlan sections below split the ports.
config switch
  option name 'switch0'
  option reset '1'
  option enable_vlan '1'

# VLAN 1: ports 0-3 untagged, port 5 tagged (presumably the CPU port behind eth0.1).
config switch_vlan
  option device 'switch0'
  option vlan '1'
  option ports '0 1 2 3 5t'

# VLAN 2: port 4 untagged, port 6 tagged (presumably the CPU port behind eth1.2).
config switch_vlan
  option device 'switch0'
  option vlan '2'
  option ports '4 6t'

# Backup uplink: DHCP client on eth2, the USB LTE modem described in the post.
# The modem sits at 192.168.8.1 and hands out a private 192.168.8.0/24 address,
# so traffic leaving through this interface is presumably NATed a second time
# by the modem.
config interface 'lte'
  option proto 'dhcp'
  option ifname 'eth2'
  # NOTE(review): the route listing later on the page shows metric 50 for eth2,
  # not 20 - confirm which configuration was active when it was captured.
  option metric '20'
  option peerdns '0'
  option dns '8.8.4.4 8.8.8.8'

/etc/config/firewall

# Global defaults. These policies apply to traffic that no zone claims, so an
# interface that is not listed in any zone's 'network' option gets input ACCEPT.
# Every uplink therefore has to be a member of the 'wan' zone below.
config defaults
  option syn_flood '1'
  option input 'ACCEPT'
  option output 'ACCEPT'
  option forward 'REJECT'

# Trusted LAN zone: everything to, from and through the LAN is accepted.
config zone
  option name 'lan'
  option input 'ACCEPT'
  option output 'ACCEPT'
  option forward 'ACCEPT'
  option network 'lan'

# Untrusted uplink zone. Inbound and forwarded traffic is rejected unless a
# rule below allows it; outbound traffic is masqueraded (masq) and has its
# TCP MSS clamped (mtu_fix).
config zone
  option name 'wan'
  option conntrack '1'
  option output 'ACCEPT'
  option mtu_fix '1'
  option masq '1'
  option input 'REJECT'
  option forward 'REJECT'
  # 'lte' is listed here, so the failover link gets the same inbound REJECT
  # policy and the same NAT as the primary uplink.
  option network 'wan wan6 lte'

# Only LAN -> WAN forwarding is permitted between zones.
config forwarding
  option src 'lan'
  option dest 'wan'

# Accept DHCP replies (UDP/68) arriving on the uplinks.
config rule
  option name 'Allow-DHCP-Renew'
  option src 'wan'
  option proto 'udp'
  option dest_port '68'
  option target 'ACCEPT'
  option family 'ipv4'

# The router answers IPv4 echo requests from the uplink side.
config rule
  option name 'Allow-Ping'
  option src 'wan'
  option proto 'icmp'
  option icmp_type 'echo-request'
  option family 'ipv4'
  option target 'ACCEPT'

# Accept IPv4 IGMP from the uplinks.
config rule
  option name 'Allow-IGMP'
  option src 'wan'
  option proto 'igmp'
  option family 'ipv4'
  option target 'ACCEPT'

# Accept DHCPv6 replies (UDP/546). fc00::/6 covers both ULA and link-local
# (fe80::/10) addresses.
config rule
  option name 'Allow-DHCPv6'
  option src 'wan'
  option proto 'udp'
  option src_ip 'fc00::/6'
  option dest_ip 'fc00::/6'
  option dest_port '546'
  option family 'ipv6'
  option target 'ACCEPT'

# Accept multicast listener discovery (ICMPv6 types 130-132 and 143) from
# link-local sources.
config rule
  option name 'Allow-MLD'
  option src 'wan'
  option proto 'icmp'
  option src_ip 'fe80::/10'
  list icmp_type '130/0'
  list icmp_type '131/0'
  list icmp_type '132/0'
  list icmp_type '143/0'
  option family 'ipv6'
  option target 'ACCEPT'

# ICMPv6 that the router itself accepts from the uplinks: error messages,
# echo and neighbour discovery, rate-limited to 1000 packets per second.
config rule
  option name 'Allow-ICMPv6-Input'
  option src 'wan'
  option proto 'icmp'
  list icmp_type 'echo-request'
  list icmp_type 'echo-reply'
  list icmp_type 'destination-unreachable'
  list icmp_type 'packet-too-big'
  list icmp_type 'time-exceeded'
  list icmp_type 'bad-header'
  list icmp_type 'unknown-header-type'
  list icmp_type 'router-solicitation'
  list icmp_type 'neighbour-solicitation'
  list icmp_type 'router-advertisement'
  list icmp_type 'neighbour-advertisement'
  option limit '1000/sec'
  option family 'ipv6'
  option target 'ACCEPT'

# ICMPv6 error and echo messages forwarded from the uplinks to any zone
# (dest '*'), with the same rate limit; neighbour discovery is not forwarded.
config rule
  option name 'Allow-ICMPv6-Forward'
  option src 'wan'
  option dest '*'
  option proto 'icmp'
  list icmp_type 'echo-request'
  list icmp_type 'echo-reply'
  list icmp_type 'destination-unreachable'
  list icmp_type 'packet-too-big'
  list icmp_type 'time-exceeded'
  list icmp_type 'bad-header'
  list icmp_type 'unknown-header-type'
  option limit '1000/sec'
  option family 'ipv6'
  option target 'ACCEPT'

