Mwan3 routeback

I have some problems setting up wireguard and postfix on a host with mwan3.
It seems that the traffic is coming in on one interface and the response is going out on the other one.
This is mainly happening on hosts that use the same provider: we have a pppoe connection and a static connection.
If the connection comes in from a static address to pppoe, the reply will go out on the static IP interface (maybe same netmask).
Shorewall has an option, routeback, so that connections coming in on one interface will go out on the same one, no matter if the source is in the same subnet.

Can this be implemented with mwan3 or some manual iptables rules?

ip rule show
0: from all lookup local
1001: from all iif eth1 lookup RDS
1003: from all iif pppoe-wanb lookup 3
2001: from all fwmark 0x100/0x3f00 lookup RDS
2003: from all fwmark 0x300/0x3f00 lookup 3
2061: from all fwmark 0x3d00/0x3f00 blackhole
2062: from all fwmark 0x3e00/0x3f00 unreachable
32766: from all lookup main
32767: from all lookup default

uci show mwan3
mwan3.vpn=rule
mwan3.vpn.dest_port='500,4500'
mwan3.vpn.proto='udp'
mwan3.vpn.sticky='1'
mwan3.vpn.timeout='3000'
mwan3.vpn.use_policy='wanb_wan'
mwan3.http192=rule
mwan3.http192.dest_port='80'
mwan3.http192.proto='tcp'
mwan3.http192.sticky='1'
mwan3.http192.src_ip='192.168.0.1'
mwan3.http192.use_policy='wanb_wan'
mwan3.https192=rule
mwan3.https192.src_ip='192.168.0.1'
mwan3.https192.dest_port='443'
mwan3.https192.proto='tcp'
mwan3.https192.sticky='1'
mwan3.https192.use_policy='wanb_wan'
mwan3.des_cnas=rule
mwan3.des_cnas.dest_ip='213.177.24.38'
mwan3.des_cnas.proto='all'
mwan3.des_cnas.sticky='1'
mwan3.des_cnas.use_policy='wan_wanb'
mwan3.http_ext=rule
mwan3.http_ext.dest_port='80'
mwan3.http_ext.proto='tcp'
mwan3.http_ext.sticky='1'
mwan3.http_ext.use_policy='wanb_wan'
mwan3.https_ext=rule
mwan3.https_ext.dest_port='443'
mwan3.https_ext.proto='tcp'
mwan3.https_ext.sticky='1'
mwan3.https_ext.use_policy='wanb_wan'
mwan3.default_rule=rule
mwan3.default_rule.dest_ip='0.0.0.0/0'
mwan3.default_rule.use_policy='balanced'
mwan3.globals=globals
mwan3.globals.mmx_mask='0x3F00'
mwan3.globals.rtmon_interval='5'
mwan3.globals.local_source='none'
mwan3.wan=interface
mwan3.wan.enabled='1'
mwan3.wan.track_ip='8.8.4.4' '8.8.8.8' '208.67.222.222' '208.67.220.220'
mwan3.wan.family='ipv4'
mwan3.wan.reliability='2'
mwan3.wan.count='1'
mwan3.wan.timeout='2'
mwan3.wan.down='3'
mwan3.wan.up='8'
mwan3.wan.initial_state='online'
mwan3.wan.track_method='ping'
mwan3.wan.size='56'
mwan3.wan.check_quality='0'
mwan3.wan.interval='20'
mwan3.wan.failure_interval='5'
mwan3.wan.recovery_interval='5'
mwan3.wan6=interface
mwan3.wan6.enabled='0'
mwan3.wan6.track_ip='2001:4860:4860::8844' '2001:4860:4860::8888' '2620:0:ccd::2' '2620:0:ccc::2'
mwan3.wan6.family='ipv6'
mwan3.wan6.reliability='2'
mwan3.wan6.count='1'
mwan3.wan6.timeout='2'
mwan3.wan6.interval='5'
mwan3.wan6.down='3'
mwan3.wan6.up='8'
mwan3.wanb=interface
mwan3.wanb.track_ip='8.8.8.8' '208.67.220.220'
mwan3.wanb.family='ipv4'
mwan3.wanb.reliability='1'
mwan3.wanb.count='1'
mwan3.wanb.timeout='2'
mwan3.wanb.down='3'
mwan3.wanb.up='8'
mwan3.wanb.enabled='1'
mwan3.wanb.initial_state='online'
mwan3.wanb.track_method='ping'
mwan3.wanb.size='56'
mwan3.wanb.check_quality='0'
mwan3.wanb.failure_interval='5'
mwan3.wanb.recovery_interval='5'
mwan3.wanb.interval='20'
mwan3.wanb6=interface
mwan3.wanb6.enabled='0'
mwan3.wanb6.track_ip='2001:4860:4860::8888' '2620:0:ccc::2'
mwan3.wanb6.family='ipv6'
mwan3.wanb6.reliability='1'
mwan3.wanb6.count='1'
mwan3.wanb6.timeout='2'
mwan3.wanb6.interval='5'
mwan3.wanb6.down='3'
mwan3.wanb6.up='8'
mwan3.wan_m1_w3=member
mwan3.wan_m1_w3.interface='wan'
mwan3.wan_m1_w3.metric='1'
mwan3.wan_m1_w3.weight='2'
mwan3.wan_m2_w3=member
mwan3.wan_m2_w3.interface='wan'
mwan3.wan_m2_w3.metric='2'
mwan3.wan_m2_w3.weight='2'
mwan3.wanb_m1_w2=member
mwan3.wanb_m1_w2.interface='wanb'
mwan3.wanb_m1_w2.metric='1'
mwan3.wanb_m1_w2.weight='4'
mwan3.wanb_m2_w2=member
mwan3.wanb_m2_w2.interface='wanb'
mwan3.wanb_m2_w2.metric='2'
mwan3.wanb_m2_w2.weight='4'
mwan3.wan6_m1_w3=member
mwan3.wan6_m1_w3.interface='wan6'
mwan3.wan6_m1_w3.metric='1'
mwan3.wan6_m1_w3.weight='3'
mwan3.wan6_m2_w3=member
mwan3.wan6_m2_w3.interface='wan6'
mwan3.wan6_m2_w3.metric='2'
mwan3.wan6_m2_w3.weight='3'
mwan3.wanb6_m1_w2=member
mwan3.wanb6_m1_w2.interface='wanb6'
mwan3.wanb6_m1_w2.metric='1'
mwan3.wanb6_m1_w2.weight='2'
mwan3.wanb6_m2_w2=member
mwan3.wanb6_m2_w2.interface='wanb6'
mwan3.wanb6_m2_w2.metric='2'
mwan3.wanb6_m2_w2.weight='2'
mwan3.wan_only=policy
mwan3.wan_only.use_member='wan_m1_w3' 'wan6_m1_w3'
mwan3.wanb_only=policy
mwan3.wanb_only.use_member='wanb_m1_w2' 'wanb6_m1_w2'
mwan3.balanced=policy
mwan3.balanced.use_member='wan_m1_w3' 'wanb_m1_w2' 'wan6_m1_w3' 'wanb6_m1_w2'
mwan3.wan_wanb=policy
mwan3.wan_wanb.use_member='wan_m1_w3' 'wanb_m2_w2' 'wan6_m1_w3' 'wanb6_m2_w2'
mwan3.wanb_wan=policy
mwan3.wanb_wan.use_member='wan_m2_w3' 'wanb_m1_w2' 'wan6_m2_w3' 'wanb6_m1_w2'

mwan3 has an option called sticky, which is associated with a timeout value. Setting sticky to 1 will cause packets from the same lan host within the timeout period to use the same wan interface, resetting the timeout counter back to its original value again.

Not sure if this is what you're looking for? If your timeout value is sufficiently long, it should lock the connection onto a specific interface.

From the docs:

config rule 'youtube'
    option sticky '1'
    option timeout '300'
    option ipset 'youtube'
    option dest_port '80,443'
    option proto 'tcp'
    option use_policy 'balanced'

With sticky set to 1, this rule now has sticky enabled. When a packet for a new session matches this rule, its source ip address and interface mark are stored in an ipmark set with a timeout of 300 seconds (default 600). When a packet for a second new session from the same lan host within the timeout period matches this rule, it will use the same wan interface as the first packet and the timeout counter is reset back to 300 again.

Stickiness is on a per-rule basis. With this example, all traffic from lan hosts will use the same wan interface for all youtube hosts, even if the source or destination ip address differs.

Hi, thanks for the reply. I know about the sticky rule, but does it work from external?
The traffic is coming from wanA and wanB, so there is no lan as source.

Note to self: custom firewall rule
iptables -t nat -A POSTROUTING -d <ip> -o <eth_dev> -j MASQUERADE
fixed this.
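
A worked check of the routing behaviour this thread is about, added here and not taken from the thread or from mwan3: it replays the ip rule show dump posted above for a locally generated reply (which has no ingress interface, so the iif rules never match) and shows which table the reply is routed by with and without a connection mark, then prints the standard netfilter CONNMARK rules that carry the ingress mark back onto the host's own reply packets. The interface name, marks and mask are taken from the dump; the MASK variable, the function names and the placement of these rules relative to mwan3's own mangle chains are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread or from mwan3). Interface name, marks
# and mask come from the ip rule dump above; MASK and function names are
# assumptions for illustration.
MASK=0x3f00

# The ip rule dump from the thread, embedded so the check runs offline.
RULES='0: from all lookup local
1001: from all iif eth1 lookup RDS
1003: from all iif pppoe-wanb lookup 3
2001: from all fwmark 0x100/0x3f00 lookup RDS
2003: from all fwmark 0x300/0x3f00 lookup 3
2061: from all fwmark 0x3d00/0x3f00 blackhole
2062: from all fwmark 0x3e00/0x3f00 unreachable
32766: from all lookup main
32767: from all lookup default'

# table_for_local_reply FWMARK: walk the rules in preference order as the
# kernel does for a packet this host generates itself (a reply from sshd,
# postfix or wireguard) to a remote address; print the first matching target.
table_for_local_reply() {
    mark=$1
    printf '%s\n' "$RULES" | while read -r pref rest; do
        set -- $rest
        target=; matched=1
        while [ $# -gt 0 ]; do
            case $1 in
                iif) matched=0 ;;   # locally generated packets have no ingress iface
                fwmark) want=${2%/*}; mask=${2#*/}
                        [ $(( mark & mask )) -eq $(( want )) ] || matched=0
                        shift ;;
                lookup) target=$2; shift ;;
                blackhole|unreachable) target=$1 ;;
            esac
            shift
        done
        if [ "$matched" -eq 0 ] || [ "$target" = local ]; then continue; fi
        printf '%s\n' "$target"   # table local holds no route to a remote host
        break
    done
}

# routeback_cmds IFACE MARK: print (do not apply) rules that remember which WAN
# a connection arrived on and copy that mark onto the host's reply packets, so
# the reply matches the fwmark rule for that WAN instead of falling to main.
routeback_cmds() {
    printf 'iptables -t mangle -A PREROUTING -i %s -m conntrack --ctstate NEW -j CONNMARK --set-xmark %s/%s\n' "$1" "$2" "$MASK"
    printf 'iptables -t mangle -A OUTPUT -m connmark ! --mark 0x0/%s -j CONNMARK --restore-mark --nfmask %s --ctmask %s\n' "$MASK" "$MASK" "$MASK"
}

echo "reply without a mark is routed by table: $(table_for_local_reply 0x0)"        # main
echo "reply carrying mark 0x300 is routed by table: $(table_for_local_reply 0x300)" # 3
routeback_cmds pppoe-wanb 0x300
```

On a live mwan3 host the mangle table already contains mwan3's own hook chains, so check the order with iptables -t mangle -L OUTPUT before adding anything, and use loose reverse-path filtering (rp_filter=2) on the WAN interfaces if strict mode drops the inbound packets.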
