Simple IP-Forwarding

I have a network 192.168.1.0/24 in which an OpenWrt router (25.12.04-rc4) is accessible at 192.168.1.1 and is intended to serve as the central gateway. Within the same network, I have two potential internet gateways available at 192.168.1.2 and 192.168.1.3. I would like to configure the OpenWrt router at 192.168.1.1 to automatically switch between gateways 192.168.1.2 and 192.168.1.3 if necessary.

The router is running in a virtualized environment, and I would prefer to handle this through a single network interface, but I can add any number of additional network cards.

What is the most efficient way to achieve this?

Called mwan....

Of course, this works if you want to use OpenWRT as a “real” router. However, I would like it considerably simpler.
I would like to somehow replicate Keepalived since most devices don't allow this directly.
Therefore an upstream OpenWRT VM, which can be entered as a standard gateway for hosts and bluntly points to an active GW. No fuss or fancy fat stuff.

vrrp carp keepalived etc would help you to put 2 routers for each of those gateways, not balance load in any way.

Unfortunately, very few routers support VRRP etc. That's why I'm asking.

You don't need openwrt per se, but a router is needed to bend connections, like vyos or pfsense to mention a few more.

In principle, OpenWRT can do far too much for my needs. I just want a kind of switch to change from internet access point A to B.

Not tested, but if you do not want to install additional software:
make a default route to gw1.
make a script which pings through gw1 (-I) and, if not successful, insert a default route to gw2 with a lower metric.
if successful again, delete the default route through gw2.
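The route-switching approach sketched in this reply, written out as an added example for OpenWrt's busybox shell (not code from the thread or from the OpenWrt project). It assumes a single LAN interface br-lan, an external probe host 1.1.1.1 and the metric values shown; the gateway addresses are the ones from the original question, and a /32 host route keeps the probe going via gw1 even after failover so that recovery can be detected.

```shell
#!/bin/sh
# Added example: default-route failover on OpenWrt (POSIX sh / busybox ash).
# gw1 is the normal default route; after FAIL_THRESHOLD failed probes via gw1
# a default route via gw2 with a lower metric is inserted, and removed again
# as soon as a probe through gw1 succeeds. IFACE, PROBE and metrics are assumptions.
GW1="${GW1:-192.168.1.2}"   # primary gateway (from the question)
GW2="${GW2:-192.168.1.3}"   # failover gateway (from the question)
IFACE="${IFACE:-br-lan}"    # single LAN interface (assumption)
PROBE="${PROBE:-1.1.1.1}"   # external host probed through gw1 (assumption)
PRIMARY_METRIC=10           # metric of gw1's default route
FAILOVER_METRIC=5           # lower value wins while gw2 is active
FAIL_THRESHOLD=3            # consecutive failures before switching
INTERVAL=30

# Pure decision logic (testable without root):
# next_state <state> <fails> <probe_ok 0|1> -> prints "<state> <fails>"
next_state() {
    if [ "$3" = 1 ]; then echo "primary 0"; return; fi   # one good probe restores gw1
    ns_fails=$(($2 + 1))
    if [ "$ns_fails" -ge "$FAIL_THRESHOLD" ]; then echo "failover $ns_fails"
    else echo "$1 $ns_fails"; fi
}
# A /32 host route pins the probe to gw1, so gw1 is still measured while
# user traffic already flows via gw2.
probe_via_gw1() {
    ip route replace "$PROBE/32" via "$GW1" dev "$IFACE"
    if ping -c 1 -W 2 "$PROBE" >/dev/null 2>&1; then echo 1; else echo 0; fi
}
apply_state() {
    case $1 in
        failover) ip route replace default via "$GW2" dev "$IFACE" metric "$FAILOVER_METRIC" ;;
        primary)  ip route del default via "$GW2" dev "$IFACE" metric "$FAILOVER_METRIC" 2>/dev/null ;;
    esac
}
monitor() {
    ip route replace default via "$GW1" dev "$IFACE" metric "$PRIMARY_METRIC"
    state=primary; fails=0
    while :; do
        set -- $(next_state "$state" "$fails" "$(probe_via_gw1)")
        if [ "$1" != "$state" ]; then
            logger -t gwfailover "switching default route to $1 gateway"
            apply_state "$1"
        fi
        state=$1; fails=$2; sleep "$INTERVAL"
    done
}
# Run as root: sh gwfailover.sh run  (without "run" only the functions are defined)
if [ "${1:-}" = run ]; then monitor; fi
```

Recovery happens on the first successful probe, so on a flapping uplink you would want a matching success threshold before switching back.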

Please clarify.
If your question is if you are able to use keepalived with OpenWrt then yes of course. Sry, silly question :sweat_smile:

Mwan3 for cable based connection or travel mate for wireless setups, as far as I have followed similar requests here....

The problem is "pings" - if you want a simple enterprise router to fail over you need the port link to go down. Here you need software pinging the line.

There are different approaches on different firewalls I mentioned.

After playing with OpenWRT a lot, my mallet method is virtualization. So just two OpenWRT instances with the simplest setup, which I activate when necessary.
It's a shame, because in my opinion it belongs in a router.
Maybe I'm too stupid to map two different gateways within one subnet without installing additional extensions.

Sry but does not compute.
This sentence does not make any sense.

If you want two devices offering high availability then you need at least keepalived which uses the vrrp.
If you need Uplink failover then it's PBR and mwan3 is doing the heavy lifting for you.

I have two Openwrt VMs with IP 192.168.1.1
A gateway runs at 192.168.1.253 and
another at 192.168.1.254.
Openwrt-1 has .253 as a gateway and
Open-Wrt-2 .254.
A mini script checks internet availability every 30s using the external IPs of the gateways. If it fails, Openwrt-2 takes the place of Openwrt-1 and vice versa. Only 10 lines of bash script are added to the already existing virtualization server.
I couldn't find how I could do this simple transfer more elegantly with just an openwrt, without thick and complex extensions. The nicest thing would of course be to be able to specify several gateways, similar to the definition of DNS servers.

Please do some research.
Your proposed setup is... Not ideal....

https://www.keepalived.org/manpage.html and if you want to dig a little bit deeper on the theory and background then https://en.wikipedia.org/wiki/Virtual_Router_Redundancy_Protocol

And PBR config is another topic. You need to carefully craft it together and no, there is no single or super simple solution to these kinds of setups.

Even Keepalived is overkill for my purposes. My simple solution involves just two slightly different OpenWrt instances, each with a differently defined gateway. I can even activate them completely transparently by manually switching instances. Even the automatic gateway check is almost overkill. As I mentioned, specifying a failover gateway within OpenWrt would be much more elegant. However, Keepalived/VRRP makes my requirements unnecessarily complex. As soon as I need more than just simple failover, Keepalived is the right tool. Or the mwan3 extension.

In OpenWrt, that's usually done with this, but I guess you're implying that's not simple enough.

Glad you solved it, perhaps you'll share your simple script so developers can consider it.

Try to find vyos cgnat module for inspiration.

Sry for mixing German/English.
Feel free to ask if you have any questions.

Here's my script running on a Proxmox host:

#!/bin/bash

MAILTO="mail@company.com"
COMPANY="Umbrella Corporation"
SLEEPTIME=30      # we check every 30s
LINKEDBY="bond0:" # single interface, vmbr or bond
MASTERNAME="OpenWRT Master (VM 900) mit Gateway (192.168.1.254)"
FAILOVERNAME="OpenWRT Failover (VM 901) mit Gateway (192.168.1.247)"

while true; do
  sleep $SLEEPTIME

  # The checks have to run inside the loop; evaluated once before it they would never change.
  EXTERNALMASTERIP=$(nmap -p 22 gw.umbrella.de | grep open | wc -l)   # master gateway reachable from outside?
  INTERNET=$(nmap -p 53 8.8.8.8 | grep open | wc -l)                   # internet reachable at all?
  MASTERGW=$(nmap -p 53 192.168.1.254 | grep open | wc -l)
  FAILOVERGW=$(nmap -p 53 192.168.1.247 | grep open | wc -l)
  RUNNINGMASTER=$(qm list | grep 900 | grep running | wc -l)
  RUNNINGFAILOVER=$(qm list | grep 901 | grep running | wc -l)
  LINKED=$(ip link show | grep $LINKEDBY | grep "state UP" | wc -l)    # are we ourselves reachable on the network?

  if [ "$LINKED" == 1 ]; then             # connection active
    if [ "$FAILOVERGW" == 1 ]; then       # failover possible
      if [ "$INTERNET" == 0 ]; then       # inet absent
        if [ "$RUNNINGMASTER" == 1 ]; then
          MSG="Gateway über $MASTERNAME ist ausgefallen, $FAILOVERNAME wird aktiviert."
#          qm start 901
#          qm shutdown 900
#          echo "FAILOVER $COMPANY: Failover." | mutt -s "FAILOVER $COMPANY: $MSG" -- $MAILTO
        fi
      else
        if [ "$EXTERNALMASTERIP" == 1 ]; then
          if [ "$RUNNINGFAILOVER" == 1 ]; then
            MSG="Master-Gateway über $MASTERNAME ist wieder verfügbar. $FAILOVERNAME wird deaktiviert."
#            qm start 900
#            qm shutdown 901
#            echo "FAILOVER $COMPANY: Recover" | mutt -s "$MSG" -- $MAILTO
          fi
        fi
      fi
    else
      echo "Failover-Gateway nicht verfügbar."
    fi
  else
    echo "Wir sind offline und damit nutzlos."
  fi
done

Given the chance I start to annoy you...
Please have a look at the already mentioned tool and ask yourself the question if you really wanna miss the opportunity of the existing tools which will ensure proper state handling. Like with vrrp and keepalived, which weights the different factors for you.
How critical is the loss of an interface or of a route? How many failures of a check script are OK or not? Under which conditions is an action triggered and so on.

And with mwan3 you get all the pbr magic and voodoo and chicken bones for free. Just saying.