PBR without VPNs, using only multiple WANs

Can PBR (policy-based routing) work without any VPNs, e.g. with only multiple WAN interfaces?
I don't need load balancing; I want traffic to certain domains (many and varied) to leave via a specified interface, and everything else to go out via the other one.

I set up my PBR rules following a YouTube tutorial (link not reproduced here), but could not get it to work.

I'm curious whether VPNs are actually necessary for PBR. If not, what is wrong with my settings?

output of ubus call system board

root@OpenWrt:~# ubus call system board
{
	"kernel": "5.10.176",
	"hostname": "OpenWrt",
	"system": "ARMv7 Processor rev 1 (v7l)",
	"model": "Linksys WRT1900ACS",
	"board_name": "linksys,wrt1900acs",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "22.03.5",
		"revision": "r20134-5f15225c1e",
		"target": "mvebu/cortexa9",
		"description": "OpenWrt 22.03.5 r20134-5f15225c1e"
	}
}

output of uci export dhcp

root@OpenWrt:~# uci export dhcp
package dhcp

# dnsmasq: local DNS forwarder + DHCPv4 server. rebind_protection rejects
# upstream answers that point at private addresses; localservice restricts
# DNS service to directly attached subnets (both are sane hardening defaults).
config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'

# lan: DHCPv4 plus stateful DHCPv6 (managed-config/other-config) and SLAAC.
config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	option ra_slaac '1'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

# wan: no DHCP served towards the upstream (ignore '1').
config dhcp 'wan'
	option interface 'wan'
	option ignore '1'
	option start '100'
	option limit '150'
	option leasetime '12h'

# NOTE(review): there is no 'config dhcp' section for the 'aiot' interface
# (192.168.7.1), although the firewall explicitly permits IoT DHCP to the
# router -- confirm IoT hosts actually obtain leases (perhaps configured
# elsewhere, or simply missing here).

# odhcpd only handles DHCPv6/RA; dnsmasq stays the main DHCPv4 server.
config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

output of uci export firewall

root@OpenWrt:~# uci export firewall
package firewall

# Global defaults. forward is REJECT, so traffic between zones only flows
# where a 'forwarding' section or an explicit rule below allows it.
config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

# Trusted LAN zone: full access to the router and free forwarding.
config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

# Upstream zone covering BOTH uplinks (wan/wan6 and wwan). masq '1' applies
# to every member, so pbr-marked flows leaving via wwan are NATed as well.
config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'
	list network 'wwan'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# Inbound IPsec (ESP, and IKE on UDP 500) from wan towards lan is permitted.
# These appear to be the stock OpenWrt rules; they can be disabled if no LAN
# host terminates IPsec, to keep the wan->lan surface minimal.
config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

# Isolated IoT zone: input to the router is rejected except for the DHCP and
# DNS rules below, and the only forwarding defined is aiot->wan, so IoT hosts
# cannot reach the lan zone.
config zone
	option name 'aiot'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'aiot'

config forwarding
	option src 'aiot'
	option dest 'wan'

config rule
	option name 'iot-dhcp'
	list proto 'udp'
	option src 'aiot'
	option src_port '68'
	option dest_port '67'
	option target 'ACCEPT'

# No 'proto' given, so this covers fw4's default protocols (TCP and UDP)
# on port 53 to the router's own resolver.
config rule
	option name 'iot-dns'
	option src 'aiot'
	option dest_port '53'
	option target 'ACCEPT'

# Hook through which pbr installs its nft chains and sets (the pbr_prerouting
# / pbr_mark_* chains and pbr_*_dst_ip_* sets visible in `pbr status`).
config include 'pbr'
	option fw4_compatible '1'
	option type 'script'
	option path '/usr/share/pbr/pbr.firewall.include'

output of uci export network

root@OpenWrt:~# uci export network
package network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd92:25fd:1166::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

# lan gets an IPv6 prefix (ip6assign), so LAN hosts will have global IPv6
# addresses whenever wan6 obtains a delegated prefix.
config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.6.1'

# MAC override on the wan port (locally administered address).
config device
	option name 'wan'
	option macaddr 'c2:56:27:c7:c2:52'

# Primary uplink. `pbr status` shows its gateway as 192.168.31.1, a private
# address, so this router presumably sits behind another NAT router.
config interface 'wan'
	option device 'wan'
	option proto 'dhcp'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

