Sorry for the long post. And thanks in advance for any help or suggestions.
I am new to OpenWRT and using it for the past 3 months. Have switched to OpenWRT for Multi WAN, Failover and Guest WiFi segregation to separate WAN and LAN.
Goal:
Manage two internet connection (primary, lets say P1 and secondary P2) in one device using Multi WAN (mwan3).
Create failover for all clients.
Create a two networks primary (lets say N1 for known devices, 3 LAN ports and WiFi both 2.4 Ghz and 5 Ghz) and secondary (N2 for guest devices, only WiFi Guest 2.4 Ghz).
Devices in N1 will connect to P1 and failover to P2. Devices in N2 will connect to P2 and failover to P1.
What did I do?
Installed and configured mwan3 by following https://openwrt.org/docs/guide-user/network/wan/multiwan/mwan3
Configured additional interface "wanb". Assigned metric 10 to "wan" (P1) and metric 20 to "wanb" (P2).
Configured 4 members wan_1, wan_2, wan_3 and wan_4 with the interfaces wan, wanb, wanb and wan respectively. These had the metric 10, 20, 30 and 40 in the respective order.
Created 2 policies wan_wanb with members wan_1 and wan_2 and another wanb_wan with members wan_3 and wan_4.
Created necessary rules - https, default_rule_v4 and default_rule_v6 for N1 and https_2, default_rule_v4_2 and default_rule_v6_2 for N2 by using different subnet for N1 and N2 and source address filter in the rules.
Created guest LAN by following https://openwrt.org/docs/guide-user/network/wifi/guestwifi/configuration_webinterface
Created a new wireless configuration for 2.4 Ghz wlan1-1, attached it to a new interface guest and assigned firewall rules.
Problem:
Any help is much appreciated.
trendy
July 17, 2021, 8:42pm
2
Please run the following commands (copy-paste the whole block) and paste the output here, using the "Preformatted text </> " button:
ubus call system board; \
uci export network; uci export wireless; \
uci export dhcp; uci export firewall; \
head -n -0 /etc/firewall.user; uci export mwan3; \
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru
1 Like
root@HomeRoutr:~# ubus call system board; \
> uci export network; uci export wireless; \
> uci export dhcp; uci export firewall; \
> head -n -0 /etc/firewall.user; uci export mwan3; \
> ip -4 addr ; ip -4 ro li tab all ; ip -4 ru
{
"kernel": "4.14.221",
"hostname": "HomeRoutr",
"system": "Qualcomm Atheros QCA9558 ver 1 rev 0",
"model": "TP-Link Archer C7 v2",
"board_name": "archer-c7",
"release": {
"distribution": "OpenWrt",
"version": "19.07.7",
"revision": "r11306-c4a6851c72",
"target": "ar71xx/generic",
"description": "OpenWrt 19.07.7 r11306-c4a6851c72"
}
}
package network
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix '##MASKED##'
config interface 'lan'
option type 'bridge'
option ifname 'eth1.1'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
option ipaddr '192.168.150.150'
config interface 'wan'
option type 'bridge'
option proto 'dhcp'
option metric '10'
option ifname 'eth0.2'
list dns '8.8.8.8'
list dns '8.8.4.4'
option peerdns '0'
config interface 'wan6'
option proto 'dhcpv6'
option type 'bridge'
option reqprefix 'auto'
option reqaddress 'try'
option ifname 'eth0.2'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '0t 2 3 4'
option vid '1'
config switch_vlan
option device 'switch0'
option vlan '2'
option ports '1 6t'
option vid '2'
config interface 'wwan'
option proto 'dhcp'
config interface 'guest'
option proto 'static'
option netmask '255.255.255.0'
option ipaddr '192.168.160.160'
config switch_vlan
option device 'switch0'
option vlan '3'
option vid '3'
option ports '5 6t'
config interface 'wanb'
option ifname 'eth0.3'
option type 'bridge'
option proto 'dhcp'
option metric '20'
list dns '8.8.8.8'
list dns '8.8.4.4'
option peerdns '0'
package wireless
config wifi-device 'radio0'
option type 'mac80211'
option hwmode '11a'
option path 'pci0000:01/0000:01:00.0'
option htmode 'VHT80'
option legacy_rates '0'
option channel 'auto'
config wifi-device 'radio1'
option type 'mac80211'
option hwmode '11g'
