Please can any one help me out with this request. I am trying to use MWAN rule to allow traffic say example -
WAN - allow only Facebook.com
WAN2 - Allow only yahoo.com
WAN must be primary and WAN2 be secondary ; thus if both interface are up, rule should only allow WAN to be active.
Please help
You need version 1.6 and above to support ipset.
Then you need to define an ipset for the sites you want to access.
Add in /etc/dnsmasq.conf:
ipset=/facebook.com/facebook
ipset=/yahoo.com/yahoo
Then you need something like this:
config rule 'facebook'
option ipset 'facebook'
option dest_port '80,443'
option proto 'tcp'
option use_policy 'wan_wan2'
config rule 'yahoo'
option ipset 'yahoo'
option dest_port '80,443'
option proto 'tcp'
option use_policy 'wan2_wan'
config policy 'wan_wan2'
list use_member 'wan_m1_w3'
list use_member 'wan2_m2_w2'
config policy 'wan2_wan'
list use_member 'wan_m2_w3'
list use_member 'wan2_m1_w2'
Thanks so much for your response
I have applied with ipset
Looking at the policy and member list you defined, wan_wan2 if a user is connected and try to access yahoo won’t the member name allow him since both members applies to both wan;
Am not sure if i make my point clearly, in nutshell if WAN & WAN2 are both active, users should be allowed only on WAN and not permit yahoo.com; from the rule you drafted, if both Links are up i assumed list use_member 'wan2_m2_w2' this will permit yahoo.com otherwise please help me clarify.
yahoo rule will use wan2_wan policy.
wan2_wan policy has wan2 with metric 1 and wan with metric 2.
So wan2 is preferred, unless it goes down. Then wan will be used.
Isn't that what you described?
Thanks Trendy,
I will configure with this MWAN3 and see the outcome.
The point is WAN will be primary always except it goes down and saying that if both WAN & WAN2 are up WAN2 should never be used.
This is the wan_wan2 policy.
@trendy I implemented as per the rule you shared, it didnt work out. I could open yahoo when WAN was only available.
If you want yahoo to use only wan2 and never ever wan, then use the wan2_only policy.
config policy 'wan2_only'
list use_member 'wan2_m1_w2'
Then that brings me back to the request. The failover won’t happen if I use wan2 only.
You cannot have failover if you use the wan2_only. Moreover this is what you said
So decide if you want or not failover.
The expectation as I described initially remains the same
Wan - only Facebook ipset
Wan2 - only yahoo ipset
Both interface will failover if one of them is unavailable keeping the ipset restriction on the respective wan
So means in the same mwan3 each interface will keep to his ipset definition.
Lastly wan will be the primary if both are up at any time and still only permits it’s ipset.
I see it impossible right from onset but open to any idea if possible.
You are making it really hard to explain what you want.
If I decode properly what you are saying:
Facebook - Only wan
Yahoo - Only wan2
anything else - wan primary , wan2 failover
Is that correct?
Correct but at the same time , they will allow only there respective allowed domains (ipset)
What does that mean?
WAN will never allow yahoo except Facebook likewise wan2 will never allow facebook except yahoo
I covered these conditions here, don't add more confusion.
You can use this:
config rule 'facebook'
option ipset 'facebook'
option dest_port '80,443'
option proto 'tcp'
option use_policy 'wan_only'
config rule 'yahoo'
option ipset 'yahoo'
option dest_port '80,443'
option proto 'tcp'
option use_policy 'wan2_only'
config rule 'default_rule'
option dest_ip '0.0.0.0/0'
option use_policy 'balanced'
You can use the rest of the configs from the example.
This will not work for the requirements
If i have both interfaces active then both would be used.
You seem not to understand the requirements closely
Change the balanced policy in default rule to wan_wan2.
There you are, not so difficult to think it by yourself huh?
@trendy when you apply the rule like you said, any user connected to the router will access the facebook & yahoo once the WAN & WAN2 interface is up.