Policy based routing (pbr) on wifi-1

Is it possible to add policy-based routing on the whole wifi-1?
Dear All,
I have configured WireGuard and I want to use it for all devices connected to wifi-1 using PBR.
Kindly suggest.
Your help can make my day.

Thanks :slight_smile:

Sure, install the PBR package:


Thanks @egc,
I have already installed it but have not found any way to apply the WireGuard configuration to the wifi. Could you please share a PBR example configuration?

Thanks

@sunilalw2007: Try to be a bit clearer about what you're trying to achieve so people can help you out.

Fwiw, you don't need the PBR package for basic policy-based routing - just stick with OpenWRT's default interfaces. But if you’re working on more complex setups, the PBR add-on might be a solid choice.

Ref:

  1. Configuring multiple VLANs with different default gateways, v23.05 (DSA) - #5 by mikma
  2. Configuring multiple VLANs with different default gateways, v23.05 (DSA) - #11 by Boilerplate4U

If you have a dedicated VPN wifi, wouldn't it be easier to simply set up a guest wifi, separated from the rest of the LAN, and route it through the tunnel?


Thanks @Boilerplate4U and @frollic for the instant help. Actually, I have configured WireGuard with a Cloudflare tunnel, but I don't want to use it with the whole network; I just want to use it with my radio0 Wi-Fi. This is the requirement.

didn't know my post said you should/would ...


In this case you route per client IP address.

I would recommend setting up a guest wifi:
https://openwrt.org/docs/guide-user/network/wifi/guestwifi/configuration_webinterface

This guest wifi is on a different subnet which makes it easy to route this whole subnet with PBR via the tunnel.


@egc, could you please provide the same link for the command line? I am new to networking; it will be easy to create if one is available.

google is your friend: https://openwrt.org/docs/guide-user/network/wifi/guestwifi/guest-wlan


@egc Thanks for the guest configuration :pray:
Applied the above solution; after applying it, I am able to connect using the Guest network. Internet is working the same as on the other SSID.
While restarting the firewall I am getting the below issue; please suggest.

root@OpenWrt:~# service firewall restart
Automatically including '/usr/share/nftables.d/ruleset-post/30-pbr.nft'
Automatically including '/usr/share/nftables.d/table-post/30-pbr.nft'
Automatically including '/usr/share/nftables.d/chain-post/dstnat_lan/30-pbr.nft'
Automatically including '/usr/share/nftables.d/chain-post/mangle_forward/30-pbr.nft'
Automatically including '/usr/share/nftables.d/chain-post/mangle_input/30-pbr.nft'
Automatically including '/usr/share/nftables.d/chain-post/mangle_output/30-pbr.nft'
Automatically including '/usr/share/nftables.d/chain-post/mangle_postrouting/30-pbr.nft'
Automatically including '/usr/share/nftables.d/chain-post/mangle_prerouting/30-pbr.nft'

That is normal if you have the PBR package installed.

Okay, what is the next step I have to apply to redirect WireGuard to it?

Disable Route Allowed IPs so that there is no default route via the tunnel.

If your guest wifi is 192.168.2.0/24 then add that as a subnet to route via the WG tunnel.

This is my own guest wifi which is using 192.168.91.0/24 subnet, adjust accordingly

Edit: the guide is excellent: https://docs.openwrt.melmac.net/pbr/1.1.7-1/

Thanks @egc, PBR config applied as per your suggestion.
Below is my WireGuard config. Could you please elaborate more on the 1st and 2nd points, i.e. what lines I have to add?

config interface 'wg0'
	option proto 'wireguard'
	option private_key 'GXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX='
	list dns '1.1.1.1'
	list dns '1.0.0.1'
	option mtu '1280'
	list addresses 'XXX:XXX::X:X:X:X:XXX:XXX/128'
	list addresses 'XX.XX.XX.XX/32'

config wireguard_wg0
	option description 'peer'
	option public_key 'bXXXXXXXXXXXXXXXXXXXX='
	option endpoint_host 'XXX.XXX.XX.XX'
	option endpoint_port 'XXXX'
	list allowed_ips '::/0'
	list allowed_ips '0.0.0.0/0'
	option route_allowed_ips '0'

WireGuard looks good.

If you have problems, please post your latest configs.
Please connect to your OpenWRT device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:

Remember to redact keys, passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall
ip route show
ip route show table all
ip rule show
wg show
cat /etc/config/pbr
/etc/init.d/pbr status
uci set pbr.config.verbosity='2'
uci commit pbr
/etc/init.d/pbr reload
/etc/init.d/pbr status

ubus call system board

{
        "kernel": "5",
        "hostname": "OpenWrt",
        "system": "MediaTek MT7621 ver:1 eco:3",
        "model": "D-Link DIR-2640 A1",
        "board_name": "dlink,dir-2640-a1",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.4",
                "revision": "rXXXXXXXXXXf",
                "target": "ramips/mt7621",
                "description": "OpenWrt 23.05.4 rXXXXXXXXXf"
        }
}
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'XXXXXXXXXXXX/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'

config interface 'wg0'
        option proto 'wireguard'
        option private_key 'GFXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX='
        list dns '1.1.1.1'
        list dns '1.0.0.1'
        option mtu '1280'
        list addresses 'XXXX.x.x>X.X>X>>>X>X>>X>X>x..x/128'
        list addresses '172.16.172.16/32'

config wireguard_wg0
        option description 'Warp'
        option public_key 'bmXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX='
        option endpoint_host 'XXXXXXXXXXXXXX'
        option endpoint_port '2408'
        list allowed_ips '::/0'
        list allowed_ips '0.0.0.0/0'
        option route_allowed_ips '0'

config device 'guest_dev'
        option type 'bridge'
        option name 'br-guest'

config interface 'guest'
        option proto 'static'
        option device 'br-guest'
        option ipaddr '192.168.3.1/24'

config wifi-device 'radio0'
        option type 'mac80211'
        option path '1XXXXXXXXXXXXXXXXXXXXXX0'
        option channel '1'
        option band '2g'
        option htmode 'HT20'
        option cell_density '3'
        option country 'IN'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid '24'
        option encryption 'psk2'
        option key 'password'

config wifi-device 'radio1'
        option type 'mac80211'
        option path 'XXXXXXXXXXXXXXXXXXXXXXXX'
        option channel '36'
        option band '5g'
        option htmode 'VHT80'
        option cell_density '3'
        option country 'IN'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option ssid '5G'
        option encryption 'psk2'
        option key 'password'

config wifi-iface 'guest'
        option device 'radio0'
        option mode 'ap'
        option network 'guest'
        option ssid 'Guest'
        option encryption 'sae'
        option key 'password'

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'
        option confdir '/tmp/dnsmasq.d'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        option ra_slaac '1'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dhcp 'guest'
        option interface 'guest'
        option start '100'
        option limit '150'
        option leasetime '1h'

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config redirect 'dns_int'
        option name 'Intercept-DNS'
        option family 'any'
        option proto 'tcp udp'
        option src 'lan'
        option src_dport '53'
        option target 'DNAT'

config include 'pbr'
        option fw4_compatible '1'
        option type 'script'
        option path '/usr/share/pbr/firewall.include'

config zone 'guest'
        option name 'guest'
        option network 'guest'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

config forwarding 'guest_wan'
        option src 'guest'
        option dest 'wan'

config rule 'guest_dns'
        option name 'Allow-DNS-Guest'
        option src 'guest'
        option dest_port '53'
        option proto 'tcp udp'
        option target 'ACCEPT'

config rule 'guest_dhcp'
        option name 'Allow-DHCP-Guest'
        option src 'guest'
        option dest_port '67'
        option proto 'udp'
        option family 'ipv4'
        option target 'ACCEPT'

config pbr 'config'
        option enabled '1'
        option verbosity '2'
        option strict_enforcement '1'
        option resolver_set 'none'
        list resolver_instance '*'
        option ipv6_enabled '0'
        list ignored_interface 'vpnserver'
        option boot_timeout '30'
        option rule_create_option 'add'
        option procd_boot_delay '0'
        option procd_reload_delay '1'
        option webui_show_ignore_target '0'
        option nft_rule_counter '0'
        option nft_set_auto_merge '1'
        option nft_set_counter '0'
        option nft_set_flags_interval '1'
        option nft_set_flags_timeout '0'
        option nft_set_policy 'performance'
        list webui_supported_protocol 'all'
        list webui_supported_protocol 'tcp'
        list webui_supported_protocol 'udp'
        list webui_supported_protocol 'tcp udp'
        list webui_supported_protocol 'icmp'

config include
        option path '/usr/share/pbr/pbr.user.aws'
        option enabled '0'

config include
        option path '/usr/share/pbr/pbr.user.netflix'
        option enabled '0'

config include
        option path '/usr/share/pbr/pbr.user.wg_server_and_client'
        option enabled '0'

config dns_policy
        option name 'Redirect Local IP DNS'
        option src_addr '192.168.1.5'
        option dest_dns '1.1.1.1'
        option enabled '0'

config policy
        option name 'Ignore Local Requests'
        option interface 'ignore'
        option dest_addr '10.0.0.0/24 10.0.1.0/24 192.168.100.0/24 192.168.1.0/24'
        option enabled '0'

config policy
        option name 'Plex/Emby Local Server'
        option interface 'wan'
        option src_port '8096 8920 32400'
        option enabled '0'

config policy
        option name 'Plex/Emby Remote Servers'
        option interface 'wan'
        option dest_addr 'plex.tv my.plexapp.com emby.media app.emby.media tv.emby.media'
        option enabled '0'

config policy
        option name 'Guest-WiFi'
        option src_addr '192.168.3.1/24'
        option interface 'wg0'


Using wan interface (on_start): wan
Found wan gateway (on_start): 192.168.0.1
Setting up routing for 'wan/192.168.0.1' [✓]
Setting up routing for 'wg0/172.16.0.2' [✓]
Routing 'Guest-WiFi' via wg0 [✓]
Installing fw4 nft file [✓]
pbr 1.1.6-20 monitoring interfaces: wan wg0
pbr 1.1.6-20 (fw4 nft file mode) started with gateways:
wan/192.168.0.1 [✓]
wg0/172.16.0.2
pbr - environment
pbr 1.1.6-20 running on OpenWrt 23.05.4.

Dnsmasq version 2.90  Copyright (c) 2000-2024 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus UBus no-i18n no-IDN DHCP no-DHCPv6 no-Lua TFTP no-conntrack no-ipset no-nftset no-auth no-cryptohash no-DNSSEC no-ID loop-detect inotify dumpfile

pbr fw4 nft file: /usr/share/nftables.d/ruleset-post/30-pbr.nft
add chain inet fw4 pbr_mark_0x010000
add rule inet fw4 pbr_mark_0x010000  mark set mark and 0xff00ffff xor 0x010000
add rule inet fw4 pbr_mark_0x010000 return
add chain inet fw4 pbr_mark_0x020000
add rule inet fw4 pbr_mark_0x020000  mark set mark and 0xff00ffff xor 0x020000
add rule inet fw4 pbr_mark_0x020000 return
add rule inet fw4 pbr_prerouting ip saddr { 192.168.3.1/24 }  goto pbr_mark_0x020000 comment "Guest-WiFi"

pbr chains - policies
        chain pbr_forward { # handle 38
        }
        chain pbr_input { # handle 39
        }
        chain pbr_output { # handle 40
        }
        chain pbr_postrouting { # handle 42
        }
        chain pbr_prerouting { # handle 41
                ip saddr 192.168.3.0/24 goto pbr_mark_0x020000 comment "Guest-WiFi" # handle 299
        }
        chain pbr_dstnat_lan { # handle 37
        }

pbr chains - marking
        chain pbr_mark_0x010000 { # handle 293
                meta mark set meta mark & 0xff01ffff | 0x00010000 # handle 294
                return # handle 295
        }
        chain pbr_mark_0x020000 { # handle 296
                meta mark set meta mark & 0xff02ffff | 0x00020000 # handle 297
                return # handle 298
        }

pbr nft sets

IPv4 table 256 route: default via 192.168.0.1 dev wan
IPv4 table 256 rule(s):
30000:  from all fwmark 0x10000/0xff0000 lookup pbr_wan
IPv4 table 257 route: default via 172.16.0.2 dev wg0
IPv4 table 257 rule(s):
29998:  from all fwmark 0x20000/0xff0000 lookup pbr_wg0

@egc, please suggest what configuration I missed; currently there is no internet with guest. As we discussed, the goal is to connect the WireGuard VPN with only the Guest Wi-Fi using PBR.

Thanks
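Added here as an editor's example, not code from anyone in the thread: a small Python audit that parses firewall and pbr UCI text and lists the egress interfaces of enabled PBR policies that belong to no firewall zone, which is one of the first things to check when, as in the last post, the PBR policy is installed (the `ip rule` and nft output above look right) but the routed clients still get no internet. The FIREWALL_CFG and PBR_CFG strings are constructed, trimmed from the configs posted above; the section parser is written here and is not OpenWrt's uci tool.

```python
import re

# Constructed sample modelled on the thread's configs: the policy routes the
# guest subnet via wg0, but wg0 is not a member of any firewall zone.
FIREWALL_CFG = """
config zone
        option name 'wan'
        list network 'wan'

config zone 'guest'
        option name 'guest'
        option network 'guest'
"""
PBR_CFG = """
config policy
        option name 'Guest-WiFi'
        option src_addr '192.168.3.1/24'
        option interface 'wg0'

config policy
        option name 'Plex/Emby Local Server'
        option interface 'wan'
        option enabled '0'
"""
_LINE = re.compile(r"^\s*(config|option|list)\s+(\S+)(?:\s+'([^']*)')?\s*$")

def parse_uci(text):
    """Parse UCI text into a list of section dicts; 'list' keys accumulate."""
    sections = []
    for m in filter(None, map(_LINE.match, text.splitlines())):
        kind, key, val = m.groups()
        if kind == "config":
            sections.append({".type": key, ".name": val})
        elif kind == "option":
            sections[-1][key] = val
        else:
            sections[-1].setdefault(key, []).append(val)
    return sections

def unzoned_pbr_interfaces(fw_text, pbr_text):
    """Egress interfaces of enabled PBR policies that sit in no firewall zone:
    forwarding to them falls to the zone-less default (REJECT here) and is not masqueraded."""
    zoned = set()
    for s in parse_uci(fw_text):
        if s[".type"] == "zone":
            nets = s.get("network", [])
            # 'option network' yields a string, 'list network' yields a list
            zoned.update(nets.split() if isinstance(nets, str) else nets)
    missing = set()
    for p in parse_uci(pbr_text):
        if p[".type"] == "policy" and p.get("enabled", "1") != "0":
            iface = p.get("interface")
            if iface and iface not in zoned:
                missing.add(iface)
    return sorted(missing)
```

On a router, feed it the contents of /etc/config/firewall and /etc/config/pbr; any interface it reports has to be added to a zone (for a VPN tunnel that is normally the wan zone, which already masquerades) before the guest-to-wan forwarding covers traffic sent down the tunnel.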