Issues with PBR and OWRT

Hello, I am looking for two things: to get advice on the best/most effective method to route traffic, and to tackle the issue I've been having with my PBR policy.

Ultimately, I'd like some specific MAC addresses to route via my OpenVPN and all the other machines to go to the WAN directly.

I set up OpenVPN and it works perfectly. I also set up PBR, but for some odd reason, as soon as I enable the OVPN, all the traffic goes through the VPN regardless of my PBR policies.

It could very well be a configuration issue, here are my firewall rules:


root@OpenWrt:/etc/config# cat firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone
        option name 'vpnfirewall'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'netfreetun'

config forwarding
        option src 'lan'
        option dest 'vpnfirewall'

config include 'pbr'
        option fw4_compatible '1'
        option type 'script'
        option path '/usr/share/pbr/pbr.firewall.include'

config forwarding
        option src 'lan'
        option dest 'wan'

Let me know what other logs you need to help me troubleshoot.

Thanks in advance

Stop routing all network traffic through the VPN.

https://docs.openwrt.melmac.net/pbr/#OpenVPNtunnelconfiguredviaucietcconfigopenvpn

Add netfreetun to the list of supported interfaces.

https://docs.openwrt.melmac.net/pbr/#BasicOpenVPNClientConfig

If the specific MAC-based clients are not routed through the VPN, we'll need to see the contents of the pbr configuration file.
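The two changes described above, written out as an added example (this is not the thread's or the pbr project's configuration; the OpenVPN client section name `netfree`, the MAC address and the policy name are placeholders). The pull filter is one list value in UCI, so the whole `ignore "redirect-gateway"` string, inner quotes included, sits inside the single quotes; if the client is instead started from a plain .ovpn file, the equivalent line in that file is `pull-filter ignore "redirect-gateway"`. The `dev` name must match the device the `netfreetun` interface points at:

```uci
# /etc/config/openvpn (added example, section name assumed)
config openvpn 'netfree'
        option enabled '1'
        option client '1'
        option dev 'tun0'
        # Keep the server's pushed routes except the one that would
        # replace the default route; pbr then decides who uses tun0.
        list pull_filter 'ignore "redirect-gateway"'

# /etc/config/network (as posted in the thread; proto none, device tun0)
config interface 'netfreetun'
        option proto 'none'
        option device 'tun0'

# /etc/config/pbr (added example)
config pbr 'config'
        option enabled '1'
        option strict_enforcement '1'
        # Tell pbr to build a routing table and fwmark rule for netfreetun.
        list supported_interface 'netfreetun'

config policy
        option name 'PapaSony'
        option interface 'netfreetun'
        # Source MAC of the client that should use the VPN (placeholder).
        option src_addr '00:11:22:33:44:55'
```

After editing, restart OpenVPN and then pbr (`service openvpn restart; service pbr restart`), and confirm with `ip route` that the main table's default route still points at the WAN and that `ip rule` shows a fwmark rule for the `pbr_netfreetun` table.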

Thanks for your quick reply, Pavel.

I added:
pull-filter ignore "redirect-gateway"

Now, none of the traffic is flowing through to the VPN; it is all going through the WAN.

netfreetun is part of the interfaces:

config interface 'netfreetun'
        option proto 'none'
        option device 'tun0'

Here's the config file for pbr:

config pbr 'config'
        option enabled '1'
        option verbosity '2'
        option strict_enforcement '1'
        option resolver_set 'none'
        option ipv6_enabled '0'
        list ignored_interface 'vpnserver'
        list ignored_interface 'wgserver'
        option boot_timeout '30'
        option rule_create_option 'add'
        option procd_reload_delay '1'
        option webui_show_ignore_target '0'
        list webui_supported_protocol 'all'
        list webui_supported_protocol 'tcp'
        list webui_supported_protocol 'udp'
        list webui_supported_protocol 'tcp udp'
        list webui_supported_protocol 'icmp'

config include
        option path '/usr/share/pbr/pbr.user.aws'
        option enabled '0'

config include
        option path '/usr/share/pbr/pbr.user.netflix'
        option enabled '0'

config policy
        option name 'PapaSony'
        option interface 'netfreetun'

The policy is incomplete.
Add the MAC address of the device in the Local addresses / devices field.
You should see it listed in the config file.

config policy
        option name 'PapaSony'
        option interface 'netfreetun'
        option src_addr '00:11:22:33:44:55'

I added the MAC address (x'd it in the output below) and it still won't redirect the traffic to the VPN:

config policy
        option name 'PapaSony'
        option interface 'netfreetun'
        option src_addr 'XX:XX:XX:XX:XX:XX'

Run service pbr restart and check for errors.
Post the output of service pbr status, redacting the public IPs and the MAC addresses.

No errors when running the restart.

root@OpenWrt:/etc/config# service pbr status
============================================================
pbr - environment
pbr 1.1.1-7 running on OpenWrt 23.05.0. WAN (IPv4): wan/eth0/x.x.x.129.
============================================================
Dnsmasq version 2.89  Copyright (c) 2000-2022 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus UBus no-i18n no-IDN DHCP no-DHCPv6 no-Lua TFTP no-conntrack no-ipset no-nftset no-auth no-cryptohash no-DNSSEC no-ID loop-detect inotify dumpfile
============================================================
pbr chains - policies
        chain pbr_forward { # handle 518
        }
        chain pbr_input { # handle 519
        }
        chain pbr_output { # handle 520
        }
        chain pbr_prerouting { # handle 521
                ether saddr @pbr_netfreetun_4_src_mac_cfg046ff5 goto pbr_mark_0x020000 comment "PapaSony" # handle 2092
        }
        chain pbr_postrouting { # handle 522
        }
============================================================
pbr chains - marking
        chain pbr_mark_0x010000 { # handle 2085
                counter packets 0 bytes 0 meta mark set meta mark & 0xff01ffff | 0x00010000 # handle 2086
                return # handle 2087
        }
        chain pbr_mark_0x020000 { # handle 2088
                counter packets 0 bytes 0 meta mark set meta mark & 0xff02ffff | 0x00020000 # handle 2089
                return # handle 2090
        }
============================================================
pbr nft sets
        set pbr_netfreetun_4_src_mac_cfg046ff5 { # handle 2091
                type ether_addr
                flags interval
                counter
                auto-merge
                comment "PapaSony"
                elements = { xx:xx:xx:xx:xx:xx counter packets 0 bytes 0 }
        }
============================================================
IPv4 table 256 route: default via xx.xx.xx.xx dev eth0
IPv4 table 256 rule(s):
30000:  from all fwmark 0x10000/0xff0000 lookup pbr_wan
IPv4 table 257 route: default via x.x.x.178 dev tun0
IPv4 table 257 rule(s):
30001:  from all fwmark 0x20000/0xff0000 lookup pbr_netfreetun

Everything looks fine. Are you sure the traffic is not going through the VPN?

Check these counters after some time. They should not show null values.
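The counter check suggested above, as an added example (a script of my own, not code from the thread or the pbr package). It takes two snapshots of pbr's nft counters, the `pbr nft sets` and `pbr chains - marking` sections of `service pbr status` (or the output of `nft list set inet fw4 <set>` and `nft list chain inet fw4 <chain>`), and reports which counters changed between them. If the policy's set and its `pbr_mark_...` chain both stay at `packets 0`, no packet from that MAC is reaching the prerouting chain, regardless of how the routing tables and rules look. The snapshots embedded below are constructed sample input shaped like the thread's status output; on a live router capture them with `service pbr status` some time apart:

```shell
#!/bin/sh
# Added example: diff nft counters between two pbr status snapshots.
# Usage on a router (not run here):
#   service pbr status > /tmp/pbr1; sleep 60; service pbr status > /tmp/pbr2
#   pbr_counter_delta "$(cat /tmp/pbr1)" "$(cat /tmp/pbr2)"

# Constructed snapshot: counters as they appear in the thread (all zero).
SNAP_BEFORE='set pbr_netfreetun_4_src_mac_cfg046ff5 { # handle 2091
        type ether_addr
        counter
        elements = { xx:xx:xx:xx:xx:xx counter packets 0 bytes 0 }
}
chain pbr_mark_0x020000 { # handle 2088
        counter packets 0 bytes 0 meta mark set meta mark & 0xff02ffff | 0x00020000 # handle 2089
        return # handle 2090
}'

# Constructed "still stuck" snapshot: nothing has moved.
SNAP_STUCK="$SNAP_BEFORE"

# Constructed "working" snapshot: 120 packets from the client hit the set and
# were marked for the pbr_netfreetun table.
SNAP_OK='set pbr_netfreetun_4_src_mac_cfg046ff5 { # handle 2091
        type ether_addr
        counter
        elements = { xx:xx:xx:xx:xx:xx counter packets 120 bytes 9600 }
}
chain pbr_mark_0x020000 { # handle 2088
        counter packets 120 bytes 9600 meta mark set meta mark & 0xff02ffff | 0x00020000 # handle 2089
        return # handle 2090
}'

# pbr_counters SNAPSHOT: print "object_name packets" for each nft counter,
# naming it after the nearest preceding "set NAME {" or "chain NAME {" line.
pbr_counters() {
    printf '%s\n' "$1" | awk '
        $1 == "set" || $1 == "chain" { name = $2 }
        /counter packets/ {
            for (i = 1; i <= NF; i++)
                if ($i == "packets") { print name, $(i + 1); break }
        }'
}

# pbr_counter_delta BEFORE AFTER: print the change of every counter.
# Exit 0 if at least one counter increased, 1 if none did (the thread's case).
pbr_counter_delta() {
    { pbr_counters "$1"; echo '---'; pbr_counters "$2"; } | awk '
        $1 == "---" { after = 1; next }
        !after { before[$1] = $2; next }
        {
            delta = $2 - before[$1]
            printf "%s: %d -> %d (+%d)\n", $1, before[$1], $2, delta
            if (delta > 0) moved = 1
        }
        END { exit moved ? 0 : 1 }'
}

# Stand-alone demonstration against the constructed snapshots.
echo "stuck:"
pbr_counter_delta "$SNAP_BEFORE" "$SNAP_STUCK" || echo "no counter moved: the policy is not matching any traffic"
echo "ok:"
pbr_counter_delta "$SNAP_BEFORE" "$SNAP_OK" && echo "the policy is matching traffic"
```

A zero delta on the set but a non-zero delta on the mark chain would mean another policy is doing the marking; a non-zero set counter with traffic still leaving via the WAN points at the routing side instead (`ip rule` and `ip route show table pbr_netfreetun`).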

Traffic isn't going through VPN for sure.

And the packets counter isn't moving. I also tried changing from MAC address to IP address and no change. It seems like as soon as I added pull-filter ignore "redirect-gateway", the VPN no longer works.

It should move. Try using the device's IP address instead of the MAC.

This indicates that it is still working.

You didn't install mwan3 as well, did you?

Nope, no MWAN3 installed.

And it still doesn't seem to work.

Anyone else have an idea how to fix this issue?