How to set default route for custom routing table

Hi,

what I want to achieve in the end: I have two internal networks, int1 (192.168.64.0/24) and int2 (192.168.96.0/24). I have two upstream interfaces: wan (192.168.203.100) and one openvpn client interface with dynamic IPs. The openvpn client interface is the default route, but int1 should be routed over wan to the internet.

The openvpn client works fine and the route from int2 via openvpn to the internet works fine. I don't want to use the "PBR app" or "mwan3". I want to use PBR with netifd (https://openwrt.org/docs/guide-user/network/routing/pbr).

Here is the config for the int1 interface:

config interface 'int1'
        option proto 'static'
        option device 'br-lan.40'
        option ipaddr '192.168.64.254'
        option netmask '255.255.255.0'
        option gateway '192.168.203.254'
        option ip4table 'int1'

The routing table for this interface is created:

# ip route show table int1
192.168.64.0/24 dev br-lan.40 scope link

But the default route is missing! Also when I set up an extra static default route for this table in /etc/config/network it is not added to the table. There is no hint in the logs.

My only idea is: openwrt doesn't add the default route to this custom table, because there is the same default route in the main table:

# ip route show table main
...
default via 192.168.203.254 dev wan
...

Is this the problem? If so: How to solve? If not: Any other ideas?

Thanks a lot!

By using the options ip4table and ip6table.

Be sure to declare the name of your table here:

/etc/iproute2/rt_tables

Otherwise, you can only use numeric table IDs.

Can you please explain more what you mean? I used the option ip4table in my config, as you can see above.

Yes, I declared it in /etc/iproute2/rt_tables.

OpenVPN is not managed by netifd and needs a few workarounds:

Here's a tested and working script that automatically configures named routing tables and is compatible with the above workarounds:

Thank you for the hint, but I'm trying for two days now. So I restarted multiple times (the network and the whole router).

Of course a typo is possible. But I did it with the web interface and searched for a typo multiple times. I don't think that there is a typo.

Yes, I know, but I think it's working fine, because I can ping through the tun0 interface (and the wan interface) and int2 is routed via openvpn to the internet.

int1 should be routed via wan (no openvpn) to the internet.

Well, it works for me and I have reproduced this setup multiple times over the years, including on the latest stable OpenWrt release, so just try to carefully follow the instructions:

Thanks again. But also again: The routing of int2 via openvpn works fine!

The routing of int1 via wan is not working. wan is not an openvpn interface. It is normal ethernet.

Is there any option to debug openwrt? There must be a reason why openwrt doesn't use the config option gateway '192.168.203.254'. Adding this manually with ip route add default via 192.168.203.254 table int1 works! So the problem is that openwrt for some reason ignores the option gateway '192.168.203.254'.

Yes, I know this script. I don't want to use it at the moment, because I don't want an extra table for every interface. But I used the script to check my setup.

Then there must be a problem in your configuration.
Collect and post the output when the issue happens:

ip -4 route show table all; ip -4 rule show
uci show network; grep -v -e "^#" -e "^$" /etc/iproute2/rt_tables

Redact the private parts if necessary.

I can understand that it would be much easier for you to say something about my problem if I posted this information. But I'm sorry, I can't do this. There is much too much information in the output to post to the internet.

Well, two outputs are possible:

# ip -4 rule show
0:      from all lookup local
10000:  from 192.168.64.254 lookup int1
20000:  from all to 192.168.64.254/24 lookup int1
32766:  from all lookup main
32767:  from all lookup default
90020:  from all iif lo lookup int1

and

# grep -v -e "^#" -e "^$" /etc/iproute2/rt_tables
128     prelocal
255     local
254     main
253     default
0       unspec
1       int1

Please tell me what information you need from the other commands. I'll try to cut things together then.

Some more information: If I change this option to an address inside the 192.168.64.0/24 network, then the default route in the int1 table is created! I can't understand, why this route is created for (useless) default routes in 192.168.64.0/24 but not for useful routes to an upstream interface.

This is networking basics: the gateway must be on the same subnet as the address/mask, unless you are using a tunneling WAN protocol.

But you must not add gateway on the downstream interfaces, unless it is a different host in your LAN serving as a VPN gateway.

You can specify a custom routing table for the WAN interface, then make a rule for one of your LANs to lookup that table.

Yes, of course I know that if I configure a Linux network interface, the gateway has to be on the same subnet. (Otherwise the machine doesn't know where to send packets by default.) But (at least for me) it is completely unclear what openwrt does with the configuration parameters from /etc/config/network.

Nevertheless: I'm a step further. Now I'm using:

config route
        option target '0.0.0.0/0'
        option table 'int1'
        option gateway '192.168.203.254'
        option interface 'wan'

The difference is that the interface is wan instead of int1. Now the routing table is correct:

# ip route show table int1
default via 192.168.203.254 dev wan
192.168.64.0/24 dev br-lan.40 scope link

Perfect! But sadly it doesn't work. From int1:

$ ping -c 1 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
From 192.168.64.254 icmp_seq=1 Destination Port Unreachable

Although the main question of this thread is solved now: Does someone have another hint for me?

If so: Thank you very much!

Probably you are still missing the relevant routing rule to lookup the custom table.

Ok, I deleted option ip4table 'int1' in the interface definition (see my first post), because this leads only to:

# ip rule show
0:      from all lookup local
10000:  from 192.168.64.254 lookup int1
20000:  from all to 192.168.64.254/24 lookup int1
32766:  from all lookup main
32767:  from all lookup default
90014:  from all iif lo lookup int1

So int1 is only looked up if there is a packet from 192.168.64.254 (openwrt itself) but not from 192.168.64.0/24. Instead I created rule:

config rule
        option priority '30000'
        option in 'int1'
        option lookup 'int1'

This works so far, but now only the routes from table int1 are used! Not from main! I need the other routes from main and only the default route should be used from the table int1 for the packets arriving from int1.

To explain a little bit more: I have set up a routing from int2 to int1 via the Firewall-Web-Gui. This works fine without the rule from my last post. But with this rule enabled this doesn't work anymore. Because of this I think that only the table for int1 is read and not the main table anymore.

This is what I have been trying to explain to you from the very beginning, and what the PBR extras script is designed to solve.
To allow using the main table, lower the priority of the custom routing rules to about 40000 and assign each upstream interface, including the VPN, to its own separate table.
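The following /etc/config/network fragment is an added example that is not part of the thread; it puts the last reply's advice next to the configuration the thread tried, using the interface names and addresses from the thread. The table names 'wan' and 'vpn' (assumed to be declared in /etc/iproute2/rt_tables as 100 and 101), the device names 'eth1' and 'br-lan.41', and the int2 address are assumptions. The VPN table is left to the OpenVPN side, since netifd does not manage tun0; how it gets filled is not shown here.

```uci
# /etc/iproute2/rt_tables (names assumed for this example)
#   100  wan
#   101  vpn

# /etc/config/network

# Upstream 1: wan gets its own table. Because ip4table is set and the
# interface has a gateway, netifd installs the default route in table 'wan'
# instead of main, and adds the 'from <wan ip> lookup wan' and
# 'iif lo lookup wan' rules for the router's own traffic.
config interface 'wan'
        option proto 'static'
        option device 'eth1'                # assumed device name
        option ipaddr '192.168.203.100'
        option netmask '255.255.255.0'
        option gateway '192.168.203.254'
        option ip4table 'wan'

# Upstream 2: the OpenVPN client is not managed by netifd, so table 'vpn'
# has to be filled from the OpenVPN side (assumption: a route-up script that
# runs 'ip route add default via <vpn gw> dev tun0 table vpn', with the
# client told not to touch main). Nothing to declare here.

# Downstream interfaces: no gateway and no ip4table. Their connected routes
# stay in main, so int1 <-> int2 traffic keeps working.
config interface 'int1'
        option proto 'static'
        option device 'br-lan.40'
        option ipaddr '192.168.64.254'
        option netmask '255.255.255.0'

config interface 'int2'
        option proto 'static'
        option device 'br-lan.41'           # assumed device name
        option ipaddr '192.168.96.254'      # assumed address
        option netmask '255.255.255.0'

# WRONG (what the thread tried): priority 30000 is consulted BEFORE main
# (32766). Table 'wan' contains a default route, so every packet arriving on
# int1 is resolved there and the routes in main are never consulted.
#config rule
#        option priority '30000'
#        option in 'int1'
#        option lookup 'wan'

# RIGHT: priorities above 32767 are consulted AFTER main and default. Main now
# holds only connected/LAN routes (no default route, because both upstreams
# live in their own tables), so a packet from int1 to int2 is answered by
# main and everything else falls through to the per-interface table.
config rule
        option priority '40000'
        option in 'int1'
        option lookup 'wan'

config rule
        option priority '40001'
        option in 'int2'
        option lookup 'vpn'
```

After `uci commit network` and `/etc/init.d/network reload`, check the order with `ip -4 rule show` (the two custom rules must sort after 32766/32767) and the table contents with `ip -4 route show table wan`, then confirm the path selection for a LAN host with `ip route get 8.8.8.8 from 192.168.64.10 iif br-lan.40`, which should print a route via 192.168.203.254 dev eth1 rather than via tun0. If `ip -4 route show table main` still lists a default route (or the 0.0.0.0/1 and 128.0.0.0/1 halves OpenVPN installs with redirect-gateway), main will win for internet traffic from both LANs and the 40000 rules will never be reached.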