Forcing a client to use wireguard interface

Hello.

I've got a working site-to-site VPN set up between two routers running wireguard on openwrt. I can ping both the vpn ip and the router ip from both routers, and the wireguard status handshake timer is being updated.

How do I force specific MAC addresses to use wireguard? I want a whitelist of allowed clients that will be forced through the wireguard interface.

PBR is your friend.

I'm a novice at networking and linux and I tried following [Solved] PBR and Wireguard -- DNS Leak but it didn't seem to work.

Is there a basic walkthrough that's on the level of how to install openwrt in the first place? (https://openwrt.org/toh/dynalink/dl-wrx36)

EDIT:

This doesn't seem to work with static leases for the relevant IP addresses

Local ports is wrong, leave it empty.
Protocol should be all.
Chain is prerouting.
And interface is the wireguard not wan.

Hi Sulwh! Try to take a lot of inspiration from YouTube's various WireGuard backgrounders until the end of the day. Then your mind will understand and work better... Kindly, I just picked up some advice, in case it can help you at least a little. See the links below:

Have a good day! :upside_down_face:

I already set up a site-to-site VPN, which is what this video is talking about.


So this lets me ping 192.168.1.1 from the client, but I cannot ping google.com or any other websites. This is weird because if I ssh into the router, I can ping google.com from it.

Does this mean there's something wrong with how my routing is set up? The "server" router is behind another router that has its firewall turned off, while the "client" router is directly facing the internet. All IPs involved are static.

EDIT: I also saw some guides saying that local traffic should be ignored? Does this rule do anything useful for me?


EDIT2: This may be related, but I cannot ping any of the clients from the router side (I can ping the client router 192.168.2.1, but I cannot ping the client at 192.168.2.250)

Ok, maybe you'll find one if you watch what's missing or find one example of what you're looking for.

I have looked. I could not find any videos or guides for my situation (routing specific ip and mac addresses through wireguard in openwrt using the web gui).

That is why I am asking on this forum.

Please run the following commands (copy-paste the whole block) and paste the output here, using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have

ubus call system board; \
uci export network; \
uci export dhcp; uci export firewall; \
uci export pbr; \
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru

On the router that cannot connect to the other side's internet (dnsmasq is on port 5353 to let adguardhome use port 53) - SITE_B:

{
        "kernel": "5.15.137",
        "hostname": "OpenWrt",
        "system": "ARMv8 Processor rev 4",
        "model": "Dynalink DL-WRX36",
        "board_name": "dynalink,dl-wrx36",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.2",
                "revision": "r23630-842932a63d",
                "target": "ipq807x/generic",
                "description": "OpenWrt 23.05.2 r23630-842932a63d"
        }
}
package network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'ULA'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ip4table 'lan'
        option ip6table 'lan'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'
        option dns 'DNS'
        option peerdns '0'
        option ip4table 'wan'
        option ip6table 'wan'

config interface 'WG'
        option proto 'wireguard'
        option private_key 'PRIVATE_KEY'
        option listen_port '51820'
        option ip4table 'work_WG'
        option ip6table 'WG'
        list addresses '10.10.10.2/24'

config wireguard_WG
        option description 'WireGuard'
        option public_key 'PUBLIC_KEY'
        list allowed_ips '10.10.10.0/24'
        list allowed_ips '192.168.1.0/24'
        option endpoint_host '192.168.68.54'
        option endpoint_port '51820'
        option persistent_keepalive '25'
        option route_allowed_ips '1'

config rule 'default'
        option lookup 'work_WG'
        option in 'lan'
        option out 'WG'

package dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '0'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option localservice '1'
        option ednspacket_max '1232'
        option noresolv '1'
        list server '192.168.2.1'
        option port '5353'
        option dnsforwardmax '1024'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '24h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        option ra_slaac '1'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'
        list dhcp_option '6,192.168.2.1'
        list dhcp_option '3,192.168.2.1'
        list dns '::1'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'
        option start '100'
        option limit '150'
        option leasetime '12h'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config host
        option mac 'MAC_ADDR1'
        option ip '192.168.2.250'

config host
        option mac 'MAC_ADDR2'
        option ip '192.168.2.251'

package firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone
        option name 'vpn'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'WG'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'vpn'

config forwarding
        option src 'vpn'
        option dest 'wan'

config redirect
        option dest 'vpn'
        option target 'DNAT'
        option name 'wg'
        list proto 'udp'
        option src 'wan'
        option src_dport '51820'
        option dest_ip '10.10.10.2/32'
        option dest_port '51820'

config include 'pbr'
        option fw4_compatible '1'
        option type 'script'
        option path '/usr/share/pbr/pbr.firewall.include'

config rule
        option name 'Allow-Wireguard'
        list proto 'udp'
        option target 'ACCEPT'
        option src 'wan'
        option dest_port '51820'

package pbr

config pbr 'config'
        option enabled '1'
        option verbosity '2'
        option strict_enforcement '1'
        option resolver_set 'none'
        option ipv6_enabled '0'
        list ignored_interface 'vpnserver'
        list ignored_interface 'wgserver'
        option boot_timeout '30'
        option rule_create_option 'add'
        option procd_reload_delay '1'
        option webui_show_ignore_target '1'
        list webui_supported_protocol 'all'
        list webui_supported_protocol 'tcp'
        list webui_supported_protocol 'udp'
        list webui_supported_protocol 'tcp udp'
        list webui_supported_protocol 'icmp'

config include
        option path '/usr/share/pbr/pbr.user.aws'
        option enabled '0'

config include
        option path '/usr/share/pbr/pbr.user.netflix'
        option enabled '0'

config policy
        option name 'Ignore Local Traffic'
        option interface 'ignore'
        option dest_addr '10.10.10.0/24 192.168.1.0/24'

config policy
        option name 'WireGuard'
        option interface 'WG'
        option src_addr '192.168.2.250 192.168.2.251'
        option enabled '0'

config policy
        option name 'Plex/Emby Local Server'
        option interface 'wan'
        option src_port '8096 8920 32400'
        option enabled '0'

config policy
        option name 'Plex/Emby Remote Servers'
        option interface 'wan'
        option dest_addr 'plex.tv my.plexapp.com emby.media app.emby.media tv.emby.media'
        option enabled '0'

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
7: wan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    inet 68.129.197.73/24 brd 68.129.197.255 scope global wan
       valid_lft forever preferred_lft forever
16: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.2.1/24 brd 192.168.2.255 scope global br-lan
       valid_lft forever preferred_lft forever
22: WG: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 10.10.10.2/24 brd 10.10.10.255 scope global WG
       valid_lft forever preferred_lft forever
192.168.2.0/24 dev br-lan table lan proto static scope link
default via 68.129.197.1 dev wan table pbr_wan
default via 10.10.10.2 dev WG table pbr_WG
10.10.10.0/24 dev WG table work_WG proto static scope link
192.168.1.0/24 dev WG table work_WG proto static scope link
default via IP_ADDRESS dev wan proto static src IP_ADDRESS
IP_ADDRESS/24 dev wan proto kernel scope link src IP_ADDRESS
192.168.1.161 via IP_ADDRESS dev wan proto static
192.168.68.54 via IP_ADDRESS dev wan proto static
local 10.10.10.2 dev WG table local proto kernel scope host src 10.10.10.2
broadcast 10.10.10.255 dev WG table local proto kernel scope link src 10.10.10.2
local IP_ADDRESS dev wan table local proto kernel scope host src IP_ADDRESS
broadcast IP_ADDRESS dev wan table local proto kernel scope link src IP_ADDRESS
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
local 192.168.2.1 dev br-lan table local proto kernel scope host src 192.168.2.1
broadcast 192.168.2.255 dev br-lan table local proto kernel scope link src 192.168.2.1
0:      from all lookup local
0:      from 192.168.2.250 lookup work_WG
0:      from 192.168.2.251 lookup work_WG
1:      from all iif br-lan oif WG lookup work_WG
10000:  from 192.168.2.1 lookup lan
10000:  from 10.10.10.2 lookup work_WG
20000:  from all to 192.168.2.1/24 lookup lan
20000:  from all to 10.10.10.2/24 lookup work_WG
30000:  from all fwmark 0x10000/0xff0000 lookup pbr_wan
30001:  from all fwmark 0x20000/0xff0000 lookup pbr_WG
32766:  from all lookup main
32767:  from all lookup default
90007:  from all iif lo lookup wan
90015:  from all iif lo lookup WG
90016:  from all iif lo lookup lan
90022:  from all iif lo lookup work_WG

On "server" (behind router with firewall turned off) - IP Address is 192.168.68.54 (because it is behind a router. Is this the problem?):

{
        "kernel": "5.15.137",
        "hostname": "OpenWrt",
        "system": "ARMv8 Processor rev 4",
        "model": "Dynalink DL-WRX36",
        "board_name": "dynalink,dl-wrx36",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.2",
                "revision": "r23630-842932a63d",
                "target": "ipq807x/generic",
                "description": "OpenWrt 23.05.2 r23630-842932a63d"
        }
}
package network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'ULA'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'

config interface 'WG'
        option proto 'wireguard'
        option private_key 'PRIVATE_KEY'
        option listen_port '51820'
        list addresses '10.10.10.1/24'

config wireguard_WG
        option description 'site_b'
        option public_key 'PUBLIC_KEY'
        list allowed_ips '10.10.10.0/24'
        list allowed_ips '192.168.2.0/24'
        option route_allowed_ips '1'
        option endpoint_host 'SITE_B IP'
        option endpoint_port '51820'
        option persistent_keepalive '25'

package dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        option ra_slaac '1'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

package firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone
        option name 'vpn'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'WG'

config forwarding
        option src 'vpn'
        option dest 'wan'

config redirect
        option dest 'vpn'
        option target 'DNAT'
        option name 'wg'
        list proto 'udp'
        option src 'wan'
        option src_dport '51820'
        option dest_ip '10.10.10.1/32'
        option dest_port '51820'

config forwarding
        option src 'lan'
        option dest 'vpn'

config include 'pbr'
        option fw4_compatible '1'
        option type 'script'
        option path '/usr/share/pbr/pbr.firewall.include'

package pbr

config pbr 'config'
        option enabled '0'
        option verbosity '2'
        option strict_enforcement '1'
        option resolver_set 'none'
        option ipv6_enabled '0'
        list ignored_interface 'vpnserver'
        list ignored_interface 'wgserver'
        option boot_timeout '30'
        option rule_create_option 'add'
        option procd_reload_delay '1'
        option webui_show_ignore_target '0'
        list webui_supported_protocol 'all'
        list webui_supported_protocol 'tcp'
        list webui_supported_protocol 'udp'
        list webui_supported_protocol 'tcp udp'
        list webui_supported_protocol 'icmp'

config include
        option path '/usr/share/pbr/pbr.user.aws'
        option enabled '0'

config include
        option path '/usr/share/pbr/pbr.user.netflix'
        option enabled '0'

config policy
        option name 'Plex/Emby Local Server'
        option interface 'wan'
        option src_port '8096 8920 32400'
        option enabled '0'

config policy
        option name 'Plex/Emby Remote Servers'
        option interface 'wan'
        option dest_addr 'plex.tv my.plexapp.com emby.media app.emby.media tv.emby.media'
        option enabled '0'

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
7: wan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    inet 192.168.68.54/22 brd 192.168.71.255 scope global wan
       valid_lft forever preferred_lft forever
10: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
18: WG: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 10.10.10.1/24 brd 10.10.10.255 scope global WG
       valid_lft forever preferred_lft forever
default via 192.168.68.1 dev wan proto static src 192.168.68.54
10.10.10.0/24 dev WG proto static scope link
SITE_B_IP_ADDRESS via 192.168.68.1 dev wan proto static
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1
192.168.2.0/24 dev WG proto static scope link
192.168.68.0/22 dev wan proto kernel scope link src 192.168.68.54
local 10.10.10.1 dev WG table local proto kernel scope host src 10.10.10.1
broadcast 10.10.10.255 dev WG table local proto kernel scope link src 10.10.10.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
local 192.168.1.1 dev br-lan table local proto kernel scope host src 192.168.1.1
broadcast 192.168.1.255 dev br-lan table local proto kernel scope link src 192.168.1.1
local 192.168.68.54 dev wan table local proto kernel scope host src 192.168.68.54
broadcast 192.168.71.255 dev wan table local proto kernel scope link src 192.168.68.54
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default

Multiple reasons why it is not working.
First and most important, there is no 0.0.0.0/0 in the allowed IPs for the peer in SITE_B router.
Then you are mixing PBR with netif rules, with the second having precedence, but no default route, and the first having the policy disabled.

This is unnecessary, the Allow-Wireguard rule is much preferred.

If the WG tunnel is over the internet, this is not going to work and the tunnel is initiated from the other router.

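One way to catch the faults listed in that diagnosis before applying a config, as an added example (not code from the thread or from the pbr package): the UCI sample is constructed from the SITE_B export above, and check() returns one finding per fault.

```python
"""Added example (not code from the thread or the pbr package): parse `uci export`
text and flag the mistakes diagnosed above: a peer whose allowed_ips lacks
0.0.0.0/0 while a PBR policy sends all traffic into it, a netif `config rule`
lookup mixed with PBR, and a PBR policy left disabled."""
import shlex

# Constructed sample, trimmed from the SITE_B export posted in the thread.
SAMPLE = """
package network
config wireguard_WG
        list allowed_ips '10.10.10.0/24'
        list allowed_ips '192.168.1.0/24'
config rule 'default'
        option lookup 'work_WG'
        option in 'lan'
        option out 'WG'
package pbr
config pbr 'config'
        option enabled '1'
config policy
        option name 'Ignore Local Traffic'
        option interface 'ignore'
        option dest_addr '10.10.10.0/24 192.168.1.0/24'
config policy
        option name 'WireGuard'
        option interface 'WG'
        option src_addr '192.168.2.250 192.168.2.251'
        option enabled '0'
"""


def parse_uci(text):
    """Return (package, section_type, section_name, {key: [values]}) tuples."""
    sections, package, cur = [], None, None
    for line in text.splitlines():
        parts = shlex.split(line)  # handles 'quoted values with spaces'
        if not parts:
            continue
        if parts[0] == "package":
            package = parts[1]
        elif parts[0] == "config":
            cur = (package, parts[1], parts[2] if len(parts) > 2 else None, {})
            sections.append(cur)
        elif parts[0] in ("option", "list") and cur is not None:
            # 'list' repeats a key, 'option' appears once; one path serves both
            cur[3].setdefault(parts[1], []).append(parts[2] if len(parts) > 2 else "")
    return sections


def check(text):
    """Return a list of finding strings; an empty list means nothing was flagged."""
    secs = parse_uci(text)
    findings = []
    pbr_on = any(p == "pbr" and t == "pbr" and o.get("enabled", ["1"])[0] == "1"
                 for p, t, _, o in secs)
    for p, t, _, o in secs:
        if p != "pbr" or t != "policy":
            continue
        iface = o.get("interface", [""])[0]
        if o.get("enabled", ["1"])[0] == "0":
            findings.append(f"pbr policy {o['name'][0]!r} is disabled, so it routes nothing")
        if iface in ("ignore", "wan") or "dest_addr" in o:
            continue  # only a catch-all policy into the tunnel needs a 0.0.0.0/0 peer
        for pp, tt, _, peer in secs:
            if pp == "network" and tt == f"wireguard_{iface}" \
                    and "0.0.0.0/0" not in peer.get("allowed_ips", []):
                findings.append(f"peer of {iface} lacks 0.0.0.0/0 in allowed_ips; "
                                "WireGuard drops internet-bound packets routed into it")
    for p, t, name, o in secs:
        if pbr_on and p == "network" and t == "rule" and "lookup" in o:
            findings.append(f"netif rule {name!r} (lookup {o['lookup'][0]}) is mixed with "
                            "PBR and its lower priority number wins over PBR's fwmark rules")
    return findings


if __name__ == "__main__":
    for finding in check(SAMPLE):
        print("-", finding)
```

Feed it the real `uci export network; uci export pbr` output instead of SAMPLE to re-check after each change.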

How do I deprioritize netif? And I thought I had pbr enabled with:

config pbr 'config'
        option enabled '1'

You'd have to remove it completely, I see a lot of duplicate and unnecessary stuff here.

Policy is disabled though.

Is there an easier way to delete the ip rules other than ip ru del prio <#>?

It's locking me out after every single time and I have to restart my router to access the router again via SSH.

To delete all rules I use e.g. (TID is the table):
while ip rule delete from 0/0 to 0/0 table $TID >/dev/null 2>&1; do true; done

How do I find the TID of the ip rules?

TID is just the table in your case e.g. : work_WG

I hope you are not trying to SSH from .250 or .251

I am not, but what would happen in that case?

EDIT:

Also, I have deleted most everything in ip rules. Do I keep the remaining?

root@OpenWrt:~# ip -4 ru
0:      from all lookup local
10000:  from 192.168.2.1 lookup lan
20000:  from all to 192.168.2.1/24 lookup lan
32766:  from all lookup main
32767:  from all lookup default
90007:  from all iif lo lookup wan
90010:  from all iif lo lookup lan

I am also noticing that my changes are not kept after I reboot my router. I am currently running the following command:

while ip rule delete from 0/0 to 0/0 table work_WG >/dev/null 2>&1; do true; done; \
while ip rule delete from 0/0 to 0/0 table pbr_wan >/dev/null 2>&1; do true; done; \
while ip rule delete from 0/0 to 0/0 table pbr_WG >/dev/null 2>&1; do true; done