One client refuses to listen to pbr

After many hours, I need some help :frowning:

Setup:

Everything goes through WAN by default; a pbr policy routes specific clients through WireGuard, matched by hostname where possible.

https-dns-proxy with Quad9 (not Mullvad) for all clients.

Goal:

To be able to route a client through the VPN at some times (for IPTV) and through WAN at other times (for Prime).

I don’t just want the answer; I want to learn, so I would appreciate your thought process in diagnosing the issue.

What I’ve tried:

different chains, IP/MAC address and hostname in the pbr policy,

The pbr DNS policy works, but iPad.lan refuses to use the VPN.

root@OpenWrt:~# cat /etc/config/https-dns-proxy
config main 'config'
        option canary_domains_icloud '1'
        option canary_domains_mozilla '1'
        option dnsmasq_config_update '*'
        option force_dns '1'
        list force_dns_port '53'
        list force_dns_port '853'
# ports listed below are used by some
# of the dnscrypt-proxy v1 resolvers
#       list force_dns_port '553'
#       list force_dns_port '1443'
#       list force_dns_port '4343'
#       list force_dns_port '4434'
#       list force_dns_port '5443'
#       list force_dns_port '8443'
        list force_dns_src_interface 'lan'
        option procd_trigger_wan6 '0'
        option heartbeat_domain 'heartbeat.melmac.ca'
        option heartbeat_sleep_timeout '10'
        option heartbeat_wait_timeout '10'
        option user 'nobody'
        option group 'nogroup'
        option listen_addr '127.0.0.1'

#config https-dns-proxy
#       option bootstrap_dns '1.1.1.1,1.0.0.1'
#       option resolver_url 'https://cloudflare-dns.com/dns-query'
#       option listen_port '5054'

# config https-dns-proxy
#       option bootstrap_dns '8.8.8.8,8.8.4.4'
#       option resolver_url 'https://dns.google/dns-query'
#       option listen_port '5054'

config https-dns-proxy
        option bootstrap_dns '9.9.9.9,149.112.112.112'
        option resolver_url 'https://dns.quad9.net/dns-query'
        option listen_port '5053'
root@OpenWrt:~# ip route show
192.168.2.0/24 dev br-lan scope link  src 192.168.2.1
root@OpenWrt:~# ip -6 route show
fd71:e0a9:50a::/64 dev br-lan  metric 1024
unreachable fd71:e0a9:50a::/48 dev lo  metric 2147483647
fe80::/64 dev eth0  metric 256
fe80::/64 dev br-lan  metric 256
anycast fd71:e0a9:50a:: dev br-lan  metric 0
anycast fe80:: dev eth0  metric 0
anycast fe80:: dev br-lan  metric 0
multicast ff00::/8 dev eth0  metric 256
multicast ff00::/8 dev br-lan  metric 256
root@OpenWrt:~# Read from remote host 192.168.2.1: Operation timed out
root@OpenWrt:~# cat /etc/config/firewall
config defaults
        option syn_flood        1
        option input            REJECT
        option output           ACCEPT
        option forward          REJECT
# Uncomment this line to disable ipv6 rules
#       option disable_ipv6     1

config zone
        option name             lan
        list   network          'lan'
        option input            ACCEPT
        option output           ACCEPT
        option forward          ACCEPT

config zone
        option name             wan
        list   network          'wan'
        list   network          'wan6'
        option input            REJECT
        option output           ACCEPT
        option forward          REJECT
        option masq             1
        option mtu_fix          1

config forwarding
        option src              lan
        option dest             wan

# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
config rule
        option name             Allow-DHCP-Renew
        option src              wan
        option proto            udp
        option dest_port        68
        option target           ACCEPT
        option family           ipv4

# Allow IPv4 ping
config rule
        option name             Allow-Ping
        option src              wan
        option proto            icmp
        option icmp_type        echo-request
        option family           ipv4
        option target           ACCEPT

config rule
        option name             Allow-IGMP
        option src              wan
        option proto            igmp
        option family           ipv4
        option target           ACCEPT

# Allow DHCPv6 replies
# see https://github.com/openwrt/openwrt/issues/5066
config rule
        option name             Allow-DHCPv6
        option src              wan
        option proto            udp
        option dest_port        546
        option family           ipv6
        option target           ACCEPT

config rule
        option name             Allow-MLD
        option src              wan
        option proto            icmp
        option src_ip           fe80::/10
        list icmp_type          '130/0'
        list icmp_type          '131/0'
        list icmp_type          '132/0'
        list icmp_type          '143/0'
        option family           ipv6
        option target           ACCEPT

# Allow essential incoming IPv6 ICMP traffic
config rule
        option name             Allow-ICMPv6-Input
        option src              wan
        option proto    icmp
        list icmp_type          echo-request
        list icmp_type          echo-reply
        list icmp_type          destination-unreachable
        list icmp_type          packet-too-big
        list icmp_type          time-exceeded
        list icmp_type          bad-header
        list icmp_type          unknown-header-type
        list icmp_type          router-solicitation
        list icmp_type          neighbour-solicitation
        list icmp_type          router-advertisement
        list icmp_type          neighbour-advertisement
        option limit            1000/sec
        option family           ipv6
        option target           ACCEPT

