Differences
| docs:guide-user:network:wan:multiwan:mwan3 [2023/05/01 13:34] – [Rule configuration] jamesmacwhite | docs:guide-user:network:wan:multiwan:mwan3 [2024/05/17 08:30] – [nft2ipset init script] jamesmacwhite | ||
|---|---|---|---|
| Line 1: | Line 1: | ||
| ====== mwan3 (Multi WAN load balancing/ | ====== mwan3 (Multi WAN load balancing/ | ||
| - | * 22.03: Latest release: [[: | + | * 23.05: Latest release: [[: |
| + | * 22.03: Latest release: 2.11.7 | ||
| * 21.02: Latest release: 2.10.13-1 | * 21.02: Latest release: 2.10.13-1 | ||
| - | * 19.07 or older: No longer supported or maintained. | ||
| ==== About mwan3 ==== | ==== About mwan3 ==== | ||
| Line 60: | Line 60: | ||
| ==== OpenWrt version ==== | ==== OpenWrt version ==== | ||
| - | **Using the latest [[:# | + | === 23.05 === |
| - | The 19.07 branch should also work but it has an older version of mwan3 which does not include some newer features and fixes. It was also discovered there were a few 4.14 kernel issues that affect certain network configurations which can cause problems for mwan3. This has been resolved by a specific [[commit>? | + | The mwan3 package |
| - | Older branches before | + | **Known issues:** |
| + | |||
| + | * [[https:// | ||
| + | |||
| + | === 22.03 === | ||
| + | |||
| + | 22.03 switched to firewall4/ | ||
| + | |||
| + | **Known issues:** | ||
| + | |||
| + | There are a few regressions between 2.10 and 2.11 identified with sticky rules and ipset. | ||
| + | An issue with fwmark and tunnel connections can cause traffic to be incorrectly routed e.g. L2TP, 6in4 and IPv6 traffic within the tunnel is also present under certain configurations. | ||
| + | |||
| + | * [[https:// | ||
| + | * < | ||
| + | * < | ||
| + | * [[https:// | ||
| + | |||
| + | === 21.02 === | ||
| + | |||
| + | **No longer supported.** | ||
| + | |||
| + | The version of mwan3 in 21.02 is 2.10.13-1, it has a lot of improvements over the version in 19.07 for both performance and stability. | ||
| + | |||
| + | For those running some form of tunnel based protocol e.g. L2TP, 6in4 and IPv6 traffic within the tunnel may encounter routing issues due to fwmark behaviour that unintentionally marks all incoming traffic which can break routing in many cases. | ||
| + | |||
| + | **Known issues:** | ||
| + | |||
| + | * [[https:// | ||
| + | |||
| + | Older versions beyond the old and current stable | ||
| You can find the current open issues for mwan3 on the [[https:// | You can find the current open issues for mwan3 on the [[https:// | ||
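Review bot: the 22.03 known-issues sentence beginning "An issue with fwmark and tunnel connections" runs two statements together so it ends with "is also present under certain configurations" and no longer says what is present; split it, e.g. "An fwmark issue can cause traffic over tunnel connections (L2TP, 6in4, and IPv6 carried inside the tunnel) to be routed incorrectly under certain configurations." The 21.02 paragraph "The version of mwan3 in 21.02 is 2.10.13-1, it has a lot of improvements" is a comma splice (use a full stop or "and"), and its following paragraph restates the same fwmark description a second time; one statement with a pointer to the 22.03 block would do.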
| Line 104: | Line 134: | ||
| opkg install luci-app-mwan3 | opkg install luci-app-mwan3 | ||
| </ | </ | ||
| + | |||
| + | '' | ||
| <WRAP center info 100%> | <WRAP center info 100%> | ||
| - | For routers using 22.03 or snapshot which uses firewall4/ | + | For routers using 22.03 or above the default firewall |
| </ | </ | ||
| Line 115: | Line 147: | ||
| opkg install ip6tables-nft | opkg install ip6tables-nft | ||
| </ | </ | ||
| - | |||
| - | '' | ||
| ==== Web interface (LuCI) === | ==== Web interface (LuCI) === | ||
| Line 149: | Line 179: | ||
| <WRAP center info 100%> | <WRAP center info 100%> | ||
| - | Using mwan3 with routing policies for IPv6 requires additional configuration such as NETMAP, NPTv6 or NAT66. None of these methods are currently implemented in mwan3 directly and requires additional configuration. | + | Using mwan3 with load balancing or failover |
| </ | </ | ||
| - | Newer versions of mwan3 have better IPv6 support, but there are few guidelines you need to follow in order to configure | + | **Using |
| - | - If your IPv6 is using a tunnel type connection such as 6in4 or Wireguard, you are strongly advised to use OpenWrt | + | - Newer versions of mwan3 have better |
| - | - You will need to split your network interfaces, so one interface has your IPv4 uplink | + | - You will need to split your WAN network interfaces, so one interface has your IPv4 WAN and another for the IPv6 WAN. A common example convention is wan and wan6 (default with OpenWrt), along with an additional WAN interfaces such as wanb and wanb6 etc. Your IPv6 interface |
| - | - You will need to implement some form of IPv6 masquerading such as NETMAP or [[docs: | + | - You will likely |
| NETMAP, NPTv6 and NAT66 all are configuration options that can work with mwan3, but it is up to you to implement the IPv6 configuration required. mwan3 does not currently implement any IPv6 masquerading by itself. | NETMAP, NPTv6 and NAT66 all are configuration options that can work with mwan3, but it is up to you to implement the IPv6 configuration required. mwan3 does not currently implement any IPv6 masquerading by itself. | ||
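Review bot: in the second numbered IPv6 guideline, "along with an additional WAN interfaces such as wanb and wanb6" mixes singular and plural; use "along with additional WAN interfaces such as wanb and wanb6". The closing paragraph still says mwan3 implements no IPv6 masquerading itself, so the rewritten info box above the list should name the same three mechanisms (NETMAP, NPTv6, NAT66) so the two statements read consistently.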
| Line 192: | Line 222: | ||
| === Routers using Distributed Switch Architecture (DSA) === | === Routers using Distributed Switch Architecture (DSA) === | ||
| - | From 21.02 onwards | + | From 21.02 onwards |
| - Go to **Network > Interfaces** and select the Devices tab. Click configure on the br-lan device. | - Go to **Network > Interfaces** and select the Devices tab. Click configure on the br-lan device. | ||
| Line 574: | Line 604: | ||
| For rules that require a large amount of destination IP addresses, it is recommended to use ipset as this more optimised to group large amounts of IP addresses, or CIDR ranges. | For rules that require a large amount of destination IP addresses, it is recommended to use ipset as this more optimised to group large amounts of IP addresses, or CIDR ranges. | ||
| - | === ipset and sticky | + | === Sticky |
| - | Stickiness | + | Sticky (or sticky sessions) can be enabled on a per-rule basis and lets you route a new session over the same WAN interface as the previous session, as long as the time between the new and the previous session is shorter then the specified |
| + | |||
| + | By default mwan3 treats all https traffic with a sticky rule. | ||
| <code bash> | <code bash> | ||
| - | config rule 'youtube' | + | config rule 'https' |
| option sticky ' | option sticky ' | ||
| - | option timeout '300' | + | option |
| + | option proto ' | ||
| + | option use_policy ' | ||
| + | </ | ||
| + | |||
| + | With sticky set to 1, this rule now uses sticky sessions. When a packet for a new session matches this rule, its source IP address and interface mark are stored in an ipmark. When a packet for a second new session from the same LAN host within the timeout | ||
| + | |||
| + | === ipset support === | ||
| + | |||
| + | <WRAP center important 100%> | ||
| + | ipset functionality is broken in 23.05 due to the '' | ||
| + | </ | ||
| + | |||
| + | ipset is designed to store multiple IP addresses in a single collection, while being performant and easier to maintain. Common usages of ipset include storing large amounts of IP addresses or ranges in a single set as well as conditional routing by domain. As routing ultimately works at the IP layer, being able to use ipset with domain based policies is useful for many websites or services which use multiple IP addresses or large Content Delivery Networks which means the IP address of that domain is constantly changing, individually adding these IP addresses would become unmanageable very quickly, ipset can help maintain this for you. | ||
| + | |||
| + | A set can be populated manually, by a DNS resolver (triggered by a DNS lookup), or your own script. Rules enabled with ipset option will check for the existence of the destination address in the ipset chain defined in the rule to determine what routing needs to take place. If the destination address is found, the packet will be routed according to the policy, otherwise the ipset policy will not apply. | ||
| + | |||
| + | <code bash> | ||
| + | config rule 'youtube' | ||
| option ipset ' | option ipset ' | ||
| + | option sticky ' | ||
| option dest_port ' | option dest_port ' | ||
| option proto ' | option proto ' | ||
| Line 588: | Line 639: | ||
| </ | </ | ||
| - | With sticky | + | **Tip:** ipset rules also support |
| - | **Stickiness is on a per rule basis. With this example, all traffic from LAN hosts will use the same WAN interface | + | The example creates an ipset rule for a collection called youtube, with an additional |
| - | The option | + | For having |
| - | If the ipset chain does not already exist, mwan3 will create the ipset set for you. For this to work you need to configure a rule for dnsmasq in your ''/ | + | **dnsmasq: |
| + | |||
| + | **Note:** dnsmasq-full is required for ipset functionality. | ||
| <code bash> | <code bash> | ||
| Line 608: | Line 661: | ||
| </ | </ | ||
| - | You will then need to restart dnsmasq | + | Add more domains by separating each domain with a ''/'' |
| + | |||
| + | **AdGuard Home:** | ||
| + | |||
| + | Add to ''/ | ||
| + | |||
| + | <code yaml> | ||
| + | dns: | ||
| + | | ||
| + | - youtube.com/ | ||
| + | ... | ||
| + | </ | ||
| + | |||
| + | Add more domains by separating each domain with a '','' | ||
| + | |||
| + | Restart your DNS resolver and make a DNS lookup | ||
| + | |||
| + | <code bash> | ||
| + | ipset -L youtube | ||
| + | </ | ||
| + | |||
| + | If all is working correctly, you should see the resolved IP address or addresses in the ipset collection. | ||
| + | |||
| + | Be aware if the domain has been recently resolved by your DNS resolver, it may return a cache response which may not hit the ipset collection, clear the DNS cache and confirm your lookup is not a cached result. | ||
| ==== Default configuration example ==== | ==== Default configuration example ==== | ||
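Review bot: "shorter then the specified" in the Sticky paragraph should be "shorter than", and "a cache response" in the final DNS-cache caveat should be "a cached response". The ipset introduction is a single sentence of roughly ninety words; break it after "conditional routing by domain" and again after "constantly changing". The verification step (run a lookup, then `ipset -L youtube`) is useful; since the set is only populated when the router's own resolver answers the query, add that the test lookup must be sent to that resolver, otherwise a client using a different upstream will never show entries in the set.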
| Line 815: | Line 891: | ||
| **Changes in version 2.10.0:** | **Changes in version 2.10.0:** | ||
| - | '' | + | '' |
| + | |||
| + | <code bash> | ||
| + | mwan3 use < | ||
| + | </ | ||
| + | |||
| + | **Ping using the primary WAN interface: | ||
| + | |||
| + | <code bash> | ||
| + | mwan3 use wan ping -4 google.co.uk | ||
| + | </ | ||
| + | |||
| + | **iperf3 using the secondary WAN interface: | ||
| + | |||
| + | <code bash> | ||
| + | mwan3 use wanb iperf3 -4 -c speed.nimag.net -R | ||
| + | </ | ||
| **Changes in version 2.8.11:** | **Changes in version 2.8.11:** | ||
| Line 1259: | Line 1352: | ||
| option family ' | option family ' | ||
| option use_policy ' | option use_policy ' | ||
| + | </ | ||
| + | |||
| + | ==== nft2ipset init script ==== | ||
| + | |||
| + | Due to the default firewall (fw4) now being based on nftables (rather than iptables), the ipset functionality commonly used in conjunction with dnsmasq and mwan3 no longer works in 23.05 releases. This is due to mwan3 not being fully compatible with nftables and requiring iptables compatibility/ | ||
| + | |||
| + | You will need to use nfset with dnsmasq for ipset polices to be created, which mwan3 only supports at this time. mwan3 currently does not support nfset in rules directly, hence the need to create ipset policies. | ||
| + | |||
| + | For help with this init script, please message @Kishi on the forum thread and also thank them if you found this useful! | ||
| + | |||
| + | The script is [[https:// | ||
| + | |||
| + | Installation instructions: | ||
| + | |||
| + | < | ||
| + | wget -O / | ||
| + | chmod +x / | ||
| + | service nft2ipset enable | ||
| + | service nft2ipset start | ||
| </ | </ | ||