Policy-Based Routing not working correctly


This plugin works sometimes, but mostly it doesn't. I make the necessary adjustments before use; it works sometimes, but when I reset the router it stops working.
When I press the restart button, the above error appears. I configured the tun0 interface.

Log:

Sun Feb 21 16:04:04 2021 user.notice vpn-policy-routing [3429]: Routing 'blank' via OVPN [✗]
Sun Feb 21 16:04:22 2021 user.notice vpn-policy-routing [3429]: Routing 'blank' via OVPN [✗]
Sun Feb 21 16:04:22 2021 user.notice vpn-policy-routing [3429]: service started with gateways: wan/eth0.2/178.233.192.1 [✓] OVPN/tun0/0.0.0.0
Sun Feb 21 16:04:22 2021 user.notice vpn-policy-routing [3429]: ERROR: iptables -t mangle -I VPR_PREROUTING -j MARK --set-xmark 0x020000/0xff0000  -d icanhazip.com  -m comment --comment blank  ERROR: iptables -t mangle -I VPR_PREROUTING -j MARK --set-xmark 0x020000/0xff0000  -d example.org  -m comment --comment blank
Sun Feb 21 16:04:22 2021 user.notice vpn-policy-routing [3429]: ERROR: DNSMASQ ipset support is enabled in vpn-policy-routing, but DNSMASQ is either not installed or installed DNSMASQ does not support ipsets!
Sun Feb 21 16:04:22 2021 user.notice vpn-policy-routing [3429]: service monitoring interfaces: wan OVPN .

Thanks for your help.

iptables -t mangle -I VPR_PREROUTING \
-j MARK --set-xmark 0x020000/0xff0000 \
-d example.org -m comment --comment blank

What does it say?

Just this:

iptables v1.8.3 (legacy): host/network `example.org' not found
Try `iptables -h' or 'iptables --help' for more information.
nslookup example.org

Did you install dnsmasq-full and ipset?

Server:		46.197.15.60
Address:	46.197.15.60#53

Name:      example.org
Address 1: 93.184.216.34
Address 2: 2606:2800:220:1:248:1893:25c8:1946
ubus call system board; \
head -v -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*

Just dnsmasq is installed.

{
	"kernel": "4.14.218",
	"hostname": "MiRouter4A",
	"system": "MediaTek MT7621 ver:1 eco:3",
	"model": "Xiaomi Mi Router 3G v2",
	"board_name": "xiaomi,mir3g-v2",
	"release": {
		"distribution": "OpenWrt",
		"version": "19.07-SNAPSHOT",
		"revision": "r11295-365d573af4",
		"target": "ramips/mt7621",
		"description": "OpenWrt 19.07-SNAPSHOT r11295-365d573af4"
	}
}
==> /etc/resolv.conf <==
# Interface wan
nameserver 46.197.15.60
nameserver 178.233.140.110
nameserver 176.240.150.250

==> /tmp/resolv.conf <==
# Interface wan
nameserver 46.197.15.60
nameserver 178.233.140.110
nameserver 176.240.150.250

==> /tmp/resolv.conf.auto <==
# Interface wan
nameserver 46.197.15.60
nameserver 178.233.140.110
nameserver 176.240.150.250
head: /tmp/resolv.*/*: No such file or directory


Make sure these resolvers also reply correctly:

nslookup example.org 178.233.140.110
nslookup example.org 176.240.150.250

Yes, they work correctly.

Server:		178.233.140.110
Address:	178.233.140.110#53

Name:      example.org
Address 1: 93.184.216.34
Address 2: 2606:2800:220:1:248:1893:25c8:1946
root@MiRouter4A:~# nslookup example.org 176.240.150.250
Server:		176.240.150.250
Address:	176.240.150.250#53

Name:      example.org
Address 1: 93.184.216.34
Address 2: 2606:2800:220:1:248:1893:25c8:1946

dnsmasq-full is needed for domain-name-based PBR.

ipset is kinda optional, but useful for verifying that dnsmasq populates the ipset properly; the ipset is then referenced in iptables to mark packets, which are then picked up by ip rule.

No, it can work without dnsmasq or IP sets.
The full package is required only for IP sets.
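Both replies turn on how a domain-name target becomes a packet mark. Passing `-d example.org` straight to iptables makes iptables resolve the name itself at rule-insert time, which is what fails with `host/network ... not found` when the service runs before the resolvers are reachable; with dnsmasq ipset support, dnsmasq adds the addresses it resolves to an IP set as clients query them, and the iptables rule matches the set without any resolution at insert time. The shell below is an added example, not from the thread or the vpn-policy-routing package. It triages a `logread` excerpt (a constructed sample modelled on the log posted above, with one target swapped for a CIDR so the classifier has both kinds to sort) into separate findings: policies that failed to install, rule targets that needed DNS at insert time, gateways that had no address when the service started, and the dnsmasq capability error. The reading of the "service started with gateways" line as name/device/address tokens is this example's assumption.

```shell
#!/bin/sh
# Added example, not from the thread or the vpn-policy-routing package:
# triage a `logread | grep vpn-policy-routing` excerpt into its separate
# problems so that DNS timing, tunnel state and package capability are not
# confused with each other.

# Constructed sample modelled on the log posted in this thread.
sample_log() {
cat <<'EOF'
Sun Feb 21 16:04:04 2021 user.notice vpn-policy-routing [3429]: Routing 'blank' via OVPN [✗]
Sun Feb 21 16:04:22 2021 user.notice vpn-policy-routing [3429]: service started with gateways: wan/eth0.2/178.233.192.1 [✓] OVPN/tun0/0.0.0.0
Sun Feb 21 16:04:22 2021 user.notice vpn-policy-routing [3429]: ERROR: iptables -t mangle -I VPR_PREROUTING -j MARK --set-xmark 0x020000/0xff0000  -d icanhazip.com  -m comment --comment blank  ERROR: iptables -t mangle -I VPR_PREROUTING -j MARK --set-xmark 0x020000/0xff0000  -d 93.184.216.0/24  -m comment --comment blank
Sun Feb 21 16:04:22 2021 user.notice vpn-policy-routing [3429]: ERROR: DNSMASQ ipset support is enabled in vpn-policy-routing, but DNSMASQ is either not installed or installed DNSMASQ does not support ipsets!
EOF
}

# True when $1 is an IPv4 address or CIDR (or an IPv6 literal): a target
# iptables can install without consulting DNS at insert time.
is_ip_target() {
  addr=${1%/*}
  case "$addr" in
    *:*) return 0 ;;                        # IPv6 literal
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;    # not a dotted quad at all
  esac
  nodots=$(printf '%s' "$addr" | tr -d '.')
  [ $(( ${#addr} - ${#nodots} )) -eq 3 ]    # exactly three dots
}

# Policies the service reported as failed ("[✗]"), as "<name> via <gateway>".
failed_policies() {
  sed -n "s/.*Routing '\([^']*\)' via \([^ ]*\) \[✗\].*/\1 via \2/p"
}

# -d targets of failed iptables rules that are hostnames, i.e. the ones
# iptables itself had to resolve when the rule was inserted.
unresolved_rule_targets() {
  awk '/ERROR: iptables/ { for (i = 1; i <= NF; i++) if ($i == "-d") print $(i + 1) }' |
  while IFS= read -r target; do
    is_ip_target "$target" || printf '%s\n' "$target"
  done
}

# Exit 0 when dnsmasq lacks ipset support (on OpenWrt that means dnsmasq-full is needed).
dnsmasq_ipset_missing() {
  grep -q 'does not support ipsets'
}

# Gateways listed with address 0.0.0.0 at service start, e.g. a tunnel not
# yet up. Assumption: tokens are name/device/address, with a trailing [✓]
# marking a gateway that passed the service's check.
gateways_without_address() {
  sed -n 's/.*service started with gateways: *//p' |
  tr ' ' '\n' |
  awk -F/ 'NF == 3 && $3 == "0.0.0.0" { print $1 "/" $2 }'
}

# Read the excerpt once from stdin and print every finding.
triage_vpr_log() {
  log=$(cat)
  echo "== policies that failed to install"
  printf '%s\n' "$log" | failed_policies
  echo "== rule targets that needed DNS at insert time (hostnames, not IPs)"
  printf '%s\n' "$log" | unresolved_rule_targets
  echo "== gateways with no address at service start"
  printf '%s\n' "$log" | gateways_without_address
  if printf '%s\n' "$log" | dnsmasq_ipset_missing; then
    echo "== dnsmasq has no ipset support: install dnsmasq-full to route by domain name"
  fi
}

# Stand-alone run triages the constructed sample. On a router use:
#   logread | grep vpn-policy-routing | sh this_script.sh --stdin
case "${1-}" in
  --stdin) triage_vpr_log ;;
  *) sample_log | triage_vpr_log ;;
esac
```

A hostname that shows up under "needed DNS at insert time" is the case the thread is hitting: the rule is only as good as name resolution at the moment the service starts, which is why a reboot breaks it while a later manual restart works. Moving such targets to dnsmasq ipsets removes the dependency on resolution at startup.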

It looks like some iptables module/extension is missing.

Try to perform a clean build, or download a fresh snapshot.
Preferably checkout a stable release if you are building from Git.

dnsmasq-full worked for me, but now when the OpenVPN connection breaks, PBR does not work until I restart the router.

When this happens, collect the output and post it to pastebin.com redacting the private parts:

uci show network; uci show firewall; uci show dhcp; \
uci show vpn-policy-routing; /etc/init.d/vpn-policy-routing support; \
ip address show; ip route show table all; ip rule show; iptables-save; \
head -v -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*

There is a discussion for this VBR at:

VPN Policy-Based Routing + Web UI -- Discussion - Community Builds, Projects & Packages - OpenWrt Forum

Also, I recommend that you have a look at the readme as it has helped me out greatly.

I am no expert but I second the comment from @ppmm that DNSMasq Full is needed to do some of the advanced routing in an efficient way.

If it is just OpenVPN that does not trigger a restart of VBR, I put the below entries in my OpenVPN config to ensure VBR is triggered when the VPN goes down and then back up. Maybe this can help you.

option script_security '2'
option route_up '"/etc/init.d/vpn-policy-routing reload"'