option path 'platform/qca955x_wmac'
option htmode 'HT20'
option legacy_rates '0'
option country 'IN'
option channel 'auto'
config wifi-iface 'wifinet1'
option device 'radio1'
option mode 'ap'
option network 'lan'
option macfilter 'allow'
option key '##MASKED##'
option ssid 'Home Main'
list maclist '##MASKED##'
list maclist '##MASKED##'
list maclist '##MASKED##'
option encryption 'psk2+ccmp'
config wifi-iface 'wifinet3'
option network 'guest'
option key '##MASKED##'
option device 'radio1'
option mode 'ap'
option hidden '1'
option ssid 'Home Guest'
option encryption 'psk2+ccmp'
option isolate '1'
config wifi-iface 'wifinet2'
option ssid 'Home Main'
option device 'radio0'
option mode 'ap'
option key '##MASKED##'
option network 'lan'
option encryption 'psk2+ccmp'
package dhcp
config dnsmasq
option domainneeded '1'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.auto'
option localservice '1'
config dhcp 'lan'
option interface 'lan'
option leasetime '12h'
option dhcpv6 'server'
option ra 'server'
option limit '15'
option ra_management '1'
option start '151'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
config dhcp 'guest'
option leasetime '12h'
option interface 'guest'
option limit '10'
option start '161'
config host
option mac '##MASKED##'
option dns '1'
option name 'HomePrinter'
option ip '192.168.150.190'
package firewall
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option network 'lan'
option masq '1'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
option network 'wan wan6 wwan wanb'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config include
option path '/etc/firewall.user'
config zone
option network 'guest'
option forward 'REJECT'
option name 'guest'
option output 'ACCEPT'
option input 'REJECT'
config rule
option dest_port '67-68'
option src 'guest'
option name 'Guest DHCP'
option target 'ACCEPT'
list proto 'udp'
config rule
option dest_port '53'
option src 'guest'
option name 'Guest DNS'
option target 'ACCEPT'
config rule
option src 'guest'
option name 'Guest Block'
option dest 'lan'
option target 'DROP'
list dest_ip '192.168.150.0/24'
list dest_ip '192.168.100.0/24'
list proto 'all'
config forwarding
option dest 'wan'
option src 'guest'
# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.
# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
package mwan3
config globals 'globals'
option mmx_mask '0x3F00'
option rtmon_interval '5'
config interface 'wan'
option enabled '1'
list track_ip '8.8.4.4'
list track_ip '8.8.8.8'
list track_ip '#MASKED##'
list track_ip '##MASKED##'
option family 'ipv4'
option reliability '2'
option count '1'
option timeout '2'
option interval '5'
option down '3'
option initial_state 'online'
option track_method 'ping'
option size '56'
option max_ttl '60'
option check_quality '0'
option failure_interval '5'
option recovery_interval '5'
option up '3'
list flush_conntrack 'ifup'
list flush_conntrack 'ifdown'
config interface 'wan6'
option enabled '0'
list track_ip '##MASKED##'
list track_ip '##MASKED##'
list track_ip '##MASKED##'
list track_ip '##MASKED##'
option family 'ipv6'
option reliability '2'
option count '1'
option timeout '2'
option interval '5'
option down '3'
option up '8'
config interface 'wanb'
list track_ip '8.8.4.4'
list track_ip '8.8.8.8'
list track_ip '##MASKED##'
list track_ip '##MASKED##'
option family 'ipv4'
option reliability '1'
option count '1'
option timeout '2'
option interval '5'
option down '3'
option up '8'
option initial_state 'online'
option track_method 'ping'
option size '56'
option max_ttl '60'
option check_quality '0'
option failure_interval '5'
option recovery_interval '5'
option enabled '1'
list flush_conntrack 'ifup'
list flush_conntrack 'ifdown'
config interface 'wanb6'
option enabled '0'
list track_ip '##MASKED##'
list track_ip '##MASKED##'
list track_ip '##MASKED##'
list track_ip '##MASKED##'
option family 'ipv6'
option reliability '1'
option count '1'
option timeout '2'
option interval '5'
option down '3'
option up '8'
