Mwan3 - no internet after wan disconnected

I have a simple failover configuration; when I remove the cable from the WAN port there is no internet.

ubus call system board; \
> uci export network; uci export mwan3; \
> ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; mwan3 status
{
	"kernel": "5.10.146",
	"hostname": "OpenWrt",
	"system": "Qualcomm Atheros QCA956X ver 1 rev 0",
	"model": "TP-Link Archer C7 v5",
	"board_name": "tplink,archer-c7-v5",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "22.03.2",
		"revision": "r19803-9a599fee93",
		"target": "ath79/generic",
		"description": "OpenWrt 22.03.2 r19803-9a599fee93"
	}
}
package network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd70:52fe:ed5c::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.1'

config device
	option name 'br-lan2'
	option type 'bridge'
	list ports 'eth0.3'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.0.1'

config device
	option name 'eth0.2'
	option macaddr '74:da:88:e9:b7:98'

config interface 'wan'
	option device 'eth0.2'
	option proto 'dhcp'
	option metric '10'

config interface 'wan6'
	option device 'eth0.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option vid '1'
	option ports '0t 2 3 4'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '0t 1'
	option vid '2'

config interface 'lte'
	option device 'eth1'
	option proto 'dhcp'
	option metric '20'

config device
	option name 'eth1'

config switch_vlan
	option device 'switch0'
	option vlan '3'
	option ports '0t 5'
	option vid '3'

config interface 'lan2'
	option proto 'static'
	option device 'br-lan2'
	option ipaddr '192.168.4.1'
	option netmask '255.255.255.0'

package mwan3

config globals 'globals'
	option mmx_mask '0x3F00'

config rule 'https'
	option sticky '1'
	option dest_port '443'
	option proto 'tcp'
	option use_policy 'wan_to_lte'

config rule 'default_rule_v4'
	option dest_ip '0.0.0.0/0'
	option family 'ipv4'
	option proto 'all'
	option sticky '0'
	option use_policy 'wan_to_lte'

config interface 'wan'
	option enabled '1'
	option initial_state 'online'
	option family 'ipv4'
	list track_ip '8.8.8.8'
	list track_ip '8.8.4.4'
	option track_method 'ping'
	option reliability '1'
	option count '1'
	option size '56'
	option max_ttl '60'
	option timeout '4'
	option interval '10'
	option failure_interval '5'
	option recovery_interval '5'
	option down '5'
	option up '5'
	option interface 'wan'
	option metric '1'
	option weight '1'

config interface 'lte'
	option enabled '1'
	option family 'ipv4'
	option track_method 'ping'
	option reliability '1'
	option count '1'
	option size '56'
	option max_ttl '60'
	option timeout '4'
	option interval '10'
	option failure_interval '5'
	option recovery_interval '5'
	option down '5'
	option up '5'
	option interface 'lte'
	option metric '2'
	option weight '2'
	list track_ip '8.8.8.8'
	list track_ip '8.8.4.4'
	option initial_state 'online'

config member 'wan_member'
	option interface 'wan'
	option metric '1'
	option weight '1'

config member 'lte_member'
	option metric '2'
	option weight '2'
	option interface 'lte'

config policy 'wan_to_lte'
	list use_member 'wan_member'
	list use_member 'lte_member'
	option last_resort 'unreachable'

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
7: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    inet 192.168.8.185/24 brd 192.168.8.255 scope global eth1
       valid_lft forever preferred_lft forever
15: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.0.1/24 brd 192.168.0.255 scope global br-lan
       valid_lft forever preferred_lft forever
17: br-lan2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.4.1/24 brd 192.168.4.255 scope global br-lan2
       valid_lft forever preferred_lft forever
19: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 10.4.107.16/16 brd 10.4.255.255 scope global eth0.2
       valid_lft forever preferred_lft forever
default via 10.4.0.1 dev eth0.2 table 1 proto static src 10.4.107.16 metric 10
10.4.0.0/16 dev eth0.2 table 1 proto static scope link metric 10
192.168.0.0/24 dev br-lan table 1 proto kernel scope link src 192.168.0.1
192.168.4.0/24 dev br-lan2 table 1 proto kernel scope link src 192.168.4.1
default via 192.168.8.1 dev eth1 table 2 proto static src 192.168.8.185 metric 20
192.168.0.0/24 dev br-lan table 2 proto kernel scope link src 192.168.0.1
192.168.4.0/24 dev br-lan2 table 2 proto kernel scope link src 192.168.4.1
192.168.8.0/24 dev eth1 table 2 proto static scope link metric 20
default via 10.4.0.1 dev eth0.2 proto static src 10.4.107.16 metric 10
default via 192.168.8.1 dev eth1 proto static src 192.168.8.185 metric 20
10.4.0.0/16 dev eth0.2 proto static scope link metric 10
192.168.0.0/24 dev br-lan proto kernel scope link src 192.168.0.1
192.168.4.0/24 dev br-lan2 proto kernel scope link src 192.168.4.1
192.168.8.0/24 dev eth1 proto static scope link metric 20
broadcast 10.4.0.0 dev eth0.2 table local proto kernel scope link src 10.4.107.16
local 10.4.107.16 dev eth0.2 table local proto kernel scope host src 10.4.107.16
broadcast 10.4.255.255 dev eth0.2 table local proto kernel scope link src 10.4.107.16
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 192.168.0.0 dev br-lan table local proto kernel scope link src 192.168.0.1
local 192.168.0.1 dev br-lan table local proto kernel scope host src 192.168.0.1
broadcast 192.168.0.255 dev br-lan table local proto kernel scope link src 192.168.0.1
broadcast 192.168.4.0 dev br-lan2 table local proto kernel scope link src 192.168.4.1
local 192.168.4.1 dev br-lan2 table local proto kernel scope host src 192.168.4.1
broadcast 192.168.4.255 dev br-lan2 table local proto kernel scope link src 192.168.4.1
broadcast 192.168.8.0 dev eth1 table local proto kernel scope link src 192.168.8.185
local 192.168.8.185 dev eth1 table local proto kernel scope host src 192.168.8.185
broadcast 192.168.8.255 dev eth1 table local proto kernel scope link src 192.168.8.185
0:	from all lookup local
1001:	from all iif eth0.2 lookup 1
1002:	from all iif eth1 lookup 2
2001:	from all fwmark 0x100/0x3f00 lookup 1
2002:	from all fwmark 0x200/0x3f00 lookup 2
2061:	from all fwmark 0x3d00/0x3f00 blackhole
2062:	from all fwmark 0x3e00/0x3f00 unreachable
3001:	from all fwmark 0x100/0x3f00 unreachable
3002:	from all fwmark 0x200/0x3f00 unreachable
32766:	from all lookup main
32767:	from all lookup default
Interface status:
 interface wan is online 00h:07m:46s, uptime 00h:12m:00s and tracking is active
 interface lte is online 00h:10m:05s, uptime 00h:12m:00s and tracking is active

Current ipv4 policies:
wan_to_lte:
 wan (100%)

Current ipv6 policies:
wan_to_lte:
 unreachable

Directly connected ipv4 networks:
192.168.8.185
192.168.8.0/24
192.168.0.1
10.4.107.16
192.168.4.0/24
10.4.0.0
192.168.0.0/24
192.168.8.0
127.0.0.1
192.168.0.255
192.168.4.0
192.168.0.0
10.4.255.255
192.168.8.255
224.0.0.0/3
10.4.0.0/16
192.168.4.255
127.255.255.255
127.0.0.0/8
127.0.0.0
192.168.4.1

Directly connected ipv6 networks:

Active ipv4 user rules:
 1397 97415 S https  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 443
 1547  384K - wan_to_lte  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Active ipv6 user rules:
    0     0 S https  tcp      *      *       ::/0                 ::/0                 multiport dports 443

Any help will be appreciated

After wan disconnected:

ubus call system board; \
> uci export network; uci export mwan3; \
> ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; mwan3 status
{
	"kernel": "5.10.146",
	"hostname": "OpenWrt",
	"system": "Qualcomm Atheros QCA956X ver 1 rev 0",
	"model": "TP-Link Archer C7 v5",
	"board_name": "tplink,archer-c7-v5",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "22.03.2",
		"revision": "r19803-9a599fee93",
		"target": "ath79/generic",
		"description": "OpenWrt 22.03.2 r19803-9a599fee93"
	}
}
package network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd70:52fe:ed5c::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.1'

config device
	option name 'br-lan2'
	option type 'bridge'
	list ports 'eth0.3'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.0.1'

config device
	option name 'eth0.2'
	option macaddr '74:da:88:e9:b7:98'

config interface 'wan'
	option device 'eth0.2'
	option proto 'dhcp'
	option metric '10'

config interface 'wan6'
	option device 'eth0.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option vid '1'
	option ports '0t 2 3 4'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '0t 1'
	option vid '2'

config interface 'lte'
	option device 'eth1'
	option proto 'dhcp'
	option metric '20'

config device
	option name 'eth1'

config switch_vlan
	option device 'switch0'
	option vlan '3'
	option ports '0t 5'
	option vid '3'

config interface 'lan2'
	option proto 'static'
	option device 'br-lan2'
	option ipaddr '192.168.4.1'
	option netmask '255.255.255.0'

package mwan3

config globals 'globals'
	option mmx_mask '0x3F00'

config rule 'https'
	option sticky '1'
	option dest_port '443'
	option proto 'tcp'
	option use_policy 'wan_to_lte'

config rule 'default_rule_v4'
	option dest_ip '0.0.0.0/0'
	option family 'ipv4'
	option proto 'all'
	option sticky '0'
	option use_policy 'wan_to_lte'

config interface 'wan'
	option enabled '1'
	option initial_state 'online'
	option family 'ipv4'
	list track_ip '8.8.8.8'
	list track_ip '8.8.4.4'
	option track_method 'ping'
	option reliability '1'
	option count '1'
	option size '56'
	option max_ttl '60'
	option timeout '4'
	option interval '10'
	option failure_interval '5'
	option recovery_interval '5'
	option down '5'
	option up '5'
	option interface 'wan'
	option metric '1'
	option weight '1'

config interface 'lte'
	option enabled '1'
	option family 'ipv4'
	option track_method 'ping'
	option reliability '1'
	option count '1'
	option size '56'
	option max_ttl '60'
	option timeout '4'
	option interval '10'
	option failure_interval '5'
	option recovery_interval '5'
	option down '5'
	option up '5'
	option interface 'lte'
	option metric '2'
	option weight '2'
	list track_ip '8.8.8.8'
	list track_ip '8.8.4.4'
	option initial_state 'online'

config member 'wan_member'
	option interface 'wan'
	option metric '1'
	option weight '1'

config member 'lte_member'
	option metric '2'
	option weight '2'
	option interface 'lte'

config policy 'wan_to_lte'
	list use_member 'wan_member'
	list use_member 'lte_member'
	option last_resort 'unreachable'

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
7: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    inet 192.168.8.185/24 brd 192.168.8.255 scope global eth1
       valid_lft forever preferred_lft forever
15: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.0.1/24 brd 192.168.0.255 scope global br-lan
       valid_lft forever preferred_lft forever
17: br-lan2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.4.1/24 brd 192.168.4.255 scope global br-lan2
       valid_lft forever preferred_lft forever
19: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 10.4.107.16/16 brd 10.4.255.255 scope global eth0.2
       valid_lft forever preferred_lft forever
default via 10.4.0.1 dev eth0.2 table 1 proto static src 10.4.107.16 metric 10
10.4.0.0/16 dev eth0.2 table 1 proto static scope link metric 10
192.168.0.0/24 dev br-lan table 1 proto kernel scope link src 192.168.0.1
192.168.4.0/24 dev br-lan2 table 1 proto kernel scope link src 192.168.4.1
default via 192.168.8.1 dev eth1 table 2 proto static src 192.168.8.185 metric 20
192.168.0.0/24 dev br-lan table 2 proto kernel scope link src 192.168.0.1
192.168.4.0/24 dev br-lan2 table 2 proto kernel scope link src 192.168.4.1
192.168.8.0/24 dev eth1 table 2 proto static scope link metric 20
default via 10.4.0.1 dev eth0.2 proto static src 10.4.107.16 metric 10
default via 192.168.8.1 dev eth1 proto static src 192.168.8.185 metric 20
10.4.0.0/16 dev eth0.2 proto static scope link metric 10
192.168.0.0/24 dev br-lan proto kernel scope link src 192.168.0.1
192.168.4.0/24 dev br-lan2 proto kernel scope link src 192.168.4.1
192.168.8.0/24 dev eth1 proto static scope link metric 20
broadcast 10.4.0.0 dev eth0.2 table local proto kernel scope link src 10.4.107.16
local 10.4.107.16 dev eth0.2 table local proto kernel scope host src 10.4.107.16
broadcast 10.4.255.255 dev eth0.2 table local proto kernel scope link src 10.4.107.16
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 192.168.0.0 dev br-lan table local proto kernel scope link src 192.168.0.1
local 192.168.0.1 dev br-lan table local proto kernel scope host src 192.168.0.1
broadcast 192.168.0.255 dev br-lan table local proto kernel scope link src 192.168.0.1
broadcast 192.168.4.0 dev br-lan2 table local proto kernel scope link src 192.168.4.1
local 192.168.4.1 dev br-lan2 table local proto kernel scope host src 192.168.4.1
broadcast 192.168.4.255 dev br-lan2 table local proto kernel scope link src 192.168.4.1
broadcast 192.168.8.0 dev eth1 table local proto kernel scope link src 192.168.8.185
local 192.168.8.185 dev eth1 table local proto kernel scope host src 192.168.8.185
broadcast 192.168.8.255 dev eth1 table local proto kernel scope link src 192.168.8.185
0:	from all lookup local
1001:	from all iif eth0.2 lookup 1
1002:	from all iif eth1 lookup 2
2001:	from all fwmark 0x100/0x3f00 lookup 1
2002:	from all fwmark 0x200/0x3f00 lookup 2
2061:	from all fwmark 0x3d00/0x3f00 blackhole
2062:	from all fwmark 0x3e00/0x3f00 unreachable
3001:	from all fwmark 0x100/0x3f00 unreachable
3002:	from all fwmark 0x200/0x3f00 unreachable
32766:	from all lookup main
32767:	from all lookup default
Interface status:
 interface wan is online 00h:40m:54s, uptime 00h:45m:08s and tracking is active
 interface lte is online 00h:43m:13s, uptime 00h:45m:08s and tracking is active

Current ipv4 policies:
wan_to_lte:
 wan (100%)

Current ipv6 policies:
wan_to_lte:
 unreachable

Directly connected ipv4 networks:
192.168.8.185
192.168.8.0/24
192.168.0.1
10.4.107.16
192.168.4.0/24
10.4.0.0
192.168.0.0/24
192.168.8.0
127.0.0.1
192.168.0.255
192.168.4.0
192.168.0.0
10.4.255.255
192.168.8.255
224.0.0.0/3
10.4.0.0/16
192.168.4.255
127.255.255.255
127.0.0.0/8
127.0.0.0
192.168.4.1

Directly connected ipv6 networks:

Active ipv4 user rules:
 2283  155K S https  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 443
 2121  796K - wan_to_lte  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Active ipv6 user rules:
    0     0 S https  tcp      *      *       ::/0                 ::/0                 multiport dports 443


It looks like the interface remains up when you disconnect the cable. Most likely the switch is keeping the interface up, since it is a vlan of the interface on the router cpu.
Did you wait for the probes to fail so the interface can be declared as not connected?


Yes, I did; at least the multiwan status reported the interface as disabled. Let me retry and wait a bit more.

Yes, if I wait a bit longer the interface goes offline, but there is still no internet.

ubus call system board; \
> uci export network; uci export mwan3; \
> ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; mwan3 status
{
	"kernel": "5.10.146",
	"hostname": "OpenWrt",
	"system": "Qualcomm Atheros QCA956X ver 1 rev 0",
	"model": "TP-Link Archer C7 v5",
	"board_name": "tplink,archer-c7-v5",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "22.03.2",
		"revision": "r19803-9a599fee93",
		"target": "ath79/generic",
		"description": "OpenWrt 22.03.2 r19803-9a599fee93"
	}
}
package network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd70:52fe:ed5c::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.1'

config device
	option name 'br-lan2'
	option type 'bridge'
	list ports 'eth0.3'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.0.1'

config device
	option name 'eth0.2'
	option macaddr '74:da:88:e9:b7:98'

config interface 'wan'
	option device 'eth0.2'
	option proto 'dhcp'
	option metric '10'

config interface 'wan6'
	option device 'eth0.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option vid '1'
	option ports '0t 2 3 4'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '0t 1'
	option vid '2'

config interface 'lte'
	option device 'eth1'
	option proto 'dhcp'
	option metric '20'

config device
	option name 'eth1'

config switch_vlan
	option device 'switch0'
	option vlan '3'
	option ports '0t 5'
	option vid '3'

config interface 'lan2'
	option proto 'static'
	option device 'br-lan2'
	option ipaddr '192.168.4.1'
	option netmask '255.255.255.0'

package mwan3

config globals 'globals'
	option mmx_mask '0x3F00'

config rule 'https'
	option sticky '1'
	option dest_port '443'
	option proto 'tcp'
	option use_policy 'wan_to_lte'

config rule 'default_rule_v4'
	option dest_ip '0.0.0.0/0'
	option family 'ipv4'
	option proto 'all'
	option sticky '0'
	option use_policy 'wan_to_lte'

config interface 'wan'
	option enabled '1'
	option initial_state 'online'
	option family 'ipv4'
	list track_ip '8.8.8.8'
	list track_ip '8.8.4.4'
	option track_method 'ping'
	option reliability '1'
	option count '1'
	option size '56'
	option max_ttl '60'
	option timeout '4'
	option interval '10'
	option failure_interval '5'
	option recovery_interval '5'
	option down '5'
	option up '5'
	option interface 'wan'
	option metric '1'
	option weight '1'

config interface 'lte'
	option enabled '1'
	option family 'ipv4'
	option track_method 'ping'
	option reliability '1'
	option count '1'
	option size '56'
	option max_ttl '60'
	option timeout '4'
	option interval '10'
	option failure_interval '5'
	option recovery_interval '5'
	option down '5'
	option up '5'
	option interface 'lte'
	option metric '2'
	option weight '2'
	list track_ip '8.8.8.8'
	list track_ip '8.8.4.4'
	option initial_state 'online'

config member 'wan_member'
	option interface 'wan'
	option metric '1'
	option weight '1'

config member 'lte_member'
	option metric '2'
	option weight '2'
	option interface 'lte'

config policy 'wan_to_lte'
	list use_member 'wan_member'
	list use_member 'lte_member'
	option last_resort 'unreachable'

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
7: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    inet 192.168.8.185/24 brd 192.168.8.255 scope global eth1
       valid_lft forever preferred_lft forever
15: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.0.1/24 brd 192.168.0.255 scope global br-lan
       valid_lft forever preferred_lft forever
17: br-lan2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.4.1/24 brd 192.168.4.255 scope global br-lan2
       valid_lft forever preferred_lft forever
19: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 10.4.107.16/16 brd 10.4.255.255 scope global eth0.2
       valid_lft forever preferred_lft forever
default via 10.4.0.1 dev eth0.2 table 1 proto static src 10.4.107.16 metric 10
10.4.0.0/16 dev eth0.2 table 1 proto static scope link metric 10
192.168.0.0/24 dev br-lan table 1 proto kernel scope link src 192.168.0.1
192.168.4.0/24 dev br-lan2 table 1 proto kernel scope link src 192.168.4.1
default via 192.168.8.1 dev eth1 table 2 proto static src 192.168.8.185 metric 20
192.168.0.0/24 dev br-lan table 2 proto kernel scope link src 192.168.0.1
192.168.4.0/24 dev br-lan2 table 2 proto kernel scope link src 192.168.4.1
192.168.8.0/24 dev eth1 table 2 proto static scope link metric 20
default via 10.4.0.1 dev eth0.2 proto static src 10.4.107.16 metric 10
default via 192.168.8.1 dev eth1 proto static src 192.168.8.185 metric 20
10.4.0.0/16 dev eth0.2 proto static scope link metric 10
192.168.0.0/24 dev br-lan proto kernel scope link src 192.168.0.1
192.168.4.0/24 dev br-lan2 proto kernel scope link src 192.168.4.1
192.168.8.0/24 dev eth1 proto static scope link metric 20
broadcast 10.4.0.0 dev eth0.2 table local proto kernel scope link src 10.4.107.16
local 10.4.107.16 dev eth0.2 table local proto kernel scope host src 10.4.107.16
broadcast 10.4.255.255 dev eth0.2 table local proto kernel scope link src 10.4.107.16
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 192.168.0.0 dev br-lan table local proto kernel scope link src 192.168.0.1
local 192.168.0.1 dev br-lan table local proto kernel scope host src 192.168.0.1
broadcast 192.168.0.255 dev br-lan table local proto kernel scope link src 192.168.0.1
broadcast 192.168.4.0 dev br-lan2 table local proto kernel scope link src 192.168.4.1
local 192.168.4.1 dev br-lan2 table local proto kernel scope host src 192.168.4.1
broadcast 192.168.4.255 dev br-lan2 table local proto kernel scope link src 192.168.4.1
broadcast 192.168.8.0 dev eth1 table local proto kernel scope link src 192.168.8.185
local 192.168.8.185 dev eth1 table local proto kernel scope host src 192.168.8.185
broadcast 192.168.8.255 dev eth1 table local proto kernel scope link src 192.168.8.185
0:	from all lookup local
1001:	from all iif eth0.2 lookup 1
1002:	from all iif eth1 lookup 2
2001:	from all fwmark 0x100/0x3f00 lookup 1
2002:	from all fwmark 0x200/0x3f00 lookup 2
2061:	from all fwmark 0x3d00/0x3f00 blackhole
2062:	from all fwmark 0x3e00/0x3f00 unreachable
3001:	from all fwmark 0x100/0x3f00 unreachable
3002:	from all fwmark 0x200/0x3f00 unreachable
32766:	from all lookup main
32767:	from all lookup default
Interface status:
 interface wan is offline 00h:00m:00s, uptime 01h:46m:01s and tracking is active
 interface lte is online 01h:44m:07s, uptime 01h:46m:01s and tracking is active

Current ipv4 policies:
wan_to_lte:
 lte (100%)

Current ipv6 policies:
wan_to_lte:
 unreachable

Directly connected ipv4 networks:
192.168.8.185
192.168.8.0/24
192.168.0.1
10.4.107.16
192.168.4.0/24
10.4.0.0
192.168.0.0/24
192.168.8.0
127.0.0.1
192.168.0.255
192.168.4.0
192.168.0.0
10.4.255.255
192.168.8.255
224.0.0.0/3
10.4.0.0/16
192.168.4.255
127.255.255.255
127.0.0.0/8
127.0.0.0
192.168.4.1

Directly connected ipv6 networks:

Active ipv4 user rules:
 9900  640K S https  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 443
11315 3451K - wan_to_lte  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Active ipv6 user rules:
    0     0 S https  tcp      *      *       ::/0                 ::/0                 multiport dports 443

Can you post the output of `uci export firewall`?

uci export firewall
package firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled '0'

config include
	option path '/etc/firewall.user'

config zone
	option name 'lan2'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan2'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'
	list network 'LTE'

config forwarding
	option src 'lan2'
	option dest 'wan'

config rule
	option name 'Block web for lan2'
	option src 'lan2'
	list dest_ip '192.168.0.1'
	list proto 'all'
	option target 'DROP'

config rule
	option name 'Block 443 of router'
	list dest_ip '192.168.4.1'
	option dest_port '443'
	option target 'DROP'
	option src 'lan2'

config rule
	option name 'Block 80 of router'
	option src 'lan2'
	list dest_ip '192.168.4.1'
	option dest_port '80'
	option target 'DROP'

config rule
	option name 'Block 22 port for guests'
	option src 'lan2'
	list dest_ip '192.168.4.1'
	option dest_port '22'
	option target 'DROP'

config rule
	option name 'Block 22 port for guests 2'
	option src 'lan2'
	list dest_ip '192.168.0.1'
	option dest_port '22'
	option target 'DROP'

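Again the interface is in capitals. The wan firewall zone has `list network 'LTE'`, but the interface in the network config is named 'lte', and UCI section names are case-sensitive, so the lte interface is not part of the wan zone: the lan-to-wan forwarding and masquerading do not apply to it. Traffic arriving on eth1 is also handled by the firewall defaults, which here have input 'ACCEPT', rather than by the wan zone's input 'REJECT'.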


Ugh! Thank you, it was a bad idea to name it with capitals. Now I have a different issue: all traffic goes through LTE even when WAN is connected.

Never mind, something wrong is going on here. I will look at this tomorrow.

It needs some time to detect that the connection is up, same for detecting that it went down.

