I have an issue with intermittent IPv4 and IPv6 connectivity, both from the CLI of the router and from clients on the LAN. I need help! I am using IPv6 because I need remote access and my ISP uses CGNAT. IPv6 remote access, both through ports published in the firewall and through the WireGuard client-to-server VPN, works well. My ISP delegates a /56 network.
But I regularly have situations where some clients can connect to the internet via the router with both IPv4 and IPv6, while other clients on the same LAN subnet can only connect over IPv4. Occasionally I lose IPv6 on the server, which causes my IPv6 dynamic DNS updates with duckdns to fail, and because IPv6 is the preferred protocol, when it fails the router cannot download opkg updates etc. locally. I'm confident IPv6 is set up correctly with address delegation etc., but I have a complicated setup with multiple LAN/VLAN subnets, a WireGuard private internet connection via Surfshark, and a VPN server which allows remote clients to connect to my home LAN. Occasionally it all works great, but it's very temperamental. I suspect it is down to inconsistent policy-based routing, but I need help to pinpoint the issue.
I have also tried the custom user file `/etc/pbr/pbr.user.wg_server_and_client`, which is provided to overcome the protocol limitations (see Local WireGuard Server + WireGuard Client (Scenario 1)) and to allow running a WireGuard “server” on your router when a WireGuard “client” is set up as default routing.
Can anyone help with the diagnosis of the issue? It may be as simple as applying a rule to route all IPv6 down a particular interface, but I cannot work it out.
Here are my configs
/etc/config/network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd00:ab:cd::/48'
config device
option name 'eth2'
option macaddr 'xxxxxxxxxxxxxxxxx'
config interface 'wan'
option device 'eth2'
option proto 'dhcp'
option peerdns '0'
option ipv6 '1'
list dns '162.252.172.57'
list dns '149.154.159.92'
option delegate '0'
config device
option name 'br-lan'
option type 'bridge'
list ports 'eth0'
list ports 'eth1'
config device
option name 'eth1'
option macaddr 'xxxxxxxxxxxxxxx'
config device
option name 'eth0'
option macaddr 'xxxxxxxxxxxxxxx'
option peerdns '0'
option dns '162.252.172.57 149.154.159.92'
config interface 'lan'
option proto 'static'
option netmask '255.255.255.0'
option ipaddr '192.168.5.1'
option device 'br-lan.1'
option ip6assign '64'
option delegate '0'
option ip6hint '5'
option defaultroute '0'
config bridge-vlan
option device 'br-lan'
option vlan '1'
list ports 'eth0:u*'
list ports 'eth1:u*'
# Interface 'IOT' on VLAN 100: static IPv4 gateway plus a request for a /64 from the delegated IPv6 prefix.
config interface 'IOT'
option proto 'static'
option device 'br-lan.100'
option ipaddr '192.168.10.1'
option netmask '255.255.255.0'
option delegate '0'
option ip6assign '64'
# ip6hint is a hexadecimal sub-prefix ID and only a preference, not a guarantee.
# The GUEST and LANVPN interfaces in this file also ask for hint '10', so only one
# of the three can receive that /64; the others get whichever sub-prefix is free.
# NOTE(review): give each interface its own hint so the assigned prefixes stay
# stable - possibly related to the intermittent IPv6, confirm with `ifstatus`.
option ip6hint '10'
config bridge-vlan
option device 'br-lan'
option vlan '100'
list ports 'eth0:t'
list ports 'eth1:t'
config interface 'GUEST'
option proto 'static'
option device 'br-lan.200'
option ipaddr '10.1.20.1'
option netmask '255.255.255.0'
option defaultroute '0'
option delegate '0'
option ip6assign '64'
option ip6hint '10'
config bridge-vlan
option device 'br-lan'
option vlan '200'
list ports 'eth0:t'
list ports 'eth1:t'
config interface 'LANVPN'
option device 'br-lan.300'
option proto 'static'
option ipaddr '192.168.30.1'
option netmask '255.255.255.0'
option defaultroute '0'
option delegate '0'
option ip6assign '64'
option ip6hint '10'
config bridge-vlan
option device 'br-lan'
option vlan '300'
list ports 'eth0:t'
list ports 'eth1:t'
config interface 'OPENVPNCLI'
option proto 'none'
option device 'tun0'
option auto '0'
