https://sindro.me/tags/mwan3/ Recent content in Mwan3 on Marcello Barnaba Hugo en-us Tue, 07 Apr 2026 00:00:00 +0000 https://sindro.me/posts/2026-04-07-banip-icmp-mwan3/ Tue, 07 Apr 2026 00:00:00 +0000 https://sindro.me/posts/2026-04-07-banip-icmp-mwan3/ <p><strong>TL;DR:</strong> If you run OpenWrt with mwan3 (multi-WAN failover) and a <strong>split-tunnel</strong> WireGuard VPN (i.e., you&rsquo;re NOT routing all traffic through it), add <code>nohostroute=1</code> to your WireGuard interface. Without it, netifd creates a static route for the WireGuard endpoint at interface-up time, pinned to whatever uplink happens to be active at that moment. By the first corollary of Murphy&rsquo;s Law, anything that can go wrong will go wrong <em>at the worst possible moment</em> — so your primary link will be down precisely when WireGuard starts, and the endpoint route gets permanently stuck on the backup. Your VPN will be stuck on the slow backup while your primary link sits there doing nothing. You won&rsquo;t notice until you need to transfer something big.</p> <p>(If you <em>are</em> routing all traffic through WireGuard, you <strong>need</strong> the host route to prevent a routing loop — but on a multi-WAN setup, the same stale-route problem applies. You&rsquo;ll need a different workaround, like a hotplug script that updates the endpoint route when mwan3 switches uplinks.)</p> <p>Today I discovered that my WireGuard tunnel to a remote server has been crawling at <strong>2 Mbps</strong> since early February. The fix took two UCI commands. The root cause was the missing <code>nohostroute</code> flag — plus a bonus: my own firewall was sabotaging my own health checks, making the fiber look unreliable enough that the system never self-corrected.</p> <p>Here&rsquo;s the full forensic story, because I&rsquo;m still furious and you deserve to learn from my suffering.</p> <p>But first, some context on how this investigation actually happened. I was working with an AI coding assistant (Claude Code) that has SSH access to my infrastructure. This is possible because I have a clean foundation: SSH key authentication everywhere, proper internal DNS (<code>m42</code>, <code>golem</code> resolve to the right VPN addresses), WireGuard mesh between all nodes, and the assistant connects through a <code>ssh-agent</code> running as a systemd user service. One environment variable and the AI can reach every machine in my network — and, critically, <em>cross-reference</em> what it finds on one machine with data from another. This investigation would have taken me hours of jumping between terminals. The AI did it in minutes, methodically testing hypotheses across three machines simultaneously. The infrastructure investment in proper SSH, DNS, and VPN paid off enormously.</p>