| docs:guide-user:network:wan:multiwan:mwan3 [2023/10/22 07:36] – [Rule configuration] ipset warning jamesmacwhite | docs:guide-user:network:wan:multiwan:mwan3 [2024/05/17 08:30] – [nft2ipset init script] jamesmacwhite |
|---|
| **Known issues:** | **Known issues:** |
| |
| * [[https://github.com/openwrt/packages/issues/22474|mwan3: ipset functionality broken on 23.05]] | * [[https://github.com/openwrt/packages/issues/22474|mwan3: ipset functionality broken on 23.05]]. [[docs:guide-user:network:wan:multiwan:mwan3#nft2ipset_init_script|Workaround init script available]]. |
| |
| === 22.03 === | === 22.03 === |
| |
| <WRAP center important 100%> | <WRAP center important 100%> |
| ipset functionality is broken in 23.05 due to the ''dnsmasq-full'' package no longer being compiled with ipset support in favour of nftables. As mwan3 does not currently support nftables natively, this functionality no longer works. [[https://forum.openwrt.org/t/23-05-dnsmasq-ipsets-and-mwan3-incompatibility/174926|More information and further discussion]]. | ipset functionality is broken in 23.05 due to the ''dnsmasq-full'' package no longer being compiled with ipset support in favour of nftables. As mwan3 does not currently support nftables natively, this functionality no longer works. [[https://forum.openwrt.org/t/23-05-dnsmasq-ipsets-and-mwan3-incompatibility/174926|More information and further discussion]]. A [[docs:guide-user:network:wan:multiwan:mwan3#nft2ipset init script|workaround init script that converts nfset to ipset is available]] to use until mwan3 is updated to natively support nfset. |
| </WRAP> | </WRAP> |
| |
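
Review bot: the two workaround links added in this revision use different anchors for the same section: the Known issues entry points at `mwan3#nft2ipset_init_script`, while the warning box points at `mwan3#nft2ipset init script` with spaces. Use one form in both places, matching the id DokuWiki generates for the new "nft2ipset init script" heading (normally lowercase with underscores), so the link in the warning box lands on the section.
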
| option family 'ipv4' | option family 'ipv4' |
| option use_policy 'wanb_only' | option use_policy 'wanb_only' |
| | </code> |
| | |
| | ==== nft2ipset init script ==== |
| | |
| | Due to the default firewall (fw4) now being based on nftables (rather than iptables), the ipset functionality commonly used in conjunction with dnsmasq and mwan3 no longer works in 23.05 releases. This is due to mwan3 not being fully compatible with nftables and requiring iptables compatibility/translation packages (see installation steps). While ipset functionality works in 23.02 without any changes, since the 23.05 release an important dnsmasq compile flag was changed to remove all ipset support in favour of nfset. To restore near like for like functionality a custom init script can be used, [[https://forum.openwrt.org/t/23-05-dnsmasq-ipsets-and-mwan3-incompatibility/174926/40|credit @Kishi on the OpenWrt community forum]]. This script monitors changes to nftables/nfset and creates or updates ipset equivalents, essentially replicating the behaviour of what dnsmasq would do with ipset support enabled. |
| | |
| | You will need to use nfset with dnsmasq for ipset polices to be created, which mwan3 only supports at this time. mwan3 currently does not support nfset in rules directly, hence the need to create ipset policies. |
| | |
| | For help with this init script, please message @Kishi on the forum thread and also thank them if you found this useful! |
| | |
| | The script is [[https://gist.github.com/Kishi85/b7f379f9aa19f4878af28b8e1a8887ab|published as gist on GitHub]] so the full code can be inspected and reviewed before installing. |
| | |
| | Installation instructions: |
| | |
| | <code> |
| | wget -O /etc/init.d/nft2ipset https://gist.github.com/Kishi85/b7f379f9aa19f4878af28b8e1a8887ab/raw/ |
| | chmod +x /etc/init.d/nft2ipset |
| | service nft2ipset enable |
| | service nft2ipset start |
| </code> | </code> |
| |
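
Review bot: the installation commands in the new nft2ipset section write the gist's unpinned `/raw/` URL straight to `/etc/init.d/nft2ipset` and then enable and start it, so the reader installs whatever the latest gist revision is at download time as an init script, without the inspection the preceding paragraph recommends. Suggest having the reader download to a temporary path, review the file, and only then move it into `/etc/init.d/`; pointing the URL at a specific gist revision and listing a checksum for that revision would let readers confirm they installed the version that was reviewed. Two smaller points in the same section: "works in 23.02" names a release that appears nowhere else in the visible text (which refers to 22.03 and 23.05), so the version should be confirmed, and "ipset polices" should read "ipset policies".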