# NOTE(review): this repeats the bridge-vlan section for VLAN 300 on br-lan that
# already appears directly before the OPENVPNCLI interface (same device, same VLAN
# ID, same tagged ports). It looks redundant - confirm and keep only one copy.
config bridge-vlan
option device 'br-lan'
option vlan '300'
list ports 'eth0:t'
list ports 'eth1:t'
config interface 'WGPIA'
option proto 'wireguard'
list addresses '10.14.0.2/16'
option defaultroute '0'
option peerdns '0'
list dns '162.252.172.57'
list dns '149.154.159.92'
option private_key 'xxxxxxxxxxxxxxxxxxxxx'
option delegate '0'
config interface 'wg_SVR'
option proto 'wireguard'
option private_key 'xxxxxxxxxxxxxxxxxxxxxxxxxx'
option listen_port '51821'
list addresses '192.168.40.1/24'
list addresses 'fd00:ab:cd:40::1/64'
option mtu '1280'
option defaultroute '0'
option delegate '0'
option ip4table 'local'
option ip6table 'local'
# Peers of the local WireGuard server interface wg_SVR (remote clients).
config wireguard_wg_SVR
option public_key 'xxxxxxxxxxxxxxxxxxxxxxx'
option preshared_key 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
option description 'jonesi_iphone'
option persistent_keepalive '25'
option private_key 'xxxxxxxxxxxxxxxxxxxxxx'
option route_allowed_ips '1'
# Only an IPv4 /32 is allowed for this peer, although wg_SVR itself also carries
# fd00:ab:cd:40::1/64. WireGuard drops tunnel packets whose source address is not
# in allowed_ips, so this peer has no IPv6 inside the tunnel as configured.
list allowed_ips '192.168.40.2/32'
config wireguard_wg_SVR
# NOTE(review): unlike every other key in this post, the public_key and
# preshared_key below are not masked with 'x' placeholders and look like real
# values. A preshared key is a shared secret: if it is genuine, treat it as
# exposed and generate a new one on both the router and the client.
option public_key 'XW1M3MfxysKly273p6MWipKVlYfvDCCQ3i4PtNgUdH4='
option preshared_key 'zXWk6rWrWnIxr9J0GoGdJrHukfpudBp/4v73e1HqkQ8='
option description 'jonesi_dragonfly'
option route_allowed_ips '1'
option persistent_keepalive '25'
option private_key 'xxxxxxxxxxxxxxxxxxxxxx'
# IPv4 /32 only, same as the peer above: no IPv6 inside the tunnel for this peer.
list allowed_ips '192.168.40.3/32'
# Upstream peer for the WGPIA WireGuard client interface (commercial VPN exit).
config wireguard_WGPIA 'wireguard_WGPIA'
option description 'xxxxxxxxxxxxxxx'
option public_key 'xxxxxxxxxxxxxxxx'
option endpoint_host 'xxxxxxxxxxxxxx'
option endpoint_port '51820'
option persistent_keepalive '25'
# Only the IPv4 default route is allowed here (no '::/0'), and the WGPIA interface
# has only an IPv4 address, so this tunnel carries IPv4 only. The pbr status output
# later on this page shows an empty IPv6 route list for table 257, which matches.
# NOTE(review): IPv6 from hosts that are meant to use the VPN is therefore not
# covered by the tunnel - confirm whether it is blocked or leaves via wan6 outside
# the VPN, and either add IPv6 to the tunnel or block it for those hosts.
list allowed_ips '0.0.0.0/0'
option route_allowed_ips '1'
# DHCPv6 client on the WAN device: requests an address ('try') and a delegated prefix ('auto').
config interface 'wan6'
option proto 'dhcpv6'
option device '@wan'
option reqaddress 'try'
option reqprefix 'auto'
option peerdns '0'
list dns '2620:119:35::35'
list dns '2620:119:53::53'
