Difference between revisions of "Mwan3 On Openwrt"
(11 intermediate revisions by the same user not shown) | |||
Line 1: | Line 1: | ||
− | Here | + | <small>Here are tips for setting up mwan3 via terminal / uci configs for Openwrt (last tested 19.07). |
+ | |||
+ | |||
==Tips/Troubleshooting== | ==Tips/Troubleshooting== | ||
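Review bot: The `<small>` tag opened at the start of the new intro line wraps the entire article, since its closing `</small>` only appears at the very end of the page in the next hunk. That shrinks every section, including the `<pre>` config blocks readers are expected to copy. Drop the wrapper, or close it right after the intro sentence. The project name in the same line is spelled OpenWrt, not "Openwrt".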
Line 36: | Line 38: | ||
See why? | See why? | ||
+ | |||
+ | (What happens is that DNS will fail on the second wan only (port 53 ICMP unreachable is one such error tcpdump may report), but only from clients on the lan. Not from the router itself. It's not easy to track via the multi-layered iptables, although you can see the rejects increasing with iptables -L -v) | ||
note that the latter is 19.07, and the former 17 | note that the latter is 19.07, and the former 17 | ||
So instead of option network in 17, we have list network in 19. | So instead of option network in 17, we have list network in 19. | ||
− | conntrack should also be enabled. | + | conntrack should also be enabled. Rest is default. |
+ | |||
+ | ===Conntrack should be enabled=== | ||
+ | See above. | ||
+ | |||
+ | ===Masquerade may need to be enabled=== | ||
+ | See above. | ||
+ | |||
+ | ===Be consistent, whether wan2 or wanb. Label must match /etc/config/network=== | ||
+ | If you set the label of the new /etc/config/network wan interface to be wan2 instead of wanb | ||
+ | then you should change the below rules and policies accordingly in /etc/config/mwan3. Or, just | ||
+ | keep wanb. | ||
+ | <pre> | ||
+ | config rule 'https' | ||
+ | option sticky '1' | ||
+ | option dest_port '443' | ||
+ | option proto 'tcp' | ||
+ | option use_policy 'wan_wan2' | ||
+ | |||
+ | config rule 'default_rule_v4' | ||
+ | option dest_ip '0.0.0.0/0' | ||
+ | option use_policy 'wan_wan2' | ||
+ | option family 'ipv4' | ||
+ | |||
+ | config rule 'default_rule_v6' | ||
+ | option dest_ip '::/0' | ||
+ | option use_policy 'wan_wan2' | ||
+ | option family 'ipv6' | ||
+ | </pre> | ||
+ | |||
+ | |||
+ | The wan2 is read from /etc/config/network, e.g. | ||
+ | <pre> | ||
+ | config interface 'wan2' # ISP2 | ||
+ | option ifname 'eth2' | ||
+ | option proto 'static' | ||
+ | option ipaddr 'staticiphere' | ||
+ | option netmask '255.255.255.0' | ||
+ | option gateway 'staticgatewayhere' | ||
+ | option dns 'yourfavoritedns' | ||
+ | option metric '20' | ||
+ | #make sure that firewall has both wans in its list networks or option networks | ||
+ | #also add a metric for each wan. | ||
+ | </pre> | ||
+ | |||
+ | That "config interface 'wan2'" is what is important. | ||
+ | |||
+ | ===Balanced Policy Internet Errors=== | ||
+ | I've seen issues with the default balanced policy only. Either, some manual troubleshooting / investigation is needed into the services breaking or you can try by setting the 'stickiness' on port 443, and 80. Perhaps 443 and 80 alone is not enough. With just balanced, it may not work 100%. | ||
+ | |||
+ | However, simply setting a wan2_wan or wan_wan2 policy (where one is failover only), will work out of the box. | ||
+ | |||
+ | </small> | ||
+ | |||
+ | {{GNU\Linux}} |
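Review bot: The parenthetical added after "See why?" describes the symptom (DNS from lan clients failing on the second wan) but the section still never states the cause: the 19.07 zone has `list network` entries for wan and wan6 only, with none for wan2. State that outright and show the line to add. The new "Conntrack should be enabled" and "Masquerade may need to be enabled" sections consist only of "See above."; either name the options they refer to (`option conntrack '1'`, `option masq '1'`) or fold them into the firewall section. The mwan3 rules reference `use_policy 'wan_wan2'`, but no policy or member section of that name is shown, so a reader cannot tell what else has to exist for the rules to resolve.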
Latest revision as of 20:32, 28 October 2020
Here are tips for setting up mwan3 via terminal / uci configs for OpenWrt (last tested 19.07).
Tips/Troubleshooting
Firewall zones must include wan2/wanb in addition to wan
In /etc/config/firewall
see this:
<pre>
config zone
    option conntrack '1'
    option name wan
    option input REJECT
    option output ACCEPT
    option forward REJECT
    option masq 1
    option mtu_fix 1
    option network 'wan wan6 wan2'
</pre>
The above is a working mwan3 firewall config on 17 (zone only, other items omitted).
see this:
<pre>
config zone
    option conntrack '1'
    option name 'wan'
    list network 'wan'
    list network 'wan6'
    option input 'REJECT'
    option output 'ACCEPT'
    option masq '1'
    option mtu_fix '1'
    option forward 'ACCEPT'
</pre>
This one (19) only works with wan, not wan2.
See why?
(What happens is that DNS will fail on the second wan only (port 53 ICMP unreachable is one such error tcpdump may report), but only from clients on the lan, not from the router itself. It's not easy to track via the multi-layered iptables, although you can see the rejects increasing with iptables -L -v.)
Note that the latter is 19.07, and the former 17. So instead of option network in 17, we have list network in 19. The 19.07 zone above lists only wan and wan6, so wan2 is not part of the zone; it needs its own list network entry. The two snippets also differ in option forward (REJECT in the first, ACCEPT in the second). conntrack should also be enabled. The rest is default.
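The zone-membership check described above can be scripted. The following is an added example, not part of the original page: the function names are hypothetical and the two firewall files are constructed samples modelled on the snippets above. On a router, pass /etc/config/firewall instead.

```shell
#!/bin/sh
# Added example (not from the original page); function names are hypothetical.
# zone_networks FILE ZONE: print the networks attached to ZONE, one per line.
# Accepts "option network 'a b'" (17-style) and "list network 'a'" (19.07-style).
zone_networks() {
    awk -v zone="$2" -v q="'" '
        function emit() { if (name == zone) printf "%s", nets; name = ""; nets = "" }
        { sub(/#.*/, ""); gsub("[" q "\"]", "") }   # drop comments and UCI quotes
        $1 == "config" { emit(); inzone = ($2 == "zone"); next }
        inzone && $2 == "name"    { name = $3 }
        inzone && $2 == "network" { for (i = 3; i <= NF; i++) nets = nets $i "\n" }
        END { emit() }
    ' "$1"
}

# missing_from_zone FILE ZONE IFACE...: print each IFACE that ZONE does not cover.
missing_from_zone() {
    file=$1; zone=$2; shift 2
    nets=$(zone_networks "$file" "$zone")
    for ifc in "$@"; do
        printf '%s\n' "$nets" | grep -qxF -- "$ifc" || printf '%s\n' "$ifc"
    done
}

# Constructed sample files modelled on the two zone snippets above.
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/fw17" <<'EOF'
config zone
    option name wan
    option conntrack '1'
    option masq 1
    option network 'wan wan6 wan2'
EOF
cat > "$tmp/fw19" <<'EOF'
config zone
    option name 'wan'
    list network 'wan'
    list network 'wan6'
    option masq '1'
EOF

echo "17 zone missing: $(missing_from_zone "$tmp/fw17" wan wan wan2 | tr '\n' ' ')"
echo "19 zone missing: $(missing_from_zone "$tmp/fw19" wan wan wan2 | tr '\n' ' ')"
```

An empty result means every interface named on the command line is covered by the zone; any name printed is an interface whose traffic is not handled by that zone's masquerade and forwarding rules.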
Conntrack should be enabled
See above.
Masquerade may need to be enabled
See above.
Be consistent, whether wan2 or wanb. Label must match /etc/config/network
If you set the label of the new /etc/config/network wan interface to be wan2 instead of wanb, then you should change the below rules and policies accordingly in /etc/config/mwan3. Or, just keep wanb.
<pre>
config rule 'https'
    option sticky '1'
    option dest_port '443'
    option proto 'tcp'
    option use_policy 'wan_wan2'

config rule 'default_rule_v4'
    option dest_ip '0.0.0.0/0'
    option use_policy 'wan_wan2'
    option family 'ipv4'

config rule 'default_rule_v6'
    option dest_ip '::/0'
    option use_policy 'wan_wan2'
    option family 'ipv6'
</pre>
The wan2 is read from /etc/config/network, e.g.
<pre>
config interface 'wan2' # ISP2
    option ifname 'eth2'
    option proto 'static'
    option ipaddr 'staticiphere'
    option netmask '255.255.255.0'
    option gateway 'staticgatewayhere'
    option dns 'yourfavoritedns'
    option metric '20'
#make sure that firewall has both wans in its list networks or option networks
#also add a metric for each wan.
</pre>
That "config interface 'wan2'" is what is important.
Balanced Policy Internet Errors
I've seen issues with the default balanced policy only. Either some manual troubleshooting / investigation into the services breaking is needed, or you can try setting the 'stickiness' on ports 443 and 80. Perhaps 443 and 80 alone are not enough. With just balanced, it may not work 100%.
However, simply setting a wan2_wan or wan_wan2 policy (where one is failover only) will work out of the box.