Hi,
I have set up PBR, but it only works for a few seconds after the router comes up: `curl ifconfig.me` returns the VPN exit IP briefly, and after that none of the PBR policies take effect, even after restarting the PBR service (the `/etc/init.d/pbr status` output below still reports every policy and gateway as set up, so the rules are installed but something else is deciding the route).
I suspect another package or configuration is interfering with PBR. One thing I notice in the `nft list ruleset` output at the bottom: `table ip mangle` and `table ip6 mangle` are flagged as "managed by iptables-nft", and they contain mwan3 chains (`jump mwan3_rule_https`) plus MARK/CONNMARK rules on the 0x3f00/0xfc00 mark bits — so mwan3 (or its leftover rules) appears to be installed alongside PBR and is marking and restoring connection marks on the same traffic that PBR marks in `pbr_prerouting`. Two policy-routing tools manipulating fwmarks and ip rules on the same box is the first thing I would rule out.
Could dnscrypt-proxy2 be the cause? dnsmasq is configured with `noresolv 1` and `127.0.0.53` as its only upstream, and the `fr_france` policy relies on dnsmasq populating the `pbr_fr_4_dst_ip_fr_france` nftset from its own resolutions — that set has no elements in either status dump, so either ifconfig.me was never resolved through dnsmasq or the nftset entries are not being added. (A domain-based policy like this only covers names resolved via dnsmasq; a client using its own resolver bypasses it.)
System Board
{
"kernel": "5.15.162",
"hostname": "hibiscus",
"system": "ARMv7 Processor rev 0 (v7l)",
"model": "Cisco Meraki MX65",
"board_name": "meraki,mx65",
"rootfs_type": "squashfs",
"release": {
"distribution": "OpenWrt",
"version": "23.05.4",
"revision": "r24012-d8dd03c46f",
"target": "bcm53xx/generic",
"description": "OpenWrt 23.05.4 r24012-d8dd03c46f"
}
}
dhcp
config dnsmasq
option domainneeded '1'
option boguspriv '1'
option filterwin2k '0'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/home/'
option domain 'home'
option expandhosts '1'
option nonegcache '0'
option cachesize '0'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
option nonwildcard '1'
option localservice '1'
option ednspacket_max '1232'
option filter_aaaa '0'
option filter_a '0'
option confdir '/tmp/dnsmasq.d'
option noresolv '1'
option localuse '1'
list server '127.0.0.53'
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv4 'server'
option dhcpv6 'server'
option ra 'server'
option ra_slaac '1'
list ra_flags 'managed-config'
list ra_flags 'other-config'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
config dhcp 'guest'
option interface 'guest'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv4 'server'
option dhcpv6 'server'
option ra 'server'
list ra_flags 'managed-config'
list ra_flags 'other-config'
Network
package network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fda6:a8dc:257f::/48'
option packet_steering '1'
config device
option name 'br-lan'
option type 'bridge'
list ports 'lan3'
list ports 'lan4'
list ports 'lan5'
list ports 'lan6'
list ports 'lan7'
list ports 'lan8'
list ports 'lan9'
list ports 'lan10'
list ports 'lan11'
list ports 'lan12'
config interface 'lan'
option device 'br-lan.14'
option proto 'static'
option ipaddr '192.168.5.1'
option netmask '255.255.255.0'
option ip6assign '60'
option vlan_filtering '1'
config device
option name 'br-wan'
option type 'bridge'
list ports 'wan1'
list ports 'wan2'
config device
option name 'wan1'
option macaddr 'xx:xx:xx:xx:xx:xx'
config device
option name 'wan2'
option macaddr 'xx:xx:xx:xx:xx:xx'
config interface 'wan'
option device 'br-wan'
option proto 'dhcp'
list dns '8.8.8.8'
list dns '8.8.4.4'
option peerdns '0'
config interface 'wan6'
option device 'br-wan'
option proto 'dhcpv6'
list dns '2001:4860:4860::8844'
list dns '8.8.4.4'
option peerdns '0'
config bridge-vlan
option device 'br-lan'
option vlan '14'
list ports 'lan3:u*'
list ports 'lan4:u*'
list ports 'lan5:u*'
list ports 'lan6:u*'
list ports 'lan7:u*'
list ports 'lan8:u*'
list ports 'lan9:u*'
list ports 'lan10:t*'
list ports 'lan11:t*'
list ports 'lan12:u*'
config bridge-vlan
option device 'br-lan'
option vlan '21'