config policy 'wan_wanb'
option last_resort 'unreachable'
list use_member 'wan_2'
list use_member 'wan_1'
config rule 'https'
option sticky '1'
option dest_port '443'
option proto 'tcp'
option use_policy 'wan_wanb'
option src_ip '192.168.150.0/24'
config rule 'default_rule_v4'
option dest_ip '0.0.0.0/0'
option family 'ipv4'
option proto 'all'
option sticky '0'
option use_policy 'wan_wanb'
option src_ip '192.168.150.0/24'
config rule 'default_rule_v6'
option dest_ip '::/0'
option family 'ipv6'
option proto 'all'
option sticky '0'
option use_policy 'wan_wanb'
option src_ip '192.168.150.0/24'
config member 'wan_1'
option interface 'wan'
option metric '10'
option weight '10'
config member 'wan_2'
option interface 'wanb'
option metric '20'
option weight '20'
config member 'wan_3'
option interface 'wanb'
option metric '30'
option weight '30'
config member 'wan_4'
option interface 'wan'
option metric '40'
option weight '40'
config policy 'wanb_wan'
list use_member 'wan_3'
list use_member 'wan_4'
option last_resort 'unreachable'
config rule 'https_2'
option src_ip '192.168.160.0/24'
option dest_port '443'
option proto 'tcp'
option sticky '1'
option use_policy 'wanb_wan'
config rule 'default_rule_v4_2'
option src_ip '192.168.160.0/24'
option dest_ip '0.0.0.0/0'
option proto 'all'
option sticky '0'
option use_policy 'wanb_wan'
config rule 'default_rule_v6_2'
option src_ip '192.168.160.0/24'
option dest_ip '::/0'
option proto 'all'
option sticky '0'
option use_policy 'wanb_wan'
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
6: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
inet 192.168.150.150/24 brd 192.168.150.255 scope global br-lan
valid_lft forever preferred_lft forever
8: br-wan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
inet 192.168.50.10/24 brd 192.168.50.255 scope global br-wan
valid_lft forever preferred_lft forever
11: br-wanb: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
inet 192.168.100.10/24 brd 192.168.100.255 scope global br-wanb
valid_lft forever preferred_lft forever
16: wlan1-1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
inet 192.168.160.160/24 brd 192.168.160.255 scope global wlan1-1
valid_lft forever preferred_lft forever
default via 192.168.50.1 dev br-wan table 1 metric 10
192.168.50.0/24 dev br-wan table 1 proto static scope link metric 10
192.168.100.0/24 dev br-wanb table 1 proto static scope link metric 20
192.168.150.0/24 dev br-lan table 1 proto kernel scope link src 192.168.150.150
192.168.160.0/24 dev wlan1-1 table 1 proto kernel scope link src 192.168.160.160
default via 192.168.100.1 dev br-wanb table 3 metric 20
192.168.50.0/24 dev br-wan table 3 proto static scope link metric 10
192.168.100.0/24 dev br-wanb table 3 proto static scope link metric 20
192.168.150.0/24 dev br-lan table 3 proto kernel scope link src 192.168.150.150
192.168.160.0/24 dev wlan1-1 table 3 proto kernel scope link src 192.168.160.160
default via 192.168.50.1 dev br-wan proto static src 192.168.50.10 metric 10
default via 192.168.100.1 dev br-wanb proto static src 192.168.100.10 metric 20
192.168.50.0/24 dev br-wan proto static scope link metric 10
192.168.100.0/24 dev br-wanb proto static scope link metric 20
192.168.150.0/24 dev br-lan proto kernel scope link src 192.168.150.150
192.168.160.0/24 dev wlan1-1 proto kernel scope link src 192.168.160.160
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 192.168.50.0 dev br-wan table local proto kernel scope link src 192.168.50.10
local 192.168.50.10 dev br-wan table local proto kernel scope host src 192.168.50.10
broadcast 192.168.50.255 dev br-wan table local proto kernel scope link src 192.168.50.10
broadcast 192.168.100.0 dev br-wanb table local proto kernel scope link src 192.168.100.10
local 192.168.100.10 dev br-wanb table local proto kernel scope host src 192.168.100.10
broadcast 192.168.100.255 dev br-wanb table local proto kernel scope link src 192.168.100.10
broadcast 192.168.150.0 dev br-lan table local proto kernel scope link src 192.168.150.150