# IoT network (192.168.7.0/24). No 'device' is given here; presumably the
# interface is attached from the wireless config -- confirm.
config interface 'aiot'
	option proto 'static'
	option ipaddr '192.168.7.1'
	option netmask '255.255.255.0'

# Second uplink (wlan1 with gateway 192.168.90.254 per `pbr status`). Again
# no 'device' here; presumably bound as a Wi-Fi client in the wireless config.
config interface 'wwan'
	option proto 'dhcp'

output of uci export pbr

root@OpenWrt:~# uci export pbr
package pbr

config pbr 'config'
	option verbosity '2'
	# strict_enforcement: per pbr's documentation, policies stay enforced when
	# their gateway is down (matching traffic is blocked instead of leaking via
	# the other WAN). Desirable for a "must go via X" policy -- verify on this
	# version.
	option strict_enforcement '1'
	# resolver_set 'none': no dnsmasq integration, so each domain in dest_addr
	# is resolved once when pbr (re)loads into a static nft set -- the sets in
	# `pbr status` hold a single IP each. Domains with many or rotating
	# addresses may be only partially matched.
	option resolver_set 'none'
	# ipv6_enabled '0': IPv6 traffic is not policy-routed at all. Since lan
	# receives an IPv6 prefix (ip6assign) and wan6 is configured, AAAA traffic to
	# these domains will follow the normal IPv6 default route, not the chosen WAN.
	option ipv6_enabled '0'
	# Leftover default ignore list; no such interfaces exist in this network
	# config, so these entries are harmless.
	list ignored_interface 'vpnserver'
	list ignored_interface 'wgserver'
	option boot_timeout '30'
	option rule_create_option 'add'
	option procd_reload_delay '1'
	option webui_show_ignore_target '0'
	list webui_supported_protocol 'all'
	list webui_supported_protocol 'tcp'
	list webui_supported_protocol 'udp'
	list webui_supported_protocol 'tcp udp'
	list webui_supported_protocol 'icmp'
	option enabled '1'

config include
	option path '/usr/share/pbr/pbr.user.aws'
	option enabled '0'

config include
	option path '/usr/share/pbr/pbr.user.netflix'
	option enabled '0'

# Sample policies shipped with pbr, disabled.
config policy
	option name 'Plex/Emby Local Server'
	option interface 'wan'
	option src_port '8096 8920 32400'
	option enabled '0'

config policy
	option name 'Plex/Emby Remote Servers'
	option interface 'wan'
	option dest_addr 'plex.tv my.plexapp.com emby.media app.emby.media tv.emby.media'
	option enabled '0'

# The two active policies. With no 'chain' option they are installed only in
# pbr_prerouting (see `pbr status`), i.e. they match forwarded traffic from
# LAN clients but not packets the router itself originates; add
# "option chain 'output'" to cover tests run with curl on the router.
config policy
	option name 'ipinfo.io'
	option dest_addr 'ipinfo.io'
	option interface 'wan'

config policy
	option name 'ifconfig.me'
	option dest_addr 'ifconfig.me'
	option interface 'wwan'

