dual wan + client selection + vpn director

Darkje

Regular Contributor
Guys, since we all know that dual-WAN load balancing doesn't work on any Asus router, I wanted to split the network. I have two connections, so my idea was to bind the first 128 IPs to modem 1 and the second batch to modem 2.
This works flawlessly. But then I want an IP from the first batch to use a VPN with VPN Director, and that doesn't work. Somehow it will not get any data.

Any ideas?
 

Ranger802004

Regular Contributor
I have a script that does this based on destinations instead of source IP if you are interested.
Guys, since we all know that dual-WAN load balancing doesn't work on any Asus router, I wanted to split the network. I have two connections, so my idea was to bind the first 128 IPs to modem 1 and the second batch to modem 2.
This works flawlessly. But then I want an IP from the first batch to use a VPN with VPN Director, and that doesn't work. Somehow it will not get any data.

Any ideas?
 

eibgrad

Part of the Furniture
The reason it doesn't work is because dual WAN (in load balancing mode) and the OpenVPN clients are completely incompatible. Each is using policy routing rules to control the routing. In the case of dual WAN, it creates rules for wan0 and wan1. In the case of the OpenVPN clients, it creates rules for ovpnc1 thru ovpnc5. But the former *always* takes precedence over the latter! You can see this for yourself by dumping the RPDB.

Code:
ip rule

So no matter what you do wrt the OpenVPN clients, once dual WAN in load balancing mode is enabled, the OpenVPN clients are starved of any traffic.
 

Ranger802004

Regular Contributor
I had to attach it as a file to this post (too long). This will create ipsets, iptables rules, and ip routes for destinations going to the interface you set in the variables. In my script I'm using tun11. You will need to create the files for HOSTS and HOSTTOIPLISTFILE and make them readable to the script. In the HOSTS file you will need to list the site addresses you want rules created for, one address per line (see attached example). You can leave the HOSTTOIPLISTFILE blank, as it will be filled by the script when it is running. Just a further note: I have it working with the TMP files mainly to cut down on writes to flash every time it queries and there is nothing new added. It will remove duplicate queries and check the permanent file for differences; if nothing is different it won't do anything, and if a new IP is queried it will add it to the permanent file.
 

Attachments

  • customvpnroute.sh.txt
    14.9 KB · Views: 16
  • customvpnroute_hosts.txt
    41 bytes · Views: 9

Ranger802004

Regular Contributor
I think load balancing can better become 2 connections ... Nothing. Balanced.
It's because it's a basic algorithm to split connections, nothing fancy. If they wanted to make it better they could implement Equal Cost Multipath Routing (ECMP).
 

Darkje

Regular Contributor
So using the second WAN ready state seems to do the trick. However, it would be nice to have a double routing policy. But I think it is a fact that Asus simply doesn't care. Perhaps it can be done aside from the Asus dual-WAN system as an amtm plugin.
 

Darkje

Regular Contributor
It does seem to be unstable... Maybe to be more clear: the OpenVPN is leaking when dual WAN, since it will use the second connection anyway. Now I want one connection for normal ISP stuff, and the second for the VPN (job + streaming + adblocking); those are like 10 clients at max.
 

clavas

New Around Here
It does seem to be unstable... Maybe to be more clear: the OpenVPN is leaking when dual WAN, since it will use the second connection anyway. Now I want one connection for normal ISP stuff, and the second for the VPN (job + streaming + adblocking); those are like 10 clients at max.
I would also love to be able to do this.

I have 2 internet connections and I want a set of clients to always use WAN1 (no VPN) and another set of clients to always use WAN2 (with VPN).
The clients would be selected based on IP address.

Is this possible or do I need to look at alternative routers?
 

Darkje

Regular Contributor
Dunno, I tried a lot of things but it doesn't maximize the bandwidth. It maxes out at 1 connection, although it seems to use the second WAN. Within the next 6 to 9 months I will get 1gb fiber and then there is no need for two connections anymore.
 

L&LD

Part of the Furniture
How low are these ISP speeds? Is one connection used for something like torrents?

Doesn't a script like FlexQoS work to make a single ISP usable?


Seems like even a 10/1 Mbps connection can be effectively controlled, and keep the network responsive.
 

Darkje

Regular Contributor
They are two connections with 150/15.
Load balancing is crap. Since the IP flips.

So I want 0.0.0.0/24 to Wan 1
And I want 0.0.0.128/24 to Wan 2

But then I have wan rules so the VPN rules don't count anymore as it seems
 

chongnt

Senior Member
The reason it doesn't work is because dual WAN (in load balancing mode) and the OpenVPN clients are completely incompatible. Each is using policy routing rules to control the routing. In the case of dual WAN, it creates rules for wan0 and wan1. In the case of the OpenVPN clients, it creates rules for ovpnc1 thru ovpnc5. But the former *always* takes precedence over the latter! You can see this for yourself by dumping the RPDB.

Code:
ip rule

So no matter what you do wrt the OpenVPN clients, once dual WAN in load balancing mode is enabled, the OpenVPN clients are starved of any traffic.
Will it work if I set ovpnc to have higher priority than, say, wan1?
 

Martineau

Part of the Furniture
Don't think so
Have you tried?

Couldn't you simply replicate/move the VPN client rules to a higher priority than the Dual-WAN rules each time the VPN client is started, by using the appropriate OVPN event script... assuming VPN Director has already created the VPN Selective Routing rules?

/jffs/scripts/vpnclientX-route-up

i.e. the following two commands should show the commands that should be used to replicate the VPN Director rules (for both VPN clients 1 and 2) to the higher priority.
Code:
ip rule | awk '/ovpnc1/ {print "ip rule add from "$3 " table "$5 " prio 21"}'
ip rule | awk '/ovpnc2/ {print "ip rule add from "$3 " table "$5 " prio 22"}'
etc.
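
An added example (not part of the post above, and not the router firmware's own code) that makes the replication step safe to repeat from a route-up script: it prints an `ip rule add` only for sources that have no copy at the target priority yet, and an `ip rule del` for copies whose original rule is gone. The `sync_cmds` name and the rule listing are assumptions constructed for the illustration.

```shell
#!/bin/sh
# Constructed `ip rule` listing (not captured from a router). For ovpnc1 it
# holds three rules at their original priorities, one copy already promoted
# to prio 21, and one stale copy at prio 21 whose original no longer exists.
SAMPLE_RULES='0: from all lookup local
21: from 192.168.1.20 lookup ovpnc1
21: from 192.168.1.99 lookup ovpnc1
150: from 192.168.1.0/25 lookup wan0
10010: from 192.168.1.20 lookup ovpnc1
10011: from 192.168.1.21 lookup ovpnc1
10012: from 192.168.1.22 to 10.9.0.0/16 lookup ovpnc1
32766: from all lookup main'

# sync_cmds RULES TABLE PRIO  (hypothetical helper)
# Prints the commands that bring the copies at PRIO in line with the rules for
# TABLE found at any other priority: "add" for missing copies, "del" for stale
# ones. Only plain "from <src> lookup <table>" rules are handled; a rule with
# a "to" selector is skipped, because $5 would not be the table there.
sync_cmds() {
    printf '%s\n' "$1" | awk -v t="$2" -v p="$3" '
    $2 == "from" && $4 == "lookup" && $5 == t {
        if ($1 + 0 == p) { if (!($3 in copy)) { copy[$3] = 1; c[++nc] = $3 } }
        else if (!($3 in orig)) { orig[$3] = 1; o[++no] = $3 }
    }
    END {
        for (i = 1; i <= no; i++) if (!(o[i] in copy))
            print "ip rule add from " o[i] " table " t " prio " p
        for (i = 1; i <= nc; i++) if (!(c[i] in orig))
            print "ip rule del from " c[i] " table " t " prio " p
    }'
}

# Print only, so the commands can be reviewed before they are run.
sync_cmds "$SAMPLE_RULES" ovpnc1 21
```

On a router the first argument would be `"$(ip rule)"`. The source-plus-destination rule is deliberately left alone and would need its own handling.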
 

Ranger802004

Regular Contributor
They are two connections with 150/15.
Load balancing is crap. Since the IP flips.

So I want 0.0.0.0/24 to Wan 1
And I want 0.0.0.128/24 to Wan 2

But then I have wan rules so the VPN rules don't count anymore as it seems
Technically you need to change the CIDR to “split” the subnet for routing rules. Try this…
X.X.X.0/25
X.X.X.128/25
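
The rule ordering discussed earlier in the thread and the /25 split suggested above, modelled as an added example (not code from any post here, and not the attached customvpnroute script). The rule listings are constructed; the model assumes plain `from ... lookup ...` rules and that every table other than `local` holds a usable default route.

```shell
#!/bin/sh
# Constructed `ip rule` listings (not captured from a router); priorities and
# addresses are made up. Layout: "<prio>: from <src> lookup <table>".
DUALWAN_RULES='0: from all lookup local
150: from 192.168.1.0/25 lookup wan0
151: from 192.168.1.128/25 lookup wan1
10010: from 192.168.1.20 lookup ovpnc1
32766: from all lookup main'

# The same split written with /24 masks.
SLASH24_RULES='150: from 192.168.1.0/24 lookup wan0
151: from 192.168.1.128/24 lookup wan1'

# first_match RULES SRC_IP  (hypothetical helper)
# Prints the table of the lowest-priority-number rule whose "from" selector
# contains SRC_IP. Simplifications (assumptions): only plain from/lookup rules
# are read, "local" is skipped, and every other table is taken to hold a
# usable default route, so the first selector match decides.
first_match() {
    printf '%s\n' "$1" | awk -v src="$2" '
    function ip2int(ip,  o) {
        split(ip, o, ".")
        return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
    }
    function in_cidr(ip, cidr,  p, len, size) {
        if (cidr == "all") return 1
        split(cidr, p, "/")
        len = (p[2] == "") ? 32 : p[2]
        size = 2 ^ (32 - len)          # addresses covered by the prefix
        return int(ip2int(ip) / size) == int(ip2int(p[1]) / size)
    }
    $2 == "from" && $4 == "lookup" && $5 != "local" && in_cidr(src, $3) {
        prio = $1 + 0                  # "150:" converts to 150
        if (best == "" || prio < bestprio) { best = $5; bestprio = prio }
    }
    END { print best }'
}

first_match "$DUALWAN_RULES" 192.168.1.20    # wan0: the ovpnc1 rule is never reached
first_match "$DUALWAN_RULES" 192.168.1.200   # wan1: upper half of the /25 split
first_match "$SLASH24_RULES" 192.168.1.200   # wan0: a /24 spans .0-.255
```

With /24 masks both selectors cover the whole subnet, so the lower-numbered rule takes every client; with /25 the two halves are disjoint.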
 

eibgrad

Part of the Furniture
Will it work if I set ovpnc to have higher priority than, say, wan1?

What do you mean by "will it work"? As I said, you have two (2) different routing policies; dual WAN vs. OpenVPN. You can't manage both at the same time. No matter how you order the priority of the ip rules wrt each feature, one takes precedence over (and starves) the other.
 

Ranger802004

Regular Contributor
What do you mean by "will it work"? As I said, you have two (2) different routing policies; dual WAN vs. OpenVPN. You can't manage both at the same time. No matter how you order the priority of the ip rules wrt each feature, one takes precedence over (and starves) the other.
You could make destinations higher priority for VPN and not starve default to WAN traffic. That is what I do and the script I provided earlier does this based on host names you use.
 
