PBR not working

After upgrading to OpenWrt 22.03.3, my PBR rule is not working.
I installed the PBR packages.
In the previous version I used the VPN-policy package, and the configuration was working.


root@OpenWrt:/etc/config# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'
        option cachesize '10000'
        list addnhosts '/etc/safe-search/enabled'
        option confdir '/tmp/dnsmasq.d'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option leasetime '12h'
        option dhcpv4 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'
        option ra 'hybrid'
        option dhcpv6 'hybrid'
        option limit '240'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config host
        option name 'viomi'
        option dns '1'
        option mac '50:ec:50:ee:b1:64'
        option ip '192.168.2.193'

config host
        option name 'rm4mini-leavingroom'
        option dns '1'
        option mac '24:df:a7:e4:74:95'
        option ip '192.168.2.102'

config host
        option ip '192.168.2.253'
        option mac '34:48:ED:CA:BA:E9'
        option name 'ILpolevoy02.lan'
        option dns '1'

config host
        option ip '192.168.2.190'
        option mac 'DC:A6:32:DF:64:DE'
        option name 'polevoy.duckdns.org'
        option dns '1'

config host
        option name 'KIDS-PC'
        option ip '192.168.2.104'
        option mac '10:7B:44:91:CA:66'

config host
        option name 'MOM-PC'
        option ip '192.168.2.125'
        option mac 'F4:6D:04:E9:2A:25'

config host
        option ip '192.168.2.192'
        option mac 'A0:85:FC:2C:9D:4F'
        option name 'XBOX-wifi'
        option dns '1'

config host
        option mac 'A4:50:46:68:F1:DF'
        option name 'Miriam-POCO'
        option dns '1'
        option ip '192.168.2.243'

config host
        option name 'lenovo-tab'
        option mac '84:B8:B8:3A:8A:24'
        option ip '192.168.2.124'

config host
        option name 'PARTNER-TV'
        option mac '98:93:CC:A8:0F:B1'
        option ip '192.168.2.109'

config host
        option name 'PRINTER'
        option mac '00:BB:C1:D2:45:7d'
        option ip '192.168.2.241'

config host
        option name 'TP-LINK'
        option mac 'F8:8C:21:DE:1F:FE'
        option ip '192.168.2.123'

config host
        option name 'OnePlus-Nord-CE-5G'
        option ip '192.168.2.115'
        option mac 'EE:1B:85:CC:12:C9'

config host
        option ip '192.168.2.177'
        option mac '98:06:3C:20:1C:26'
        option dns '1'
        option name 'Samsungtv.lan'

config host
        option name 'tasmota_zbridge1-1802'
        option ip '192.168.2.141'
        option mac '84:CC:A8:96:27:0A'

config host
        option ip '192.168.2.191'
        option mac 'A0:85:FC:2C:9D:4D'
        option name 'XBOX-lan'
        option dns '1'

config host
        option ip '192.168.2.201'
        option mac 'BE:F0:87:92:C2:71'
        option name 'David-phone'
        option dns '1'

config host
        option name 'OnePlus-Nord-CE-5G'
        option ip '192.168.2.127'
        option mac '9A:68:1E:11:37:67'

config host
        option name 'POCO-F2-Pro'
        option ip '192.168.2.160'
        option mac 'A6:D6:24:66:89:08'

config host
        option ip '192.168.2.220'
        option mac '28:CD:C4:04:8F:01'
        option name 'MOM-Laptop'
        option dns '1'

config host
        option ip '192.168.2.132'
        option mac '32:C7:D3:B7:F0:0C'
        option name 'MOM-phone'
        option dns '1'

config host
        option ip '192.168.2.227'
        option mac '5C:0C:E6:C7:0A:D7'
        option name 'Nintendo'
        option dns '1'

config host
        option name 'POCO-F2-Pro'
        option ip '192.168.2.185'
        option mac '1A:7C:78:F0:6F:1A'

config host
        option name 'solaredge'
        option dns '1'
        option mac '84:D6:C5:0A:A4:F2'
        option ip '192.168.2.236'

