Favourite Projects



OpenWRT Multi WAN How To

March 12th, 2007 by lukav


This is a simple how to make your openwrt work with more than one WAN. I’ve used these steps to make my ASUS WL-500G Premium work with 2 WANs where in my case I route specific IP ranges through the second interface. However the instruction can be used to setup load balancing although not so perfect. I’ve actually installed X-Wrt to begin with so I use webif2 interface to setup some of the things. I’ll try to describe those steps without webif2 using ssh, but I must stress that those would be my assumptions and if something doesn’t work you should refer to openwrt and xwrt pages and forums.

As a first step make sure you setup your primary WAN interface. Then we are going setup the second interface. Choose one of the LAN ports of your router and separate this port in a new vlan. In my case I’ve setup my 1-st port as vlan2.

webif2: Network/VLAN, click on “Add New VLAN” then deselect eNet1 from VLAN 0 row and select it on the VLAN 2 row, check Internal also on that row. Click Save and then Apply.

ssh: Execute

nvram set vlan0ports=2 3 4 5*

to remove the port from vlan2 and

nvram set vlan2ports=1 5

to add it in the new vlan, I guess you should also execute:

nvram set vlan2hwname=et0

Now we need to setup IP address and bring up the second interface.

webif2: you can use the System/NVRAM page to setup the NVRAM variables described below: ssh:

nvram set wan2_ifname=vlan2
nvram set wan2_proto=static
nvram set
nvram set
nvram set
nvram set ifup_interfaces="lan wan wan2 wifi"

The last line would make sure wan2 interface is broth up on restart. Let’s try

ifup wan2

now. If


show you vlan2 with the ip address you should be in business. Please note that you can use dhcp instead of static proto, but I haven’t tested this.
You can do

nvram commit

so your changes are saved.

Ok. Now we must make sure that requests on a certain interface are replied via the same interface. Detailed information can be found at
Check if the file /etc/iproute2/rt_tables exists and if not create it. Then put/add lines for the 2 interfaces in it:

mkdir /etc/iproute2
echo "201 WAN1" >> /etc/iproute2/rt_tables
echo "202 WAN2" >> /etc/iproute2/rt_tables

I’ve setup a little script that will add all the necessary rules in the ip tables as described in lartc howto. It would also remove the extra default route added for the second interface by the S40network script. So just save the following as S45routing and put it in /etc/init.d so it gets executed after on boot. Make sure it is executable:


cat << EOF > /etc/init.d/S45routing

. /etc/
WAN1="$(nvram get wan_ifname)"
WAN1_IP="$(nvram get wan_ipaddr)"
WAN1_NETMASK="$(nvram get wan_netmask)"
WAN1_GETEWAY="$(nvram get wan_gateway)"

eval $( "$WAN1_IP" "$WAN1_NETMASK")

WAN2="$(nvram get wan2_ifname)"
WAN2_IP="$(nvram get wan2_ipaddr)"
WAN2_NETMASK="$(nvram get wan2_netmask)"
WAN2_GETEWAY="$(nvram get wan2_gateway)"

eval $( "$WAN2_IP" "$WAN2_NETMASK")

LAN="$(nvram get lan_ifname)"
LAN_IP="$(nvram get lan_ipaddr)"
LAN_NETMASK="$(nvram get lan_netmask)"

eval $( "$LAN_IP" "$LAN_NETMASK")

route del default gw $WAN2_GETEWAY

ip route flush table WAN1
ip route flush table WAN2
ip route del $WAN1_NETWORK/$WAN1_PREFIX dev $WAN1 src $WAN1_IP
ip route del $WAN2_NETWORK/$WAN2_PREFIX dev $WAN2 src $WAN2_IP
ip rule del from $WAN1_NETWORK/$WAN1_PREFIX table WAN1
ip rule del from $WAN2_NETWORK/$WAN2_PREFIX table WAN2

ip rule add from $WAN1_NETWORK/$WAN1_PREFIX table WAN1 prio 201
ip rule add from $WAN2_NETWORK/$WAN2_PREFIX table WAN2 prio 202

