I have since installed PBR but am not sure how to use it. Also, after starting from scratch again, giving each of the interfaces a metric and adding the text suggested by lleachii, I seem to have been able to actually connect to the tunnel: the luci-wireguard status says there was a handshake with the VPN for WAN.
But damned if I know how to make the resulting wireless connection have internet...
I'm not sure what exactly these rules are supposed to look like...
Here are some outputs:
cat /etc/config/firewall
# /etc/config/firewall as pasted; review comments (#) added inline, nothing else changed.
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option synflood_protect '1'
option forward 'DROP'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
# The two WireGuard networks (VPN, VPNB) are attached to this 'wan' zone below, so the
# lan->wan forwarding further down already covers the tunnels and masq '1' NATs LAN
# traffic leaving through them. Keep that in mind if they are later moved to the 'vpn' zone.
config zone
option name 'wan'
option output 'ACCEPT'
option masq '1'
option mtu_fix '1'
option input 'DROP'
option forward 'DROP'
list network 'wan'
list network 'wanb'
list network 'VPN'
list network 'VPNB'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
# Inbound port forwards: these open 52321 and 25271 from every network in the 'wan' zone,
# which now includes the two tunnels as well as both uplinks.
config redirect
option dest 'lan'
option target 'DNAT'
option name 'torrents'
option src 'wan'
option src_dport '52321'
option dest_ip '192.168.1.10'
option dest_port '52321'
# NOTE(review): src_dip matches the ORIGINAL destination of the packet. Set to the
# router's own LAN address, this only catches DNS that was already aimed at 192.168.1.1,
# so clients using a third-party resolver are not redirected. A "forced DNS" redirect
# usually negates it ('!192.168.1.1') -- confirm which behaviour is intended.
config redirect
option dest 'lan'
option target 'DNAT'
option name 'Forced DNS'
option src_dport '53'
option dest_port '53'
option src 'lan'
option src_dip '192.168.1.1'
config redirect
option dest 'lan'
option target 'DNAT'
option name 'torrents lab'
option src 'wan'
option src_dport '25271'
option dest_ip '192.168.1.12'
option dest_port '25271'
# This zone has no 'list network' entry, so no interface is attached to it and it
# currently matches nothing (VPN/VPNB live in 'wan' above). If the tunnels are moved
# here, a 'config forwarding' with src 'lan' and dest 'vpn' is also required, because
# forward is DROP and there is no lan->vpn forwarding section in this file.
config zone
option name 'vpn'
option input 'DROP'
option output 'ACCEPT'
option forward 'DROP'
option masq '1'
option mtu_fix '1'
# pbr hook; fw4_compatible '1' is the nftables-era form of the include.
config include 'pbr'
option fw4_compatible '1'
option type 'script'
option path '/usr/share/pbr/pbr.firewall.include'
/etc/config/network
# /etc/config/network as pasted; review comments (#) added inline, nothing else changed.
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option packet_steering '1'
config device
option name 'br-lan'
option type 'bridge'
list ports 'eth1'
list ports 'eth2'
list ports 'eth3'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '60'
option ipv6 '0'
option delegate '0'
list dns '1.1.1.1'
list dns '1.0.0.1'
list dns 'XX.XX.XXX.XXX'
config interface 'wan'
option device 'eth0'
option proto 'dhcp'
option ipv6 '0'
option metric '1'
option peerdns '0'
list dns '1.1.1.1'
list dns '1.0.0.1'
list dns 'XX.XX.XXX.XXX'
config interface 'wanb'
option proto 'dhcp'
option device 'eth4'
option peerdns '0'
list dns '1.1.1.1'
list dns '1.0.0.1'
list dns 'XX.XX.XXX.XXX'
option metric '2'
