Help configuring MultiWAN Routing in FreshTomato

Discussion in 'Tomato Firmware' started by ElementOmicron, Apr 12, 2019.

  1. ElementOmicron

    ElementOmicron Connected Client Member

    FreshTomato Version: 2019.1 K26ARM USB AIO-64K

    I have a VPN device for work and I use a Desktop computer to share this connection with other computers on my LAN. I mainly do this currently with the following configuration


    br0 (LAN) -
    br1 (LAN1) -
    br3 (LAN3) -

    VPN Device uses my WAN to start a VPN session to my work. All LAN (LAN0) clients connect through wifi. The VPN device outputs a DHCP server that gives out one IP and bonds to the first MAC address that responds and gives it an IP like The Desktop has two network cards. One consumes that address and the other is set to which feeds back into LAN3 of the router.


    Network flow:
    WAN--->ROUTER (LAN 1)---->(Port 0 - inbound) VPN Device (Port 1 - outbound)---> Windows Desktop running Internet connection sharing (ICS) ---> (LAN 3) Router

    and then I have routes in the static routing table to allow traffic from the LAN (LAN0) to route traffic to the Desktop ICS and use it as a gateway


    LAN Access:

    I do it this way so that

    1) LAN1 and LAN3 can only access WAN
    2) LAN3 can reply to packets started by LAN


    I thought I could use MultiWAN Routing on the router in place of the Desktop computer. I reconfigured VLAN3 as WAN 2 and set WAN2 to get an address via DHCP. So the connections would now be


    Network Flow for WAN2:
    WAN --> ROUTER (LAN1)---> (Port 0 - inbound) VPN Device (Port 1 - outbound)---->(WAN2) Router

    So in this configuration the WAN2 on the router would be consuming the address instead of the Desktop. There would be no LAN3 (192.168.75.x) and traffic would just route through LAN (LAN0) to WAN2 if the destination address was on 10.0.0.x

    However I run into issues with this. First off it seems I'm either doing the MultiWAN router wrong or its buggy. I set the following options


    in my head this would mean "Use WAN1 for all internet traffic except if the source is my laptop (the IP) AND I'm trying to hit something in the - range then use WAN2 instead"

    but it seemingly makes my entire network unable to connect to WAN1 and my PC can't connect to WAN2 either. I tried MAC instead of IP as well for the souuce but that also did not work.

    Is this not how MultiWAN routing works? FYI if I ssh into the router I'm able to ping stuff on the internet through WAN1 and ping computers on the other side of WAN2 fine - it's just that machines cannot seem to hit it.

    Let me know if you need more information - I'd be happy to provide it.

    Last edited: Apr 13, 2019
  2. rs232

    rs232 Network Guru Member

    I suggest you edit your post to make more understandable. May be work on the English and perhaps add a network diagram?
    Last edited: Apr 13, 2019
  3. rs232

    rs232 Network Guru Member

    Which one is the tomato router? first one? second one? both?

    "and then I have routes on my LAN to allow traffic to connect throu...." where? on what device?

    do you actually have two WAN (Internet connection) or are you referring to WAN as the physical port of the device?

    Where are your LAN devices connecting physically?

    You have to remember that we know absolutely nothing about your network and with all the respect the above quoted text is not quiet understandable like most of the post. How about a proper network diagram? Even a scribble on paper and upload a picture of it.
    Last edited: Apr 13, 2019
  4. ElementOmicron

    ElementOmicron Connected Client Member

    There is only one router

    Currently I do the routes on the router, I'll provide picture. This allows me to point traffic meant for to the ICS Desktop device. In the "New config" I had no static routes and I thought that the routes would be done by the MultiWAN Routing page instead...?

    I have one WAN connection to the internet. I'm referring to WAN2 as the VPN'ed output connection that comes out of the VPN box. The VPN box would use my WAN connection to create the VPN but it outputs a DHCP IP address which currently the Desktop grabs but in the "new config" I would be setting WAN2 on the router to DHCP to grab that IP.

    Devices on my actual LAN (LAN0) connect through wifi to the router

    Ok so I did a drawing of the configs and hopefully the above makes sense. Let me know if I'm still not clear enough. Sorry for not being descriptive enough - I guess I have a hard time envisioning from your point of view =/ Just let me know if you need something further though, I'm happy to provide it :)
  5. rs232

    rs232 Network Guru Member

    Ok you do not need MultiWAN as you have no multiple Internet connections. So remove the relevant config.

    What you're trying to do (i'm still unclear on the wiring though) is a simple routing policy.
    something for iptables where a packer from source IP X.X.X.X/32 to destination Y.Y.Y.Y/24 is redirected to your VPN device.

