1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.
Dismiss Notice

Welcome To SNBForums

SNBForums is a community for anyone who wants to learn about or discuss the latest in wireless routers, network storage and the ins and outs of building and maintaining a small network.

If you'd like to post a question, simply register and have at it!

While you're at it, please check out SmallNetBuilder for product reviews and our famous Router Charts, Ranker and plenty more!

Dual WAN Connected to Secondary WAN but Offline [Faulty Dongle]

Discussion in 'Asuswrt-Merlin' started by amplatfus, May 26, 2019.

  1. amplatfus

    amplatfus Regular Contributor

    Joined:
    Nov 25, 2016
    Messages:
    185
    Location:
    RO
    Hi,

    I am trying to configure secondary WAN. My setup is with Load balanced option.
    I have both WAN connected. As soon as I disconnect the WAN from WAN port (PPPoE) I loose the access to the internet.

    The USB Stick WAN is connected and I can still bing the Gateway and the USB 3 WAN IP.
    I am on Merlin Firmware 380.70 in AC88U.

    I think it must be something to a firewall routing or something. Maybe because I have the local ip with 172.16. Of could be related to DNSCRYPT.

    Please share here what do you think. I tested the SIM in my phone and it is working
    Most grateful for any ideas on where I went wrong.

    Thank you so much!
     
  2. RMerlin

    RMerlin Super Moderator

    Joined:
    Apr 14, 2012
    Messages:
    30,418
    Location:
    Canada
    Load Balanced is not intended for failure handling, it's intended for balancing the load between both connections as the name imply.
     
    amplatfus likes this.
  3. amplatfus

    amplatfus Regular Contributor

    Joined:
    Nov 25, 2016
    Messages:
    185
    Location:
    RO
    Thank you. I ended to try this because I was not sure that the dongle is connecting.

    What I need is to use USB 3 with internet as failover of WAN.

    So, even I have IP, DNS on dongle, the internet is not working when I remove the cable from WAN port with failover as setup (WAN port main, failover to dongle in USB3 port).

    Anyone know how to fix this?
    Thank you so much!

    Sent from my ONE A2003 using Tapatalk
     
  4. L&LD

    L&LD Part of the Furniture

    Joined:
    Dec 9, 2013
    Messages:
    9,404
    Did you try to test in Fail Over mode? That mode is most suited to your needs. ;)
     
    amplatfus likes this.
  5. amplatfus

    amplatfus Regular Contributor

    Joined:
    Nov 25, 2016
    Messages:
    185
    Location:
    RO
    Yes, that was the first thing tried. And because it was not working, I balanced mode.
    Please, were I should take a look to make failover working?
    I have connection even in failover on USB as secondary WAN, but I have no internet when remove the cable from main WAN port.
    Thank you. All the best!
     
  6. L&LD

    L&LD Part of the Furniture

    Joined:
    Dec 9, 2013
    Messages:
    9,404
    For something as fundamental as this to fail, there is a deeper issue.

    What scripts, features or other options do you have enabled or using beyond the defaults? What firmware are you using right now?

    When was the last time you did a full reset to factory defaults followed by a minimal and manual config to secure the router and connect to your ISP?

    It does not seem to me that your router is in a good/known state right now. I would recommend a full M&M Config on your router without any additional scripts, options or other features enabled past defaults. To verify that the failover function works at all.

    After that point, you can begin to add additional features one by one, testing between each one, including doing a reboot of the router, to make sure everything stays working as you need it to. You may find that you can enable all the features eventually without any failures. That would prove that the M&M Config was what was needed.

    https://www.snbforums.com/threads/faq-nvram-and-factory-default-reset.22822/

    The link above shows why a reset may be required.
     
    amplatfus likes this.
  7. amplatfus

    amplatfus Regular Contributor

    Joined:
    Nov 25, 2016
    Messages:
    185
    Location:
    RO
    Thank you. I am on Merlin Firmware 380.70 in AC88U. I think it must be something to a firewall routing or something. Maybe because I have the local ip with 172.16. Of could be related to DNSCRYPT 1.1.1.1.

    It is a option to do a factory reset, but before I want to be sure that I have tried all before and without success.

    DNSCRYPT DoH, Entware with NZBGet, Transmission, PHP, lighttpd server, VPN Server, VPN Client, IPSET_Block (HackerPorts), SWAP.
    That will be all main services on the router.

    Edit!: With WAN port empty and secondary USB as WAN on I have ping only to IP obtained and to DNS.