# Allow essential forwarded IPv6 ICMP traffic
config rule
        option name             Allow-ICMPv6-Forward
        option src              wan
        option dest             *
        option proto            icmp
        list icmp_type          echo-request
        list icmp_type          echo-reply
        list icmp_type          destination-unreachable
        list icmp_type          packet-too-big
        list icmp_type          time-exceeded
        list icmp_type          bad-header
        list icmp_type          unknown-header-type
        option limit            1000/sec
        option family           ipv6
        option target           ACCEPT

config rule
        option name             Allow-IPSec-ESP
        option src              wan
        option dest             lan
        option proto            esp
        option target           ACCEPT

config rule
        option name             Allow-ISAKMP
        option src              wan
        option dest             lan
        option dest_port        500
        option proto            udp
        option target           ACCEPT


### EXAMPLE CONFIG SECTIONS
# do not allow a specific ip to access wan
#config rule
#       option src              lan
#       option src_ip   192.168.45.2
#       option dest             wan
#       option proto    tcp
#       option target   REJECT

# block a specific mac on wan
#config rule
#       option dest             wan
#       option src_mac  00:11:22:33:44:66
#       option target   REJECT

# block incoming ICMP traffic on a zone
#config rule
#       option src              lan
#       option proto    ICMP
#       option target   DROP

# port redirect port coming in on wan to lan
#config redirect
#       option src                      wan
#       option src_dport        80
#       option dest                     lan
#       option dest_ip          192.168.16.235
#       option dest_port        80
#       option proto            tcp

# port redirect of remapped ssh port (22001) on wan
#config redirect
#       option src              wan
#       option src_dport        22001
#       option dest             lan
#       option dest_port        22
#       option proto            tcp

### FULL CONFIG SECTIONS
#config rule
#       option src              lan
#       option src_ip   192.168.45.2
#       option src_mac  00:11:22:33:44:55
#       option src_port 80
#       option dest             wan
#       option dest_ip  194.25.2.129
#       option dest_port        120
#       option proto    tcp
#       option target   REJECT

#config redirect
#       option src              lan
#       option src_ip   192.168.45.2
#       option src_mac  00:11:22:33:44:55
#       option src_port         1024
#       option src_dport        80
#       option dest_ip  194.25.2.129
#       option dest_port        120
#       option proto    tcp
root@OpenWrt:~# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'
        option piofolder '/tmp/odhcpd-piofolder'
root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd71:e0a9:50a::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'
root@OpenWrt:~# uci show pbr
pbr.config=pbr
pbr.config.enabled='1'
pbr.config.verbosity='2'
pbr.config.strict_enforcement='0'
pbr.config.resolver_set='none'
pbr.config.resolver_instance='*'
pbr.config.ipv6_enabled='1'
pbr.config.ignored_interface='vpnserver'
pbr.config.boot_timeout='30'
pbr.config.rule_create_option='add'
pbr.config.procd_reload_delay='1'
pbr.config.webui_show_ignore_target='1'
pbr.config.nft_rule_counter='0'
pbr.config.nft_set_auto_merge='1'
pbr.config.nft_set_counter='0'
pbr.config.nft_set_flags_interval='1'
pbr.config.nft_set_flags_timeout='0'
pbr.config.nft_set_policy='performance'
pbr.config.webui_supported_protocol='all' 'tcp' 'udp' 'tcp udp' 'icmp'
pbr.@include[0]=include
pbr.@include[0].path='/usr/share/pbr/pbr.user.aws'
pbr.@include[0].enabled='0'
pbr.@include[1]=include
pbr.@include[1].path='/usr/share/pbr/pbr.user.netflix'
pbr.@include[1].enabled='0'
pbr.@policy[0]=policy
pbr.@policy[0].name='shitpad'
pbr.@policy[0].src_addr='cc:44:63:c6:2d:97'
pbr.@policy[0].interface='wg_interface'
pbr.@policy[0].chain='prerouting'
pbr.@policy[1]=policy
pbr.@policy[1].name='walle'
pbr.@policy[1].interface='wg_interface'
pbr.@policy[1].src_addr='archangel'
pbr.@dns_policy[0]=dns_policy
pbr.@dns_policy[0].name='walle'
pbr.@dns_policy[0].src_addr='archangel'
pbr.@dns_policy[0].dest_dns_port='53'
pbr.@dns_policy[0].dest_dns='9.9.9.9'
pbr.@dns_policy[1]=dns_policy
pbr.@dns_policy[1].name='shitpad'
pbr.@dns_policy[1].src_addr='cc:44:63:c6:2d:97'
pbr.@dns_policy[1].dest_dns='9.9.9.9'
pbr.@dns_policy[1].dest_dns_port='53'
pbr.@dns_policy[2]=dns_policy
pbr.@dns_policy[2].name='nvidia'
pbr.@dns_policy[2].src_addr='192.168.2.208'
pbr.@dns_policy[2].dest_dns='9.9.9.9'
pbr.@dns_policy[2].dest_dns_port='53'
pbr.@policy[2]=policy
pbr.@policy[2].name='nvidia'
pbr.@policy[2].src_addr='192.168.2.208'
pbr.@policy[2].interface='wg_interface'
pbr.@policy[3]=policy
pbr.@policy[3].name='all_clients_via_wg'
pbr.@policy[3].dest_addr='127.0.0.1:53'
pbr.@policy[3].interface='wg_interface'
pbr.@policy[3].enabled='0'
pbr.@policy[3].chain='output'
pbr.@policy[4]=policy
pbr.@policy[4].name='Macbook pro'
pbr.@policy[4].src_addr='Mac'
pbr.@policy[4].interface='wg_interface'
pbr.@policy[4].enabled='0'
pbr.@dns_policy[3]=dns_policy
pbr.@dns_policy[3].name='Macbook pro'
pbr.@dns_policy[3].src_addr='Mac'
pbr.@dns_policy[3].dest_dns='9.9.9.9'
pbr.@dns_policy[3].dest_dns_port='53'
pbr.@dns_policy[3].enabled='0'
pbr.@policy[5]=policy
pbr.@policy[5].name='OnePLus'
pbr.@policy[5].src_addr='OnePlus-Nord2-5G'
pbr.@policy[5].interface='wg_interface'
pbr.@dns_policy[4]=dns_policy
pbr.@dns_policy[4].name='OnePLus'
pbr.@dns_policy[4].src_addr='OnePlus-Nord2-5G'
pbr.@dns_policy[4].dest_dns='9.9.9.9'
pbr.@dns_policy[4].dest_dns_port='53'
root@OpenWrt:~# cat /tmp/dhcp.leases
redacted
1770490211 cc:44:63:c6:2d:97 192.168.2.239 iPad 01:cc:44:63:c6:2d:97
root@OpenWrt:~# nslookup google.com iPad
;; connection timed out; no servers could be reached