# SECURITY: the private_key below (and the identical one under VPNB) has been pasted into
# a public post. Treat it as compromised: generate a new keypair, register the new public
# key with the provider, and redact the value here the same way the DNS addresses were.
#
# VPN and VPNB share the same private key, the same tunnel address and the same peer.
# WireGuard identifies a peer by its public key and keeps one endpoint per peer, so each
# handshake from the other tunnel replaces the server's idea of where this key lives --
# expect the two tunnels to keep displacing each other. A second tunnel needs its own
# key and address from the provider.
config interface 'VPN'
option proto 'wireguard'
option private_key 'gIkLrrme9P3CAFcJJKa+rEsFV7DuiUjg0snR6LtZz2U='
list addresses '10.67.182.48/32'
option peerdns '0'
list dns '100.64.0.7'
option metric '3'
config interface 'VPNB'
option proto 'wireguard'
option private_key 'gIkLrrme9P3CAFcJJKa+rEsFV7DuiUjg0snR6LtZz2U='
list addresses '10.67.182.48/32'
option peerdns '0'
list dns '100.64.0.7'
option metric '4'
# allowed_ips 0.0.0.0/0 with route_allowed_ips '1' should install a default route via
# VPN (metric 3) in the main table once the interface is up. The 'ip route show' output
# further down lists defaults only via eth0 and eth4, none via VPN or VPNB, which fits
# the "handshake but no internet" symptom -- check the netifd log after 'ifup VPN'.
config wireguard_VPN
option description 'de-dus-wg-001.conf'
option public_key 'ku1NYeOAGbY65YL/JKZhrqVzDJKXQiVj9USXbfkOBA0='
list allowed_ips '0.0.0.0/0'
option endpoint_host '185.254.75.3'
option endpoint_port '51820'
option route_allowed_ips '1'
config wireguard_VPNB
option description 'de-dus-wg-001.conf'
option public_key 'ku1NYeOAGbY65YL/JKZhrqVzDJKXQiVj9USXbfkOBA0='
list allowed_ips '0.0.0.0/0'
option endpoint_host '185.254.75.3'
option endpoint_port '51820'
option route_allowed_ips '1'
config device
option name 'VPN'
option ipv6 '0'
config device
option name 'VPNB'
option ipv6 '0'
# The two 802.1q sub-devices below are not referenced by any interface in this file.
config device
option type '8021q'
option ifname 'eth0'
option vid '2'
option name 'eth0.2'
option ipv6 '0'
config device
option type '8021q'
option ifname 'eth3'
option vid '2'
option name 'eth3.2'
option ipv6 '0'
# gateway '192.168.1.1' is the router's own LAN address (see 'lan' above), not a next hop
# reachable through VPN; a point-to-point WireGuard interface needs no gateway at all.
# table '1' is also the table mwan3 populates for 'wan' ('from all iif eth0 lookup 1' in
# the ip rule output below), so this route competes with mwan3's own tables. Table 3, the
# one mwan3 uses for VPN, shows no default route in the 'ip -4 route list' output.
config route
option interface 'VPN'
option target '0.0.0.0/0'
option table '1'
option gateway '192.168.1.1'
option metric '3'
config rule
option dest '192.168.1.0/24'
option priority '1'
option lookup 'main'
# Sends all LAN-sourced traffic to table 1, whose default route is via eth0 (wan) per the
# table listing below, so LAN clients bypass the tunnels entirely even while VPN is up.
# Both of these rules sit in front of everything mwan3 (priorities 1001+) and pbr
# (30001+) install; consider removing them and steering LAN traffic with pbr instead.
config rule
option src '192.168.1.0/24'
option dest '0.0.0.0/0'
option priority '2'
option lookup '1'
/etc/config/mwan3
# /etc/config/mwan3 as pasted; review comments (#) added inline, nothing else changed.
config globals 'globals'
option mmx_mask '0x3F00'
option logging '1'
option loglevel 'notice'
list rt_table_lookup '220'
option local_source 'lan'
config interface 'wan'
option enabled '1'
option family 'ipv4'
option initial_state 'online'
option track_method 'ping'
option count '1'
option size '56'
option timeout '4'
option failure_interval '5'
option recovery_interval '5'
option down '5'
option up '5'
option interval '30'
option reliability '1'
option max_ttl '70'
list track_ip '1.0.0.1'
list track_ip '81.17.144.170'
config interface 'wanb'
option family 'ipv4'
option reliability '1'
option enabled '1'
option initial_state 'online'
option track_method 'ping'
option count '1'
option size '56'
option max_ttl '60'
option timeout '4'
option failure_interval '5'
option recovery_interval '5'
option down '5'
option up '5'
option interval '30'
list track_ip '1.0.0.1'
list track_ip '81.17.144.170'
# 'wan_m1_w1' is not defined anywhere in this file (the defined members are 'wan_m1_w3',
# 'wanb_m2', 'vpn_m3' and 'vpnb_m4'); the iptables output below shows
# mwan3_policy_wan_only containing only its 'unreachable' fallback, which matches.
config policy 'wan_only'
list use_member 'wan_m1_w1'
option last_resort 'unreachable'
