MWAN3+Warp not working

hai..

A couple of days ago I set up WARP on my AX6 running OpenWrt, but it was not working well, so I set everything up again from scratch. I then found that mwan3 is the issue: every time mwan3 is installed, the Cloudflare IP is no longer shown, even though a connection check shows WARP is already connected.
Any idea how to solve it? Or can't this work with one router? For now I have set up two routers, router A with WARP and router B with mwan3, but I don't know whether it is a good configuration to use two routers only to run WARP + mwan3.

thanks

check the warp connection
image

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'
        option flow_offloading '1'
        option flow_offloading_hw '1'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd89:aaaf:51ea::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan2'
        list ports 'lan3'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ip6assign '60'
        list ipaddr '192.168.x.1/24'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'
        option metric '10'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'

config device
        option name 'wan'
        option macaddr 'xx:xx:xx:20:75:8B'

config interface 'wanb'
        option proto 'dhcp'
        option device 'lan2'
        option metric '20'

config interface 'zerotier'
        option proto 'dhcp'
        option device 'ztr2qyexzy'

config interface 'cloud'
        option proto 'wireguard'
        option private_key 'xxxxxxxqNlQM4cY132Hille+vCN+oKLl4='
        list addresses '172.16.0.2/32'
        list addresses '2606:4700:110:82b8:b2c9:5992:ac1b:4254/128'
        list dns '1.1.1.1'

config wireguard_cloud
        option description 'Imported peer configuration'
        option public_key 'xxxxxxxxxyiK2H5/1SUtzH0JuVo51h2wPfgyo='
        list allowed_ips '0.0.0.0/0'
        list allowed_ips '::/0'
        option endpoint_host 'engage.cloudflareclient.com'
        option endpoint_port '2408'
        option route_allowed_ips '1'
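  • You should probably post your mwan3 config too, since you're asking for help with that. When you post configs, mask secrets completely: the WireGuard `private_key` above is only partly masked, so treat that key as exposed and replace it with a newly generated one.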
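  • It appears you have not added the 'wanb', 'cloud', or 'zerotier' interfaces to a Firewall Zone. An interface that belongs to no zone is handled by the `config defaults` policies (here input and forward 'REJECT'), so LAN traffic cannot be forwarded out through it.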
  • I assume you understand the implications, but you also appear to have removed all of the other default firewall rules
  • Your screenshot shows you have traffic on your WARP interface
  • What is Router 1 (do you mean wan?)
  • What is Router 2 (do you mean wanb?)

If I understand this sentence, you're asking for WARP to only use wanb. This is possible by making a static route. I actually do this for WARP here, so the IPv6 will not prefer a tunnel over native IPv6.

  • perform an nslookup engage.cloudflareclient.com
  • record the IPv4 and IPv6 addresses you receive at your location

Assuming you're gonna use the IPv4:

config route
        option interface 'wanb'
        option target 'xxx.xxx.xxx.xxx'
        option gateway 'xxx.xxx.xxx.xxx.'
        option metric 'xxx'
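  • Note: Change the WireGuard config to use that IP: set `endpoint_host` to the address instead of the hostname, so the tunnel's endpoint matches the static route.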

hi.
Since I set everything up from scratch, I will send all the config files.

below is mwan3

root@OpenWrt:~# vi /etc/config/mwan3
config member 'wanb6_m1_w3'
        option interface 'wanb6'
        option metric '1'
        option weight '3'

config member 'wanb6_m2_w2'
        option interface 'wanb6'
        option metric '2'
        option weight '2'

config policy 'balanced'
        list use_member 'wan_m1_w3'
        list use_member 'wanb_m1_w3'
        list use_member 'wan6_m1_w3'
        list use_member 'wanb6_m1_w3'

config rule 'https'
        option sticky '1'
        option dest_port '443'
        option proto 'tcp'
        option use_policy 'balanced'

config rule 'default_rule_v4'
        option dest_ip '0.0.0.0/0'
        option use_policy 'balanced'
        option family 'ipv4'

config rule 'default_rule_v6'
        option dest_ip '::/0'
        option use_policy 'balanced'
        option family 'ipv6'
root@OpenWrt:~# vi /etc/config/network
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan2'
        list ports 'lan3'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.5.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'
        option metric '10'

config interface 'zerotier'
        option proto 'dhcp'
        option device 'ztr2qyexzy'

config interface 'wanb'
        option proto 'dhcp'
        option device 'lan1'
        option metric '20'

config device
        option name 'wan'
        option macaddr 'xx:xx:C0:20:75:8B'

config interface 'cloud'
        option proto 'wireguard'
        option private_key 'xxxxxxxqNlQM4cY132Hille+vCN+oKLl4='
        list addresses '172.16.0.2/32'
        list addresses '2606:4700:110:82b8:b2c9:5992:ac1b:4254/128'
        list dns '1.1.1.1'

config wireguard_cloud
        option description 'Imported peer configuration'
        option public_key 'xxxxxxxxxyiK2H5/1SUtzH0JuVo51h2wPfgyo='
        list allowed_ips '0.0.0.0/0'
        list allowed_ips '::/0'
        option endpoint_host 'engage.cloudflareclient.com'
        option endpoint_port '2408'
        option route_allowed_ips '1'

- /etc/config/network 41/41 100%
root@OpenWrt:~# vi /etc/config/firewall
config forwarding
        option src 'vpn'
        option dest 'wan'

config forwarding
        option src 'lan'
        option dest 'vpn'

config include 'miniupnpd'
        option type 'script'
        option path '/usr/share/miniupnpd/firewall.include'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'traefik80'
        option src 'wan'
        option src_dport '80'
        option dest_ip '192.168.5.xx'
        option dest_port '80'
        list proto 'tcp'
        list proto 'udp'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'traefik443'
        option src 'wan'
        option src_dport '443'
        option dest_ip '192.168.5.xx'
        option dest_port '443'
root@OpenWrt:~# wg show
interface: cloud
  public key: RpNZxVkD8aXWKI8HdFHDjdHkbr1oPVHVxQVIhViFT1c=
  private key: (hidden)
  listening port: 47189

peer: bmXOC+F1FxEMF9dyiK2H5/1SUtzH0JuVo51h2wPfgyo=
  endpoint: 162.159.192.1:2408
  allowed ips: 0.0.0.0/0, ::/0
  latest handshake: 1 minute, 44 seconds ago
  transfer: 92 B received, 276 B sent
  persistent keepalive: every 25 seconds
root@OpenWrt:~#
root@OpenWrt:~# nslookup engage.cloudflareclient.com
Server:         1.1.1.3
Address:        1.1.1.3:53

Non-authoritative answer:
Name:   engage.cloudflareclient.com
Address: 2606:4700:d0::a29f:c001

Non-authoritative answer:
Name:   engage.cloudflareclient.com
Address: 162.159.192.1

Below is my home configuration before and after, to make it easier to understand which is router A and which is router B.

It appears you have not added the 'wanb', 'cloud', nor 'zerotier' interfaces to a Firewall Zone

With only the mwan3 package installed, the IP goes back to the ISP's; after removing mwan3, it changes to the Cloudflare IP. This is a fresh setup with no ZeroTier, DoH or adblock.

  • I don't see this interface in your network config
  • There is no VPN firewall zone
  • You probably should remove this for security's sake
  • It appears you deleted the WAN firewall zone too
  • In the first image, you have 2 routers listed as "Router B"
  • It's unclear what routers are under your control
  • Since you list WARP in your config, I assume this is Router A's config?

I don't understand what this post means. Hopefully others can look at your posts and configs and offer assistance.

Hope this helps.

I am not sure if this is relevant for your situation, but there is a well-known mwan3 bug with any kind of tunnels. See the related merge request: https://github.com/openwrt/packages/pull/20923

Good link - but at this point, the OP showed 3-4 routers in a diagram; but hasn't explained which device has the configs they posted.

It seems possible that the OP is configuring mwan3, firewall and Wireguard on the incorrect device(s).

@wthubhub

Can you explain which router these configs belong to?

  • I assume the 2nd (bottom) Router B?
  • If that's the case - I don't understand why there's a WARP config, as the diagram shows WARP is configured on Router A (which I assume the OP wants)

Hi, thanks for your feedback

I don't want to confuse you, so I will reset my router to factory defaults and submit a fresh configuration. Forget the previous posts; let's focus on the new one. After the factory reset I installed only the mwan3 package, with the default mwan3 configuration, and the WG VPN.
The router is an AX6 running a snapshot downloaded from the OpenWrt website.

WG + curl status: WARP+ is connected, but it shows the ISP IP, not the Cloudflare IP.

root@OpenWrt:~# vi /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fda1:d3c0:53c3::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan2'
        list ports 'lan3'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.5.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'

config interface 'cloud'
        option proto 'wireguard'
        option private_key 'xxxxxxxxxxP2qqNlQM4cY132Hille+vCN+oKLl4='
        list dns '1.1.1.3'
        list addresses '172.16.0.2/32'
        list addresses '2606:4700:110:82b8:b2c9:5992:ac1b:4254/128'

config wireguard_cloud
        option description 'Imported peer configuration'
        option public_key 'xxxxxxxEMF9dyiK2H5/1SUtzH0JuVo51h2wPfgyo='
        option endpoint_host 'engage.cloudflareclient.com'
        option endpoint_port '2408'
        option persistent_keepalive '25'
        option route_allowed_ips '1'
        list allowed_ips '0.0.0.0/0'
        list allowed_ips '::/0'

config device
        option name 'wan'
        option macaddr 'xx:xx:C0:20:75:8B'

config interface 'wanb'
        option proto 'dhcp'
        option device 'lan1'

root@OpenWrt:~# vi /etc/config/firewall
config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

root@OpenWrt:/etc/config# vi mwan3
        option interface 'wanb'
        option metric '2'
        option weight '2'

config member 'wan6_m1_w3'
        option interface 'wan6'
        option metric '1'
        option weight '3'

config member 'wan6_m2_w3'
        option interface 'wan6'
        option metric '2'
        option weight '3'

config member 'wanb6_m1_w2'
        option interface 'wanb6'
        option metric '1'
        option weight '2'

config member 'wanb6_m1_w3'
        option interface 'wanb6'
        option metric '1'
        option weight '3'

config member 'wanb6_m2_w2'
        option interface 'wanb6'
        option metric '2'
        option weight '2'

config policy 'wan_only'
        list use_member 'wan_m1_w3'
        list use_member 'wan6_m1_w3'

config policy 'wanb_only'
        list use_member 'wanb_m1_w2'
        list use_member 'wanb6_m1_w2'

config policy 'balanced'
        list use_member 'wan_m1_w3'
        list use_member 'wanb_m1_w3'
        list use_member 'wan6_m1_w3'
        list use_member 'wanb6_m1_w3'

config policy 'wan_wanb'
        list use_member 'wan_m1_w3'
        list use_member 'wanb_m2_w2'
        list use_member 'wan6_m1_w3'
        list use_member 'wanb6_m2_w2'

config policy 'wanb_wan'
        list use_member 'wan_m2_w3'
        list use_member 'wanb_m1_w2'
        list use_member 'wan6_m2_w3'
        list use_member 'wanb6_m1_w2'

config rule 'https'
        option sticky '1'
        option dest_port '443'
        option proto 'tcp'
        option use_policy 'balanced'

config rule 'default_rule_v4'
        option dest_ip '0.0.0.0/0'
        option use_policy 'balanced'
        option family 'ipv4'

config rule 'default_rule_v6'
        option dest_ip '::/0'
        option use_policy 'balanced'
        option family 'ipv6'