list ports 'lan10:t'
list ports 'lan11:t'
config interface 'guest'
option device 'br-lan.21'
option proto 'static'
option ipaddr '192.168.9.1'
option netmask '255.255.255.0'
option ip6assign '60'
config interface 'fr'
option proto 'none'
option delegate '0'
option device 'tun0'
config interface 'hk'
option proto 'none'
option delegate '0'
option device 'tun1'
config interface 'uk'
option proto 'none'
option delegate '0'
option device 'tun2'
PBR
package pbr
config pbr 'config'
option enabled '1'
option verbosity '2'
option strict_enforcement '1'
option resolver_set 'dnsmasq.nftset'
option ipv6_enabled '0'
list ignored_interface 'vpnserver'
list ignored_interface 'wgserver'
option boot_timeout '30'
option rule_create_option 'add'
option procd_reload_delay '1'
option webui_show_ignore_target '0'
list webui_supported_protocol 'all'
list webui_supported_protocol 'tcp'
list webui_supported_protocol 'udp'
list webui_supported_protocol 'tcp udp'
list webui_supported_protocol 'icmp'
list supported_interface 'tun0'
list supported_interface 'tun1'
list supported_interface 'tun2'
config policy 'ignore'
option name 'ignore'
option interface 'ignore'
option dest_addr '192.168.0.0/16'
option enabled '1'
config policy 'fr_france'
option name 'fr_france'
option interface 'fr'
option dest_addr 'ifconfig.me fr'
option enabled '1'
config policy 'uk_default'
option name 'uk_default'
option proto 'tcp udp'
option interface 'uk'
option src_addr '0.0.0.0/0'
option enabled '1'
firewall
config defaults
option syn_flood '1'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list device 'tun0'
list device 'tun1'
list device 'tun2'
list device 'tun3'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config include 'pbr'
option fw4_compatible '1'
option type 'script'
option path '/usr/share/pbr/pbr.firewall.include'
config rule
option name 'WAN SSH'
option src 'wan'
option dest_port '22'
option target 'ACCEPT'
option family 'ipv4'
list src_ip '192.168.0.0/16'
config rule
option name 'WAN HTTP'
option src 'wan'
option dest_port '80'
option target 'ACCEPT'
option family 'ipv4'
list src_ip '192.168.0.0/16'
config zone 'guest'
option name 'guest'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'guest'
config rule 'guest_dns'
option name 'Allow-DNS-guest'
option src 'guest'
option proto 'udp'
option dest_port '53'
option target 'ACCEPT'
config rule 'guest_dhcp'
option name 'Allow-DHCP-guest'
option src 'guest'
option proto 'udp'
option dest_port '67'
option target 'ACCEPT'
option family 'ipv4'
config rule 'guest_dhcpv6'
option name 'Allow-DHCPv6-guest'
option src 'guest'
option proto 'udp'
option dest_port '547'
option target 'ACCEPT'
option family 'ipv6'
config forwarding 'f_lan_guest'
option src 'lan'
option dest 'guest'
config forwarding 'f_guest_wan'
option src 'guest'
option dest 'wan'
config zone 'z_fr'
option name 'FR'
option input 'REJECT'
option output 'REJECT'
option forward 'ACCEPT'
option masq '1'
option mtu_fix '1'
list network 'fr'
config forwarding 'f_lan_fr'
option src 'lan'
option dest 'FR'
config forwarding 'f_guest_fr'
option src 'guest'
option dest 'FR'
config zone 'z_hk'
option name 'HK'
option input 'REJECT'
option output 'REJECT'
option forward 'ACCEPT'
option masq '1'
option mtu_fix '1'
list network 'hk'
config forwarding 'f_lan_hk'
option src 'lan'
option dest 'HK'
config forwarding 'f_guest_hk'
option src 'guest'
option dest 'HK'
config zone 'z_us'
option name 'US'
option input 'REJECT'
option output 'REJECT'
option forward 'ACCEPT'
option masq '1'
option mtu_fix '1'
list network 'us'
config forwarding 'f_lan_us'
option src 'lan'
option dest 'US'
config forwarding 'f_guest_us'
option src 'guest'
option dest 'US'
config zone 'z_uk'
option name 'UK'
option input 'REJECT'
option output 'REJECT'
option forward 'ACCEPT'
option masq '1'
option mtu_fix '1'
list network 'uk'
config forwarding 'f_lan_uk'
option src 'lan'
option dest 'UK'
config forwarding 'f_guest_uk'
option src 'guest'
option dest 'UK'
PBR Status
/etc/init.d/pbr status
/etc/init.d/pbr reload
/etc/init.d/pbr status
============================================================
pbr - environment
pbr 1.1.1-7 running on OpenWrt 23.05.4. WAN (IPv4): wan/br-wan/192.168.1.254.