    Thank you,
    amplatfus
     
    Last edited: May 26, 2019
  8. L&LD

    L&LD Part of the Furniture

    Joined:
    Dec 9, 2013
    Messages:
    9,404
    Firmware v380.70? My friend, you need to flash to a newer, more secure, more robust, more tested and more feature-rich version. :)

    I recommend at least RMerlin 384.11_2. (Note that there is a very stable alpha release 384.12 Alpha1 too).

    DNSCrypt will certainly not be needed on the latest RMerlin firmware (he was never a fan and it seems rightly so).

    You should also look into the amtm script and the scripts it supports too. All very useful and working very well together.

    I would also recommend you install Entware via amtm (and, if you decide to use Diversion, via Diversion instead) rather than NZBGet.

    Below are some of the links you should find useful to get your router to a modern firmware release and update and streamline many of the other services you have too (note; I am not familiar at all with Transmission).

    I have tried to put them in the order you will need them. :)

    M&M Config https://www.snbforums.com/threads/n...l-and-manual-configuration.27115/#post-205573

    WPS NVRAM Erase
    https://www.snbforums.com/threads/b...eta-is-now-available.55520/page-9#post-473141

    Sanitize Network
    https://www.snbforums.com/threads/rt-ac66u-slow-wan-to-lan.12973/page-3#post-269410

    Control Channel Set up
    https://www.snbforums.com/threads/a...details-in-the-description.55582/#post-472051

    amtm Step-by-Step
    https://www.snbforums.com/threads/amtm-step-by-step-install-guide-l-ld.56237/#post-483421
     
    amplatfus likes this.
  9. amplatfus

    amplatfus Regular Contributor

    Joined:
    Nov 25, 2016
    Messages:
    185
    Location:
    RO
    Thank you so much for your post. I was waiting for User NVRAM Save/Restore Utility (R26.2) to be available for newer versions of Merlin.
    I like that DNSCrypt is included, but after entering all settings on newer firmware I would like to save those settings with a utility like I mention.

    I will save you post for later. Thank you again! All the best!
     
  10. L&LD

    L&LD Part of the Furniture

    Joined:
    Dec 9, 2013
    Messages:
    9,404
    You will be waiting for a very long time. That project has been effectively abandoned for the latest firmware and routers.

    You also misread what I wrote about DNSCrypt. It is not included. DoT has effectively replaced it. :)
     
    amplatfus likes this.
  11. amplatfus

    amplatfus Regular Contributor

    Joined:
    Nov 25, 2016
    Messages:
    185
    Location:
    RO
    In the meantime I did a factory reset, updated to 384.11_2 and then again factory reset. I inserted the stick and set it as fail-over.
    And I have same problem. I have I without internet. Please take a look at screenshots attashed.
    Could you please share your ideas to try?

    Edit1: I tried again with factory default, because at the moment of screenshots I changed the default IP. So is not working with default 192.168 too.
    Thank you so much!
     

    Attached Files:

    Last edited: May 31, 2019
  12. Bamsefar

    Bamsefar Senior Member

    Joined:
    Oct 11, 2014
    Messages:
    242
    FWIW: a couple of weeks ago someone decided to upgrade my fiber connection, however the SFP in my fiber converter decided to fail at the same time, so I lost internet connection. First I got a USB stick and SIM card, 4G to be more precise, and I never got it working at all. I think it is only a very few USB sticks that might work and they more or less has to have a web server inside that controls the USB stick modem properties...

    I ended up with a Netgear MR1100, which is a battery operated mobile router which happens to have, among other features, an ethernet port which I connected to my AC88 router. Funny thing though, only lower ports works (1-4). Anyway after this everything have worked like a charm! Expensive solution though, but it works, and well the mobile router can be a good thing to have in the future. Btw the Netgear MR1100 is well not future proof at all, but it is realy fast device, I got great speeds for download.
     
    Last edited: Jun 1, 2019
    amplatfus likes this.
  13. octopus

    octopus Very Senior Member

    Joined:
    Jul 17, 2012
    Messages:
    1,147
    This one is nice to,
    https://www.netgear.com/home/products/mobile-broadband/lte-modems/LB1120.aspx
    https://www.netgear.com/home/products/mobile-broadband/lte-modems/LB2120.aspx
     
    Bamsefar likes this.
  14. amplatfus

    amplatfus Regular Contributor

    Joined:
    Nov 25, 2016
    Messages:
    185
    Location:
    RO
    Thanks. What is funny is that I have IP at WAN and I have DNS too, and ping to them working. Only internet is not working, ping to those IP is working.
     
