PBR isn't working, wireguard blocking it

Hi all,

Could you take a look at my setup? I can't get PBR working, and I have a hunch it is a simple fix within WireGuard, since I followed Mullvad's instructions.

I was just going to try PBR on a single device first; once that was working, I wanted to progress to something better.

Kindest regards

root@OpenWrt:/etc/config# cat dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'
        list server '10.64.0.1'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'
        list dhcp_option '6,10.64.0.1'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'
root@OpenWrt:/etc/config# cat firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include 'pbr'
        option fw4_compatible '1'
        option type 'script'
        option path '/usr/share/pbr/pbr.firewall.include'

config zone
        option name 'WGZONE'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'WGINTERFACE'

config forwarding
        option src 'lan'
        option dest 'WGZONE'

root@OpenWrt:/etc/config#

root@OpenWrt:/etc/config# cat network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdc9:fcdb:2690::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.xx.x'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'

config interface 'WGINTERFACE'
        option proto 'wireguard'
        option private_key 'redacted'
        list addresses '10.71.80.225/32'
        option force_link '1'

config wireguard_WGINTERFACE
        option public_key 'redacted'
        option endpoint_host 'xxx.xxx.xxx.xxx'
        option endpoint_port '51820'
        option route_allowed_ips '1'
        list allowed_ips '0.0.0.0/0'
        list allowed_ips '::0/0' >>> this is because i run starlink and get ipv6 leaks

config route
        option interface 'WGINTERFACE'
        option target '100.64.0.7/23'

root@OpenWrt:/etc/config#

root@OpenWrt:/etc/config# cat pbr

config pbr 'config'
        option enabled '1'
        option verbosity '2'
        option strict_enforcement '1'
        option resolver_set 'none'
        option ipv6_enabled '0'
        list ignored_interface 'vpnserver'
        list ignored_interface 'wgserver'
        option boot_timeout '30'
        option rule_create_option 'add'
        option procd_reload_delay '1'
        option webui_show_ignore_target '0'
        list webui_supported_protocol 'all'
        list webui_supported_protocol 'tcp'
        list webui_supported_protocol 'udp'
        list webui_supported_protocol 'tcp udp'
        list webui_supported_protocol 'icmp'

config include
        option path '/usr/share/pbr/pbr.user.aws'
        option enabled '0'

config include
        option path '/usr/share/pbr/pbr.user.netflix'
        option enabled '0'

config policy
        option name 'Plex/Emby Local Server'
        option interface 'wan'
        option src_port '8096 8920 32400'
        option enabled '0'

config policy
        option name 'Plex/Emby Remote Servers'
        option interface 'wan'
        option dest_addr 'plex.tv my.plexapp.com emby.media app.emby.media tv.emby.media'
        option enabled '0'

config policy
        option name 'shitpad'
        option src_addr '16:CC:63:4A:54:57'
        option interface 'wan'
        option enabled '0'

root@OpenWrt:/etc/config#

root@OpenWrt:/etc/config# wg show
interface: WGINTERFACE
  public key: <redacted>
  private key: (hidden)
  listening port: 58150

peer: <redacted>
  endpoint: x.x.x.x:51820
  allowed ips: 0.0.0.0/0, ::/0
  latest handshake: 15 seconds ago
  transfer: 164.92 GiB received, 108.90 GiB sent

I can honestly say that I've never failed so miserably at any task in my life than with OpenWrt.

With PBR enabled, and forwarding allowed from lan to wginterface/wan6 in the firewall, all devices on Wi-Fi bypass WireGuard, and all Ethernet devices go through WireGuard.

So I disabled wan6 for now; the outcome was that devices specified in PBR (by MAC address) would just hang, while all others were fine, whether on Wi-Fi or Ethernet.

Should I enable or disable 'Use DNS advertised by peer', and on which interface? (I use Mullvad VPN.)

With messing around with it, I noticed that my rt3200 will sometimes fail to restart properly.