# NOTE(review): ip6assign is normally set on downstream interfaces (lan, IOT, ...).
# Setting it on the upstream interface asks for a /64 of the delegated prefix on
# the WAN device itself. The pbr status output on this page lists
# 2a0e:1d47:8480:6502::/64 and fd00:ab:cd:2::/64 on eth2, which looks consistent
# with that - confirm this is intended, otherwise remove the option.
option ip6assign '64'
/etc/config/firewall
# Global fallback policies, used for traffic on interfaces that no zone covers.
# NOTE(review): input and forward are both ACCEPT, so an interface that is not (or
# is no longer) assigned to a zone fails open. 'REJECT' for input and forward is the
# safer baseline; the zones below still allow what is meant to be allowed.
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option synflood_protect '1'
# Trusted zone: full access to the router and between its member networks.
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
# LANVPN is attached here, so it is governed by this zone; the separate zone named
# 'LANVPN' later in this file lists no network.
list network 'LANVPN'
# Remote WireGuard clients (wg_SVR) get the same trust as wired LAN hosts: router
# input is accepted and every forwarding with src 'lan' applies to them.
# NOTE(review): consider a dedicated zone for wg_SVR with only the forwardings
# remote clients actually need.
list network 'wg_SVR'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wan'
list network 'OPENVPNCLI'
list network 'WGPIA'
# Guest zone.
# NOTE(review): input 'ACCEPT' lets guest devices reach every service listening on
# the router, including the management ports opened elsewhere in this file (443,
# 8022, 2812). A common hardening is input 'REJECT' plus explicit rules for DNS,
# DHCP/DHCPv6 and the ICMPv6 types clients need.
config zone
option name 'GUEST'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'GUEST'
# IoT zone: same permissive input policy as GUEST, and the same note applies.
config zone
option name 'IOT'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'IOT'
# Zone intended for the WGPIA VPN client.
# NOTE(review): this zone has no 'list network' entry, and the WGPIA interface is
# attached to the 'wan' zone earlier in this file. As written, this zone and the
# forwardings that name 'WGPIA' as dest match no interface; WGPIA traffic follows
# the 'wan' zone rules instead. Decide on one zone for the interface.
config zone
option name 'WGPIA'
option output 'ACCEPT'
option forward 'REJECT'
option input 'REJECT'
option masq '1'
option mtu_fix '1'
# Zone for the OpenVPN client interface.
# NOTE(review): OPENVPNCLI is listed both here and in the 'wan' zone; an interface
# in two zones makes the effective policy hard to reason about - keep it in one.
config zone
option name 'OPENVPNCLI'
option output 'ACCEPT'
option mtu_fix '1'
option input 'REJECT'
option forward 'REJECT'
option masq '1'
list network 'OPENVPNCLI'
config forwarding
option src 'lan'
option dest 'wan'
config forwarding
option dest 'wan'
option src 'GUEST'
config forwarding
option dest 'wan'
option src 'IOT'
config forwarding
option src 'lan'
option dest 'OPENVPNCLI'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option target 'ACCEPT'
list icmp_type 'echo-request'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
# Zone named after the LANVPN VLAN.
# NOTE(review): no network is listed here, and the LANVPN interface is attached to
# the 'lan' zone earlier in this file, so the forwardings with src 'LANVPN' that
# follow appear to match no traffic. Either move the network into this zone or
# remove the zone and its forwardings.
config zone
option name 'LANVPN'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
config forwarding
option src 'lan'
option dest 'GUEST'
config forwarding
option src 'lan'
option dest 'IOT'
config forwarding
option src 'lan'
option dest 'LANVPN'
config forwarding
option src 'lan'
option dest 'WGPIA'
config forwarding
option src 'LANVPN'
option dest 'GUEST'
config forwarding
option src 'LANVPN'
option dest 'IOT'
config forwarding
option src 'LANVPN'
option dest 'lan'
config forwarding
option src 'LANVPN'
option dest 'OPENVPNCLI'
config forwarding
option src 'LANVPN'
option dest 'wan'
config forwarding
option src 'LANVPN'
option dest 'WGPIA'
