Dual / Triple WAN HowTo | DHCP scripts on Page 5!!!!

jbarbieri
DD-WRT Guru


Joined: 06 Apr 2007
Posts: 545
Location: New Hampshire

Posted: Fri Oct 14, 2011 15:29
For those having problems,

I found a major error in my firewall.firewall script. I was statically assigning the interface instead of using the nvram variable.

My new script is here: http://www.jbarbieri.net/dd-wrt/scripts/firewall.firewall

--John

_________________


Linksys EA6500v2 | 5GHz 1st Floor AP | Advanced Tomato 1.28.0000 -2.9-131 K26ARM USB AIO-64K
Netgear WNR2000v3 | 2nd Floor AP | DD-WRT v3.0-r27805 std

Behind a Raspberry Pi Dual WAN router
utku
DD-WRT Novice


Joined: 02 Nov 2011
Posts: 1

Posted: Wed Nov 02, 2011 20:19
jbarbieri wrote:
For those having problems,

I found a major error in my firewall.firewall script. I was statically assigning the interface instead of using the nvram variable.

My new script is here: http://www.jbarbieri.net/dd-wrt/scripts/firewall.firewall

--John


I installed your scripts on e2000, working quite well, thanks a lot! But I am also reading them to be able to add some customization for my needs; however, the following lines confused me a little.

Isn't there a 25% chance of no marking being done? I mean, there are 2 random lines:

$IPTABLES -t mangle -A RANDOM -m random --average 50 -j ETH1
$IPTABLES -t mangle -A RANDOM -m random --average 50 -j ETH2

what if none of them gets hit ?

maybe something like this would solve that:

$IPTABLES -t mangle -j ETH2
$IPTABLES -t mangle -A RANDOM -m random --average 50 -j ETH1

I may be completely wrong here, still experimenting.

My aim is to redirect all traffic for web and ssh to en1 and the rest to be balanced between wan2 and wan1

I am adding
$IPTABLES -t mangle -A RANDOM -p tcp --dports 22,80 -j ETH1

line to RANDOM chain but does not seem to have any effect.
jbarbieri
DD-WRT Guru


Joined: 06 Apr 2007
Posts: 545
Location: New Hampshire

Posted: Wed Nov 02, 2011 20:31
To be honest, I cannot recall, as the new module is a little different.

One way to tell is to look at the number of packets that are sent to the random chain, and then under the random chain, add up the number of packets for each statement.

If I remember correctly, it was 50% when I ran it.

If you are concerned, change this line:

Code:


$IPTABLES -t mangle -A RANDOM -m random --average 50 -j ETH1
$IPTABLES -t mangle -A RANDOM -m random --average 50 -j ETH2


to this:

Code:


$IPTABLES -t mangle -A RANDOM -m random --average 50 -j ETH1
$IPTABLES -t mangle -A RANDOM -j ETH2


That forces everything else that didn't get matched the first time to go to the second chain.

--John

khael
DD-WRT User


Joined: 13 Mar 2008
Posts: 101

Posted: Sun Dec 11, 2011 15:15
hi
sorry but i have a problem:
i have e320@e2000 (60k nvram).
i enable jffs2, enable clean_jffs2 for format.
But i can't enter and create a folder /etc/config

Quote:
Command 'mkdir "New folder"'
failed with return code 1 and error message
.


also with mkdir doesn't work...
can you help me?
thanks!
jbarbieri
DD-WRT Guru


Joined: 06 Apr 2007
Posts: 545
Location: New Hampshire

Posted: Mon Dec 12, 2011 15:26
khael wrote:
hi
sorry but i have a problem:
i have e320@e2000 (60k nvram).
i enable jffs2, enable clean_jffs2 for format.
But i can't enter and create a folder /etc/config

Quote:
Command 'mkdir "New folder"'
failed with return code 1 and error message
.


also with mkdir doesn't work...
can you help me?
thanks!


You would probably have to mkdir /jffs/etc/config, as that folder is writeable and will also survive reboots.

bile
DD-WRT Novice


Joined: 03 Feb 2012
Posts: 3

Posted: Thu Feb 09, 2012 5:04
Anyone gotten dual wan working on a WHR-HP-AG300H?
hyperangel
DD-WRT Novice


Joined: 16 Mar 2012
Posts: 1

Posted: Fri Mar 16, 2012 18:58
Hi, I have a wrt610n v1 and got everything installed as stated. Still having trouble getting the second WAN to work. I can only activate 1 WAN at a time? If I change to vlan3 in the dd-wrt web GUI, I can see my 2nd modem online, but not the 1st. If I change to vlan2, then my 1st modem is online but not the 2nd. I can't get them both to go on together.
I know I'm getting close. Please help.

P.S. 1st modem ip: 66.XXX.XXX.XXX
2nd modem ip 98.XXX.XXX.XXX

DD-WRT v24-sp2 (08/12/10) mega
(SVN revision 14929)
----------------------------------------
nvram set vlan1ports="2 3 4 8*"
nvram set vlan3ports="1 8"
nvram set vlan3hwname=et0
nvram commit
reboot

Administration Commands
"Startup"
sleep 10
udhcpc -s /jffs/scripts/udhcpc-wan2.script -i vlan3

"Firewall"
/jffs/scripts/routes.firewall
/jffs/scripts/firewall.firewall

----------------------------------------------
"telnet ifconfig"
----------------------------------------------
br0 Link encap:Ethernet HWaddr 00:21:XX:XX:XX:14
inet addr:192.168.1.1 Bcast:192.168.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
RX packets:2640515 errors:0 dropped:0 overruns:0 frame:0
TX packets:4965069 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:257514827 (245.5 MiB) TX bytes:2664275262 (2.4 GiB)

br0:0 Link encap:Ethernet HWaddr 00:21:XX:XX:XX:14
inet addr:169.254.255.1 Bcast:169.254.255.255 Mask:255.255.0.0
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1

eth0 Link encap:Ethernet HWaddr 00:21:XX:XX:XX:16
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:555 errors:0 dropped:0 overruns:0 frame:1376047
TX packets:5863 errors:1375 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:69367 (67.7 KiB) TX bytes:1636122 (1.5 MiB)
Interrupt:6 Base address:0x4000

eth2 Link encap:Ethernet HWaddr 00:21:XX:XX:XX:14
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:7776052 errors:0 dropped:0 overruns:0 frame:0
TX packets:7562806 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:2816884377 (2.6 GiB) TX bytes:2940814555 (2.7 GiB)
Interrupt:5 Memory:18010000-18020000

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MULTICAST MTU:16436 Metric:1
RX packets:315 errors:0 dropped:0 overruns:0 frame:0
TX packets:315 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:19180 (18.7 KiB) TX bytes:19180 (18.7 KiB)

vlan1 Link encap:Ethernet HWaddr 00:21:XX:XX:XX:14
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:2640381 errors:0 dropped:0 overruns:0 frame:0
TX packets:4964657 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:257480601 (245.5 MiB) TX bytes:2663535033 (2.4 GiB)

vlan2 Link encap:Ethernet HWaddr 00:21:XX:XX:XX:15
inet addr:66.XX.XX.240 Bcast:66.255.255.255 Mask:255.255.252.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:5036268 errors:0 dropped:0 overruns:0 frame:0
TX packets:2579134 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:2512597633 (2.3 GiB) TX bytes:270675120 (258.1 MiB)

vlan3 Link encap:Ethernet HWaddr 48:XX:XX:0A:2A:18 <-PC clone MAC. changed last 2 sets.
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:99541 errors:0 dropped:0 overruns:0 frame:0
TX packets:19145 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:46805997 (44.6 MiB) TX bytes:6604402 (6.2 MiB)

--------------------------
udhcpc-wan2.script:
--------------------------

#!/bin/sh
# udhcpc script edited by Tim Riker <Tim@Rikers.org>
[ -z "$1" ] && echo "Error: should be called from udhcpc" && exit 1

ifconfig $interface up

RESOLV_CONF="/etc/resolv.conf"
[ -n "$broadcast" ] && BROADCAST="broadcast $broadcast"
[ -n "$subnet" ] && NETMASK="netmask $subnet"

case "$1" in
deconfig)
/sbin/ifconfig $interface 0.0.0.0
;;

renew|bound)
# /sbin/ifconfig $interface $ip $BROADCAST $NETMASK
echo "$ip $BROADCAST $NETMASK"

if [ -n "$router" ] ; then
# echo "deleting routers"
# while route del default gw 0.0.0.0 dev $interface ; do
# :
# done

# for i in $router ; do
# route add default gw $i dev $interface
# done
# echo "$router"
fi

echo -n > $RESOLV_CONF
[ -n "$domain" ] && echo search $domain >> $RESOLV_CONF
for i in $dns ; do
# echo adding dns $i
# echo nameserver $i >> $RESOLV_CONF
done
nvram set wan2_ifname=$interface
nvram set wan2_gateway=$router
nvram set wan2_ipaddr=$ip
nvram set wan2_netmask=$subnet
nvram set wan2_broadcast=$broadcast
nvram commit
ifconfig $(nvram get wan2_ifname) $(nvram get wan2_ipaddr) netmask $(nvram get wan2_netmask) up
;;
esac

exit 0

--------------------------
routes.firewall
--------------------------
#!/bin/sh
echo "Flushing rules" >> /var/log/messages
ip rule flush
echo "Rebuilding rules and tables" >> /var/log/messages
ip rule add lookup main prio 32766
ip rule add lookup default prio 32767
ip rule add from $(nvram get wan_ipaddr) table 100 prio 100
ip rule add fwmark 0x100 table 100 prio 101
ip rule add from $(nvram get wan2_ipaddr) table 200 prio 200
ip rule add fwmark 0x200 table 200 prio 201
ip route flush table 100
ip route flush table 200
for TABLE in 100 200
do
ip route | grep link | while read ROUTE
do
ip route add table $TABLE to $ROUTE
done
done
ip route add table 100 default via $(nvram get wan_gateway)
ip route add table 200 default via $(nvram get wan2_gateway)
echo "Deleting default route" >> /var/log/messages
ip route delete default
echo "Adding in equalized route" >> /var/log/messages
ip route add default scope global equalize nexthop via $(nvram get wan_gateway) dev $(nvram get wan_ifname) nexthop via $(nvram get wan2_gateway) dev $(nvram get wan2_ifname)
echo "routes.firewall completed" >> /var/log/messages

--------------------------
firewall.firewall
--------------------------
#!/bin/sh
insmod ipt_CONNMARK
insmod ipt_mark
echo "`date` Flushing and adding new firewall rules" >> /var/log/messages
IPTABLES="/jffs/iptables"
for RULE in $(nvram get forward_spec)
do
FROM=`echo $RULE | cut -d '>' -f 1`
TO=`echo $RULE | cut -d '>' -f 2`
STATE=`echo $FROM | cut -d ':' -f 2`
PROTO=`echo $FROM | cut -d ':' -f 3`
SPORT=`echo $FROM | cut -d ':' -f 4`
DEST=`echo $TO | cut -d ':' -f 1`
DPORT=`echo $TO | cut -d ':' -f 2`

if [ "$STATE" = "on" ]; then
if [ "$PROTO" = "both" ]; then
iptables -A PREROUTING -t nat -p udp -d $(nvram get wan2_ipaddr) --dport $SPORT -j DNAT --to $DEST:$DPORT
iptables -A PREROUTING -t nat -p tcp -d $(nvram get wan2_ipaddr) --dport $SPORT -j DNAT --to $DEST:$DPORT
else
iptables -A PREROUTING -t nat -p $PROTO -d $(nvram get wan2_ipaddr) --dport $SPORT -j DNAT --to $DEST:$DPORT
fi
fi
done
for RULE in $(nvram get forward_port)
do
FROM=`echo $RULE | cut -d '>' -f 1`
TO=`echo $RULE | cut -d '>' -f 2`
STATE=`echo $FROM | cut -d ':' -f 2`
PROTO=`echo $FROM | cut -d ':' -f 3`
SPORT=`echo $FROM | cut -d ':' -f 4`
EPORT=`echo $FROM | cut -d ':' -f 5`

if [ "$STATE" = "on" ]; then
if [ "$PROTO" = "both" ]; then
iptables -A PREROUTING -t nat -p udp -d $(nvram get wan2_ipaddr) --dport $SPORT:$EPORT -j DNAT --to $TO
iptables -A PREROUTING -t nat -p tcp -d $(nvram get wan2_ipaddr) --dport $SPORT:$EPORT -j DNAT --to $TO
else
iptables -A PREROUTING -t nat -p $PROTO -d $(nvram get wan2_ipaddr) --dport $SPORT:$EPORT -j DNAT --to $TO
fi
fi
done
iptables -A PREROUTING -t nat -p icmp -d $(nvram get wan2_ipaddr) -j DNAT --to $(nvram get lan_ipaddr)
if [ $(nvram get remote_management) -eq 1 ]; then
iptables -A PREROUTING -t nat -p tcp -d $(nvram get wan2_ipaddr) --dport $(nvram get http_wanport) -j DNAT --to $(nvram get lan_ipaddr):$(nvram get http_lanport)
fi
if [ $(nvram get dmz_enable) -eq 1 ]; then
DMZ_IP=$(nvram get lan_ipaddr | sed -r 's/[0-9]+$//')$(nvram get dmz_ipaddr)
iptables -A PREROUTING -t nat -d $(nvram get wan2_ipaddr) -j DNAT --to $DMZ_IP
fi
iptables -A PREROUTING -t nat --dest $(nvram get wan2_ipaddr) -j TRIGGER --trigger-type dnat
iptables -A FORWARD -i $(nvram get wan2_ifname) -o $(nvram get lan_ifname) -j TRIGGER --trigger-type in
$IPTABLES -t mangle -F PREROUTING
$IPTABLES -t mangle -F OUTPUT
$IPTABLES -F POSTROUTING -t nat
$IPTABLES -t mangle -N ETH1
$IPTABLES -t mangle -F ETH1
$IPTABLES -t mangle -A ETH1 -j MARK --set-mark 0x100
$IPTABLES -t mangle -A ETH1 -j CONNMARK --save-mark
$IPTABLES -t mangle -N ETH2
$IPTABLES -t mangle -F ETH2
$IPTABLES -t mangle -A ETH2 -j MARK --set-mark 0x200
$IPTABLES -t mangle -A ETH2 -j CONNMARK --save-mark
$IPTABLES -t mangle -N RANDOM
$IPTABLES -t mangle -F RANDOM
$IPTABLES -t mangle -A RANDOM -m random --average 50 -j ETH1
$IPTABLES -t mangle -A RANDOM -m random --average 50 -j ETH2
$IPTABLES -t nat -N SPOOF_ETH1
$IPTABLES -t nat -F SPOOF_ETH1
$IPTABLES -t nat -A SPOOF_ETH1 -j SNAT --to $(nvram get wan_ipaddr)
$IPTABLES -t nat -N SPOOF_ETH2
$IPTABLES -t nat -F SPOOF_ETH2
$IPTABLES -t nat -A SPOOF_ETH2 -j SNAT --to $(nvram get wan2_ipaddr)
$IPTABLES -t filter -N keep_state
$IPTABLES -t filter -A keep_state -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -t filter -A keep_state -j RETURN
$IPTABLES -t nat -A keep_state -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -t nat -A keep_state -j RETURN
$IPTABLES -t nat -I PREROUTING -j keep_state
$IPTABLES -t nat -I OUTPUT -j keep_state
$IPTABLES -t filter -I INPUT -j keep_state
$IPTABLES -t filter -I FORWARD -j keep_state
$IPTABLES -t filter -I OUTPUT -j keep_state
$IPTABLES -t nat -I POSTROUTING -j keep_state
$IPTABLES -t nat -A POSTROUTING -o $(nvram get wan_ifname) -j SPOOF_ETH1
$IPTABLES -t nat -A POSTROUTING -o $(nvram get wan2_ifname) -j SPOOF_ETH2
$IPTABLES -t mangle -A FORWARD -j CONNMARK --restore-mark
$IPTABLES -t mangle -A FORWARD -i $(nvram get wan_ifname) -j ETH1
$IPTABLES -t mangle -A FORWARD -i $(nvram get wan2_ifname) -j ETH2
$IPTABLES -t mangle -A PREROUTING -i br0 -m state --state NEW -j RANDOM
$IPTABLES -t mangle -A PREROUTING -m mark --mark 0x100 -j ACCEPT
$IPTABLES -t mangle -A PREROUTING -m mark --mark 0x200 -j ACCEPT
$IPTABLES -t mangle -A PREROUTING -i $(nvram get wan_ifname) -j ETH1
$IPTABLES -t mangle -A PREROUTING -i $(nvram get wan2_ifname) -j ETH2
# Rate Limit
$IPTABLES -N rate_limit
$IPTABLES -F rate_limit
$IPTABLES -A rate_limit -p tcp --dport 22 -m limit --limit 3/min --limit-burst 3 -j ACCEPT
$IPTABLES -A rate_limit -p ICMP --icmp-type echo-request -m limit --limit 3/sec -j ACCEPT
$IPTABLES -A rate_limit -p ! ICMP -j LOG --log-prefix " Connection dropped!! "
$IPTABLES -A rate_limit -p tcp -j REJECT --reject-with tcp-reset
$IPTABLES -A rate_limit -p udp -j REJECT --reject-with icmp-port-unreachable
$IPTABLES -A rate_limit -j DROP
# Add Limits
$IPTABLES -I INPUT -p ICMP --icmp-type echo-request -j rate_limit
$IPTABLES -I INPUT -p tcp --dport 22 -m state --state NEW -j rate_limit
RP_PATH=/proc/sys/net/ipv4/conf
for IFACE in `ls $RP_PATH`; do
echo 0 > $RP_PATH/$IFACE/rp_filter
done
echo "`date` firewall.firewall is now completed" >> /var/log/messages
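
Added example (not part of any post in this thread): a small model of how a NEW packet from br0 walks the RANDOM chain of the firewall.firewall above, applied to the two rule pairs discussed earlier in the thread and to a third, constructed pair that guards the second rule with `-m mark --mark 0`. It assumes the `random` match fires independently per rule and that ETH1 and ETH2 hold only MARK and CONNMARK rules, as in the script above; those targets do not end traversal, so a packet that matched the first rule is still tested against the second. The names `mark_distribution` and `rules_*` are made up for this example.

```shell
#!/bin/sh
# Added example: exact final-mark split for a RANDOM chain.
# Model assumptions:
#   - a packet enters RANDOM unmarked (NEW connection arriving on br0);
#   - "-m random --average N" matches N% of packets, independently per rule;
#   - ETH1/ETH2 contain only MARK and CONNMARK, which do not end traversal,
#     so the packet returns to RANDOM and is tested against the next rule.

# Reads "-A RANDOM ..." rule lines on stdin and prints the share of packets
# (in percent) that leave the chain unmarked, marked by ETH1, or by ETH2.
mark_distribution() {
    awk '
    BEGIN { share["unmarked"] = 100; share["ETH1"] = 0; share["ETH2"] = 0 }
    / -A RANDOM / {
        avg = 100; target = ""; only_unmarked = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "--average") avg = $(i + 1)
            if ($i == "-j")        target = $(i + 1)
            # "-m mark --mark 0": rule applies only to packets with no mark yet
            if ($i == "--mark" && ($(i + 1) == "0" || $(i + 1) == "0x0"))
                only_unmarked = 1
        }
        if (target == "") next
        moved = 0
        for (m in share) {
            if (only_unmarked && m != "unmarked") continue
            hit = share[m] * avg / 100   # part of this group the rule matches
            share[m] -= hit
            moved += hit
        }
        share[target] += moved           # the last matching rule sets the mark
    }
    END {
        printf "unmarked=%g ETH1=%g ETH2=%g\n", share["unmarked"], share["ETH1"], share["ETH2"]
    }'
}

# Rule pair as posted in firewall.firewall.
# -> unmarked=25 ETH1=25 ETH2=50
rules_original() {
cat <<'EOF'
$IPTABLES -t mangle -A RANDOM -m random --average 50 -j ETH1
$IPTABLES -t mangle -A RANDOM -m random --average 50 -j ETH2
EOF
}

# Rule pair with the unconditional second rule suggested in the thread.
# -> unmarked=0 ETH1=0 ETH2=100
rules_catch_all() {
cat <<'EOF'
$IPTABLES -t mangle -A RANDOM -m random --average 50 -j ETH1
$IPTABLES -t mangle -A RANDOM -j ETH2
EOF
}

# Constructed variant (not from the thread): second rule only for unmarked packets.
# -> unmarked=0 ETH1=50 ETH2=50
rules_guarded() {
cat <<'EOF'
$IPTABLES -t mangle -A RANDOM -m random --average 50 -j ETH1
$IPTABLES -t mangle -A RANDOM -m mark --mark 0 -j ETH2
EOF
}

for name in rules_original rules_catch_all rules_guarded; do
    printf '%-16s %s\n' "$name" "$("$name" | mark_distribution)"
done
```

On the router, the per-rule packet counters from `iptables -t mangle -L RANDOM -v -n` show how often each rule matched, which is the check suggested earlier in the thread.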
bohemus
DD-WRT Novice


Joined: 13 Apr 2012
Posts: 11

Posted: Fri Apr 20, 2012 20:35
black6spdz wrote:
mstombs wrote:
black6spdz wrote:
gave up on dd-wrt, found Tomato DualWAN EN version, flashed it and it works right out of the box!


Is that my GUI mod of the Chinese DualWAN buggy code - with possible backdoors as no source-code ever released?


Why is it buggy? It works absolutely flawless with my two 6Mb DSL lines load balanced and with line test / failover. QoS works perfect too and very easy to setup. Have you run a portscan on a box or observed any traffic besides NTP or ICMP coming out to substantiate a claim of backdoors? I'm a long time fan of DD-WRT and I still run it on my main RSPro router but for anyone not wanting to fumble with scripts and whatnot the Tomato DualWan is a dream come true.. Why don't they build a preconfigured dual/multiwan dd-wrt with a gui? Couple that with a highpower unit such as a 610N or 16N router and the peplink/Cisco small business dualwan routers have some serious competition.


I'm planning to use Tomato DualWAN on a wrt160n. Would like to use the WLAN configured in client mode as one of the WAN's and a cable modem connected to the WAN port as the other WAN. Is this possible with this firmware?
h-cross
DD-WRT Novice


Joined: 22 Aug 2011
Posts: 16
Location: Thessaloniki

Posted: Fri Apr 20, 2012 21:22
bohemus wrote:
I'm planning to use Tomato DualWAN on a wrt160n. Would like to use the WLAN configured in client mode as one of the WAN's and a cable modem connected to the WAN port as the other WAN. Is this possible with this firmware?


Why use Tomato? DDWRT does the job.

Check my current setup:

    WRT54G v2.2 in Repeater Mode (using ddwrt v23 SP2 svn 3932 mini due to broken iptables), the Dual Wan router
    WRT54GL v1.1 in Repeater Mode (this feeds the second WAN)


and it's working just fine!

_________________
2 x Linksys WRT54GL v1.1
1 x Linksys WRT54G v2.2 [Dual WAN]
1 x Linksys E2500
bohemus
DD-WRT Novice


Joined: 13 Apr 2012
Posts: 11

Posted: Fri Apr 20, 2012 21:27
Seems a lot easier than having to deal with all these scripts. Unless this functionality works in the GUI, it's just too much hassle for a simple user like me.
rsriram22
DD-WRT Novice


Joined: 24 Apr 2012
Posts: 30

Posted: Wed Jul 04, 2012 23:46    Post subject: works on WNR2500L (v1)
great post.. after a long google search, i landed here. i am trying to enable dual WAN (both ISPs give me DHCP address) on my WNR3500L(v1) using the scripts here.

Will post my experience once I get 'there'. Anyone here tried this on WNR3500L already?

UPDATE: I was able to get these scripts to work on my WNR3500L. Thanks OP!

Three tips I need to mention to make it work:

1) The logical and physical ports are mapped in reverse order - 1,2,3,4 physical ports are 4,3,2,1 for vlans

2) The dhcp script command had to be changed to remove the 'routes.firewall' and

3) The firewall commands had to be given 1 per line (in the UI) for the firewall.firewall script to run; otherwise it was not working.

Lastly, this works only if both the WAN ports are connected. If one of them is not connected (or) loses its IP, all the clients lose internet connectivity...
mnour.tamer
DD-WRT Novice


Joined: 18 May 2012
Posts: 45

Posted: Wed Aug 15, 2012 15:53
Hello

I have an Asus N-16 and I am using the latest firmware of DD-WRT mega 19519.

I am testing dual wan using two ports
The first one is a DHCP client to another device which is directly connected to the Modem.
The second one is connected through RG-45 to a router that has a 3G USB stick connected.

I am using this Tutorial
http://www.darkhawk.net/dd-wrt/scripts/_readme-first.txt

Of course there are some differences, let's go step by step.

-----------------------------------------------------

1. Make sure nothing is connected to port 4 on the router (will hook 2nd WAN device here later).

2. Log into router gui and goto Setup > VLANS and change port 4 to vlan 3, click save and then apply settings.

3. Make sure your sshd or telnet and jffs is enabled and you have at least 180k free space.

4. Log into router using your favorite ssh or telnet client (I use Putty).

5. type mkdir /jffs/scripts if it doesn't complain it worked.

6. type cd /jffs and hit enter then type wget http://www.darkhawk.net/dd-wrt/scripts/iptables and enter.
(This downloads iptables to jffs folder).

7. Type cd scripts and enter then type the following:
wget http://www.darkhawk.net/dd-wrt/scripts/firewall.firewall
wget http://www.darkhawk.net/dd-wrt/scripts/routes.firewall
wget http://www.darkhawk.net/dd-wrt/scripts/udhcpc-wan2.script

8. Type chmod -R a+x /jffs and enter.

9. Next type the following:

nvram set vlan1ports="3 2 1 8*"
nvram set vlan3ports="4 8"
nvram set vlan3hwname=et0
nvram set rc_startup="udhcpc -s /jffs/scripts/udhcpc-wan2.scripts -i vlan3 /jffs/scripts/routes.firewall"
nvram set rc_firewall="/jffs/scripts/routes.firewall /jffs/scripts/firewall.firewall"
nvram commit
reboot

-----------------------------------------------------

until now everything is OK.

10. Router should reboot now and come back up calling the scripts. Plug 2nd WAN device into port 4.

11. Log into router via ssh or telnet and type ifconfig. You should see vlan1 and vlan2 and both should have an ip address.

--- there is no IP address for the Wan2

-----------------------------------------------------

12. If you don't see vlan2 you didn't do something right so start over. If vlan2 doesn't have an ip address run:
udhcpc -s /jffs/scripts/udhcpc-wan2.script -i vlan2 and see what happens. (If it throws an error or hangs
something is wrong with the file maybe. If it shows an ip then you are golden.

---- Done after changing vlan2 to vlan3 so

udhcpc -s /jffs/scripts/udhcpc-wan2.script -i vlan3

-----------------------------------------------------

Next run
/jffs/scripts/routes.firewall and then /jffs/scripts/firewall.firewall and if neither show errors then you are good to go.

---- it threw me an error

-sh: /jffs/scripts/routes.firewall: not found

and by the way I changed vlan1 to vlan2 and vlan2 to vlan3 in the file firewall.firewall


so any Help please???




wtf911
DD-WRT Novice


Joined: 01 May 2012
Posts: 9

Posted: Mon Nov 12, 2012 7:43
e1000 v1 running:
DD-WRT v24-sp2 (04/07/12) mini
(SVN revision 18946M NEWD-2 K2.6 Eko)
-----------------------------------------------------------------------------
vlans in the vlan web gui page = uncheck port 4 from vlan1 and change it to vlan3
-----------------------------------------------------------------------------
vlans in nvram telnet after setting =

root@DD-WRT:~# nvram show | grep vlan.*ports
vlan2ports=0 5
vlan0ports=1 2 3 5*
vlan3ports=4 5
vlan1ports=4 3 2 5*
size: 20057 bytes (12711 left)
-----------------------------------------------------------------------------
to change vlan ports in nvram in telnet =

nvram set vlan0ports="1 2 3 5*"
nvram set vlan1ports="4 3 2 5*"
nvram set vlan3ports="4 5"
nvram commit
reboot

-----------------------------------------------------------------------------
under administration in the web gui under commands =

startup:
udhcpc -i vlan3 -s /jffs/scripts/udhcpc-wan2.script

firewall:
/jffs/scripts/routes.firewall
sleep 2
/jffs/scripts/firewall.firewall

----------------------------------------------------------------------------------------------------------------------

#!/bin/sh
# udhcpc script edited by Tim Riker <Tim@Rikers.org>
[ -z "$1" ] && echo "Error: should be called from udhcpc" && exit 1

ifconfig $interface up

RESOLV_CONF="/etc/resolv.conf"
[ -n "$broadcast" ] && BROADCAST="broadcast $broadcast"
[ -n "$subnet" ] && NETMASK="netmask $subnet"

case "$1" in
deconfig)
/sbin/ifconfig $interface 0.0.0.0
;;

renew|bound)
# /sbin/ifconfig $interface $ip $BROADCAST $NETMASK
echo "$ip $BROADCAST $NETMASK"

# echo "deleting routers"
# while route del default gw 0.0.0.0 dev $interface ; do
# :
# done

# for i in $router ; do
# route add default gw $i dev $interface
# done
# echo "$router"

echo -n > $RESOLV_CONF
[ -n "$domain" ] && echo search $domain >> $RESOLV_CONF
for i in $dns ; do
# echo adding dns $i
# echo nameserver $i >> $RESOLV_CONF
done
nvram set wan2_ifname=$interface
nvram set wan2_gateway=$router
nvram set wan2_ipaddr=$ip
nvram set wan2_netmask=$subnet
nvram set wan2_broadcast=$broadcast
nvram commit
ifconfig $(nvram get wan2_ifname) $(nvram get wan2_ipaddr) netmask $(nvram get wan2_netmask) up
;;
esac

exit 0

^ udhcpc-wan2.script
----------------------------------------------------------------------------------------------------------------------

#!/bin/sh

ip rule flush

ip rule add lookup main prio 32766
ip rule add lookup default prio 32767

ip rule add from $(nvram get wan_ipaddr) table 100 prio 100
ip rule add fwmark 0x100 table 100 prio 101

ip rule add from $(nvram get wan2_ipaddr) table 200 prio 200
ip rule add fwmark 0x200 table 200 prio 201

ip route flush table 100
ip route flush table 200

for TABLE in 100 200
do
ip route | grep link | while read ROUTE
do
ip route add table $TABLE to $ROUTE
done
done

ip route add table 100 default via $(nvram get wan_gateway)
ip route add table 200 default via $(nvram get wan2_gateway)
ip route delete default
ip route add default scope global equalize nexthop via $(nvram get wan_gateway) dev $(nvram get wan_ifname) nexthop via $(nvram get wan2_gateway) dev $(nvram get wan2_ifname)

^ routes.firewall
----------------------------------------------------------------------------------------------------------------------

#!/bin/sh
insmod ipt_CONNMARK
IPTABLES="/usr/sbin/iptables"

#DD-WRT firewall rules #BEGIN

#apply simple forward rules

for RULE in $(nvram get forward_spec)
do
FROM=`echo $RULE | cut -d '>' -f 1`
TO=`echo $RULE | cut -d '>' -f 2`
STATE=`echo $FROM | cut -d ':' -f 2`
PROTO=`echo $FROM | cut -d ':' -f 3`
SPORT=`echo $FROM | cut -d ':' -f 4`
DEST=`echo $TO | cut -d ':' -f 1`
DPORT=`echo $TO | cut -d ':' -f 2`

if [ "$STATE" = "on" ]; then
if [ "$PROTO" = "both" ]; then
iptables -A PREROUTING -t nat -p udp -d $(nvram get wan2_ipaddr) --dport $SPORT -j DNAT --to $DEST:$DPORT
iptables -A PREROUTING -t nat -p tcp -d $(nvram get wan2_ipaddr) --dport $SPORT -j DNAT --to $DEST:$DPORT
else
iptables -A PREROUTING -t nat -p $PROTO -d $(nvram get wan2_ipaddr) --dport $SPORT -j DNAT --to $DEST:$DPORT
fi
fi
done

#apply range forward rules
for RULE in $(nvram get forward_port)
do
FROM=`echo $RULE | cut -d '>' -f 1`
TO=`echo $RULE | cut -d '>' -f 2`
STATE=`echo $FROM | cut -d ':' -f 2`
PROTO=`echo $FROM | cut -d ':' -f 3`
SPORT=`echo $FROM | cut -d ':' -f 4`
EPORT=`echo $FROM | cut -d ':' -f 5`

if [ "$STATE" = "on" ]; then
if [ "$PROTO" = "both" ]; then
iptables -A PREROUTING -t nat -p udp -d $(nvram get wan2_ipaddr) --dport $SPORT:$EPORT -j DNAT --to $TO
iptables -A PREROUTING -t nat -p tcp -d $(nvram get wan2_ipaddr) --dport $SPORT:$EPORT -j DNAT --to $TO
else
iptables -A PREROUTING -t nat -p $PROTO -d $(nvram get wan2_ipaddr) --dport $SPORT:$EPORT -j DNAT --to $TO
fi
fi
done

iptables -A PREROUTING -t nat -p icmp -d $(nvram get wan2_ipaddr) -j DNAT --to $(nvram get lan_ipaddr)

if [ $(nvram get remote_management) -eq 1 ]; then
iptables -A PREROUTING -t nat -p tcp -d $(nvram get wan2_ipaddr) --dport $(nvram get http_wanport) -j DNAT --to $(nvram get lan_ipaddr):$(nvram get http_lanport)
fi

if [ $(nvram get dmz_enable) -eq 1 ]; then
DMZ_IP=$(nvram get lan_ipaddr | sed -r 's/[0-9]+$//')$(nvram get dmz_ipaddr)
iptables -A PREROUTING -t nat -d $(nvram get wan2_ipaddr) -j DNAT --to $DMZ_IP
fi

iptables -A PREROUTING -t nat --dest $(nvram get wan2_ipaddr) -j TRIGGER --trigger-type dnat
iptables -A FORWARD -i $(nvram get wan2_ifname) -o $(nvram get lan_ifname) -j TRIGGER --trigger-type in

#DD-WRT END

$IPTABLES -F POSTROUTING -t nat
$IPTABLES -t mangle -N ETH1
$IPTABLES -t mangle -F ETH1
$IPTABLES -t mangle -A ETH1 -j MARK --set-mark 0x100
$IPTABLES -t mangle -N ETH2
$IPTABLES -t mangle -F ETH2
$IPTABLES -t mangle -A ETH2 -j MARK --set-mark 0x200
$IPTABLES -t nat -N SPOOF_ETH1
$IPTABLES -t nat -F SPOOF_ETH1
$IPTABLES -t nat -A SPOOF_ETH1 -j LOG --log-prefix " SPOOF_ETH1 "
$IPTABLES -t nat -A SPOOF_ETH1 -j SNAT --to $(nvram get wan_ipaddr)
$IPTABLES -t nat -N SPOOF_ETH2
$IPTABLES -t nat -F SPOOF_ETH2
$IPTABLES -t nat -A SPOOF_ETH2 -j LOG --log-prefix " SPOOF_ETH2 "
$IPTABLES -t nat -A SPOOF_ETH2 -j SNAT --to $(nvram get wan2_ipaddr)
#Save the gateway in the connection mark for new incoming connections
$IPTABLES -I FORWARD -t mangle -i $(nvram get wan_ifname) -j MARK --set-mark 0x100
$IPTABLES -I FORWARD -t mangle -o $(nvram get wan_ifname) -j MARK --set-mark 0x100
$IPTABLES -I FORWARD -t mangle -o $(nvram get wan2_ifname) -j MARK --set-mark 0x200
$IPTABLES -I FORWARD -t mangle -i $(nvram get wan2_ifname) -j MARK --set-mark 0x200
$IPTABLES -A FORWARD -t mangle -j CONNMARK --save-mark
$IPTABLES -I INPUT -t mangle -i $(nvram get wan_ifname) -j MARK --set-mark 0x100
$IPTABLES -I INPUT -t mangle -i $(nvram get wan2_ifname) -j MARK --set-mark 0x200
$IPTABLES -A INPUT -t mangle -j CONNMARK --save-mark
$IPTABLES -t mangle -A PREROUTING -i $(nvram get wan_ifname) -m conntrack --ctstate NEW -j CONNMARK --set-mark 0x100
$IPTABLES -t mangle -A PREROUTING -i $(nvram get wan2_ifname) -m conntrack --ctstate NEW -j CONNMARK --set-mark 0x200
$IPTABLES -A POSTROUTING -t mangle -o $(nvram get wan_ifname) -j MARK --set-mark 0x100
$IPTABLES -A POSTROUTING -t mangle -o $(nvram get wan2_ifname) -j MARK --set-mark 0x200
$IPTABLES -t nat -A POSTROUTING -o $(nvram get wan_ifname) -j SPOOF_ETH1
$IPTABLES -t nat -A POSTROUTING -o $(nvram get wan2_ifname) -j SPOOF_ETH2
$IPTABLES -t mangle -A POSTROUTING -j CONNMARK --save-mark
$IPTABLES -t mangle -A PREROUTING -i br0 -m state --state RELATED,ESTABLISHED -j CONNMARK --restore-mark
# Use the correct gateway for reply packets from local connections
$IPTABLES -t mangle -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j CONNMARK --restore-mark

RP_PATH=/proc/sys/net/ipv4/conf
for IFACE in `ls $RP_PATH`; do
echo 0 > $RP_PATH/$IFACE/rp_filter
done

^ firewall.firewall
----------------------------------------------------------------------------------------------------------------------

notes =

1. follow http://www.dd-wrt.com/wiki/index.php/JFFS to enable jffs
2. under the setup mac clone web gui page change the WAN mac
3. try a combination of rebooting the modem and router to make sure you are getting 2 ip addresses
4. telnet or ssh into the router and run ifconfig to make sure both vlan2 and vlan3 are getting an ip
5. obviously in my case i put the scripts in /jffs/scripts which you need to make
6. the way i chose to get the scripts on my router was by hosting them and running wget
7. after the scripts are in place you need to give them proper permissions by running chmod a+x /jffs/scripts/*

this worked for me using 2 modems with roadrunner cable internet

----------------------------------------------------------------------------------------------------------------------
-wtf911-
mlapaglia
DD-WRT Novice


Joined: 22 Nov 2007
Posts: 17

Posted: Wed Nov 14, 2012 0:30
I am embarking on my dual wan setup, but I have a quick question.

Is there a way to make this setup work with only one port?

I need everything to run through one WAN, and this one port to be in the round robin with the first and second WAN.
wtf911
DD-WRT Novice


Joined: 01 May 2012
Posts: 9

Posted: Sun Nov 18, 2012 4:07
mlapaglia wrote:
I am embarking on my dual wan setup, but I have a quick question.

Is there a way to make this setup work with only one port?

I need everything to run through one WAN, and this one port to be in the round robin with the first and second WAN.


no?