As you also want some traffic to go via the WAN, you have to allow that traffic, so add:

config forwarding
        option src 'lan'
        option dest 'wan'

I do not like using only their DNS server, as it is only reachable after the tunnel is up, so you might end up in a catch-22: you need DNS to get the correct time and to resolve the endpoint of the WG server (unless the endpoint is an IP address).

Also the use of

is wrong, as a client using the WAN is then not able to use DNS; you can of course create a route for this via the WG interface, but in that case you have a "DNS leak".

My advice: remove everything related to Mullvad's DNS and just add the DNS servers 1.1.1.1 and 9.9.9.9 to the WAN to begin with; once everything is working, look into DNS.
For some background reading:

Hi egc,

Does this have anything to do with Mullvad's instructions and Starlink? I quoted the article below so you don't need to follow the link.

Change DNS on LAN Interface

No content blocking

Click on DHCP server - Advanced Settings - DHCP-Options: 6,10.64.0.1

DNS content blocking

To use our content blocking DNS, see Custom DNS entries for use with our VPN service. This example uses 100.64.0.7 (which enables ad blocking, tracker blocking and malware blocking).
Click on DHCP server - Advanced Settings - DHCP-Options: 6,100.64.0.7
Some Internet providers like Starlink may use CGNAT, which uses the same IP range as our content blocking DNS. In this case the DNS IP will not work by default. You can add a static route to make sure that the DNS IP you select is using the VPN tunnel.
Go to Network > Routes > Static IPv4 Routes and add the following:
Interface: WGINTERFACE
Route type: unicast
Target: 100.64.0.7/32 (use the same DNS IP that you set in the DHCP-Options above)
https://mullvad.net/en/help/running-wireguard-router.

Split DNS is a can of worms, see my advice above.

First get basic things working and then look into DNS

I misread what you were trying to tell me. Ok, all set.

config forwarding
        option src 'lan'
        option dest 'WGZONE'

config forwarding
        option src 'lan'
        option dest 'wan'
config route
        option interface 'WGINTERFACE'
        option target '100.64.0.7/23'
        option disabled '1'
config interface 'wan'
        option device 'wan'
        option proto 'dhcp'
        option peerdns '0'
        list dns '1.1.1.1'
        list dns '9.9.9.9'

Do I really need to reboot after such changes? Can a uci network reload suffice?

It appears that the clients are still going through wireguard.

This should do instead of rebooting

service network restart
service firewall restart
service pbr restart

Default routing is via WireGuard.

You use PBR to make some clients use e.g. the WAN interface.

This is disabled but if you enable it then your shitpad should use the wan :slight_smile:

Of course if you do not want default routing via WireGuard then disable Route Allowed IPs on the WireGuard peer


service network restart
service firewall restart
service pbr restart

Perfect!

This is disabled but if you enable it then your shitpad should use the wan :slight_smile:

Haha forgot I named it that! made me laugh!

Some strange behavior. I had already set the device to enabled, but nothing changed; however, after running those service restart commands, it made some changes, EVEN THOUGH I had rebooted the router twice. I also noticed that attended sysupgrade is failing too, and I am on 23.05.4, so I could update...

Anyway, the shitpad is indeed going through the WAN; however, so are other clients that are not listed in the PBR tables?

I would certainly update first, preferably to 24.10.1, before doing anything else; PBR especially has been updated a lot.

I presume then that all my configs are good then? :smiley:

Ok will get an update!

EDIT: bugger, is the server down? luci and auc fail.

auc -c
auc/0.3.2-1
Server:    https://sysupgrade.openwrt.org
Running:   23.05.4 r24012-d8dd03c46f on mediatek/mt7622 (linksys,e8450-ubi)
No data available (61)

auc -c -b 24.10.0
auc/0.3.2-1
Server:    https://asu.aparcar.org/
Running:   23.05.4 r24012-d8dd03c46f on mediatek/mt7622 (linksys,e8450-ubi)
No data available (61)

You might need to perform some voodoo to update; carefully read the wiki and other available information.

That was a rough ride, bricked it...

anyway, my RT3200 is back!

Sadly though, same problem persists with my backup configs installed on a fresh install of openwrt.
Wireless clients appear to be going through the WAN without any policy-based rules. Please help!