ip route add $WAN1_NETWORK/$WAN1_PREFIX dev $WAN1 src $WAN1_IP
ip route add $WAN2_NETWORK/$WAN2_PREFIX dev $WAN2 src $WAN2_IP

ip route add table WAN1 $WAN1_NETWORK/$WAN1_PREFIX dev $WAN1 src $WAN1_IP
ip route add table WAN1 $LAN_NETWORK/$LAN_PREFIX dev $LAN
ip route add table WAN1 dev lo
ip route add table WAN1 $WAN2_NETWORK/$WAN2_PREFIX dev $WAN2
ip route add table WAN1 default via $WAN1_GETEWAY dev $WAN1

ip route add table WAN2 $WAN2_NETWORK/$WAN2_PREFIX dev $WAN2 src $WAN2_IP
ip route add table WAN2 $LAN_NETWORK/$LAN_PREFIX dev $LAN
ip route add table WAN2 dev lo
ip route add table WAN2 $WAN1_NETWORK/$WAN1_PREFIX dev $WAN1
ip route add table WAN2 default via $WAN2_GETEWAY dev $WAN2

ip rule del table BG_ROUTES prio 220
ip rule add table BG_ROUTES prio 220

chmod +x /etc/init.d/S45routing

Execute the file or restart your router. At this point you should have 2 working WANs where they both reply on ping from external network. Now there are 2 approaches from here:

1: Setup load balancing by specifying multiple default routes. I’ll quote the LARTC on this:

quote: ”

The second question is how to balance traffic going out over the two providers. This is actually not hard if you already have set up split access as above.

Instead of choosing one of the two providers as your default route, you now set up the default route to be a multipath route. In the default kernel this will balance routes over the two providers. It is done as follows (once more building on the example in the section on split-access):

  ip route add default scope global nexthop via $P1 dev $IF1 weight 1
     nexthop via $P2 dev $IF2 weight 1

This will balance the routes over both providers. The weight parameters can be tweaked to favor one provider over the other.

Note that balancing will not be perfect, as it is route based, and routes are cached. This means that routes to often-used sites will always be over the same provider.

2: route specific range of ip via the second interface as me:

I’ll layout how I do it and you can tweak it as you like:

First add one more line in /etc/iproute2/rt_tables

echo "220 BG_ROUTES" >> /etc/iproute2/rt_tables

Then I have 2 files in /etc/route directory:

mkdir /etc/route
touch /etc/route/bg_routes.txt

– those are the ip ranges that goes via the second interface

touch /etc/route/exc_bg_routes.txt

– those are the ranges that I want to be sure would go via the first. I do this becuase I get bg_routes.txt from a third party periodically.

Then I use those 2 scripts to populate the tables:

cat << EOF > /etc/route/
ip route flush table BG_ROUTES
chmod +x /etc/route/ (2007.04.01 – this script has been updated with the contribution from robert at irrelevant dot com)

cat << EOF > /etc/route/

WAN1="$(nvram get wan_ifname)"
WAN1_IP="$(nvram get wan_ipaddr)"
WAN1_NETMASK="$(nvram get wan_netmask)"
WAN1_GETEWAY="$(nvram get wan_gateway)"

WAN2="$(nvram get wan2_ifname)"
WAN2_IP="$(nvram get wan2_ipaddr)"
WAN2_NETMASK="$(nvram get wan2_netmask)"
WAN2_GETEWAY="$(nvram get wan2_gateway)"

ip route flush table BG_ROUTES

awk '{
       if (match($1,/^[0-9]/) && $1 != "" && $1 != "" && $1 != "" )
         print "ip route add table BG_ROUTES "$1" via '$WAN2_GETEWAY' dev '$WAN2'"
     }' /etc/route/bg_routes.txt | ash

awk '{ if (match($1,/^[0-9]/))
         print "ip route add table BG_ROUTES "$1" via '$WAN1_GETEWAY' dev '$WAN1'"
     }' /etc/route/exc_bg_routes.txt | ash
chmod +x /etc/route/

I have added /etc/route/ as a last line to the file S45routing so it gets executed at boot.

echo "/etc/route/" >> /etc/init.d/S45routing

Ok the last thing we need to do is to modify /etc/init.d/S35firewall so the firewall rules apply to both interfaces….

