Rules for Specific Device Route to Specific WAN for MWAN3

Hello,
I have two ISPs for my home network. I have already configured the switch and both ISP connections, and they are working fine. Both ISPs use PPPoE authentication. I put both uplink interfaces in the WAN firewall zone.

What I am trying to do now: ISP-A should be my primary connection, but its uptime is poor, so whenever ISP-A is down I would like traffic to fail over to ISP-B.

So far, it is working the way I want. Now I am trying to create some rules. When both ISPs are online, I would like the 192.168.2.101 host to use the ISP-B connection while all other hosts use ISP-A. (Even after setting up a few rules it always uses ISP-A.)

However, when ISP-B is offline, the 192.168.2.101 host should start using ISP-A. The same logic applies to the other hosts: when ISP-A is down, they should start using ISP-B, alongside 192.168.2.101.

I have tried many rules but none of them work. I have added my configuration below (passwords, keys and MAC addresses are replaced with placeholders). Please suggest what the fix would be.

Network Configuration:


# /etc/config/network as posted. Credentials, keys and MAC addresses are
# redacted placeholders ('password', 'xxx…', 'XX:XX:…'); the real file holds
# the PPPoE passwords and the WireGuard private key in plain text, so treat
# it as a secret when sharing pastes or backups.
config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdf8:6210:01f1::/48'

# Switch layout: VLAN 1 = LAN (ports 0-2), VLAN 2 = ISP-A (port 4),
# VLAN 3 = ISP-B (port 3). Port 6 is tagged on all three, presumably the
# CPU port.
config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0 1 2 6t'
	option vid '1'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '4 6t'
	option vid '2'

config switch_vlan
	option device 'switch0'
	option vlan '3'
	option vid '3'
	option ports '3 6t'

# LAN bridge on eth0.1 (VLAN 1). ip6assign hands the ULA prefix to this
# bridge, so LAN hosts do get IPv6; both uplinks below also request IPv6
# ('ipv6 auto'). The mwan3 config further down is IPv4-only, so IPv6 traffic
# is NOT steered by any mwan3 rule — it simply follows the kernel routes.
config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '48'
	option ipaddr '192.168.2.1'

# Primary uplink: PPPoE on VLAN 2. peerdns '0' plus the explicit dns list
# means the ISP-supplied resolvers are ignored. 'metric' sets the route
# metric of this interface's default route; mwan3 needs each uplink to have
# a distinct metric (13 here, 14 for ISP-B).
config interface 'ISP-A'
	option ifname 'eth0.2'
	option proto 'pppoe'
	option macaddr 'XX:XX:XX:XX:XX:XX'
	option username 'user-a'
	option ipv6 'auto'
	list dns '1.1.1.1'
	list dns '1.0.0.1'
	option peerdns '0'
	option password 'password'
	option metric '13'

# Secondary uplink: PPPoE on VLAN 3, same shape as ISP-A.
config interface 'ISP-B'
	option ifname 'eth0.3'
	option proto 'pppoe'
	option macaddr 'XX:XX:XX:XX:XX:XX'
	option username 'user-b'
	option ipv6 'auto'
	list dns '1.1.1.3'
	list dns '1.0.0.3'
	option peerdns '0'
	option password 'password'
	option metric '14'

# WireGuard client tunnel. auto '0' means it is not brought up at boot and
# has to be started by hand. It is placed in the 'wan' firewall zone, so the
# peer is treated as untrusted (see the firewall config).
config interface 'wg0'
	option proto 'wireguard'
	option listen_port '10000'
	option mtu '1320'
	option private_key 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
	list addresses '10.10.10.10/24'
	option auto '0'

# Peer with allowed_ips 0.0.0.0/0 + ::/0 and route_allowed_ips '1': while
# wg0 is up, netifd installs default routes through the tunnel. mwan3 has no
# interface section for wg0, so how that default route interacts with the
# per-host ISP steering is not determined by this config alone —
# NOTE(review): if wg0 is ever used together with mwan3, verify on the live
# system which path LAN traffic actually takes.
# The endpoint 1.2.3.4 is also one of the mwan3 track_ip targets; the tunnel's
# own UDP traffic to 1.2.3.4:443 originates from the router and, like any
# other IPv4 flow, is subject to the mwan3 rules.
config wireguard_wg0
	option persistent_keepalive '25'
	list allowed_ips '0.0.0.0/0'
	list allowed_ips '::/0'
	option endpoint_port '443'
	option route_allowed_ips '1'
	option endpoint_host '1.2.3.4'
	option public_key 'yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy'
	option description 'SG, Server'

Firewall Configuration:


# /etc/config/firewall as posted. Mostly the stock OpenWrt rule set; the
# entries that deserve a second look are marked NOTE(review) / SECURITY.
config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

# LAN zone: fully trusted (input/output/forward all ACCEPT).
config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

# WAN zone holds BOTH PPPoE uplinks AND the WireGuard tunnel. Inbound is
# rejected unless a rule/redirect below allows it; outbound is NATed ('masq')
# and MSS-clamped ('mtu_fix', needed behind PPPoE).
# Because wg0 is a member, every rule/redirect with src 'wan' also applies to
# traffic arriving from the WireGuard peer.
config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wg0'
	list network 'ISP-A'
	list network 'ISP-B'

# LAN -> WAN forwarding (return traffic is matched by conntrack).
config forwarding
	option src 'lan'
	option dest 'wan'

# Stock OpenWrt input rules (DHCP renew, ping, IGMP, DHCPv6, MLD, ICMPv6).
# Harmless; the DHCP-renew rule has no effect on PPPoE uplinks.
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# Stock rules that FORWARD IPsec ESP and IKE (UDP/500) from the internet to
# any LAN host (no dest_ip restriction). NOTE(review): if nothing on the LAN
# terminates IPsec, disable both with `option enabled '0'` so the forward
# policy stays at its default REJECT.
config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

# /etc/firewall.user is not shown in the post; whatever it contains is
# applied on top of these rules.
config include
	option path '/etc/firewall.user'

# SECURITY: this DNAT publishes the router's own TCP/80 — on OpenWrt that is
# normally the LuCI admin UI (confirm with `netstat -ltnp` on the box) — on
# port 8080 of every interface in the 'wan' zone, i.e. both ISPs and the
# WireGuard peer, over plain HTTP. The admin password crosses the internet
# unencrypted and the login page is reachable by anyone who scans either ISP
# address. Prefer removing this redirect and administering the router over
# the WireGuard tunnel or an SSH port-forward. If it has to stay, at least
# (a) restrict it with `option src_ip '<trusted public IP>'`, and (b) point
# it at an HTTPS listener (dest_port '443', requires luci-ssl) instead of 80.
config redirect
	option dest_port '80'
	option src 'wan'
	option name 'Remote-Access'
	option src_dport '8080'
	option target 'DNAT'
	option dest_ip '192.168.2.1'
	option dest 'lan'

# UPnP (miniupnpd): any LAN device can open inbound port mappings on its own.
# Convenient on a home LAN; remove this include if it is not needed.
config include 'miniupnpd'
	option type 'script'
	option path '/usr/share/miniupnpd/firewall.include'
	option family 'any'
	option reload '1'

DHCP Configuration:

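# /etc/config/dhcp as posted, with two corrections:
#  - the 'ISP-B' section pointed at interface 'ISP' (typo) instead of 'ISP-B';
#  - the IPv6 resolver list of the 'lan' pool was written in dhcp_option
#    syntax ('6,addr,addr'); 'list dns' takes one address per entry.
config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
# Refuses upstream answers that point at private ranges (DNS rebinding).
# This only protects clients that actually resolve through dnsmasq — see
# the dhcp_option note in the 'lan' pool below.
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.auto'
	option localservice '1'
# cachesize '0' switches the dnsmasq cache off; every lookup goes upstream.
	option cachesize '0'
	option domain 'we1326.lan'
	option strictorder '1'
	option nonegcache '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'lan'
	option interface 'lan'
	option limit '150'
	option ra 'server'
	option force '1'
	option leasetime '7d'
	option start '101'
# IPv6 resolvers announced via RA/DHCPv6 — one address per entry.
	list dns '2606:4700:4700::1111'
	list dns '2606:4700:4700::1001'
# DHCPv4 option 6 hands clients the public resolvers 1.0.0.1 / 8.8.8.8
# directly, so they bypass dnsmasq: no rebind_protection, and no resolution
# of local names (*.we1326.lan, the 'Special-User' host below) for those
# clients. Remove this line if clients should resolve through the router.
	list dhcp_option '6,1.0.0.1,8.8.8.8'

# There is no 'wan' interface in /etc/config/network (the uplinks are ISP-A
# and ISP-B); this section is a leftover and has no effect.
config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

# No DHCP/RA service on the PPPoE uplinks.
config dhcp 'ISP-A'
	option interface 'ISP-A'
	option ignore '1'

config dhcp 'ISP-B'
	option interface 'ISP-B'
	option ignore '1'

# Static lease for the host the mwan3 'Special-User' rule matches on. That
# rule is keyed on 192.168.2.101, so this address must stay fixed.
config host
	option name 'Special-User'
	option dns '1'
	option mac 'XX:XX:XX:XX:XX:XX'
	option ip '192.168.2.101'
	option leasetime '10d'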

MWAN3 Configuration (updated):

# /etc/config/mwan3 as posted. Requirement from the opening post: ISP-A is
# the default uplink with ISP-B as failover, except 192.168.2.101 which
# should prefer ISP-B and fall back to ISP-A. The rules at the bottom do NOT
# express that yet — see the DEFECT note there.
config globals 'globals'
	option mmx_mask '0x3F00'
	option rtmon_interval '5'

# Health check for ISP-A. family 'ipv4' on both interfaces means mwan3 only
# steers IPv4; IPv6 (the LAN has ip6assign and both WANs have ipv6 'auto')
# is left to the kernel's own routing and is untouched by every rule below.
# Each check sends one ping (count 1) to each track_ip; the link counts as
# up when at least 'reliability' (3) of the 4 targets answer, and is marked
# down after 'down' (3) consecutive failed checks. 1.2.3.4 is the WireGuard
# endpoint from the network config — if it does not answer ICMP, reliability
# 3 leaves no slack for a second unreachable target.
config interface 'ISP-A'
	option initial_state 'online'
	option family 'ipv4'
	option track_method 'ping'
	option count '1'
	option size '56'
	option max_ttl '60'
	option check_quality '0'
	option timeout '2'
	option interval '5'
	option failure_interval '5'
	option recovery_interval '5'
	option down '3'
	option up '3'
	option enabled '1'
	list track_ip '8.8.8.8'
	list track_ip '1.0.0.1'
	list track_ip '74.82.42.42'
	list track_ip '1.2.3.4'
	option reliability '3'
# NOTE(review): in mwan3 the conntrack flush empties the whole table, not
# only this interface's flows, so a flap on either uplink also resets the
# established sessions on the healthy one — verify that is acceptable.
	list flush_conntrack 'ifup'
	list flush_conntrack 'ifdown'

# Same health check for ISP-B.
config interface 'ISP-B'
	option initial_state 'online'
	option family 'ipv4'
	option track_method 'ping'
	option count '1'
	option size '56'
	option max_ttl '60'
	option check_quality '0'
	option timeout '2'
	option interval '5'
	option failure_interval '5'
	option recovery_interval '5'
	option down '3'
	option up '3'
	option enabled '1'
	list track_ip '8.8.8.8'
	list track_ip '1.0.0.1'
	list track_ip '74.82.42.42'
	list track_ip '1.2.3.4'
	option reliability '3'
	list flush_conntrack 'ifup'
	list flush_conntrack 'ifdown'

# Members: one (interface, metric, weight) tuple each; the name encodes the
# metric (mN) and weight (wN). Inside a policy the live member with the
# lowest metric is used; members sharing a metric split flows by weight.
config member 'ISP-A_m1_w3'
	option interface 'ISP-A'
	option metric '1'
	option weight '3'

config member 'ISP-A_m2_w3'
	option interface 'ISP-A'
	option metric '2'
	option weight '3'

config member 'ISP-B_m1_w2'
	option interface 'ISP-B'
	option metric '1'
	option weight '2'

config member 'ISP-B_m2_w2'
	option interface 'ISP-B'
	option metric '2'
	option weight '2'

# Policies. last_resort 'unreachable' (mwan3 option semantics): when every
# member is down, traffic gets an ICMP unreachable instead of falling back
# to the main routing table.
# ISP-A_only / ISP-B_only: a single uplink, no failover.
config policy 'ISP-A_only'
	option last_resort 'unreachable'
	list use_member 'ISP-A_m1_w3'

config policy 'ISP-B_only'
	option last_resort 'unreachable'
	list use_member 'ISP-B_m1_w2'

# balanced: both members at metric 1 -> new flows split 3:2 across the ISPs.
config policy 'balanced'
	option last_resort 'unreachable'
	list use_member 'ISP-A_m1_w3'
	list use_member 'ISP-B_m1_w2'

# ISP-A_ISP-B: ISP-A preferred (metric 1), ISP-B used only while ISP-A is
# down (metric 2). This is the policy the default rule needs.
config policy 'ISP-A_ISP-B'
	list use_member 'ISP-A_m1_w3'
	list use_member 'ISP-B_m2_w2'
	option last_resort 'unreachable'

# ISP-B_ISP-A: the mirror image — the policy the special host needs.
config policy 'ISP-B_ISP-A'
	list use_member 'ISP-A_m2_w3'
	list use_member 'ISP-B_m1_w2'
	option last_resort 'unreachable'

# Rules are evaluated top to bottom, first match wins, so the host-specific
# rule must stay above the catch-all. sticky '0': every new flow is assigned
# independently.
# DEFECT (resolved later in the thread): both rules use 'balanced', so
# 192.168.2.101 gets no preference and every host's flows are spread across
# both ISPs. To match the stated requirement use
#   Special-User  -> option use_policy 'ISP-B_ISP-A'
#   IPv4_Traffic  -> option use_policy 'ISP-A_ISP-B'
config rule 'Special-User'
	option proto 'all'
	option sticky '0'
	option src_ip '192.168.2.101/32'
	option use_policy 'balanced'

config rule 'IPv4_Traffic'
	option dest_ip '0.0.0.0/0'
	option proto 'all'
	option sticky '0'
	option use_policy 'balanced'

I replaced the original interface names with dummy names; I am aware of the interface naming rules on OpenWrt.

This is the same as ISP-A_to_ISP-B
There is a reason the metrics and weights are part of the member names: it makes each member's priority visible at a glance.
If you follow the default configuration example and have the wanb_wan policy using members wanb_m1_w1 and wan_m2_w2 it will work as expected.
The WireGuard traffic rule is not needed, as that traffic falls under the default rule.

I just changed the configuration to this and also removed the WireGuard rule:

# Members and policies, unchanged from the first post. Naming: mN = metric,
# wN = weight. Within a policy the live member with the lowest metric is
# used; members with equal metric share flows in proportion to their weight.
config member 'ISP-A_m1_w3'
	option interface 'ISP-A'
	option metric '1'
	option weight '3'

config member 'ISP-A_m2_w3'
	option interface 'ISP-A'
	option metric '2'
	option weight '3'

config member 'ISP-B_m1_w2'
	option interface 'ISP-B'
	option metric '1'
	option weight '2'

config member 'ISP-B_m2_w2'
	option interface 'ISP-B'
	option metric '2'
	option weight '2'

config policy 'ISP-A_only'
	option last_resort 'unreachable'
	list use_member 'ISP-A_m1_w3'

config policy 'ISP-B_only'
	option last_resort 'unreachable'
	list use_member 'ISP-B_m1_w2'

# Both members at metric 1: flows are split 3:2, no preference for either.
config policy 'balanced'
	option last_resort 'unreachable'
	list use_member 'ISP-A_m1_w3'
	list use_member 'ISP-B_m1_w2'

# ISP-A first, ISP-B only while ISP-A is down: the policy for "everyone else".
config policy 'ISP-A_ISP-B'
	list use_member 'ISP-A_m1_w3'
	list use_member 'ISP-B_m2_w2'
	option last_resort 'unreachable'

# ISP-B first, ISP-A only while ISP-B is down: the policy for 192.168.2.101.
config policy 'ISP-B_ISP-A'
	list use_member 'ISP-A_m2_w3'
	list use_member 'ISP-B_m1_w2'
	option last_resort 'unreachable'

However, I don't understand the m1_w1 concept. Could you please explain it in more detail?
Thanks

|Name|Type|Required|Default|Description|
|---|---|---|---|---|
|metric|number|no|1|Members within one policy with a lower metric have precedence over higher-metric members|
|weight|number|no|1|Members with the same metric share the load in proportion to this weight value|

Still confusing. I guess I have to change this rule:

# With 'balanced' this host's new flows are simply split 3:2 between ISP-A
# and ISP-B — the opposite of "prefer ISP-B, fall back to ISP-A". The policy
# that expresses that requirement is 'ISP-B_ISP-A'.
config rule 'Special-User'
	option proto 'all'
	option sticky '0'
	option src_ip '192.168.2.101/32'
	option use_policy 'balanced'

Can you update those rules to match my requirements? That would make it easier for me to understand, I believe.

Change the policy of the special user to ISP-B_ISP-A. Now you got it right.

It does not seem to be working. Now all devices are using ISP-B.

# Special-User is now correct: ISP-B preferred, ISP-A only while ISP-B is
# down. This rule must stay above the catch-all (first match wins).
config rule 'Special-User'
	option src_ip '192.168.2.101/32'
	option proto 'all'
	option sticky '0'
	option use_policy 'ISP-B_ISP-A'

# Still 'balanced': every other host's flows are spread 3:2 across ISP-A and
# ISP-B, so a share of them leaves via ISP-B. For "ISP-A, fail over to
# ISP-B" this has to be `option use_policy 'ISP-A_ISP-B'`.
config rule 'IPv4_Traffic'
	option dest_ip '0.0.0.0/0'
	option proto 'all'
	option sticky '0'
	option use_policy 'balanced'

# Globals and interface health checks — identical to the first post.
# Both interfaces are family 'ipv4', so IPv6 traffic is not steered by mwan3.
config globals 'globals'
	option mmx_mask '0x3F00'
	option rtmon_interval '5'

# One ping per target per check; up while 3 of the 4 targets answer, marked
# down after 3 consecutive failed checks. The conntrack flush on ifup/ifdown
# is global in mwan3 (not per interface), so a flap on one uplink also resets
# sessions on the other.
config interface 'ISP-A'
	option initial_state 'online'
	option family 'ipv4'
	option track_method 'ping'
	option count '1'
	option size '56'
	option max_ttl '60'
	option check_quality '0'
	option timeout '2'
	option interval '5'
	option failure_interval '5'
	option recovery_interval '5'
	option down '3'
	option up '3'
	option enabled '1'
	list track_ip '8.8.8.8'
	list track_ip '1.0.0.1'
	list track_ip '74.82.42.42'
	list track_ip '1.2.3.4'
	option reliability '3'
	list flush_conntrack 'ifup'
	list flush_conntrack 'ifdown'

config interface 'ISP-B'
	option initial_state 'online'
	option family 'ipv4'
	option track_method 'ping'
	option count '1'
	option size '56'
	option max_ttl '60'
	option check_quality '0'
	option timeout '2'
	option interval '5'
	option failure_interval '5'
	option recovery_interval '5'
	option down '3'
	option up '3'
	option enabled '1'
	list track_ip '8.8.8.8'
	list track_ip '1.0.0.1'
	list track_ip '74.82.42.42'
	list track_ip '1.2.3.4'
	option reliability '3'
	list flush_conntrack 'ifup'
	list flush_conntrack 'ifdown'

# Members and policies — identical to the first post. Lowest metric wins
# inside a policy; equal metrics share flows by weight.
config member 'ISP-A_m1_w3'
	option interface 'ISP-A'
	option metric '1'
	option weight '3'

config member 'ISP-A_m2_w3'
	option interface 'ISP-A'
	option metric '2'
	option weight '3'

config member 'ISP-B_m1_w2'
	option interface 'ISP-B'
	option metric '1'
	option weight '2'

config member 'ISP-B_m2_w2'
	option interface 'ISP-B'
	option metric '2'
	option weight '2'

config policy 'ISP-A_only'
	option last_resort 'unreachable'
	list use_member 'ISP-A_m1_w3'

config policy 'ISP-B_only'
	option last_resort 'unreachable'
	list use_member 'ISP-B_m1_w2'

# Used by the catch-all rule above: 3:2 split, no preference.
config policy 'balanced'
	option last_resort 'unreachable'
	list use_member 'ISP-A_m1_w3'
	list use_member 'ISP-B_m1_w2'

# ISP-A first, ISP-B as failover — what the catch-all rule should use.
config policy 'ISP-A_ISP-B'
	list use_member 'ISP-A_m1_w3'
	list use_member 'ISP-B_m2_w2'
	option last_resort 'unreachable'

# ISP-B first, ISP-A as failover — used by the Special-User rule.
config policy 'ISP-B_ISP-A'
	list use_member 'ISP-A_m2_w3'
	list use_member 'ISP-B_m1_w2'
	option last_resort 'unreachable'

Fix the policy used in the catch-all rule too: IPv4_Traffic still uses 'balanced', and it needs the ISP-A-first failover policy.

I just changed it to:

# Catch-all for all other IPv4 traffic. 'ISP-A_ISP-B' has ISP-A at metric 1
# and ISP-B at metric 2, so ISP-B carries traffic only while ISP-A is marked
# down. Together with the Special-User rule (ISP-B_ISP-A, listed before this
# one so it matches first) this implements the requirement from the opening
# post. IPv6 is still routed by the kernel, not by mwan3 (family 'ipv4').
config rule 'IPv4_Traffic'
	option dest_ip '0.0.0.0/0'
	option proto 'all'
	option sticky '0'
	option use_policy 'ISP-A_ISP-B'

Working great now. Thanks!