It might help if we see your configs. Please connect to your OpenWrt device using SSH, copy the output of the following commands, and post it here using the "Preformatted text </>" button.

Remember to redact keys, passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall
ip route show
ip rule show
wg show
cat /etc/config/pbr
service pbr status

Certainly!
Thank you for your time!

{
        "kernel": "6.6.86",
        "hostname": "OpenWrt",
        "system": "ARMv8 Processor rev 4",
        "model": "Linksys E8450 (UBI)",
        "board_name": "linksys,e8450-ubi",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "24.10.1",
                "revision": "r28597-0425664679",
                "target": "mediatek/mt7622",
                "description": "OpenWrt 24.10.1 r28597-0425664679",
                "builddate": "1744562312"
        }
}
cat network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdc9:fcdb:2690::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.99.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'
        option peerdns '0'
        list dns '1.1.1.1'
        list dns '9.9.9.9'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'
        option reqaddress 'try'
        option reqprefix 'auto'

config interface 'WGINTERFACE'
        option proto 'wireguard'
        option private_key 'xxx''
        list addresses '10.71.80.225/32'
        option force_link '1'

config wireguard_WGINTERFACE
        option public_key 'xxx'
        option endpoint_host '185.195.232.70'
        option endpoint_port '51820'
        option route_allowed_ips '1'
        list allowed_ips '0.0.0.0/0'
        list allowed_ips '::0/0'

config route
        option interface 'WGINTERFACE'
        option target '100.64.0.7/23'
        option disabled '1'
cat network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdc9:fcdb:2690::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.99.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'
        option peerdns '0'
        list dns '1.1.1.1'
        list dns '9.9.9.9'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'
        option reqaddress 'try'
        option reqprefix 'auto'

config interface 'WGINTERFACE'
        option proto 'wireguard'
        option private_key 'xxx'
        list addresses '10.71.80.225/32'
        option force_link '1'

config wireguard_WGINTERFACE
        option public_key 'xxx'
        option endpoint_host '185.195.232.70'
        option endpoint_port '51820'
        option route_allowed_ips '1'
        list allowed_ips '0.0.0.0/0'
        list allowed_ips '::0/0'

config route
        option interface 'WGINTERFACE'
        option target '100.64.0.7/23'
        option disabled '1'
cat dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'
        #list dhcp_option '6,10.64.0.1'    (does # comment out in ash?)

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'
cat firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone
        option name 'WGZONE'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'WGINTERFACE'

config forwarding
        option src 'lan'
        option dest 'WGZONE'

config forwarding
        option src 'lan'
        option dest 'wan'

config include 'pbr'
        option fw4_compatible '1'
        option type 'script'
        option path '/usr/share/pbr/firewall.include'
ip route show
default dev WGINTERFACE proto static scope link
100.64.0.0/10 dev wan proto kernel scope link src 100.71.122.211
185.195.232.70 via 100.64.0.1 dev wan proto static
192.168.99.0/24 dev br-lan proto kernel scope link src 192.168.99.1
ip rule show
0:      from all lookup local
29998:  from all fwmark 0x20000/0xff0000 lookup pbr_WGINTERFACE
30000:  from all fwmark 0x10000/0xff0000 lookup pbr_wan
32766:  from all lookup main
32767:  from all lookup default
wg show
interface: WGINTERFACE
  public key: xxx
  private key: (hidden)
  listening port: 37083

peer: xxx
  endpoint: 185.195.232.70:51820
  allowed ips: 0.0.0.0/0, ::/0
  latest handshake: 1 minute, 11 seconds ago
  transfer: 1.84 GiB received, 162.83 MiB sent
cat pbr
config pbr 'config'
        option enabled '0'
        option verbosity '2'
        option strict_enforcement '1'
        option resolver_set 'dnsmasq.nftset'
        list resolver_instance '*'
        option ipv6_enabled '0'
        list ignored_interface 'vpnserver'
        option boot_timeout '30'
        option rule_create_option 'add'
        option procd_reload_delay '1'
        option webui_show_ignore_target '0'
        option nft_rule_counter '0'
        option nft_set_auto_merge '1'
        option nft_set_counter '0'
        option nft_set_flags_interval '1'
        option nft_set_flags_timeout '0'
        option nft_set_gc_interval ''
        option nft_set_policy 'performance'
        option nft_set_timeout ''
        list webui_supported_protocol 'all'
        list webui_supported_protocol 'tcp'
        list webui_supported_protocol 'udp'
        list webui_supported_protocol 'tcp udp'
        list webui_supported_protocol 'icmp'