root@OpenWrt:~# nslookup google.com 192.168.2.239
;; connection timed out; no servers could be reached
I hate crapple!

root@OpenWrt:~# nslookup iPad
Server:         127.0.0.1
Address:        127.0.0.1:53

Name:   iPad.lan
Address: 192.168.2.239

Non-authoritative answer:

root@OpenWrt:~# uci show pbr.config.ipv6_enabled
pbr.config.ipv6_enabled='1'
root@OpenWrt:~# nslookup google.com 192.168.2.239
;; connection timed out; no servers could be reached
??????? why this

root@OpenWrt:~# ip route get 192.168.2.239
192.168.2.239 dev br-lan src 192.168.2.1 uid 0
    cache
root@OpenWrt:~# ip route show |grep 192.168.2.239
root@OpenWrt:~# wg show
interface: wg_interface
  public key: redacted
  private key: (hidden)
  listening port: 35592

peer: INRhM0h4T1hi9j28pcC+vRv47bp7DIsNKtagaFZFSBI=
  endpoint: redacted
  allowed ips: 0.0.0.0/0, ::/0, ::/1, 8000::/1
  latest handshake: 11 seconds ago
  transfer: 87.92 KiB received, 140.07 KiB sent
  persistent keepalive: every 25 seconds
root@OpenWrt:~#

Many thank you’s!

There is no default route via the WAN.

You show a WG connection but you do not show the interface settings

nslookup works like this:
nslookup < domain to look up > < optional: DNS server >

So please show the whole config: connect to your OpenWrt device using SSH, copy the output of the following commands and post it here using the "Preformatted text </>" button.

Remember to redact keys, passwords, MAC addresses and any public IP addresses you may have, but do not redact private RFC 1918 IP addresses, as that is not needed:

ubus call system board
cat /etc/config/network
cat /etc/config/dhcp
cat /etc/config/firewall
ip route show
ip -6 route show
ip route show table all
ip rule show
wg show
cat /etc/config/pbr
service pbr restart
service pbr status

I assume you only want to route the client with IP address 192.168.2.139 via the VPN?

For the record how I setup a WireGuard client:
WireGuard Client Setup Guide

PBR see:

You show a WG connection but you do not show the interface settings

oops, my mistake!

I assume you only want to route the client with IP address 192.168.2.139 via the VPN?

Yes exactly.

For the record how I setup a WireGuard client:

I actually followed your GitHub :slight_smile:

thank you Sir! you the real mvp

root@OpenWrt:~# ubus call system board && cat /etc/config/network && cat /etc/config/dhcp && cat /etc/con
fig/firewall && ip route show && ip -6 route show && ip route show table all && ip rule show && wg show &
& cat /etc/config/pbr && service pbr restart && service pbr status
{
        "kernel": "6.6.119",
        "hostname": "OpenWrt",
        "system": "ARMv8 Processor rev 4",
        "model": "Linksys E8450 (UBI)",
        "board_name": "linksys,e8450-ubi",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "24.10.5",
                "revision": "r29087-d9c5716d1d",
                "target": "mediatek/mt7622",
                "description": "OpenWrt 24.10.5 r29087-d9c5716d1d",
                "builddate": "1766005702"
        }
}

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd71:e0a9:50a::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'
        option peerdns '0'
        list dns '127.0.0.1'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'
        option reqaddress 'try'
        option reqprefix 'auto'
        option norelease '1'
        option peerdns '0'
        list dns '0::1'

config interface 'wg_interface'
        option proto 'wireguard'
        option private_key 'redacted'

config wireguard_wg_interface
        option public_key 'redacted'
        option endpoint_host '1red'
        option endpoint_port '51820'
        list allowed_ips '0.0.0.0/0'
        list allowed_ips '::0/0'
        list allowed_ips '::/1'
        list allowed_ips '8000::/1'
        option persistent_keepalive '25'

config route
        option interface 'wg_interface'
        option target '100.64.0.7/32'


config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option localservice '1'
        option ednspacket_max '1232'
        list server '/mask.icloud.com/'
        list server '/mask-h2.icloud.com/'
        list server '/use-application-dns.net/'
        list server '127.0.0.1#5053'
        option doh_backup_noresolv '-1'
        option noresolv '1'
        list doh_backup_server '100.64.0.23'
        list doh_server '127.0.0.1#5053'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'
        option piofolder '/tmp/odhcpd-piofolder'


config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        list network 'wg_interface'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option masq6 '1'
        list masq_src 'fc00:bbbb:bbbb:bb01::6:4edd/64'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

