Traffic broken on second IF when two WAN interfaces

Hi. My setup: I have 2 ISPs, OpenWRT is running in a VM, and I have multiwan set up for outgoing traffic. A VM behind OpenWRT is used as a WireGuard server on port 38195, IP 192.168.10.254.
When incoming traffic arrives on WAN1, everything works well. If traffic arrives on WAN2, OpenWRT doesn't honor the outgoing interface for the reply traffic of the internal VM. Please see the attached file for a complete pcap capture, IP rules and routes.

Is this due to a wrong setup or is this a bug?

Thanks for any hint

Return traffic will take the default route out, so if traffic comes in via a non-default route you have to use policy-based routing to make sure it goes out the same way.

Research mwan3 and/or PBR.

Thanks for your answer. I thought about marking packets, but from what I read in the documentation, I don't know whether it has to be done in the GUI or in the user rules of nftables.

All those solutions will probably work.

I have a hotplug script for this, see:

But as said, there are multiple ways to do it.

OK, I applied the alternative solution from your link, no luck. Here is the configuration I made:

/etc/config/network
config route
        option interface  'wan1'
        option target '0.0.0.0/0'
        option table '201'
        option gateway '192.168.136.254'
        
config route
        option interface  'wan2'
        option target '0.0.0.0/0'
        option table '202'
        option gateway 'yyy.zzz.252.177'

config rule
        option src '192.168.136.0/24'
        option lookup '201'

config rule
        option src 'yyy.zzz.252.179/32'
        option lookup '202'

And this is the output of the IP rules:

root@guava:~# ip rule sh
0:      from all lookup local
1:      from 192.168.136.0/24 lookup 201
2:      from yyy.zzz.252.179 lookup 202
1001:   from all iif bone.1001 lookup 1
1002:   from all iif bone.1002 lookup 2
2001:   from all fwmark 0x100/0x3f00 lookup 1
2002:   from all fwmark 0x200/0x3f00 lookup 2
2061:   from all fwmark 0x3d00/0x3f00 blackhole
2062:   from all fwmark 0x3e00/0x3f00 unreachable
3001:   from all fwmark 0x100/0x3f00 unreachable
3002:   from all fwmark 0x200/0x3f00 unreachable
32766:  from all lookup main
32767:  from all lookup default

root@guava:~# cat /etc/iproute2/rt_tables 
#
# reserved values
#
128     prelocal
255     local
254     main
253     default
0       unspec
#
# local
#
#1      inr.ruhep

Something is wrong, but what? Shouldn't tables 202 and 202 exist in rt_tables?

No, only if you added them to it, e.g. with a name.

You can simply check with ip route show table 201

The gateway is the next hop unless it is a point to point link (e.g. a VPN) in which case it can be omitted, see for some more explanation:
OpenWRT Policy Based Routing (PBR)

See the paragraph about Create Routing Tables via the wan

ifstatus [wan|wanb]|grep nexthop shows nothing. Anyway, the nexthop is the default gateway; I already know their values. I followed the PDF, but now outgoing traffic no longer honors the load balancer and always goes out using wan/bone.1001.

Yes, that is to be expected, as this is a fixed route and you cannot load balance that specific traffic, as it has to go out the same way it comes in.

So the only possibility is to mark incoming traffic and route using the marked packets.
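
Added example, not part of the thread: a small evaluator for the `ip rule sh` output posted above, showing which rule selects a forwarded reply from the WireGuard VM with and without a firewall mark. Assumptions: the reply still carries source 192.168.10.254 when the routing decision is made, the LAN interface is named `br-lan` (hypothetical), every table holds a default route so the first selecting rule decides, and the redacted WAN2 address is replaced by the constructed value 203.0.113.179.

```python
import ipaddress

# `ip rule sh` from the thread; redacted WAN2 address replaced by a constructed one.
IP_RULES = """\
0:      from all lookup local
1:      from 192.168.136.0/24 lookup 201
2:      from 203.0.113.179 lookup 202
1001:   from all iif bone.1001 lookup 1
1002:   from all iif bone.1002 lookup 2
2001:   from all fwmark 0x100/0x3f00 lookup 1
2002:   from all fwmark 0x200/0x3f00 lookup 2
2061:   from all fwmark 0x3d00/0x3f00 blackhole
2062:   from all fwmark 0x3e00/0x3f00 unreachable
3001:   from all fwmark 0x100/0x3f00 unreachable
3002:   from all fwmark 0x200/0x3f00 unreachable
32766:  from all lookup main
32767:  from all lookup default
"""

def parse_rules(text):
    rules = []
    for line in text.splitlines():
        prio, *tok = line.replace(":", " ", 1).split()
        rule = {"prio": int(prio), "src": None, "iif": None, "mark": None}
        while tok:
            key = tok.pop(0)
            if key == "from":
                net = tok.pop(0)
                rule["src"] = None if net == "all" else ipaddress.ip_network(net)
            elif key == "iif":
                rule["iif"] = tok.pop(0)
            elif key == "fwmark":  # "value/mask", both hexadecimal
                rule["mark"] = tuple(int(x, 16) for x in tok.pop(0).split("/"))
            elif key == "lookup":
                rule["action"] = "table " + tok.pop(0)
            else:  # blackhole / unreachable
                rule["action"] = key
        rules.append(rule)
    return rules

def first_match(rules, src, iif, fwmark=0):
    # Forwarded packet assumed, so the "local" table never matches its destination.
    addr = ipaddress.ip_address(src)
    for r in rules:
        if (r["action"] != "table local"
                and (r["src"] is None or addr in r["src"])
                and (r["iif"] is None or r["iif"] == iif)
                and (r["mark"] is None or (fwmark & r["mark"][1]) == r["mark"][0])):
            return r["prio"], r["action"]
```

Under these assumptions the unmarked reply falls through to the main table, because the source rule for the WAN2 address only selects packets that already carry that address; the same reply with mark 0x200 is selected by rule 2002.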