local 192.168.150.150 dev br-lan table local proto kernel scope host src 192.168.150.150
broadcast 192.168.150.255 dev br-lan table local proto kernel scope link src 192.168.150.150
broadcast 192.168.160.0 dev wlan1-1 table local proto kernel scope link src 192.168.160.160
local 192.168.160.160 dev wlan1-1 table local proto kernel scope host src 192.168.160.160
broadcast 192.168.160.255 dev wlan1-1 table local proto kernel scope link src 192.168.160.160
0: from all lookup local
1001: from all iif br-wan lookup 1
1003: from all iif br-wanb lookup 3
2001: from all fwmark 0x100/0x3f00 lookup 1
2003: from all fwmark 0x300/0x3f00 lookup 3
2061: from all fwmark 0x3d00/0x3f00 blackhole
2062: from all fwmark 0x3e00/0x3f00 unreachable
32766: from all lookup main
32767: from all lookup default
root@HomeRoutr:~#
trendy
July 18, 2021, 10:43pm
4
Remove bridge from wan, wan6, and wanb interfaces.mwan3 status; iptables-save -c
1 Like
trendy:
Remove bridge from wan, wan6, and wanb interfaces. Done. Worked magic on the configurations. Everything seems to work, failover works on N1 and N2 as expected and N2 goes through P2 as expected. Only thing is that tracert and ping still seems to go through P1 both in N1 and N2 and if P1 is down ping and tracert fails. But browsing still works on failsafe. Not sure how this is happening. Done. But I do not understand the significance. Not done, this was the default configuration. Please confirm if this is required. Hope this can be ignored for now. mwan3 status; iptables-save -c Let me know if this is still required.
Please find my response in bold italics.
trendy
July 19, 2021, 8:02pm
6
Better use quotes.
mwan3 status; iptables-save -c
It's not needed and you add extra load to cpu.
68 is dhcp client port. tcp is used to transfer dns zones.
root@HomeRoutr:~# mwan3 status; iptables-save -c
Interface status:
interface wan is online 12h:11m:33s, uptime 12h:11m:36s and tracking is active
interface wan6 is disabled and tracking is down
interface wanb is online 12h:07m:55s, uptime 12h:13m:08s and tracking is active
interface wanb6 is offline and tracking is down
Current ipv4 policies:
wan_wanb:
wan (100%)
wanb_wan:
wanb (100%)
Current ipv6 policies:
wan_wanb:
unreachable
wanb_wan:
unreachable
Directly connected ipv4 networks:
127.0.0.0/8
192.168.100.0/24
192.168.160.0/24
224.0.0.0/3
192.168.50.0/24
192.168.150.0/24
Directly connected ipv6 networks:
##MASKED##/64
##MASKED##/64
##MASKED##/64
Active ipv4 user rules:
3855 279K S https tcp -- * * 192.168.150.0/24 0.0.0.0/0 multiport dports 443
11966 1824K - wan_wanb all -- * * 192.168.150.0/24 0.0.0.0/0
2139 109K S https_2 tcp -- * * 192.168.160.0/24 0.0.0.0/0 multiport dports 443
Active ipv6 user rules:
# Generated by iptables-save v1.8.3 on Wed Jul 21 01:12:13 2021
*nat
:PREROUTING ACCEPT [68460:16994103]
:INPUT ACCEPT [4380:322059]
:OUTPUT ACCEPT [30945:2544695]
:POSTROUTING ACCEPT [23:7884]
:postrouting_guest_rule - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_guest_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_guest_postrouting - [0:0]
:zone_guest_prerouting - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
[68460:16994103] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[39905:7948438] -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
[22228:8357584] -A PREROUTING -i eth0.2 -m comment --comment "!fw3" -j zone_wan_prerouting
[0:0] -A PREROUTING -i eth0.3 -m comment --comment "!fw3" -j zone_wan_prerouting
[6327:688081] -A PREROUTING -i wlan1-1 -m comment --comment "!fw3" -j zone_guest_prerouting
[55983:5447668] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
[22:7536] -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
[45350:4609871] -A POSTROUTING -o eth0.2 -m comment --comment "!fw3" -j zone_wan_postrouting
[10610:829913] -A POSTROUTING -o eth0.3 -m comment --comment "!fw3" -j zone_wan_postrouting
[1:348] -A POSTROUTING -o wlan1-1 -m comment --comment "!fw3" -j zone_guest_postrouting