default via 100.64.0.1 dev wan proto static src 100.71.122.211
100.64.0.0/10 dev wan proto kernel scope link src 100.71.122.211
100.64.0.7 dev wg_interface proto static scope link
185.195.232.69 via 100.64.0.1 dev wan proto static
192.168.2.0/24 dev br-lan proto kernel scope link src 192.168.2.1
default from 2a0d:3344:136:f200::/56 via fe80::200:5eff:fe00:101 dev wan proto static metric 512 pref medium
default from 2a0d:3344:200:f83c::/64 via fe80::200:5eff:fe00:101 dev wan proto static metric 512 pref medium
2a0d:3344:136:f200::/64 dev br-lan proto static metric 1024 pref medium
unreachable 2a0d:3344:136:f200::/56 dev lo proto static metric 2147483647 pref medium
2a0d:3344:200:f83c::/64 dev wan proto static metric 256 pref medium
unreachable 2a0d:3344:200:f83c::/64 dev lo proto static metric 2147483647 pref medium
fd71:e0a9:50a::/64 dev br-lan proto static metric 1024 pref medium
unreachable fd71:e0a9:50a::/48 dev lo proto static metric 2147483647 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev br-lan proto kernel metric 256 pref medium
fe80::/64 dev wan proto kernel metric 256 pref medium
default via 100.64.0.1 dev wan table pbr_wan
192.168.2.0/24 dev br-lan table pbr_wan proto kernel scope link src 192.168.2.1
default via 100.64.0.1 dev wan proto static src 100.71.122.211
100.64.0.0/10 dev wan proto kernel scope link src 100.71.122.211
100.64.0.7 dev wg_interface proto static scope link
185.195.232.69 via 100.64.0.1 dev wan proto static
192.168.2.0/24 dev br-lan proto kernel scope link src 192.168.2.1
local 100.71.122.211 dev wan table local proto kernel scope host src 100.71.122.211
broadcast 100.127.255.255 dev wan table local proto kernel scope link src 100.71.122.211
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
local 192.168.2.1 dev br-lan table local proto kernel scope host src 192.168.2.1
broadcast 192.168.2.255 dev br-lan table local proto kernel scope link src 192.168.2.1
default from 2a0d:3344:136:f200::/56 via fe80::200:5eff:fe00:101 dev wan table pbr_wan proto static metric 512 pref medium
default from 2a0d:3344:200:f83c::/64 via fe80::200:5eff:fe00:101 dev wan table pbr_wan proto static metric 512 pref medium
2a0d:3344:200:f83c::/64 dev wan table pbr_wan proto static metric 256 pref medium
fe80::/64 dev wan table pbr_wan metric 256 pref medium
default via fe80::200:5eff:fe00:101 dev wan table pbr_wan metric 128 pref medium
default from 2a0d:3344:136:f200::/56 via fe80::200:5eff:fe00:101 dev wan proto static metric 512 pref medium
default from 2a0d:3344:200:f83c::/64 via fe80::200:5eff:fe00:101 dev wan proto static metric 512 pref medium
2a0d:3344:136:f200::/64 dev br-lan proto static metric 1024 pref medium
unreachable 2a0d:3344:136:f200::/56 dev lo proto static metric 2147483647 pref medium
2a0d:3344:200:f83c::/64 dev wan proto static metric 256 pref medium
unreachable 2a0d:3344:200:f83c::/64 dev lo proto static metric 2147483647 pref medium
fd71:e0a9:50a::/64 dev br-lan proto static metric 1024 pref medium
unreachable fd71:e0a9:50a::/48 dev lo proto static metric 2147483647 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev br-lan proto kernel metric 256 pref medium
fe80::/64 dev wan proto kernel metric 256 pref medium
local ::1 dev lo table local proto kernel metric 0 pref medium
anycast 2a0d:3344:136:f200:: dev br-lan table local proto kernel metric 0 pref medium
local 2a0d:3344:136:f200::1 dev br-lan table local proto kernel metric 0 pref medium
anycast 2a0d:3344:200:f83c:: dev wan table local proto kernel metric 0 pref medium
local 2a0d:3344:200:f83c:c641:1eff:fef8:98ae dev wan table local proto kernel metric 0 pref medium
anycast fd71:e0a9:50a:: dev br-lan table local proto kernel metric 0 pref medium
local fd71:e0a9:50a::1 dev br-lan table local proto kernel metric 0 pref medium
anycast fe80:: dev eth0 table local proto kernel metric 0 pref medium
anycast fe80:: dev br-lan table local proto kernel metric 0 pref medium
anycast fe80:: dev wan table local proto kernel metric 0 pref medium
local fe80::c641:1eff:fef8:98ae dev wan table local proto kernel metric 0 pref medium
local fe80::c641:1eff:fef8:98af dev eth0 table local proto kernel metric 0 pref medium
local fe80::c641:1eff:fef8:98af dev br-lan table local proto kernel metric 0 pref medium
multicast ff00::/8 dev eth0 table local proto kernel metric 256 pref medium
multicast ff00::/8 dev br-lan table local proto kernel metric 256 pref medium
multicast ff00::/8 dev wan table local proto kernel metric 256 pref medium
multicast ff00::/8 dev wg_interface table local proto kernel metric 256 pref medium
0:      from all lookup local
30000:  from all fwmark 0x10000/0xff0000 lookup pbr_wan
32766:  from all lookup main
32767:  from all lookup default
interface: wg_interface
  public key: red
  private key: (hidden)
  listening port: 35592

peer: INRhM0h4T1hi9j28pcC+vRv47bp7DIsNKtagaFZFSBI=
  endpoint: red:51820
  allowed ips: 0.0.0.0/0, ::/0, ::/1, 8000::/1
  latest handshake: 1 minute, 53 seconds ago
  transfer: 100.68 KiB received, 187.34 KiB sent
  persistent keepalive: every 25 seconds

