Configuring EzPlanet WRT54GS firmware for dual WAN (multi homed)

There are a number of routers supported by EzPlanet running Linux that have a base WAN (Ethernet) port and one or more LAN Ethernet ports.

These routers could also be configured to load balance two (or more) WAN (ADSL) Internet links.

The instructions in this article are gathered form DD-WRT message board and, with some modifications, can be applied to set up any Linux box to load balance between two or more WAN links.

EzPlanet WRT firmware configuration

First of all you'll need to create a new vlan, called vlan2

Enter in the web interface, Settings / VLANs. Set the PORT4 to a new VLAN. Than enter in the console through a telnet or ssh session, and do the following commands:

nvram set vlan0ports="1 2 3 5*"
nvram set vlan2ports="4 5"
nvram set vlan2hwname=et0
nvram commit
here, the scripts I used to startup the interface. You need to call then in rc_firewall

wan2.firewall Code:

#!/bin/sh

WAN2_IFNAME=vlan2 WAN2_IPADDR=10.0.0.2 WAN2_GATEWAY=10.0.0.1 WAN2_NETMASK=255.0.0.0

if [ "$(nvram get wan2_ipaddr)" != "$WAN2_IPADDR" ]; then nvram set wan2_ifname=$WAN2_IFNAME nvram set wan2_ipaddr=$WAN2_IPADDR nvram set wan2_gateway=$WAN2_GATEWAY nvram set wan2_netmask=$WAN2_NETMASK nvram commit fi

ifconfig $(nvram get wan2_ifname) up $(nvram get wan2_ipaddr) netmask $(nvram get wan2_netmask)

routes.firewall Code:
#!/bin/sh

ip rule flush

ip rule add lookup main prio 32766 ip rule add lookup default prio 32767

ip rule add from $(nvram get wan_ipaddr) table 100 prio 100 ip rule add fwmark 0x100 table 100 prio 101

ip rule add from $(nvram get wan2_ipaddr) table 200 prio 200 ip rule add fwmark 0x200 table 200 prio 201

ip route flush table 100 ip route flush table 200

for TABLE in 100 200 do ip route | grep link | while read ROUTE do ip route add table $TABLE to $ROUTE done done

ip route add table 100 default via $(nvram get wan_gateway) ip route add table 200 default via $(nvram get wan2_gateway)

firewall.firewall Code:
#!/bin/sh

#DD-WRT firewall rules #BEGIN

#apply simple forward rules for RULE in $(nvram get forward_spec) do FROM=`echo $RULE | cut -d '>' -f 1` TO=`echo $RULE | cut -d '>' -f 2` STATE=`echo $FROM | cut -d ':' -f 2` PROTO=`echo $FROM | cut -d ':' -f 3` SPORT=`echo $FROM | cut -d ':' -f 4` DEST=`echo $TO | cut -d ':' -f 1` DPORT=`echo $TO | cut -d ':' -f 2` if [ "$STATE" = "on" ]; then if [ "$PROTO" = "both" ]; then #udp #iptables -A FORWARD -d $(nvram get wan2_ipaddr) -p udp --dport $SPORT -j ACCEPT iptables -A PREROUTING -t nat -p udp -d $(nvram get wan2_ipaddr) --dport $SPORT -j DNAT --to $DEST:$DPORT #tcp #iptables -A FORWARD -d $(nvram get wan2_ipaddr) -p tcp --dport $SPORT -j ACCEPT iptables -A PREROUTING -t nat -p tcp -d $(nvram get wan2_ipaddr) --dport $SPORT -j DNAT --to $DEST:$DPORT else #iptables -A FORWARD -d $(nvram get wan2_ipaddr) -p $PROTO --dport $SPORT -j ACCEPT iptables -A PREROUTING -t nat -p $PROTO -d $(nvram get wan2_ipaddr) --dport $SPORT -j DNAT --to $DEST:$DPORT fi fi done

#apply range forward rules for RULE in $(nvram get forward_port) do FROM=`echo $RULE | cut -d '>' -f 1` TO=`echo $RULE | cut -d '>' -f 2` STATE=`echo $FROM | cut -d ':' -f 2` PROTO=`echo $FROM | cut -d ':' -f 3` SPORT=`echo $FROM | cut -d ':' -f 4` EPORT=`echo $FROM | cut -d ':' -f 5`

if [ "$STATE" = "on" ]; then if [ "$PROTO" = "both" ]; then #udp #iptables -A FORWARD -d $(nvram get wan2_ipaddr) -p udp --dport $SPORT:$EPORT -j ACCEPT iptables -A PREROUTING -t nat -p udp -d $(nvram get wan2_ipaddr) --dport $SPORT:$EPORT -j DNAT --to $TO #tcp #iptables -A FORWARD -d $(nvram get wan2_ipaddr) -p tcp --dport $SPORT:$EPORT -j ACCEPT iptables -A PREROUTING -t nat -p tcp -d $(nvram get wan2_ipaddr) --dport $SPORT:$EPORT -j DNAT --to $TO else #iptables -A FORWARD -d $(nvram get wan2_ipaddr) -p $PROTO --dport $SPORT:$EPORT -j ACCEPT iptables -A PREROUTING -t nat -p $PROTO -d $(nvram get wan2_ipaddr) --dport $SPORT:$EPORT -j DNAT --to $TO fi fi done

