Port Forwarding on Load Balancing LAN Setup - Routing / Firewall Problems

I currently have an exotic setup, because I can't add additional wires to my setup.

Basically I have a DSL ISP router and a cable ISP router. Both are connected to my LAN and DHCP is shut off. My OpenWRT router is also in the same LAN (and subnet) with DHCP on.
Then the OpenWRT load balances the ISPs with mwan3.

network

config interface 'lan'
	option type 'bridge'
	option _orig_ifname 'eth0 radio0.network1 radio1.network1 radio2.network1'
	option _orig_bridge 'true'
	option proto 'static'
	option stp '1'
	option broadcast '192.168.1.255'
	option metric '1'
	option ifname 'eth0.1 eth1.1'
	option dns '192.168.1.251'
	option gateway '192.168.1.251'
	option ipaddr '192.168.1.251'
	option netmask '255.255.255.0'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option vid '1'
	option ports '0 1 2 3 5t 6t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option vid '2'
	option ports '4 5t 6t'

config interface 'wan_dsl'
	option proto 'static'
	option ipaddr '192.168.1.2'
	option netmask '255.255.255.0'
	option broadcast '192.168.1.255'
	option metric '20'
	option _orig_ifname 'eth0.2'
	option _orig_bridge 'false'
	option ifname 'eth0.2'
	option macaddr '01:23:45:B8:E8:12'
	option delegate '0'
	option gateway '192.168.1.254'
	option dns '192.168.1.254'

config interface 'wan_cable'
	option proto 'static'
	option ipaddr '192.168.1.3'
	option netmask '255.255.255.0'
	option broadcast '192.168.1.255'
	option _orig_ifname 'eth0.3'
	option _orig_bridge 'false'
	option macaddr '01:23:45:B8:E8:13'
	option delegate '0'
	option gateway '192.168.1.1'
	option ifname 'eth1.2'
	option dns '192.168.1.1'
	option metric '10'

There is a cable between LAN1 and WAN to connect the VLANs (it was the only way to get it to work).

Now I have installed an OpenVPN server on my OpenWRT.

Now I have the following problem:
When I open a port on both ISP routers, the forwarding doesn't work as it should. With UDP there was no way. With TCP it works a bit:
If I forward to the OpenWRT gateway 192.168.1.251, the router doesn't know how to answer. It only worked to forward the packets from the DSL router 192.168.1.254 to the wan_dsl interface 192.168.1.2, and then also forward from WAN to LAN on that port on the OpenWRT.
If I try the same with the wan_cable interface 192.168.1.3 from the cable router 192.168.1.1, it doesn't work.
In Wireshark I see that the TCP SYN ACK can't be sent back, because of "ICMP Destination unreachable".

Maybe I need to fix the general setup first, but maybe there is an easy way to fix that.

The OpenWrt device is connected to "the same" network on three different interfaces; I wonder how anything works at all in that set-up.

I would start by configuring a different IP range on each zone in your installation. If possible, the modems should be configured as "transparent", so the router gets two public IP addresses.

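To make the reply's point concrete, here is an added illustration that is not part of the thread: a reduced model of Linux route selection (longest prefix match, then lowest metric) applied to the connected routes the posted config produces, beside a constructed variant with one IP range per zone. It models only the main table's connected routes and deliberately ignores mwan3's policy-routing tables and firewall marks, so it shows why a reply to a router address can leave on an interface other than the one the request arrived on, not the exact path mwan3 takes. The 192.168.2.0/24 and 192.168.3.0/24 ranges and their router addresses are assumptions chosen for the example.

```python
"""Reduced model of Linux route selection for the thread's two layouts.

Assumption (constructed model): only the main table's connected routes are
considered, selection is longest prefix first, then lowest metric. mwan3's
per-interface tables and fwmark rules are intentionally left out.
"""
from ipaddress import ip_address, ip_network
from typing import List, NamedTuple, Optional


class Route(NamedTuple):
    prefix: str   # destination network, e.g. '192.168.1.0/24'
    dev: str      # egress interface the kernel would use
    metric: int   # lower wins when prefix lengths are equal


def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Return the route the kernel would pick for dst, or None if nothing matches."""
    addr = ip_address(dst)
    candidates = [r for r in routes if addr in ip_network(r.prefix)]
    if not candidates:
        return None
    # Longest prefix wins; among equal prefixes the lowest metric wins.
    return min(candidates, key=lambda r: (-ip_network(r.prefix).prefixlen, r.metric))


def reply_symmetric(routes: List[Route], ingress_dev: str, peer: str) -> bool:
    """True if a reply to `peer` leaves on the interface the request came in on."""
    chosen = lookup(routes, peer)
    return chosen is not None and chosen.dev == ingress_dev


# Connected routes implied by the posted config: the same /24 on all three
# interfaces, with the metrics given in each interface section.
OVERLAPPING = [
    Route('192.168.1.0/24', 'br-lan', 1),
    Route('192.168.1.0/24', 'eth1.2', 10),   # wan_cable, router 192.168.1.1
    Route('192.168.1.0/24', 'eth0.2', 20),   # wan_dsl,   router 192.168.1.254
]

# Constructed alternative following the advice to use a different range per
# zone. The WAN-side ranges and router addresses are assumptions for this example.
SEPARATED = [
    Route('192.168.1.0/24', 'br-lan', 1),
    Route('192.168.3.0/24', 'eth1.2', 10),   # wan_cable, router 192.168.3.1 (assumed)
    Route('192.168.2.0/24', 'eth0.2', 20),   # wan_dsl,   router 192.168.2.254 (assumed)
]


def demo() -> None:
    """Print which interface answers each ISP router under both layouts."""
    for name, table, peers in (
        ('overlapping', OVERLAPPING, {'eth1.2': '192.168.1.1', 'eth0.2': '192.168.1.254'}),
        ('separated', SEPARATED, {'eth1.2': '192.168.3.1', 'eth0.2': '192.168.2.254'}),
    ):
        for ingress, router in peers.items():
            chosen = lookup(table, router)
            print(f"{name}: request in on {ingress} from {router}, reply leaves on "
                  f"{chosen.dev if chosen else 'nothing'}; symmetric="
                  f"{reply_symmetric(table, ingress, router)}")


if __name__ == '__main__':
    demo()
```

With the overlapping layout every 192.168.1.x address, both ISP routers included, resolves to the br-lan route because it carries the lowest metric, so a SYN that arrived on eth1.2 is answered out a different interface regardless of the mwan3 interface order. With one range per zone each router address resolves only to its own interface, which is the property the reply is asking for.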

A transparent mode is not possible, sadly. I may play around with different subnets.

But: it seems to be a mwan3 problem.
The forwarding works only on the device with the alphabetically lower name (if I just switch the names, the other device works).

The implementation of my network configuration is derived from this idea:
https://openwrt.org/docs/guide-user/network/wan/multiwan/mwan3#the_second_wan_interface_wan2

You can only do inbound services via the ISP that is currently active as the Internet gateway.

No, that is true. If I change the names / order, the other ISP works. All the time just the DSL ISP worked for VPN. After renaming / changing the order in the config files it worked for the cable connection, which is sufficient currently, as it is the ISP with the better upload rate.

Also, there is no single active ISP in my configuration. It is load balanced to both, depending on the target IP / protocol.