Can I have two routes for two different IP lists?

I'm currently using my router to route all my traffic through a VPN. How can I define an IP list and then configure OpenWrt to not route the traffic going to these addresses through the VPN and send it directly to my modem instead? For example, I want to access the IP range 104.24.0.0/14 with my modem but everything else with my VPN.

Policy-Based Routing (PBR).

Can you be a bit more specific? Because I'm currently routing using firewall zones. It would be great if you gave an example.

https://openwrt.org/docs/guide-user/network/routing/examples/pbr_app

I read these articles, but the problem is that I have an IP list of more than 30+ IP ranges that I want to add. Do I have to add them one by one?

I put all the IP ranges inside a text file, then selected all and copied them into the PBR rule. When I restart the service for the changes to take effect, LuCI just hangs on restarting the pbr service, as in the pic below:


If I refresh the page and check the log, I find that the routing is not enabled and therefore has no effect.

I don't understand. Can you show the resulting config file?

It's a very long list of public IPs:


After leaving it alone for about 15 minutes, the routing started to take effect!
Does this mean every time the router restarts it will take that long to load the policies?

I think so, yes. I do not know how it is implemented now (using nftables); you can see the output of the nft list ruleset command.

You can use PBR with netifd as it is more resource efficient.
It does not require additional apps or services to operate.

I didn't make much of it, here it is:

table inet fw4 {
	set pbr_wan_4_src_ip_cfg046ff5 {
		type ipv4_addr
		flags interval
		auto-merge
		comment "lan2wan"
		elements = { 192.168.3.0/24 }
	}

	set pbr_wan_4_dst_ip_cfg056ff5 {
		type ipv4_addr
		flags interval
		auto-merge
		comment "IRI"
		elements = { 2.57.3.0/24, 2.144.0.0/14,
			     2.176.0.0/12, 5.1.43.0/24,
			     5.10.248.0/24, 5.22.0.0/17,
			     5.22.192.0/21, 5.22.200.0/22,
			     5.23.112.0/21, 5.34.192.0/20,
			     5.42.217.0/24, 5.42.223.0/24,
			     5.52.0.0/16, 5.53.32.0/19,
			     5.56.128.0/22, 5.56.132.0/24,
			     5.56.134.0/23, 5.57.32.0/21,
			     5.61.24.0/23, 5.61.26.0/24,
			     5.61.28.0/22, 5.62.160.0/19,
			     5.62.192.0/18, 5.63.8.0/21,
			     5.72.0.0/15, 5.74.0.0/16,
			     5.75.0.0/17, 5.104.208.0/21,
			     5.106.0.0/16, 5.112.0.0/12,
			     5.134.128.0/18, 5.134.192.0/21,
			     5.144.128.0/21, 5.145.112.0/22,
			     5.145.116.0/24, 5.159.48.0/21,
			     5.160.0.0/16, 5.182.44.0/22,
			     5.190.0.0/16, 5.198.160.0/19,
			     5.200.64.0/18, 5.200.128.0/17,
			     5.201.128.0/17, 5.202.0.0/16,
			     5.208.0.0/12, 5.232.0.0/14,
			     5.236.0.0/17, 5.236.128.0/20,
			     5.236.144.0/21, 5.236.156.0/22,
			     5.236.160.0/19, 5.236.192.0/18,
			     5.237.0.0/16, 5.238.0.0/15,
			     5.250.0.0/17, 5.252.216.0/22,
			     5.253.24.0/22, 5.253.96.0/22,
			     5.253.225.0/24, 31.2.128.0/17,
			     31.7.64.0/21, 31.7.72.0/22,
			     31.7.76.0/23, 31.7.88.0/22,
			     31.7.96.0/19, 31.7.128.0/20,
			     31.14.80.0/20, 31.14.112.0/20,
			     31.14.144.0/20, 31.24.85.64/27,
			     31.24.200.0/21, 31.24.232.0/21,
			     31.25.90.0/23, 31.25.92.0/22,
			     31.25.104.0/21, 31.25.128.0/21,
			     31.25.232.0/23, 31.40.0.0/21,
			     31.41.35.0/24, 31.47.32.0/19,
			     31.56.0.0/14, 31.130.176.0/20,
			     31.170.48.0/22, 31.170.52.0/23,
			     31.170.54.0/24, 31.170.56.0/21,
			     31.171.216.0/21, 31.184.128.0/18,
			     31.193.112.0/21, 31.193.186.0/24,
			     31.214.132.0/23, 31.214.146.0/23,
			     31.214.154.0/24, 31.214.168.0/21,
			     31.214.200.0/23, 31.214.228.0/22,
			     31.214.248.0/21, 31.216.62.0/24,
			     31.217.208.0/21, 37.9.248.0/21,
			     37.10.64.0/22, 37.10.109.0/24,
			     37.10.117.0/24, 37.19.80.0/20,
			     37.32.0.0/19, 37.32.32.0/20,
			     37.32.112.0/20, 37.44.56.0/21,
			     37.63.128.0/17, 37.75.240.0/21,
			     37.98.0.0/17, 37.114.192.0/18,
			     37.129.0.0/16, 37.130.200.0/21,
			     37.137.0.0/16, 37.143.144.0/21,
			     37.148.0.0/17, 37.148.248.0/22,
			     37.152.160.0/19, 37.153.128.0/22,
			     37.153.176.0/20, 37.156.0.0/22,
			     37.156.8.0/21, 37.156.16.0/20,
			     37.156.48.0/20, 37.156.100.0/22,
			     37.156.112.0/20, 37.156.128.0/20,
			     37.156.144.0/22, 37.156.152.0/21,
			     37.156.160.0/21, 37.156.176.0/22,
			     37.156.212.0/22, 37.156.232.0/21,
			     37.156.240.0/22, 37.156.248.0/22,
			     37.191.64.0/19, 37.202.128.0/17,
			     37.221.0.0/18, 37.228.131.0/24,
			     37.228.133.0/24, 37.228.135.0/24,
			     37.228.136.0/22, 37.235.16.0/20,
			     37.254.0.0/15, 45.8.160.0/22,
			     45.9.144.0/22, 45.9.252.0/22,
			     45.15.200.0/22, 45.15.248.0/22,
			     45.81.16.0/22, 45.82.136.0/22,
			     45.84.156.0/22, 45.84.248.0/22,
			     45.86.4.0/22, 45.86.87.0/24,
			     45.86.196.0/22, 45.87.4.0/22,
			     45.89.136.0/22, 45.89.200.0/22,
			     45.89.236.0/22, 45.90.72.0/22,
			     45.91.152.0/22, 45.92.92.0/22,
			     45.94.212.0/22, 45.94.252.0/22,
			     45.128.140.0/22, 45.129.36.0/22,
			     45.129.116.0/22, 45.132.32.0/24,
			     45.132.168.0/21, 45.135.240.0/22,
			     45.138.132.0/22, 45.139.9.0/24,
			     45.139.10.0/23, 45.139.100.0/22,
			     45.140.28.0/22, 45.140.224.0/21,
			     45.142.188.0/22, 45.144.16.0/22,
			     45.144.124.0/22, 45.147.76.0/22,
			     45.148.248.0/22, 45.149.76.0/22,
			     45.150.88.0/22, 45.150.150.0/24,
			     45.155.192.0/22, 45.156.180.0/22,
			     45.156.184.0/22, 45.156.192.0/21,
			     45.156.200.0/22, 45.157.244.0/22,
			     45.158.120.0/22, 45.159.112.0/22,
			     45.159.148.0/22, 45.159.196.0/22,
			     46.18.248.0/21, 46.21.80.0/20,
			     46.28.72.0/21, 46.32.0.0/19,
			     46.34.96.0/19, 46.34.160.0/19,
			     46.36.96.0/20, 46.38.128.0/23,
			     46.38.130.0/24, 46.38.131.0/25,
			     46.38.131.128/26, 46.38.132.0/22,
			     46.38.136.0/21, 46.38.144.0/20,
			     46.41.192.0/18, 46.51.0.0/17,
			     46.62.128.0/17, 46.100.0.0/16,
			     46.102.120.0/21, 46.102.128.0/20,
			     46.102.184.0/22, 46.143.0.0/17,
			     46.143.204.0/22, 46.143.208.0/21,
			     46.143.244.0/22, 46.143.248.0/22,
			     46.148.32.0/20, 46.164.64.0/18,
			     46.167.128.0/19, 46.182.32.0/21,
			     46.209.0.0/16, 46.224.0.0/15,
			     46.235.76.0/23, 46.245.0.0/17,
			     46.248.32.0/19, 46.249.96.0/24,
			     46.249.120.0/21, 46.251.224.0/25,
			     46.251.224.128/28, 46.251.224.144/29,
			     46.251.226.0/24, 46.251.237.0/24,
			     46.255.216.0/21, 49.12.203.0/24,
			     62.3.14.0/24, 62.3.41.0/24,
			     62.3.42.0/24, 62.32.49.128/26,
			     62.32.49.192/27, 62.32.49.224/29,
			     62.32.49.240/28, 62.32.50.0/24,
			     62.32.53.64/26, 62.32.53.168/29,
			     62.32.53.224/28, 62.32.61.96/27,
			     62.32.61.224/27, 62.32.63.128/26,
			     62.60.128.0/20, 62.60.144.0/22,
			     62.60.152.0/21, 62.60.160.0/22,
			     62.60.196.0/22, 62.60.200.0/21,
			     62.60.208.0/20, 62.95.84.234,
			     62.95.85.246, 62.95.100.236,
			     62.95.103.210, 62.95.117.78,
			     62.95.119.76, 62.102.128.0/20,
			     62.133.46.0/24, 62.193.0.0/19,
			     62.204.61.0/24, 62.220.96.0/19,
			     63.243.185.0/24, 64.214.116.16,
			     65.108.157.0/24, 66.79.96.0/19,
			     67.16.178.147, 67.16.178.148/31,
			     67.16.178.150, 69.194.64.0/18,
			     72.14.201.40/30, 77.36.128.0/17,
			     77.42.0.0/17, 77.77.64.0/18,
			     77.81.32.0/20, 77.81.76.0/24,
			     77.81.78.0/24, 77.81.82.0/23,
			     77.81.128.0/21, 77.81.144.0/20,
			     77.81.192.0/19, 77.90.139.180/30,
			     77.95.220.0/24, 77.104.64.0/18,
			     77.237.64.0/19, 77.237.160.0/19,
			     77.238.104.0/21, 77.238.112.0/20,
			     77.245.224.0/20, 78.31.232.0/22,
			     78.38.0.0/15, 78.109.192.0/20,
			     78.110.112.0/20, 78.111.0.0/20,
			     78.154.32.0/19, 78.157.32.0/19,
			     78.158.160.0/19, 79.127.0.0/17,
			     79.132.192.0/23, 79.132.200.0/21,
			     79.132.208.0/20, 79.143.84.0/23,
			     79.143.86.0/24, 79.174.160.0/21,
			     79.175.128.0/19, 79.175.160.0/22,
			     79.175.164.0/23, 79.175.166.0/24,
			     79.175.167.0/25, 79.175.167.128/30,
			     79.175.167.132/31, 79.175.167.144/28,
			     79.175.167.160/27, 79.175.167.192/26,
			     79.175.168.0/21, 79.175.176.0/20,
			     80.66.176.0/20, 80.71.112.0/20,
			     80.71.149.0/24, 80.75.0.0/20,
			     80.85.82.80/29, 80.91.208.0/24,
			     80.191.0.0/17, 80.191.128.0/18,
			     80.191.192.0/19, 80.191.224.0/20,
			     80.191.240.0/24, 80.191.241.128/25,
			     80.191.242.0/23, 80.191.244.0/22,
			     80.191.248.0/21, 80.210.0.0/18,
			     80.210.128.0/17, 80.241.70.250/31,
			     80.242.0.0/20, 80.249.112.0/22,
			     80.250.192.0/20, 80.253.128.0/19,
			     80.255.3.160/27, 81.12.0.0/17,
			     81.16.112.0/20, 81.28.32.0/19,
			     81.29.240.0/20, 81.31.160.0/19,
			     81.31.224.0/22, 81.31.228.0/23,
			     81.31.230.0/24, 81.31.233.0/24,
			     81.31.234.0/23, 81.31.236.0/22,
			     81.31.240.0/23, 81.31.248.0/22,
			     81.90.144.0/20, 81.91.128.0/19,
			     81.92.216.0/24, 81.163.0.0/21,
			     82.99.192.0/18, 82.138.140.0/25,
			     82.180.192.0/18, 82.198.136.76/30,
			     83.120.0.0/14, 83.147.192.0/23,
			     83.147.194.0/24, 83.147.222.0/23,
			     83.147.240.0/22, 83.147.252.0/24,
			     83.147.254.0/24, 83.149.208.65,
			     83.150.192.0/22, 84.17.168.32/27,
			     84.47.192.0/18, 84.241.0.0/18,
			     85.9.64.0/18, 85.15.0.0/18,
			     85.133.128.0/21, 85.133.138.0/23,
			     85.133.140.0/22, 85.133.144.0/23,
			     85.133.147.0/24, 85.133.148.0/22,
			     85.133.152.0/22, 85.133.157.0/24,
			     85.133.158.0/23, 85.133.160.0/22,
			     85.133.166.0/23, 85.133.168.0/21,
			     85.133.176.0/23, 85.133.178.0/24,
			     85.133.180.0/22, 85.133.184.0/21,
			     85.133.192.0/21, 85.133.200.0/23,
			     85.133.203.0/24, 85.133.204.0/22,
			     85.133.208.0/22, 85.133.212.0/23,
			     85.133.214.0/24, 85.133.219.0/24,
			     85.133.220.0/23, 85.133.223.0/24,
			     85.133.224.0/24, 85.133.226.0/23,
			     85.133.228.0/22, 85.133.232.0/22,
			     85.133.237.0/24, 85.133.238.0/23,
			     85.133.240.0/20, 85.185.0.0/16,
			     85.198.0.0/19, 85.198.48.0/20,
			     85.204.30.0/23, 85.204.76.0/23,
			     85.204.80.0/20, 85.204.104.0/23,
			     85.204.128.0/22, 85.204.208.0/20,
			     85.208.252.0/22, 85.239.192.0/19,
			     86.55.0.0/16, 86.57.0.0/17,
			     86.104.32.0/20, 86.104.80.0/20,
			     86.104.96.0/20, 86.104.232.0/21,
			     86.104.240.0/21, 86.105.40.0/21,
			     86.105.128.0/20, 86.106.142.0/24,
			     86.106.192.0/21, 86.107.0.0/20,
			     86.107.80.0/20, 86.107.144.0/20,
			     86.107.172.0/22, 86.107.208.0/20,
			     86.109.32.0/19, 87.107.0.0/16,
			     87.128.22.75, 87.236.38.0/23,
			     87.236.208.0/26, 87.236.209.0/24,
			     87.236.210.0/23, 87.236.213.0/24,
			     87.236.214.0/24, 87.247.168.0/21,
			     87.247.176.0/20, 87.248.128.0/24,
			     87.248.139.0/24, 87.248.140.0/23,
			     87.248.142.0/24, 87.248.147.0/24,
			     87.248.150.0/24, 87.248.152.0/22,
			     87.248.156.0/24, 87.248.159.0/24,
			     87.251.128.0/19, 87.252.206.64/29,
			     88.131.151.198, 88.131.172.60,
			     88.131.205.98, 88.131.225.174,
			     88.131.233.244, 88.131.234.222,
			     88.131.235.24, 88.131.240.122/31,
			     88.135.32.0/20, 88.135.68.0/24,
			     89.32.0.0/19, 89.32.96.0/20,
			     89.32.196.0/23, 89.32.248.0/22,
			     89.33.18.0/23, 89.33.100.0/22,
			     89.33.128.0/23, 89.33.204.0/23,
			     89.33.234.0/23, 89.33.240.0/23,
			     89.34.20.0/23, 89.34.32.0/19,
			     89.34.88.0/23, 89.34.94.0/23,
			     89.34.128.0/19, 89.34.168.0/23,
			     89.34.176.0/23, 89.34.200.0/23,
			     89.34.248.0/21, 89.35.58.0/23,
			     89.35.68.0/22, 89.35.120.0/22,
			     89.35.132.0/23, 89.35.156.0/23,
			     89.35.176.0/23, 89.35.180.0/22,
			     89.35.194.0/23, 89.36.16.0/23,
			     89.36.48.0/20, 89.36.96.0/20,
			     89.36.176.0/20, 89.36.194.0/23,
			     89.36.226.0/23, 89.36.252.0/23,
			     89.37.0.0/20, 89.37.30.0/23,
			     89.37.42.0/23, 89.37.102.0/23,
			     89.37.144.0/21, 89.37.152.0/22,
			     89.37.168.0/22, 89.37.198.0/23,
			     89.37.208.0/22, 89.37.218.0/23,
			     89.37.240.0/20, 89.38.24.0/23,
			     89.38.80.0/20, 89.38.102.0/23,
			     89.38.184.0/21, 89.38.192.0/21,
			     89.38.212.0/22, 89.38.242.0/23,
			     89.38.244.0/22, 89.39.8.0/22,
			     89.39.186.0/23, 89.39.208.0/24,
			     89.40.78.0/23, 89.40.106.0/23,
			     89.40.110.0/23, 89.40.128.0/23,
			     89.40.152.0/21, 89.40.240.0/20,
			     89.41.8.0/21, 89.41.16.0/21,
			     89.41.32.0/23, 89.41.40.0/22,
			     89.41.58.0/23, 89.41.184.0/22,
			     89.41.192.0/19, 89.41.240.0/21,
			     89.42.32.0/23, 89.42.44.0/22,
			     89.42.56.0/23, 89.42.68.0/23,
			     89.42.96.0/21, 89.42.136.0/22,
			     89.42.150.0/23, 89.42.184.0/21,
			     89.42.196.0/22, 89.42.208.0/22,
			     89.42.228.0/23, 89.43.0.0/20,
			     89.43.36.0/23, 89.43.70.0/23,
			     89.43.88.0/21, 89.43.96.0/21,
			     89.43.144.0/21, 89.43.182.0/23,
			     89.43.188.0/23, 89.43.204.0/23,
			     89.43.216.0/21, 89.43.224.0/21,
			     89.44.112.0/23, 89.44.118.0/23,
			     89.44.128.0/21, 89.44.146.0/23,
			     89.44.176.0/21, 89.44.190.0/23,
			     89.44.202.0/23, 89.44.240.0/22,
			     89.45.48.0/20, 89.45.68.0/23,
			     89.45.80.0/23, 89.45.89.0/24,
			     89.45.112.0/21, 89.45.126.0/23,
			     89.45.152.0/21, 89.45.230.0/23,
			     89.46.44.0/23, 89.46.60.0/23,
			     89.46.94.0/23, 89.46.184.0/21,
			     89.46.216.0/22, 89.47.64.0/20,
			     89.47.128.0/19, 89.47.196.0/22,
			     89.47.200.0/22, 89.144.128.0/18,
			     89.165.0.0/17, 89.196.0.0/16,
			     89.198.0.0/15, 89.219.64.0/18,
			     89.219.192.0/18, 89.221.80.0/20,
			     89.235.64.0/18, 91.92.104.0/24,
			     91.92.114.0/24, 91.92.121.0/24,
			     91.92.122.0/23, 91.92.124.0/22,
			     91.92.129.0/24, 91.92.130.0/23,
			     91.92.132.0/22, 91.92.145.0/24,
			     91.92.146.0/23, 91.92.148.0/22,
			     91.92.156.0/22, 91.92.164.0/22,
			     91.92.172.0/22, 91.92.180.0/22,
			     91.92.184.0/21, 91.92.192.0/23,
			     91.92.204.0/22, 91.92.208.0/21,
			     91.92.220.0/22, 91.92.228.0/23,
			     91.92.231.0/24, 91.92.236.0/22,
			     91.98.0.0/16, 91.106.64.0/19,
			     91.108.128.0/19, 91.109.104.0/21,
			     91.129.4.216, 91.129.18.175,
			     91.129.18.177, 91.129.20.124,
			     91.129.20.153, 91.129.27.160/31,
			     91.129.27.186/31, 91.129.27.188/31,
			     91.133.128.0/17, 91.134.114.80/28,
			     91.147.64.0/20, 91.184.64.0/19,
			     91.185.128.0/19, 91.186.192.0/23,
			     91.186.201.0/24, 91.186.216.0/23,
			     91.186.218.0/24, 91.190.88.0/21,
			     91.194.6.0/24, 91.199.9.0/24,
			     91.199.18.0/24, 91.199.27.0/24,
			     91.199.30.0/24, 91.207.138.0/23,
			     91.207.205.0/24, 91.208.165.0/24,
			     91.209.96.0/24, 91.209.161.0/24,
			     91.209.179.0/24, 91.209.183.0/24,
			     91.209.184.0/24, 91.209.186.0/24,
			     91.209.242.0/24, 91.212.16.0/24,
			     91.212.252.0/24, 91.213.151.0/24,
			     91.213.157.0/24, 91.213.167.0/24,
			     91.213.172.0/24, 91.216.4.0/24,
			     91.217.64.0/23, 91.217.177.0/24,
			     91.220.79.0/24, 91.220.113.0/24,
			     91.220.243.0/24, 91.221.240.0/23,
			     91.222.196.0/22, 91.222.204.0/22,
			     91.224.20.0/23, 91.224.110.0/23,
			     91.224.176.0/23, 91.225.52.0/22,
			     91.226.224.0/23, 91.227.84.0/22,
			     91.227.246.0/23, 91.228.22.0/23,
			     91.228.132.0/23, 91.228.189.0/24,
			     91.229.46.0/23, 91.229.214.0/23,
			     91.230.32.0/24, 91.232.64.0/22,
			     91.232.68.0/23, 91.232.72.0/22,
			     91.233.56.0/22, 91.234.52.0/24,
			     91.236.168.0/23, 91.237.254.0/23,
			     91.238.0.0/24, 91.239.14.0/24,
			     91.239.108.0/22, 91.239.210.0/24,
			     91.239.214.0/24, 91.240.60.0/22,
			     91.240.116.0/24, 91.240.180.0/22,
			     91.241.20.0/23, 91.241.92.0/24,
			     91.242.44.0/23, 91.243.126.0/23,
			     91.243.160.0/20, 91.244.120.0/22,
			     91.245.228.0/22, 91.246.31.0/24,
			     91.246.44.0/24, 91.247.66.0/23,
			     91.247.171.0/24, 91.247.174.0/24,
			     91.250.224.0/20, 91.251.0.0/16,
			     92.42.48.0/21, 92.43.160.0/22,
			     92.61.176.0/20, 92.114.16.0/20,
			     92.114.48.0/22, 92.114.64.0/20,
			     92.119.57.0/24, 92.119.58.0/24,
			     92.119.68.0/22, 92.242.192.0/19,
			     92.246.144.0/22, 92.246.156.0/22,
			     92.249.56.0/22, 93.88.64.0/21,
			     93.88.72.0/23, 93.93.204.0/24,
			     93.110.0.0/16, 93.113.224.0/20,
			     93.114.16.0/20, 93.114.104.0/21,
			     93.115.120.0/21, 93.115.144.0/21,
			     93.115.216.0/21, 93.115.224.0/20,
			     93.117.0.0/19, 93.117.32.0/20,
			     93.117.96.0/19, 93.117.176.0/20,
			     93.118.96.0/19, 93.118.128.0/19,
			     93.118.160.0/20, 93.118.180.0/22,
			     93.118.184.0/22, 93.119.32.0/19,
			     93.119.64.0/19, 93.119.208.0/20,
			     93.126.0.0/18, 93.190.24.0/21,
			     94.24.0.0/20, 94.24.16.0/21,
			     94.24.80.0/20, 94.24.96.0/21,
			     94.74.128.0/23, 94.74.130.1,
			     94.74.130.2/31, 94.74.130.4/30,
			     94.74.130.8/29, 94.74.130.16/28,
			     94.74.130.32/27, 94.74.130.64/26,
			     94.74.130.128/25, 94.74.131.0/24,
			     94.74.133.0/24, 94.74.134.0/23,
			     94.74.136.0/24, 94.74.138.0/23,
			     94.74.141.0/24, 94.74.142.0/23,
			     94.74.144.1, 94.74.144.2/31,
			     94.74.144.4/30, 94.74.144.8/29,
			     94.74.144.16/28, 94.74.144.32/27,
			     94.74.144.64/26, 94.74.144.128/25,
			     94.74.145.0/24, 94.74.146.0/24,
			     94.74.148.0/22, 94.74.152.0/23,
			     94.74.155.0/24, 94.74.160.0/22,
			     94.74.165.0/24, 94.74.166.0/23,
			     94.74.169.0/24, 94.74.170.0/24,
			     94.74.172.0/24, 94.74.174.0/23,
			     94.74.176.0/21, 94.74.186.0/24,
			     94.74.188.0/23, 94.74.190.0/24,
			     94.101.128.0/20, 94.101.176.0/20,
			     94.101.240.0/20, 94.139.160.0/19,
			     94.176.8.0/21, 94.176.32.0/21,
			     94.177.72.0/21, 94.182.0.0/15,
			     94.184.0.0/16, 94.199.136.0/22,
			     94.232.168.0/21, 94.241.164.0/22,
			     95.38.0.0/16, 95.64.0.0/17,
			     95.80.128.0/18, 95.81.64.0/18,
			     95.130.56.0/21, 95.130.225.0/24,
			     95.130.240.0/21, 95.142.224.0/20,
			     95.156.222.0/23, 95.156.233.0/24,
			     95.156.234.0/23, 95.156.236.0/23,
			     95.156.248.0/23, 95.156.252.0/22}
	}

	chain input {
		type filter hook input priority filter; policy accept;
		iifname "lo" accept comment "!fw4: Accept traffic from loopback"
		ct state established,related accept comment "!fw4: Allow inbound established and related flows"
		tcp flags syn / fin,syn,rst,ack jump syn_flood comment "!fw4: Rate limit TCP syn packets"
		iifname "br-lan" jump input_lan comment "!fw4: Handle lan IPv4/IPv6 input traffic"
		iifname "lan2" jump input_lan2 comment "!fw4: Handle lan2 IPv4/IPv6 input traffic"
		iifname "wan" jump input_wan comment "!fw4: Handle wan IPv4/IPv6 input traffic"
		iifname "sstp-Tor" jump input_VPN comment "!fw4: Handle VPN IPv4/IPv6 input traffic"
	}

	chain forward {
		type filter hook forward priority filter; policy drop;
		ct state established,related accept comment "!fw4: Allow forwarded established and related flows"
		iifname "br-lan" jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic"
		iifname "lan2" jump forward_lan2 comment "!fw4: Handle lan2 IPv4/IPv6 forward traffic"
		iifname "wan" jump forward_wan comment "!fw4: Handle wan IPv4/IPv6 forward traffic"
		iifname "sstp-Tor" jump forward_VPN comment "!fw4: Handle VPN IPv4/IPv6 forward traffic"
		jump handle_reject
	}

	chain output {
		type filter hook output priority filter; policy accept;
		oifname "lo" accept comment "!fw4: Accept traffic towards loopback"
		ct state established,related accept comment "!fw4: Allow outbound established and related flows"
		oifname "br-lan" jump output_lan comment "!fw4: Handle lan IPv4/IPv6 output traffic"
		oifname "lan2" jump output_lan2 comment "!fw4: Handle lan2 IPv4/IPv6 output traffic"
		oifname "wan" jump output_wan comment "!fw4: Handle wan IPv4/IPv6 output traffic"
		oifname "sstp-Tor" jump output_VPN comment "!fw4: Handle VPN IPv4/IPv6 output traffic"
	}

	chain prerouting {
		type filter hook prerouting priority filter; policy accept;
		iifname "br-lan" jump helper_lan comment "!fw4: Handle lan IPv4/IPv6 helper assignment"
		iifname "lan2" jump helper_lan2 comment "!fw4: Handle lan2 IPv4/IPv6 helper assignment"
	}

	chain handle_reject {
		meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic"
		reject comment "!fw4: Reject any other traffic"
	}

	chain syn_flood {
		limit rate 25/second burst 50 packets return comment "!fw4: Accept SYN packets below rate-limit"
		drop comment "!fw4: Drop excess packets"
	}

	chain input_lan {
		jump accept_from_lan
	}

	chain output_lan {
		jump accept_to_lan
	}

	chain forward_lan {
		jump accept_to_wan comment "!fw4: Accept lan to wan forwarding"
		jump accept_to_VPN comment "!fw4: Accept lan to VPN forwarding"
		jump accept_to_lan
	}

	chain helper_lan {
	}

	chain accept_from_lan {
		iifname "br-lan" counter packets 38 bytes 3420 accept comment "!fw4: accept lan IPv4/IPv6 traffic"
	}

	chain accept_to_lan {
		oifname "br-lan" counter packets 13 bytes 2065 accept comment "!fw4: accept lan IPv4/IPv6 traffic"
	}

	chain input_lan2 {
		jump accept_from_lan2
	}

	chain output_lan2 {
		jump accept_to_lan2
	}

	chain forward_lan2 {
		jump accept_to_wan comment "!fw4: Accept lan2 to wan forwarding"
		jump accept_to_lan2
	}

	chain helper_lan2 {
	}

	chain accept_from_lan2 {
		iifname "lan2" counter packets 0 bytes 0 accept comment "!fw4: accept lan2 IPv4/IPv6 traffic"
	}

	chain accept_to_lan2 {
		oifname "lan2" counter packets 10 bytes 1600 accept comment "!fw4: accept lan2 IPv4/IPv6 traffic"
	}

	chain input_wan {
		meta nfproto ipv4 udp dport 68 counter packets 0 bytes 0 accept comment "!fw4: Allow-DHCP-Renew"
		icmp type echo-request counter packets 0 bytes 0 accept comment "!fw4: Allow-Ping"
		meta nfproto ipv4 meta l4proto igmp counter packets 27 bytes 972 accept comment "!fw4: Allow-IGMP"
		meta nfproto ipv6 udp dport 546 counter packets 0 bytes 0 accept comment "!fw4: Allow-DHCPv6"
		ip6 saddr fe80::/10 icmpv6 type . icmpv6 code { mld-listener-query . no-route, mld-listener-report . no-route, mld-listener-done . no-route, mld2-listener-report . no-route } counter packets 0 bytes 0 accept comment "!fw4: Allow-MLD"
		icmpv6 type { destination-unreachable, time-exceeded, echo-request, echo-reply, nd-router-solicit, nd-router-advert } limit rate 1000/second counter packets 522 bytes 33408 accept comment "!fw4: Allow-ICMPv6-Input"
		icmpv6 type . icmpv6 code { packet-too-big . no-route, parameter-problem . no-route, nd-neighbor-solicit . no-route, nd-neighbor-advert . no-route, parameter-problem . admin-prohibited } limit rate 1000/second counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Input"
		jump reject_from_wan
	}

	chain output_wan {
		jump accept_to_wan
	}

	chain forward_wan {
		icmpv6 type { destination-unreachable, time-exceeded, echo-request, echo-reply } limit rate 1000/second counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Forward"
		icmpv6 type . icmpv6 code { packet-too-big . no-route, parameter-problem . no-route, parameter-problem . admin-prohibited } limit rate 1000/second counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Forward"
		meta l4proto esp counter packets 0 bytes 0 jump accept_to_lan comment "!fw4: Allow-IPSec-ESP"
		udp dport 500 counter packets 0 bytes 0 jump accept_to_lan comment "!fw4: Allow-ISAKMP"
		jump reject_to_wan
	}

	chain accept_to_wan {
		oifname "wan" counter packets 29 bytes 4350 accept comment "!fw4: accept wan IPv4/IPv6 traffic"
	}

	chain reject_from_wan {
		iifname "wan" counter packets 1149 bytes 231329 jump handle_reject comment "!fw4: reject wan IPv4/IPv6 traffic"
	}

	chain reject_to_wan {
		oifname "wan" counter packets 0 bytes 0 jump handle_reject comment "!fw4: reject wan IPv4/IPv6 traffic"
	}

	chain input_VPN {
		jump reject_from_VPN
	}

	chain output_VPN {
		jump accept_to_VPN
	}

	chain forward_VPN {
		jump reject_to_VPN
	}

	chain accept_to_VPN {
		oifname "sstp-Tor" counter packets 121 bytes 9416 accept comment "!fw4: accept VPN IPv4/IPv6 traffic"
	}

	chain reject_from_VPN {
		iifname "sstp-Tor" counter packets 1 bytes 40 jump handle_reject comment "!fw4: reject VPN IPv4/IPv6 traffic"
	}

	chain reject_to_VPN {
		oifname "sstp-Tor" counter packets 0 bytes 0 jump handle_reject comment "!fw4: reject VPN IPv4/IPv6 traffic"
	}

	chain dstnat {
		type nat hook prerouting priority dstnat; policy accept;
	}

	chain srcnat {
		type nat hook postrouting priority srcnat; policy accept;
		oifname "wan" jump srcnat_wan comment "!fw4: Handle wan IPv4/IPv6 srcnat traffic"
		oifname "sstp-Tor" jump srcnat_VPN comment "!fw4: Handle VPN IPv4/IPv6 srcnat traffic"
	}

	chain srcnat_wan {
		meta nfproto ipv4 masquerade comment "!fw4: Masquerade IPv4 wan traffic"
	}

	chain srcnat_VPN {
		meta nfproto ipv4 masquerade comment "!fw4: Masquerade IPv4 VPN traffic"
	}

	chain raw_prerouting {
		type filter hook prerouting priority raw; policy accept;
	}

	chain raw_output {
		type filter hook output priority raw; policy accept;
	}

	chain mangle_prerouting {
		type filter hook prerouting priority mangle; policy accept;
		jump pbr_prerouting comment "Jump into pbr prerouting chain"
	}

	chain mangle_postrouting {
		type filter hook postrouting priority mangle; policy accept;
		jump pbr_postrouting comment "Jump into pbr postrouting chain"
	}

	chain mangle_input {
		type filter hook input priority mangle; policy accept;
		jump pbr_input comment "Jump into pbr input chain"
	}

	chain mangle_output {
		type route hook output priority mangle; policy accept;
		jump pbr_output comment "Jump into pbr output chain"
	}

	chain mangle_forward {
		type filter hook forward priority mangle; policy accept;
		iifname "wan" tcp flags syn tcp option maxseg size set rt mtu comment "!fw4: Zone wan IPv4/IPv6 ingress MTU fixing"
		oifname "wan" tcp flags syn tcp option maxseg size set rt mtu comment "!fw4: Zone wan IPv4/IPv6 egress MTU fixing"
		jump pbr_forward comment "Jump into pbr forward chain"
	}

	chain pbr_forward {
	}

	chain pbr_input {
	}

	chain pbr_output {
	}

	chain pbr_prerouting {
		ip saddr @pbr_wan_4_src_ip_cfg046ff5 goto pbr_mark_0x010000 comment "lan2wan"
		ip daddr @pbr_wan_4_dst_ip_cfg056ff5 goto pbr_mark_0x010000 comment "IRI"
		ip daddr 92.114.16.80/28 goto pbr_mark_0x010000 comment "IRI"
		ip daddr 2.146.0.0/28 goto pbr_mark_0x010000 comment "IRI"
		ip daddr 46.224.2.32/29 goto pbr_mark_0x010000 comment "IRI"
		ip daddr 83.123.255.56/31 goto pbr_mark_0x010000 comment "IRI"
		ip daddr 188.229.116.16/29 goto pbr_mark_0x010000 comment "IRI"
		ip daddr 164.138.128.28/31 goto pbr_mark_0x010000 comment "IRI"
		ip daddr 94.182.182.28/30 goto pbr_mark_0x010000 comment "IRI"
		ip daddr @pbr_wan_4_dst_ip_cfg056ff5 goto pbr_mark_0x010000 comment "IRI"
		ip daddr 5.213.255.36/31 goto pbr_mark_0x010000 comment "IRI"
		ip daddr 185.228.238.0/28 goto pbr_mark_0x010000 comment "IRI"
		ip daddr 94.182.153.24/29 goto pbr_mark_0x010000 comment "IRI"
		ip daddr 94.101.182.0/27 goto pbr_mark_0x010000 comment "IRI"
		ip daddr 158.255.77.238/31 goto pbr_mark_0x010000 comment "IRI"
		ip daddr 81.12.28.16/29 goto pbr_mark_0x010000 comment "IRI"
		ip daddr 176.65.192.202/31 goto pbr_mark_0x010000 comment "IRI"
		ip daddr 2.144.3.128/28 goto pbr_mark_0x010000 comment "IRI"
		ip daddr 89.45.48.64/28 goto pbr_mark_0x010000 comment "IRI"
		ip daddr 37.32.16.0/27 goto pbr_mark_0x010000 comment "IRI"
		ip daddr 37.32.17.0/27 goto pbr_mark_0x010000 comment "IRI"
		ip daddr 37.32.18.0/27 goto pbr_mark_0x010000 comment "IRI"
		ip daddr 37.32.19.0/27 goto pbr_mark_0x010000 comment "IRI"
		ip daddr @pbr_wan_4_dst_ip_cfg056ff5 goto pbr_mark_0x010000 comment "IRI"
	}

	chain pbr_postrouting {
	}

	chain pbr_mark_0x010000 {
		counter packets 0 bytes 0 meta mark set meta mark & 0xff01ffff | 0x00010000
		return
	}

	chain pbr_mark_0x020000 {
		counter packets 0 bytes 0 meta mark set meta mark & 0xff02ffff | 0x00020000
		return
	}

	chain pbr_mark_0x030000 {
		counter packets 0 bytes 0 meta mark set meta mark & 0xff03ffff | 0x00030000
		return
	}
}

All the IPs are there and it's working. The only issue is the time it takes to load.

I read the article here:

I really didn't understand how to implement my case. Are there any LuCI tutorials?

You have a HUGE AMOUNT of ranges, so it is a great achievement that it works.

There are bash scripts to manually configure rules. If you use the package, you do not need them.

Yeah I know, they're for a whole country :sweat_smile:
Any ideas how to achieve my goal in a more convenient way?

The linked script should assign interfaces to separate routing tables and set up the default routing rule.
Then you need to create firewall and routing rules setting and matching a mark for the target IP set.
You can adjust the configured IP sets and rules using LuCI.

Edit: after a bit of research, I understood what you did and I applied it on my router but it seems that it doesn't take effect for some reason.

Collect the runtime diagnostics and post them to pastebin.com, redacting the private parts:

ip address show; ip route show table all
ip rule show; ip -6 rule show; nft list ruleset

What is described here requires nothing more than adding an entry to the destination-based routing table that exists by default. Internet destinations within the /14 range would use the wan interface and gateway, while the default route remains VPN.

config route
    option target '104.24.0.0/14'
    option interface 'wan'
    option gateway [ISP GATEWAY]

I'm not sure if the gateway setting is always needed, since in many cases you can send a packet into the wan interface and it will find its way to the Internet anyway.

Here you go: https://pastebin.com/0mzWUBPs
password: Ow@123!

This actually worked! But this only accepts one IP/subnet and I want to target a list of IPs.
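
One way to cover a whole list with the `config route` approach from this thread, as an added example that is not from any participant's post: a shell script that validates each prefix and emits one `config route` stanza per entry. The function names, the sample list and the gateway 192.0.2.1 (a documentation address standing in for the ISP gateway) are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): build OpenWrt `config route` stanzas
# from a list of IPv4 prefixes. Every accepted prefix leaves the VPN, so
# malformed lines are rejected instead of being guessed at.

# norm_cidr PREFIX
# Prints PREFIX as a.b.c.d/len (bare hosts become /32); returns 1 if invalid.
norm_cidr() {
    nc_addr=${1%%/*}
    nc_len=32
    case $1 in */*) nc_len=${1#*/} ;; esac
    # Prefix length: decimal digits only, no leading zero, 0..32.
    case $nc_len in ''|*[!0-9]*|0?*|???*) return 1 ;; esac
    [ "$nc_len" -le 32 ] || return 1
    # Address: digits separated by single dots.
    case $nc_addr in ''|*[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    nc_ifs=$IFS; IFS=.
    set -- $nc_addr
    IFS=$nc_ifs
    [ $# -eq 4 ] || return 1
    for nc_o in "$@"; do
        # Leading zeros would be read as octal by shell arithmetic.
        case $nc_o in 0?*|????*) return 1 ;; esac
        [ "$nc_o" -le 255 ] || return 1
    done
    nc_ip=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    # Host bits below the prefix length must be zero (64-bit shell arithmetic assumed).
    [ $(( nc_ip & ((1 << (32 - nc_len)) - 1) )) -eq 0 ] || return 1
    printf '%s/%s\n' "$nc_addr" "$nc_len"
}

# gen_routes IFACE [GATEWAY] < list
# Reads one prefix per line ('#' comments and blank lines allowed), writes
# UCI stanzas to stdout and reports rejected lines on stderr.
gen_routes() {
    gr_iface=$1
    gr_gw=${2:-}
    sed -e 's/#.*//' -e 's/[[:space:]]//g' -e '/^$/d' |
    while IFS= read -r gr_p || [ -n "$gr_p" ]; do
        norm_cidr "$gr_p" || echo "skipped invalid prefix: $gr_p" >&2
    done | sort -u |
    while IFS= read -r gr_p; do
        printf "config route\n"
        printf "    option target '%s'\n" "$gr_p"
        printf "    option interface '%s'\n" "$gr_iface"
        [ -z "$gr_gw" ] || printf "    option gateway '%s'\n" "$gr_gw"
        printf "\n"
    done
}

# Constructed sample list; only the first range comes from the question.
gen_routes wan 192.0.2.1 <<'EOF'
104.24.0.0/14      # range from the question
2.144.0.0/14
62.95.84.234       # bare host, emitted as /32
104.24.0.5/14      # rejected: host bits set
300.1.1.1/24       # rejected: octet out of range
EOF
```

Redirect the output to a file, review it, then append it to /etc/config/network and reload the network service.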