I have a TL-MR3420 with OpenWrt version 19.07.2.
I have 2 interfaces: wlan0, which is connected to Wi-Fi, and eth0.2, which is bound to the physical blue WAN port (VLAN 2).
I recently installed mwan3 to provide a backup in case either wlan0 or eth0.2 disconnects (eth0.2 is connected to another router which acts as a Wi-Fi bridge, since the MR3420 cannot handle 2 Wi-Fi connections simultaneously).
In order to test mwan3, I disconnected the wlan0 interface
ifconfig wlan0 down
Internet kept flowing from the eth0.2 interface.
Then I disconnected the eth0.2 interface from the blue port, but then I could not connect from the wlan0 interface, for example ping 8.8.8.8 gave me the error:
ping: sendto: Network unreachable
Connectivity only came back when I reconnected eth0.2.
Here are my configurations:
Routing table when eth0.2 got disconnected (everything seems fine):
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 10.0.0.138 0.0.0.0 UG 30 0 0 wlan0
10.0.0.0 0.0.0.0 255.255.255.0 U 30 0 0 wlan0
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 br-lan
I could even ping 10.0.0.138 and get replies back.
eth0.2 and wlan0 are behind 2 different firewall zones, each assigned its own default gateway metric
Looks like it solved the problem of pinging from wlan0 when I set eth0.2 down
ifconfig eth0.2 down
The problem is that it seems that no automatic load balancing takes place.
For example pinging 8.8.8.8 from a connected computer does not forward the packets
Pinging 8.8.8.8 with 32 bytes of data:
Reply from 192.168.1.1: Destination port unreachable.
Reply from 192.168.1.1: Destination port unreachable.
Reply from 192.168.1.1: Destination port unreachable.
Reply from 192.168.1.1: Destination port unreachable.
Here is a log of previous data requested, updated after the interface name change
root@OpenWrt:~# uci export network; uci export wireless; \
> uci export dhcp; uci export firewall; \
> head -n -0 /etc/firewall.user; uci export mwan3; \
> ip -4 addr ; ip -4 ru; ip -4 ro ls tab all
package network
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd26:c75e:2be2::/48'
config interface 'lan'
option type 'bridge'
option ifname 'eth0.1'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '60'
config device 'lan_eth0_1_dev'
option name 'eth0.1'
option macaddr '50:d4:f7:c8:5d:08'
config interface 'wan'
option ifname 'eth0.2'
option proto 'dhcp'
option metric '40'
config device 'wan_eth0_2_dev'
option name 'eth0.2'
option macaddr '50:d4:f7:c8:5d:09'
config interface 'wan6'
option ifname 'eth0.2'
option proto 'dhcpv6'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '1 2 3 4 6t'
config switch_vlan
option device 'switch0'
option vlan '2'
option ports '0 6t'
config interface 'wan2'
option proto 'dhcp'
option metric '30'
package wireless
config wifi-device 'radio0'
option type 'mac80211'
option channel '11'
option hwmode '11g'
option path 'platform/10300000.wmac'
option htmode 'HT20'
config wifi-iface 'wifinet2'
option device 'radio0'
option mode 'ap'
option network 'lan'
option key 'password2'
option ssid 'HomeWifi2'
option encryption 'psk2'
config wifi-iface 'wifinet1'
option ssid 'HomeWifi'
option device 'radio0'
option mode 'sta'
option key 'password'
option network 'wan2'
option encryption 'psk2'
package dhcp
config dnsmasq
option domainneeded '1'
option boguspriv '1'
option filterwin2k '0'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option nonegcache '0'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.auto'
option nonwildcard '1'
option localservice '1'
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv6 'server'
option ra 'server'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
package firewall
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option network 'lan'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
option network 'wan wan6'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config include
option path '/etc/firewall.user'
config zone
option forward 'REJECT'
option name 'wan2'
option output 'ACCEPT'
option input 'REJECT'
option masq '1'
config forwarding
option dest 'wan2'
option src 'wawa'
config forwarding
option dest 'wan2'
option src 'lan'
# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.
# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
package mwan3
config globals 'globals'
option mmx_mask '0x3F00'
option rtmon_interval '5'
config interface 'wan'
option enabled '1'
list track_ip '8.8.4.4'
list track_ip '8.8.8.8'
list track_ip '208.67.222.222'
list track_ip '208.67.220.220'
option family 'ipv4'
option reliability '2'
option count '1'
option timeout '2'
option failure_latency '1000'
option recovery_latency '500'
option failure_loss '20'
option recovery_loss '5'
option interval '5'
option down '3'
option up '8'
config member 'wan_m1_w3'
option interface 'wan'
option metric '1'
option weight '3'
config member 'wan_m2_w3'
option interface 'wan'
option metric '2'
option weight '3'
config member 'wanb_m1_w2'
option metric '1'
option weight '2'
option interface 'wan2'
config member 'wanb_m2_w2'
option metric '2'
option weight '2'
option interface 'wan2'
config policy 'wan_only'
list use_member 'wan_m1_w3'
list use_member 'wan6_m1_w3'
config policy 'wanb_only'
list use_member 'wanb_m1_w2'
list use_member 'wanb6_m1_w2'
config policy 'balanced'
list use_member 'wan_m1_w3'
list use_member 'wanb_m1_w2'
list use_member 'wan6_m1_w3'
list use_member 'wanb6_m1_w2'
config policy 'wan_wanb'
list use_member 'wan_m1_w3'
list use_member 'wanb_m2_w2'
list use_member 'wan6_m1_w3'
list use_member 'wanb6_m2_w2'
config policy 'wanb_wan'
list use_member 'wan_m2_w3'
list use_member 'wanb_m1_w2'
list use_member 'wan6_m2_w3'
list use_member 'wanb6_m1_w2'
config rule 'https'
option sticky '1'
option dest_port '443'
option proto 'tcp'
option use_policy 'balanced'
config rule 'default_rule'
option dest_ip '0.0.0.0/0'
option use_policy 'balanced'
config interface 'wan2'
option enabled '1'
option initial_state 'online'
option family 'ipv4'
list track_ip '8.8.8.8'
option track_method 'ping'
option reliability '1'
option count '1'
option size '56'
option max_ttl '60'
option check_quality '0'
option timeout '2'
option interval '5'
option failure_interval '5'
option recovery_interval '5'
option down '3'
option up '3'
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
4: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
valid_lft forever preferred_lft forever
6: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
inet 192.168.2.100/24 brd 192.168.2.255 scope global eth0.2
valid_lft forever preferred_lft forever
7: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
inet 10.0.0.25/24 brd 10.0.0.255 scope global wlan0
valid_lft forever preferred_lft forever
0: from all lookup local
1001: from all iif eth0.2 lookup 1
1002: from all iif wlan0 lookup 2
2001: from all fwmark 0x100/0x3f00 lookup 1
2002: from all fwmark 0x200/0x3f00 lookup 2
2061: from all fwmark 0x3d00/0x3f00 blackhole
2062: from all fwmark 0x3e00/0x3f00 unreachable
32766: from all lookup main
32767: from all lookup default
default via 192.168.2.1 dev eth0.2 table 1 metric 40
10.0.0.0/24 dev wlan0 table 1 proto static scope link metric 30
192.168.1.0/24 dev br-lan table 1 proto kernel scope link src 192.168.1.1
192.168.2.0/24 dev eth0.2 table 1 proto static scope link metric 40
default via 10.0.0.138 dev wlan0 table 2 metric 30
10.0.0.0/24 dev wlan0 table 2 proto static scope link metric 30
192.168.1.0/24 dev br-lan table 2 proto kernel scope link src 192.168.1.1
192.168.2.0/24 dev eth0.2 table 2 proto static scope link metric 40
default via 10.0.0.138 dev wlan0 proto static src 10.0.0.25 metric 30
default via 192.168.2.1 dev eth0.2 proto static src 192.168.2.100 metric 40
10.0.0.0/24 dev wlan0 proto static scope link metric 30
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1
192.168.2.0/24 dev eth0.2 proto static scope link metric 40
broadcast 10.0.0.0 dev wlan0 table local proto kernel scope link src 10.0.0.25
local 10.0.0.25 dev wlan0 table local proto kernel scope host src 10.0.0.25
broadcast 10.0.0.255 dev wlan0 table local proto kernel scope link src 10.0.0.25
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 192.168.1.0 dev br-lan table local proto kernel scope link src 192.168.1.1
local 192.168.1.1 dev br-lan table local proto kernel scope host src 192.168.1.1
broadcast 192.168.1.255 dev br-lan table local proto kernel scope link src 192.168.1.1
broadcast 192.168.2.0 dev eth0.2 table local proto kernel scope link src 192.168.2.100
local 192.168.2.100 dev eth0.2 table local proto kernel scope host src 192.168.2.100
broadcast 192.168.2.255 dev eth0.2 table local proto kernel scope link src 192.168.2.100
root@OpenWrt:~#
Does ping work when wan is down? ping -c 1 -I wlan0 8.8.8.8
If not, you are back to square one, because this ping should already work before mwan3 is installed.
If yes, check that classification is correct: iptables -t mangle -L -vn
Here is the output of the mangle table; I'd appreciate help interpreting it.
root@OpenWrt:~# iptables -t mangle -L -vn
Chain PREROUTING (policy ACCEPT 4200 packets, 888K bytes)
pkts bytes target prot opt in out source destination
225K 54M mwan3_hook all -- * * 0.0.0.0/0 0.0.0.0/0
Chain INPUT (policy ACCEPT 660 packets, 57476 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 2640 packets, 664K bytes)
pkts bytes target prot opt in out source destination
24 1248 TCPMSS tcp -- * eth0.2 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x02 /* !fw3: Zone wan MTU fixing */ TCPMSS clamp to PMTU
Chain OUTPUT (policy ACCEPT 2266 packets, 144K bytes)
pkts bytes target prot opt in out source destination
143K 15M mwan3_hook all -- * * 0.0.0.0/0 0.0.0.0/0
Chain POSTROUTING (policy ACCEPT 3095 packets, 657K bytes)
pkts bytes target prot opt in out source destination
Chain mwan3_connected (2 references)
pkts bytes target prot opt in out source destination
115K 12M MARK all -- * * 0.0.0.0/0 0.0.0.0/0 match-set mwan3_connected dst MARK or 0x3f00
Chain mwan3_hook (2 references)
pkts bytes target prot opt in out source destination
367K 70M CONNMARK all -- * * 0.0.0.0/0 0.0.0.0/0 CONNMARK restore mask 0x3f00
186K 46M mwan3_ifaces_in all -- * * 0.0.0.0/0 0.0.0.0/0 mark match 0x0/0x3f00
92050 7254K mwan3_connected all -- * * 0.0.0.0/0 0.0.0.0/0 mark match 0x0/0x3f00
82708 6590K mwan3_rules all -- * * 0.0.0.0/0 0.0.0.0/0 mark match 0x0/0x3f00
367K 70M CONNMARK all -- * * 0.0.0.0/0 0.0.0.0/0 CONNMARK save mask 0x3f00
192K 19M mwan3_connected all -- * * 0.0.0.0/0 0.0.0.0/0 mark match ! 0x3f00/0x3f00
Chain mwan3_iface_in_wan (1 references)
pkts bytes target prot opt in out source destination
0 0 MARK all -- eth0.2 * 0.0.0.0/0 0.0.0.0/0 match-set mwan3_connected src mark match 0x0/0x3f00 /* default */ MARK or 0x3f00
0 0 MARK all -- eth0.2 * 0.0.0.0/0 0.0.0.0/0 mark match 0x0/0x3f00 /* wan */ MARK xset 0x100/0x3f00
Chain mwan3_iface_in_wan2 (1 references)
pkts bytes target prot opt in out source destination
13654 5827K MARK all -- wlan0 * 0.0.0.0/0 0.0.0.0/0 match-set mwan3_connected src mark match 0x0/0x3f00 /* default */ MARK or 0x3f00
1 84 MARK all -- wlan0 * 0.0.0.0/0 0.0.0.0/0 mark match 0x0/0x3f00 /* wan2 */ MARK xset 0x200/0x3f00
Chain mwan3_ifaces_in (1 references)
pkts bytes target prot opt in out source destination
28115 7176K mwan3_iface_in_wan2 all -- * * 0.0.0.0/0 0.0.0.0/0 mark match 0x0/0x3f00
2850 314K mwan3_iface_in_wan all -- * * 0.0.0.0/0 0.0.0.0/0 mark match 0x0/0x3f00
Chain mwan3_policy_balanced (2 references)
pkts bytes target prot opt in out source destination
157 70554 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 mark match 0x0/0x3f00 statistic mode random probability 0.39999999991 /* wan2 2 5 */ MARK xset 0x200/0x3f00
206 87838 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 mark match 0x0/0x3f00 /* wan 3 3 */ MARK xset 0x100/0x3f00
Chain mwan3_policy_wan_only (0 references)
pkts bytes target prot opt in out source destination
0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 mark match 0x0/0x3f00 /* wan 3 3 */ MARK xset 0x100/0x3f00
Chain mwan3_policy_wan_wanb (0 references)
pkts bytes target prot opt in out source destination
0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 mark match 0x0/0x3f00 /* wan 3 3 */ MARK xset 0x100/0x3f00
Chain mwan3_policy_wanb_only (0 references)
pkts bytes target prot opt in out source destination
0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 mark match 0x0/0x3f00 /* wan2 2 2 */ MARK xset 0x200/0x3f00
Chain mwan3_policy_wanb_wan (0 references)
pkts bytes target prot opt in out source destination
0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 mark match 0x0/0x3f00 /* wan2 2 2 */ MARK xset 0x200/0x3f00
Chain mwan3_rule_https (1 references)
pkts bytes target prot opt in out source destination
1736 90261 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 mark match 0x0/0x3f00 MARK xset 0x200/0x3f00
0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 mark match 0x200/0x3f00 ! match-set mwan3_sticky_https src,src MARK and 0xffffc0ff
0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 mark match 0x0/0x3f00 MARK xset 0x100/0x3f00
0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 mark match 0x100/0x3f00 ! match-set mwan3_sticky_https src,src MARK and 0xffffc0ff
0 0 mwan3_policy_balanced all -- * * 0.0.0.0/0 0.0.0.0/0 mark match 0x0/0x3f00
1736 90261 SET all -- * * 0.0.0.0/0 0.0.0.0/0 mark match ! 0xfc00/0xfc00 del-set mwan3_sticky_https src,src
1736 90261 SET all -- * * 0.0.0.0/0 0.0.0.0/0 mark match ! 0xfc00/0xfc00 add-set mwan3_sticky_https src,src
Chain mwan3_rules (1 references)
pkts bytes target prot opt in out source destination
1736 90261 mwan3_rule_https tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport sports 0:65535 multiport dports 443 mark match 0x0/0x3f00 /* https */
362 157K mwan3_policy_balanced all -- * * 0.0.0.0/0 0.0.0.0/0 mark match 0x0/0x3f00 /* default_rule */
I did some testing on my own mwan3. It seems that changes are not properly propagated when I select Save & Apply in LuCI; I had to run /etc/init.d/mwan3 restart for them to take effect.
Do the same if that is the case with you.
That still did not seem to solve the problem.
However, restoring to a previous configuration before installing mwan3 did solve it (partially, because I still don't have mwan3)
Desperately I'm thinking of building my own mwan script which changes the routing table default gateway's metric according to which interface is up. What do you think?
Are you running something else that could manipulate routing or add marks? VPN-policy routing, QoS, SQM etc.
You don't need to do that. If an interface goes down, all routes learned through it are removed from the routing table. The metric only decides precedence when you have two otherwise identical routes.
I think I finally solved the issue. br-lan was on the 192.168.1.x subnet and eth0.2 had an address in the same subnet, so the connected routes of the two interfaces overlapped. Once I changed eth0.2's IP to 192.168.2.x it all worked: either interface works when the other one is down.
My whole purpose was to have a backup interface if the other one fails. If so, why would I need mwan3 at all?
4: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
valid_lft forever preferred_lft forever
6: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
inet 192.168.2.100/24 brd 192.168.2.255 scope global eth0.2
valid_lft forever preferred_lft forever
7: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
inet 10.0.0.25/24 brd 10.0.0.255 scope global wlan0
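Because you might not have internet even though the interface is up: the default route stays in the table as long as the link is up, whereas mwan3 tests whether the configured track_ip hosts are actually reachable through that interface.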
Because you cannot load balance or apply any other policy with just different metrics.
Because you need to have a smoother transition back to the primary line.