Mwan3 unable to load balance two wan connections

Hi,

I have had a good search of the forums and am unable to find a solution to my problem. Hopefully the experts here can help! (I'm certainly not one).

  • I have a GL.iNet GL-MT6000 on OpenWrt 24.10.0.
  • I have two internet connections that I wish to load balance with mwan3.
  • I have configured the first lan port on the router to be a second wan by removing it from the 'br-lan' dsa.
  • Both wan ports have their own unique metric.
  • Both WANs are DHCP.

My issue is that mwan3 when monitored with bmon doesn't load balance. It will saturate one wan and leave the other idle.

  • With both modems plugged in, if I unplug one modem, mwan3 will fail over and use the alternative connection. This works for both wan ports, which is great.
  • If both modems are plugged in at the same time, and I test outbound connectivity of one wan port, it will be up and working, but the other will be down. This is really strange given the prior test proving that each wan port can work, so long as the other isn't plugged in.

I feel there's something I've missed that's likely obvious to a lot of people here. It's my first time playing with mwan3, so any help would be greatly appreciated!

Thanks so much.

/etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdc2:2e56:5346::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	list ports 'lan5'

config device
	option name 'lan1'
	option macaddr 'removed'

config device
	option name 'lan2'
	option macaddr 'removed'

config device
	option name 'lan3'
	option macaddr 'removed'

config device
	option name 'lan4'
	option macaddr 'removed'

config device
	option name 'lan5'
	option macaddr 'removed'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '10.0.0.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config device
	option name 'eth1'
	option macaddr 'removed'

config interface 'wan'
	option device 'eth1'
	option proto 'dhcp'
	option peerdns '0'
	list dns '1.1.1.1'
	option metric '1'

config interface 'wan6'
	option device 'eth1'
	option proto 'dhcpv6'
	option reqaddress 'try'
	option reqprefix 'auto'
	option norelease '1'
	option metric '3'

config interface 'modem'
	option proto 'static'
	option device 'eth1'
	option ipaddr '192.168.1.10'
	option netmask '255.255.255.0'
	option delegate '0'

config interface 'modem2'
	option proto 'static'
	option device 'lan1'
	option ipaddr '192.168.0.10'
	option netmask '255.255.255.0'

config interface 'wg0'
removed

config device
	option name 'wg0'
	option mtu '1280'

config wireguard_wg0
removed

config wireguard_wg0
removed

config wireguard_wg0
removed

config wireguard_wg0
removed

config interface 'wanb'
	option proto 'dhcp'
	option device 'lan1'
	option peerdns '0'
	list dns '1.1.1.1'
	option metric '2'

config interface 'wanb6'
	option proto 'dhcpv6'
	option device 'lan1'
	option reqaddress 'try'
	option reqprefix 'auto'
	option norelease '1'
	option metric '4'

/etc/config/firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option mtu_fix '1'
	list network 'lan'
	list network 'wg0'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	list network 'modem'
	list network 'modem2'
	list network 'wan'
	list network 'wan6'
	list network 'wanb'
	list network 'wanb6'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule 'wg'
	option name 'Allow-wg0'
	option src 'wan'
	option dest_port '2000'
	option proto 'udp'
	option target 'ACCEPT'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'Allow-443'
	option src 'wan'
	option src_dport '443'
	option dest_port '443'
	option dest_ip '10.0.0.10'

Do you look at a single connection or do you have multiple client connections to different destinations?

I've tried multiple connections to different destinations. At the moment that's basically running a fast.com and speedtest.com test at the same time. The bandwidth shown on both services is always equal to one internet connection's speed, and in bmon nothing is balanced between connections.

Let me know if there's a better way I should be testing this though.

A single connection can only use a single wan.
If you want to bundle your connections for a single connection, you need to terminate 2 tunnels from your router on a server in a data center, and from this server a single connection is then established to the destination.

Ah cool, what constitutes a connection in this context?
E.g., if I run two outbound tests on different devices on my network they aren't load balanced, but should they be?

A TCP or UDP connection is a tuple with 5 elements:

  • The protocol, TCP or UDP
  • A source address
  • A source port
  • A destination address
  • A destination port

Depending on the context and on which layer in the network you are there are different ways how to distribute connections or flows but with i.e. NAT in between you only have these 5 elements to identify a connection.

Does it answer your question?

If the second interface is never used then it sounds like a mwan3 config issue, but depending on the destination address or even the source address and depending on the load balance algorithms it can happen that the interfaces are not distributed evenly.
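
An added illustration of the point above (not part of the original thread and not mwan3's own code): a simplified Python model of per-connection balancing, in which a WAN is picked once for each new 5-tuple and every later packet of that flow reuses it. The client and server addresses, the ports and the equal weights are constructed for the example; only the interface names 'wan' and 'wanb' come from the posted config.

```python
import random
from collections import Counter


def pick_wan(weights, rng):
    """Weighted random choice of a WAN, used only for the first packet of a flow."""
    names = list(weights)
    return rng.choices(names, weights=[weights[n] for n in names], k=1)[0]


class FlowBalancer:
    """Per-flow balancing: the decision is made per 5-tuple, never per packet."""

    def __init__(self, weights, seed=0):
        self.weights = dict(weights)
        self.rng = random.Random(seed)   # seeded so the demo is repeatable
        self.flows = {}                  # 5-tuple -> WAN (stands in for connection tracking)
        self.bytes_out = Counter()       # per-WAN byte counters, like watching bmon

    def send(self, proto, src, sport, dst, dport, size):
        key = (proto, src, sport, dst, dport)
        if key not in self.flows:        # new connection: choose a WAN once
            self.flows[key] = pick_wan(self.weights, self.rng)
        wan = self.flows[key]            # existing connection: stay on the same WAN
        self.bytes_out[wan] += size
        return wan


def single_flow_demo(packets=1000):
    """One long download: 1000 packets, all sharing one 5-tuple."""
    lb = FlowBalancer({"wan": 1, "wanb": 1})
    used = {lb.send("tcp", "10.0.0.20", 50000, "203.0.113.5", 443, 1500)
            for _ in range(packets)}
    return used, dict(lb.bytes_out)


def many_flows_demo(flows=2000):
    """Many short connections: only the source port differs between them."""
    lb = FlowBalancer({"wan": 1, "wanb": 1})
    for i in range(flows):
        lb.send("tcp", "10.0.0.20", 40000 + i, "203.0.113.5", 443, 1500)
    return dict(lb.bytes_out)


if __name__ == "__main__":
    print("single flow :", single_flow_demo())
    print("many flows  :", many_flows_demo())
```

A test that opens only a handful of connections behaves like the first demo and can land almost entirely on one WAN; the per-WAN counters even out only as the number of distinct 5-tuples grows.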

Thanks for that, it actually does help a lot. I had a play with the metrics within mwan3 and managed to have some usage on the second wan, so could have been a preference issue there:

I wanted to run something else by you, I still think I may have a config issue:

At this link here: https://openwrt.org/docs/guide-user/network/wan/multiwan/mwan3#verify_outbound_traffic_on_each_wan_interface

It's explained that the wan ports I've configured should each individually be able to reach outbound traffic, however my 'eth1' is unable to reach outbound traffic, but 'lan1' is.

I still think I've done something silly here, does this raise any alarms with you?

Regarding the DSA switch setup. I'm not quite sure how big the impact is... but I would personally use a single (VLAN aware) bridge with the DSA interfaces, and "just" assign an (internal) VLAN (untagged on the interface) for each WAN interface.

I assume you have a plastic box and not an x86 device (which would have "real" Network Interface Cards and not a chip with an internal switch)?

Yeah, it's just a cheap router wireless combo box (GL-MT6000). OpenWrt came with the DSA setup out of the box so I didn't mess with it.