config host
        option name 'poco-yannai'
        option dns '1'
        option mac 'A4:50:46:4F:86:4B'
        option ip '192.168.2.207'

config domain
        option name 'polevoy.duckdns.org'
        option ip '192.168.2.190'

config host
        option ip '192.168.2.182'
        option mac '54:8D:5A:15:AC:6B'
        option name 'ILpolevoy02-wifi'
        option dns '1'

config host
        option ip '192.168.2.120'
        option mac '9E:FC:9C:F0:61:05'
        option name 'MOM-Phone'
        option dns '1'

config host
        option ip '192.168.2.108'
        option mac '40:91:51:4E:FE:47'
        option name 'switcher'
        option dns '1'

config host
        option ip '192.168.2.187'
        option mac '50:2C:C6:2F:20:23'
        option name 'Masterbedroom-AC'
        option dns '1'

config host
        option ip '192.168.2.206'
        option mac 'D0:5A:FD:6C:E8:BF'
        option name 'Mom-realme-7-5G'
        option dns '1'

config host
        option ip '192.168.2.121'
        option mac 'EC:0B:AE:EE:23:5A'
        option name 'yannai-remote'
        option dns '1'

config host
        option ip '192.168.2.152'
        option mac 'EC:0B:AE:EE:2B:04'
        option name 'computer-remote'
        option dns '1'

config host
        option ip '192.168.2.254'
        option mac 'EC:0B:AE:A0:58:32'
        option name 'david-Remote'
        option dns '1'

config host
        option name 'ThingsTurn_4A68'
        option ip '192.168.2.178'
        option mac '28:6D:CD:4E:4A:68'

root@OpenWrt:/etc/config# cat /etc/config/firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'wwan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'
        list network 'WAN'
        list network 'wanb'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled '0'

config include
        option path '/etc/firewall.user'

config redirect
        option target 'DNAT'
        option name 'HomeAssistant'
        list proto 'tcp'
        option src 'wan'
        option src_dport '8123'
        option dest 'lan'
        option dest_ip '192.168.2.190'
        option dest_port '8123'

config rule
        option name 'Filter-Parental-Controls-Friday'
        option src 'lan'
        option dest 'wan'
        option target 'REJECT'
        option weekdays 'Fri'
        option stop_time '23:59:59'
        option start_time '17:00:00'
        list proto 'all'

config rule
        option name 'Filter-Parental-Controls-SAT'
        option src 'lan'
        option dest 'wan'
        option target 'REJECT'
        option weekdays 'Sat'
        option start_time '00:00:00'
        option stop_time '17:50:00'
        list proto 'all'

config include 'pbr'
        option fw4_compatible '1'
        option type 'script'
        option path '/usr/share/pbr/pbr.firewall.include'

root@OpenWrt:/etc/config# cat /etc/config/network

config interface 'loopback'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'
        option device 'lo'

config globals 'globals'
        option ula_prefix 'fdeb:426f:7ff6::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config interface 'lan'
        option proto 'static'
        option device 'eth0'
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'

config device
        option name 'eth0'
        option ipv6 '0'

config interface 'WAN'
        option device 'eth1'
        option proto 'dhcp'
        option metric '1'
        option peerdns '0'
        list dns '208.67.222.222'
        list dns '208.67.220.220'

config interface 'wwan'
        option proto 'dhcp'
        option auto '0'

config device
        option name 'eth1'
        option ipv6 '0'

config device
        option name 'eth2'
        option ipv6 '0'

config interface 'wanb'
        option device 'eth2'
        option proto 'dhcp'
        option metric '20'

root@OpenWrt:/etc/config# cat /etc/config/pbr

config pbr 'config'
        option verbosity '2'
        option strict_enforcement '1'
        option resolver_set 'none'
        option ipv6_enabled '0'
        list ignored_interface 'vpnserver'
        list ignored_interface 'wgserver'
        option boot_timeout '30'
        option rule_create_option 'add'
        option procd_reload_delay '1'
        option webui_show_ignore_target '0'
        list webui_supported_protocol 'all'
        list webui_supported_protocol 'tcp'
        list webui_supported_protocol 'udp'
        list webui_supported_protocol 'tcp udp'
        list webui_supported_protocol 'icmp'
        option enabled '1'

