Secondary wan not working

jetberrocal · May 30, 2026, 12:27am

I created a secondary WAN and install/configure mwan3.

The mwan3 is working fine by detecting port disconnection of each WAN, but the secondary wan is not working correctly.in the sense that it can't ping to external ip's.

Here are my basic config files.

firewall config file -

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name wan
	list network 'wan'
	list network 'wan6'
	option input REJECT
	option output ACCEPT
	option forward REJECT
	option masq 1
	option mtu_fix 1

config forwarding
	option src lan
	option dest wan

config zone
	option name wan2
	list network 'wan2'
	option input REJECT
	option output ACCEPT
	option forward REJECT
	option masq 1
	option mtu_fix 1

config forwarding
	option src lan
	option dest wan2

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

network config file -

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd97:7985:3a6a::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config device
	option name 'eth0.2'
	option macaddr 'a0:04:60:1a:c1:da'

config interface 'wan'
	option device 'eth0.2'
	option proto 'dhcp'
	option metric '10'

config interface 'wan6'
	option device 'eth0.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0t 1 2 3'
	option vid '1'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '0t 5'
	option vid '2'

config switch_vlan
	option device 'switch0'
	option vlan '3'
	option ports '0t 4'
	option vid '3'

config interface 'wan2'
	option proto 'dhcp'
	option device 'eth0.3'
	option metric '20'

psherman · May 30, 2026, 12:30am

Does your wan2 interface have an IP? If so, what is the output of the ifstatus wan2 | grep address (only post the first two octets -- in bold aaa.bbb.ccc.ddd)

jetberrocal · May 30, 2026, 12:50am

ifstatus wan2 | grep 10.35.126.186
"address": "10.35.126.186",
"source": "10.35.126.186/32"

jetberrocal · May 30, 2026, 12:51am

ifstatus wan2 | grep address
"ipv4-address": [
"address": "10.35.126.186",
"ipv6-address": [
"ipv4-address": [
"ipv6-address": [

jetberrocal · May 30, 2026, 12:54am

Both, wan and wan2 are set to DHCP client

psherman · May 30, 2026, 1:01am

next time, just post the first 2 octets. Fortunately, your IP is not a public IP so it doesn't matter here.

When you try to ping with the first wan disconnected, what happens when you ping 8.8.8.8?

jetberrocal · May 30, 2026, 8:21pm

PING 8.8.8.8 (8.8.8.8): 56 data bytes

--- 8.8.8.8 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss

psherman · May 30, 2026, 8:28pm

What happens if you connect your secondary wan to the primary wan interface? Does that result in a working connection?

(The goal is to determine if the secondary wan connection possibly not working as expected, or if this is purely a mwan3/router config issue.

AndrewZ · May 30, 2026, 8:28pm

Show ip r output.
When ping'ing specify the source IP/interface: ping -I 10.35.126.186 8.8.8.8

jetberrocal · May 30, 2026, 11:29pm

When I disconnect WAN2 ping is successful, when I disconnect WAN ping fails.
But the mwan3 detects each event successfully.

I am using the GUI Menu / Diagnostics to do the ping.
Using a ssh session, when both, wan and wan2 are connected, doing ping -I 10.35.126.186 8.8.8.8 it is successful.

dl12345 · May 31, 2026, 12:28am

The crucial missing piece of diagnostic information is the contents of your /etc/config/mwan3

jetberrocal · June 1, 2026, 1:55am

mwan3

config globals 'globals'
	option mmx_mask '0x3F00'

config interface 'wan'
	option enabled '1'
	option initial_state 'online'
	option family 'ipv4'
	list track_ip '4.2.2.1'
	list track_ip '4.2.2.2'
	list track_ip '8.8.8.8'
	list track_ip '8.8.4.4'
	option track_method 'ping'
	option reliability '1'
	option count '1'
	option size '56'
	option max_ttl '60'
	option timeout '4'
	option interval '10'
	option failure_interval '5'
	option recovery_interval '5'
	option down '5'
	option up '5'

config interface 'wan2'
	option enabled '1'
	option initial_state 'online'
	option family 'ipv4'
	list track_ip '4.2.2.1'
	list track_ip '4.2.2.2'
	list track_ip '8.8.8.8'
	list track_ip '8.8.4.4'
	option track_method 'ping'
	option reliability '1'
	option count '1'
	option size '56'
	option max_ttl '60'
	option timeout '4'
	option interval '10'
	option failure_interval '5'
	option recovery_interval '5'
	option down '5'
	option up '5'

config member 'wan_member'
	option interface 'wan'
	option metric '1'
	option weight '1'

config member 'wan2_member'
	option interface 'wan2'
	option metric '2'
	option weight '2'

config policy 'wan_to_wan2'
	list use_member 'wan_member'
	list use_member 'wan2_member'
	option last_resort 'unreachable'

config rule 'all'
	option proto 'all'
	option src_ip '192.168.1.1/24'
	option dest_ip '0.0.0.0/0'
	option sticky '0'
	option use_policy 'wan_to_wan2'