[1:348] -A zone_guest_postrouting -m comment --comment "!fw3: Custom guest postrouting rule chain" -j postrouting_guest_rule
[6327:688081] -A zone_guest_prerouting -m comment --comment "!fw3: Custom guest prerouting rule chain" -j prerouting_guest_rule
[22:7536] -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
[39905:7948438] -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
[55960:5439784] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
[55960:5439784] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[22228:8357584] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
COMMIT
# Completed on Wed Jul 21 01:12:13 2021
# Generated by iptables-save v1.8.3 on Wed Jul 21 01:12:13 2021
*raw
:PREROUTING ACCEPT [5937388:5329195017]
:OUTPUT ACCEPT [43462:4218919]
:zone_guest_helper - [0:0]
:zone_lan_helper - [0:0]
[959022:331839016] -A PREROUTING -i br-lan -m comment --comment "!fw3: lan CT helper assignment" -j zone_lan_helper
[238209:40870049] -A PREROUTING -i wlan1-1 -m comment --comment "!fw3: guest CT helper assignment" -j zone_guest_helper
COMMIT
# Completed on Wed Jul 21 01:12:13 2021
# Generated by iptables-save v1.8.3 on Wed Jul 21 01:12:13 2021
*mangle
:PREROUTING ACCEPT [5937398:5329198753]
:INPUT ACCEPT [57778:4968480]
:FORWARD ACCEPT [5841337:5310502520]
:OUTPUT ACCEPT [43464:4219943]
:POSTROUTING ACCEPT [5884066:5314677769]
:mwan3_connected - [0:0]
:mwan3_hook - [0:0]
:mwan3_iface_in_wan - [0:0]
:mwan3_iface_in_wanb - [0:0]
:mwan3_ifaces_in - [0:0]
:mwan3_policy_wan_wanb - [0:0]
:mwan3_policy_wanb_wan - [0:0]
:mwan3_rule_https - [0:0]
:mwan3_rule_https_2 - [0:0]
:mwan3_rules - [0:0]
[6298671:5557868669] -A PREROUTING -j mwan3_hook
[11283:658596] -A FORWARD -o eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[4424:242632] -A FORWARD -i eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[1953:101556] -A FORWARD -o eth0.3 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[1953:101200] -A FORWARD -i eth0.3 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[45515:4397107] -A OUTPUT -j mwan3_hook
[5004581:5118066697] -A mwan3_connected -m set --match-set mwan3_connected dst -j MARK --set-xmark 0x3f00/0x3f00
[6344186:5562265776] -A mwan3_hook -j CONNMARK --restore-mark --nfmask 0x3f00 --ctmask 0x3f00
[138320:23440253] -A mwan3_hook -m mark --mark 0x0/0x3f00 -j mwan3_ifaces_in
[83859:11720144] -A mwan3_hook -m mark --mark 0x0/0x3f00 -j mwan3_connected
[55225:5474496] -A mwan3_hook -m mark --mark 0x0/0x3f00 -j mwan3_rules
[6344186:5562265776] -A mwan3_hook -j CONNMARK --save-mark --nfmask 0x3f00 --ctmask 0x3f00
[6259556:5544967275] -A mwan3_hook -m mark ! --mark 0x3f00/0x3f00 -j mwan3_connected
[22344:8404008] -A mwan3_iface_in_wan -i eth0.2 -m set --match-set mwan3_connected src -m mark --mark 0x0/0x3f00 -m comment --comment default -j MARK --set-xmark 0x3f00/0x3f00
[23314:2574371] -A mwan3_iface_in_wan -i eth0.2 -m mark --mark 0x0/0x3f00 -m comment --comment wan -j MARK --set-xmark 0x100/0x3f00
[0:0] -A mwan3_iface_in_wanb -i eth0.3 -m set --match-set mwan3_connected src -m mark --mark 0x0/0x3f00 -m comment --comment default -j MARK --set-xmark 0x3f00/0x3f00
[8676:728784] -A mwan3_iface_in_wanb -i eth0.3 -m mark --mark 0x0/0x3f00 -m comment --comment wanb -j MARK --set-xmark 0x300/0x3f00
[136583:23298479] -A mwan3_ifaces_in -m mark --mark 0x0/0x3f00 -j mwan3_iface_in_wan
[90069:12214366] -A mwan3_ifaces_in -m mark --mark 0x0/0x3f00 -j mwan3_iface_in_wanb
[11983:1825203] -A mwan3_policy_wan_wanb -m mark --mark 0x0/0x3f00 -m comment --comment "wan 10 10" -j MARK --set-xmark 0x100/0x3f00
[1:52] -A mwan3_policy_wanb_wan -m mark --mark 0x0/0x3f00 -m comment --comment "wanb 30 30" -j MARK --set-xmark 0x300/0x3f00
[3855:279492] -A mwan3_rule_https -m mark --mark 0x0/0x3f00 -j MARK --set-xmark 0x100/0x3f00
[17:1426] -A mwan3_rule_https -m mark --mark 0x100/0x3f00 -m set ! --match-set mwan3_sticky_https src,src -j MARK --set-xmark 0x0/0x3f00
[17:1426] -A mwan3_rule_https -m mark --mark 0x0/0x3f00 -j mwan3_policy_wan_wanb
