I want to assign openvpn client to each device

I have an OpenWrt router on which I have installed OpenVPN. It is connecting and working very well, but I do have a problem.
All my devices that are connected to my LAN port and Wi-Fi are showing one VPN IP address location. I want to be able to assign an OpenVPN client connection for each location, per local IP address. (Example: I have VPN locations Tokyo, Hong Kong and Germany.) But I want device 1 (192.168.16.2) to connect to Tokyo, device 2 (192.168.16.3) to connect to Hong Kong, and device 3 (192.168.16.4) to connect to Germany, all in one LAN port or subnet.
The PBR package is not suitable for my situation.

Please help.

Thank you all in advance.

Well, that is exactly the use case for PBR.
See: https://docs.openwrt.melmac.net/pbr/

2 Likes
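
What per-device policies for PBR could look like for the three devices in the question, as an added example that is not part of the original posts. It assumes three separate OpenVPN client tunnels exposed as OpenWrt interfaces `vtun0`, `vtun1` and `vtun2` (hypothetical names here), and the helper functions `is_token`, `is_ipv4` and `pbr_policy_batch` are made up for this sketch; the output is meant to be reviewed and then fed to `uci batch`.

```shell
#!/bin/sh
# Added example, not from the thread: build a `uci batch` script with one pbr
# policy per device. Assumptions: the three LAN addresses from the question,
# and vtun0..vtun2 as OpenWrt interfaces for three separate OpenVPN clients.

# Constructed mapping: policy-name  source-address  interface
MAPPING='
tokyo     192.168.16.2  vtun0
hongkong  192.168.16.3  vtun1
germany   192.168.16.4  vtun2
'
NL='
'

# is_token WORD: succeed for a non-empty word that is safe inside uci quotes.
is_token() {
    case "$1" in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
    esac
}

# is_ipv4 ADDR: succeed only for a dotted quad with each octet in 0..255.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                     # split the address on dots
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# pbr_policy_batch MAPPING: print the batch on stdout. Nothing is printed and
# 1 is returned when a line is malformed or one device is mapped to two
# tunnels, so a half-written policy set never reaches the router config.
pbr_policy_batch() {
    seen=' '
    batch=''
    while read -r name addr iface; do
        [ -n "$name" ] || continue            # skip blank lines
        if ! is_token "$name" || ! is_token "$iface" || ! is_ipv4 "$addr"; then
            echo "rejected line: $name $addr $iface" >&2
            return 1
        fi
        case "$seen" in
            *" $addr "*) echo "$addr is mapped twice" >&2; return 1 ;;
        esac
        seen="$seen$addr "
        batch="${batch}add pbr policy${NL}"
        batch="${batch}set pbr.@policy[-1].name='$name'${NL}"
        batch="${batch}set pbr.@policy[-1].src_addr='$addr'${NL}"
        batch="${batch}set pbr.@policy[-1].interface='$iface'${NL}"
    done <<EOF
$1
EOF
    printf '%scommit pbr\n' "$batch"
}

# On the router, after reviewing the output:
#   pbr_policy_batch "$MAPPING" | uci batch && /etc/init.d/pbr reload
pbr_policy_batch "$MAPPING"
```

Each device needs a fixed address (for example a static DHCP lease) for a source-address policy like this to keep matching it.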

It is not working for me; I have tried all I could. I think I am missing something. Someone should help me. Show me what to do. Here is my screenshot.

The pragmatic solution for this use case would be running the VPN client on the individual systems, instead of on the router. While pbr does allow this on the router as well, that is not so convenient for very dynamic changes.

3 Likes

I fully agree with the former speaker. We can review your config to see what is possible with PBR in your case.

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:

Remember to redact keys, passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/dhcp
cat /etc/config/firewall
ip route show
ip route show table all
ip rule show
cat /etc/config/pbr
/etc/init.d/pbr status
uci set pbr.config.verbosity='2'
uci commit pbr
/etc/init.d/pbr reload
/etc/init.d/pbr status

If you use WireGuard:

wg show

If you use openvpn:

for ovpn in /etc/openvpn/*.ovpn; do echo "$ovpn"; cat "$ovpn"; echo; done
logread | grep openvpn

2 Likes
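
One way to read the `ip route show table all` output that the list above asks for, as an added example that is not part of the original post: it lists the default route of every `pbr_*` table and names the tables that have no default route through a tunnel device. The sample routes are constructed, and the `pbr_vtun` table prefix and `tun` device prefix passed to the helper are assumptions about the interface naming.

```shell
#!/bin/sh
# Added example, not from the thread. SAMPLE is constructed in the format of
# `ip route show table all`; the addresses are documentation ranges.
SAMPLE='default via 192.0.2.1 dev wan table pbr_wan
unreachable default table pbr_vtun0
default via 198.51.100.1 dev usb0 table pbr_vtun0 proto static metric 20
203.0.113.0/24 dev lan4 table pbr_vtun0 proto kernel scope link
default via 10.8.0.1 dev tun1 table pbr_vtun1
default via 192.0.2.1 dev wan proto static metric 10'

# pbr_defaults: routes on stdin -> one "<table> <device|unreachable>" line
# per default route found in a pbr_* table (the main table is ignored).
pbr_defaults() {
    awk '
    {
        table = ""; dev = ""
        for (i = 1; i < NF; i++) {
            if ($i == "table") table = $(i + 1)
            if ($i == "dev")   dev   = $(i + 1)
        }
        if (table !~ /^pbr_/) next
        if ($1 == "default")
            print table, dev
        else if ($1 == "unreachable" && $2 == "default")
            print table, "unreachable"
    }'
}

# tables_without_tunnel TABLE_PREFIX DEV_PREFIX: routes on stdin -> names of
# the tables starting with TABLE_PREFIX that have no default route via a
# device starting with DEV_PREFIX, in the order they first appear.
tables_without_tunnel() {
    pbr_defaults | awk -v tp="$1" -v dp="$2" '
    index($1, tp) == 1 {
        if (!($1 in seen)) { seen[$1] = 1; order[++n] = $1 }
        if (index($2, dp) == 1) ok[$1] = 1
    }
    END { for (i = 1; i <= n; i++) if (!(order[i] in ok)) print order[i] }'
}

# On the router: ip route show table all | tables_without_tunnel pbr_vtun tun
printf '%s\n' "$SAMPLE" | pbr_defaults
printf '%s\n' "$SAMPLE" | tables_without_tunnel pbr_vtun tun
```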

The exit point is decided by your VPN provider, you cannot force it locally. So, either you have one VPN connection for each exit point, or you ask your provider to distribute the traffic for you.

2 Likes

I actually assumed he had several tunnels, otherwise it does not make sense at all.

2 Likes

Here are the results that I got. Right now there is no internet at the moment. Thank you in advance.

ubus call system board

ubus call system board
{
        "kernel": "5.15.150",
        "hostname": "XVPCS",
        "system": "ARMv7 Processor rev 1 (v7l)",
        "model": "Linksys WRT3200ACM",
        "board_name": "linksys,wrt3200acm",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.3",
                "revision": "r23809-234f1a2efa",
                "target": "mvebu/cortexa9",
                "description": "OpenWrt 23.05.3 r23809-234f1a2efa"
        }
}

cat /etc/config/network


config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fda4:871b:e22f::/48'
        option packet_steering '1'

config device
        option name 'wan'
        option macaddr '62:38:e0:b7:2e:28'

config interface 'lan4'
        option device 'lan4'
        option proto 'static'
        option ipaddr '162.16.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'lan1'
        option proto 'static'
        option device 'lan1'
        option ipaddr '172.16.10.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'lan2'
        option proto 'static'
        option device 'lan2'
        option ip6assign '60'
        option ipaddr '172.16.20.1'
        option netmask '255.255.255.0'

config interface 'lan3'
        option proto 'static'
        option device 'lan3'
        option ipaddr '172.16.30.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config device
        option type 'bridge'
        option name 'br-wireless'
        option bridge_empty '1'
        option igmp_snooping '1'
        option acceptlocal '1'

config interface 'wireless'
        option proto 'static'
        option device 'br-wireless'
        option ipaddr '110.110.120.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'
        option metric '10'
        option peerdns '0'
        list dns '8.8.8.8'
        list dns '8.8.4.4'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'

config interface 'vtun0'
        option proto 'none'
        option device 'tun0'

config interface 'vtun1'
        option proto 'none'
        option device 'tun1'

config interface 'vtun2'
        option proto 'none'
        option device 'tun2'

config interface 'vtun3'
        option proto 'none'
        option device 'tun3'

config interface 'vtun4'
        option proto 'none'
        option device 'tun4'

config interface 'vtun5'
        option proto 'none'
        option device 'tun5'

config interface 'vtun6'
        option proto 'none'
        option device 'tun6'

config interface 'vtun7'
        option proto 'none'
        option device 'tun7'

config interface 'vtun8'
        option proto 'none'
        option device 'tun8'

config interface 'vtun9'
        option proto 'none'
        option device 'tun9'

config interface 'vtun10'
        option proto 'none'
        option device 'tun10'

config interface 'vtun11'
        option proto 'none'
        option device 'tun11'

config interface 'vtun12'
        option proto 'none'
        option device 'tun12'

config interface 'vtun13'
        option proto 'none'
        option device 'tun13'

config interface 'vtun14'
        option proto 'none'
        option device 'tun14'

config interface 'vtun15'
        option proto 'none'
        option device 'tun15'

config interface 'vtun16'
        option proto 'none'
        option device 'tun16'

config interface 'vtun17'
        option proto 'none'
        option device 'tun17'

config interface 'vtun18'
        option proto 'none'
        option device 'tun18'

config interface 'vtun19'
        option proto 'none'
        option device 'tun19'

config interface 'vtun20'
        option proto 'none'
        option device 'tun20'

config interface 'vtun21'
        option proto 'none'
        option device 'tun21'

config interface 'vtun22'
        option proto 'none'
        option device 'tun22'

config interface 'vtun23'
        option proto 'none'
        option device 'tun23'

config interface 'vtun24'
        option proto 'none'
        option device 'tun24'

config interface 'vtun25'
        option proto 'none'
        option device 'tun25'

config interface 'vtun26'
        option proto 'none'
        option device 'tun26'

config interface 'vtun27'
        option proto 'none'
        option device 'tun27'

config interface 'vtun28'
        option proto 'none'
        option device 'tun28'

config interface 'vtun29'
        option proto 'none'
        option device 'tun29'

config interface 'vtun30'
        option proto 'none'
        option device 'tun30'

config interface 'usbmodem'
        option proto 'dhcp'
        option device 'usb0'
        option metric '20'
        option peerdns '0'
        list dns '8.8.8.8'
        list dns '8.8.4.4'

config device
        option type 'bridge'
        option name 'br-lan1'
        list ports 'br-lan1.10'
        list ports 'br-lan1.20'
        list ports 'br-lan1.30'
        list ports 'br-lan1.40'
        list ports 'br-lan1.50'
        list ports 'br-lan1.60'
        list ports 'br-lan1.70'
        list ports 'br-lan1.80'
        list ports 'br-lan1.90'
        list ports 'br-lan1.100'
        list ports 'lan1'
        option bridge_empty '1'

config device
        option type 'bridge'
        option name 'br-lan2'
        list ports 'br-lan2.11'
        list ports 'br-lan2.21'
        list ports 'br-lan2.31'
        list ports 'br-lan2.41'
        list ports 'br-lan2.51'
        list ports 'br-lan2.61'
        list ports 'br-lan2.71'
        list ports 'br-lan2.81'
        list ports 'br-lan2.91'
        list ports 'br-lan2.101'
        list ports 'lan2'
        option bridge_empty '1'

config device
        option type 'bridge'
        option name 'br-lan3'
        list ports 'br-lan3.12'
        list ports 'br-lan3.22'
        list ports 'br-lan3.32'
        list ports 'br-lan3.42'
        list ports 'br-lan3.52'
        list ports 'br-lan3.62'
        list ports 'br-lan3.72'
        list ports 'br-lan3.82'
        list ports 'br-lan3.92'
        list ports 'br-lan3.102'
        list ports 'lan3'
        option bridge_empty '1'

config device
        option type 'bridge'
        option name 'br-lan4'
        list ports 'lan4'
        option bridge_empty '1'

config bridge-vlan
        option device 'br-lan1'
        option vlan '10'
        list ports 'br-lan1.10:t'
        list ports 'lan1'

config bridge-vlan
        option device 'br-lan1'
        option vlan '20'
        list ports 'br-lan1.20:t'
        list ports 'lan1'

config bridge-vlan
        option device 'br-lan1'
        option vlan '30'
        list ports 'br-lan1.30:t'
        list ports 'lan1'

config bridge-vlan
        option device 'br-lan1'
        option vlan '40'
        list ports 'br-lan1.40:t'
        list ports 'lan1'

config bridge-vlan
        option device 'br-lan1'
        option vlan '50'
        list ports 'br-lan1.50:t'
        list ports 'lan1'

config bridge-vlan
        option device 'br-lan1'
        option vlan '60'
        list ports 'br-lan1.60:t'
        list ports 'lan1'

config bridge-vlan
        option device 'br-lan1'
        option vlan '70'
        list ports 'br-lan1.70:t'
        list ports 'lan1'

config bridge-vlan
        option device 'br-lan1'
        option vlan '80'
        list ports 'br-lan1.80:t'
        list ports 'lan1'

config bridge-vlan
        option device 'br-lan1'
        option vlan '90'
        list ports 'br-lan1.90:t'
        list ports 'lan1'

config bridge-vlan
        option device 'br-lan1'
        option vlan '100'
        list ports 'br-lan1.100:t'
        list ports 'lan1'

config bridge-vlan
        option device 'br-lan2'
        option vlan '11'
        list ports 'br-lan2.11:t'
        list ports 'lan2'

config bridge-vlan
        option device 'br-lan2'
        option vlan '21'
        list ports 'br-lan2.21:t'
        list ports 'lan2'

config bridge-vlan
        option device 'br-lan2'
        option vlan '31'
        list ports 'br-lan2.31:t'
        list ports 'lan2'

config bridge-vlan
        option device 'br-lan2'
        option vlan '41'
        list ports 'br-lan2.41:t'
        list ports 'lan2'

config bridge-vlan
        option device 'br-lan2'
        option vlan '51'
        list ports 'br-lan2.51:t'
        list ports 'lan2'

config bridge-vlan
        option device 'br-lan2'
        option vlan '61'
        list ports 'br-lan2.61:t'
        list ports 'lan2'

config bridge-vlan
        option device 'br-lan2'
        option vlan '71'
        list ports 'br-lan2.71:t'
        list ports 'lan2'

config bridge-vlan
        option device 'br-lan2'
        option vlan '81'
        list ports 'br-lan2.81:t'
        list ports 'lan2'

config bridge-vlan
        option device 'br-lan2'
        option vlan '91'
        list ports 'br-lan2.91:t'
        list ports 'lan2'

config bridge-vlan
        option device 'br-lan2'
        option vlan '101'
        list ports 'br-lan2.101:t'
        list ports 'lan2'

config bridge-vlan
        option device 'br-lan3'
        option vlan '12'
        list ports 'br-lan3.12:t'
        list ports 'lan3'

config bridge-vlan
        option device 'br-lan3'
        option vlan '22'
        list ports 'br-lan3.22:t'
        list ports 'lan3'

config bridge-vlan
        option device 'br-lan3'
        option vlan '32'
        list ports 'br-lan3.32:t'
        list ports 'lan3'

config bridge-vlan
        option device 'br-lan3'
        option vlan '42'
        list ports 'br-lan3.42:t'
        list ports 'lan3'

config bridge-vlan
        option device 'br-lan3'
        option vlan '52'
        list ports 'br-lan3.52:t'
        list ports 'lan3'

config bridge-vlan
        option device 'br-lan3'
        option vlan '62'
        list ports 'br-lan3.62:t'
        list ports 'lan3'

config bridge-vlan
        option device 'br-lan3'
        option vlan '72'
        list ports 'br-lan3.72:t'
        list ports 'lan3'

config bridge-vlan
        option device 'br-lan3'
        option vlan '82'
        list ports 'br-lan3.82:t'
        list ports 'lan3'

config bridge-vlan
        option device 'br-lan3'
        option vlan '92'
        list ports 'br-lan3.92:t'
        list ports 'lan3'

config bridge-vlan
        option device 'br-lan3'
        option vlan '102'
        list ports 'br-lan3.102:t'
        list ports 'lan3'

cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'
        option sequential_ip '1'
        option port '54'
        list interface 'lan1'
        list interface 'lan2'
        list interface 'lan3'
        list interface 'lan4'
        option allservers '1'
        option server '162.16.1.1'
        option server '172.16.10.1'
        option server '172.16.20.1'
        option server '172.16.30.1'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dhcp 'lan1'
        option interface 'lan1'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'
        list dhcp_option '6,172.16.10.1'
        list dhcp_option '3,172.16.10.1'

config dhcp 'lan2'
        option interface 'lan2'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'
        list dhcp_option '6,172.16.20.1'
        list dhcp_option '3,172.16.20.1'

config dhcp 'lan3'
        option interface 'lan3'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'
        list dhcp_option '6,172.16.30.1'
        list dhcp_option '3,172.16.30.1'

config dhcp 'lan4'
        option interface 'lan4'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'
        list dhcp_option '6,162.16.1.1'
        list dhcp_option '3,162.16.1.1'

config dhcp 'usbmodem'
        option interface 'usbmodem'
        option ignore '1'

cat /etc/config/firewall


config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'wan_fw'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'
        list network 'usbmodem'

config zone
        option name 'lan_fw1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan1'

config zone
        option name 'lan_fw2'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan2'

config forwarding
        option src 'lan_fw1'
        option dest 'wan_fw'

config forwarding
        option src 'lan_fw3'
        option dest 'wan_fw'

config forwarding
        option src 'lan_fw2'
        option dest 'wan_fw'

config forwarding
        option src 'lan_fw4'
        option dest 'wan_fw'

config forwarding
        option src 'wireless_fw'
        option dest 'wan_fw'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan_fw'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan_fw'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan_fw'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan_fw'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan_fw'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan_fw'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan_fw'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP-1'
        list proto 'esp'
        option src 'wan_fw'
        option dest 'lan_fw1'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP-2'
        list proto 'esp'
        option src 'wan_fw'
        option dest 'lan_fw2'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP-3'
        option src 'wan_fw'
        option dest 'lan_fw3'
        option target 'ACCEPT'
        list proto 'esp'

config rule
        option name 'Allow-IPSec-ESP-4'
        option src 'wan_fw'
        option dest 'lan_fw4'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP-W'
        list proto 'esp'
        option src 'wan_fw'
        option dest 'wireless_fw'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP-1'
        list proto 'udp'
        option src 'wan_fw'
        option dest 'lan_fw1'
        option dest_port '500'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP-2'
        option src 'wan_fw'
        option dest 'lan_fw2'
        option dest_port '500'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP-3'
        option src 'wan_fw'
        option dest 'lan_fw3'
        option dest_port '500'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP-4'
        option src 'wan_fw'
        option dest 'lan_fw4'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP-W'
        option src 'wan_fw'
        option dest 'wireless_fw'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone
        option name 'lan_fw3'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan3'

config zone
        option name 'lan_fw4'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan4'

config zone
        option name 'wireless_fw'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'wireless'

config zone
        option name 'vtun0_fw'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'vtun0'

config zone
        option name 'vtun1_fw'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'vtun1'
        option masq '1'
        option mtu_fix '1'

config zone
        option name 'vtun2_fw'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'vtun2'
        option masq '1'
        option mtu_fix '1'

config zone
        option name 'vtun3_fw'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'vtun3'
        option masq '1'
        option mtu_fix '1'

config zone
        option name 'vtun4_fw'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'vtun4'
        option masq '1'
        option mtu_fix '1'

config zone
        option name 'vtun5_fw'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'vtun5'
        option masq '1'
        option mtu_fix '1'

config zone
        option name 'vtun6_fw'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'vtun6'

config zone
        option name 'vtun7_fw'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'vtun7'

config zone
        option name 'vtun8_fw'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'vtun8'

config zone
        option name 'vtun9_fw'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'vtun9'
        option masq '1'
        option mtu_fix '1'

config zone
        option name 'vtun10_fw'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'vtun10'
        option masq '1'

config zone
        option name 'vtun11_fw'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'vtun11'
        option masq '1'
        option mtu_fix '1'

config zone
        option name 'vtun12_fw'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'vtun12'
        option masq '1'
        option mtu_fix '1'

config zone
        option name 'vtun13_fw'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'vtun13'
        option masq '1'
        option mtu_fix '1'

config zone
        option name 'vtun14_fw'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'vtun14'
        option masq '1'
        option mtu_fix '1'

config zone
        option name 'vtun15_fw'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'vtun15'
        option masq '1'
        option mtu_fix '1'

config zone
        option name 'vtun16_fw'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'vtun16'

config zone
        option name 'vtun17_fw'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'vtun17'

config zone
        option name 'vtun18_fw'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'vtun18'

config zone
        option name 'vtun19_fw'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'vtun19'
        option masq '1'
        option mtu_fix '1'

config zone
        option name 'vtun20_fw'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'vtun20'
        option masq '1'
        option mtu_fix '1'

config zone
        option name 'vtun21_fw'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'vtun21'
        option masq '1'
        option mtu_fix '1'

config zone
        option name 'vtun22_fw'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'vtun22'
        option masq '1'
        option mtu_fix '1'

config zone
        option name 'vtun23_fw'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'vtun23'
        option masq '1'
        option mtu_fix '1'

config zone
        option name 'vtun24_fw'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'vtun24'
        option masq '1'
        option mtu_fix '1'

config zone
        option name 'vtun25_fw'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'vtun25'
        option masq '1'
        option mtu_fix '1'

config zone
        option name 'vtun26_fw'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'vtun26'

config zone
        option name 'vtun27_fw'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'vtun27'

config zone
        option name 'vtun28_fw'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'vtun28'

config zone
        option name 'vtun29_fw'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'vtun29'
        option masq '1'
        option mtu_fix '1'

config zone
        option name 'vtun30_fw'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'vtun30'
        option masq '1'
        option mtu_fix '1'

config redirect
        option dest 'lan_fw1'
        option target 'DNAT'
        option name 'rdp-172.16.10.183'
        option src 'vtun1_fw'
        option src_dport '0-65535'
        option dest_ip '172.16.10.183'
        option dest_port '0-65535'
        option enabled '0'

config redirect
        option dest 'lan_fw4'
        option target 'DNAT'
        option name 'all-145.168.1.100'
        option src 'vtun5_fw'
        option src_dport '0-65535'
        option dest_ip '145.168.1.100'
        option dest_port '0-65535'
        option enabled '0'

config include 'pbr'
        option fw4_compatible '1'
        option type 'script'
        option path '/usr/share/pbr/pbr.firewall.include'

config rule
        option name 'Allow-LAN4-Access-LAN1'
        option src 'lan_fw4'
        option target 'ACCEPT'
        option dest 'lan_fw1'
        list proto 'all'

config rule
        option name 'Allow-LAN4-Access-LAN2'
        list proto 'all'
        option src 'lan_fw4'
        option dest 'lan_fw2'
        option target 'ACCEPT'

config rule
        option name 'Allow-LAN4-Access-LAN3'
        option src 'lan_fw4'
        option dest 'lan_fw3'
        option target 'ACCEPT'
        list proto 'all'

config rule
        option name 'Allow-OpenVPN-Inbound'
        option target 'ACCEPT'
        option src '*'
        option proto 'tcp'
        option dest_port '1194'

config rule
        option name 'Deny-Access-LUCI-1'
        option src 'lan_fw1'
        option target 'REJECT'
        option dest_port '80'
        option enabled '0'

config rule
        option name 'Deny-Access-LUCI-2'
        option src 'lan_fw2'
        option dest_port '80'
        option target 'REJECT'
        option enabled '0'

config rule
        option name 'Deny-Access-LUCI-3'
        option src 'lan_fw3'
        option dest_port '80'
        option target 'REJECT'
        option enabled '0'

config rule
        option name 'Deny-Access-LUCI-1'
        option src 'lan_fw1'
        option target 'REJECT'
        option dest_port '80'
        option enabled '0'

config forwarding
        option src 'lan_fw4'
        option dest 'vtun5_fw'

config forwarding
        option src 'lan_fw4'
        option dest 'vtun11_fw'

ip route show


default via 192.168.0.1 dev wan proto static src 192.168.0.126 metric 10
default via 192.168.100.1 dev usb0 proto static src 192.168.100.236 metric 20
110.110.120.0/24 dev br-wireless proto kernel scope link src 110.110.120.1
162.16.1.0/24 dev lan4 proto kernel scope link src 162.16.1.1
172.16.10.0/24 dev lan1 proto kernel scope link src 172.16.10.1 linkdown
172.16.20.0/24 dev lan2 proto kernel scope link src 172.16.20.1 linkdown
172.16.30.0/24 dev lan3 proto kernel scope link src 172.16.30.1 linkdown
192.168.0.0/24 dev wan proto static scope link metric 10
192.168.100.0/24 dev usb0 proto static scope link metric 20

ip route show table all

default via 192.168.0.1 dev wan table pbr_wan
default via 192.168.100.1 dev usb0 table pbr_wan proto static src 192.168.100.236 metric 20
110.110.120.0/24 dev br-wireless table pbr_wan proto kernel scope link src 110.110.120.1
162.16.1.0/24 dev lan4 table pbr_wan proto kernel scope link src 162.16.1.1
172.16.10.0/24 dev lan1 table pbr_wan proto kernel scope link src 172.16.10.1 linkdown
172.16.20.0/24 dev lan2 table pbr_wan proto kernel scope link src 172.16.20.1 linkdown
172.16.30.0/24 dev lan3 table pbr_wan proto kernel scope link src 172.16.30.1 linkdown
192.168.100.0/24 dev usb0 table pbr_wan proto static scope link metric 20

unreachable default table pbr_vtun0
default via 192.168.100.1 dev usb0 table pbr_vtun0 proto static src 192.168.100.236 metric 20
110.110.120.0/24 dev br-wireless table pbr_vtun0 proto kernel scope link src 110.110.120.1
162.16.1.0/24 dev lan4 table pbr_vtun0 proto kernel scope link src 162.16.1.1
172.16.10.0/24 dev lan1 table pbr_vtun0 proto kernel scope link src 172.16.10.1 linkdown
172.16.20.0/24 dev lan2 table pbr_vtun0 proto kernel scope link src 172.16.20.1 linkdown
172.16.30.0/24 dev lan3 table pbr_vtun0 proto kernel scope link src 172.16.30.1 linkdown
192.168.100.0/24 dev usb0 table pbr_vtun0 proto static scope link metric 20

default via 192.168.0.1 dev wan table 1 proto static src 192.168.0.126 metric 10
110.110.120.0/24 dev br-wireless table 1 proto kernel scope link src 110.110.120.1
162.16.1.0/24 dev lan4 table 1 proto kernel scope link src 162.16.1.1
172.16.10.0/24 dev lan1 table 1 proto kernel scope link src 172.16.10.1 linkdown
172.16.20.0/24 dev lan2 table 1 proto kernel scope link src 172.16.20.1 linkdown
172.16.30.0/24 dev lan3 table 1 proto kernel scope link src 172.16.30.1 linkdown
192.168.0.0/24 dev wan table 1 proto static scope link metric 10
192.168.100.0/24 dev usb0 table 1 proto static scope link metric 20

unreachable default table pbr_vtun1
default via 192.168.100.1 dev usb0 table pbr_vtun1 proto static src 192.168.100.236 metric 20
110.110.120.0/24 dev br-wireless table pbr_vtun1 proto kernel scope link src 110.110.120.1
162.16.1.0/24 dev lan4 table pbr_vtun1 proto kernel scope link src 162.16.1.1
172.16.10.0/24 dev lan1 table pbr_vtun1 proto kernel scope link src 172.16.10.1 linkdown
172.16.20.0/24 dev lan2 table pbr_vtun1 proto kernel scope link src 172.16.20.1 linkdown
172.16.30.0/24 dev lan3 table pbr_vtun1 proto kernel scope link src 172.16.30.1 linkdown
192.168.100.0/24 dev usb0 table pbr_vtun1 proto static scope link metric 20

unreachable default table pbr_vtun2
default via 192.168.100.1 dev usb0 table pbr_vtun2 proto static src 192.168.100.236 metric 20
110.110.120.0/24 dev br-wireless table pbr_vtun2 proto kernel scope link src 110.110.120.1
162.16.1.0/24 dev lan4 table pbr_vtun2 proto kernel scope link src 162.16.1.1
172.16.10.0/24 dev lan1 table pbr_vtun2 proto kernel scope link src 172.16.10.1 linkdown
172.16.20.0/24 dev lan2 table pbr_vtun2 proto kernel scope link src 172.16.20.1 linkdown
172.16.30.0/24 dev lan3 table pbr_vtun2 proto kernel scope link src 172.16.30.1 linkdown
192.168.100.0/24 dev usb0 table pbr_vtun2 proto static scope link metric 20

unreachable default table pbr_vtun3
default via 192.168.100.1 dev usb0 table pbr_vtun3 proto static src 192.168.100.236 metric 20
110.110.120.0/24 dev br-wireless table pbr_vtun3 proto kernel scope link src 110.110.120.1
162.16.1.0/24 dev lan4 table pbr_vtun3 proto kernel scope link src 162.16.1.1
172.16.10.0/24 dev lan1 table pbr_vtun3 proto kernel scope link src 172.16.10.1 linkdown
172.16.20.0/24 dev lan2 table pbr_vtun3 proto kernel scope link src 172.16.20.1 linkdown
172.16.30.0/24 dev lan3 table pbr_vtun3 proto kernel scope link src 172.16.30.1 linkdown
192.168.100.0/24 dev usb0 table pbr_vtun3 proto static scope link metric 20

unreachable default table pbr_vtun4
default via 192.168.100.1 dev usb0 table pbr_vtun4 proto static src 192.168.100.236 metric 20
110.110.120.0/24 dev br-wireless table pbr_vtun4 proto kernel scope link src 110.110.120.1
162.16.1.0/24 dev lan4 table pbr_vtun4 proto kernel scope link src 162.16.1.1
172.16.10.0/24 dev lan1 table pbr_vtun4 proto kernel scope link src 172.16.10.1 linkdown
172.16.20.0/24 dev lan2 table pbr_vtun4 proto kernel scope link src 172.16.20.1 linkdown
172.16.30.0/24 dev lan3 table pbr_vtun4 proto kernel scope link src 172.16.30.1 linkdown
192.168.100.0/24 dev usb0 table pbr_vtun4 proto static scope link metric 20

unreachable default table pbr_vtun5
default via 192.168.100.1 dev usb0 table pbr_vtun5 proto static src 192.168.100.236 metric 20
110.110.120.0/24 dev br-wireless table pbr_vtun5 proto kernel scope link src 110.110.120.1
162.16.1.0/24 dev lan4 table pbr_vtun5 proto kernel scope link src 162.16.1.1
172.16.10.0/24 dev lan1 table pbr_vtun5 proto kernel scope link src 172.16.10.1 linkdown
172.16.20.0/24 dev lan2 table pbr_vtun5 proto kernel scope link src 172.16.20.1 linkdown
172.16.30.0/24 dev lan3 table pbr_vtun5 proto kernel scope link src 172.16.30.1 linkdown
192.168.100.0/24 dev usb0 table pbr_vtun5 proto static scope link metric 20

unreachable default table pbr_vtun6
default via 192.168.100.1 dev usb0 table pbr_vtun6 proto static src 192.168.100.236 metric 20
110.110.120.0/24 dev br-wireless table pbr_vtun6 proto kernel scope link src 110.110.120.1
162.16.1.0/24 dev lan4 table pbr_vtun6 proto kernel scope link src 162.16.1.1
172.16.10.0/24 dev lan1 table pbr_vtun6 proto kernel scope link src 172.16.10.1 linkdown
172.16.20.0/24 dev lan2 table pbr_vtun6 proto kernel scope link src 172.16.20.1 linkdown
172.16.30.0/24 dev lan3 table pbr_vtun6 proto kernel scope link src 172.16.30.1 linkdown
192.168.100.0/24 dev usb0 table pbr_vtun6 proto static scope link metric 20

unreachable default table pbr_vtun7
default via 192.168.100.1 dev usb0 table pbr_vtun7 proto static src 192.168.100.236 metric 20
110.110.120.0/24 dev br-wireless table pbr_vtun7 proto kernel scope link src 110.110.120.1
162.16.1.0/24 dev lan4 table pbr_vtun7 proto kernel scope link src 162.16.1.1
172.16.10.0/24 dev lan1 table pbr_vtun7 proto kernel scope link src 172.16.10.1 linkdown
172.16.20.0/24 dev lan2 table pbr_vtun7 proto kernel scope link src 172.16.20.1 linkdown
172.16.30.0/24 dev lan3 table pbr_vtun7 proto kernel scope link src 172.16.30.1 linkdown
192.168.100.0/24 dev usb0 table pbr_vtun7 proto static scope link metric 20

unreachable default table pbr_vtun8
default via 192.168.100.1 dev usb0 table pbr_vtun8 proto static src 192.168.100.236 metric 20
110.110.120.0/24 dev br-wireless table pbr_vtun8 proto kernel scope link src 110.110.120.1
162.16.1.0/24 dev lan4 table pbr_vtun8 proto kernel scope link src 162.16.1.1
172.16.10.0/24 dev lan1 table pbr_vtun8 proto kernel scope link src 172.16.10.1 linkdown
172.16.20.0/24 dev lan2 table pbr_vtun8 proto kernel scope link src 172.16.20.1 linkdown
172.16.30.0/24 dev lan3 table pbr_vtun8 proto kernel scope link src 172.16.30.1 linkdown
192.168.100.0/24 dev usb0 table pbr_vtun8 proto static scope link metric 20

unreachable default table pbr_vtun9
default via 192.168.100.1 dev usb0 table pbr_vtun9 proto static src 192.168.100.236 metric 20
110.110.120.0/24 dev br-wireless table pbr_vtun9 proto kernel scope link src 110.110.120.1
162.16.1.0/24 dev lan4 table pbr_vtun9 proto kernel scope link src 162.16.1.1
172.16.10.0/24 dev lan1 table pbr_vtun9 proto kernel scope link src 172.16.10.1 linkdown
172.16.20.0/24 dev lan2 table pbr_vtun9 proto kernel scope link src 172.16.20.1 linkdown
172.16.30.0/24 dev lan3 table pbr_vtun9 proto kernel scope link src 172.16.30.1 linkdown
192.168.100.0/24 dev usb0 table pbr_vtun9 proto static scope link metric 20

unreachable default table pbr_vtun10
default via 192.168.100.1 dev usb0 table pbr_vtun10 proto static src 192.168.100.236 metric 20
110.110.120.0/24 dev br-wireless table pbr_vtun10 proto kernel scope link src 110.110.120.1
162.16.1.0/24 dev lan4 table pbr_vtun10 proto kernel scope link src 162.16.1.1
172.16.10.0/24 dev lan1 table pbr_vtun10 proto kernel scope link src 172.16.10.1 linkdown
172.16.20.0/24 dev lan2 table pbr_vtun10 proto kernel scope link src 172.16.20.1 linkdown
172.16.30.0/24 dev lan3 table pbr_vtun10 proto kernel scope link src 172.16.30.1 linkdown
192.168.100.0/24 dev usb0 table pbr_vtun10 proto static scope link metric 20

unreachable default table pbr_vtun11
default via 192.168.100.1 dev usb0 table pbr_vtun11 proto static src 192.168.100.236 metric 20
110.110.120.0/24 dev br-wireless table pbr_vtun11 proto kernel scope link src 110.110.120.1
162.16.1.0/24 dev lan4 table pbr_vtun11 proto kernel scope link src 162.16.1.1
172.16.10.0/24 dev lan1 table pbr_vtun11 proto kernel scope link src 172.16.10.1 linkdown
172.16.20.0/24 dev lan2 table pbr_vtun11 proto kernel scope link src 172.16.20.1 linkdown
172.16.30.0/24 dev lan3 table pbr_vtun11 proto kernel scope link src 172.16.30.1 linkdown
192.168.100.0/24 dev usb0 table pbr_vtun11 proto static scope link metric 20

unreachable default table pbr_vtun12
default via 192.168.100.1 dev usb0 table pbr_vtun12 proto static src 192.168.100.236 metric 20
110.110.120.0/24 dev br-wireless table pbr_vtun12 proto kernel scope link src 110.110.120.1
162.16.1.0/24 dev lan4 table pbr_vtun12 proto kernel scope link src 162.16.1.1
172.16.10.0/24 dev lan1 table pbr_vtun12 proto kernel scope link src 172.16.10.1 linkdown
172.16.20.0/24 dev lan2 table pbr_vtun12 proto kernel scope link src 172.16.20.1 linkdown
172.16.30.0/24 dev lan3 table pbr_vtun12 proto kernel scope link src 172.16.30.1 linkdown
192.168.100.0/24 dev usb0 table pbr_vtun12 proto static scope link metric 20

unreachable default table pbr_vtun13
default via 192.168.100.1 dev usb0 table pbr_vtun13 proto static src 192.168.100.236 metric 20
110.110.120.0/24 dev br-wireless table pbr_vtun13 proto kernel scope link src 110.110.120.1
162.16.1.0/24 dev lan4 table pbr_vtun13 proto kernel scope link src 162.16.1.1
172.16.10.0/24 dev lan1 table pbr_vtun13 proto kernel scope link src 172.16.10.1 linkdown
172.16.20.0/24 dev lan2 table pbr_vtun13 proto kernel scope link src 172.16.20.1 linkdown
172.16.30.0/24 dev lan3 table pbr_vtun13 proto kernel scope link src 172.16.30.1 linkdown
192.168.100.0/24 dev usb0 table pbr_vtun13 proto static scope link metric 20

unreachable default table pbr_vtun14
default via 192.168.100.1 dev usb0 table pbr_vtun14 proto static src 192.168.100.236 metric 20
110.110.120.0/24 dev br-wireless table pbr_vtun14 proto kernel scope link src 110.110.120.1
162.16.1.0/24 dev lan4 table pbr_vtun14 proto kernel scope link src 162.16.1.1
172.16.10.0/24 dev lan1 table pbr_vtun14 proto kernel scope link src 172.16.10.1 linkdown
172.16.20.0/24 dev lan2 table pbr_vtun14 proto kernel scope link src 172.16.20.1 linkdown
172.16.30.0/24 dev lan3 table pbr_vtun14 proto kernel scope link src 172.16.30.1 linkdown
192.168.100.0/24 dev usb0 table pbr_vtun14 proto static scope link metric 20

unreachable default table pbr_vtun15
default via 192.168.100.1 dev usb0 table pbr_vtun15 proto static src 192.168.100.236 metric 20
110.110.120.0/24 dev br-wireless table pbr_vtun15 proto kernel scope link src 110.110.120.1
162.16.1.0/24 dev lan4 table pbr_vtun15 proto kernel scope link src 162.16.1.1
172.16.10.0/24 dev lan1 table pbr_vtun15 proto kernel scope link src 172.16.10.1 linkdown
172.16.20.0/24 dev lan2 table pbr_vtun15 proto kernel scope link src 172.16.20.1 linkdown
172.16.30.0/24 dev lan3 table pbr_vtun15 proto kernel scope link src 172.16.30.1 linkdown
192.168.100.0/24 dev usb0 table pbr_vtun15 proto static scope link metric 20

unreachable default table pbr_vtun16
default via 192.168.100.1 dev usb0 table pbr_vtun16 proto static src 192.168.100.236 metric 20
110.110.120.0/24 dev br-wireless table pbr_vtun16 proto kernel scope link src 110.110.120.1
162.16.1.0/24 dev lan4 table pbr_vtun16 proto kernel scope link src 162.16.1.1
172.16.10.0/24 dev lan1 table pbr_vtun16 proto kernel scope link src 172.16.10.1 linkdown
172.16.20.0/24 dev lan2 table pbr_vtun16 proto kernel scope link src 172.16.20.1 linkdown
172.16.30.0/24 dev lan3 table pbr_vtun16 proto kernel scope link src 172.16.30.1 linkdown
192.168.100.0/24 dev usb0 table pbr_vtun16 proto static scope link metric 20

unreachable default table pbr_vtun17
default via 192.168.100.1 dev usb0 table pbr_vtun17 proto static src 192.168.100.236 metric 20
110.110.120.0/24 dev br-wireless table pbr_vtun17 proto kernel scope link src 110.110.120.1
162.16.1.0/24 dev lan4 table pbr_vtun17 proto kernel scope link src 162.16.1.1
172.16.10.0/24 dev lan1 table pbr_vtun17 proto kernel scope link src 172.16.10.1 linkdown
172.16.20.0/24 dev lan2 table pbr_vtun17 proto kernel scope link src 172.16.20.1 linkdown
172.16.30.0/24 dev lan3 table pbr_vtun17 proto kernel scope link src 172.16.30.1 linkdown
192.168.100.0/24 dev usb0 table pbr_vtun17 proto static scope link metric 20

unreachable default table pbr_vtun18
default via 192.168.100.1 dev usb0 table pbr_vtun18 proto static src 192.168.100.236 metric 20
110.110.120.0/24 dev br-wireless table pbr_vtun18 proto kernel scope link src 110.110.120.1
162.16.1.0/24 dev lan4 table pbr_vtun18 proto kernel scope link src 162.16.1.1
172.16.10.0/24 dev lan1 table pbr_vtun18 proto kernel scope link src 172.16.10.1 linkdown
172.16.20.0/24 dev lan2 table pbr_vtun18 proto kernel scope link src 172.16.20.1 linkdown
172.16.30.0/24 dev lan3 table pbr_vtun18 proto kernel scope link src 172.16.30.1 linkdown
192.168.100.0/24 dev usb0 table pbr_vtun18 proto static scope link metric 20

unreachable default table pbr_vtun19
default via 192.168.100.1 dev usb0 table pbr_vtun19 proto static src 192.168.100.236 metric 20
110.110.120.0/24 dev br-wireless table pbr_vtun19 proto kernel scope link src 110.110.120.1
162.16.1.0/24 dev lan4 table pbr_vtun19 proto kernel scope link src 162.16.1.1
172.16.10.0/24 dev lan1 table pbr_vtun19 proto kernel scope link src 172.16.10.1 linkdown
172.16.20.0/24 dev lan2 table pbr_vtun19 proto kernel scope link src 172.16.20.1 linkdown
172.16.30.0/24 dev lan3 table pbr_vtun19 proto kernel scope link src 172.16.30.1 linkdown
192.168.100.0/24 dev usb0 table pbr_vtun19 proto static scope link metric 20

unreachable default table pbr_vtun20
default via 192.168.100.1 dev usb0 table pbr_vtun20 proto static src 192.168.100.236 metric 20
110.110.120.0/24 dev br-wireless table pbr_vtun20 proto kernel scope link src 110.110.120.1
162.16.1.0/24 dev lan4 table pbr_vtun20 proto kernel scope link src 162.16.1.1
172.16.10.0/24 dev lan1 table pbr_vtun20 proto kernel scope link src 172.16.10.1 linkdown
172.16.20.0/24 dev lan2 table pbr_vtun20 proto kernel scope link src 172.16.20.1 linkdown
172.16.30.0/24 dev lan3 table pbr_vtun20 proto kernel scope link src 172.16.30.1 linkdown
192.168.100.0/24 dev usb0 table pbr_vtun20 proto static scope link metric 20

unreachable default table pbr_vtun21
default via 192.168.100.1 dev usb0 table pbr_vtun21 proto static src 192.168.100.236 metric 20
110.110.120.0/24 dev br-wireless table pbr_vtun21 proto kernel scope link src 110.110.120.1
162.16.1.0/24 dev lan4 table pbr_vtun21 proto kernel scope link src 162.16.1.1
172.16.10.0/24 dev lan1 table pbr_vtun21 proto kernel scope link src 172.16.10.1 linkdown
172.16.20.0/24 dev lan2 table pbr_vtun21 proto kernel scope link src 172.16.20.1 linkdown
172.16.30.0/24 dev lan3 table pbr_vtun21 proto kernel scope link src 172.16.30.1 linkdown
192.168.100.0/24 dev usb0 table pbr_vtun21 proto static scope link metric 20

unreachable default table pbr_vtun22
default via 192.168.100.1 dev usb0 table pbr_vtun22 proto static src 192.168.100.236 metric 20
110.110.120.0/24 dev br-wireless table pbr_vtun22 proto kernel scope link src 110.110.120.1
162.16.1.0/24 dev lan4 table pbr_vtun22 proto kernel scope link src 162.16.1.1
172.16.10.0/24 dev lan1 table pbr_vtun22 proto kernel scope link src 172.16.10.1 linkdown
172.16.20.0/24 dev lan2 table pbr_vtun22 proto kernel scope link src 172.16.20.1 linkdown
172.16.30.0/24 dev lan3 table pbr_vtun22 proto kernel scope link src 172.16.30.1 linkdown
192.168.100.0/24 dev usb0 table pbr_vtun22 proto static scope link metric 20

unreachable default table pbr_vtun23
default via 192.168.100.1 dev usb0 table pbr_vtun23 proto static src 192.168.100.236 metric 20
110.110.120.0/24 dev br-wireless table pbr_vtun23 proto kernel scope link src 110.110.120.1
162.16.1.0/24 dev lan4 table pbr_vtun23 proto kernel scope link src 162.16.1.1
172.16.10.0/24 dev lan1 table pbr_vtun23 proto kernel scope link src 172.16.10.1 linkdown
172.16.20.0/24 dev lan2 table pbr_vtun23 proto kernel scope link src 172.16.20.1 linkdown
172.16.30.0/24 dev lan3 table pbr_vtun23 proto kernel scope link src 172.16.30.1 linkdown
192.168.100.0/24 dev usb0 table pbr_vtun23 proto static scope link metric 20

unreachable default table pbr_vtun24
default via 192.168.100.1 dev usb0 table pbr_vtun24 proto static src 192.168.100.236 metric 20
110.110.120.0/24 dev br-wireless table pbr_vtun24 proto kernel scope link src 110.110.120.1
162.16.1.0/24 dev lan4 table pbr_vtun24 proto kernel scope link src 162.16.1.1
172.16.10.0/24 dev lan1 table pbr_vtun24 proto kernel scope link src 172.16.10.1 linkdown
172.16.20.0/24 dev lan2 table pbr_vtun24 proto kernel scope link src 172.16.20.1 linkdown
172.16.30.0/24 dev lan3 table pbr_vtun24 proto kernel scope link src 172.16.30.1 linkdown
192.168.100.0/24 dev usb0 table pbr_vtun24 proto static scope link metric 20

unreachable default table pbr_vtun25
default via 192.168.100.1 dev usb0 table pbr_vtun25 proto static src 192.168.100.236 metric 20
110.110.120.0/24 dev br-wireless table pbr_vtun25 proto kernel scope link src 110.110.120.1
162.16.1.0/24 dev lan4 table pbr_vtun25 proto kernel scope link src 162.16.1.1
172.16.10.0/24 dev lan1 table pbr_vtun25 proto kernel scope link src 172.16.10.1 linkdown
172.16.20.0/24 dev lan2 table pbr_vtun25 proto kernel scope link src 172.16.20.1 linkdown
172.16.30.0/24 dev lan3 table pbr_vtun25 proto kernel scope link src 172.16.30.1 linkdown
192.168.100.0/24 dev usb0 table pbr_vtun25 proto static scope link metric 20

unreachable default table pbr_vtun26
default via 192.168.100.1 dev usb0 table pbr_vtun26 proto static src 192.168.100.236 metric 20
110.110.120.0/24 dev br-wireless table pbr_vtun26 proto kernel scope link src 110.110.120.1
162.16.1.0/24 dev lan4 table pbr_vtun26 proto kernel scope link src 162.16.1.1
172.16.10.0/24 dev lan1 table pbr_vtun26 proto kernel scope link src 172.16.10.1 linkdown
172.16.20.0/24 dev lan2 table pbr_vtun26 proto kernel scope link src 172.16.20.1 linkdown
172.16.30.0/24 dev lan3 table pbr_vtun26 proto kernel scope link src 172.16.30.1 linkdown
192.168.100.0/24 dev usb0 table pbr_vtun26 proto static scope link metric 20

unreachable default table pbr_vtun27
default via 192.168.100.1 dev usb0 table pbr_vtun27 proto static src 192.168.100.236 metric 20
110.110.120.0/24 dev br-wireless table pbr_vtun27 proto kernel scope link src 110.110.120.1
162.16.1.0/24 dev lan4 table pbr_vtun27 proto kernel scope link src 162.16.1.1
172.16.10.0/24 dev lan1 table pbr_vtun27 proto kernel scope link src 172.16.10.1 linkdown
172.16.20.0/24 dev lan2 table pbr_vtun27 proto kernel scope link src 172.16.20.1 linkdown
172.16.30.0/24 dev lan3 table pbr_vtun27 proto kernel scope link src 172.16.30.1 linkdown
192.168.100.0/24 dev usb0 table pbr_vtun27 proto static scope link metric 20

unreachable default table pbr_vtun28
default via 192.168.100.1 dev usb0 table pbr_vtun28 proto static src 192.168.100.236 metric 20
110.110.120.0/24 dev br-wireless table pbr_vtun28 proto kernel scope link src 110.110.120.1
162.16.1.0/24 dev lan4 table pbr_vtun28 proto kernel scope link src 162.16.1.1
172.16.10.0/24 dev lan1 table pbr_vtun28 proto kernel scope link src 172.16.10.1 linkdown
172.16.20.0/24 dev lan2 table pbr_vtun28 proto kernel scope link src 172.16.20.1 linkdown
172.16.30.0/24 dev lan3 table pbr_vtun28 proto kernel scope link src 172.16.30.1 linkdown
192.168.100.0/24 dev usb0 table pbr_vtun28 proto static scope link metric 20

unreachable default table pbr_vtun29
default via 192.168.100.1 dev usb0 table pbr_vtun29 proto static src 192.168.100.236 metric 20
110.110.120.0/24 dev br-wireless table pbr_vtun29 proto kernel scope link src 110.110.120.1
162.16.1.0/24 dev lan4 table pbr_vtun29 proto kernel scope link src 162.16.1.1
172.16.10.0/24 dev lan1 table pbr_vtun29 proto kernel scope link src 172.16.10.1 linkdown
172.16.20.0/24 dev lan2 table pbr_vtun29 proto kernel scope link src 172.16.20.1 linkdown
172.16.30.0/24 dev lan3 table pbr_vtun29 proto kernel scope link src 172.16.30.1 linkdown
192.168.100.0/24 dev usb0 table pbr_vtun29 proto static scope link metric 20

unreachable default table pbr_vtun30
default via 192.168.100.1 dev usb0 table pbr_vtun30 proto static src 192.168.100.236 metric 20
110.110.120.0/24 dev br-wireless table pbr_vtun30 proto kernel scope link src 110.110.120.1
162.16.1.0/24 dev lan4 table pbr_vtun30 proto kernel scope link src 162.16.1.1
172.16.10.0/24 dev lan1 table pbr_vtun30 proto kernel scope link src 172.16.10.1 linkdown
172.16.20.0/24 dev lan2 table pbr_vtun30 proto kernel scope link src 172.16.20.1 linkdown
172.16.30.0/24 dev lan3 table pbr_vtun30 proto kernel scope link src 172.16.30.1 linkdown
192.168.100.0/24 dev usb0 table pbr_vtun30 proto static scope link metric 20

default via 192.168.100.1 dev usb0 table pbr_usbmodem
default via 192.168.100.1 dev usb0 table pbr_usbmodem proto static src 192.168.100.236 metric 20
110.110.120.0/24 dev br-wireless table pbr_usbmodem proto kernel scope link src 110.110.120.1
162.16.1.0/24 dev lan4 table pbr_usbmodem proto kernel scope link src 162.16.1.1
172.16.10.0/24 dev lan1 table pbr_usbmodem proto kernel scope link src 172.16.10.1 linkdown
172.16.20.0/24 dev lan2 table pbr_usbmodem proto kernel scope link src 172.16.20.1 linkdown
172.16.30.0/24 dev lan3 table pbr_usbmodem proto kernel scope link src 172.16.30.1 linkdown
192.168.100.0/24 dev usb0 table pbr_usbmodem proto static scope link metric 20

default via 192.168.0.1 dev wan proto static src 192.168.0.126 metric 10
default via 192.168.100.1 dev usb0 proto static src 192.168.100.236 metric 20
110.110.120.0/24 dev br-wireless proto kernel scope link src 110.110.120.1
162.16.1.0/24 dev lan4 proto kernel scope link src 162.16.1.1
172.16.10.0/24 dev lan1 proto kernel scope link src 172.16.10.1 linkdown
172.16.20.0/24 dev lan2 proto kernel scope link src 172.16.20.1 linkdown
172.16.30.0/24 dev lan3 proto kernel scope link src 172.16.30.1 linkdown
192.168.0.0/24 dev wan proto static scope link metric 10
192.168.100.0/24 dev usb0 proto static scope link metric 20

local 110.110.120.1 dev br-wireless table local proto kernel scope host src 110.110.120.1
broadcast 110.110.120.255 dev br-wireless table local proto kernel scope link src 110.110.120.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
local 162.16.1.1 dev lan4 table local proto kernel scope host src 162.16.1.1
broadcast 162.16.1.255 dev lan4 table local proto kernel scope link src 162.16.1.1
local 172.16.10.1 dev lan1 table local proto kernel scope host src 172.16.10.1
broadcast 172.16.10.255 dev lan1 table local proto kernel scope link src 172.16.10.1 linkdown
local 172.16.20.1 dev lan2 table local proto kernel scope host src 172.16.20.1
broadcast 172.16.20.255 dev lan2 table local proto kernel scope link src 172.16.20.1 linkdown
local 172.16.30.1 dev lan3 table local proto kernel scope host src 172.16.30.1
broadcast 172.16.30.255 dev lan3 table local proto kernel scope link src 172.16.30.1 linkdown
local 192.168.0.126 dev wan table local proto kernel scope host src 192.168.0.126
broadcast 192.168.0.255 dev wan table local proto kernel scope link src 192.168.0.126
local 192.168.100.236 dev usb0 table local proto kernel scope host src 192.168.100.236
broadcast 192.168.100.255 dev usb0 table local proto kernel scope link src 192.168.100.236

unreachable default dev lo table pbr_wan metric 1024 pref medium
unreachable default dev lo table pbr_vtun0 metric 1024 pref medium
unreachable default dev lo table pbr_vtun1 metric 1024 pref medium
unreachable default dev lo table pbr_vtun2 metric 1024 pref medium
unreachable default dev lo table pbr_vtun3 metric 1024 pref medium
unreachable default dev lo table pbr_vtun4 metric 1024 pref medium
unreachable default dev lo table pbr_vtun5 metric 1024 pref medium
unreachable default dev lo table pbr_vtun6 metric 1024 pref medium
unreachable default dev lo table pbr_vtun7 metric 1024 pref medium
unreachable default dev lo table pbr_vtun8 metric 1024 pref medium
unreachable default dev lo table pbr_vtun9 metric 1024 pref medium
unreachable default dev lo table pbr_vtun10 metric 1024 pref medium
unreachable default dev lo table pbr_vtun11 metric 1024 pref medium
unreachable default dev lo table pbr_vtun12 metric 1024 pref medium
unreachable default dev lo table pbr_vtun13 metric 1024 pref medium
unreachable default dev lo table pbr_vtun14 metric 1024 pref medium
unreachable default dev lo table pbr_vtun15 metric 1024 pref medium
unreachable default dev lo table pbr_vtun16 metric 1024 pref medium
unreachable default dev lo table pbr_vtun17 metric 1024 pref medium
unreachable default dev lo table pbr_vtun18 metric 1024 pref medium
unreachable default dev lo table pbr_vtun19 metric 1024 pref medium
unreachable default dev lo table pbr_vtun20 metric 1024 pref medium
unreachable default dev lo table pbr_vtun21 metric 1024 pref medium
unreachable default dev lo table pbr_vtun22 metric 1024 pref medium
unreachable default dev lo table pbr_vtun23 metric 1024 pref medium
unreachable default dev lo table pbr_vtun24 metric 1024 pref medium
unreachable default dev lo table pbr_vtun25 metric 1024 pref medium
unreachable default dev lo table pbr_vtun26 metric 1024 pref medium
unreachable default dev lo table pbr_vtun27 metric 1024 pref medium
unreachable default dev lo table pbr_vtun28 metric 1024 pref medium
unreachable default dev lo table pbr_vtun29 metric 1024 pref medium
unreachable default dev lo table pbr_vtun30 metric 1024 pref medium
unreachable default dev lo table pbr_usbmodem metric 1024 pref medium

fda4:871b:e22f:50::/64 dev br-wireless proto static metric 1024 pref medium
unreachable fda4:871b:e22f::/48 dev lo proto static metric 2147483647 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev wan proto kernel metric 256 pref medium
fe80::/64 dev usb0 proto kernel metric 256 pref medium
fe80::/64 dev phy1-ap0 proto kernel metric 256 pref medium
fe80::/64 dev phy0-ap0 proto kernel metric 256 pref medium
fe80::/64 dev br-wireless proto kernel metric 256 pref medium
local ::1 dev lo table local proto kernel metric 0 pref medium
anycast fda4:871b:e22f:50:: dev br-wireless table local proto kernel metric 0 pref medium
local fda4:871b:e22f:50::1 dev br-wireless table local proto kernel metric 0 pref medium
anycast fe80:: dev eth0 table local proto kernel metric 0 pref medium
anycast fe80:: dev wan table local proto kernel metric 0 pref medium
anycast fe80:: dev usb0 table local proto kernel metric 0 pref medium
anycast fe80:: dev phy1-ap0 table local proto kernel metric 0 pref medium
anycast fe80:: dev phy0-ap0 table local proto kernel metric 0 pref medium
anycast fe80:: dev br-wireless table local proto kernel metric 0 pref medium
local fe80::53:52ff:fe04:3232 dev usb0 table local proto kernel metric 0 pref medium
local fe80::6038:e0ff:feb7:2e28 dev wan table local proto kernel metric 0 pref medium
local fe80::6238:e0ff:feb7:2e28 dev eth0 table local proto kernel metric 0 pref medium
local fe80::6238:e0ff:feb7:2e29 dev phy1-ap0 table local proto kernel metric 0 pref medium
local fe80::6238:e0ff:feb7:2e2a dev phy0-ap0 table local proto kernel metric 0 pref medium
local fe80::6238:e0ff:feb7:2e2a dev br-wireless table local proto kernel metric 0 pref medium
multicast ff00::/8 dev eth0 table local proto kernel metric 256 pref medium
multicast ff00::/8 dev wan table local proto kernel metric 256 pref medium
multicast ff00::/8 dev usb0 table local proto kernel metric 256 pref medium
multicast ff00::/8 dev phy1-ap0 table local proto kernel metric 256 pref medium
multicast ff00::/8 dev phy0-ap0 table local proto kernel metric 256 pref medium
multicast ff00::/8 dev br-wireless table local proto kernel metric 256 pref medium

ip rule show


0:      from all lookup local
1001:   from all iif wan lookup 1
2001:   from all fwmark 0x100/0x3f00 lookup 1
2061:   from all fwmark 0x3d00/0x3f00 blackhole
2062:   from all fwmark 0x3e00/0x3f00 unreachable
3001:   from all fwmark 0x100/0x3f00 unreachable
30000:  from all fwmark 0x10000/0xff0000 lookup pbr_wan
30001:  from all fwmark 0x20000/0xff0000 lookup pbr_vtun0
30002:  from all fwmark 0x30000/0xff0000 lookup pbr_vtun1
30003:  from all fwmark 0x40000/0xff0000 lookup pbr_vtun2
30004:  from all fwmark 0x50000/0xff0000 lookup pbr_vtun3
30005:  from all fwmark 0x60000/0xff0000 lookup pbr_vtun4
30006:  from all fwmark 0x70000/0xff0000 lookup pbr_vtun5
30007:  from all fwmark 0x80000/0xff0000 lookup pbr_vtun6
30008:  from all fwmark 0x90000/0xff0000 lookup pbr_vtun7
30009:  from all fwmark 0xa0000/0xff0000 lookup pbr_vtun8
30010:  from all fwmark 0xb0000/0xff0000 lookup pbr_vtun9
30011:  from all fwmark 0xc0000/0xff0000 lookup pbr_vtun10
30012:  from all fwmark 0xd0000/0xff0000 lookup pbr_vtun11
30013:  from all fwmark 0xe0000/0xff0000 lookup pbr_vtun12
30014:  from all fwmark 0xf0000/0xff0000 lookup pbr_vtun13
30015:  from all fwmark 0x100000/0xff0000 lookup pbr_vtun14
30016:  from all fwmark 0x110000/0xff0000 lookup pbr_vtun15
30017:  from all fwmark 0x120000/0xff0000 lookup pbr_vtun16
30018:  from all fwmark 0x130000/0xff0000 lookup pbr_vtun17
30019:  from all fwmark 0x140000/0xff0000 lookup pbr_vtun18
30020:  from all fwmark 0x150000/0xff0000 lookup pbr_vtun19
30021:  from all fwmark 0x160000/0xff0000 lookup pbr_vtun20
30022:  from all fwmark 0x170000/0xff0000 lookup pbr_vtun21
30023:  from all fwmark 0x180000/0xff0000 lookup pbr_vtun22
30024:  from all fwmark 0x190000/0xff0000 lookup pbr_vtun23
30025:  from all fwmark 0x1a0000/0xff0000 lookup pbr_vtun24
30026:  from all fwmark 0x1b0000/0xff0000 lookup pbr_vtun25
30027:  from all fwmark 0x1c0000/0xff0000 lookup pbr_vtun26
30028:  from all fwmark 0x1d0000/0xff0000 lookup pbr_vtun27
30029:  from all fwmark 0x1e0000/0xff0000 lookup pbr_vtun28
30030:  from all fwmark 0x1f0000/0xff0000 lookup pbr_vtun29
30031:  from all fwmark 0x200000/0xff0000 lookup pbr_vtun30
30032:  from all fwmark 0x210000/0xff0000 lookup pbr_usbmodem
32766:  from all lookup main
32767:  from all lookup default

cat /etc/config/pbr

config pbr 'config'
        option enabled '1'
        option verbosity '2'
        option strict_enforcement '1'
        option resolver_set 'none'
        option ipv6_enabled '1'
        list ignored_interface 'vpnserver'
        list ignored_interface 'wgserver'
        option boot_timeout '30'
        option rule_create_option 'add'
        option procd_reload_delay '1'
        option webui_show_ignore_target '0'
        list webui_supported_protocol 'all'
        list webui_supported_protocol 'tcp'
        list webui_supported_protocol 'udp'
        list webui_supported_protocol 'tcp udp'
        list webui_supported_protocol 'icmp'

config include
        option path '/usr/share/pbr/pbr.user.aws'
        option enabled '0'

config include
        option path '/usr/share/pbr/pbr.user.netflix'
        option enabled '0'

config policy
        option name 'prt-162.16.1.100'
        option src_addr '162.16.1.100'
        option interface 'wan'

config policy
        option name 'fw-162.16.1.100'
        option src_addr '162.16.1.100'
        option chain 'forward'
        option interface 'wan'

config policy
        option name 'rdp-172.16.10.105'
        option src_addr '172.16.10.105'
        option interface 'vtun11'
        option src_port '0-65535'
        option dest_port '0-65535'
        option enabled '0'
        option chain 'forward'

config policy
        option name 'rdp-sys-ubuntu-172.16.10.104'
        option src_addr '172.16.10.104'
        option interface 'vtun5'
        option src_port '0-65535'
        option dest_port '0-65535'
        option chain 'forward'
        option enabled '0'

/etc/init.d/pbr status

============================================================
pbr - environment
pbr 1.1.1-7 running on OpenWrt 23.05.3. WAN (IPv4): usbmodem/usb0/192.168.100.1.
============================================================
Dnsmasq version 2.90  Copyright (c) 2000-2024 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus UBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP conntrack no-ipset nftset auth cryptohash DNSSEC no-ID loop-detect inotify dumpfile
============================================================
pbr chains - policies
        chain pbr_forward { # handle 169
                ip saddr @pbr_wan_4_src_ip_cfg056ff5 goto pbr_mark_0x010000 comment "fw-162.16.1.100" # handle 7745
                ip6 saddr @pbr_wan_6_src_ip_cfg056ff5 goto pbr_mark_0x010000 comment "fw-162.16.1.100" # handle 7746
        }
        chain pbr_input { # handle 170
        }
        chain pbr_output { # handle 171
        }
        chain pbr_prerouting { # handle 172
                ip saddr @pbr_wan_4_src_ip_cfg046ff5 goto pbr_mark_0x010000 comment "prt-162.16.1.100" # handle 7741
                ip6 saddr @pbr_wan_6_src_ip_cfg046ff5 goto pbr_mark_0x010000 comment "prt-162.16.1.100" # handle 7742
        }
        chain pbr_postrouting { # handle 173
        }
============================================================
pbr chains - marking
        chain pbr_mark_0x010000 { # handle 7640
                counter packets 4824 bytes 1468742 meta mark set meta mark & 0xff01ffff | 0x00010000 # handle 7641
                return # handle 7642
        }
        chain pbr_mark_0x020000 { # handle 7643
                counter packets 0 bytes 0 meta mark set meta mark & 0xff02ffff | 0x00020000 # handle 7644
                return # handle 7645
        }
        chain pbr_mark_0x030000 { # handle 7646
                counter packets 0 bytes 0 meta mark set meta mark & 0xff03ffff | 0x00030000 # handle 7647
                return # handle 7648
        }
        chain pbr_mark_0x040000 { # handle 7649
                counter packets 0 bytes 0 meta mark set meta mark & 0xff04ffff | 0x00040000 # handle 7650
                return # handle 7651
        }
        chain pbr_mark_0x050000 { # handle 7652
                counter packets 0 bytes 0 meta mark set meta mark & 0xff05ffff | 0x00050000 # handle 7653
                return # handle 7654
        }
        chain pbr_mark_0x060000 { # handle 7655
                counter packets 0 bytes 0 meta mark set meta mark & 0xff06ffff | 0x00060000 # handle 7656
                return # handle 7657
        }
        chain pbr_mark_0x070000 { # handle 7658
                counter packets 0 bytes 0 meta mark set meta mark & 0xff07ffff | 0x00070000 # handle 7659
                return # handle 7660
        }
        chain pbr_mark_0x080000 { # handle 7661
                counter packets 0 bytes 0 meta mark set meta mark & 0xff08ffff | 0x00080000 # handle 7662
                return # handle 7663
        }
        chain pbr_mark_0x090000 { # handle 7664
                counter packets 0 bytes 0 meta mark set meta mark & 0xff09ffff | 0x00090000 # handle 7665
                return # handle 7666
        }
        chain pbr_mark_0x0a0000 { # handle 7667
                counter packets 0 bytes 0 meta mark set meta mark & 0xff0affff | 0x000a0000 # handle 7668
                return # handle 7669
        }
        chain pbr_mark_0x0b0000 { # handle 7670
                counter packets 0 bytes 0 meta mark set meta mark & 0xff0bffff | 0x000b0000 # handle 7671
                return # handle 7672
        }
        chain pbr_mark_0x0c0000 { # handle 7673
                counter packets 0 bytes 0 meta mark set meta mark & 0xff0cffff | 0x000c0000 # handle 7674
                return # handle 7675
        }
        chain pbr_mark_0x0d0000 { # handle 7676
                counter packets 0 bytes 0 meta mark set meta mark & 0xff0dffff | 0x000d0000 # handle 7677
                return # handle 7678
        }
        chain pbr_mark_0x0e0000 { # handle 7679
                counter packets 0 bytes 0 meta mark set meta mark & 0xff0effff | 0x000e0000 # handle 7680
                return # handle 7681
        }
        chain pbr_mark_0x0f0000 { # handle 7682
                counter packets 0 bytes 0 meta mark set meta mark & 0xff0fffff | 0x000f0000 # handle 7683
                return # handle 7684
        }
        chain pbr_mark_0x100000 { # handle 7685
                counter packets 0 bytes 0 meta mark set meta mark & 0xff10ffff | 0x00100000 # handle 7686
                return # handle 7687
        }
        chain pbr_mark_0x110000 { # handle 7688
                counter packets 0 bytes 0 meta mark set meta mark & 0xff11ffff | 0x00110000 # handle 7689
                return # handle 7690
        }
        chain pbr_mark_0x120000 { # handle 7691
                counter packets 0 bytes 0 meta mark set meta mark & 0xff12ffff | 0x00120000 # handle 7692
                return # handle 7693
        }
        chain pbr_mark_0x130000 { # handle 7694
                counter packets 0 bytes 0 meta mark set meta mark & 0xff13ffff | 0x00130000 # handle 7695
                return # handle 7696
        }
        chain pbr_mark_0x140000 { # handle 7697
                counter packets 0 bytes 0 meta mark set meta mark & 0xff14ffff | 0x00140000 # handle 7698
                return # handle 7699
        }
        chain pbr_mark_0x150000 { # handle 7700
                counter packets 0 bytes 0 meta mark set meta mark & 0xff15ffff | 0x00150000 # handle 7701
                return # handle 7702
        }
        chain pbr_mark_0x160000 { # handle 7703
                counter packets 0 bytes 0 meta mark set meta mark & 0xff16ffff | 0x00160000 # handle 7704
                return # handle 7705
        }
        chain pbr_mark_0x170000 { # handle 7706
                counter packets 0 bytes 0 meta mark set meta mark & 0xff17ffff | 0x00170000 # handle 7707
                return # handle 7708
        }
        chain pbr_mark_0x180000 { # handle 7709
                counter packets 0 bytes 0 meta mark set meta mark & 0xff18ffff | 0x00180000 # handle 7710
                return # handle 7711
        }
        chain pbr_mark_0x190000 { # handle 7712
                counter packets 0 bytes 0 meta mark set meta mark & 0xff19ffff | 0x00190000 # handle 7713
                return # handle 7714
        }
        chain pbr_mark_0x1a0000 { # handle 7715
                counter packets 0 bytes 0 meta mark set meta mark & 0xff1affff | 0x001a0000 # handle 7716
                return # handle 7717
        }
        chain pbr_mark_0x1b0000 { # handle 7718
                counter packets 0 bytes 0 meta mark set meta mark & 0xff1bffff | 0x001b0000 # handle 7719
                return # handle 7720
        }
        chain pbr_mark_0x1c0000 { # handle 7721
                counter packets 0 bytes 0 meta mark set meta mark & 0xff1cffff | 0x001c0000 # handle 7722
                return # handle 7723
        }
        chain pbr_mark_0x1d0000 { # handle 7724
                counter packets 0 bytes 0 meta mark set meta mark & 0xff1dffff | 0x001d0000 # handle 7725
                return # handle 7726
        }
        chain pbr_mark_0x1e0000 { # handle 7727
                counter packets 0 bytes 0 meta mark set meta mark & 0xff1effff | 0x001e0000 # handle 7728
                return # handle 7729
        }
        chain pbr_mark_0x1f0000 { # handle 7730
                counter packets 0 bytes 0 meta mark set meta mark & 0xff1fffff | 0x001f0000 # handle 7731
                return # handle 7732
        }
        chain pbr_mark_0x200000 { # handle 7733
                counter packets 0 bytes 0 meta mark set meta mark & 0xff20ffff | 0x00200000 # handle 7734
                return # handle 7735
        }
        chain pbr_mark_0x210000 { # handle 7736
                counter packets 0 bytes 0 meta mark set meta mark & 0xff21ffff | 0x00210000 # handle 7737
                return # handle 7738
        }
============================================================
pbr nft sets
        set pbr_wan_4_src_ip_cfg046ff5 { # handle 7739
                type ipv4_addr
                flags interval
                counter
                auto-merge
                comment "prt-162.16.1.100"
                elements = { 162.16.1.100 counter packets 4529 bytes 862079 }
        }
        set pbr_wan_6_src_ip_cfg046ff5 { # handle 7740
                type ipv6_addr
                flags interval
                counter
                auto-merge
                comment "prt-162.16.1.100"
        }
        set pbr_wan_4_src_ip_cfg056ff5 { # handle 7743
                type ipv4_addr
                flags interval
                counter
                auto-merge
                comment "fw-162.16.1.100"
                elements = { 162.16.1.100 counter packets 329 bytes 608023 }
        }
        set pbr_wan_6_src_ip_cfg056ff5 { # handle 7744
                type ipv6_addr
                flags interval
                counter
                auto-merge
                comment "fw-162.16.1.100"
        }
============================================================
IPv4 table 256 route: default via 192.168.0.1 dev wan
default via 192.168.100.1 dev usb0 proto static src 192.168.100.236 metric 20
IPv4 table 256 rule(s):
30000:  from all fwmark 0x10000/0xff0000 lookup pbr_wan
IPv6 table 256 route: unreachable default dev lo metric 1024 pref medium
IPv6 table 256 rule(s):
unreachable default dev lo metric 1024 pref medium
IPv4 table 257 route: unreachable default
default via 192.168.100.1 dev usb0 proto static src 192.168.100.236 metric 20
IPv4 table 257 rule(s):
30001:  from all fwmark 0x20000/0xff0000 lookup pbr_vtun0
IPv6 table 257 route: unreachable default dev lo metric 1024 pref medium
IPv6 table 257 rule(s):
unreachable default dev lo metric 1024 pref medium
IPv4 table 258 route: unreachable default
default via 192.168.100.1 dev usb0 proto static src 192.168.100.236 metric 20
IPv4 table 258 rule(s):
30002:  from all fwmark 0x30000/0xff0000 lookup pbr_vtun1
IPv6 table 258 route: unreachable default dev lo metric 1024 pref medium
IPv6 table 258 rule(s):
unreachable default dev lo metric 1024 pref medium
IPv4 table 259 route: unreachable default
default via 192.168.100.1 dev usb0 proto static src 192.168.100.236 metric 20
IPv4 table 259 rule(s):
30003:  from all fwmark 0x40000/0xff0000 lookup pbr_vtun2
IPv6 table 259 route: unreachable default dev lo metric 1024 pref medium
IPv6 table 259 rule(s):
unreachable default dev lo metric 1024 pref medium
IPv4 table 260 route: unreachable default
default via 192.168.100.1 dev usb0 proto static src 192.168.100.236 metric 20
IPv4 table 260 rule(s):
30004:  from all fwmark 0x50000/0xff0000 lookup pbr_vtun3
IPv6 table 260 route: unreachable default dev lo metric 1024 pref medium
IPv6 table 260 rule(s):
unreachable default dev lo metric 1024 pref medium
IPv4 table 261 route: unreachable default
default via 192.168.100.1 dev usb0 proto static src 192.168.100.236 metric 20
IPv4 table 261 rule(s):
30005:  from all fwmark 0x60000/0xff0000 lookup pbr_vtun4
IPv6 table 261 route: unreachable default dev lo metric 1024 pref medium
IPv6 table 261 rule(s):
unreachable default dev lo metric 1024 pref medium
IPv4 table 262 route: unreachable default
default via 192.168.100.1 dev usb0 proto static src 192.168.100.236 metric 20
IPv4 table 262 rule(s):
30006:  from all fwmark 0x70000/0xff0000 lookup pbr_vtun5
IPv6 table 262 route: unreachable default dev lo metric 1024 pref medium
IPv6 table 262 rule(s):
unreachable default dev lo metric 1024 pref medium
IPv4 table 263 route: unreachable default
default via 192.168.100.1 dev usb0 proto static src 192.168.100.236 metric 20
IPv4 table 263 rule(s):
30007:  from all fwmark 0x80000/0xff0000 lookup pbr_vtun6
IPv6 table 263 route: unreachable default dev lo metric 1024 pref medium
IPv6 table 263 rule(s):
unreachable default dev lo metric 1024 pref medium
IPv4 table 264 route: unreachable default
default via 192.168.100.1 dev usb0 proto static src 192.168.100.236 metric 20
IPv4 table 264 rule(s):
30008:  from all fwmark 0x90000/0xff0000 lookup pbr_vtun7
IPv6 table 264 route: unreachable default dev lo metric 1024 pref medium
IPv6 table 264 rule(s):
unreachable default dev lo metric 1024 pref medium
IPv4 table 265 route: unreachable default
default via 192.168.100.1 dev usb0 proto static src 192.168.100.236 metric 20
IPv4 table 265 rule(s):
30009:  from all fwmark 0xa0000/0xff0000 lookup pbr_vtun8
IPv6 table 265 route: unreachable default dev lo metric 1024 pref medium
IPv6 table 265 rule(s):
unreachable default dev lo metric 1024 pref medium
IPv4 table 266 route: unreachable default
default via 192.168.100.1 dev usb0 proto static src 192.168.100.236 metric 20
IPv4 table 266 rule(s):
30010:  from all fwmark 0xb0000/0xff0000 lookup pbr_vtun9
IPv6 table 266 route: unreachable default dev lo metric 1024 pref medium
IPv6 table 266 rule(s):
unreachable default dev lo metric 1024 pref medium
IPv4 table 267 route: unreachable default
default via 192.168.100.1 dev usb0 proto static src 192.168.100.236 metric 20
IPv4 table 267 rule(s):
30011:  from all fwmark 0xc0000/0xff0000 lookup pbr_vtun10
IPv6 table 267 route: unreachable default dev lo metric 1024 pref medium
IPv6 table 267 rule(s):
unreachable default dev lo metric 1024 pref medium
IPv4 table 268 route: unreachable default
default via 192.168.100.1 dev usb0 proto static src 192.168.100.236 metric 20
IPv4 table 268 rule(s):
30012:  from all fwmark 0xd0000/0xff0000 lookup pbr_vtun11
IPv6 table 268 route: unreachable default dev lo metric 1024 pref medium
IPv6 table 268 rule(s):
unreachable default dev lo metric 1024 pref medium
IPv4 table 269 route: unreachable default
default via 192.168.100.1 dev usb0 proto static src 192.168.100.236 metric 20
IPv4 table 269 rule(s):
30013:  from all fwmark 0xe0000/0xff0000 lookup pbr_vtun12
IPv6 table 269 route: unreachable default dev lo metric 1024 pref medium
IPv6 table 269 rule(s):
unreachable default dev lo metric 1024 pref medium
IPv4 table 270 route: unreachable default
default via 192.168.100.1 dev usb0 proto static src 192.168.100.236 metric 20
IPv4 table 270 rule(s):
30014:  from all fwmark 0xf0000/0xff0000 lookup pbr_vtun13
IPv6 table 270 route: unreachable default dev lo metric 1024 pref medium
IPv6 table 270 rule(s):
unreachable default dev lo metric 1024 pref medium
IPv4 table 271 route: unreachable default
default via 192.168.100.1 dev usb0 proto static src 192.168.100.236 metric 20
IPv4 table 271 rule(s):
30015:  from all fwmark 0x100000/0xff0000 lookup pbr_vtun14
IPv6 table 271 route: unreachable default dev lo metric 1024 pref medium
IPv6 table 271 rule(s):
unreachable default dev lo metric 1024 pref medium
IPv4 table 272 route: unreachable default
default via 192.168.100.1 dev usb0 proto static src 192.168.100.236 metric 20
IPv4 table 272 rule(s):
30016:  from all fwmark 0x110000/0xff0000 lookup pbr_vtun15
IPv6 table 272 route: unreachable default dev lo metric 1024 pref medium
IPv6 table 272 rule(s):
unreachable default dev lo metric 1024 pref medium
IPv4 table 273 route: unreachable default
default via 192.168.100.1 dev usb0 proto static src 192.168.100.236 metric 20
IPv4 table 273 rule(s):
30017:  from all fwmark 0x120000/0xff0000 lookup pbr_vtun16
IPv6 table 273 route: unreachable default dev lo metric 1024 pref medium
IPv6 table 273 rule(s):
unreachable default dev lo metric 1024 pref medium
IPv4 table 274 route: unreachable default
default via 192.168.100.1 dev usb0 proto static src 192.168.100.236 metric 20
IPv4 table 274 rule(s):
30018:  from all fwmark 0x130000/0xff0000 lookup pbr_vtun17
IPv6 table 274 route: unreachable default dev lo metric 1024 pref medium
IPv6 table 274 rule(s):
unreachable default dev lo metric 1024 pref medium
IPv4 table 275 route: unreachable default
default via 192.168.100.1 dev usb0 proto static src 192.168.100.236 metric 20
IPv4 table 275 rule(s):
30019:  from all fwmark 0x140000/0xff0000 lookup pbr_vtun18
IPv6 table 275 route: unreachable default dev lo metric 1024 pref medium
IPv6 table 275 rule(s):
unreachable default dev lo metric 1024 pref medium
IPv4 table 276 route: unreachable default
default via 192.168.100.1 dev usb0 proto static src 192.168.100.236 metric 20
IPv4 table 276 rule(s):
30020:  from all fwmark 0x150000/0xff0000 lookup pbr_vtun19
IPv6 table 276 route: unreachable default dev lo metric 1024 pref medium
IPv6 table 276 rule(s):
unreachable default dev lo metric 1024 pref medium
IPv4 table 277 route: unreachable default
default via 192.168.100.1 dev usb0 proto static src 192.168.100.236 metric 20
IPv4 table 277 rule(s):
30021:  from all fwmark 0x160000/0xff0000 lookup pbr_vtun20
IPv6 table 277 route: unreachable default dev lo metric 1024 pref medium
IPv6 table 277 rule(s):
unreachable default dev lo metric 1024 pref medium
IPv4 table 278 route: unreachable default
default via 192.168.100.1 dev usb0 proto static src 192.168.100.236 metric 20
IPv4 table 278 rule(s):
30022:  from all fwmark 0x170000/0xff0000 lookup pbr_vtun21
IPv6 table 278 route: unreachable default dev lo metric 1024 pref medium
IPv6 table 278 rule(s):
unreachable default dev lo metric 1024 pref medium
IPv4 table 279 route: unreachable default
default via 192.168.100.1 dev usb0 proto static src 192.168.100.236 metric 20
IPv4 table 279 rule(s):
30023:  from all fwmark 0x180000/0xff0000 lookup pbr_vtun22
IPv6 table 279 route: unreachable default dev lo metric 1024 pref medium
IPv6 table 279 rule(s):
unreachable default dev lo metric 1024 pref medium
IPv4 table 280 route: unreachable default
default via 192.168.100.1 dev usb0 proto static src 192.168.100.236 metric 20
IPv4 table 280 rule(s):
30024:  from all fwmark 0x190000/0xff0000 lookup pbr_vtun23
IPv6 table 280 route: unreachable default dev lo metric 1024 pref medium
IPv6 table 280 rule(s):
unreachable default dev lo metric 1024 pref medium
IPv4 table 281 route: unreachable default
default via 192.168.100.1 dev usb0 proto static src 192.168.100.236 metric 20
IPv4 table 281 rule(s):
30025:  from all fwmark 0x1a0000/0xff0000 lookup pbr_vtun24
IPv6 table 281 route: unreachable default dev lo metric 1024 pref medium
IPv6 table 281 rule(s):
unreachable default dev lo metric 1024 pref medium
IPv4 table 282 route: unreachable default
default via 192.168.100.1 dev usb0 proto static src 192.168.100.236 metric 20
IPv4 table 282 rule(s):
30026:  from all fwmark 0x1b0000/0xff0000 lookup pbr_vtun25
IPv6 table 282 route: unreachable default dev lo metric 1024 pref medium
IPv6 table 282 rule(s):
unreachable default dev lo metric 1024 pref medium
IPv4 table 283 route: unreachable default
default via 192.168.100.1 dev usb0 proto static src 192.168.100.236 metric 20
IPv4 table 283 rule(s):
30027:  from all fwmark 0x1c0000/0xff0000 lookup pbr_vtun26
IPv6 table 283 route: unreachable default dev lo metric 1024 pref medium
IPv6 table 283 rule(s):
unreachable default dev lo metric 1024 pref medium
IPv4 table 284 route: unreachable default
default via 192.168.100.1 dev usb0 proto static src 192.168.100.236 metric 20
IPv4 table 284 rule(s):
30028:  from all fwmark 0x1d0000/0xff0000 lookup pbr_vtun27
IPv6 table 284 route: unreachable default dev lo metric 1024 pref medium
IPv6 table 284 rule(s):
unreachable default dev lo metric 1024 pref medium
IPv4 table 285 route: unreachable default
default via 192.168.100.1 dev usb0 proto static src 192.168.100.236 metric 20
IPv4 table 285 rule(s):
30029:  from all fwmark 0x1e0000/0xff0000 lookup pbr_vtun28
IPv6 table 285 route: unreachable default dev lo metric 1024 pref medium
IPv6 table 285 rule(s):
unreachable default dev lo metric 1024 pref medium
IPv4 table 286 route: unreachable default
default via 192.168.100.1 dev usb0 proto static src 192.168.100.236 metric 20
IPv4 table 286 rule(s):
30030:  from all fwmark 0x1f0000/0xff0000 lookup pbr_vtun29
IPv6 table 286 route: unreachable default dev lo metric 1024 pref medium
IPv6 table 286 rule(s):
unreachable default dev lo metric 1024 pref medium
IPv4 table 287 route: unreachable default
default via 192.168.100.1 dev usb0 proto static src 192.168.100.236 metric 20
IPv4 table 287 rule(s):
30031:  from all fwmark 0x200000/0xff0000 lookup pbr_vtun30
IPv6 table 287 route: unreachable default dev lo metric 1024 pref medium
IPv6 table 287 rule(s):
unreachable default dev lo metric 1024 pref medium
IPv4 table 288 route: default via 192.168.100.1 dev usb0
default via 192.168.100.1 dev usb0 proto static src 192.168.100.236 metric 20
IPv4 table 288 rule(s):
30032:  from all fwmark 0x210000/0xff0000 lookup pbr_usbmodem
IPv6 table 288 route: unreachable default dev lo metric 1024 pref medium
IPv6 table 288 rule(s):
unreachable default dev lo metric 1024 pref medium
for ovpn in $(ls /etc/openvpn/*.ovpn);do echo $ovpn; cat $ovpn; echo;done
logread | grep openvpn
client
verb 1
dev tun
auth-user-pass /etc/openvpn/pvpnsecret
persist-key
persist-tun
nobind
<ca>
</ca>
<cert>
</cert>
<key>
</key>
<tls-auth>
# 
# 2048 bit OpenVPN static key 
# 
</tls-auth>
key-direction 1
remote-cert-tls server
cipher AES-256-CBC
route-method exe 
route-delay 0 
route 0.0.0.0 0.0.0.0
script-security 2 
explicit-exit-notify 2 
proto udp 
remote 5.254.15.98 15021

To be honest there seems to be a lot of "unusual" settings in your setup.
You use non-private IP addresses for your subnets.
You have 30 (yes, thirty) tun interfaces defined??
There are firewall rules which I have serious doubts about.
Although I am not a VLAN expert it looks very different than what I know about DSA setup: https://openwrt.org/docs/guide-user/network/dsa/dsa-mini-tutorial

Frankly it is too much and also above my pay grade but I would consider a fresh start and first read up on the respective subjects.

About PBR, you have only one VPN tunnel/config, which is not even connected with a tun interface (you need to use dev tunX, where X is the number of the interface you want to associate with).
For PBR you need multiple tunnels to different locations and use PBR to associate a client IP address or interface with a specific tunnel.
Make sure you do not add a default route via the tunnel so delete:

But add pull-filter ignore "redirect-gateway"

If you are going to set up from scratch, consider using WireGuard instead of OpenVPN: easier to set up and much faster.

Thank you for your response, I really appreciate your help. I have 36 server PCs in my 42U cabinet. I am trying to use 1 server PC to test this process, using OpenWrt. I have installed Proxmox on it. Using the default OpenWrt settings, it is working fine, but what I want to achieve right now is the ability to assign OpenVPN to each VM, but no luck: vm1 - 192.168.16.2 connect to Tokyo, vm2 - 192.168.16.3 - connect to Hongkong, vm3 - 192.168.16.4, etc. The 30 tun* are for setup; it will be up to 100 tun* if OpenWrt allows up to that amount. I dissolved br-lan and each LAN port is standing alone, for example (lan1, lan2, lan3, lan4).
My VLANs are untagged to the LAN ports for now due to the testing.
I just want to know how to get PBR to work in my situation and I will handle the rest.
I will have up to 500 clients or more that will be using the VM services. That is why I am retrying to get this done. I know it is possible, I am just having a hard time trying to get it right. You can help me, thank you.

Here is the list of my OpenVPN files. I am unable to send the full screen. I have started tun1, 12, 26.

Here is my firewall. lan_fw4 belongs to LAN port 4; I have 3 tun on it.

Here is my PBR policy. I want to connect VM or PC 3 (162.16.1.100) to vtun1. I will have another PC 2 which will like to use vtun12 (162.16.1.100), .... and so on, all on the same LAN port, which is plugged into a 24-port unmanaged switch.

I have tried both prerouting and forwarding; I am only connecting to vtun26, which is tun26. I still believe that there is a solution for it here.

Do I really need to add this to the files: pull-filter ignore redirect-gateway? I am using the VPN for port forwarding. Thank you once again.

A VPN tunnel has an endpoint that is its destination.
You get a VPN config with an endpoint in Tokyo and another one in Hong Kong, so you make two VPN tunnels. Let's name them tun1 and tun2.
You disabled the default route.
PBR automatically creates a routing table for each tun interface.
With PBR you create a rule to assign e.g. IP address 192.168.16.2 to the routing table of tun1.
So the PBR rule has a local IP address of 192.168.16.1, an interface of tun1, and for forwarding you always use the PREROUTING chain.

And all this is described in the PBR guide.

1 Like
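Added example, not part of any post in this thread: a small shell/awk audit of the policy sections of /etc/config/pbr, run on the four policies from the config posted earlier (port options omitted) and on a constructed two-tunnel config in the shape the reply above describes. The function names, the output labels, the policy names in the second sample, and the defaults chain=prerouting and enabled=1 for absent options are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit the "config policy" sections of a pbr UCI file.

# Constructed input: the four policies from the /etc/config/pbr dump in this thread.
sample_pbr_config() {
cat <<'EOF'
config policy
        option name 'prt-162.16.1.100'
        option src_addr '162.16.1.100'
        option interface 'wan'

config policy
        option name 'fw-162.16.1.100'
        option src_addr '162.16.1.100'
        option chain 'forward'
        option interface 'wan'

config policy
        option name 'rdp-172.16.10.105'
        option src_addr '172.16.10.105'
        option interface 'vtun11'
        option enabled '0'
        option chain 'forward'

config policy
        option name 'rdp-sys-ubuntu-172.16.10.104'
        option src_addr '172.16.10.104'
        option interface 'vtun5'
        option chain 'forward'
        option enabled '0'
EOF
}

# Constructed input: one policy per client, each pointing at its own tunnel
# interface (vtun1/vtun2 and the policy names are hypothetical).
sample_fixed_config() {
cat <<'EOF'
config policy
        option name 'vm1-tokyo'
        option src_addr '192.168.16.2'
        option interface 'vtun1'

config policy
        option name 'vm2-hongkong'
        option src_addr '192.168.16.3'
        option interface 'vtun2'
EOF
}

# list_policies: pbr config on stdin -> one line per policy:
#   name|src_addr|interface|chain|enabled
list_policies() {
    awk -v q="'" '
    function emit() {
        if (in_policy) print name "|" src "|" ifc "|" chain "|" enabled
    }
    $1 == "config" {
        emit()
        in_policy = ($2 == "policy")
        name = ""; src = ""; ifc = ""
        chain = "prerouting"; enabled = "1"   # assumed defaults for absent options
        next
    }
    in_policy && $1 == "option" {
        key = $2
        val = $0
        sub(/^[ \t]*option[ \t]+[^ \t]+[ \t]+/, "", val)   # keep values with spaces
        gsub("^" q "|" q "[ \t]*$", "", val)                # strip the UCI quotes
        if (key == "name") name = val
        else if (key == "src_addr") src = val
        else if (key == "interface") ifc = val
        else if (key == "chain") chain = val
        else if (key == "enabled") enabled = val
    }
    END { emit() }
    '
}

# active_map: "src_addr interface" for each enabled prerouting policy,
# i.e. which clients are actually steered somewhere, and where.
active_map() {
    list_policies | awk -F'|' '$5 != "0" && $4 == "prerouting" && $2 != "" { print $2, $3 }'
}

# audit_policies: flag disabled policies, policies outside the prerouting
# chain, and source addresses claimed by more than one active policy.
audit_policies() {
    list_policies | awk -F'|' '
    $5 == "0" { print "DISABLED " $1 " (" $2 " -> " $3 ")"; next }
    $4 != "prerouting" { print "CHAIN " $1 " uses " $4 ", not prerouting"; next }
    $2 != "" {
        if ($2 in seen) print "DUPLICATE " $2 ": " seen[$2] ", " $1
        else seen[$2] = $1
    }
    '
}

# Stand-alone run: report on the config from the thread.
sample_pbr_config | audit_policies
```

On a router, `audit_policies < /etc/config/pbr` and `active_map < /etc/config/pbr` read the live file. For the thread's config, `active_map` lists a single client, and its interface is `wan`: both vtun policies are disabled.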

OK, should I remove vtun*_fw from the lan_fw4 firewall?


I have read through it, but I am having the same problem. I have done this before with an Omada TP-Link VPN router, but VPN port forwarding is not supported. I love OpenWrt; that is why I am here.
Let's say:
IP address 192.168.16.1 to the routing table of vtun1_fw - tun1
IP address 192.168.16.2 to the routing table of vtun2_fw - tun2
IP address 192.168.16.3 to the routing table of vtun3_fw - tun3
IP address 192.168.16.4 to the routing table of vtun4_fw - tun4
and so on.
The subnet belongs to lan4 (lan_fw4).
When using PREROUTING 192.168.16.1 tun1
When using PREROUTING 192.168.16.2 tun2
When using PREROUTING 192.168.16.3 tun3
When using PREROUTING 192.168.16.4 tun4
all seem to connect to tun4, skipping the rest.
If I remove tun4 from lan_fw4, it connects to tun3 and so on... Please can you show me from the GUI or raw code? Thank you very much, I really appreciate it.

Here is my screen.

I have tun1, tun12, tun26.
When using PREROUTING 162.16.1.100 tun1
When using PREROUTING 162.16.1.101 tun12
all seem to connect to tun26.

I've taken a look at your config, and (sorry to be so blunt) it is an absolute mess. There is no way this will ever work properly. And, IMO, it is beyond saving here -- there would be so much to do that it is far faster to just start over.

I agree with the others that it would be much more practical to run the VPN client configs on the hosts themselves, rather than on your router due to the complexity of 30-some-odd VPN tunnels each being used by exactly one host.

Beyond that, I have serious concerns about the performance you'll experience. OpenVPN is very processor intensive. I don't know how much RAM and processor utilization is typical for an idle (or nearly idle) tunnel, but the encryption will put a high load on your CPU when you're transferring lots of data. If you have multiple tunnels running simultaneously, especially with active data transfer on each one, you'll quickly peg the CPU and your bandwidth will probably be severely impacted.

If you really need to run all these tunnels on the router, you'll be best off starting over and then configuring exactly 2 tunnels, 2 hosts, and PBR and getting that to work as intended. Then you can repeat the recipe to add more tunnels and policies for the hosts.

But the bottom line is that what you have in your current config needs to be completely refactored and reconsidered.

1 Like

OK, thank you, I understand your point, but I know what I am doing. My config is complex; the tun*s, I was asked to send my configs here while I was still setting up the configurations on the router. My configuration is not a problem. What I want to understand and learn is PBR only. I have done this in 3 different router firmwares and it works. This is my first time using OpenWrt. I just love the OpenWrt open source. I want to be able to make it work successfully. If you can help me with PBR only: assigning of OpenVPN to a particular local IP address, instead of the whole LAN port. I know it is possible. Please, if you can give me a screenshot or a step guide, I will appreciate it. Thank you in advance.

Please believe me when I say that I don't mean this rudely... I'm not sure you do (at least not with OpenWrt, specifically). The VLAN configurations and bridges and such are entirely invalid. For example, your br-lan2 bridges multiple VLANs together, which defeats the purpose of VLANs. And that is notwithstanding the fact that the syntax you've got within is also completely wrong. DSA doesn't work properly when you set up multiple bridges on the same switch chip. You seem to have mixed multiple methods of defining VLANs (i.e. DSA, swconfig, 802.11q) in a way that is totally unrecognizable. To be frank, it's like you asked an AI agent for help, printed the result, put it through a shredder and then fed the scraps into UCI in some random order.

Which is why I'm telling you that your config is messed up beyond recognition.

PBR is only one part of the equation. The rest of the configuration is very wrong.

1 Like