# Management services opened to the WAN zone. With a globally routable IPv6 address
# on the router these are reachable from the whole Internet.
# NOTE(review): the WireGuard server (wg_SVR) already provides remote access;
# reaching the web UI, SSH and Monit through the tunnel would let these rules be
# removed. If they stay, restrict them with 'src_ip' and use key-only SSH.
config rule
option name 'Allow MONIT WebIF from WAN'
option src 'wan'
option dest_port '2812'
option target 'ACCEPT'
# No 'family' option on this rule, so unlike the two rules below it applies to
# IPv4 as well as IPv6.
list proto 'tcp'
# Router web interface (HTTPS) from WAN, IPv6 only.
config rule 'wan_https_allow'
option name 'Allow HTTPS WebIF from WAN'
option src 'wan'
option proto 'tcp'
option dest_port '443'
option target 'ACCEPT'
option family 'ipv6'
# SSH on port 8022 from WAN, IPv6 only.
config rule 'wan_ssh_allow'
option name 'Allow SSH from WAN'
option src 'wan'
option proto 'tcp'
option dest_port '8022'
option target 'ACCEPT'
option family 'ipv6'
config include 'pbr'
option fw4_compatible '1'
option type 'script'
option path '/usr/share/pbr/pbr.firewall.include'
config rule 'wg_rule_SVR'
option name 'Allow-WireGuard-SVR-wan'
option src 'wan'
option dest_port '51821'
option proto 'udp'
option target 'ACCEPT'
# IPv6 port redirects from WAN: external 2222 -> 8022 and 8443 -> 443.
# No 'dest_ip' is set, so these presumably land on the router itself - TODO confirm.
# NOTE(review): together with the rules that accept 8022 and 443 on WAN, the
# management services are then exposed on both the original and the alternate
# ports; keep only the set that is actually needed.
config redirect
option target 'DNAT'
option name 'SSH-to-router'
option family 'ipv6'
list proto 'tcp'
option src 'wan'
option src_dport '2222'
option dest_port '8022'
config redirect
option target 'DNAT'
option name 'WebIF Router 8443'
option family 'ipv6'
list proto 'tcp'
option src 'wan'
option src_dport '8443'
option dest_port '443'
pbr status
============================================================
pbr - environment
pbr 1.1.1-7 running on OpenWrt 23.05.3. WAN (IPv4): wan/eth2/100.101.64.1. WAN (IPv6): wan6/eth2/2a0e:1d42:0:e7::162.
============================================================
Dnsmasq version 2.90 Copyright (c) 2000-2024 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus UBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset nftset auth cryptohash DNSSEC no-ID loop-detect inotify dumpfile
============================================================
pbr chains - policies
chain pbr_forward { # handle 66
}
chain pbr_input { # handle 67
}
chain pbr_output { # handle 68
ip saddr @pbr_WGPIA_4_src_ip_cfg026ff5 ip daddr @pbr_WGPIA_4_dst_ip_cfg026ff5 goto pbr_mark_0x020000 comment "SURFSHARK-UP" # handle 2343