config pbr 'config'
        option enabled '1'
        option verbosity '2'
        option strict_enforcement '0'
        option resolver_set 'none'
        list resolver_instance '*'
        option ipv6_enabled '1'
        list ignored_interface 'vpnserver'
        option boot_timeout '30'
        option rule_create_option 'add'
        option procd_reload_delay '1'
        option webui_show_ignore_target '1'
        option nft_rule_counter '0'
        option nft_set_auto_merge '1'
        option nft_set_counter '0'
        option nft_set_flags_interval '1'
        option nft_set_flags_timeout '0'
        option nft_set_policy 'performance'
        list webui_supported_protocol 'all'
        list webui_supported_protocol 'tcp'
        list webui_supported_protocol 'udp'
        list webui_supported_protocol 'tcp udp'
        list webui_supported_protocol 'icmp'

config include
        option path '/usr/share/pbr/pbr.user.aws'
        option enabled '0'

config include
        option path '/usr/share/pbr/pbr.user.netflix'
        option enabled '0'

config policy
        option name 'shitpad'
        option src_addr 'cc:44:63:c6:2d:97'
        option interface 'wg_interface'
        option chain 'prerouting'

config policy
        option name 'walle'
        option interface 'wg_interface'
        option src_addr 'archangel'

config dns_policy
        option name 'walle'
        option src_addr 'archangel'
        option dest_dns_port '53'
        option dest_dns '9.9.9.9'

config dns_policy
        option name 'shitpad'
        option src_addr 'cc:44:63:c6:2d:97'
        option dest_dns '9.9.9.9'
        option dest_dns_port '53'

config dns_policy
        option name 'nvidia'
        option src_addr '192.168.2.208'
        option dest_dns '9.9.9.9'
        option dest_dns_port '53'

config policy
        option name 'nvidia'
        option src_addr '192.168.2.208'
        option interface 'wg_interface'

config policy
        option name 'all_clients_via_wg'
        option dest_addr '127.0.0.1:53'
        option interface 'wg_interface'
        option enabled '0'
        option chain 'output'

config policy
        option name 'Macbook pro'
        option src_addr 'Mac'
        option interface 'wg_interface'
        option enabled '0'

config dns_policy
        option name 'Macbook pro'
        option src_addr 'Mac'
        option dest_dns '9.9.9.9'
        option dest_dns_port '53'
        option enabled '0'

config policy
        option name 'OnePLus'
        option src_addr 'OnePlus-Nord2-5G'
        option interface 'wg_interface'

config dns_policy
        option name 'OnePLus'
        option src_addr 'OnePlus-Nord2-5G'
        option dest_dns '9.9.9.9'
        option dest_dns_port '53'

Resetting chains and sets [✓]
Removing routing for 'wan/100.64.0.1/fe80::200:5eff:fe00:101' [✓]
Removing routing for 'wg_interface/0.0.0.0/::/0' [✓]
pbr 1.2.0-r6 (fw4 nft file mode) stopped [✓]
Using uplink IPv4 interface (on_start): wan [✓]
Found uplink IPv4 gateway (on_start): 100.64.0.1 [✓]
Using uplink IPv6 interface (on_start): wan6 [✓]
Found uplink IPv6 gateway (on_start): fe80::200:5eff:fe00:101 [✓]
Processing environment (on_start) [✓]
Setting up routing for 'wan/100.64.0.1/fe80::200:5eff:fe00:101' [✓]
Setting up routing for 'wg_interface/0.0.0.0/::/0' [✓]
Routing 'shitpad' via wg_interface [✓]
Routing 'walle' via wg_interface [✓]
Routing 'nvidia' via wg_interface [✓]
Routing 'OnePLus' via wg_interface [✓]
Routing 'walle' DNS to 9.9.9.9:53 [✓]
Routing 'shitpad' DNS to 9.9.9.9:53 [✓]
Routing 'nvidia' DNS to 9.9.9.9:53 [✓]
Routing 'OnePLus' DNS to 9.9.9.9:53 [✓]
Installing fw4 nft file [✓]
Setting interface trigger for wan [✓]
Setting interface trigger for wan6 [✓]
Setting interface trigger for wg_interface [✓]
pbr 1.2.0-r6 monitoring interfaces: wan wan6 wg_interface
pbr 1.2.0-r6 (fw4 nft file mode) started with gateways:
wan/100.64.0.1/fe80::200:5eff:fe00:101 [✓]
wg_interface/0.0.0.0/::/0

pbr - environment
pbr 1.2.0-r6 installed on OpenWrt 24.10.5.

Dnsmasq version 2.90  Copyright (c) 2000-2024 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus UBus no-i18n no-IDN DHCP no-DHCPv6 no-Lua TFTP no-conntrack no-ipset no-nftset no-auth no-cryptohash no-DNSSEC no-ID loop-detect inotify dumpfile

