Mwan3 PBR rules help

Hi hope everyone is well,

I've got 2 WAN interfaces and 1 WG interface (VPN provider) set up with mwan3 running 23.05. I have set up load balancing using some tips from this post Wireguard tunnel over mwan3
All devices now connect with the public IP of the WG interface. However, when testing with bmon I can see that traffic only passes through 1 WAN connection. Is it possible to load balance the traffic going through WG over the 2 WAN connections?

Also, I previously used PBR with a single WAN connection but that no longer works. Can someone please help me with creating mwan3 rules to allow certain IP addresses in my LAN network (landevice1) to bypass WG and use the WAN connection/s instead. I've tried creating rules as per the wiki guide and searched the forums for any tips but I am stuck!

package mwan3

config globals 'globals'
option mmx_mask '0x3F00'

config interface 'wan'
option enabled '1'
option family 'ipv4'
option reliability '1'
option initial_state 'online'
list track_ip '1.0.0.1'
list track_ip '1.1.1.1'
option track_method 'ping'
option count '1'
option size '56'
option max_ttl '60'
option timeout '4'
option interval '10'
option failure_interval '5'
option recovery_interval '5'
option down '5'
option up '5'
list flush_conntrack 'connected'
list flush_conntrack 'disconnected'

config interface 'wan6'
option enabled '1'
option family 'ipv6'
option reliability '1'
option initial_state 'online'
list track_ip '2606:4700:4700::1001'
list track_ip '2606:4700:4700::1111'
option track_method 'ping'
option count '1'
option size '56'
option max_ttl '60'
option timeout '4'
option interval '10'
option failure_interval '5'
option recovery_interval '5'
option down '5'
option up '5'

config interface 'wanb'
option enabled '1'
option family 'ipv4'
option reliability '1'
option initial_state 'online'
list track_ip '1.0.0.1'
list track_ip '1.1.1.1'
option track_method 'ping'
option count '1'
option size '56'
option max_ttl '60'
option timeout '4'
option interval '10'
option failure_interval '5'
option recovery_interval '5'
option down '5'
option up '5'
list flush_conntrack 'connected'
list flush_conntrack 'disconnected'

config interface 'wanb6'
option family 'ipv6'
option reliability '1'
option initial_state 'online'
list track_ip '2606:4700:4700::1001'
list track_ip '2606:4700:4700::1111'
option track_method 'ping'
option count '1'
option size '56'
option max_ttl '60'
option timeout '4'
option interval '10'
option failure_interval '5'
option recovery_interval '5'
option down '5'
option up '5'
option enabled '1'

config member 'wan_m1_w3'
option interface 'wan'
option metric '2'
option weight '3'

config policy 'balanced'
option last_resort 'unreachable'
list use_member 'wan_m1_w3'
list use_member 'wanb_m1_w3'
list use_member 'wg0_m1_w3'

config rule 'https'
option sticky '1'
option proto 'all'
option use_policy 'balanced'
# vpn provider
option dest_ip '194.xx.xxx.xxx'

config rule 'default_rule_v4'
option dest_ip '0.0.0.0/0'
option use_policy 'balanced'
option family 'ipv4'
option proto 'all'
option sticky '0'

config rule 'default_rule_v6'
option dest_ip '::/0'
option use_policy 'balanced'
option family 'ipv6'

config rule 'landevice1'
option proto 'all'
option dest_ip '192.168.xx.x'
option sticky '0'
option use_policy 'wan_only'

config member 'wanb_m1_w3'
option interface 'wanb'
option metric '2'
option weight '3'

config interface 'wg0'
option enabled '1'
option initial_state 'online'
option family 'ipv4'
list track_ip '1.0.0.1'
list track_ip '1.1.1.1'
option track_method 'ping'
option reliability '1'
option count '1'
option size '56'
option max_ttl '60'
option timeout '4'
option interval '10'
option failure_interval '5'
option recovery_interval '5'
option down '5'
option up '5'

config member 'wg0_m1_w3'
option interface 'wg0'
option metric '1'
option weight '3'

config policy 'wireguard'
list use_member 'wg0_m1_w3'
option last_resort 'unreachable'

config policy 'wan_only'
option last_resort 'unreachable'
list use_member 'wan_m1_w3'

config policy 'wanb_only'
option last_resort 'unreachable'
list use_member 'wanb_m1_w3'

For a balanced policy, all members must have the same metric (as in the names used). With these settings, all traffic will go through the wireguard interface (because it has a lower metric), unless that interface goes down.

To make this rule work, you'll need:

  1. Move it before (above) the "default_rule_v4" rule.
  2. Change option dest_ip '192.168.xx.153' to option src_ip '192.168.xx.153'.

I don't know what the idea behind this rule is, but it is no longer related to https traffic and you will get the same result with or without it (except for the "sticky" option).

I'm afraid it's not possible. The router will use the wan interface with the lower metric to connect to the vpn provider. Even if you set the balanced policy correctly, about 66% of the traffic will go through the primary wan interface (33% wan + 33% wg0).
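As an added example (not part of any reply in this thread, and not mwan3's or OpenWrt's own code), here is a small checker that turns the two points above into something you can run against a copy of /etc/config/mwan3: it parses the UCI syntax and reports policies whose members carry different metrics, and host rules that use dest_ip or sit below a catch-all default rule. The two sample configs are constructed for the example and 192.168.1.153 is a placeholder host; the lint on the "broken" sample reproduces the problems in the posted config, the "fixed" sample applies the two changes from the reply.

```python
"""Lint an mwan3 config (UCI syntax) for the two mistakes discussed above.

Added example for this thread, not code from mwan3 or OpenWrt. Checks that:
  * all members of a policy share one metric (a member with a higher metric
    is only a failover candidate, so the policy fails over, it does not balance),
  * a rule that singles out one LAN host matches on src_ip, not dest_ip, and
    sits above the catch-all default rules (mwan3 walks rules in file order,
    first match wins).
The two configs below are constructed; 192.168.1.153 is a placeholder host.
"""
import ipaddress
import shlex

BROKEN = """\
config member 'wan_m1_w3'
    option metric '2'
config member 'wg0_m1_w3'
    option metric '1'
config policy 'balanced'
    list use_member 'wan_m1_w3'
    list use_member 'wg0_m1_w3'
config rule 'default_rule_v4'
    option dest_ip '0.0.0.0/0'
    option use_policy 'balanced'
config rule 'landevice1'
    option dest_ip '192.168.1.153'
    option use_policy 'wan_only'
"""

# Same config with the reply's fixes: equal metrics, src_ip, host rule first.
FIXED = """\
config member 'wan_m1_w3'
    option metric '1'
config member 'wg0_m1_w3'
    option metric '1'
config policy 'balanced'
    list use_member 'wan_m1_w3'
    list use_member 'wg0_m1_w3'
config rule 'landevice1'
    option src_ip '192.168.1.153'
    option use_policy 'wan_only'
config rule 'default_rule_v4'
    option dest_ip '0.0.0.0/0'
    option use_policy 'balanced'
"""

CATCH_ALL = {'0.0.0.0/0', '::/0'}


def parse_uci(text):
    """Return [(type, name, options)] in file order; `list` keys become lists."""
    sections = []
    for raw in text.splitlines():
        parts = shlex.split(raw, comments=True)   # honours quotes, drops # comments
        if not parts:
            continue
        value = parts[2] if len(parts) > 2 else ''
        if parts[0] == 'config':
            sections.append((parts[1], parts[2] if len(parts) > 2 else None, {}))
        elif parts[0] == 'option' and sections:
            sections[-1][2][parts[1]] = value
        elif parts[0] == 'list' and sections:
            sections[-1][2].setdefault(parts[1], []).append(value)
    return sections


def is_lan_host(value):
    """True for a private (RFC 1918 / ULA) address or prefix."""
    try:
        return ipaddress.ip_network(value, strict=False).is_private
    except ValueError:
        return False


def lint(text):
    """Return human-readable findings; an empty list means both checks passed."""
    sections = parse_uci(text)
    members = {name: opts for kind, name, opts in sections if kind == 'member'}
    findings, first_default = [], None
    for kind, name, opts in sections:
        if kind == 'policy':
            metrics = {members.get(m, {}).get('metric', '1') for m in opts.get('use_member', [])}
            if len(metrics) > 1:
                findings.append(f"policy '{name}': member metrics differ {sorted(metrics)}, so it fails over instead of balancing")
        elif kind == 'rule':
            dest = opts.get('dest_ip')
            if dest in CATCH_ALL:
                first_default = first_default or name   # remember the first catch-all
                continue
            lan_dest = dest is not None and is_lan_host(dest)
            if lan_dest and 'src_ip' not in opts:
                findings.append(f"rule '{name}': dest_ip {dest} matches traffic *to* that host; use src_ip to steer its outbound traffic")
            if (lan_dest or 'src_ip' in opts) and first_default:
                findings.append(f"rule '{name}': placed after catch-all rule '{first_default}', so it never matches")
    return findings


if __name__ == '__main__':
    for label, cfg in (('broken', BROKEN), ('fixed', FIXED)):
        print(label, lint(cfg) or ['ok'])
```

Run it against your own file with `lint(open('/etc/config/mwan3').read())`; the ordering check only looks at rules that match a LAN source or a private destination, since those are the ones that only make sense above the default rules.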

This worked! Thank you so much.

config policy 'wan_only'
option last_resort 'unreachable'
list use_member 'wan_m1_w3'
list use_member 'wanb_m1_w3'

I've also tweaked the policy as above and this appears to load balance correctly.

How would I set the balanced policy in order to achieve this? I'd still like all traffic to go through the WG interface.
Also, in PBR there is an option to create custom user scripts to whitelist Netflix/Disney IP addresses. Is there a way to create a similar policy in mwan3?

If I understand you correctly, you want the clients to use the wireguard interface, but the traffic to the vpn provider should be balanced across the two wan interfaces. As I said before, it's not possible. You can only use one of the wan interfaces to connect to the provider and all traffic will go through that interface.

In mwan3 the closest option is the ipset support. Since version 23.05 the automatic population of an ipset using dnsmasq-full is no longer supported. You can still populate the sets manually (using scripts), but this is not a trivial task.

For example, if you want to access Netflix only through the main wan interface, you need to create an ipset and a corresponding mwan3 rule.

ipset create netflix hash:net
ipset add netflix 108.175.32.0/20
ipset add netflix 185.2.220.0/22
ipset add netflix 185.9.188.0/22
ipset add netflix 192.173.100.0/24
ipset add netflix 192.173.101.0/24
ipset add netflix 192.173.102.0/24
ipset add netflix 192.173.104.0/24
ipset add netflix 192.173.105.0/24
ipset add netflix 192.173.108.0/24
ipset add netflix 192.173.109.0/24
# /etc/config/mwan3

config rule 'netflix'
       option family 'ipv4'
       option sticky '1'
       option ipset 'netflix'
       option proto 'all'
       option use_policy 'wan_only'

Hope this helps.
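The reply above creates the set by hand, which fails on the second run once the set exists and silently accepts typos. As an added example (not part of the reply, nor mwan3's or ipset's own tooling), this script takes the same prefix list, validates and merges it, and writes the result in `ipset restore` syntax so it can be re-applied at boot before mwan3 starts. The ten prefixes are the ones posted above; the three trailing entries (a duplicate, an IPv6 documentation prefix and a prefix with host bits set) are constructed to show what the validation rejects.

```python
"""Generate an idempotent `ipset restore` file for an mwan3 ipset rule.

Added example for this thread, not code from mwan3, OpenWrt or ipset.
Input: a list of prefixes copied from wherever the provider publishes them.
Output: `create`/`add` lines in restore syntax (the command-line syntax
without the leading `ipset`), for the set name the mwan3 rule references.
"""
import ipaddress

SET_NAME = 'netflix'          # must match `option ipset 'netflix'` in the rule

# The ten prefixes from the reply above, plus three constructed bad entries.
PREFIXES = [
    '108.175.32.0/20', '185.2.220.0/22', '185.9.188.0/22',
    '192.173.100.0/24', '192.173.101.0/24', '192.173.102.0/24',
    '192.173.104.0/24', '192.173.105.0/24', '192.173.108.0/24',
    '192.173.109.0/24',
    '192.173.100.0/24',       # duplicate (constructed)
    '2001:db8::/32',          # IPv6, wrong family for this set (constructed)
    '198.51.100.7/24',        # host bits set, likely a typo (constructed)
]


def validate(prefixes):
    """Return (accepted IPv4 networks, rejected (prefix, reason) pairs).

    Accepted networks are deduplicated and adjacent ones merged, so the set
    holds the same address space with fewer entries."""
    accepted, rejected = [], []
    for prefix in prefixes:
        try:
            net = ipaddress.ip_network(prefix, strict=True)   # strict: reject host bits
        except ValueError as exc:
            rejected.append((prefix, str(exc)))
            continue
        if net.version != 4:
            rejected.append((prefix, 'IPv6 prefix; a hash:net set holds one family'))
            continue
        accepted.append(net)
    return list(ipaddress.collapse_addresses(accepted)), rejected


def restore_script(name, networks):
    """Lines for `ipset restore`; run with `ipset -exist restore < file`
    so an existing set or entry does not abort the load."""
    lines = [f'create {name} hash:net family inet']
    lines += [f'add {name} {net}' for net in networks]
    return '\n'.join(lines) + '\n'


if __name__ == '__main__':
    nets, bad = validate(PREFIXES)
    for prefix, reason in bad:
        print(f'# skipped {prefix}: {reason}')
    print(restore_script(SET_NAME, nets), end='')
```

Feed the output to `ipset -exist restore` from a startup script (and restart mwan3 afterwards so the rule finds the set); because `-exist` ignores already-present sets and entries, the same file can be reloaded every time the list changes.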

Ah I get it now, point taken thank you!

This works perfectly! Do you know if this can also be done with website domain names instead of IP addresses?
Really appreciate the advice, thank you kindly!

This option was based on automatic population of ipset(s) by dnsmasq-full and (as already stated) is no longer supported.

