[Solved] Setting up multiple gateways efficiently

I have two routers in a single LAN, both connected to their own modems via their WAN ports. One is a dumb AP (192.168.0.2) and the other handles DHCP (192.168.0.1).

My current configuration of the multiple gateways is inefficient: packets always go through 192.168.0.1 unless I manually change the DHCP gateway to 192.168.0.2 (using DHCP option 3).

This is my /etc/config/network on 192.168.0.1:

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	list ipaddr '192.168.0.1/24'

config interface 'wan'
	option device 'wan'
	option proto 'pppoe'
	option username 'user'
	option password '****'
	option service 'internet'
	option ipv6 'auto'
	option metric '10'

config interface 'wanb'
	option proto 'static'
	option device 'br-lan'
	option ipaddr '192.168.0.1'
	option netmask '255.255.255.0'
	option gateway '192.168.0.2'
	option metric '20'

I am verifying that this works by:

root@192.168.0.1# ip route show
default via <PPPoE_PUBLIC_IP> dev pppoe-wan proto static metric 10 
default via 192.168.0.2 dev br-lan proto static metric 20 

As I said above, when the first WAN connection fails, the packets are routed through the second, but traceroute shows that they are first sent to 192.168.0.1, which sends them back to 192.168.0.2 before they go through the second modem.

If I manually change the DHCP gateway to 192.168.0.2, then I see higher speeds on devices connected to 192.168.0.2 (because they don't need to make that extra trip to 192.168.0.1).

My question is: Does there exist a way to make this switching more efficient? I can imagine, but don't know how to implement:

  • automatically switching the gateway in the DHCP settings (maybe an mwan3 script triggered by some event)
  • changing the network config to have both gateways in the same interface
  • 192.168.0.1 somehow updating routes on 192.168.0.2 for packets meant to go to the internet.

Either you configure two gateways on the clients, or you don't. If you do it, then the clients will decide which gateway to use. If you don't, then all the traffic will go to one router, then the other.

Your lan and wanb interfaces overlap. This seems wrong.

Can you show a system topology diagram, complete with the IP addresses of the infrastructure devices?

Here's a diagram showing the topology

     5G modem
      ┌────┐
      │    │
      │    │
      │    │
      │    │
      └─┬──┘
        │
        │
        │
        │    (192.168.0.2)
        │   Dumb AP router
        │    ┌─────────┐
        │    │         │
        │    │         │
        │    │         │
        │    └─┬──┬─┬──┘
        │     WAN   │
        │     port  │
        │      │    └─────┐       ┌──────┐
        │      │       ┌──┴───────┴──┐   │
        └──────┘       │ LAN     WAN │   │
                       │             │   │
                       │             │   │
                       │             │   │
                       └─────────────┘   │
                       DHCP router       │
                       (192.168.0.1)     │  ┌─────┐
                                         │  │     │
                                         └───     │
                                            │     │
                                            │     │
                                            │     │
                                            └─────┘
                                            GPON modem
                                          (192.168.1.1)

How can I avoid the overlapping interfaces?

What router hardware are you using? Can you give us the brand/model of each unit?

Is there a reason that the 5g modem must physically attach to the dumb ap? Is it an option to connect to the main router instead?

Are both routers running OpenWrt?

Yes bridge the 5G modem into the main router (.1) so that both WANs terminate in that router. This could be either a direct connection or if that is not physically feasible, a VLAN on the cable. Then mwan3 can operate in conventional failover mode.

With that said, if everything is gigabit and with adequate CPU capacity, making a second hop in your LAN should not be a noticeable performance loss against a 5G connection.

@psherman I am using a TP-Link Archer A6v3 on the DHCP router, and TL-WR841ND on the dumb AP. Both are running OpenWRT.

Yes, the 5G modem is logistically easier to connect to the dumb AP. It’s possible to connect to the main router, but will be a huge hassle.

@mk24 I am unable to bridge the 5G modem since it’s owned by the ISP, hence I do not have access to its config page. Could you please explain or point me to how to set up the VLAN on the cable? I am not familiar with this concept.

So the solution, as @mk24 alluded to, is VLANs + mwan3.

You'll run mwan3 on the A6, and the VLANs will be configured on both devices to send the 5G modem's connection to the A6 for routing.

Keep in mind that the continued use of the WR841ND is a bad idea because it is extremely outdated. With only 4/32, it's incapable of running a modern and secure version of OpenWrt -- it must be running an ancient version and has no possibility of upgrades. So you are putting your network at risk by using it.

For each router, let's see:

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network

I appreciate you pointing out the risks. I was not aware how serious it is. I’ll try my best to upgrade this router as soon as I can. Until then, I will have to do with what I have on hand.

Here are the outputs you asked for:

~# ubus call system board
{
        "kernel": "5.4.137",
        "hostname": "",
        "system": "MediaTek MT7621 ver:1 eco:3",
        "model": "TP-Link Archer A6 v3",
        "board_name": "tplink,archer-a6-v3",
        "release": {
                "distribution": "OpenWrt",
                "version": "21.02.0-rc4",
                "revision": "r16256-2d5ee43dc6",
                "target": "ramips/mt7621",
                "description": "OpenWrt 21.02.0-rc4 r16256-2d5ee43dc6"
        }
}

~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option packet_steering '1'
        option ula_prefix 'fd4f:539e:7181::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ip6assign '60'
        list ipaddr '192.168.0.1/24'
        list dns '1.1.1.1'
        list dns '9.9.9.9'
        list dns_search 'local'

config interface 'wan'
        option device 'wan'
        option proto 'pppoe'
        option username '****'
        option password ''
        option service 'internet'
        option ipv6 'auto'
        option metric '10'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'

config interface 'wanbridge'
        option proto 'static'
        option device 'wan'
        option ipaddr '192.168.1.2'
        option netmask '255.255.255.0'

config interface 'wanb'
        option proto 'static'
        option device 'br-lan'
        option ipaddr '192.168.0.1'
        option netmask '255.255.255.0'
        option gateway '192.168.0.2'
        option metric '20'


~# ubus call system board
{
        "kernel": "4.9.243",
        "hostname": "",
        "system": "Qualcomm Atheros QCA9533 ver 2 rev 0",
        "model": "TP-Link TL-WR841N\/ND v11",
        "board_name": "tl-wr841n-v11",
        "release": {
                "distribution": "OpenWrt",
                "version": "18.06.9",
                "revision": "r8077-7cbbab7246",
                "target": "ar71xx\/tiny",
                "description": "OpenWrt 18.06.9 r8077-7cbbab7246"
        }
}

~# cat /etc/config/network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdcf:186b:0cae::/48'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '64'
        option ipaddr '192.168.0.2'

config interface 'wan'
        option ifname 'eth1'
        option proto 'dhcp'
        option type 'bridge'
        option hostname 'AOT-5221ZY'
        option macaddr '14:33:75:e5:25:dd'

config interface 'wan6'
        option ifname 'eth1'
        option proto 'dhcp'
        option macaddr '14:33:75:e5:25:dd'
        option type 'bridge'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '1 2 3 4 0t'

config interface 'guest'
        option proto 'static'
        option netmask '255.255.255.0'
        option gateway '192.168.0.1'
        option ipaddr '192.168.200.1/24'


You don't have to reconfigure anything in the 5G modem. "Bridge" here means to create the effect that its Ethernet cable is connected directly to the C6 by using the 841 as a layer 2 switch.

Since the ports of the 841 are limited to 100 Mb, the best you can ever expect is 94 Mb actual throughput. It won't be further limited by the CPU or OS though since it does have hardware switching which is capable of full line speed.

So this is also ancient -- the firmware here is very old, EOL, and unsupported, too. You should upgrade to 23.05.4 before doing anything else. Direct upgrading while keeping settings is not supported from 21.02 > 23.05, so you'll need to allow the system to reset to defaults as part of the upgrade process (uncheck the Keep settings box).

I'd recommend making a backup of your current config, but do not try to restore that to the upgraded firmware. This backup will only be for your reference as you reconfigure your A6 from scratch. Make note of your ISP's PPPoE credentials so you can easily get back online.

When that's done, post the (near-) default network config from the A6.

I meant to post the link to the firmware selector so you can download the latest:
https://firmware-selector.openwrt.org/?version=23.05.4&target=ramips%2Fmt7621&id=tplink_archer-a6-v3

Thanks for the direct link!

# cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd1d:1c48:0850::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.0.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option device 'wan'
	option proto 'pppoe'
	option username '****'
	option password '****'
	option service '****'
	option ipv6 'auto'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

Ok... so, now we can set up bridge-VLANs to transport the wan from the 5G modem.

This gets added to the network config file.... I'm using port lan4 to connect to the AP, but if this is not the desired port, you can change that in the vlan 2 section.

config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'lan1:u*'
	list ports 'lan2:u*'
	list ports 'lan3:u*'
	list ports 'lan4:u*'

config bridge-vlan
	option device 'br-lan'
	option vlan '2'
	list ports 'lan4:t'

Now we'll edit the lan interface to use br-lan.1

config interface 'lan'
	option device 'br-lan.1'
	option proto 'static'
	option ipaddr '192.168.0.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

And we will add the second wan using br-lan.2.

config interface 'wan2'
	option device 'br-lan.2'
	option proto 'dhcp'

Add wan2 to the wan firewall zone, as well.

Now, let's go ahead and reset the AP to defaults so that we have a fresh config to work with. Once it is reset, go ahead and change its IP address to 192.168.0.2 and turn off the DHCP server on the lan interface. You can also enable wifi. But aside from that, leave the rest of the settings default. When that's done, post your network config file from that device and we'll finish the process.
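
Added example (not part of the thread, and not OpenWrt's own tooling): a small checker for the two mistakes raised above, namely two static interfaces claiming the same subnet (the original lan/wanb pair) and an upstream interface such as wan2 that has not been added to any firewall zone. The function names and the sample firewall zone are assumptions made for illustration.

```python
import ipaddress
import re

def parse_uci(text):
    """Return [(type, name, opts)]; every option/list value is kept in a list."""
    out = []
    pat = r"^[ \t]*(config|option|list)[ \t]+(\S+)(?:[ \t]+'?([^'\n]*)'?)?"
    for kind, key, val in re.findall(pat, text, re.M):
        if kind == "config":
            out.append((key, val, {}))
        else:
            out[-1][2].setdefault(key, []).append(val)
    return out

def nets(opts):
    """Subnets of an interface, from CIDR ipaddr or from ipaddr + netmask."""
    mask = opts.get("netmask", ["32"])[0]
    return [ipaddress.ip_interface(a if "/" in a else f"{a}/{mask}").network
            for a in opts.get("ipaddr", [])]

def audit(network, firewall):
    """Flag overlapping static subnets and upstream interfaces outside every zone."""
    ifaces = {n: o for t, n, o in parse_uci(network) if t == "interface"}
    zoned = {n for t, _, o in parse_uci(firewall) if t == "zone"
             for n in " ".join(o.get("network", [])).split()}
    static = [(n, s) for n, o in ifaces.items() if o.get("proto") == ["static"] for s in nets(o)]
    found = [f"overlap: {a} and {b} share {sa}" for i, (a, sa) in enumerate(static)
             for b, sb in static[i + 1:] if a != b and sa.overlaps(sb)]
    found += [f"unzoned: {n} ({p}) is in no firewall zone" for n, o in ifaces.items()
              for p in o.get("proto", []) if p in ("dhcp", "dhcpv6", "pppoe") and n not in zoned]
    return found

# Constructed sample: the asker's original lan/wanb pair plus the wan2 interface
# from the reply, and a wan zone (assumed) that has not had wan2 added yet.
NETWORK = """config interface 'lan'
    option proto 'static'
    list ipaddr '192.168.0.1/24'
config interface 'wanb'
    option proto 'static'
    option ipaddr '192.168.0.1'
    option netmask '255.255.255.0'
config interface 'wan2'
    option proto 'dhcp'
"""
FIREWALL = """config zone
    option name 'wan'
    option network 'wan wan6'
"""
print("\n".join(audit(NETWORK, FIREWALL)))
```

Run against the real files, pass the contents of /etc/config/network and /etc/config/firewall; an empty result means neither condition was found.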

@psherman Just to confirm, do I have to add two sections with the same name bridge-vlan?

Assuming the last line is option proto 'dhcp'

yes, two sections. One of them is for VLAN 1 (lan) and the other is for VLAN 2 (wan2).

Added two bridge-vlan sections, a wan2 section, and edited lan to use br-lan.1 instead of br-lan.

Then added wan2 to the red firewall zone containing wan and wan6.

Reset the dumb AP router to defaults, set its IP to 192.168.0.2, turned off DHCP.

root@dumbAP: ~# cat /etc/config/network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdda:af3d:f38f::/48'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.0.2'

config interface 'wan'
        option ifname 'eth1'
        option proto 'dhcp'

config interface 'wan6'
        option ifname 'eth1'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '1 2 3 4 0t'

The dumb AP isn't able to reach the internet with this config. I guess that's because I didn't set a gateway with the static IP.

Ok... now, for this very old version of OpenWrt, I honestly don't remember the correct syntax for bridging the wan port with the lan ports, (it's just too old for it to remain in resident memory). So I'm going to recommend that we use 2 of the lan ports instead of the wan port.

The logical port numbers on the switch do not correspond directly to the physical port numbers on the device. I'm going to guess that the v11 follows the same structure as the v9 and v10, but this could be incorrect.

We'll (try to) make physical port 4 the connection to the 5G modem, and physical port 3 the connection to the main router.

We'll take logical port 1 out of VLAN 1 (this may or may not be physical port 4) like this:

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '2 3 4 0t'

Now, we'll create VLAN 2 on the switch with physical port 3 (logical port 2) tagged and physical port 4 (logical port 1) untagged like this:

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '1 2t'

Now, reboot the AP after these changes are complete. Connect the cable coming from the main router to physical port 3, and connect the 5G modem to physical port 4. You may need to restart the wan2 interface on the main router after this. If all works properly, we'll see the wan2 interface get an IP address via DHCP from the 5G modem.

Report back when you have done this and can tell us if the above was successful or not.
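
Added example (not from the thread): a reading of the two switch_vlan 'ports' values proposed above, showing which logical port ends up as the trunk, which VLANs are handed to the AP's own CPU, and whether any port is left untagged in more than one VLAN. The function names are assumptions; only the 't' suffix used in the thread is handled.

```python
from collections import defaultdict

# The two switch_vlan 'ports' values proposed in the thread for switch0 on the AP.
THREAD_VLANS = {1: "2 3 4 0t", 2: "1 2t"}
CPU_PORT = 0  # taken from the '0t' entry in the thread's config

def port_table(vlans):
    """Map logical port -> {'untagged': [vids], 'tagged': [vids]}."""
    table = defaultdict(lambda: {"untagged": [], "tagged": []})
    for vid, ports in sorted(vlans.items()):
        for tok in ports.split():
            mode = "tagged" if tok.endswith("t") else "untagged"
            table[int(tok.rstrip("t"))][mode].append(vid)
    return dict(table)

def review(vlans, cpu_port=CPU_PORT):
    """Return trunk ports, the VLANs the AP's own CPU can see, and config errors."""
    table = port_table(vlans)
    cpu = table.pop(cpu_port, {"untagged": [], "tagged": []})
    return {
        "trunks": sorted(p for p, m in table.items() if m["tagged"]),
        "cpu_vlans": sorted(cpu["untagged"] + cpu["tagged"]),
        # Untagged ingress frames can be assigned to only one VLAN, so a port
        # listed untagged in two VLANs is a misconfiguration.
        "multi_untagged": sorted(p for p, m in table.items() if len(m["untagged"]) > 1),
    }

print(review(THREAD_VLANS))
```

With the thread's values the CPU port is a member of VLAN 1 only, so VLAN 2 (the modem side) is forwarded by the switch hardware and is not delivered to the AP's operating system.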

Will this let me plug in other devices to the remaining lan ports of the dumb AP? In case our port numbers are wrong I might also need to connect to it directly instead of through the other router's WiFi.

Yes, you can use the other two ports for other devices.
