PBR - All devices through wireguard vpn except one. Can't get the one to reach internet

I set up my router with Proton VPN's WireGuard instructions, and that worked when all traffic was routed through that interface.
I'm now trying to set up pbr to do the same, except routing just one laptop through the wan (i.e. skipping the VPN). The reason is to work around problems with a software VPN and some websites that I occasionally need. I followed the DevOdyssey video instructions from the pbr docs. When the policy is enabled, the laptop can't get out past the router, but the other devices continue to work fine. Any pointers?

firewall config:

config defaults
        option syn_flood '1'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option mtu_fix '1'

# wan zone: forward 'REJECT' means traffic entering this zone from another
# zone is dropped unless a 'config forwarding' or an explicit 'config rule'
# with dest 'wan' accepts it.
config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

# VPN zone for the WireGuard interface; masq '1' NATs lan clients behind the
# tunnel address. Like wan, it rejects forwarded traffic unless allowed below.
config zone
        option name 'vpn_proton0'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        list network 'proton0'

# The only inter-zone forwarding in this file is lan -> vpn_proton0. There is
# no lan -> wan forwarding and no rule with dest 'wan', so any lan traffic that
# pbr steers to the wan interface is rejected by the wan zone's forward policy.
config forwarding
        option src 'lan'
        option dest 'vpn_proton0'

network config:

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdcd:33eb:585c::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config device
        option name 'wan'
        option macaddr '16:[...not posting here...]'

# peerdns '0' ignores the ISP-supplied resolvers; the router's upstream DNS is
# the tunnel-side address 10.2.0.1 instead. NOTE(review): if the bypassing
# laptop uses the router as its DNS server, its lookups presumably still travel
# through the VPN — confirm that is intended.
config interface 'wan'
        option device 'wan'
        option proto 'dhcp'
        option peerdns '0'
        list dns '10.2.0.1'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'

config interface 'proton0'
        option proto 'wireguard'
        option private_key '[...not posting here...]'
        list addresses '10.2.0.2/32'
        list dns '10.2.0.1'

# allowed_ips 0.0.0.0/0 and ::/0 together with route_allowed_ips '1' send all
# IPv4 and IPv6 traffic into the tunnel by default; pbr then overrides that
# per policy for the traffic it marks.
config wireguard_proton0
        option description 'Imported peer configuration'
        option public_key '[...not posting here...]'
        list allowed_ips '0.0.0.0/0'
        list allowed_ips '::/0'
        option endpoint_host '89.222.103.7'
        option endpoint_port '51820'
        option route_allowed_ips '1'

pbr config:

config pbr 'config'
        option enabled '1'
        option verbosity '2'
        option strict_enforcement '1'
        option resolver_set 'dnsmasq.nftset'
        list resolver_instance '*'
        # NOTE(review): pbr does not handle IPv6 here; with ::/0 in the tunnel's
        # allowed_ips the laptop's IPv6 traffic presumably still goes through
        # the VPN even when its IPv4 bypasses it — confirm on the laptop.
        option ipv6_enabled '0'
        list ignored_interface 'vpnserver'
        option rule_create_option 'add'
        option procd_boot_trigger_delay '5000'
        option procd_reload_delay '1'
        option webui_show_ignore_target '0'
        option nft_rule_counter '0'
        option nft_set_auto_merge '1'
        option nft_set_counter '0'
        option nft_set_flags_interval '1'
        option nft_set_flags_timeout '0'
        option nft_set_policy 'performance'
        list webui_supported_protocol 'all'
        list webui_supported_protocol 'tcp'
        list webui_supported_protocol 'udp'
        list webui_supported_protocol 'tcp udp'
        list webui_supported_protocol 'icmp'

config include
        option path '/usr/share/pbr/pbr.user.dnsprefetch'
        option enabled '0'

config include
        option path '/usr/share/pbr/pbr.user.aws'
        option enabled '0'

config include
        option path '/usr/share/pbr/pbr.user.netflix'
        option enabled '0'