output of pbr status

root@OpenWrt:~# /etc/init.d/pbr status
============================================================
pbr - environment
pbr 1.0.1-16 running on OpenWrt 22.03.5. WAN (IPv4): wan/wan/192.168.31.1.
============================================================
Dnsmasq version 2.86  Copyright (c) 2000-2021 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus UBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth cryptohash DNSSEC no-ID loop-detect inotify dumpfile
============================================================
pbr chains - policies
	chain pbr_forward {
	}
	chain pbr_input {
	}
	chain pbr_output {
	}
	chain pbr_prerouting {
		ip daddr @pbr_wan_4_dst_ip_cfg066ff5 goto pbr_mark_0x010000 comment "ipinfo.io"
		ip daddr @pbr_wwan_4_dst_ip_cfg076ff5 goto pbr_mark_0x020000 comment "ifconfig.me"
	}
	chain pbr_postrouting {
	}
============================================================
pbr chains - marking
	chain pbr_mark_0x010000 {
		counter packets 0 bytes 0 meta mark set meta mark & 0xff01ffff | 0x00010000
		return
	}
	chain pbr_mark_0x020000 {
		counter packets 0 bytes 0 meta mark set meta mark & 0xff02ffff | 0x00020000
		return
	}
============================================================
pbr nft sets
	set pbr_wan_4_dst_ip_cfg066ff5 {
		type ipv4_addr
		flags interval
		auto-merge
		comment "ipinfo.io"
		elements = { 34.117.59.81 }
	}
	set pbr_wwan_4_dst_ip_cfg076ff5 {
		type ipv4_addr
		flags interval
		auto-merge
		comment "ifconfig.me"
		elements = { 34.160.111.145 }
	}
============================================================
IPv4 table 256 route: default via 192.168.31.1 dev wan
IPv4 table 256 rule(s):
30000:	from all fwmark 0x10000/0xff0000 lookup pbr_wan
IPv4 table 257 route: default via 192.168.90.254 dev wlan1
IPv4 table 257 rule(s):
30001:	from all fwmark 0x20000/0xff0000 lookup pbr_wwan
root@OpenWrt:~# /etc/init.d/pbr reload
Activating traffic killswitch [βœ“]
Setting up routing for 'wan/192.168.31.1' [βœ“]
Setting up routing for 'wwan/wlan1/192.168.90.254' [βœ“]
Routing 'ipinfo.io' via wan [βœ“]
Routing 'ifconfig.me' via wwan [βœ“]
Deactivating traffic killswitch [βœ“]
pbr 1.0.1-16 monitoring interfaces: wan wwan
pbr 1.0.1-16 (nft) started with gateways:
wan/192.168.31.1 [βœ“]
wwan/wlan1/192.168.90.254
root@OpenWrt:~# /etc/init.d/pbr status
============================================================
pbr - environment
pbr 1.0.1-16 running on OpenWrt 22.03.5. WAN (IPv4): wan/wan/192.168.31.1.
============================================================
Dnsmasq version 2.86  Copyright (c) 2000-2021 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus UBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth cryptohash DNSSEC no-ID loop-detect inotify dumpfile
============================================================
pbr chains - policies
	chain pbr_forward {
	}
	chain pbr_input {
	}
	chain pbr_output {
	}
	chain pbr_prerouting {
		ip daddr @pbr_wan_4_dst_ip_cfg066ff5 goto pbr_mark_0x010000 comment "ipinfo.io"
		ip daddr @pbr_wwan_4_dst_ip_cfg076ff5 goto pbr_mark_0x020000 comment "ifconfig.me"
	}
	chain pbr_postrouting {
	}
============================================================
pbr chains - marking
	chain pbr_mark_0x010000 {
		counter packets 0 bytes 0 meta mark set meta mark & 0xff01ffff | 0x00010000
		return
	}
	chain pbr_mark_0x020000 {
		counter packets 0 bytes 0 meta mark set meta mark & 0xff02ffff | 0x00020000
		return
	}
============================================================
pbr nft sets
	set pbr_wan_4_dst_ip_cfg066ff5 {
		type ipv4_addr
		flags interval
		auto-merge
		comment "ipinfo.io"
		elements = { 34.117.59.81 }
	}
	set pbr_wwan_4_dst_ip_cfg076ff5 {
		type ipv4_addr
		flags interval
		auto-merge
		comment "ifconfig.me"
		elements = { 34.160.111.145 }
	}
============================================================
IPv4 table 256 route: default via 192.168.31.1 dev wan
IPv4 table 256 rule(s):
30000:	from all fwmark 0x10000/0xff0000 lookup pbr_wan
IPv4 table 257 route: default via 192.168.90.254 dev wlan1
IPv4 table 257 rule(s):
30001:	from all fwmark 0x20000/0xff0000 lookup pbr_wwan

No, VPNs are not necessary. PBR routes over whatever interface a policy names, and your own `pbr status` already shows both `wan` and `wwan` installed as gateways (routing tables 256 and 257, with their fwmark rules).

At first glance the configuration looks correct: both policies are present in `pbr_prerouting` and their sets are populated. Make sure you are not also running mwan3 at the same time, as it installs its own fwmark-based policy rules and conflicts with pbr. Two caveats given your settings: `ipv6_enabled '0'` means IPv6 traffic to those domains is not policy-routed at all (it will leave via wan6 if that interface gets a prefix), and `resolver_set 'none'` means each domain is resolved only once at (re)load into a fixed set — note that each set in your status holds a single IP — so domains with many or rotating addresses may be only partially covered.

If you are testing from the router itself (e.g. with curl), you need to add `option chain 'output'` to each policy: your status output shows the policies only in `pbr_prerouting`, which sees forwarded traffic from LAN clients, while `pbr_output` — the chain that handles packets the router itself generates — is empty. The zero packet counters on the marking chains are consistent with that.


Thanks for your help. I had been testing from the router itself; from the PCs on the LAN it now works. Many thanks.

