Mwan3 traffic on port 80 blocked

linlinas · January 7, 2019, 11:21pm

Hi All,

I'm having an strange issue with mwan3 and outgoing traffic from LAN to the internet via openwrt with mwan3 running.
While trying to initialize a connection from LAN to the internet on port 80, the connection is being block. The weirdest thing is that all other ports and protocol (inc. icmp) are working well.
I was trying to debug connection via tcpdump and I see that connection is reset.
After I stop mwan3 everything is back to normal.

Please find my configuration below.
OpenWrt 18.06.1 r7258-5eb055306f
luci-app-mwan3 git-19.002.70508-04d60f2-1
mwan3 2.6.18-1

tcpdump log

23:42:43.483910 IP ns3005800.ip-151-80-100.eu.80 > 192.168.13.94.64020: Flags [R.], seq 0, ack 2689019202, win 0, length 0
23:42:43.733206 IP 192.168.13.94.64017 > ns3005800.ip-151-80-100.eu.80: Flags [S], seq 267921187, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
23:42:43.733499 IP ns3005800.ip-151-80-100.eu.80 > 192.168.13.94.64017: Flags [R.], seq 0, ack 1, win 0, length 0

mwan config

# mwan3 status
Interface status:
 interface wan is online and tracking is active
 interface wan2 is online and tracking is active

Current ipv4 policies:
balanced:
 wan2 (40%)
 wan (60%)

wan_only:
 wan (100%)

wan_wanb:
 wan (100%)

wanb_only:
 wan2 (100%)

wanb_wan:
 wan2 (100%)


Current ipv6 policies:
balanced:
 unreachable

wan_only:
 unreachable

wan_wanb:
 unreachable

wanb_only:
 unreachable

wanb_wan:
 unreachable


Directly connected ipv4 networks:
 192.168.130.255
 169.254.70.145
 169.254.204.128
 127.255.255.255
 192.168.13.1
 192.168.13.0
 169.254.81.8
 192.168.8.0
 84.x,x,x/30
 84.x.x.x
 224.0.0.0/3
 192.168.13.0/24
 169.254.0.0/16
 192.168.8.255
 169.254.0.0
 192.168.130.1
 127.0.0.1
 84.x.x.x
 192.168.8.102
 127.0.0.0
 169.254.255.255
 192.168.13.255
 192.168.130.0
 84.x.x.x
 192.168.8.0/24
 192.168.130.0/24
 127.0.0.0/8

Directly connected ipv6 networks:
 fe80::/64

Active ipv4 user rules:
   24  1558 S https  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport sports 0:65535 multiport dports 443
  107 10209 - balanced  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Active ipv6 user rules:
    0     0 S https  tcp      *      *       ::/0                 ::/0                 multiport sports 0:65535 multiport dports 443
    9  1070 - balanced  all      *      *       ::/0                 ::/0

Sparks · January 7, 2019, 11:34pm

What firewall zone is mwan3 assigned to? Is it unassigned or assigned to both wan and lan zones?

Compare the routing table with mwan3 up and again when down. Any differences?

linlinas · January 8, 2019, 5:35pm

Hello,

I'm not sure how mwan3 can be assign to a firewall zone?
It is using 'lan' as a source interface therefore as I understand it is assigned to lan fw zone.

the route table is exactly the same, the only differences is when mwan3 is started router local IP is add to default route.

