Joined: 06 Apr 2007 Posts: 545 Location: New Hampshire
Posted: Mon Mar 31, 2008 20:57 Post subject:
Jabroni wrote:
Great guide! I just tested it and it worked great. I just have a question: is there a way to force X TCP port to use just WAN1? Something like what's on the wiki
Code:
# port-pinning rule as on the wiki; multiport needs -p tcp first and uses --dports
iptables -t mangle -A PREROUTING -i $(nvram get lan_ifname) -p tcp -m multiport --dports 22,25,80,110,119,143,443,993,3389 -j MARK --set-mark 0x100
Well, I just had experience trying to figure something like this out.
Joined: 06 Apr 2007 Posts: 545 Location: New Hampshire
Posted: Tue Apr 08, 2008 14:43 Post subject:
Trying this with DHCP soon.
I wrote a script that is in beta, where it uses udhcpc to get a dhcp IP address, and then turns around and puts those values into nvram, which after that, runs the scripts to do the dual wanning.
The only problem is, I am at work right now, not at home, and my WRT is at home. I have also been busy as of late and haven't been able to fully test and fix bugs. I guess buying a new home will do that to you :)
Is anyone able to test with DHCP? (Preferably non-PPPoE, still working on that.)
Linksys EA6500v2 | 5GHz 1st Floor AP | Advanced Tomato 1.28.0000 -2.9-131 K26ARM USB AIO-64K
Netgear WNR2000v3 | 2nd Floor AP | DD-WRT v3.0-r27805 std
Hey, I am willing to test this for DHCP. I have several cable modems that I can test with for this. But I am going to need a little bit of help. There has been so much different code set all around; could someone sum up what I need to put in for a WRT54G v2? Or a 300N v1? I have both. I will test ASAP as long as I can get a little help sorting out what to put in and where. That may sound silly, but I am a hardware guy, not a software guy, and I am a Windows admin just getting into the Linux side, so I am a bit confused. Thanks!
Joined: 06 Apr 2007 Posts: 545 Location: New Hampshire
Posted: Wed Apr 09, 2008 15:39 Post subject:
Alright, I was able to do this at home, and it is working for me. I am doing this on a WRT54GS v2.
For the first WAN, just plug it into the WAN port like normal and leave it alone, setting DD-WRT to do auto config (DHCP).
For the second WAN, first go to the VLAN page and set port 4 up to VLAN 2. Then log into the router using telnet/ssh and set up VLAN2 for port 4:
Code:
nvram set vlan0ports="1 2 3 5*"
nvram set vlan2ports="4 5"
nvram set vlan2hwname=et0
nvram commit
reboot
Then, for the rest of the config, I use 3 different scripts that I put into JFFS. (I am unsure at the moment how to get this to work if you don't have room in JFFS.) All the scripts are located in /jffs/scripts.
First script, I named "udhcpc-vlan2.script"
Code:
#!/bin/sh
# udhcpc script edited by Tim Riker <Tim@Rikers.org>
[ -z "$1" ] && echo "Error: should be called from udhcpc" && exit 1
# RESOLV_CONF is defined at the top of the stock udhcpc script; that line was
# missing from the post, so the usual path is assumed here
RESOLV_CONF="/etc/resolv.conf"
# the case header was also missing from the post; udhcpc passes the event
# name (deconfig, bound, renew) as $1
case "$1" in
renew|bound)
    if [ -n "$router" ] ; then
        echo "deleting routers"
        # default-route handling is deliberately left to routes.firewall
        # while route del default gw 0.0.0.0 dev $interface ; do
        # :
        # done
        # for i in $router ; do
        # route add default gw $i dev $interface
        # done
        echo "$router"
    fi
    echo -n > $RESOLV_CONF
    [ -n "$domain" ] && echo search $domain >> $RESOLV_CONF
    for i in $dns ; do
        echo adding dns $i
        echo nameserver $i >> $RESOLV_CONF
    done
    # store the lease values where routes.firewall and firewall.firewall read them
    nvram set wan2_ifname=$interface
    #nvram set wan2_ifname=vlan3
    nvram set wan2_gateway=$router
    nvram set wan2_ipaddr=$ip
    nvram set wan2_netmask=$subnet
    nvram set wan2_broadcast=$broadcast
    nvram commit
    ifconfig $(nvram get wan2_ifname) $(nvram get wan2_ipaddr) netmask $(nvram get wan2_netmask) up
    ;;
esac
exit 0
Save the script, and
Code:
chmod 755 udhcpc-vlan2.script
What this does is a DHCP request: it gets the IP address and sets the values in NVRAM (IP, netmask, gateway) which are needed by the other scripts.
The second script I named "routes.firewall"
Code:
#!/bin/sh
# policy routing: replies from each WAN address, and packets marked by
# firewall.firewall, are routed through that WAN's own table
ip rule flush
ip rule add lookup main prio 32766
ip rule add lookup default prio 32767
ip rule add from $(nvram get wan_ipaddr) table 100 prio 100
ip rule add fwmark 0x100 table 100 prio 101
ip rule add from $(nvram get wan2_ipaddr) table 200 prio 200
ip rule add fwmark 0x200 table 200 prio 201
ip route flush table 100
ip route flush table 200
# copy every directly connected (scope link) route into both tables so LAN
# and both WAN subnets stay reachable whichever table is consulted
for TABLE in 100 200
do
    ip route | grep link | while read ROUTE
    do
        ip route add table $TABLE to $ROUTE
    done
done
ip route add table 100 default via $(nvram get wan_gateway)
ip route add table 200 default via $(nvram get wan2_gateway)
# main table: replace the single default route with a multipath one
ip route delete default
ip route add default scope global equalize nexthop via $(nvram get wan_gateway) dev $(nvram get wan_ifname) nexthop via $(nvram get wan2_gateway) dev $(nvram get wan2_ifname)
This sets up the routing tables for both interfaces, and throws in the equalize command.
Code:
# third script, firewall.firewall. The post starts part-way through the
# DD-WRT-generated port-forwarding loop: the loop header that sets STATE, PROTO,
# SPORT, EPORT and TO, and the line defining IPTABLES, were not included.
# IPTABLES=iptables is assumed here so the rules below read as written.
IPTABLES=iptables
if [ "$STATE" = "on" ]; then
    if [ "$PROTO" = "both" ]; then
        #udp
        #iptables -A FORWARD -d $(nvram get wan2_ipaddr) -p udp --dport $SPORT:$EPORT -j ACCEPT
        iptables -A PREROUTING -t nat -p udp -d $(nvram get wan2_ipaddr) --dport $SPORT:$EPORT -j DNAT --to $TO
        #tcp
        #iptables -A FORWARD -d $(nvram get wan2_ipaddr) -p tcp --dport $SPORT:$EPORT -j ACCEPT
        iptables -A PREROUTING -t nat -p tcp -d $(nvram get wan2_ipaddr) --dport $SPORT:$EPORT -j DNAT --to $TO
    else
        #iptables -A FORWARD -d $(nvram get wan2_ipaddr) -p $PROTO --dport $SPORT:$EPORT -j ACCEPT
        iptables -A PREROUTING -t nat -p $PROTO -d $(nvram get wan2_ipaddr) --dport $SPORT:$EPORT -j DNAT --to $TO
    fi
fi
done
# the stock DD-WRT rules repeated for the second WAN address
iptables -A PREROUTING -t nat -p icmp -d $(nvram get wan2_ipaddr) -j DNAT --to $(nvram get lan_ipaddr)
if [ $(nvram get remote_management) -eq 1 ]; then
    iptables -A PREROUTING -t nat -p tcp -d $(nvram get wan2_ipaddr) --dport $(nvram get http_wanport) -j DNAT --to $(nvram get lan_ipaddr):$(nvram get http_lanport)
fi
if [ $(nvram get dmz_enable) -eq 1 ]; then
    DMZ_IP=$(nvram get lan_ipaddr | sed -r 's/[0-9]+$//')$(nvram get dmz_ipaddr)
    iptables -A PREROUTING -t nat -d $(nvram get wan2_ipaddr) -j DNAT --to $DMZ_IP
fi
iptables -A PREROUTING -t nat --dest $(nvram get wan2_ipaddr) -j TRIGGER --trigger-type dnat
iptables -A FORWARD -i $(nvram get wan2_ifname) -o $(nvram get lan_ifname) -j TRIGGER --trigger-type in
#iptables -A PREROUTING -t mangle -i $(nvram get wan2_ifname) -j IMQ --todev 0
iptables -A PREROUTING -t mangle -i $(nvram get wan2_ifname) -j SVQOS_IN
iptables -A POSTROUTING -t mangle -o $(nvram get wan2_ifname) -j SVQOS_OUT
#DD-WRT END
# drop the stock MASQUERADE rule; the per-WAN SNAT chains below replace it
$IPTABLES -F POSTROUTING -t nat
# ETH1/ETH2: mark a connection for WAN1 (0x100) or WAN2 (0x200); routes.firewall
# maps these marks to tables 100 and 200
$IPTABLES -t mangle -N ETH1
$IPTABLES -t mangle -F ETH1
#$IPTABLES -t mangle -A ETH1 -p tcp -j LOG --log-prefix " MANGLE_TCP_ETH1 "
#$IPTABLES -t mangle -A ETH1 -p icmp -j LOG --log-prefix " MANGLE_ICMP_ETH1 "
$IPTABLES -t mangle -A ETH1 -j MARK --set-mark 0x100
$IPTABLES -t mangle -N ETH2
$IPTABLES -t mangle -F ETH2
#$IPTABLES -t mangle -A ETH2 -p tcp -j LOG --log-prefix " MANGLE_TCP_ETH2 "
#$IPTABLES -t mangle -A ETH2 -p icmp -j LOG --log-prefix " MANGLE_ICMP_ETH2 "
$IPTABLES -t mangle -A ETH2 -j MARK --set-mark 0x200
# SPOOF_ETH1/2: source-NAT to the address of the WAN the packet leaves on
$IPTABLES -t nat -N SPOOF_ETH1
$IPTABLES -t nat -F SPOOF_ETH1
#$IPTABLES -t nat -A SPOOF_ETH1 -j LOG --log-prefix " SPOOF_ETH1 "
$IPTABLES -t nat -A SPOOF_ETH1 -j SNAT --to $(nvram get wan_ipaddr)
$IPTABLES -t nat -N SPOOF_ETH2
$IPTABLES -t nat -F SPOOF_ETH2
#$IPTABLES -t nat -A SPOOF_ETH2 -j LOG --log-prefix " SPOOF_ETH2 "
$IPTABLES -t nat -A SPOOF_ETH2 -j SNAT --to $(nvram get wan2_ipaddr)
# random 50% split; note MARK does not end rule traversal, so a packet sent to
# ETH1 can still be re-marked by the ETH2 rule that follows
$IPTABLES -t mangle -A OUTPUT -o ! br0 -m random --average 50 -j ETH1
$IPTABLES -t mangle -A PREROUTING -i br0 -m random --average 50 -j ETH1
$IPTABLES -t mangle -A OUTPUT -o ! br0 -m random --average 50 -j ETH2
$IPTABLES -t mangle -A PREROUTING -i br0 -m random --average 50 -j ETH2
$IPTABLES -t nat -A POSTROUTING -o $(nvram get wan_ifname) -j SPOOF_ETH1
$IPTABLES -t nat -A POSTROUTING -o $(nvram get wan2_ifname) -j SPOOF_ETH2
# rp_filter=0 switches off the kernel's reverse-path (anti-spoofing) check;
# the WAN interfaces need it for asymmetric replies, but this loop also
# disables it on br0 and every other interface
RP_PATH=/proc/sys/net/ipv4/conf
for IFACE in `ls $RP_PATH`; do
    echo 0 > $RP_PATH/$IFACE/rp_filter
done
This does the iptables magic, which randomizes the outgoing connections using SNAT and sends them out the different interfaces. Don't forget to
Code:
chmod 755 firewall.firewall
The last step is to set these scripts to run.
In the web GUI, go to Administration > Commands, and put the following in for startup:
After all of that, everything *should* work. It did for me: I got rid of my static IPs, and now things are working great. The only problem I still see, and others might too, is that if both IPs happen to be in the same network, it breaks the dual WAN... unsure why.
Give those scripts a shot. The good thing is there is no more editing of the scripts to your liking; they should just work.
--John
Behind a Raspberry Pi Dual WAN router
Last edited by jbarbieri on Tue Apr 22, 2008 13:12; edited 1 time in total
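An added example, not jbarbieri's script and not part of this thread: a dry-run generator for the policy routing the three scripts set up, which also covers Jabroni's earlier question about pinning chosen TCP ports to WAN1 via fwmark 0x100. It prints the ip and iptables commands instead of running them, so the plan can be checked before it touches a live router, and it refuses to emit anything when the two WAN addresses fall in the same network, the failure mode mentioned in the post. Interface names, addresses, gateways and the PIN_PORTS list are constructed sample values, and LAN_IF=br0 is assumed.

```shell
#!/bin/sh
# Added example (not from the thread): emit the dual-WAN plan instead of
# applying it. Tables 100/200 and marks 0x100/0x200 follow routes.firewall.
PIN_PORTS="${PIN_PORTS:-22,25,443}"   # constructed sample list of ports to pin to WAN1
LAN_IF="${LAN_IF:-br0}"               # assumed LAN bridge name

# ip_to_int DOTTED-QUAD -> unsigned integer (subshell keeps the IFS change local)
ip_to_int() (
    IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# same_subnet IP1 MASK1 IP2 MASK2 -> exit 0 if either address lies inside the
# other's network, i.e. the "both IPs in the same network" case
same_subnet() {
    ip1=$(ip_to_int "$1"); m1=$(ip_to_int "$2")
    ip2=$(ip_to_int "$3"); m2=$(ip_to_int "$4")
    [ $(( ip1 & m1 )) -eq $(( ip2 & m1 )) ] || [ $(( ip1 & m2 )) -eq $(( ip2 & m2 )) ]
}

# gen_dual_wan WAN1_IF WAN1_IP WAN1_MASK WAN1_GW WAN2_IF WAN2_IP WAN2_MASK WAN2_GW
# Prints the rule/route commands plus one mangle rule pinning PIN_PORTS to
# WAN1. Returns 2 and prints nothing on stdout if the WANs share a subnet.
gen_dual_wan() {
    if same_subnet "$2" "$3" "$6" "$7"; then
        echo "refusing: $2/$3 and $6/$7 are in the same network" >&2
        return 2
    fi
    cat <<EOF
ip rule flush
ip rule add lookup main prio 32766
ip rule add lookup default prio 32767
ip rule add from $2 table 100 prio 100
ip rule add fwmark 0x100 table 100 prio 101
ip rule add from $6 table 200 prio 200
ip rule add fwmark 0x200 table 200 prio 201
ip route flush table 100
ip route flush table 200
ip route add table 100 default via $4 dev $1
ip route add table 200 default via $8 dev $5
iptables -t mangle -A PREROUTING -i $LAN_IF -p tcp -m multiport --dports $PIN_PORTS -j MARK --set-mark 0x100
EOF
}

# demo with constructed addresses: sh thisfile.sh --demo
if [ "${1:-}" = "--demo" ]; then
    gen_dual_wan vlan1 203.0.113.10 255.255.255.0 203.0.113.1 \
                 vlan2 198.51.100.20 255.255.255.0 198.51.100.1
fi
```

Pipe the output into sh on the router only once it reads the way you expect; the same-subnet refusal is the check the original scripts lack. Note that the thread's firewall.firewall turns rp_filter off on every interface, which also removes the kernel's source-address check on the LAN side; only the WAN interfaces that see asymmetric return traffic need it.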
Can you set this up for a PPPoE main WAN and one or two VAPs set up as additional WANs? Does this work on the current firmware, or is this still only RC2?