iptables -A PREROUTING -t nat -p icmp -d $(nvram get wan2_ipaddr) -j DNAT --to $(nvram get lan_ipaddr)

if [ $(nvram get remote_management) -eq 1 ]; then iptables -A PREROUTING -t nat -p tcp -d $(nvram get wan2_ipaddr) --dport $(nvram get http_wanport) -j DNAT --to $(nvram get lan_ipaddr):$(nvram get http_lanport) fi

if [ $(nvram get dmz_enable) -eq 1 ]; then DMZ_IP=$(nvram get lan_ipaddr | sed -r 's/[0-9]+$//')$(nvram get dmz_ipaddr) iptables -A PREROUTING -t nat -d $(nvram get wan2_ipaddr) -j DNAT --to $DMZ_IP fi

iptables -A PREROUTING -t nat --dest $(nvram get wan2_ipaddr) -j TRIGGER --trigger-type dnat iptables -A FORWARD -i $(nvram get wan2_ifname) -o $(nvram get lan_ifname) -j TRIGGER --trigger-type in

iptables -A PREROUTING -t mangle -i $(nvram get wan2_ifname) -j IMQ --todev 0 iptables -A PREROUTING -t mangle -i $(nvram get wan2_ifname) -j SVQOS_IN iptables -A POSTROUTING -t mangle -o $(nvram get wan2_ifname) -j SVQOS_OUT

#DD-WRT END

#Save the gateway in the connection mark for new incoming connections iptables -t mangle -A PREROUTING -i $(nvram get wan_ifname) -m conntrack --ctstate NEW -j CONNMARK --set-mark 0x100 iptables -t mangle -A PREROUTING -i $(nvram get wan2_ifname) -m conntrack --ctstate NEW -j CONNMARK --set-mark 0x200

  1. Save the gateway in the connection mark for new outgoing connections
iptables -t mangle -A POSTROUTING -o $(nvram get wan_ifname) -m conntrack --ctstate NEW -j CONNMARK --set-mark 0x100 iptables -t mangle -A POSTROUTING -o $(nvram get wan2_ifname) -m conntrack --ctstate NEW -j CONNMARK --set-mark 0x200
  1. Use the correct gateway for reply packets from the LAN
iptables -t mangle -A PREROUTING -i $(nvram get lan_ifname) -m conntrack --ctstate ESTABLISHED,RELATED -j CONNMARK --restore-mark
  1. Use the correct gateway for reply packets from local connections
iptables -t mangle -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j CONNMARK --restore-mark

#mask known packets to its source address iptables -A POSTROUTING -t nat -m mark --mark 0x100 -j SNAT --to-source $(nvram get wan_ipaddr) iptables -A POSTROUTING -t nat -m mark --mark 0x200 -j SNAT --to-source $(nvram get wan2_ipaddr)

#permit access to wan2 iptables -A POSTROUTING -t nat -j MASQUERADE -o $(nvram get wan2_ifname)

#restore-mark is done in PREROUTING. If restored again, will loose the outgoing marks iptables -t mangle -D SVQOS_OUT -j CONNMARK --restore-mark 2> /dev/null

#iptables -t mangle -A PREROUTING -i $(nvram get lan_ifname) -m multiport -p tcp --dport 22,25,80,110,119,143,443,993,3389 -j MARK --set-mark 0x100

#use WAN1 for common navigation, WAN2 for P2P traffic and others #iptables -t mangle -I PREROUTING -i $(nvram get lan_ifname) -s 192.168.1.100 -j MARK --set-mark 0x200

#iptables -t mangle -I PREROUTING -i $(nvram get lan_ifname) -s 192.168.1.100 -j LOG --log-prefix 'P2P: '

RP_PATH=/proc/sys/net/ipv4/conf for IFACE in `ls $RP_PATH`; do echo 0 > $RP_PATH/$IFACE/rp_filter done

Once everything works, you should use the ip route equalize to balance the load, or do a -j MARK --set-mark 0xN00 via iptables to redirect your traffig to WAN1 (0x100) or WAN2 (0x200)

The firewall scripts does not yet implement the full dd-wrt firewall, only the basic port / range forwarding.

This script works for both outgoing AND incoming connections (most scripts only handle outgoing), so you should be able to accept connections in both links simultaneously (WEB in one and FTP in another, for example).

Sample ip route equalize command:

ip route add default scope global equalize nexthop via 12.34.52.1 dev eth1 nexthop via 10.43.93.1 dev eth2

Remarks

This simple round-robin splitting of connection table entries, often doesn't "increase speed" as most people mean it. If you start up a single download it will still only be as fast as one of your connection. According to rules of round-robin this problematic situation is frequent:

  1. HTTP/FTP download -> WAN A
  2. DNS request -> WAN B
  3. HTTP/FTP download -> WAN A
So you end up with WAN A crushed with load and B idle. I used this 4-5 years ago at a business. ON AVERAGE it works well. However the first thing most n00bs do when you hand them a recipe like this is run a speed test and complain that it hasn't doubled their speeds. Also, when you lose the round-robin coin-toss so to speak it can be a drag. I suppose with BitTorrent it could help since it's frequently opening connections.

If one connection goes down, all connections in progress over that link are just stuck. There is no failover mode.

This method it may be argued, is not technically a "load balancing" method since there is no intelligent handling of traffic load, no rebalancing of connections if it becomes unbalanced, and no failover.