============================================================
Dnsmasq version 2.90 Copyright (c) 2000-2024 Simon Kelley
Compile time options: IPv6 GNU-getopt no-RTC no-DBus UBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset nftset auth cryptohash DNSSEC no-ID loop-detect inotify dumpfile
============================================================
pbr chains - policies
chain pbr_forward { # handle 67
}
chain pbr_input { # handle 68
}
chain pbr_output { # handle 69
}
chain pbr_prerouting { # handle 70
ip daddr @pbr_ignore_4_dst_ip_ignore return comment "ignore" # handle 1663
ip daddr @pbr_fr_4_dst_ip_fr_france goto pbr_mark_0x020000 comment "fr_france" # handle 1665
ip saddr @pbr_uk_4_src_ip_uk_default goto pbr_mark_0x040000 comment "uk_default" # handle 1667
}
chain pbr_postrouting { # handle 71
}
============================================================
pbr chains - marking
chain pbr_mark_0x010000 { # handle 1647
counter packets 0 bytes 0 meta mark set meta mark & 0xff01ffff | 0x00010000 # handle 1648
return # handle 1649
}
chain pbr_mark_0x020000 { # handle 1650
counter packets 0 bytes 0 meta mark set meta mark & 0xff02ffff | 0x00020000 # handle 1651
return # handle 1652
}
chain pbr_mark_0x030000 { # handle 1653
counter packets 0 bytes 0 meta mark set meta mark & 0xff03ffff | 0x00030000 # handle 1654
return # handle 1655
}
chain pbr_mark_0x040000 { # handle 1656
counter packets 131 bytes 63194 meta mark set meta mark & 0xff04ffff | 0x00040000 # handle 1657
return # handle 1658
}
chain pbr_mark_0x050000 { # handle 1659
counter packets 0 bytes 0 meta mark set meta mark & 0xff05ffff | 0x00050000 # handle 1660
return # handle 1661
}
============================================================
pbr nft sets
set pbr_ignore_4_dst_ip_ignore { # handle 1662
type ipv4_addr
flags interval
counter
auto-merge
comment "ignore"
elements = { 192.168.0.0/16 counter packets 994 bytes 1030943 }
}
set pbr_fr_4_dst_ip_fr_france { # handle 1664
type ipv4_addr
flags interval
counter
auto-merge
comment "fr_france"
}
set pbr_uk_4_src_ip_uk_default { # handle 1666
type ipv4_addr
flags interval
counter
auto-merge
comment "uk_default"
elements = { 0.0.0.0/0 counter packets 142 bytes 73557 }
}
============================================================
dnsmasq sets
nftset=/ifconfig.me/4#inet#fw4#pbr_fr_4_dst_ip_fr_france # fr_france
nftset=/fr/4#inet#fw4#pbr_fr_4_dst_ip_fr_france # fr_france
============================================================
IPv4 table 256 route: default via 192.168.1.254 dev br-wan
IPv4 table 256 rule(s):
30000: from all fwmark 0x10000/0xff0000 lookup pbr_wan
IPv4 table 257 route: default via 10.100.0.2 dev tun0
IPv4 table 257 rule(s):
30001: from all fwmark 0x20000/0xff0000 lookup pbr_fr
IPv4 table 258 route: default via 10.100.0.2 dev tun1
IPv4 table 258 rule(s):
30002: from all fwmark 0x30000/0xff0000 lookup pbr_hk
IPv4 table 259 route: default via 10.100.0.2 dev tun2
IPv4 table 259 rule(s):
30003: from all fwmark 0x40000/0xff0000 lookup pbr_uk
IPv4 table 260 route: unreachable default
IPv4 table 260 rule(s):
30004: from all fwmark 0x50000/0xff0000 lookup pbr_us
Activating traffic killswitch [✓]
Setting up routing for 'wan/br-wan/192.168.1.254' [✓]
Setting up routing for 'fr/tun0/10.100.0.2' [✓]
Setting up routing for 'hk/tun1/10.100.0.2' [✓]
Setting up routing for 'uk/tun2/10.100.0.2' [✓]
Setting up routing for 'us/tun3/0.0.0.0' [✓]
Routing 'ignore' via ignore [✓]
Routing 'fr_france' via fr [✓]
Routing 'uk_default' via uk [✓]
Deactivating traffic killswitch [✓]
pbr 1.1.1-7 monitoring interfaces: wan fr hk uk us
pbr 1.1.1-7 (nft) started with gateways:
wan/br-wan/192.168.1.254 [✓]
fr/tun0/10.100.0.2
hk/tun1/10.100.0.2
uk/tun2/10.100.0.2
us/tun3/0.0.0.0
============================================================
pbr - environment
pbr 1.1.1-7 running on OpenWrt 23.05.4. WAN (IPv4): wan/br-wan/192.168.1.254.