[3855:279492] -A mwan3_rule_https -m mark ! --mark 0xfc00/0xfc00 -j SET --del-set mwan3_sticky_https src,src
[3855:279492] -A mwan3_rule_https -m mark ! --mark 0xfc00/0xfc00 -j SET --add-set mwan3_sticky_https src,src
[2139:108849] -A mwan3_rule_https_2 -m mark --mark 0x0/0x3f00 -j MARK --set-xmark 0x300/0x3f00
[1:52] -A mwan3_rule_https_2 -m mark --mark 0x300/0x3f00 -m set ! --match-set mwan3_sticky_https_2 src,src -j MARK --set-xmark 0x0/0x3f00
[1:52] -A mwan3_rule_https_2 -m mark --mark 0x0/0x3f00 -j mwan3_policy_wanb_wan
[2139:108849] -A mwan3_rule_https_2 -m mark ! --mark 0xfc00/0xfc00 -j SET --del-set mwan3_sticky_https_2 src,src
[2139:108849] -A mwan3_rule_https_2 -m mark ! --mark 0xfc00/0xfc00 -j SET --add-set mwan3_sticky_https_2 src,src
[3855:279492] -A mwan3_rules -s 192.168.150.0/24 -p tcp -m multiport --dports 443 -m mark --mark 0x0/0x3f00 -j mwan3_rule_https
[11966:1823777] -A mwan3_rules -s 192.168.150.0/24 -m mark --mark 0x0/0x3f00 -j mwan3_policy_wan_wanb
[2139:108849] -A mwan3_rules -s 192.168.160.0/24 -p tcp -m multiport --dports 443 -m mark --mark 0x0/0x3f00 -j mwan3_rule_https_2
COMMIT
# Completed on Wed Jul 21 01:12:13 2021
# Generated by iptables-save v1.8.3 on Wed Jul 21 01:12:13 2021
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_guest_rule - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_guest_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_guest_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_guest_dest_ACCEPT - [0:0]
:zone_guest_dest_REJECT - [0:0]
:zone_guest_forward - [0:0]
:zone_guest_input - [0:0]
:zone_guest_output - [0:0]
:zone_guest_src_REJECT - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_dest_DROP - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
[0:0] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[57790:4969120] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[33294:3321251] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[20:1184] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[18146:1276885] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
[2771:97562] -A INPUT -i eth0.2 -m comment --comment "!fw3" -j zone_wan_input
[0:0] -A INPUT -i eth0.3 -m comment --comment "!fw3" -j zone_wan_input
[3579:273422] -A INPUT -i wlan1-1 -m comment --comment "!fw3" -j zone_guest_input
[5841341:5310504062] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[5812824:5306838153] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[25261:3207622] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i eth0.2 -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -i eth0.3 -m comment --comment "!fw3" -j zone_wan_forward
[3256:458287] -A FORWARD -i wlan1-1 -m comment --comment "!fw3" -j zone_guest_forward
[0:0] -A FORWARD -m comment --comment "!fw3" -j reject
[0:0] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[43484:4227143] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[9208:1445912] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[27:9176] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
[25571:2042595] -A OUTPUT -o eth0.2 -m comment --comment "!fw3" -j zone_wan_output
[8677:729112] -A OUTPUT -o eth0.3 -m comment --comment "!fw3" -j zone_wan_output
[1:348] -A OUTPUT -o wlan1-1 -m comment --comment "!fw3" -j zone_guest_output
[59:3682] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[768:41396] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
[20:1184] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[1:348] -A zone_guest_dest_ACCEPT -o wlan1-1 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_guest_dest_REJECT -o wlan1-1 -m comment --comment "!fw3" -j reject
[3256:458287] -A zone_guest_forward -m comment --comment "!fw3: Custom guest forwarding rule chain" -j forwarding_guest_rule
[0:0] -A zone_guest_forward -d 192.168.150.0/24 -m comment --comment "!fw3: Guest Block" -j zone_lan_dest_DROP
[0:0] -A zone_guest_forward -d 192.168.100.0/24 -m comment --comment "!fw3: Guest Block" -j zone_lan_dest_DROP
