OpenWrt Forum Archive

Topic: mwan3; multi-wan policy routing (general topic)

The content of this topic has been archived between 22 May 2013 and 6 May 2018. Unfortunately there are posts – most likely complete pages – missing.

Dear Forum-Experts,

I want to make use of mwan3 to simply offer IP services via openvpn. I upgraded from individual scripts on Attitude Adjustment to mwan3 on Chaos Calmer (TP-Link WDR4300). But unfortunately all I see is that all my traffic simply goes out via the gateway with the lowest metric.

Here is what I'm trying to achieve:
OpenWrt is behind an internet router and gets a private IP. It uses this to establish a connection to an OpenVPN Internet provider where I get a small subnet of public IPs. My clients (and servers) should stick with their private IPs. But if services are accessed from outside, then my hope was that, via the conntrack mechanism, the answer goes out via the route it came in on.
Also I tried to set fixed rules but it seems they also have no effect.

Interfaces are up and I can selectively ping the outside world with each one. Also mwan3 (v 1.6.2) shows no errors or warnings. The peculiarity of my setup is that I don't have WAN interfaces, since the router serves in the same subnet as the public internet router. I'm using the LAN interface for getting an internal IP and also for establishing the OpenVPN connection.

Can anybody please help me? I've invested so many hours without solving this that I'm now so desperate that I would even pay some bucks for help...

Thanks

Hi guys,

I am using mwan3 to set up a failover between my two ISPs, one of which is a fixed landline broadband connection, but it is not that reliable; the second one is a 4G mobile connection (an external modem plugged in via Ethernet), but it has a low data limit.

However, when I access facebook, twitter and whatsapp (except VoIP) through this interface, this data does not count against my data usage at all.

I need to save this mobile connection's data, to be used only when my first ISP is out of service.

My idea:
I will put all my facebook/whatsapp use on this mobile interface, and save the other connection's bandwidth for other services. To accomplish that I enabled 'dns to syslog' and grepped all the requests into a text file, then summarized this file into a list to configure an ipset like this:

ipset=/facebook.com/facebook.net/fbcdn-creative-a.akamaihd.net/fbcdn-dragon-a.akamaihd.net/fbcdn-photos-a-a.akamaihd.net/fbcdn-photos-b-a.akamaihd.net/fbcdn-photos-c-a.akamaihd.net/fbcdn-photos-d-a.akamaihd.net/fbcdn-photos-e-a.akamaihd.net/fbcdn-photos-f-a.akamaihd.net/fbcdn-photos-g-a.akamaihd.net/fbcdn-photos-h-a.akamaihd.net/fbcdn-profile-a.akamaihd.net/fbcdn-sphotos-a-a.akamaihd.net/fbcdn-sphotos-b-a.akamaihd.net/fbcdn-sphotos-c-a.akamaihd.net/fbcdn-sphotos-d-a.akamaihd.net/fbcdn-sphotos-e-a.akamaihd.net/fbcdn-sphotos-f-a.akamaihd.net/fbcdn-sphotos-g-a.akamaihd.net/fbcdn-sphotos-h-a.akamaihd.net/fbcdn-video-a-a.akamaihd.net/fbcdn-video-b-a.akamaihd.net/fbcdn-video-c-a.akamaihd.net/fbcdn-video-d-a.akamaihd.net/fbcdn-video-e-a.akamaihd.net/fbcdn-video-f-a.akamaihd.net/fbcdn-video-g-a.akamaihd.net/fbcdn-video-h-a.akamaihd.net/fbcdn-video-i-a.akamaihd.net/fbcdn-video-j-a.akamaihd.net/fbcdn-video-k-a.akamaihd.net/fbcdn-video-l-a.akamaihd.net/fbcdn-video-m-a.akamaihd.net/fbcdn-video-n-a.akamaihd.net/fbcdn-video-o-a.akamaihd.net/fbcdn-video-p-a.akamaihd.net/fbcdn-vthumb-a.akamaihd.net/fbcdn.net/fbexternal-a.akamaihd.net/fbstatic-a.akamaihd.net/facebook

Yeah, I got 47 DNS entries, but it won't work: my dnsmasq fails miserably to start and my clients can't get a valid IP anymore.

So what is the maximum number of domains I could add to a single ipset hash?

Is the right way to get around this limit to divide the list into a few ipsets (fb1, fb2, fb3 and so on) and replicate them in the mwan3 rules?

Is there any way I could grab fbstatic* and/or fbcdn* instead of *.facebook.com?

Do you know if it is secure to get akamaihd.net? I mean, it is a CDN provider, and it could provide storage to a lot of other services. How could I select only true facebook traffic for this interface?

(Last edited by rafareino on 24 Mar 2016, 01:38)

Hello guys,

I would like to use mwan3 to load balance between 2 ISPs (DSL and WIFI provider). WIFI provider is connected to the WAN physical interface and it is port 4 in vswitch, interface is called eth1. DSL provider is connected to the PORT4 physical interface and it is port 0 in vswitch, interface is called eth0.2. I named this interface wan2 and I have assigned it to the same FW rules as wan.

I'm connected to both ISPs with static addresses wan2: 192.168.2.2 and wan 10.78.4.152.

My problem is that wan2 is always offline and I don't know why. The IP I'm using is 100% valid, because when I test it on my laptop I can connect to the Internet.

I'm providing you with the output of the troubleshooting page below.

Any hint would be very helpful.

Thanks, Bufo

UPDATE #1: my vlan2 is wrongly configured. I can't ping its default GW 192.168.2.1. I think the interface eth0.2 is badly configured or my router LINKSYS WRT-160NL doesn't support it.

Software versions : 

OpenWrt - OpenWrt Chaos Calmer 15.05
LuCI - git-15.248.30277-3836b45

mwan3 - 1.6-2
mwan3-luci - 1.4-3

Output of "cat /etc/config/mwan3" : 

config interface 'wan'
    option enabled '1'
    option reliability '2'
    option count '1'
    option timeout '2'
    option interval '5'
    option down '3'
    option up '8'
    list track_ip '8.8.8.8'
    list track_ip '8.8.4.4'

config interface 'wan2'
    option reliability '1'
    option count '1'
    option timeout '2'
    option interval '5'
    option down '3'
    option up '8'
    option enabled '1'
    list track_ip '8.8.8.8'
    list track_ip '8.8.4.4'

config member 'wan_m1_w3'
    option interface 'wan'
    option metric '1'
    option weight '3'

config member 'wan_m2_w3'
    option interface 'wan'
    option metric '2'
    option weight '3'

config member 'wan2_m1_w2'
    option interface 'wan2'
    option metric '1'
    option weight '2'

config member 'wan2_m2_w2'
    option interface 'wan2'
    option metric '2'
    option weight '2'

config policy 'wan_only'
    list use_member 'wan_m1_w3'

config policy 'wan2_only'
    list use_member 'wan2_m1_w2'

config policy 'balanced'
    list use_member 'wan_m1_w3'
    list use_member 'wan2_m1_w2'

config policy 'wan_wan2'
    list use_member 'wan_m1_w3'
    list use_member 'wan2_m2_w2'

config policy 'wan2_wan'
    list use_member 'wan_m2_w3'
    list use_member 'wan2_m1_w2'

config rule 'youtube'
    option sticky '1'
    option ipset 'youtube'
    option dest_port '80,443'
    option proto 'tcp'
    option use_policy 'balanced'

config rule 'https'
    option sticky '1'
    option dest_port '443'
    option proto 'tcp'
    option use_policy 'balanced'

config rule 'default_rule'
    option dest_ip '0.0.0.0/0'
    option use_policy 'balanced'

Output of "cat /etc/config/network" : 

config interface 'loopback'
    option ifname 'lo'
    option proto 'static'
    option ipaddr '127.0.0.1'
    option netmask '255.0.0.0'

config globals 'globals'
    option ula_prefix 'fd93:c8ca:ca56::/48'

config interface 'lan'
    option ifname 'eth0'
    option force_link '1'
    option type 'bridge'
    option proto 'static'
    option ipaddr '192.168.1.1'
    option netmask '255.255.255.0'
    option delegate '0'
    option dns '8.8.8.8 8.8.4.4'

config interface 'wan'
    option ifname 'eth1'
    option _orig_ifname 'eth1'
    option _orig_bridge 'false'
    option proto 'static'
    option delegate '0'
    option ipaddr '10.78.4.152'
    option netmask '255.255.0.0'
    option gateway '10.78.255.10'
    option broadcast '10.78.255.255'
    option dns '8.8.8.8 8.8.4.4'
    option metric '10'

config switch
    option name 'switch0'
    option reset '1'
    option enable_vlan '1'

config switch_vlan
    option device 'switch0'
    option vlan '1'
    option vid '1'
    option ports '4 5t'

config switch_vlan
    option device 'switch0'
    option vlan '2'
    option vid '2'
    option ports '0 5t'

config interface 'wan2'
    option proto 'static'
    option ifname 'eth0.2'
    option ipaddr '192.168.2.2'
    option netmask '255.255.255.0'
    option gateway '192.168.2.1'
    option dns '8.8.8.8 8.8.4.4'
    option delegate '0'
    option metric '20'

Output of "ifconfig" : 

br-lan    Link encap:Ethernet  HWaddr 00:01:36:22:7E:F1  
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::201:36ff:fe22:7ef1/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:13935 errors:0 dropped:4 overruns:0 frame:0
          TX packets:12985 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:5822629 (5.5 MiB)  TX bytes:6847588 (6.5 MiB)

eth0      Link encap:Ethernet  HWaddr 00:01:36:22:7E:F1  
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1031 errors:0 dropped:4 overruns:0 frame:0
          TX packets:1357 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:120255 (117.4 KiB)  TX bytes:211988 (207.0 KiB)
          Interrupt:4 

eth0.2    Link encap:Ethernet  HWaddr 00:01:36:22:7E:F1  
          inet addr:192.168.2.2  Bcast:192.168.2.255  Mask:255.255.255.0
          inet6 addr: fe80::201:36ff:fe22:7ef1/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:382 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:0 (0.0 B)  TX bytes:16488 (16.1 KiB)

eth1      Link encap:Ethernet  HWaddr 00:01:36:22:7E:F2  
          inet addr:10.78.4.152  Bcast:10.78.255.255  Mask:255.255.0.0
          inet6 addr: fe80::201:36ff:fe22:7ef2/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:12991 errors:0 dropped:17 overruns:0 frame:0
          TX packets:12226 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:6042861 (5.7 MiB)  TX bytes:5827385 (5.5 MiB)
          Interrupt:5 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:337 errors:0 dropped:0 overruns:0 frame:0
          TX packets:337 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:23279 (22.7 KiB)  TX bytes:23279 (22.7 KiB)

wlan0     Link encap:Ethernet  HWaddr 00:01:36:22:7E:F1  
          inet6 addr: fe80::201:36ff:fe22:7ef1/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:13567 errors:0 dropped:0 overruns:0 frame:0
          TX packets:13346 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:6034402 (5.7 MiB)  TX bytes:7117549 (6.7 MiB)

Output of "route -n" : 

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.78.255.10    0.0.0.0         UG    10     0        0 eth1
0.0.0.0         192.168.2.1     0.0.0.0         UG    20     0        0 eth0.2
10.78.0.0       0.0.0.0         255.255.0.0     U     10     0        0 eth1
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 br-lan
192.168.2.0     0.0.0.0         255.255.255.0   U     20     0        0 eth0.2

Output of "ip rule show" : 

0:    from all lookup 128 
1:    from all lookup local 
1001:    from all iif eth1 lookup main 
1002:    from all iif eth0.2 lookup main 
2001:    from all fwmark 0x100/0xff00 lookup 1 
2002:    from all fwmark 0x200/0xff00 lookup 2 
2253:    from all fwmark 0xfd00/0xff00 blackhole
2254:    from all fwmark 0xfe00/0xff00 unreachable
32766:    from all lookup main 
32767:    from all lookup default

Output of "ip route list table 1-250" : 

1
default via 10.78.255.10 dev eth1 
2
default via 192.168.2.1 dev eth0.2

Firewall default output policy (must be ACCEPT) : 

ACCEPT

Output of "iptables -L -t mangle -v -n" : 

Chain PREROUTING (policy ACCEPT 300 packets, 132K bytes)
 pkts bytes target     prot opt in     out     source               destination         
  367  152K mwan3_hook  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  300  132K fwmark     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain INPUT (policy ACCEPT 85 packets, 7620 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 214 packets, 124K bytes)
 pkts bytes target     prot opt in     out     source               destination         
  214  124K mssfix     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 133 packets, 37011 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  145 37771 mwan3_hook  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain POSTROUTING (policy ACCEPT 347 packets, 161K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain fwmark (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain mssfix (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    3   180 TCPMSS     tcp  --  *      eth1    0.0.0.0/0            0.0.0.0/0            tcp flags:0x06/0x02 /* wan (mtu_fix) */ TCPMSS clamp to PMTU
   13   720 TCPMSS     tcp  --  *      eth0.2  0.0.0.0/0            0.0.0.0/0            tcp flags:0x06/0x02 /* wan2 (mtu_fix) */ TCPMSS clamp to PMTU

Chain mwan3_connected (2 references)
 pkts bytes target     prot opt in     out     source               destination         
  151 18648 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set mwan3_connected dst MARK or 0xff00

Chain mwan3_hook (2 references)
 pkts bytes target     prot opt in     out     source               destination         
  512  190K CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0            CONNMARK restore mask 0xff00
   38  2181 mwan3_ifaces  all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0xff00
   35  1897 mwan3_connected  all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0xff00
   29  1468 mwan3_track  all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0xff00
   13   956 mwan3_rules  all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0xff00
  512  190K CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0            CONNMARK save mask 0xff00
  343  153K mwan3_connected  all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match ! 0xff00/0xff00

Chain mwan3_iface_wan (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    3   284 MARK       all  --  eth1   *       0.0.0.0/0            0.0.0.0/0            match-set mwan3_connected src mark match 0x0/0xff00 /* default */ MARK or 0xff00
    0     0 MARK       all  --  eth1   *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0xff00 /* wan */ MARK xset 0x100/0xff00

Chain mwan3_iface_wan2 (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MARK       all  --  eth0.2 *       0.0.0.0/0            0.0.0.0/0            match-set mwan3_connected src mark match 0x0/0xff00 /* default */ MARK or 0xff00
    0     0 MARK       all  --  eth0.2 *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0xff00 /* wan2 */ MARK xset 0x200/0xff00

Chain mwan3_ifaces (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   38  2181 mwan3_iface_wan  all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0xff00
   33  1833 mwan3_iface_wan2  all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0xff00

Chain mwan3_policy_balanced (3 references)
 pkts bytes target     prot opt in     out     source               destination         
    4   350 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0xff00 statistic mode random probability 0.39999999991 /* wan2 2 5 */ MARK xset 0x200/0xff00
    6   442 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0xff00 /* wan 3 3 */ MARK xset 0x100/0xff00

Chain mwan3_policy_wan2_only (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0xff00 /* wan2 2 2 */ MARK xset 0x200/0xff00

Chain mwan3_policy_wan2_wan (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0xff00 /* wan2 2 2 */ MARK xset 0x200/0xff00

Chain mwan3_policy_wan_only (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0xff00 /* wan 3 3 */ MARK xset 0x100/0xff00

Chain mwan3_policy_wan_wan2 (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0xff00 /* wan 3 3 */ MARK xset 0x100/0xff00

Chain mwan3_rule_https (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    5   276 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0xff00 MARK xset 0x200/0xff00
    2   112 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ! match-set mwan3_sticky_https src,src MARK and 0xffff00ff
    2   112 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0xff00 MARK xset 0x100/0xff00
    2   112 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ! match-set mwan3_sticky_https src,src MARK and 0xffff00ff
    2   112 mwan3_policy_balanced  all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0xff00
    5   276 SET        all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match ! 0xfc00/0xfc00 del-set mwan3_sticky_https src,src
    5   276 SET        all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match ! 0xfc00/0xfc00 add-set mwan3_sticky_https src,src

Chain mwan3_rule_youtube (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0xff00 MARK xset 0x200/0xff00
    0     0 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ! match-set mwan3_sticky_youtube src,src MARK and 0xffff00ff
    0     0 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0xff00 MARK xset 0x100/0xff00
    0     0 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ! match-set mwan3_sticky_youtube src,src MARK and 0xffff00ff
    0     0 mwan3_policy_balanced  all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0xff00
    0     0 SET        all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match ! 0xfc00/0xfc00 del-set mwan3_sticky_youtube src,src
    0     0 SET        all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match ! 0xfc00/0xfc00 add-set mwan3_sticky_youtube src,src

Chain mwan3_rules (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 mwan3_rule_youtube  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set youtube dst multiport sports 0:65535 multiport dports 80,443 mark match 0x0/0xff00 /* youtube */
    5   276 mwan3_rule_https  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport sports 0:65535 multiport dports 443 mark match 0x0/0xff00 /* https */
    8   680 mwan3_policy_balanced  all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0xff00 /* default_rule */

Chain mwan3_track (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   16   512 MARK       icmp --  *      *       0.0.0.0/0            0.0.0.0/0            match-set mwan3_track_wan dst icmptype 8 length 32 MARK or 0xff00
   14   448 MARK       icmp --  *      *       0.0.0.0/0            0.0.0.0/0            match-set mwan3_track_wan2 dst icmptype 8 length 32 MARK or 0xff00

(Last edited by bufooo132 on 26 Mar 2016, 17:05)
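The mwan3_policy_balanced chain in the mangle output above shows how mwan3 turns member weights into statistic matches: the first rule carries "statistic mode random probability 0.4" with the comment "wan2 2 5" (weight 2 out of a remaining 5), and the last member is marked unconditionally. As an added example, not code from mwan3 or from the poster, this Python reproduces that construction and the per-interface share it yields; the interface marks 0x100 and 0x200 are taken from the posted "ip rule show" output.

```python
"""Reproduce the statistic-match chain mwan3 builds for a balanced policy.

Added example (not mwan3's own code).  Member weights and interface marks are
taken from the posted config and the 'ip rule show' output: wan -> 0x100,
wan2 -> 0x200, and the 'balanced' policy uses wan (weight 3) and wan2 (weight 2).
"""
from fractions import Fraction

# Members of the 'balanced' policy, in the order they appear in the
# mwan3_policy_balanced chain of the posted mangle table.
BALANCED_MEMBERS = [("wan2", 2), ("wan", 3)]

# fwmark each interface gets in the 0xff00 field (from the posted 'ip rule show').
IFACE_MARK = {"wan": 0x100, "wan2": 0x200}


def statistic_rules(members):
    """One entry per MARK rule in chain order: (iface, weight, remaining, probability).

    Every rule but the last matches with '-m statistic --mode random
    --probability weight/remaining', where 'remaining' is the summed weight of
    this member and all members after it; the last rule matches unconditionally
    (probability None).  This is what the '/* wan2 2 5 */' comment records.
    """
    rules = []
    remaining = sum(weight for _, weight in members)
    for index, (iface, weight) in enumerate(members):
        last = index == len(members) - 1
        probability = None if last else Fraction(weight, remaining)
        rules.append((iface, weight, remaining, probability))
        remaining -= weight
    return rules


def effective_share(members):
    """Fraction of new connections that end up on each interface.

    A packet only reaches rule N if rules 1..N-1 failed their random match, so
    the share is the product of the earlier misses and this rule's hit chance.
    """
    share = {}
    not_yet_marked = Fraction(1)
    for iface, _, _, probability in statistic_rules(members):
        hit = Fraction(1) if probability is None else probability
        share[iface] = not_yet_marked * hit
        not_yet_marked *= 1 - hit
    return share


def render_iptables(policy, members):
    """iptables commands equivalent to the posted mwan3_policy_<policy> chain."""
    lines = []
    for iface, weight, remaining, probability in statistic_rules(members):
        parts = [f"iptables -t mangle -A mwan3_policy_{policy}",
                 "-m mark --mark 0x0/0xff00"]
        if probability is not None:
            parts.append(f"-m statistic --mode random --probability {float(probability)}")
        parts.append(f'-m comment --comment "{iface} {weight} {remaining}"')
        parts.append(f"-j MARK --set-xmark {IFACE_MARK[iface]:#x}/0xff00")
        lines.append(" ".join(parts))
    return lines


if __name__ == "__main__":
    for line in render_iptables("balanced", BALANCED_MEMBERS):
        print(line)
    for iface, share in effective_share(BALANCED_MEMBERS).items():
        print(f"{iface}: {share} of new connections")
```

The shares come out as weight/total (2/5 and 3/5), which is why the chain can use a decreasing "remaining" total rather than the full one on every rule.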

mwan3 1.6.3 is perfect! However, I run 2.0.2 on Trunk and found that the same configuration as on 1.6.3 had different performance (I set up an ipset for 6,000 nets and use the ipset as a selection; some of them took unexpected routes). Is there any further development plan for mwan3 on Trunk, or should I wait until official DD is released?

(Last edited by muronghan on 9 Apr 2016, 04:23)

Hi, does anyone else have problems with youtube not using the correct route? For some reason youtube uses my default route wan1 rather than load balancing it on wan2 and wan3; the only way to force it to use wan2 or wan3 is to shut down the wan1 connection, after which the video loads after 5-10 seconds and starts playing. Twitch and other video streaming sites work just fine; is there something hardcoded for youtube in mwan3?

Jaska wrote:

Hi, does anyone else have problems with youtube not using the correct route? For some reason youtube uses my default route wan1 rather than load balancing it on wan2 and wan3; the only way to force it to use wan2 or wan3 is to shut down the wan1 connection, after which the video loads after 5-10 seconds and starts playing. Twitch and other video streaming sites work just fine; is there something hardcoded for youtube in mwan3?

Do you use ipset as the screening condition to force youtube.com to go through wan2 or wan3? And what version of mwan3 is currently installed?

muronghan wrote:

Do you use ipset as the screening condition to force youtube.com to go through wan2 or wan3? And what version of mwan3 is currently installed?

I balance everything on ports 80,443. Using ipset makes no difference; I only use ipset to filter some sites that do not work correctly with load balancing (session gets reset or logged out etc.). I have a strong feeling that somehow my wan1 ISP's cache servers are responsible for overriding my route, thus forcing it to use wan1 instead of wan2 & wan3.

Currently using mwan3 - 1.6-2
Chaos Calmer

Hi everybody,
I used mwan3 with wan (wired) and wan2 (repeater from wifi). I checked, and "mwan3 status" was okay.
On my router I had some SSIDs as AP and a repeater wifi (sta). If there is wifi for the router, then the router works OK; if the wifi is lost, the router cannot broadcast wifi (the wifi LED turns on but searching finds nothing).
Then I have to remove the repeater wifi, and the router broadcasts wifi as normal.
Does this happen because the router cannot find the wifi for wan2?
Is there a way to make the router broadcast wifi even when there is no wifi for the router to join?
For example:
wireless file:
config wifi-device 'radio0'
    option type 'mac80211'
    option hwmode '11g'
    option path 'platform/ar933x_wmac'
    option htmode 'HT20'
    option disabled '0'
    option country 'US'
    option channel '1'
    option txpower '18'

config wifi-iface
    option device 'radio0'
    option mode 'ap'
    option encryption 'none'
    option ssid 'QW'
    option network 'QW'

config wifi-iface
    option network 'wan2'
    option ssid 'ensure'
    option encryption 'psk2'
    option device 'radio0'
    option mode 'sta'
    option bssid 'C4:6E:1F:A1:1C:EC'
    option key '7536912345@02s'

Then:
If the SSID "ensure" is not present (no wifi named "ensure"),
the router starts with no wifi (searching finds nothing).
For wifi to appear I have to turn on a wifi named "ensure" or have a wireless file like this:
config wifi-device 'radio0'
    option type 'mac80211'
    option hwmode '11g'
    option path 'platform/ar933x_wmac'
    option htmode 'HT20'
    option disabled '0'
    option country 'US'
    option channel '1'
    option txpower '18'

config wifi-iface
    option device 'radio0'
    option mode 'ap'
    option encryption 'none'
    option ssid 'QW'
    option network 'QW'

(Last edited by dktn on 22 Apr 2016, 14:47)

Hi

Could you tell me how to find out the local network IP of my two modems? The OpenWrt router has IP http://192.168.1.1.

mwan diagnostics:

ping -c 3 -W 2 -I l2tp-l2tp 10.10.10.1

PING 10.10.10.1 (10.10.10.1): 56 data bytes

--- 10.10.10.1 ping statistics ---
3 packets transmitted, 0 packets received, 100% packet loss

but if I run ping -c 3 -W 2 10.10.10.1 from the console then I get replies from 10.10.10.1

Hi,

I'm struggling with the setup for my openvpn connection. I want all IP addresses from 192.168.1.128 and higher to use the VPN connection, and all below to use my normal ISP.

So I set up an interface for the VPN and a firewall zone. Still, even though I can ping through the tun0 interface created by the openvpn connection, I am unable to send data through it. Do you have any ideas for me?

root@OpenWrt:~# ping -I tun0 www.google.com
PING www.google.com (217.175.200.123): 56 data bytes
64 bytes from 217.175.200.123: seq=0 ttl=53 time=92.861 ms
64 bytes from 217.175.200.123: seq=1 ttl=53 time=115.204 ms
64 bytes from 217.175.200.123: seq=2 ttl=53 time=90.738 ms
64 bytes from 217.175.200.123: seq=3 ttl=53 time=97.583 ms
64 bytes from 217.175.200.123: seq=4 ttl=53 time=86.359 ms
^C
--- www.google.com ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 86.359/96.549/115.204 ms
root@OpenWrt:~# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.8.1     0.0.0.0         UG    0      0        0 eth0
default         172.16.32.1     0.0.0.0         UG    20     0        0 tun0
172.16.32.0     *               255.255.240.0   U     0      0        0 tun0
192.168.1.0     *               255.255.255.240 U     10     0        0 br-lan
192.168.1.128   *               255.255.255.240 U     20     0        0 br-vpn_2
192.168.8.0     *               255.255.255.0   U     0      0        0 eth0
192.168.8.1     *               255.255.255.255 UH    0      0        0 eth0
root@OpenWrt:~# cat /etc/config/mwan3 

config multiwan 'config'
    option default_route 'wan'
    option enabled '1'

config interface 'wan'
    option enabled '1'
    list track_ip '8.8.4.4'
    list track_ip '8.8.8.8'
    list track_ip '208.67.222.222'
    list track_ip '208.67.220.220'
    option reliability '2'
    option count '1'
    option timeout '2'
    option interval '5'
    option down '3'
    option up '8'

config interface 'wan6'
    option enabled '1'
    list track_ip '8.8.4.4'
    list track_ip '8.8.8.8'
    list track_ip '208.67.222.222'
    list track_ip '208.67.220.220'
    option reliability '2'
    option count '1'
    option timeout '2'
    option interval '5'
    option down '3'
    option up '8'

config interface 'vpn_2'
    option enabled '1'
    list track_ip '8.8.4.4'
    list track_ip '8.8.8.8'
    list track_ip '208.67.222.222'
    list track_ip '208.67.220.220'
    option reliability '2'
    option count '1'
    option timeout '2'
    option interval '5'
    option down '3'
    option dns '8.8.8.8 8.8.4.4'
    option up '8'

config member 'wanm'
    option interface 'wan'
    option metric '10'
    option weight '1'

config member 'wan6m'
    option interface 'wan6'
    option metric '10'
    option weight '1'

config member 'vpn_2m'
    option interface 'vpn_2'
    option metric '20'
    option weight '3'

config policy 'vpn_only'
    list use_member 'vpn_2m'

config policy 'novpn_only'
    list use_member 'wanm'
    list use_member 'wan6m'

config rule 'vpn_rule2'
    option src_ip '192.168.1.128/28'
    option use_policy 'vpn_only'

config rule 'novpn_rule'
    option src_ip '192.168.1.1/28'
    option use_policy 'novpn_only'

config rule 'default_vpn'
    option dest_ip '0.0.0.0/0'
    option use_policy 'vpn_only'

config rule 'default_rule'
    option dest_ip '0.0.0.0/0'
    option use_policy 'novpn_only'

Do I need these two last default rules? I don't, or do I?

root@OpenWrt:~# cat /etc/config/network 

config interface 'loopback'
    option ifname 'lo'
    option proto 'static'
    option ipaddr '127.0.0.1'
    option netmask '255.0.0.0'

config globals 'globals'
    option ula_prefix 'fd19:0eef:8ebd::/48'

config interface 'lan'
    option force_link '1'
    option type 'bridge'
    option proto 'static'
    option ipaddr '192.168.1.1'
    option ip6assign '60'
    option _orig_ifname 'eth1 wlan0 wlan1-1'
    option _orig_bridge 'true'
    option metric '10'
    option dns '8.8.8.8'
    option ifname 'eth1'
    option netmask '255.255.255.240'

config interface 'wan'
    option ifname 'eth0'
    option proto 'dhcp'

config interface 'wan6'
    option ifname 'eth0'
    option proto 'dhcpv6'

config switch
    option name 'switch0'
    option reset '1'
    option enable_vlan '1'

config switch_vlan
    option device 'switch0'
    option vlan '1'
    option ports '0 2 3 4 5'

config switch_vlan
    option device 'switch0'
    option vlan '2'
    option ports '1 6'

config interface 'vpn_2'
    option _orig_ifname 'wlan1'
    option _orig_bridge 'false'
    option proto 'static'
    option type 'bridge'
    option ipaddr '192.168.1.128'
    option metric '20'
    option macaddr '60:E3:27:2F:9E:45'
    option dns '8.8.8.8'
    option netmask '255.255.255.240'
root@OpenWrt:~# cat /etc/config/firewall 

config defaults
    option syn_flood '1'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'

config zone
    option name 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'
    option network 'lan vpn_5 novpn_2 novpn_5'

config zone
    option name 'wan'
    option input 'REJECT'
    option output 'ACCEPT'
    option masq '1'
    option mtu_fix '1'
    option network 'wan wan6'
    option forward 'REJECT'

config forwarding
    option src 'lan'
    option dest 'wan'

config rule
    option name 'Allow-DHCP-Renew'
    option src 'wan'
    option proto 'udp'
    option dest_port '68'
    option target 'ACCEPT'
    option family 'ipv4'

config rule
    option name 'Allow-Ping'
    option src 'wan'
    option proto 'icmp'
    option icmp_type 'echo-request'
    option family 'ipv4'
    option target 'ACCEPT'

config rule
    option name 'Allow-IGMP'
    option src 'wan'
    option proto 'igmp'
    option family 'ipv4'
    option target 'ACCEPT'

config rule
    option name 'Allow-DHCPv6'
    option src 'wan'
    option proto 'udp'
    option src_ip 'fe80::/10'
    option src_port '547'
    option dest_ip 'fe80::/10'
    option dest_port '546'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-MLD'
    option src 'wan'
    option proto 'icmp'
    option src_ip 'fe80::/10'
    list icmp_type '130/0'
    list icmp_type '131/0'
    list icmp_type '132/0'
    list icmp_type '143/0'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-ICMPv6-Input'
    option src 'wan'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    list icmp_type 'router-solicitation'
    list icmp_type 'neighbour-solicitation'
    list icmp_type 'router-advertisement'
    list icmp_type 'neighbour-advertisement'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-ICMPv6-Forward'
    option src 'wan'
    option dest '*'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

config include
    option path '/etc/firewall.user'

config rule
    option src 'wan'
    option dest 'lan'
    option proto 'esp'
    option target 'ACCEPT'

config rule
    option src 'wan'
    option dest 'lan'
    option dest_port '500'
    option proto 'udp'
    option target 'ACCEPT'

config zone
    option name 'vpn_zone'
    option masq '1'
    option output 'ACCEPT'
    option input 'ACCEPT'
    option forward 'ACCEPT'
    option network 'vpn_2'

config forwarding
    option dest 'lan'
    option src 'vpn_zone'

config forwarding
    option dest 'vpn_zone'
    option src 'lan'

I can connect to the vpn_2 interface, however I'm unable to browse the web, as the traffic seems not to be routed through. I just don't get why, hmm.

I also tried to forward the packets via custom iptables rules.

iptables -I FORWARD -i br-lan -o tun0 -j REJECT
iptables -I FORWARD -s 192.168.1.128/28 -o tun0 -j ACCEPT
iptables -t nat -I POSTROUTING -o tun0  -j MASQUERADE

Without success. Can someone give me a hint there, please?

Hi Everyone,
I have an OpenWrt router with mwan3 and OpenVPN.

My LAN IP is 194.176.77.xx and with OpenVPN I can reach the network 192.176.77.xx,
but my problem is that I have to redirect all traffic with destination 192.168.32.8 through the gateway 192.176.77.245.
Can anyone help with how to do that?
With iptables, or port forwarding, or something else?
Thank you for helping.

marco_silva85 wrote:

Hi Adze, first thanks for developing mwan3.
I have installed it (1.6-2) on my TL-WR842ND which has two service providers: wan and wan2, each capable of 8Mbps. I am also in control of both of these providers (they also run openwrt). Network metric is set to 10 and 20 respectively, and mwan3 is working with both, I tested with ping on each interface, checking that I have two different public IPs (refreshing a http page) and also by unplugging (fail test).

The problem: Balancing policy (60%,40%) or my weightFair (50%,50%) only send traffic mostly to just one wan, the other remains underused, and I can only flow traffic up to 8Mbps instead of double - I've tested with bittorrent. I did check that yes, both wan members of balancing policies have the same mwan3 metric of 1 (although network metric is 10 and 20).

Here are my configurations:
http://imgur.com/a/9G5UR
Results of the traffic distribution are in the last two images, captured from inside my service providers.

mwan3 configuration file:
http://pastebin.com/raw/8hTeU5c1

TL-WR842ND
Thanks

An update: more testing came to the same results: OpenWRT CC 15.05.1 with the TL-WR842ND, and also in a TL-WDR3600, one of the most popular here in the forums.

Some strange issue is going on. I still need to try in trunk / LEDE and with mwan3 version 2.0, but it really feels like there's something wrong with mwan3 1.6, and that it's not just me: most of the people using mwan3 may have these results and aren't even aware.

Hi.
Just finished configuring mwan3 on my 1043nd v2, using a cable and a PPPoE VDSL connection as wan & wan2.
I've thought about maybe using the Hotplug Script to force a ddns update when a fail-over occurs, but have no idea where to start.
Any help will be appreciated.

Hi there, I have broken my brain with this issue. I have a TPLINK842 router (white, with 2 removable antennas). My configuration is:

1) WLAN (default)
2) Guest (a wireless LAN with a firewall configuration that denies packets to the default WLAN)
3) WAN1 (the default WAN port of my router, connected to a bridged cable modem)
4) WAN2 (a VLAN on one of the switch ports of the router, connected to another OpenWrt router that is connected as a client to my neighbour's router).

The connection runs perfectly when in load balance both connections (WAN1 and WAN2) are green, but when I take down WAN2 (via the second router running in client mode connected to my neighbour) I can't go out via WAN1 and no DNS is recognised, so I have a DNS issue here.

So in load balance, WAN1 is green and WAN2 is red, and I test:

1) PING www.google.com.ar (on my laptop): I can't reach it.
2) PING www.google.com.ar (on the router via SSH): I can't reach it, it reports BAD ADDRESS.

But if I edit /etc/resolv.conf, where I see 2 configured entries, add 8.8.8.8 and 8.8.4.4, and test:

1) PING www.google.com.ar (on my laptop): I can't reach it.
2) PING www.google.com.ar (on the router via SSH): I reach an IP.

But I still have this problem. So in balance mode it works great, but when I use failover it doesn't work, I can't get DNS.

Can you help me?

----

I think I solved this issue by setting Google DNS manually. I will post my configuration. Thank you.

(Last edited by johnnyrampage on 29 Jun 2016, 15:08)

I'm trying to load balance certain sites (facebook, windows update, etc) over a slower (unlimited) 3G internet connection, to save space on my limited 4G data plan. But somehow I can't get ipset to work in combination with mwan3. What am I missing?

I added the following line to /etc/dnsmasq.conf

ipset=/whatsmyip.org/whatismyipaddress.com/wan2 

And this is on top of my mwan3.conf

config rule 'wan2'
    option proto 'all'
    option sticky '0'
    option use_policy 'wan2_only'
    option ipset 'wan2'

If I add an IP range to the rules it works flawlessly.

Hope someone can enlighten me in what I'm doing wrong.

(Last edited by ErwinH on 4 Jul 2016, 14:48)

Hi, I am trying to use this between WAN and a 3G modem. When I manually remove interfaces with ifup / ifdown everything works. But if I remove the WAN cable it's not working. The interfaces won't update, but the output of the "mwan status" command is updated as it should. Is this a problem with hotplug? Should I use a daemon like ifplugd?

(Last edited by sevenseas on 19 Jul 2016, 10:18)

^ This is more like an OpenWrt flaw in general. If you go to Switches, you can see each port's status, whether it's plugged or unplugged, and its speed. Of course no hotplug event is triggered for switch activity; it's as if the port was always up all the time, although if I use a USB Ethernet adapter or a PCI/PCIe Ethernet card, hotplug and even the kernel know that you plugged and unplugged a cable.

This is why there's a thing called tracking: if it fails to ping the tracking IPs, then it will mark the interface down.

I have one more question.  With the following configuration

root@Sevenseas:/etc# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.1.1.254      0.0.0.0         UG    10     0        0 br-wan
0.0.0.0         10.46.36.177    0.0.0.0         UG    20     0        0 3g-ppp
10.1.1.0        0.0.0.0         255.255.255.0   U     10     0        0 br-wan
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 br-lan


config policy 'wan_over_ppp'
        list use_member 'wan1_m1_w1'
        list use_member 'wan2_m10_w1'

config policy 'ppp_over_wan'
        list use_member 'wan2_m1_w1'
        list use_member 'wan1_m10_w1'

config rule 'default_rule'
        option use_policy 'wan_over_ppp'

This works as expected. But when I change the default rule to "ppp_over_wan" and restart mwan3, the communication still goes over the wan interface. But again, mwan3 status outputs the expected results.


Active ipv4 user rules:
    0     0 - ppp_before_wan  all  --  *      *       0.0.0.0/0            0.0.0.0/0

It only starts working after I change the metrics of both the wan and ppp interfaces in the network configuration and restart both of these interfaces.

Is this how it is supposed to work, or should multiwan organize these things on its own, without manually modifying the network configuration etc.?

ErwinH wrote:

I'm trying to load balance certain sites (facebook, windows update, etc) over a slower (unlimited) 3G internet connection, to save space on my limited 4G data plan. But somehow I can't get ipset to work in combination with mwan3. What am I missing?

I added the following line to /etc/dnsmasq.conf

ipset=/whatsmyip.org/whatismyipaddress.com/wan2 

And this is on top of my mwan3.conf

config rule 'wan2'
    option proto 'all'
    option sticky '0'
    option use_policy 'wan2_only'
    option ipset 'wan2'

If I add an IP range to the rules it works flawlessly.

Hope someone can enlighten me in what I'm doing wrong.

First of all, that is the "default" rule that overrides every other rule below it.
You should add an ipset to dnsmasq.conf, "ipset=/facebook.com/windowsupdate.microsoft.com/special", or just microsoft.com to catch all subdomains.
Then add it above the default rule:

config rule '3G_unlimited'
    option proto 'tcp'
    option sticky '0'
    option dest_port '80,443,8530,8531'
    option use_policy 'wan2_only'
    option ipset 'special'

config rule 'default_rule'
    option dest_ip '0.0.0.0/0'
    option proto 'all'
    option sticky '0'
    option use_policy 'wan_only'

The other way to go is to just add wan2 as the default route and add any other special sites you want to use 4G_limited with into the ipset, and make a rule as in the example above (config rule '3G_unlimited'). P.S. ports "8530,8531" are special ones that Windows Update uses.

ALSO AS A SIDENOTE: ipset is not compiled into dnsmasq by default. You need to compile the firmware yourself and add dnsmasq-full from Base system/dnsmasq-full and remove dnsmasq. You'll get errors in the system log about this after starting dnsmasq if it's not compiled in (also it will crash and stop working).

Edit: also you need to restart dnsmasq every time you change the ipsets.

(Last edited by Jaska on 5 Aug 2016, 19:05)

Hi All,

I am new to the mwan3 feature and am using mwan3 version 1.6. I was trying to configure mwan3 with two WANs in equal load-balanced mode. Following are my configuration details:

1. Added two WAN connections under multiwan
2. Assigned the same metric (1) to both WANs
3. Assigned the same weight (1) to both WANs

On the system, "mwan3 status" shows both WANs as online and sharing 50% of the load.

By reading through the forum I understand that mwan3 works based on sessions. From that I am under the impression that if I start two wget sessions from a LAN host PC, the 2 wget sessions should go through two different WAN interfaces, as each shares 50% of the load. Is my assumption valid?

Following are my observations while testing with wget sessions:
1. With only two wget sessions, not every time are both WANs being used, though "mwan3 status" showed both WANs as online at the point of testing.
2. If I keep on starting wget sessions on the LAN PC I can see that some go through one WAN and some others through the other WAN.

From the above two observations, my impression is that load balancing is working, but it is not always 50% for me.

Now regarding this, the following are my questions:
1. Is the weight-based load balancing noticeable for a small number of sessions (e.g. only 2 wget sessions in the above example)?
Or will this be noticeable only if a sufficient number of sessions has been run? (As I saw that mwan3 is using xt_statistics in random probability mode for load balancing.)
2. For the very first wget session, how does it select the WAN through which the traffic should go? Is this random?

I will be highly grateful if anyone can give any idea on this topic.

Thanks in advance.

I have been using mwan3 version 1.5-10 for a while now. One problem that I find consistently happening is that every time my first wan interface goes down while interface wan2 is up, the clients see DNS errors and are not able to resolve domain names, even though they can ping specific internet IPs, which go through wan2 as expected.

The DNS requests still try to resolve the IP via the first wan even if it is down; this should go through wan2 because wan2 is the only online interface, but it is not happening.

In dnsmasq I have specified 8.8.8.8 and 8.8.4.4 as forwardings, but the issue is consistently reproducible. I am not sure, perhaps this is resolved in a newer version of mwan3, but on my router I have OpenWrt Barrier Breaker 14.07 which only allows for mwan3 1.5-10.

(Last edited by code.compile.link on 9 Aug 2016, 11:54)

Hi, I'm new here but a long-time user of OpenWrt and mwan3. I have some questions about mwan3. I configured mwan3 on my TP-Link TL-WDR4300 v1 with OpenWrt Barrier Breaker 14.07 / LuCI Trunk (0.12+svn-r10530) using 3 fiber lines @ 20 Mbps each, load balanced 33% per link. Doing a bandwidth test I got nearly 60 Mbps. But recently I upgraded the 3 fiber lines to 100 Mbps each, so I was expecting to get 300 Mbps during a bandwidth test, but sadly I only get 100 Mbps; I can't go beyond 100 Mbps. I tested each link individually, directly to my computer, and I can get 100 Mbps for each fiber line. Upon checking the realtime graph on my OpenWrt, the traffic graph for each link is @ 33 Mbps or less, maybe because of the load balance value of 33%. I wonder why before, when my links were @ 20 Mbps each, I could utilize the full bandwidth of each 20 Mbps fiber, while now that I'm @ 100 Mbps, I only get 33% of the 100 Mbps of each link. It seems that mwan3 is really limited to 100 Mbps. Please help me find how I can utilize all 3 of my 100 Mbps links, thank you...

code.compile.link wrote:

I have been using mwan3 version 1.5-10 for a while now. One problem that I find consistently happening is that every time my first wan interface goes down while interface wan2 is up, the clients see DNS errors and are not able to resolve domain names, even though they can ping specific internet IPs, which go through wan2 as expected.

The DNS requests still try to resolve the IP via the first wan even if it is down; this should go through wan2 because wan2 is the only online interface, but it is not happening.

In dnsmasq I have specified 8.8.8.8 and 8.8.4.4 as forwardings, but the issue is consistently reproducible. I am not sure, perhaps this is resolved in a newer version of mwan3, but on my router I have OpenWrt Barrier Breaker 14.07 which only allows for mwan3 1.5-10.

Old versions of mwan3 are mostly unsupported by Adze or myself.

Adze mentioned many months ago he'd be working with me at some point to update mwan3 and the GUI to better support IPv6. Not sure if he's still planning on doing that or not.

Can anyone help me? I have two WANs and two VLANs. I want VLAN1 to use the internet connection of wan1 and VLAN2 to use the internet connection of wan2,
and I want no load balancing.

Like this:
(vlan1, in my case PRIVAT) gets (100% of the wan1 internet connection)
(vlan2, in my case GAESTE) gets (100% of the wan2 internet connection)

But always only vlan1 is working; on vlan2 it always says no Internet connection. Can anyone find the error?


Software versions

OpenWrt - OpenWrt Chaos Calmer 15.05.1
LuCI - git-15.363.78009-956be55
mwan3 - 1.6-2
mwan3-luci - 1.4-3

/etc/config/mwan3

config interface 'wan1'
    option enabled '1'
    list track_ip '8.8.8.8'
    list track_ip '8.8.4.4'
    option reliability '1'
    option count '1'
    option timeout '2'
    option interval '5'
    option down '3'
    option up '8'

config interface 'wan2'
    option enabled '1'
    list track_ip '8.8.8.8'
    list track_ip '8.8.4.4'
    option reliability '1'
    option count '1'
    option timeout '2'
    option interval '5'
    option down '3'
    option up '8'

config member 'wan1_m10_w1'
    option interface 'wan1'
    option metric '10'
    option weight '1'

config member 'wan2_m20_w1'
    option interface 'wan2'
    option weight '1'
    option metric '20'

config policy 'wan1_only'
    list use_member 'wan1_m10_w1'
    option last_resort 'default'

config policy 'wan2_only'
    list use_member 'wan2_m20_w1'
    option last_resort 'default'

config rule 'PRIVAT'
    option dest_ip '0.0.0.0/0'
    option use_policy 'wan1_only'

config rule 'GEASTE'
    option dest_ip '0.0.0.0/0'
    option use_policy 'wan2_only'

/etc/config/network

config interface 'loopback'
    option ifname 'lo'
    option proto 'static'
    option ipaddr '127.0.0.1'
    option netmask '255.0.0.0'

config interface 'lan'
    option ifname 'eth0.1'
    option type 'bridge'
    option proto 'static'
    option ipaddr '192.168.1.1'
    option netmask '255.255.255.0'

config interface 'wan1'
    option ifname 'eth0.2'
    option proto 'pppoe'
    option peerdns '0'
    option dns '8.8.8.8 8.8.4.4'
    USERNAME HIDDEN
    PASSWORD HIDDEN
    option metric '10'

config interface 'wan2'
    option proto 'pppoe'
    option ifname 'eth0.3'
    option peerdns '0'
    option dns '8.8.8.8 8.8.4.4'
    USERNAME HIDDEN
    PASSWORD HIDDEN
    option metric '20'

config switch
    option reset '1'
    option enable_vlan '1'
    option enable_vlan4k '1'
    option name 'switch0'

config switch_vlan
    option vlan '1'
    option ports '0t 3 4 5t'
    option device 'switch0'

config switch_vlan
    option vlan '2'
    option ports '1 5t'
    option device 'switch0'

config switch_vlan
    option vlan '3'
    option ports '2 5t'
    option device 'switch0'

config switch_vlan
    option vlan '22'
    option ports '0t 5t'
    option device 'switch0'

config switch_vlan
    option vlan '23'
    option ports '0t 5t'
    option device 'switch0'

config interface 'PRIVAT'
    option proto 'static'
    option ifname 'eth0.22'
    option ipaddr '192.168.22.1'
    option netmask '255.255.255.0'

config interface 'GAESTE'
    option proto 'static'
    option ifname 'eth0.23'
    option ipaddr '192.168.23.1'
    option netmask '255.255.255.0'

/etc/config/firewall

config rule
    option name 'Allow-DHCP-Renew WAN1'
    option src 'wan1'
    option proto 'udp'
    option dest_port '68'
    option target 'ACCEPT'
    option family 'ipv4'

config rule
    option name 'Allow-Ping WAN1'
    option src 'wan1'
    option proto 'icmp'
    option icmp_type 'echo-request'
    option family 'ipv4'
    option target 'ACCEPT'

config rule
    option name 'Allow-DHCPv6 WAN1'
    option src 'wan1'
    option proto 'udp'
    option src_ip 'fe80::/10'
    option src_port '547'
    option dest_ip 'fe80::/10'
    option dest_port '546'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-ICMPv6-Input WAN1'
    option src 'wan1'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    list icmp_type 'router-solicitation'
    list icmp_type 'neighbour-solicitation'
    list icmp_type 'router-advertisement'
    list icmp_type 'neighbour-advertisement'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-ICMPv6-Forward WAN1'
    option src 'wan1'
    option dest '*'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-DHCP-Renew WAN2'
    option src 'wan2'
    option proto 'udp'
    option dest_port '68'
    option target 'ACCEPT'
    option family 'ipv4'

config rule
    option name 'Allow-Ping WAN2'
    option src 'wan2'
    option proto 'icmp'
    option icmp_type 'echo-request'
    option family 'ipv4'
    option target 'ACCEPT'

config rule
    option name 'Allow-DHCPv6 WAN2'
    option src 'wan2'
    option proto 'udp'
    option src_ip 'fe80::/10'
    option src_port '547'
    option dest_ip 'fe80::/10'
    option dest_port '546'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-ICMPv6-Input WAN2'
    option src 'wan2'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    list icmp_type 'router-solicitation'
    list icmp_type 'neighbour-solicitation'
    list icmp_type 'router-advertisement'
    list icmp_type 'neighbour-advertisement'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-ICMPv6-Forward WAN2'
    option src 'wan2'
    option dest '*'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option target 'ACCEPT'
    option proto 'udp'
    option dest_port '67-68'
    option src 'GAESTE'
    option name 'Allow-DHCP-Renew GAESTE'

config rule
    option target 'ACCEPT'
    option proto 'tcp udp'
    option src 'GAESTE'
    option dest_port '53'
    option name 'Allow-DNS GAESTE'

config redirect
    option target 'DNAT'
    option proto 'tcp'
    option dest_ip '192.168.1.1'
    option dest_port '80'
    option src_dport '81'
    option dest 'lan'
    option name 'Firewall'
    option src 'wan2'

config redirect
    option target 'DNAT'
    option proto 'tcp'
    option src_dport '21'
    option dest_port '21'
    option dest 'PRIVAT'
    option name 'DM800 Ftp'
    option dest_ip '192.168.22.31'
    option src 'wan2'

config defaults
    option syn_flood '1'
    option output 'ACCEPT'
    option input 'REJECT'
    option forward 'REJECT'

config include
    option path '/etc/firewall.user'

config zone
    option name 'lan'
    option network 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'

config zone
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
    option mtu_fix '1'
    option input 'REJECT'
    option name 'wan1'
    option network 'wan1'

config zone
    option input 'REJECT'
    option forward 'REJECT'
    option output 'ACCEPT'
    option name 'wan2'
    option masq '1'
    option mtu_fix '1'
    option network 'wan2'

config zone
    option name 'PRIVAT'
    option output 'ACCEPT'
    option network 'PRIVAT'
    option input 'ACCEPT'
    option forward 'REJECT'

config zone
    option name 'GAESTE'
    option output 'ACCEPT'
    option forward 'REJECT'
    option input 'REJECT'
    option network 'GAESTE'

config forwarding
    option dest 'wan1'
    option src 'lan'

config forwarding
    option dest 'wan1'
    option src 'PRIVAT'

config forwarding
    option dest 'wan2'
    option src 'GAESTE'

root@Firewall:~# ifconfig

br-lan    Link encap:Ethernet  HWaddr 10:FE:ED:7F:37:7C
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::12fe:edff:fe7f:377c/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:236 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:20688 (20.2 KiB)

eth0      Link encap:Ethernet  HWaddr 10:FE:ED:7F:37:7C
          inet6 addr: fe80::12fe:edff:fe7f:377c/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:325528 errors:0 dropped:0 overruns:0 frame:0
          TX packets:327680 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:208410255 (198.7 MiB)  TX bytes:210109019 (200.3 MiB)
          Interrupt:4

eth0.1    Link encap:Ethernet  HWaddr 10:FE:ED:7F:37:7C
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:161 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:11158 (10.8 KiB)

eth0.2    Link encap:Ethernet  HWaddr 10:FE:ED:7F:37:7C
          inet6 addr: fe80::12fe:edff:fe7f:377c/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:155802 errors:0 dropped:0 overruns:0 frame:0
          TX packets:149266 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:122885687 (117.1 MiB)  TX bytes:80980174 (77.2 MiB)

eth0.22   Link encap:Ethernet  HWaddr 10:FE:ED:7F:37:7C
          inet addr:192.168.22.1  Bcast:192.168.22.255  Mask:255.255.255.0
          inet6 addr: fe80::12fe:edff:fe7f:377c/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:140441 errors:0 dropped:0 overruns:0 frame:0
          TX packets:149511 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:78052309 (74.4 MiB)  TX bytes:126308813 (120.4 MiB)

eth0.23   Link encap:Ethernet  HWaddr 10:FE:ED:7F:37:7C
          inet addr:192.168.23.1  Bcast:192.168.23.255  Mask:255.255.255.0
          inet6 addr: fe80::12fe:edff:fe7f:377c/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:15716 errors:0 dropped:0 overruns:0 frame:0
          TX packets:15578 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:982362 (959.3 KiB)  TX bytes:1006674 (983.0 KiB)

eth0.3    Link encap:Ethernet  HWaddr 10:FE:ED:7F:37:7C
          inet6 addr: fe80::12fe:edff:fe7f:377c/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:536 errors:0 dropped:0 overruns:0 frame:0
          TX packets:517 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:25170 (24.5 KiB)  TX bytes:19794 (19.3 KiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:38 errors:0 dropped:0 overruns:0 frame:0
          TX packets:38 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:3335 (3.2 KiB)  TX bytes:3335 (3.2 KiB)

pppoe-wan1 Link encap:Point-to-Point Protocol
          inet addr:95.237.108.36  P-t-P:192.168.100.1  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1492  Metric:1
          RX packets:146232 errors:0 dropped:0 overruns:0 frame:0
          TX packets:139741 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3
          RX bytes:121177546 (115.5 MiB)  TX bytes:77619534 (74.0 MiB)

pppoe-wan2 Link encap:Point-to-Point Protocol
          inet addr:88.149.166.191  P-t-P:81.174.0.21  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1492  Metric:1
          RX packets:158 errors:0 dropped:0 overruns:0 frame:0
          TX packets:151 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3
          RX bytes:5662 (5.5 KiB)  TX bytes:4922 (4.8 KiB)

root@Firewall:~# route -n

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.100.1   0.0.0.0         UG    10     0        0 pppoe-wan1
0.0.0.0         81.174.0.21     0.0.0.0         UG    20     0        0 pppoe-wan2
81.174.0.21     0.0.0.0         255.255.255.255 UH    0      0        0 pppoe-wan2
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 br-lan
192.168.22.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0.22
192.168.23.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0.23
192.168.100.1   0.0.0.0         255.255.255.255 UH    0      0        0 pppoe-wan1

MWAN Detailed Status

Interface status:
 interface wan1 is online (tracking active)
 interface wan2 is online (tracking active)

Policy wan1_only:
 wan1 (100%)

Policy wan2_only:
 wan2 (100%)

Known networks:
 127.0.0.0/8
 127.255.255.255
 127.0.0.1
 192.168.23.0
 192.168.1.1
 88.149.166.191
 224.0.0.0/3
 192.168.22.255
 192.168.100.1
 192.168.23.255
 192.168.22.0
 81.174.0.21
 192.168.1.0
 95.237.108.36
 192.168.1.0/24
 192.168.23.0/24
 192.168.1.255
 192.168.23.1
 192.168.22.1
 192.168.22.0/24
 127.0.0.0

Active rules:
   83  5106 - wan1_only  all  --  *      *       0.0.0.0/0            0.0.0.0/0            
    0     0 - wan2_only  all  --  *      *       0.0.0.0/0            0.0.0.0/0

(Last edited by darkstar91 on 8 Sep 2016, 05:04)
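Jaska's point further up, that a catch-all rule overrides every rule listed below it, is also what the status just posted shows: both the PRIVAT and the GAESTE rule carry only dest_ip '0.0.0.0/0', and the active rule counters have wan2_only at 0 packets. The lint below is an added example, not code from the thread or from mwan3: it reads an mwan3 config with busybox-compatible sh and awk and reports every rule shadowed by an earlier catch-all; the sample config inside it is constructed, and the fix it shows (a src_ip per VLAN subnet) is an assumption about the intended setup.

```shell
#!/bin/sh
# Added example (not from the thread or from mwan3): lint the rule order of an
# mwan3 config file. mwan3 installs its 'config rule' sections in file order and
# the first rule that matches a new connection assigns the policy, so a
# catch-all rule (no src_ip, dest_ip absent or 0.0.0.0/0, proto absent or
# 'all', no ports, no ipset) makes every rule listed below it dead. Only
# busybox-compatible sh and awk are used, so it can run on the router:
#     mwan3_shadowed_rules /etc/config/mwan3

# Prints "rule 'X' is shadowed by catch-all rule 'Y'" for each shadowed rule.
# Exit status 1 when at least one rule is shadowed, 0 otherwise.
mwan3_shadowed_rules() {
    awk -v q="'" '
        # True when none of the collected match options narrow the rule.
        function is_catchall() {
            return src == "" && (dst == "" || dst == "0.0.0.0/0") &&
                   (proto == "" || proto == "all") &&
                   sport == "" && dport == "" && ipset == ""
        }
        # Evaluate the rule collected so far; called at each new section and at EOF.
        function flush() {
            if (name == "") return
            if (catchall != "") {
                printf "rule %s%s%s is shadowed by catch-all rule %s%s%s\n",
                       q, name, q, q, catchall, q
                found++
            } else if (is_catchall()) {
                catchall = name
            }
            name = ""
        }
        function unquote(s) { gsub(q, "", s); return s }
        $1 == "config" {
            flush()
            src = dst = proto = sport = dport = ipset = ""
            if ($2 == "rule") {
                name = unquote($3)
                if (name == "") name = "unnamed#" (++anon)
            }
        }
        # Only options inside a rule section matter; a value may contain spaces.
        $1 == "option" && name != "" && NF >= 3 {
            val = unquote(substr($0, index($0, $3)))
            if ($2 == "src_ip")    src = val
            if ($2 == "dest_ip")   dst = val
            if ($2 == "proto")     proto = val
            if ($2 == "src_port")  sport = val
            if ($2 == "dest_port") dport = val
            if ($2 == "ipset")     ipset = val
        }
        END { flush(); exit (found > 0) }
    ' "$1"
}

# Constructed sample config (not a real router file). "broken": one rule per
# VLAN, but both only say dest_ip 0.0.0.0/0, so the first takes all traffic.
# "fixed": a src_ip per VLAN subnet (assumed 192.168.22.0/24 and 192.168.23.0/24),
# so each rule matches only its own VLAN and everything else reaches default_rule.
sample_mwan3_config() {
    if [ "$1" = fixed ]; then
        src_privat="    option src_ip '192.168.22.0/24'"
        src_gaeste="    option src_ip '192.168.23.0/24'"
    else
        src_privat=""
        src_gaeste=""
    fi
    cat <<EOF
config interface 'wan1'
    option enabled '1'

config rule 'PRIVAT'
$src_privat
    option dest_ip '0.0.0.0/0'
    option use_policy 'wan1_only'

config rule 'GAESTE'
$src_gaeste
    option dest_ip '0.0.0.0/0'
    option use_policy 'wan2_only'

config rule 'default_rule'
    option dest_ip '0.0.0.0/0'
    option use_policy 'wan1_only'
EOF
}

# Demo on the constructed samples; on a router pass /etc/config/mwan3 instead.
demo_file=$(mktemp)
sample_mwan3_config broken > "$demo_file"
mwan3_shadowed_rules "$demo_file" || echo "broken sample: reorder the rules or add a src_ip"
sample_mwan3_config fixed > "$demo_file"
mwan3_shadowed_rules "$demo_file" && echo "fixed sample: no shadowed rules"
rm -f "$demo_file"
```

Run it against /etc/config/mwan3 after every edit and before restarting mwan3; a rule it reports as shadowed will never see a packet, which is exactly what a 0 counter in "Active rules" means.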