How to kill switch (blackhole) traffic with policy based routing?

Hello!

Could you please help me to set up a kill switch for a policy based routing?

Let's assume I have two output interfaces: wan and wg_out. The lan network is allowed to use both of them, i.e. the firewall zone forwardings are set as follows:

/etc/config/firewall (Forwardings)
config forwarding
        option src 'lan'
        option dest 'wan'

config forwarding
        option src 'lan'
        option dest 'wg_out'

Also I have a rule and a routing table to reroute traffic marked with 0x2 mark to the wg_out interface:

/etc/config/network
config rule
        option name 'mark0x2'
        option mark '0x2'
        option priority '110'
        option lookup 'wg_out_table'

config route 'wg_out_route'
        option interface 'wg_out'
        option table 'wg_out_table'
        option target '0.0.0.0/0'
        option metric '10'

config route
        option interface 'wg_out'
        option type 'blackhole'
        option target '0.0.0.0/0'
        option metric '255'
        option table 'wg_out_table'

Traffic marking is done by the firewall rule:

/etc/config/firewall (Rules)
config rule
        option name 'Mark 0x2 (VPN reroute) for lan'
        option family 'ipv4'
        option src 'lan'
        option ipset 'vpn_reroute_test'
        option dest '*'
        option target 'MARK'
        option set_mark '0x2'
        list proto 'all'

The vpn_reroute_test nft set is filled with myip.com IP address.

If the wg_out interface is up and running I get its IP from visiting myip.com
If the wg_out interface is down (disabled) then I get the wan interface IP.

I want to receive a connection error, i.e. stop traffic marked 0x2 from overflowing to wan when wg_out is down.
I thought that the blackhole route will do this, but got no luck.

I appreciate any advice. Thank you!

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

lan-wan forwarding is not needed in your setup AT ALL.


Unfortunately it is relevant.
I reroute only traffic which has been marked 0x2 to wg_out, i.e. only traffic going to myip.com. All other traffic flows through the wan interface. If I delete the lan -> wan forwarding I will lose access to any other host except myip.com.

Regarding your first question about configuration: I have posted the relevant settings in the first post. What other configuration should I mention? There are quite a lot of lines with sensitive information which will be hard to clean.

The important thing to remember is that there are two separate systems in play here. The routing table(s) determine where the kernel will attempt to forward a packet. The firewall rules determine if that forward will be allowed or blocked.

Make the firewall conditional so that only what you want non-VPN is forwarded lan->wan; the IP destinations that you want to only ever go via VPN are rejected or dropped if they try to go to WAN.


I figured it out.
Thanks to this article: https://openwrt.org/docs/guide-user/network/routing/pbr_netifd#prohibitive_routes

My configuration was almost correct. I just messed up the interface in the blackhole route. It should be set to loopback:

config route
        option interface 'loopback'
        option type 'blackhole'
        option target '0.0.0.0/0'
        option metric '255'
        option table 'wg_out_table'

After this modification everything works like a charm! My VPN traffic won't overflow into wan if the wg_out is down.


Actually, the interface "loopback" can hold a blackhole route. "ip route" does not need an interface for them; it is just decoration for netifd to catch up.
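The thread's resolution (and the earlier reply about routing tables and firewall being two separate systems) comes down to one rule: netifd only installs a `config route` while its `option interface` is up, so a blackhole bound to `wg_out` vanishes together with the VPN and the fwmark rule falls through to the main table and the WAN default route. The following Python model is an added example, not code from the thread or from OpenWrt; it reproduces that lookup order for the two variants of the blackhole route. The rule priorities, the `main` table default route via `wan`, and the `Route`/`Rule` names are assumptions made for the model.

```python
"""Model of fwmark policy routing with a netifd-managed blackhole fallback.

Added example (not from the thread). It encodes two facts the thread relies on:
  1. The kernel walks `ip rule` entries by priority; if the table a rule points
     to has no usable route, it continues with the next rule.
  2. netifd installs a `config route` only while its `option interface` is up,
     so a route bound to 'wg_out' disappears when wg_out goes down.
Rule priorities and the main-table default via 'wan' are assumed values.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Route:
    table: str
    target: str          # only the default route '0.0.0.0/0' is modelled
    interface: str       # 'wan', 'wg_out' or 'loopback'
    metric: int
    rtype: str = "unicast"   # 'unicast' or 'blackhole'


@dataclass(frozen=True)
class Rule:
    priority: int
    mark: Optional[int]  # None matches every packet (the implicit main-table rule)
    lookup: str


def active_routes(routes: List[Route], up_ifaces: Set[str]) -> List[Route]:
    """netifd keeps interface-bound routes only while that interface is up.
    'loopback' is always up, which is why a blackhole bound to it survives."""
    return [r for r in routes if r.interface == "loopback" or r.interface in up_ifaces]


def lookup(rules: List[Rule], routes: List[Route], up_ifaces: Set[str],
           mark: int) -> Tuple[str, Optional[str]]:
    """Return ('via', iface), ('blackhole', None) or ('unreachable', None)."""
    live = active_routes(routes, up_ifaces)
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.mark is not None and rule.mark != mark:
            continue
        candidates = sorted((r for r in live if r.table == rule.lookup),
                            key=lambda r: r.metric)
        if not candidates:
            continue                    # empty table: kernel moves to the next rule
        best = candidates[0]            # lowest metric wins inside one table
        if best.rtype == "blackhole":
            return ("blackhole", None)
        return ("via", best.interface)
    return ("unreachable", None)


# Assumed rule set: the thread's priority-110 fwmark rule plus the implicit main table.
RULES = [Rule(110, 0x2, "wg_out_table"), Rule(32766, None, "main")]

MAIN_DEFAULT = Route("main", "0.0.0.0/0", "wan", 0)              # assumed WAN default
VPN_DEFAULT = Route("wg_out_table", "0.0.0.0/0", "wg_out", 10)   # from the thread
# The two blackhole variants from the thread: bound to wg_out (broken) vs loopback (fixed).
BROKEN_BLACKHOLE = Route("wg_out_table", "0.0.0.0/0", "wg_out", 255, "blackhole")
FIXED_BLACKHOLE = Route("wg_out_table", "0.0.0.0/0", "loopback", 255, "blackhole")


def decide(blackhole: Route, wg_up: bool, mark: int = 0x2) -> Tuple[str, Optional[str]]:
    """Where does a packet with `mark` go, given which blackhole variant is configured
    and whether wg_out is currently up?"""
    up = {"wan", "wg_out"} if wg_up else {"wan"}
    return lookup(RULES, [MAIN_DEFAULT, VPN_DEFAULT, blackhole], up, mark)


if __name__ == "__main__":
    for name, bh in (("blackhole on wg_out", BROKEN_BLACKHOLE),
                     ("blackhole on loopback", FIXED_BLACKHOLE)):
        for wg_up in (True, False):
            print(f"{name:22s} wg_out {'up  ' if wg_up else 'down'} -> {decide(bh, wg_up)}")
```

Running the model shows the leak the original poster observed: with the blackhole bound to `wg_out`, bringing the VPN down empties `wg_out_table`, the fwmark rule is skipped, and marked traffic takes the WAN default; with the blackhole on `loopback` the table still holds the metric-255 blackhole and marked traffic is dropped, while unmarked traffic keeps using WAN either way. On a real router the equivalent check is `ip rule show` and `ip route show table wg_out_table` with the VPN down, where the blackhole line must still be listed.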

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.