config include
        option path '/usr/share/pbr/pbr.user.aws'
        option enabled '0'

config include
        option path '/usr/share/pbr/pbr.user.netflix'
        option enabled '0'

config policy
        option name 'HA'
        option interface 'wanb'
        option src_addr '192.168.2.190/32'
        option dest_addr '0.0.0.0/0'

config policy
        option name 'Plex/Emby Local Server'
        option interface 'wan'
        option src_port '8096 8920 32400'
        option enabled '0'

config policy
        option name 'Plex/Emby Remote Servers'
        option interface 'wan'
        option dest_addr 'plex.tv my.plexapp.com emby.media app.emby.media tv.emby.media'
        option enabled '0'

root@OpenWrt:/etc/config# /etc/init.d/pbr status
============================================================
pbr - environment
pbr 1.0.1-16 running on OpenWrt 22.03.3. WAN (IPv4): WAN/eth1/192.168.1.1.
============================================================
Dnsmasq version 2.86  Copyright (c) 2000-2021 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus UBus no-i18n no-IDN DHCP no-DHCPv6 no-Lua TFTP no-conntrack no-ipset no-auth no-cryptohash no-DNSSEC no-ID loop-detect inotify dumpfile
============================================================
pbr chains - policies
        chain pbr_forward {
        }
        chain pbr_input {
        }
        chain pbr_output {
        }
        chain pbr_prerouting {
                ip saddr @pbr_wanb_4_src_ip_cfg046ff5 ip daddr @pbr_wanb_4_dst_ip_cfg046ff5 goto pbr_mark_0x030000 comment "HA"
        }
        chain pbr_postrouting {
        }
============================================================
pbr chains - marking
        chain pbr_mark_0x010000 {
                counter packets 0 bytes 0 meta mark set meta mark & 0xff01ffff | 0x00010000
                return
        }
        chain pbr_mark_0x020000 {
                counter packets 0 bytes 0 meta mark set meta mark & 0xff02ffff | 0x00020000
                return
        }
        chain pbr_mark_0x030000 {
                counter packets 691 bytes 59076 meta mark set meta mark & 0xff03ffff | 0x00030000
                return
        }
============================================================
pbr nft sets
        set pbr_wanb_4_src_ip_cfg046ff5 {
                type ipv4_addr
                flags interval
                auto-merge
                comment "HA"
                elements = { 192.168.2.190 }
        }
        set pbr_wanb_4_dst_ip_cfg046ff5 {
                type ipv4_addr
                flags interval
                auto-merge
                comment "HA"
                elements = { 0.0.0.0-255.255.255.255 }
        }
============================================================
IPv4 table 256 route: default via 192.168.1.1 dev eth1 
default via 192.168.1.1 dev eth1 proto static src 192.168.1.2 metric 1 
IPv4 table 256 rule(s):
30000:  from all fwmark 0x10000/0xff0000 lookup pbr_WAN
IPv4 table 257 route: unreachable default 
default via 192.168.1.1 dev eth1 proto static src 192.168.1.2 metric 1 
IPv4 table 257 rule(s):
30001:  from all fwmark 0x20000/0xff0000 lookup pbr_wwan
IPv4 table 258 route: default via 192.168.4.101 dev eth2 
default via 192.168.1.1 dev eth1 proto static src 192.168.1.2 metric 1 
IPv4 table 258 rule(s):
30002:  from all fwmark 0x30000/0xff0000 lookup pbr_wanb
root@OpenWrt:/etc/config# /etc/init.d/pbr reload verbose=2
Activating traffic killswitch [✗]
Setting up routing for 'WAN/eth1/192.168.1.1' [✓]
Setting up routing for 'wwan/0.0.0.0' [✓]
Setting up routing for 'wanb/eth2/192.168.4.101' [✓]
Routing 'HA' via wanb [✓]
pbr.cfg056ff5.name=Plex/Emby Local Server validates as string with true
pbr.cfg056ff5.enabled=0 validates as bool with true
pbr.cfg056ff5.interface=wan validates as or(uci("network", "@interface"),"ignore") with false
pbr.cfg056ff5.proto is unset and defaults to or(string) (null)
pbr.cfg056ff5.chain is unset and defaults to or("", "forward", "input", "output", "prerouting", "postrouting", "FORWARD", "INPUT", "OUTPUT", "PREROUTING", "POSTROUTING") prerouting
pbr.cfg056ff5.src_addr is unset and defaults to list(neg(or(host,network,macaddr,string))) (null)
pbr.cfg056ff5.src_port=8096 8920 32400 validates as list(neg(or(portrange,string))) with true
pbr.cfg056ff5.dest_addr is unset and defaults to list(neg(or(host,network,string))) (null)
pbr.cfg056ff5.dest_port is unset and defaults to list(neg(or(portrange,string))) (null)
pbr.cfg066ff5.name=Plex/Emby Remote Servers validates as string with true
pbr.cfg066ff5.enabled=0 validates as bool with true
pbr.cfg066ff5.interface=wan validates as or(uci("network", "@interface"),"ignore") with false
pbr.cfg066ff5.proto is unset and defaults to or(string) (null)
pbr.cfg066ff5.chain is unset and defaults to or("", "forward", "input", "output", "prerouting", "postrouting", "FORWARD", "INPUT", "OUTPUT", "PREROUTING", "POSTROUTING") prerouting
pbr.cfg066ff5.src_addr is unset and defaults to list(neg(or(host,network,macaddr,string))) (null)
pbr.cfg066ff5.src_port is unset and defaults to list(neg(or(portrange,string))) (null)
pbr.cfg066ff5.dest_addr=plex.tv my.plexapp.com emby.media app.emby.media tv.emby.media validates as list(neg(or(host,network,string))) with true
pbr.cfg066ff5.dest_port is unset and defaults to list(neg(or(portrange,string))) (null)
Deactivating traffic killswitch [✓]
pbr 1.0.1-16 monitoring interfaces: wwan wanb 
pbr 1.0.1-16 (nft) started with gateways:
WAN/eth1/192.168.1.1 [✓]
wwan/0.0.0.0
wanb/eth2/192.168.4.101
root@OpenWrt:/etc/config# 
  • What previous version?
  • What device are you using?

