Differences
This shows you the differences between two versions of the page.
| docs:guide-user:network:wan:multiwan:mwan3 [2022/09/25 07:23] – [Policy configuration] wrong balanced config jamesmacwhite | docs:guide-user:network:wan:multiwan:mwan3 [2024/05/17 08:30] – [nft2ipset init script] jamesmacwhite | ||
|---|---|---|---|
| Line 1: | Line 1: | ||
| - | ====== mwan3 (Load balancing/ | + | ====== mwan3 (Multi WAN load balancing/ |
| - | * 22.03: Latest release: 2.11.1 | + | * 23.05: Latest release: [[: |
| - | * 21.02: Latest release: [[: | + | * 22.03: Latest release: 2.11.7 |
| - | * 19.07: Latest release: 2.8.16-1 | + | * 21.02: Latest release: 2.10.13-1 |
| - | * 18.06 or older: No longer supported or maintained. | + | |
| ==== About mwan3 ==== | ==== About mwan3 ==== | ||
| Line 58: | Line 57: | ||
| Ensure no other multiple WAN or policy routing packages are installed such as '' | Ensure no other multiple WAN or policy routing packages are installed such as '' | ||
| + | |||
| ==== OpenWrt version ==== | ==== OpenWrt version ==== | ||
| - | **Using the latest [[:# | + | === 23.05 === |
| - | The old stable 19.07 branch should also work but it has an older version of mwan3 which does not include some newer features and fixes. It was also discovered there were a few 4.14 kernel issues that affect certain network configurations which can cause problems for mwan3. This has been resolved by a specific [[commit>? | + | The mwan3 package |
| - | Older branches before 19.07 are no longer supported. | + | **Known issues:** |
| - | You can find the current open issues for mwan3 on the [[https:// | + | |
| - | ==== IPv6 support ==== | + | === 22.03 === |
| - | <WRAP center info 100%> | + | 22.03 switched to firewall4/ |
| - | Using mwan3 with IPv6 requires additional configuration such as IPv6 masquerading through methods like NETMAP or NAT6. This is currently not implemented in mwan3 directly | + | |
| - | </ | + | |
| - | mwan3 does support IPv6 interfaces, but there are few guidelines you need to follow in order to configure IPv6 with mwan3. | + | **Known issues:** |
| - | * If your IPv6 is using a tunnel type connection such as 6in4 or Wireguard, you are strongly advised to use OpenWrt 19.07.5 and above which has important kernel patches that fix issues with ping which affects the mwan3track component. | + | There are a few regressions between 2.10 and 2.11 identified with sticky rules and ipset. |
| - | * You will need to split your network interfaces, so one interface has your IPv4 and another for IPv6. i.e. wan and wan6, wanb and wanb6 etc. You can create alias interfaces to achieve this requirement. You would then define each interface in mwan3 with the address family of either '' | + | An issue with fwmark and tunnel connections can cause traffic |
| - | * You will likely need to implement some form of IPv6 masquerading such as NETMAP or [[docs: | + | |
| - | NAT6 is potentially a controversial suggestion for many, but realistically without BGP, it is often required for IPv6 multihoming. Currently | + | * [[https:// |
| + | * < | ||
| + | * < | ||
| + | * [[https:// | ||
| - | The [[# | + | === 21.02 === |
| - | === Preventing IPv6 rules=== | + | **No longer supported.** |
| - | You can prevent | + | The version of mwan3 in 21.02 is 2.10.13-1, it has a lot of improvements over the version in 19.07 for both performance and stability. |
| + | |||
| + | For those running some form of tunnel based protocol e.g. L2TP, 6in4 and IPv6 traffic | ||
| + | |||
| + | **Known issues:** | ||
| + | |||
| + | * [[https:// | ||
| + | |||
| + | Older versions beyond | ||
| + | |||
| + | You can find the current open issues for mwan3 on the [[https:// | ||
| ==== Hardware requirements ==== | ==== Hardware requirements ==== | ||
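Review bot: The added 21.02 subsection is inconsistent about that release's status. It opens with "No longer supported." and then describes 2.10.13-1 as having "a lot of improvements over the version in 19.07", while the release list at the top of the page still carries "21.02: Latest release: 2.10.13-1" with no such marker. Suggest marking 21.02 as unsupported in the list as well and rewording the comparison, so a reader skimming either place does not take 21.02 as a recommended target. The same sentence has a comma splice after "2.10.13-1".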
| Line 115: | Line 125: | ||
| option ifname ' | option ifname ' | ||
| </ | </ | ||
| + | |||
| + | ===== Installation ===== | ||
| + | ==== Command line (SSH) ==== | ||
| + | |||
| + | <code bash> | ||
| + | opkg update | ||
| + | opkg install mwan3 | ||
| + | opkg install luci-app-mwan3 | ||
| + | </ | ||
| + | |||
| + | '' | ||
| + | |||
| + | <WRAP center info 100%> | ||
| + | For routers using 22.03 or above the default firewall uses firewall4/ | ||
| + | </ | ||
| + | |||
| + | **For 22.03 or later:** | ||
| + | |||
| + | <code bash> | ||
| + | opkg install iptables-nft | ||
| + | opkg install ip6tables-nft | ||
| + | </ | ||
| + | |||
| + | ==== Web interface (LuCI) === | ||
| + | * Go to System -> Software | ||
| + | * click " | ||
| + | * In the " | ||
| + | * For 22.03: Install the '' | ||
| + | |||
| + | === Restart LuCI or reboot if needed === | ||
| + | |||
| + | To ensure the new menu item for mwan3 appears, logout of your existing session and restart the service hosting the LuCI interface i.e. uhttpd or just reboot the router. | ||
| + | |||
| + | * Go to System > Startup | ||
| + | * click the " | ||
| + | * Login into the web interface again. | ||
| + | |||
| + | A new menu entry " | ||
| + | |||
| + | ==== Upgrading ==== | ||
| + | |||
| + | If there is a newer version of mwan3 available, you can upgrade mwan3 through either opkg or LuCI. | ||
| + | |||
| + | < | ||
| + | opkg upgrade mwan3 | ||
| + | </ | ||
| + | |||
| + | Or through LuCI: **System** -> **Software** -> **Updates** | ||
| + | |||
| + | Your existing configuration will not be modified and instead if there any changes from the default, these will be able to be viewed in a '' | ||
| + | |||
| + | ==== IPv6 support ==== | ||
| + | |||
| + | <WRAP center info 100%> | ||
| + | Using mwan3 with load balancing or failover routing policies for IPv6 requires additional configuration such as NETMAP, NPTv6 or NAT66. None of these methods are currently implemented in mwan3 directly and hence requires additional configuration. | ||
| + | </ | ||
| + | |||
| + | **Using IPv6 with mwan3:** | ||
| + | |||
| + | - Newer versions of mwan3 have better IPv6 support, ensure you are running a supported OpenWrt version, as various IPv6 related areas have been addressed in recent versions. | ||
| + | - You will need to split your WAN network interfaces, so one interface has your IPv4 WAN and another for the IPv6 WAN. A common example convention is wan and wan6 (default with OpenWrt), along with an additional WAN interfaces such as wanb and wanb6 etc. Your IPv6 interface can be an alias interface in most cases. You then define each interface in mwan3 with the address family of either '' | ||
| + | - You will likely need to implement some form of IPv6 masquerading such as NETMAP or NPTv6 or [[docs: | ||
| + | |||
| + | NETMAP, NPTv6 and NAT66 all are configuration options that can work with mwan3, but it is up to you to implement the IPv6 configuration required. mwan3 does not currently implement any IPv6 masquerading by itself. | ||
| + | |||
| + | The [[# | ||
| + | |||
| + | === Disable mwan3 from routing IPv6 traffic === | ||
| + | |||
| + | You can prevent mwan3 from routing IPv6 traffic by declaring '' | ||
| ===== Pre-configuration ===== | ===== Pre-configuration ===== | ||
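Review bot: The scope of the iptables-nft requirement differs between the two install paths. The command line block is headed "For 22.03 or later:" but the LuCI step reads "For 22.03:", which leaves 23.05 users on the web interface path unsure whether the extra packages apply to them. Suggest the same wording in both places. The added heading "==== Web interface (LuCI) ===" also opens with four equals signs and closes with three, and "if there any changes" in the Upgrading paragraph is missing "are".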
| Line 142: | Line 222: | ||
| === Routers using Distributed Switch Architecture (DSA) === | === Routers using Distributed Switch Architecture (DSA) === | ||
| - | From 21.02 onwards | + | From 21.02 onwards |
| - Go to **Network > Interfaces** and select the Devices tab. Click configure on the br-lan device. | - Go to **Network > Interfaces** and select the Devices tab. Click configure on the br-lan device. | ||
| Line 163: | Line 243: | ||
| <WRAP center info 100%> | <WRAP center info 100%> | ||
| - | If you are using a newer release branch build of OpenWrt after 18.06, this step is **not necessary anymore**. Router initiated traffic | + | **If you are using 19.07 or newer this part is not required**. Router initiated traffic |
| A new service [[https:// | A new service [[https:// | ||
| </ | </ | ||
| Line 207: | Line 287: | ||
| Extra advantage is that configuring mwan3 rules for router only traffic is much easier. | Extra advantage is that configuring mwan3 rules for router only traffic is much easier. | ||
| - | ==== Prepare and the check the default routing table for the WAN interfaces ==== | + | ==== Prepare and verify |
| - | <WRAP left important | + | <WRAP left info 100%> |
| Before doing anything with mwan3 (installing or configuring), | Before doing anything with mwan3 (installing or configuring), | ||
| </ | </ | ||
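Review bot: Downgrading this notice from "important" to "info" conflicts with the reordering elsewhere in this revision. The Installation section now comes before Pre-configuration, yet the notice still reads "Before doing anything with mwan3 (installing or configuring)", so a reader following the page top to bottom has already installed the package by the time they reach it. Suggest either keeping the "important" level and adding a pointer at the top of Installation, or rewording the notice to match the new section order.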
| Line 215: | Line 295: | ||
| === Configure a different metric for each WAN interface === | === Configure a different metric for each WAN interface === | ||
| - | This is an important | + | <WRAP left important 100%> |
| + | Ensure that every WAN interface has a gateway IP and metric defined! | ||
| + | </ | ||
| * You must configure each WAN interface with a **different** routing metric. This metric will only have an effect on the default routing table, not on the mwan3 routing tables. | * You must configure each WAN interface with a **different** routing metric. This metric will only have an effect on the default routing table, not on the mwan3 routing tables. | ||
| Line 254: | Line 336: | ||
| default via 10.0.4.2 dev eth2 proto static | default via 10.0.4.2 dev eth2 proto static | ||
| </ | </ | ||
| - | |||
| - | <WRAP left important 100%> | ||
| - | Ensure that every WAN interface has a gateway IP and metric defined! This is very important as otherwise mwan3 will likely not work! | ||
| - | </ | ||
| ==== Verify outbound traffic on each WAN interface ==== | ==== Verify outbound traffic on each WAN interface ==== | ||
| Line 325: | Line 403: | ||
| This is the IP of // | This is the IP of // | ||
| - | |||
| - | |||
| - | ===== Installation ===== | ||
| - | === On the command line (SSH)=== | ||
| - | |||
| - | <code bash> | ||
| - | opkg update | ||
| - | opkg install mwan3 | ||
| - | opkg install luci-app-mwan3 | ||
| - | </ | ||
| - | |||
| - | '' | ||
| - | |||
| - | === On the web interface (LuCI) === | ||
| - | * Go to System -> Software | ||
| - | * click " | ||
| - | * In the " | ||
| - | |||
| - | ==== Restart LuCI or reboot if needed ==== | ||
| - | |||
| - | To ensure the new menu item for mwan3 appears, logout of your existing session and restart the service hosting the LuCI interface i.e. uhttpd or just reboot the router. | ||
| - | |||
| - | * Go to System > Startup | ||
| - | * click the " | ||
| - | * Login into the web interface again. | ||
| - | |||
| - | A new menu entry " | ||
| - | |||
| - | ==== Upgrading ==== | ||
| - | |||
| - | If there is a newer version of mwan3 available, you can upgrade mwan3 through either opkg or LuCI. | ||
| - | |||
| - | < | ||
| - | opkg upgrade mwan3 | ||
| - | </ | ||
| - | |||
| - | Or through LuCI: **System** -> **Software** -> **Updates** | ||
| - | |||
| - | Your existing configuration will not be modified and instead if there any changes from the default, these will be able to be viewed in a '' | ||
| ===== mwan3 configuration ===== | ===== mwan3 configuration ===== | ||
| - | The mwan3 configuration consists of five section elements, namely: | + | The mwan3 configuration consists of five main sections: |
| - | + | ||
| - | * Globals | + | |
| - | * Interfaces | + | |
| - | * Members | + | |
| - | * Policies | + | |
| - | * Rules | + | |
| - | + | ||
| - | Essentially the configuration can be summarised to the following. Globals are settings that apply to all of mwan3, interfaces are configured in mwan3 to be tracked and relate to the interface names present in your network configuration. For routing rules, one or more members must be defined targeting a specific interface, which in turn are assigned to a policy and a policy is assigned to one or more rules. | + | |
| - | + | ||
| + | * Globals - Global settings that apply to mwan3 overall. | ||
| + | * Interfaces - Network interfaces to be used/ | ||
| + | * Members - For a network interface to be used in mwan3, it must be defined as a member, which can then be used in policies. | ||
| + | * Policies - How the traffic should be routed according to the metric value and weight set in the member configuration. This allows you to define configurations like load balancing/ | ||
| + | * Rules - Defining one or more specific routing rules according to the defined policy set. A variety of rules can be configured using source/ | ||
| ==== Globals configuration ===== | ==== Globals configuration ===== | ||
| Line 421: | Line 455: | ||
| In most cases the default values should work for most configurations. The primary reason to change the default settings is to shorten the time before an interface is failed-over (by reducing the ping interval and number of pings before the interface is down) or lengthen the time to avoid a false link failure report. Please note that if you change the timeout value on low bandwidth interfaces (e.g. 3G) or busy interfaces, that false positives of marking a WAN down can occur. A timeout value of less then 2 seconds is not recommended. | In most cases the default values should work for most configurations. The primary reason to change the default settings is to shorten the time before an interface is failed-over (by reducing the ping interval and number of pings before the interface is down) or lengthen the time to avoid a false link failure report. Please note that if you change the timeout value on low bandwidth interfaces (e.g. 3G) or busy interfaces, that false positives of marking a WAN down can occur. A timeout value of less then 2 seconds is not recommended. | ||
| - | A typical interface section looks like this, mostly using the default values of all options described above: | + | A typical interface section |
| <code bash> | <code bash> | ||
| config interface ' | config interface ' | ||
| option enabled ' | option enabled ' | ||
| - | list track_ip '8.8.4.4' | + | list track_ip '1.0.0.1' |
| - | list track_ip '8.8.8.8' | + | list track_ip '1.1.1.1' |
| list track_ip ' | list track_ip ' | ||
| list track_ip ' | list track_ip ' | ||
| Line 434: | Line 468: | ||
| === Reliable public IP addresses to ping === | === Reliable public IP addresses to ping === | ||
| + | |||
| Below are a collection of public IPv4 and IPv6 endpoints that accept ICMP and can be used with mwan3track for tracking the connection state of interfaces if using the ping tracking method. These are [[wp> | Below are a collection of public IPv4 and IPv6 endpoints that accept ICMP and can be used with mwan3track for tracking the connection state of interfaces if using the ping tracking method. These are [[wp> | ||
| Line 521: | Line 556: | ||
| **Key points about rules:** | **Key points about rules:** | ||
| - | * Rules specify which traffic will use a particular policy | + | * Rules specify which traffic will use a particular policy. |
| - | * Rules are based on IP address, port or protocol | + | * Rules are based on IP address, port or protocol. |
| - | * Rules are matched from top to bottom | + | * Rules are matched from top to bottom. |
| - | * Rules below a matching rule are ignored | + | * Rules below a matching rule are ignored. |
| - | * Traffic not matching any rule is routed using the main routing table | + | * Traffic not matching any defined |
| - | * Traffic destined for known (other than default) networks is handled by the main routing table | + | * Traffic destined for known (other than default) networks is handled by the main routing table. |
| - | * Traffic matching a rule where all interfaces for that policy are down will be blackholed | + | * Traffic matching a rule where all interfaces for that policy are down will be blackholed. |
| - | * Rule names may contain characters A-Z, a-z, 0-9, _ and no spaces | + | * Rule names may contain characters A-Z, a-z, 0-9, _ and no spaces. |
| - | * Rules may not share the same name as configured interfaces, members or policies | + | * Rules may not share the same name as configured interfaces, members or policies. |
| ^ Name ^ Type ^ Required ^ Default ^ Description ^ | ^ Name ^ Type ^ Required ^ Default ^ Description ^ | ||
| Line 569: | Line 604: | ||
| For rules that require a large amount of destination IP addresses, it is recommended to use ipset as this more optimised to group large amounts of IP addresses, or CIDR ranges. | For rules that require a large amount of destination IP addresses, it is recommended to use ipset as this more optimised to group large amounts of IP addresses, or CIDR ranges. | ||
| - | === ipset and sticky | + | === Sticky |
| - | Stickiness | + | Sticky (or sticky sessions) can be enabled on a per-rule basis and lets you route a new session over the same WAN interface as the previous session, as long as the time between the new and the previous session is shorter then the specified |
| + | |||
| + | By default mwan3 treats all https traffic with a sticky rule. | ||
| <code bash> | <code bash> | ||
| - | config rule 'youtube' | + | config rule 'https' |
| option sticky ' | option sticky ' | ||
| - | option timeout '300' | + | option |
| + | option proto ' | ||
| + | option use_policy ' | ||
| + | </ | ||
| + | |||
| + | With sticky set to 1, this rule now uses sticky sessions. When a packet for a new session matches this rule, its source IP address and interface mark are stored in an ipmark. When a packet for a second new session from the same LAN host within the timeout | ||
| + | |||
| + | === ipset support === | ||
| + | |||
| + | <WRAP center important 100%> | ||
| + | ipset functionality is broken in 23.05 due to the '' | ||
| + | </ | ||
| + | |||
| + | ipset is designed to store multiple IP addresses in a single collection, while being performant and easier to maintain. Common usages of ipset include storing large amounts of IP addresses or ranges in a single set as well as conditional routing by domain. As routing ultimately works at the IP layer, being able to use ipset with domain based policies is useful for many websites or services which use multiple IP addresses or large Content Delivery Networks which means the IP address of that domain is constantly changing, individually adding these IP addresses would become unmanageable very quickly, ipset can help maintain this for you. | ||
| + | |||
| + | A set can be populated manually, by a DNS resolver (triggered by a DNS lookup), or your own script. Rules enabled with ipset option will check for the existence of the destination address in the ipset chain defined in the rule to determine what routing needs to take place. If the destination address is found, the packet will be routed according to the policy, otherwise the ipset policy will not apply. | ||
| + | |||
| + | <code bash> | ||
| + | config rule 'youtube' | ||
| option ipset ' | option ipset ' | ||
| + | option sticky ' | ||
| option dest_port ' | option dest_port ' | ||
| option proto ' | option proto ' | ||
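Review bot: In the new Sticky paragraph, "shorter then the specified" should read "shorter than the specified". In the ipset support text, the sentence beginning "As routing ultimately works at the IP layer" strings several clauses together with commas; suggest splitting it after "constantly changing" and again before "ipset can help maintain this for you".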
| Line 583: | Line 639: | ||
| </ | </ | ||
| - | With sticky | + | **Tip:** ipset rules also support |
| - | **Stickiness is on a per rule basis. With this example, all traffic from LAN hosts will use the same WAN interface | + | The example creates an ipset rule for a collection called youtube, with an additional |
| - | The option | + | For having |
| - | If the ipset chain does not already exist, mwan3 will create the ipset set for you. For this to work you need to configure a rule for dnsmasq in your ''/ | + | **dnsmasq: |
| + | |||
| + | **Note:** dnsmasq-full is required for ipset functionality. | ||
| <code bash> | <code bash> | ||
| Line 603: | Line 661: | ||
| </ | </ | ||
| - | You will then need to restart dnsmasq | + | Add more domains by separating each domain with a ''/'' |
| + | |||
| + | **AdGuard Home:** | ||
| + | |||
| + | Add to ''/ | ||
| + | |||
| + | <code yaml> | ||
| + | dns: | ||
| + | | ||
| + | - youtube.com/ | ||
| + | ... | ||
| + | </ | ||
| + | |||
| + | Add more domains by separating each domain with a '','' | ||
| + | |||
| + | Restart your DNS resolver and make a DNS lookup | ||
| + | |||
| + | <code bash> | ||
| + | ipset -L youtube | ||
| + | </ | ||
| + | |||
| + | If all is working correctly, you should see the resolved IP address or addresses in the ipset collection. | ||
| + | |||
| + | Be aware if the domain has been recently resolved by your DNS resolver, it may return a cache response which may not hit the ipset collection, clear the DNS cache and confirm your lookup is not a cached result. | ||
| ==== Default configuration example ==== | ==== Default configuration example ==== | ||
| - | This is an example configuration | + | This is a copy of the example configuration |
| <code bash / | <code bash / | ||
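Review bot: The closing paragraph tells the reader to "clear the DNS cache" before testing but gives no step for either resolver covered above (dnsmasq or AdGuard Home), so the check with "ipset -L youtube" can still come back empty for a reason the page does not explain. Suggest adding the cache-clearing step per resolver, or advising a lookup of a name that has not been resolved recently. The paragraph is also a comma splice and should be split after "ipset collection".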
| Line 614: | Line 695: | ||
| config interface ' | config interface ' | ||
| option enabled ' | option enabled ' | ||
| - | list track_ip '8.8.4.4' | + | list track_ip '1.0.0.1' |
| - | list track_ip '8.8.8.8' | + | list track_ip '1.1.1.1' |
| list track_ip ' | list track_ip ' | ||
| list track_ip ' | list track_ip ' | ||
| Line 623: | Line 704: | ||
| config interface ' | config interface ' | ||
| option enabled ' | option enabled ' | ||
| - | list track_ip '2001:4860:4860::8844' | + | list track_ip '2606:4700:4700::1001' |
| - | list track_ip '2001:4860:4860::8888' | + | list track_ip '2606:4700:4700::1111' |
| list track_ip ' | list track_ip ' | ||
| list track_ip ' | list track_ip ' | ||
| Line 632: | Line 713: | ||
| config interface ' | config interface ' | ||
| option enabled ' | option enabled ' | ||
| - | list track_ip '8.8.4.4' | + | list track_ip '1.0.0.1' |
| - | list track_ip '8.8.8.8' | + | list track_ip '1.1.1.1' |
| list track_ip ' | list track_ip ' | ||
| list track_ip ' | list track_ip ' | ||
| Line 641: | Line 722: | ||
| config interface ' | config interface ' | ||
| option enabled ' | option enabled ' | ||
| - | list track_ip '2001:4860:4860::8844' | + | list track_ip '2606:4700:4700::1001' |
| - | list track_ip '2001:4860:4860::8888' | + | list track_ip '2606:4700:4700::1111' |
| list track_ip ' | list track_ip ' | ||
| list track_ip ' | list track_ip ' | ||
| Line 741: | Line 822: | ||
| </ | </ | ||
| - | ===== Verification of basic operation | + | ===== Testing/ |
| + | Once mwan3 has been configured and is enabled you will want to verify that mwan3 is working and correctly routing traffic according to your policies and rules. | ||
| + | |||
| + | ==== Interface status ==== | ||
| - | ==== Check status in the MWAN3 overview page ==== | ||
| * Network > MultiWAN Manager | * Network > MultiWAN Manager | ||
| * Overview | * Overview | ||
| * MWAN3 Multi-WAN Interface Live Status | * MWAN3 Multi-WAN Interface Live Status | ||
| * this area should show all WAN interfaces as " | * this area should show all WAN interfaces as " | ||
| - | * MWAN3 Multi-WAN Interface | + | * MWAN3 Multi-WAN Interface |
| * this area will show recent mwan3 log messages | * this area will show recent mwan3 log messages | ||
| - | **Note:** Older versions of mwan3 will use the label " | + | **Note:** Older versions of mwan3 will use the label " |
| - | ==== Check kernel routing | + | ==== Routing |
| - | * "ip route show table x" | + | |
| + | * '' | ||
| + | |||
| + | ==== Verification of WAN interface load balancing ==== | ||
| - | ===== Verification of WAN interface load-balancing ===== | ||
| * Go to Network > Interfaces | * Go to Network > Interfaces | ||
| * Send traffic from a test inside PC | * Send traffic from a test inside PC | ||
| Line 764: | Line 849: | ||
| * Verify that traffic is going out all expected WAN interfaces | * Verify that traffic is going out all expected WAN interfaces | ||
| - | ===== Verification of WAN interface failover ===== | + | ==== Verification of WAN interface failover ===== |
| - | ==== Test interface failover ==== | + | |
| * Go to Network > Load Balancing > Overview | * Go to Network > Load Balancing > Overview | ||
| * Manually disconnect a WAN connection | * Manually disconnect a WAN connection | ||
| * Wait for interface failure detection to happen -- the mwan3 status display should update | * Wait for interface failure detection to happen -- the mwan3 status display should update | ||
| + | |||
| * Go to Network > Interfaces | * Go to Network > Interfaces | ||
| * Send traffic from a test inside PC and observe the interface packet counts to ensure traffic is now going out the alternate WAN port (counters are updated automatically) | * Send traffic from a test inside PC and observe the interface packet counts to ensure traffic is now going out the alternate WAN port (counters are updated automatically) | ||
| * Check that the external IP address has changed to the wanb interface (such as by going to [[http:// | * Check that the external IP address has changed to the wanb interface (such as by going to [[http:// | ||
| - | ==== Test interface | + | === Test WAN interface |
| * Restore the primary WAN connection | * Restore the primary WAN connection | ||
| * Wait for detection that the WAN link is back up | * Wait for detection that the WAN link is back up | ||
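Review bot: The demoted heading "==== Verification of WAN interface failover =====" has four equals signs on the left and five on the right; the markers should match the other level-4 headings added in this section. The first step under it still says "Network > Load Balancing > Overview", while the Interface status steps earlier in the same section use "Network > MultiWAN Manager"; suggest one menu name throughout.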
| Line 804: | Line 891: | ||
| **Changes in version 2.10.0:** | **Changes in version 2.10.0:** | ||
| - | '' | + | '' |
| + | |||
| + | <code bash> | ||
| + | mwan3 use < | ||
| + | </ | ||
| + | |||
| + | **Ping using the primary WAN interface: | ||
| + | |||
| + | <code bash> | ||
| + | mwan3 use wan ping -4 google.co.uk | ||
| + | </ | ||
| + | |||
| + | **iperf3 using the secondary WAN interface: | ||
| + | |||
| + | <code bash> | ||
| + | mwan3 use wanb iperf3 -4 -c speed.nimag.net -R | ||
| + | </ | ||
| **Changes in version 2.8.11:** | **Changes in version 2.8.11:** | ||
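Review bot: The iperf3 example hardcodes a specific third-party server ("speed.nimag.net") and the ping example a specific domain, so the documented commands stop working if those hosts change. Suggest a placeholder for the server with a remark that any reachable iperf3 server will do. The examples also sit under "Changes in version 2.10.0" rather than in a usage section, where a reader looking for how to run "mwan3 use" is less likely to find them.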
| Line 1248: | Line 1352: | ||
| option family ' | option family ' | ||
| option use_policy ' | option use_policy ' | ||
| + | </ | ||
| + | |||
| + | ==== nft2ipset init script ==== | ||
| + | |||
| + | Due to the default firewall (fw4) now being based on nftables (rather than iptables), the ipset functionality commonly used in conjunction with dnsmasq and mwan3 no longer works in 23.05 releases. This is due to mwan3 not being fully compatible with nftables and requiring iptables compatibility/ | ||
| + | |||
| + | You will need to use nfset with dnsmasq for ipset polices to be created, which mwan3 only supports at this time. mwan3 currently does not support nfset in rules directly, hence the need to create ipset policies. | ||
| + | |||
| + | For help with this init script, please message @Kishi on the forum thread and also thank them if you found this useful! | ||
| + | |||
| + | The script is [[https:// | ||
| + | |||
| + | Installation instructions: | ||
| + | |||
| + | < | ||
| + | wget -O / | ||
| + | chmod +x / | ||
| + | service nft2ipset enable | ||
| + | service nft2ipset start | ||
| </ | </ | ||