
EdgeRouter X - Dual WAN Load-Balance with OpenVPN

Hi

I have openVPN that works when only ETH0 is operational.
If I enable load balancing on ETH0 and ETH1, I cannot connect to the VPN anymore.
So, I just want to add a routing table to force OpenVPN to use the ETH0 interface.
Could you help me, please.

Pascal



Re: EdgeRouter X - Dual WAN Load-Balance with OpenVPN

Thanks a lot for your help.
I finally redid my setup with only two wan.
Then I followed your instructions, and all works perfectly.

 

Pascal




Re: EdgeRouter X - Dual WAN Load-Balance with OpenVPN


I had the same issue - looking at my config, all I did was run the load-balance wizard and then add these bits to the config:

 

/* Sticky load balancing keyed on the destination address only: the other four
   keys are explicitly off. Per the author's note below, this keeps later flows
   to the same destination on the WAN the first flow used. */
sticky {
            dest-addr enable
            dest-port disable
            proto disable
            source-addr disable
            source-port disable
        }

So that it always used the same WAN that it went out of.

 

The commands are:

 

set load-balance group G sticky dest-addr enable

 

I also set lb-local to disable:

 

set load-balance group G lb-local disable

Since then my OpenVPN has worked without issue - I'm running my OpenVPN vtun0 as a client on my router, connecting to my remote OpenVPN server.

 

Cheers

Andy


Re: EdgeRouter X - Dual WAN Load-Balance with OpenVPN

Post your sanitized config here if you want us to look at it.


Re: EdgeRouter X - Dual WAN Load-Balance with OpenVPN


Thank you for your answer.

I just tested your solution, but it does not work for me.

Here is my configuration.

 

 

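/* Firewall and policy-routing ("modify balance") section as posted. The paste
   was whitespace-mangled (e.g. "192.168 .0 .0 / 16"); it is reformatted here
   into loadable config.boot syntax with the same nodes and values. */
firewall {
    all-ping enable
    broadcast-ping disable
    group {
        /* RFC1918 space. 172.16.0.0/12 also covers the 172.17.x.0/24 WAN
           subnets on eth0-eth3, so traffic to the upstream gateways matches
           rule 10 below and is never load balanced. */
        network-group PRIVATE_NETS {
            network 192.168.0.0/16
            network 172.16.0.0/12
            network 10.0.0.0/8
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians disable
    /* Applied inbound on switch0 (LAN). Rules 10-50 keep private and WAN-local
       destinations on the main table; rule 70 hands the rest to group G. */
    modify balance {
        rule 10 {
            action modify
            description "do NOT load balance lan to lan"
            destination {
                group {
                    network-group PRIVATE_NETS
                }
            }
            modify {
                table main
            }
        }
        /* ADDRv4_<if> are the auto-generated per-interface address groups:
           replies to a WAN's own address must not be balanced. */
        rule 20 {
            action modify
            description "do NOT load balance destination public address"
            destination {
                group {
                    address-group ADDRv4_eth0
                }
            }
            modify {
                table main
            }
        }
        rule 30 {
            action modify
            description "do NOT load balance destination public address"
            destination {
                group {
                    address-group ADDRv4_eth1
                }
            }
            modify {
                table main
            }
        }
        rule 40 {
            action modify
            description "do NOT load balance destination public address"
            destination {
                group {
                    address-group ADDRv4_eth2
                }
            }
            modify {
                table main
            }
        }
        rule 50 {
            action modify
            description "do NOT load balance destination public address"
            destination {
                group {
                    address-group ADDRv4_eth3
                }
            }
            modify {
                table main
            }
        }
        rule 70 {
            action modify
            modify {
                lb-group G
            }
        }
    }
    /* Attached to eth0-eth3 "in": only return traffic is accepted from the
       uplinks, everything else is dropped. */
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    /* Attached to eth0-eth3 "local": the router itself accepts only return
       traffic and OpenVPN (UDP 1194, logged) from the uplinks, so SSH and the
       web UI are not reachable from any WAN. */
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
        rule 50 {
            action accept
            description OpenVPN
            destination {
                port 1194
            }
            log enable
            protocol udp
        }
    }
    receive-redirects disable
    send-redirects enable
    /* NOTE(review): reverse-path filtering is off; with four uplinks a strict
       check would drop asymmetric replies, so this is presumably deliberate. */
    source-validation disable
    syn-cookies enable
}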
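/* Interfaces as posted (whitespace-mangled paste reformatted; same nodes and
   values). eth0-eth3 are uplinks with RFC1918 addresses, i.e. each sits behind
   an upstream device; eth4 is the single switch port carrying the LAN. */
interfaces {
    ethernet eth0 {
        address 172.17.0.2/24
        description WAN
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        speed auto
    }
    ethernet eth1 {
        address 172.17.1.2/24
        description "WAN 2"
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        speed auto
    }
    ethernet eth2 {
        address 172.17.2.2/24
        description "WAN 3"
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        speed auto
    }
    ethernet eth3 {
        address 172.17.3.2/24
        description "WAN 4"
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        speed auto
    }
    ethernet eth4 {
        duplex auto
        speed auto
    }
    loopback lo {
    }
    /* OpenVPN server on UDP 1194 (admitted by WAN_LOCAL rule 50). No firewall
       is attached to vtun0, so connected clients reach the router and the LAN
       unfiltered; the other config in this thread attaches a ruleset in both
       directions on its tunnel. */
    openvpn vtun0 {
        description "OpenVPN server"
        encryption aes256
        hash sha256
        mode server
        openvpn-option "--port 1194"
        openvpn-option --tls-server
        /* NOTE(review): tunnel compression. Compressing plaintext that an
           outsider can partly influence is a known information-leak vector;
           leave it off unless a client requires it. */
        openvpn-option "--comp-lzo yes"
        openvpn-option --persist-key
        openvpn-option --persist-tun
        openvpn-option "--keepalive 10 120"
        /* Daemon drops to an unprivileged user/group after start-up. */
        openvpn-option "--user nobody"
        openvpn-option "--group nogroup"
        server {
            name-server 172.16.0.1
            push-route 172.16.0.0/16
            subnet 172.18.0.0/16
        }
        tls {
            ca-cert-file /config/auth/cacert.pem
            cert-file /config/auth/host.pem
            dh-file /config/auth/dh2048.pem
            /* Unencrypted private key, needed for unattended start; keep the
               file readable by root only. */
            key-file /config/auth/host-decrypted.key
        }
    }
    /* LAN side; inbound traffic is policy-routed by the "balance" ruleset. */
    switch switch0 {
        address 172.16.0.1/16
        description Local
        firewall {
            in {
                modify balance
            }
        }
        mtu 1500
        switch-port {
            interface eth4 {
            }
            vlan-aware disable
        }
    }
}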
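/* Load-balance group G (whitespace-mangled paste reformatted). Both settings
   suggested earlier in the thread - lb-local disable and sticky dest-addr
   enable - are already present in this config. */
load-balance {
    group G {
        interface eth0 {
            weight 50
        }
        interface eth1 {
            weight 50
        }
        /* eth2 and eth3 are members with no weight and no route-test.
           NOTE(review): presumably idle/failover-only; confirm how the group
           treats weightless members before relying on them. */
        interface eth2 {
        }
        interface eth3 {
        }
        /* Router-originated traffic is not balanced. */
        lb-local disable
        lb-local-metric-change disable
        sticky {
            dest-addr enable
        }
    }
}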
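/* Port forwards (whitespace-mangled paste reformatted). They apply to eth0
   only (wan-interface), so these services are not reachable via eth1-eth3.
   NOTE(review): lan-interface is eth4, but the LAN address lives on switch0,
   of which eth4 is a member port; hairpin NAT and auto-firewall are usually
   keyed to the interface that carries the address - confirm this works. */
port-forward {
    auto-firewall enable
    hairpin-nat enable
    lan-interface eth4
    rule 1 {
        description GPRS_UDP
        forward-to {
            address 172.16.2.0
            port 2000
        }
        original-port 2000
        protocol udp
    }
    rule 2 {
        description LORAWAN
        forward-to {
            address 172.16.0.125
            port 1700
        }
        original-port 1700
        protocol udp
    }
    /* Exposes VNC (5900) on the eth0 public side; auto-firewall is expected
       to admit it through WAN_IN. Reaching it over the OpenVPN tunnel instead
       would keep it off the internet. */
    rule 3 {
        description CLIPPER
        forward-to {
            address 172.16.10.150
            port 5900
        }
        original-port 5900
        protocol tcp_udp
    }
    wan-interface eth0
}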
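/* Static routing (whitespace-mangled paste reformatted). One default route
   with four next-hops is equal-cost multipath in the kernel, independent of
   load-balance group G. NOTE(review): router-originated packets (e.g. replies
   from the OpenVPN server on vtun0) can therefore leave via any of the four
   uplinks regardless of which WAN the client arrived on. That is a plausible
   cause of the tunnel failing once more than one WAN is up, and fits the
   later report that a two-WAN rebuild worked - confirm against the live
   routing table. */
protocols {
    static {
        route 0.0.0.0/0 {
            next-hop 172.17.0.1 {
            }
            next-hop 172.17.1.1 {
            }
            next-hop 172.17.2.1 {
            }
            next-hop 172.17.3.1 {
            }
        }
    }
}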

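/* Services as posted (whitespace-mangled paste reformatted; same nodes and
   values). */
service {
    /* LAN scope 172.16.0.0/16; clients get the router and 8.8.8.8 as DNS. */
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name LAN {
            authoritative enable
            subnet 172.16.0.0/16 {
                default-router 172.16.0.1
                dns-server 172.16.0.1
                dns-server 8.8.8.8
                lease 86400
                start 172.16.0.101 {
                    stop 172.16.0.200
                }
            }
        }
        use-dnsmasq disable
    }
    /* Resolver answers on the LAN and on the VPN tunnel. */
    dns {
        forwarding {
            cache-size 150
            listen-on switch0
            listen-on vtun0
        }
    }
    /* Web UI. NOTE(review): older-ciphers enable re-admits legacy TLS cipher
       suites. WAN_LOCAL shields the UI from the uplinks, but LAN and VPN
       clients (vtun0 has no firewall) still reach it; set this to disable
       unless a legacy browser needs it - the other config in this thread has
       it disabled. */
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    /* One masquerade rule per uplink. */
    nat {
        rule 5000 {
            description "masquerade for WAN"
            outbound-interface eth0
            type masquerade
        }
        rule 5002 {
            description "masquerade for WAN 2"
            outbound-interface eth1
            type masquerade
        }
        rule 5004 {
            description "masquerade for WAN 3"
            outbound-interface eth2
            type masquerade
        }
        rule 5006 {
            description "masquerade for WAN 4"
            outbound-interface eth3
            type masquerade
        }
    }
    /* Reachable from the LAN and the VPN only; WAN_LOCAL drops it from the
       uplinks. */
    ssh {
        port 22
        protocol-version v2
    }
    unms {
        disable
    }
}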

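/* System section as posted (whitespace-mangled paste reformatted; same nodes
   and values). */
system {
    conntrack {
        expect-table-size 4096
        hash-size 4096
        table-size 32768
        tcp {
            half-open-connections 512
            loose enable
            max-retrans 3
        }
    }
    host-name ubnt
    /* NOTE(review): the default "ubnt" admin account is still in use
       (password masked in the paste). Create a named admin user and remove
       ubnt so a well-known username is not half of the credential. */
    login {
        user ubnt {
            authentication {
                encrypted-password ****************
            }
            level admin
        }
    }
    name-server 8.8.8.8
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    /* Local logging only; no remote collector is configured. */
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone Europe/Paris
}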

Re: EdgeRouter X - Dual WAN Load-Balance with OpenVPN


Your config is really hard to read; you should use the </> tab to paste code in.

 

From the config it looks like you are using 4 WANs, but only eth0 and eth1 are in your load-balance group?

 

I'll copy my config in so you can compare - hopefully it helps.

 

 

/* Andy's dual-WAN config: pppoe0 (over eth0) and eth1 are the uplinks, eth2 is
   the LAN and vtun0 is an OpenVPN client toward a remote server. */
firewall {
    all-ping enable
    broadcast-ping disable
    group {
        /* RFC1918 space. The tunnel-side routes under protocols (10.8.40.x,
           10.9.40.0/24) fall inside 10.0.0.0/8 and so stay on the main table. */
        network-group PRIVATE_NETS {
            network 192.168.0.0/16
            network 172.16.0.0/12
            network 10.0.0.0/8
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians disable
    /* Policy routing, applied inbound on eth2 (LAN). */
    modify balance {
        /* Private destinations (LAN, tunnel routes) bypass the balancer. */
        rule 10 {
            action modify
            description "do NOT load balance lan to lan"
            destination {
                group {
                    network-group PRIVATE_NETS
                }
            }
            modify {
                table main
            }
        }
        /* ADDRv4_<if> are the auto-generated per-interface address groups;
           traffic to an uplink's own address stays on the main table. */
        rule 20 {
            action modify
            description "do NOT load balance destination public address"
            destination {
                group {
                    address-group ADDRv4_pppoe0
                }
            }
            modify {
                table main
            }
        }
        rule 30 {
            action modify
            description "do NOT load balance destination public address"
            destination {
                group {
                    address-group ADDRv4_eth1
                }
            }
            modify {
                table main
            }
        }
        /* Pins one LAN host (192.168.10.85, the Tivo static-mapping in
           dhcp-server) to table 100, whose default route exits via eth1
           (see protocols static). */
        rule 109 {
            action modify
            description "Send Virgin Tivo v6 box down Virgin WAN for built in apps"
            modify {
                table 100
            }
            source {
                address 192.168.10.85/32
            }
        }
        /* Everything else is handed to load-balance group G. */
        rule 110 {
            action modify
            modify {
                lb-group G
            }
        }
    }
    /* Attached in both directions on vtun0. Default-action is accept, so this
       is a deny-list: only the two masked sources (rules 10 and 20) are
       rejected/dropped; everything else across the tunnel is allowed,
       including traffic to the router itself. */
    name Openvpn {
        default-action accept
        description Openvpn
        rule 10 {
            action reject
            description ####
            log disable
            protocol all
            source {
                address ##########.253/32
            }
            state {
                established enable
                invalid disable
                new enable
                related enable
            }
        }
        rule 20 {
            action drop
            description ####RemoteDesktop
            log disable
            protocol all
            source {
                address ########/32
            }
            state {
                established enable
                invalid disable
                new enable
                related enable
            }
        }
        rule 30 {
            action accept
            description Est/Rel
            log disable
            protocol all
            state {
                established enable
                invalid disable
                new enable
                related enable
            }
        }
    }
    /* Attached "in" on both eth1 and pppoe0: only return traffic is accepted
       from the uplinks, and default drops are logged. */
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        enable-default-log
        rule 10 {
            action accept
            description "Allow established/related"
            log disable
            protocol all
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    /* Attached "local" on eth1 only: the pppoe0 local block under interfaces
       is empty, so router-local services on the BT line are not filtered by
       this ruleset. */
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        enable-default-log
        rule 20 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 30 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    /* MSS clamping on all interfaces, sized for the 1492-byte PPPoE MTU. */
    options {
        mss-clamp {
            interface-type all
            mss 1452
        }
    }
    receive-redirects disable
    send-redirects enable
    /* NOTE(review): reverse-path filtering off - presumably deliberate so
       asymmetric dual-WAN replies are not dropped; confirm. */
    source-validation disable
    syn-cookies enable
}
/* Uplinks: pppoe0 on eth0 (BT) and eth1 via DHCP (Virgin). LAN on eth2.
   vtun0 is an OpenVPN client session to a masked remote host. */
interfaces {
    ethernet eth0 {
        description "WAN 2 - BT via pppoe0"
        duplex auto
        pppoe 0 {
            default-route auto
            firewall {
                in {
                    name WAN_IN
                }
                /* NOTE(review): empty local ruleset. WAN_LOCAL is applied on
                   eth1 but not here, so ssh (22), the web UI (80/443) and snmp
                   answer on the BT line unless each service is bound to a
                   listen-address; attach WAN_LOCAL here as well. */
                local {
                }
            }
            mtu 1492
            name-server auto
            password ****************
            user-id bt@btbroadband.com
        }
        speed auto
    }
    /* Virgin uplink; both WAN_IN and WAN_LOCAL applied. */
    ethernet eth1 {
        address dhcp
        description "WAN 1 - Virgin"
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        speed auto
    }
    /* LAN; inbound traffic is policy-routed by the "balance" ruleset. */
    ethernet eth2 {
        address 192.168.10.1/24
        description LAN
        duplex auto
        firewall {
            in {
                modify balance
            }
        }
        speed auto
    }
    loopback lo {
    }
    /* Client-mode tap tunnel over TCP, filtered in both directions by the
       Openvpn ruleset. NOTE(review): hash sha1 is a weak HMAC choice - the
       server config earlier in this thread uses sha256; move to sha256 if the
       remote server accepts it. --comp-lzo turns on tunnel compression, a
       known information-leak vector when an outsider can influence the
       plaintext; prefer it off. --route-nopull means routes to the far side
       come from the static entries under protocols, not from the server. */
    openvpn vtun0 {
        description ####
        device-type tap
        firewall {
            in {
                name Openvpn
            }
            local {
                name Openvpn
            }
        }
        hash sha1
        mode client
        openvpn-option --comp-lzo
        openvpn-option --route-nopull
        protocol tcp-active
        remote-host ######
        remote-port 1194
        tls {
            ca-cert-file /config/openvpn/ca.crt
            cert-file /config/openvpn/homeRouter.crt
            key-file /config/openvpn/homeRouter.key
        }
    }
}
/* Group G: both uplinks weighted equally, each health-checked by pinging
   8.8.8.8 every 10 s after a 60 s initial delay. */
load-balance {
    group G {
        interface eth1 {
            route-test {
                initial-delay 60
                interval 10
                type {
                    ping {
                        target 8.8.8.8
                    }
                }
            }
            weight 50
        }
        interface pppoe0 {
            route-test {
                initial-delay 60
                interval 10
                type {
                    ping {
                        target 8.8.8.8
                    }
                }
            }
            weight 50
        }
        /* Router-originated traffic, which includes the vtun0 client session
           itself, is not balanced. */
        lb-local disable
        /* NOTE(review): presumably keeps the main table's default-route
           metrics fixed when an uplink fails its route-test - confirm. */
        lb-local-metric-change disable
        /* Only the destination address keys stickiness; per the author, later
           flows to the same destination follow the WAN the first flow used. */
        sticky {
            dest-addr enable
            dest-port disable
            proto disable
            source-addr disable
            source-port disable
        }
    }
}
/* Routes to networks behind the tunnel, set statically because vtun0 runs with
   --route-nopull; the 10.8.40.x next-hops are presumably hosts on the far side
   of the tap. table 100 is the per-host policy table selected by modify
   balance rule 109 and defaults out via eth1. */
protocols {
    static {
        route 10.9.40.0/24 {
            next-hop 10.8.40.1 {
                description "Route Back For TUN Clients"
                distance 1
            }
        }
        route 192.168.1.0/24 {
            next-hop 10.8.40.7 {
                description "Dads House"
                distance 1
            }
        }
        route 192.168.2.0/24 {
            next-hop 10.8.40.15 {
                description "####Internal ######t"
                distance 1
            }
        }
        route 192.168.8.0/24 {
            next-hop 10.8.40.15 {
                description "My Y####n##DC"
                distance 1
            }
        }
        table 100 {
            interface-route 0.0.0.0/0 {
                next-hop-interface eth1 {
                }
            }
        }
    }
}
service {
    /* LAN scope 192.168.10.0/24. Clients are handed a LAN resolver plus
       8.8.4.4; the router itself does no DNS forwarding (dns { } is empty). */
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name LAN {
            authoritative enable
            subnet 192.168.10.0/24 {
                default-router 192.168.10.1
                dns-server 192.168.10.247
                dns-server 8.8.4.4
                domain-name #######
                lease 86400
                start 192.168.10.80 {
                    stop 192.168.10.243
                }
                static-mapping Andrews-Mini {
                    ip-address 192.168.10.4
                    mac-address 00:50:b6:d5:1e:e0
                }
                static-mapping FileBox {
                    ip-address 192.168.10.198
                    mac-address 9c:b6:54:0c:aa:9c
                }
                static-mapping OliCam {
                    ip-address 192.168.10.251
                    mac-address b8:27:eb:dd:3d:00
                }
                /* The host pinned to table 100 by modify balance rule 109. */
                static-mapping TIVO-C680000202E048F {
                    ip-address 192.168.10.85
                    mac-address 34:1f:e4:cb:d7:8e
                }
                static-mapping UVC-G3-7e07 {
                    ip-address 192.168.10.130
                    mac-address 80:2a:a8:cc:7e:07
                }
                static-mapping linaro-alip {
                    ip-address 192.168.10.16
                    mac-address 2c:4d:54:23:f7:49
                }
                unifi-controller 192.168.10.7
            }
        }
        use-dnsmasq disable
    }
    dns {
    }
    /* Web UI with legacy TLS ciphers disabled. */
    gui {
        http-port 80
        https-port 443
        older-ciphers disable
    }
    nat {
        rule 5000 {
            description "masquerade for WAN 2"
            outbound-interface pppoe0
            type masquerade
        }
        rule 5002 {
            description "masquerade for WAN"
            outbound-interface eth1
            type masquerade
        }
    }
    /* NOTE(review): community-string SNMP (v1/v2c) authenticates with a
       cleartext secret. Read-only is set, but because pppoe0 carries no local
       firewall this may be answerable from the BT line unless a listen-address
       restricts it - confirm. */
    snmp {
        community ##### {
            authorization ro
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
    /* Controller on the LAN over wss; the connection string references a
       self-signed controller certificate (details masked in the paste). */
    unms {
        connection wss://192.168.10.8:443+W-#############SelfSignedCertificate
    }
}
system {
    conntrack {
        expect-table-size 4096
        hash-size 4096
        table-size 32768
        tcp {
            half-open-connections 512
            loose enable
            max-retrans 3
        }
    }
    domain-name ########
    host-name router.l############
    /* Named (masked) admin account rather than the default ubnt user.
       NOTE(review): plaintext-password is shown next to encrypted-password;
       Vyatta-derived systems normally clear the plaintext form on commit, so
       confirm it is empty in the live config. */
    login {
        user ##### {
            authentication {
                encrypted-password ****************
                plaintext-password ****************
            }
            full-name "######"
            level admin
        }
    }
    name-server 8.8.8.8
    name-server 8.8.4.4
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    offload {
        hwnat disable
        ipv4 {
            forwarding enable
            pppoe enable
        }
    }
    /* Local logging plus a LAN collector that receives everything at debug
       level. NOTE(review): presumably plain UDP syslog - confirm. */
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
        host 192.168.10.18 {
            facility all {
                level debug
            }
        }
    }
    time-zone Europe/London
    traffic-analysis {
        dpi enable
        export enable
    }
}

Re: EdgeRouter X - Dual WAN Load-Balance with OpenVPN

Thanks a lot for your help.
I finally redid my setup with only two wan.
Then I followed your instructions, and all works perfectly.

 

Pascal