In the network configuration you have `WAN`, but in PBR you use `wan`. These are not the same interface name, as Linux (and UCI) is case-sensitive.


The previous version was 22.03.2,
running on a Raspberry Pi 4.

I am referring to the following policy:

config policy
        option name 'HA'
        option interface 'wanb'
        option src_addr '192.168.2.190/32'
        option dest_addr '0.0.0.0/0'

You may be referring to that one, but PBR starts with errors because other policies reference an unknown uplink interface. Fix that first.


Hi,
I have removed the problematic configuration, and the service now starts without errors:

root@OpenWrt:~# /etc/init.d/pbr reload verbose=2
Activating traffic killswitch [✗]
Setting up routing for 'WAN/eth1/192.168.1.1' [✓]
Setting up routing for 'wwan/0.0.0.0' [✓]
Setting up routing for 'wanb/eth2/192.168.4.101' [✓]
Routing 'HA' via wanb [✓]
Deactivating traffic killswitch [✓]
pbr 1.0.1-16 monitoring interfaces: wwan wanb 
pbr 1.0.1-16 (nft) started with gateways:
WAN/eth1/192.168.1.1 [✓]
wwan/0.0.0.0
wanb/eth2/192.168.4.101

But the problem persists.

As per stangri's recommendation, remove the metrics from the interfaces.
Also verify that packets from the policy's source actually leave via wanb (eth2):
opkg update; opkg install tcpdump; tcpdump -i eth2 -vn -s0 -c10
then start a ping from 192.168.2.190 to capture some traffic.

