Mwan3: LAN clients aren’t routed to the WAN, the router itself is fine

Hello,

on the latest TurrisOS 3.x I’m struggling to make mwan3 work properly (Ethernet WAN + a USB LTE modem). Currently:

  • Failover works (between WAN and LTE)
  • Routing from the router works (I can ping 8.8.8.8 for example)
  • Routing from any LAN client to the WAN does not work (a traceroute started on a client stops at the router itself)

I can’t see any reason why this shouldn’t work, but I can’t figure out what is wrong.

Network configuration (/etc/config/network):


# /etc/config/network as posted. Two uplinks (eth1 and usb0) carry distinct
# metrics (10 and 20); that is what lets both DHCP-installed default routes
# coexist in the main table (see the `ip route` output further down), which
# mwan3 relies on.
config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdf0:7108:dc43::/48'

# LAN: eth0 and eth2 bridged as br-lan on 192.168.10.0/24.
# force_link keeps the interface configured even while no port has carrier.
config interface 'lan'
	option ifname 'eth0 eth2'
	option force_link '1'
	option type 'bridge'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.10.1'

# Primary uplink: eth1 via DHCP, behind an upstream NAT box on 192.168.1.0/24
# (the route table shows 192.168.1.254 as gateway). peerdns '0' discards the
# DHCP-supplied resolvers and no static IPv4 'dns' list is given, so IPv4 name
# resolution must be configured elsewhere -- NOTE(review): confirm.
config interface 'wan'
	option ifname 'eth1'
	option proto 'dhcp'
	option peerdns '0'
	option metric '10'

# IPv6 on the same link. This interface is present in the firewall's wan zone
# but is disabled in the mwan3 config below.
config interface 'wan6'
	option ifname '@wan'
	option proto 'dhcpv6'
	option peerdns '0'
	list dns '2001:4860:4860::8888'
	list dns '2001:4860:4860::8844'
	option noserverunicast '1'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

# Switch layout: ports 0-3 grouped with 5, port 4 grouped with 6. Presumably 5
# and 6 are the CPU-facing ports behind eth0/eth2 (board-specific -- verify);
# the WAN port eth1 is not part of the switch here.
config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0 1 2 3 5'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '4 6'

# Secondary uplink: the LTE modem exposes itself as usb0 and hands out an
# address from 192.168.0.0/24 (double NAT). Metric 20 ranks it behind eth1.
# The stray leading space before peerdns on the next line is cosmetic.
config interface 'usb0'
	option proto 'dhcp'
	option ifname 'usb0'
 	option peerdns '0'
	option metric '20'

# Left disabled on purpose: DHCP on usb0 already installs
# `default via 192.168.0.1 dev usb0 ... metric 20` (see the route table), so
# this static route would only duplicate it at a different metric.
# config route 'usb_route'
#         option interface 'usb0'
# 	option target '0.0.0.0'
# 	option gateway '192.168.0.1'
# 	option netmask '0.0.0.0'
# 	option metric '50'

Firewall configuration (/etc/config/firewall):


# /etc/config/firewall as posted. Apart from the Turris include scripts (whose
# contents are not shown here) and the 'Hairpin' redirect at the end, this is
# the stock OpenWrt rule set: DHCP renew, ping, IGMP, DHCPv6, MLD and a
# rate-limited ICMPv6 set are admitted from the wan zone.
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

# DHCPv6 is only accepted link-local to link-local (fe80::/10 on both sides).
config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fe80::/10'
	option src_port '547'
	option dest_ip 'fe80::/10'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

# 'icmp' with family ipv6 is the way fw3 spells ICMPv6; the 1000/sec limit
# bounds how much of it the router itself will process.
config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# Same ICMPv6 error/echo types forwarded to any zone (dest '*'), minus the
# neighbour-discovery types, which are link-local only.
config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# Appears to be the stock 'Allow-IPSec-ESP' rule without its name: ESP from
# the WAN side is forwarded to any LAN address. If only one host terminates
# IPsec, add a dest_ip for it; if nothing does, this rule can be removed.
config rule
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

