PBR-Wireguard issue

Hello,

I am trying to redirect all my traffic through WireGuard (Mullvad) by using PBR, so that I still have the possibility to use the WAN for some devices.

I have set up the WireGuard interface; it is working when I forward lan directly to the WireGuard zone on the firewall, but with this solution I do not have the possibility to use the WAN for some devices.

When I try to use PBR, I lose all connectivity, even though the WireGuard interface is able to complete the handshake.

Here is my configuration:

/etc/config/dhcp
# dnsmasq: the router's DNS forwarder and DHCP server for the lan.
config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        # Rejects upstream answers that resolve into private address space (DNS rebinding defense).
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        # Additional upstream resolvers are read from this file (presumably filled from the
        # interface 'dns' lists in /etc/config/network), on top of the explicit 'server' below.
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'
        option expandhosts '1'
        # Explicit upstream resolver; presumably the tunnel-side (Mullvad) resolver — confirm.
        # NOTE(review): because resolvfile is still consulted, queries may also reach the public
        # resolvers from /etc/config/network; if DNS must only leave via this server, add
        # option noresolv '1' so the resolv file is ignored — verify after the change.
        list server '10.64.0.1'

# lan pool: 192.168.105.100-249 (start/limit against the lan netmask in /etc/config/network).
# RA + DHCPv6 server mode means lan clients are also handed IPv6; note that /etc/config/pbr
# has ipv6_enabled '0', so that IPv6 traffic is not policy-routed.
config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

# No DHCP service on the upstream side.
config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'
/etc/config/firewall
# Default policy: inter-zone forwarding is rejected unless a 'config forwarding'
# or a rule explicitly permits it.
config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'
        # NOTE(review): flow offloading can let already-established flows skip the PBR
        # marking chains; if policies apply inconsistently, try '0' — confirm.
        option flow_offloading '1'

# Trusted zone: everything attached here gets full input/forward acceptance.
config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        # NOTE(review): no interface named 'wg0' exists in the pasted /etc/config/network
        # (the tunnel is 'mullvad' and has its own zone below); looks like a stale entry.
        # Anything that did come up under this name would inherit lan's ACCEPT policies.
        list network 'wg0'

# Untrusted upstream: no unsolicited input, NAT on the way out, MSS clamping.
config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'
        
   config rule
        # Opens UDP 56718 on the router towards the WAN. The 'mullvad' interface in
        # /etc/config/network has no listen_port, so whatever is meant to listen here
        # (perhaps the 'vpnserver' that /etc/config/pbr ignores?) is not in the pasted
        # config; if nothing listens on this port the rule should be removed.
        # The stray indentation is harmless: UCI ignores leading whitespace.
        option src 'wan'
        option target 'ACCEPT'
        option proto 'udp'
        option dest_port '56718'
        option name 'Allow Wireguard Inbound'

# Hooks the PBR-generated nftables rules into fw4.
config include 'pbr'
        option fw4_compatible '1'
        option type 'script'
        option path '/usr/share/pbr/firewall.include'

# The only inter-zone forwarding granted: lan -> wan.
# There is no lan -> mullvad forwarding, so packets that PBR marks for the tunnel are
# dropped by the REJECT default above — the missing piece identified later in the thread.
config forwarding
        option src 'lan'
        option dest 'wan'

# VPN egress zone, treated like an untrusted upstream (no input, masquerade, MSS clamp).
config zone
        option name 'mullvad'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'mullvad'
/etc/config/network
# LAN bridge over the two switch ports.
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        option mtu '1500'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        # Delegates an IPv6 prefix to the lan; combined with the RA/DHCPv6 server in
        # /etc/config/dhcp, lan clients presumably obtain global IPv6 which the PBR policy
        # (ipv6_enabled '0') does not cover.
        option ip6assign '60'
        option ipaddr '192.168.105.1'
        # Resolvers the router itself uses. Router-originated queries are not matched by the
        # PBR policy (its pbr_output chain is empty in the status output), so they follow the
        # main routing table rather than the lan policy.
        list dns '80.67.169.40'
        list dns '80.67.169.12'
        list dns '45.11.45.11'
        list dns '185.222.222.222'
        list dns '88.198.92.222'
        list dns '2001:910:800::12'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'
        # Ignore ISP-supplied resolvers; use the static list below instead.
        option peerdns '0'
        list dns '80.67.169.12'
        list dns '80.67.169.40'
        list dns '194.242.2.2'
        list dns '194.242.2.3'
config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'
        option reqaddress 'try'
        option reqprefix 'auto'
        option peerdns '0'
        list dns '2001:910:800::12'
        list dns '2001:910:800::40'
        list dns '2a07:e340::2'
        list dns '2a07:e340::3'

