Help setting up Policy-Based Routing

Because you were asked to run a few commands, just a copy-paste thing, like the

  • the output of /etc/init.d/pbr status
  • the output of /etc/init.d/pbr reload with verbosity setting set to 2

and instead I see


Which means you are not paying attention and you are not even seeing that something is wrong.
So, yes, you are not in a position to judge what needs to be examined, and it doesn't cost you anything to post it, instead of this aimless debating.


And how was I to understand where the command ends here?

/etc/init.d/pbr status
root@K14M:~# /etc/init.d/pbr status
============================================================
pbr - environment
pbr 1.0.1-16 running on OpenWrt 22.03.2. WAN (IPv4): wan/eth0.2/172.16.136.1.
============================================================
Dnsmasq version 2.86  Copyright (c) 2000-2021 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus UBus no-i18n no-IDN DHCP no-DHCPv6 no-Lua TFTP no-conntrack no-ipset no-auth no-cryptohash no-DNSSEC no-ID loop-detect inotify dumpfile
============================================================
pbr chains - policies
        chain pbr_forward {
        }
        chain pbr_input {
        }
        chain pbr_output {
        }
        chain pbr_prerouting {
        }
        chain pbr_postrouting {
        }
============================================================
pbr chains - marking
        chain pbr_mark_0x010000 {
        }
        chain pbr_mark_0x020000 {
        }
============================================================
pbr nft sets
        set pbr_Cloudflare_4_src_ip_cfg066ff5 {
                type ipv4_addr
                flags interval
                auto-merge
                comment "CLOUDFLARE For ALL"
                elements = { 192.168.1.11, 192.168.1.20,
                             192.168.1.30 }
        }
        set pbr_wan_4_src_ip_cfg076ff5 {
                type ipv4_addr
                flags interval
                auto-merge
                comment "192.168.1.10"
                elements = { 192.168.1.10 }
        }
        set pbr_wan_4_dst_ip_user {
                type ipv4_addr
                policy memory
                flags interval
                auto-merge
                comment ""
        }
        set pbr_wan_4_src_ip_user {
                type ipv4_addr
                policy memory
                flags interval
                auto-merge
                comment ""
        }
        set pbr_wan_4_src_mac_user {
                type ether_addr
                policy memory
                flags interval
                auto-merge
                comment ""
        }
        set pbr_Cloudflare_4_dst_ip_user {
                type ipv4_addr
                policy memory
                flags interval
                auto-merge
                comment ""
        }
        set pbr_Cloudflare_4_src_ip_user {
                type ipv4_addr
                policy memory
                flags interval
                auto-merge
                comment ""
        }
        set pbr_Cloudflare_4_src_mac_user {
                type ether_addr
                policy memory
                flags interval
                auto-merge
                comment ""
        }
============================================================
IPv4 table 256 route: default via 172.16.136.1 dev eth0.2
IPv4 table 256 rule(s):
30000:  from all fwmark 0x10000/0xff0000 lookup pbr_wan
IPv4 table 257 route: unreachable default
IPv4 table 257 rule(s):
30001:  from all fwmark 0x20000/0xff0000 lookup pbr_Cloudflare
root@K14M:~#
/etc/init.d/pbr reload
root@K14M:~# /etc/init.d/pbr reload
Activating traffic killswitch [✓]
Setting up routing for 'wan/eth0.2/172.16.136.1' [✓]
Setting up routing for 'Cloudflare/192.168.1.1' [✓]
Routing 'CLOUDFLARE For ALL' via Cloudflare [✓]
Routing '192.168.1.10' via wan [✓]
Deactivating traffic killswitch [✓]
pbr 1.0.1-16 monitoring interfaces: wan Cloudflare
pbr 1.0.1-16 (nft) started with gateways:
wan/eth0.2/172.16.136.1
Cloudflare/192.168.1.1 [✓]
root@K14M:~#

How can I know that something is wrong here if I'm doing it for the first time? I have no idea what the result should be.

Should have looked here

I already showed what specifically I changed. Is it necessary to complicate everything with the command line?

Truth be told, it was obvious from the first post that you are using the wrong gateway in the route via the VPN interface, but I was curious what else could be wrong.

And that's exactly why I ask to see everything.

config interface 'Cloudflare'
	option proto 'wireguard'
	option private_key '********************************************'
# Change the network prefix size below to /24, or as recommended by Cloudflare.
	list addresses '100.16.0.2/32'
	option mtu '1280'

config wireguard_Cloudflare
	option public_key '############################################'
	option endpoint_host '162.159.193.5'
	option endpoint_port '2408'
	list allowed_ips '0.0.0.0/0'
	option route_allowed_ips '1'

# Remove this whole section.  It is redundant with route_allowed_ips above. 
# And as @trendy noted, the gateway is completely wrong.  This appears to be causing PBR to 
# fail to install routes for the cloudflare interface.  In general, PBR should be managing all the routes.
config route 'route_wireguard'
	option interface 'Cloudflare'
	option target '0.0.0.0/0'
	option gateway '192.168.1.1'
	option metric '1024'
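The two findings in the annotated config above (a routing table for the VPN interface that ends up as "unreachable default", and a static `config route` that duplicates `route_allowed_ips` with a LAN gateway) can be checked mechanically. The script below is an added example, not part of the pbr package or of anyone's post in this thread; the function names `pbr_unreachable_tables` and `uci_routes_on_wireguard` are my own, and the sample inputs are trimmed from the outputs posted earlier in the thread. It needs only POSIX sh and awk, which BusyBox on OpenWrt provides.

```sh
#!/bin/sh
# Added diagnostic for the symptoms discussed in this thread (not from the pbr
# package or the forum posts). It only parses text that `/etc/init.d/pbr status`
# and /etc/config/network already produce. POSIX sh + awk (BusyBox is enough).

# Read `pbr status` output on stdin; print "<table-id> <table-name>" for every
# pbr routing table whose route is "unreachable default". Such a table has no
# gateway route, so with strict_enforcement='1' the traffic marked for it is
# dropped (killswitch) instead of being routed anywhere.
pbr_unreachable_tables() {
    awk '
        /^IPv4 table [0-9]+ route: unreachable default/ { bad[$3] = 1; next }
        /^IPv4 table [0-9]+ rule\(s\):/                 { cur = $3; next }
        /^[0-9]+:.* lookup / && (cur in bad)            { print cur, $NF }
    '
}

# Read /etc/config/network on stdin; print "<section> <interface> <gateway>"
# for every static `config route` that points at a proto 'wireguard' interface.
# Such a route duplicates route_allowed_ips and, with a wrong gateway (a LAN
# address, as in this thread), keeps pbr from installing its own route.
uci_routes_on_wireguard() {
    awk -v q="'" '
        function unq(s) { gsub(q, "", s); return s }   # strip UCI quotes
        $1 == "config" {
            type = $2; name = unq($3)
            if (type == "route") rname[++n] = (name == "" ? "(anonymous)" : name)
            next
        }
        type == "interface" && $1 == "option" && $2 == "proto"     { if (unq($3) == "wireguard") wg[name] = 1 }
        type == "route"     && $1 == "option" && $2 == "interface" { riface[n] = unq($3) }
        type == "route"     && $1 == "option" && $2 == "gateway"   { rgw[n] = unq($3) }
        END { for (i = 1; i <= n; i++) if (riface[i] in wg) print rname[i], riface[i], rgw[i] }
    '
}

# Sample inputs, trimmed from the status output and network config posted in
# this thread (constructed excerpts, not live data).
SAMPLE_STATUS='IPv4 table 256 route: default via 172.16.136.1 dev eth0.2
IPv4 table 256 rule(s):
30000:  from all fwmark 0x10000/0xff0000 lookup pbr_wan
IPv4 table 257 route: unreachable default
IPv4 table 257 rule(s):
30001:  from all fwmark 0x20000/0xff0000 lookup pbr_Cloudflare'

SAMPLE_NETWORK="config interface 'wan'
	option device 'eth0.2'
	option proto 'dhcp'

config interface 'Cloudflare'
	option proto 'wireguard'
	list addresses '100.16.0.2/32'

config wireguard_Cloudflare
	list allowed_ips '0.0.0.0/0'
	option route_allowed_ips '1'

config route 'route_wireguard'
	option interface 'Cloudflare'
	option target '0.0.0.0/0'
	option gateway '192.168.1.1'
	option metric '1024'"

# On the router itself, feed the live data instead of the samples:
#   /etc/init.d/pbr status | pbr_unreachable_tables
#   uci_routes_on_wireguard < /etc/config/network
printf '%s\n' "$SAMPLE_STATUS"  | pbr_unreachable_tables    # -> 257 pbr_Cloudflare
printf '%s\n' "$SAMPLE_NETWORK" | uci_routes_on_wireguard   # -> route_wireguard Cloudflare 192.168.1.1
```

An empty result from both functions is the healthy state: every pbr table has a real default route and no hand-written route competes with the WireGuard interface's own `route_allowed_ips`.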

Are you saying that PBR is configured correctly and only the WARP interface needs to be changed?

What for? I configured everything the same way as in the config file. Didn't change anything.

[Interface]
PrivateKey = 
Address = 172.16.0.2/32
DNS = 1.1.1.1
MTU = 1280
[Peer]
PublicKey = 
AllowedIPs = 0.0.0.0/0
Endpoint = 162.159.193.5:2408

That's exactly what I did. But nothing seems to have changed. My YouTube is blocked; it won't open without a VPN. That way I can determine whether the VPN works for the entire router or only for specific devices. YouTube opens both on the PC and on the smartphone, but it should only open on the smartphone, so something is wrong...

/etc/config/dhcp
config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	option ra_slaac '1'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config host
	option name 'K14M-PC'
	option dns '1'
	option mac 'B4:2E:99:97:0C:23'
	option ip '192.168.1.10'
	option leasetime 'infinite'

config host
	option name 'K14M-Android'
	option dns '1'
	option mac 'E0:1F:88:C5:AB:F6'
	option ip '192.168.1.11'
	option leasetime 'infinite'

config host
	option name 'Chromecast'
	option dns '1'
	option mac 'A4:77:33:86:AE:70'
	option ip '192.168.1.20'
	option leasetime 'infinite'

config host
	option name 'Chaika-TV'
	option dns '1'
	option mac '00:51:ED:BA:E2:52'
	option ip '192.168.1.30'
	option leasetime 'infinite'
/etc/config/firewall
config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'Cloudflare'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include 'pbr'
	option fw4_compatible '1'
	option type 'script'
	option path '/usr/share/pbr/pbr.firewall.include'
/etc/config/network
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd7a:812e:8c92::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config device
	option name 'eth0.2'
	option macaddr 'c0:25:e9:d3:49:b1'

config interface 'wan'
	option device 'eth0.2'
	option proto 'dhcp'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '1 2 3 4 6t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '0 6t'

config interface 'Cloudflare'
	option proto 'wireguard'
	option private_key '********************************************'
	list addresses '100.16.0.2/32'
	option mtu '1280'

config wireguard_Cloudflare
	option public_key '############################################'
	option endpoint_host '162.159.193.5'
	option endpoint_port '2408'
	list allowed_ips '0.0.0.0/0'
	option route_allowed_ips '1'
/etc/config/pbr
config pbr 'config'
	option verbosity '2'
	option strict_enforcement '1'
	option resolver_set 'none'
	option ipv6_enabled '0'
	list ignored_interface 'vpnserver'
	list ignored_interface 'wgserver'
	option boot_timeout '30'
	option rule_create_option 'add'
	option procd_reload_delay '1'
	option webui_show_ignore_target '0'
	list webui_supported_protocol 'all'
	list webui_supported_protocol 'tcp'
	list webui_supported_protocol 'udp'
	list webui_supported_protocol 'tcp udp'
	list webui_supported_protocol 'icmp'
	option enabled '1'

config include
	option path '/usr/share/pbr/pbr.user.aws'

config include
	option path '/usr/share/pbr/pbr.user.netflix'

config policy
	option name 'Plex/Emby Local Server'
	option interface 'wan'
	option src_port '8096 8920 32400'
	option enabled '0'

config policy
	option name 'Plex/Emby Remote Servers'
	option interface 'wan'
	option dest_addr 'plex.tv my.plexapp.com emby.media app.emby.media tv.emby.media'
	option enabled '0'

config policy
	option src_addr '192.168.1.11 192.168.1.20 192.168.1.30'
	option interface 'Cloudflare'
	option name 'CLOUDFLARE For ALL'

config policy
	option name '192.168.1.10'
	option src_addr '192.168.1.10'
	option interface 'wan'
/etc/init.d/pbr status
root@K14M:~# /etc/init.d/pbr status
============================================================
pbr - environment
pbr 1.0.1-16 running on OpenWrt 22.03.2. WAN (IPv4): wan/eth0.2/172.16.136.1.
============================================================
Dnsmasq version 2.86  Copyright (c) 2000-2021 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus UBus no-i18n no-IDN DHCP no-DHCPv6 no-Lua TFTP no-conntrack no-ipset no-auth no-cryptohash no-DNSSEC no-ID loop-detect inotify dumpfile
============================================================
pbr chains - policies
        chain pbr_forward {
        }
        chain pbr_input {
        }
        chain pbr_output {
        }
        chain pbr_prerouting {
        }
        chain pbr_postrouting {
        }
============================================================
pbr chains - marking
        chain pbr_mark_0x010000 {
        }
        chain pbr_mark_0x020000 {
        }
============================================================
pbr nft sets
        set pbr_Cloudflare_4_src_ip_cfg066ff5 {
                type ipv4_addr
                flags interval
                auto-merge
                comment "CLOUDFLARE For ALL"
                elements = { 192.168.1.11, 192.168.1.20,
                             192.168.1.30 }
        }
        set pbr_wan_4_src_ip_cfg076ff5 {
                type ipv4_addr
                flags interval
                auto-merge
                comment "192.168.1.10"
                elements = { 192.168.1.10 }
        }
        set pbr_wan_4_dst_ip_user {
                type ipv4_addr
                policy memory
                flags interval
                auto-merge
                comment ""
        }
        set pbr_wan_4_src_ip_user {
                type ipv4_addr
                policy memory
                flags interval
                auto-merge
                comment ""
        }
        set pbr_wan_4_src_mac_user {
                type ether_addr
                policy memory
                flags interval
                auto-merge
                comment ""
        }
        set pbr_Cloudflare_4_dst_ip_user {
                type ipv4_addr
                policy memory
                flags interval
                auto-merge
                comment ""
        }
        set pbr_Cloudflare_4_src_ip_user {
                type ipv4_addr
                policy memory
                flags interval
                auto-merge
                comment ""
        }
        set pbr_Cloudflare_4_src_mac_user {
                type ether_addr
                policy memory
                flags interval
                auto-merge
                comment ""
        }
============================================================
IPv4 table 256 route: default via 172.16.136.1 dev eth0.2
IPv4 table 256 rule(s):
30000:  from all fwmark 0x10000/0xff0000 lookup pbr_wan
IPv4 table 257 route: unreachable default
IPv4 table 257 rule(s):
30001:  from all fwmark 0x20000/0xff0000 lookup pbr_Cloudflare
root@K14M:~#
/etc/init.d/pbr reload
root@K14M:~# /etc/init.d/pbr reload
Activating traffic killswitch [✓]
Setting up routing for 'wan/eth0.2/172.16.136.1' [✓]
Setting up routing for 'Cloudflare/100.16.0.2' [✓]
Routing 'CLOUDFLARE For ALL' via Cloudflare [✓]
Routing '192.168.1.10' via wan [✓]
Deactivating traffic killswitch [✓]
pbr 1.0.1-16 monitoring interfaces: wan Cloudflare
pbr 1.0.1-16 (nft) started with gateways:
wan/eth0.2/172.16.136.1
Cloudflare/100.16.0.2 [✓]
root@K14M:~#

Is it still an issue to have made an interface name with capital letters? This initial setup will then propagate into other settings throughout the process.

I'm especially looking at the interface name in /etc/config/network for "Cloudflare". Thinking back to some misconfigured work I did this time last year.

Falsely believing I could capitalize interface names to stand out when in fact they needed to be all lowercase.

Furthermore: Since your devices all have infinite leases, have you considered making them static?

Since you want all Wi-Fi on WireGuard via Cloudflare and the PC on WAN, have you considered using a table and a metric for that one device?


Am I confused, wrong, misled or dreaming?
I cannot provide coffee, fact-checking, configs or psychiatric evaluations.