# Defaults apply only to traffic that matches no zone. input ACCEPT here is the
# OpenWrt default; the actual exposure is set per zone below, where the wan
# zone rejects both input and forward.
config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan'

# The wan zone covers all three uplink interfaces, so masquerading and MSS
# clamping are applied on usb0 too. That is a prerequisite for LAN clients to
# get NAT on the LTE path after an mwan3 failover.
config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option conntrack '1'
	option network 'wan wan6 usb0'

config forwarding
	option src 'lan'
	option dest 'wan'

config include
	option path '/etc/firewall.user'

# Turris-specific includes; they add rules outside this file and are not shown
# in this post, so they cannot be reviewed here.
config include
	option path '/usr/share/firewall/turris'
	option reload '1'

config include
	option path '/etc/firewall.d/with_reload/firewall.include.sh'
	option reload '1'

config include
	option path '/etc/firewall.d/without_reload/firewall.include.sh'
	option reload '0'

config include 'miniupnpd'
	option type 'script'
	option path '/usr/share/miniupnpd/firewall.include'
	option family 'any'
	option reload '1'

# NOTE(review): this DNAT has neither src_dport nor dest_port, so every TCP
# connection that arrives from the wan zone for src_dip is rewritten to the
# router's own LAN address 192.168.10.1. That is far broader than a hairpin
# rule and, depending on what the wan zone's input chain admits for the
# rewritten traffic, may expose the router's own TCP services to the Internet.
# Pin it to the intended port(s) (src_dport/dest_port) and check the result
# with `iptables -t nat -S zone_wan_prerouting` and `iptables -S zone_wan_input`.
# Hairpin/NAT reflection for a port forward is normally requested with
# `option reflection '1'` on that forward rather than a separate catch-all.
config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp'
	option dest_ip '192.168.10.1'
	option name 'Hairpin'
	option src_dip 'XXXX' # This is a publicly-accessible IP

Mwan3 configuration (/etc/config/mwan3):


# /etc/config/mwan3 as posted.
# NOTE(review): enabled '0' at the globals level, yet `mwan3 status` below
# reports both interfaces online and tracked -- confirm what this key means on
# the mwan3 version shipped with TurrisOS 3.x. mmx_mask is the fwmark range
# mwan3 reserves for itself; it must not overlap fwmark bits used by anything
# else on the box (the Turris firewall includes are not shown here).
config globals 'globals'
	option enabled '0'
	option mmx_mask '0xff00'
	option rtmon_interval '5'

# Primary member. NOTE(review): reliability '2' asks for two responding track
# hosts, but only one track_ip is listed, so the threshold cannot be met as
# written (wan6 below lists four hosts for the same threshold). Status still
# reports wan online, so check how this version treats the mismatch.
config interface 'wan'
	option enabled '1'
	list track_ip '8.8.4.4'
	option family 'ipv4'
	option reliability '2'
	option count '1'
	option timeout '2'
	option failure_latency '1000'
	option recovery_latency '500'
	option failure_loss '20'
	option recovery_loss '5'
	option interval '5'
	option down '3'
	option up '8'

# Failover member. Either of the two track hosts answering (reliability '1')
# keeps it up. NOTE(review): unlike the wan stanza this one carries no
# `option family 'ipv4'`; per the resolution at the end of the thread that is
# what broke forwarding for LAN clients.
config interface 'usb0'
	list track_ip '8.8.8.8'
	list track_ip '1.1.1.1'
	option enabled '1'
	option reliability '1'
	option count '1'
	option timeout '2'
	option interval '5'
	option down '5'
	option up '10'

