
Tomato MultiWAN

Discussion in 'Tomato Firmware' started by shibby20, Dec 8, 2015.

  1. shibby20

    shibby20 Network Guru Member

    Hi,

    I just wanted to tell you that I'm working hard and have almost finished multiWAN support. Tomato will support max 4 WANs for routers with 64KB of nvram and probably 2 WANs for 32KB of nvram routers.
    My work is based on TomatoMultiWAN written by Arctic (https://code.google.com/p/tomato-shibby-arctic-chs/).

    More information soon.



    Best Regards :)
     
  2. Wolfgan

    Wolfgan Serious Server Member

    Thx Shibby. As part of this effort, could you please add the ability to customize labels for the Ethernet ports? (ie instead of WAN, LAN1, LAN2,... have the ability to customize them to LANprinters, WANisp1, Whatever...)
    Thanks, Wolf.
     
  3. Bird333

    Bird333 Network Guru Member

    Awesome! Just so I'm clear, can you use multiple wireless WAN's with wired? Or will you be converting LAN ports to WAN or are both possible?! :)
     
  4. xtacydima

    xtacydima LI Guru Member

    I suspect you are referring to dual WAN or greater based on a load balancing setup from multiple ISPs? If so, is this going to be something similar to the setup we saw some years ago by the Asian dualwan firmware? Although that one was never made public with its code and was too unstable after like 2 or 3 months.

    It's great to see if you get this working, many people I know have always requested this feature.

    I would truly like to say Thank You for all your hard work. :)
     
  5. shibby20

    shibby20 Network Guru Member

    At the moment the multiWAN feature works great. We can configure 1, 2, 3 or 4 WANs in load balancing mode with weight between 1 and 256. When we set weight to 0, the selected WAN will be configured as a failover interface and will be in standby mode - it will be connected but will not be added to the routing table. When all WANs in load balancing mode have failed, all failover WANs will be activated and added to the routing table automatically.

    The limitation is that we can configure only one WAN in 3G modem or 4G/LTE mode. I also added a watchdog for each WAN iface using traceroute, but I will probably also add a ping test for better results.

    At the moment I'm testing 3 WANs - 2 cable (DHCP) and one mobile (4G/LTE on E3372). So far so good. Now I have to fix some features like QoS to be compatible with the multiWAN feature.
     
  6. rs232

    rs232 Network Guru Member

    Out of curiosity... are you going to have 4x wanin and wanout iptables? This might be a blow for P2Partisan although not a showstopper.
    Also when you refer to weight I suppose that's a round-robin weight, right?
    I suppose a pre-launch feature request is to allow specific traffic to stick to specific connections on a port/IP basis (e.g. P2P on WAN2 everything else WAN1)

    Regardless, well done!
     
  7. leandroong

    leandroong LI Guru Member

    operation maybe similar entware optware "haproxy" (Open source Reliable, High Performance TCP/HTTP Load Balancer. This package is built with SSL support.), round-robin access, I think ....
    This similar also to what i'm experimenting on my win10, utilizing 2 radios, 2.4 & 5Ghz, for more info check here, https://github.com/Morhaus/dispatch-proxy
     
  8. eibgrad

    eibgrad Network Guru Member

    Awesome feature that also sounds like it will be a support nightmare (for everyone). It immediately brings to mind numerous questions.

    What does it mean to support client mode in a multiWAN config? In client mode, you're virtualizing the WAN over the wireless client. Is client mode just not allowed/supported w/ multiWAN? If I have two radios, can I implement client mode over each radio, each to its own WAN?

    What about VPNs? What does it mean to change the default gateway to the VPN in a multiWAN config? How is policy based routing affected? Right now it’s just binary, WAN vs. VPN. But w/ multiple WANs, is policy based routing being extended to *any* public facing network interface?

    What does it mean to port forward in a multiWAN config? Is this not allowed? Is it not guaranteed to work if a failover occurs? Will port forwarding be changed to accommodate multiWAN?

    What happens to a VPN that’s currently running over WAN “x” and a failover occurs? Does it get reinitialized over the next WAN?

    What about static routes? Do they automatically get remapped to the failover WAN? Or do I have to manually apply the same static routes to every WAN? Will the GUI even allow me to do that?

    Basically, anything that interacts w/ the routing system will be affected, including user defined scripts that alter the routing tables.

    That’s why I’m a bit skeptical about this feature. If these routers were ONLY doing basic routing duties, it would be one thing. But we’re PILING ON all kinds of stuff, including proxies, captive portals, VPNs, client mode, torrents, remote access, yada yada, and that vastly complicates moving from single WAN to multiWAN. Heck, most ppl can barely deal w/ all these features on a single WAN!

    Yeah, I know, I’m being a bit of a naysayer here. But I’m just trying to make ppl realize the implications of such a change are far reaching. It has the potential to vastly complicate configuration for a device that tries to be all things for all ppl and not just a plain ol’ simple router.

    I know this is probably reaching beyond what is expected for multiWAN, at least initially, but having done tech support for as long as I have, you just know ppl are going to push the envelope very quickly and the sooner it’s made clear exactly what the limitations of multiWAN are, the better.
     
  9. Bird333

    Bird333 Network Guru Member


    I for one welcome your input. Maybe it brings up some things Shibby hasn't considered and he can then deal with them.
     
  10. Bird333

    Bird333 Network Guru Member

    Shibby, another question, will we be able to combine the available WAN bandwidth for a faster connection? Is that even possible? Seems like years ago I remember hearing that it was possible.
     
  11. shibby20

    shibby20 Network Guru Member

    I will not do this for now, but when you promote a LAN port to a new WAN port, the label will automatically be changed to WAN(x).

    no, all WANs are in the same wanin/wanout chains.
    yes, it's round-robin using ip rule and ip route nexthop configuration

    yes, there will be a new page in GUI named "MultiWAN Routing Policy" where you can set policy for output traffic by src, dst, port and source WAN.
     
  12. jerrm

    jerrm Network Guru Member

    Yes it adds a layer of complexity, but all 99% of folks care about is being able to browse uninterrupted.

    I don't see all that many issues as long as a wanup or failover event fires to hook into. Yes, scripts will have to be adjusted, but that's life.

    I've never seen a failover product for SOHO/SMB (including $$$$$$) that is truly 100% transparent. It doesn't have to address every scenario to be useful. Let Shibby get it out the door.
     
    Last edited: Dec 9, 2015
  13. Connor McCaffrey

    Connor McCaffrey Networkin' Nut Member

    In order to be 100% transparent the public ipv4 address would have to stay the same


     
  14. remlei

    remlei Networkin' Nut Member

    it would be cool if you can port mwan3 on tomato.

    I already had a dual wan tomato router from cdrking that does do the same thing, but I would like to see the 4 WAN option too.


    the only bad thing with this firmware (probably made by some random Chinese manufacturers) is that I can't do routing policy over the GUI, but it can be done over iptables or ip rule or ip route.

    BTW: the router is a rebranded CDRKING CW 5356/5358 router which is actually a Catchtec CW5356/5358
     
    Last edited: Dec 11, 2015
  15. BikeHelmet

    BikeHelmet Networkin' Nut Member

    There was a TPIA ISP doing that in Canada. They had a VPN going on their servers that would accept your connections from multiple modems, and smoosh it all together. It was pretty neat, but I think they stopped doing that once our laws changed, and they gained access to more than 5mbit from the incumbent networks.

    -BikeHelmet
     
  16. Cloud

    Cloud Reformed Router Member

    thumbs up for shibby for making multi WAN support. great work indeed.
     
  17. dre02

    dre02 New Member Member

    thank u shibby waiting.................................nice work
     
  18. remlei

    remlei Networkin' Nut Member

    this is weird, I actually use a Chinese multiwan firmware with an Asus RT-N16 with 4 wans without any issue and that router only has 32k nvram.
     
  19. BikeHelmet

    BikeHelmet Networkin' Nut Member

    Shibby likely has other features that take up space. Every feature needs to store its settings somewhere...

    I ran out of NVRAM on my RT-N16 due to QOS rules. Had to upgrade to an RT-N66U.

    -BikeHelmet
     
  20. Bird333

    Bird333 Network Guru Member

    Probably so, but reading up on mwan3 it seems to handle 250 interfaces.
     
  21. fuzion

    fuzion Network Newbie Member

    Thank You! Shibby ... eagerly waiting :)
     
  22. shibby20

    shibby20 Network Guru Member

    After the weekend I should be ready to release a public beta version for ARM routers - it will be a Christmas gift from me to all of you ;)

     
  23. The Master

    The Master Network Guru Member

    Wooohoo :) R7000 is Waiting for the Beta :)
     
  24. remlei

    remlei Networkin' Nut Member

    shibby should use the jffs storage (or extroot storage or usb storage) just like what uci does in OpenWRT; it breaks the limitation of NVRAM by just storing the basic config in NVRAM and everything else in uci.

    I have my R7000 running on OpenWRT (without wireless drivers unfortunately, not that I care since I had Ubiquiti APs everywhere in my house) and I actually had a bunch of custom iptables rules in the firewall (if I did the same thing on tomato, NVRAM would be full in no time) with 4 WAN interfaces in mwan3 with a bunch of routing policies in place (more than 50 rules I think). If I back up my configuration, its size is around 170kb in compressed format (tarball).

    But I'll give tomato a try once it releases.

    If tomato is able to do this kind of configuration in a friendly way (mwan3-luci)

    3 WAN for load balancing
    1 WAN for online gaming (using routing policy)

    * with that, my 4th WAN interface should not be utilized by any traffic that is not present in my routing policy. The Chinese tomato multiwan wasn't able to do this at all: you can add a static routing thing in there, but all traffic that is undefined in static routing utilizes all the WAN connections (thanks p2p/torrent). I just want my 4th WAN separated.
     
  25. CBR900

    CBR900 LI Guru Member

    Guys,

    What do you think? will it be possible to get faster connection with this?
     
  26. shibby20

    shibby20 Network Guru Member

    As I promised, I want to give you a Christmas gift - Tomato-MultiWAN Beta for ARM routers.

    A few pieces of information about the new feature:
    1) You have to erase nvram before and after installing the new Tomato MultiWAN. You cannot restore settings from a file created on an older Tomato version. Many variables in nvram have been changed and added. Remember that!

    2) Before you are able to configure a new WAN, you have to add a new VLAN (Advanced -> VLAN). Just add a new (another one) VID and select the WAN(2|3|4) interface. If you want to use the new WAN as a USB modem or Wireless Client, you don't need to add a LAN port for the new VLAN. But if you want to use another WAN for a cable connection, then you have to unselect one port from LAN (br0) and add it to the new WAN VLAN. After "save" the router will be restarted and then you will be able to configure the new WAN.

    3) Weight tells us after what number of packets going through the first WAN the router should switch traffic to the next WAN. Weight can be set between 1-255 in load balance mode. When we set weight=0 the WAN will be set in failover mode. WAN status will be connected but this WAN will not be used for traffic (it will be in standby mode). When the router detects that all primary WANs (weight > 0) are disconnected, all failover WANs (weight=0) will be set as primary WANs. When the router detects that even one WAN is alive, the failover WANs will be switched to standby mode.

    4) There is also a new page under the Advanced menu named MultiWAN Routing. Here you can force traffic from/to a defined host to always go through the selected WAN interface.

    5) Advanced users can enable debug mode for the MultiWAN feature to see more information in the LOG. Just run the command:
    nvram set mwan_debug=9

    Limitations:
    - only one WAN can be used for a 3G or LTE connection. There is no way to use 2 or more USB modems under Tomato
    - QoS and BW Limiter work only when we use only one WAN

    Changes between v132 and v132-MultiWAN:
    - added DualWAN (nvram<64KB) or MultiWAN (nvram=64KB) feature
    - fixed PIN support when we use 4G/LTE non-Hilink/QMI modems
    - added option to force Network mode (2G/3G/4G) for non-Hilink modems

    Please remember that this version is a Beta release. It may include some bugs. A huge part of the tomato code has been changed. I recommend creating a settings backup in case you have to return to the previous Tomato version.

    Feedback welcome. If you find some bugs, please write here, include logs etc. I'll try to fix them before the final release of v133.

    Download: http://tomato.groov.pl/download/K26ARM/testing/

    That's all at the moment. Merry Christmas :)
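
Added example (not part of the post above and not Tomato's own code): a sketch of how the weight rules in item 3 map onto the `ip route ... nexthop` multipath default route mentioned earlier in the thread. The function name `mwan_default_route`, the input format, the interface names, the documentation-range gateways, and giving a promoted failover WAN weight 1 are all assumptions.

```shell
#!/bin/sh
# Added example, not Tomato source. Builds the multipath default route that the
# weight rules in the post imply, from a watchdog-style state table.
#
# stdin, one WAN per line:  <iface> <gateway> <weight> <up|down>
#   weight > 0 : load-balanced (primary) WAN, used as a nexthop with that weight
#   weight = 0 : failover WAN, connected but kept out of the routing table
#                until every primary WAN is down
# stdout: one ip(8) command.  Return: 0 ok, 1 no usable WAN, 2 bad input.
mwan_default_route() {
    primary=""
    standby=""
    while read -r ifc gw weight state; do
        case "$ifc" in ''|'#'*) continue ;; esac      # skip blank lines and comments
        case "$weight" in
            ''|*[!0-9]*)
                echo "mwan: bad weight '$weight' on $ifc" >&2
                return 2 ;;
        esac
        # iproute2 itself only accepts nexthop weights from 1 to 256
        if [ "$weight" -gt 256 ]; then
            echo "mwan: weight $weight on $ifc is above 256" >&2
            return 2
        fi
        [ "$state" = "up" ] || continue               # a dead link is never a nexthop
        if [ "$weight" -gt 0 ]; then
            primary="$primary nexthop via $gw dev $ifc weight $weight"
        else
            # Assumption: a promoted failover WAN gets weight 1 (the post does not say)
            standby="$standby nexthop via $gw dev $ifc weight 1"
        fi
    done
    # Failover WANs are used only when no primary WAN is left alive
    hops=${primary:-$standby}
    [ -n "$hops" ] || return 1
    echo "ip route replace default scope global$hops"
}

# Constructed sample state: two load-balanced WANs and one failover WAN.
mwan_demo() {
    echo "# both primaries up, failover stays in standby:"
    mwan_default_route <<'EOF'
wan1 192.0.2.1 2 up
wan2 198.51.100.1 1 up
wan3 203.0.113.1 0 up
EOF
    echo "# both primaries down, failover promoted:"
    mwan_default_route <<'EOF'
wan1 192.0.2.1 2 down
wan2 198.51.100.1 1 down
wan3 203.0.113.1 0 up
EOF
}
mwan_demo
```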
     
  27. guardian

    guardian Serious Server Member

    There is no multiWAN build for Asus RT-AC3200 for now :( Will it be supported?
     
  28. eibgrad

    eibgrad Network Guru Member

    Gulp.
     
  29. somms

    somms Network Guru Member

    Kudos to Shibby!:D


    Should we be looking forward to v133 build containing updated OpenVPN 2.3.9 next year!?;)
     
  30. remlei

    remlei Networkin' Nut Member

    my quick test for now

    - issues with google server with multiple wan interfaces, the sites begin to freaking slow down a lot. Solution, well, I don't know; if I use OpenWRT with mwan3, all I do is set a sticky on that policy (eg entire google subnet) with amount of delay in seconds.
    - no gateway grouping on GUI (not a bug but, well, I just override it anyway :p)
    - failover is kind-of-a-fail. You have to wait literally hours to failover the connection as soon as the connection went down (eg expired DHCP lease etc) fail-over will only work, of course in mwan3, it's automagically done on the fly.
    - last but not the least, I get a lot of kernel panics, tcp assertion errors for only just a few hours of heavy operation (I just test it and bombard it with p2p downloads, this crash test I done is working just fine on mwan3 openWRT), then the router just literally hang.

    Done my tests... moving back to mwan3.

    xD forgot to do some loggings, sorry.
     
    Last edited: Dec 25, 2015
  31. ierwin

    ierwin Serious Server Member

    Question:
    For IPv6 (Native or tunnel), which WAN will it be using?
     
  32. Elfew

    Elfew LI Guru Member

    +1
     
  33. Elfew

    Elfew LI Guru Member

    Merry Christmas! Thank you very much for your hard work. Could you please in v133 update all modules and add the fixes mentioned in your thread about shibby fw? I also posted a PM with bugs and issues some time ago

    Thank you!
     
  34. Lorenceo

    Lorenceo Networkin' Nut Member

    Looks really interesting. Maybe I will get a second internet connection! :eek:

    Are there plans to support MLPPPoE?
     
  35. Cold Winter

    Cold Winter Reformed Router Member

    A really nice gift there sir!

    What I didn't see mentioned, is if the WiFi channels can be used as WAN ports? Ability to use 3-4 SSIDs as WAN channels would be pretty neat. Potential for OpenMesh support there. That would be a X-Mas gift to most of the 3rd world.

    Great Work there.
     
  36. LyleJenson

    LyleJenson New Member Member

    Wrong Thread....
     
    Last edited: Jan 5, 2016
  37. Bird333

    Bird333 Network Guru Member

    You might want to put this in the main thread. This thread is just about the multi-wan function.
     
  38. RichtigFalsch

    RichtigFalsch Networkin' Nut Member

    Hello!

    It's great to see you keep adding features to Tomato!
    Would it be possible to have two concurrent PPPoE sessions over one WAN-port connected to a DSL modem by not adding another VLAN and just enabling the WAN port for two WANs at once?
     
  39. remlei

    remlei Networkin' Nut Member

  40. RichtigFalsch

    RichtigFalsch Networkin' Nut Member

    It's because some German ISPs use a 2nd PPPoE session with different login data for transferring VOIP calls, so they get guaranteed reserved bandwidth. So you can only use internet and VOIP with special routers capable of establishing two PPPoE sessions on one WAN port. So far that's only the ISPs' OEM hardware and some AVM "Fritz!" devices.
     
  41. remlei

    remlei Networkin' Nut Member

    ^I see, I don't know why your ISP is not utilizing VLAN/PVC for VOIP. I'm subscribed to my ISP's triple-play plan, which is VoIP, Internet and IPTV; all three of them have their own VLAN. For xDSL, all services can be separated on their own PVC setting.
     
  42. typhoe

    typhoe Network Newbie Member

    Hi,

    thank you for this firmware!

    A few questions:

    + Is it possible to specify the different WAN IP for the DDNS configuration?
    Ex: Dynamic DNS 1 would use WAN IP Address x.x.x.x
    and Dynamic DNS 2 would use WAN 2 IP Address y.y.y.y

    The various ISPs in my country require options to be passed to allow me to replace their "box" with my router.
    + Is it possible to specify different options for the "DHCPC Option" for the different WANs?
    Usually, I have to specify the vendor -V "Livebox-xxx" / -V "byteliad_data" / -V "neufbox-xxx" (yes, I'm from France ;-))
    + Is it possible to change the MAC ADDRESS used by the WANx?
    I have to use the MAC ADDRESS of their box for the connection to work and I can only do that for the default WAN port on the interface.
    Edit: Was too quick to post this one... WANx port mac address can be changed!

    Thank you!
     
  43. Bird333

    Bird333 Network Guru Member

    Any progress on this?
     
  44. compsman

    compsman Serious Server Member

    another good option to add, i have asked before, a gateway ipv6 address for the router, my windows 10 computers will screw on the dns suffix, adds my domain, yes, i am aware the win 10 computers are appending the dns suffix.
    i can pick not to append, but causes problems??
    example, my router has the domain, compsman.com


    C:\Users\Comps>ping -4 comps

    Pinging comps.compsman.com [xxxx] with 32 bytes of data:
    Reply from xxxx(wan ip): bytes=32 time<1ms TTL=64
    Reply from xxxx: bytes=32 time<1ms TTL=64
    Reply from xxxx: bytes=32 time<1ms TTL=64
    Reply from xxxx: bytes=32 time<1ms TTL=64

    Ping statistics for 71.222.12.105:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

    C:\Users\Comps>ping -6 comps
    Ping request could not find host comps. Please check the name and try again.

    C:\Users\Comps>




    my ipconfig

    Ethernet adapter Ethernet:

    Connection-specific DNS Suffix . : compsman.com
    IPv6 Address. . . . . . . . . . . : 2602:47:de0c:6900::xxxx
    IPv6 Address. . . . . . . . . . . : 2602:47:de0c:6900:xxxxxxx
    Temporary IPv6 Address. . . . . . : 2602:47:de0c:6900:xxxxxxx
    Link-local IPv6 Address . . . . . : fe80::a998:xxxxxxx
    IPv4 Address. . . . . . . . . . . : 192.168.0.6
    Subnet Mask . . . . . . . . . . . : 255.255.254.0
    Default Gateway . . . . . . . . . : fe80::4216:xxxxx
    192.168.0.1



    having a link-local as a gateway is bad... changes every time it leases


    causes the win 10 to add .compsman.com

    i must ping like this to stay local,
    ping comps.local

    or ping comps resolves as comps.compsman.com


    win 10 uses ipv6 if it has one over ipv4 for hostname dns
    C:\Users\Comps>ping comps-web

    Pinging Comps-WEB [fe80::xxxxx] with 32 bytes of data:
    Reply from fe80::xxxxx: time<1ms
    Reply from fe80::xxxxx: time<1ms
    Reply from fe80::xxxxxx: time<1ms
    Reply from fe80::xxxxxx: time<1ms

    Ping statistics for fe80::xxxxx:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

    if a hostname is not on.

    C:\Users\Comps>ping comps-we

    Pinging comps-we.compsman.com wan ip.


    am i doing something wrong? i hate ipv4 with ipv6 haha
     
  45. toza24

    toza24 New Member Member

    Thanks, Shibby for this awesome firmware. So I am trying to set up Wireless client WAN on R7000. Looks like there is a bug/issue when using any kind of encryption. I've run a test on one router and two different hotspots (Verizon/Sprint) (connecting tomato to these); none worked with encryption, as soon as I switch to "Open" everything works flawlessly.

    Tried all variations of WEP 64,128bit, WPA,WPA2 AES/TKIP settings and none work except for "open". Not sure what logs to collect, but will grab them if you point me in the right direction.


    I did a full nvram erase several times just to make sure. Hoping to get WEP and WPA2 to work mostly.

    Also I think adding the Virtual AP interface of the same band as the Wireless Client messes up the routing table.

    Thanks
     
    Last edited: Jan 31, 2016
  46. compsman

    compsman Serious Server Member

    have you tried just wpa2 aes only? I've been noticing a bug, where if a line is corrupt in nvram, just change 1 thing in that part, switch back, save. I've been saving 2 times, if I changed anything. The bug I hate the most that I discovered is, if I have a fully connected router, meaning ipv4/ipv6 both, if the modem reboots whatsoever, 90% of the time my 6rd Relay will get fucked up, then the mac address will be in the interface name box (can't be that long),
    causing my 6rd relay to be dead forever, till I manually set ipv6, changing the interface name to a 1 number,
    or it won't correct itself, save, then switch back to 6rd relay, making the ipv6 functional again (I think it's time you add interface checking.)
     
  47. toza24

    toza24 New Member Member

    yeah I have tried wpa2 aes only and it still won't DHCP. DDWRT connects just fine on that same router.


    BTW it appears to connect to the AP, like the signal and all shows ... but it doesn't DHCP nor does it work with a static ..
     
    Last edited: Feb 3, 2016
  48. toza24

    toza24 New Member Member

    Also noticed a small issue: when I changed from Wireless client to AP in the "Virtual wifi" page, settings did not propagate to the "Basic" page and I had to change them manually.

    Also if I change any setting via the Virtual Wireless page, it automatically drops the width of 5GHz wireless back to 20MHz.. even if I didn't modify the 5GHz WL interface. So I have to go back to the Basic page and change it back to 80MHz
     
  49. compsman

    compsman Serious Server Member

    half true, half not, depending how the dhcp leases, so lets say you have 192.168.1.1
    if ip range set from 192.168.1.2-192.168.1.100
    then you can use statics above the 100,but not like 192.168.1.54, but can have 192.168.1.114 as static
    but let say the range is 1-254 for dhcp
    then having a static ip could cause a conflict, dhcp could hand out the static ip.

    just keep the dhcp ip range 100 ips sample i use 192.168.0.200-251

    meaning i can static all the 192.168.0.2-199
     
  50. compsman

    compsman Serious Server Member

    did you upgrade the firmware and not fully reset nvram?
     
  51. toza24

    toza24 New Member Member

    fully erased nvram twice to make sure. As for statics, the range on the main router is a different subnet than my tomato router wireless client. Neither static nor the dhcp work; like I said, if I change the auth to "open" everything works fine, DHCP and all

    meaning main router and tomato set to no auth, but as soon as I enable wep,wpa,wpa2 ..things no longer work
     
  52. willoz88

    willoz88 New Member Member

    Well Done Shibby, is it possible to set Transmission to use only a preferred wan interface?
     
  53. ziddey

    ziddey Network Guru Member

    You can specify a source port and use that in Transmission.

    ------

    It would be awesome to allow multiwan using other gateways in the lan. I have a bunch of other routers with dhcp disabled that I have in the same subnet. Further, being able to specify rules to apply load balancing to would be sweet.
    e.g. something like http://linuxbutler.com/tcpip-outbound-round-robin-load-balancing-iptables/
     
    Last edited: Feb 14, 2016
  54. toza24

    toza24 New Member Member

    Seems that the wifi driver is problematic on R7000: some devices can't connect to the 2.4GHz on R7000 with v132 on it, and things that do connect and work perform really badly. But everything connects really really well with a cheap Xiaomi Mini router with factory firmware, so something seems wrong, and yes I did do a full nvram erase many times.
     
  55. npumcrisz

    npumcrisz Network Newbie Member

    Just my opinion:
    Wouldn't it be nice if we could actually install 132-multiwan on an actual multiwan router?;)
    Instead of converting a lan to a wan port.:(
    Most consumer-routers have only 4-lan ports unless we purchase a L2/3 switch..... what do you think?
     
  56. toza24

    toza24 New Member Member

    Sad thing is that my R7000 with 9dbi gain antennas and 132 Tomato is sitting collecting dust now, I switched to the Xiaomi Mini with Padavan firmware .....at half the specs it is still hands down the better performer; wireless speed and SMB shares are way more responsive and faster on Xiaomi, wishing R7000 Tomato would work this well.

    But maybe it's not a Tomato firmware problem, maybe it's the shitty inefficient Broadcom processors. Xiaomi mini runs a MediaTek processor, and produces little heat
     
  57. Connor McCaffrey

    Connor McCaffrey Networkin' Nut Member

    For dual wan this is best is what you're saying? I don't understand how that thing could have so much better wireless and smb performance? Care to get into numbers?
     
  58. toza24

    toza24 New Member Member

    Padavan firmware is not dual wan yet, but in general responsiveness of the router doesn't go to shit with time. I am in a high WIFI density neighborhood, and 2.4 barely works here, with Xiaomi it actually works. On 5GHz Xiaomi works better too, even though it has shitty little antennas whereas my R7000 has 9dbi Asus antennas,

    Yet:
    2.4 GHz connection ranges: Tomato: 48 -117Mbps Xiaomi: 216 -300Mbps (note I tried all the settings RTS/CTS/ Noise reduction, tomato practically doesn't work on 2.4GHz unless noise reduction is on.)
    on 5GHz:
    Tomato: 174MBps Xiaomi: 234Mbps (same channels) but when connected to Xiaomi the connection just feels more responsive, and transfer speeds are generally faster and better.

    on SMB, Xiaomi is instant at opening shares and when playing video files, skipping into the middle of the file is really fast. Unlike with Tomato (which I didn't realize until I tried Padavan) and I owned many routers running Tomato such as ASUS R68U, it's the same on all of them.

    (I am doing everything wireless)

    my guess is that 1. Drivers are no good 2. Broadcom chips are crap
     
  59. Connor McCaffrey

    Connor McCaffrey Networkin' Nut Member

    Asus doesn't make 9dbi antennas afaik
     
  60. toza24

    toza24 New Member Member

  61. Connor McCaffrey

    Connor McCaffrey Networkin' Nut Member

    That's 2.4 only and won't work on a dual band router, also 9dbi antennas are dumb IMO, I would never use more than 6dbi antennas
     
  62. Connor McCaffrey

    Connor McCaffrey Networkin' Nut Member

  63. toza24

    toza24 New Member Member

  64. toza24

    toza24 New Member Member

  65. Connor McCaffrey

    Connor McCaffrey Networkin' Nut Member

    That's crazy, can you link somewhere to buy that would maybe ship to Canada?

    Also how can you use separate 5GHz and 2.4GHz antennas? Lol rp sma splitter??! Not a good idea using mixed antennas for a dual band router imo
     
  66. toza24

    toza24 New Member Member

    I didn't separate, alfa is 2.4/5GHz but still it won't matter if the rest of the router is crap. I got Xiaomi as a backup/travel router but now it's my primary :)

    I went from Tomato Asus 66u -> AC68U -> Netgear R7000 to Xiaomi Mini with Padavan :)
     
  67. Connor McCaffrey

    Connor McCaffrey Networkin' Nut Member

    Do you have a link where to purchase?
     
  68. toza24

    toza24 New Member Member

  69. Connor McCaffrey

    Connor McCaffrey Networkin' Nut Member

    Xiaomi mini only has 100mbps ports so the numbers you claim are impossible :(
     
  70. toza24

    toza24 New Member Member

    Also :) Xiaomi only has one USB port, but i currently have a mini usb hub on it with external HDD and 128Gb flash both working :)
     
  71. toza24

    toza24 New Member Member

    yeah like I said I only use wireless! the eth port is only 100Mbps. All I can tell you is that it feels much more pleasant to browse and surf with that setup VS all other tomato routers I had
     
  72. Connor McCaffrey

    Connor McCaffrey Networkin' Nut Member

    It only has 100mbps ports... No gigabit... The numbers u claim are not possible unless im missing something??
     
  73. Connor McCaffrey

    Connor McCaffrey Networkin' Nut Member

    So you get 300mbps from the nas? That doesn't really mean much

    If the ports can't do gig then you can't get over 95mbps over wifi unless it's local nas traffic...
     
  74. toza24

    toza24 New Member Member

    You are missing the fact that i connect between devices via wireless. You might be right but this is the most lag free setup i found for myself.
     
  75. Connor McCaffrey

    Connor McCaffrey Networkin' Nut Member

    Ok well that's not even comparable to R7000 then lmao
     
  76. toza24

    toza24 New Member Member

    ummm 95 Mbps/8 is only 11.5 MB ..so yeah i get that via USB on both R7000 and Xiaomi

    So not sure where 1 Gig eth helps here :)

    There is some lag issue when streaming from the USB nas on tomato
     
  77. toza24

    toza24 New Member Member

    anyway R7000 is beefy but useless for me
     
  78. Connor McCaffrey

    Connor McCaffrey Networkin' Nut Member

    Ur missing the point, I don't want wireless throughput to my nas or other wireless devices to be fast

    I want it to be fast to the internet and my entire network not just my nas
     
  79. Connor McCaffrey

    Connor McCaffrey Networkin' Nut Member

    Looking to sell your R7000?
     
  80. toza24

    toza24 New Member Member

    Yeah i am probably selling it for 150$ .

    "I want it to be fast to the internet and my entire network not just my nas"
    Is your ISP connection faster than 100Mbps ? ?
     
  81. Connor McCaffrey

    Connor McCaffrey Networkin' Nut Member

    I can get them for 200CAD with tax and shipping $179.99 + tax free shipping

    Which is $148 USD so if u can do $130 or lower let me know, need to grab another soon
     
  82. kanata2004

    kanata2004 New Member Member

    Anybody got a 3G USB Modem to work with the version 133 multi wan? It does not work for me. Flash back to 132 single wan, works fine.
    Both ZTE MF631 and MF636 work with version 132 single wan, but neither works with 133.
     
  83. Malakai

    Malakai Networkin' Nut Member

    So today I played a little bit with the MultiWan feature on an R7000 with version 133.

    First there is a problem with the port order in Advanced > VLAN.
    I have : LAN(br0) with ports 2, 3 and 4 ; WAN with wan port and WAN2 with port 1 BUT when I connect my PC to port 4 I don't get an ip address and if I connect it to port 1 I get an ip but in the overview page the WAN2 is blinking (which is set up as DHCP client, so I shouldn't get an ip from the router on that port).
    Port 2 and 3 are ok (in the good order), but I think port 1 and 4 are inverted ; and it doesn't help to check "Invert Ports Order" in "Basic" cause everything is messed up.

    Capture.png

    Capture-1.png

    Now on the MultiWan feature : I tried both failover and load balancing.

    In failover mode you really have to wait for the amount of time specified in "Basic > Network > MultiWAN > Check connection every" to have a connection back (meantime you don't have any connection active, so any ongoing transfer will be paused or halted). So after the time from "Check connection every" you get connected with the second WAN and you have access to the Internet again. A nice thing is that when the primary connection comes back you don't have to wait for the time mentioned in "Check connection every" to use it, it feels as it is used instantly and also you don't get disconnected (any ongoing transfer will continue and use the primary WAN ; not as when you go from primary to failover).

    In load balancing mode I tried with both wans with a weight of 1, both connected through DHCP to an RT-N16 and no particular priority for one or the other on the RT-N16. So the R7000 has 2 wans with weight 1 on both, both connected to the same RT-N16 which is connected to the Internet. What I've seen is that even if the weight is the same on both wans (1), the "primary" wan (the one which is using the real wan port and which is first to be configured on the GUI) has more connections and bandwidth allocated (I don't know exactly if it is due to the MultiWan implementation on the R7000 or the way the RT-N16 distributed traffic to 2 different devices from his point of view). This was checked on the RT-N16 IP Traffic monitor. But what I really like in the load balancing scenario is that when 1 wan is disconnected the client (a laptop in my case which was downloading a big file) continues as if nothing happened (some download speed decrease but it gets quickly back) and when that wan gets back on it starts using both again (but as mentioned not really at the same weight even if I set them up with both 1 to "load balance weight"). Overall this scenario is the best if you happen to have access to 2 Internet connections (but I didn't try with different weight or more than 2 wans).

    So I'm kind of happy about this, even if I don't have yet a second Internet connection (I have a 3G dongle that is kind of hard to get working on Tomato / more infos here and here) and if the problem with the ports 1 and 4 being inverted (on the R7000 only?) would be solved it would be nice.
     
  84. willoz88

    willoz88 New Member Member

    I'm trying v133 multiwan on RT-AC56, connection with huawei e3372h non-hilink as wan2 is really unstable, many disconnections and reconnections.
    Many difficulties reaching the remote webui and transmission remote webui using ddns address over wan1

    Bandwidth monitor won't work on VLAN3 (wan2)
     
    Last edited: Mar 2, 2016
  85. tvlz

    tvlz Addicted to LI Member

    This will fix the VLAN port order

    Can-vlan-gui-port-order-be-corrected

    With these Multi-Wan builds the correct Vlan port order is required, so I sent a PM to @shibby20 to see if he will use that advanced-vlan file instead.
     
  86. Malakai

    Malakai Networkin' Nut Member

    Thanks but I think I will wait for @shibby20 to implement it (if he ever does) as I don't really need MultiWan feature for now. If the need comes and Shibby didn't implement it yet I will use your hack.
     
  87. guardian

    guardian Serious Server Member

    There is definitely a problem with build 133 on Asus RT-AC3200. I was able to flash and boot it, but not able to connect to the router via ethernet lan, or even ping it (wifi was ok). Also, it did not connect to WAN. ifconfig -a shows there are NO vlan1/vlan2 interfaces. I have cleared nvram thoroughly many times, but it didn't help.

    Basic single-wan configuration. I have found no way for it to bring vlan* interfaces up.

    Have reverted it to build 132, and it works good again.
     
  88. alexou77

    alexou77 New Member Member

    The multi-wan feature is really great! I am using it as a failover in Ethiopia on a WRT54GL. I use the fiber access as WAN1 and 3G as WAN2. Everything looks to work great. However I have one question. Is it possible to restrict WAN2 access to some IP on my LAN? I would like only some computers on my LAN to be able to use 3G (WAN2) when fiber (WAN1) is down (which is daily in my country...). Is it possible? Thanks
     
  89. willoz88

    willoz88 New Member Member

    Well, increased detection time to 10 minutes and probably the E3372 was badly flashed :D
    after reflashing the e3372h both wans are working well. But... :(
    I think there are several bugs in the multiwan routing policy, I set transmission listening port to use only
    wan1 to avoid large traffic amount over 4G modem but transmission continues to use both wans :mad: :mad:

    @shibby20 are there some tricks to employ?
     
  90. shibby20

    shibby20 Network Guru Member

    On the MultiWAN Routing page you can read a note:
    when you can control only outgoing traffic, not incoming.
     
  91. willoz88

    willoz88 New Member Member

    Damn... I missed up this thing... Sorry :D

    So I must manually disable wan2 when I use transmission.
     
  92. shibby20

    shibby20 Network Guru Member

    and a watchdog (Check connection every... to disabled)
     
  93. osdieman

    osdieman Network Newbie Member

    Hi Shibby... first of all thank you for your work..

    I have a question, I own an Asus RT-AC66U and just flashed this router... as I really would like to have the multi wan option.. now I saw there is only firmware for the RT-AC68U router a version.... is there a way to get this option working in my router..?

    best regards Osdieman
     
  94. shibby20

    shibby20 Network Guru Member

  95. osdieman

    osdieman Network Newbie Member

    Whoohoo..!!! great.. downloading as I speak.. I will let you know how it goes... thank you so so much..!!

    Router is running perfect.. I do have two questions left :

    1 : I cannot sftp with filezilla ( on Mac ) and not with Winscp ( windows )

    2 : The Wan load balancing seems not to " equalize "

    Is there a way to get both options working..?

    This " equalize " option would be great.. As I have a small tp-link router and this router is able to do this... so with torrenting I can get higher speeds... now I would like to make my Asus do this job so I can remove this TP-Link router....

    best regards Osdieman
     
    Last edited: Mar 3, 2016
  96. alexou77

    alexou77 New Member Member

    I really tried everything to make the dual wan failover work but without any success...
    It is working ONLY if I unplug the WAN1 cable! But if I block all internet access from the other router connected to WAN1, it will not failover on 3G (WAN2). I hope new releases will come because it is not stable enough to use it in production.
    Or maybe I am making a mistake in the configuration.
     


  97. gunar74

    gunar74 New Member Member

    I have tried to update my E3000 with the 133 Mega build, it says MTD file size too big. Bt-VPN works.
     
  98. shibby20

    shibby20 Network Guru Member

    please send me logs on PM.
     
  99. ptrakk

    ptrakk New Member Member

    Hey shibbmaster, I am running tomato-K26-1.28.RT-N5x-MIPSR2-133-Max on my RT-N12 rev D1.

    I reset nvram after flashing.

    Enabling QOS halts all internet traffic. The rates are set correctly.

    Also it worked on the 130 build.

    /var/log/messages says:
    user.crit init[1]: Error while loading rules. see /etc/iptables.error file.


    here is the iptables.error file:
    Code:
    *mangle
    :PREROUTING ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    :QOSO - [0:0]
    -A QOSO -j CONNMARK --restore-mark --mask 0xfff
    :QOSSIZE - [0:0]
    -I QOSO 3 -m connmark ! --mark 0/0xff000 -j QOSSIZE
    -A QOSSIZE -m connmark --mark 0x1000/0xff000 -m connbytes --connbytes-mode bytes --connbytes-dir both --connbytes 10240: -j CONNMARK --set-mark 0x00000/0xFF
    -A QOSO -p udp --dport 53   -m connbytes --connbytes-mode bytes --connbytes-dir both --connbytes 0:10239 -j CONNMARK --set-mark 0x1/0xFF
    -A QOSO -p tcp --dport 53   -m connbytes --connbytes-mode bytes --connbytes-dir both --connbytes 0:10239 -j CONNMARK --set-mark 0x1/0xFF
    -A QOSO -p udp --dport 37   -m connbytes --connbytes-mode bytes --connbytes-dir both --connbytes 0:10239 -j CONNMARK --set-mark 0x1/0xFF
    -A QOSO -p tcp --dport 37   -m connbytes --connbytes-mode bytes --connbytes-dir both --connbytes 0:10239 -j CONNMARK --set-mark 0x1/0xFF
    -A QOSO -p udp --dport 123   -m connbytes --connbytes-mode bytes --connbytes-dir both --connbytes 0:10239 -j CONNMARK --set-mark 0x1/0xFF
    -A QOSO -p udp --dport 3455   -m connbytes --connbytes-mode bytes --connbytes-dir both --connbytes 0:10239 -j CONNMARK --set-mark 0x1/0xFF
    -A QOSO -p tcp --dport 3455   -m connbytes --connbytes-mode bytes --connbytes-dir both --connbytes 0:10239 -j CONNMARK --set-mark 0x1/0xFF
    -A QOSSIZE -m connmark --mark 0x2000/0xff000 -m connbytes --connbytes-mode bytes --connbytes-dir both --connbytes 51200: -j CONNMARK --set-mark 0x00000/0xFF
    -A QOSO -p udp --dport 9   -m connbytes --connbytes-mode bytes --connbytes-dir both --connbytes 0:51199 -j CONNMARK --set-mark 0x4/0xFF
    -A QOSO -p tcp --dport 9   -m connbytes --connbytes-mode bytes --connbytes-dir both --connbytes 0:51199 -j CONNMARK --set-mark 0x4/0xFF
    -A QOSO -p udp -m multiport --ports 135,2101,2103,2105   -j CONNMARK --set-mark 0x4/0xFF
    -A QOSO -p tcp -m multiport --ports 135,2101,2103,2105   -j CONNMARK --set-mark 0x4/0xFF
    -A QOSO -p tcp -m multiport --ports 22,2222   -j CONNMARK --set-mark 0x3/0xFF
    -A QOSO -p tcp -m multiport --dports 23,992   -j CONNMARK --set-mark 0x3/0xFF
    -A QOSO -p tcp -m multiport --sports 80,5938,8080,2222   -j CONNMARK --set-mark 0x3/0xFF
    -A QOSO -p udp -m multiport --ports 3389   -j CONNMARK --set-mark 0x3/0xFF
    -A QOSO -p tcp -m multiport --ports 3389   -j CONNMARK --set-mark 0x3/0xFF
    -A QOSO -p udp -m multiport --ports 1220,6970:7170,8554   -j CONNMARK --set-mark 0x5/0xFF
    -A QOSO -p tcp -m multiport --ports 1220,6970:7170,8554   -j CONNMARK --set-mark 0x5/0xFF
    -A QOSO -p udp -m multiport --ports 554,5004,5005   -j CONNMARK --set-mark 0x5/0xFF
    -A QOSO -p tcp -m multiport --ports 554,5004,5005   -j CONNMARK --set-mark 0x5/0xFF
    -A QOSO -p udp -m multiport --ports 1755   -j CONNMARK --set-mark 0x5/0xFF
    -A QOSO -p tcp -m multiport --ports 1755   -j CONNMARK --set-mark 0x5/0xFF
    -A QOSO -p udp -m multiport --dports 3478,3479,5060:5063   -j CONNMARK --set-mark 0x2/0xFF
    -A QOSO -p tcp -m multiport --dports 3478,3479,5060:5063   -j CONNMARK --set-mark 0x2/0xFF
    -A QOSO -p udp -m multiport --sports 53,88,3074   -j CONNMARK --set-mark 0x2/0xFF
    -A QOSO -p tcp -m multiport --sports 53,88,3074   -j CONNMARK --set-mark 0x2/0xFF
    -A QOSO -p tcp --dport 1718:1720   -j CONNMARK --set-mark 0x2/0xFF
    -A QOSO -p udp -m multiport --dports 4380,27000:27050,11031,11235:11335,11999,2300:2400,6073,28800:29100,47624   -j CONNMARK --set-mark 0x2/0xFF
    -A QOSO -p tcp -m multiport --dports 4380,27000:27050,11031,11235:11335,11999,2300:2400,6073,28800:29100,47624   -j CONNMARK --set-mark 0x2/0xFF
    -A QOSO -p udp -m multiport --dports 1493,1502,1503,1542,1863,1963,3389,5061,5190:5193,7001   -j CONNMARK --set-mark 0x6/0xFF
    -A QOSO -p tcp -m multiport --dports 1493,1502,1503,1542,1863,1963,3389,5061,5190:5193,7001   -j CONNMARK --set-mark 0x6/0xFF
    -A QOSO -p udp -m multiport --dports 1071:1074,1455,1638,1644,5000:5010,5050,5100,5101,5150,8000:8002   -j CONNMARK --set-mark 0x6/0xFF
    -A QOSO -p tcp -m multiport --dports 1071:1074,1455,1638,1644,5000:5010,5050,5100,5101,5150,8000:8002   -j CONNMARK --set-mark 0x6/0xFF
    -A QOSO -p udp -m multiport --dports 194,1720,1730:1732,5220:5223,5298,6660:6669,22555   -j CONNMARK --set-mark 0x6/0xFF
    -A QOSO -p tcp -m multiport --dports 194,1720,1730:1732,5220:5223,5298,6660:6669,22555   -j CONNMARK --set-mark 0x6/0xFF
    -A QOSO -p udp --dport 19294:19310   -j CONNMARK --set-mark 0x6/0xFF
    -A QOSO -p tcp --dport 19294:19310   -j CONNMARK --set-mark 0x6/0xFF
    -A QOSO -p tcp -m multiport --dports 6005,6006   -j CONNMARK --set-mark 0x6/0xFF
    -A QOSO -p udp -m multiport --ports 6571,6891:6901   -j CONNMARK --set-mark 0x6/0xFF
    -A QOSO -p tcp -m multiport --ports 6571,6891:6901   -j CONNMARK --set-mark 0x6/0xFF
    -A QOSO -p udp -m multiport --ports 29613   -j CONNMARK --set-mark 0x6/0xFF
    -A QOSO -p tcp -m multiport --ports 29613   -j CONNMARK --set-mark 0x6/0xFF
    -A QOSO -p tcp -m multiport --ports 4244,5242   -j CONNMARK --set-mark 0x2/0xFF
    -A QOSO -p udp -m multiport --ports 5243,9785   -j CONNMARK --set-mark 0x2/0xFF
    -A QOSO -p udp -m multiport --ports 3478:3497,16384:16387,16393:16402   -j CONNMARK --set-mark 0x6/0xFF
    -A QOSSIZE -m connmark --mark 0x3000/0xff000 -m connbytes --connbytes-mode bytes --connbytes-dir both --connbytes 524288: -j CONNMARK --set-mark 0x00000/0xFF
    -A QOSO -p tcp --dport 443   -m connbytes --connbytes-mode bytes --connbytes-dir both --connbytes 0:524287 -j CONNMARK --set-mark 0x4/0xFF
    -A QOSO -p tcp --dport 443   -m connbytes --connbytes-mode bytes --connbytes-dir both --connbytes 524288: -j CONNMARK --set-mark 0x6/0xFF
    -A QOSO -p udp --dport 443   -m connbytes --connbytes-mode bytes --connbytes-dir both --connbytes 0:524287 -j CONNMARK --set-mark 0x4/0xFF
    -A QOSO -p udp --dport 443   -m connbytes --connbytes-mode bytes --connbytes-dir both --connbytes 524288: -j CONNMARK --set-mark 0x6/0xFF
    -A QOSO -p udp   -m layer7 --l7dir /etc/l7-protocols --l7proto skypetoskype -j CONNMARK --set-mark 0x2/0xFF
    -A QOSO -p tcp   -m layer7 --l7dir /etc/l7-protocols --l7proto skypetoskype -j CONNMARK --set-mark 0x2/0xFF
    -A QOSO -p udp   -m layer7 --l7dir /etc/l7-protocols --l7proto youtube-2012 -j CONNMARK --set-mark 0x5/0xFF
    -A QOSO -p tcp   -m layer7 --l7dir /etc/l7-protocols --l7proto youtube-2012 -j CONNMARK --set-mark 0x5/0xFF
    -A QOSO -p udp   -m layer7 --l7dir /etc/l7-protocols --l7proto httpvideo -j CONNMARK --set-mark 0x5/0xFF
    -A QOSO -p tcp   -m layer7 --l7dir /etc/l7-protocols --l7proto httpvideo -j CONNMARK --set-mark 0x5/0xFF
    -A QOSO -p udp   -m layer7 --l7dir /etc/l7-protocols --l7proto flash -j CONNMARK --set-mark 0x5/0xFF
    -A QOSO -p tcp   -m layer7 --l7dir /etc/l7-protocols --l7proto flash -j CONNMARK --set-mark 0x5/0xFF
    -A QOSO -p udp   -m layer7 --l7dir /etc/l7-protocols --l7proto rtp -j CONNMARK --set-mark 0x5/0xFF
    -A QOSO -p tcp   -m layer7 --l7dir /etc/l7-protocols --l7proto rtp -j CONNMARK --set-mark 0x5/0xFF
    -A QOSO -p udp   -m layer7 --l7dir /etc/l7-protocols --l7proto rtmp -j CONNMARK --set-mark 0x5/0xFF
    -A QOSO -p tcp   -m layer7 --l7dir /etc/l7-protocols --l7proto rtmp -j CONNMARK --set-mark 0x5/0xFF
    -A QOSO -p udp   -m layer7 --l7dir /etc/l7-protocols --l7proto shoutcast -j CONNMARK --set-mark 0x5/0xFF
    -A QOSO -p tcp   -m layer7 --l7dir /etc/l7-protocols --l7proto shoutcast -j CONNMARK --set-mark 0x5/0xFF
    -A QOSO  -m layer7 --l7dir /etc/l7-protocols --l7proto rtmpt -j CONNMARK --set-mark 0x5/0xFF
    -A QOSO -p udp   -m layer7 --l7dir /etc/l7-protocols --l7proto irc -j CONNMARK --set-mark 0x6/0xFF
    -A QOSO -p tcp   -m layer7 --l7dir /etc/l7-protocols --l7proto irc -j CONNMARK --set-mark 0x6/0xFF
    -A QOSO -p tcp -m multiport --dports 80,8080   -m connbytes --connbytes-mode bytes --connbytes-dir both --connbytes 0:524287 -j CONNMARK --set-mark 0x4/0xFF
    -A QOSO -p tcp -m multiport --dports 80,8080   -m connbytes --connbytes-mode bytes --connbytes-dir both --connbytes 524288: -j CONNMARK --set-mark 0x8/0xFF
    -A QOSO -p tcp -m multiport --dports 20,21,989,990   -j CONNMARK --set-mark 0x8/0xFF
    -A QOSO -p tcp -m multiport --dports 25,587,465,2525   -j CONNMARK --set-mark 0x7/0xFF
    -A QOSO -p tcp -m multiport --dports 110,995   -j CONNMARK --set-mark 0x7/0xFF
    -A QOSO -p tcp -m multiport --dports 119,563   -j CONNMARK --set-mark 0x8/0xFF
    -A QOSO -p tcp -m multiport --dports 143,220,585,993   -j CONNMARK --set-mark 0x7/0xFF
    -A QOSO -p udp --dport 1:65535   -j CONNMARK --set-mark 0x9/0xFF
    -A QOSO -m connmark --mark 0x0/0xff -j CONNMARK --set-mark 0x9/0xff
    -A FORWARD -o vlan1 -j QOSO
    -A OUTPUT -o vlan1 -j QOSO
    -A PREROUTING -i vlan1 -j CONNMARK --restore-mark --mask 0xfff
    -A PREROUTING -i vlan1 -j IMQ --todev 0
    -I PREROUTING -i vlan1 -j DSCP --set-dscp 0
    COMMIT
    *nat
    :PREROUTING ACCEPT [0:0]
    :POSTROUTING ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    :WANPREROUTING - [0:0]
    -A PREROUTING -d 192.168.2.2 -j WANPREROUTING
    -A PREROUTING -i vlan1 -d 192.168.73.1/255.255.255.0 -j DROP
    -A WANPREROUTING -p icmp -j DNAT --to-destination 192.168.73.1
    -A POSTROUTING  -o vlan1 -j MASQUERADE
    -A POSTROUTING -o br0 -s 192.168.73.1/255.255.255.0 -d 192.168.73.1/255.255.255.0 -j SNAT --to-source 192.168.73.1
    COMMIT
    *filter
    :INPUT DROP [0:0]
    :OUTPUT ACCEPT [0:0]
    -A INPUT -m state --state INVALID -j DROP
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -N shlimit
    -A shlimit -m recent --set --name shlimit
    -A shlimit -m recent --update --hitcount 4 --seconds 60 --name shlimit -j DROP
    -A INPUT -p tcp --dport 22 -m state --state NEW -j shlimit
    -A INPUT -i lo -j ACCEPT
    -A INPUT -i br0 -j ACCEPT
    -A INPUT -p icmp -m limit --limit 2/second -j ACCEPT
    -A INPUT -p udp --dport 33434:33534 -m limit --limit 10/second -j ACCEPT
    :FORWARD DROP [0:0]
    -A FORWARD -m account --aaddr 192.168.73.0/255.255.255.0 --aname lan
    -A FORWARD -i br0 -o br0 -j ACCEPT
    -A FORWARD -m state --state INVALID -j DROP
    -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
    :L7in - [0:0]
    -A FORWARD -i vlan1 -j L7in
    -A L7in -m layer7 --l7dir /etc/l7-protocols --l7proto skypetoskype -j RETURN
    -A L7in -m layer7 --l7dir /etc/l7-protocols --l7proto youtube-2012 -j RETURN
    -A L7in -m layer7 --l7dir /etc/l7-protocols --l7proto httpvideo -j RETURN
    -A L7in -m layer7 --l7dir /etc/l7-protocols --l7proto flash -j RETURN
    -A L7in -m layer7 --l7dir /etc/l7-protocols --l7proto rtp -j RETURN
    -A L7in -m layer7 --l7dir /etc/l7-protocols --l7proto rtmp -j RETURN
    -A L7in -m layer7 --l7dir /etc/l7-protocols --l7proto shoutcast -j RETURN
    -A L7in -m layer7 --l7dir /etc/l7-protocols --l7proto rtmpt -j RETURN
    -A L7in -m layer7 --l7dir /etc/l7-protocols --l7proto irc -j RETURN
    :wanin - [0:0]
    :wanout - [0:0]
    -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A FORWARD -i vlan1 -j wanin
    -A FORWARD -o vlan1 -j wanout
    -A FORWARD -i br0 -j ACCEPT
    COMMIT
    
    


    ------EDIT----------------------------------------------------------
    It appears there is no /etc/iptables when QOS is enabled. I don't think it is generated? How to find out which line makes an error? How do you put ':wanin - [0:0]' into an iptables command?
     
    Last edited: Mar 4, 2016
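
Added example, not part of the post above and not Tomato's own code: one way to narrow down which line of a rejected ruleset file is at fault is to replay the file's ordering rules offline. The checker below tracks how many rules each chain holds and flags an `-I CHAIN N` whose index is larger than the rule count plus one, or a rule added to a chain that has not been declared. The `lint` function and the assumption that the file is loaded without `--noflush` are this example's, and the sample is copied from the start and end of the `*mangle` table in the dump.

```python
# Added example, not Tomato code: ordering checks on an iptables-restore file.
# Assumption: the file is loaded without --noflush, so every chain starts empty.
# Simplification: the same built-in chain names are accepted in every table.

BUILTIN = {"PREROUTING", "INPUT", "FORWARD", "OUTPUT", "POSTROUTING"}

# Start and end of the *mangle table from the dump above (the -A lines
# in between are left out; they do not change the result).
SAMPLE = """\
*mangle
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:QOSO - [0:0]
-A QOSO -j CONNMARK --restore-mark --mask 0xfff
:QOSSIZE - [0:0]
-I QOSO 3 -m connmark ! --mark 0/0xff000 -j QOSSIZE
-A FORWARD -o vlan1 -j QOSO
-A OUTPUT -o vlan1 -j QOSO
COMMIT
"""


def lint(text):
    """Return [(line_number, message)] for lines the loader would reject."""
    findings = []
    table, chains = None, {}   # chains: name -> rules loaded so far
    for lineno, raw in enumerate(text.splitlines(), 1):
        tok = raw.split()
        if not tok or tok[0].startswith("#"):
            continue
        if tok[0].startswith("*"):             # "*mangle" opens a table
            table, chains = tok[0][1:], dict.fromkeys(BUILTIN, 0)
        elif tok[0] == "COMMIT":
            table = None
        elif table is None:
            findings.append((lineno, "line outside a *table ... COMMIT block"))
        elif tok[0].startswith(":"):
            # ":wanin - [0:0]" declares chain wanin (policy "-" = user chain),
            # the file-format counterpart of "iptables -N wanin".
            name = tok[0][1:]
            if len(tok) > 1 and tok[1] == "-":
                chains[name] = 0
            else:
                chains.setdefault(name, 0)
        elif tok[0] == "-N" and len(tok) > 1:
            chains[tok[1]] = 0
        elif tok[0] in ("-A", "-I") and len(tok) > 1:
            chain = tok[1]
            if chain not in chains:
                findings.append((lineno, f"{table}: chain {chain} is not declared yet"))
                continue
            if tok[0] == "-I":
                # "-I CHAIN N": N may be at most (rules already in CHAIN) + 1.
                index = int(tok[2]) if len(tok) > 2 and tok[2].isdigit() else 1
                if not 1 <= index <= chains[chain] + 1:
                    findings.append((lineno, f"{table}: -I {chain} {index} but {chain} "
                                             f"holds {chains[chain]} rule(s)"))
            chains[chain] += 1
    return findings


if __name__ == "__main__":
    for lineno, message in lint(SAMPLE):
        print(f"line {lineno}: {message}")
```

Run against the full file copied off the router, the reported line numbers count from the `*mangle` line at the top of the file.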
  100. Mirko Baila

    Mirko Baila Networkin' Nut Member

    where can I find a guide?
     