Help setting up Policy-Based Routing

Hello. Once upon a time I asked how to set up WireGuard on a router. I finally managed to do it. To do this, I just created an interface with these settings:

config interface 'Cloudflare'
	option proto 'wireguard'
	option private_key '********************************************'
	list addresses '100.16.0.2/32'
	option mtu '1280'

config wireguard_Cloudflare
	option public_key '############################################'
	option endpoint_host '162.159.193.5'
	option endpoint_port '2408'
	list allowed_ips '0.0.0.0/0'
	option route_allowed_ips '1'

config route 'route_wireguard'
	option interface 'Cloudflare'
	option target '0.0.0.0/0'
	option gateway '192.168.1.1'
	option metric '1024'

And then specified Firewall Settings >> Create / Assign firewall-zone >> wan

Now all Internet traffic from all devices connected to the router goes through WireGuard. YouTube works everywhere. But this is not quite what I need. I need WireGuard to work only on a smartphone and TV, but not on the PC. I heard that this can be done with the help of Policy-Based Routing, but I don't know how.

Once again, more clearly: how do I set up Policy-Based Routing in such a way that one local device accesses the Internet via WireGuard and another local device accesses it without WireGuard? What do I need to change in my current settings to do this?

Regarding your question: "How to make it work on only a smartphone and TV?"

  • You can create a new network interface and wifi that only those two devices connect to
  • Then you create firewall entries (zone & forwarding) for that network, so that it forwards to the wireguard interface
  • All other devices use the network that forwards traffic from LAN to WAN directly (if your internet connection is over WAN)

I only have these devices, and they connect to Wi-Fi; the PC is connected by wire. Why should I create a separate Wi-Fi?

In general, your option is not suitable. I need one of two things:

  • Route specific devices on the local network through WireGuard. After all, each of them has a fixed IP address tied to a MAC address.

  • Connect all wired devices directly to the Internet. And all wireless (Wi-Fi) devices through WireGuard

As explained in the PBR readme, it is very easy to do that. You select the source address and the interface. As simple as that and really hard to mess it up.

That's just the point: it doesn't work for me.

What am I doing wrong?

Hard to tell if you have not followed the instructions on how to get help.

1 Like

I kind of showed in detail and wrote what I did. Should I post a list of ALL the configs of my router that are absolutely irrelevant to the case?

Should you post them all? Well, it depends. According to your expertise, which one is not relevant to the case?

1 Like

Everything except
/etc/config/firewall
/etc/config/network

Everything except firewall and network is not relevant?

1 Like

/etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	option ra_slaac '1'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config host
	option name 'K14M-PC'
	option dns '1'
	option mac 'B4:2E:99:97:0C:23'
	option ip '192.168.1.10'
	option leasetime 'infinite'

config host
	option name 'K14M-Android'
	option dns '1'
	option mac 'E0:1F:88:C5:AB:F6'
	option ip '192.168.1.11'
	option leasetime 'infinite'

config host
	option name 'Chromecast'
	option dns '1'
	option mac 'A4:77:33:86:AE:70'
	option ip '192.168.1.20'
	option leasetime 'infinite'

config host
	option name 'Chaika-TV'
	option dns '1'
	option mac '00:51:ED:BA:E2:52'
	option ip '192.168.1.30'
	option leasetime 'infinite'

/etc/config/firewall

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'Cloudflare'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include 'pbr'
	option fw4_compatible '1'
	option type 'script'
	option path '/usr/share/pbr/pbr.firewall.include'

/etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd7a:812e:8c92::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config device
	option name 'eth0.2'
	option macaddr 'c0:25:e9:d3:49:b1'

config interface 'wan'
	option device 'eth0.2'
	option proto 'dhcp'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '1 2 3 4 6t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '0 6t'

config interface 'Cloudflare'
	option proto 'wireguard'
	option private_key '4FfRSMw5kD2ckXJqGpvI6qQBXO3nbEmDAfOdqosknkY='
	list addresses '100.16.0.2/32'
	option mtu '1280'

config wireguard_Cloudflare
	option public_key 'bmXOC+F1FxEMF9dyiK2H5/1SUtzH0JuVo51h2wPfgyo='
	option endpoint_host '162.159.193.5'
	option endpoint_port '2408'
	list allowed_ips '0.0.0.0/0'
	option route_allowed_ips '1'

config route 'route_wireguard'
	option interface 'Cloudflare'
	option target '0.0.0.0/0'
	option gateway '192.168.1.1'
	option metric '1024'

/etc/config/pbr

config pbr 'config'
	option verbosity '2'
	option strict_enforcement '1'
	option resolver_set 'none'
	option ipv6_enabled '0'
	list ignored_interface 'vpnserver'
	list ignored_interface 'wgserver'
	option boot_timeout '30'
	option rule_create_option 'add'
	option procd_reload_delay '1'
	option webui_show_ignore_target '0'
	list webui_supported_protocol 'all'
	list webui_supported_protocol 'tcp'
	list webui_supported_protocol 'udp'
	list webui_supported_protocol 'tcp udp'
	list webui_supported_protocol 'icmp'
	option enabled '1'

config include
	option path '/usr/share/pbr/pbr.user.aws'

config include
	option path '/usr/share/pbr/pbr.user.netflix'

config policy
	option name 'Plex/Emby Local Server'
	option interface 'wan'
	option src_port '8096 8920 32400'
	option enabled '0'

config policy
	option name 'Plex/Emby Remote Servers'
	option interface 'wan'
	option dest_addr 'plex.tv my.plexapp.com emby.media app.emby.media tv.emby.media'
	option enabled '0'

config policy
	option src_addr '192.168.1.11 192.168.1.20 192.168.1.30'
	option interface 'Cloudflare'
	option name 'CLOUDFLARE For ALL'

config policy
	option name '192.168.1.10'
	option src_addr '192.168.1.10'
	option interface 'wan'

/etc/init.d/pbr

root@K14M:~# /etc/init.d/pbr
Syntax: /etc/init.d/pbr [command]

Available commands:
        start           Start the service
        stop            Stop the service
        restart         Restart the service
        reload          Reload configuration files (or restart if service does not implement reload)
        enable          Enable service autostart
        disable         Disable service autostart
        enabled         Check if service is started on boot
        status          Generates output required to troubleshoot routing issues
                Use '-d' option for more detailed output
                Use '-p' option to automatically upload data under VPR paste.ee account
                        WARNING: while paste.ee uploads are unlisted, they are still publicly available
                List domain names after options to include their lookup in report
        version         Show version information
        on_firewall_reload      Run service on firewall reload
        on_interface_reload     Run service on indicated interface reload
        running         Check if service is running
        status          Service status
        trace           Start with syscall trace
        info            Dump procd service info

root@K14M:~#
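As an added example (not code from the pbr package and not posted by anyone in this thread), the following Python script parses excerpts of the dhcp, network and pbr configs above and reports which interface each static-lease host is steered to by the policies, plus the things that would silently break the intended split: a policy whose interface does not exist, a host claimed by two policies with different interfaces, a host no policy covers, and a WireGuard peer whose allowed_ips 0.0.0.0/0 combined with route_allowed_ips '1' installs a default route through the tunnel (which is why every device went through WireGuard before pbr was in the picture). The excerpt is constructed from the posted files with key material left out; the parser and function names are mine, and the UCI subset it understands is only `config`, `option` and `list` lines.

```python
import re
from collections import defaultdict

# Constructed excerpts of the three /etc/config files posted above; key material is omitted.
NETWORK_CFG = """
config interface 'wan'
    option proto 'dhcp'

config interface 'Cloudflare'
    option proto 'wireguard'

config wireguard_Cloudflare
    list allowed_ips '0.0.0.0/0'
    option route_allowed_ips '1'
"""
DHCP_CFG = """
config host
    option name 'K14M-PC'
    option ip '192.168.1.10'

config host
    option name 'K14M-Android'
    option ip '192.168.1.11'

config host
    option name 'Chromecast'
    option ip '192.168.1.20'

config host
    option name 'Chaika-TV'
    option ip '192.168.1.30'
"""
PBR_CFG = """
config policy
    option name 'CLOUDFLARE For ALL'
    option src_addr '192.168.1.11 192.168.1.20 192.168.1.30'
    option interface 'Cloudflare'

config policy
    option name '192.168.1.10'
    option src_addr '192.168.1.10'
    option interface 'wan'
"""
SECTION_RE = re.compile(r"^config\s+(\S+)(?:\s+'([^']*)')?$")
VALUE_RE = re.compile(r"^(option|list)\s+(\S+)\s+'(.*)'$")


def parse_uci(text):
    """Parse UCI text into [{type, name, values}]; option and list values are both kept as lists."""
    sections, current = [], None
    for line in (l.strip() for l in text.splitlines()):
        if m := SECTION_RE.match(line):
            current = {"type": m.group(1), "name": m.group(2), "values": defaultdict(list)}
            sections.append(current)
        elif (m := VALUE_RE.match(line)) and current is not None:
            current["values"][m.group(2)].append(m.group(3))
    return sections


def first(section, key, default=None):
    """First value of a UCI key, or default when the key is absent."""
    return (section["values"].get(key) or [default])[0]


def policy_claims(pbr):
    """Map each source address of every enabled policy to the (policy name, interface) pairs claiming it."""
    claims = defaultdict(list)
    for s in pbr:
        if s["type"] == "policy" and first(s, "enabled", "1") == "1":
            for addr in " ".join(s["values"].get("src_addr", [])).split():  # pbr allows a space-separated list
                claims[addr].append((first(s, "name", "?"), first(s, "interface", "?")))
    return claims


def effective_path(dhcp, pbr):
    """Return {host name: interface} for each static lease; None means no policy matches the host."""
    claims = policy_claims(pbr)
    return {first(s, "name"): (claims.get(first(s, "ip")) or [(None, None)])[0][1]
            for s in dhcp if s["type"] == "host"}


def check_pbr(network, dhcp, pbr):
    """Return human-readable findings; an empty list means the split looks consistent."""
    findings, ifaces, claims = [], {s["name"] for s in network if s["type"] == "interface"}, policy_claims(pbr)
    for addr, hits in claims.items():
        findings += [f"policy '{n}' sends {addr} to unknown interface '{i}'" for n, i in hits if i not in ifaces]
        if len({i for _, i in hits}) > 1:
            findings.append(f"{addr} is claimed by policies with different interfaces: {hits}")
    for host, iface in effective_path(dhcp, pbr).items():
        if iface is None:
            findings.append(f"{host} matches no policy and follows the default route")
    for s in network:  # a 0.0.0.0/0 peer with route_allowed_ips=1 makes the tunnel the default route
        if s["type"].startswith("wireguard_") and "0.0.0.0/0" in s["values"].get("allowed_ips", []) \
                and first(s, "route_allowed_ips", "0") == "1":
            findings.append(f"{s['type'][10:]}: default route goes through the tunnel, so unmatched hosts use the VPN")
    return findings


if __name__ == "__main__":
    network, dhcp, pbr = (parse_uci(t) for t in (NETWORK_CFG, DHCP_CFG, PBR_CFG))
    for host, iface in effective_path(dhcp, pbr).items():
        print(f"{host:13} -> {iface or 'default route'}")
    for finding in check_pbr(network, dhcp, pbr):
        print("note:", finding)
```

Run against the posted configs it maps the PC to wan and the three Wi-Fi devices to Cloudflare, which is what the thread asks for, and its only finding is the WireGuard default route. That last point matters for troubleshooting: with pbr running, the policy rules decide the path, but if pbr is stopped or a host is left out of every policy, that host falls back to the tunnel rather than to wan. Paste the full files in place of the excerpts to re-check after editing.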

Please use the "Preformatted text </>" button for logs, scripts, configs and general console output.
Please edit your post accordingly. Thank you! :slight_smile:

1 Like

And where did I write that I changed something besides this?

In the previous post

You want to say you didn't add the wireguard interface in firewall?

1 Like

Well, I wrote that I only changed /etc/config/network and /etc/config/firewall

What file are these settings stored in?

config interface 'Cloudflare'
	option proto 'wireguard'
	option private_key '********************************************'
	list addresses '100.16.0.2/32'
	option mtu '1280'

config wireguard_Cloudflare
	option public_key '############################################'
	option endpoint_host '162.159.193.5'
	option endpoint_port '2408'
	list allowed_ips '0.0.0.0/0'
	option route_allowed_ips '1'

config route 'route_wireguard'
	option interface 'Cloudflare'
	option target '0.0.0.0/0'
	option gateway '192.168.1.1'
	option metric '1024'

Network. Is this some knowledge test? Are you questioning my knowledge here?

1 Like

We are not supposed to know beforehand what you have changed if we don't read it.

1 Like

Naturally, I doubt it. If a person asks me about what I have already written, he probably did not read carefully or is poorly versed in the topic, since he is asking a question about what I have already answered. Right?

Well, I wrote in the first message what changes I made. Why ask again?