config include
        option path '/usr/share/pbr/pbr.user.aws'
        option enabled '0'

config include
        option path '/usr/share/pbr/pbr.user.netflix'
        option enabled '0'

config dns_policy
        option name 'Redirect Local IP DNS'
        option src_addr '192.168.1.5'
        option dest_dns '1.1.1.1'
        option enabled '0'

config policy
        option name 'Ignore Local Requests'
        option interface 'ignore'
        option dest_addr '10.0.0.0/24 10.0.1.0/24 192.168.100.0/24 192.168.1.0/24'
        option enabled '0'

config policy
        option name 'Plex/Emby Local Server'
        option interface 'wan'
        option src_port '8096 8920 32400'
        option enabled '0'

config policy
        option name 'Plex/Emby Remote Servers'
        option interface 'wan'
        option dest_addr 'plex.tv my.plexapp.com emby.media app.emby.media tv.emby.media'
        option enabled '0'
service pbr status

pbr - environment
pbr 1.1.8-r16 running on OpenWrt 24.10.1.

Dnsmasq version 2.90  Copyright (c) 2000-2024 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus UBus no-i18n no-IDN DHCP no-DHCPv6 no-Lua TFTP no-conntrack no-ipset no-nftset no-auth no-cryptohash no-DNSSEC no-ID loop-detect inotify dumpfile

pbr fw4 nft file: /usr/share/nftables.d/ruleset-post/30-pbr.nft
add chain inet fw4 pbr_mark_0x010000
add rule inet fw4 pbr_mark_0x010000  mark set mark and 0xff00ffff xor 0x010000
add rule inet fw4 pbr_mark_0x010000 return
add chain inet fw4 pbr_mark_0x020000
add rule inet fw4 pbr_mark_0x020000  mark set mark and 0xff00ffff xor 0x020000
add rule inet fw4 pbr_mark_0x020000 return

pbr chains - policies
        chain pbr_forward { # handle 37
        }
        chain pbr_input { # handle 38
        }
        chain pbr_output { # handle 39
        }
        chain pbr_postrouting { # handle 41
        }
        chain pbr_prerouting { # handle 40
        }
        chain pbr_dstnat { # handle 36
        }

pbr chains - marking
        chain pbr_mark_0x010000 { # handle 311
                meta mark set meta mark & 0xff01ffff | 0x00010000 # handle 393
                return # handle 394
        }
        chain pbr_mark_0x020000 { # handle 314
                meta mark set meta mark & 0xff02ffff | 0x00020000 # handle 395
                return # handle 396
        }

pbr nft sets

pbr tables & routing
IPv4 table 256 pbr_wan route:
default via 100.64.0.1 dev wan
IPv4 table 256 pbr_wan rule(s):
30000:  from all fwmark 0x10000/0xff0000 lookup pbr_wan

IPv4 table 257 pbr_WGINTERFACE route:
default via 10.71.80.225 dev WGINTERFACE
IPv4 table 257 pbr_WGINTERFACE rule(s):
29998:  from all fwmark 0x20000/0xff0000 lookup pbr_WGINTERFACE

Note that I haven't copied over the pbr tables yet. The originals weren't compatible but only had 1 client, sent to WAN, by MAC address.

On first glance it looks OK

You have your default route via WireGuard.

If that is what you want then you are good to go and can use PBR to route things (clients destinations etc.) via the WAN.

If you want the default route via the WAN, then disable Route Allowed IPs on the WireGuard peer; you can then route the things you want via WireGuard with PBR.