# Strict failover: the two members have different metrics (1 vs 2), so usb0 is
# used only while wan is down; weight only balances among members that share a
# metric, so '2' on usb0 has no effect here. last_resort 'unreachable'
# presumably rejects matched traffic when neither member is up instead of
# letting it fall through to the kernel's own default route.
config policy 'wan_lte'
	list use_member 'wan_m1_w1'
	list use_member 'usb_m2_w2'
	option last_resort 'unreachable'

config member 'wan_m1_w1'
	option interface 'wan'
	option metric '1'
	option weight '1'

config member 'usb_m2_w2'
	option interface 'usb0'
	option metric '2'
	option weight '2'

# Disabled. Visible consequence in `mwan3 status`: the IPv6 side of wan_lte is
# 'unreachable', so IPv6 traffic matched by default_rule would be rejected by
# mwan3 rather than routed via wan6 -- intended? (The ipv6 rule counter is 0.)
config interface 'wan6'
	option enabled '0'
	list track_ip '2001:4860:4860::8844'
	list track_ip '2001:4860:4860::8888'
	list track_ip '2620:0:ccd::2'
	list track_ip '2620:0:ccc::2'
	option family 'ipv6'
	option reliability '2'
	option count '1'
	option timeout '2'
	option interval '5'
	option down '3'
	option up '8'

# Catch-all: every destination and protocol goes through wan_lte. sticky only
# matters for balanced members, so it is moot with this failover-only policy.
config rule 'default_rule'
	option dest_ip '0.0.0.0/0'
	option use_policy 'wan_lte'
	option proto 'all'
	option sticky '0'

Both uplinks sit behind another NAT: the LTE modem hands out 192.168.0.0/24 and the Ethernet WAN 192.168.1.0/24, so there is double NAT on either path.

mwan3 status:

mwan3 status
Interface status:
 interface wan is online and tracking is active
 interface usb0 is online and tracking is active
 interface wan6 is disabled and tracking is down

Current ipv4 policies:
wan_lte:
 wan (100%)

Current ipv6 policies:
wan_lte:
 unreachable

Directly connected ipv4 networks:
192.168.1.255
192.168.10.1
192.168.1.0
2.229.233.156
127.0.0.1
224.0.0.0/3
127.255.255.255
127.0.0.0
156.146.34.20
192.168.10.0
176.9.57.179
192.168.1.254
192.168.1.0/24
192.168.0.1
127.0.0.0/8
192.168.0.190
192.168.10.255
192.168.0.0
192.168.0.255
192.168.1.174
192.168.10.0/24
192.168.0.0/24

Directly connected ipv6 networks:
fe80::/64
fdf0:7108:dc43::/64

Active ipv4 user rules:
  115  8471 - wan_lte  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Active ipv6 user rules:
    0     0 - wan_lte  all      *      *       ::/0                 ::/0

Routes:

# ip route
default via 192.168.1.254 dev eth1  proto static  src 192.168.1.174  metric 10
default via 192.168.0.1 dev usb0  proto static  src 192.168.0.190  metric 20
2.229.233.156 via 192.168.0.1 dev usb0  proto static  metric 20
156.146.34.20 via 192.168.0.1 dev usb0  proto static  metric 20
176.9.57.179 via 192.168.0.1 dev usb0  proto static  metric 20
192.168.0.0/24 dev usb0  proto static  scope link  metric 20
192.168.0.1 dev usb0  proto static  scope link  src 192.168.0.190  metric 20
192.168.1.0/24 dev eth1  proto static  scope link  metric 10
192.168.1.254 dev eth1  proto static  scope link  src 192.168.1.174  metric 10
192.168.10.0/24 dev br-lan  proto kernel  scope link  src 192.168.10.1

A quick look with tcpdump suggests that the return packets are never routed back to the LAN client. I have no idea why, though (setting the wan zone’s forward policy to ACCEPT makes no difference either).

Solved: the usb0 stanza in /etc/config/mwan3 was missing `option family 'ipv4'` (compare the wan stanza, which has it). Adding it restored forwarding for LAN clients.

Source for the fix: Mwan3 masquerading broken after migration to 19.07 (& fix) - For Developers - OpenWrt Forum

