PBR route domain through specific interface

Hi folks! Been struggling to route specific domains through my desired interface, but can't make it work. Could somebody please advise why my "hosts_to_skip_wg" does not kick in when a client is within the 192.168.1.1/24 network and I am still being routed through WG0?

config pbr 'config'
	option verbosity '2'
	option strict_enforcement '1'
	option src_ipset '0'
	option dest_ipset '0'
	list ignored_interface 'vpnserver wgserver'
	option boot_timeout '30'
	option procd_reload_delay '1'
	option webui_enable_column '0'
	option webui_protocol_column '0'
	option webui_chain_column '0'
	option webui_sorting '1'
	list webui_supported_protocol 'tcp'
	list webui_supported_protocol 'udp'
	list webui_supported_protocol 'tcp udp'
	list webui_supported_protocol 'icmp'
	list webui_supported_protocol 'all'
	option ipv6_enabled '1'
	option resolver_set 'none'
	option rule_create_option 'add'
	option enabled '1'
	option webui_show_ignore_target '1'

config include
	option path '/etc/pbr.netflix.user'
	option enabled '0'

config include
	option path '/etc/pbr.aws.user'
	option enabled '0'

config policy
	option name 'Allow LAN access from OpenVPN'
	option interface 'ignore'
	option dest_addr '192.168.8.0/24'

config policy
	option name 'Allow LAN access from VPN FREE'
	option dest_addr '192.168.20.0/24'
	option interface 'ignore'

config policy
	option interface 'wan'
	option name 'openvpn'
	option src_port '1194'
	option proto 'tcp'
	option chain 'output'

config policy
	option name 'LIANLI_to_wan'
	option chain 'output'
	option interface 'wan'
	option src_addr '192.168.1.233'
	option enabled '0'

config policy
	option name 'hosts_to_skip_wg'
	option src_addr '192.168.1.1/24'
	option dest_addr 'ipchicken.com'
	option interface 'wan'
	option chain 'output'

config policy
	option name 'lan_to_wg'
	option src_addr '192.168.1.1/24'
	option interface 'WG0'

config policy
	option name 'openvpn_in_to_wg'
	option src_addr '192.168.8.0/24'
	option interface 'WG0'

config policy
	option name 'guest_to_vpn'
	option src_addr '192.168.30.1/24'
	option interface 'WG0'

config policy
	option src_addr '192.168.10.1/24'
	option name 'iot_to_vpn'
	option interface 'WG0'

config policy
	option name 'iot_to_wan'
	option src_addr '192.168.40.1/24'
	option chain 'output'
	option interface 'wan'

config policy
	option name 'vpn_free'
	option interface 'wan'
	option chain 'output'
	option src_addr '192.168.20.1/24'

config policy
	option name 'transmission'
	option interface 'WG0'
	option src_addr '172.16.0.2'
	option chain 'output'

config policy
	option interface 'wan'
	option enabled '0'

Could somebody please advise? Happy New Year! :slight_smile:

You have used the output chain, which is for the router only, and I think it is for your clients to use, so it should be on the FORWARD chain (which is the default, I think), so just try deleting option chain 'output'.

Second possible problem, you already have this:

It depends on what has precedence; you might need to swap these in the config file (but better read up on 'precedence', it is in the documentation).

  • From my side of the world, an nslookup of ipchicken.com resolves to 3 IPv4 addresses
  • Is it valid to make such a PBR entry (i.e. a domain)?
  • Do the IPs work instead?

Made it happen. Thanks for the hint about direct IP addresses.
To resolve my problem:

  1. First of all I forgot about the firewall. So I opened access from lan to wan.
  2. Afterwards installed dnsmasq-full for the pbr resolver.
  3. Changed the default service gateway from WAN back to the VPN tunnel so I am covered in situations when PBR is off.
  4. Changed all rules that had the chain set to output to prerouting.
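The two causes the thread settles on (a client-subnet policy put on the output chain, which only sees traffic the router itself originates, and a domain name in dest_addr while resolver_set is 'none', so the name is only resolved when the service starts) are easy to miss by eye in a long /etc/config/pbr. Below is an added example, written for this thread and not code from the poster or from the PBR project, that parses a UCI-style pbr config and flags those two patterns plus CIDR notation with host bits set. The sample config is a constructed excerpt modelled on the first config posted above; the chain and resolver semantics encoded in the messages are assumptions taken from the thread's diagnosis and the PBR README, not verified against the package source.

```python
import ipaddress
import re

# Constructed excerpt in UCI syntax, modelled on the first config in the thread.
# Only the sections needed for the checks are included.
SAMPLE_PBR_CONFIG = """
config pbr 'config'
	option resolver_set 'none'
	option enabled '1'

config policy
	option name 'hosts_to_skip_wg'
	option src_addr '192.168.1.1/24'
	option dest_addr 'ipchicken.com'
	option interface 'wan'
	option chain 'output'

config policy
	option name 'lan_to_wg'
	option src_addr '192.168.1.1/24'
	option interface 'WG0'

config policy
	option name 'transmission'
	option interface 'WG0'
	option src_addr '172.16.0.2'
	option chain 'output'
"""

def parse_uci(text):
    """Minimal UCI parser: list of (section_type, {key: value_or_list}) in file order."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = re.match(r"^config\s+(\S+)(?:\s+'([^']*)')?$", line)
        if m:
            sections.append((m.group(1), {}))
            continue
        m = re.match(r"^(option|list)\s+(\S+)\s+'([^']*)'$", line)
        if m and sections:
            kind, key, val = m.groups()
            opts = sections[-1][1]
            if kind == 'list':
                opts.setdefault(key, []).append(val)
            else:
                opts[key] = val
    return sections

def is_ip_or_cidr(value):
    """True for a bare address or CIDR prefix; False for a domain name."""
    try:
        ipaddress.ip_network(value, strict=False)
        return True
    except ValueError:
        return False

def lint_pbr(text):
    """Return (policy_name, code, message) findings for enabled policies."""
    findings = []
    sections = parse_uci(text)
    # Assumption: PBR's default resolver_set is 'none'.
    resolver = 'none'
    for stype, opts in sections:
        if stype == 'pbr':
            resolver = opts.get('resolver_set', 'none')
    for stype, opts in sections:
        if stype != 'policy' or opts.get('enabled', '1') == '0':
            continue
        name = opts.get('name', '<unnamed>')
        chain = opts.get('chain', 'prerouting')  # assumption: prerouting is PBR's default chain
        src = opts.get('src_addr')
        dst = opts.get('dest_addr')
        if src and is_ip_or_cidr(src):
            net = ipaddress.ip_network(src, strict=False)
            if chain == 'output' and net.num_addresses > 1:
                findings.append((name, 'OUTPUT_CHAIN_WITH_CLIENT_SRC',
                                 "chain 'output' only matches traffic the router itself "
                                 "originates, so a client subnet in src_addr never hits it; "
                                 "drop the chain option (prerouting)"))
            if '/' in src and str(net) != src:
                findings.append((name, 'HOST_BITS_SET',
                                 f"src_addr {src} has host bits set; the network is {net}"))
        if dst and not is_ip_or_cidr(dst) and resolver == 'none':
            findings.append((name, 'DOMAIN_NEEDS_RESOLVER_SET',
                             f"dest_addr '{dst}' is a domain but resolver_set is 'none'; "
                             "it is only resolved when the service starts. The thread's fix "
                             "was dnsmasq-full with resolver_set 'dnsmasq.nftset'"))
    return findings

if __name__ == '__main__':
    for name, code, msg in lint_pbr(SAMPLE_PBR_CONFIG):
        print(f"[{code}] {name}: {msg}")
```

On the constructed sample this reports three findings for hosts_to_skip_wg (output chain with a client subnet, host bits set, and a domain with no resolver set) and one for lan_to_wg (host bits set); the single-host transmission policy on the output chain is left alone, since a /32 can legitimately be the router's own address. Point it at a real file with `lint_pbr(open('/etc/config/pbr').read())`.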

Can you post the config?

config pbr 'config'
	option verbosity '2'
	option strict_enforcement '1'
	option src_ipset '0'
	option dest_ipset '0'
	list ignored_interface 'vpnserver wgserver'
	option boot_timeout '30'
	option procd_reload_delay '1'
	option webui_enable_column '0'
	option webui_protocol_column '0'
	option webui_chain_column '0'
	option webui_sorting '1'
	list webui_supported_protocol 'tcp'
	list webui_supported_protocol 'udp'
	list webui_supported_protocol 'tcp udp'
	list webui_supported_protocol 'icmp'
	list webui_supported_protocol 'all'
	option ipv6_enabled '1'
	option resolver_set 'dnsmasq.nftset'
	option rule_create_option 'add'
	option enabled '1'
	option webui_show_ignore_target '1'

config include
	option path '/etc/pbr.netflix.user'
	option enabled '0'

config include
	option path '/etc/pbr.aws.user'
	option enabled '0'

config policy
	option name 'Allow LAN access from OpenVPN'
	option interface 'ignore'
	option dest_addr '192.168.8.0/24'

config policy
	option name 'Allow LAN access from VPN FREE'
	option dest_addr '192.168.20.0/24'
	option interface 'ignore'

config policy
	option interface 'wan'
	option name 'openvpn'
	option src_port '1194'
	option proto 'tcp'
	option chain 'output'

config policy
	option name 'hosts_to_skip_wg'
	option dest_addr 'ipchicken.com'
	option interface 'wan'

config policy
	option name 'lan_to_wg'
	option src_addr '192.168.1.1/24'
	option interface 'WG0'

config policy
	option name 'openvpn_in_to_wg'
	option src_addr '192.168.8.0/24'
	option interface 'WG0'

config policy
	option name 'guest_to_vpn'
	option src_addr '192.168.30.1/24'
	option interface 'WG0'

config policy
	option src_addr '192.168.10.1/24'
	option name 'iot_to_vpn'
	option interface 'WG0'

config policy
	option name 'iot_to_wan'
	option src_addr '192.168.40.1/24'
	option interface 'wan'

config policy
	option name 'vpn_free'
	option interface 'wan'
	option src_addr '192.168.20.1/24'

config policy
	option name 'transmission'
	option interface 'WG0'
	option src_addr '172.16.0.2'

config policy
	option interface 'wan'
	option enabled '0'