# Same problem: 'wanb_m2_w2' is not defined (the member is named 'wanb_m2').
config policy 'wanb_only'
list use_member 'wanb_m2_w2'
option last_resort 'unreachable'
# No policy named 'balanced' exists in this file (only wan_only, wanb_only and wans), yet
# this rule and both default rules below use it. Without a resolvable policy these rules
# do not steer anything -- define 'balanced' or point them at 'wans'.
config rule 'https'
option sticky '1'
option dest_port '443'
option proto 'tcp'
option use_policy 'balanced'
config rule 'default_rule_v4'
option dest_ip '0.0.0.0/0'
option use_policy 'balanced'
option family 'ipv4'
config rule 'default_rule_v6'
option dest_ip '::/0'
option use_policy 'balanced'
option family 'ipv6'
config member 'wan_m1_w3'
option interface 'wan'
option metric '1'
option weight '1'
config member 'wanb_m2'
option interface 'wanb'
option metric '2'
option weight '3'
config policy 'wans'
list use_member 'wan_m1_w3'
list use_member 'wanb_m2'
option last_resort 'unreachable'
# No 'list track_ip' on either tunnel interface, so with track_method 'ping' there is
# nothing to probe; as far as I recall mwan3 then treats the interface as permanently up
# and a dead tunnel will never be failed over. A target reachable only through the tunnel
# (the provider DNS 100.64.0.7 from the network config, for instance) would serve here.
config interface 'VPN'
option enabled '1'
option initial_state 'online'
option family 'ipv4'
option track_method 'ping'
option reliability '1'
option count '1'
option size '56'
option max_ttl '60'
option timeout '4'
option interval '10'
option failure_interval '5'
option recovery_interval '5'
option down '5'
option up '5'
config interface 'VPNB'
option enabled '1'
option initial_state 'online'
option family 'ipv4'
option track_method 'ping'
option reliability '1'
option count '1'
option size '56'
option max_ttl '60'
option timeout '4'
option interval '10'
option failure_interval '5'
option recovery_interval '5'
option down '5'
option up '5'
# interface 'wan' here and in 'vpnb_m4' below looks like a copy/paste slip for 'VPN' and
# 'VPNB'; as written these are just two more wan members with worse metrics. Neither
# member is referenced by any policy above, so no traffic can reach the tunnels via mwan3.
config member 'vpn_m3'
option interface 'wan'
option metric '3'
option weight '1'
config member 'vpnb_m4'
option interface 'wan'
option metric '4'
option weight '3'
ip route show
default via 100.64.149.1 dev eth0 proto static src 100.64.149.129 metric 1
default via 192.168.8.1 dev eth4 proto static src 192.168.8.100 metric 2
100.64.149.0/24 dev eth0 proto static scope link metric 1
XXX.XXX.XX.X via 100.64.149.1 dev eth0 proto static metric 1
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1
192.168.8.0/24 dev eth4 proto static scope link metric 2
Output of "ip -4 a show"
-------------------------------------------------
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
3: eth0@dsa: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
inet 100.64.149.129/24 brd 100.64.149.255 scope global eth0
valid_lft forever preferred_lft forever
7: eth4@dsa: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
inet 192.168.8.100/24 brd 192.168.8.255 scope global eth4
valid_lft forever preferred_lft forever
12: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
valid_lft forever preferred_lft forever
16: VPNB: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
inet 10.67.182.48/32 brd 255.255.255.255 scope global VPNB
valid_lft forever preferred_lft forever
17: VPN: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
inet 10.67.182.48/32 brd 255.255.255.255 scope global VPN
