Mwan3 VPN policy-based routing with multiple WAN connections, Raspberry Pi 4


I'll try to be as clear as possible, but I have a pretty weird setup.

I am trying to set up a separate subnet/LAN/Wi-Fi SSID to have all of its traffic directed through a WireGuard VPN/VPS. I have set up the WireGuard interface and a separate VLAN interface, and that works fine. I know the Wi-Fi works because clients can get a DHCP address from the router. The issue is that I can't reach the tunneled internet from this separate subnet. What makes it more complicated is that I am currently using mwan3 for failover between two WAN connections. I've tried setting up a separate mwan3 policy where any source address from this separate subnet goes through the WireGuard VPN. Is there something I am doing wrong? Should the traffic be passing through my WAN instead?


Please run the following commands (copy-paste the whole block) and paste the output here, using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have

ubus call system board; \
uci export network; uci export wireless; \
uci export dhcp; uci export firewall; \
head -n -0 /etc/firewall.user; uci export mwan3; \
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; \
ls -l  /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/* ; head -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*

I have a similar use case in that I selectively route certain traffic over a wireguard tunnel.

I'm talking from memory here, but you need to make sure that there is a default route configured for each of the interfaces, otherwise the mwan3 scripts won't work properly. Your WAN connections will have one, but your wg0 may not.

The output of ip route show on my router looks as follows:

ip route show
default via [wan ip] dev eth0 proto static src [wan ip] metric 10
default via [wan2 ip] dev eth1 proto static src [wan2 ip] metric 20
default dev wg0 proto static scope link metric 40
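A way to check the point made in the reply above, and to produce the configuration that fixes it, as an added example that is not part of the thread or of the mwan3 project. The script takes a route dump in the format of ip -4 route show, reports every interface that lacks its own default route, and prints (without running) the uci commands that add a default route on wg0 and an mwan3 interface, member, policy and rule sending one subnet through it. Everything not in the thread is assumed: wg0 as the WireGuard interface name, 10.20.0.0/24 as the VPN-only subnet, 10.66.66.1 as the tunnel peer used for tracking, and the eth0/eth1 WAN devices and metric 40 taken from the route dump in the reply. The route dump in the script is constructed, with the wg0 default route deliberately missing.

```shell
#!/bin/sh
# Added example (not from the thread). Checks the point made in the reply:
# every interface mwan3 is asked to use, wg0 included, must have its own
# default route, otherwise mwan3 cannot build a per-interface routing table.
# Assumed, not taken from the thread: wg0 is the WireGuard interface, the
# VPN-only subnet is 10.20.0.0/24, the tunnel peer is 10.66.66.1, and the two
# WAN devices are eth0/eth1 as in the route dump posted above.

# Constructed route dump in the format of `ip -4 route show`, modelled on the
# reply's output but with the wg0 default route missing (the suspected fault).
SAMPLE_ROUTES='default via 203.0.113.1 dev eth0 proto static src 203.0.113.2 metric 10
default via 198.51.100.1 dev eth1 proto static src 198.51.100.2 metric 20
10.20.0.0/24 dev br-vpnlan proto kernel scope link src 10.20.0.1
10.66.66.0/24 dev wg0 proto kernel scope link src 10.66.66.2'

# has_default_route ROUTE_DUMP DEV: succeed if DEV carries a default route.
has_default_route() {
    printf '%s\n' "$1" | awk -v dev="$2" '
        $1 == "default" {
            for (i = 2; i <= NF; i++)
                if ($i == "dev" && $(i + 1) == dev) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# missing_default_routes ROUTE_DUMP "DEV DEV ...": print the devices lacking one.
missing_default_routes() {
    for dev in $2; do
        has_default_route "$1" "$dev" || printf '%s\n' "$dev"
    done
}

# print_uci_fix: print (not run) the uci commands that add a default route on
# wg0 with a high metric and an mwan3 interface/member/policy/rule that sends
# the VPN-only subnet through it. Review the output, then paste it on the router.
# Names (wg0_default, vpn_only, vpn_lan) and addresses are assumptions.
print_uci_fix() {
    cat <<'EOF'
uci set network.wg0_default=route
uci set network.wg0_default.interface='wg0'
uci set network.wg0_default.target='0.0.0.0/0'
uci set network.wg0_default.metric='40'
uci set mwan3.wg0=interface
uci set mwan3.wg0.enabled='1'
uci set mwan3.wg0.family='ipv4'
uci add_list mwan3.wg0.track_ip='10.66.66.1'
uci set mwan3.wg0.reliability='1'
uci set mwan3.wg0_m1_w1=member
uci set mwan3.wg0_m1_w1.interface='wg0'
uci set mwan3.wg0_m1_w1.metric='1'
uci set mwan3.wg0_m1_w1.weight='1'
uci set mwan3.vpn_only=policy
uci add_list mwan3.vpn_only.use_member='wg0_m1_w1'
uci set mwan3.vpn_only.last_resort='unreachable'
uci set mwan3.vpn_lan=rule
uci set mwan3.vpn_lan.src_ip='10.20.0.0/24'
uci set mwan3.vpn_lan.dest_ip='0.0.0.0/0'
uci set mwan3.vpn_lan.proto='all'
uci set mwan3.vpn_lan.use_policy='vpn_only'
uci commit network
uci commit mwan3
EOF
}

# Run the check on the constructed dump: wg0 is reported, eth0/eth1 are not.
printf 'interfaces without a default route: %s\n' \
    "$(missing_default_routes "$SAMPLE_ROUTES" "eth0 eth1 wg0")"
```

Two things to check after applying the printed commands. mwan3 evaluates rules top to bottom and the first match wins, and a newly created named section is appended after the existing default rule, so the vpn_lan rule has to be moved above that default rule (uci reorder, or edit /etc/config/mwan3) or it never fires. The policy's last_resort is set to unreachable on purpose: with the default fallback, traffic from the VPN-only subnet would silently leave through the plain WAN whenever wg0 is marked down.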