@braian87b
Last active October 22, 2023 12:33
How to get MWAN3 Working Properly on OpenWRT / LEDE

In my experience, to get a properly working multi-WAN configuration using mwan3, starting from scratch, you should do the following.

Important: this works well on OpenWRT 15.05.1. Newer versions introduced some breaking changes; for example, the WAN interfaces have IPv6 capability and are now named with letters ("wan, wanb, wanc" instead of "wan, wan2, wan3"), so wanb6 means the 2nd WAN's IPv6 interface: https://github.com/openwrt/packages/blob/master/net/mwan3/files/etc/config/mwan3

The official documentation seems to be very detailed and up to date, and I recommend reading it first: https://openwrt.org/docs/guide-user/network/wan/multiwan/mwan3 but I also recommend taking a look at my config file below, since my approach to policies is very nice.

First of all: activate conntrack. The docs say that it is important and necessary for mwan3 to work properly, and a reboot is needed afterwards:

Ensure the CONNTRACK module is enabled in OpenWrt

mwan3 requires that the CONNTRACK module is enabled and active on its WAN interfaces. If the interfaces are in the "wan" firewall zone, and the "Masquerading" option is enabled for the firewall zone, the CONNTRACK module is enabled by default already (this is the default OpenWrt configuration). If masquerading/NAT is not enabled for the WAN interface (for example, if just routing without NAT is being used between the LAN and your different WAN interfaces), you need to add the following rule to the LAN and WAN zone configurations in your /etc/config/firewall:

uci set firewall.@zone[0].conntrack='1'
uci set firewall.@zone[1].conntrack='1'
uci commit
sync
reboot
  1. As you will have multiple WANs, you need to tell the routing table the metric of each gateway. Conventionally wan (the first one) gets 10, the 2nd gets 20, and so on:

    uci set network.wan.metric='10'

  2. If needed, remove a port from the switch and add that port to a new VLAN in the switch (see vlan). The interface will probably be eth0.2 if it is on eth0 and the VLAN ID is 2; if you also have eth1, it depends on which CPU port is tagged (usually 1 or 5 on 4-port routers), and in that case it could be eth1.2. Repeat this step for each additional WAN (if you will have 3 WANs in total, do it two times).

    Sample for Additional VLAN 3 for WAN2: https://gist.github.com/braian87b/ab2dfdef72d507a18b057a5831eb1337

  3. Define a new network, set its IP (static or DHCP), and assign the corresponding metric and ifname (from the previous step):

    uci set network.wan2='interface'
    uci set network.wan2.proto='dhcp'
    uci set network.wan2.metric='20'
    uci set network.wan2.ifname='eth0.2'

    Repeat this for each additional WAN.

  4. Assign that new network to the wan zone on the firewall (or create a new one with proper configuration and rules); zone[1] is usually wan:

    uci add_list firewall.@zone[1].network='wan2'

  5. Run /etc/init.d/network restart and test, or commit and save the changes and reboot using uci commit; sync; reboot

  6. Test specific connections using ping, wget or trace. Here is how to use ping:

    ping -c 1 -I eth0.1 www.google.com

    ping -c 1 -I eth0.2 www.google.com

    ping -c 1 -I wan www.google.com

    ping -c 1 -I wan2 www.google.com

  7. Now install mwan3 and luci-app-mwan3 if needed.

  8. Configure mwan3 as needed, and remember to restart it on each test or firewall change using:

    /usr/sbin/mwan3 restart

    You can use /usr/sbin/mwan3 status to diagnose.
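
A pre-flight check for the steps above, as an added example that is not part of the original gist: it reads `uci show network`-style output and confirms that every WAN you intend to hand to mwan3 has a metric and that no two share one. The function name and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the gist). check_wan_metrics is a hypothetical helper.
# stdin: lines in `uci show network` format; arguments: the WAN interface names.
# Prints OK, or one MISSING/DUPLICATE line per problem, and returns non-zero.
check_wan_metrics() {
    awk -v wans="$*" -v q="'" '
    BEGIN { n = split(wans, want, " "); FS = "=" }
    # match lines such as: network.wan2.metric=<quoted number>
    $1 ~ /^network\.[^.]+\.metric$/ {
        split($1, p, ".")
        gsub(q, "", $2)               # strip the single quotes uci prints
        metric[p[2]] = $2
    }
    END {
        bad = 0
        for (i = 1; i <= n; i++) {
            w = want[i]
            if (!(w in metric)) { print "MISSING " w; bad = 1; continue }
            m = metric[w]
            if (m in owner) { print "DUPLICATE " w " " owner[m] " metric=" m; bad = 1 }
            else owner[m] = w
        }
        if (!bad) print "OK"
        exit bad
    }'
}

# Constructed sample input; on the router run instead:
#   uci show network | check_wan_metrics wan wan2
SAMPLE="network.wan=interface
network.wan.proto='dhcp'
network.wan.metric='10'
network.wan2=interface
network.wan2.proto='dhcp'
network.wan2.metric='20'
network.wan2.ifname='eth0.2'"

printf '%s\n' "$SAMPLE" | check_wan_metrics wan wan2
```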

Here is my /etc/config/mwan3 config file: https://gist.github.com/braian87b/126f20a920e7aabdd495afc861c2a22c (it has some comments and explanations too).

Please pay attention to how I create the members and policies and how I name them: only_1, then_1_2, more_1_2

only_ defines a policy that uses only one WAN.

more_1_2 defines load balancing across wan and wan2, but using wan more than wan2.

then_1_2 defines a failover that uses wan and, if it goes down, then uses wan2.

If you need equally balanced WANs you could use something like balanced_1_2 or equal_1_2.

In my experience a 50-50 split is not actually needed in practice, and it is impractical. This naming convention is also more verbose and easier to use and maintain than the default one.

It is useful to use just one letter, for example C for Cable, A for ADSL, F for FiberOptic or similar, or even a letter that relates to your ISP name. That way you could write something like then_C12_A3, which clearly reads as "load balance Cable connections 1 and 2, and if both are down then use ADSL 3", and so on. (REMEMBER: policy names can be at most 15 characters long.)

IMPORTANT: to keep the entire OpenWRT/LEDE environment working you should leave wan as wan and not rename it to something else like wan1, or some things will stop working.
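
How the naming convention above maps onto mwan3 members, as an added example that is not the author's config file: the script prints (without running) the uci commands for only_N, then_A_B and more_A_B policies. The 3:1 weights for more_, the member names such as wan_m1_w3, and the rule that index 1 is "wan" and index N is "wanN" are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not the author's config. Assumptions: WAN index 1 is "wan" and
# index N is "wanN"; more_ uses weights 3:1; member names are hypothetical.

wan_iface() { if [ "$1" = 1 ]; then echo wan; else echo "wan$1"; fi; }

# emit_member <policy> <wan index> <metric> <weight>
emit_member() {
    ifc=$(wan_iface "$2"); mem="${ifc}_m${3}_w${4}"
    printf '%s\n' \
        "uci set mwan3.$mem=member" \
        "uci set mwan3.$mem.interface='$ifc'" \
        "uci set mwan3.$mem.metric='$3'" \
        "uci set mwan3.$mem.weight='$4'" \
        "uci add_list mwan3.$1.use_member='$mem'"
}

# policy_cmds <name>: print (do not run) the uci commands for one policy
policy_cmds() {
    name=$1
    # policy names are limited to 15 characters, as the gist notes
    [ "${#name}" -le 15 ] || { echo "name too long: $name" >&2; return 1; }
    case $name in
        only_[1-9]|then_[1-9]_[1-9]|more_[1-9]_[1-9]) ;;
        *) echo "unsupported name: $name" >&2; return 1 ;;
    esac
    oldifs=$IFS; IFS=_; set -- $name; IFS=$oldifs   # $1=kind $2=first $3=second
    echo "uci set mwan3.$name=policy"
    case $1 in
        only) emit_member "$name" "$2" 1 1 ;;
        # failover: the member with the lower metric is preferred while it is up
        then) emit_member "$name" "$2" 1 1
              emit_member "$name" "$3" 2 1 ;;
        # balancing: same metric, traffic is split according to weight
        more) emit_member "$name" "$2" 1 3
              emit_member "$name" "$3" 1 1 ;;
    esac
}

policy_cmds then_1_2
```

Review the printed commands, run them on the router, then `uci commit mwan3` and `/usr/sbin/mwan3 restart`.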

@gaia

gaia commented Aug 30, 2018

If masquerading/NAT is not enabled for the WAN interface (for example, if just routing without NAT is being using between the LAN and your different WAN interfaces), you need to add the following rule to the LAN and WAN zone configurations in your /etc/config/firewall:

Does this mean that if WAN has masquerading enabled already, there is no action needed for this section?

@chuc2rk

chuc2rk commented Jan 29, 2019

Could you add config for OpenWrt 18.06.1? Thanks!

@Adorfer

Adorfer commented Mar 4, 2019

An update for 18.06 would be really appreciated. Or just a statement "still works like described above".

@ShapeShifter499

How do metrics work when you have IPv6 and IPv4?
uci set network.wan.metric='10'

@braian87b
Author

Sorry for the delay,

@gaia exactly.

@hoatienii & @Adorfer
Hi, I will add an update for versions 17 and 18 in a few days with proper comments about it, and will mention you both again by then.

@ShapeShifter499: the thing with metrics is that if you have both IPv4 and IPv6 on iface "wan" then it will work as usual; that is, the app at the network level will ask for DNS resolution of a domain, which will respond with IPv4 and/or IPv6 IPs, and depending on their priority it will ask to connect to an IPv4 and/or IPv6 IP. In detail, though, this also depends on how you have your IPv6 configured / autoconfigured inside your network and on your wan interface too.

If you have "wan" with IPv4 and "wan2" with IPv6 then it will be according to the priority stated in mwan; if you prioritize a wan, it will probably go out using IPv6, and if the remote end does not have IPv6 it will use ipv6-to-ipv4 if configured or just deny the connection.

Sorry if I am not very clear, but AFAIK it is as I describe it.

@markaroto

Thank you for the information.
I have two internet links:
wan = 500Mbps
wanb = 250Mbps.
It looks like I have a maximum speed limitation of 200Mbps.
Do I have a limitation from my router, a TP-Link Archer C7 v2?
Would it be a limitation of OpenWrt 19.07.7 r11306-c4a6851c72 / LuCI?
Thanks

@markaroto

I took the test; the result was expected.
All tests were carried out through the network cable.
Test 1
I'm running the commands from notebook1 and using notebook2 as a server.
Equipment on the same network and vlan.
both vlan eth1.1 notebook.
PS E:\google_Drive\iperf-3.1.3-win64> .\iperf3.exe -c 192.168.1.173
Connecting to host 192.168.1.173, port 5201
[ 4] local 192.168.1.2 port 62371 connected to 192.168.1.173 port 5201
[ ID] Interval Transfer Bandwidth
[ 4] 0.00-1.00 sec 106 MBytes 891 Mbits/sec
....
[ 4] 9.00-10.00 sec 108 MBytes 907 Mbits/sec


[ ID] Interval Transfer Bandwidth
[ 4] 0.00-10.00 sec 1.05 GBytes 898 Mbits/sec sender
[ 4] 0.00-10.00 sec 1.05 GBytes 898 Mbits/sec receiver

Test 2
I configured a manual IP on notebook2 and connected it directly to the wan (eth0.2).
PS E:\google_Drive\iperf-3.1.3-win64> .\iperf3.exe -c 192.168.0.125
Connecting to host 192.168.0.125, port 5201
[ 4] local 192.168.1.2 port 51732 connected to 192.168.0.125 port 5201
[ ID] Interval Transfer Bandwidth
[ 4] 0.00-1.00 sec 20.6 MBytes 172 Mbits/sec
..
[ 4] 9.01-10.01 sec 25.4 MBytes 213 Mbits/sec


[ ID] Interval Transfer Bandwidth
[ 4] 0.00-10.01 sec 211 MBytes 177 Mbits/sec sender
[ 4] 0.00-10.01 sec 211 MBytes 177 Mbits/sec receiver

Test 3
I configured a manual IP on notebook2 and connected it directly to wan2 (eth1.3).
PS E:\google_Drive\iperf-3.1.3-win64> .\iperf3.exe -c 192.168.100.125
Connecting to host 192.168.100.125, port 5201
[ 4] local 192.168.1.2 port 51732 connected to 192.168.100.125 port 5201
[ ID] Interval Transfer Bandwidth
[ 4] 0.00-1.00 sec 20.1 MBytes 169 Mbits/sec
..
[ 4] 9.01-10.01 sec 23.0 MBytes 193 Mbits/sec


[ ID] Interval Transfer Bandwidth
[ 4] 0.00-10.01 sec 157 MBytes 132 Mbits/sec sender
[ 4] 0.00-10.01 sec 157 MBytes 131 Mbits/sec receiver

Actually, I have a traffic speed reduction on wan (original) and on wanb (vlan).
Any ideas or suggestions?

@braian87b
Author

So if you have discarded an mwan3 issue, you will need to take a look at the OpenWrt forums then. mwan3 does not process anything, it just relies on the routing table and iptables rules... take a look at your iptables rules and try changing conntrack also... search the forums about hardware NAT also.
