Suggestion Mwan3: use ipset for source of rules not destination

Hi every one,

First of all thanks for all your efforts bringing us OpenWRT and Mwan3.

In my home setup I have 3 internet connections(cheap but slow, fast but expensive, backup 4g) and 2 VPNs(work and other stuff). I successfully have created all the needed rules to distribute traffic based on different criteria.

As a remote worker, I have two type of devices, the work devices that use fast internet and others. I use source IP of the machine to distinguish them in a rule. Occasionally I need to move one device from one type of device to another. This cause Mwan3 to restart, that takes about a minuet or so on my Archer C5 device. This time is two much for me and normally I need to do this kind of stuff when I have a meeting or I'm in a hurry. To solve this problem I suggest to use ipset in source parts of rules. I already have used ipset and dnsmasq to route some wesites dynamically without need to restart Mwan3.

I have two questions:
1- Is it possible or not?
2- In source code, where I need to change to make this happen? I have some experience in Linux that I think I can contribute to Mwan3


Hi Yazdan,

code for destination rules is in mwan3 script
row (908) creates syntax for ipset matching as destination in iptables rule.
row (984) and (997) is using it.

I think is posible to just replace

ipset="-m set --match-set $ipset dst"


ipset="-m set --match-set $ipset src"

But you will lost ipset list for destination.

In luci webpage for rule configuration is not clear that ipset is destination, but I have no idea where are webpages for luci stored to change them.

1 Like

Hi @g.L.77,

Sorry for my late response, I am busy these days. I've added source ipset to the package, and I don't know how to submit the changes to the uptream packages, so I send the patch here for you to see.

---	2021-04-07 10:11:43.706717500 +0430
+++	2021-04-07 10:09:45.556113500 +0430
@@ -870,6 +870,7 @@
 	config_get sticky "$1" sticky 0
 	config_get timeout "$1" timeout 600
 	config_get ipset "$1" ipset
+	config_get ipset_src "$1" ipset_src
 	config_get proto "$1" proto all
 	config_get src_ip "$1" src_ip
 	config_get src_iface "$1" src_iface
@@ -883,6 +884,7 @@
 	[ -z "$dest_ip" ] && unset dest_ip
 	[ -z "$src_ip" ] && unset src_ip
 	[ -z "$ipset" ] && unset ipset
+	[ -z "$ipset_src" ] && unset ipset_src
 	[ -z "$src_port" ]  && unset src_port
 	[ -z "$dest_port" ]  && unset dest_port
 	[ "$proto"  != 'tcp' ]  && [ "$proto" != 'udp' ] && {
@@ -908,6 +910,10 @@
 		ipset="-m set --match-set $ipset dst"
+	if [ -n "$ipset_src" ]; then
+		ipset_src="-m set --match-set $ipset_src src"
+	fi
 	if [ -n "$use_policy" ]; then
 		if [ "$use_policy" = "default" ]; then
 			policy="MARK --set-xmark $MMX_DEFAULT/$MMX_MASK"
@@ -982,6 +988,7 @@
 				     ${src_dev:+-i} $src_dev \
 				     ${dest_ip:+-d} $dest_ip \
 				     $ipset \
+					 $ipset_src \
 				     ${src_port:+-m} ${src_port:+multiport} ${src_port:+--sports} $src_port \
 				     ${dest_port:+-m} ${dest_port:+multiport} ${dest_port:+--dports} $dest_port \
 				     -m mark --mark 0/$MMX_MASK \
@@ -995,6 +1002,7 @@
 			     ${src_dev:+-i} $src_dev \
 			     ${dest_ip:+-d} $dest_ip \
 			     $ipset \
+				 $ipset_src \
 			     ${src_port:+-m} ${src_port:+multiport} ${src_port:+--sports} $src_port \
 			     ${dest_port:+-m} ${dest_port:+multiport} ${dest_port:+--dports} $dest_port \
 			     -m mark --mark 0/$MMX_MASK \


--- ruleconfig.lua.orig	2021-04-07 10:17:02.046926600 +0430
+++ ruleconfig.lua	2021-04-07 10:15:50.746383200 +0430
@@ -60,6 +60,13 @@
+ipset_src = mwan_rule:option(Value, "ipset_src", translate("IPset SRC"),
+        translate("Name of IPset source rule."))
+ipset_src:value("", translate("-- Please choose --"))
+for _, z in ipairs(ipsets) do
+        ipset_src:value(z)
 logging = mwan_rule:option(Flag, "logging", translate("Logging"),
 	translate("Enables firewall rule logging (global mwan3 logging must also be enabled)"))


Hi @yazdan.

Might be worth highlighting this to @feckert and @aaronjg. You can submit a PR to the mwan3 package directly here:

1 Like