Does PBR work with macvlan interfaces?

It seems it does not.

The situation: I have a backbone network with multiple gateway-capable routers on 192.168.17.0/24. Since mwan3 and pbr do not like having multiple default gateways on the same network, I had to create a macvlan device to fake another interface on the same network with its own gateway.

config interface 'wan'
	option device 'eth0.21'
	option proto 'static'
	list ipaddr '192.168.17.1/24'
	option gateway '192.168.17.5'

config device 'macvlan0'
	option name 'macvlan0'
	option type 'macvlan'
	option ifname 'eth0.21'

config interface 'wan2'
	option device 'macvlan0'
	option proto 'static'
	list ipaddr '192.168.17.2/24'
	option gateway '192.168.17.6'

/etc/init.d/pbr restart

Routing 'test1' via wan2 [✗]
Installing fw4 nft file [✓]
Setting interface trigger for wan [✓]
pbr 1.2.1-r87 monitoring interfaces: wan
pbr 1.2.1-r87 (fw4 nft file mode) started with gateways:
wan/eth0.21/192.168.17.5 [✓]
ERROR: Policy 'test1' has an unknown interface!
ERROR: Errors encountered, please check https://docs.openwrt.melmac.ca/pbr/1.2.1/#ErrorMessagesDetails!

Can someone confirm this bug? Are there any solutions?

Did you configure it?!

/etc/config/pbr

config pbr 'config'
	option enabled '1'
	option fw_mask '00ff0000'
	list ignored_interface 'vpnserver'
	option ipv6_enabled '0'
	option lan_device 'br-lan'
	option nft_rule_counter '0'
	option nft_set_auto_merge '1'
	option nft_set_counter '0'
	option nft_set_flags_interval '1'
	option nft_set_flags_timeout '0'
	option nft_set_policy 'performance'
	option nft_user_set_counter '0'
	option procd_boot_trigger_delay '5000'
	option procd_reload_delay '0'
	list resolver_instance '*'
	option resolver_set 'dnsmasq.nftset'
	option strict_enforcement '1'
	option uplink_interface 'wan'
	option uplink_interface6 'wan6'
	option uplink_ip_rules_priority '30000'
	option uplink_mark '00010000'
	option verbosity '2'
	list webui_supported_protocol 'all'
	list webui_supported_protocol 'tcp'
	list webui_supported_protocol 'udp'
	list webui_supported_protocol 'tcp udp'
	list webui_supported_protocol 'icmp'
	option config_compat '24'

config policy 'test1'
	option name 'test1'
	option enabled '1'
	option dest_addr 'ipv4.icanhazip.com wtfismyip.com'
	option interface 'wan2'

Nothing out of the ordinary here.

You can add an interface which is not supported by default to the list of supported interfaces. Have you tried that?

Please tell me how, thank you.

Under Advanced Configuration

Manual: https://docs.openwrt.melmac.ca/pbr/1.2.1/

Things work well. One small problem though: the policies are not applied to traffic originating from the OpenWrt device itself. Is there any way to make them apply to the localhost?

No of course not.

Default is the PREROUTING chain for forwarded traffic; the router itself uses the OUTPUT chain.

Consider reading the manual :wink:
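As an added example (not posted by anyone in this thread), a /etc/config/pbr fragment that combines the two points raised above: the macvlan interface wan2 is listed explicitly as a supported interface, and a second copy of the policy uses the output chain so that traffic originated by the router itself is matched too. The option names supported_interface and chain are assumed to be as documented in the pbr manual linked above; wan2, test1 and the dest_addr values are taken from the original post.

```uci
config pbr 'config'
	option enabled '1'
	# wan2 sits on the macvlan0 device and is not picked up automatically,
	# so it is listed explicitly (Advanced Configuration in the manual)
	list supported_interface 'wan2'
	list ignored_interface 'vpnserver'
	option uplink_interface 'wan'
	option verbosity '2'

# forwarded LAN traffic is matched in the prerouting chain (the default)
config policy 'test1'
	option name 'test1'
	option enabled '1'
	option dest_addr 'ipv4.icanhazip.com wtfismyip.com'
	option interface 'wan2'

# traffic generated on the router itself never passes prerouting,
# so the same match is repeated in the output chain
config policy 'test1_local'
	option name 'test1_local'
	option enabled '1'
	option chain 'output'
	option dest_addr 'ipv4.icanhazip.com wtfismyip.com'
	option interface 'wan2'
```

After saving, `service pbr restart` followed by `service pbr status` should list wan2 among the gateways and both policies without the unknown-interface error.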

This time I did read the manual. Changing the default chain from prerouting to output does not have any effect though. :frowning:

Well, the OUTPUT chain is what works for the router itself; I use it for routing DNS requests and that works for me.

I noticed that you are using domain destinations; you might want to have a look at:

If that does not help, then better start a new thread with this particular problem and provide the following information:
Please connect to your OpenWRT device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button

Remember to redact keys, passwords, MAC addresses and any public IP addresses you may have but do not redact private RFC 1918 IP addresses as that is not needed:

ubus call system board
cat /etc/config/network
cat /etc/config/firewall
ip route show
ip -6 route show
ip route show table all
ip rule show
cat /etc/config/pbr
service pbr restart
service pbr status
