2WAN setup

nivuc

New Around Here
I'm trying to make ASUSwrt-merlin's dual WAN setup work in a specific way, and I'm not sure if I even can.

ASUS router with dual WAN turned on, in active mode. LAN side is 192.168.30.1/24.
WAN1 goes to a cable modem. The cable modem is in bridge mode and assigns a public IPv4 address to WAN1. Its configuration/status page is also reachable at 192.168.100.1.
WAN2 goes to a 4G modem. This modem is in bridge mode and assigns a public IPv4 address to WAN2. Its configuration/status page is also reachable at 192.168.5.1.

When WAN1 is up:
I want traffic leaving the router, from any LAN client, to public IPs to exit via WAN1.
I want traffic destined for 192.168.100.1 to exit via WAN1.
I want traffic destined for 192.168.5.1 to exit via WAN2.
I expect inbound requests from WAN1 to match the NAT rules and pass through to LAN IPs as appropriate.
I want inbound requests from WAN2 to be dropped.


When WAN1 is down:
I want traffic leaving the router, from specific LAN clients, to public IPs to exit via WAN2.
I want traffic leaving the router, from all other LAN clients, to public IPs to be dropped.
I want traffic destined for 192.168.100.1 to exit via WAN1.
I want traffic destined for 192.168.5.1 to exit via WAN2.
I expect inbound requests from WAN2 to match the NAT rules and pass through to LAN IPs as appropriate.

To determine if WAN1 is up/down, I don't want to use the built-in "ping some IP" check, but rather use a script to periodically connect to http://192.168.100.1 and parse the response.

I think what I need is a script that does the up/down check via cron and, based on the results, swaps between two different iptables and interface route definitions. As I try to build this out, the issue I think I am running into is the default WAN management functionality fighting me. Has anyone gotten something like what I describe above working; and if so, can you share your setup?
 

Tech9

Part of the Furniture
Dual WAN doesn't work properly on Asus routers. Here is a script fixing some things:

 

Ranger802004

Very Senior Member
For Dual WAN in Failover Mode:
What you'll need to do is put the following in a startup script, perhaps wan-event:
Modify the IPS list as necessary, with one IP per line.

Code:
# Default route for WAN0 Routing Table (table 100)
if [ -z "$(ip route list default table 100 | grep -e "$(nvram get wan0_gw_ifname)")" ]; then
  ip route add default via $(nvram get wan0_gateway) dev $(nvram get wan0_gw_ifname) table 100
fi
# Default route for WAN1 Routing Table (table 200)
if [ -z "$(ip route list default table 200 | grep -e "$(nvram get wan1_gw_ifname)")" ]; then
  ip route add default via $(nvram get wan1_gateway) dev $(nvram get wan1_gw_ifname) table 200
fi
# IP Rule for Traffic destined to 192.168.100.1 (via table 100 = WAN0); add only if missing
if [ -z "$(ip rule list | grep -w "to 192.168.100.1")" ]; then
  ip rule add from all to 192.168.100.1 lookup 100 priority 100
fi
# IP Rule for Traffic destined to 192.168.5.1 (via table 200 = WAN1); add only if missing
if [ -z "$(ip rule list | grep -w "to 192.168.5.1")" ]; then
  ip rule add from all to 192.168.5.1 lookup 200 priority 100
fi

# Delete/Create Blackhole rule (priority 200) based on Primary WAN
if [ "$(nvram get wan0_primary)" = "1" ]; then
  # WAN0 is primary: remove the blackhole if it is present
  if [ -n "$(ip rule list | grep -e "^200:" | grep -w "blackhole")" ]; then
    ip rule del blackhole from all priority 200
  fi
elif [ "$(nvram get wan1_primary)" = "1" ]; then
  # WAN1 is primary: add the blackhole if it is missing
  if [ -z "$(ip rule list | grep -e "^200:" | grep -w "blackhole")" ]; then
    ip rule add blackhole from all priority 200
  fi
fi

# Create IP Rules for IPs to be rerouted when WAN0 is down.
# List of IPs to fail over when WAN0 is down, one per line.
IPS='
192.168.1.2
192.168.1.3
192.168.1.4
'
for IP in $IPS; do
  if [ "$(nvram get wan0_primary)" = "1" ]; then
    # WAN0 is primary: remove the failover rule if it is present
    if [ -n "$(ip rule list | grep -w "from $IP")" ]; then
      ip rule del from $IP to all lookup 200 priority 100
    fi
  elif [ "$(nvram get wan1_primary)" = "1" ]; then
    # WAN1 is primary: add the failover rule if it is missing
    if [ -z "$(ip rule list | grep -w "from $IP")" ]; then
      ip rule add from $IP to all lookup 200 priority 100
    fi
  fi
done

Put these in the nat-start script:
Code:
# Masquerade Rule for WAN0
if [ -z "$(iptables -t nat -L POSTROUTING -v -n | awk '{ if( /MASQUERADE/ && /'$(nvram get wan0_gw_ifname)'/ && /'$(nvram get wan0_ipaddr)'/ ) print $3 }')" ]; then
  iptables -t nat -A POSTROUTING -o $(nvram get wan0_gw_ifname) ! -s $(nvram get wan0_ipaddr) -j MASQUERADE
fi
# Masquerade Rule for WAN1
if [ -z "$(iptables -t nat -L POSTROUTING -v -n | awk '{ if( /MASQUERADE/ && /'$(nvram get wan1_gw_ifname)'/ && /'$(nvram get wan1_ipaddr)'/ ) print $3 }')" ]; then
  iptables -t nat -A POSTROUTING -o $(nvram get wan1_gw_ifname) ! -s $(nvram get wan1_ipaddr) -j MASQUERADE
fi
# Masquerade Rule for 192.168.100.1
if [ -z "$(iptables -t nat -L POSTROUTING -v -n | awk '{ if( /MASQUERADE/ && /'$(nvram get wan0_gw_ifname)'/ && /192.168.100.1/ ) print $3 }')" ]; then
  iptables -t nat -A POSTROUTING -o $(nvram get wan0_gw_ifname) -d 192.168.100.1 -j MASQUERADE
fi
# Masquerade Rule for 192.168.5.1
if [ -z "$(iptables -t nat -L POSTROUTING -v -n | awk '{ if( /MASQUERADE/ && /'$(nvram get wan1_gw_ifname)'/ && /192.168.5.1/ ) print $3 }')" ]; then
  iptables -t nat -A POSTROUTING -o $(nvram get wan1_gw_ifname) -d 192.168.5.1 -j MASQUERADE
fi

The only thing I did not cover is your custom request to curl 192.168.100.1 and parse the output.
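The piece the reply above leaves open is the HTTP-based health check. The script below is an added example, not code from this thread or from ASUSwrt-merlin: a cron job that fetches the cable modem's status page, classifies WAN0 as up or down, and swaps the same rule layout the reply uses (table 200 for WAN1, per-client failover rules at priority 100, catch-all blackhole at priority 200). The "Operational" keyword, the 192.168.30.x client addresses, the /tmp state file and the script name are assumptions; check what your own modem's page actually says when the link is up.

```shell
#!/bin/sh
# Added example (not from the thread or the firmware): cron-driven WAN0 health
# check that probes the cable modem's status page and swaps policy-routing rules.
# Assumes the layout from the reply above: table 200 = WAN1 default route,
# per-client failover rules at priority 100, blackhole at priority 200.
# DRY_RUN=1 (the default) only prints the ip(8) commands it would run.

MODEM_URL="http://192.168.100.1/"             # cable modem status page (from the thread)
STATE_FILE="${STATE_FILE:-/tmp/wan0_state}"  # hypothetical path: remembers last decision
DRY_RUN="${DRY_RUN:-1}"

# LAN clients allowed to fail over to WAN1 (constructed sample addresses).
FAILOVER_IPS='
192.168.30.10
192.168.30.11
'

# Decide WAN0 state from curl's exit status and the page body. "Operational" is a
# placeholder for whatever your modem prints when the cable link is up; a TCP
# answer from the modem alone is not proof of an upstream link, so match the body.
classify_wan0() {
    rc="$1"; body="$2"
    [ "$rc" -eq 0 ] || { echo down; return; }
    case "$body" in
        *Operational*) echo up ;;
        *) echo down ;;
    esac
}

# Fetch the page with tight timeouts so a wedged modem cannot stall the cron job.
probe_wan0() {
    if body=$(curl -s -m 5 --connect-timeout 3 "$MODEM_URL"); then rc=0; else rc=$?; fi
    classify_wan0 "$rc" "$body"
}

# Emit, one per line, the ip(8) commands that move the rule set to $1 (up|down).
# "down" adds the failover rules and the blackhole; "up" deletes the same rules,
# so one run is idempotent and a "del" of an already-absent rule is harmless.
rules_for_state() {
    state="$1"; verb=del
    [ "$state" = down ] && verb=add
    for ip in $FAILOVER_IPS; do
        echo "ip rule $verb from $ip lookup 200 priority 100"
    done
    echo "ip rule $verb blackhole from all priority 200"
}

# Apply the commands for $1 only when the state actually changed.
# Returns 0 when rules were (or would be) touched, 1 when nothing changed.
apply_state() {
    state="$1"
    prev=$(cat "$STATE_FILE" 2>/dev/null || echo unknown)
    [ "$state" = "$prev" ] && return 1
    rules_for_state "$state" | while read -r cmd; do
        if [ "$DRY_RUN" = 1 ]; then echo "[dry-run] $cmd"; else $cmd 2>/dev/null || true; fi
    done
    if [ "$DRY_RUN" != 1 ]; then
        ip route flush cache
        echo "$state" > "$STATE_FILE"
        logger -t wan0check "WAN0 $prev -> $state" 2>/dev/null || true
    fi
    return 0
}

# Only probe and apply when called as the cron job ("wan0check.sh run");
# sourcing the file without arguments just defines the functions.
if [ "${1:-}" = run ]; then
    apply_state "$(probe_wan0)"
fi
```

On Merlin firmware the job would be scheduled with the cru helper, for example `cru a wan0check "* * * * * DRY_RUN=0 /jffs/scripts/wan0check.sh run"` (path assumed). Two things worth checking after the first real failover: `ip rule` should show the client rules ahead of the blackhole, and because that blackhole sits ahead of the main table, any other routed traffic (guest network segments, VPN clients) not matched by an earlier rule is dropped as well, which `ip route get <dst> from <src>` will confirm.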