[3256:458287] -A zone_guest_forward -m comment --comment "!fw3: Zone guest to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_guest_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_guest_forward -m comment --comment "!fw3" -j zone_guest_dest_REJECT
[3579:273422] -A zone_guest_input -m comment --comment "!fw3: Custom guest input rule chain" -j input_guest_rule
[1:370] -A zone_guest_input -p udp -m udp --dport 67:68 -m comment --comment "!fw3: Guest DHCP" -j ACCEPT
[5:260] -A zone_guest_input -p tcp -m tcp --dport 53 -m comment --comment "!fw3: Guest DNS" -j ACCEPT
[3341:246940] -A zone_guest_input -p udp -m udp --dport 53 -m comment --comment "!fw3: Guest DNS" -j ACCEPT
[0:0] -A zone_guest_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[232:25852] -A zone_guest_input -m comment --comment "!fw3" -j zone_guest_src_REJECT
[1:348] -A zone_guest_output -m comment --comment "!fw3: Custom guest output rule chain" -j output_guest_rule
[1:348] -A zone_guest_output -m comment --comment "!fw3" -j zone_guest_dest_ACCEPT
[232:25852] -A zone_guest_src_REJECT -i wlan1-1 -m comment --comment "!fw3" -j reject
[27:9176] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_lan_dest_DROP -o br-lan -m comment --comment "!fw3" -j DROP
[25261:3207622] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[25261:3207622] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[18146:1276885] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[0:0] -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[18146:1276885] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[27:9176] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[27:9176] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[18146:1276885] -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[513:35814] -A zone_wan_dest_ACCEPT -o eth0.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[51370:5560589] -A zone_wan_dest_ACCEPT -o eth0.2 -m comment --comment "!fw3" -j ACCEPT
[222:8880] -A zone_wan_dest_ACCEPT -o eth0.3 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[10660:832333] -A zone_wan_dest_ACCEPT -o eth0.3 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_REJECT -o eth0.2 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_dest_REJECT -o eth0.3 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[2771:97562] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[0:0] -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
[0:0] -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
[2176:78336] -A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
[0:0] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[595:19226] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
[34248:2771707] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[34248:2771707] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[595:19226] -A zone_wan_src_REJECT -i eth0.2 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_src_REJECT -i eth0.3 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Wed Jul 21 01:12:13 2021
root@HomeRoutr:~#
trendy
July 21, 2021, 8:35am
8
Add option family 'ipv4'default_rule_v4_2 and restart mwan3. Verify with mwan3 status that under Active ipv4 user rules: there are 4 lines and there is a wanb_wan
1 Like
I think you nailed the problem, the rule default_rule_v4_2 is not active even after I add option family 'ipv4'. If I change the rule default_rule_v4 to use the policy wanb_wan, it works correctly. So, there is no issue with the policy but the issue is with the rule not being active. Let me know your input, I will also search for rule not being active and report back.
Got it working. It was the name that was the problem. As per mwan3 manual, rule names cannot be more than 15 characters. After I changed the rule name to 15 characters, the rule is active and everything works fine.
Appreciate the time spent @trendy . Amazing. Keep up the good work.
Kudos to the OpenWRT community as well.
1 Like
system
July 31, 2021, 10:51am
11
This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.
