IPV4 routing question (LuCi)

Why, when I set up the following routes:

does ip route show:

root@OpenWrt:~# ip route show
default dev WireGuard scope link via dev wan

not include my exception to -> wan?

Edit: ip route show only shows the main table, but the route to is added in table 2. You can show all routes with the command ip route show table all. (Or specify table 2.)

1 Like

Because you didn't specify the gateway.

Do not create any static routes.
Assign each interface to a separate routing table.
Add custom routing rules with a priority of 15000 or 30000.
The priority depends on which built-in rules you want to override.

1 Like

Ah, I think I see. Nice. So for each interface, create table with default route to that device, and then just create the set of rules to move the packets around on their merry way? Is that what you mean? I can see how this might simplify things as compared to rules with many different forms of routes.

Would you recommend creating tables with names or just use numbers? I could create table name to match that of interface? Maybe that would make things easier for myself?

So something like:

root@OpenWrt:~# cat /etc/iproute2/rt_tables
# reserved values
128     prelocal
255     local
254     main
253     default
0       unspec
# local
#1      inr.ruhep

1       br-lan
2       veth0
3       veth1
4       WireGuard
5       wan
1 Like

Yep, there's a script that configures PBR exactly like that:
And it supports both IPv4 and IPv6.

1 Like

Dear @vgaetera,

I have tried to route packets in this way, but I am not understanding something at a pretty fundamental level, as follows:-

With IP rule set to:

14000:  from all to iif br-lan lookup lan-wan

and the lan-wan table set to:

default dev lan-wan scope link

why doesn't ping show up on interface 'lan-wan'?

Otherwise, in my case should I run that script you linked above?

Ultimately my main goal is to create an intermediate interface between br-lan and wan/wireguard thorugh which all inbound and outbound packets ingress and egress. I am really struggling to work out how to do this :frowning:

I'm curious whether using veth is absolutely necessary on not.
What makes you think that utilizing veth is the right way?
Using veth typically involves setting up a separate namespace.
Are you sure multiple namespaces are supported by netifd?
Perhaps veth is not a suitable tool for this kind of problem.

It may well not be necessary. I tried setting up a software bridge 'lan-wan' with IP and then the following rules:

from all iif br-lan lookup lan-wan
from all iif lan-wan lookup wan

And tables for all interfaces just setting default route to that interface.

But that also failed. I mean at least just outgoing ping was not routed from br-lan to wan.

Why? The first rule should move packets from br-lan to lan-wan and then the second should move packets from lan-wan to wan, right? Or am I completely mistaken here?

If using lan-wan could you outline just a basic recipe to ensure all incoming and outgoing traffic flows through 'lan-wan'?

1 Like

It may require a separate namespace to work as you expect.
Or probably it's a design limitation of the veth interface.
Pretty sure it should work if you exclude veth from the picture.
Perhaps you should try a dummy/tap interface instead of veth.
It looks like this on my router:

# ip rule show
0:	from all lookup local
10000:	from lookup lan
10000:	from lookup wan
10000:	from lookup vpn
20000:	from all to lookup lan
20000:	from all to lookup wan
20000:	from all to lookup vpn
30000:	from all to lookup wan
30000:	from all to lookup wan
32766:	from all lookup main
32767:	from all lookup default
40000:	from all lookup vpn
90005:	from all iif lo lookup lan
90007:	from all iif lo lookup wan
90009:	from all iif lo lookup vpn

# uci show network

The main table only contains the route to the VPN endpoint.
Most traffic goes to the rule with a priority of 40000.
Only a couple of local resources need to bypass the VPN.
See also: Routing basics > How it works

Thanks for sharing and for your continued help here. Could you possibly outline what rules you would add to route VPN/wan traffic via such a 'lan-wan' intermediate interface? That's the part that I am really struggling with.

Also with your rules there how does ping from lan client get picked up? Does it get caught by the:

32766: from all lookup main


BTW this is what I have now:

root@OpenWrt:~# ip rule
0:      from all lookup local
10000:  from lookup br-lan
10000:  from lookup wan
10000:  from lookup vpn
15000:  from all iif br-lan lookup vpn
20000:  from all to lookup br-lan
20000:  from all to lookup wan
20000:  from all to lookup vpn
32766:  from all lookup main
32767:  from all lookup default
40000:  from all iif br-lan lookup wan
90007:  from all iif lo lookup wan
90095:  from all iif lo lookup br-lan
90100:  from all iif lo lookup vpn

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.