I am a little confused as I have had problems with my network since I made the DNS changes you suggested. For some reason the IPv4 gateway had disappeared from the LAN settings and I tried to reinstate it as 10.0.0.1, being the default for the router that manages the LAN and the gateway I use on every machine that is added to the network. However OpenWrt would not accept it and I have had to change it to 192.168.1.1 (not sure but I assume I could have also used 192.168.0.1?).
However this is where I am confused as I am trying to load balance the two WANs and if I send the LAN packets via 192.168.1.1 how does it then balance and use (share) the 192.168.0.1 gateway? Are the packets somehow redirected through the mwan3 policies before finally going out to the internet?
Sorry to ask such basic stuff.
Still cannot see 192.168.0.1 from the LAN 10.0.0.0/24.
I have been having all sorts of problems since making the changes to the network LAN interface. I have now finally removed all custom DNS entries from the LAN and left the public DNS entries on the two WANs (8.8.8.8 and 8.8.4.4) and that appears to be working again.
However, my policy page on the OpenVPN is now reporting the following Service Error:
From mwan3 configuration the tun0 is missing.
In the next post you are showing some output from vpn-policy-routing?
You should not be using both, as they are doing the same thing and their operations can conflict.
I thought mwan3 was for load balancing on the WAN side? I am using vpn-policy-routing to direct selected devices to the tun0 interface. Can I do this via mwan3? It seems to work OK as I have it setup so am reluctant to change it.
I think you are saying that I need to add the tun0 into my mwan3 setup but then how do I direct individual devices to only use that route?
I have restarted the interfaces a couple of times and now the service error has disappeared so I do not know what was causing it.
Both mwan3 and pbr do the same thing in a slightly different way. Therefore combining them is not guaranteed to work.
You can add the tun0 interface to mwan3 as well. Make a rule for the individual devices to use the tun0 only policy which will contain the tun0 member interface only.
This is a luci frontend to manage the OpenVPN configuration. It is not dealing with routing in any way other than installing the default or any static routes.
Can we have a look at the whole list? opkg list-installed
VPN and WAN Policy-Based Routing
Service Status [vpn-policy-routing 0.3.4-8]
Service Status
Running
Service Gateways
lan/br-lan/192.168.1.1
tun0/10.8.0.6
wan_free/wan/192.168.1.1 ✓
wan_sfr/lan4/192.168.0.1
The tick refers to the default for the VPN
Under policies (cannot copy and paste them) I have five items listed. Four go to tun0, one is my iMac that is usually pointing at WAN but which I use to check by changing to tun0 then back again.
I have looked at this again (your quote above) but I am sorry to say I do not understand what I have to do to get it to work.
I have removed my entry for my machine (10.0.040) from the VPN Policy Routing listing so it is acting as a normal LAN member.
I have set up a tun0 interface with a metric of 30. The metric is present in /etc/config/network but it does not show up on the MWAN Interfaces listing as shown below:
However, I do not know how to make a rule for the individual devices. I can see I have to insert the source address (which I assume is the device) but what do I enter for the destination address so that it is redirected to go to tun0? You will see below that I have tried to use a default destination and made it the first rule to be applied (I also tried it as the last rule).
Hello and happy new year as well!
For a start the tun interface in mwan3 configuration is not correct. It must have the same name as in network configuration.
BTW I have disabled the VPN policy routing while trying to get mwan3 to work.
Well I deleted the old tun0 reference and added a new one that is correctly named and the metric (30) is now present and correct but it tells me that tun0 has no default route in the main routing table:
but I cannot see how to invoke a gateway for tun0. The interface edit page shows that "use default gateway" is ticked but it is not apparently finding the gateway. I do not think I have ever had to enter a gateway for the tun devices before and I cannot see where to do it on the interface setting (is it because it is listed as unmanaged?).
Also on reading up I saw that someone had generated two VPN tun interfaces, one for each WAN interface. Is this what I have to do and then balance the two to get a balanced VPN?
root@OpenWrt:~# ip -4 ro list table all
default via 192.168.1.1 dev wan table 1 proto static metric 10
10.0.0.0/24 dev br-lan table 1 proto kernel scope link src 10.0.0.1
192.168.1.0/24 dev wan table 1 proto static scope link metric 10
default via 192.168.0.1 dev lan4 table 2 proto static metric 20
10.0.0.0/24 dev br-lan table 2 proto kernel scope link src 10.0.0.1
192.168.0.0/24 dev lan4 table 2 proto kernel scope link src 192.168.0.20
192.168.0.0/24 dev lan4 table 2 proto static scope link metric 20
10.0.0.0/24 dev br-lan table 3 proto kernel scope link src 10.0.0.1
10.8.0.0/24 dev tun0 table 3 proto kernel scope link src 10.8.0.6
default via 10.8.0.6 dev tun0 table tun0
default via 192.168.1.1 dev wan table wan_free
default via 192.168.0.1 dev lan4 table wan_sfr
default via 192.168.1.1 dev wan proto static metric 10
default via 192.168.0.1 dev lan4 proto static metric 20
10.0.0.0/24 dev br-lan proto kernel scope link src 10.0.0.1
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
192.168.0.0/24 dev lan4 proto static scope link metric 20
192.168.1.0/24 dev wan proto static scope link metric 10
broadcast 10.0.0.0 dev br-lan table local proto kernel scope link src 10.0.0.1
local 10.0.0.1 dev br-lan table local proto kernel scope host src 10.0.0.1
broadcast 10.0.0.255 dev br-lan table local proto kernel scope link src 10.0.0.1
broadcast 10.8.0.0 dev tun0 table local proto kernel scope link src 10.8.0.6
local 10.8.0.6 dev tun0 table local proto kernel scope host src 10.8.0.6
broadcast 10.8.0.255 dev tun0 table local proto kernel scope link src 10.8.0.6
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 192.168.0.0 dev lan4 table local proto kernel scope link src 192.168.0.20
local 192.168.0.20 dev lan4 table local proto kernel scope host src 192.168.0.20
broadcast 192.168.0.255 dev lan4 table local proto kernel scope link src 192.168.0.20
broadcast 192.168.1.0 dev wan table local proto kernel scope link src 192.168.1.20
local 192.168.1.20 dev wan table local proto kernel scope host src 192.168.1.20
broadcast 192.168.1.255 dev wan table local proto kernel scope link src 192.168.1.20
root@OpenWrt:~#
First thing I notice is that the tun0 metric (30) is not listed. The rest is out of my scope!
I forgot I had the VPN policy routing running as we were using the VPN on the TV.
I have disabled it again and here is the revised output.
G
root@OpenWrt:~# ip -4 ro list table all
default via 192.168.1.1 dev wan table 1 proto static metric 10
10.0.0.0/24 dev br-lan table 1 proto kernel scope link src 10.0.0.1
192.168.1.0/24 dev wan table 1 proto kernel scope link src 192.168.1.20
192.168.1.0/24 dev wan table 1 proto static scope link metric 10
default via 192.168.0.1 dev lan4 table 2 proto static metric 20
10.0.0.0/24 dev br-lan table 2 proto kernel scope link src 10.0.0.1
192.168.0.0/24 dev lan4 table 2 proto static scope link metric 20
10.0.0.0/24 dev br-lan table 3 proto kernel scope link src 10.0.0.1
10.8.0.0/24 dev tun0 table 3 proto kernel scope link src 10.8.0.6
unreachable default table tun0
default via 192.168.1.1 dev wan table wan_free
default via 192.168.0.1 dev lan4 table wan_sfr
default via 192.168.1.1 dev wan proto static metric 10
default via 192.168.0.1 dev lan4 proto static metric 20
10.0.0.0/24 dev br-lan proto kernel scope link src 10.0.0.1
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
192.168.0.0/24 dev lan4 proto static scope link metric 20
192.168.1.0/24 dev wan proto static scope link metric 10
broadcast 10.0.0.0 dev br-lan table local proto kernel scope link src 10.0.0.1
local 10.0.0.1 dev br-lan table local proto kernel scope host src 10.0.0.1
broadcast 10.0.0.255 dev br-lan table local proto kernel scope link src 10.0.0.1
broadcast 10.8.0.0 dev tun0 table local proto kernel scope link src 10.8.0.6
local 10.8.0.6 dev tun0 table local proto kernel scope host src 10.8.0.6
broadcast 10.8.0.255 dev tun0 table local proto kernel scope link src 10.8.0.6
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 192.168.0.0 dev lan4 table local proto kernel scope link src 192.168.0.20
local 192.168.0.20 dev lan4 table local proto kernel scope host src 192.168.0.20
broadcast 192.168.0.255 dev lan4 table local proto kernel scope link src 192.168.0.20
broadcast 192.168.1.0 dev wan table local proto kernel scope link src 192.168.1.20
local 192.168.1.20 dev wan table local proto kernel scope host src 192.168.1.20
broadcast 192.168.1.255 dev wan table local proto kernel scope link src 192.168.1.20
root@OpenWrt:~#
No idea what I have done but my iMac is simply not connecting to the internet. I was rebooting the OpenWrt server (which restarted the VPN pbr) to get it going again but now, no matter what I do, the machine will not connect to the internet. I have rebooted and restarted everything in the chain but it is the same. I must have accidentally changed something but no idea what. I am using a portable at the moment to respond to you.
Despite disabling in luci service vpn-policy-routing status shows it is still running so I have used the stop command to close it off. Disabled it then rebooted. Here is the requested output. I have also appended the "service vpn-policy-routing status" output for your information.
I have then stopped the VPN server and run the command again and that is at the end of the listing with no tun entries.
My apologies for wasting your time.
Geoff
OpenWrt 21.02.2, r16495-bf0c965af0
-----------------------------------------------------
root@OpenWrt:~# ip -4 ro list table all
default via 192.168.1.1 dev wan table 1 proto static metric 10
10.0.0.0/24 dev br-lan table 1 proto kernel scope link src 10.0.0.1
192.168.1.0/24 dev wan table 1 proto kernel scope link src 192.168.1.20
192.168.1.0/24 dev wan table 1 proto static scope link metric 10
default via 192.168.0.1 dev lan4 table 2 proto static metric 20
10.0.0.0/24 dev br-lan table 2 proto kernel scope link src 10.0.0.1
192.168.0.0/24 dev lan4 table 2 proto static scope link metric 20
10.0.0.0/24 dev br-lan table 3 proto kernel scope link src 10.0.0.1
10.8.0.0/24 dev tun0 table 3 proto kernel scope link src 10.8.0.6
default via 192.168.1.1 dev wan proto static metric 10
default via 192.168.0.1 dev lan4 proto static metric 20
10.0.0.0/24 dev br-lan proto kernel scope link src 10.0.0.1
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
192.168.0.0/24 dev lan4 proto static scope link metric 20
192.168.1.0/24 dev wan proto static scope link metric 10
broadcast 10.0.0.0 dev br-lan table local proto kernel scope link src 10.0.0.1
local 10.0.0.1 dev br-lan table local proto kernel scope host src 10.0.0.1
broadcast 10.0.0.255 dev br-lan table local proto kernel scope link src 10.0.0.1
broadcast 10.8.0.0 dev tun0 table local proto kernel scope link src 10.8.0.6
local 10.8.0.6 dev tun0 table local proto kernel scope host src 10.8.0.6
broadcast 10.8.0.255 dev tun0 table local proto kernel scope link src 10.8.0.6
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 192.168.0.0 dev lan4 table local proto kernel scope link src 192.168.0.20
local 192.168.0.20 dev lan4 table local proto kernel scope host src 192.168.0.20
broadcast 192.168.0.255 dev lan4 table local proto kernel scope link src 192.168.0.20
broadcast 192.168.1.0 dev wan table local proto kernel scope link src 192.168.1.20
local 192.168.1.20 dev wan table local proto kernel scope host src 192.168.1.20
broadcast 192.168.1.255 dev wan table local proto kernel scope link src 192.168.1.20
root@OpenWrt:~# service vpn-policy-routing status
vpn-policy-routing 0.3.4-8 running on OpenWrt 21.02.2.
============================================================
Dnsmasq version 2.85 Copyright (c) 2000-2021 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus UBus no-i18n no-IDN DHCP no-DHCPv6 no-Lua TFTP no-conntrack no-ipset no-auth no-cryptohash no-DNSSEC no-ID loop-detect inotify dumpfile
============================================================
Routes/IP Rules
default 192.168.1.1 0.0.0.0 UG 10 0 0 wan
default 192.168.0.1 0.0.0.0 UG 20 0 0 lan4
Error: ipv4: FIB table does not exist.
Dump terminated
IPv4 Table 201:
IPv4 Table 201 Rules:
Error: ipv4: FIB table does not exist.
Dump terminated
IPv4 Table 202:
IPv4 Table 202 Rules:
Error: ipv4: FIB table does not exist.
Dump terminated
IPv4 Table 203:
IPv4 Table 203 Rules:
Error: ipv4: FIB table does not exist.
Dump terminated
IPv4 Table 204:
IPv4 Table 204 Rules:
Error: ipv4: FIB table does not exist.
Dump terminated
IPv4 Table 205:
IPv4 Table 205 Rules:
Error: ipv4: FIB table does not exist.
Dump terminated
IPv4 Table 206:
IPv4 Table 206 Rules:
Error: ipv4: FIB table does not exist.
Dump terminated
IPv4 Table 207:
IPv4 Table 207 Rules:
Error: ipv4: FIB table does not exist.
Dump terminated
IPv4 Table 208:
IPv4 Table 208 Rules:
============================================================
Current ipsets
create mwan3_dynamic_v4 hash:net family inet hashsize 1024 maxelem 65536
create mwan3_dynamic_v6 hash:net family inet6 hashsize 1024 maxelem 65536
create mwan3_custom_v4 hash:net family inet hashsize 1024 maxelem 65536
create mwan3_custom_v6 hash:net family inet6 hashsize 1024 maxelem 65536
create mwan3_sticky_v4_https hash:ip,mark family inet markmask 0x00003f00 hashsize 1024 maxelem 65536 timeout 600
add mwan3_sticky_v4_https 10.0.0.50,0x00000100 timeout 427
add mwan3_sticky_v4_https 10.0.0.158,0x00000200 timeout 420
add mwan3_sticky_v4_https 10.0.0.153,0x00000100 timeout 462
add mwan3_sticky_v4_https 10.0.0.163,0x00000200 timeout 478
add mwan3_sticky_v4_https 10.0.0.169,0x00000100 timeout 409
add mwan3_sticky_v4_https 10.0.0.170,0x00000200 timeout 423
add mwan3_sticky_v4_https 10.0.0.201,0x00000100 timeout 404
add mwan3_sticky_v4_https 10.0.0.152,0x00000200 timeout 476
add mwan3_sticky_v4_https 10.0.0.202,0x00000100 timeout 442
add mwan3_sticky_v4_https 192.168.1.20,0x00000200 timeout 459
add mwan3_sticky_v4_https 192.168.1.20,0x00000100 timeout 483
add mwan3_sticky_v4_https 10.0.0.158,0x00000100 timeout 463
add mwan3_sticky_v4_https 192.168.0.20,0x00000100 timeout 514
add mwan3_sticky_v4_https 192.168.0.20,0x00000200 timeout 407
add mwan3_sticky_v4_https 10.0.0.201,0x00000200 timeout 511
add mwan3_sticky_v4_https 10.0.0.50,0x00000200 timeout 419
create mwan3_sticky_v6_https hash:ip,mark family inet6 markmask 0x00003f00 hashsize 1024 maxelem 65536 timeout 600
create mwan3_connected_v4 hash:net family inet hashsize 1024 maxelem 65536
add mwan3_connected_v4 192.168.0.0/24
add mwan3_connected_v4 127.0.0.0/8
add mwan3_connected_v4 10.8.0.0/24
add mwan3_connected_v4 192.168.1.0/24
add mwan3_connected_v4 224.0.0.0/3
add mwan3_connected_v4 10.0.0.0/24
create mwan3_connected_v6 hash:net family inet6 hashsize 1024 maxelem 65536
add mwan3_connected_v6 fe80::/64
add mwan3_connected_v6 fd33:1ec6:a8::/64
create mwan3_connected list:set size 8
add mwan3_connected mwan3_dynamic_v4
add mwan3_connected mwan3_dynamic_v6
add mwan3_connected mwan3_custom_v4
add mwan3_connected mwan3_custom_v6
add mwan3_connected mwan3_connected_v6
add mwan3_connected mwan3_connected_v4
create mwan3_sticky_https list:set size 8
add mwan3_sticky_https mwan3_sticky_v4_https
add mwan3_sticky_https mwan3_sticky_v6_https
============================================================
Your support details have been logged to '/var/vpn-policy-routing-support'. [✓]
root@OpenWrt:~#
root@OpenWrt:~# ip -4 ro list table all
default via 192.168.1.1 dev wan table 1 proto static metric 10
10.0.0.0/24 dev br-lan table 1 proto kernel scope link src 10.0.0.1
192.168.1.0/24 dev wan table 1 proto kernel scope link src 192.168.1.20
192.168.1.0/24 dev wan table 1 proto static scope link metric 10
default via 192.168.0.1 dev lan4 table 2 proto static metric 20
10.0.0.0/24 dev br-lan table 2 proto kernel scope link src 10.0.0.1
192.168.0.0/24 dev lan4 table 2 proto static scope link metric 20
default via 192.168.1.1 dev wan proto static metric 10
default via 192.168.0.1 dev lan4 proto static metric 20
10.0.0.0/24 dev br-lan proto kernel scope link src 10.0.0.1
192.168.0.0/24 dev lan4 proto static scope link metric 20
192.168.1.0/24 dev wan proto static scope link metric 10
broadcast 10.0.0.0 dev br-lan table local proto kernel scope link src 10.0.0.1
local 10.0.0.1 dev br-lan table local proto kernel scope host src 10.0.0.1
broadcast 10.0.0.255 dev br-lan table local proto kernel scope link src 10.0.0.1
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 192.168.0.0 dev lan4 table local proto kernel scope link src 192.168.0.20
local 192.168.0.20 dev lan4 table local proto kernel scope host src 192.168.0.20
broadcast 192.168.0.255 dev lan4 table local proto kernel scope link src 192.168.0.20
broadcast 192.168.1.0 dev wan table local proto kernel scope link src 192.168.1.20
local 192.168.1.20 dev wan table local proto kernel scope host src 192.168.1.20
broadcast 192.168.1.255 dev wan table local proto kernel scope link src 192.168.1.20
root@OpenWrt:~#
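Added example, not part of any post in this thread: a small shell check for the condition mwan3 reported above ("tun0 has no default route in the main routing table"), run over a route dump in the format of `ip -4 ro list table all`. The function names and the embedded sample (a subset of the lines posted above, marked as constructed) are assumptions of this example.

```shell
#!/bin/sh
# Constructed sample: a subset of the `ip -4 ro list table all` lines posted above.
sample_routes() {
cat <<'EOF'
default via 192.168.1.1 dev wan table 1 proto static metric 10
10.0.0.0/24 dev br-lan table 1 proto kernel scope link src 10.0.0.1
default via 192.168.0.1 dev lan4 table 2 proto static metric 20
10.0.0.0/24 dev br-lan table 3 proto kernel scope link src 10.0.0.1
10.8.0.0/24 dev tun0 table 3 proto kernel scope link src 10.8.0.6
unreachable default table tun0
default via 192.168.1.1 dev wan table wan_free
default via 192.168.1.1 dev wan proto static metric 10
default via 192.168.0.1 dev lan4 proto static metric 20
10.0.0.0/24 dev br-lan proto kernel scope link src 10.0.0.1
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
local 10.8.0.6 dev tun0 table local proto kernel scope host src 10.8.0.6
EOF
}

# main_default_report DEV...   (reads a route dump on stdin)
# Lines without a "table" keyword belong to the main table. For each DEV prints
# "<dev> ok metric=<n>", "<dev> no-metric" or "<dev> missing".
main_default_report() {
    awk -v devs="$*" '
    {
        table = "main"; dev = ""; metric = ""
        for (i = 1; i < NF; i++) {
            if ($i == "table")  table  = $(i + 1)
            if ($i == "dev")    dev    = $(i + 1)
            if ($i == "metric") metric = $(i + 1)
        }
        # Only real default routes count; "unreachable default" starts with another word.
        if ($1 == "default" && table == "main" && dev != "") {
            seen[dev] = 1
            met[dev] = metric
        }
    }
    END {
        n = split(devs, want, " ")
        for (k = 1; k <= n; k++) {
            d = want[k]
            if (!(d in seen))      print d, "missing"
            else if (met[d] == "") print d, "no-metric"
            else                   print d, "ok metric=" met[d]
        }
    }'
}

# On the router: ip -4 ro list table all | main_default_report wan lan4 tun0
sample_routes | main_default_report wan lan4 tun0
```

On the sample, wan and lan4 have main-table defaults with metrics 10 and 20, while tun0 has only its connected 10.8.0.0/24 route and is reported as missing.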