  15. ^Tripper^

    ^Tripper^ Regular Contributor

    Joined:
    Aug 16, 2014
    Messages:
    118
    Location:
    Disneyland with the death penalty
    Try disabling ipv6. Use only IPv4 and check if it works.
     
    amplatfus likes this.
  16. amplatfus

    amplatfus Regular Contributor

    Joined:
    Nov 25, 2016
    Messages:
    185
    Location:
    RO
    It is already disabled. I think I need a route/ tunnel, But I don't know how to do it. I say that because network manager see that the dongle is connected to the internet so is not a incompatibility with the dongle.
     
  17. Martineau

    Martineau Part of the Furniture

    Joined:
    Jul 8, 2012
    Messages:
    2,203
    Location:
    UK
    Thanks for the unsolicited PM.

    You should be able to check that the Dual-WAN RPDB rules and the Dual-WAN fwmark rules are correct.

    I have just plugged in my USB modem to my development unit RT-AC86U with Dual-WAN Load-Balance 9:1 ratio and traffic is correctly flowing over both WAN0 and WAN1 without the need for additional routing rules.
    Code:
    ip rule
    
    0: from all lookup local
    100: from 192.168.1.1/24 to 212.58.249.211 lookup wan1
    100: from 192.168.1.1/24 to 212.58.244.69 lookup wan1
    150: from all fwmark 0x80000000/0xf0000000 lookup wan0
    150: from all fwmark 0x90000000/0xf0000000 lookup wan1
    200: from 192.168.0.31 lookup wan0
    200: from 10.10.125.209 lookup wan1
    200: from 192.168.0.1 lookup wan0
    200: from 172.30.139.16 lookup wan1
    200: from 172.31.139.16 lookup wan1
    400: from all to 10.64.64.64 lookup wan1
    400: from all to 192.168.0.1 lookup wan0
    400: from all to 172.30.139.16 lookup wan1
    400: from all to 172.31.139.16 lookup wan1
    32766: from all lookup main
    32767: from all lookup default
    
    iptables --line -t mangle -nvL
    
    Chain PREROUTING (policy ACCEPT 1721 packets, 350K bytes)
    num   pkts bytes target     prot opt in     out     source               destination        
    1        0     0 MARK       all  --  tun22  *       0.0.0.0/0            0.0.0.0/0            MARK xset 0x1/0x7
    2        0     0 MARK       all  --  tun21  *       0.0.0.0/0            0.0.0.0/0            MARK xset 0x1/0x7
    3        0     0 MARK       all  --  tun13  *       0.0.0.0/0            0.0.0.0/0            MARK xset 0x1/0x7
    4    23892 3730K balance    all  --  br0    *       0.0.0.0/0            0.0.0.0/0            state NEW
    5    18649 2813K CONNMARK   all  --  br0    *       0.0.0.0/0            0.0.0.0/0            connmark match  0x80000000/0x80000000 CONNMARK restore mask 0xf0000000
    6     454K  181M CONNMARK   all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            state NEW CONNMARK xset 0x80000000/0xf0000000
    7       44 31578 CONNMARK   all  --  ppp0   *       0.0.0.0/0            0.0.0.0/0            state NEW CONNMARK xset 0x90000000/0xf0000000
    
    Chain INPUT (policy ACCEPT 1335 packets, 243K bytes)
    num   pkts bytes target     prot opt in     out     source               destination     
        
    Chain FORWARD (policy ACCEPT 120 packets, 12607 bytes)
    num   pkts bytes target     prot opt in     out     source               destination  
           
    Chain OUTPUT (policy ACCEPT 1516 packets, 302K bytes)
    num   pkts bytes target     prot opt in     out     source               destination        
    1      200 18213 CONNMARK   all  --  *      eth0    0.0.0.0/0            0.0.0.0/0            connmark match  0x80000000/0x80000000 CONNMARK restore mask 0xf0000000
    2       22  2015 CONNMARK   all  --  *      ppp0    0.0.0.0/0            0.0.0.0/0            connmark match  0x80000000/0x80000000 CONNMARK restore mask 0xf0000000
    
    Chain POSTROUTING (policy ACCEPT 1624 packets, 314K bytes)
    num   pkts bytes target     prot opt in     out     source               destination   
          
