Posted: Mon Jan 28, 2013 3:04 Post subject: Dual Wan Load balancing
OK. I have the ports configured. I can get out on either hte default WAN port or the one I configured, but the load balancing doesn't work. Anyone help?
the default ports were set on vlan1 with the WAN on vlan 2 (4 5) so I created vlan3 (3 5).
I used the following startup script:
#!/bin/ash
IF0=br0
IF1=vlan2
IF2=vlan3
P0_NET=192.168.1.0/24
P1_NET=192.168.2.0/24
P2_NET=192.168.3.0/24
IP1=192.168.2.100
IP2=192.168.3.100
P1=192.168.2.1
P2=192.168.3.1
PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}"
ifconfig vlan3 192.168.3.100 netmask 255.255.255.0 broadcast 192.168.3.255 up
ip route delete default
ip route add $P1_NET dev $IF1 src $IP1 table 10
ip route add default via $P1 table 10
ip route add $P2_NET dev $IF2 src $IP2 table 20
ip route add default via $P2 table 20
ip route add $P1_NET dev $IF1 src $IP1
ip route add $P2_NET dev $IF2 src $IP2
ip rule add from $IP1 table 10
ip rule add from $IP2 table 20
ip route add $P0_NET dev $IF0 table 10
ip route add $P2_NET dev $IF2 table 10
ip route add 127.0.0.0/8 dev lo table 10
ip route add $P0_NET dev $IF0 table 20
ip route add $P1_NET dev $IF1 table 20
ip route add 127.0.0.0/8 dev lo table 20
ip route add default scope global nexthop via $P1 dev $IF1 nexthop via $P2 dev $IF2
echo "0"> /proc/sys/net/ipv4/conf/vlan2/rp_filter
echo "0"> /proc/sys/net/ipv4/conf/vlan3/rp_filter
and the following firewall script
IPTABLES="/usr/sbin/iptables"
iptables -I INPUT -i vlan3 -p icmp -j ACCEPT
NET_INT_INT=br0
NET_INT_IP=192.168.1.1
NET_INT_SUB=24
NET_INT_NET=192.168.1.0
NET_EXT_INT1=vlan2
NET_EXT_IP1=192.168.2.100
NET_EXT_GW1=192.168.2.1
NET_EXT_INT2=vlan3
NET_EXT_IP2=192.168.3.100
NET_EXT_GW2=192.168.3.1
ip route add default scope global nexthop via ${NET_EXT_GW1} dev ${NET_EXT_INT1} nexthop via ${NET_EXT_GW2} dev ${NET_EXT_INT2}
$IPTABLES -F POSTROUTING -t nat
$IPTABLES -t mangle -N ETH1
$IPTABLES -t mangle -F ETH1
$IPTABLES -t mangle -A ETH1 -p tcp -j LOG --log-prefix " MANGLE_TCP_ETH1 "
$IPTABLES -t mangle -A ETH1 -p icmp -j LOG --log-prefix " MANGLE_ICMP_ETH1 "
$IPTABLES -t mangle -A ETH1 -j MARK --set-mark 1
$IPTABLES -t mangle -N ETH2
$IPTABLES -t mangle -F ETH2
$IPTABLES -t mangle -A ETH2 -p tcp -j LOG --log-prefix " MANGLE_TCP_ETH2 "
$IPTABLES -t mangle -A ETH2 -p icmp -j LOG --log-prefix " MANGLE_ICMP_ETH2 "
$IPTABLES -t mangle -A ETH2 -j MARK --set-mark 2
$IPTABLES -t nat -N SPOOF_ETH1
$IPTABLES -t nat -F SPOOF_ETH1
$IPTABLES -t nat -A SPOOF_ETH1 -j LOG --log-prefix " SPOOF_ETH1 "
$IPTABLES -t nat -A SPOOF_ETH1 -j SNAT --to ${NET_EXT_IP1}
$IPTABLES -t nat -N SPOOF_ETH2
$IPTABLES -t nat -F SPOOF_ETH2
$IPTABLES -t nat -A SPOOF_ETH2 -j LOG --log-prefix " SPOOF_ETH2 "
$IPTABLES -t nat -A SPOOF_ETH2 -j SNAT --to ${NET_EXT_IP2}
$IPTABLES -A INPUT -p icmp -s ${NET_INT_NET}/${NET_INT_SUB} -d ${NET_INT_IP} -j ACCEPT
$IPTABLES -t mangle -A OUTPUT -o ! ${NET_INT_INT} -m random --average 50 -j ETH1
$IPTABLES -t mangle -A PREROUTING -i ${NET_INT_INT} -m random --average 50 -j ETH1
$IPTABLES -t mangle -A OUTPUT -o ! ${NET_INT_INT} -m random --average 50 -j ETH2
$IPTABLES -t mangle -A PREROUTING -i ${NET_INT_INT} -m random --average 50 -j ETH2
$IPTABLES -t nat -A POSTROUTING -o ${NET_EXT_INT1} -j SPOOF_ETH1
$IPTABLES -t nat -A POSTROUTING -o ${NET_EXT_INT2} -j SPOOF_ETH2
for RULE in $(nvram get forward_spec)
do
FROM=`echo $RULE | cut -d ">" -f 1`
TO=`echo $RULE | cut -d ">" -f 2`
STATE=`echo $FROM | cut -d ":" -f 2`
PROTO=`echo $FROM | cut -d ":" -f 3`
SPORT=`echo $FROM | cut -d ":" -f 4`
DEST=`echo $TO | cut -d ":" -f 1`
DPORT=`echo $TO | cut -d ":" -f 2`