# The stock example policies below are all disabled (enabled '0').
config dns_policy
        option name 'Redirect Local IP DNS'
        option src_addr '192.168.1.5'
        option dest_dns '1.1.1.1'
        option enabled '0'

config policy
        option name 'Ignore Local Requests'
        option interface 'ignore'
        option dest_addr '10.0.0.0/24 10.0.1.0/24 192.168.100.0/24 192.168.1.0/24'
        option enabled '0'

config policy
        option name 'Plex/Emby Local Server'
        option interface 'wan'
        option src_port '8096 8920 32400'
        option enabled '0'

config policy
        option name 'Plex/Emby Remote Servers'
        option interface 'wan'
        option dest_addr 'plex.tv my.plexapp.com emby.media app.emby.media tv.emby.media'
        option enabled '0'

# The active policy: traffic from the laptop is routed via the wan interface
# instead of the tunnel. pbr only handles routing; the firewall must still
# permit lan -> wan forwarding for this source, otherwise the wan zone's
# forward 'REJECT' drops it. NOTE(review): the laptop needs a stable address
# (e.g. a static DHCP lease) for this src_addr match to keep working — confirm.
config policy
        option name 'laptop_no_wiregrd_vpn'
        option src_addr '192.168.1.167'
        option interface 'wan'

You have to allow traffic from the laptop to leave via the wan zone. pbr only changes the routing; your firewall config forwards lan only to vpn_proton0, and the wan zone rejects forwarded traffic by default, so the laptop's packets are dropped at the firewall.

Either add a forwarding from the lan firewall zone to the wan zone, or be more specific with a rule that only matches the laptop's IP address.

It is explained on pages 11 and 12 of my notes: WireGuard Client Setup Guide.

From page 12 I added this to /etc/config/network (with the MAC address and IP address changed to my laptop's), but I still can't access anything past the router from the laptop. Did I misunderstand something?

# Firewall rule (belongs in /etc/config/firewall): accept forwarded traffic
# from the laptop in the lan zone towards the wan zone, which the wan zone's
# forward 'REJECT' would otherwise drop.
config rule
option name 'allow_wan'
option src 'lan'
# Keep only one of the two source matches below, as the guide's comments say:
# src_ip for IPv4 only, or src_mac to cover both IPv4 and IPv6.
option src_ip '192.168.1.50/32' # for IPv4 use the IPv4 address
option src_mac '00:11:22:33:44:55' # for both IPv4 and IPv6 use the MAC address
option dest 'wan'
option target 'ACCEPT'

That snippet needs to be in /etc/config/firewall, not /etc/config/network.

Then run /etc/init.d/firewall restart.

Assuming the rule matches what you actually want.

On my own router I took a different approach and designed wan more like a catch-all for PBR, so I don't need a zone forwarding (I don't like it because of leakage, even though PBR handles it fine) or more specific source rules. PBR generates marks, and based on those I can make a single rule that applies to all sources; I think it is a very elegant way :slight_smile:

# Mark-based bypass: accept forwarded traffic from any zone towards wan, but
# only for packets carrying the fwmark that pbr applies to traffic it steers
# to wan. No zone forwarding and no per-host rule is needed.
# NOTE(review): the mark/mask below is the value this poster read from
# 'ip rule' on their own router — check the value on yours before copying.
config rule
        option name 'Allow-bypass-vpn-mark'
        option src '*'
        option dest 'wan'
        option target 'ACCEPT'
        option mark '0x10000/0xff0000'

The mark can be found by running ip rule in the CLI, so whenever I want to route something over wan in PBR, this rule picks it up :+1:


Add to /etc/config/firewall

Use only one of the two source matches (src_ip for IPv4 only, or src_mac for both IPv4 and IPv6) with your laptop's correct IP/MAC address:

Furthermore, place that rule above the other rules so it is evaluated before them.