    Chain balance (1 references)
    num   pkts bytes target     prot opt in     out     source               destination        
    1     8992  756K RETURN     all  --  *      *       0.0.0.0/0            192.168.1.0/24     
    2       94  4888 RETURN     all  --  *      *       0.0.0.0/0            192.168.0.0/24     
    3        0     0 RETURN     all  --  *      *       0.0.0.0/0            10.64.64.64        
    4     4158  424K RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443
    5        0     0 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8443
    6      236  310K RETURN     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:443
    7        0     0 RETURN     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:80
    8     6916 1786K RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            connmark match  0x80000000/0x80000000
    9        0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    10    3177  410K CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0            statistic mode random probability 0.89999999991 CONNMARK xset 0x80000000/0xf0000000
    11     319 38257 CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0            connmark match  0x0 CONNMARK xset 0x90000000/0xf0000000
     
    amplatfus likes this.
  18. amplatfus

    amplatfus Regular Contributor

    Joined:
    Nov 25, 2016
    Messages:
    185
    Location:
    RO
    @Martineau, please accept my apologies for the unsolicited PM. I will not do this again.
    And thank you for post.

    I hanged to 9:1 load balance, and I have the both WAN connected, but when I remove the WAN I have no internet on USB.

    Below is my output:

    Code:
    ip rule
    0:   from all lookup local
    150:   from all fwmark 0x80000000/0xf0000000 lookup wan0
    150:   from all fwmark 0x90000000/0xf0000000 lookup wan1
    200:   from 188.25.184.236 lookup wan0
    200:   from 192.168.9.100 lookup wan1
    200:   from 1.1.1.1 lookup wan0
    200:   from 1.0.0.1 lookup wan0
    200:   from 192.168.9.1 lookup wan1
    400:   from all to 10.0.0.1 lookup wan0
    400:   from all to 1.1.1.1 lookup wan0
    400:   from all to 1.0.0.1 lookup wan0
    400:   from all to 192.168.9.1 lookup wan1
    10101:   from 172.16.0.10 lookup ovpnc1
    32766:   from all lookup main
    32767:   from all lookup default
    iptables --line -t mangle -nvL
    Chain PREROUTING (policy ACCEPT 9470 packets, 1259K bytes)
    num   pkts bytes target     prot opt in     out     source               destination        
    1       52  7665 MARK       all  --  tun11  *       0.0.0.0/0            0.0.0.0/0            MARK xset 0x1/0x7
    2        0     0 MARK       all  --  tun21  *       0.0.0.0/0            0.0.0.0/0            MARK xset 0x1/0x7
    3      719 54794 balance    all  --  br0    *       0.0.0.0/0            0.0.0.0/0            state NEW
    4       42  7576 CONNMARK   all  --  br0    *       0.0.0.0/0            0.0.0.0/0            connmark match  0x80000000/0x80000000 CONNMARK restore mask 0xf0000000
    5       33  9459 CONNMARK   all  --  ppp0   *       0.0.0.0/0            0.0.0.0/0            state NEW CONNMARK xset 0x80000000/0xf0000000
    6       56 19446 CONNMARK   all  --  eth3   *       0.0.0.0/0            0.0.0.0/0            state NEW CONNMARK xset 0x90000000/0xf0000000
    
    Chain INPUT (policy ACCEPT 9029 packets, 1206K bytes)
    num   pkts bytes target     prot opt in     out     source               destination        
    
    Chain FORWARD (policy ACCEPT 370 packets, 31092 bytes)
    num   pkts bytes target     prot opt in     out     source               destination        
    1        0     0 MARK       all  --  *      br0     172.16.0.0/24        172.16.0.0/24        MARK xset 0x1/0x7
    
    Chain OUTPUT (policy ACCEPT 8333 packets, 4016K bytes)
    num   pkts bytes target     prot opt in     out     source               destination        
    1        0     0 CONNMARK   all  --  *      ppp0    0.0.0.0/0            0.0.0.0/0            connmark match  0x80000000/0x80000000 CONNMARK restore mask 0xf0000000
    2        0     0 CONNMARK   all  --  *      eth0    0.0.0.0/0            0.0.0.0/0            connmark match  0x80000000/0x80000000 CONNMARK restore mask 0xf0000000
    3        0     0 CONNMARK   all  --  *      eth3    0.0.0.0/0            0.0.0.0/0            connmark match  0x80000000/0x80000000 CONNMARK restore mask 0xf0000000
    
    Chain POSTROUTING (policy ACCEPT 8636 packets, 4044K bytes)
    num   pkts bytes target     prot opt in     out     source               destination        
    
    Chain balance (1 references)
    num   pkts bytes target     prot opt in     out     source               destination        
    1      605 38754 RETURN     all  --  *      *       0.0.0.0/0            172.16.0.0/24      
    2        0     0 RETURN     all  --  *      *       0.0.0.0/0            10.0.0.1          
    3        0     0 RETURN     all  --  *      *       0.0.0.0/0            192.168.9.0/24    
    4       76  4926 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443
    5        0     0 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8443
    6        3  4134 RETURN     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:443
    7        0     0 RETURN     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:80
    8       17  4132 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            connmark match  0x80000000/0x80000000
    9        0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    10      15  2248 CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0            statistic mode random probability 0.89999999991 CONNMARK xset 0x80000000/0xf0000000
    11       3   600 CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0            connmark match  0x0 CONNMARK xset 0x90000000/0xf0000000
    
    Thank you and sorry again!
     