# WireGuard tunnel to Mullvad (keys redacted by the poster).
config interface 'mullvad'
        option proto 'wireguard'
        option private_key 'XXXXXXX'
        list addresses '10.74.147.136/32'
        list addresses 'fc00:bbbb:bbbb:bb01::b:9387/128'

config wireguard_mullvad
        option description 'mullvad'
        option public_key 'XXXXX'
        # Full-tunnel allowed IPs. The thread notes that for IPv6 '8000::/1' plus '::/1'
        # work where '::0/0' does not.
        list allowed_ips '0.0.0.0/0'
        list allowed_ips '::0/0'
        # '1' installs the allowed IPs as routes in the main table, i.e. a default route
        # through the tunnel for all traffic. With PBR choosing per-client egress this must
        # be '0' so the main table keeps the WAN default — the fix identified in the thread.
        option route_allowed_ips '1'
        # Literal endpoint IP, so bringing the tunnel up does not depend on DNS.
        option endpoint_host '193.32.126.66'
        option endpoint_port '51820'
/etc/config/pbr
config pbr 'config'
        option enabled '1'
        option verbosity '2'
        # NOTE(review): presumably blocks a policy's traffic instead of letting it fall back
        # to the main table when its interface is down (a leak guard) — confirm against the
        # pbr 1.1.8 documentation.
        option strict_enforcement '1'
        option resolver_set 'none'
        list resolver_instance '*'
        # IPv6 is not policy-routed at all. The lan still hands out IPv6 (ip6assign in
        # /etc/config/network, RA/DHCPv6 in /etc/config/dhcp), so v6 traffic from lan clients
        # follows the main table regardless of the 'mullvad' policy below.
        option ipv6_enabled '0'
        option boot_timeout '30'
        option rule_create_option 'add'
        option procd_reload_delay '1'
        option webui_show_ignore_target '0'
        option nft_rule_counter '0'
        option nft_set_auto_merge '1'
        option nft_set_counter '0'
        option nft_set_flags_interval '1'
        option nft_set_flags_timeout '0'
        option nft_set_policy 'performance'
        list webui_supported_protocol 'all'
        list webui_supported_protocol 'tcp'
        list webui_supported_protocol 'udp'
        list webui_supported_protocol 'tcp udp'
        list webui_supported_protocol 'icmp'
        # No interface named 'vpnserver' appears in the pasted /etc/config/network.
        list ignored_interface 'vpnserver'

# Example includes shipped with pbr, both disabled.
config include
        option path '/usr/share/pbr/pbr.user.aws'
        option enabled '0'

config include
        option path '/usr/share/pbr/pbr.user.netflix'
        option enabled '0'

# Disabled example; 192.168.1.5 is not in this router's lan (192.168.105.0/24) anyway.
config dns_policy
        option name 'Redirect Local IP DNS'
        option src_addr '192.168.1.5'
        option dest_dns '1.1.1.1'
        option enabled '0'

# The single active policy: everything sourced from the lan subnet egresses via the tunnel
# (matches the pbr_prerouting rule in the status output). The thread suggests '@br-lan' as
# the source instead of the subnet. Per-device WAN exceptions would be additional policies,
# presumably evaluated in order ahead of this catch-all — verify against the pbr docs.
config policy
        option name 'mullvad'
        option src_addr '192.168.105.0/24'
        option interface 'mullvad'

And here is the output of /etc/init.d/pbr status and /etc/init.d/pbr reload:

pbr - environment
pbr 1.1.8-r10 running on ImmortalWrt 24.10.1.