ip6 saddr @pbr_WGPIA_6_src_ip_cfg026ff5 ip6 daddr @pbr_WGPIA_6_dst_ip_cfg026ff5 goto pbr_mark_0x020000 comment "SURFSHARK-UP" # handle 2344
}
chain pbr_prerouting { # handle 69
ip saddr @pbr_wan_4_src_ip_cfg036ff5 ip daddr @pbr_wan_4_dst_ip_cfg036ff5 goto pbr_mark_0x010000 comment "DUCKDNS" # handle 2349
ip6 saddr @pbr_wan_6_src_ip_cfg036ff5 ip6 daddr @pbr_wan_6_dst_ip_cfg036ff5 goto pbr_mark_0x010000 comment "DUCKDNS" # handle 2350
ip saddr @pbr_WGPIA_4_src_ip_cfg046ff5 goto pbr_mark_0x020000 comment "VPN_VLAN" # handle 2353
ip6 saddr @pbr_WGPIA_6_src_ip_cfg046ff5 goto pbr_mark_0x020000 comment "VPN_VLAN" # handle 2354
ip saddr @pbr_wan_4_src_ip_cfg056ff5 tcp sport 443 tcp dport { 443, 8443, 10000, 10001 } goto pbr_mark_0x010000 comment "REMOTE_MGMT" # handle 2358
ip6 saddr @pbr_wan_6_src_ip_cfg056ff5 tcp sport 443 tcp dport { 443, 8443, 10000, 10001 } goto pbr_mark_0x010000 comment "REMOTE_MGMT" # handle 2360
ip saddr @pbr_wan_4_src_ip_cfg056ff5 udp sport 443 udp dport { 443, 8443, 10000, 10001 } goto pbr_mark_0x010000 comment "REMOTE_MGMT" # handle 2362
ip6 saddr @pbr_wan_6_src_ip_cfg056ff5 udp sport 443 udp dport { 443, 8443, 10000, 10001 } goto pbr_mark_0x010000 comment "REMOTE_MGMT" # handle 2364
ip saddr @pbr_wan_4_src_ip_cfg056ff5 tcp sport 443 tcp dport { 443, 8443, 10000, 10001 } goto pbr_mark_0x010000 comment "REMOTE_MGMT" # handle 2366
ip6 saddr @pbr_wan_6_src_ip_cfg056ff5 tcp sport 443 tcp dport { 443, 8443, 10000, 10001 } goto pbr_mark_0x010000 comment "REMOTE_MGMT" # handle 2368
ip saddr @pbr_wan_4_src_ip_cfg056ff5 udp sport 443 udp dport { 443, 8443, 10000, 10001 } goto pbr_mark_0x010000 comment "REMOTE_MGMT" # handle 2370
ip6 saddr @pbr_wan_6_src_ip_cfg056ff5 udp sport 443 udp dport { 443, 8443, 10000, 10001 } goto pbr_mark_0x010000 comment "REMOTE_MGMT" # handle 2372
ip saddr @pbr_wan_4_src_ip_cfg066ff5 tcp sport 9981-9982 tcp dport 19981-19982 goto pbr_mark_0x010000 comment "TVHeadendWAN" # handle 2375
ip6 saddr @pbr_wan_6_src_ip_cfg066ff5 tcp sport 9981-9982 tcp dport 19981-19982 goto pbr_mark_0x010000 comment "TVHeadendWAN" # handle 2376
ip saddr @pbr_wan_4_src_ip_cfg066ff5 udp sport 9981-9982 udp dport 19981-19982 goto pbr_mark_0x010000 comment "TVHeadendWAN" # handle 2377
ip6 saddr @pbr_wan_6_src_ip_cfg066ff5 udp sport 9981-9982 udp dport 19981-19982 goto pbr_mark_0x010000 comment "TVHeadendWAN" # handle 2378
ip saddr @pbr_wan_4_src_ip_cfg096ff5 tcp sport { 6055, 8123, 60554 } tcp dport { 8123, 60554, 60555 } goto pbr_mark_0x010000 comment "VPN_BYPASS" # handle 2383
ip6 saddr @pbr_wan_6_src_ip_cfg096ff5 tcp sport { 6055, 8123, 60554 } tcp dport { 8123, 60554, 60555 } goto pbr_mark_0x010000 comment "VPN_BYPASS" # handle 2386
ip saddr @pbr_wan_4_src_ip_cfg0a6ff5 ip daddr @pbr_wan_4_dst_ip_cfg0a6ff5 goto pbr_mark_0x010000 comment "HASS_REMOTE" # handle 2391