if [ "$STATE" = "on" ]; then
if [ "$PROTO" = "both" ]; then
iptables -A PREROUTING -t nat -p udp -d ${NET_EXT_IP2} --dport $SPORT -j DNAT --to $DEST:$DPORT
iptables -A PREROUTING -t nat -p tcp -d ${NET_EXT_IP2} --dport $SPORT -j DNAT --to $DEST:$DPORT
else
iptables -A PREROUTING -t nat -p $PROTO -d ${NET_EXT_IP2} --dport $SPORT -j DNAT --to $DEST:$DPORT
fi
fi
done
#apply range forward rules
for RULE in $(nvram get forward_port)
do
FROM=`echo $RULE | cut -d ">" -f 1`
TO=`echo $RULE | cut -d ">" -f 2`
STATE=`echo $FROM | cut -d ":" -f 2`
PROTO=`echo $FROM | cut -d ":" -f 3`
SPORT=`echo $FROM | cut -d ":" -f 4`
EPORT=`echo $FROM | cut -d ":" -f 5`
if [ "$STATE" = "on" ]; then
if [ "$PROTO" = "both" ]; then
iptables -A PREROUTING -t nat -p udp -d ${NET_EXT_IP2} --dport $SPORT:$EPORT -j DNAT --to $TO
iptables -A PREROUTING -t nat -p tcp -d ${NET_EXT_IP2} --dport $SPORT:$EPORT -j DNAT --to $TO
else
iptables -A PREROUTING -t nat -p $PROTO -d ${NET_EXT_IP2} --dport $SPORT:$EPORT -j DNAT --to $TO
fi
fi
done
echo "0"> /proc/sys/net/ipv4/conf/vlan2/rp_filter
echo "0"> /proc/sys/net/ipv4/conf/vlan3/rp_filter
echo "1"> /proc/sys/net/ipv4/ip_forward
I can ping both of the upstream connections. But I can't get the load balancing to work between them.
Posted: Wed Nov 20, 2013 5:59 Post subject: Please help with the firewall of the dualwan
Hello John,
Thanks for the great scripts.
I installed them on my router and after I ran the scripts,
I saw the second WAN IP was imported to NVRAM and the IP routes
and IP rules seem good too, but there might be problem with the
firewall.
I can not access internet after the change.
Though in the router I could ping internet very fast.
Could you please help me check if there is anything wrong with
the firewall?
I noticed in the firewall.firewall script, it imported rules from
NVRAM at the begining of the script.
But I checked and found the result of the below commands are all blank.
nvram get forward_spec
nvram get forward_port
root@unknown1:~# nvram show|grep forward
sshd_forwarding=0
forward_spec=
forward_entries=0
forward_port=
forwardspec_entries=0
size: 28800 bytes (3968 left)
root@unknown1:~# nvram get dmz_enable
0
root@unknown1:~#
Is that normal?
Please let me know if other information is required.
Thanks & Regards,
Marugao Bozu
dualwan.zip
Description:
Please find the scripts I am using and the results attached.
Posted: Tue Aug 25, 2015 18:06 Post subject: conceptual description?
OK, I know this is a very old topic that hasn't seen any updates in a couple of years, but I'm trying to do this and not getting anywhere.
I have a basic understanding of what the scripts are doing, but as my hardware isn't addressed anywhere in this topic, I'm having some problems implementing it. I have three routers available for this- one Linksys WRT320n and two Linksys E1000s.
Can someone familiar with the scripts provide a conceptual decription of what's going on here? I need to know how the VLANs work together to provide failover/load balancing. It would also be nice to know how the firewall rules address load balancing.
I would also love to know how exactly to make one WAN ethernet and the other WAN a WLAN bridge from the neighbors- this is completely legit; we've paid the neighors for nearly a year for access to their wifi, now we have our own cable (DHCP) service. I'd like to continue to pay the neighbors in order to see increased speeds and disparate connections for ISP failover- we have cable and they have DSL.
Any links/updates/info would be appreciated. Otherwise I'm going to have to spend $75 on a commercial load-balancing router, which I'd rather not do.