PBR cannot reach other device

Hello!

So I have two different devices, each separated into its own VLAN.

In luci-app-pbr I routed each network I want over the WireGuard interface; if I wanted to make a switch accessible over the lan network and ignore the pbr policies as a whole (from wgclient to none), I used the ignore rule.

Now this works fine, but when I try it in reverse, accessing two devices on the same WireGuard route, the connection gets dropped.

This is about two network interfaces in particular:

  • neko (only one raspberry device is on here which hosts neko)
  • pcnet (only my pc is on this network)

For both of them I want to make a route to wgclient, but still be able to talk with each other once pbr is routed.

Note: 10.34.79.1/24 is pcnet, and 192.168.16.1/24 is the raspberry pi on neko.

Now the configuration:

firewall (I have cut a lot of data here, but I can add the full config):

config zone
	option name 'pcnet'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'pcnet'

config rule
	option src 'pcnet'
	option dest 'neko'
	option target 'ACCEPT'
	option name 'Allow-Neko-For-PCNET'
	list proto 'all'

config zone
	option name 'neko'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'neko'

config forwarding
	option src 'neko'
	option dest 'wgclient'

config forwarding
	option src 'pcnet'
	option dest 'wgclient'

config zone
	option name 'wgclient'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option input 'DROP'
	list network 'wgclient'

config forwarding
	option src 'wgclient'
	option dest 'wan'

pbr (full config):

config pbr 'config'
	option verbosity '2'
	option strict_enforcement '1'
	option resolver_set 'none'
	option ipv6_enabled '0'
	list ignored_interface 'vpnserver'
	list ignored_interface 'wgserver'
	option boot_timeout '30'
	option rule_create_option 'add'
	option procd_reload_delay '1'
	option webui_show_ignore_target '1'
	list webui_supported_protocol 'all'
	list webui_supported_protocol 'tcp'
	list webui_supported_protocol 'udp'
	list webui_supported_protocol 'tcp udp'
	list webui_supported_protocol 'icmp'
	option enabled '1'
	list supported_interface 'lan'
	list supported_interface 'iptv'
	list supported_interface 'pcnet'
	list supported_interface 'steamcache'
	list supported_interface 'tvnet'
	list supported_interface 'wlan0'
	list supported_interface 'wlan1'
	list supported_interface 'zigbee'
	list supported_interface 'neko'

config include
	option path '/usr/share/pbr/pbr.user.aws'
	option enabled '0'

config include
	option path '/usr/share/pbr/pbr.user.netflix'
	option enabled '0'

config policy
	option name 'Allow-IPTV'
	option src_addr '10.216.171.99/22'
	option interface 'ignore'

config policy
	option interface 'ignore'
	option name 'Allow-IGMP'
	option src_addr '224.0.0.254'
	option dest_port '5353 5443'

config policy
	option src_addr '10.34.79.1/24'
	option interface 'ignore'
	option name 'Default-Allow-PCnet-To-Modem'
	option dest_addr '10.234.53.1 10.234.53.10 10.234.53.20 10.234.53.3 10.33.77.5'

config policy
	option src_addr '10.14.0.1/24'
	option dest_addr '10.33.77.1/24'
	option dest_port '8008 8009 8443 5353 5443'
	option interface 'ignore'
	option name 'Allow-Chromecast-Via-WGServer-To-Zigbee'

config policy
	option src_addr '10.33.77.1/24'
	option dest_addr '10.14.0.1/24'
	option dest_port '8008 8009 8443 5353 5443'
	option interface 'ignore'
	option name 'Allow-chromecast-Via-Zigbee-To-WGServer'

config policy
	option interface 'ignore'
	option name 'Default-Allow-steamcache'
	option dest_addr '172.19.0.2'
	option src_addr '10.34.79.1/24 10.14.0.1/24'

config policy
	option name 'Ignore mdns'
	option dest_addr '224.0.0.1/24'
	option interface 'ignore'

config policy
	option name 'ignore mdns'
	option src_addr '224.0.0.1/24'
	option interface 'ignore'

config policy
	option name 'Default-Allow-WGServer'
	option src_addr '10.14.0.1/24'
	option interface 'wgclient'

config policy
	option dest_addr '192.168.16.2'
	option src_addr '10.34.79.1/24'
	option interface 'neko'
	option name 'Route-Neko'

config policy
	option name 'Default-Allow-WG'
	option interface 'wgclient'
	option src_addr '10.34.79.1/24 10.234.80.1/24 10.234.81.1/24 192.168.16.1/24'

If I disable PBR then it works, but I can't figure out why it won't work with PBR. I have tried adding a rule to ignore it, both before and after the wgclient route gets set (the last rule), but nothing got it working.

Many thanks!

1 Like

You should nullify bits covered by netmask:
https://openwrt.org/docs/guide-user/network/routing/pbr_app

1 Like
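As an added example (not code from the post or from the pbr project), a small Python script that applies the advice in the reply: it scans the src_addr/dest_addr values of every pbr policy in a UCI config and reports each CIDR entry whose host bits are not zero, together with the corrected network. The config excerpt it scans is constructed in the shape of the post's pbr config.

```python
import ipaddress
import re

# Constructed excerpt in the shape of the pbr UCI config quoted in the post.
SAMPLE_PBR_CONFIG = """\
config policy
	option src_addr '10.34.79.1/24'
	option interface 'ignore'
	option name 'Default-Allow-PCnet-To-Modem'
	option dest_addr '10.234.53.1 10.234.53.10'

config policy
	option name 'Default-Allow-WG'
	option interface 'wgclient'
	option src_addr '10.34.79.1/24 10.234.80.1/24 192.168.16.0/24'
"""

def normalise_prefix(entry):
    """Zero the host bits of a CIDR entry; plain host addresses are returned unchanged."""
    if "/" not in entry:
        return entry
    return str(ipaddress.ip_network(entry, strict=False))

def parse_policies(config_text):
    """Collect each 'config policy' section as a dict of its option values."""
    policies, current = [], None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            current = {} if line.startswith("config policy") else None
            if current is not None:
                policies.append(current)
            continue
        m = re.match(r"(?:option|list) (\w+) '([^']*)'", line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
    return policies

def find_unnormalised_prefixes(config_text):
    """Report (policy name, option, entry, corrected) for every CIDR with host bits set."""
    findings = []
    for policy in parse_policies(config_text):
        for key in ("src_addr", "dest_addr"):
            for entry in policy.get(key, "").split():
                fixed = normalise_prefix(entry)
                if fixed != entry:
                    findings.append((policy.get("name"), key, entry, fixed))
    return findings
```

Run it against `/etc/config/pbr` to get the list of entries to correct before reloading pbr.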

Aha, thank you very much!

After I moved my ignore rule up wgserver and used the nullified ranges, it worked fine; it reloaded a lot faster too!

1 Like
