Specific routes in Dual WAN routing failover mode

ManuCH

Occasional Visitor
Hey everyone,

I'm currently using my AC-RT3200 in Dual WAN mode with failover (ISP1 is much faster, 250 Mbit/s, vs the 40 Mbit/s of ISP2, so I don't want load balancing).

Unfortunately, in failover mode you cannot set specific routes from the UI. So what I'm trying to achieve is to set a specific route to a certain destination from the command line (because I work for ISP2 and I'd like to have all our business-related traffic go to ISP2 directly without taking the long route through ISP1).

I have tried the following:
Code:
route add -net x.x.x.x netmask 255.255.255.0 gw y.y.y.y dev vlan3

But the only thing I obtain is no traffic being routed to x.x.x.x at all anymore.

I have searched through the forums for quite a bit and only found instructions for selective routing if Dual WAN is set to load balancing. This all doesn't seem to apply in my case, as "ip rule list" doesn't show the 100/200 entries:

Code:
0:    from all lookup local 
32766:    from all lookup main 
32767:    from all lookup default

Any clue on how I can achieve this without enabling load balancing?

Thank you! :)
 
You can indeed easily create your own routing table for ISP2 (aka table 100/200 or custom), then add the appropriate RPDB rule(s).....

Code:
ip rule add from 192.168.0.1/24 to yyy.yyy.yyy.yyy table isp2 prio 77
ip route flush cache
ip rule

ip route add table isp2 default via yyy.yyy.yyy.yyy dev vlan3
ip route show table isp2

However, surely it would be easier to simply configure DUAL WAN Load-Balance mode (with selective DUAL WAN routing via the GUI), with only the ratio of load balancing requiring alteration?

i.e. Clearly the default of 3:1 isn't appropriate so 99:1 would be better?
P.S. Not 100% sure what the (GUI) limits are for specifying the ratio.

If this does not fit your requirements, then at least you would be able to manually replicate the DUAL WAN settings for use when in DUAL WAN Fail-over mode, although it's been a long time since I played with DUAL WAN Fail-over and not sure what the 'Standby' state of the secondary WAN now really means...so it could be that in DUAL WAN Fail-over mode the secondary WAN isn't actually usable until the Primary WAN fails?, whereas in DUAL WAN Load-Balance mode those quirky ASUS programmers would imply that both WAN interfaces are always UP and functioning! ;)
 
Thank you for that! I think I'm getting close - but not quite there yet.

First of all, the "ip rule" command seems to want an integer for the table ID, so I gave it 200. Currently this is what I see:

Code:
# ip rule
0:    from all lookup local 
77:    from 192.168.30.0/24 to x.x.x.x/24 lookup 200 
32766:    from all lookup main 
32767:    from all lookup default

Code:
# ip route show table 200
default via y.y.y.y dev vlan3

Code:
# ip route show cache x.x.x.x
x.x.x.x from 192.168.30.5 via y.y.y.y dev vlan3  src 192.168.30.1 
    cache <src-direct>  mtu 1500 advmss 1460 hoplimit 64 iif br0

So everything looks right - but I can't ping the destination from my LAN, at all. However I can ping it successfully from the router shell, and it's going through ISP2.

Are there some NAT/SNAT commands to add somewhere so that it properly routes the answer back to my LAN? I'm under the impression that in failover mode the secondary WAN is only partially active (but it's probably not hard to get it working - I'm just missing the relevant commands as I'm not so familiar with AsusWRT yet - it would be easier on a Cisco, lol).

And yes, load balance mode would probably be easier, but as you said, it doesn't actually fail over in case the primary WAN fails - and my ISP1 is faster, but more unstable (guess you can't have it all!).

Thank you for your patience :)
 
Apologies, I forget that ASUS/RMerlin continue to see no apparent need to tag the RPDB tables by name, so I have /jffs/scripts/init-start create the human friendly tags...

e.g.

Code:
# If RPDB name table doesn't exist create the alias entries
# Done before the sleep as wan-start will call IPTablesDump.sh and it helps with documenting tables!

# Tables 111:115 reserved by RMerlin RPDB Selective Policy routing
# Tables 100/200 reserved by ASUS Dual WAN aka Primary and Secondary WAN
if [ ! -d /etc/iproute2/ ]; then
    # Tag the VPN RPDB tables by name!!!
    /usr/bin/logger -s -t "($(basename $0))" $$ "Creating RPDB name table /etc/iproute2/rt_tables"
    mkdir /etc/iproute2
    echo 111 hma >  /etc/iproute2/rt_tables
    echo 112 vpn2 >> /etc/iproute2/rt_tables
    echo 113 vpn3 >> /etc/iproute2/rt_tables
    echo 114 vpn4 >> /etc/iproute2/rt_tables
    echo 115 vpn5 >> /etc/iproute2/rt_tables
    echo 100 talktalk >>  /etc/iproute2/rt_tables
    echo 200 three >>  /etc/iproute2/rt_tables
    /usr/bin/logger -s -t "($(basename $0))" $$ "         " `cat /etc/iproute2/rt_tables`
    /usr/bin/logger -s -t "($(basename $0))" $$ "Created RPDB name table /etc/iproute2/rt_tables"
fi

So you too may create a meaningful tag for table 200 etc. and use the tag in the commands.
 
OK, this solves the issue of being able to use tags instead of numbers.

But even so, unfortunately it still doesn't work:

So everything looks right - but I can't ping the destination from my LAN, at all. However I can ping it successfully from the router shell, and it's going through ISP2.

Are there some NAT/SNAT commands to add somewhere so that it properly routes the answer back to my LAN? I'm under the impression that in failover mode the secondary WAN is only partially active (but it's probably not hard to get it working - I'm just missing the relevant commands as I'm not so familiar with AsusWRT yet - it would be easier on a Cisco, lol).

Anywhere else I need to look? Where are NAT/SNAT rules defined?
 
I said it has been a long time :oops: ....more than likely you are missing the inbound rule :eek:, and/or clone the contents of table main to table isp2 except for the default entry!

Code:
ip rule add from yyy.yyy.yyy.yyy table isp2 prio 77
ip route flush cache

So I strongly suggest you simply configure DUAL WAN Load-Balance....and let ASUS configure tables 100/200 etc. then manually tweak the routing ratio or disable it!

NOTE: Apparently in DUAL WAN Load-Balance mode, auto-failover is implied?
 
You were right, there were several routes missing that are created automatically in Load-Balance mode. But hey, it's always fun to tinker around, right? Lots of things learned on how this router works :)

Anyway, I now switched to Load-Balance mode, so it's easier to add and remove routes (from the UI). It indeed seems to imply auto-failover. It didn't work the first time I tried, now it does - so all is good.

Thanks again!
 
No problem.
 
Are there some NAT/SNAT commands to add somewhere so that it properly routes the answer back to my LAN? I'm under the impression that in failover mode the secondary WAN is only partially active (but it's probably not hard to get it working - I'm just missing the relevant commands as I'm not so familiar with AsusWRT yet - it would be easier on a Cisco, lol).

I know I'm opening an old grave lol but I recently had to do something like this myself and the last thing you need for a successful solution is an iptables POSTROUTING Masquerade rule.

Something like this:

Code:
iptables -t nat -A POSTROUTING -s x.x.x.x/24 -d y.y.y.y -j MASQUERADE

x.x.x.x is your router Subnet.
y.y.y.y is the destination IP you want to access.
 
