Dual WAN route all through Primary WAN except one device - RT-AX89X

goatpanda123

New Around Here
I'd like to route all devices on my network through the primary WAN, and make only my device use both the Primary and Secondary WAN. I'd appreciate it if this is possible without changing the subnet of my current network since I have everything on my network already configured.
I currently have each device set up to use Primary WAN by like 10 routing rules, but this of course isn't ideal. If the address changes or new devices are added I'd have to manually go and change this every time. So I'm looking for a better solution than that.
 

eibgrad

Part of the Furniture
I suppose you could add an ip rule for those purposes.

Code:
ip rule add not from 192.168.1.100 prior 10 table wan0

IOW, given its higher priority among all the ip rules (which you can examine w/ the 'ip rule' command (no quotes)), this says that all but 192.168.1.100 are directed to the primary WAN, while 192.168.1.100 will fall through to the load balancing rules.

You'll probably have to install it as a wan-event script, since anytime the WAN is reinitialized, that rule would probably get wiped out.
 

eibgrad

Part of the Furniture
P.S. Just thought of another possible approach. The load balancing feature uses a user-defined chain called balance in the mangle table, where the choice of wan is decided. Instead of adding an ip rule, you could probably add the following rule to that chain so it didn't consider load balancing AT ALL except for 192.168.1.100.

Code:
iptables -t mangle -I balance ! -s 192.168.1.100 -j RETURN

In this case, you'd have to add the rule to the firewall-start script.

It might be slightly more efficient than adding an ip rule after load balancing has already been considered. I'm assuming, of course, that given no consideration for load balancing, it will default to wan0 (the primary).
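Added example, not part of the original posts: the two rules above written so they can be re-run on every WAN or firewall restart without piling up duplicates. The function names and the EXEMPT, IP_CMD and IPT_CMD variables are made up here; `wan0`, `balance` and 192.168.1.100 come from the posts, and the wan-event and firewall-start hooks are assumed to exist on the firmware in use.

```shell
#!/bin/sh
# Idempotent installers for the two rules suggested above (added example).
EXEMPT="${EXEMPT:-192.168.1.100}"   # the one device allowed to load balance
IP_CMD="${IP_CMD:-ip}"              # overridable so the logic can be dry-run
IPT_CMD="${IPT_CMD:-iptables}"

# ip rule variant: remove any stale copies, then add exactly one.
ensure_ip_rule() {
    while $IP_CMD rule del not from "$EXEMPT" prior 10 table wan0 2>/dev/null; do
        :   # keep deleting until no matching rule is left
    done
    $IP_CMD rule add not from "$EXEMPT" prior 10 table wan0
}

# mangle variant: insert only when the chain does not already hold the rule.
ensure_balance_rule() {
    $IPT_CMD -t mangle -C balance ! -s "$EXEMPT" -j RETURN 2>/dev/null && return 0
    $IPT_CMD -t mangle -I balance ! -s "$EXEMPT" -j RETURN
}

# Call with "ip-rule" from the wan-event script, or "balance" from firewall-start.
case "${1:-}" in
    ip-rule) ensure_ip_rule ;;
    balance) ensure_balance_rule ;;
esac
```

Running `ip rule` and `iptables -t mangle -S balance` afterwards shows whether exactly one copy of each rule is present.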
 

FernandoF

Occasional Visitor
Hello @goatpanda123 and @eibgrad. I'm far from being an expert, but I'd like to offer for your consideration a different suggestion, which should not require running a script:
  1. Set your DHCP IP Pool to, say, Starting Address of 192.168.1.127 and Ending Address of 192.168.1.255
  2. Create a single Manual DHCP Assignment to your device, associating it to 192.168.1.127
  3. Add a single Routing Rule in the Dual WAN tab, indicating Source IP 192.168.1.128/25 to Destination IP all to use Primary WAN
(Adjust all of the above to your existing subnet settings accordingly)

Based on my limited understanding, that would direct virtually all of your LAN (192.168.1.128 to 192.168.1.255) to the Primary WAN. The one exception would be your device (192.168.1.127) which would follow your main Load Balance settings and therefore access both the Primary and Secondary WAN. I believe it should also survive reboots, WAN restarts, DHCP address changes, etc.

What do you guys think? My apologies in advance if this is an embarrassing suggestion.
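Added example, not part of the original posts: a check of which LAN source addresses the single 192.168.1.128/25 routing rule from step 3 actually matches. The helper names are made up here, and 192.168.1.50 is a constructed address standing in for a device with a manually configured IP in the lower half of the subnet.

```shell
#!/bin/sh
# Which path does a LAN source address take under one source-CIDR rule?

# ip2int A.B.C.D -> 32-bit integer
ip2int() {
    old_ifs=$IFS; IFS=.
    set -- $1            # split the dotted quad into $1..$4
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr ADDR NET/LEN -> exit 0 when ADDR falls inside NET/LEN
in_cidr() {
    addr=$(ip2int "$1")
    net=$(ip2int "${2%/*}")
    len=${2#*/}
    mask=$(( (0xFFFFFFFF << (32 - len)) & 0xFFFFFFFF ))
    [ $(( addr & mask )) -eq $(( net & mask )) ]
}

# wan_for ADDR RULE -> "primary" if the rule matches, else "load-balance"
wan_for() {
    if in_cidr "$1" "$2"; then echo primary; else echo load-balance; fi
}

RULE=192.168.1.128/25
# Constructed sample: reserved device, first and last pool hosts, one static host
for a in 192.168.1.127 192.168.1.128 192.168.1.254 192.168.1.50; do
    printf '%-15s %s\n' "$a" "$(wan_for "$a" "$RULE")"
done
```

Any address below .128 falls through to load balancing, not only the reserved .127, so devices with manually configured addresses in that range are not pinned to the Primary WAN by this rule.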
 

goatpanda123

New Around Here
Hello @goatpanda123 and @eibgrad. I'm far from being an expert, but I'd like to offer for your consideration a different suggestion, which should not require running a script:
  1. Set your DHCP IP Pool to, say, Starting Address of 192.168.1.127 and Ending Address of 192.168.1.255
  2. Create a single Manual DHCP Assignment to your device, associating it to 192.168.1.127
  3. Add a single Routing Rule in the Dual WAN tab, indicating Source IP 192.168.1.128/25 to Destination IP all to use Primary WAN

(Adjust the above to your existing subnet settings accordingly)

Based on my limited understanding, that would direct virtually all of your LAN (192.168.1.128 to 192.168.1.255) to the Primary WAN. The one exception would be your device (192.168.1.127) which would follow your main Load Balance settings and therefore access both the Primary and Secondary WAN. I believe it should also survive reboots, WAN restarts, DHCP address changes, etc.

What do you guys think? My apologies in advance if this is an embarrassing suggestion.
This seems like a much easier solution indeed, I will wait for someone else to confirm that this works though.
P.S. Just thought of another possible approach. The load balancing feature uses a user-defined chain called balance in the mangle table, where the choice of wan is decided. Instead of adding an ip rule, you could probably add the following rule to that chain so it didn't consider load balancing AT ALL except for 192.168.1.100.

Code:
iptables -t mangle -I balance ! -s 192.168.1.100 -j RETURN

In this case, you'd have to add the rule to the firewall-start script.

It might be slightly more efficient than adding an ip rule after load balancing has already been considered. I'm assuming, of course, that given no consideration for load balancing, it will default to wan0 (the primary).
This is my first time adding a script. I've done some research on the wiki. I've enabled SSH and successfully connected to it. I am however unsure on how to add a script that runs with each event. I don't even have a "scripts" folder in my jffs directory. I probably should note that I have an RT-AX89X router which doesn't support Merlin firmware. Is it possible that I can't add scripts at all with the default Asus firmware?

Thank you both for your suggestions!
 

eibgrad

Part of the Furniture
@FernandoF, that will certainly work, just so long as the OP is willing to bind this process to DHCP. I wasn't willing to make that assumption (I have no idea how flexible the OP is regarding this idea), but it's certainly another valid approach.
 

goatpanda123

New Around Here
@FernandoF, that will certainly work, just so long as the OP is willing to bind this process to DHCP. I wasn't willing to make that assumption, but it's certainly another valid approach.
Maybe a dumb question, but I would still be able to access all the other devices on the network? The fact I'm under another subnet wouldn't change anything?
 

eibgrad

Part of the Furniture
Maybe a dumb question, but I would still be able to access all the other devices on the network? The fact I'm under another subnet wouldn't change anything?

You're NOT on another subnet. You're simply changing what gets assigned on your current subnet via DHCP. This allows you to create *one* rule for policy routing on the WAN.
 

goatpanda123

New Around Here
You're NOT on another subnet. You're simply changing what gets assigned on your current subnet via DHCP. This allows you to create *one* rule for policy routing on the WAN.
That is great! This is exactly what I needed. It seems to be working so far. Thank you!
Hello @goatpanda123 and @eibgrad. I'm far from being an expert, but I'd like to offer for your consideration a different suggestion, which should not require running a script:
  1. Set your DHCP IP Pool to, say, Starting Address of 192.168.1.127 and Ending Address of 192.168.1.255
  2. Create a single Manual DHCP Assignment to your device, associating it to 192.168.1.127
  3. Add a single Routing Rule in the Dual WAN tab, indicating Source IP 192.168.1.128/25 to Destination IP all to use Primary WAN
(Adjust all of the above to your existing subnet settings accordingly)

Based on my limited understanding, that would direct virtually all of your LAN (192.168.1.128 to 192.168.1.255) to the Primary WAN. The one exception would be your device (192.168.1.127) which would follow your main Load Balance settings and therefore access both the Primary and Secondary WAN. I believe it should also survive reboots, WAN restarts, DHCP address changes, etc.

What do you guys think? My apologies in advance if this is an embarrassing suggestion.
Thank you once again!
 

FernandoF

Occasional Visitor
I'm glad to hear it, thank you both!
 

Wistuplu

Regular Contributor
Hello,

I'm possibly the least expert at this, but I would suggest a minor change: start the dhcp pool at 128. And keep the manual assignment at 127.

I'm not sure if the automatic assignment would properly take into account the manual assignments so as not to reassign the 127. If you start the pool at 128, you will be safe for sure.

Anyway, thank you for the ideas. I wasn't even aware this could be done at all.

Regards
 

FernandoF

Occasional Visitor
I'm not sure if the automatic assignment would properly take into account the manual assignments so as not to reassign the 127.
Hi @Wistuplu,

Thanks for your comments. What you're concerned with is addressed by step #2 from my proposal (Create a single Manual DHCP Assignment to your device, associating it to 192.168.1.127). It ensures 192.168.1.127 will be reserved for that device's MAC Address, so I don't see how any other device could get the .127 IP address.

In addition, it is also my understanding that Manual DHCP Assignments should only be done within the valid DHCP IP Pool, hence the recommendation to start with 127. Hopefully others will chime in and confirm or clarify this particular point.

Regards.
 

Wistuplu

Regular Contributor
It ensures 192.168.1.127 will be reserved for that device's MAC Address, so I don't see how any other device could get the .127 IP address.

In addition, it is also my understanding that Manual DHCP Assignments should only be done within the valid DHCP IP Pool, hence the recommendation to start with 127. Hopefully others will chime in and confirm or clarify this particular point.

Dear FernandoF,

"should only be done within the valid DHCP IP Pool".

Actually, on my AC-86U with Merlin, I do the exact opposite. All my manually assigned IPs are outside the pool. I do this, so that automatically assigned IPs would be more noticeable if/when I look at connected devices.

For instance, MAC XXX is manually assigned to 192.168.17.11 (and other manually assigned IPs are between this and 192.168.17.199), the pool being defined as
IP Pool Starting Address: 192.168.17.200, and
IP Pool Ending Address: 192.168.17.254

Anyway, you're most probably right that the automatic assignment will be smart enough to avoid the manually assigned IPs. I was probably being overcautious there.
Thank you again for the solution you had provided, and the exchange of views.

Best regards
W
 

FernandoF

Occasional Visitor
Thanks @Wistuplu for the additional context. I guess the key element is to understand the difference between a static IP (which is set at the device's connection settings) and a DHCP lease reservation (which is set at the router). You may be interested in the following thread:


And from that thread, this is the part I've been using as a guideline:

From RMerlin in a previous thread,

"The real problem is, a lot of users got used to allocating static leases outside of the scope, which is wrong. People are mixing up reservations with static IPs.

A static IP is something you configure on the computer's network interface, and which must be outside of the DHCP range.

A DHCP reservation is an IP you reserve within your DHCP scope, so the DHCP server will always allocate the same IP.

In other words: any IP allocated by the DHCP server *must* be within the DHCP range, regardless of whether it's static or dynamic. The fact that the DHCP server can allocate an IP from outside its defined scope is a quirk/bug in itself.

Sadly, a lot of routers (including Asuswrt) allow the definition of a reservation outside the defined scope, which leads to issues such as encountered here.

The correct fix is to either enlarge your DHCP scope to include your reservations, or change your reservations to be within the defined scope. And if your goal is for an IP to be outside of the DHCP range, then you must configure it manually and not rely on the DHCP server to allocate an IP from outside its defined range."

Nevertheless, your example shows that, in practice, either approach will work...

Great discussion, I hope this helps!
 

Wistuplu

Regular Contributor
Very helpful input, and that 2015 thread was also somehow entertaining. Great pick.
Wish you a great year.
 
