PBR routing transmission over wgclient fails

Hello!,

So I'm trying to route my transmission over wgclient by using the policy-based-routing package.

But for some reason it keeps sending all my traffic to WAN regardless.

Here is a screenshot of the advanced setup; the 2 bottom rules are the ones in question:

I also tried setting the 0.0.0.0 IP in Transmission to 10.234.53.1 (the LAN gateway) and then routing policies over this IP, but for some reason when I check the traffic graph in OpenWrt I see my WAN IP as src and connections to torrent peers. I also added the output rule temporarily, as I have seen this on other topics, but I think the prerouting should usually work.

Did I miss a forwarding rule?

Are you sure that Transmission uses a fixed port for outgoing connections?


If I'm correct, in the configuration I have set the peer port; I believe this should make it static. From what I could see in the traffic graph in OpenWrt, in the connections tab, I saw my ISP IP talking to the BitTorrent peers on that port, which is wrong.

However, I also tried to use aria2, and with one static port it seems like 0.0.0.0 is completely ignored.

Here are my configurations for OpenWrt 22.03.4 (Mochabin):

PBR:

config pbr 'config'
        option verbosity '2'
        option strict_enforcement '1'
        option resolver_set 'none'
        option ipv6_enabled '0'
        list ignored_interface 'vpnserver'
        list ignored_interface 'wgserver'
        option boot_timeout '30'
        option rule_create_option 'add'
        option procd_reload_delay '1'
        option webui_show_ignore_target '1'
        option enabled '1'
        list webui_supported_protocol 'all'
        list webui_supported_protocol 'tcp'
        list webui_supported_protocol 'udp'
        list webui_supported_protocol 'tcp udp'
        list webui_supported_protocol 'icmp'
        list webui_supported_protocol 'wireguard'
        list supported_interface 'lan'
        list supported_interface 'iptv'
        list supported_interface 'pcnet'
        list supported_interface 'steamcache'
        list supported_interface 'tvnet'
        list supported_interface 'wlan0'
        list supported_interface 'wlan1'
        list supported_interface 'zigbee'
        list supported_interface 'neko'
        list supported_interface 'blackhole'

config policy
        option interface 'ignore'
        option name 'Allow-IGMP'
        option src_addr '224.0.0.254'
        option dest_port '5353 5443'

config policy
        option interface 'ignore'
        option dest_addr '10.234.53.1 10.234.53.10 10.234.53.20 10.234.53.3'
        option name 'Default-Allow-PCnet-To-Modem'
        option src_addr '10.34.79.0/24'

config policy
        option name 'allow-transmission'
        option src_addr '10.34.79.0/24'
        option dest_port '9091'
        option interface 'ignore'
        option dest_addr '10.234.53.1'

config policy
        option dest_addr '192.168.16.2'
        option src_addr '10.14.0.0/24 10.34.79.0/24'
        option name 'Neko Ignore-locals'
        option interface 'ignore'

config policy
        option src_addr '192.168.16.2'
        option dest_addr '10.34.79.0/24 10.14.0.0/24'
        option interface 'ignore'
        option name 'Neko-ignore-locals-2'

config policy
        option dest_port '8008 8009 8443 5353 5443'
        option interface 'ignore'
        option name 'Allow-Chromecast-Via-WGServer-To-Zigbee'
        option src_addr '10.14.0.0/24'
        option dest_addr '10.33.77.0/24'

config policy
        option dest_port '8008 8009 8443 5353 5443'
        option interface 'ignore'
        option name 'Allow-chromecast-Via-Zigbee-To-WGServer'
        option src_addr '10.33.77.0/24'
        option dest_addr '10.14.0.0/24'

config policy
        option interface 'ignore'
        option name 'Default-Allow-steamcache'
        option dest_addr '172.19.0.2'
        option src_addr '10.34.79.0/24 10.14.0.0/24'

config policy
        option name 'Ignore mdns'
        option interface 'ignore'
        option dest_addr '224.0.0.0/24'

config policy
        option name 'ignore mdns'
        option interface 'ignore'
        option src_addr '224.0.0.0/24'

config policy
        option name 'Ignore-printer'
        option src_addr '10.33.77.5'
        option interface 'ignore'

config policy
        option name 'Ignore-printer'
        option src_addr '10.34.79.0/24 10.14.0.0/24'
        option dest_addr '10.33.77.5'
        option interface 'ignore'

config policy
        option name 'Default-Allow-WGServer'
        option interface 'wgclient'
        option src_addr '10.14.0.0/24'

config policy
        option interface 'wgclient'
        option name 'neko'
        option src_addr '192.168.16.2'

config policy
        option name 'Default-Allow-WG'
        option interface 'wgclient'
        option src_addr '10.34.79.0/24 10.234.80.0/24 10.234.81.0/24'

config policy
        option interface 'wgclient'
        option dest_port '6881'
        option src_addr '0.0.0.0/0'
        option name 'aria2'

config policy
        option src_port '6881'
        option interface 'wgclient'
        option src_addr '0.0.0.0/0'
        option name 'aria2'

config policy
        option name 'transmission'
        option dest_port '51413'
        option interface 'wgclient'
        option src_addr '0.0.0.0/0'

config policy
        option name 'transmission'
        option src_port '51413'
        option interface 'wgclient'
        option src_addr '0.0.0.0/0'

firewall:

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option synflood_protect '1'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'lan'

config zone
        option name 'wlan0'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'wlan0'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone
        option name 'wlan1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'wlan1'

config zone
        option name 'zigbee'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'zigbee'

config zone
        option name 'tvnet'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'tvnet'

config zone
        option name 'wgclient'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option input 'DROP'
        option mtu_fix '1'
        list network 'wgclient'

config forwarding
        option src 'wgclient'
        option dest 'wan'

config forwarding
        option src 'zigbee'
        option dest 'wan'

config forwarding
        option src 'tvnet'
        option dest 'wan'

config forwarding
        option src 'lan'
        option dest 'wan'

config zone
        option name 'pcnet'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'pcnet'

config zone
        option name 'neko'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'neko'

config rule
        option name 'Allow-IGMP-Proxy-Lan'
        option src 'lan'
        option dest 'lan'
        list dest_ip '224.0.0.1/4'
        option target 'ACCEPT'

config zone
        option name 'iptv'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'iptv'

config forwarding
        option src 'iptv'
        option dest 'wan'

config rule
        option name 'allow iptv'
        option src 'lan'
        option dest 'iptv'
        option target 'ACCEPT'

config rule
        option name 'allow-mcast'
        option src 'iptv'
        option dest 'lan'
        list dest_ip '224.0.0.1/4'
        option target 'ACCEPT'

config forwarding
        option src 'lan'
        option dest 'iptv'

config include
        option path '/etc/firewall.fail2ban'
        option enabled '1'
        option reload '1'

config zone
        option name 'wgserver'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wgserver'

config forwarding
        option src 'wlan0'
        option dest 'wgserver'

config rule
        option name 'Allow-chromecast'
        option src 'zigbee'
        list dest_ip '224.0.0.251'
        option target 'ACCEPT'
        option dest_port '5353 5443'
        option dest '*'

config rule
        option name 'Allow-Chromecast'
        option target 'ACCEPT'
        option dest 'zigbee'
        option src 'wgserver'
        option dest_port '8008 8009 8443 5353 5443'

config rule
        option name 'Allow-Chromecast'
        option target 'ACCEPT'
        option src 'zigbee'
        option dest_port '8008 8009 8443'
        option dest 'wgserver'

config forwarding
        option src 'wgserver'
        option dest 'wgclient'

config forwarding
        option src 'wlan1'
        option dest 'wgserver'

config forwarding
        option src 'pcnet'
        option dest 'wgclient'

config rule
        option src 'lan'
        option dest 'zigbee'
        list dest_ip '10.33.77.5'
        option dest_port '80 443'
        option target 'ACCEPT'
        option name 'Allow-Printer-To-Lan'

config rule
        option name 'Allow pcnet to switch'
        option src 'pcnet'
        option dest 'lan'
        option target 'ACCEPT'
        list proto 'all'
        list dest_ip '10.234.53.10'
        list dest_ip '10.234.53.20'
        list dest_ip '10.234.53.3'
        list dest_ip '10.234.53.4'

config rule
        option name 'Allow-ChromeCast'
        option src 'wgserver'
        list dest_ip '224.0.0.251'
        option dest_port '5353 8008-8009 8443'
        option target 'ACCEPT'
        option enabled '0'

config redirect
        option dest 'wgclient'
        option target 'DNAT'
        option name 'force_pcnet_wgclient'
        option src 'pcnet'
        option src_dport '53'
        option dest_ip '0.0.0.0'
        option enabled '0'

config rule
        option name 'Allow_Chromecast'
        option src 'zigbee'
        list dest_ip '224.0.0.251'
        option dest_port '5353 8008-8009 8443'
        option target 'ACCEPT'
        option enabled '0'

config zone 'docker'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option name 'docker'
        list network 'docker'

config zone
        option name 'steamcache'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'SteamCache'

config zone
        option name 'wan'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option input 'DROP'
        option mtu_fix '1'
        list network 'wan'

config forwarding
        option src 'steamcache'
        option dest 'wan'

config rule
        option name 'Allow-SteamCache'
        option dest 'steamcache'
        option target 'ACCEPT'
        list dest_ip '172.19.0.2'
        list proto 'all'
        option src 'pcnet'

config rule
        option name 'Allow-SteamCachce'
        list proto 'all'
        option src 'wgserver'
        option dest 'steamcache'
        list dest_ip '172.19.0.2'
        option target 'ACCEPT'

config include 'pbr'
        option fw4_compatible '1'
        option type 'script'
        option path '/usr/share/pbr/pbr.firewall.include'

config rule
        option src 'pcnet'
        option dest 'zigbee'
        option target 'ACCEPT'
        option name 'Allow-PCnet-To-Printer'
        list proto 'tcp'
        list proto 'udp'
        list proto 'icmp'
        list dest_ip '10.33.77.5'
        option dest_port '443 80 3911'

config forwarding
        option src 'neko'
        option dest 'wgclient'

config rule
        option name 'Allow-wgserver-to-neko'
        option src 'wgserver'
        option dest 'neko'
        list dest_ip '192.168.16.2'
        option target 'ACCEPT'

config rule
        option name 'Allow-pcnet-to-neko'
        option src 'pcnet'
        option dest 'neko'
        option target 'ACCEPT'
        list dest_ip '192.168.16.2'
        list proto 'all'

config rule
        option name 'Wgserver-to-printer'
        option src 'wgserver'
        option dest 'zigbee'
        list dest_ip '10.33.77.5'
        option target 'ACCEPT'

config rule
        option name 'tmp-allow-wgserver-flint'
        option src 'wgserver'
        option dest 'lan'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option name 'Block-torrent-from-lan'
        option target 'DROP'
        option src_port '51413'
        option dest 'wan'

config rule
        option name 'Allow-Pcnet-to-transmission'
        option src 'pcnet'
        option dest 'lan'
        option dest_port '9091'
        option target 'ACCEPT'

transmission:

config transmission
        option enable '1'
        option config_dir '/etc/transmission'
        option alt_speed_enabled 'false'
        option alt_speed_time_enabled 'false'
        option blocklist_enabled 'false'
        option dht_enabled 'true'
        option encryption '1'
        option incomplete_dir_enabled 'false'
        option lazy_bitfield_enabled 'true'
        option lpd_enabled 'false'
        option message_level '2'
        option open_file_limit '32'
        option peer_limit_global '240'
        option peer_limit_per_torrent '60'
        option peer_port '51413'
        option peer_port_random_on_start 'false'
        option peer_socket_tos '0'
        option pex_enabled 'true'
        option port_forwarding_enabled 'false'
        option preallocation '1'
        option ratio_limit_enabled 'false'
        option rename_partial_files 'true'
        option rpc_authentication_required 'false'
        option rpc_enabled 'true'
        option rpc_port '9091'
        option script_torrent_done_enabled 'false'
        option speed_limit_down_enabled 'false'
        option speed_limit_up '40'
        option speed_limit_up_enabled 'true'
        option start_added_torrents 'false'
        option trash_original_torrent_files 'false'
        option umask '18'
        option upload_slots_per_torrent '14'
        option watch_dir_enabled 'false'
        option enabled '1'
        option user 'root'
        option group 'root'
        option download_dir '/opt/transmission'
        option scrape_paused_torrents_enabled 'false'
        option utp_enabled 'false'
        option download_queue_enabled 'false'
        option queue_stalled_enabled 'false'
        option seed_queue_enabled 'false'
        option idle_seeding_limit_enabled 'false'
        option rpc_host_whitelist_enabled 'true'
        option rpc_whitelist_enabled 'false'
        option rpc_bind_address '0.0.0.0'
        option rpc_host_whitelist '10.34.79.*'
        option bind_address_ipv4 '0.0.0.0/0'

10.34.79.0/24 is pcnet, where my PC is connected; this is used for UI access. 10.234.53.0/24 is the default LAN, where 0.0.0.0 is loopback for 10.234.53.1.

Transmission is not using the peer port to connect outbound. It is better to send the whole IP's traffic over the VPN or use the high ports, e.g. over 30,000.


I have tried to do it with ports 10000-65535, but then LuCI is no longer accessible. I think I'm going to give up :stuck_out_tongue:

I also looked into the --interface option in aria2 and set it to the gateway of pcnet, 10.34.79.1, but then the output chain made only the LuCI HTTP and AriaNg web UI inaccessible, while HTTPS kept working. Anyhow, it kept trying to use WAN even when I stopped the wgclient interface. I did notice something odd, however: once I turned down wgclient and re-routed the policies through PBR, wgclient showed a 0.0.0.0 route as gateway. I suspect this may be the issue.

Remove the rules with the output chain. These are used for router-originated packets. For packets traversing the router, the prerouting chain must be used.


Well, I got it to work, but I decided to take a different road: I went with a Docker container, and that worked excellently. I suspect 0.0.0.0 is a wildcard in PBR itself on the ignore rule, so that would probably never have worked for me (makes sense as anti-lockdown, so I think that was intended :stuck_out_tongue:). Also, since the passive ports often get mixed with other passive ports like VPN and SSL, I have now singled it out to a single IP, which I can easily manage :slight_smile:

Thanks for helping :smiley:

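Two points in this thread decide the outcome: the reply that Transmission does not use the peer port for outbound connections, and the final post's move to a single dedicated IP. The following is an added example, not code from the thread or from the pbr package: a toy first-match evaluator in the spirit of PBR's policies, run over constructed flows, to show which BitTorrent flows a src_port/dest_port policy actually selects and why a source-address policy behaves differently. The flow addresses (203.0.113.0/24 and 198.51.100.0/24 as peers, 10.234.53.200 as a dedicated host address) and the "first matching policy wins, default route is wan" model are assumptions of this example.

```python
"""Added example (not from the thread): a minimal PBR-style policy matcher
run over constructed BitTorrent flows."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PortRange = Tuple[int, int]  # inclusive


@dataclass(frozen=True)
class Flow:
    label: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Policy:
    """Subset of a pbr 'config policy' section: addresses as CIDR, ports as
    inclusive ranges; interface 'ignore' means 'use the default route'."""
    name: str
    interface: str
    src_addr: str = "0.0.0.0/0"
    dest_addr: str = "0.0.0.0/0"
    src_port: Optional[PortRange] = None   # None = any port
    dest_port: Optional[PortRange] = None

    def matches(self, f: Flow) -> bool:
        if ipaddress.ip_address(f.src_ip) not in ipaddress.ip_network(self.src_addr):
            return False
        if ipaddress.ip_address(f.dst_ip) not in ipaddress.ip_network(self.dest_addr):
            return False
        if self.src_port and not (self.src_port[0] <= f.src_port <= self.src_port[1]):
            return False
        if self.dest_port and not (self.dest_port[0] <= f.dst_port <= self.dest_port[1]):
            return False
        return True


def route_for(flow: Flow, policies: List[Policy], default: str = "wan") -> str:
    """Modelled as first match wins; 'ignore' and no match fall back to the
    default route, which on the router in the thread is wan."""
    for p in policies:
        if p.matches(flow):
            return default if p.interface == "ignore" else p.interface
    return default


# Constructed flows. 10.234.53.1 is the router's lan address from the thread;
# 10.234.53.200 is a hypothetical dedicated address for the torrent client;
# the peers use documentation address ranges. The client dials peers from an
# ephemeral source port (49152 here), and only traffic sent from its listening
# socket carries the configured peer port 51413 as source.
FLOWS = [
    Flow("outbound-dial", "10.234.53.1", 49152, "203.0.113.7", 6881, "tcp"),
    Flow("reply-from-listener", "10.234.53.1", 51413, "203.0.113.7", 53000, "tcp"),
    Flow("dht-udp", "10.234.53.1", 51413, "198.51.100.9", 6881, "udp"),
    Flow("router-dns", "10.234.53.1", 40000, "198.51.100.53", 53, "udp"),
    Flow("dedicated-ip-dial", "10.234.53.200", 49152, "203.0.113.7", 6881, "tcp"),
]

# The two 'transmission' policies from the original post.
THREAD_POLICIES = [
    Policy("transmission", "wgclient", dest_port=(51413, 51413)),
    Policy("transmission", "wgclient", src_port=(51413, 51413)),
]

# The "high ports" suggestion from the reply, as a source-port range.
HIGH_PORT_POLICY = [Policy("high-ports", "wgclient", src_port=(30000, 65535))]

# The dedicated-address approach the thread ends with.
DEDICATED_IP_POLICY = [Policy("torrent-host", "wgclient", src_addr="10.234.53.200/32")]


def evaluate(policies: List[Policy]) -> Dict[str, str]:
    """Return {flow label: interface chosen} for every constructed flow."""
    return {f.label: route_for(f, policies) for f in FLOWS}


if __name__ == "__main__":
    for name, pol in (("thread", THREAD_POLICIES),
                      ("high-ports", HIGH_PORT_POLICY),
                      ("dedicated-ip", DEDICATED_IP_POLICY)):
        print(name, evaluate(pol))
```

Under the thread's own policies the outbound dial leaves via wan because its source port is ephemeral; only the listener's replies and the UDP socket bound to the peer port are caught. The high-port range does catch the dial, but it catches every other router-originated flow with an ephemeral source port as well (the constructed DNS query here), which is the trade-off of matching on ports. Keying the policy on a dedicated source address selects exactly the client's traffic and nothing else.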