    I'm not sure about your description of the LANs you refer to LAN / LAN2 and LAN3 but this is not what I see on the VLAN config page. Also as you have no Multiwan WAN2 shouldn't be part of the config
  6. ElementOmicron

    ElementOmicron Connected Client Member

    I edited my op above to hopefully make it a little clearer.

    The reason I'm setting WAN2 on the router and having it grab is because I need something to grab that IP. Think of it like your cable modem - the cable modem gets an address and then latches onto the first MAC address on your network, this is the same thing. So I'm setting the VPN Box to come back to Port 3 and having it use DHCP as WAN2 so that the VPN box can grab the MAC of the router Port 3. Then I want to pass traffic through there. Hope that makes sense?

    Perhaps you mean I don't need to MultiWAN Routing page but just need to use the Static routing table?
  7. rs232

    rs232 Network Guru Member

    You totally don't need Multiwan, so go in order remove all the multiwan config, make sure you have 3 VLANs on the router WAN LAN1 and LAN2 (unless you have guest networks as well).

    Your devices plug to LAN1 and so on interface of the VPN device. The other Interface of the VPN device goes in LAN2.
  8. ElementOmicron

    ElementOmicron Connected Client Member

    ok but how would I set the IP for the interface of LAN2? Like basically the VPN box just serves as a DHCP server on the output that only gives out one address. So right now I have the Desktop consume that address, in my op I was saying that I could set WAN2 of the router to use DHCP to consume that address. If I set it as LAN2, what would consume that address?

    Also I am totally sorry - I had gotten it wrong in my OP, everywhere I stated LAN2 was supposed to be LAN1. I fixed the post. LAN2 is my guest network (unrelated) that only uses wifi.
  9. rs232

    rs232 Network Guru Member

    There is some info missing here. The VPN device has two interfaces, one public and one private.

    Can you add this info under this specifying where the VPN device plugs?

    br0 (LAN) -
    br1 (LAN1) -
    br3 (LAN3) -

    If you ask me you should plug the work device directly behind the VPN device and let it get a 10.x IP. So outside your LAN address space. Preferred!

    If you need that device to be for whatever reason in your LAN network, plug it to the router instead but you'll have to enable br2 and work with iptables to:
    1) route packets with source to destination 10.x towards the VPN 10.x ip address
    2) sNAT the with the br2 10.x IP of the router

    P.S. Does the device behind the VPN device need to be DHCP enabled? Can't it be a static IP?
  10. ElementOmicron

    ElementOmicron Connected Client Member

    br0 (LAN) - - Where my laptop and other devices sit
    br1 (LAN1) - - Where the VPN input plugs in. ONLY the VPN devices is on here, basically I'm just using this so that the VPN device can get access to WAN only. I then use iptables on the Firewall script of the router to block all traffic on this VLAN except to access the WAN. So only devices on here - The router (LAN1)
    192.168.50.(100-200 basically whatever DHCP address it grabs from the router) - the VPN device input

    br3 (LAN3) - - Where the Desktop computer sits. The only devices here - The router (LAN3) - The Desktop after ICS. Acts as a gateway that I guess changes all packets to make it look like they all come from (the other NIC in the Desktop where the output from the VPN device plugs in).

    Yes, that is how the Desktop works now. However I have multiple devices I want to route through to the WORK interface so this is not ideal, hence why I'm trying to change it. Also I would prefer not to have a Desktop sitting there JUST for ICS. So basically I'm attempting to make the router act as DHCP client and do the same thing that the Desktop does for ICS.

    I'm not sure thats right, see the above - maybe that will make it more clear. Unless you mean "route packets with source 192.168.1.x to destination 10.x...", but even then there is no VPN 10.x ip, at least not on the VPN device. Do you mean the IP that WAN2 grabs?

    Yes, it must be DHCP enabled as the address it gives out is given from a DHCP server back at work and that subnet is shared with a bunch of other machines, all on DHCP. I mean I could set it to static...but I do not know the subnet config and it could possibly conflict with a different IP. Best to leave it DHCP.
    Last edited: Apr 13, 2019
  11. ElementOmicron

    ElementOmicron Connected Client Member

    Ok I was able to finally get this to work as desired (or at least..mostly as desired). So I didn't use the MultiWAN routing page at all, just a static route (like you said). Then I had to set the WAN as 256 priority and the WAN2 as 1 to make all traffic normally go through the WAN.

    Only thing I need to do now is I guess come up with a iptables rule to limit traffic able to go to WAN2 to only my laptop ( I'll open another post for that.

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice