PBR not working with mwan3

Yes, the metric is different.

firewall.mwan3-fix added.
Added the needed rules to mwan3, but no effect: the IP in question still goes out through the default WAN.
My mwan3 conf:

config rule 'https'
	option sticky '1'
	option dest_port '443'
	option proto 'tcp'
	option use_policy 'balanced'

config rule 'default_rule_v4'
	option dest_ip '0.0.0.0/0'
	option use_policy 'balanced'
	option family 'ipv4'

config globals 'globals'
	option mmx_mask '0x3F00'
	option logging '1'
	option loglevel 'notice'
	list rt_table_lookup '220'

config interface 'wan'
	option enabled '1'
	list track_ip '8.8.4.4'
	list track_ip '8.8.8.8'
	list track_ip '208.67.222.222'
	list track_ip '208.67.220.220'
	option family 'ipv4'
	option reliability '2'

config interface 'wanb'
	list track_ip '8.8.4.4'
	list track_ip '8.8.8.8'
	list track_ip '208.67.222.222'
	list track_ip '208.67.220.220'
	option family 'ipv4'
	option reliability '1'
	option enabled '1'
	option initial_state 'online'
	option track_method 'ping'
	option count '1'
	option size '56'
	option max_ttl '60'
	option check_quality '0'
	option timeout '4'
	option interval '10'
	option failure_interval '5'
	option recovery_interval '5'
	option down '5'
	option up '5'

config member 'wan_m1_w3'
	option interface 'wan'
	option metric '1'
	option weight '3'

config member 'wan_m2_w3'
	option interface 'wan'
	option metric '2'
	option weight '3'

config member 'wanb_m1_w2'
	option interface 'wanb'
	option metric '1'
	option weight '2'

config member 'wanb_m2_w2'
	option interface 'wanb'
	option metric '2'
	option weight '2'

config policy 'wan_only'
	list use_member 'wan_m1_w3'
	option last_resort 'unreachable'

config policy 'wanb_only'
	list use_member 'wanb_m1_w2'
	option last_resort 'unreachable'

config policy 'balanced'
	option last_resort 'unreachable'
	list use_member 'wan_m1_w3'
	list use_member 'wanb_m1_w2'

config policy 'wan_wanb'
	option last_resort 'unreachable'
	list use_member 'wan_m1_w3'
	list use_member 'wanb_m2_w2'

config policy 'wanb_wan'
	option last_resort 'unreachable'
	list use_member 'wan_m2_w3'
	list use_member 'wanb_m1_w2'

config interface 'wg0'
	option enabled '1'
	option initial_state 'online'
	option family 'ipv4'
	option track_method 'ping'
	option count '1'
	option size '56'
	option max_ttl '60'
	option timeout '4'
	option interval '10'
	option failure_interval '5'
	option recovery_interval '5'
	option down '5'
	option up '5'
	option interface 'wg0'
	option metric '3'
	option weight '4'
	list track_ip '8.8.8.8'
	list track_ip '0.0.0.0'
	option reliability '1'
	list use_member 'wg0'
	list use_member 'wg0'
	option last_resort 'unreachable'

config rule 'server2Win11'
	option proto 'all'
	option src_ip '192.168.0.193'
	option dest_ip '0.0.0.0/0'
	option sticky '0'
	option use_policy 'wg0_only'

config member 'wg0_m3_w4'
	option interface 'wg0'
	option metric '3'
	option weight '4'

config policy 'wg0_only'
	list use_member 'wg0_m3_w4'
	option last_resort 'unreachable'

Major finding from the video chat: even after uninstalling pbr, its iptables rules were still there. However the policy still doesn't work - debugging now.

Solved.

It didn't work because the default route through the WireGuard interface was not being created. The "default route" checkbox does not work, but after ticking "Route Allowed IPs" in the WireGuard peer settings everything started working.


The problem is mwan3 is using iptables while pbr is configured to use nft.

With the appropriate config (the README has details), pbr-iptables and mwan3 should work fine on 21.02 (as the pbr predecessor did); possibly pbr in iptables mode will work with mwan3 on 22.03 as well.

With mwan3 on 22.03 you need to ensure you have iptables-nft installed and not iptables-zz-legacy. Unfortunately the legacy version is the default that you get when you install mwan3.

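The two checks the thread ends up on, written out as an added shell example (not code from any poster, nor from the mwan3 or pbr projects): which iptables flavour is active and whether iptables-zz-legacy is installed (the nft-versus-iptables conflict in the last post), and whether a default route through the WireGuard interface actually exists (the "Route Allowed IPs" finding in the "Solved" post). Each function reads captured command output from stdin, so the script runs offline on constructed sample lines; on a live OpenWrt box you would pipe in `iptables -V`, `opkg list-installed` and `ip route show` (or `ip route show table <n>`). The interface name `wg0`, the gateway addresses and the package versions in the samples are assumptions.

```shell
#!/bin/sh
# Added example for the thread above; not the posters' or the projects' code.
# Every function takes captured command output on stdin and prints a verdict,
# returning non-zero when the configuration matches a failure mode.

# Classify the iptables backend from an `iptables -V` line.
# Prints "nft", "legacy" or "unknown".
iptables_backend() {
    case "$(cat)" in
        *"(nf_tables)"*) echo nft ;;
        *"(legacy)"*)    echo legacy ;;
        *)               echo unknown ;;
    esac
}

# Inspect an `opkg list-installed` dump. mwan3 on 22.03 pulls in the legacy
# package by default; pbr in nft mode needs the nft flavour instead.
# Prints "legacy-installed", "ok" or "no-iptables".
iptables_packages_ok() {
    pkgs="$(cat)"
    case "$pkgs" in
        *iptables-zz-legacy*) echo legacy-installed; return 1 ;;
    esac
    case "$pkgs" in
        *iptables-nft*) echo ok; return 0 ;;
    esac
    echo no-iptables
    return 1
}

# Look for a default route via a given device in an `ip route show` dump.
# Matches both "default via <gw> dev <dev>" and "default dev <dev> ...".
# Prints "present" or "missing".
default_route_via() {
    dev="$1"
    if grep -Eq "^default .*dev $dev( |$)"; then
        echo present
        return 0
    fi
    echo missing
    return 1
}

# Constructed sample output (assumed values, not captured from a real router).
SAMPLE_VERSION='iptables v1.8.7 (legacy)'
SAMPLE_PKGS='iptables-zz-legacy - 1.8.7-7
mwan3 - 2.11.1-1'
SAMPLE_ROUTES='default via 192.0.2.1 dev eth0.2
192.168.0.0/24 dev br-lan proto kernel scope link src 192.168.0.1'

# Run the three checks on the samples; on a real box replace the samples
# with the live command output.
printf 'iptables backend: %s\n' "$(printf '%s\n' "$SAMPLE_VERSION" | iptables_backend)"
printf 'iptables packages: %s\n' "$(printf '%s\n' "$SAMPLE_PKGS" | iptables_packages_ok)"
printf 'default route via wg0: %s\n' "$(printf '%s\n' "$SAMPLE_ROUTES" | default_route_via wg0)"
```

With the constructed samples the script reports the legacy backend, the legacy package and a missing wg0 default route, which is the combination the thread describes before the fixes; after installing iptables-nft and enabling "Route Allowed IPs" on the peer, the same three pipes should print `nft`, `ok` and `present`.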