pbr fw4 nft file: /usr/share/nftables.d/ruleset-post/30-pbr.nft
add chain inet fw4 pbr_mark_0x010000
add rule inet fw4 pbr_mark_0x010000  mark set mark and 0xff00ffff xor 0x010000
add rule inet fw4 pbr_mark_0x010000 return
add chain inet fw4 pbr_mark_0x020000
add rule inet fw4 pbr_mark_0x020000  mark set mark and 0xff00ffff xor 0x020000
add rule inet fw4 pbr_mark_0x020000 return
add rule inet fw4 pbr_prerouting ether saddr { cc:44:63:c6:2d:97 }  goto pbr_mark_0x020000 comment "shitpad"
add rule inet fw4 pbr_prerouting ip saddr { 192.168.2.235 }  goto pbr_mark_0x020000 comment "walle"
add rule inet fw4 pbr_prerouting ip saddr { 192.168.2.208 }  goto pbr_mark_0x020000 comment "nvidia"
add rule inet fw4 pbr_prerouting ip saddr { 192.168.2.126 }  goto pbr_mark_0x020000 comment "OnePLus"
add rule inet fw4 pbr_dstnat ip saddr { 192.168.2.235 }  meta nfproto ipv4 tcp dport 53 dnat ip to 9.9.9.9:53 comment "walle"
add rule inet fw4 pbr_dstnat ip saddr { 192.168.2.235 }  meta nfproto ipv4 udp dport 53 dnat ip to 9.9.9.9:53 comment "walle"
add rule inet fw4 pbr_dstnat ether saddr { cc:44:63:c6:2d:97 }  meta nfproto ipv4 tcp dport 53 dnat ip to 9.9.9.9:53 comment "shitpad"
add rule inet fw4 pbr_dstnat ether saddr { cc:44:63:c6:2d:97 }  meta nfproto ipv4 udp dport 53 dnat ip to 9.9.9.9:53 comment "shitpad"
add rule inet fw4 pbr_dstnat ip saddr { 192.168.2.208 }  meta nfproto ipv4 tcp dport 53 dnat ip to 9.9.9.9:53 comment "nvidia"
add rule inet fw4 pbr_dstnat ip saddr { 192.168.2.208 }  meta nfproto ipv4 udp dport 53 dnat ip to 9.9.9.9:53 comment "nvidia"
add rule inet fw4 pbr_dstnat ip saddr { 192.168.2.126 }  meta nfproto ipv4 tcp dport 53 dnat ip to 9.9.9.9:53 comment "OnePLus"
add rule inet fw4 pbr_dstnat ip saddr { 192.168.2.126 }  meta nfproto ipv4 udp dport 53 dnat ip to 9.9.9.9:53 comment "OnePLus"

pbr chains - policies
        chain pbr_forward { # handle 30
        }
        chain pbr_input { # handle 31
        }
        chain pbr_output { # handle 32
        }
        chain pbr_postrouting { # handle 34
        }
        chain pbr_prerouting { # handle 33
        }
        chain pbr_dstnat { # handle 29
        }

pbr chains - marking

pbr nft sets

pbr tables & routing
IPv4 table 256 pbr_wan route:
default via 100.64.0.1 dev wan
IPv4 table 256 pbr_wan rule(s):
30000:  from all fwmark 0x10000/0xff0000 lookup pbr_wan

IPv6 table 256 pbr_wan route:
default from 2a0d:3344:136:f200::/56 via fe80::200:5eff:fe00:101 dev wan proto static metric 512 pref medium
default from 2a0d:3344:200:f83c::/64 via fe80::200:5eff:fe00:101 dev wan proto static metric 512 pref medium
default via fe80::200:5eff:fe00:101 dev wan metric 128 pref medium
IPv6 table 256 pbr_wan rule(s):
30000:  from all fwmark 0x10000/0xff0000 lookup pbr_wan

IPv4 table 257 pbr_wg_interface route:
Error: ipv4: FIB table does not exist.
Dump terminated
IPv4 table 257 pbr_wg_interface rule(s):