valid_lft forever preferred_lft forever
Output of "ip -4 rule show"
-------------------------------------------------
0: from all lookup local
1: from all to 192.168.1.0/24 lookup main
2: from 192.168.1.0/24 lookup 1
1001: from all iif eth0 lookup 1
1002: from all iif eth4 lookup 2
1003: from all iif VPN lookup 3
1004: from all iif VPNB lookup 4
2001: from all fwmark 0x100/0x3f00 lookup 1
2002: from all fwmark 0x200/0x3f00 lookup 2
2003: from all fwmark 0x300/0x3f00 lookup 3
2004: from all fwmark 0x400/0x3f00 lookup 4
2061: from all fwmark 0x3d00/0x3f00 blackhole
2062: from all fwmark 0x3e00/0x3f00 unreachable
3001: from all fwmark 0x100/0x3f00 unreachable
3002: from all fwmark 0x200/0x3f00 unreachable
3003: from all fwmark 0x300/0x3f00 unreachable
3004: from all fwmark 0x400/0x3f00 unreachable
30001: from all fwmark 0x20000/0xff0000 lookup pbr_wanb
30003: from all fwmark 0x40000/0xff0000 lookup pbr_VPNB
32766: from all lookup main
32767: from all lookup default
Output of "ip -4 route list table 1-250"
-------------------------------------------------
Routing table 1:
default via 100.64.149.1 dev eth0 proto static src 100.64.149.129 metric 1
100.64.149.0/24 dev eth0 proto static scope link metric 1
XXX.XXX.XX.X via 100.64.149.1 dev eth0 proto static metric 1
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1
Routing table 2:
default via 192.168.8.1 dev eth4 proto static src 192.168.8.100 metric 2
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1
192.168.8.0/24 dev eth4 proto static scope link metric 2
Routing table 3:
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1
Routing table 4:
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1
Output of "iptables -t mangle -w -L -v -n"
-------------------------------------------------
Chain PREROUTING (policy ACCEPT 83922 packets, 55M bytes)
pkts bytes target prot opt in out source destination
85840 56M mwan3_hook all -- * * 0.0.0.0/0 0.0.0.0/0
Chain INPUT (policy ACCEPT 1218 packets, 129K bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 82502 packets, 55M bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 1221 packets, 1153K bytes)
pkts bytes target prot opt in out source destination
1334 1306K mwan3_hook all -- * * 0.0.0.0/0 0.0.0.0/0
Chain POSTROUTING (policy ACCEPT 83723 packets, 56M bytes)
pkts bytes target prot opt in out source destination
Chain mwan3_connected_ipv4 (2 references)
pkts bytes target prot opt in out source destination
2927 1464K MARK all -- * * 0.0.0.0/0 0.0.0.0/0 match-set mwan3_connected_ipv4 dst MARK or 0x3f00
Chain mwan3_custom_ipv4 (2 references)
pkts bytes target prot opt in out source destination
0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 match-set mwan3_custom_ipv4 dst MARK or 0x3f00
Chain mwan3_dynamic_ipv4 (2 references)
pkts bytes target prot opt in out source destination
0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 match-set mwan3_dynamic_ipv4 dst MARK or 0x3f00
Chain mwan3_hook (2 references)
pkts bytes target prot opt in out source destination
87124 57M CONNMARK all -- * * 0.0.0.0/0 0.0.0.0/0 mark match 0x0/0x3f00 CONNMARK restore mask 0x3f00
1639 216K mwan3_ifaces_in all -- * * 0.0.0.0/0 0.0.0.0/0 mark match 0x0/0x3f00
1087 153K mwan3_custom_ipv4 all -- * * 0.0.0.0/0 0.0.0.0/0 mark match 0x0/0x3f00
1087 153K mwan3_connected_ipv4 all -- * * 0.0.0.0/0 0.0.0.0/0 mark match 0x0/0x3f00
918 124K mwan3_dynamic_ipv4 all -- * * 0.0.0.0/0 0.0.0.0/0 mark match 0x0/0x3f00
918 124K mwan3_rules all -- * * 0.0.0.0/0 0.0.0.0/0 mark match 0x0/0x3f00
87174 57M CONNMARK all -- * * 0.0.0.0/0 0.0.0.0/0 CONNMARK save mask 0x3f00
6592 2431K mwan3_custom_ipv4 all -- * * 0.0.0.0/0 0.0.0.0/0 mark match ! 0x3f00/0x3f00