Here is my modified version: (It was been reported that this version is old so it would be better to make the changes by hand in your current version. In the beggining of the script add the lines that sets the variables WAN2 and WAN2DEV. Then follow the script line by line and whenever you see a rule for WAN, dublicate it for WAN2. Skip the rule MINIUPNPD)

last update of this file was:12.04.2007


## Please make changes in /etc/firewall.user

. /etc/
WAN="$(nvram get wan_ifname)"
WAN2="$(nvram get wan2_ifname)"
WANDEV="$(nvram get wan_device)"
WAN2DEV="$(nvram get wan2_device)"
LAN="$(nvram get lan_ifname)"

for T in filter nat; do
  iptables -t $T -F
  iptables -t $T -X

iptables -N input_rule
iptables -N input_wan
iptables -N output_rule
iptables -N forwarding_rule
iptables -N forwarding_wan

iptables -t nat -N NEW
iptables -t nat -N prerouting_wan
iptables -t nat -N prerouting_rule
iptables -t nat -N postrouting_rule

iptables -N LAN_ACCEPT
[ -z "$WAN" ] || iptables -A LAN_ACCEPT -i "$WAN" -j RETURN
[ -z "$WAN2" ] || iptables -A LAN_ACCEPT -i "$WAN2" -j RETURN
[ -z "$WANDEV" -o "$WANDEV" = "$WAN" ] || iptables -A LAN_ACCEPT -i "$WANDEV" -j RETURN
[ -z "$WAN2DEV" -o "$WAN2DEV" = "$WAN2" ] || iptables -A LAN_ACCEPT -i "$WAN2DEV" -j RETURN
iptables -A LAN_ACCEPT -j ACCEPT

###  (connections with the router as destination)

  # base case
  iptables -P INPUT DROP
  iptables -A INPUT -m state --state INVALID -j DROP
  iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
  iptables -A INPUT -p tcp --tcp-flags SYN SYN --tcp-option ! 2 -j  DROP

  # insert accept rule or to jump to new accept-check table here
  iptables -A INPUT -j input_rule
  iptables -A INPUT -i $WAN -j input_wan
  iptables -A INPUT -i $WAN2 -j input_wan

  # allow
  iptables -A INPUT -j LAN_ACCEPT       # allow from lan/wifi interfaces
  iptables -A INPUT -p icmp     -j ACCEPT       # allow ICMP
  iptables -A INPUT -p gre      -j ACCEPT       # allow GRE

  # reject (what to do with anything not allowed earlier)
  iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
  iptables -A INPUT -j REJECT --reject-with icmp-port-unreachable

### (connections with the router as source)

  # base case
  iptables -P OUTPUT DROP
  iptables -A OUTPUT -m state --state INVALID -j DROP
  iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

  # insert accept rule or to jump to new accept-check table here
  iptables -A OUTPUT -j output_rule

  # allow
  iptables -A OUTPUT -j ACCEPT          #allow everything out

  # reject (what to do with anything not allowed earlier)
  iptables -A OUTPUT -p tcp -j REJECT --reject-with tcp-reset
  iptables -A OUTPUT -j REJECT --reject-with icmp-port-unreachable

### (connections routed through the router)

  # base case
  iptables -P FORWARD DROP
  iptables -A FORWARD -m state --state INVALID -j DROP
  iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
  iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

  # insert accept rule or to jump to new accept-check table here
  iptables -A FORWARD -j forwarding_rule
  iptables -A FORWARD -i $WAN -j forwarding_wan
  iptables -A FORWARD -i $WAN2 -j forwarding_wan

  # allow
  iptables -A FORWARD -i br0 -o br0 -j ACCEPT
  iptables -A FORWARD -i $LAN -o $WAN -j ACCEPT
  iptables -A FORWARD -i $LAN -o $WAN2 -j ACCEPT

