OpenWrt Forum Archive

Topic: mwan3; multi-wan policy routing (general topic)

The content of this topic has been archived between 22 May 2013 and 6 May 2018. Unfortunately there are posts – most likely complete pages – missing.

Adze wrote:

On a side note: I see that you use custom route table 220. This can be a problem as mwan3 might wipe this table when it's stopped. If you use a number higher than 255 you should be fine...

StrongSwan uses route table 220 for VPN routes by default. Perhaps Mwan3 could be made to use higher numbers?

(Last edited by arfett on 1 Jul 2014, 22:14)

arfett wrote:

StrongSwan uses route table 220 for VPN routes by default. Perhaps Mwan3 could be made to use higher numbers?

Looking back, I can see that it only has an impact if you use 220 or more wan interfaces. I guess it's safe to say that this risk is minimal...

Hi Adze.

Thanks for this package in the first place.

On the wiki page there is the following statement:

If you have a traffic rule that matches a policy, but all the members (interfaces) for that policy are down, it will not match any mwan3 ip rule. Therefore, it will use the main routing table to determine which interface to use.

I have 2 rules (tcp and udp) for port 53 (DNS) that I want to redirect just to wan2, but when this interface is down it doesn't redirect to the default route. I'm testing with traffic originating from the router. Now I'm using the rule wan2_wan and it's working, but this confused me.

Here's my config: http://pastebin.com/raw.php?i=7Vv12Bvm

Hi thiagoc,


I see the confusion. The wiki statement was correct for version 1.3 and earlier. In version 1.4 I changed this behaviour to unreachable.

So to summarize: if all members in a policy are down, the exit strategy for that policy is "unreachable".


Grtz Adze

Adze wrote:

I see the confusion. The wiki statement was correct for version 1.3 and earlier. In version 1.4 I changed this behaviour to unreachable.
So to summarize: if all members in a policy are down, the exit strategy for that policy is "unreachable".

OK Adze, I have updated the wiki if you don't mind.

Thanks.

Hello guys.
Thanks for this great script!
I need your help. I have 2 WANs and I need to forward traffic from one IP from the WAN1 subnet with masquerading. It works perfectly fine without mwan3 with hand-made policy routing scripts, but when I configure mwan3, it won't forward traffic from that WAN1 IP anymore.
I don't use any load balancing and even failover, just some policy rules.
All I can see in tcpdump is that some traffic does forward (TCP packets on high ports) but on any ICMP or UDP traffic my router sends ICMP Unreachable. WAN forwarding is configured to be accepted by iptables.

I tried to add WAN subnet to table 1, but that didn't change a thing.
Here is tcpdump log
https://gist.github.com/ValdikSS/fcd5e8c4f4dc564e53cd

Here is troubleshooting data
https://gist.github.com/ValdikSS/d027b596fd3db087e699

My ip is 92.xx.xx.58, IP which I should forward is 92.xx.xx.7

(Last edited by ValdikSS on 2 Jul 2014, 21:44)

Hi ValdikSS,

I'm not quite sure what you want to achieve. Maybe you could paste your hand-made routing script, so I can see what you mean?

Thnx

Adze, I just need:
1) Proper multiwan routing. I have WAN and VPN connection. I need WAN INPUT replies to go via WAN OUTPUT, and VPN INPUT to VPN OUTPUT. Without policy routing, if I have default gateway via VPN, WAN INPUT replies would go via VPN, which is not what I want.
2) Forward WAN to WAN for one WAN IP address. I want to be a gateway for one client in WAN subnet.

I can achieve this by creating new "novpn" routing table, copying everything from main table to novpn, replacing default gateway in novpn table from VPN gateway to WAN gateway and configuring some rules for policy routing and traffic marking.
I did this by writing my own interface hook script. I wanted to get rid of it and to use mwan3, because it has luci plugin, and everything works as good as with my scripts, but WAN-to-WAN forwarding is not working at all.

How to reproduce:
1) Connect a switch to the WAN interface, plug the ISP cable and another PC (let's call it PC2) into it
2) Configure router to masquerade traffic to WAN. Enable WAN-to-WAN forwarding in firewall configuration.
3) Configure PC2 to use our router IP on WAN interface as a default gateway

Expected result:
PC2 can access websites.

Actual result:
PC2 can't access websites.

TL;DR: I need not only LAN-to-WAN or LAN-to-VPN forwarding with masquerading, but also WAN-to-WAN forwarding with masquerading, which doesn't work with mwan3 enabled, but works without mwan3.

(Last edited by ValdikSS on 3 Jul 2014, 18:05)

Uninstalled mwan3, installed multiwan. Multiwan works as expected, so this may be mwan3 bug, or I misconfigured something, but I can't find what exactly.

Hello there,
I have an issue that might not even be related to this great script (thank you btw) but I have to ask. I've been trying to connect two wireless connections in repeater mode and then use mwan3 to switch between them if any fail at any time.
So I have created the following WiFi connections, all on separate Interfaces:
SSID: OpenWRT - used to connect to the router
SSID: <RandomSSID1> - running on channel 11 (dunno if it matters whether they run on different channels)
SSID: <RandomSSID2> - running on channel 1
However, while mwan3 seems to work just OK, after I add the second (RandomSSID2) wireless connection, or if both (RandomSSID1 and RandomSSID2) wireless connections are enabled at the same time, the main connection (OpenWRT) disappears and I'm no longer able to connect to it.
So does the router need multi-SSID support for this kind of use, or am I doing something wrong?
The router is a Huawei HG556a.
Thank you for your time.

(Last edited by JoiNNN on 3 Jul 2014, 20:27)

ValdikSS wrote:

How to reproduce:
1) Connect a switch to the WAN interface, plug the ISP cable and another PC (let's call it PC2) into it
2) Configure router to masquerade traffic to WAN. Enable WAN-to-WAN forwarding in firewall configuration.
3) Configure PC2 to use our router IP on WAN interface as a default gateway

Expected result:
PC2 can access websites.

Actual result:
PC2 can't access websites.

TL;DR: I need not only LAN-to-WAN or LAN-to-VPN forwarding with masquerading, but also WAN-to-WAN forwarding with masquerading, which doesn't work with mwan3 enabled, but works without mwan3.

Ah, I now know what you mean. Short answer is that mwan3 does not support that without some extra ip rules. Mwan3 has a policy that all packets incoming from wan interfaces are routed via the main routing table (ip rules 1001 to 1250). If you want a different routing policy for PC2 you will have to add a custom ip rule before rule 1000.

(Last edited by Adze on 4 Jul 2014, 08:45)
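As an added example (not from the thread or the mwan3 project), a shell check for the ordering constraint Adze describes: mwan3's own "from all iif <wan> lookup main" rules sit at priorities 1001 to 1250, so a custom rule steering a WAN-side client such as PC2 into its own table is only consulted if its priority is lower. The client address 192.0.2.7, table 300, priority 900 and the sample "ip rule show" output are all constructed.

```shell
#!/bin/sh
# Added example, not from the thread or the mwan3 project. mwan3 1.4 installs
# "from all iif <wan> lookup main" rules at priorities 1001-1250, so a custom
# rule for a WAN-side client (PC2 in ValdikSS's setup) must use a lower
# priority or it is never reached.
# Constructed/assumed values: client 192.0.2.7, custom table 300, priority 900.

PC2_IP="192.0.2.7"
CUSTOM_TABLE="300"   # above 255, outside the 1-250 range that mwan3 manages
CUSTOM_PRIO="900"    # below 1000, so it precedes mwan3's iif rules

# Print the rule that would have to be added (shown rather than executed).
custom_rule_cmd() {
    printf 'ip rule add from %s lookup %s priority %s\n' "$1" "$CUSTOM_TABLE" "$CUSTOM_PRIO"
}

# Read "ip rule show" output on stdin and verify that the rule for address $1
# has a lower priority than the lowest mwan3 "iif ... lookup main" rule.
# Exit codes: 0 ok, 1 no rule for the address, 2 no mwan3 iif rules, 3 shadowed.
check_rule_order() {
    awk -v ip="$1" '
        { prio = $1; sub(/:$/, "", prio); prio = prio + 0 }
        $2 == "from" && $3 == ip { if (custom == "" || prio < custom) custom = prio }
        /iif .* lookup main/     { if (mwan == "" || prio < mwan) mwan = prio }
        END {
            if (custom == "") { print "no rule for " ip; exit 1 }
            if (mwan == "")   { print "no mwan3 iif rules found"; exit 2 }
            if (custom < mwan) { print "ok: rule " custom " for " ip " precedes mwan3 rule " mwan; exit 0 }
            print "shadowed: rule " custom " for " ip " comes after mwan3 rule " mwan; exit 3
        }'
}

# Constructed sample of "ip rule show" after the custom rule has been added.
SAMPLE_RULES='0:     from all lookup local
900:   from 192.0.2.7 lookup 300
1001:  from all iif eth0.2 lookup main
1002:  from all iif tun0 lookup main
2001:  from all fwmark 0x100/0xff00 lookup 1
2254:  from all fwmark 0xfe00/0xff00 unreachable
32766: from all lookup main
32767: from all lookup default'

custom_rule_cmd "$PC2_IP"
printf '%s\n' "$SAMPLE_RULES" | check_rule_order "$PC2_IP"
```

On a live router, replace the constructed sample with `ip rule show | check_rule_order <client ip>`.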

How should I configure this? I need the following rules:
#create a new chain named SHADOWSOCKS
iptables -t nat -N SHADOWSOCKS

#Redirect what you want

#Google
iptables -t nat -A SHADOWSOCKS -p tcp -d 74.125.0.0/16 -j REDIRECT --to-ports 1080
iptables -t nat -A SHADOWSOCKS -p tcp -d 173.194.0.0/16 -j REDIRECT --to-ports 1080

#Youtube
iptables -t nat -A SHADOWSOCKS -p tcp -d 208.117.224.0/19 -j REDIRECT --to-ports 1080
iptables -t nat -A SHADOWSOCKS -p tcp -d 209.85.128.0/17 -j REDIRECT --to-ports 1080

#Twitter
iptables -t nat -A SHADOWSOCKS -p tcp -d 199.59.148.0/22 -j REDIRECT --to-ports 1080

#Shadowsocks.org
iptables -t nat -A SHADOWSOCKS -p tcp -d 199.27.76.133/32 -j REDIRECT --to-ports 1080

#1024
iptables -t nat -A SHADOWSOCKS -p tcp -d 184.154.128.246/32 -j REDIRECT --to-ports 1080

#Anything else should be ignored
iptables -t nat -A SHADOWSOCKS -p tcp -j RETURN

# Apply the rules
iptables -t nat -A PREROUTING -p tcp -j SHADOWSOCKS

ligf731 wrote:

How should I configure this? I need the following rules:

Just like you posted... Mwan3 does nothing with/to NAT.

Any idea on my issue posted above? Any input is appreciated.

JoiNNN wrote:

Any idea on my issue posted above? Any input is appreciated.


I read you want it repeated. With repeated, do you mean bridged? If yes, then this won't work, as mwan3 works at the routing layer. If not, could you paste your config etc etc..

(Last edited by Adze on 4 Jul 2014, 15:06)

Keep in mind that I can only access the router via the web interface; for whatever reason I can't telnet into the router.
I'm only bridging the LAN over OpenWRT, which is shown as being Master since it is set as Access Point; the other two are set as Clients and are displayed as such.
If you know another way of doing this or if you are aware whether it's possible or not to do this, please let me know.
Thanks for looking into this.

Here is the output from MWAN3 > Advanced > Troubleshooting

Software versions : 

OpenWrt - OpenWrt Barrier Breaker r40006
LuCI - svn-r9961

mwan3 - 1.4-20
luci-app-mwan3 - 1.2-19

Output of "cat /etc/config/mwan3" : 

config interface 'wan'
    option enabled '1'
    option count '1'
    option timeout '2'
    option interval '5'
    option down '3'
    option up '8'
    list track_ip '208.67.222.222'
    list track_ip '208.67.220.220'
    option reliability '1'

config interface 'wan2'
    list track_ip '8.8.8.8'
    list track_ip '208.67.220.220'
    option reliability '1'
    option count '1'
    option timeout '2'
    option interval '5'
    option down '3'
    option up '8'
    option enabled '1'

config member 'wan_m1_w3'
    option interface 'wan'
    option metric '1'
    option weight '3'

config member 'wan_m2_w3'
    option interface 'wan'
    option metric '2'
    option weight '3'

config member 'wan2_m1_w2'
    option interface 'wan2'
    option metric '1'
    option weight '2'

config member 'wan2_m2_w2'
    option interface 'wan2'
    option metric '2'
    option weight '2'

config policy 'wan_only'
    list use_member 'wan_m1_w3'

config policy 'wan2_only'
    list use_member 'wan2_m1_w2'

config policy 'balanced'
    list use_member 'wan_m1_w3'
    list use_member 'wan2_m1_w2'

config policy 'wan_wan2'
    list use_member 'wan_m1_w3'
    list use_member 'wan2_m2_w2'

config policy 'wan2_wan'
    list use_member 'wan_m2_w3'
    list use_member 'wan2_m1_w2'

config rule 'sticky_even'
    option src_ip '0.0.0.0/0.0.0.1'
    option dest_port '443'
    option proto 'tcp'
    option use_policy 'wan_wan2'

config rule 'sticky_odd'
    option src_ip '0.0.0.1/0.0.0.1'
    option dest_port '443'
    option proto 'tcp'
    option use_policy 'wan2_wan'

config rule 'default_rule'
    option use_policy 'balanced'
    option src_ip '192.168.1.0/24'
    option src_port 'all'
    option dest_ip '192.168.1.0/24'
    option dest_port 'all'
    option proto 'all'

Output of "cat /etc/config/network" : 

config interface 'loopback'
    option ifname 'lo'
    option proto 'static'
    option ipaddr '127.0.0.1'
    option netmask '255.0.0.0'

config globals 'globals'
    option ula_prefix 'fd71:3514:65a8::/48'

config interface 'lan'
    option type 'bridge'
    option proto 'static'
    option netmask '255.255.255.0'
    option ip6assign '60'
    option ipaddr '192.168.2.1'
    option _orig_ifname 'eth0.1'
    option _orig_bridge 'true'
    option ifname 'eth0.1'

config switch
    option name 'eth0'
    option reset '1'
    option enable_vlan '1'

config switch_vlan
    option device 'eth0'
    option vlan '1'
    option ports '0 1 2 3 4 5t'

config interface 'wan'
    option proto 'dhcp'
    option peerdns '0'
    option metric '1'

config interface 'wan2'
    option proto 'dhcp'
    option metric '2'

Output of "ifconfig" : 

br-lan    Link encap:Ethernet  HWaddr 4C:54:99:DC:44:85  
          inet addr:192.168.2.1  Bcast:192.168.2.255  Mask:255.255.255.0
          inet6 addr: fe80::4e54:99ff:fedc:4485/64 Scope:Link
          inet6 addr: fd71:3514:65a8::1/60 Scope:Global
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:3406038 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5630572 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:216456625 (206.4 MiB)  TX bytes:7744936594 (7.2 GiB)

eth0      Link encap:Ethernet  HWaddr 4C:54:99:DC:44:85  
          inet6 addr: fe80::4e54:99ff:fedc:4485/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4366 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:960367 (937.8 KiB)
          Interrupt:14 

eth0.1    Link encap:Ethernet  HWaddr 4C:54:99:DC:44:85  
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4359 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:0 (0.0 B)  TX bytes:942125 (920.0 KiB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:24577 errors:0 dropped:0 overruns:0 frame:0
          TX packets:24577 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:1285848 (1.2 MiB)  TX bytes:1285848 (1.2 MiB)

wlan0     Link encap:Ethernet  HWaddr 4C:54:99:DC:44:86  
          inet addr:192.168.0.198  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::4e54:99ff:fedc:4486/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:5638761 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3409058 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:3450702779 (3.2 GiB)  TX bytes:332189752 (316.8 MiB)

wlan0-1   Link encap:Ethernet  HWaddr 4E:54:99:DC:44:86  
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:3406025 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5630900 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:264140897 (251.9 MiB)  TX bytes:3558616708 (3.3 GiB)

Output of "route -n" : 

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.0.1     0.0.0.0         UG    2      0        0 wlan0
192.168.0.0     0.0.0.0         255.255.255.0   U     2      0        0 wlan0
192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 br-lan

Output of "ip rule show" : 

0:    from all lookup local 
1002:    from all iif wlan0 lookup main 
2002:    from all fwmark 0x200/0xff00 lookup 2 
2254:    from all fwmark 0xfe00/0xff00 unreachable
32766:    from all lookup main 
32767:    from all lookup default

Output of "ip route list table 1-250" : 

2
default via 192.168.0.1 dev wlan0

Firewall default output policy (must be ACCEPT) : 

ACCEPT

Output of "iptables -L -t mangle -v -n" : 

Chain PREROUTING (policy ACCEPT 7491K packets, 6508M bytes)
 pkts bytes target     prot opt in     out     source               destination         
9063K 7884M mwan3_hook  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
7491K 6508M fwmark     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain INPUT (policy ACCEPT 32960 packets, 2310K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 7457K packets, 6505M bytes)
 pkts bytes target     prot opt in     out     source               destination         
7457K 6505M mssfix     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 32575 packets, 2780K bytes)
 pkts bytes target     prot opt in     out     source               destination         
39588 3265K mwan3_hook  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
39588 3265K mwan3_track_hook  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain POSTROUTING (policy ACCEPT 7490K packets, 6508M bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain fwmark (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain mssfix (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 9602  491K TCPMSS     tcp  --  *      wlan0   0.0.0.0/0            0.0.0.0/0            tcp flags:0x06/0x02 /* wan2 (mtu_fix) */ TCPMSS clamp to PMTU

Chain mwan3_connected (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 9852  513K MARK       all  --  *      *       0.0.0.0/0            127.0.0.0/8          mark match 0x0/0xff00 MARK or 0xff00
  818  252K MARK       all  --  *      *       0.0.0.0/0            224.0.0.0/3          mark match 0x0/0xff00 MARK or 0xff00
 2383  155K MARK       all  --  *      *       0.0.0.0/0            192.168.0.0/24       mark match 0x0/0xff00 MARK or 0xff00
  820 58208 MARK       all  --  *      *       0.0.0.0/0            192.168.2.0/24       mark match 0x0/0xff00 MARK or 0xff00

Chain mwan3_hook (2 references)
 pkts bytes target     prot opt in     out     source               destination         
9102K 7887M CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0            CONNMARK restore mask 0xff00
74425 6407K mwan3_ifaces  all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0xff00
54566 4094K mwan3_connected  all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0xff00
36762 2804K mwan3_rules  all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0xff00
9102K 7887M CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0            CONNMARK save mask 0xff00

Chain mwan3_iface_wan2 (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 1128  194K MARK       all  --  *      *       192.168.0.0/24       0.0.0.0/0            mark match 0x0/0xff00 /* wan2 */ MARK or 0xff00
16011 1692K MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0xff00 /* wan2 */ MARK xset 0x200/0xff00

Chain mwan3_ifaces (1 references)
 pkts bytes target     prot opt in     out     source               destination         
17139 1886K mwan3_iface_wan2  all  --  wlan0  *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0xff00

Chain mwan3_policy_balanced (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0xff00 /* wan2 2 2 */ MARK xset 0x200/0xff00

Chain mwan3_policy_wan2_only (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0xff00 /* wan2 2 2 */ MARK xset 0x200/0xff00

Chain mwan3_policy_wan2_wan (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0xff00 /* wan2 2 2 */ MARK xset 0x200/0xff00

Chain mwan3_policy_wan_only (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0xff00 /* unreachable */ MARK xset 0xfe00/0xff00

Chain mwan3_policy_wan_wan2 (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  487 25712 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0xff00 /* wan2 2 2 */ MARK xset 0x200/0xff00

Chain mwan3_rules (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  487 25712 mwan3_policy_wan_wan2  tcp  --  *      *       0.0.0.0/0.0.0.1      0.0.0.0/0            multiport sports 0:65535 multiport dports 443 mark match 0x0/0xff00 /* sticky_even */
    0     0 mwan3_policy_wan2_wan  tcp  --  *      *       0.0.0.1/0.0.0.1      0.0.0.0/0            multiport sports 0:65535 multiport dports 443 mark match 0x0/0xff00 /* sticky_odd */
    0     0 mwan3_policy_balanced  all  --  *      *       192.168.1.0/24       192.168.1.0/24       mark match 0x0/0xff00 /* default_rule */

Chain mwan3_track_hook (1 references)
 pkts bytes target     prot opt in     out     source               destination         
39588 3265K mwan3_track_wan2  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain mwan3_track_wan2 (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 1535  129K MARK       icmp --  *      wlan0   0.0.0.0/0            208.67.220.220       icmptype 8 MARK or 0xff00
 1535  129K MARK       icmp --  *      wlan0   0.0.0.0/0            8.8.8.8              icmptype 8 MARK or 0xff00

Chain qos_Default (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0            CONNMARK restore mask 0xff
    0     0 qos_Default_ct  all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0xff
    0     0 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x1/0xff length 400:65535 MARK and 0xffffff00
    0     0 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x2/0xff length 800:65535 MARK and 0xffffff00
    0     0 MARK       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0xff length 0:500 MARK xset 0x2/0xff
    0     0 MARK       icmp --  *      *       0.0.0.0/0            0.0.0.0/0            MARK xset 0x1/0xff
    0     0 MARK       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0xff tcp spts:1024:65535 dpts:1024:65535 MARK xset 0x4/0xff
    0     0 MARK       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0xff udp spts:1024:65535 dpts:1024:65535 MARK xset 0x4/0xff
    0     0 MARK       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            length 0:128 mark match ! 0x4/0xff tcp flags:0x3F/0x02 MARK xset 0x1/0xff
    0     0 MARK       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            length 0:128 mark match ! 0x4/0xff tcp flags:0x3F/0x10 MARK xset 0x1/0xff

Chain qos_Default_ct (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MARK       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0xff tcp multiport ports 22,53 MARK xset 0x1/0xff
    0     0 MARK       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0xff udp multiport ports 22,53 MARK xset 0x1/0xff
    0     0 MARK       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0xff tcp multiport ports 20,21,25,80,110,443,993,995 MARK xset 0x3/0xff
    0     0 MARK       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0xff tcp multiport ports 5190 MARK xset 0x2/0xff
    0     0 MARK       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0xff udp multiport ports 5190 MARK xset 0x2/0xff
    0     0 CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0            CONNMARK save mask 0xff

(Last edited by JoiNNN on 4 Jul 2014, 16:34)

Hi JoiNNN

When you have set a password for root, you should be able to access the router through ssh. Telnet will not work after that.

Looking at your output i see only one default route. There should be two in your case.

Also looking at the wlan interfaces, I see interfaces wlan0 and wlan0-1. I would expect there would be a third: one bridge and two WAN interfaces. Only wlan0 has an ip address.

Did you check your WAN interfaces are indeed correctly working?

(Last edited by Adze on 4 Jul 2014, 19:44)

Oh well, guess what :) as suspected in the initial post, both WiFi connections MUST run on the same channel. After that I've added another route as you suggested and everything just works.
Thank you for your assistance and keep up this great project.

Adze wrote:

Ah, I now know what you mean. Short answer is that mwan3 does not support that without some extra ip rules. Mwan3 has a policy that all packets incoming from wan interfaces are routed via the main routing table (ip rules 1001 to 1250). If you want a different routing policy for PC2 you will have to add a custom ip rule before rule 1000.

Thanks for the reply, but I'm not sure why it doesn't work then. If input packet is going into main routing table, then it should route just fine to the default gateway, but it doesn't.
What rules should I add and where?

JoiNNN wrote:

Oh well, guess what :) as suspected in the initial post, both WiFi connections MUST run on the same channel. After that I've added another route as you suggested and everything just works.
Thank you for your assistance and keep up this great project.

That is correct. AFAIK all physical radio interfaces can only use one channel at a time regardless of how many SSIDs are configured. You can always upgrade to a router with two radios and then use two different channels if necessary. WiFi would be better on a dual radio router as well.

Adze wrote:

Hi Ghost,


Please try and add this rule to your mwan3 config. Place it on top of all other rules:

config rule 'ipsec'
    option dest_ip '{remote subnet}'
    option use_policy 'default'

On a side note: I see that you use custom route table 220. This can be a problem as mwan3 might wipe this table when it's stopped. If you use a number higher than 255 you should be fine...

Hi Adze,

sorry for late reply, just _needed_ to get some distance between me and all this kernel hacking stuff (not only related to mwan3)...

This was the right pointer!!
Additionally I added another rule for the ipsec tunnel itself:

config rule 'ipsec-gateway'
    option dest_ip '{remote gateway}'
    option use_policy 'default'

as I had some connection problems when putting it through mwan3, no good idea why, need to test some more I think.
But so far it is working and that's a good thing ;)

As for the routing table 220, as mentioned, it is the default for strongswan. I am not sure if it can be changed by config; it can be at compilation.... But anyway, the chance that someone with 220 wan interfaces wants to use strongswan with mwan3 is _extremely_ low :)

Hi Adze,

I still have some strange behavior with strongswan; it seems to just not respect the mwan3 rules.
For the remote subnet, it's all good, selecting policy to just MARK and let the strongswan rules properly handle the traffic.

But for the connection itself, strongswan seems to just go with the lowest metric interface. This is problematic when wan is via some other network by dhcp: if this has no connectivity, the route is still there but the internet is not reachable.

It could be possible to change the metrics dynamically on mwan ifdown events, but this would bypass the whole idea of the system a bit I think.

current config:

config rule 'ipsec_gate'
    option use_policy 'balanced'
    option dest_ip '{remote gateway}'
    option proto 'all'

config rule 'ipsec'
    option dest_ip '{remote subnet}'
    option use_policy 'default'

config rule 'default_rule'
    option dest_ip '0.0.0.0/0'
    option proto 'all'
    option use_policy 'balanced'

The rule in question is the first one: set to 'default' only the metric decides, set to 'balanced' seems to be the same...

gh0st wrote:

But for the connection itself, strongswan seems to just go with the lowest metric interface. This is problematic when wan is via some other network by dhcp: if this has no connectivity, the route is still there but the internet is not reachable.

Is the remote IPsec VPN peer IP (the one specified in option dest_ip '{remote gateway}') on a directly connected network (i.e. is it listed among the "Known networks:" subsection, when you run "mwan3 status") ?

In that case, afaik mwan will indeed use the lowest metric interface to connect to it.

(Last edited by kpv on 17 Jul 2014, 17:09)

gh0st wrote:

But for the connection itself, strongswan seems to just go with the lowest metric interface. This is problematic when wan is via some other network by dhcp: if this has no connectivity, the route is still there but the internet is not reachable.

Strongswan was once a pain in the ass when multiple WAN interfaces existed on the same router. Since version 5.0.1 there are now configurable whitelists and blacklists for interfaces in the Strongswan configuration.

Use the charon.interfaces_ignore or charon.interfaces_use commands in /etc/strongswan.conf to tell Strongswan what interfaces it is allowed to use. Both take a comma-separated list of interface names to either ignore or use exclusively. Please note these are the device names (eth0, eth0.1, etc.)

https://wiki.strongswan.org/issues/185

(Last edited by arfett on 18 Jul 2014, 16:52)

Adze,

Love your plugin -- it works great.

I just have one minor problem with setting the vpn gateway; rules in mwan3 do not seem to affect what interface the tunnel is brought up on.

I'm looking to bring the tunnel up on wan2, and bring it up on wan if wan2 is down.

Sorry, posts 851 to 850 are missing from our archive.