Configure PBR with WG

Hey guys,

I'm trying to configure PBR with WG.

Basically, what I want is to create a separate Wi-Fi SSID, and all the devices connected to this SSID will have VPN.

I had used PBR with domain-name-based policies and with device IPs, but I'm not satisfied with these setups, because domain-name-based policies aren't working as I expected.

I tried to search on the internet but did not find any guide for routing a separate Wi-Fi SSID's traffic through the WG interface.

Can anyone please help me configure it so that all the traffic from a particular SSID will route to the WG interface?

Thanks,

If the SSID is connected to a separate subnet, then that is no problem.

Set up a guest Wi-Fi:
https://openwrt.org/docs/guide-user/network/wifi/guestwifi/configuration_webinterface

Then route that guest subnet via PBR; the PBR guide has instructions on how to route a subnet or interface via the WG tunnel:


Thank you so much, I will follow the instructions.

Also, if I want all the traffic from router LAN port 1 to route through the WG interface, do I have to follow the same instructions below?

Yes, you add LAN port 1 to br-guest instead of br-lan, assuming your router is using DSA.


In bridge ports, I will select lan1?

Yes, but first remove it from br-lan.

Nowhere in the above instructions is it mentioned to add br-lan.

Okay, will do this and will update here.

Thanks bro, WG is now working with the guest network.

Can you please check the IP ranges; will it include all the IPs in the guest interface?

Also, I configured lan1 in br-guest, and another OpenWrt router is connected through lan1, but it does not have internet now.


As you did not show your settings, I cannot tell.

But it is easier to use the interface (device) name preceded with an @, so in this case just use as local address/devices:

@br-guest

If it does not work, then please connect to your OpenWrt device using SSH, copy the output of the following commands and post it here using the "Preformatted text </>" button.

Remember to redact keys, passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall
ip route show
ip route show table all
ip rule show
wg show
cat /etc/config/pbr
service pbr reload
service pbr status
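Tying the steps above together (the guest Wi-Fi on its own bridge, the `@br-guest` policy, and the config files the poster is asked to dump), here is an added example that is not part of the thread and not pbr's own code: a small Python UCI parser with consistency checks for the slips this kind of setup invites, namely a port left in two bridges, bridge_empty left on a bridge that now has ports, the WG interface outside a masquerading zone the guest zone can forward to, and a guest zone that rejects input without DHCP/DNS exceptions. The sample config text is constructed to mirror the poster's layout with keys redacted, and the check names are mine; nothing is read from a live router.

```python
"""Added example, not code from the thread or the pbr project: a minimal UCI
parser plus consistency checks for the guest-SSID-through-WireGuard layout.
Constructed sample config only; nothing is read from a live router."""
import re
from collections import defaultdict

# Constructed /etc/config/network fragment: lan1 is in both bridges and
# br-guest still has bridge_empty set (the two slips discussed in the thread).
SAMPLE_NETWORK = """
config device
    option name 'br-lan'
    option type 'bridge'
    list ports 'lan1'
    list ports 'lan2'
config device
    option name 'br-guest'
    option type 'bridge'
    option bridge_empty '1'
    list ports 'lan1'
config interface 'guest'
    option device 'br-guest'
"""
SAMPLE_FIREWALL = """
config zone
    option name 'wan'
    option masq '1'
    list network 'wan'
    list network 'wg'
config zone
    option name 'guest'
    option input 'REJECT'
    list network 'guest'
config forwarding
    option src 'guest'
    option dest 'wan'
config rule
    option src 'guest'
    option dest_port '53'
    option target 'ACCEPT'
config rule
    list proto 'udp'
    option src 'guest'
    option dest_port '67'
    option target 'ACCEPT'
"""
SAMPLE_PBR = """
config policy
    option src_addr '@br-guest'
    option interface 'wg'
"""
_LINE = re.compile(r"^(config|option|list)\s+(\S+)(?:\s+(.*))?$")

def _unquote(s):
    s = s.strip()
    return s[1:-1] if len(s) >= 2 and s[0] == s[-1] and s[0] in "'\"" else s

def parse_uci(text):
    """Parse UCI text into [{'type', 'name', 'opts': {key: [values]}}]."""
    sections, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"unparsable UCI line: {raw!r}")
        kind, key, rest = m.group(1), m.group(2), m.group(3) or ""
        if kind == "config":
            cur = {"type": key, "name": _unquote(rest) or None, "opts": defaultdict(list)}
            sections.append(cur)
        else:
            cur["opts"][key].append(_unquote(rest))
    return sections

def opt(sec, key, default=None):
    vals = sec["opts"].get(key)
    return vals[0] if vals else default

def check_setup(network, firewall, pbr):
    """Return human-readable findings; an empty list means the layout is consistent."""
    findings, owner = [], defaultdict(list)
    # 1. Under DSA a port belongs to one bridge; bridge_empty only makes sense without ports.
    for s in (s for s in network if s["type"] == "device" and opt(s, "type") == "bridge"):
        for p in s["opts"].get("ports", []):
            owner[p].append(opt(s, "name"))
        if s["opts"].get("ports") and opt(s, "bridge_empty", "0") == "1":
            findings.append(f"{opt(s, 'name')}: bridge_empty set although ports are attached")
    findings += [f"port {p} is in more than one bridge: {', '.join(b)}" for p, b in owner.items() if len(b) > 1]
    # 2. pbr must route the guest bridge, addressed as @device, via wg.
    guest_dev = next((opt(s, "device") for s in network if s["type"] == "interface" and s["name"] == "guest"), None)
    if not any(s["type"] == "policy" and opt(s, "enabled", "1") == "1" and opt(s, "interface") == "wg"
               and opt(s, "src_addr") == f"@{guest_dev}" for s in pbr):
        findings.append(f"no enabled pbr policy routes @{guest_dev} via wg")
    # 3. wg must sit in a masquerading zone that the guest zone is allowed to forward to.
    wg_zone = next((z for z in firewall if z["type"] == "zone" and "wg" in z["opts"].get("network", [])), None)
    if wg_zone is None:
        findings.append("interface wg is not covered by any firewall zone")
    else:
        zname = opt(wg_zone, "name")
        if opt(wg_zone, "masq", "0") != "1":
            findings.append(f"zone {zname} holding wg does not masquerade")
        if not any(f["type"] == "forwarding" and opt(f, "src") == "guest" and opt(f, "dest") == zname for f in firewall):
            findings.append(f"no forwarding from zone guest to zone {zname}")
    for port in ("67", "53"):  # 4. guest input is REJECT, so DHCP and DNS to the router need ACCEPT rules
        if not any(r["type"] == "rule" and opt(r, "src") == "guest" and not opt(r, "dest")
                   and opt(r, "dest_port") == port and opt(r, "target") == "ACCEPT" for r in firewall):
            findings.append(f"guest zone has no ACCEPT rule for router port {port}")
    return findings

def fixed_network():
    """SAMPLE_NETWORK with lan1 taken out of br-lan and bridge_empty dropped, as advised above."""
    lines = SAMPLE_NETWORK.splitlines()
    del lines[next(i for i, l in enumerate(lines) if "list ports 'lan1'" in l)]  # the br-lan entry
    return "\n".join(l for l in lines if "bridge_empty" not in l)

def audit(network_text=SAMPLE_NETWORK):
    return check_setup(parse_uci(network_text), parse_uci(SAMPLE_FIREWALL), parse_uci(SAMPLE_PBR))
```

On a real router the same functions can be pointed at the output of `cat /etc/config/network`, `cat /etc/config/firewall` and `cat /etc/config/pbr`; the parser handles the `config`/`option`/`list` lines those files consist of and raises on anything else, so a pasted dump with prompts left in fails loudly rather than silently.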


Is it good?

root@Androidtv:~# ubus call system board
{
        "kernel": "6.6.73",
        "hostname": "Androidtv",
        "system": "ARMv8 Processor rev 4",
        "model": "Linksys E8450 (UBI)",
        "board_name": "linksys,e8450-ubi",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "24.10.0",
                "revision": "r28427-6df0e3d02a",
                "target": "mediatek/mt7622",
                "description": "OpenWrt 24.10.0 r28427-6df0e3d02a",
                "builddate": "1738624177"
        }
}
root@Androidtv:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fde5:8779:a4c1::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '10.0.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'

config device
        option type 'bridge'
        option name 'br-guest'
        option bridge_empty '1'
        list ports 'lan1'

config interface 'guest'
        option proto 'static'
        option device 'br-guest'
        option ipaddr '10.0.2.1'
        option netmask '255.255.255.0'

config interface 'wg'
        option proto 'wireguard'
        option private_key 'WPoaJp710PwKLwFiAduzNHVL9CmTBmVRcTIZl4tg2Fk='
        list addresses '172.16.0.2/32'
        list addresses '2606:4700:110:837d:2c16:1f6a:d6e8:e881/128'
        list dns '1.1.1.1'
        list dns '1.0.0.1'
        list dns '2606:4700:4700::1111'
        list dns '2606:4700:4700::1001'
        option mtu '1280'

config wireguard_wg
        option description 'Imported peer configuration'
        option public_key 'bmXOC+F1FxEMF9dyiK2H5/1SUtzH0JuVo51h2wPfgyo='
        list allowed_ips '0.0.0.0/0'
        list allowed_ips '::/0'
        option endpoint_host '162.159.192.1'
        option endpoint_port '2408'
        option persistent_keepalive '25'

root@Androidtv:~# cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option phy 'wl0'
        option band '2g'
        option channel '11'
        option htmode 'HT40'
        option country 'SA'
        option cell_density '0'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid 'ZERO'
        option encryption 'psk2'
        option key '95506666'

config wifi-device 'radio1'
        option type 'mac80211'
        option phy 'wl1'
        option band '5g'
        option channel '48'
        option htmode 'VHT40'
        option country 'SA'
        option cell_density '0'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option ssid 'ZERO'
        option encryption 'psk2'
        option key '95506666'

config wifi-iface 'wifinet2'
        option device 'radio0'
        option mode 'ap'
        option ssid 'Needed'
        option encryption 'psk2'
        option key '95506666'
        option network 'guest'

config wifi-iface 'wifinet3'
        option device 'radio1'
        option mode 'ap'
        option ssid 'Needed'
        option encryption 'psk2'
        option key '95506666'
        option network 'guest'

root@Androidtv:~# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option localservice '1'
        option ednspacket_max '1232'
        list server '127.0.0.1#5453'
        option noresolv '1'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dhcp 'guest'
        option interface 'guest'
        option start '100'
        option limit '150'
        option leasetime '12h'

root@Androidtv:~# cat /etc/config/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'
        list network 'wg'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'blocked'
        option src 'lan'
        option dest 'wan'
        list dest_ip '10.0.0.1'
        list dest_ip '192.168.1.1'
        list dest_ip '192.168.0.1'
        option target 'REJECT'
        list proto 'all'
        list src_ip '!10.0.1.213'
        list src_ip '!10.0.1.187'

config zone
        option name 'guest'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'guest'

config forwarding
        option src 'guest'
        option dest 'wan'

config rule
        option name 'allowdns'
        option src 'guest'
        option dest_port '53'
        option target 'ACCEPT'

config rule
        option name 'allowdhcp'
        list proto 'udp'
        option src 'guest'
        option dest_port '67'
        option target 'ACCEPT'

config include 'pbr'
        option fw4_compatible '1'
        option type 'script'
        option path '/usr/share/pbr/firewall.include'

root@Androidtv:~# ip route show
default via 10.0.0.1 dev wan proto static src 10.0.54.247
10.0.0.0/8 dev wan proto kernel scope link src 10.0.54.247
10.0.1.0/24 dev br-lan proto kernel scope link src 10.0.1.1
10.0.2.0/24 dev br-guest proto kernel scope link src 10.0.2.1
162.159.192.1 via 10.0.0.1 dev wan proto static
root@Androidtv:~# ip route show table all
default via 10.0.0.1 dev wan table pbr_wan
10.0.1.0/24 dev br-lan table pbr_wan proto kernel scope link src 10.0.1.1
10.0.2.0/24 dev br-guest table pbr_wan proto kernel scope link src 10.0.2.1
default via 172.16.0.2 dev wg table pbr_wg
10.0.1.0/24 dev br-lan table pbr_wg proto kernel scope link src 10.0.1.1
10.0.2.0/24 dev br-guest table pbr_wg proto kernel scope link src 10.0.2.1
default via 10.0.0.1 dev wan proto static src 10.0.54.247
10.0.0.0/8 dev wan proto kernel scope link src 10.0.54.247
10.0.1.0/24 dev br-lan proto kernel scope link src 10.0.1.1
10.0.2.0/24 dev br-guest proto kernel scope link src 10.0.2.1
162.159.192.1 via 10.0.0.1 dev wan proto static
local 10.0.1.1 dev br-lan table local proto kernel scope host src 10.0.1.1
broadcast 10.0.1.255 dev br-lan table local proto kernel scope link src 10.0.1.1
local 10.0.2.1 dev br-guest table local proto kernel scope host src 10.0.2.1
broadcast 10.0.2.255 dev br-guest table local proto kernel scope link src 10.0.2.1
local 10.0.54.247 dev wan table local proto kernel scope host src 10.0.54.247
broadcast 10.255.255.255 dev wan table local proto kernel scope link src 10.0.54.247
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
local 172.16.0.2 dev wg table local proto kernel scope host src 172.16.0.2
2606:4700:110:837d:2c16:1f6a:d6e8:e881 dev wg proto kernel metric 256 pref medium
fde5:8779:a4c1::/64 dev br-lan proto static metric 1024 pref medium
unreachable fde5:8779:a4c1::/48 dev lo proto static metric 2147483647 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev wan proto kernel metric 256 pref medium
fe80::/64 dev br-lan proto kernel metric 256 pref medium
fe80::/64 dev br-guest proto kernel metric 256 pref medium
fe80::/64 dev ifb4wan proto kernel metric 256 pref medium
local ::1 dev lo table local proto kernel metric 0 pref medium
local 2606:4700:110:837d:2c16:1f6a:d6e8:e881 dev wg table local proto kernel metric 0 pref medium
anycast fde5:8779:a4c1:: dev br-lan table local proto kernel metric 0 pref medium
local fde5:8779:a4c1::1 dev br-lan table local proto kernel metric 0 pref medium
anycast fe80:: dev eth0 table local proto kernel metric 0 pref medium
anycast fe80:: dev wan table local proto kernel metric 0 pref medium
anycast fe80:: dev br-lan table local proto kernel metric 0 pref medium
anycast fe80:: dev br-guest table local proto kernel metric 0 pref medium
anycast fe80:: dev ifb4wan table local proto kernel metric 0 pref medium
local fe80::9806:b2ff:fef1:86aa dev ifb4wan table local proto kernel metric 0 pref medium
local fe80::ea9f:80ff:fe67:5d56 dev wan table local proto kernel metric 0 pref medium
local fe80::ea9f:80ff:fe67:5d57 dev eth0 table local proto kernel metric 0 pref medium
local fe80::ea9f:80ff:fe67:5d57 dev br-lan table local proto kernel metric 0 pref medium
local fe80::ea9f:80ff:fe67:5d57 dev br-guest table local proto kernel metric 0 pref medium
multicast ff00::/8 dev eth0 table local proto kernel metric 256 pref medium
multicast ff00::/8 dev br-lan table local proto kernel metric 256 pref medium
multicast ff00::/8 dev wan table local proto kernel metric 256 pref medium
multicast ff00::/8 dev br-guest table local proto kernel metric 256 pref medium
multicast ff00::/8 dev ifb4wan table local proto kernel metric 256 pref medium
multicast ff00::/8 dev wg table local proto kernel metric 256 pref medium
root@Androidtv:~# ip rule show
0:      from all lookup local
29998:  from all fwmark 0x20000/0xff0000 lookup pbr_wg
30000:  from all fwmark 0x10000/0xff0000 lookup pbr_wan
32766:  from all lookup main
32767:  from all lookup default
root@Androidtv:~# wg show
interface: wg
  public key: p0ODnGuBldf/6ep8cWS4TQgvvquKpzA1kxKwIfb5Jik=
  private key: (hidden)
  listening port: 34858

peer: bmXOC+F1FxEMF9dyiK2H5/1SUtzH0JuVo51h2wPfgyo=
  endpoint: 162.159.192.1:2408
  allowed ips: 0.0.0.0/0, ::/0
  latest handshake: 1 minute, 22 seconds ago
  transfer: 604.40 MiB received, 21.24 MiB sent
  persistent keepalive: every 25 seconds
root@Androidtv:~# cat /etc/config/pbr

config pbr 'config'
        option enabled '1'
        option verbosity '2'
        option strict_enforcement '1'
        option resolver_set 'none'
        list resolver_instance '*'
        option ipv6_enabled '0'
        list ignored_interface 'vpnserver'
        option boot_timeout '30'
        option rule_create_option 'add'
        option procd_reload_delay '1'
        option webui_show_ignore_target '0'
        option nft_rule_counter '0'
        option nft_set_auto_merge '1'
        option nft_set_counter '0'
        option nft_set_flags_interval '1'
        option nft_set_flags_timeout '0'
        option nft_set_policy 'performance'
        list webui_supported_protocol 'all'
        list webui_supported_protocol 'tcp'
        list webui_supported_protocol 'udp'
        list webui_supported_protocol 'tcp udp'
        list webui_supported_protocol 'icmp'

config include
        option path '/usr/share/pbr/pbr.user.aws'
        option enabled '0'

config include
        option path '/usr/share/pbr/pbr.user.netflix'
        option enabled '0'

config dns_policy
        option name 'Redirect Local IP DNS'
        option src_addr '192.168.1.5'
        option dest_dns '1.1.1.1'
        option enabled '0'

config policy
        option name 'Ignore Local Requests'
        option interface 'ignore'
        option dest_addr '10.0.0.0/24 10.0.1.0/24 192.168.100.0/24 192.168.1.0/24'
        option enabled '0'

config policy
        option name 'Plex/Emby Local Server'
        option interface 'wan'
        option src_port '8096 8920 32400'
        option enabled '0'

config policy
        option name 'Plex/Emby Remote Servers'
        option interface 'wan'
        option dest_addr 'plex.tv my.plexapp.com emby.media app.emby.media tv.emby.media'
        option enabled '0'

config policy
        option name 'guest'
        option src_addr '@br-guest'
        option interface 'wg'

root@Androidtv:~# service pbr reload
Using wan interface (on_start): wan [✓]
Found wan gateway (on_start): 10.0.0.1 [✓]
Setting up routing for 'wan/10.0.0.1' [✓]
Setting up routing for 'wg/172.16.0.2' [✓]
Routing 'guest' via wg [✓]
Installing fw4 nft file [✓]
Setting interface trigger for wan [✓]
Setting interface trigger for wg [✓]

pbr 1.1.8-r10 monitoring interfaces: wan wg
pbr 1.1.8-r10 (fw4 nft file mode) started with gateways:
wan/10.0.0.1 [✓]
wg/172.16.0.2
WARNING: Please set 'dhcp.lan.force=1' to speed up service start-up.
root@Androidtv:~# service pbr status

pbr - environment
pbr 1.1.8-r10 running on OpenWrt 24.10.0.

Dnsmasq version 2.90  Copyright (c) 2000-2024 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus UBus no-i18n no-IDN DHCP no-DHCPv6 no-Lua TFTP no-conntrack no-ipset no-nftset no-auth no-cryptohash no-DNSSEC no-ID loop-detect inotify dumpfile

pbr fw4 nft file: /usr/share/nftables.d/ruleset-post/30-pbr.nft
add chain inet fw4 pbr_mark_0x010000
add rule inet fw4 pbr_mark_0x010000  mark set mark and 0xff00ffff xor 0x010000
add rule inet fw4 pbr_mark_0x010000 return
add chain inet fw4 pbr_mark_0x020000
add rule inet fw4 pbr_mark_0x020000  mark set mark and 0xff00ffff xor 0x020000
add rule inet fw4 pbr_mark_0x020000 return
add rule inet fw4 pbr_prerouting iifname { br-guest }  goto pbr_mark_0x020000 comment "guest"

pbr chains - policies
        chain pbr_forward { # handle 37
        }
        chain pbr_input { # handle 38
        }
        chain pbr_output { # handle 39
        }
        chain pbr_postrouting { # handle 41
        }
        chain pbr_prerouting { # handle 40
                iifname "br-guest" goto pbr_mark_0x020000 comment "guest" # handle 813
        }
        chain pbr_dstnat { # handle 36
        }

pbr chains - marking
        chain pbr_mark_0x010000 { # handle 807
                meta mark set meta mark & 0xff01ffff | 0x00010000 # handle 808
                return # handle 809
        }
        chain pbr_mark_0x020000 { # handle 810
                meta mark set meta mark & 0xff02ffff | 0x00020000 # handle 811
                return # handle 812
        }

pbr nft sets

pbr tables & routing
IPv4 table 256 pbr_wan route:
default via 10.0.0.1 dev wan
IPv4 table 256 pbr_wan rule(s):
30000:  from all fwmark 0x10000/0xff0000 lookup pbr_wan

IPv4 table 257 pbr_wg route:
default via 172.16.0.2 dev wg
IPv4 table 257 pbr_wg rule(s):
29998:  from all fwmark 0x20000/0xff0000 lookup pbr_wg


What is upstream, e.g. on address 10.0.1.1?
Overlapping subnets are not something I would use; it works, though, as the smaller subnets take precedence.

Some small things: the bridge is no longer empty, so remove that:

Use a /24 subnet mask for the WG list address:

Reboot afterwards.

Otherwise it looks OK at first glance.
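To make the decision path in the `service pbr status` and `ip rule` output above concrete, and to show why "the smaller subnets take precedence" when 10.0.0.0/8 and 10.0.1.0/24 both sit in the main table, here is an added example that is not part of the thread and not pbr's code: a toy Python replay of the nft mark chain, the fwmark rules and the per-table routes. The rule and route data are transcribed from the posted output (IPv4 only, broadcast entries omitted); the packets fed through it are constructed.

```python
"""Added example, not code from the thread or from pbr: a toy replay of the
fwmark policy routing shown in the `service pbr status` output above.  The nft
mark chain, ip rules and per-table routes are transcribed from that post
(IPv4 only); the packets fed through them are constructed."""
import ipaddress

# pbr_prerouting: iifname "br-guest" goto pbr_mark_0x020000, whose rule is
# "meta mark set meta mark & 0xff02ffff | 0x00020000" (keep-mask, set-bits).
MARK_CHAINS = {"br-guest": (0xff02ffff, 0x00020000)}

# `ip rule show`: (priority, (fwmark, mask) or None for unconditional, table).
IP_RULES = [
    (0, None, "local"),
    (29998, (0x20000, 0xff0000), "pbr_wg"),
    (30000, (0x10000, 0xff0000), "pbr_wan"),
    (32766, None, "main"),
    (32767, None, "default"),
]

# `ip route show table all`, as (prefix, egress).  "local" marks delivery to the router itself.
TABLES = {
    "local": [("10.0.1.1/32", "local"), ("10.0.2.1/32", "local"), ("172.16.0.2/32", "local")],
    "pbr_wan": [("0.0.0.0/0", "wan"), ("10.0.1.0/24", "br-lan"), ("10.0.2.0/24", "br-guest")],
    "pbr_wg": [("0.0.0.0/0", "wg"), ("10.0.1.0/24", "br-lan"), ("10.0.2.0/24", "br-guest")],
    "main": [("0.0.0.0/0", "wan"), ("10.0.0.0/8", "wan"), ("10.0.1.0/24", "br-lan"),
             ("10.0.2.0/24", "br-guest"), ("162.159.192.1/32", "wan")],
    "default": [],
}

def apply_mark(iif, mark=0):
    """Replay pbr_prerouting for a packet entering on `iif` with an existing mark."""
    if iif in MARK_CHAINS:
        keep, set_bits = MARK_CHAINS[iif]
        mark = (mark & keep) | set_bits   # clears pbr's own bits 16-23, keeps everything else
    return mark

def lookup(table, dst):
    """Longest-prefix match within one table; None when the table has no route for dst."""
    ip, best = ipaddress.ip_address(dst), None
    for prefix, dev in TABLES[table]:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None

def route(iif, dst):
    """Walk the ip rules in priority order, as the kernel's fib-rules engine does."""
    mark = apply_mark(iif)
    for _prio, fwmark, table in sorted(IP_RULES, key=lambda r: r[0]):
        if fwmark is not None and (mark & fwmark[1]) != fwmark[0]:
            continue                      # rule does not match this mark
        dev = lookup(table, dst)
        if dev is not None:
            return {"mark": mark, "table": table, "dev": dev}
    return {"mark": mark, "table": None, "dev": None}   # unroutable

if __name__ == "__main__":
    for iif, dst in [("br-guest", "1.1.1.1"), ("br-lan", "1.1.1.1"), ("br-guest", "10.0.1.50"),
                     ("br-lan", "10.0.54.1"), ("br-guest", "10.0.2.1")]:
        r = route(iif, dst)
        print(f"{iif:9} -> {dst:12} mark=0x{r['mark']:06x} table={str(r['table']):8} dev={r['dev']}")
```

Two things the replay makes visible: a guest packet to 10.0.1.50 is still routed (via br-lan in table pbr_wg), so it is only the firewall's REJECT between the guest and lan zones that keeps the guest network isolated, not the routing; and the mask in the mark chain clears any earlier pbr mark (0x10000 becomes 0x20000) while leaving the other mark bits untouched.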

Yes.

You mean to say change the subnet to some other one, like 192.168.10.1?

I unchecked "bring up empty bridge", correct?

Okay.

Rebooted.
Bro, still no internet from lan1, but from Wi-Fi it is working fine.

OK, you might need to use bridged VLANs instead of simply moving the port to br-guest.

I have a Dynalink DL-WRX36 and it works on that router, but it is possible your router cannot deal with this and needs bridged VLANs; I am not a VLAN expert, though.

