Mwan3 second WAN interface not routing traffic

hhhapz · November 6, 2025, 7:33pm

Hey,

I’m setting up dual-WAN on an OpenWrt router using mwan3. The main WAN (wan) works fine, but when I unplug it, my second connection (wan2) doesn’t pass traffic even though it gets an IP and default route.

Here’s the setup:

I have two routers that are on the other sides of my house connected via a single trunk cable.

Router 1 (10.0.0.1/16) is connected to ISP 1 (192.168.18.0/24)
Router 2 (10.0.0.2/16) is connected to ISP 2 (192.168.19.0/24)
Router 1 and Router 2 are connected to each other via lan ports
Here is the vlan setup between the two routers, which shoud all be working no problem:

image1414×822 101 KB

On router 1:

wan: physical port, DHCP from ISP1
wan2: VLAN 20 on br-lan (device br-lan.20), DHCP from ISP2

Symptoms

ping -I br-lan.20 8.8.8.8 fails or drops first few packets, however DOES work after the 4th packet.
curl --interface wan google.com works.
curl --interface br-lan.20 google.com fails to connect.
curl --interface wan2 google.com returns “Invalid argument”.
ip route and ip rule look correct; routes and metrics are in place.

Default Routes

default via 192.168.19.1 dev br-lan.20 proto static src 192.168.19.9 metric 10
default via 192.168.18.1 dev wan proto static src 192.168.18.93 metric 20

ip rule

1001: from all iif wan lookup 1
1003: from all iif br-lan.20 lookup 3
2001: from all fwmark 0x100/0x3f00 lookup 1
2003: from all fwmark 0x300/0x3f00 lookup 3
...

Everything appears properly configured, but packets sent via br-lan.20 never reach the Internet. arp and neigh tables show valid entries for the local gateway.

Firewall config

Here is the full firewall, plus maybe the relevant part below. My hunch is that maybe firewall is the source of problems here? I have absolutely no idea though.

gist.github.com

https://gist.github.com/hhhapz/4c658165ae6792a5fa92e69ae7102fd2

rt-01.firewall

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'

This file has been truncated. show original

rt-01.mwan

config interface 'wan'
	option enabled '1'
	option family 'ipv4'
	option reliability '2'
	option count '1'
	option timeout '4'
	option interval '10'
	option failure_interval '5'
	option recovery_interval '5'
	option down '3'

This file has been truncated. show original

rt-01.network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdfe:6d27:59cb::/48'
	option packet_steering '1'

This file has been truncated. show original

There are more than three files. show original

config zone
    option name 'wan'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
    option mtu_fix '1'
    list network 'wan'
    list network 'wan2'

The biggest source of confusion to me is the fact that:

I am able to ping 192.168.18.1 and 192.168.19.1 and use their interfaces (wan and br-lan.20 respectively) to ping e.g. 1.1.1.1, BUT the first 4 packets when I use br-lan.20 always get dropped for some reason:

root@main-rt01:~# ping -c 5 -I wan 1.1.1.1
PING 1.1.1.1 (1.1.1.1): 56 data bytes
64 bytes from 1.1.1.1: seq=0 ttl=57 time=3.004 ms
64 bytes from 1.1.1.1: seq=1 ttl=57 time=2.724 ms
64 bytes from 1.1.1.1: seq=2 ttl=57 time=2.674 ms
64 bytes from 1.1.1.1: seq=3 ttl=57 time=2.999 ms
64 bytes from 1.1.1.1: seq=4 ttl=57 time=2.778 ms