ip6 saddr @pbr_wan_6_src_ip_cfg0a6ff5 ip6 daddr @pbr_wan_6_dst_ip_cfg0a6ff5 goto pbr_mark_0x010000 comment "HASS_REMOTE" # handle 2392
ip saddr @pbr_WGPIA_4_src_ip_cfg0b6ff5 ip daddr @pbr_WGPIA_4_dst_ip_cfg0b6ff5 goto pbr_mark_0x020000 comment "WEBBLOCK" # handle 2397
ip6 saddr @pbr_WGPIA_6_src_ip_cfg0b6ff5 ip6 daddr @pbr_WGPIA_6_dst_ip_cfg0b6ff5 goto pbr_mark_0x020000 comment "WEBBLOCK" # handle 2398
ip saddr @pbr_wan_4_src_ip_cfg126ff5 goto pbr_mark_0x010000 comment "INTERNET_WAN" # handle 2401
ip6 saddr @pbr_wan_6_src_ip_cfg126ff5 goto pbr_mark_0x010000 comment "INTERNET_WAN" # handle 2402
}
chain pbr_postrouting { # handle 70
}
============================================================
pbr chains - marking
chain pbr_mark_0x010000 { # handle 2330
counter packets 125260 bytes 13162702 meta mark set meta mark & 0xff01ffff | 0x00010000 # handle 2331
return # handle 2332
}
chain pbr_mark_0x020000 { # handle 2333
counter packets 312369 bytes 1272179119 meta mark set meta mark & 0xff02ffff | 0x00020000 # handle 2334
return # handle 2335
}
chain pbr_mark_0x030000 { # handle 2336
counter packets 0 bytes 0 meta mark set meta mark & 0xff03ffff | 0x00030000 # handle 2337
return # handle 2338
}
============================================================
pbr nft sets
set pbr_WGPIA_4_src_ip_cfg026ff5 { # handle 2339
type ipv4_addr
flags interval
counter
auto-merge
comment "SURFSHARK-UP"
elements = { 192.168.5.0/24 counter packets 2094 bytes 263519 }
}
set pbr_WGPIA_6_src_ip_cfg026ff5 { # handle 2340
type ipv6_addr
flags interval
counter
auto-merge
comment "SURFSHARK-UP"
}
set pbr_WGPIA_4_dst_ip_cfg026ff5 { # handle 2341
type ipv4_addr
flags interval
counter
auto-merge
comment "SURFSHARK-UP"
elements = { 8.8.4.4 counter packets 0 bytes 0 }
}
set pbr_WGPIA_6_dst_ip_cfg026ff5 { # handle 2342
type ipv6_addr
flags interval
counter
auto-merge
comment "SURFSHARK-UP"
}
set pbr_wan_4_src_ip_cfg036ff5 { # handle 2345
type ipv4_addr
flags interval
counter
auto-merge
comment "DUCKDNS"
elements = { 192.168.5.0/24 counter packets 125526 bytes 13191789 }
}
set pbr_wan_6_src_ip_cfg036ff5 { # handle 2346
type ipv6_addr
flags interval
counter
auto-merge
comment "DUCKDNS"
}
set pbr_wan_4_dst_ip_cfg036ff5 { # handle 2347
type ipv4_addr
flags interval
counter
auto-merge
comment "DUCKDNS"
}
set pbr_wan_6_dst_ip_cfg036ff5 { # handle 2348
type ipv6_addr
flags interval
counter
auto-merge
comment "DUCKDNS"
}
set pbr_WGPIA_4_src_ip_cfg046ff5 { # handle 2351
type ipv4_addr
flags interval
counter
auto-merge
comment "VPN_VLAN"
elements = { 192.168.30.0/24 counter packets 312381 bytes 1272205832 }
}
set pbr_WGPIA_6_src_ip_cfg046ff5 { # handle 2352
type ipv6_addr
flags interval
counter
auto-merge
comment "VPN_VLAN"
}
set pbr_wan_4_src_ip_cfg056ff5 { # handle 2355
