Domain VPN bypass not working (dnsmasq-full)

These last few days, Amazon has not worked correctly with my VPN and I want to bypass the domain. I have tried, but it keeps coming through the VPN and not the WAN, and I don't know what else to do.

Here is my pbr configuration.

Thank you for your attention

There is an amazon policy listed, but it is currently not enabled, as your screenshot shows.

I suggest you enable it and reboot the router.

The problem with domains like Amazon (and Netflix etc.) is that there are a lot of domains and subdomains, often changing, and it is difficult to catch them all.

Indeed it is not activated, but www.cual-es-mi-ip.net is activated, which is a domain that tells you your IP; that is how I find out whether the bypass is working or not, and it does not work.

Ok, so your problem is not that routing amazon.es via the WAN does not work, but that routing domains via the WAN does not work at all?

If so, that could be because domain resolution is done by the router itself (it depends on your settings); in that case you have to choose the output chain instead of the prerouting chain.

I have tried all the outputs and none of them work; I don't know why.
What configuration do you want me to send you to see if I can solve the problem? Thank you.
Here are the configs:

Assuming it is for your local LAN clients, set the policy to test (I use ipleak.net or ipchicken.com) to the prerouting chain, then Save and Apply.

After that, reboot and try again.

Test from a local LAN client e.g. your PC, Laptop or connected phone.

If that does not work then please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </>" button:

Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/dhcp
cat /etc/config/firewall
ip route show
ip route show table all
ip rule show
cat /etc/config/pbr
/etc/init.d/pbr status
uci set pbr.config.verbosity='2'
uci commit pbr
/etc/init.d/pbr reload
/etc/init.d/pbr status
#for ipset/nftset reboot and after reboot contact the domains first before getting output of the following items:
nft list ruleset
cat /tmp/dnsmasq.d/pbr

But it will be tomorrow before I can have a look; probably some of the gurus will have a look earlier :slight_smile:
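
The last two items of the checklist above (`/tmp/dnsmasq.d/pbr` and the nft sets) are what decide whether a domain policy can work at all. As an added example, not from the thread and not pbr's own code, here is a small POSIX sh diagnostic that parses those two artefacts plus `/etc/config/dhcp`: with `resolver_set 'dnsmasq.nftset'` a set is only filled when LAN clients send their DNS queries to the router's dnsmasq, so a DHCP option 6 that points clients at an external resolver leaves the set permanently empty. All sample inputs are constructed, and the nft set names are an assumed format.

```shell
#!/bin/sh
# Added diagnostic (not from the thread) for pbr's dnsmasq.nftset domain policies.
# A domain policy only works when: (1) LAN clients resolve through the router's
# dnsmasq, (2) dnsmasq has an nftset= line for the domain in /tmp/dnsmasq.d/pbr,
# and (3) the nft set that line feeds has been filled by a real lookup.

# (1) Parse /etc/config/dhcp: does DHCP option 6 on the 'lan' pool hand out the
#     router itself (or nothing, so clients default to the router)?  Prints yes/no.
lan_dns_via_router() {
    printf '%s\n' "$1" | awk -v rtr="$2" -v q="'" '
        /^config / { in_lan = ($2 == "dhcp" && $3 == q "lan" q) }
        in_lan && $2 == "dhcp_option" {
            gsub(q, "", $3); n = split($3, f, ",")
            if (f[1] == "6") { seen = 1; for (i = 2; i <= n; i++) if (f[i] == rtr) ok = 1 }
        }
        END { r = (seen && !ok) ? "no" : "yes"; print r }'
}

# (2) Parse /tmp/dnsmasq.d/pbr: print the IPv4 nft set that the nftset= line for
#     the domain feeds, or "none".  Assumed line format (constructed):
#     nftset=/dom1/dom2/4#inet#fw4#SET4,6#inet#fw4#SET6
pbr_set_for_domain() {
    printf '%s\n' "$1" | awk -F/ -v dom="$2" '
        $1 == "nftset=" {
            for (j = 2; j < NF; j++) if ($j == dom) {
                n = split($NF, spec, ",")
                for (i = 1; i <= n; i++) if (spec[i] ~ /^4#/) { m = split(spec[i], p, "#"); found = p[m] }
            }
        }
        END { r = (found != "") ? found : "none"; print r }'
}

# (3) Parse `nft list set inet fw4 SET` output: number of elements (0 if empty).
set_element_count() {
    printf '%s\n' "$1" | awk '
        index($0, "elements = {") { grab = 1 }
        grab { buf = buf $0; if (index($0, "}")) grab = 0 }
        END {
            if (buf == "") { print 0; exit }
            sub(/.*\{/, "", buf); sub(/\}.*/, "", buf)
            n = split(buf, e, ","); c = 0
            for (i = 1; i <= n; i++) if (e[i] ~ /[0-9]/) c++
            print c
        }'
}

# Combine the checks; prints a code word, a colon, and an explanation.
# $1 dhcp config, $2 router LAN ip, $3 dnsmasq pbr conf, $4 domain,
# $5 `nft list set inet fw4 <set>` output for the set found in step (2)
diagnose() {
    dns=$(lan_dns_via_router "$1" "$2")
    set_name=$(pbr_set_for_domain "$3" "$4")
    count=$(set_element_count "$5")
    if [ "$dns" = no ]; then
        echo "DNS_BYPASSED: lan DHCP option 6 points clients away from the router, dnsmasq never sees $4"
    elif [ "$set_name" = none ]; then
        echo "NO_NFTSET_LINE: no nftset= entry for $4 (policy disabled, or resolver_set is not dnsmasq.nftset)"
    elif [ "$count" -eq 0 ]; then
        echo "SET_EMPTY: $set_name has no addresses yet; resolve $4 from a LAN client and re-check"
    else
        echo "OK: $count address(es) for $4 in $set_name"
    fi
}

# Constructed samples modelled on the thread's dumps; set names are assumed.
DHCP_EXTERNAL_DNS="config dhcp 'lan'
        option interface 'lan'
        list dhcp_option '6,103.86.96.100,103.86.96.100'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'"
DHCP_ROUTER_DNS="config dhcp 'lan'
        option interface 'lan'
        list dhcp_option '6,192.168.28.1'"
DNSMASQ_PBR="nftset=/www.cual-es-mi-ip.net/4#inet#fw4#pbr_wan_4_dst_ip_cfg0c6ff5,6#inet#fw4#pbr_wan_6_dst_ip_cfg0c6ff5"
SET_EMPTY_LISTING="table inet fw4 {
        set pbr_wan_4_dst_ip_cfg0c6ff5 {
                type ipv4_addr
                flags timeout
        }
}"
SET_FILLED_LISTING="table inet fw4 {
        set pbr_wan_4_dst_ip_cfg0c6ff5 {
                type ipv4_addr
                flags timeout
                elements = { 104.21.45.10 timeout 1h, 172.67.130.22 timeout 1h }
        }
}"

diagnose "$DHCP_EXTERNAL_DNS" 192.168.28.1 "$DNSMASQ_PBR" www.cual-es-mi-ip.net "$SET_EMPTY_LISTING"
diagnose "$DHCP_ROUTER_DNS"   192.168.28.1 "$DNSMASQ_PBR" www.cual-es-mi-ip.net "$SET_EMPTY_LISTING"
diagnose "$DHCP_ROUTER_DNS"   192.168.28.1 "$DNSMASQ_PBR" www.cual-es-mi-ip.net "$SET_FILLED_LISTING"
```

On a live router, feed the functions `$(cat /etc/config/dhcp)`, `$(cat /tmp/dnsmasq.d/pbr)` and `$(nft list set inet fw4 "$set_name")` instead of the samples.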

root@OpenWrt:~# ubus call system board
{
        "kernel": "5.15.150",
        "hostname": "OpenWrt",
        "system": "Intel(R) N100",
        "model": "Default string Default string",
        "board_name": "default-string-default-string",
        "rootfs_type": "ext4",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.3",
                "revision": "r23809-234f1a2efa",
                "target": "x86/64",
                "description": "OpenWrt 23.05.3 r23809-234f1a2efa"

root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'
        list ports 'eth2'
        list ports 'eth3'
        option ipv6 '0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.28.1'
        option netmask '255.255.255.0'
        option delegate '0'

config interface 'wan'
        option device 'wan.20'
        option proto 'pppoe'
        option username ''
        option password ''
        option ipv6 '0'
        option delegate '0'
        option peerdns '0'
        list dns '103.86.96.100'
        list dns '103.86.99.100'

config device
        option type '8021q'
        option ifname 'eth1'
        option vid '20'
        option name 'wan.20'

config interface 'madrid'
        option proto 'wireguard'
        option private_key ''
        list addresses '10.5.0.2/32'
        option mtu '1420'
        list dns '103.86.96.100'
        list dns '103.86.99.100'

config wireguard_madrid
        option description 'es196.conf'
        option public_key ''
        list allowed_ips '0.0.0.0/0'
        option persistent_keepalive '25'
        option endpoint_host 'es196.nordvpn.com'
        option endpoint_port '51820'
        option route_allowed_ips '1'

config interface 'barcelona'
        option proto 'wireguard'
        option private_key ''
        list addresses '10.5.0.2/32'
        list dns '103.86.96.100'
        list dns '103.86.99.100'
        option mtu '1420'
        option auto '0'

config wireguard_barcelona
        option description 'es238.conf'
        option public_key ''
        list allowed_ips '0.0.0.0/0'
        option persistent_keepalive '25'
        option endpoint_host 'es238.nordvpn.com'
        option endpoint_port '51820'
        option route_allowed_ips '1'

config interface 'eeuu'
        option proto 'wireguard'
        option private_key ''
        list addresses '10.5.0.2/32'
        list dns '103.86.96.100'
        list dns '103.86.99.100'
        option mtu '1420'
        option auto '0'

config wireguard_eeuu
        option description 'us9795.conf'
        option public_key ''
        list allowed_ips '0.0.0.0/0'
        option persistent_keepalive '25'
        option endpoint_host 'us9795.nordvpn.com'
        option endpoint_port '51820'
        option route_allowed_ips '1'

config interface 'turquia'
        option proto 'wireguard'
        option private_key ''
        list addresses '10.5.0.2/32'
        list dns '103.86.96.100'
        list dns '103.86.99.100'
        option mtu '1420'
        option auto '0'

config wireguard_turquia
        option description 'turquia.conf'
        option public_key ''
        list allowed_ips '0.0.0.0/0'
        option persistent_keepalive '25'
        option endpoint_host 'tr55.nordvpn.com'
        option endpoint_port '51820'
        option route_allowed_ips '1'

config interface 'madrid_surf'
        option proto 'wireguard'
        option private_key ''
        list addresses '10.14.0.2/16'
        list dns '162.252.172.57'
        list dns '149.154.159.92'
        option auto '0'

config wireguard_madrid_surf
        option description 'es-mad.conf'
        option public_key ''
        list allowed_ips '0.0.0.0/0'
        option endpoint_host 'es-mad.prod.surfshark.com'
        option endpoint_port '51820'
        option route_allowed_ips '1'

config interface 'ip_exclusiva'
        option proto 'none'
        option device 'tun0'

root@OpenWrt:~# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '365d'
        option dhcpv4 'server'
        list dhcp_option '6,103.86.96.100,103.86.96.100'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

root@OpenWrt:~# cat /etc/config/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone
        option name 'vpn'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'madrid'
        list network 'barcelona'
        list network 'eeuu'
        list network 'turquia'
        list network 'madrid_surf'
        list network 'ip_exclusiva'

config forwarding
        option src 'lan'
        option dest 'vpn'

config include 'pbr'
        option fw4_compatible '1'
        option type 'script'
        option path '/usr/share/pbr/pbr.firewall.include'

config forwarding
        option src 'lan'
        option dest 'wan'

root@OpenWrt:~# ip route show
default dev madrid proto static scope link
10.0.0.1 dev pppoe-wan proto kernel scope link src xxxxxxxxx
185.199.100.13 via 10.0.0.1 dev pppoe-wan proto static
192.168.28.0/24 dev br-lan proto kernel scope link src 192.168.28.1

root@OpenWrt:~# ip route show table all
default via 10.0.0.1 dev pppoe-wan table pbr_wan
192.168.28.0/24 dev br-lan table pbr_wan proto kernel scope link src 192.168.28.1
default via 10.5.0.2 dev madrid table pbr_madrid
192.168.28.0/24 dev br-lan table pbr_madrid proto kernel scope link src 192.168.28.1
unreachable default table pbr_barcelona
192.168.28.0/24 dev br-lan table pbr_barcelona proto kernel scope link src 192.168.28.1
unreachable default table pbr_eeuu
192.168.28.0/24 dev br-lan table pbr_eeuu proto kernel scope link src 192.168.28.1
unreachable default table pbr_turquia
192.168.28.0/24 dev br-lan table pbr_turquia proto kernel scope link src 192.168.28.1
unreachable default table pbr_madrid_surf
192.168.28.0/24 dev br-lan table pbr_madrid_surf proto kernel scope link src 192.168.28.1
unreachable default table pbr_ip_exclusiva
192.168.28.0/24 dev br-lan table pbr_ip_exclusiva proto kernel scope link src 192.168.28.1
default dev madrid proto static scope link
10.0.0.1 dev pppoe-wan proto kernel scope link src 79.116.159.129
185.199.100.13 via 10.0.0.1 dev pppoe-wan proto static
192.168.28.0/24 dev br-lan proto kernel scope link src 192.168.28.1
local 10.5.0.2 dev madrid table local proto kernel scope host src 10.5.0.2
local 79.116.159.129 dev pppoe-wan table local proto kernel scope host src xxxxxxxxxxx
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
local 192.168.28.1 dev br-lan table local proto kernel scope host src 192.168.28.1
broadcast 192.168.28.255 dev br-lan table local proto kernel scope link src 192.168.28.1
unreachable default dev lo table pbr_wan metric 1024 pref medium
unreachable default dev lo table pbr_madrid metric 1024 pref medium
unreachable default dev lo table pbr_barcelona metric 1024 pref medium
unreachable default dev lo table pbr_eeuu metric 1024 pref medium
unreachable default dev lo table pbr_turquia metric 1024 pref medium
unreachable default dev lo table pbr_madrid_surf metric 1024 pref medium
unreachable default dev lo table pbr_ip_exclusiva metric 1024 pref medium
fe80::1 dev pppoe-wan proto kernel metric 256 pref medium
fe80::4f74:9f81 dev pppoe-wan proto kernel metric 256 pref medium
fe80::/64 dev eth1 proto kernel metric 256 pref medium
fe80::/64 dev wan.20 proto kernel metric 256 pref medium
local ::1 dev lo table local proto kernel metric 0 pref medium
anycast fe80:: dev wan.20 table local proto kernel metric 0 pref medium
anycast fe80:: dev eth1 table local proto kernel metric 0 pref medium
local fe80::4f74:9f81 dev pppoe-wan table local proto kernel metric 0 pref medium
local fe80::2e2:59ff:fe00:921b dev wan.20 table local proto kernel metric 0 pref medium
local fe80::2e2:59ff:fe00:921b dev eth1 table local proto kernel metric 0 pref medium
multicast ff00::/8 dev eth1 table local proto kernel metric 256 pref medium
multicast ff00::/8 dev wan.20 table local proto kernel metric 256 pref medium
multicast ff00::/8 dev pppoe-wan table local proto kernel metric 256 pref medium
multicast ff00::/8 dev madrid table local proto kernel metric 256 pref medium

root@OpenWrt:~# ip rule show
0:      from all lookup local
30000:  from all fwmark 0x10000/0xff0000 lookup pbr_wan
30001:  from all fwmark 0x20000/0xff0000 lookup pbr_madrid
30002:  from all fwmark 0x30000/0xff0000 lookup pbr_barcelona
30003:  from all fwmark 0x40000/0xff0000 lookup pbr_eeuu
30004:  from all fwmark 0x50000/0xff0000 lookup pbr_turquia
30005:  from all fwmark 0x60000/0xff0000 lookup pbr_madrid_surf
30006:  from all fwmark 0x70000/0xff0000 lookup pbr_ip_exclusiva
32766:  from all lookup main
32767:  from all lookup default

root@OpenWrt:~# cat /etc/config/pbr

config pbr 'config'
        option enabled '1'
        option verbosity '2'
        option strict_enforcement '1'
        option resolver_set 'dnsmasq.nftset'
        option ipv6_enabled '1'
        list ignored_interface 'vpnserver'
        list ignored_interface 'wgserver'
        option boot_timeout '30'
        option rule_create_option 'add'
        option procd_reload_delay '1'
        option webui_show_ignore_target '0'
        list webui_supported_protocol 'all'
        list webui_supported_protocol 'tcp'
        list webui_supported_protocol 'udp'
        list webui_supported_protocol 'tcp udp'
        list webui_supported_protocol 'icmp'

config include
        option path '/usr/share/pbr/pbr.user.aws'
        option enabled '0'

config include
        option path '/usr/share/pbr/pbr.user.netflix'
        option enabled '0'

config policy
        option name 'Plex/Emby Local Server'
        option interface 'wan'
        option src_port '8096 8920 32400'
        option enabled '0'

config policy
        option name 'Plex/Emby Remote Servers'
        option interface 'wan'
        option dest_addr 'plex.tv my.plexapp.com emby.media app.emby.media tv.emby.media'
        option enabled '0'

config policy
        option name 'router wifi'
        option src_addr '192.168.28.223'
        option interface 'wan'
        option enabled '0'

config policy
        option name 'portatil gerardo'
        option src_addr '192.168.28.106'
        option interface 'wan'
        option enabled '0'

config policy
        option name 'amazon'
        option dest_addr 'www.amazon.es'
        option interface 'wan'
        option enabled '0'

config policy
        option name 'prueba'
        option interface 'wan'
        option dest_addr 'www.cual-es-mi-ip.net'
        option enabled '0'
root@OpenWrt:~# /etc/init.d/pbr status
============================================================
pbr - environment
pbr 1.1.1-7 running on OpenWrt 23.05.3. WAN (IPv4): wan/pppoe-wan/10.0.0.1.
============================================================
Dnsmasq version 2.90  Copyright (c) 2000-2024 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus UBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP conntrack no-ipset nftset auth cryptohash DNSSEC no-ID loop-detect inotify dumpfile
============================================================
pbr chains - policies
        chain pbr_forward { # handle 36
        }
        chain pbr_input { # handle 37
        }
        chain pbr_output { # handle 38
        }
        chain pbr_prerouting { # handle 39
        }
        chain pbr_postrouting { # handle 40
        }
============================================================
pbr chains - marking
        chain pbr_mark_0x010000 { # handle 912
                counter packets 0 bytes 0 meta mark set meta mark & 0xff01ffff | 0x00010000 # handle 913
                return # handle 914
        }
        chain pbr_mark_0x020000 { # handle 915
                counter packets 0 bytes 0 meta mark set meta mark & 0xff02ffff | 0x00020000 # handle 916
                return # handle 917
        }
        chain pbr_mark_0x030000 { # handle 918
                counter packets 0 bytes 0 meta mark set meta mark & 0xff03ffff | 0x00030000 # handle 919
                return # handle 920
        }
        chain pbr_mark_0x040000 { # handle 921
                counter packets 0 bytes 0 meta mark set meta mark & 0xff04ffff | 0x00040000 # handle 922
                return # handle 923
        }
        chain pbr_mark_0x050000 { # handle 924
                counter packets 0 bytes 0 meta mark set meta mark & 0xff05ffff | 0x00050000 # handle 925
                return # handle 926
        }
        chain pbr_mark_0x060000 { # handle 927
                counter packets 0 bytes 0 meta mark set meta mark & 0xff06ffff | 0x00060000 # handle 928
                return # handle 929
        }
        chain pbr_mark_0x070000 { # handle 930
                counter packets 0 bytes 0 meta mark set meta mark & 0xff07ffff | 0x00070000 # handle 931
                return # handle 932
        }
============================================================
pbr nft sets
============================================================
IPv4 table 256 route: default via 10.0.0.1 dev pppoe-wan
IPv4 table 256 rule(s):
30000:  from all fwmark 0x10000/0xff0000 lookup pbr_wan
IPv6 table 256 route: unreachable default dev lo metric 1024 pref medium
IPv6 table 256 rule(s):
unreachable default dev lo metric 1024 pref medium
IPv4 table 257 route: default via 10.5.0.2 dev madrid
IPv4 table 257 rule(s):
30001:  from all fwmark 0x20000/0xff0000 lookup pbr_madrid
IPv6 table 257 route: unreachable default dev lo metric 1024 pref medium
IPv6 table 257 rule(s):
unreachable default dev lo metric 1024 pref medium
IPv4 table 258 route: unreachable default
IPv4 table 258 rule(s):
30002:  from all fwmark 0x30000/0xff0000 lookup pbr_barcelona
IPv6 table 258 route: unreachable default dev lo metric 1024 pref medium
IPv6 table 258 rule(s):
unreachable default dev lo metric 1024 pref medium
IPv4 table 259 route: unreachable default
IPv4 table 259 rule(s):
30003:  from all fwmark 0x40000/0xff0000 lookup pbr_eeuu
IPv6 table 259 route: unreachable default dev lo metric 1024 pref medium
IPv6 table 259 rule(s):
unreachable default dev lo metric 1024 pref medium
IPv4 table 260 route: unreachable default
IPv4 table 260 rule(s):
30004:  from all fwmark 0x50000/0xff0000 lookup pbr_turquia
IPv6 table 260 route: unreachable default dev lo metric 1024 pref medium
IPv6 table 260 rule(s):
unreachable default dev lo metric 1024 pref medium
IPv4 table 261 route: unreachable default
IPv4 table 261 rule(s):
30005:  from all fwmark 0x60000/0xff0000 lookup pbr_madrid_surf
IPv6 table 261 route: unreachable default dev lo metric 1024 pref medium
IPv6 table 261 rule(s):
unreachable default dev lo metric 1024 pref medium
IPv4 table 262 route: unreachable default
IPv4 table 262 rule(s):
30006:  from all fwmark 0x70000/0xff0000 lookup pbr_ip_exclusiva
IPv6 table 262 route: unreachable default dev lo metric 1024 pref medium
IPv6 table 262 rule(s):
unreachable default dev lo metric 1024 pref medium

root@OpenWrt:~# /etc/init.d/pbr reload
Activating traffic killswitch [✓]
Setting up routing for 'wan/pppoe-wan/10.0.0.1/::/0' [✓]
Setting up routing for 'madrid/10.5.0.2/::/0' [✓]
Setting up routing for 'barcelona/0.0.0.0/::/0' [✓]
Setting up routing for 'eeuu/0.0.0.0/::/0' [✓]
Setting up routing for 'turquia/0.0.0.0/::/0' [✓]
Setting up routing for 'madrid_surf/0.0.0.0/::/0' [✓]
Setting up routing for 'ip_exclusiva/tun0/0.0.0.0/::/0' [✓]
Deactivating traffic killswitch [✓]
pbr 1.1.1-7 monitoring interfaces: wan madrid barcelona eeuu turquia madrid_surf ip_exclusiva
pbr 1.1.1-7 (nft) started with gateways:
wan/pppoe-wan/10.0.0.1/::/0
madrid/10.5.0.2/::/0 [✓]
barcelona/0.0.0.0/::/0
eeuu/0.0.0.0/::/0
turquia/0.0.0.0/::/0
madrid_surf/0.0.0.0/::/0
ip_exclusiva/tun0/0.0.0.0/::/0

root@OpenWrt:~# /etc/init.d/pbr status
============================================================
pbr - environment
pbr 1.1.1-7 running on OpenWrt 23.05.3. WAN (IPv4): wan/pppoe-wan/10.0.0.1.
============================================================
Dnsmasq version 2.90  Copyright (c) 2000-2024 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus UBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP conntrack no-ipset nftset auth cryptohash DNSSEC no-ID loop-detect inotify dumpfile
============================================================
pbr chains - policies
        chain pbr_forward { # handle 36
        }
        chain pbr_input { # handle 37
        }
        chain pbr_output { # handle 38
        }
        chain pbr_prerouting { # handle 39
        }
        chain pbr_postrouting { # handle 40
        }
============================================================
pbr chains - marking
        chain pbr_mark_0x010000 { # handle 509
                counter packets 0 bytes 0 meta mark set meta mark & 0xff01ffff | 0x00010000 # handle 510
                return # handle 511
        }
        chain pbr_mark_0x020000 { # handle 512
                counter packets 0 bytes 0 meta mark set meta mark & 0xff02ffff | 0x00020000 # handle 513
                return # handle 514
        }
        chain pbr_mark_0x030000 { # handle 515
                counter packets 0 bytes 0 meta mark set meta mark & 0xff03ffff | 0x00030000 # handle 516
                return # handle 517
        }
        chain pbr_mark_0x040000 { # handle 518
                counter packets 0 bytes 0 meta mark set meta mark & 0xff04ffff | 0x00040000 # handle 519
                return # handle 520
        }
        chain pbr_mark_0x050000 { # handle 521
                counter packets 0 bytes 0 meta mark set meta mark & 0xff05ffff | 0x00050000 # handle 522
                return # handle 523
        }
        chain pbr_mark_0x060000 { # handle 524
                counter packets 0 bytes 0 meta mark set meta mark & 0xff06ffff | 0x00060000 # handle 525
                return # handle 526
        }
        chain pbr_mark_0x070000 { # handle 527
                counter packets 0 bytes 0 meta mark set meta mark & 0xff07ffff | 0x00070000 # handle 528
                return # handle 529
        }
============================================================
pbr nft sets
============================================================
IPv4 table 256 route: default via 10.0.0.1 dev pppoe-wan
IPv4 table 256 rule(s):
30000:  from all fwmark 0x10000/0xff0000 lookup pbr_wan
IPv6 table 256 route: unreachable default dev lo metric 1024 pref medium
IPv6 table 256 rule(s):
unreachable default dev lo metric 1024 pref medium
IPv4 table 257 route: default via 10.5.0.2 dev madrid
IPv4 table 257 rule(s):
30001:  from all fwmark 0x20000/0xff0000 lookup pbr_madrid
IPv6 table 257 route: unreachable default dev lo metric 1024 pref medium
IPv6 table 257 rule(s):
unreachable default dev lo metric 1024 pref medium
IPv4 table 258 route: unreachable default
IPv4 table 258 rule(s):
30002:  from all fwmark 0x30000/0xff0000 lookup pbr_barcelona
IPv6 table 258 route: unreachable default dev lo metric 1024 pref medium
IPv6 table 258 rule(s):
unreachable default dev lo metric 1024 pref medium
IPv4 table 259 route: unreachable default
IPv4 table 259 rule(s):
30003:  from all fwmark 0x40000/0xff0000 lookup pbr_eeuu
IPv6 table 259 route: unreachable default dev lo metric 1024 pref medium
IPv6 table 259 rule(s):
unreachable default dev lo metric 1024 pref medium
IPv4 table 260 route: unreachable default
IPv4 table 260 rule(s):
30004:  from all fwmark 0x50000/0xff0000 lookup pbr_turquia
IPv6 table 260 route: unreachable default dev lo metric 1024 pref medium
IPv6 table 260 rule(s):
unreachable default dev lo metric 1024 pref medium
IPv4 table 261 route: unreachable default
IPv4 table 261 rule(s):
30005:  from all fwmark 0x60000/0xff0000 lookup pbr_madrid_surf
IPv6 table 261 route: unreachable default dev lo metric 1024 pref medium
IPv6 table 261 rule(s):
unreachable default dev lo metric 1024 pref medium
IPv4 table 262 route: unreachable default
IPv4 table 262 rule(s):
30006:  from all fwmark 0x70000/0xff0000 lookup pbr_ip_exclusiva
IPv6 table 262 route: unreachable default dev lo metric 1024 pref medium
IPv6 table 262 rule(s):
unreachable default dev lo metric 1024 pref medium
root@OpenWrt:~# nft list ruleset
table inet fw4 {
        chain input {
                type filter hook input priority filter; policy drop;
                iifname "lo" accept comment "!fw4: Accept traffic from loopback"
                ct state established,related accept comment "!fw4: Allow inbound established and related flows"
                tcp flags syn / fin,syn,rst,ack jump syn_flood comment "!fw4: Rate limit TCP syn packets"
                iifname "br-lan" jump input_lan comment "!fw4: Handle lan IPv4/IPv6 input traffic"
                iifname "pppoe-wan" jump input_wan comment "!fw4: Handle wan IPv4/IPv6 input traffic"
                iifname { "tun0", "madrid" } jump input_vpn comment "!fw4: Handle vpn IPv4/IPv6 input traffic"
                jump handle_reject
        }

        chain forward {
                type filter hook forward priority filter; policy drop;
                ct state established,related accept comment "!fw4: Allow forwarded established and related flows"
                iifname "br-lan" jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic"
                iifname "pppoe-wan" jump forward_wan comment "!fw4: Handle wan IPv4/IPv6 forward traffic"
                iifname { "tun0", "madrid" } jump forward_vpn comment "!fw4: Handle vpn IPv4/IPv6 forward traffic"
                jump handle_reject
        }

        chain output {
                type filter hook output priority filter; policy accept;
                oifname "lo" accept comment "!fw4: Accept traffic towards loopback"
                ct state established,related accept comment "!fw4: Allow outbound established and related flows"
                oifname "br-lan" jump output_lan comment "!fw4: Handle lan IPv4/IPv6 output traffic"
                oifname "pppoe-wan" jump output_wan comment "!fw4: Handle wan IPv4/IPv6 output traffic"
                oifname { "tun0", "madrid" } jump output_vpn comment "!fw4: Handle vpn IPv4/IPv6 output traffic"
        }

        chain prerouting {
                type filter hook prerouting priority filter; policy accept;
                iifname "br-lan" jump helper_lan comment "!fw4: Handle lan IPv4/IPv6 helper assignment"
        }

        chain handle_reject {
                meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic"
                reject comment "!fw4: Reject any other traffic"
        }

        chain syn_flood {
                limit rate 25/second burst 50 packets return comment "!fw4: Accept SYN packets below rate-limit"
                drop comment "!fw4: Drop excess packets"
        }

        chain input_lan {
                jump accept_from_lan
        }

        chain output_lan {
                jump accept_to_lan
        }

        chain forward_lan {
                jump accept_to_vpn comment "!fw4: Accept lan to vpn forwarding"
                jump accept_to_wan comment "!fw4: Accept lan to wan forwarding"
                jump accept_to_lan
        }

        chain helper_lan {
        }

        chain accept_from_lan {
                iifname "br-lan" counter packets 10 bytes 705 accept comment "!fw4: accept lan IPv4/IPv6 traffic"
        }

        chain accept_to_lan {
                oifname "br-lan" counter packets 0 bytes 0 accept comment "!fw4: accept lan IPv4/IPv6 traffic"
        }

        chain input_wan {
                meta nfproto ipv4 udp dport 68 counter packets 0 bytes 0 accept comment "!fw4: Allow-DHCP-Renew"
                icmp type echo-request counter packets 0 bytes 0 accept comment "!fw4: Allow-Ping"
                meta nfproto ipv4 meta l4proto igmp counter packets 0 bytes 0 accept comment "!fw4: Allow-IGMP"
                meta nfproto ipv6 udp dport 546 counter packets 0 bytes 0 accept comment "!fw4: Allow-DHCPv6"
                ip6 saddr fe80::/10 icmpv6 type . icmpv6 code { mld-listener-query . no-route, mld-listener-report . no-route, mld-listener-done . no-route, mld2-listener-report . no-route } counter packets 0 bytes 0 accept comment "!fw4: Allow-MLD"
                icmpv6 type { destination-unreachable, time-exceeded, echo-request, echo-reply, nd-router-solicit, nd-router-advert } limit rate 1000/second counter packets 2 bytes 112 accept comment "!fw4: Allow-ICMPv6-Input"
                icmpv6 type . icmpv6 code { packet-too-big . no-route, parameter-problem . no-route, nd-neighbor-solicit . no-route, nd-neighbor-advert . no-route, parameter-problem . admin-prohibited } limit rate 1000/second counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Input"
                jump reject_from_wan
        }

        chain output_wan {
                jump accept_to_wan
        }

        chain forward_wan {
                icmpv6 type { destination-unreachable, time-exceeded, echo-request, echo-reply } limit rate 1000/second counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Forward"
                icmpv6 type . icmpv6 code { packet-too-big . no-route, parameter-problem . no-route, parameter-problem . admin-prohibited } limit rate 1000/second counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Forward"
                meta l4proto esp counter packets 0 bytes 0 jump accept_to_lan comment "!fw4: Allow-IPSec-ESP"
                udp dport 500 counter packets 0 bytes 0 jump accept_to_lan comment "!fw4: Allow-ISAKMP"
                jump reject_to_wan
        }

        chain accept_to_wan {
                meta nfproto ipv4 oifname "pppoe-wan" ct state invalid counter packets 0 bytes 0 drop comment "!fw4: Prevent NAT leakage"
                oifname "pppoe-wan" counter packets 0 bytes 0 accept comment "!fw4: accept wan IPv4/IPv6 traffic"
        }

        chain reject_from_wan {
                iifname "pppoe-wan" counter packets 39 bytes 6130 jump handle_reject comment "!fw4: reject wan IPv4/IPv6 traffic"
        }

        chain reject_to_wan {
                oifname "pppoe-wan" counter packets 0 bytes 0 jump handle_reject comment "!fw4: reject wan IPv4/IPv6 traffic"
        }

        chain input_vpn {
                jump reject_from_vpn
        }

        chain output_vpn {
                jump accept_to_vpn
        }

        chain forward_vpn {
                jump reject_to_vpn
        }

        chain accept_to_vpn {
                meta nfproto ipv4 oifname { "tun0", "madrid" } ct state invalid counter packets 127 bytes 6088 drop comment "!fw4: Prevent NAT leakage"
                oifname { "tun0", "madrid" } counter packets 471 bytes 46168 accept comment "!fw4: accept vpn IPv4/IPv6 traffic"
        }

        chain reject_from_vpn {
                iifname { "tun0", "madrid" } counter packets 24 bytes 1312 jump handle_reject comment "!fw4: reject vpn IPv4/IPv6 traffic"
        }

        chain reject_to_vpn {
                oifname { "tun0", "madrid" } counter packets 0 bytes 0 jump handle_reject comment "!fw4: reject vpn IPv4/IPv6 traffic"
        }

        chain dstnat {
                type nat hook prerouting priority dstnat; policy accept;
        }

        chain srcnat {
                type nat hook postrouting priority srcnat; policy accept;
                oifname "pppoe-wan" jump srcnat_wan comment "!fw4: Handle wan IPv4/IPv6 srcnat traffic"
                oifname { "tun0", "madrid" } jump srcnat_vpn comment "!fw4: Handle vpn IPv4/IPv6 srcnat traffic"
        }

        chain srcnat_wan {
                meta nfproto ipv4 masquerade comment "!fw4: Masquerade IPv4 wan traffic"
        }

        chain srcnat_vpn {
                meta nfproto ipv4 masquerade comment "!fw4: Masquerade IPv4 vpn traffic"
        }

        chain raw_prerouting {
                type filter hook prerouting priority raw; policy accept;
        }

        chain raw_output {
                type filter hook output priority raw; policy accept;
        }

        chain mangle_prerouting {
                type filter hook prerouting priority mangle; policy accept;
                jump pbr_prerouting comment "Jump into pbr prerouting chain"
        }

        chain mangle_postrouting {
                type filter hook postrouting priority mangle; policy accept;
                jump pbr_postrouting comment "Jump into pbr postrouting chain"
        }

        chain mangle_input {
                type filter hook input priority mangle; policy accept;
                jump pbr_input comment "Jump into pbr input chain"
        }

        chain mangle_output {
                type route hook output priority mangle; policy accept;
                jump pbr_output comment "Jump into pbr output chain"
        }

        chain mangle_forward {
                type filter hook forward priority mangle; policy accept;
                iifname "pppoe-wan" tcp flags syn tcp option maxseg size set rt mtu comment "!fw4: Zone wan IPv4/IPv6 ingress MTU fixing"
                oifname "pppoe-wan" tcp flags syn tcp option maxseg size set rt mtu comment "!fw4: Zone wan IPv4/IPv6 egress MTU fixing"
                iifname { "tun0", "madrid" } tcp flags syn tcp option maxseg size set rt mtu comment "!fw4: Zone vpn IPv4/IPv6 ingress MTU fixing"
                oifname { "tun0", "madrid" } tcp flags syn tcp option maxseg size set rt mtu comment "!fw4: Zone vpn IPv4/IPv6 egress MTU fixing"
                jump pbr_forward comment "Jump into pbr forward chain"
        }

        chain pbr_forward {
        }

        chain pbr_input {
        }

        chain pbr_output {
        }

        chain pbr_prerouting {
        }

        chain pbr_postrouting {
        }

        chain pbr_mark_0x010000 {
                counter packets 0 bytes 0 meta mark set meta mark & 0xff01ffff | 0x00010000
                return
        }

        chain pbr_mark_0x020000 {
                counter packets 0 bytes 0 meta mark set meta mark & 0xff02ffff | 0x00020000
                return
        }

        chain pbr_mark_0x030000 {
                counter packets 0 bytes 0 meta mark set meta mark & 0xff03ffff | 0x00030000
                return
        }

        chain pbr_mark_0x040000 {
                counter packets 0 bytes 0 meta mark set meta mark & 0xff04ffff | 0x00040000
                return
        }

        chain pbr_mark_0x050000 {
                counter packets 0 bytes 0 meta mark set meta mark & 0xff05ffff | 0x00050000
                return
        }

        chain pbr_mark_0x060000 {
                counter packets 0 bytes 0 meta mark set meta mark & 0xff06ffff | 0x00060000
                return
        }

        chain pbr_mark_0x070000 {
                counter packets 0 bytes 0 meta mark set meta mark & 0xff07ffff | 0x00070000
                return

root@OpenWrt:~# cat /tmp/dnsmasq.d/pbr
cat: can't open '/tmp/dnsmasq.d/pbr': No such file or directory

I hope you did not show us the real public keys for all your WireGuard interfaces; otherwise you had better redo the configs.

At this moment it seems there is no policy active (all show option enabled '0')

So I suggest you enable an option, reboot the router, test again and then show again:

nft list ruleset
cat /tmp/dnsmasq.d/pbr
ip route show
ip route show table pbr_wan

Those keys that I have shown are the ones next to the server; all my VPN clients have the same one, but just in case they are already deleted.
I'll clarify: if I bypass a local device, it works; what doesn't work is with domains.
Here I leave you what you ask of me.
Thank you

root@OpenWrt:~# nft list ruleset
table inet fw4 {
        set pbr_wan_4_dst_ip_cfg096ff5 {
                type ipv4_addr
                flags interval
                counter
                auto-merge
                comment "prueba"
        }

        set pbr_wan_6_dst_ip_cfg096ff5 {
                type ipv6_addr
                flags interval
                counter
                auto-merge
                comment "prueba"
        }

        chain input {
                type filter hook input priority filter; policy drop;
                iifname "lo" accept comment "!fw4: Accept traffic from loopback"
                ct state established,related accept comment "!fw4: Allow inbound established and related flows"
                tcp flags syn / fin,syn,rst,ack jump syn_flood comment "!fw4: Rate limit TCP syn packets"
                iifname "br-lan" jump input_lan comment "!fw4: Handle lan IPv4/IPv6 input traffic"
                iifname "pppoe-wan" jump input_wan comment "!fw4: Handle wan IPv4/IPv6 input traffic"
                iifname { "tun0", "madrid" } jump input_vpn comment "!fw4: Handle vpn IPv4/IPv6 input traffic"
                jump handle_reject
        }

        chain forward {
                type filter hook forward priority filter; policy drop;
                ct state established,related accept comment "!fw4: Allow forwarded established and related flows"
                iifname "br-lan" jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic"
                iifname "pppoe-wan" jump forward_wan comment "!fw4: Handle wan IPv4/IPv6 forward traffic"
                iifname { "tun0", "madrid" } jump forward_vpn comment "!fw4: Handle vpn IPv4/IPv6 forward traffic"
                jump handle_reject
        }

        chain output {
                type filter hook output priority filter; policy accept;
                oifname "lo" accept comment "!fw4: Accept traffic towards loopback"
                ct state established,related accept comment "!fw4: Allow outbound established and related flows"
                oifname "br-lan" jump output_lan comment "!fw4: Handle lan IPv4/IPv6 output traffic"
                oifname "pppoe-wan" jump output_wan comment "!fw4: Handle wan IPv4/IPv6 output traffic"
                oifname { "tun0", "madrid" } jump output_vpn comment "!fw4: Handle vpn IPv4/IPv6 output traffic"
        }

        chain prerouting {
                type filter hook prerouting priority filter; policy accept;
                iifname "br-lan" jump helper_lan comment "!fw4: Handle lan IPv4/IPv6 helper assignment"
        }

        chain handle_reject {
                meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic"
                reject comment "!fw4: Reject any other traffic"
        }

        chain syn_flood {
                limit rate 25/second burst 50 packets return comment "!fw4: Accept SYN packets below rate-limit"
                drop comment "!fw4: Drop excess packets"
        }

        chain input_lan {
                jump accept_from_lan
        }

        chain output_lan {
                jump accept_to_lan
        }

        chain forward_lan {
                jump accept_to_vpn comment "!fw4: Accept lan to vpn forwarding"
                jump accept_to_wan comment "!fw4: Accept lan to wan forwarding"
                jump accept_to_lan
        }

        chain helper_lan {
        }

        chain accept_from_lan {
                iifname "br-lan" counter packets 8 bytes 601 accept comment "!fw4: accept lan IPv4/IPv6 traffic"
        }

        chain accept_to_lan {
                oifname "br-lan" counter packets 0 bytes 0 accept comment "!fw4: accept lan IPv4/IPv6 traffic"
        }

        chain input_wan {
                meta nfproto ipv4 udp dport 68 counter packets 0 bytes 0 accept comment "!fw4: Allow-DHCP-Renew"
                icmp type echo-request counter packets 0 bytes 0 accept comment "!fw4: Allow-Ping"
                meta nfproto ipv4 meta l4proto igmp counter packets 0 bytes 0 accept comment "!fw4: Allow-IGMP"
                meta nfproto ipv6 udp dport 546 counter packets 0 bytes 0 accept comment "!fw4: Allow-DHCPv6"
                ip6 saddr fe80::/10 icmpv6 type . icmpv6 code { mld-listener-query . no-route, mld-listener-report . no-route, mld-listener-done . no-route, mld2-listener-report . no-route } counter packets 0 bytes 0 accept comment "!fw4: Allow-MLD"
                icmpv6 type { destination-unreachable, time-exceeded, echo-request, echo-reply, nd-router-solicit, nd-router-advert } limit rate 1000/second counter packets 2 bytes 112 accept comment "!fw4: Allow-ICMPv6-Input"
                icmpv6 type . icmpv6 code { packet-too-big . no-route, parameter-problem . no-route, nd-neighbor-solicit . no-route, nd-neighbor-advert . no-route, parameter-problem . admin-prohibited } limit rate 1000/second counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Input"
                jump reject_from_wan
        }

        chain output_wan {
                jump accept_to_wan
        }

        chain forward_wan {
                icmpv6 type { destination-unreachable, time-exceeded, echo-request, echo-reply } limit rate 1000/second counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Forward"
                icmpv6 type . icmpv6 code { packet-too-big . no-route, parameter-problem . no-route, parameter-problem . admin-prohibited } limit rate 1000/second counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Forward"
                meta l4proto esp counter packets 0 bytes 0 jump accept_to_lan comment "!fw4: Allow-IPSec-ESP"
                udp dport 500 counter packets 0 bytes 0 jump accept_to_lan comment "!fw4: Allow-ISAKMP"
                jump reject_to_wan
        }

        chain accept_to_wan {
                meta nfproto ipv4 oifname "pppoe-wan" ct state invalid counter packets 0 bytes 0 drop comment "!fw4: Prevent NAT leakage"
                oifname "pppoe-wan" counter packets 7 bytes 4390 accept comment "!fw4: accept wan IPv4/IPv6 traffic"
        }

        chain reject_from_wan {
                iifname "pppoe-wan" counter packets 25 bytes 1540 jump handle_reject comment "!fw4: reject wan IPv4/IPv6 traffic"
        }

        chain reject_to_wan {
                oifname "pppoe-wan" counter packets 0 bytes 0 jump handle_reject comment "!fw4: reject wan IPv4/IPv6 traffic"
        }

        chain input_vpn {
                jump reject_from_vpn
        }

        chain output_vpn {
                jump accept_to_vpn
        }

        chain forward_vpn {
                jump reject_to_vpn
        }

        chain accept_to_vpn {
                meta nfproto ipv4 oifname { "tun0", "madrid" } ct state invalid counter packets 62 bytes 3800 drop comment "!fw4: Prevent NAT leakage"
                oifname { "tun0", "madrid" } counter packets 441 bytes 44934 accept comment "!fw4: accept vpn IPv4/IPv6 traffic"
        }

        chain reject_from_vpn {
                iifname { "tun0", "madrid" } counter packets 12 bytes 752 jump handle_reject comment "!fw4: reject vpn IPv4/IPv6 traffic"
        }

        chain reject_to_vpn {
                oifname { "tun0", "madrid" } counter packets 0 bytes 0 jump handle_reject comment "!fw4: reject vpn IPv4/IPv6 traffic"
        }

        chain dstnat {
                type nat hook prerouting priority dstnat; policy accept;
        }

        chain srcnat {
                type nat hook postrouting priority srcnat; policy accept;
                oifname "pppoe-wan" jump srcnat_wan comment "!fw4: Handle wan IPv4/IPv6 srcnat traffic"
                oifname { "tun0", "madrid" } jump srcnat_vpn comment "!fw4: Handle vpn IPv4/IPv6 srcnat traffic"
        }

        chain srcnat_wan {
                meta nfproto ipv4 masquerade comment "!fw4: Masquerade IPv4 wan traffic"
        }

        chain srcnat_vpn {
                meta nfproto ipv4 masquerade comment "!fw4: Masquerade IPv4 vpn traffic"
        }

        chain raw_prerouting {
                type filter hook prerouting priority raw; policy accept;
        }

        chain raw_output {
                type filter hook output priority raw; policy accept;
        }

        chain mangle_prerouting {
                type filter hook prerouting priority mangle; policy accept;
                jump pbr_prerouting comment "Jump into pbr prerouting chain"
        }

        chain mangle_postrouting {
                type filter hook postrouting priority mangle; policy accept;
                jump pbr_postrouting comment "Jump into pbr postrouting chain"
        }

        chain mangle_input {
                type filter hook input priority mangle; policy accept;
                jump pbr_input comment "Jump into pbr input chain"
        }

        chain mangle_output {
                type route hook output priority mangle; policy accept;
                jump pbr_output comment "Jump into pbr output chain"
        }

        chain mangle_forward {
                type filter hook forward priority mangle; policy accept;
                iifname "pppoe-wan" tcp flags syn tcp option maxseg size set rt mtu comment "!fw4: Zone wan IPv4/IPv6 ingress MTU fixing"
                oifname "pppoe-wan" tcp flags syn tcp option maxseg size set rt mtu comment "!fw4: Zone wan IPv4/IPv6 egress MTU fixing"
                iifname { "tun0", "madrid" } tcp flags syn tcp option maxseg size set rt mtu comment "!fw4: Zone vpn IPv4/IPv6 ingress MTU fixing"
                oifname { "tun0", "madrid" } tcp flags syn tcp option maxseg size set rt mtu comment "!fw4: Zone vpn IPv4/IPv6 egress MTU fixing"
                jump pbr_forward comment "Jump into pbr forward chain"
        }

        chain pbr_forward {
        }

        chain pbr_input {
        }

        chain pbr_output {
        }

        chain pbr_prerouting {
                ip daddr @pbr_wan_4_dst_ip_cfg096ff5 goto pbr_mark_0x010000 comment "prueba"
                ip6 daddr @pbr_wan_6_dst_ip_cfg096ff5 goto pbr_mark_0x010000 comment "prueba"
        }

        chain pbr_postrouting {
        }

        chain pbr_mark_0x010000 {
                counter packets 0 bytes 0 meta mark set meta mark & 0xff01ffff | 0x00010000
                return
        }

        chain pbr_mark_0x020000 {
                counter packets 0 bytes 0 meta mark set meta mark & 0xff02ffff | 0x00020000
                return
        }

        chain pbr_mark_0x030000 {
                counter packets 0 bytes 0 meta mark set meta mark & 0xff03ffff | 0x00030000
                return
        }

        chain pbr_mark_0x040000 {
                counter packets 0 bytes 0 meta mark set meta mark & 0xff04ffff | 0x00040000
                return
        }

        chain pbr_mark_0x050000 {
                counter packets 0 bytes 0 meta mark set meta mark & 0xff05ffff | 0x00050000
                return
        }

        chain pbr_mark_0x060000 {
                counter packets 0 bytes 0 meta mark set meta mark & 0xff06ffff | 0x00060000
                return
        }

        chain pbr_mark_0x070000 {
                counter packets 0 bytes 0 meta mark set meta mark & 0xff07ffff | 0x00070000
                return

root@OpenWrt:~# cat /tmp/dnsmasq.d/pbr
nftset=/www.cual-es-mi-ip.net/4#inet#fw4#pbr_wan_4_dst_ip_cfg096ff5,6#inet#fw4#pbr_wan_6_dst_ip_cfg096ff5 # prueba

root@OpenWrt:~# ip route show
default dev madrid proto static scope link
10.0.0.1 dev pppoe-wan proto kernel scope link src 86.127.246.18
185.199.100.13 via 10.0.0.1 dev pppoe-wan proto static
192.168.28.0/24 dev br-lan proto kernel scope link src 192.168.28.1

root@OpenWrt:~# ip route show table pbr_wan
default via 10.0.0.1 dev pppoe-wan
192.168.28.0/24 dev br-lan proto kernel scope link src 192.168.28.1

Now the necessary firewall rule is made:

There is no IP address yet, as that should be coming from DNSMasq, which will fill the nftset if the domain is resolved by DNSMasq.

So please ping www.cual-es-mi-ip.net from your local LAN client and check again if pbr_wan_4_dst_ip_cfg096ff5 is showing the IP address of that site.

Are you using DNSMasq for DNS resolution?

To be sure you have the nftset version of DNSMasq please show the output of:
dnsmasq -v

When I go to www.cual-es-mi-ip.net I do not get any output, so maybe that is something specific to your provider; otherwise use ipleak.net and make a policy with ipleak.net for your PBR domain.
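The chain of checks described in the replies above (does this dnsmasq build have nftset support, did pbr write the nftset= line, did dnsmasq actually fill the set), as an added diagnostic script that is not the thread's own code and not part of the pbr package. It parses constructed copies of the three outputs being asked for; the first two mirror what was posted (dnsmasq -v, /tmp/dnsmasq.d/pbr), while the `nft list set` layout and the 203.0.113.x addresses are assumptions of mine. It is POSIX sh so it can run in the router's busybox shell, where you would pass the live command output instead of the samples.

```shell
#!/bin/sh
# Added diagnostic helper, not from this thread or the pbr package.
# It checks the three links a domain-based pbr policy depends on:
#   dnsmasq built with nftset -> pbr wrote an nftset= line -> the set got filled.
# Inputs are constructed sample strings so it runs offline.

# 1. Is nftset compiled into this dnsmasq? Looks for the exact token "nftset" in
#    the "Compile time options" line, so "no-nftset" does not count as a match.
dnsmasq_has_nftset() {
    # $1: output of `dnsmasq -v`
    printf '%s\n' "$1" | grep '^Compile time options:' | tr ' ' '\n' | grep -qx 'nftset'
}

# 2. Parse the pbr-generated dnsmasq line
#    nftset=/<domain>/4#inet#fw4#<set4>,6#inet#fw4#<set6> # <comment>
#    Prints "<domain> <set4> <set6>"; returns 1 when no such line exists
#    (the "No such file or directory" situation seen earlier in the thread).
pbr_dnsmasq_sets() {
    # $1: contents of /tmp/dnsmasq.d/pbr
    printf '%s\n' "$1" \
        | sed -n 's|^nftset=/\([^/]*\)/4#inet#fw4#\([^,]*\),6#inet#fw4#\([^ ]*\).*|\1 \2 \3|p' \
        | grep .
}

# 3. Count the addresses dnsmasq has pushed into the set. The "elements = { ... }"
#    block layout of `nft list set inet fw4 <set>` is an assumption of this script;
#    elements may span several lines and carry per-element counters.
nftset_element_count() {
    # $1: output of `nft list set inet fw4 <set>`
    printf '%s\n' "$1" | sed -n '/elements = {/,/}/p' \
        | sed 's/elements = {//; s/}//' | tr ',' '\n' \
        | sed 's/^[[:space:]]*//' \
        | grep '^[0-9a-fA-F.:/-]\{1,\}' | wc -l | tr -d ' '
}

# Verdict: prints one line and returns 0 only when every link is in place.
pbr_domain_check() {
    dv=$1; cfg=$2; nftout=$3
    if ! dnsmasq_has_nftset "$dv"; then
        echo "FAIL: dnsmasq built without nftset support (dnsmasq-full is needed)"
        return 1
    fi
    sets=$(pbr_dnsmasq_sets "$cfg") || {
        echo "FAIL: no nftset= line for this policy in /tmp/dnsmasq.d/pbr"
        return 1
    }
    set -- $sets                      # $1=domain $2=IPv4 set $3=IPv6 set
    n=$(nftset_element_count "$nftout")
    if [ "$n" -eq 0 ]; then
        echo "FAIL: $2 is empty; $1 was never resolved by this dnsmasq (client using another resolver?)"
        return 1
    fi
    echo "OK: $1 -> $2 holds $n address(es); the prerouting rule can now match"
}

# --- constructed samples (the first and third mirror what was posted in the thread) ---
DNSMASQ_V_OK='Dnsmasq version 2.90  Copyright (c) 2000-2024 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus UBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP conntrack no-ipset nftset auth cryptohash DNSSEC no-ID loop-detect inotify dumpfile'
# Same banner with the option negated, as a build without nftset would print it (constructed).
DNSMASQ_V_NO='Dnsmasq version 2.90  Copyright (c) 2000-2024 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus UBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP conntrack no-ipset no-nftset auth cryptohash DNSSEC no-ID loop-detect inotify dumpfile'
PBR_CONF='nftset=/www.cual-es-mi-ip.net/4#inet#fw4#pbr_wan_4_dst_ip_cfg096ff5,6#inet#fw4#pbr_wan_6_dst_ip_cfg096ff5 # prueba'
# Set before any lookup (no elements line) and after two lookups; 203.0.113.x are
# documentation addresses, not the real site (constructed).
SET_EMPTY='table inet fw4 {
    set pbr_wan_4_dst_ip_cfg096ff5 {
        type ipv4_addr
        flags interval
        counter
        auto-merge
        comment "prueba"
    }
}'
SET_FILLED='table inet fw4 {
    set pbr_wan_4_dst_ip_cfg096ff5 {
        type ipv4_addr
        flags interval
        counter
        auto-merge
        comment "prueba"
        elements = { 203.0.113.10 counter packets 4 bytes 240,
                     203.0.113.20 counter packets 0 bytes 0 }
    }
}'

# Demo on the samples: OK, then the empty-set failure, then the missing-nftset failure.
pbr_domain_check "$DNSMASQ_V_OK" "$PBR_CONF" "$SET_FILLED" || :
pbr_domain_check "$DNSMASQ_V_OK" "$PBR_CONF" "$SET_EMPTY" || :
pbr_domain_check "$DNSMASQ_V_NO" "$PBR_CONF" "$SET_FILLED" || :
```

The empty-set case is the one that matters for this thread: when the set stays at zero elements after the client has visited the site, the policy itself is fine and the lookup simply never went through the router's dnsmasq, which is what the next reply concludes.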

OK, you are not using DNSMasq for your local name resolution, so that can never work this way.

If I delete this '6,103.86.96.100,103.86.96.100' the local client bypass does not work either.
I have changed to test ipleak.net but it is the same.

Deleting alone does not resolve it; you have to reboot your router and your local LAN client.

Then check if the firewall (nft list ruleset) will have the IP address of the site you have visited.

Also show dnsmasq -v so that we can see if nftset is compiled into DNSMasq.

Here you have the result of dnsmasq -v

root@OpenWrt:~# dnsmasq -v
Dnsmasq version 2.90  Copyright (c) 2000-2024 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus UBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP conntrack no-ipset nftset auth cryptohash DNSSEC no-ID loop-detect inotify dumpfile

This software comes with ABSOLUTELY NO WARRANTY.
Dnsmasq is free software, and you are welcome to redistribute it
under the terms of the GNU General Public License, version 2 or 3.
root@OpenWrt:~# nft list ruleset
table inet fw4 {
        chain input {
                type filter hook input priority filter; policy drop;
                iifname "lo" accept comment "!fw4: Accept traffic from loopback"
                ct state established,related accept comment "!fw4: Allow inbound established and related flows"
                tcp flags syn / fin,syn,rst,ack jump syn_flood comment "!fw4: Rate limit TCP syn packets"
                iifname "br-lan" jump input_lan comment "!fw4: Handle lan IPv4/IPv6 input traffic"
                iifname "pppoe-wan" jump input_wan comment "!fw4: Handle wan IPv4/IPv6 input traffic"
                iifname { "tun0", "madrid" } jump input_vpn comment "!fw4: Handle vpn IPv4/IPv6 input traffic"
                jump handle_reject
        }

        chain forward {
                type filter hook forward priority filter; policy drop;
                ct state established,related accept comment "!fw4: Allow forwarded established and related flows"
                iifname "br-lan" jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic"
                iifname "pppoe-wan" jump forward_wan comment "!fw4: Handle wan IPv4/IPv6 forward traffic"
                iifname { "tun0", "madrid" } jump forward_vpn comment "!fw4: Handle vpn IPv4/IPv6 forward traffic"
                jump handle_reject
        }

        chain output {
                type filter hook output priority filter; policy accept;
                oifname "lo" accept comment "!fw4: Accept traffic towards loopback"
                ct state established,related accept comment "!fw4: Allow outbound established and related flows"
                oifname "br-lan" jump output_lan comment "!fw4: Handle lan IPv4/IPv6 output traffic"
                oifname "pppoe-wan" jump output_wan comment "!fw4: Handle wan IPv4/IPv6 output traffic"
                oifname { "tun0", "madrid" } jump output_vpn comment "!fw4: Handle vpn IPv4/IPv6 output traffic"
        }

        chain prerouting {
                type filter hook prerouting priority filter; policy accept;
                iifname "br-lan" jump helper_lan comment "!fw4: Handle lan IPv4/IPv6 helper assignment"
        }

        chain handle_reject {
                meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic"
                reject comment "!fw4: Reject any other traffic"
        }

        chain syn_flood {
                limit rate 25/second burst 50 packets return comment "!fw4: Accept SYN packets below rate-limit"
                drop comment "!fw4: Drop excess packets"
        }

        chain input_lan {
                jump accept_from_lan
        }

        chain output_lan {
                jump accept_to_lan
        }

        chain forward_lan {
                jump accept_to_vpn comment "!fw4: Accept lan to vpn forwarding"
                jump accept_to_wan comment "!fw4: Accept lan to wan forwarding"
                jump accept_to_lan
        }

        chain helper_lan {
        }

        chain accept_from_lan {
                iifname "br-lan" counter packets 793 bytes 67474 accept comment "!fw4: accept lan IPv4/IPv6 traffic"
        }

        chain accept_to_lan {
                oifname "br-lan" counter packets 0 bytes 0 accept comment "!fw4: accept lan IPv4/IPv6 traffic"
        }

        chain input_wan {
                meta nfproto ipv4 udp dport 68 counter packets 0 bytes 0 accept comment "!fw4: Allow-DHCP-Renew"
                icmp type echo-request counter packets 0 bytes 0 accept comment "!fw4: Allow-Ping"
                meta nfproto ipv4 meta l4proto igmp counter packets 0 bytes 0 accept comment "!fw4: Allow-IGMP"
                meta nfproto ipv6 udp dport 546 counter packets 0 bytes 0 accept comment "!fw4: Allow-DHCPv6"
                ip6 saddr fe80::/10 icmpv6 type . icmpv6 code { mld-listener-query . no-route, mld-listener-report . no-route, mld-listener-done . no-route, mld2-listener-report . no-route } counter packets 0 bytes 0 accept comment "!fw4: Allow-MLD"
                icmpv6 type { destination-unreachable, time-exceeded, echo-request, echo-reply, nd-router-solicit, nd-router-advert } limit rate 1000/second counter packets 3 bytes 168 accept comment "!fw4: Allow-ICMPv6-Input"
                icmpv6 type . icmpv6 code { packet-too-big . no-route, parameter-problem . no-route, nd-neighbor-solicit . no-route, nd-neighbor-advert . no-route, parameter-problem . admin-prohibited } limit rate 1000/second counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Input"
                jump reject_from_wan
        }

        chain output_wan {
                jump accept_to_wan
        }

        chain forward_wan {
                icmpv6 type { destination-unreachable, time-exceeded, echo-request, echo-reply } limit rate 1000/second counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Forward"
                icmpv6 type . icmpv6 code { packet-too-big . no-route, parameter-problem . no-route, parameter-problem . admin-prohibited } limit rate 1000/second counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Forward"
                meta l4proto esp counter packets 0 bytes 0 jump accept_to_lan comment "!fw4: Allow-IPSec-ESP"
                udp dport 500 counter packets 0 bytes 0 jump accept_to_lan comment "!fw4: Allow-ISAKMP"
                jump reject_to_wan
        }

        chain accept_to_wan {
                meta nfproto ipv4 oifname "pppoe-wan" ct state invalid counter packets 580 bytes 23448 drop comment "!fw4: Prevent NAT leakage"
                oifname "pppoe-wan" counter packets 865 bytes 99847 accept comment "!fw4: accept wan IPv4/IPv6 traffic"
        }

        chain reject_from_wan {
                iifname "pppoe-wan" counter packets 921 bytes 84640 jump handle_reject comment "!fw4: reject wan IPv4/IPv6 traffic"
        }

        chain reject_to_wan {
                oifname "pppoe-wan" counter packets 0 bytes 0 jump handle_reject comment "!fw4: reject wan IPv4/IPv6 traffic"
        }

        chain input_vpn {
                jump reject_from_vpn
        }

        chain output_vpn {
                jump accept_to_vpn
        }

        chain forward_vpn {
                jump reject_to_vpn
        }

        chain accept_to_vpn {
                meta nfproto ipv4 oifname { "tun0", "madrid" } ct state invalid counter packets 3470 bytes 141392 drop comment "!fw4: Prevent NAT leakage"
                oifname { "tun0", "madrid" } counter packets 2898 bytes 272716 accept comment "!fw4: accept vpn IPv4/IPv6 traffic"
        }

        chain reject_from_vpn {
                iifname { "tun0", "madrid" } counter packets 1791 bytes 72926 jump handle_reject comment "!fw4: reject vpn IPv4/IPv6 traffic"
        }

        chain reject_to_vpn {
                oifname { "tun0", "madrid" } counter packets 0 bytes 0 jump handle_reject comment "!fw4: reject vpn IPv4/IPv6 traffic"
        }

        chain dstnat {
                type nat hook prerouting priority dstnat; policy accept;
        }

        chain srcnat {
                type nat hook postrouting priority srcnat; policy accept;
                oifname "pppoe-wan" jump srcnat_wan comment "!fw4: Handle wan IPv4/IPv6 srcnat traffic"
                oifname { "tun0", "madrid" } jump srcnat_vpn comment "!fw4: Handle vpn IPv4/IPv6 srcnat traffic"
        }

        chain srcnat_wan {
                meta nfproto ipv4 masquerade comment "!fw4: Masquerade IPv4 wan traffic"
        }

        chain srcnat_vpn {
                meta nfproto ipv4 masquerade comment "!fw4: Masquerade IPv4 vpn traffic"
        }

        chain raw_prerouting {
                type filter hook prerouting priority raw; policy accept;
        }

        chain raw_output {
                type filter hook output priority raw; policy accept;
        }

        chain mangle_prerouting {
                type filter hook prerouting priority mangle; policy accept;
                jump pbr_prerouting comment "Jump into pbr prerouting chain"
        }

        chain mangle_postrouting {
                type filter hook postrouting priority mangle; policy accept;
                jump pbr_postrouting comment "Jump into pbr postrouting chain"
        }

        chain mangle_input {
                type filter hook input priority mangle; policy accept;
                jump pbr_input comment "Jump into pbr input chain"
        }

        chain mangle_output {
                type route hook output priority mangle; policy accept;
                jump pbr_output comment "Jump into pbr output chain"
        }

        chain mangle_forward {
                type filter hook forward priority mangle; policy accept;
                iifname "pppoe-wan" tcp flags syn tcp option maxseg size set rt mtu comment "!fw4: Zone wan IPv4/IPv6 ingress MTU fixing"
                oifname "pppoe-wan" tcp flags syn tcp option maxseg size set rt mtu comment "!fw4: Zone wan IPv4/IPv6 egress MTU fixing"
                iifname { "tun0", "madrid" } tcp flags syn tcp option maxseg size set rt mtu comment "!fw4: Zone vpn IPv4/IPv6 ingress MTU fixing"
                oifname { "tun0", "madrid" } tcp flags syn tcp option maxseg size set rt mtu comment "!fw4: Zone vpn IPv4/IPv6 egress MTU fixing"
                jump pbr_forward comment "Jump into pbr forward chain"
        }

        chain pbr_forward {
        }

        chain pbr_input {
        }

        chain pbr_output {
        }

        chain pbr_prerouting {
        }

        chain pbr_postrouting {
        }

        chain pbr_mark_0x010000 {
                counter packets 0 bytes 0 meta mark set meta mark & 0xff01ffff | 0x00010000
                return
        }

        chain pbr_mark_0x020000 {
                counter packets 0 bytes 0 meta mark set meta mark & 0xff02ffff | 0x00020000
                return
        }

        chain pbr_mark_0x030000 {
                counter packets 0 bytes 0 meta mark set meta mark & 0xff03ffff | 0x00030000
                return
        }

        chain pbr_mark_0x040000 {
                counter packets 0 bytes 0 meta mark set meta mark & 0xff04ffff | 0x00040000
                return
        }

        chain pbr_mark_0x050000 {
                counter packets 0 bytes 0 meta mark set meta mark & 0xff05ffff | 0x00050000
                return
        }

        chain pbr_mark_0x060000 {
                counter packets 0 bytes 0 meta mark set meta mark & 0xff06ffff | 0x00060000
                return
        }

        chain pbr_mark_0x070000 {
                counter packets 0 bytes 0 meta mark set meta mark & 0xff07ffff | 0x00070000
                return
        }
}

DNSMasq shows nftset so that should be good.

Your firewall does not show that PBR is already running; maybe it was very shortly after the reboot, as earlier you showed it was running.

I suggest you check again and otherwise reload PBR.
Make sure you are pinging the websites which you have set in the policy first, because only after a ping/nslookup etc. is the domain name resolved by DNSMasq and added to the firewall rule.

For the record, I have made a policy with ipchicken.com as the domain name and use nft sets, and this is what my firewall rule looks like:

root@DL-WRX36:~# nft list ruleset
        set pbr_wan_4_dst_ip_cfg106ff5 {
                type ipv4_addr
                flags interval
                counter
                auto-merge
                comment "ipchicken"
                elements = { 104.26.6.112 counter packets 0 bytes 0, 104.26.7.112 counter packets 0 bytes 0,
                             172.67.68.101 counter packets 12 bytes 2055 }
        }
2 Likes
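Added example, not from the thread or the pbr package: a small POSIX shell check that parses "nft list set" output like the set shown above and reports, for each address a domain resolved to, whether it is in the pbr set and whether its packet counter has moved. The set dump is a constructed copy of the thread's output; on the router you would feed it the real output of "nft list set inet fw4 pbr_wan_4_dst_ip_cfg106ff5" and the addresses returned by "nslookup ipchicken.com 127.0.0.1".

```shell
#!/bin/sh
# Added example, not from the thread or the pbr package. SET_DUMP is a
# constructed copy of the set shown in the thread; on the router it would be
# the output of: nft list set inet fw4 pbr_wan_4_dst_ip_cfg106ff5
# and the addresses would come from: nslookup ipchicken.com 127.0.0.1

SET_DUMP='        set pbr_wan_4_dst_ip_cfg106ff5 {
                type ipv4_addr
                flags interval
                counter
                auto-merge
                comment "ipchicken"
                elements = { 104.26.6.112 counter packets 0 bytes 0, 104.26.7.112 counter packets 0 bytes 0,
                             172.67.68.101 counter packets 12 bytes 2055 }
        }'

# set_elements DUMP: print "<address> <packets>" per element (elements are
# comma separated and may wrap lines, so split on commas first).
set_elements() {
    printf '%s\n' "$1" | tr ',' '\n' | awk '
        $1 == "elements" { inside = 1 }
        inside {
            for (i = 2; i <= NF; i++)
                if ($i == "counter" && $(i + 1) == "packets")
                    print $(i - 1), $(i + 2)
        }
        index($0, "}") > 0 { inside = 0 }'
}

# check_domain_ips DUMP "ip1 ip2 ...": report each address; returns 1 if any
# address is missing (typical when the name was not resolved by the router's dnsmasq).
check_domain_ips() {
    elems=$(set_elements "$1")
    missing=0
    for ip in $2; do
        pkts=$(printf '%s\n' "$elems" | awk -v ip="$ip" '$1 == ip { print $2 }')
        if [ -z "$pkts" ]; then
            echo "MISSING  $ip  (not in set; resolve it through the router's DNS and retry)"
            missing=1
        elif [ "$pkts" -eq 0 ]; then
            echo "PRESENT  $ip  packets=0 (in set, but no traffic has matched yet)"
        else
            echo "MATCHED  $ip  packets=$pkts (traffic is hitting the policy)"
        fi
    done
    return $missing
}

check_domain_ips "$SET_DUMP" "104.26.6.112 104.26.7.112 172.67.68.101"
```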

I just wanted to say kudos to @egc for very thoughtfully parsing all the provided configs of complex setups and spotting the problems in the configs dead on!

It's the contributors like @egc which make OpenWrt forums great!

Thanks, your kind words are really appreciated, but it is actually you we need to thank for all your work :slight_smile:

1 Like