OpenWrt Forum Archive

Topic: Dual WAN on Kamikaze

The content of this topic has been archived on 30 Jan 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hi, can anybody share your ideas about Dual WAN on Kamikaze? Thanks!!

Hi, I use dual WAN on Kamikaze, and it's simple to set up.  The hard part is load balancing them; up to this point, I only have it where all web traffic goes out the cable line, while any work related and certain traffic go out the DSL line.

What exactly are you looking for?

Thanks for your information.
Please give me some tips on how to set up dual WAN. Thanks!

This is my network:

ADSL ------- Router 1 ---------- (WAN port of) 
                                                                  Router 3 (LAN port of) --------- my laptop
ADSL ------- Router 2 ---------- (wifi0 of )       

The network of Router 1 is : 192.168.1.0/24 and Wan port's IP of router3 is 192.168.1.222
The Network of Router 2 is : 192.168.2.0/24 and wifi0's IP of router3 is 192.168.2.222
The Network of Lan of Router 3: 192.168.18.0/24

1) Right now, telnet to 192.168.18.1 and then ping 192.168.1.1 and 192.168.2.1 both OK.
2) On my laptop, ping 192.168.18.1 OK; ping 192.168.1.1 OK; ping 192.168.2.1, cannot work!

OK, I want my network to work like yours.
1) All web traffic goes out from Router 1
2) emule and P2P go out the Router 2
How can I do that?
Thanks for your help!!

Well, I set up dual WAN on the same router; instead of using multiple routers, I just converted one of the LAN ports into its own VLAN so I could use it as a second WAN port.

Example:
                                Router 1
DSL ----------------WAN PORT
CABLE -------------Port 4
                              Port 1 ---------------------Desktop
                              Port 2 ---------------------Second Desktop

/etc/config/network:
config switch eth0
        option vlan0    "1 2 3 5*"
        option vlan1    "4 5"
        option vlan2    "0 5"

#### Loopback configuration
config interface loopback
        option ifname   lo
        option proto    static
        option ipaddr   127.0.0.1
        option netmask  255.0.0.0


#### LAN configuration (vlan0)
config interface lan
        option type     bridge
        option ifname   eth0.0 wl0 wds0.1
        option proto    static
        option ipaddr   192.168.1.1
        option netmask  255.255.255.0


#### WAN configuration (vlan1)
config interface        wan
        option ifname   eth0.1
        option macaddr  00:18:39:87:1B:21
        option proto    static
        option ipaddr   128.25.36.58
        option netmask  255.255.255.0
        option gateway 128.25.36.1
        option dns      128.25.36.2 128.25.36.3

#### WAN2 configuration (vlan2)
config interface        wan2
        option ifname   eth0.2
        option proto    dhcp


/etc/init.d/routes:
#!/bin/sh /etc/rc.common
# Copyright (C) 2006 OpenWrt.org

START=40
start() {
        WAN_IPADDR=         # fill in: WAN IP
        WAN_GATEWAY=        # fill in: WAN GATEWAY
        WAN2_IPADDR=        # fill in: WAN2 IP
        WAN2_GATEWAY=       # fill in: WAN2 GATEWAY

        echo "deleting routers"
        while route del default gw >&- 2>&- ; do :; done

        echo "adding rules"
        ip rule flush
        ip rule add lookup main prio 32766
        ip rule add lookup default prio 32767
        ip rule add from $WAN_IPADDR table 100 prio 100
        ip rule add fwmark 0x100 table 100 prio 101
        ip rule add from $WAN2_IPADDR table 200 prio 200
        ip rule add fwmark 0x200 table 200 prio 201
        ip route flush table 100
        ip route flush table 200
        for TABLE in 100 200
        do
                ip route | grep link | while read ROUTE
                do
                        ip route add table $TABLE to $ROUTE
                done
        done
        ip route add table 100 default via $WAN_GATEWAY
        ip route add table 200 default via $WAN2_GATEWAY
}

stop() {
        echo "Stopping routes..."
        ip route flush table 100
        ip route flush table 200
}




/etc/init.d/firewall2:
start() {
        WAN_IPADDR=
        WAN_GATEWAY=
        WAN2_IPADDR=
        WAN2_GATEWAY=

        # Use the correct gateway for reply packets from the LAN
#       iptables -t mangle -A PREROUTING -i br-lan -m conntrack --ctstate ESTABLISHED,RELATED -j CONNMARK  --restore-mark

        # Use the correct gateway for reply packets from local connections
#       iptables -t mangle -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j CONNMARK --restore-mark

        #mask known packets to its source address
        iptables -A POSTROUTING -t nat -m mark --mark 0x100 -j SNAT --to-source $WAN_IPADDR
        iptables -A POSTROUTING -t nat -m mark --mark 0x200 -j SNAT --to-source $WAN2_IPADDR

        #restore-mark is done in PREROUTING. If restored again, we will lose the outgoing marks
        iptables -t mangle -D SVQOS_OUT -j CONNMARK --restore-mark 2> /dev/null

        #Special Setup
        iptables -t mangle -I PREROUTING -i br-lan -d (SOMEIP) -j MARK --set-mark 0x100
        iptables -t mangle -I PREROUTING -i br-lan -d (SOMEIP) -j MARK --set-mark 0x100


        #Mangle SMTP traffic through the DSL line
        iptables -t mangle -I PREROUTING -i br-lan -d ! 192.168.1.0/24 -p tcp --dport 25 -j MARK --set-mark 0x100

        #All traffic out the CABLE line by default
        iptables -t mangle -I PREROUTING -i br-lan -j MARK --set-mark 0x200
}

stop() {
        echo "Stopping firewall2..."
        iptables -t mangle -F
}

I am guessing on your setup, all you might need to do is configure the routing table, and iptables on router3.  Look at the /etc/init.d/routes script I posted on top, adjust the variables WAN*_IPADDR and WAN*_GATEWAY with the correct information, then you can use the firewall2 script in connection with the original firewall script that comes with Kamikaze to specify through which connection you want to go out from.

To forward all web traffic to the first WAN connection (router 1)
iptables -t mangle -I PREROUTING -i br-lan -p tcp --dport 80 -j MARK --set-mark 0x100

Do the same with the P2P traffic but change the --set-mark 0x100 to --set-mark 0x200 (I can't remember the actual ports for P2P).

Also, you will need a few iptables packages.
iptables-mod-conntrack - 1.3.5-1 - connection tracking module
kmod-ipt-conntrack - 2.4.34-brcm-1 - Modules for connection tracking

And make sure you don't have two default lines in your routing table:
default        192.168.1.1         UG    0      0        0 eth0.1
default        192.168.2.1        UG    0      0         0 wifi0

That caused me lots of headaches at the beginning.


One more note, on the pinging from the laptop to router2 not working, make sure you updated the iptables to allow for that.

[ -z "$WAN2" ] || iptables -A FORWARD -i $LAN -o $WAN2 -j ACCEPT
[ -z "$WAN2" ] || iptables -t nat -A POSTROUTING -o $WAN2 -j MASQUERADE
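The routes and firewall2 scripts above, drawn together into one script as an added example (not wcastillo's code and not anything shipped by OpenWrt): the interface names, addresses, port list and the `dualwan` chain name are constructed placeholders, and the CONNMARK save/restore step is an addition that the thread only hints at in its commented-out lines. By default the script prints the commands it would run instead of executing them; APPLY=1 on the router applies them.

```shell
#!/bin/sh
# Added example, not code from the thread: a dual-WAN policy-routing script
# modelled on wcastillo's /etc/init.d/routes and /etc/init.d/firewall2.
# Interface names, addresses and the port list are constructed placeholders.
#
# By default the script only PRINTS the ip/iptables commands it would run so
# the rule set can be reviewed first; set APPLY=1 to execute them on a router.

WAN_IF=${WAN_IF:-eth0.1};   WAN_IP=${WAN_IP:-192.0.2.10};      WAN_GW=${WAN_GW:-192.0.2.1}
WAN2_IF=${WAN2_IF:-eth0.2}; WAN2_IP=${WAN2_IP:-198.51.100.10}; WAN2_GW=${WAN2_GW:-198.51.100.1}
LAN_IF=${LAN_IF:-br-lan}

MARK_WAN=0x100;  TABLE_WAN=100      # first line  ("DSL"):   mark 0x100 -> table 100
MARK_WAN2=0x200; TABLE_WAN2=200     # second line ("cable"): mark 0x200 -> table 200
WAN_TCP_PORTS=${WAN_TCP_PORTS:-"80 25"}   # forced over WAN; everything else uses WAN2

run() { if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi; }

# Connected networks to copy into each WAN table; read from the kernel when
# applying, otherwise a constructed sample matching the placeholders above.
link_routes() {
    if [ "${APPLY:-0}" = 1 ]; then ip route show scope link; else
        printf '%s\n' "192.168.1.0/24 dev $LAN_IF" "192.0.2.0/24 dev $WAN_IF" \
                      "198.51.100.0/24 dev $WAN2_IF"
    fi
}

# Remove anything a previous run left behind ("ip rule add" would duplicate).
dual_wan_teardown() {
    run ip rule del fwmark "$MARK_WAN2" table "$TABLE_WAN2"
    run ip rule del from "$WAN2_IP" table "$TABLE_WAN2"
    run ip rule del fwmark "$MARK_WAN" table "$TABLE_WAN"
    run ip rule del from "$WAN_IP" table "$TABLE_WAN"
    run iptables -t mangle -D PREROUTING -i "$LAN_IF" -j dualwan
    run iptables -t mangle -F dualwan
    run iptables -t mangle -X dualwan
}

# Policy rules: packets from a WAN address, or marked for it, use that WAN's
# table. Priorities below 32766 are consulted before the main table.
setup_ip_rules() {
    run ip rule add from "$WAN_IP" table "$TABLE_WAN" prio 100
    run ip rule add fwmark "$MARK_WAN" table "$TABLE_WAN" prio 101
    run ip rule add from "$WAN2_IP" table "$TABLE_WAN2" prio 200
    run ip rule add fwmark "$MARK_WAN2" table "$TABLE_WAN2" prio 201
}

# Each WAN table = the connected routes of main + that WAN's own default.
# The main table is left alone: it keeps its single default route, which the
# thread found necessary for the router itself to keep working.
setup_tables() {
    for t in "$TABLE_WAN" "$TABLE_WAN2"; do
        run ip route flush table "$t"
        link_routes | while read -r r; do
            run ip route add table "$t" $r       # word splitting of $r intended
        done
    done
    run ip route add table "$TABLE_WAN" default via "$WAN_GW" dev "$WAN_IF"
    run ip route add table "$TABLE_WAN2" default via "$WAN2_GW" dev "$WAN2_IF"
}

# Classification in mangle/PREROUTING for LAN traffic. A connection is marked
# once and the mark saved in conntrack (CONNMARK), then restored for every
# later packet, so a flow never flips between uplinks mid-stream.
setup_mangle() {
    run iptables -t mangle -N dualwan
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -j dualwan
    run iptables -t mangle -A dualwan -j CONNMARK --restore-mark
    for p in $WAN_TCP_PORTS; do   # only still-unmarked (new) connections get classified
        run iptables -t mangle -A dualwan -m mark --mark 0 -p tcp --dport "$p" -j MARK --set-mark "$MARK_WAN"
    done
    run iptables -t mangle -A dualwan -m mark --mark 0 -j MARK --set-mark "$MARK_WAN2"
    run iptables -t mangle -A dualwan -j CONNMARK --save-mark
}

# Forwarding and NAT per uplink: replies must carry the source address of the
# WAN the flow was routed through, which MASQUERADE per -o interface gives.
setup_nat() {
    for w in "$WAN_IF" "$WAN2_IF"; do
        run iptables -A FORWARD -i "$LAN_IF" -o "$w" -j ACCEPT
        run iptables -t nat -A POSTROUTING -o "$w" -j MASQUERADE
    done
}

dual_wan_setup() {
    dual_wan_teardown
    setup_ip_rules
    setup_tables
    setup_mangle
    setup_nat
}

dual_wan_setup
```

Read the printed rule set before applying it. The teardown step lets the script be re-run without stacking duplicate `ip rule` entries, and the main table's single default route is deliberately left untouched, which is the arrangement the thread settles on later.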

Thank you so much wcastillo. I will try it when I have time. Thanks!!!

Dual WAN is something I desperately need too.  I am trying to replace a firebrick plus which only has a max throughput of about 6.2Mbps  - my two WAN links now exceed that individually...   All I need are a few conventional static routes, a couple of source based routes, and any other connections allocated a link 50/50.

I tried to set this all up before, on whiterussian, and it sort of worked for a bit then the router would vanish off the network pending a powercycle..  It would be nice if the option could be included by default in openwrt (and x-wrt for config!)

Cheers,

Rob

I'm struggling with this too now.

I've got a DHCP link on the normal WAN interface which is a bridged DSL line and gives me my IP address from my ISP. On the second, created with the example above, I've got a fixed IP setup to my second i-net connection which is a NAT router. So this gives me fixed 192.168.1.0/24. I've changed the WRT54GL to be 192.168.2.0/24 now.

The same story...

Client can't access 192.168.1.0/24 devices.
Can't get the load balancing, just some networks/hosts need to be forced to wan2, to work.

I've installed the latest snapshot of the WRT54GL kamikaze release today (openwrt-wrt54g-2.4-squashfs.bin - file date 19-May-2007 02:57). Maybe wcastillo is using the 2.6 version? Or more packages are needed / missing in my setup? I've installed also ip because it's not there and used in your scripts. (ip - 2.6.15-060110-1 - iproute2 routing control utility).

edit:

I'm a bit further now, the new ip rules are set nicely. But when both default routes are deleted it doesn't work anymore.

Should both default routes/gw's (route or ip route command) be empty?

I can get to both networks from a client nicely and when I set one default route/gw it works fine both ways (not together of course). What am I missing here...

Can you post your full /etc/init.d/firewall configuration also? And also the /etc/firewall.user maybe if you changed something?

Can you post your 'iptables -L' here?

(Last edited by bjck on 1 Jun 2007, 07:55)

Hi bjck.  I am using Kamikaze with the 2.4 kernel. 

For the default routes, that is correct, I experienced the same issue when I removed both default routes.  Instead I left one default which is from the static ip line (that is my main line), and removed the "route" entries from the dhcp-client script.

Below is the main routing table:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     *               255.255.255.0   U     0      0        0 br-lan
66.93.89.0      *               255.255.255.0   U     0      0        0 eth0.1
67.10.201.0     *               255.255.240.0   U     0      0        0 eth0.2
default         er1.dfw1.speake 0.0.0.0         UG    0      0        0 eth0.1

Routing Table 100:
192.168.1.0/24 dev br-lan  proto kernel  scope link  src 192.168.1.1
66.93.89.0/24 dev eth0.1  proto kernel  scope link  src 66.93.89.7
67.10.201.0/20 dev eth0.2  proto kernel  scope link  src 67.10.201.119
default via 66.93.89.1 dev eth0.1

Routing Table 200:
192.168.1.0/24 dev br-lan  proto kernel  scope link  src 192.168.1.1
66.93.89.0/24 dev eth0.1  proto kernel  scope link  src 66.93.89.7
67.10.201.0/20 dev eth0.2  proto kernel  scope link  src 67.10.201.119
default via 67.10.2011 dev eth0.2


/etc/init.d/firewall:
#!/bin/sh /etc/rc.common
start() {
        include /lib/network
        scan_interfaces

        insmod ip_conntrack_ftp
        insmod ip_nat_ftp
        config_get WAN wan ifname
        config_get WANDEV wan device
        config_get WAN2 wan2 ifname
        config_get WAN2DEV wan2 device
        config_get LAN lan ifname

        ## CLEAR TABLES
        for T in filter nat; do
                iptables -t $T -F
                iptables -t $T -X
        done

        iptables -N input_rule
        iptables -N input_wan
        iptables -N input_wan2
        iptables -N output_rule
        iptables -N forwarding_rule
        iptables -N forwarding_wan
        iptables -N forwarding_wan2

        iptables -t nat -N NEW
        iptables -t nat -N prerouting_rule
        iptables -t nat -N prerouting_wan
        iptables -t nat -N prerouting_wan2
        iptables -t nat -N postrouting_rule

        iptables -N LAN_ACCEPT
        [ -z "$WAN" ] || iptables -A LAN_ACCEPT -i "$WAN" -j RETURN
        [ -z "$WAN2" ] || iptables -A LAN_ACCEPT -i "$WAN2" -j RETURN
        [ -z "$WANDEV" -o "$WANDEV" = "$WAN" ] || iptables -A LAN_ACCEPT -i "$WANDEV" -j RETURN
        [ -z "$WAN2DEV" -o "$WAN2DEV" = "$WAN2" ] || iptables -A LAN_ACCEPT -i "$WAN2DEV" -j RETURN
        iptables -A LAN_ACCEPT -j ACCEPT

        ### INPUT
        ###  (connections with the router as destination)

        # base case
        iptables -P INPUT DROP
        iptables -A INPUT -i ${WAN} -p tcp -j LOG --log-prefix "log "
        iptables -A INPUT -i ${WAN2} -p tcp -j LOG --log-prefix "log "
        iptables -A INPUT -m state --state INVALID -j DROP
        iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
        iptables -A INPUT -p tcp --tcp-flags SYN SYN --tcp-option \! 2 -j  DROP

        #
        # insert accept rule or to jump to new accept-check table here
        #
        iptables -A INPUT -j input_rule
        [ -z "$WAN" ] || iptables -A INPUT -i $WAN -j input_wan
        [ -z "$WAN2" ] || iptables -A INPUT -i $WAN2 -j input_wan2

        # allow
        iptables -A INPUT -j LAN_ACCEPT # allow from lan/wifi interfaces
        iptables -A INPUT -p icmp       -j ACCEPT       # allow ICMP
        iptables -A INPUT -p gre        -j ACCEPT       # allow GRE

        # reject (what to do with anything not allowed earlier)
        iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
        iptables -A INPUT -j REJECT --reject-with icmp-port-unreachable

        ### OUTPUT
        ### (connections with the router as source)

        # base case
        iptables -P OUTPUT DROP
        iptables -A OUTPUT -m state --state INVALID -j DROP
        iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

        #
        # insert accept rule or to jump to new accept-check table here
        #
        iptables -A OUTPUT -j output_rule

        # allow
        iptables -A OUTPUT -j ACCEPT            #allow everything out

        # reject (what to do with anything not allowed earlier)
        iptables -A OUTPUT -p tcp -j REJECT --reject-with tcp-reset
        iptables -A OUTPUT -j REJECT --reject-with icmp-port-unreachable

        ### FORWARDING
        ### (connections routed through the router)

        # base case
        iptables -P FORWARD DROP
        iptables -A FORWARD -m state --state INVALID -j DROP
        iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
        iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

        #
        # insert accept rule or to jump to new accept-check table here
        #
        iptables -A FORWARD -j forwarding_rule
        [ -z "$WAN" ] || iptables -A FORWARD -i $WAN -j forwarding_wan
        [ -z "$WAN2" ] || iptables -A FORWARD -i $WAN2 -j forwarding_wan2

        # allow
        iptables -A FORWARD -i $LAN -o $LAN -j ACCEPT
        [ -z "$WAN" ] || iptables -A FORWARD -i $LAN -o $WAN -j ACCEPT
        [ -z "$WAN2" ] || iptables -A FORWARD -i $LAN -o $WAN2 -j ACCEPT

        # reject (what to do with anything not allowed earlier)
        # uses the default -P DROP

        ### MASQ
        iptables -t nat -A PREROUTING -m state --state NEW -p tcp -j NEW
        iptables -t nat -A PREROUTING -j prerouting_rule
        [ -z "$WAN" ] || iptables -t nat -A PREROUTING -i "$WAN" -j prerouting_wan
        [ -z "$WAN2" ] || iptables -t nat -A PREROUTING -i "$WAN2" -j prerouting_wan2
        iptables -t nat -A POSTROUTING -j postrouting_rule
        [ -z "$WAN" ] || iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE
        [ -z "$WAN2" ] || iptables -t nat -A POSTROUTING -o $WAN2 -j MASQUERADE

        iptables -t nat -A NEW -m limit --limit 50 --limit-burst 100 -j RETURN && \
                iptables -t nat -A NEW -j DROP

        ## USER RULES
        [ -f /etc/firewall.user ] && . /etc/firewall.user

        /etc/init.d/firewall2 start
}


On the load balancing issue, I have not been successful in doing that, partly because I haven't had time to really work on it, and also because I don't have much need for it at the moment.

Thx for your elaboration on this.

I can get it to work, with both gateways. But only when I switch over to the other by removing the current and adding the other one in the kernel routing table.

Did you get it to work this way that port 80 traffic is routed to the other interface (not in kernel routing table)? Or just specific traffic to a specific (specified in firewall2) destination IP?

Port 80 is routed by marking the packets.  I have other firewall rules where it routes traffic through a certain interface for specific destinations.

iptables -t mangle -I PREROUTING -i br-lan -p tcp --dport 80 -j MARK --set-mark 0x100

If I misunderstood the question, let me know.

wcastillo wrote:

Port 80 is routed by marking the packets.  I have other firewall rules where it routes traffic through a certain interface for specific destinations.

iptables -t mangle -I PREROUTING -i br-lan -p tcp --dport 80 -j MARK --set-mark 0x100

If I misunderstood the question, let me know.

I have exactly the same setup as you, one link through DHCP and one static. Why doesn't it work...

Seems it doesn't mark the packets or it's not routing accordingly to the marking. I can't (or don't know how) check which process fails here.

My routing table is the same for 100 and 200 as yours.

In my /etc/init.d/firewall2 I've got:

        iptables -t mangle -I PREROUTING -i br-lan -d 62.69.184.129 -j MARK --set-mark 0x100
        iptables -t mangle -I PREROUTING -i br-lan -d 62.69.184.130 -j MARK --set-mark 0x200

and

        iptables -t mangle -I PREROUTING -i br-lan -p tcp --dport 80 -j MARK --set-mark 0x200

But it keeps routing both IPs through the interface/gateway as specified in the Kernel IP routing table (root@OpenWrt:~# route). If I change the IP in the kernel routing table (delete one, add the other) it works fine through the other gateway. But again _all_ traffic goes through the eth0.2 interface and the rules don't matter it seems.

When there's none in the Kernel IP routing table nothing works. When there are two it seems to pick the top one but still the rules in /firewall2 don't work.

I'm going to install the 7.06 version now, seems the first official so everyone will be at that version most likely. Trying things on different routers with different beta versions and looking for the problem always gives unwanted results. And the client I'm testing from is connected through WiFi, maybe there's a difference or the problem is I had WAN DHCP (eth0.1) and WAN2 (eth0.2) static which is different to your setup. I'll change that now so eth0.1 is static also in my setup and eth0.2 through DHCP.

Any ideas what I'm missing? Or how to debug? Am I maybe missing modules? Can you also post your 'ipkg list_installed' here?

(Last edited by bjck on 5 Jun 2007, 21:02)

Can you please enter the output of the following commands:

ip route show table main
ip rule
ip route show table 100
ip route show table  200
ip route show table default

Also, after you try to visit a website, can you post the last few lines of file "cat /proc/net/ip_conntrack |grep dport=80" so I can see which interface it went out from (also tell me which one you expected it to go out from).

Also the output of ip tables using this command:
iptables -t mangle -L -n -v

That's all I can think of for now.
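A small helper for the conntrack check just described, added here as an example and not part of the thread: it reads `/proc/net/ip_conntrack` lines and reports which WAN address each flow was NATted to, so the uplink a connection actually used is visible at a glance. The WAN addresses are the ones from the routing tables wcastillo posted above; the conntrack entries are constructed, and the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the thread: answer wcastillo's "which interface
# did it go out from?" question from /proc/net/ip_conntrack. The WAN addresses
# follow his routing tables above; the conntrack entries are constructed.

WAN_IP=${WAN_IP:-66.93.89.7}        # static line, table 100 (eth0.1)
WAN2_IP=${WAN2_IP:-67.10.201.119}   # dhcp line,  table 200 (eth0.2)

# Constructed sample in the 2.4 /proc/net/ip_conntrack layout. The first
# src=/dst= pair is the original direction, the second the reply direction;
# after MASQUERADE the reply dst= is the WAN address the flow left through.
SAMPLE_CONNTRACK='tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=203.0.113.5 sport=49152 dport=80 src=203.0.113.5 dst=66.93.89.7 sport=80 dport=49152 [ASSURED] use=1
tcp      6 300 ESTABLISHED src=192.168.1.10 dst=203.0.113.9 sport=49153 dport=25 src=203.0.113.9 dst=66.93.89.7 sport=25 dport=49153 [ASSURED] use=1
tcp      6 431999 ESTABLISHED src=192.168.1.11 dst=203.0.113.5 sport=49154 dport=80 src=203.0.113.5 dst=67.10.201.119 sport=80 dport=49154 [ASSURED] use=1
udp      17 29 src=192.168.1.12 dst=203.0.113.53 sport=5000 dport=53 src=203.0.113.53 dst=67.10.201.119 sport=53 dport=5000 use=1'

# flow_egress PORT: print "lan-src -> dst:port via WAN|WAN2|unknown(addr)" for
# every conntrack entry on stdin whose original-direction dport is PORT.
flow_egress() {
    awk -v port="$1" -v wan="$WAN_IP" -v wan2="$WAN2_IP" '
    {
        n = 0; m = 0; split("", src); split("", dst); split("", dport)
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "src")        src[++n] = kv[2]
            else if (kv[1] == "dst")   dst[n] = kv[2]      # dst= follows its src=
            else if (kv[1] == "dport") dport[++m] = kv[2]
        }
        if (m < 2 || dport[1] != port) next
        via = (dst[2] == wan) ? "WAN" : (dst[2] == wan2) ? "WAN2" : "unknown(" dst[2] ")"
        printf "%s -> %s:%s via %s\n", src[1], dst[1], dport[1], via
    }'
}

# count_egress PORT NAME: how many PORT flows on stdin left via NAME (WAN/WAN2).
count_egress() {
    flow_egress "$1" | grep -c -- "via $2\$"
}

# Live use on the router:  cat /proc/net/ip_conntrack | flow_egress 80
printf '%s\n' "$SAMPLE_CONNTRACK" | flow_egress 80
```

A flow reported as "unknown" left with a source address that is neither WAN, which on this setup usually means the mangle rule never marked it and the packet followed the main table instead of table 100 or 200.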

wcastillo wrote:

Can you please enter the output of the following commands:

ip route show table main
ip rule
ip route show table 100
ip route show table  200
ip route show table default

Also, after you try to visit a website, can you post the last few lines of file "cat /proc/net/ip_conntrack |grep dport=80" so I can see which interface it went out from (also tell me which one you expected it to go out from).

Also the output of ip tables using this command:
iptables -t mangle -L -n -v

That's all I can think of for now.

Here it is, but found the problem already also.

root@OpenWrt:~# ip route show table default
root@OpenWrt:~# iptables -t mangle -L -n -v
Chain PREROUTING (policy ACCEPT 474K packets, 419M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 24278 packets, 3915K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 448K packets, 415M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 13901 packets, 2108K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 462K packets, 417M bytes)
 pkts bytes target     prot opt in     out     source               destination
root@OpenWrt:~#

The 'mangle' stayed empty due to missing lines in /etc/init.d/firewall2 configuration.

I copied yours 1 on 1 and I didn't notice the missing part on top:

#!/bin/sh /etc/rc.common
# Copyright (C) 2006 OpenWrt.org

START=50

These were the missing lines. Now it works :-)

THX FOR YOUR GREAT HELP! (hope you can also help with my last questions)

I have only two problems left now.

#1

The network on eth0.1 is 192.168.1.0/24 with default gw 192.168.1.254. There are more clients (2 servers) in that network, but they can't reach 192.168.2.0/24 behind the WRT. The other way around it's reachable when the connection is initiated from the client side. The WRT seems to block traffic somehow instead of allowing/routing the packets.

From a 192.168.1.10 client I can reach 192.168.1.200 (eth0.1 interface on WRT) and 192.168.2.1 (WRT's IP), but not 192.168.2.212

The problem is almost the same as heha's (http://forum.openwrt.org/viewtopic.php?pid=48690#p48690), but the other way around. A server in the same segment as router-1 (router-1 is a NAT router also with a lan segment) can't reach 'my laptop', not even a ping reply. But my laptop can ping the server...

#2

On the box itself it uses the Kernel routes it seems with traceroute or mtr. Is it possible to get this to work by the same rules?

(Last edited by bjck on 5 Jun 2007, 22:50)

Glad you got it working.  Sorry for the missing lines if I didn't include them, I thought it was a given. 

For problem #1, I think it's a matter of adding a few forward lines in iptables.  From your issue, I can't determine if you have two routers, or just one with separate "lan" and "wlan".  If it's just one router, I believe all you need to do is:

iptables -A FORWARD -i $LAN -o $WLAN -j ACCEPT   (where $LAN is your "lan" interface, and $WLAN is your "wlan" or what ever wireless interface you have defined.)
iptables -A FORWARD -i $WLAN -o $LAN -j ACCEPT   (where $LAN is your "lan" interface, and $WLAN is your "wlan" or what ever wireless interface you have defined.)
-or-
iptables -A FORWARD -s 192.168.1.0/24 -d 192.168.2.0/24 -j ACCEPT
iptables -A FORWARD -s 192.168.2.0/24 -d 192.168.1.0/24 -j ACCEPT

If I have misunderstood, a diagram with the routers and ports, and clients would be helpful.  If you actually have two routers and they both do NAT, then you won't be able to ping the clients behind the router that is doing the natting unless you set up special forward rules.

For problem #2, I am not sure of the what you are asking.... if you mean, can the router it self be setup to use the routing rules that you want like, route all web traffic through the cable line, yes, I believe you can accomplish that by the use of iptables.

iptables -t mangle -I PREROUTING -s 127.0.0.1 -d 62.69.184.129 -j MARK --set-mark 0x100
-or-
iptables -t mangle -I PREROUTING -i lo -d 62.69.184.129 -j MARK --set-mark 0x100

Basically you would want to route by either the source ip of the router "127.0.0.1" or the local interface of the router "lo", the "br-lan" interface is only for the client connected to the router I believe, and not the router itself.


Again, I apologize if I misunderstood your questions.

Thx!

iptables -A FORWARD -s 192.168.1.0/24 -d 192.168.2.0/24 -j ACCEPT
iptables -A FORWARD -s 192.168.2.0/24 -d 192.168.1.0/24 -j ACCEPT

This did the trick to make 192.168.2.0/24 reachable from a client in 192.168.1.0/24.

The discussion might have continued from here.