  # reject (what to do with anything not allowed earlier)
  # uses the default -P DROP

### MASQ
  iptables -t nat -A PREROUTING -m state --state NEW -p tcp -j NEW
  iptables -t nat -A PREROUTING -j prerouting_rule
  iptables -t nat -A PREROUTING -i $WAN -j prerouting_wan
  iptables -t nat -A PREROUTING -i $WAN2 -j prerouting_wan

  iptables -t nat -A POSTROUTING -j postrouting_rule
  iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE
  iptables -t nat -A POSTROUTING -o $WAN2 -j MASQUERADE

  iptables -t nat -A NEW -m limit --limit 50 --limit-burst 100 -j RETURN && 
        iptables -t nat -A NEW -j DROP

[ -f /etc/firewall.user ] && . /etc/firewall.user
[ -e /etc/config/firewall ] && {
        awk -f /usr/lib/common.awk -f /usr/lib/firewall.awk /etc/config/firewall | ash

So, that’s about it. I may have missed something or some parts may be inaccurate or unclear, but I’ll update this as feedback from you dear readers comes in.

Posted in EN, Tech, WL-500Gp | 21 Comments »

21 Responses

  1. lukav Says:

    Hi all, I leave this comment to let you know of the updates I made in the post. robert at irrelevant dot com has pointed out that I have hardcoded my ips in script and suggested an updated version of the script. I’ve used his suggestion and made the following changes in the howto:
    1: we need one more nvram set option when setting wan2 interface “nvram set”
    2: then I’ve updated S45routing script to use the new setting and to drop the extra default gateway created then wan2 interface is brought up.
    3: updated the script to use the nvram settings.

    So thats it. Thanks to Robert for his comments.

  2. lukav Says:

    Another update of the scripts and procedures was made:
    1. I’ve actually used my step by step howto and discovered that nvram setting needs “” when there is space in the value.
    2. Then I’ve realized some of the steps are not clear and the code is not suitable for copy-paste, so I’ve tried to change this also.
    3. The firewall script was changed in the newer release of X-Wrt, so I’ve upgraded my ASUS and made the changes to the new script. I’ve post a desciption how to make those changes yourself.

    No a diffrent note I’ve discovered that the order of ports is diffrent on a WRT54GL v.1.1. You can read about this in my post in the Openwrt forum

  3. Alex Says:

    Dear sir,

    Thanks for your good job. But question is what version of openwrt are you using?Kamikaze or WhiteRussian?
    I would like to do this on Kamikaze, but cannot follow you. Could you please give me some tips?Thanks!

  4. lukav Says:

    Hi Alex,
    unfortunately this how to is for White Russian 0.9. I haven’t installed Kamikaze yet so I have no idea where are the differences or the problems. I’ve read somewhere that Kamikaze will natively have support for 2 wans, so may be you should check that out.

    What problems do you have?

  5. somleac Says:

    Hi Lukav,

    I was reading your “How to” and I found it usefull but, I have a little problem: my both wan links have dynamic alocated IPs – one is runnning pppoe and the other dhcp. Will you please be so kind and let me know what should be modified in your scripts to have this working?
    Or give me a link to some other tutorial (if there is one).

    Thank you.

  6. lukav Says:

    Hi Somleac,
    well I haven’t tested that particular configuration. I guess that changing the wan[1-2]_proto to dhcp will do the trick for getting dhcp to work.
    I’ve never setup pppoe so you’ll have to read about this in the openWRT forums.
    Now after you get IP’s to both interfaces, you will have to modify the /etc/init.d/S45routing and other scripts to get the IP, mask and gateway from the setup interface, not from the nvram variables.
    have a look at /etc/ there are some functions that might help, like ifconfig_info for example.

    I’m sorry that I cannot spend some time on this and modify the scripts for you, but I’m a little too busy lately.

  7. naisioxerloro Says:

    Good design, who make it?