--- 1.1.1.1 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 2.674/2.835/3.004 ms

root@main-rt01:~# ping -I br-lan.20 1.1.1.1
PING 1.1.1.1 (1.1.1.1): 56 data bytes
64 bytes from 1.1.1.1: seq=4 ttl=58 time=4.069 ms
64 bytes from 1.1.1.1: seq=5 ttl=58 time=3.589 ms
64 bytes from 1.1.1.1: seq=6 ttl=58 time=3.860 ms
64 bytes from 1.1.1.1: seq=7 ttl=58 time=3.784 ms
64 bytes from 1.1.1.1: seq=8 ttl=58 time=3.860 ms
64 bytes from 1.1.1.1: seq=9 ttl=58 time=3.734 ms
^C
--- 1.1.1.1 ping statistics ---
10 packets transmitted, 6 packets received, 40% packet loss
round-trip min/avg/max = 3.589/3.816/4.069 ms
root@main-rt01:~#

curl doesn't work at all on br-lan.20:

root@main-rt01:~# curl --interface wan google.com
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>301 Moved</TITLE></HEAD><BODY>
<H1>301 Moved</H1>
The document has moved
<A HREF="http://www.google.com/">here</A>.
</BODY></HTML>

root@main-rt01:~# curl --interface br-lan.20 google.com
curl: (7) Failed to connect to google.com port 80 after 3093 ms: Error

I feel like I'm very close to getting mwan up and running, but I don't know what's the last thing I need, I would appreciate all help, please let me know if you need any more information.

Thank you in advance!

ncompact · November 6, 2025, 8:51pm

It's an input error:

router 1 “<-->” ISP 1

router 2 “<-->” ISP 2

Or do both routers really have the same ISP?

Can you show us a diagram of the network connecting this router to the Internet?

example imagining ethernet cable:

                                    internet (isp2)
                                         "^"
                                         "|"
                                         "v"
internet (isp1) “<-->” router 1 “<-->” router 2 “<-->” another router "<-->" PC

Since I don't have the gift of foresight,

i read this:

but I couldn't figure out how you currently have the network implemented.

isp1 “<-->” router 1 “<-->” another router “<-->” router 2 "<-->" isp2
                                  "^"
                                  "|"
                                  "v"
                                  PC

can you tell us how the various devices are connected?

Specifying what the ports do individually on the router you provided an image of.

LAN1, LAN2, LAN3, LAN4, WAN

Can you share your configuration files if needed?

hhhapz · November 7, 2025, 2:53am

Hey, sorry, I definitely should have provided more information. Here is the logical diagram of the network:

 ┌───┐                                trunk cable                    ┌─────┐
 │NAS├──────────┐           ┌──────────────────────────┐   ┌─────────┤my pc│
 └───┘          │           │  vlan 10: lan (10.0/16)  │   │         └─────┘
   10.0.0.101/16│           │  vlan 20: isp-02 passthru│   │10.0.0.100/16   
                │           │                          │   │                
                │           │                          │   │                
                │           │                          │   │                
                │           │                          │   │                
            lan2│           │lan3                  lan2│   │lan4            
┌───────────────┴───────────┼────┐                    ┌┴───┴┐     ┌──────┐  
│                rt-01      │    │                    │rt-02│     │isp-02│  
│                     ┌─────┴─┐  │                    └──┬──┘     └──────┘  
│       ┌─────────────┤br-lan │  │                       │           ▲      
│       │             └─┬─────┘  │                       │           │      
│       │               │        │                    wan│           │      
│ br-lan.10       br-lan.20      │  (vlan 20 passthrough)│           │      
│ 10.0.0.1/16     wan2           │                       │           │      
│                 192.168.19.9/24│                       │           │      
│                                │                       │           │      
└─────┬──────────────────────────┘                       └───────────┘      
      │wan                                                                  
      │192.168.18.93/24                                                     
      │                                                                     
      ▼                                                                     
┌──────┐                                                                    
│isp-01│                                                                    
└──────┘

(br-lan isn't really a lan bridge anymore but.. we're a bit late for that now)

Here is some more commentary on it:

rt-01 and rt-02 are intended to share the same lan for devices on it connected via lan ports and via WIFI for a roaming network (so 10.0/16 is for all client devices). Across the trunk its br-lan.10

rt-02 mostly acts like a managed switch right now and rt-02 is basically not touching isp-02 at all other than the vlan configuration forwarding it to rt-01 who becomes a DHCP client of isp-02's router.

rt-01's vlan setup:

rt-02's vlan setup:

And on rt-01 I am now a DHCP client on both of my ISPs:

gist.github.com

https://gist.github.com/hhhapz/4c658165ae6792a5fa92e69ae7102fd2

firewall

root@main-rt01:~# cat /etc/config/firewall 

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'

This file has been truncated. show original

I added the network and firewall config files to my gist link, please let me know if you need any other config files.

