Dual WAN, selected traffic over second WAN (help needed!)

Mark Rose
DD-WRT Novice


Joined: 07 Nov 2013
Posts: 6

Posted: Thu Nov 07, 2013 16:53    Post subject: Dual WAN, selected traffic over second WAN (help needed!)
Hi All,

I've been trying to get this working for a while now. I'm stuck. Basically, I would like to send some traffic over a second cable modem from the same ISP.

I've already configured a vlan, vlan3, for the second WAN connection, wan2, following the guide here. wan2 is up and I can ping the default gateway and ping the Asus remotely. I don't do any automatic failover, however.

I'm using the latest DD-WRT available for the Asus RT-N66U, 21676 mega.

This is my Administration->Commands->Firewall

Code:

# Configure source IP rewriting on vlan3
iptables -t nat -I POSTROUTING -o vlan3 -s 192.168.42.0/24 -j SNAT --to $(nvram get wan2_ipaddr)

# Add default gateway to 900 table
ip route add default via $(nvram get wan2_gateway) table 900

# Anything with this fwmark will use the 900 table
ip rule add fwmark 0x1 table 900

# Mark ReadyTalk
iptables -A OUTPUT -t mangle -o vlan1 -d 66.151.54.0/24 -j MARK --set-mark 1
iptables -A OUTPUT -t mangle -o vlan1 -d 63.251.200.0/24 -j MARK --set-mark 1

# Mark PhonePower (we assign specific IPs)
iptables -A OUTPUT -t mangle -o vlan1 --src-range 192.168.42.250-192.168.42.254 -j MARK --set-mark 1

# Mark Google Hangouts
iptables -A OUTPUT -t mangle -o vlan1 -p tcp --dport 19305:19309 -j MARK --set-mark 1
iptables -A OUTPUT -t mangle -o vlan1 -p udp --dport 19305:19309 -j MARK --set-mark 1

# And to test with
iptables -A OUTPUT -t mangle -o vlan1 -d 192.0.2.1 -j MARK --set-mark 1

# Flush changes
ip route flush cache


However traffic to 192.0.2.1 (not my real test IP) still comes from the primary WAN. I test this by SSHing to 192.0.2.1 and running `who --ips`.

`iptables -L -t mangle -n` shows the values set above.

Code:

root@gateway:~# iptables -L -t mangle -n
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
FILTER_IN  0    --  0.0.0.0/0            0.0.0.0/0           
MARK       0    --  0.0.0.0/0            99.232.106.124       MARK or 0x80000000
CONNMARK   0    --  0.0.0.0/0            0.0.0.0/0           CONNMARK save 

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
IMQ        0    --  0.0.0.0/0            0.0.0.0/0           IMQ: todev 0

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
IMQ        0    --  0.0.0.0/0            0.0.0.0/0           IMQ: todev 0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
MARK       0    --  0.0.0.0/0            66.151.54.0/24       MARK set 0x1
MARK       0    --  0.0.0.0/0            63.251.200.0/24      MARK set 0x1
MARK       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpts:19305:19309  MARK set 0x1
MARK       udp  --  0.0.0.0/0            0.0.0.0/0           udp dpts:19305:19309  MARK set 0x1
MARK       0    --  0.0.0.0/0            192.0.2.1            MARK set 0x1

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
FILTER_OUT  0    --  0.0.0.0/0            0.0.0.0/0           

Chain FILTER_IN (1 references)
target     prot opt source               destination         
CONNMARK   0    --  0.0.0.0/0            0.0.0.0/0           CONNMARK restore
SVQOS_SVCS  0    --  0.0.0.0/0            0.0.0.0/0           mark match 0x0/0x7ffc00
CONNMARK   0    --  0.0.0.0/0            0.0.0.0/0           CONNMARK save 
RETURN     0    --  0.0.0.0/0            0.0.0.0/0           

Chain FILTER_OUT (1 references)
target     prot opt source               destination         
CONNMARK   0    --  0.0.0.0/0            0.0.0.0/0           CONNMARK restore
SVQOS_SVCS  0    --  0.0.0.0/0            0.0.0.0/0           mark match 0x0/0x7ffc00
CONNMARK   0    --  0.0.0.0/0            0.0.0.0/0           CONNMARK save 
RETURN     0    --  0.0.0.0/0            0.0.0.0/0           

Chain SVQOS_SVCS (2 references)
target     prot opt source               destination         
MARK       0    --  0.0.0.0/0            0.0.0.0/0           protocol Skype  MARK xset 0x5000/0x7ffc00
RETURN     0    --  0.0.0.0/0            0.0.0.0/0



`iptables -L -t nat -n`

Code:

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
DNAT       tcp  --  0.0.0.0/0            99.232.106.124      tcp dpt:8080 to:192.168.42.1:443
DNAT       tcp  --  0.0.0.0/0            99.232.106.124      tcp dpt:22 to:192.168.42.1:22
DNAT       icmp --  0.0.0.0/0            99.232.106.124      to:192.168.42.1
TRIGGER    0    --  0.0.0.0/0            99.232.106.124      TRIGGER type:dnat match:0 relate:0

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
SNAT       0    --  192.168.42.0/24      0.0.0.0/0           to:99.232.36.66
SNAT       0    --  192.168.42.0/24      0.0.0.0/0           to:99.232.106.124
MASQUERADE  0    --  0.0.0.0/0            0.0.0.0/0           mark match 0x80000000/0x80000000


I try to verify that the rule is configured with `ip rule list`, but the command returns blank output. None of the usual `ip rule` commands work. This leads me to believe `ip rule` doesn't work at all.

Code:

root@gateway:~# ip rule list
root@gateway:~#


Help? I'm at a loss as to what to do next at this point.
Mark Rose
DD-WRT Novice


Joined: 07 Nov 2013
Posts: 6

Posted: Mon Nov 11, 2013 17:23
Can anyone please offer any insight?
Mark Rose
DD-WRT Novice


Joined: 07 Nov 2013
Posts: 6

Posted: Wed Nov 13, 2013 23:30
After digging around, I found build 22118 for the Asus RT-N66U, but the `ip rule` command still appears broken :(
Mark Rose
DD-WRT Novice


Joined: 07 Nov 2013
Posts: 6

Posted: Sat Nov 16, 2013 20:13
eibgrad wrote:
What does "which ip" return?


Code:
root@gateway:~# which ip
/usr/sbin/ip
root@gateway:~# ls -l /usr/sbin/ip
-rwxr-xr-x    1 root     root         87367 Jul 24 09:24 /usr/sbin/ip
root@gateway:~#


`help` also does not list `ip` as a BusyBox (v1.21.0 2013-07-24 11:18:37 CEST) built-in command.
darkbeethoven
DD-WRT Novice


Joined: 14 Dec 2013
Posts: 1

Posted: Sat Dec 14, 2013 10:41
This is broken for me too. Same router. Same build.

I updated the corresponding bugtracker:

http://svn.dd-wrt.com/ticket/3033#comment:5

I'm not using a script - just want to make sure the default source routing works correctly with one command:
root@router:~# ip rule add from 192.168.1.86 table 10
RTNETLINK answers: Address family not supported by protocol
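
Added example (not part of any post in this thread, and not DD-WRT's own code): a pre-flight check for the kind of fwmark script posted in the first message, plus a classifier for the `ip rule` symptoms reported in the first and last posts. The function names, the sample input and the placeholder address 203.0.113.2 are constructed for illustration; tying the symptoms to a kernel built without policy routing is an assumption the thread does not confirm.

```shell
#!/bin/sh
# Added example: pre-flight checks for a fwmark policy-routing firewall script.

# Lint a firewall script read from stdin; prints "<line>: <finding>".
lint_fwmark_script() {
    awk '
    /^[ \t]*#/ || !/iptables/ { next }   # skip comments and non-iptables lines
    {
        chain = ""; mangle = 0; iprange = 0; range = 0; mark = 0
        for (i = 1; i <= NF; i++) {
            if (($i == "-A" || $i == "-I") && chain == "") chain = $(i + 1)
            if ($i == "-t" && $(i + 1) == "mangle") mangle = 1
            if ($i == "-m" && $(i + 1) == "iprange") iprange = 1
            if ($i == "--src-range" || $i == "--dst-range") range = 1
            if ($i == "--set-mark") mark = 1
        }
        if (range && !iprange)
            print NR ": --src-range/--dst-range needs -m iprange; rule will not load"
        if (mangle && mark && chain == "OUTPUT")
            print NR ": OUTPUT marks only traffic the router itself originates"
    }'
}

# Classify captured "ip rule list" output ($1) and "ip rule add" stderr ($2).
# Assumption: "unsupported" usually means the kernel lacks policy routing
# (CONFIG_IP_MULTIPLE_TABLES); the thread itself does not confirm the cause.
policy_routing_state() {
    case "$2" in
        *"Address family not supported by protocol"*) echo unsupported; return ;;
    esac
    # A working kernel normally lists at least the local, main and default rules.
    if [ -z "$1" ]; then echo unsupported; else echo ok; fi
}

# Constructed sample: three rules modelled on the posted script
# (203.0.113.2 is a placeholder for the wan2 address).
sample_script() {
    cat <<'EOF'
# Mark ReadyTalk
iptables -A OUTPUT -t mangle -o vlan1 -d 66.151.54.0/24 -j MARK --set-mark 1
iptables -A OUTPUT -t mangle -o vlan1 --src-range 192.168.42.250-192.168.42.254 -j MARK --set-mark 1
iptables -t nat -I POSTROUTING -o vlan3 -s 192.168.42.0/24 -j SNAT --to 203.0.113.2
EOF
}

sample_script | lint_fwmark_script
```

Forwarded LAN packets never traverse OUTPUT, so marks meant for them belong in the mangle PREROUTING chain, matched on `-i` or source address because `-o` is not valid there. The missing `-m iprange` finding matches the `iptables -L -t mangle -n` listing in the first post, where the PhonePower rule does not appear.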