doc:howto:mwan3

doc:howto:mwan3 [2014/08/21 09:44]
adze
doc:howto:mwan3 [2015/05/29 01:23] (current)
arfett [Latest release]
Line 4: Line 4:
     * [[https://​forum.openwrt.org/​viewtopic.php?​id=39052|OpenWrt Forum: New package: mwan3; multi-wan policy routing; testers wanted]]; much of the content below comes from forum posts by Adze or Arfett on this thread     * [[https://​forum.openwrt.org/​viewtopic.php?​id=39052|OpenWrt Forum: New package: mwan3; multi-wan policy routing; testers wanted]]; much of the content below comes from forum posts by Adze or Arfett on this thread
     * there is documentation available for policy routing on Linux, e.g. [[http://​www.policyrouting.org/​PolicyRoutingBook/​ONLINE/​TOC.html|Policy Routing With Linux - Online Edition by Matthew G. Marsh]]     * there is documentation available for policy routing on Linux, e.g. [[http://​www.policyrouting.org/​PolicyRoutingBook/​ONLINE/​TOC.html|Policy Routing With Linux - Online Edition by Matthew G. Marsh]]
-    * source code and development versions on github.com: [[https://​github.com/​Adze1502/​mwan]]+    * source code on github.com: [[https://​github.com/​openwrt/​packages/​tree/​master/​net/​mwan3]] 
 +    * source code on github.com: [[https://​github.com/​openwrt/​packages/​tree/​master/​net/​mwan3-luci]] 
 +    * old source code and/or development versions on github.com: [[https://​github.com/​Adze1502/​mwan]]
  
   * Related pages:   * Related pages:
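Review bot: the two added "source code on github.com" bullets carry identical labels, so only the URL tells the reader which link is the mwan3 package and which is the LuCI app; label them, e.g. `* mwan3 source code: [[https://github.com/openwrt/packages/tree/master/net/mwan3]]` and `* luci-app-mwan3 source code: [[https://github.com/openwrt/packages/tree/master/net/mwan3-luci]]`, so that the third bullet ("old source code and/or development versions") reads as the clearly distinct item it is.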
Line 11: Line 13:
 ===== Latest release ===== ===== Latest release =====
  
-The mwan3 packages current as of 2014-08-21 are: +The mwan3 packages current as of 2015-03-17 are:
-  * mwan3_1.4-24_all.ipk +
-  * mwan3_1.5-4_all.ipk (OpenWrt CC only) +
-  * luci-app-mwan3_1.3-1_all.ipk+
  
-See below for the download ​procedure.+  * mwan3_1.4-25_all.ipk (for OpenWrt 12.09 "​Attitude Adjustment"​ release only) 
 +  * mwan3_1.5-10_all.ipk (for OpenWrt 14.07 "​Barrier Breaker"​ release only) 
 +  * mwan3_1.6-1_all.ipk (for OpenWrt 15.05 "Chaos Calmer"​ release & trunk only) 
 +  * luci-app-mwan3_1.3-5_all.ipk (for OpenWrt 14.07 "​Barrier Breaker"​ release only) 
 +  * luci-app-mwan3_1.4-2_all.ipk (for OpenWrt 15.05 "Chaos Calmer"​ release & trunk only) 
 + 
 +See below for the download ​and installation procedures.
  
 ===== Description ===== ===== Description =====
Line 127: Line 132:
  
   * As examples, the following specific devices are working well with mwan3:   * As examples, the following specific devices are working well with mwan3:
-    * A TP-LINK TL-WR1043ND hardware version 1.10 router (ar71xx platform) ([[toh/​tp-link/​tl-wr1043nd]]) using OpenWrt 12.09 +    * A TP-LINK TL-WR1043ND hardware version 1.10 router (ar71xx platform) ([[toh/​tp-link/​tl-wr1043nd]]) using OpenWrt 12.09
-    * A NetGear WNDR3800 router (ar71xx platform) ([[toh/​netgear/​wndr3800]]) using OpenWrt 12.09+    * A TP-LINK TL-WR3600 router (ar71xx platform) ([[toh/​tp-link/​tl-wdr3600]]) using OpenWrt 12.09. 
 +    * A openwrt 12.09 mips metarouter over a mikrotik r493g routeros 6.27 ([[inbox/​doc/​mikrotik_metarouter_openwrt]]). 
 +    * A NetGear WNDR3800 router (ar71xx platform) ([[toh/​netgear/​wndr3800]]) using OpenWrt 12.09.
  
 ==== Package dependencies ==== ==== Package dependencies ====
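Review bot: the added device name "TP-LINK TL-WR3600" does not match its own link target toh/tp-link/tl-wdr3600; the device is the TL-WDR3600, so the visible name should say so or readers will look for a model that does not exist. The MetaROUTER bullet should also be capitalised consistently with the rest of the page ("An OpenWrt 12.09 MIPS MetaROUTER on a MikroTik ... running RouterOS 6.27"); keep the model number as the contributor wrote it unless it can be confirmed.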
Line 142: Line 149:
  
   * Users in the forum have reported problems with DNS resolution or being unable to send e-mail after implementing WAN load-balancing or failover using mwan3   * Users in the forum have reported problems with DNS resolution or being unable to send e-mail after implementing WAN load-balancing or failover using mwan3
-  * The usual cause is they are using the DNS servers or a mail (SMTP/​POP/​IMAP) server provided by the ISP of the wan1 (original WAN) interface and when the router starts sending traffic out the wan2 interface, the ISP blocks access to its servers because the traffic is now coming from an address that is not in their own network. This is a common security configuration by ISPs and has nothing to do with mwan3 specifically.+  * The usual cause is they are using the DNS servers or a mail (SMTP/​POP/​IMAP) server provided by the ISP of the wan (original WAN) interface and when the router starts sending traffic out the wan2 interface, the ISP blocks access to its servers because the traffic is now coming from an address that is not in their own network. This is a common security configuration by ISPs and has nothing to do with mwan3 specifically.
   * Option 1: Before implementing any multiple WAN configuration,​ test any ISP-provided services to see if they are reachable from "​foreign"​ IP addresses and ensure that they can still be used from source IPs not on the ISPs network.   * Option 1: Before implementing any multiple WAN configuration,​ test any ISP-provided services to see if they are reachable from "​foreign"​ IP addresses and ensure that they can still be used from source IPs not on the ISPs network.
   * Option 2: Change settings to switch to using servers that are known to be accessible from anywhere   * Option 2: Change settings to switch to using servers that are known to be accessible from anywhere
Line 165: Line 172:
   * Go to Network > Interfaces and add a new interface name for the new eth0.x adapter   * Go to Network > Interfaces and add a new interface name for the new eth0.x adapter
     * name the new VLAN physical interface "​wan2"​     * name the new VLAN physical interface "​wan2"​
-    * **don'​t create a bridge over the specified interface**+    * **:!: don't create a bridge over the specified interface ​:!:**
     * configure the new wan2 interface IP details     * configure the new wan2 interface IP details
     * assign the new wan2 interface to the wan firewall zone     * assign the new wan2 interface to the wan firewall zone
Line 173: Line 180:
 ==== Prepare and the check the default OS routing table for WAN interfaces and test ==== ==== Prepare and the check the default OS routing table for WAN interfaces and test ====
  
-  * **IMPORTANT:​** Before doing anything with mwan3, ensure that each WAN interface is working and that the default OS routing table is correctly configured for multiple WAN connections. Test each interface with a manual ping test before installing mwan3. There have been multiple reports of mwan3 problems on the forum when the problem is actually at the OS level and visible before mwan3 is even installed.+  * :!: **IMPORTANT:​** ​ :​!: ​Before doing anything with mwan3, ensure that each WAN interface is working and that the default OS routing table is correctly configured for multiple WAN connections. Test each interface with a manual ping test before installing mwan3. There have been multiple reports of mwan3 problems on the forum when the problem is actually at the OS level and visible before mwan3 is even installed.
  
 === Step 1: Configure a different metric for each WAN interface === === Step 1: Configure a different metric for each WAN interface ===
Line 265: Line 272:
   * Ensure the single ping is successful on this interface ("1 packets transmitted,​ 1 packets received, 0% packet loss" should be displayed)   * Ensure the single ping is successful on this interface ("1 packets transmitted,​ 1 packets received, 0% packet loss" should be displayed)
  
-=== Test the wan3 connection ​===+=== Test all other WAN connections ​===
  
-  * Repeat as above to ensure every WAN connection is working+  * Repeat as above to ensure every WAN connection ​that has been created ​is working
  
 ===== Ensure the CONNTRACK module is enabled in OpenWrt ===== ===== Ensure the CONNTRACK module is enabled in OpenWrt =====
Line 273: Line 280:
 mwan3 requires that the CONNTRACK module is enabled and active on its WAN interfaces. mwan3 requires that the CONNTRACK module is enabled and active on its WAN interfaces.
  
-  * If the interfaces are in the "​wan"​ firewall zone, and the "​Masquerading"​ option is enabled for the firewall zone, the CONNTRACK module is enabled by default already (this is the usual case)+  * If the interfaces are in the "​wan"​ firewall zone, and the "​Masquerading"​ option is enabled for the firewall zone, the CONNTRACK module is enabled by default already (this is the default OpenWrt configuration)
   * If masquerading/​NAT is **not** enabled for the WAN interface (for example, if just routing without NAT is being using between the LAN and your different WAN interfaces),​ you need to add the following rule to the LAN and WAN zone configurations in your /​etc/​config/​firewall:​   * If masquerading/​NAT is **not** enabled for the WAN interface (for example, if just routing without NAT is being using between the LAN and your different WAN interfaces),​ you need to add the following rule to the LAN and WAN zone configurations in your /​etc/​config/​firewall:​
  
Line 283: Line 290:
   * For more information,​ see [[http://​wiki.openwrt.org/​doc/​uci/​firewall#​note.on.connection.tracking.notrack|OpenWRT conntrack/​notrack]]   * For more information,​ see [[http://​wiki.openwrt.org/​doc/​uci/​firewall#​note.on.connection.tracking.notrack|OpenWRT conntrack/​notrack]]
  
-===== Download ​packages =====+===== Manual download of packages =====
  
-The mwan3 packages ​aren'​t ​in the OpenWrt ​standard package ​repositoryThe two packages need to be separately downloaded ​and installed.+This step is only **required** for OpenWrt 12.09. In OpenWrt 14.07 "​Barrier Breaker"​ and later, the mwan3 packages ​are in the standard package ​repositories and no manual download is required. 
 + 
 +Adze and Arfett keep the OpenWrt package repositories up to date and you are more likely to download the recommended latest "​stable"​ version from there.
  
   * http://​213.136.13.52/​mwan3_latest_all.ipk   * http://​213.136.13.52/​mwan3_latest_all.ipk
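Review bot: the added paragraph rightly steers 14.07+ users to the package feeds, but the 12.09 path that remains below still fetches mwan3_latest_all.ipk over plain HTTP from a bare IP address, with no checksum to compare against and no statement of which version "latest" is, and opkg does not verify a signature on a locally supplied .ipk. Publish a SHA-256 for each file next to the link (and the version it corresponds to), or point 12.09 users at the tagged package in the openwrt/packages tree so they can build it themselves; otherwise anyone on the network path can substitute a package whose postinst runs as root on the router.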
Line 302: Line 311:
 </​code>​ </​code>​
  
-The suggested alternative is to download each using a web browser on a PC and then transfer each package using scp.+===== Installation =====
  
-  ​Here is a sample PuTTY pscp command to copy both files from the current directory to the /tmp directory on the OpenWrt ​router using SCP (SSH secure copy). Enter the root password for the router when prompted ​to do so.+==== OpenWrt 14.07 and later ==== 
 + 
 +  ​This is the method when using the mwan3 packages from the standard ​OpenWrt ​package repository 
 + 
 +=== LuCi web interface method === 
 + 
 +  * Go to System > Software 
 +    * click "​Update lists" to get the latest package databases 
 +    * In the "​Download and install package:"​ box, enter "​luci-app-mwan3"​ and click OK to download and install the luci-app-mwan3 package and all related packages, including mwan3 itself and all dependencies 
 + 
 +=== SSH method ===
  
 <​code>​ <​code>​
-"​C:​\Program Files (x86)\PuTTY\pscp.exe" ​-scp *.ipk root@192.168.1.1:​/tmp+# update package list to prepare for package dependency downloads 
 +opkg update 
 + 
 +# back up the current mwan3 configuration file just in case the automatic backup doesn'​t work 
 +cp -/etc/​config/​mwan3 /​etc/​config/​mwan3-tempbackup 
 + 
 +# install luci-app-mwan3,​ mwan3 and all required dependencies 
 +opkg install luci-app-mwan3
 </​code>​ </​code>​
  
-===== Installation =====+==== OpenWrt 12.09 ==== 
 + 
 +  * This is the method when using manually downloaded mwan3 packages (see above)
  
 <​code>​ <​code>​
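Review bot: the backup line in the SSH method, `cp -/etc/config/mwan3 /etc/config/mwan3-tempbackup`, has a stray `-` fused to the source path, so cp rejects `-/etc/config/mwan3` as an unknown option and the install proceeds with no backup at all; it should read `cp /etc/config/mwan3 /etc/config/mwan3-tempbackup` (or `cp -p ...` if preserving the file mode was intended). Since the comment says this guards against the automatic backup failing, consider `[ -f /etc/config/mwan3 ] && cp ...` so that a fresh install, where the file does not exist yet, does not print an error either.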
Line 328: Line 356:
 </​code>​ </​code>​
  
-==== Reboot ​if needed ====+==== Restart LuCI or reboot ​if needed ==== 
 + 
 +To ensure the new menu item for mwan3 appears, restart the web server hosting the LuCI interface (or just reboot the router). 
 + 
 +  * Go to System > Startup 
 +    * click the "​Restart"​ button next to the uhttpd process 
 +    * Re-log into LuCi
  
-  * Check that there is a new tab in LuCI, Network > Load Balancing +new menu entry "Network > Load Balancing" should now be present.
-  * Reboot the router if this tab is not present+
  
 ==== Upgrades ==== ==== Upgrades ====
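Review bot: "Re-log into LuCi" should read "LuCI" as elsewhere on the page, and the line "new menu entry "Network > Load Balancing" should now be present" has lost its leading "A" in the edit.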
Line 421: Line 454:
   * If a policy is not referenced by a specific traffic rule, the policy will not do anything, so it is fine to leave unused policies in place in case they are desired in the future.   * If a policy is not referenced by a specific traffic rule, the policy will not do anything, so it is fine to leave unused policies in place in case they are desired in the future.
  
-  * If you have a traffic rule that matches a policy, but all the members (interfaces) for that policy are down, the exit strategy for that policy ​is "​unreachable"​.+  * If you have a traffic rule that matches a policy, but all the members (interfaces) for that policy are down, the exit strategy for that policy ​defaults to "​unreachable"​. This is configurable with the last_resort option. Valid values are: blackhole, unreachable or default.
  
   * A working mwan3 config has at least 1 policy configured.   * A working mwan3 config has at least 1 policy configured.
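Review bot: the added sentence lists the valid last_resort values but not what they mean, and the difference matters for a policy that exists to pin traffic to one interface: "unreachable" and "blackhole" fail closed (the first answers with an ICMP unreachable, the second drops silently), while "default" falls through to the main routing table, so traffic the rule was meant to confine to, say, a VPN tunnel will leave via whichever default route is up once every member of the policy is down. State that, and recommend "default" only for policies where any path is acceptable.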
Line 438: Line 471:
 | ''​dest_ip''​ | ip address | no | any | Match traffic directed to the specified destination ip address | | ''​dest_ip''​ | ip address | no | any | Match traffic directed to the specified destination ip address |
 | ''​dest_port''​ | port or range | no | any | Match traffic directed at the given destination port or port range, if relevant ''​proto''​ is specified | | ''​dest_port''​ | port or range | no | any | Match traffic directed at the given destination port or port range, if relevant ''​proto''​ is specified |
 +| ''​ipset''​ | string | no | //(none)// | Match traffic directed at the given destination ip address to an ipset set |
 +| ''​sticky''​ | boolean | no | 0 | Allow traffic from the same source ip address within the timeout limit to use same wan interface as prior session |
 +| ''​timeout''​ | number | no | 600 | Stickiness timeout value in seconds |
  
   * There are a number of sample rules defined to show how they work. Edit the rules as desired and delete all the rest of the default rules.   * There are a number of sample rules defined to show how they work. Edit the rules as desired and delete all the rest of the default rules.
 +  * The options ipset, sticky and timeout are only available in version 1.6 or higher.
  
 A typical rule section looks like this: A typical rule section looks like this:
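Review bot: the new ipset row's description, "Match traffic directed at the given destination ip address to an ipset set", is hard to parse; the later section says the option matches destination addresses against the named set, so "Match traffic whose destination IP is a member of the named ipset" says the same thing clearly. The timeout row should also say that it only has effect when sticky is 1.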
Line 447: Line 484:
         option use_policy '​wan_wan2_wan3'​         option use_policy '​wan_wan2_wan3'​
 </​code>​ </​code>​
 +
 +=== Stickiness and ipset ===
 +
 +Mwan3 version 1.6 has sticky and ipset support. Stickiness lets you route new session over the same wan interface as the previous session, as long as the time between the new and the previous session is shorter then the timeout value (default 600s). This can solve some problems with https sites, which don't allow a new source address within the same cookie/​https session. Ipset lets you route traffic over wan interfaces based on set of ip addresses. A set can be created by hand, by dnsmasq based on domain names, or your own script. Mwan3 rules with ipset option will try to match destination ip address to the configured ipset.
 +
 +<​code>​
 +config rule '​youtube'​
 +    option sticky ‘1'
 +    option timeout ‘300'​
 +    option ipset '​youtube'​
 +    option dest_port '​80,​443'​
 +    option proto '​tcp'​
 +    option use_policy '​balanced'​
 +</​code>​
 +
 +With sticky set to 1, this rule has now sticky enabled. When a packet for a new session matches this rule, its source ip address and interface mark are stored in an ipmark set with a timeout of 300 seconds (default 600). When packet for a second new session from the same lan host within the timeout period matches this rule, it will use the same wan interface as the first packet and the timeout counter is reset back to 300 again.
 +
 +**Stickiness is on a per rule basis. With this example, all traffic from lan hosts will use the same wan interface for all youtube hosts, even if the source or destination ip address differs.**
 +
 +The option ipset matches only destination ip addresses. This example will only work if your lan clients use the dnsmasq server as their one and only dns server. Mwan3 will create the ipset set for you if it does not exist already. For this to work you need to configure a rule in your /​etc/​dnsmasq.conf file:
 +
 +<​code>​
 +ipset=/​youtube.com/​youtube
 +</​code>​
 +
  
   * **Order is important.** Rules are evaluated in top-to-bottom order, with the first matching rule applying. The rule name is just descriptive and has no operational impact. If no match is found, routing lookup is done via the default routing table. ​   * **Order is important.** Rules are evaluated in top-to-bottom order, with the first matching rule applying. The rule name is just descriptive and has no operational impact. If no match is found, routing lookup is done via the default routing table. ​
  
   * A working mwan3 config has at least 1 rule configured.   * A working mwan3 config has at least 1 rule configured.
- 
 ==== Example configuration ==== ==== Example configuration ====
  
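Review bot: the youtube rule example uses typographic quotes on two lines, `option sticky ‘1'` and `option timeout ‘300'`; UCI only understands ASCII quotes, so a reader who pastes this gets a parse error or a value containing the quote characters, and stickiness silently stays off. Change them to `option sticky '1'` and `option timeout '300'` like the surrounding lines. In the same section, "shorter then the timeout" should be "shorter than", "stored in an ipmark set" should be "stored in an ipset", and it is worth saying plainly that the ipset rule classifies rather than enforces: a client that resolves youtube.com through any resolver other than the router's dnsmasq never populates the set, so its traffic falls through to the later rules.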
Line 536: Line 597:
 ===== Further configuration tips ===== ===== Further configuration tips =====
  
-==== OpenWrt hotplug script fix ====+==== OpenWrt hotplug script fix (OpenWrt 12.09 only) ==== 
 + 
 +**This is for OpenWrt 12.09 only. The OpenWrt 14.07 hotplug scripts were substantially re-written and there is no evidence yet that the workaround below is needed on OpenWrt 14.07.**
  
   * Forum member tcherenato found that adding a 1 second pause to the OpenWrt hotplug launch script helps prevent occasional segmentation faults when mwan3 performs hotplug operations. It is not known currently what the root issue is (or even if it is in mwan3 at all) but the change is recommended.   * Forum member tcherenato found that adding a 1 second pause to the OpenWrt hotplug launch script helps prevent occasional segmentation faults when mwan3 performs hotplug operations. It is not known currently what the root issue is (or even if it is in mwan3 at all) but the change is recommended.
Line 659: Line 722:
 === LuCI === === LuCI ===
  
-  * System ​Startup +  * Network ​Load Balancing > Advanced > Diagnostics 
-    * mwan3 > click "​Stop" ​in the "​Stop"​ column ​to stop the service+    * MWAN Service Control ​> click "​Stop ​MWAN" to stop the service
  
 === SSH === === SSH ===
Line 674: Line 737:
 === LuCI === === LuCI ===
  
-  * System ​Startup +  * Network ​Load Balancing > Advanced > Diagnostics 
-    * mwan3 > click "​Start" ​in the "​Start"​ column ​to start the service+    * MWAN Service Control ​> click "​Start ​MWAN" to start the service
  
 === SSH === === SSH ===
Line 688: Line 751:
  
   * Network > Load Balancing   * Network > Load Balancing
-    * Overview > MWAN3 Multi-WAN ​Interface Live Status +    * Overview > MWAN Interface Live Status 
-      * verify all interfaces show "ONLINE" status+      * verify all interfaces show "Online" status
  
 ==== Automated status check ==== ==== Automated status check ====
Line 704: Line 767:
 It would be good for mwan3 to send some kind of alert (e.g. e-mail, SNMP trap) if it detects a failed interface and performs a failover, or if it performs a fail-back. It would be good for mwan3 to send some kind of alert (e.g. e-mail, SNMP trap) if it detects a failed interface and performs a failover, or if it performs a fail-back.
  
-  * FIXME +If you install the luci-app-mwan3 (mwan3-luci) package it comes with /​etc/​hotplug.d/​iface/​16-mwancustom hotplug shell script which may be modified to perform custom actions on interface ifup/ifdown events. It is already filled with a basic template for gathering information on the current state of WAN connections and just needs your changes in the send_alert() function as well as uncommenting the case statement at the bottom. The mwan3 LuCI package provides a page for editing this hotplug shell script or you may edit via command line.
 ===== Controlling the mapping between internal IP sources and external IPs and interfaces ===== ===== Controlling the mapping between internal IP sources and external IPs and interfaces =====
  
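Review bot: the paragraph is a single long sentence and should be split, but the more important omission is that /etc/hotplug.d/iface/16-mwancustom runs as root on every interface up/down event, whether triggered by mwan3 or by a cable being pulled. Say so, and advise that anything placed in send_alert() (mail relay credentials, API tokens) should not sit in a world-readable file under /etc/hotplug.d; read it from a root-only file instead, and keep the action idempotent, since a flapping link will invoke it repeatedly in quick succession.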
Line 830: Line 892:
     * [[doc/​howto/​vpn.openvpn]]     * [[doc/​howto/​vpn.openvpn]]
  
-=== Example 1: Have OpenVPN Server be accessible through multiple WAN interfaces ===+=== Possible problems === 
 +If the openwrt system is an openvpn client 
 +and a zone '​vpn'​ is defined on the vpn interface 
 +and this zone has the masquerading active, for 
 +reasons (yet) unknown the traffic from the internal lan 
 +to the vpn will be able to reach the destination and 
 +go back to the router but then will be not dispatched back to the 
 +lan clients. Disabling mwan3, instead, let the traffic be dispatched 
 +properly. 
 + 
 +It could be a misconfiguration,​ more testing is needed. 
 + 
 +=== Example 1: Have OpenVPN Server be accessible through multiple WAN interfaces ​(server mode) ===
  
 If load-balancing between multiple WAN interfaces, it is desirable to have OpenVPN clients be able to connect through all active WAN interfaces. If load-balancing between multiple WAN interfaces, it is desirable to have OpenVPN clients be able to connect through all active WAN interfaces.
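Review bot: the new "Possible problems" section reports return traffic not reaching LAN clients when the router is an OpenVPN client with a masquerading "vpn" zone, but gives nothing a reader could use to reproduce it or rule out a misconfiguration: include the /etc/config/firewall zone and forwarding entries, whether the tun interface is an mwan3 member, and the output of `mwan3 status` with and without mwan3 running. As written it will be read as "mwan3 breaks OpenVPN clients" even though the text itself says it may be a misconfiguration. The hard line breaks in mid-sentence can also go; DokuWiki joins consecutive lines into one paragraph.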
Line 877: Line 951:
   * If load-balancing between multiple active WAN interfaces, the suggested approach is to register multiple DNS A records for the same DNS name. Clients will use just one of the IPs. As per the OpenVPN man page description of the --remote client parameter, "If host is a DNS name which resolves to multiple IP addresses, one will be randomly chosen, providing a sort of basic load-balancing and failover capability."​   * If load-balancing between multiple active WAN interfaces, the suggested approach is to register multiple DNS A records for the same DNS name. Clients will use just one of the IPs. As per the OpenVPN man page description of the --remote client parameter, "If host is a DNS name which resolves to multiple IP addresses, one will be randomly chosen, providing a sort of basic load-balancing and failover capability."​
   * If failing over from a primary to a secondary WAN interface, one approach is to use ddns-scripts to update the IP of the DNS name used by OpenVPN clients   * If failing over from a primary to a secondary WAN interface, one approach is to use ddns-scripts to update the IP of the DNS name used by OpenVPN clients
 +
 +=== Example 2: Use OpenVPN tunnels as virtual wan(s) (client mode) ===
 +
 +If you want to use your OpenVPN client tunnels as virtual wan interfaces in mwan3, you have to make sure that you set a default route with different metric for each tunnel interface. Also most commercial VPN solutions push two static routes to override the standard default gateway. In most cases you don't want this override when using OpenVPN client tunnels in conjunction with mwan3.
 +
 +As a solution you can add the following lines to your OpenVPN client config:
 +
 +<​code>​
 +route-nopull
 +route 0.0.0.0 0.0.0.0 vpn_gateway 20
 +</​code>​
 +
 +This example will ignore the routes pushed from the OpenVPN server and will add a default route with metric 20 over the OpenVPN tunnel interface.
  
 ==== privoxy transparent HTTP proxy ==== ==== privoxy transparent HTTP proxy ====
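Review bot: the `route-nopull` advice needs two caveats. First, it discards everything the server pushes, not only the two default-override routes, so DNS servers, additional routes and similar pushed options must now be configured by hand. Second, once the tunnel is an mwan3 member it is just another WAN: when the tunnel is down, a policy that uses only tunnel members behaves according to its last_resort setting, so a "VPN only" policy should have last_resort set to "unreachable" or "blackhole" rather than letting traffic fall back to the plain WAN. The metric 20 in the example must also differ from the metrics given to the physical WAN interfaces in Step 1 above, and from every other tunnel.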
Line 931: Line 1018:
  
 The policy "​wan1_wan2_loadbalanced"​ is just an example. Change it to whatever policy you like. The policy "​wan1_wan2_loadbalanced"​ is just an example. Change it to whatever policy you like.
 +
 +
 +==== nodogsplash ====
 +
 +Out of the box, mwan3 does not work with nodogsplash. The problem is that both mwan3 and nodogsplash use the same iptables mark bits. A common symptom of this is the nodogsplash splash page appearing for every page even as an authenticated client. ​
 +
 +However, it is possible to fix this with a minor change! Fortunately,​ it is simple to change the mark bits that nodogsplash uses. Simply add the following lines to '/​etc/​nodogsplash/​nodogsplash.conf'​ to override the marking bits.
 +
 +<​code>​
 +# Change the default marking flags to work with mwan3 and qos-scripts
 +FW_MARK_AUTHENTICATED 262144
 +FW_MARK_TRUSTED 131072
 +FW_MARK_BLOCKED 65536
 +</​code>​
 +
 +These values let nodogsplash work together with mwan3 and also work with standard Openwrt qos-scipts.
 +
 +
 +
 +===== Usage reports =====
 +==== 12.09, tplink wdr3600, mwan3 - 1.4-24, two wan connections ====
 +Premise: very nice piece of work given to the internet community, congrats to the contributors.
 +We, users, can only give back a bit of experience and documentation,​ still somehow useful.
 +
 +In a simulated test environment described as follows:
 +<​file>​
 +external network ​ <---> (ip a.b.c.118) router1 (ip 192.0.2.1) ​ <---> (ip 192.0.2.166 - wan) tplink (ip 192.168.1.1) ​ <---> (ip 192.168.1.50) pcA
 +                  <---> (ip a.b.c.224) router2 (ip 192.0.10.1) <---> (ip 192.0.10.166 - wan2)       (ip 192.168.10.1) <---> (ip 192.168.10.101)pcB
 +</​file>​
 +
 +The mwan3 was installed on the tplink with the following configuration (apart from wan and wan2) in ''/​etc/​config/​mwan3'':​
 +<​file>​
 +...lines....
 +
 +config member '​wan_m10'​
 +        option interface '​wan'​
 +        option metric '​10'​
 +
 +config member '​wan_m20'​
 +        option interface '​wan'​
 +        option metric '​20'​
 +
 +config member '​wan2_m10'​
 +        option interface '​wan2'​
 +        option metric '​10'​
 +
 +config member '​wan2_m20'​
 +        option interface '​wan2'​
 +        option metric '​20'​
 +
 +config policy '​wan_wan2'​
 +        list use_member '​wan_m10'​
 +        list use_member '​wan2_m20'​
 +
 +config policy '​wan2_wan'​
 +        list use_member '​wan_m20'​
 +        list use_member '​wan2_m10'​
 +
 +config rule '​rule1'​
 +        list comment ​   'from 192.168.1.50 to wan_wan2'​
 +        option src_ip ​  '​192.168.1.0/​24'​
 +        option dest_ip ​ '​0.0.0.0/​0'​
 +        option use_policy '​wan_wan2'​
 +
 +config rule '​rule2'​
 +        list comment ​   'from 192.168.10.101 to wan2_wan'​
 +        option src_ip ​  '​192.168.10.0/​24'​
 +        option dest_ip ​ '​0.0.0.0/​0'​
 +        option use_policy '​wan2_wan'​
 +</​file>​
 +
 +=== Using different wan connections from different Pc-s ===
 +Then with the pcA and pcB two different download were started, and every pc used a different connection. Great.
 +
 +=== Line fail ===
 +When one wan connection was physically disconnected,​ one pc lost the tcp active connections,​
 +but after '​restarting'​ them no problem, the pc was using the other wan connection configured as
 +line backup. Great.
 +
 +=== Line recovered ===
 +If a wan line recovers (let's say A), then the pc that was using the other wan line (configured as backup, let'S say B) is
 +switched back to the wan line A, and this cause another disruption of tcp connections.
 +
 +//Edit: On recovery, connections already established over backup links will not be terminated and continue to traverse over backup wan. Only new connections will be routed over preferred wan.//
 +
 +=== Incoming connections routed behind the router ===
 +Rdp connections to the pc behind the tplink are stable, this means that a service behind the tplink with
 +mwan3 is reachable in a reliable way.
 +
 +Therefore does not happen that an external request coming on one wan connection gets the replies
 +through the other wan connection (at least for failover policies)
 +
 +=== Incoming connections to services on the router ===
 +At least testing with ssh, does not happen that one connection through a wan line is router on the other wan line 
 +in case of line failover. Therefore ssh is stable.
 +
 +==== Reliable public ip addresses to ping ====
 +After some weeks of continous pinging to opendns Ips (208.67.222.222) and (208.67.220.220),​ seems that opendns does not like this and interrupt the icmp replies for a while, therefore the mwan3 thinks that the lines are down. Could be useful to collect stable internet ip addresses? (possibly from backbone providers).
 +
 +Some possible choices:
 +<​file>​
 +# Level3 communications (large network carrier)
 +4.2.2.2
 +
 +# google dnses
 +8.8.4.4
 +8.8.8.8
 +
 +# facebook.com
 +173.252.120.6
 +
 +# Opendns (with limits after a certain amount of days?)
 +208.67.220.220
 +208.67.222.222
 +
 +</​file>​
 +
 +=== Possible work arounds to test connection not only by ping ? ===
 +Could be possible to implement other ways to test connections,​ maybe through testing ip/ports (with additional packages, of course), like: ''​netcat -z -w 2 208.67.222.222 53 ; echo $?''​
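Review bot: the nodogsplash section gives the replacement mark values as bare decimals (262144, 131072, 65536, i.e. single bits 18, 17 and 16) with only the assertion that they "work with mwan3 and qos-scripts"; state which mark bits mwan3 and qos-scripts actually use, and which mwan3 version that was checked against, so a reader on a later version can verify there is still no overlap, and show the values in hex next to the decimals. In the usage report, the "Line recovered" paragraph and the italic "Edit" under it contradict each other; fold the correction into the paragraph. Finally, the "reliable public ip addresses to ping" are third-party resolvers and a CDN address that can change or, as the OpenDNS experience in the same section shows, rate-limit ICMP; note that a tracking target belonging to someone else is a dependency the reader is taking on, and that a target the reader controls or the upstream ISP's gateway is preferable where available.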
doc/howto/mwan3.1408607066.txt.bz2 · Last modified: 2014/08/21 09:44 by adze