OpenWrt Forum Archive

Topic: mwan3; multi-wan policy routing (general topic)

The content of this topic has been archived between 22 May 2013 and 6 May 2018. Unfortunately there are posts – most likely complete pages – missing.

Adze wrote:

Then it is in your /etc/config/network...

Sorry - yes it is, yet mwan3 does not see it as having a default route.
config interface 'Bouygues4G'
        option proto 'dhcp'
        option metric '15'


Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         37-1-168-1.ip.s 0.0.0.0         UG    10     0        0 eth1
default         192.168.8.1     0.0.0.0         UG    15     0        0 wlan1                   - this is its default entry !
default         192.168.1.1     0.0.0.0         UG    100    0        0 eth0.2

Thanks for your fast interaction here!

(Last edited by asergiu on 28 Oct 2014, 11:50)

And you also have an interface Bouygues4G configured in mwan3?

Adze wrote:

And you also have an interface Bouygues4G configured in mwan3?

Yeah - sorry for taking your time - I was typing it as bouygues4G and without capital B - it thought (obviously) it was a different interface (which did not exist). I believe this was the culprit.

Thank you for your quick reaction and sorry again for wasting your time.

Adrian

asergiu wrote:

Thank you for your quick reaction and sorry again for wasting your time.

No problem. Nice to hear that you fixed it yourself.
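The mismatch found above (bouygues4G in mwan3 versus Bouygues4G in /etc/config/network) can be checked mechanically, since UCI section names are case-sensitive. The following shell script is an added example, not part of the original posts or of mwan3; the function names and the sample files (including the wan and wan3 sections) are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): cross-check the interface section
# names in an mwan3 config against those in a network config.

# uci_ifaces FILE: print the section name of every "config interface" line.
uci_ifaces() {
    awk '$1 == "config" && $2 == "interface" && NF >= 3 {
             name = $3
             gsub(/[^A-Za-z0-9_]/, "", name)   # drop the surrounding quotes
             print name
         }' "$1"
}

# lower STRING: print STRING in lower case.
lower() { printf "%s" "$1" | tr "A-Z" "a-z"; }

# check_mwan3_ifaces MWAN3_FILE NETWORK_FILE
# Prints one line per mwan3 interface: OK, CASE-MISMATCH or MISSING.
# Returns 0 only when every mwan3 interface has an exact match.
check_mwan3_ifaces() {
    net_names=$(uci_ifaces "$2")
    rc=0
    for m in $(uci_ifaces "$1"); do
        status="MISSING"
        hint=""
        for n in $net_names; do
            if [ "$m" = "$n" ]; then
                status="OK"
                hint=""
                break
            elif [ "$(lower "$m")" = "$(lower "$n")" ]; then
                status="CASE-MISMATCH"
                hint=" (network has $n)"
            fi
        done
        [ "$status" = "OK" ] || rc=1
        echo "$m: $status$hint"
    done
    return "$rc"
}

# --- Constructed sample input (only Bouygues4G comes from the thread) ---
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

cat > "$SAMPLE_DIR/network" <<'EOF'
config interface 'Bouygues4G'
        option proto 'dhcp'
        option metric '15'

config interface 'wan'
        option proto 'dhcp'
        option metric '10'
EOF

cat > "$SAMPLE_DIR/mwan3" <<'EOF'
config interface 'bouygues4G'
        option enabled '1'

config interface 'wan'
        option enabled '1'

config interface 'wan3'
        option enabled '1'
EOF

check_mwan3_ifaces "$SAMPLE_DIR/mwan3" "$SAMPLE_DIR/network" ||
    echo "mwan3 references interfaces that the network config does not define"
```

On the router itself, pass /etc/config/mwan3 and /etc/config/network as the two arguments.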

mwan3 and port forwarding

I have an issue with setting port forwarding when mwan3 is installed.

There are two wans:
- wan (eth0.2) - NO external IP available
- wan2 (pppoe-wan2) - external dynamic IP address available

I would like to forward port 8888 to foscam camera available in lan at 192.168.1.111

I did set up the following port forward:

IPv4-TCP
From any host in wan
Via any router IP at port 8888
IP 192.168.1.111, port 8888 in lan

But when I try to access external IP (or through dyndns) on port 8888 from different location then no response is sent. I'm able to access router interface through ssh or by using GUI so I guess my problem is related to port forwarding.

Any ideas what I am doing wrong?

root@OpenWrt:~# cat /etc/config/firewall

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fe80::/10'
        option src_port '547'
        option dest_ip 'fe80::/10'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option target 'ACCEPT'
        option src 'wan'
        option proto 'tcp'
        option dest_port '22'
        option name '22'

config rule
        option target 'ACCEPT'
        option src 'wan'
        option proto 'tcp'
        option dest_port '80'
        option name '80'
        option dest_ip '192.168.1.1'

config rule
        option name '8888'
        option dest_port '8888'
        option dest_ip '192.168.1.111'
        option target 'ACCEPT'
        option src 'wan'
        option proto 'tcp'
        option dest 'lan'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option src_dport '22'
        option dest_port '22'
        option name 'ssh'
        option dest_ip '192.168.1.1'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option src_dport '80'
        option dest_port '80'
        option name 'http'
        option dest_ip '192.168.1.1'

config redirect
        option target 'DNAT'
        option src 'wan'
        option name 'foscam'
        option src_dport '8888'
        option dest_port '8888'
        option dest_ip '192.168.1.111'
        option dest 'lan'
        option proto 'tcp'

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option network 'lan'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        option output 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        option forward 'ACCEPT'
        option network 'wan wan2'
        option input 'ACCEPT'

config include
        option path '/etc/firewall.user'

config forwarding
        option dest 'lan'
        option src 'wan'

config forwarding
        option dest 'wan'
        option src 'lan'

config include 'miniupnpd'
        option type 'script'
        option path '/usr/share/miniupnpd/firewall.include'
        option family 'IPv4'
        option reload '1'

Troubleshooting Data

Software versions : 

OpenWrt - OpenWrt Attitude Adjustment 12.09.1
LuCI - 0.11+svn10458

mwan3 - 1.4-20
luci-app-mwan3 - 1.2-19

Output of "cat /etc/config/mwan3" : 

config interface 'wan'
    option enabled '1'
    list track_ip '8.8.4.4'
    list track_ip '8.8.8.8'
    list track_ip '208.67.222.222'
    list track_ip '208.67.220.220'
    option reliability '2'
    option count '1'
    option interval '5'
    option timeout '5'
    option down '10'
    option up '1'

config interface 'wan2'
    list track_ip '8.8.8.8'
    list track_ip '208.67.220.220'
    option reliability '1'
    option count '1'
    option timeout '2'
    option interval '5'
    option down '3'
    option up '8'
    option enabled '1'

config member 'wan_m1_w3'
    option interface 'wan'
    option metric '1'
    option weight '3'

config member 'wan_m2_w3'
    option interface 'wan'
    option metric '2'
    option weight '3'

config member 'wan2_m1_w2'
    option interface 'wan2'
    option metric '1'
    option weight '2'

config member 'wan2_m2_w2'
    option interface 'wan2'
    option metric '2'
    option weight '2'

config policy 'wan_only'
    list use_member 'wan_m1_w3'

config policy 'wan2_only'
    list use_member 'wan2_m1_w2'

config policy 'balanced'
    list use_member 'wan_m1_w3'
    list use_member 'wan2_m1_w2'

config policy 'wan_wan2'
    list use_member 'wan_m1_w3'
    list use_member 'wan2_m2_w2'

config policy 'wan2_wan'
    list use_member 'wan_m2_w3'
    list use_member 'wan2_m1_w2'

config rule 'sticky_even'
    option src_ip '0.0.0.0/0.0.0.1'
    option dest_port '443'
    option proto 'tcp'
    option use_policy 'wan_wan2'

config rule 'sticky_odd'
    option src_ip '0.0.0.1/0.0.0.1'
    option dest_port '443'
    option proto 'tcp'
    option use_policy 'wan2_wan'

config rule 'default_rule'
    option dest_ip '0.0.0.0/0'
    option use_policy 'balanced'

Output of "cat /etc/config/network" : 

config interface 'loopback'
    option ifname 'lo'
    option proto 'static'
    option ipaddr '127.0.0.1'
    option netmask '255.0.0.0'

config interface 'lan'
    option ifname 'eth0.1'
    option type 'bridge'
    option proto 'static'
    option netmask '255.255.255.0'
    option ipaddr '192.168.1.1'

config interface 'wan'
    option ifname 'eth0.2'
    option _orig_ifname 'eth0.2'
    option _orig_bridge 'false'
    option proto 'static'
    option ipaddr '192.168.0.85'
    option netmask '255.255.255.0'
    option gateway '192.168.0.1'
    option dns '8.8.8.8 8.8.4.4 208.67.220.220 208.67.222.222'

config interface 'wan2'
    option ifname 'eth0.3'
    option proto 'pppoe'
    USERNAME HIDDEN
    PASSWORD HIDDEN
    option pppd_options 'debug'
    option peerdns '0'
    option keepalive '30 5'
    option dns '208.67.222.222 208.67.220.220 8.8.8.8 8.8.4.4'
    option vpi '0'
    option vci '35'
    option encaps 'vc'
    option metric '1'

config switch
    option name 'eth0'
    option reset '1'
    option enable_vlan '1'

config switch_vlan
    option device 'eth0'
    option vlan '1'
    option ports '0t 3 4 5'

config switch_vlan
    option device 'eth0'
    option vlan '2'
    option ports '0t 1'

config switch_vlan
    option device 'eth0'
    option vlan '3'
    option ports '0t 2'

config route
    option interface 'wan'
    option netmask '255.255.255.0'
    option gateway '192.168.0.1'
    option metric '2'
    option target '192.168.0.85'

Output of "ifconfig" : 

br-lan    Link encap:Ethernet  HWaddr F8:1A:67:7E:AB:28  
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2440907 errors:0 dropped:11663 overruns:0 frame:0
          TX packets:1839316 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:1170660948 (1.0 GiB)  TX bytes:607887498 (579.7 MiB)

eth0      Link encap:Ethernet  HWaddr F8:1A:67:7E:AB:28  
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:29317240 errors:0 dropped:21 overruns:0 frame:0
          TX packets:21496108 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:3159175783 (2.9 GiB)  TX bytes:3200317267 (2.9 GiB)
          Interrupt:4 

eth0.1    Link encap:Ethernet  HWaddr F8:1A:67:7E:AB:28  
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:22684 errors:0 dropped:0 overruns:0 frame:0
          TX packets:485230 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:2672425 (2.5 MiB)  TX bytes:103242727 (98.4 MiB)

eth0.2    Link encap:Ethernet  HWaddr F8:1A:67:7E:AB:28  
          inet addr:192.168.0.85  Bcast:192.168.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:17830923 errors:0 dropped:48819 overruns:0 frame:0
          TX packets:8674571 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:1544842722 (1.4 GiB)  TX bytes:812530120 (774.8 MiB)

eth0.3    Link encap:Ethernet  HWaddr F8:1A:67:7E:AB:28  
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:150731 errors:0 dropped:0 overruns:0 frame:0
          TX packets:161235 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:14838660 (14.1 MiB)  TX bytes:17510941 (16.6 MiB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:290109 errors:0 dropped:0 overruns:0 frame:0
          TX packets:290109 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:23254079 (22.1 MiB)  TX bytes:23254079 (22.1 MiB)

pppoe-wan2 Link encap:Point-to-Point Protocol  
          inet addr:178.43.228.146  P-t-P:83.1.4.50  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1492  Metric:1
          RX packets:12639 errors:0 dropped:0 overruns:0 frame:0
          TX packets:12093 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3 
          RX bytes:1348834 (1.2 MiB)  TX bytes:3505701 (3.3 MiB)

wlan0     Link encap:Ethernet  HWaddr F8:1A:67:7E:AB:29  
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2427045 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2236220 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:1208241549 (1.1 GiB)  TX bytes:706038619 (673.3 MiB)

wlan1     Link encap:Ethernet  HWaddr F8:1A:67:7E:AB:2A  
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:706 errors:0 dropped:0 overruns:0 frame:0
          TX packets:461173 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:106989 (104.4 KiB)  TX bytes:89364183 (85.2 MiB)

Output of "route -n" : 

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.0.1     0.0.0.0         UG    0      0        0 eth0.2
0.0.0.0         83.1.4.50       0.0.0.0         UG    1      0        0 pppoe-wan2
83.1.4.50       0.0.0.0         255.255.255.255 UH    0      0        0 pppoe-wan2
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0.2
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 br-lan

Output of "ip rule show" : 

0:    from all lookup local 
1001:    from all iif eth0.2 lookup main 
1002:    from all iif pppoe-wan2 lookup main 
2001:    from all fwmark 0x100/0xff00 lookup 1 
2002:    from all fwmark 0x200/0xff00 lookup 2 
2254:    from all fwmark 0xfe00/0xff00 unreachable
32766:    from all lookup main 
32767:    from all lookup default

Output of "ip route list table 1-250" : 

1
default via 192.168.0.1 dev eth0.2 
2
default via 83.1.4.50 dev pppoe-wan2

Firewall default output policy (must be ACCEPT) : 

ACCEPT

Output of "iptables -L -t mangle -v -n" : 

Chain PREROUTING (policy ACCEPT 1190 packets, 148K bytes)
 pkts bytes target     prot opt in     out     source               destination         
  19M 3101M mwan3_hook  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
 1190  148K fwmark     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain INPUT (policy ACCEPT 1022 packets, 112K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 130 packets, 8053 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  130  8053 mssfix     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 1010 packets, 182K bytes)
 pkts bytes target     prot opt in     out     source               destination         
  17M 1532M mwan3_hook  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  17M 1532M mwan3_track_hook  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain POSTROUTING (policy ACCEPT 1142 packets, 191K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain fwmark (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain mssfix (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 TCPMSS     tcp  --  *      eth0.2  0.0.0.0/0            0.0.0.0/0           tcp flags:0x06/0x02 /* wan (mtu_fix) */ TCPMSS clamp to PMTU 
    2   104 TCPMSS     tcp  --  *      pppoe-wan2  0.0.0.0/0            0.0.0.0/0           tcp flags:0x06/0x02 /* wan (mtu_fix) */ TCPMSS clamp to PMTU 

Chain mwan3_connected (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    9   593 MARK       all  --  *      *       0.0.0.0/0            127.0.0.0/8         mark match 0x0/0xff00 MARK or 0xff00 
   21  3698 MARK       all  --  *      *       0.0.0.0/0            224.0.0.0/3         mark match 0x0/0xff00 MARK or 0xff00 
    0     0 MARK       all  --  *      *       0.0.0.0/0            83.1.4.50           mark match 0x0/0xff00 MARK or 0xff00 
    0     0 MARK       all  --  *      *       0.0.0.0/0            192.168.0.0/24      mark match 0x0/0xff00 MARK or 0xff00 
    8   877 MARK       all  --  *      *       0.0.0.0/0            192.168.1.0/24      mark match 0x0/0xff00 MARK or 0xff00 

Chain mwan3_hook (2 references)
 pkts bytes target     prot opt in     out     source               destination         
  37M 4633M CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0           CONNMARK restore mask 0xff00 
  14M 1098M mwan3_ifaces  all  --  *      *       0.0.0.0/0            0.0.0.0/0           mark match 0x0/0xff00 
  12M  999M mwan3_connected  all  --  *      *       0.0.0.0/0            0.0.0.0/0           mark match 0x0/0xff00 
  11M  874M mwan3_rules  all  --  *      *       0.0.0.0/0            0.0.0.0/0           mark match 0x0/0xff00 
  37M 4633M CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0           CONNMARK save mask 0xff00 

Chain mwan3_iface_wan (1 references)
 pkts bytes target     prot opt in     out     source               destination         
51725 8165K MARK       all  --  *      *       192.168.0.0/24       0.0.0.0/0           mark match 0x0/0xff00 /* wan */ MARK or 0xff00 
 2236  167K MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0           mark match 0x0/0xff00 /* wan */ MARK xset 0x100/0xff00 

Chain mwan3_iface_wan2 (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MARK       all  --  *      *       83.1.4.50            0.0.0.0/0           mark match 0x0/0xff00 /* wan2 */ MARK or 0xff00 
   97  5096 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0           mark match 0x0/0xff00 /* wan2 */ MARK xset 0x200/0xff00 

Chain mwan3_ifaces (1 references)
 pkts bytes target     prot opt in     out     source               destination         
53961 8332K mwan3_iface_wan  all  --  eth0.2 *       0.0.0.0/0            0.0.0.0/0           mark match 0x0/0xff00 
   97  5096 mwan3_iface_wan2  all  --  pppoe-wan2 *       0.0.0.0/0            0.0.0.0/0           mark match 0x0/0xff00 

Chain mwan3_policy_balanced (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  130 10796 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0           mark match 0x0/0xff00 statistic mode random probability 0.400000 /* wan2 2 5 */ MARK xset 0x200/0xff00 
  206 16966 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0           mark match 0x0/0xff00 /* wan 3 3 */ MARK xset 0x100/0xff00 

Chain mwan3_policy_wan2_only (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0           mark match 0x0/0xff00 /* wan2 2 2 */ MARK xset 0x200/0xff00 

Chain mwan3_policy_wan2_wan (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0           mark match 0x0/0xff00 /* wan2 2 2 */ MARK xset 0x200/0xff00 

Chain mwan3_policy_wan_only (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0           mark match 0x0/0xff00 /* wan 3 3 */ MARK xset 0x100/0xff00 

Chain mwan3_policy_wan_wan2 (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0           mark match 0x0/0xff00 /* wan 3 3 */ MARK xset 0x100/0xff00 

Chain mwan3_rules (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 mwan3_policy_wan_wan2  tcp  --  *      *       0.0.0.0/0.0.0.1      0.0.0.0/0           multiport sports 0:65535 multiport dports 443 mark match 0x0/0xff00 /* sticky_even */ 
    0     0 mwan3_policy_wan2_wan  tcp  --  *      *       0.0.0.1/0.0.0.1      0.0.0.0/0           multiport sports 0:65535 multiport dports 443 mark match 0x0/0xff00 /* sticky_odd */ 
  336 27762 mwan3_policy_balanced  all  --  *      *       0.0.0.0/0            0.0.0.0/0           mark match 0x0/0xff00 /* default_rule */ 

Chain mwan3_track_hook (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  17M 1532M mwan3_track_wan2  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  17M 1514M mwan3_track_wan  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain mwan3_track_wan (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 849K   71M MARK       icmp --  *      eth0.2  0.0.0.0/0            208.67.220.220      icmp type 8 MARK or 0xff00 
 849K   71M MARK       icmp --  *      eth0.2  0.0.0.0/0            208.67.222.222      icmp type 8 MARK or 0xff00 
 853K   72M MARK       icmp --  *      eth0.2  0.0.0.0/0            8.8.8.8             icmp type 8 MARK or 0xff00 
 849K   71M MARK       icmp --  *      eth0.2  0.0.0.0/0            8.8.4.4             icmp type 8 MARK or 0xff00 

Chain mwan3_track_wan2 (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   67  5628 MARK       icmp --  *      pppoe-wan2  0.0.0.0/0            208.67.220.220      icmp type 8 MARK or 0xff00 
   67  5628 MARK       icmp --  *      pppoe-wan2  0.0.0.0/0            8.8.8.8             icmp type 8 MARK or 0xff00 

Chain qos_Default (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0           CONNMARK restore mask 0xff 
    0     0 qos_Default_ct  all  --  *      *       0.0.0.0/0            0.0.0.0/0           mark match 0x0/0xff 
    0     0 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0           mark match 0x1/0xff length 400:65535 MARK and 0xffffff00 
    0     0 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0           mark match 0x2/0xff length 800:65535 MARK and 0xffffff00 
    0     0 MARK       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           mark match 0x0/0xff length 0:500 MARK xset 0x2/0xff 
    0     0 MARK       icmp --  *      *       0.0.0.0/0            0.0.0.0/0           MARK xset 0x1/0xff 
    0     0 MARK       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           mark match 0x0/0xff tcp spts:1024:65535 dpts:1024:65535 MARK xset 0x4/0xff 
    0     0 MARK       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           mark match 0x0/0xff udp spts:1024:65535 dpts:1024:65535 MARK xset 0x4/0xff 
    0     0 MARK       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           length 0:128 mark match !0x4/0xff tcp flags:0x3F/0x02 MARK xset 0x1/0xff 
    0     0 MARK       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           length 0:128 mark match !0x4/0xff tcp flags:0x3F/0x10 MARK xset 0x1/0xff 

Chain qos_Default_ct (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MARK       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           mark match 0x0/0xff tcp multiport ports 22,53 MARK xset 0x1/0xff 
    0     0 MARK       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           mark match 0x0/0xff udp multiport ports 22,53 MARK xset 0x1/0xff 
    0     0 MARK       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           mark match 0x0/0xff tcp multiport ports 20,21,25,80,110,443,993,995 MARK xset 0x3/0xff 
    0     0 MARK       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           mark match 0x0/0xff tcp multiport ports 5190 MARK xset 0x2/0xff 
    0     0 MARK       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           mark match 0x0/0xff udp multiport ports 5190 MARK xset 0x2/0xff 
    0     0 CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0           CONNMARK save mask 0xff

Hi qweas2,


I think that if you change this

config rule
        option name '8888'
        option dest_port '8888'
        option dest_ip '192.168.1.111'
        option target 'ACCEPT'
        option src 'wan'
        option proto 'tcp'
        option dest 'lan'

to this

config rule
        option name '8888'
        option dest_port '8888'
        option target 'ACCEPT'
        option src 'wan'
        option proto 'tcp'

you will get better results. It is not a mwan3 issue though...
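Added example, not part of the original posts: a shell function that lists what a firewall config like the one posted above exposes on the wan zone, namely the zone's own input/forward policy when it is ACCEPT and each DNAT redirect coming from that zone. The function name and the trimmed sample file are constructed from values shown in the thread.

```shell
#!/bin/sh
# Added example, not from the thread: list what a UCI firewall config exposes
# on one zone. It parses plain text, so it also runs on a saved copy.

# audit_firewall FILE [ZONE]
# Prints one line per finding for ZONE (default: wan):
#   - the zone itself, if its input or forward policy is ACCEPT
#   - every DNAT redirect whose source zone is ZONE
audit_firewall() {
    awk -v zone="${2:-wan}" -v q="'" '
    # Show a placeholder for options the section does not set.
    function dflt(v) { return v == "" ? "unset" : v }

    # Report on the section just finished, then reset the option table.
    function emit() {
        if (type == "zone" && o["name"] == zone &&
            (o["input"] == "ACCEPT" || o["forward"] == "ACCEPT"))
            printf "zone %s: input=%s forward=%s\n",
                   zone, dflt(o["input"]), dflt(o["forward"])
        if (type == "redirect" && o["src"] == zone && o["target"] == "DNAT")
            printf "redirect %s: %s %s/%s -> %s:%s\n",
                   dflt(o["name"]), zone, dflt(o["proto"]),
                   dflt(o["src_dport"]), dflt(o["dest_ip"]), dflt(o["dest_port"])
        split("", o)                 # portable way to clear the array
    }

    $1 == "config" { emit(); type = $2; next }

    $1 == "option" {
        v = $0
        sub(/^[ \t]*option[ \t]+[^ \t]+[ \t]+/, "", v)   # keep only the value
        sub(/[ \t\r]+$/, "", v)
        gsub(q, "", v); gsub(/"/, "", v)                  # strip both quote styles
        o[$2] = v
    }

    END { emit() }
    ' "$1"
}

# --- Constructed sample: three sections trimmed from the config in the thread ---
FW_SAMPLE=$(mktemp)
trap 'rm -f "$FW_SAMPLE"' EXIT

cat > "$FW_SAMPLE" <<'EOF'
config redirect
        option target 'DNAT'
        option src 'wan'
        option name 'foscam'
        option src_dport '8888'
        option dest_port '8888'
        option dest_ip '192.168.1.111'
        option dest 'lan'
        option proto 'tcp'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option network 'lan'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        option output 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        option forward 'ACCEPT'
        option network 'wan wan2'
        option input 'ACCEPT'
EOF

audit_firewall "$FW_SAMPLE" wan
```

On the router itself, run it against /etc/config/firewall.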

Hi. I've not updated my mwan v1 or v2 for 2 years probably now and intend to do so now..

I vaguely remember that it's now possible to have 2x pppoe even if the isp provides the same gateway.

Something to do with MAC VLAN or something as I recall..How does this work now?

biatche wrote:

I vaguely remember that it's now possible to have 2x pppoe even if the isp provides the same gateway. Something to do with MAC VLAN or something as I recall..How does this work now?

Nothing special is needed for multiple ppp interfaces with same gateway ip. Each ppp interface needs its own unique ip address and metric and you should be good to go.

Adze wrote:
biatche wrote:

I vaguely remember that it's now possible to have 2x pppoe even if the isp provides the same gateway. Something to do with MAC VLAN or something as I recall..How does this work now?

Nothing special is needed for multiple ppp interfaces with same gateway ip. Each ppp interface needs its own unique ip address and metric and you should be good to go.

Just curious, does it utilize mac vlan? (Long time ago I remembered you posted introducing mac vlan)

Wonder how you solved the ppp-same-gateway riddle...

thanks! :)

biatche wrote:

Just curious, does it utilize mac vlan? (Long time ago I remembered you posted introducing mac vlan)

No. The mac vlan was just a test to see if multiple wan interfaces with the same gateway on an ethernet LAN would work. The trick was to create multiple wan interfaces with multiple mac addresses. This was easy with mac vlan. With ppp you don't have that issue, as you already have individual interfaces.

If you want to use multiple wan interfaces with the same gateway ip on the same ethernet (v)lan, then you still need the mac vlan trick.

biatche wrote:

Wonder how you solved the ppp-same-gateway riddle...

Differentiate on interfaces instead of ip and create multiple routing tables.

(Last edited by Adze on 5 Nov 2014, 16:00)

Hello!
Can someone suggest me any application/script/daemon for policy routing in usual (not OpenWRT) Linux?
I need it only for IPv6, so I don't need any connmarks, NAT or anything. I also don't need any balancing or failover.
Is there any?

Both Barrier_Breaker and trunk package repositories have luci-app-mwan3 1.3-5 as of now.

I am trying to get nodogsplash captive portal running with mwan3.

However, there seems to be a conflict.

When I run mwan3, and then start nodogsplash, the captive portal is not working correctly.

If I stop mwan3, and then start nodogsplash, the captive portal is working ok.

Is this a known issue?

I am not an iptables expert so digging into the code of nodogsplash makes me a bit nervous, but if someone can point me in the right direction, or ask me to post some info that might help, that would be great.

(Last edited by JohnV on 13 Nov 2014, 00:35)

Hi JohnV,


I have never tried mwan3 running with nodogsplash. Let's see if we can make things work. Could you paste the output of the following, when nodogsplash is running and mwan3 is not:

- ip route
- ip rule
- iptables -L -t mangle -v -n

Thnx!

I have QOS installed, but it is not enabled below.

Below is without any users authenticated on the Guest WLAN (which is where nodogsplash is running), which means they cannot get to the internet, only to the splash screen.

Only other item to point out is that the config file has a value for "External Interface". I am leaving it at default, but maybe that is where the issue is also. I am including the info for that param here also:

# Parameter: ExternalInterface
# Default: Autodetected from /proc/net/route
#
# This should be autodetected on a OpenWRT system, but if not:
# Set ExtrnalInterface to the 'external' interface on your router,
# i.e. the one which provides the default route to the internet.
# Typically vlan1 for OpenWRT.
#
# ExternalInterface vlan1



ip route:

default via 10.64.64.64 dev 3g-wan2  proto static  metric 10
default via 10.10.20.1 dev eth0  proto static  metric 20
10.10.10.0/24 dev br-lan  proto kernel  scope link  src 10.10.10.1
10.10.20.0/24 dev eth0  proto static  scope link  metric 20
10.10.30.0/24 dev wlan0-1  proto kernel  scope link  src 10.10.30.1
10.64.64.64 dev 3g-wan2  proto kernel  scope link  src 10.136.27.221

ip rule:

0:    from all lookup local
32766:    from all lookup main
32767:    from all lookup default

iptables:

Chain PREROUTING (policy ACCEPT 1874 packets, 571K bytes)
pkts bytes target     prot opt in     out     source               destination         
   16  1798 ndsOUT     all  --  wlan0-1 *       0.0.0.0/0            0.0.0.0/0           
   16  1798 ndsBLK     all  --  wlan0-1 *       0.0.0.0/0            0.0.0.0/0           
   16  1798 ndsTRU     all  --  wlan0-1 *       0.0.0.0/0            0.0.0.0/0           
9104 3006K fwmark     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain INPUT (policy ACCEPT 200 packets, 19712 bytes)
pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 1670 packets, 551K bytes)
pkts bytes target     prot opt in     out     source               destination         
8171 2913K mssfix     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 195 packets, 32762 bytes)
pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 1865 packets, 583K bytes)
pkts bytes target     prot opt in     out     source               destination         
    0     0 ndsINC     all  --  *      wlan0-1  0.0.0.0/0            0.0.0.0/0           

Chain fwmark (1 references)
pkts bytes target     prot opt in     out     source               destination         

Chain mssfix (1 references)
pkts bytes target     prot opt in     out     source               destination         
  263 13676 TCPMSS     tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0            tcp flags:0x06/0x02 /* wan (mtu_fix) */ TCPMSS clamp to PMTU
  103  5388 TCPMSS     tcp  --  *      3g-wan2  0.0.0.0/0            0.0.0.0/0            tcp flags:0x06/0x02 /* wan (mtu_fix) */ TCPMSS clamp to PMTU

Chain ndsBLK (1 references)
pkts bytes target     prot opt in     out     source               destination         

Chain ndsINC (1 references)
pkts bytes target     prot opt in     out     source               destination         

Chain ndsOUT (1 references)
pkts bytes target     prot opt in     out     source               destination         

Chain ndsTRU (1 references)
pkts bytes target     prot opt in     out     source               destination         

Chain qos_Default (0 references)
pkts bytes target     prot opt in     out     source               destination         
    0     0 CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0            CONNMARK restore mask 0xf
    0     0 qos_Default_ct  all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0xf
    0     0 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x1/0xf length 400:65535 MARK and 0xffffff00
    0     0 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x2/0xf length 800:65535 MARK and 0xffffff00
    0     0 MARK       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0xf0 length 0:500 MARK xset 0x22/0xff
    0     0 MARK       icmp --  *      *       0.0.0.0/0            0.0.0.0/0            MARK xset 0x11/0xff
    0     0 MARK       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0xf0 tcp spts:1024:65535 dpts:1024:65535 MARK xset 0x44/0xff
    0     0 MARK       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0xf0 udp spts:1024:65535 dpts:1024:65535 MARK xset 0x44/0xff
    0     0 MARK       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            length 0:128 mark match ! 0x4/0xf tcp flags:0x3F/0x02 MARK xset 0x11/0xff
    0     0 MARK       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            length 0:128 mark match ! 0x4/0xf tcp flags:0x3F/0x10 MARK xset 0x11/0xff
    0     0 CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0            CONNMARK save mask 0xf0

Chain qos_Default_ct (1 references)
pkts bytes target     prot opt in     out     source               destination         
    0     0 MARK       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0xf tcp multiport ports 22,53 MARK xset 0x11/0xff
    0     0 MARK       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0xf udp multiport ports 22,53 MARK xset 0x11/0xff
    0     0 MARK       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0xf tcp multiport ports 20,21,25,80,110,443,993,995 MARK xset 0x33/0xff
    0     0 MARK       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0xf tcp multiport ports 5190 MARK xset 0x22/0xff
    0     0 MARK       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0xf udp multiport ports 5190 MARK xset 0x22/0xff
    0     0 CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0            CONNMARK save mask 0xff
    0     0 MARK       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0xf tcp multiport ports 22,53 MARK xset 0x11/0xff
    0     0 MARK       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0xf udp multiport ports 22,53 MARK xset 0x11/0xff
    0     0 MARK       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0xf tcp multiport ports 20,21,25,80,110,443,993,995 MARK xset 0x33/0xff
    0     0 MARK       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0xf tcp multiport ports 5190 MARK xset 0x22/0xff
    0     0 MARK       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0xf udp multiport ports 5190 MARK xset 0x22/0xff

Hi JohnV,

In the output you pasted there is nothing that could collide with mwan3, which is good, but doesn't explain anything yet. Please could you try and give me the same output when at least one client is authenticated?

And could you also try to run nodog and mwan3 together, but have only one mwan3 rule configured. A rule which states that everything should be routed according to main (default) routing table?

config rule 'default_rule'
        option dest_ip '0.0.0.0/0'
        option use_policy 'default'

Thnx

Adze, you can find more at https://github.com/nodogsplash/nodogsplash

I did look at it some time ago and iirc it needed some work to cooperate gracefully with other apps (qos and mwan).

Hi JohnV,


I have looked up some info on the workings of nodogsplash and I think I have an idea what's going wrong. I have no openwrt router at the moment I can play with, so it is just a hunch. Maybe you could test it.

What is happening is that an unauthenticated client wants to access a webpage. A packet is sent from client to internet. This is first picked up by iptables PREROUTING mangle table. There it will be marked according to mwan3 rules. In this example it is marked for interface wan2.

Then the packet is handled by iptables PREROUTING nat table. The destination address of the packet from the unauthenticated client gets natted to the webpage nodog is listening on.

The last step is to actually route the packet. But here comes the crux. As it is marked for wan2 interface, it will lookup the routing table of wan2 and will be routed out wan2. Never will the packet reach the nodog splash page.

In order to fix this we have to overrule the packet mark and use the default routing table instead. This has to be done after PREROUTING nat table. There is only one place left where we can do this, the mangle FORWARD table.

To test if my assumption is correct, could you try and run nodog and mwan3 and the following command:

iptables -t mangle -w -A FORWARD -j mwan3_connected

and let me know if this works?

(Last edited by Adze on 13 Nov 2014, 20:05)

Unfortunately the extra iptables command didn't seem to help.

Here are some more strange behaviours:

When WAN2 is down and WAN is up, when I try to access the internet the page just hangs.  I do not get a splash screen nor does the page load.  When I try to access local admin pages on router, I get the nsd splash screen.  If I stop nsd, I can access the internet OK.

I then put WAN2 online: when WAN2 and WAN both up, I can access the internet without authenticating with nsd.  When I try to access the router itself, I get the splash screen.

If I then shut down WAN2, nsd (via /usr/bin/ndsctl status) shows the client as authenticated, however when I try to access a local device, I get prompted with the splash screen again, even though I have already authenticated when both WAN2 and WAN were both online.

Here is the info from the router, with WAN and WAN2 both online, both nsd and mwan3 and the iptables command you requested.  The guest device also was authenticated at this time.

default via 10.64.64.64 dev 3g-wan2  proto static  metric 10
default via 10.10.20.1 dev eth0  proto static  metric 20
10.10.10.0/24 dev br-lan  proto kernel  scope link  src 10.10.10.1
10.10.20.0/24 dev eth0  proto static  scope link  metric 20
10.10.30.0/24 dev wlan0-1  proto kernel  scope link  src 10.10.30.1
10.64.64.64 dev 3g-wan2  proto kernel  scope link  src 10.136.25.75


0:    from all lookup local
1001:    from all iif eth0 lookup main
1002:    from all iif 3g-wan2 lookup main
2001:    from all fwmark 0x100/0xff00 lookup 1
2002:    from all fwmark 0x200/0xff00 lookup 2
2253:    from all fwmark 0xfd00/0xff00 blackhole
2254:    from all fwmark 0xfe00/0xff00 unreachable
32766:    from all lookup main
32767:    from all lookup default




Chain PREROUTING (policy ACCEPT 386 packets, 63307 bytes)
pkts bytes target     prot opt in     out     source               destination         
  472 67784 ndsOUT     all  --  wlan0-1 *       0.0.0.0/0            0.0.0.0/0           
  472 67784 ndsBLK     all  --  wlan0-1 *       0.0.0.0/0            0.0.0.0/0           
  472 67784 ndsTRU     all  --  wlan0-1 *       0.0.0.0/0            0.0.0.0/0           
7988 1742K mwan3_hook  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
6760 1566K fwmark     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain INPUT (policy ACCEPT 102 packets, 9646 bytes)
pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 284 packets, 53661 bytes)
pkts bytes target     prot opt in     out     source               destination         
5701 1453K mssfix     all  --  *      *       0.0.0.0/0            0.0.0.0/0           
1342  471K mwan3_connected  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 101 packets, 13371 bytes)
pkts bytes target     prot opt in     out     source               destination         
1173  305K mwan3_hook  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
1173  305K mwan3_output_hook  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain POSTROUTING (policy ACCEPT 379 packets, 66376 bytes)
pkts bytes target     prot opt in     out     source               destination         
  375  330K ndsINC     all  --  *      wlan0-1  0.0.0.0/0            0.0.0.0/0           

Chain fwmark (1 references)
pkts bytes target     prot opt in     out     source               destination         

Chain mssfix (1 references)
pkts bytes target     prot opt in     out     source               destination         
  258 13812 TCPMSS     tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0            tcp flags:0x06/0x02 /* wan (mtu_fix) */ TCPMSS clamp to PMTU
   53  3284 TCPMSS     tcp  --  *      3g-wan2  0.0.0.0/0            0.0.0.0/0            tcp flags:0x06/0x02 /* wan (mtu_fix) */ TCPMSS clamp to PMTU

Chain mwan3_connected (3 references)
pkts bytes target     prot opt in     out     source               destination         
    0     0 MARK       all  --  *      *       0.0.0.0/0            127.0.0.0/8          MARK or 0xff00
   27  4717 MARK       all  --  *      *       0.0.0.0/0            224.0.0.0/3          MARK or 0xff00
  354 75456 MARK       all  --  *      *       0.0.0.0/0            10.10.10.0/24        MARK or 0xff00
  761 66039 MARK       all  --  *      *       0.0.0.0/0            10.10.20.0/24        MARK or 0xff00
  316  306K MARK       all  --  *      *       0.0.0.0/0            10.10.30.0/24        MARK or 0xff00
    0     0 MARK       all  --  *      *       0.0.0.0/0            10.64.64.64          MARK or 0xff00

Chain mwan3_hook (2 references)
pkts bytes target     prot opt in     out     source               destination         
9161 2047K CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0            CONNMARK restore mask 0xff00
  827 68731 mwan3_ifaces  all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0xff00
  807 67554 mwan3_connected  all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0xff00
  423 42134 mwan3_rules  all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0xff00
9161 2047K CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0            CONNMARK save mask 0xff00
3536 1038K mwan3_connected  all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match ! 0xff00/0xff00

Chain mwan3_iface_wan (1 references)
pkts bytes target     prot opt in     out     source               destination         
    0     0 MARK       all  --  eth0   *       10.10.20.0/24        0.0.0.0/0            mark match 0x0/0xff00 /* default */ MARK or 0xff00
   14   943 MARK       all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0xff00 /* wan */ MARK xset 0x100/0xff00

Chain mwan3_iface_wan2 (1 references)
pkts bytes target     prot opt in     out     source               destination         
    0     0 MARK       all  --  3g-wan2 *       10.64.64.64          0.0.0.0/0            mark match 0x0/0xff00 /* default */ MARK or 0xff00
    6   234 MARK       all  --  3g-wan2 *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0xff00 /* wan2 */ MARK xset 0x200/0xff00

Chain mwan3_ifaces (1 references)
pkts bytes target     prot opt in     out     source               destination         
  824 68619 mwan3_iface_wan  all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0xff00
  571 43386 mwan3_iface_wan2  all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0xff00

Chain mwan3_output_hook (1 references)
pkts bytes target     prot opt in     out     source               destination         

Chain mwan3_policy_wan2_only (0 references)
pkts bytes target     prot opt in     out     source               destination         
    0     0 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0xff00 /* wan2 10 10 */ MARK xset 0x200/0xff00

Chain mwan3_policy_wan2_wan (1 references)
pkts bytes target     prot opt in     out     source               destination         
  216 20372 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0xff00 /* wan2 10 10 */ MARK xset 0x200/0xff00

Chain mwan3_policy_wan_only (0 references)
pkts bytes target     prot opt in     out     source               destination         
    0     0 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0xff00 /* wan 10 10 */ MARK xset 0x100/0xff00

Chain mwan3_policy_wan_wan2 (0 references)
pkts bytes target     prot opt in     out     source               destination         
    0     0 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0xff00 /* wan 10 10 */ MARK xset 0x100/0xff00

Chain mwan3_rules (1 references)
pkts bytes target     prot opt in     out     source               destination         
  216 20372 mwan3_policy_wan2_wan  all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0xff00 /* default_rule */

Chain ndsBLK (1 references)
pkts bytes target     prot opt in     out     source               destination         

Chain ndsINC (1 references)
pkts bytes target     prot opt in     out     source               destination         
    6   656 MARK       all  --  *      *       0.0.0.0/0            10.10.30.122         MARK or 0xa400
  322  312K MARK       all  --  *      *       0.0.0.0/0            10.10.30.122         MARK or 0xa400
    6   656 ACCEPT     all  --  *      *       0.0.0.0/0            10.10.30.122       

Chain ndsOUT (1 references)
pkts bytes target     prot opt in     out     source               destination         
    8  3000 MARK       all  --  *      *       10.10.30.122         0.0.0.0/0            MAC 54:E4:3A:9B:C5:A0 MARK or 0xa400

Chain ndsTRU (1 references)
pkts bytes target     prot opt in     out     source               destination         

Chain qos_Default (0 references)
pkts bytes target     prot opt in     out     source               destination         
    0     0 CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0            CONNMARK restore mask 0xf
    0     0 qos_Default_ct  all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0xf
    0     0 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x1/0xf length 400:65535 MARK and 0xffffff00
    0     0 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x2/0xf length 800:65535 MARK and 0xffffff00
    0     0 MARK       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0xf0 length 0:500 MARK xset 0x22/0xff
    0     0 MARK       icmp --  *      *       0.0.0.0/0            0.0.0.0/0            MARK xset 0x11/0xff
    0     0 MARK       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0xf0 tcp spts:1024:65535 dpts:1024:65535 MARK xset 0x44/0xff
    0     0 MARK       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0xf0 udp spts:1024:65535 dpts:1024:65535 MARK xset 0x44/0xff
    0     0 MARK       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            length 0:128 mark match ! 0x4/0xf tcp flags:0x3F/0x02 MARK xset 0x11/0xff
    0     0 MARK       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            length 0:128 mark match ! 0x4/0xf tcp flags:0x3F/0x10 MARK xset 0x11/0xff
    0     0 CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0            CONNMARK save mask 0xf0

Chain qos_Default_ct (1 references)
pkts bytes target     prot opt in     out     source               destination         
    0     0 MARK       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0xf tcp multiport ports 22,53 MARK xset 0x11/0xff
    0     0 MARK       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0xf udp multiport ports 22,53 MARK xset 0x11/0xff
    0     0 MARK       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0xf tcp multiport ports 20,21,25,80,110,443,993,995 MARK xset 0x33/0xff
    0     0 MARK       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0xf tcp multiport ports 5190 MARK xset 0x22/0xff
    0     0 MARK       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0xf udp multiport ports 5190 MARK xset 0x22/0xff
    0     0 CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0            CONNMARK save mask 0xff
    0     0 MARK       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0xf tcp multiport ports 22,53 MARK xset 0x11/0xff
    0     0 MARK       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0xf udp multiport ports 22,53 MARK xset 0x11/0xff
    0     0 MARK       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0xf tcp multiport ports 20,21,25,80,110,443,993,995 MARK xset 0x33/0xff
    0     0 MARK       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0xf tcp multiport ports 5190 MARK xset 0x22/0xff
    0     0 MARK       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0xf udp multiport ports 5190 MARK xset 0x22/0xff

(Last edited by JohnV on 14 Nov 2014, 04:12)

Hi JohnV,


Looking at your output, I see the problem:

Chain ndsINC (1 references)
pkts bytes target     prot opt in     out     source               destination         
    6   656 MARK       all  --  *      *       0.0.0.0/0            10.10.30.122         MARK or 0xa400
  322  312K MARK       all  --  *      *       0.0.0.0/0            10.10.30.122         MARK or 0xa400
    6   656 ACCEPT     all  --  *      *       0.0.0.0/0            10.10.30.122       
Chain ndsOUT (1 references)
pkts bytes target     prot opt in     out     source               destination         
    8  3000 MARK       all  --  *      *       10.10.30.122         0.0.0.0/0            MAC 54:E4:3A:9B:C5:A0 MARK or 0xa400

Nodog uses exactly the same bits to mark traffic as mwan3 uses. There is no simple solution. Either mwan3 or nodog has to change to at least give it a chance to work.

Well, I am glad you found the (first) issue.

Thanks for spending the time with me on this, and hopefully others will find this issue as well, and perhaps someone will be willing to work with nds to make some changes to it.

They do have a mailing list, but I only sent one email and did not get any response back.  I will try to contact again and point them to this thread and your info.

I received this message from the nds developers.  Not knowing what bits I should use that would be OK, if you can provide what would be safe to use I will test it.

------------------------------------------------------------------------------------------------------------------------

Reading the thread, Adze comes to the conclusion that mwan3 and nodogsplash use the same marking values for iptables.

You can choose the values for marking in the nodogsplash.conf configuration file:
FW_MARK_AUTHENTICATED 14
FW_MARK_TRUSTED 15
FW_MARK_BLOCKED 16

Let us know if this works! :)

(Last edited by JohnV on 14 Nov 2014, 21:25)

That sounds promising. QoS script uses the first 8 bits, mwan3 the second 8 bits. So values 17, 18 and 19 could work.

Although.. Looking at the output you posted earlier, it had a mark of 0xa400. This equals 1010 0100 0000 0000. This would suggest that at least bits 11, 14 and 16 are used.

(Last edited by Adze on 14 Nov 2014, 22:06)

I found this in the source:

#define DEFAULT_FW_MARK_AUTHENTICATED 0x400
#define DEFAULT_FW_MARK_TRUSTED 0x200
#define DEFAULT_FW_MARK_BLOCKED 0x100

Perhaps their email was an example of what to change them to......

I will try overriding the values in the config file and see what happens.  I will post results once I have a moment to do the test.

Quick update, the changes seem to work at first testing.  I am doing more work with it so will post an update shortly.
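
The mark collision diagnosed in this thread can be reproduced with plain shell arithmetic. The script below is an added example, not code from the posters or from mwan3/nodogsplash: the masks, the default_rule mark and the ip rule entries are copied from the listings posted above, the function names are hypothetical, and the candidate value 0x10000 is constructed.

```shell
#!/bin/sh
# Added example: models firewall-mark bit ownership with values quoted in the
# thread. It never calls iptables or ip. Function names are hypothetical.

QOS_MASK=0xff       # qos-scripts: "CONNMARK save mask 0xff"
MWAN3_MASK=0xff00   # mwan3: "mark match 0x0/0xff00"

# owner_conflicts MARK -> subsystems whose bit field MARK touches, or "none"
owner_conflicts() {
    hit=""
    if [ $(( $1 & $QOS_MASK )) -ne 0 ]; then hit="$hit qos"; fi
    if [ $(( $1 & $MWAN3_MASK )) -ne 0 ]; then hit="$hit mwan3"; fi
    hit=${hit# }
    echo "${hit:-none}"
}

# prerouting_mark NDS_MARK -> packet mark after mangle PREROUTING, in the chain
# order of the listing (ndsOUT before mwan3_hook). Simplified model, assuming a
# new connection from wlan0-1 to a non-local destination, so only default_rule
# (mwan3_policy_wan2_wan: "MARK xset 0x200/0xff00") can apply.
prerouting_mark() {
    mark=$(( 0 | $1 ))                          # ndsOUT: "MARK or <nds mark>"
    if [ $(( mark & $MWAN3_MASK )) -eq 0 ]; then
        # mwan3 rules only run on "mark match 0x0/0xff00"
        mark=$(( (mark & ~$MWAN3_MASK) ^ 0x200 ))
    fi
    printf '0x%x\n' "$mark"
}

# route_table MARK -> first fwmark entry of the posted "ip rule" list that
# matches (the iif rules are omitted; they only match traffic entering a WAN).
route_table() {
    f=$(( $1 & 0xff00 ))
    if   [ "$f" -eq $(( 0x100 )) ];  then echo "table 1"
    elif [ "$f" -eq $(( 0x200 )) ];  then echo "table 2"
    elif [ "$f" -eq $(( 0xfd00 )) ]; then echo "blackhole"
    elif [ "$f" -eq $(( 0xfe00 )) ]; then echo "unreachable"
    else echo "main"
    fi
}

# 0xa400: mark seen in ndsINC/ndsOUT; 0x400/0x200/0x100: nodogsplash source
# defaults; 14: value from the developers' mail; 0x10000: constructed candidate.
for m in 0xa400 0x400 0x200 0x100 14 0x10000; do
    after=$(prerouting_mark "$m")
    echo "nds mark $m: touches $(owner_conflicts "$m");" \
         "after PREROUTING $after -> $(route_table "$after")"
done
```

In this model any nodogsplash mark inside 0xff00 makes mwan3 skip its policy rules, and the defaults 0x100 and 0x200 are additionally read by the ip rules as mwan3's own table selectors.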