Dnsmasq version 2.90  Copyright (c) 2000-2024 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus UBus no-i18n no-IDN DHCP no-DHCPv6 no-Lua TFTP no-conntrack no-ipset no-nftset no-auth no-cryptohash no-DNSSEC no-ID loop-detect inotify dumpfile

pbr fw4 nft file: /usr/share/nftables.d/ruleset-post/30-pbr.nft
add chain inet fw4 pbr_mark_0x010000
add rule inet fw4 pbr_mark_0x010000  mark set mark and 0xff00ffff xor 0x010000
add rule inet fw4 pbr_mark_0x010000 return
add chain inet fw4 pbr_mark_0x020000
add rule inet fw4 pbr_mark_0x020000  mark set mark and 0xff00ffff xor 0x020000
add rule inet fw4 pbr_mark_0x020000 return
add rule inet fw4 pbr_prerouting ip saddr { 192.168.105.0/24 }  goto pbr_mark_0x020000 comment "mullvad"

pbr chains - policies
	chain pbr_forward { # handle 40
	}
	chain pbr_input { # handle 41
	}
	chain pbr_output { # handle 42
	}
	chain pbr_postrouting { # handle 44
	}
	chain pbr_prerouting { # handle 43
		ip saddr 192.168.105.0/24 goto pbr_mark_0x020000 comment "mullvad" # handle 683
	}
	chain pbr_dstnat { # handle 39
	}

pbr chains - marking
	chain pbr_mark_0x010000 { # handle 323
		meta mark set meta mark & 0xff01ffff | 0x00010000 # handle 679
		return # handle 680
	}
	chain pbr_mark_0x020000 { # handle 326
		meta mark set meta mark & 0xff02ffff | 0x00020000 # handle 681
		return # handle 682
	}

pbr nft sets

pbr tables & routing
IPv4 table 256 pbr_wan route:
default via 78.197.36.254 dev wan 
IPv4 table 256 pbr_wan rule(s):
29997:	from all sport 56718 lookup pbr_wan
30000:	from all fwmark 0x10000/0xff0000 lookup pbr_wan

IPv4 table 257 pbr_mullvad route:
default via 10.74.147.136 dev mullvad 
IPv4 table 257 pbr_mullvad rule(s):
29998:	from all fwmark 0x20000/0xff0000 lookup pbr_mullvad
Using wan interface (on_start): wan [✓]
Found wan gateway (on_start): 78.197.36.254 [✓]
Setting up routing for 'wan/78.197.36.254' [✓]
Setting up routing for 'mullvad/10.74.147.136' [✓]
Routing 'mullvad' via mullvad [✓]
Installing fw4 nft file [✓]
Setting interface trigger for wan [✓]
Setting interface trigger for mullvad [✓]

pbr 1.1.8-r10 monitoring interfaces: wan mullvad 
pbr 1.1.8-r10 (fw4 nft file mode) started with gateways:
wan/78.197.36.254
mullvad/10.74.147.136 [✓]

I am sure I am missing something, but I cannot find the mistake.

Thanks.

You are missing a forwarding rule from the lan zone to the mullvad firewall zone, so add that.

For working IPv6, instead of ::0/0 use 8000::/1 and ::/1 as allowed IPs, and use the interface instead of the IPv4 subnet, i.e. @br-lan instead of 192.168.105.0/24.

For a proper setup see:

You need the Client setup guide

Thanks for the reply.

If I put a forwarding rule from lan to the mullvad zone it is working, but for all the devices. PBR is not working for me with this forwarding rule.

It seems that this PBR rule normally makes lan go through mullvad, with the possibility to add another rule to route a device through wan instead of mullvad.

config policy
        option name 'mullvad'
        option src_addr '192.168.105.0/24'
        option interface 'mullvad'

Do I really need to forward lan to mullvad on the firewall, or can PBR handle this?

You have to disable Route Allowed IPs so that default traffic goes via the WAN.
It can be disabled under Network > Interfaces > WireGuard Interface > Peers, by editing the peer.

Yes, if you want to have traffic going from lan to mullvad.

Thanks, it was this parameter.
Now I just need to figure out how to configure PBR properly.

Great you got it working.

For PBR see:

and of course there are many helpful forum members if you run into trouble :slight_smile:
