Moderator: I am posting a new topic because the PBR thread is so big that it is hard to keep track of a conversation.
I think I might have asked this question before, but I am still battling with PBR service.
The main issue is that the documentation is unclear and my configuration is the result of trial and error using luci. It looks like PBR might have been conceived only for single router deployments, thus assuming that the router where it runs has a WAN interface.
Running OpenWrt 24 on all routers.
I have a 'satellite' router (so not the main WAN router) that runs a WireGuard VPN, and I use PBR to route everything from a subnet VLAN through the VPN.
The default route for this router is through the LAN interface.
Here is the pbr configuration:
config pbr 'config'
	option enabled '1'
	option verbosity '2'
	option strict_enforcement '1'
	option resolver_set 'dnsmasq.nftset'
	option ipv6_enabled '0'
	option procd_wan_interface 'lan'
	option boot_timeout '30'
	option rule_create_option 'add'
	option procd_reload_delay '1'
	option webui_show_ignore_target '0'
	list webui_supported_protocol 'all'
	list webui_supported_protocol 'tcp'
	list webui_supported_protocol 'udp'
	list webui_supported_protocol 'tcp udp'
	list webui_supported_protocol 'icmp'
	list supported_interface 'wg_sovereign'

config policy
	option name 'marconi'
	option src_addr '192.168.20.0/24'
	option interface 'wg_sovereign'
	option dest_addr '0.0.0.0/0'
This policy works, although every time there is a reconnect on the wg interface, I have to restart pbr manually as it stops working.
This is the log when PBR is started:
Using wan interface (on_start): lan [✓]
Found wan gateway (on_start): 192.168.90.1 [✓]
Setting up routing for 'wg_sovereign/192.168.14.2' [✗]
Routing 'marconi' via wg_sovereign [✓]
Installing fw4 nft file [✓]
Setting interface trigger for wg_sovereign [✓]
pbr 1.1.8-r10 monitoring interfaces: wg_sovereign
ERROR:
ip -4 route add default via 192.168.90.1 dev br-lan proto static table 256
ERROR: Failed to set up 'wg_sovereign/192.168.14.2'!
ERROR:
ERROR: Failed to set up any gateway!
WARNING: Please set 'dhcp.lan.force=1' to speed up service start-up.
WARNING: Please set 'dhcp.service.force=1' to speed up service start-up.
Once started, the route is created and it works; however, I would like to understand the error and how to configure it properly so that on WireGuard reconnection the PBR route is restarted automatically without manual intervention.
Here is a diagram:
Satellite Router - LAN ----> 192.168.90.0/24 ---> 192.168.90.1/24 MAIN ROUTER ---> WAN to Internet (Provider A)
  |
  | VLAN 192.168.20.0/24 (default route NATted through Remote router)
  |
  WG VPN to Remote router (VIA LAN)
  |
Remote Router ----> WAN to Internet (Provider B)
Please could anyone help?
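As an added example (not part of the original post, and not code from the pbr project), here is one way to have pbr restarted automatically whenever the monitored WireGuard interface comes back up, independent of pbr's own interface trigger: an OpenWrt hotplug script for `/etc/hotplug.d/iface/`. The path `/etc/hotplug.d/iface/99-pbr-wg` and the `pbr_` function names are assumptions; the `ACTION`/`INTERFACE` variables are what netifd exports to iface hotplug scripts, and the monitored interface list is read from pbr's own `supported_interface` option shown in the config above, falling back to `wg_sovereign` when `uci` is not available.

```shell
#!/bin/sh
# Added example, not from the post or the pbr project.
# Assumed install path: /etc/hotplug.d/iface/99-pbr-wg
# netifd exports ACTION (ifup, ifdown, ...) and INTERFACE (logical name,
# e.g. wg_sovereign) to every script in /etc/hotplug.d/iface/.

# Interfaces whose ifup should trigger a pbr restart. Taken from pbr's
# supported_interface list when uci exists; otherwise fall back to the
# interface used in the post.
pbr_monitored_interfaces() {
    if command -v uci >/dev/null 2>&1; then
        uci -q get pbr.config.supported_interface
    else
        echo "wg_sovereign"
    fi
}

# Return 0 when this hotplug event should trigger a restart: only for
# ifup, and only when the interface is in the monitored list.
pbr_should_restart() {
    action="$1"
    iface="$2"
    monitored="$3"
    [ "$action" = "ifup" ] || return 1
    for m in $monitored; do
        [ "$iface" = "$m" ] && return 0
    done
    return 1
}

# Act only when invoked by hotplug (ACTION and INTERFACE set); running or
# sourcing the file by hand for inspection does nothing.
if [ -n "$ACTION" ] && [ -n "$INTERFACE" ]; then
    if pbr_should_restart "$ACTION" "$INTERFACE" "$(pbr_monitored_interfaces)"; then
        logger -t pbr-hotplug "$INTERFACE is up, restarting pbr"
        /etc/init.d/pbr restart
    fi
fi
```

Restricting the trigger to `ifup` of the interfaces pbr already lists avoids restarting the service on unrelated events such as the LAN interface bouncing; `logger` leaves a trace in the system log so a restart that happens while nobody is watching can still be correlated with the WireGuard reconnect.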