    Attached Files:

  19. Martineau

    Martineau Part of the Furniture

    Joined:
    Jul 8, 2012
    Messages:
    2,203
    Location:
    UK
    I'm not sure why there appears to be three interfaces in your OUTPUT chain, yet apparently there are no hits?

    However, you should be able to check if data retrieval is possible via both WAN interfaces:
    Code:
    curl --interface eth3 --connect-timeout 5 -s "http://ipecho.net/plain";echo
    
    curl --interface ppp0 --connect-timeout 5 -s "http://ipecho.net/plain";echo
    
    As per post #2 for the current firmware, if say WAN0 is DOWN, then the firmware (v384.12_Alpha) will revert to a single WAN configuration i.e. the RPDB rules are removed, along with the 9:1 ratio.

    So if you don't get similar messages in Syslog
    Code:
    RT-AC86U kernel: eth0 (Int switch port: 3) (Logical Port: 3) Link DOWN.
    RT-AC86U kernel: ===> Activate Deep Green Mode
    RT-AC86U WAN(0)_Connection: Ethernet link down.
    RT-AC86U rc_service: wanduck 821:notify_rc restart_wan_if 0
    RT-AC86U rc_service: wanduck 821:notify_rc restart_wan_line 1
    RT-AC86U custom_script: Running /jffs/scripts/service-event (args: restart wan_if)
    RT-AC86U rc_service: waitting "restart_wan_if 0" via wanduck ...
    RT-AC86U (service-event): 8569 Script not defined for service event: restart-wan_if
    RT-AC86U wan: finish adding multi routes
    RT-AC86U custom_script: Running /jffs/scripts/service-event-end (args: restart wan_if)
    RT-AC86U (service-event-end): 8700 Script not defined for service event: restart-wan_if-end
    RT-AC86U wan: finish adding multi routes
    RT-AC86U custom_script: Running /jffs/scripts/service-event (args: restart wan_line)
    RT-AC86U (service-event): 8726 Script not defined for service event: restart-wan_line
    RT-AC86U nat: apply nat rules (/tmp/nat_rules_1_ppp0__dev_ttyUSB0)
    RT-AC86U custom_script: Running /jffs/scripts/nat-start
    RT-AC86U custom_script: Running /jffs/scripts/firewall-start (args: ppp0)
    RT-AC86U wan: finish adding multi routes
    then I suggest you upgrade from v380.70
     
    amplatfus likes this.
  20. amplatfus

    amplatfus Regular Contributor

    Joined:
    Nov 25, 2016
    Messages:
    185
    Location:
    RO
    Thank you Martineau.
    Long story short: I started this thread when I was on 380.79. I received suggestion to upgrade to 384. I did a factory reset then update to 384.11_2, again factory reset.

    And, o this new environment I set up the PPPoE, admin password, WiFi and inserted only the stick with internet. Then I tried with failover (this is what I need) and, after, with load balance.

    The result was the same: I can see the USB WAN connected, but I can ping only it's WAN IP or DNS. Internet is still offline.

    Now I finished setup customizations. One of them is a bind IP of my LAN as one of interfaces.

    Code:
    ASUSWRT-Merlin RT-AC88U 384.11-2 Sat May 18 03:33:22 UTC 2019
    [email protected]:/tmp/home/root# curl --interface eth3 --connect-timeout 5 -s "http://ipecho.net/plain";echo
    
    [email protected]:/tmp/home/root# curl --interface ppp0 --connect-timeout 5 -s "http://ipecho.net/plain";echo
    188.25.179.215
    [email protected]:/tmp/home/root#
    
    And in failover mode here is my sys log with warnings level mode, after removing the main WAN:

    Code:
    Jun  3 00:50:44 ovpn-client1[22106]: Connection reset, restarting [0]
    Jun  3 00:51:00 kernel: cdc_ether 1-1:1.0: eth3: kevent 12 may have been dropped
    Jun  3 00:51:34 pppd[30362]: Timeout waiting for PADO packets
    
    Even in connection it displays as connected, no internet.

    Thank you for help!

    Sent from my ONE A2003 using Tapatalk