============================================================
Dnsmasq version 2.90 Copyright (c) 2000-2024 Simon Kelley
Compile time options: IPv6 GNU-getopt no-RTC no-DBus UBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset nftset auth cryptohash DNSSEC no-ID loop-detect inotify dumpfile
============================================================
pbr chains - policies
chain pbr_forward { # handle 67
}
chain pbr_input { # handle 68
}
chain pbr_output { # handle 69
}
chain pbr_prerouting { # handle 70
ip daddr @pbr_ignore_4_dst_ip_ignore return comment "ignore" # handle 1686
ip daddr @pbr_fr_4_dst_ip_fr_france goto pbr_mark_0x020000 comment "fr_france" # handle 1688
ip saddr @pbr_uk_4_src_ip_uk_default goto pbr_mark_0x040000 comment "uk_default" # handle 1690
}
chain pbr_postrouting { # handle 71
}
============================================================
pbr chains - marking
chain pbr_mark_0x010000 { # handle 1670
counter packets 0 bytes 0 meta mark set meta mark & 0xff01ffff | 0x00010000 # handle 1671
return # handle 1672
}
chain pbr_mark_0x020000 { # handle 1673
counter packets 0 bytes 0 meta mark set meta mark & 0xff02ffff | 0x00020000 # handle 1674
return # handle 1675
}
chain pbr_mark_0x030000 { # handle 1676
counter packets 0 bytes 0 meta mark set meta mark & 0xff03ffff | 0x00030000 # handle 1677
return # handle 1678
}
chain pbr_mark_0x040000 { # handle 1679
counter packets 24 bytes 14660 meta mark set meta mark & 0xff04ffff | 0x00040000 # handle 1680
return # handle 1681
}
chain pbr_mark_0x050000 { # handle 1682
counter packets 0 bytes 0 meta mark set meta mark & 0xff05ffff | 0x00050000 # handle 1683
return # handle 1684
}
============================================================
pbr nft sets
set pbr_ignore_4_dst_ip_ignore { # handle 1685
type ipv4_addr
flags interval
counter
auto-merge
comment "ignore"
elements = { 192.168.0.0/16 counter packets 43 bytes 2884 }
}
set pbr_fr_4_dst_ip_fr_france { # handle 1687
type ipv4_addr
flags interval
counter
auto-merge
comment "fr_france"
}
set pbr_uk_4_src_ip_uk_default { # handle 1689
type ipv4_addr
flags interval
counter
auto-merge
comment "uk_default"
elements = { 0.0.0.0/0 counter packets 25 bytes 14712 }
}
============================================================
dnsmasq sets
nftset=/ifconfig.me/4#inet#fw4#pbr_fr_4_dst_ip_fr_france # fr_france
nftset=/fr/4#inet#fw4#pbr_fr_4_dst_ip_fr_france # fr_france
============================================================
IPv4 table 256 route: default via 192.168.1.254 dev br-wan
IPv4 table 256 rule(s):
30000: from all fwmark 0x10000/0xff0000 lookup pbr_wan
IPv4 table 257 route: default via 10.100.0.2 dev tun0
IPv4 table 257 rule(s):
30001: from all fwmark 0x20000/0xff0000 lookup pbr_fr
IPv4 table 258 route: default via 10.100.0.2 dev tun1
IPv4 table 258 rule(s):
30002: from all fwmark 0x30000/0xff0000 lookup pbr_hk
IPv4 table 259 route: default via 10.100.0.2 dev tun2
IPv4 table 259 rule(s):
30003: from all fwmark 0x40000/0xff0000 lookup pbr_uk
IPv4 table 260 route: unreachable default
IPv4 table 260 rule(s):
30004: from all fwmark 0x50000/0xff0000 lookup pbr_us
nft list ruleset
Warning: table ip mangle is managed by iptables-nft, do not touch!