type ipv4_addr
flags interval
counter
auto-merge
comment "REMOTE_MGMT"
elements = { 192.158.5.1 counter packets 0 bytes 0, 192.168.5.201 counter packets 468 bytes 76224 }
}
set pbr_wan_6_src_ip_cfg056ff5 { # handle 2356
type ipv6_addr
flags interval
counter
auto-merge
comment "REMOTE_MGMT"
}
set pbr_wan_4_src_ip_cfg066ff5 { # handle 2373
type ipv4_addr
flags interval
counter
auto-merge
comment "TVHeadendWAN"
elements = { 192.168.5.201 counter packets 234 bytes 38112 }
}
set pbr_wan_6_src_ip_cfg066ff5 { # handle 2374
type ipv6_addr
flags interval
counter
auto-merge
comment "TVHeadendWAN"
}
set pbr_wan_4_src_ip_cfg096ff5 { # handle 2379
type ipv4_addr
flags interval
counter
auto-merge
comment "VPN_BYPASS"
elements = { 192.168.5.10 counter packets 0 bytes 0, 192.168.5.201-192.168.5.202 counter packets 888 bytes 93834 }
}
set pbr_wan_6_src_ip_cfg096ff5 { # handle 2380
type ipv6_addr
flags interval
counter
auto-merge
comment "VPN_BYPASS"
}
set pbr_wan_4_src_ip_cfg0a6ff5 { # handle 2387
type ipv4_addr
flags interval
counter
auto-merge
comment "HASS_REMOTE"
elements = { 192.168.5.10 counter packets 0 bytes 0, 192.168.5.202 counter packets 771 bytes 74778 }
}
set pbr_wan_6_src_ip_cfg0a6ff5 { # handle 2388
type ipv6_addr
flags interval
counter
auto-merge
comment "HASS_REMOTE"
}
set pbr_wan_4_dst_ip_cfg0a6ff5 { # handle 2389
type ipv4_addr
flags interval
counter
auto-merge
comment "HASS_REMOTE"
}
set pbr_wan_6_dst_ip_cfg0a6ff5 { # handle 2390
type ipv6_addr
flags interval
counter
auto-merge
comment "HASS_REMOTE"
}
set pbr_WGPIA_4_src_ip_cfg0b6ff5 { # handle 2393
type ipv4_addr
flags interval
counter
auto-merge
comment "WEBBLOCK"
elements = { 192.168.5.0/24 counter packets 125344 bytes 13172906 }
}
set pbr_WGPIA_6_src_ip_cfg0b6ff5 { # handle 2394
type ipv6_addr
flags interval
counter
auto-merge
comment "WEBBLOCK"
}
set pbr_WGPIA_4_dst_ip_cfg0b6ff5 { # handle 2395
type ipv4_addr
flags interval
counter
auto-merge
comment "WEBBLOCK"
}
set pbr_WGPIA_6_dst_ip_cfg0b6ff5 { # handle 2396
type ipv6_addr
flags interval
counter
auto-merge
comment "WEBBLOCK"
}
set pbr_wan_4_src_ip_cfg126ff5 { # handle 2399
type ipv4_addr
flags interval
counter
auto-merge
comment "INTERNET_WAN"
elements = { 192.168.5.0/24 counter packets 125317 bytes 13166122 }
}
set pbr_wan_6_src_ip_cfg126ff5 { # handle 2400
type ipv6_addr
flags interval
counter
auto-merge
comment "INTERNET_WAN"
}
============================================================
dnsmasq sets
nftset=/duckdns.org/4#inet#fw4#pbr_wan_4_dst_ip_cfg036ff5,6#inet#fw4#pbr_wan_6_dst_ip_cfg036ff5 # DUCKDNS
nftset=/xxxxx.duckdns.org/4#inet#fw4#pbr_wan_4_dst_ip_cfg0a6ff5,6#inet#fw4#pbr_wan_6_dst_ip_cfg0a6ff5 # HASS_REMOTE
nftset=/xxxx.duckdns.org/4#inet#fw4#pbr_wan_4_dst_ip_cfg0a6ff5,6#inet#fw4#pbr_wan_6_dst_ip_cfg0a6ff5 # HASS_REMOTE