  8. lukav Says:

    See the footer

  9. Idetrorce Says:

    very interesting, but I don’t agree with you

  10. woorzel Says:

    thanks for the great guide 🙂
    I was wondering if anyone got the load balancing to work on white russian?
    I have boths ISPs up and running (using dhcp on both so I had to modify a few things) but routing breaks when use the multipath route. I should be good though because both ISPs work if I manually set the default route to each one of them…
    any advice welcome 🙂

  11. woorzel Says:

    okay I figured it out…
    following this guide carefully (and adapting for DHCP in my case) will get you a working setup but no load balancing on the white russian kernel.. this is because of the use of MASQUERADE in the iptables firewall script, which gets confused and dmesg keeps printing ‘MASQUERADE: Route send us somewhere else.’
    I worked around it by adding ‘-j SNAT –to $WAN1_IP’ and ‘-j SNAT –to $WAN1_IP’ instead of the MASQUERADE ones – which requires more init script hacking and is not very elegant (especially if your dynamic ips change often, mine almost never do). but it works great :]
    next step: try to add a third ISP on my wrt54gs 🙂

  12. Iair Says:

    I’ve been looking for a way to find an easy and working solution for dual/multi wan on openwrt routers. I Have Linksys WRT54GL 1.1, and I’ve tried with dd-wrt (which is user-friendlier) openWrt alone and with X-wrt.
    This is what I’m looking for, and I think a lot of people are too:
    I Have Many WAN connections and a WRT54GL router.
    I want:
    first, to be able to connect many WANs and have an internet Backup system, which is important to me.
    second, if possible, I want to load balance the internet traffic so I can get most out of every connection.

    I am about to install VoIP, Video over IP, and Internet. I want the priority to be on VoIP, so my communications are clear and without interruptions.
    I have the option of buying a Linksys Dual Wan router for US$250, but it doesn’t have QoS, and it limits to 2 WAN.
    I promise to publish the solution all around the world to help a lot of people like me.
    Thank you.

  13. lukav Says:

    Hi all,
    unfortunately I don’t have 2 providers anymore, and I haven’t played with multi WAN lately.

    if you setup the 2 WANs you should look at the scripts and figure out the appropriate changes, so that you have one set for each ISP.
    Please, post a comment here if you find a solution.


  14. lukav Says:


    if you have a spare PC, you can have a look at It has a user-friendly interface. Multi WANs and QoS.

  15. Kunawut’s knowledge blog » การทำ MultiWAN บน OpenWRT Says:

    […] […]

  16. jeffer Says:

    Thanks for sharing this.
    I am testing things with my wrt now and will come to dual wan soon.
    Is there an option to keep my mail runing with outlook and send mail?
    normal sending goes thru your isp…now i have 2 isp’s….is there a sollution for this problem?


  17. lukav Says:

    Hmmm … I cannot think of anything on the top of my head.
    May be you can make some iptables rules that handle those on the bases of port …
    For example if outgoing int is isp2 and dest port is 25 goto server 1 ….

  18. Loyd Says:

    Oh my goodness! Awesome article dude! Many thanks, However
    I am going through issues with your RSS. I don’t understand the reason why I cannot join it. Is there anybody else getting identical RSS problems? Anyone that knows the answer will you kindly respond? Thanks!!

  19. lukav Says:

    Thanks for the comments.
    What exactly are your issues with the RSS?

  20. ramesh Says:

    Hi lukav,

    may be my question is silly please provide me information,i have understood the test setup and configuration, what i want to know is multiwan concept, by doing this what exactly r v achieving like test cases,detailed design
    concept,real world example etc.

    thanks in advance.

  21. lukav Says:

    Hi Ramesh,

    it’s been 5 years since I used this but here are some examples on usage:
    1. If you have 2 internet providers and if one goes down the other takes care for the trafic without you noticing.
    2. You have 2 internet providers, one with big traffic to the servers within your country and one for the rest of the world. You want to access the servers from your country vie 1-st provider and the rest thought the other (This is how I used to use it.).

    Please also note, that this setup is 5 years old, where as the Internet connectivity is much better now, so you may have no use of this.
    Also note, that as far as I have seen, there are some custom firmware that have multi WAN support build-in, so the better approach may be to switch to some of them.