# Forwards IPsec ESP from the uplinks to every LAN host. No 'family' is set,
# so the rule covers IPv6 as well, where LAN hosts are not hidden behind NAT.
# Drop this rule and the next one if no LAN host terminates IPsec.
config rule
  option name 'Allow-IPSec-ESP'
  option src 'wan'
  option dest 'lan'
  option proto 'esp'
  option target 'ACCEPT'

# Forwards IKE (UDP/500) from the uplinks to every LAN host; same scope as the
# ESP rule above.
config rule
  option name 'Allow-ISAKMP'
  option src 'wan'
  option dest 'lan'
  option dest_port '500'
  option proto 'udp'
  option target 'ACCEPT'

# Custom rules script; its contents are not shown on this page. Anything it
# adds is applied on top of the zones and rules above and should be reviewed
# along with them.
config include
  option path '/etc/firewall.user'

/etc/config/mwan3

# mwan3 globals. mmx_mask is the firewall-mark mask mwan3 uses for its own
# packet marks; other rules that set marks need to stay outside these bits.
config globals 'globals'
  option mmx_mask '0x3F00'
  # presumably selects the 'lan' address as source for router-originated
  # traffic - confirm against the mwan3 version in use
  option local_source 'lan'

# Health tracking for the primary uplink. Each check sends 'count' pings per
# tracked host with a 'timeout'-second wait, every 'interval' seconds; the link
# is marked offline after 'down' failed checks and online after 'up' good ones.
# reliability '1' means one replying host is enough, and both tracked hosts
# belong to the same provider, so an outage or ICMP filtering there would take
# both uplinks "down" at once.
config interface 'wan'
  list track_ip '8.8.8.8'
  list track_ip '8.8.4.4'
  option enabled '1'
  option reliability '1'
  option count '1'
  option timeout '2'
  option interval '2'
  option down '2'
  option up '8'

# Health tracking for the LTE uplink: same targets, checked less often
# (every 5 seconds) and with higher down/up thresholds.
config interface 'lte'
  list track_ip '8.8.8.8'
  list track_ip '8.8.4.4'
  option enabled '1'
  option reliability '1'
  option count '1'
  option timeout '2'
  option interval '5'
  option down '3'
  option up '10'

# Failover policy built from the two members defined below.
config policy 'wan_lte'
  list use_member 'wan_m1_w1'
  list use_member 'lte_m2_w2'

# Lowest metric wins: while 'wan' is online it carries all traffic.
config member 'wan_m1_w1'
  option interface 'wan'
  option metric '1'
  option weight '1'

# Higher metric: 'lte' is used only when 'wan' is offline. The weight only
# matters between members that share a metric.
config member 'lte_m2_w2'
  option interface 'lte'
  option metric '2'
  option weight '2'

# Catch-all rule. A /0 prefix matches every destination whatever address
# precedes it; the conventional spelling is 0.0.0.0/0.
config rule 'default_rule'
  option dest_ip '127.0.0.1/0'
  option use_policy 'wan_lte'

Change the dest_ip of that rule to 0.0.0.0/0.

Thank you for the reply. I have already done that a couple of times. It doesn't help.

What is the output of mwan3 status ; ip -4 ro ls tab all ?

# mwan3 status ; ip -4 ro ls tab all
Interface status:
 interface wan is online and tracking is active
 interface lte is online and tracking is active

Current ipv4 policies:
wan_lte:
 wan (100%)

Current ipv6 policies:
wan_lte:
 unreachable

Directly connected ipv4 networks:
193.25.0.10
127.0.0.0
192.168.1.0/24
127.255.255.255
127.0.0.0/8
192.168.8.100
192.168.1.255
192.168.1.0
192.168.8.0
192.168.8.255
224.0.0.0/3
192.168.8.0/24
127.0.0.1
100.64.77.28
192.168.1.1

Directly connected ipv6 networks:
fe80::/64
fdc5:46b6:6734::/64

Active ipv4 user rules:
   53  3871 - wan_lte  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Active ipv6 user rules:
    3   697 - wan_lte  all      *      *       ::/0                 ::/0

default via 193.25.0.10 dev pppoe-wan table 1 metric 10
default via 192.168.8.1 dev eth2 table 2 metric 50
default via 193.25.0.10 dev pppoe-wan proto static metric 10
default via 192.168.8.1 dev eth2 proto static src 192.168.8.100 metric 50
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1
192.168.8.0/24 dev eth2 proto static scope link metric 50
193.25.0.10 dev pppoe-wan proto kernel scope link src 100.64.77.28
local 100.64.77.28 dev pppoe-wan table local proto kernel scope host src 100.64.77.28
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 192.168.1.0 dev br-lan table local proto kernel scope link src 192.168.1.1
local 192.168.1.1 dev br-lan table local proto kernel scope host src 192.168.1.1
broadcast 192.168.1.255 dev br-lan table local proto kernel scope link src 192.168.1.1
broadcast 192.168.8.0 dev eth2 table local proto kernel scope link src 192.168.8.100
local 192.168.8.100 dev eth2 table local proto kernel scope host src 192.168.8.100
broadcast 192.168.8.255 dev eth2 table local proto kernel scope link src 192.168.8.100

So far I don't see any issue.
How about these?

ip -4 addr ; ip -4 ro ; ip -4 ru; iptables-save