xt match "set" counter packets 0 bytes 0 xt target "MARK"
xt match "set" counter packets 5705400 bytes 6911320708 xt target "MARK"
xt match "set" counter packets 0 bytes 0 xt target "MARK"
meta l4proto tcp xt match "multiport" meta mark & 0x00003f00 == 0x00000000 counter packets 19342 bytes 1364569 jump mwan3_rule_https
meta mark & 0x00003f00 == 0x00000000 counter packets 8758265 bytes 8004010026 xt target "CONNMARK"
counter packets 8797917 bytes 8008067925 xt target "CONNMARK"
meta mark & 0x00003f00 == 0x00000000 xt match "comment" counter packets 0 bytes 0 xt target "MARK"
meta mark & 0x00003f00 == 0x00000000 xt match "comment" counter packets 0 bytes 0 xt target "MARK"
meta mark & 0x00003f00 == 0x00000000 xt match "comment" counter packets 59201 bytes 10653662 xt target "MARK"
meta mark & 0x00003f00 == 0x00000000 xt match "comment" counter packets 0 bytes 0 xt target "MARK"
meta mark & 0x00003f00 == 0x00000000 xt match "comment" counter packets 0 bytes 0 xt target "MARK"
meta mark & 0x0000fc00 != 0x0000fc00 counter packets 19342 bytes 1364569 xt target "SET"
meta mark & 0x0000fc00 != 0x0000fc00 counter packets 19342 bytes 1364569 xt target "SET"
iifname "br-wan" xt match "set" meta mark & 0x00003f00 == 0x00000000 xt match "comment" counter packets 0 bytes 0 xt target "MARK"
iifname "br-wan" xt match "set" meta mark & 0x00003f00 == 0x00000000 xt match "comment" counter packets 0 bytes 0 xt target "MARK"
iifname "br-wan" xt match "set" meta mark & 0x00003f00 == 0x00000000 xt match "comment" counter packets 0 bytes 0 xt target "MARK"
Warning: table ip6 mangle is managed by iptables-nft, do not touch!
iifname "br-wan" meta mark & 0x00003f00 == 0x00000000 xt match "comment" counter packets 914 bytes 51599 xt target "MARK"
xt match "set" counter packets 0 bytes 0 xt target "MARK"
xt match "set" counter packets 78 bytes 7941 xt target "MARK"
xt match "set" counter packets 0 bytes 0 xt target "MARK"
meta l4proto tcp xt match "multiport" meta mark & 0x00003f00 == 0x00000000 counter packets 0 bytes 0 jump mwan3_rule_https
meta l4proto ipv6-icmp xt match "icmp6" counter packets 56 bytes 2872 return
meta l4proto ipv6-icmp xt match "icmp6" counter packets 221 bytes 35360 return
meta l4proto ipv6-icmp xt match "icmp6" counter packets 1460 bytes 104840 return
meta l4proto ipv6-icmp xt match "icmp6" counter packets 880 bytes 58784 return
meta l4proto ipv6-icmp xt match "icmp6" counter packets 0 bytes 0 return
meta mark & 0x00003f00 == 0x00000000 counter packets 40300 bytes 11196724 xt target "CONNMARK"
counter packets 40506 bytes 11219377 xt target "CONNMARK"
meta mark & 0x00003f00 == 0x00000000 xt match "comment" counter packets 0 bytes 0 xt target "MARK"
meta mark & 0x00003f00 == 0x00000000 xt match "comment" counter packets 0 bytes 0 xt target "MARK"
meta mark & 0x00003f00 == 0x00000000 xt match "comment" counter packets 39852 bytes 11111988 xt target "MARK"
meta mark & 0x00003f00 == 0x00000000 xt match "comment" counter packets 0 bytes 0 xt target "MARK"
meta mark & 0x00003f00 == 0x00000000 xt match "comment" counter packets 0 bytes 0 xt target "MARK"
meta mark & 0x0000fc00 != 0x0000fc00 counter packets 0 bytes 0 xt target "SET"
meta mark & 0x0000fc00 != 0x0000fc00 counter packets 0 bytes 0 xt target "SET"