root@OpenWrt:~# mwan3 stop
root@OpenWrt:~# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         84.x.x.x  0.0.0.0         UG    10     0        0 eth0.2
0.0.0.0         192.168.8.1     0.0.0.0         UG    203    0        0 eth1
84.10.43.60     0.0.0.0         255.255.255.252 U     10     0        0 eth0.2
169.254.0.0     0.0.0.0         255.255.0.0     U     202    0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     206    0        0 br-lan
169.254.0.0     0.0.0.0         255.255.0.0     U     207    0        0 eth0.1
169.254.0.0     0.0.0.0         255.255.0.0     U     208    0        0 eth0.10
169.254.0.0     0.0.0.0         255.255.0.0     U     209    0        0 eth0.2
169.254.0.0     0.0.0.0         255.255.0.0     U     310    0        0 wlan0
169.254.0.0     0.0.0.0         255.255.0.0     U     311    0        0 wlan1
192.168.8.0     0.0.0.0         255.255.255.0   U     203    0        0 eth1
192.168.13.0    0.0.0.0         255.255.255.0   U     0      0        0 br-lan
192.168.130.0   0.0.0.0         255.255.255.0   U     0      0        0 eth0.10
root@OpenWrt:~# mwan3 start
root@OpenWrt:~# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.13.1    0.0.0.0         UG    0      0        0 lo
0.0.0.0         84.x.x.x     0.0.0.0         UG    10     0        0 eth0.2
0.0.0.0         192.168.8.1     0.0.0.0         UG    203    0        0 eth1
84.x.x.x     0.0.0.0         255.255.255.252 U     10     0        0 eth0.2
169.254.0.0     0.0.0.0         255.255.0.0     U     202    0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     206    0        0 br-lan
169.254.0.0     0.0.0.0         255.255.0.0     U     207    0        0 eth0.1
169.254.0.0     0.0.0.0         255.255.0.0     U     208    0        0 eth0.10
169.254.0.0     0.0.0.0         255.255.0.0     U     209    0        0 eth0.2
169.254.0.0     0.0.0.0         255.255.0.0     U     310    0        0 wlan0
169.254.0.0     0.0.0.0         255.255.0.0     U     311    0        0 wlan1
192.168.8.0     0.0.0.0         255.255.255.0   U     203    0        0 eth1
192.168.13.0    0.0.0.0         255.255.255.0   U     0      0        0 br-lan
192.168.130.0   0.0.0.0         255.255.255.0   U     0      0        0 eth0.10

Below you can find my mwan3 config

config rule 'https'
        option sticky '1'
        option dest_port '443'
        option proto 'tcp'
        option use_policy 'balanced'

config rule 'default_rule'
        option dest_ip '0.0.0.0/0'
        option use_policy 'balanced'

config globals 'globals'
        option mmx_mask '0x3F00'
        option local_source 'lan'

config interface 'wan'
        option enabled '1'
        list track_ip '8.8.4.4'
        list track_ip '8.8.8.8'
        list track_ip '208.67.222.222'
        list track_ip '208.67.220.220'
        option family 'ipv4'
        option reliability '2'
        option count '1'
        option timeout '2'
        option interval '5'
        option down '3'
        option up '8'
        option initial_state 'online'
        option track_method 'ping'
        option size '56'
        option check_quality '0'
        option failure_interval '5'
        option recovery_interval '5'
        option flush_conntrack 'never'

config member 'wan_m1_w3'
        option interface 'wan'
        option metric '1'
        option weight '3'

config member 'wan_m2_w3'
        option interface 'wan'
        option metric '2'
        option weight '3'

config member 'wanb_m1_w2'
        option metric '1'
        option weight '2'
        option interface 'wan2'

config member 'wanb_m2_w2'
        option metric '2'
        option weight '2'
        option interface 'wan2'

config policy 'wan_only'
        option last_resort 'unreachable'
        list use_member 'wan_m1_w3'

config policy 'wanb_only'
        list use_member 'wanb_m1_w2'
        option last_resort 'unreachable'

config policy 'balanced'
        list use_member 'wan_m1_w3'
        list use_member 'wanb_m1_w2'
        option last_resort 'unreachable'

config policy 'wan_wanb'
        list use_member 'wan_m1_w3'
        list use_member 'wanb_m2_w2'
        option last_resort 'unreachable'

config policy 'wanb_wan'
        list use_member 'wan_m2_w3'
        list use_member 'wanb_m1_w2'
        option last_resort 'unreachable'

config interface 'wan2'
        option enabled '1'
        option initial_state 'online'
        option family 'ipv4'
        list track_ip '8.8.8.8'
        option track_method 'ping'
        option reliability '1'
        option count '1'
        option size '56'
        option check_quality '0'
        option timeout '2'
        option interval '5'
        option failure_interval '5'
        option recovery_interval '5'
        option down '3'
        option up '3'
        option flush_conntrack 'never'