I too have a problem on version 23.03.3.
I have 2 wan with mwan3.
PBR does not work.
pbr gives an error on wan:
```
root@OpenWrt:~# /etc/init.d/pbr reload verbose=2
Activating traffic killswitch [✓]
Warning: iptables-legacy tables present, use iptables-legacy-save to see them
Setting up routing for 'wan/eth2/192.168.160.1' Error: argument "256
257" is wrong: invalid table ID
[✗]
Setting up routing for 'wanb/eth3/192.168.1.254' [✓]
Setting up routing for 'wg0/10.66.66.12' [✓]
Setting up routing for 'wg1/10.66.66.5' [✓]
Setting up routing for 'WG2/10.7.0.3' [✓]
Creating TOR redirects [✗]
Routing 'server2Win11' via wg0 [✗]
Deactivating traffic killswitch [✓]
pbr 1.0.1-16 monitoring interfaces: wan wanb wg0 wg1 WG2
Command failed: Invalid argument
pbr 1.0.1-16 (nft) started with gateways:
wanb/eth3/192.168.1.254
wg0/10.66.66.12
wg1/10.66.66.5
WG2/10.7.0.3
ERROR: Failed to set up 'wan/eth2/192.168.160.1'!
ERROR: Failed to set up 'tor/53->9053/80,443->9040'!
ERROR:
all
ERROR: Insertion failed for IPv4 for policy server2Win11
ERROR:
nft 'add rule inet fw4 pbr_prerouting ip saddr @pbr_wg0_4_src_ip_cfg066ff5 ip daddr {} tcp sport {0-65535} tcp dport {0-65535} goto pbr_mark_0x030000 comment "server2Win11"'
```
First of all, please fix the formatting by using preformatted text for the console output.
Just make sure you "sandwich" your text between two rows of backtick characters ` (which themselves will be invisible in the preview), looking something like this in the editor:
```
Your Pasted Text as preformatted text with fixed width font
1
1111 (note with fixed-width fonts the numbers are right-aligned)
```
but looking like this in the rendered forum:
Your Pasted Text as preformatted text with fixed width font
1
1111 (note with fixed-width fonts the numbers are right-aligned)
Then post the output of `ubus call system board; opkg list-installed`.
The problem is that you use two packages with overlapping functionality. They are not even supposed to work together. Please convert your policy rules 100% to mwan3.
Please post your current pbr rules here, and I will try to formulate the equivalent ones for mwan3. So that you can uninstall pbr, and have only mwan3, without any loss of functionality.
Or even better, formulate what you are trying to achieve with mwan3 and pbr, so that I get the full picture and can work from that.
mwan3 distributes the load between 2 wan. I need to be able to assign my gateway to any IP in the network. In version 23.03, I did it using vpn-policy-routing and everything worked.
Maybe it is possible to send the right IP to the right gateway through mwan3?
OK, I understand this - you are using load balancing, not fail-over. This is indeed a valid use case for mwan3.
> I need to be able to assign my gateway to any IP in the network.

Please reword, I don't understand this at all. Or maybe provide examples.

> In version 23.03, I did it using vpn-policy-routing and everything worked.

This was not supposed to work. Any combination of two packages that provide policy-based routing (and load balancing is a form of policy-based routing) is an unsupported setup.
P.S. It would help if you show your current `/etc/config/mwan3` file in full, as we are going to modify it, and modifying it blindly is not a good idea. Also the old configuration from vpn-policy-routing would help.
OK, great, let me reword to confirm my understanding:
You have wan, wanb, their IPv6 counterparts, and wg0 (which is not in mwan3 configuration). You want 192.168.0.111 to use wanb, as if nothing else exists, 192.168.0.112 to go through wg0, and all other IP addresses to be balanced between wan and wanb. Good news - you don't need pbr for this, just some adjustments to mwan3 rules.
Is this correct?
Regarding IPv6 - do you actually use IPv6, or is that just a left-over from the default configuration?
OK, so we need to add wg0 to mwan3 as an interface, and create policies and rules. I also think that we need to create /etc/firewall.user as a workaround for https://github.com/openwrt/packages/issues/19607.
I can either spend 60 minutes and write down a fully tested config for you, or we can have a video chat right now, and I will guide you through this.
Perhaps you need to create a rule that prevents packets created by wireguard from looping back. I.e. direct them, based on the destination IP and port, to wan or wanb.
But, I have already told you: with VPNs, there is a bug in mwan3, that needs to be worked around. Please save this as `/etc/firewall.mwan3-fix` and make it executable:
```sh
#!/bin/sh
# Clear mwan3's mark bits (mask 0x3f00) on every packet entering PREROUTING,
# so a packet decrypted by the VPN does not inherit the mark that was set on
# the outer, encrypted packet. Delete any existing copy of the rule first so
# repeated firewall reloads do not insert duplicates.
iptables -t mangle -D PREROUTING -m comment --comment "Do not inherit the mark of encrypted packets" -j MARK --set-xmark 0x0/0x3f00 || echo "Never mind"
# Insert at position 1 so it runs before the mwan3 marking rules.
iptables -t mangle -I PREROUTING 1 -m comment --comment "Do not inherit the mark of encrypted packets" -j MARK --set-xmark 0x0/0x3f00
```
And then add this to `/etc/config/firewall`:
```
config include
	option path '/etc/firewall.mwan3-fix'
	option type 'script'
```
And then `/etc/init.d/firewall restart ; /etc/init.d/mwan3 restart`.
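For reference, here is what the plan discussed above (wg0 added as an mwan3 interface, 192.168.0.111 pinned to wanb, 192.168.0.112 sent through wg0, everything else balanced between wan and wanb, plus the rule that keeps the WireGuard endpoint traffic itself from being routed back into the tunnel) looks like as an `/etc/config/mwan3` fragment. This is an added example, not a config posted by anyone in this thread. It assumes the member names `wan_m1_w3` and `wanb_m1_w2` from the default OpenWrt mwan3 config already exist; the tracked address `10.66.66.1`, the endpoint address `203.0.113.10` and port `51820` are constructed placeholders to be replaced with the real peer values.

```uci
# Added example, not from the thread. Placeholders are marked as such.

# wg0 as an mwan3 interface. Tracking the peer's tunnel address (placeholder)
# lets mwan3 mark the tunnel down when the VPN stops passing traffic.
config interface 'wg0'
	option enabled '1'
	option family 'ipv4'
	option initial_state 'online'
	list track_ip '10.66.66.1'
	option track_method 'ping'
	option reliability '1'
	option count '1'
	option timeout '2'
	option interval '5'
	option down '3'
	option up '3'

config member 'wg0_m1_w1'
	option interface 'wg0'
	option metric '1'
	option weight '1'

# Single-interface policies. last_resort 'unreachable' means the pinned hosts
# get no connectivity when their interface is down, instead of silently
# leaking out via the other wan ("as if nothing else exists").
config policy 'wan_only'
	list use_member 'wan_m1_w3'
	option last_resort 'unreachable'

config policy 'wanb_only'
	list use_member 'wanb_m1_w2'
	option last_resort 'unreachable'

config policy 'wg0_only'
	list use_member 'wg0_m1_w1'
	option last_resort 'unreachable'

# Default policy: balance between wan and wanb by weight.
config policy 'balanced'
	list use_member 'wan_m1_w3'
	list use_member 'wanb_m1_w2'

# Rules are evaluated top to bottom; the first match wins, so the more
# specific rules must come before the catch-all default.

# WireGuard endpoint traffic (placeholder address/port) leaves via wan and is
# never considered for the wg0 policy, which would loop it into the tunnel.
config rule 'wg_endpoint_via_wan'
	option family 'ipv4'
	option proto 'udp'
	option dest_ip '203.0.113.10'
	option dest_port '51820'
	option use_policy 'wan_only'

config rule 'host111_via_wanb'
	option family 'ipv4'
	option proto 'all'
	option src_ip '192.168.0.111'
	option use_policy 'wanb_only'

config rule 'host112_via_wg0'
	option family 'ipv4'
	option proto 'all'
	option src_ip '192.168.0.112'
	option use_policy 'wg0_only'

# Catch-all, kept last. Matches the default_rule_v4 of the stock config.
config rule 'default_rule_v4'
	option family 'ipv4'
	option proto 'all'
	option dest_ip '0.0.0.0/0'
	option use_policy 'balanced'
```

After editing, `/etc/init.d/mwan3 restart` and check `mwan3 status`: wg0 should be listed as online and the three rules should show up in the order above. If the default config's `wan_only`, `wanb_only` or `balanced` policies already exist, merge rather than duplicate them, since UCI section names must be unique.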