So I've enabled pbr:

cat pbr

config pbr 'config'
        option enabled '1'
        option verbosity '2'
        option strict_enforcement '1'
        option resolver_set 'dnsmasq.nftset'
        list resolver_instance '*'
        option ipv6_enabled '0'
        list ignored_interface 'vpnserver'
        option boot_timeout '30'
        option rule_create_option 'add'
        option procd_reload_delay '1'
        option webui_show_ignore_target '0'
        option nft_rule_counter '0'
        option nft_set_auto_merge '1'
        option nft_set_counter '0'
        option nft_set_flags_interval '1'
        option nft_set_flags_timeout '0'
        option nft_set_policy 'performance'
        list webui_supported_protocol 'all'
        list webui_supported_protocol 'tcp'
        list webui_supported_protocol 'udp'
        list webui_supported_protocol 'tcp udp'
        list webui_supported_protocol 'icmp'

config include
        option path '/usr/share/pbr/pbr.user.aws'
        option enabled '0'

config include
        option path '/usr/share/pbr/pbr.user.netflix'
        option enabled '0'

config dns_policy
        option name 'Redirect Local IP DNS'
        option src_addr '192.168.1.5'
        option dest_dns '1.1.1.1'
        option enabled '0'

config policy
        option name 'Ignore Local Requests'
        option interface 'ignore'
        option dest_addr '10.0.0.0/24 10.0.1.0/24 192.168.100.0/24 192.168.1.0/24'
        option enabled '0'

config policy
        option name 'Plex/Emby Local Server'
        option interface 'wan'
        option src_port '8096 8920 32400'
        option enabled '0'

config policy
        option name 'Plex/Emby Remote Servers'
        option interface 'wan'
        option dest_addr 'plex.tv my.plexapp.com emby.media app.emby.media tv.emby.media'
        option enabled '0'

config policy
        option name 'eve'
        option src_addr '06:A0:49:D3:A6:96, 192.168.99.216'
        option interface 'wan'

config policy
        option name 'shitpad'
        option src_addr '16:CC:63:4A:54:57'
        option interface 'wan'

And I noticed that within pbr GUI there was a warning:
Please set 'dhcp.lan.force=1' to speed up service start...
Resolver set (dnsmasq.nftset) is not supported on this system..
So I fixed that with `uci set dhcp.lan.force='1'`.

So mullvad.net/en/check says that clients that aren't in PBR are not using a VPN. But I noticed that it lists the WireGuard IP and the Mullvad server name??? I looked this server up, and it is correct — so I AM using the VPN. However, the IPv6 address is incorrect compared to the Mullvad server. So I think that is why mullvad/check is saying I am not using their VPN; am I leaking IPv6?

Quick query: what is the 'Associated Stations' table supposed to represent? Wi-Fi?

The server details

The client on pbr tables (it appears pbr is working here)

The client not on pbr tables with incorrect ipv6

And this is a client on eth

I'm not sure this is the right way of going about this, but I set a rule in the firewall to restrict address families to IPv4 only, and it appears to be fixed.

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option family 'ipv4'

A good way to check is using ipleak.net from the client to see what your IPv4 and IPv6 addresses are.

But it appears your problem was indeed IPv6, which you have "solved" by only allowing IPv4 on the WAN.

Better is to properly implement IPv6: Mullvad supports IPv6, and if your ISP and router support IPv6, then set up the WireGuard client the right way to support IPv6.

For instructions on how to properly set up a WireGuard client including IPv6, see my notes; you need the Client setup guide:

Wow, great documentation. I've starred your hub.
I will go through all of them, as it is a good source to learn from.

I've read the docs, and I believe I know which changes apply to me. One thing I am not certain about is where you obtained the IPv6 WireGuard subnet address from.

So you want me to:

  1. Ensure 'route_allowed_ips' is on.
  2. Add '::/0', '::/1', '8000::/0' to the allowed_ips.
  3. Set option masq6 '1' in firewall config zone wan.
  4. Set masq_src 'where to obtain this?'
  5. Return 'restrict to address family' back to ipv4 and ipv6

How come ipleak.net displays DNS from Mullvad when I set the DNS IP addresses to 1.1.1.1, as per your earlier instructions?