6592 2431K mwan3_connected_ipv4 all -- * * 0.0.0.0/0 0.0.0.0/0 mark match ! 0x3f00/0x3f00
3834 996K mwan3_dynamic_ipv4 all -- * * 0.0.0.0/0 0.0.0.0/0 mark match ! 0x3f00/0x3f00
Chain mwan3_iface_in_VPN (1 references)
pkts bytes target prot opt in out source destination
0 0 MARK all -- VPN * 0.0.0.0/0 0.0.0.0/0 match-set mwan3_custom_ipv4 src mark match 0x0/0x3f00 /* default */ MARK or 0x3f00
0 0 MARK all -- VPN * 0.0.0.0/0 0.0.0.0/0 match-set mwan3_connected_ipv4 src mark match 0x0/0x3f00 /* default */ MARK or 0x3f00
0 0 MARK all -- VPN * 0.0.0.0/0 0.0.0.0/0 match-set mwan3_dynamic_ipv4 src mark match 0x0/0x3f00 /* default */ MARK or 0x3f00
0 0 MARK all -- VPN * 0.0.0.0/0 0.0.0.0/0 mark match 0x0/0x3f00 /* VPN */ MARK xset 0x300/0x3f00
Chain mwan3_iface_in_VPNB (1 references)
pkts bytes target prot opt in out source destination
0 0 MARK all -- VPNB * 0.0.0.0/0 0.0.0.0/0 match-set mwan3_custom_ipv4 src mark match 0x0/0x3f00 /* default */ MARK or 0x3f00
0 0 MARK all -- VPNB * 0.0.0.0/0 0.0.0.0/0 match-set mwan3_connected_ipv4 src mark match 0x0/0x3f00 /* default */ MARK or 0x3f00
0 0 MARK all -- VPNB * 0.0.0.0/0 0.0.0.0/0 match-set mwan3_dynamic_ipv4 src mark match 0x0/0x3f00 /* default */ MARK or 0x3f00
0 0 MARK all -- VPNB * 0.0.0.0/0 0.0.0.0/0 mark match 0x0/0x3f00 /* VPNB */ MARK xset 0x400/0x3f00
Chain mwan3_iface_in_wan (1 references)
pkts bytes target prot opt in out source destination
0 0 MARK all -- eth0 * 0.0.0.0/0 0.0.0.0/0 match-set mwan3_custom_ipv4 src mark match 0x0/0x3f00 /* default */ MARK or 0x3f00
1 56 MARK all -- eth0 * 0.0.0.0/0 0.0.0.0/0 match-set mwan3_connected_ipv4 src mark match 0x0/0x3f00 /* default */ MARK or 0x3f00
0 0 MARK all -- eth0 * 0.0.0.0/0 0.0.0.0/0 match-set mwan3_dynamic_ipv4 src mark match 0x0/0x3f00 /* default */ MARK or 0x3f00
551 62146 MARK all -- eth0 * 0.0.0.0/0 0.0.0.0/0 mark match 0x0/0x3f00 /* wan */ MARK xset 0x100/0x3f00
Chain mwan3_iface_in_wanb (1 references)
pkts bytes target prot opt in out source destination
0 0 MARK all -- eth4 * 0.0.0.0/0 0.0.0.0/0 match-set mwan3_custom_ipv4 src mark match 0x0/0x3f00 /* default */ MARK or 0x3f00
0 0 MARK all -- eth4 * 0.0.0.0/0 0.0.0.0/0 match-set mwan3_connected_ipv4 src mark match 0x0/0x3f00 /* default */ MARK or 0x3f00
0 0 MARK all -- eth4 * 0.0.0.0/0 0.0.0.0/0 match-set mwan3_dynamic_ipv4 src mark match 0x0/0x3f00 /* default */ MARK or 0x3f00
0 0 MARK all -- eth4 * 0.0.0.0/0 0.0.0.0/0 mark match 0x0/0x3f00 /* wanb */ MARK xset 0x200/0x3f00
Chain mwan3_ifaces_in (1 references)
pkts bytes target prot opt in out source destination
1455 189K mwan3_iface_in_wan all -- * * 0.0.0.0/0 0.0.0.0/0 mark match 0x0/0x3f00
897 125K mwan3_iface_in_wanb all -- * * 0.0.0.0/0 0.0.0.0/0 mark match 0x0/0x3f00
897 125K mwan3_iface_in_VPN all -- * * 0.0.0.0/0 0.0.0.0/0 mark match 0x0/0x3f00
875 121K mwan3_iface_in_VPNB all -- * * 0.0.0.0/0 0.0.0.0/0 mark match 0x0/0x3f00
Chain mwan3_policy_wan_only (0 references)
pkts bytes target prot opt in out source destination
0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 mark match 0x0/0x3f00 /* unreachable */ MARK xset 0x3e00/0x3f00
Chain mwan3_policy_wanb_only (0 references)
pkts bytes target prot opt in out source destination
0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 mark match 0x0/0x3f00 /* unreachable */ MARK xset 0x3e00/0x3f00
Chain mwan3_policy_wans (0 references)
pkts bytes target prot opt in out source destination
0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 mark match 0x0/0x3f00 /* wan 1 1 */ MARK xset 0x100/0x3f00
Chain mwan3_rules (1 references)
pkts bytes target prot opt in out source destination