OpenWrt Forum Archive

Topic: mwan3; multi-wan policy routing (general topic)

The content of this topic has been archived between 22 May 2013 and 6 May 2018. Unfortunately there are posts – most likely complete pages – missing.

Adze wrote:

Hi wacke,

As of version 2.0.1 you need to create the ipset yourself, before it is added to the rules. This is done because I had received issues about user-created ipsets not working correctly, as mwan3 created them with other parameters. I decided that if you wish to use an ipset in your rules, you should create the set yourself beforehand.

Thank you for your reply. I really need mwan3 to work with the ipset; it is the easiest way to get through the GFW with a VPN. I'll go back to mwan3 version 1.6.3. Thank you for your work, it's amazing!

Hello. I'm having a problem with mwan3.
I have 2 WANs: one is the WAN port, one is a wireless WAN. I'm using the mwan3 default config.
In MWAN Detailed Status, policy balanced has only 1 WAN. wan2 is missing from policy balanced. I need both WANs in policy balanced (60/40). Could you help me?
My MWAN Detailed Status

Interface status:
Interface wan is online (tracking active)
Interface wan2 is online (tracking active)

Policy balanced:
 wan (100%)

Policy wan2_only:
 wan2 (100%)

Policy wan2_wan:
 wan2 (100%)

Policy wan_only:
 wan (100%)

Policy wan_wan2:
 wan (100%)

Known networks:
destination        policy             hits     
-----------------------------------------------
127.0.0.0/8        default            0        
224.0.0.0/3        default            81       
192.168.1.0/24     default            195      
192.168.2.0/24     default            1606     
192.168.254.0/24   default            4777     
127.0.0.0          default            0        
127.0.0.0/8        default            0        
127.0.0.1          default            0        
127.255.255.255    default            0        
192.168.1.0        default            0        
192.168.1.2        default            176      
192.168.1.255      default            17       
192.168.2.0        default            0        
192.168.2.1        default            515      
192.168.2.255      default            0        
192.168.254.0      default            0        
192.168.254.241    default            4777     
192.168.254.255    default            0        

Active rules:
source             destination        proto  src-port      dest-port     policy          hits     
--------------------------------------------------------------------------------------------------
0.0.0.0/0.0.0.1    0.0.0.0/0          tcp    0:65535       443           wan_wan2        403      
0.0.0.1/0.0.0.1    0.0.0.0/0          tcp    0:65535       443           wan2_wan        0        
0.0.0.0/0          0.0.0.0/0          all                                wan_wan2        10344
 

And MWAN config:

config rule 'sticky_even'
    option src_ip '0.0.0.0/0.0.0.1'
    option dest_port '443'
    option proto 'tcp'
    option use_policy 'wan_wan2'

config rule 'sticky_odd'
    option src_ip '0.0.0.1/0.0.0.1'
    option dest_port '443'
    option proto 'tcp'
    option use_policy 'wan2_wan'

config policy 'wan2_wan'
    list use_member 'wan_m2_w3'
    list use_member 'wan2_m1_w2'

config policy 'balanced'
    list use_member 'wan_m1_w3'
    list use_member 'wan2_m1_w2'

config policy 'wan2_only'
    list use_member 'wan2_m1_w2'

config policy 'wan_wan2'
    list use_member 'wan_m1_w3'
    list use_member 'wan2_m2_w2'

config policy 'wan_only'
    list use_member 'wan_m1_w3'

config interface 'wan'
    option enabled '1'
    option count '1'
    option timeout '2'
    option interval '5'
    option down '3'
    option up '8'
    list track_ip '8.8.8.8'
    list track_ip '208.67.220.220'
    option reliability '1'

config interface 'wan2'
    list track_ip '8.8.8.8'
    list track_ip '208.67.220.220'
    option reliability '1'
    option count '1'
    option timeout '2'
    option interval '5'
    option down '3'
    option up '8'
    option enabled '1'

config member 'wan_m1_w3'
        option interface 'wan'
        option metric '1'
        option weight '3'

config member 'wan_m2_w3'
        option interface 'wan'
        option metric '2'
        option weight '3'

config member 'wan2_m1_w2'
        option interface 'wan2'
        option metric '1'
        option weight '2'

config member 'wan2_m2_w2'
        option interface 'wan2'
        option metric '2'
        option weight '2'

config policy 'wan_only'
        list use_member 'wan_m1_w3'

config policy 'wan2_only'
        list use_member 'wan2_m1_w2'

config policy 'balanced'
        list use_member 'wan_m1_w3'
        list use_member 'wan2_m1_w2'

config policy 'wan_wan2'
        list use_member 'wan_m1_w3'
        list use_member 'wan2_m2_w2'

config policy 'wan2_wan'
        list use_member 'wan_m2_w3'
        list use_member 'wan2_m1_w2'

config rule 'default_rule'
        option dest_ip '0.0.0.0/0'
        option use_policy 'wan_wan2'

Thanks!

Hi phineasmax,


Your mwan3 config has some duplicate policy statements. For example the policy balanced is defined twice. Please cleanup your config and try again.

Adze wrote:

Hi phineasmax,


Your mwan3 config has some duplicate policy statements. For example the policy balanced is defined twice. Please cleanup your config and try again.

Thanks Adze! It works!
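Adze's diagnosis above (a policy defined twice) can be checked mechanically. The following is an added example, not part of mwan3 and not code from any post in this thread: a POSIX sh function that reads a UCI config file and reports every named section that appears more than once, accepting both the "config policy 'balanced'" and "config 'policy' 'balanced'" spellings that occur in this thread. The sample config inside the block is constructed for the demonstration and is not the poster's file; on the router you would point the function at /etc/config/mwan3.

```shell
#!/bin/sh
# Added example (not part of mwan3): report UCI sections defined more than once
# in a config file. A repeated "config <type> '<name>'" is not rejected as a
# syntax error, but, as the status output above shows, mwan3 then does not
# build the policy that was intended. Usage on the router:
#   find_duplicate_sections /etc/config/mwan3

find_duplicate_sections() {
    # $1: UCI config file. Prints "type name" once per duplicated section;
    # empty output means the file is clean. Both quote styles seen in this
    # thread (config policy 'x' and config 'policy' 'x') are accepted.
    awk -v q="'" '
        $1 == "config" && NF >= 3 {
            t = $2; n = $3
            gsub(q, "", t); gsub(/"/, "", t)    # strip single or double quotes
            gsub(q, "", n); gsub(/"/, "", n)
            key = t " " n
            if (++seen[key] == 2) print key     # report on the second hit only
        }' "$1"
}

# Constructed sample (not the poster's file) reproducing the thread's mistake:
# the balanced policy is declared twice, wan_only once.
sample=$(mktemp)
cat > "$sample" <<'EOF'
config policy 'balanced'
    list use_member 'wan_m1_w3'
    list use_member 'wan2_m1_w2'

config 'policy' 'wan_only'
    list use_member 'wan_m1_w3'

config policy 'balanced'
    list use_member 'wan_m1_w3'
EOF

find_duplicate_sections "$sample"    # prints: policy balanced
rm -f "$sample"
```

Unnamed sections (a bare "config interface" line with no name) are skipped on purpose, since UCI assigns those anonymous names and they cannot collide the way named sections do.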

wacke wrote:
Adze wrote:

Hi wacke,

As of version 2.0.1 you need to create the ipset yourself, before it is added to the rules. This is done because I had received issues about user-created ipsets not working correctly, as mwan3 created them with other parameters. I decided that if you wish to use an ipset in your rules, you should create the set yourself beforehand.

Thank you for your reply. I really need mwan3 to work with the ipset; it is the easiest way to get through the GFW with a VPN. I'll go back to mwan3 version 1.6.3. Thank you for your work, it's amazing!

Hi wacke, do you deploy shadowsocks on your openwrt router? Can shadowsocks co-exist with mwan3? I found that when I turn mwan3 on, shadowsocks stops, while shadowsocks on mwan would not work.

Hi Adze, I think Shadowsocks might be something like a transparent proxy. Please refer to https://github.com/shadowsocks/shadowso … ced-usage, especially the "Advanced usage" part.

I do not have much knowledge about Shadowsocks. It seems to nominate a local port, e.g. 1080, to listen on. And to avoid DNS pollution (e.g. www.google.com being blocked), set "server=/google.com/127.0.0.1#5300" (or any other port) in /etc/dnsmasq.conf, forwarding UDP port 5300 through ss-tunnel towards 8.8.8.8, etc.

In my country, VPNs are almost dead due to the censorship (only a few work, on Windows clients using cheating techniques). Shadowsocks is now the most popular weapon for freedom. Although the author was arrested a few months ago and released after promising to cease this project, luckily some brave people still continue its development and maintenance. Adze, I know you hate censorship, so please do help here. I read the wiki about the transparent proxy fix on mwan3 but still have no further idea, so I need your advice.

Taking this opportunity, I wish you a Merry Christmas and a Happy New Year!

Hi muronghan,

Looking at the link you posted, I think it is possible, but it requires some changes in the config of mwan3 as well as in shadowsocks. Maybe you could try it and report back?

The iptables mangle table is handled before the nat table, so in layman's terms mwan3 comes before shadowsocks. So we have to tell mwan3 which traffic to load-balance and which traffic you wish to have tunneled by shadowsocks. Traffic with policy default will be handled by shadowsocks.

The Mwan3 config would look something like this:

#Create a rule that traffic from router itself can be loadbalanced by a user defined policy.
config 'rule' 'rule1'
    option 'src_ip' '10.0.2.1'
    option 'dest_ip' '0.0.0.0/0'
    option 'use_policy' 'loadbalanced'

#Create a rule that all other traffic should NOT be handled by mwan3 (use policy default) as shadowsocks will then pick this up.
config 'rule' 'rule2'
    option 'dest_ip' '0.0.0.0/0'
    option 'use_policy' 'default'

And the Shadowsocks config something like this (only the fwmark part is changed, the rest is the default as copied from their site):

# Create new chain
root@Wrt:~# iptables -t nat -N SHADOWSOCKS
root@Wrt:~# iptables -t mangle -N SHADOWSOCKS

# Ignore your shadowsocks server's addresses. It's very IMPORTANT, just be careful.
root@Wrt:~# iptables -t nat -A SHADOWSOCKS -d 123.123.123.123 -j RETURN

# Ignore LANs and any other addresses you'd like to bypass the proxy
root@Wrt:~# iptables -t nat -A SHADOWSOCKS -d 0.0.0.0/8 -j RETURN
root@Wrt:~# iptables -t nat -A SHADOWSOCKS -d 10.0.0.0/8 -j RETURN
root@Wrt:~# iptables -t nat -A SHADOWSOCKS -d 127.0.0.0/8 -j RETURN
root@Wrt:~# iptables -t nat -A SHADOWSOCKS -d 169.254.0.0/16 -j RETURN
root@Wrt:~# iptables -t nat -A SHADOWSOCKS -d 172.16.0.0/12 -j RETURN
root@Wrt:~# iptables -t nat -A SHADOWSOCKS -d 192.168.0.0/16 -j RETURN
root@Wrt:~# iptables -t nat -A SHADOWSOCKS -d 224.0.0.0/4 -j RETURN
root@Wrt:~# iptables -t nat -A SHADOWSOCKS -d 240.0.0.0/4 -j RETURN

# Anything else should be redirected to shadowsocks's local port
root@Wrt:~# iptables -t nat -A SHADOWSOCKS -p tcp -j REDIRECT --to-ports 12345

# Add any UDP rules (use fwmark 0x010000 to avoid conflict with mwan3 or QoS)
root@Wrt:~# ip rule add fwmark 0x010000/0x010000 table 10000
root@Wrt:~# ip route add local 0.0.0.0/0 dev lo table 10000
root@Wrt:~# iptables -t mangle -A SHADOWSOCKS -p udp --dport 53 -j TPROXY --on-port 12345 --tproxy-mark 0x010000/0x010000

# Apply the rules
root@Wrt:~# iptables -t nat -A PREROUTING -p tcp -j SHADOWSOCKS
root@Wrt:~# iptables -t mangle -A PREROUTING -j SHADOWSOCKS

# Start the shadowsocks-redir
root@Wrt:~# ss-redir -u -c /etc/config/shadowsocks.json -f /var/run/shadowsocks.pid

To see if shadowsocks works at all with mwan3 running, first try with only rule 2 (policy default) enabled. If this works, add more mwan3 rules. Good luck!

(Last edited by Adze on 24 Dec 2015, 09:40)

What exactly is the interface "gateway metric"?

The only thing I found are recommendations that wan should default to value 10, wan2 to 20, wan3 to 30 etc.

Does it matter if I set them to 5, 15, 25 or 0,1,2 respectively?  Is it just a unique id number?  Does it carry some weight value and wan1 with gateway metric of 10 is preferred over wan2 with gateway metric 20?

bobptz wrote:

What exactly is the interface "gateway metric"?

The only thing I found are recommendations that wan should default to value 10, wan2 to 20, wan3 to 30 etc.

Does it matter if I set them to 5, 15, 25 or 0,1,2 respectively?  Is it just a unique id number?  Does it carry some weight value and wan1 with gateway metric of 10 is preferred over wan2 with gateway metric 20?

Yes it is just to make the interfaces unique to mwan3.

arfett wrote:

Yes it is just to make the interfaces unique to mwan3.

Thank you for your answer.

So I could setup 3-4 wan interfaces with the same name, but different "gateway metric"?  And mwan3 would work?

bobptz wrote:
arfett wrote:

Yes it is just to make the interfaces unique to mwan3.

Thank you for your answer.

So I could setup 3-4 wan interfaces with the same name, but different "gateway metric"?  And mwan3 would work?

They can't have the same name with or without mwan3.

(Last edited by arfett on 26 Dec 2015, 01:22)

muronghan wrote:
wacke wrote:
Adze wrote:

Hi wacke,

As of version 2.0.1 you need to create the ipset yourself, before it is added to the rules. This is done because I had received issues about user-created ipsets not working correctly, as mwan3 created them with other parameters. I decided that if you wish to use an ipset in your rules, you should create the set yourself beforehand.

Thank you for your reply. I really need mwan3 to work with the ipset; it is the easiest way to get through the GFW with a VPN. I'll go back to mwan3 version 1.6.3. Thank you for your work, it's amazing!

Hi wacke, do you deploy shadowsocks on your openwrt router? Can shadowsocks co-exist with mwan3? I found that when I turn mwan3 on, shadowsocks stops, while shadowsocks on mwan would not work.

I'm using ShadowVPN, not shadowsocks; maybe shadowsocks uses ipset (which conflicts with mwan3).

arfett wrote:

Yes it is just to make the interfaces unique to mwan3.

Why then does the manual (https://wiki.openwrt.org/doc/howto/mwan3) stress that the primary wan should have the lowest value?
"...This metric will only have an effect on the default routing table...
The default (primary) WAN interface should have the lowest metric (e.g. 10) and each additional WAN interface a higher metric (e.g. 20, 30, etc.). Values are not important, but should always be unique."

So I think that the wan with the lowest metric is preferred, through the rules in the default routing table (although my knowledge is limited and I do not know how the routing table works).

(Last edited by bobptz on 27 Dec 2015, 11:57)

Guys,
any idea what to do if mwan3 does not print any output on the command line (two days old trunk), I mean totally nothing...
I decided to update a 4/5 months old trunk and it doesn't work now; if anyone can point out the potential issue, that would be great.
Not posting the config, currently not at the router.

Thank you.

Adze wrote:
sharkys wrote:

Guys,
any idea what to do if mwan3 does not print any output on the command line (two days old trunk), I mean totally nothing...
I decided to update a 4/5 months old trunk and it doesn't work now; if anyone can point out the potential issue, that would be great.
Not posting the config, currently not at the router.

Hi sharkys,

Please try this:

https://forum.openwrt.org/viewtopic.php … 45#p301445
https://forum.openwrt.org/viewtopic.php … 06#p301506

Thank you @Adze, really appreciate such quick help, didn't expect that.

I did :
mwan3 status
echo $?

And got code 7 - because I don't have ip6tables compiled into the trunk... didn't know it is a mandatory prerequisite.

Thank you.

sharkys wrote:

And got code 7 - because I don't have ip6tables compiled into the trunk... didn't know it is a mandatory prerequisite.

It's sort of a bug, as ip6tables should not be mandatory. Without it, though, it will generate a lot of errors atm. I will update mwan3 in the near future with a more intelligent way of checking whether ip6tables is available.

I want to create a rule (work-rule) that will give top priority to a specific PC (let's name it work-pc) in the LAN. For this purpose I assigned it a static IP (i.e. 192.168.1.5). I assigned this rule (very high in the rules table) some policies with low metric and high weight values, and source address 192.168.1.5.

Is this a correct setup?

My worry is that all other rules lower down will be ignored. Like the HTTPS one: if I put this lower, then I will be kicked out of https sites, right? So what is the correct way to do this?

I could put work-rule lower than the https rule. But I also want my work-pc to have higher precedence than other PCs when visiting https sites.

So how do I do this?



PS: for some strange reason my pc behaves today as if no rules exist.  Like I disabled a specific sticky forum rule, but the forum does not kick me out today, as it did 2 days ago, before I did the rule. 

Is there a way to see where the traffic goes, what rule is used, etc.? Is wireshark the only way to investigate network traffic?

(Last edited by bobptz on 28 Dec 2015, 21:26)

bobptz wrote:

PS: for some strange reason my pc behaves today as if no rules exist.  Like I disabled a specific sticky forum rule, but the forum does not kick me out today, as it did 2 days ago, before I did the rule.

I found out what caused this erratic behaviour.  SQM-scripts (for QoS).

Somehow sqm-scripts FIXES things and I can browse forums and edit posts without the need for sticky rules (which force the same wan to be used on the same forum session).  When I disabled SQM, I had to bring back the mwan3 rules, or the forums would kick me off.

Now I need to find someone who knows both SQM and MWAN3, to explain this.

(Last edited by bobptz on 28 Dec 2015, 22:15)

Hi Adze, I just tried to change the fwmark value in some files of shadowsocks to your instruction, but there was no luck so far. If you are still interested in this problem, I could pm you some configuration files for further debugging.

I purchased a VPS (Virtual Private Server) so I could set up an OpenVPN server on the VPS in parallel. Currently I have two physical ISP lines, and I could treat the openvpn client as the third one on the openwrt router, thanks to mwan3. I searched for a how-to in this thread. There are quite some discussions; however, I am still confused.

Should I add the following in /etc/config/network:

    config interface 'VPN'
        option ifname 'tun0'
        option defaultroute '1'

    config 'route' 'default_VPN'
        option 'interface' 'VPN'
        option 'target' '0.0.0.0'
        option 'netmask' '0.0.0.0'
        option 'gateway' '172.20.24.1'
        option 'metric' '30'

And then add the following in /etc/config/openvpn.conf ?

        route-nopull
        route 0.0.0.0 0.0.0.0 172.20.24.1 30

(Last edited by muronghan on 29 Dec 2015, 03:12)

kpv wrote:

I happened to come across this old discussion at Mikrotik's forum http://forum.mikrotik.com/viewtopic.php?f=2&t=53657 which raised several questions:

2) Can we use ipset in conjunction with mwan3?

e.g. one could put all his ISP-A IP networks in an ipset and then policy-route VoIP traffic to that ISP-A's SIP server via that same ISP-A's wan.

Or one could use ipset-dns to policy-route certain domain wildcards, e.g. https://forum.openwrt.org/viewtopic.php … 97#p207497, or not balance certain domains.

Is this function added now?

Hi Bobptz,

bobptz wrote:
bobptz wrote:

PS: for some strange reason my pc behaves today as if no rules exist.  Like I disabled a specific sticky forum rule, but the forum does not kick me out today, as it did 2 days ago, before I did the rule.

I found out what caused this erratic behaviour.  SQM-scripts (for QoS).

Somehow sqm-scripts FIXES things

Let me assure you SQM does not FIX anything here; most likely you see an unwanted interaction between the two packages, I believe both strive to be transparent to others... It might be related to the sequence of the interfaces (did you set up mwan3 on both eth0.3 and pppoe-wan?) or the iptables mark bits both packages use. SQM switched to an iptables mask of "0xff" which might not be enough to not step on mwan3's feet...

bobptz wrote:

and I can browse forums and edit posts without the need for sticky rules (which force the same wan to be used on the same forum session).  When I disabled SQM, I had to bring back the mwan3 rules, or the forums would kick me off.

Since whatever is happening does not seem to be intentional, I would not recommend relying on this "side-effect" of sqm-scripts, but, as long as that works as well, keep the rules in place (I assume those rules are recommended by mwan3, and do work even with sqm-scripts in place, and that without sqm-scripts the rules are required).

bobptz wrote:

Now I need to find someone who knows both SQM and MWAN3, to explain this.

I have the strange feeling that you (at least currently) are the person at the intersection of mwan3 and sqm-scripts, so I will wait for the explanation you will (hopefully) come up with. I am curious about the root cause, but I only have one link available (and only one router, running pitifully obsolete cerowrt), so I will not be able/willing to help here, but good luck nevertheless.

Best Regards
        M.
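Adze's shadowsocks post earlier in the thread (fwmark 0x010000 chosen "to avoid conflict with mwan3 or QoS") and moeller0's remark just above that SQM's mask of 0xff "might not be enough to not step on mwan3's feet" come down to one check: every package that marks packets must own bits in the 32-bit fwmark that no other package touches, because MARK --set-xmark value/mask (and TPROXY --tproxy-mark) only rewrite the bits inside their mask and a policy-routing "ip rule ... fwmark value/mask" only reads those. The shell below is an added example, not code from mwan3, sqm-scripts or shadowsocks, and not something any poster ran. The 0xff (SQM) and 0x010000 (shadowsocks TPROXY) masks are the ones quoted in the thread; the mwan3 mask 0xff00 is an assumption, the usual default, and on a real router should be taken from mwan3's own configuration (the mmx_mask global in 2.x).

```shell
#!/bin/sh
# Added example (not from mwan3, sqm-scripts or shadowsocks): verify that the
# fwmark masks used by several packages on one router are disjoint.
# Each argument is name:mask, e.g. mwan3:0xff00. The mwan3 value is an
# assumption (its usual default); the others are the ones quoted in the thread.

fwmark_conflicts() {
    # Print every pair whose masks share at least one bit; return 1 if any do.
    rc=0
    while [ $# -gt 1 ]; do
        a=$1; shift
        for b in "$@"; do
            common=$(( ${a#*:} & ${b#*:} ))
            if [ "$common" -ne 0 ]; then
                printf 'CONFLICT %s and %s share mark bits 0x%x\n' \
                    "${a%%:*}" "${b%%:*}" "$common"
                rc=1
            fi
        done
    done
    return $rc
}

first_free_byte() {
    # Print the lowest byte-aligned mask (0xff, 0xff00, ...) that no argument
    # touches, i.e. a safe choice for a new mark user; print "none" and return 1
    # if all four bytes of the 32-bit mark are already claimed.
    used=0
    for m in "$@"; do used=$(( used | ${m#*:} )); done
    shift_n=0
    while [ "$shift_n" -lt 32 ]; do
        cand=$(( 0xff << shift_n ))
        if [ $(( cand & used )) -eq 0 ]; then
            printf '0x%08x\n' "$cand"
            return 0
        fi
        shift_n=$(( shift_n + 8 ))
    done
    echo none
    return 1
}

# The combination discussed in this thread: no shared bits, so the three
# packages can mark (and match on) packets independently.
if fwmark_conflicts mwan3:0xff00 sqm:0xff shadowsocks:0x010000; then
    echo "no overlap"
fi
# Where a fourth mark user would still fit:
first_free_byte mwan3:0xff00 sqm:0xff shadowsocks:0x010000
```

Run it with the masks actually configured on the router (iptables-save -t mangle shows the value/mask each package uses). A non-empty CONFLICT line means one package can overwrite bits another one routes on, which is exactly the kind of silent interaction moeller0 suspects between sqm-scripts and mwan3.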

axishero wrote:
kpv wrote:

I happened to come across this old discussion at Mikrotik's forum http://forum.mikrotik.com/viewtopic.php?f=2&t=53657 which raised several questions:

2) Can we use ipset in conjunction with mwan3?

e.g. one could put all his ISP-A IP networks in an ipset and then policy-route VoIP traffic to that ISP-A's SIP server via that same ISP-A's wan.

Or one could use ipset-dns to policy-route certain domain wildcards, e.g. https://forum.openwrt.org/viewtopic.php … 97#p207497, or not balance certain domains.

Is this function added now?

Yes

muronghan wrote:

Hi Adze, I just tried to change the fwmark value in some files of shadowsocks to your instruction, but there was no luck so far. If you are still interested in this problem, I could pm you some configuration files for further debugging.

I will try and see if I can find some time to help you with shadowsocks. But I'm rather busy the next couple of days.. You are on the right track, I guess.