Thanks again

hhhapz · November 7, 2025, 5:40am

So it seems like mwan3 was causing some of the issues.

After turning off mwan3, the gateway metric seems to let me prioritize which network is used for traffic and automatically do failover if one of the interfaces goes down!!

That leaves me I guess to figure out where mwan is causing the issues then

ncompact · November 7, 2025, 9:55am

for now I only see a small problem with the configuration of rt1 as wan6 has a metric of 10 and br.lan-20 a metric of 10. https://gist.github.com/hhhapz/4c658165ae6792a5fa92e69ae7102fd2#file-rt-01-network

Here it depends on whether you want IPV6 traffic to have a lower or higher metric:

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'
	option peerdns '0'
	list dns '10.2.0.1'
	option metric '20'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'
	option reqaddress 'try'
	option reqprefix 'auto'
	option norelease '1'
    #option metric '10' # <- current setting
	option metric '11' # <- so that it does not conflict with br.lan-20 metric
    #option metric '5'# <- IPv6 traffic lower metric in relation to br.lan-20
    #option metric '30'# <- IPv6 traffic hight metric in relation to br.lan-20

config interface 'wan2'
	option proto 'dhcp'
	option device 'br-lan.20'
	option metric '10' # <- conflict with wan6 metric

and another little problem with rt2 firewall:

and you need to add "wan" to rt2 firewall configuration file: https://gist.github.com/hhhapz/4c658165ae6792a5fa92e69ae7102fd2#file-rt-02-firewall

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan' # <- this line is missing
    list network 'wan6'

ps: you will also need to show or add the "mwan3" configuration file to rt1 (for further analysis)

I just hope you haven't run into this problem:

github.com/openwrt/openwrt

Openwrt's odhcp6c configuration means that interface metric specification is not used for setup routes

opened 04:13AM - 04 Jul 22 UTC

d1b

Seemingly Openwrt's odhcp6c configuration means that interface metric specificat…ion is not used for setup routes. This matters when a primary connection and a fallback connection: * are active at the same time * provide IPv6 connectivity E.g. config in `/etc/config/network` ``` config interface 'wan' option ifname 'eth1' option proto 'dhcp' option ipv6 '1' config interface 'wan6' option ifname '@wan' option proto 'dhcpv6' config interface 'lte' option ifname 'eth2' option proto 'dhcp' option ipv6 1 config interface 'lte6' option ifname '@lte' option proto 'dhcpv6' option metric 1000 ``` ```ip -6 route default from 2001:<un-important-1> via fe80::<unimportant-2> dev eth2 proto static metric 384 pref medium default from 2001:<unimportant-3>:/64 via fe80::<unimportant-2> dev eth2 proto static metric 384 pref medium default from 2403:<unimportant-4>/48 via fe80::<unimportant-5> dev eth1 proto static metric 384 pref medium default from 2403:<unimportant-6> via fe80::<unimportant-5> dev eth1 proto static metric 384 pref medium 2001:<unimportant-3>:/64 dev eth2 proto static metric 256 pref medium unreachable 2001:<unimportant-3>:/64 dev lo proto static metric 2147483647 pref medium 2403:<unimportant-4>/64 dev br-lan proto kernel metric 256 expires 5290sec pref medium 2403:<unimportant-4>/64 dev br-lan proto static metric 1024 pref medium unreachable 2403:<unimportant-4>/48 dev lo proto static metric 2147483647 pref medium fd5b:<unimportant-9>/64 dev br-lan proto kernel metric 256 expires 6103sec pref medium fd5b:<unimportant-9>/64 dev br-lan proto static metric 1024 pref medium unreachable fd5b:<unimportant-9>/56 dev lo proto static metric 2147483647 pref medium fe80::/64 dev eth2 proto kernel metric 256 pref medium fe80::/64 dev eth0 proto kernel metric 256 pref medium fe80::/64 dev br-lan proto kernel metric 256 pref medium fe80::/64 dev eth1 proto kernel metric 256 pref medium fe80::/64 dev wlan0 proto kernel metric 256 pref medium fe80::/64 dev wlan0-1 proto kernel metric 256 pref medium fe80::/64 dev wlan0-2 proto kernel metric 256 pref medium fe80::/64 dev ifb4eth1 proto kernel metric 256 pref medium``` ``` ``` route -n -A inet6 Kernel IPv6 routing table Destination Next Hop Flags Metric Ref Use Iface ::/0 fe80::<unimportant-20> UG 384 1 0 eth2 ::/0 fe80::<unimportant-20> UG 384 5 0 eth2 ::/0 fe80::<unimportant-21> UG 384 7 0 eth1 ::/0 fe80::<unimportant-21> UG 384 5 0 eth1 <snip> ``` As far as I can tell the specified metric of `1000` for eth2 - `lte6`, the 2001 ... address, does not get applied. This seems to relate to the `dhcpv6` script openwrt has for `odhcp6c` -> https://github.com/openwrt/openwrt/blob/master/package/network/ipv6/odhcp6c/files/dhcpv6.script .