nftset=/thepiratebay.org/4#inet#fw4#pbr_WGPIA_4_dst_ip_cfg0b6ff5,6#inet#fw4#pbr_WGPIA_6_dst_ip_cfg0b6ff5 # WEBBLOCK
nftset=/rarbg.to/4#inet#fw4#pbr_WGPIA_4_dst_ip_cfg0b6ff5,6#inet#fw4#pbr_WGPIA_6_dst_ip_cfg0b6ff5 # WEBBLOCK
nftset=/torrents.eu/4#inet#fw4#pbr_WGPIA_4_dst_ip_cfg0b6ff5,6#inet#fw4#pbr_WGPIA_6_dst_ip_cfg0b6ff5 # WEBBLOCK
nftset=/limetorrents.info/4#inet#fw4#pbr_WGPIA_4_dst_ip_cfg0b6ff5,6#inet#fw4#pbr_WGPIA_6_dst_ip_cfg0b6ff5 # WEBBLOCK
nftset=/yts.mx/4#inet#fw4#pbr_WGPIA_4_dst_ip_cfg0b6ff5,6#inet#fw4#pbr_WGPIA_6_dst_ip_cfg0b6ff5 # WEBBLOCK
nftset=/eztv.ag/4#inet#fw4#pbr_WGPIA_4_dst_ip_cfg0b6ff5,6#inet#fw4#pbr_WGPIA_6_dst_ip_cfg0b6ff5 # WEBBLOCK
nftset=/torlock.com/4#inet#fw4#pbr_WGPIA_4_dst_ip_cfg0b6ff5,6#inet#fw4#pbr_WGPIA_6_dst_ip_cfg0b6ff5 # WEBBLOCK
nftset=/torrentdownloads.me/4#inet#fw4#pbr_WGPIA_4_dst_ip_cfg0b6ff5,6#inet#fw4#pbr_WGPIA_6_dst_ip_cfg0b6ff5 # WEBBLOCK
nftset=/extratorrents.ch/4#inet#fw4#pbr_WGPIA_4_dst_ip_cfg0b6ff5,6#inet#fw4#pbr_WGPIA_6_dst_ip_cfg0b6ff5 # WEBBLOCK
============================================================
IPv4 table 256 route: default via 100.101.64.1 dev eth2
IPv4 table 256 rule(s):
30000: from all fwmark 0x10000/0xff0000 lookup pbr_wan
IPv6 table 256 route: default from 2a0e:1d42:0:e7::13b via fe80::aa7:41ff:feff:480c dev eth2 proto static metric 512 pref medium
default from 2a0e:1d42:0:e7::162 via fe80::aa7:41ff:feff:480c dev eth2 proto static metric 512 pref medium
default from 2a0e:1d42:0:e7::169 via fe80::aa7:41ff:feff:480c dev eth2 proto static metric 512 pref medium
default from 2a0e:1d47:8480:6500::/56 via fe80::aa7:41ff:feff:480c dev eth2 proto static metric 512 pref medium
IPv6 table 256 rule(s):
default from 2a0e:1d42:0:e7::13b via fe80::aa7:41ff:feff:480c dev eth2 proto static metric 512 pref medium
default from 2a0e:1d42:0:e7::162 via fe80::aa7:41ff:feff:480c dev eth2 proto static metric 512 pref medium
default from 2a0e:1d42:0:e7::169 via fe80::aa7:41ff:feff:480c dev eth2 proto static metric 512 pref medium
default from 2a0e:1d47:8480:6500::/56 via fe80::aa7:41ff:feff:480c dev eth2 proto static metric 512 pref medium
2a0e:1d47:8480:6502::/64 dev eth2 proto static metric 1024 pref medium
fd00:ab:cd:2::/64 dev eth2 proto static metric 1024 pref medium
fe80::/64 dev eth2 proto kernel metric 256 pref medium
IPv4 table 257 route: default via 10.14.0.2 dev WGPIA
IPv4 table 257 rule(s):
30001: from all fwmark 0x20000/0xff0000 lookup pbr_WGPIA
IPv6 table 257 route:
IPv6 table 257 rule(s):
IPv4 table 258 route: default via 192.168.40.1 dev wg_SVR
IPv4 table 258 rule(s):
30002: from all fwmark 0x30000/0xff0000 lookup pbr_wg_SVR
IPv6 table 258 route: default dev wg_SVR metric 1024 pref medium
IPv6 table 258 rule(s):
fd00:ab:cd:40::/64 dev wg_SVR metric 1024 pref medium
default dev wg_SVR metric 1024 pref medium