Hi, I have openwrt 23.05 on an access point, thsi access point has a single lan port that plugs into a firewall (not openwrt). Internet traffci works fine, but now im tryign t force spciefic traffci via an open vpn.
when I try and start pbr I get an error about trying to add a default route into table 256, but that route already exists, and just to confirm, my device doesnt have a wan only a lan:
root@Merak-openwrt:~# cat /etc/config/pbr
config pbr 'config'
option debug_dnsmasq '0'
option enabled '1'
option verbosity '2'
option strict_enforcement '1'
option resolver_set 'none'
list resolver_instance '*'
option ipv6_enabled '0'
option procd_wan_interface 'lan'
option boot_timeout '30'
option rule_create_option 'add'
option procd_boot_trigger_delay '5000'
option procd_reload_delay '1'
option webui_show_ignore_target '0'
option nft_rule_counter '0'
option nft_set_auto_merge '1'
option nft_set_counter '0'
option nft_set_flags_interval '1'
option nft_set_flags_timeout '0'
option nft_set_policy 'performance'
list webui_supported_protocol 'all'
list webui_supported_protocol 'tcp'
list webui_supported_protocol 'udp'
list webui_supported_protocol 'tcp udp'
list webui_supported_protocol 'icmp'
config include
option path '/usr/share/pbr/pbr.user.aws'
option enabled '0'
config include
option path '/usr/share/pbr/pbr.user.netflix'
option enabled '0'
config dns_policy
option name 'Redirect Local IP DNS'
option src_addr '192.168.1.5'
option dest_dns '1.1.1.1'
option enabled '0'
config policy
option name 'Ignore Local Requests'
option interface 'ignore'
option dest_addr '10.0.0.0/24 10.0.1.0/24 192.168.100.0/24 192.168.1.0/24'
option enabled '0'
config policy
option name 'Plex/Emby Local Server'
option interface 'wan'
option src_port '8096 8920 32400'
option enabled '0'
config policy
option name 'Plex/Emby Remote Servers'
option interface 'wan'
option dest_addr 'plex.tv my.plexapp.com emby.media app.emby.media tv.emby.media'
option enabled '0'
root@Merak-openwrt:~#
root@Merak-openwrt:~# /etc/init.d/pbr restart
Resetting chains and sets [✓]
Removing routing for 'vpn/tun0/10.35.14.52' [✓]
pbr 1.1.9-r1 (fw4 nft file mode) stopped [✓]
Command failed: Not found
Processing environment (on_start) [✓]
Setting up routing for 'vpn/tun0/10.35.14.52' [✗]
Installing fw4 nft file [✓]
Setting interface trigger for wan [✓]
Setting interface trigger for vpn [✓]
pbr 1.1.9-r1 monitoring interfaces: wan vpn
Command failed: Invalid argument
ERROR: Command failed: ip -4 route add default via 192.168.1.254 dev br-lan proto static src 192.168.1.250 table 256!
ERROR: Failed to set up 'vpn/tun0/10.35.14.52'!
ERROR: Failed to set up any gateway!
root@Merak-openwrt:~#
If you really want to use PBR, note that you do have to set your wan (which is your lan) in the pbr config see the PBR read.me but not sure if this will work or is sufficient
I have some additional notes about setting up a WireGuard client on a dumb AP but that does not include using PBR see: WireGuard Client Setup Guide
Yep thats actually what I have done, this is a new ssid called vpn, however the issue is I need things like netflix to go via vpn but my local streaming apps to go direct to wan else they do not work.
The Manual method with creating routing tables and routing rules does not support domain names directly. There is a workaround and that is using creating an ipset for your domains and adding an FWMARK to it, then use a rule with that FWMARK adding it to your desired routing table
This is not quite right you have made to default routes in the same routing table
Remove the vpnlan and when you add a rule to table lanroute then you should have routing via the lan assuming gateway is correct and firewall is correct.
N.B.: have you created lanroute as tablename in /etc/iproute2/rt_tables? Otherwise just use numbers
thanks I have removed the conflicting route. Infact I removed both static route entries and used the default gateway field in the lan network interface instead.
On a fresh PBR install the first error I get is:
ERROR: The wan interface not found, you need to set the 'pbr.config.procd_wan_interface' option!
So I define it as lan, because lan is my only interface. then I get this:
ERROR: Command failed: ip -4 route add default via 192.168.1.254 dev br-lan proto static table 256!
ERROR: Failed to set up 'vpn/tun0/10.35.14.4'!
ERROR: Failed to set up any gateway!
Looks to be confused between lan and vpn, I am wondering, is there a way to tell it not to try and add the routes? and I can just add the two entries myself?
Either you go the manual route with creating routing tables e.g.:
Or use the PBR app, do not use both.
If you want to see if the PBR app can work then remove the config route
That said I do not know for sure if the PBR app can work on a DumbAP as I have never tried it, but we can see if we can get it working.
Lets start with the current and full config, please connect to your OpenWRT device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button
Remember to redact keys, passwords, MAC addresses and any public IP addresses you may have but do not redact private RFC 1918 IP addresses as that is not needed:
ubus call system board
cat /etc/config/network
cat /etc/config/firewall
ip route show
ip route show table all
ip rule show
cat /etc/config/pbr
service pbr restart
service pbr status
I decided to go with a less elegant solution, however - pleased to say its working actually quite well.
I wrote a basic bash script to dig a list of domains against the same dns server the wifi clients are using, and add those to the main route table via the lan. cron it to run every 2 minutes and remove ip’s that are no longer matching. (also tip - disable ipv6)
Happy to share it but any AI could write to for you.