IPv6 table 257 pbr_wg_interface route:
Error: ipv6: FIB table does not exist.
Dump terminated
IPv6 table 257 pbr_wg_interface rule(s):
```

Hmm I see the problem:

Not sure what is causing this, but start with removing this:

The WireGuard interface is lacking an address.
This is necessary for both IPv4 and IPv6.

It looks like you are using Mullvad :slight_smile:
Remove the masquerading of this address (it looks like a Mullvad address).

If you have set the IPv4 address and the IPv6 address on the WireGuard interface, and have done all of the above, then reboot and test again.

ok changes have been made.
The iPad (stubborn device) appears to be leaking IPv6 but is going through WireGuard for IPv4. DNS is hitting the pbr DNS policy correctly (Quad9), according to mullvad.net/check.

add rule inet fw4 pbr_mark_0x010000 return
add chain inet fw4 pbr_mark_0x020000
add rule inet fw4 pbr_mark_0x020000  mark set mark and 0xff00ffff xor 0x020000
add rule inet fw4 pbr_mark_0x020000 return
add rule inet fw4 pbr_prerouting ether saddr { cc:44:63:c6:2d:97 }  goto pbr_mark_0x020000 comment "shitpad"
add rule inet fw4 pbr_prerouting ip saddr { 192.168.2.235 }  goto pbr_mark_0x020000 comment "walle"
add rule inet fw4 pbr_prerouting ip saddr { 192.168.2.208 }  goto pbr_mark_0x020000 comment "nvidia"
add rule inet fw4 pbr_dstnat ip saddr { 192.168.2.235 }  meta nfproto ipv4 tcp dport 53 dnat ip to 9.9.9.9:53 comment "walle"
add rule inet fw4 pbr_dstnat ip saddr { 192.168.2.235 }  meta nfproto ipv4 udp dport 53 dnat ip to 9.9.9.9:53 comment "walle"
add rule inet fw4 pbr_dstnat ether saddr { cc:44:63:c6:2d:97 }  meta nfproto ipv4 tcp dport 53 dnat ip to 9.9.9.9:53 comment "shitpad"
add rule inet fw4 pbr_dstnat ether saddr { cc:44:63:c6:2d:97 }  meta nfproto ipv4 udp dport 53 dnat ip to 9.9.9.9:53 comment "shitpad"
add rule inet fw4 pbr_dstnat ip saddr { 192.168.2.208 }  meta nfproto ipv4 tcp dport 53 dnat ip to 9.9.9.9:53 comment "nvidia"
add rule inet fw4 pbr_dstnat ip saddr { 192.168.2.208 }  meta nfproto ipv4 udp dport 53 dnat ip to 9.9.9.9:53 comment "nvidia"

pbr chains - policies
       chain pbr_forward { # handle 30
       }
       chain pbr_input { # handle 31
       }
       chain pbr_output { # handle 32
       }
       chain pbr_postrouting { # handle 34
       }
       chain pbr_prerouting { # handle 33
               ether saddr cc:44:63:c6:2d:97 goto pbr_mark_0x020000 comment "shitpad" # handle 2228
               ip saddr 192.168.2.235 goto pbr_mark_0x020000 comment "walle" # handle 2229
               ip saddr 192.168.2.208 goto pbr_mark_0x020000 comment "nvidia" # handle 2230
       }
       chain pbr_dstnat { # handle 29
               ip saddr 192.168.2.235 meta nfproto ipv4 tcp dport 53 dnat ip to 9.9.9.9:53 comment "walle" # handle 2231
               ip saddr 192.168.2.235 meta nfproto ipv4 udp dport 53 dnat ip to 9.9.9.9:53 comment "walle" # handle 2232
               ether saddr cc:44:63:c6:2d:97 meta nfproto ipv4 tcp dport 53 dnat ip to 9.9.9.9:53 comment "shitpad" # handle 2233
               ether saddr cc:44:63:c6:2d:97 meta nfproto ipv4 udp dport 53 dnat ip to 9.9.9.9:53 comment "shitpad" # handle 2234
               ip saddr 192.168.2.208 meta nfproto ipv4 tcp dport 53 dnat ip to 9.9.9.9:53 comment "nvidia" # handle 2235
               ip saddr 192.168.2.208 meta nfproto ipv4 udp dport 53 dnat ip to 9.9.9.9:53 comment "nvidia" # handle 2236
       }

pbr chains - marking
       chain pbr_mark_0x010000 { # handle 2222
               meta mark set meta mark & 0xff01ffff | 0x00010000 # handle 2223
               return # handle 2224
       }
       chain pbr_mark_0x020000 { # handle 2225
               meta mark set meta mark & 0xff02ffff | 0x00020000 # handle 2226
               return # handle 2227
       }

pbr nft sets

pbr tables & routing
IPv4 table 256 pbr_wan route:
default via 100.64.0.1 dev wan
IPv4 table 256 pbr_wan rule(s):
30000:  from all fwmark 0x10000/0xff0000 lookup pbr_wan

IPv6 table 256 pbr_wan route:
default from 2a0d:3344:136:f200::/56 via fe80::200:5eff:fe00:101 dev wan proto static metric 512 pref medium
default from 2a0d:3344:200:f83c::/64 via fe80::200:5eff:fe00:101 dev wan proto static metric 512 pref medium
default via fe80::200:5eff:fe00:101 dev wan metric 128 pref medium
IPv6 table 256 pbr_wan rule(s):
30000:  from all fwmark 0x10000/0xff0000 lookup pbr_wan

IPv4 table 257 pbr_wg_interface route:
default via 10.73.100.63 dev wg_interface
IPv4 table 257 pbr_wg_interface rule(s):
29998:  from all fwmark 0x20000/0xff0000 lookup pbr_wg_interface

IPv6 table 257 pbr_wg_interface route:
default dev wg_interface metric 128 pref medium
IPv6 table 257 pbr_wg_interface rule(s):
29998:  from all fwmark 0x20000/0xff0000 lookup pbr_wg_interface
root@OpenWrt:~# ip rule show
0:      from all lookup local
29998:  from all fwmark 0x20000/0xff0000 lookup pbr_wg_interface
30000:  from all fwmark 0x10000/0xff0000 lookup pbr_wan
32766:  from all lookup main
32767:  from all lookup default
root@OpenWrt:~# ip route show table all
default via 100.64.0.1 dev wan table pbr_wan
192.168.2.0/24 dev br-lan table pbr_wan proto kernel scope link src 192.168.2.1
default via 10.73.100.63 dev wg_interface table pbr_wg_interface
192.168.2.0/24 dev br-lan table pbr_wg_interface proto kernel scope link src 192.168.2.1
default via 100.64.0.1 dev wan proto static src 100.71.122.211
100.64.0.0/10 dev wan proto kernel scope link src 100.71.122.211
185.195.232.69 via 100.64.0.1 dev wan proto static
192.168.2.0/24 dev br-lan proto kernel scope link src 192.168.2.1
local 10.73.100.63 dev wg_interface table local proto kernel scope host src 10.73.100.63
local 100.71.122.211 dev wan table local proto kernel scope host src 100.71.122.211
broadcast 100.127.255.255 dev wan table local proto kernel scope link src 100.71.122.211
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
local 192.168.2.1 dev br-lan table local proto kernel scope host src 192.168.2.1
broadcast 192.168.2.255 dev br-lan table local proto kernel scope link src 192.168.2.1
default from 2a0d:3344:136:f200::/56 via fe80::200:5eff:fe00:101 dev wan table pbr_wan proto static metric 512 pref medium
default from 2a0d:3344:200:f83c::/64 via fe80::200:5eff:fe00:101 dev wan table pbr_wan proto static metric 512 pref medium
2a0d:3344:200:f83c::/64 dev wan table pbr_wan proto static metric 256 pref medium
fe80::/64 dev wan table pbr_wan metric 256 pref medium
default via fe80::200:5eff:fe00:101 dev wan table pbr_wan metric 128 pref medium
fc00:bbbb:bbbb:bb01::a:643e dev wg_interface table pbr_wg_interface metric 256 pref medium
default dev wg_interface table pbr_wg_interface metric 128 pref medium
default from 2a0d:3344:136:f200::/56 via fe80::200:5eff:fe00:101 dev wan proto static metric 512 pref medium
default from 2a0d:3344:200:f83c::/64 via fe80::200:5eff:fe00:101 dev wan proto static metric 512 pref medium
2a0d:3344:136:f200::/64 dev br-lan proto static metric 1024 pref medium
unreachable 2a0d:3344:136:f200::/56 dev lo proto static metric 2147483647 pref medium
2a0d:3344:200:f83c::/64 dev wan proto static metric 256 pref medium
unreachable 2a0d:3344:200:f83c::/64 dev lo proto static metric 2147483647 pref medium
fc00:bbbb:bbbb:bb01::a:643e dev wg_interface proto kernel metric 256 pref medium
fd71:e0a9:50a::/64 dev br-lan proto static metric 1024 pref medium
unreachable fd71:e0a9:50a::/48 dev lo proto static metric 2147483647 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev br-lan proto kernel metric 256 pref medium
fe80::/64 dev wan proto kernel metric 256 pref medium
local ::1 dev lo table local proto kernel metric 0 pref medium
anycast 2a0d:3344:136:f200:: dev br-lan table local proto kernel metric 0 pref medium
local 2a0d:3344:136:f200::1 dev br-lan table local proto kernel metric 0 pref medium
anycast 2a0d:3344:200:f83c:: dev wan table local proto kernel metric 0 pref medium
local 2a0d:3344:200:f83c:c641:1eff:fef8:98ae dev wan table local proto kernel metric 0 pref medium
local fc00:bbbb:bbbb:bb01::a:643e dev wg_interface table local proto kernel metric 0 pref medium
anycast fd71:e0a9:50a:: dev br-lan table local proto kernel metric 0 pref medium
local fd71:e0a9:50a::1 dev br-lan table local proto kernel metric 0 pref medium
anycast fe80:: dev eth0 table local proto kernel metric 0 pref medium
anycast fe80:: dev br-lan table local proto kernel metric 0 pref medium
anycast fe80:: dev wan table local proto kernel metric 0 pref medium
local fe80::c641:1eff:fef8:98ae dev wan table local proto kernel metric 0 pref medium
local fe80::c641:1eff:fef8:98af dev eth0 table local proto kernel metric 0 pref medium
local fe80::c641:1eff:fef8:98af dev br-lan table local proto kernel metric 0 pref medium
multicast ff00::/8 dev eth0 table local proto kernel metric 256 pref medium
multicast ff00::/8 dev br-lan table local proto kernel metric 256 pref medium
multicast ff00::/8 dev wan table local proto kernel metric 256 pref medium
multicast ff00::/8 dev wg_interface table local proto kernel metric 256 pref medium
root@OpenWrt:~#
```