ps: This scheme was much clearer

┌───┐                      trunk cable                    ┌─────┐
│NAS├──────────┐   ┌────────────────────────┐   ┌─────────┤my pc│
└───┘          │   │vlan 10: lan (10.0/16)  │   │         └─────┘
  10.0.0.101/16│   │vlan 20: isp-02 passthru│   │10.0.0.100/16   
               │   │                        │   │                
               │   │                        │   │                
               │   │                        │   │                
               │   │                        │   │                
           lan2│   │lan3                lan2│   │lan4            
 ┌──────┐     ┌┴───┴┐                      ┌┴───┴┐     ┌──────┐  
 │isp-01│     │rt-01│                      │rt-02│     │isp-02│  
 └──────┘     └──┬──┘                      └──┬──┘     └──────┘  
    ▲            │wan                         │           ▲      
    │            │192.168.18.93/24            │           │      
    │            │                         wan│           │      
    │            │             192.168.19.9/24│           │      
    │            │                            │           │      
    │            │                            │           │      
    │            │                            │           │      
    └────────────┘                            └───────────┘

hhhapz · November 7, 2025, 3:51pm

Thanks for the feedback, you are absolutely right, thanks for helping me fix up those littlle issues in my config file .

Good news, mwan3 is working beautifully. I just had a very broken/incorrect config setup from a while back when I was looking into it before I setup my whole vlan setup. The failover is working with no issues

I've updated all of my config files to their latest versions based on all of your feedback as well as added the mwan file. I think I've got a good handle on most of the setup now.

The next thing I'm currently working towards trying to solve (albeit I'm still figuring things out) is getting my entire config to work properly with ipv6. I addressed the issues you shared, but I'm not certain if my ipv6 traffic is being routed via the correct ISP given that it's using the address given by the wan client.

My guess is that this has something to do with the fact that they both have the same gateway, but my experience here is of course extremely limited.

I've been able to unplug one of my ISP router and have all of my traffic fail over at least.

gist.github.com

https://gist.github.com/hhhapz/4c658165ae6792a5fa92e69ae7102fd2#file-rt-01-mwan

rt-01.firewall

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'

This file has been truncated. show original

rt-01.mwan

config interface 'wan'
	option enabled '1'
	option family 'ipv4'
	option reliability '2'
	option count '1'
	option timeout '4'
	option interval '10'
	option failure_interval '5'
	option recovery_interval '5'
	option down '3'

This file has been truncated. show original

rt-01.network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdfe:6d27:59cb::/48'
	option packet_steering '1'

This file has been truncated. show original

There are more than three files. show original

ncompact · November 7, 2025, 8:38pm

It was a pleasure helping you.