root@OpenWrt:~# ip rule show
0: from all lookup local
29998: from all fwmark 0x20000/0xff0000 lookup pbr_wg_interface
30000: from all fwmark 0x10000/0xff0000 lookup pbr_wan
32766: from all lookup main
32767: from all lookup default




```
root@OpenWrt:~# ip -6 route show
default from 2a0d:3344:136:f200::/56 via fe80::200:5eff:fe00:101 dev wan proto static metric 512 pref medium
default from 2a0d:3344:200:f83c::/64 via fe80::200:5eff:fe00:101 dev wan proto static metric 512 pref medium
2a0d:3344:136:f200::/64 dev br-lan proto static metric 1024 pref medium
unreachable 2a0d:3344:136:f200::/56 dev lo proto static metric 2147483647 pref medium
2a0d:3344:200:f83c::/64 dev wan proto static metric 256 pref medium
unreachable 2a0d:3344:200:f83c::/64 dev lo proto static metric 2147483647 pref medium
fc00:bbbb:bbbb:bb01::a:643e dev wg_interface proto kernel metric 256 pref medium
fd71:e0a9:50a::/64 dev br-lan proto static metric 1024 pref medium
unreachable fd71:e0a9:50a::/48 dev lo proto static metric 2147483647 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev br-lan proto kernel metric 256 pref medium
fe80::/64 dev wan proto kernel metric 256 pref medium

If you have also set up IPv6 and want to use it, you can re-apply these rules, but use the IPv6 address of the WireGuard interface with a /64 mask:

Furthermore, you need to use the MAC address of the client and not the IPv4 address; make sure the client does not use a private/random MAC address, otherwise the rule will not match it.

That should be enough :slight_smile:

I think that's it :smiley: many many sincere thanks to you egc!

Mullvad checks hang and freeze and report differing results, but other tests such as dnscheck.tools report DNS and VPN correctly on every consecutive test (multiple runs). I don't think the Mullvad check likes the use of DNS servers other than Mullvad's.

I was wondering, is this configuration OK? Is there anything wrong with using Mullvad VPN together with https-dns-proxy and Quad9?

Note for future searchers: Apple devices have a lot of potentially conflicting crap installed, like iCloud authentication, relays, CAPTCHA bypassing, IP hiding and dynamic MAC addresses. I had to disable all of these.

That is correct: Mullvad actually hijacks plain DNS on port 53, but as you are using DoH that cannot be hijacked :slight_smile:
So using

Is actually the way to go

I think there is a remark in the guide about the hijacking of DNS port 53 by Mullvad.
