Policy-Based-Routing (pbr) package discussion

Domain based policies


A single IP can host several sites, sometimes completely unrelated.

@tmomas I'm going to tag you in all the posts created by this user instead of posting them here.

Define "not working"

[how to arrange User Config File with Policies]

I have 2 rules:
I have set a number of IPs to go through VPN using the User Config File,
but some wifi clients to go through WAN using Policies.

How to put User Config File above Policies

References for others:


@tmomas I'm going to tag you in all the posts created by this user instead of posting them here, if you could move all the posts into the main PBR discussion I'd appreciate it.

@RSHARM you clearly have not read the README, otherwise you would have posted your questions in the main thread linked above. Other users might be inclined to try to help you after there's clear evidence of the minimal effort of answering your own questions by checking out the README.


Using the User Config File I am not able to route IPs to an interface with no Internet.

As that page indicates, it enables/disables service start on startup. It does not affect your ability to manually start the service.

As far as WebUI error #1 goes, next time you see it, please capture the output of ubus -S call luci.pbr getInitStatus '{"name": "pbr" }' in CLI.

For error #2, please update the luci-app-pbr package and clear browser cache.

Currently you can't. I thought long and hard about it and I couldn't come up with an elegant way to implement it, at least not in the current version. If you're good with scripting, you may be able to script adding IPs you'd collect in the user script into the pbr policies in config and arrange priorities that way.

If you're failing at shell scripting, you may be able to get some help here, but you may also be able to get help from other places where shell scripting is discussed. If you have some questions specific to pbr you should be more explicit. Either way, I don't see anyone jumping on to help you given the lack of any sort of effort to ask good questions and/or provide people with enough information to let them help you. You creating multiple threads in various parts of the forum is not a great start either.
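One way to do the scripting described above, as an added example that is not from the pbr project or this thread: it turns a list of collected IPs into a normal pbr policy, emitted as `uci batch` commands so it can be checked without a router, and reorders that policy ahead of the existing ones. The list file path, policy name, interface and section position are assumptions.

```sh
#!/bin/sh
# Added example, not code from the pbr project or this thread.
# Turns a list of IPs/CIDRs (e.g. the ones a pbr user-file script collects)
# into a regular pbr policy, emitted as `uci batch` commands, and moves that
# policy ahead of the existing ones so it is evaluated first.
# Assumptions: list file path, policy name and section position are placeholders.

# $1 list file, one IP or CIDR per line; blank lines and '#' comments are ignored
# $2 interface the matched traffic should use (e.g. vpn0)
# $3 position for `uci reorder`: it counts every section in /etc/config/pbr
#    (the 'config' section and the includes come first), so pass the index of
#    the first existing 'config policy' to land ahead of all policies
# $4 policy name (optional)
# $5 address option: dest_addr (default, remote hosts) or src_addr (LAN clients)
pbr_policy_from_list() {
    list_file=$1
    iface=$2
    position=$3
    name=${4:-"User file IPs"}
    field=${5:-dest_addr}
    # pbr takes a space-separated address list in one option value
    addrs=$(grep -Ev '^[[:space:]]*(#|$)' "$list_file" | tr '\n' ' ' | sed 's/ *$//')
    [ -n "$addrs" ] || { echo "no addresses in $list_file" >&2; return 1; }
    printf "add pbr policy\n"
    printf "set pbr.@policy[-1].name='%s'\n" "$name"
    printf "set pbr.@policy[-1].%s='%s'\n" "$field" "$addrs"
    printf "set pbr.@policy[-1].interface='%s'\n" "$iface"
    printf "set pbr.@policy[-1].enabled='1'\n"
    printf "reorder pbr.@policy[-1]=%s\n" "$position"
    printf "commit pbr\n"
}

# Constructed sample list, standing in for what a user-file script gathered.
demo_list=$(mktemp)
cat > "$demo_list" <<'EOF'
# sample addresses (constructed)
203.0.113.7
198.51.100.0/24

EOF
pbr_policy_from_list "$demo_list" vpn0 3 'User file IPs'
rm -f "$demo_list"
```

On the router, pipe the output into `uci batch` and then run `/etc/init.d/pbr reload`; check the result with `uci show pbr` before relying on it.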


In pbr and luci-app-pbr version 1.0.0-4 I have (hopefully) finalized transition to localizable error/warning messages.

The recursive call to process policy was setting error and warning variables in ubus data to garbage, as demonstrated by @RSHARM above.

This version is only available in my repo, if you're getting errors from pbr and/or can help me test it by introducing intentionally erroneous policies to your config file, I'd appreciate if you install version 1.0.0-4 from my repo (links in the first post).

It doesn’t work that way.

@stangri repo would be the official repository for his work.


pbr status (while failed)

pbr status (while okay)

I used to get this error on my old R7800 that was upgraded over and over... and I also get this now on my fresh install R4S with PBR. There's nothing special in the system log and everything works fine even though I always get the error when updating the pbr package.

Upgrading pbr on root from 1.0.0-2 to 1.0.0-4...
Stopping pbr service...
Removing rc.d symlink for pbr... OK
Installing rc.d symlink for pbr... OK
Downloading https://repo.openwrt.melmac.net/pbr_1.0.0-4_all.ipk
Configuring pbr.

##### Errors

Command failed: ubus call service delete { "name": "pbr" } (Not found)
Collected errors:
 * resolve_conffiles: Existing conffile /etc/config/pbr is different from the conffile in the new package. The new conffile will be placed at /etc/config/pbr-opkg.

This is normal. /etc/config/pbr-opkg is the default that comes with the package while /etc/config/pbr is the one containing your customizations. Feel free to delete /etc/config/pbr-opkg or install difftools and do a diff of /etc/config/pbr-opkg against /etc/config/pbr and you'll see that you really just need to ignore this error.

First of all, I need the changes tested before I merge them into official source code. Second, after it's done, it may take build bots up to 2 days to produce a new binary whereas you can install the new binary from my repo right away. Finally, both principal package and WebUI are tiny packages, you should be able to upgrade them on most, even resource-limited routers.

Yeah, I've been upgrading pbr probably more than most and I can't reproduce it. The exact command used and the full console output capture would have been more helpful.

@odhiambo thank you for capturing status, I'll have a look at it.


Hi Stangri,
I'm helping a friend set up a new router that came with a flavour of OpenWrt on it.
The router is this model.

The issue is installing the PBR module on it as follows:

root@OpenWrt:/etc# opkg update
Downloading https://repo.openwrt.melmac.net/Packages.gz
Updated list of available packages in /var/opkg-lists/stangri_repo
Downloading https://downloads.immortalwrt.org/releases/21.02.1/packages/aarch64_generic/base/Packages.gz
Updated list of available packages in /var/opkg-lists/openwrt_base
Downloading https://downloads.immortalwrt.org/releases/packages-18.06-k5.4/aarch64_generic/luci/Packages.gz
Updated list of available packages in /var/opkg-lists/openwrt_luci
Downloading https://downloads.immortalwrt.org/releases/21.02.1/packages/aarch64_generic/packages/Packages.gz
Updated list of available packages in /var/opkg-lists/openwrt_packages
Downloading https://downloads.immortalwrt.org/releases/21.02.1/packages/aarch64_generic/routing/Packages.gz
Updated list of available packages in /var/opkg-lists/openwrt_routing
Downloading https://downloads.immortalwrt.org/releases/21.02.1/packages/aarch64_generic/telephony/Packages.gz
Updated list of available packages in /var/opkg-lists/openwrt_telephony
root@OpenWrt:/etc# opkg install pbr luci-app-pbr
Unknown package 'pbr'.
Installing luci-app-pbr (1.0.0-4) to root...
Downloading https://repo.openwrt.melmac.net/luci-app-pbr_1.0.0-4_all.ipk
Collected errors:
 * pkg_hash_check_unresolved: cannot find dependency kmod-nft-core for nftables-json
 * pkg_hash_fetch_best_installation_candidate: Packages for nftables-json found, but incompatible with the architectures configured
 * pkg_hash_check_unresolved: cannot find dependency firewall4 for pbr
 * pkg_hash_check_unresolved: cannot find dependency kmod-nft-core for pbr
 * pkg_hash_check_unresolved: cannot find dependency kmod-nft-nat for pbr
 * pkg_hash_fetch_best_installation_candidate: Packages for pbr found, but incompatible with the architectures configured
 * opkg_install_cmd: Cannot install package pbr.
 * satisfy_dependencies_for: Cannot satisfy the following dependencies for luci-app-pbr:
 * firewall4
 * kmod-nft-core
 * kmod-nft-nat
 * kmod-nft-core
 * opkg_install_cmd: Cannot install package luci-app-pbr.

Debug output as follows:

root@OpenWrt:/etc# cat openwrt_version
r4860-756dea68c
root@OpenWrt:/etc# cat openwrt_release
DISTRIB_ID='OpenWrt'
DISTRIB_RELEASE='SNAPSHOT'
DISTRIB_TARGET='rockchip/armv8'
DISTRIB_ARCH='aarch64_generic'
DISTRIB_TAINTS='no-all'
DISTRIB_REVISION='R22.11.13'
DISTRIB_DESCRIPTION='OpenWrt '
root@OpenWrt:/etc# cat openwrt_version
r4860-756dea68c

root@OpenWrt:/etc# cat /etc/config/dhcp

config dnsmasq
option domainneeded '1'
option localise_queries '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
option nonwildcard '1'
option localservice '1'
option cachesize '8000'
option mini_ttl '3600'
option ednspacket_max '1232'
list server '1.1.1.1'
option rebind_protection '0'
option noresolv '0'

config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option force '1'
option dhcpv6 'server'
option ra 'server'

config dhcp 'wan'
option interface 'wan'
option ignore '1'

config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'

config host
option name 'axl'
option dns '1'
option mac '44:37:e6:c4:0d:b6'
option ip '192.168.100.221'

config host
option name 'RBR20'
option dns '1'
option mac '78:d2:94:a1:35:8e'
option ip '192.168.100.178'

config host
option name 'Deco'
option dns '1'
option mac '1c:61:b4:03:cf:c4'
option ip '192.168.100.165'

config host

root@OpenWrt:/etc# cat /etc/config/firewall

config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option flow_offloading '1'
option flow_offloading_hw '1'
option fullcone '1'

config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option network 'lan'

config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
option network 'wan wan6'

config forwarding
option src 'lan'
option dest 'wan'

config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'

config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'

config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'

config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'

config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'

config rule
option name 'Support-UDP-Traceroute'
option src 'wan'
option dest_port '33434:33689'
option proto 'udp'
option family 'ipv4'
option target 'REJECT'
option enabled 'false'

config include
option path '/etc/firewall.user'

config include 'zerotier'
option type 'script'
option path '/etc/zerotier.start'
option reload '1'

config include 'miniupnpd'
option type 'script'
option path '/usr/share/miniupnpd/firewall.include'
option family 'any'
option reload '1'

config include 'luci_app_ipsec_server'
option type 'script'
option path '/var/etc/ipsecvpn.include'
option reload '1'

config include 'mia'
option type 'script'
option path '/etc/mia.include'
option reload '1'

config rule 'openvpn'
option name 'openvpn'
option target 'ACCEPT'
option src 'wan'
option proto 'tcp udp'
option dest_port '1194'

config zone 'vpn'
option name 'vpn'
option output 'ACCEPT'
option masq '1'
option input 'REJECT'
option forward 'REJECT'
option network 'vpn0 vpn1'

config include 'pptpd'
option type 'script'
option path '/etc/pptpd.include'
option reload '1'

config rule 'pptp'
option name 'pptp'
option target 'ACCEPT'
option src 'wan'
option proto 'tcp'
option dest_port '1723'

config rule 'gre'
option name 'gre'
option target 'ACCEPT'
option src 'wan'
option proto '47'

config zone 'docker'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option name 'docker'
list network 'docker docker'
list network 'docker'

config zone 'ipsecserver'
option name 'ipsecserver'
option input 'ACCEPT'
option forward 'ACCEPT'
option output 'ACCEPT'
option network 'ipsec_server'

config forwarding
option dest 'lan'
option src 'vpn'

config forwarding
option dest 'wan'
option src 'vpn'

config forwarding
option dest 'vpn'
option src 'lan'

config forwarding
option dest 'lan'
option src 'wan'

config forwarding
option dest 'vpn'
option src 'wan'

config redirect
option target 'DNAT'
option src 'wan'
option dest 'lan'
option proto 'udp'
option src_dport '51820'
option dest_ip '192.168.100.221'
option dest_port '51820'
option name 'wireguard-axl'

config include 'pbr'
option fw4_compatible '1'
option type 'script'
option path '/usr/share/pbr/pbr.firewall.include'

root@OpenWrt:/etc# cat /etc/config/network

config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'

config globals 'globals'
option packet_steering '1'
option ula_prefix 'fd3e:27bb:38d9::/48'

config interface 'lan'
option type 'bridge'
option ifname 'eth1 eth2 eth3'
option proto 'static'
option ipaddr '192.168.100.1'
option netmask '255.255.255.0'
option ip6assign '60'

config device 'lan_eth1_dev'
option name 'eth1'
option macaddr 'ea:c9:e2:ac:4e:d3'

config device 'lan_eth2_dev'
option name 'eth2'
option macaddr 'ea:c9:e2:ac:4e:d3'

config device 'lan_eth3_dev'
option name 'eth3'
option macaddr 'ea:c9:e2:ac:4e:d3'

config interface 'wan'
option ifname 'eth0'
option proto 'dhcp'
option peerdns '0'
option delegate '0'
option dns '192.168.100.1'
option metric '10'

config device 'wan_eth0_dev'
option name 'eth0'
option macaddr 'ea:c9:e2:ac:4e:d4'

config interface 'wan6'
option ifname 'eth0'
option proto 'dhcpv6'
option auto '0'
option reqaddress 'try'
option reqprefix 'auto'
option delegate '0'
option defaultroute '0'
option peerdns '0'

config interface 'vpn0'
option _orig_ifname 'tun0'
option _orig_bridge 'false'
option proto 'wireguard'
option metric '20'
option delegate '0'
option private_key 'xxxx'
option listen_port '5182'
list addresses '10.66.188.184/32'

config interface 'docker'
option ifname 'docker0'
option proto 'none'
option auto '0'

config device
option type 'bridge'
option name 'docker0'

config interface 'ipsec_server'
option ifname 'ipsec0'
option device 'ipsec0'
option proto 'static'
option ipaddr '192.168.100.1'
option netmask '255.255.255.0'
option auto '0'

config wireguard_vpn0
list allowed_ips '0.0.0.0/0'
option persistent_keepalive '25'
option public_key 'xxxx'
option endpoint_host '198.54.132.146'
option endpoint_port '5182'

config wireguard_vpn1
list allowed_ips '0.0.0.0/0'
option persistent_keepalive '25'
option endpoint_port '5183'
option public_key 'xxx'
option endpoint_host '89.46.62.210'

config interface 'vpn1'
option proto 'wireguard'
option private_key 'xxx'
option listen_port '5183'
list addresses '10.67.129.203/32'


root@OpenWrt:/etc# cat /etc/config/pbr
config pbr 'config'
option enabled '0'
option verbosity '2'
option strict_enforcement '1'
option resolver_set 'dnsmasq.ipset'
option ipv6_enabled '0'
list ignored_interface 'vpnserver'
list ignored_interface 'wgserver'
option boot_timeout '30'
option rule_create_option 'add'
option procd_reload_delay '1'
option webui_show_ignore_target '0'
list webui_supported_protocol 'all'
list webui_supported_protocol 'tcp'
list webui_supported_protocol 'udp'
list webui_supported_protocol 'tcp udp'
list webui_supported_protocol 'icmp'

config include
option path '/usr/share/pbr/pbr.user.aws'
option enabled 0

config include
option path '/usr/share/pbr/pbr.user.netflix'
option enabled 0

config policy
option name 'Plex/Emby Local Server'
option interface 'wan'
option src_port '8096 8920 32400'
option enabled '0'

config policy
option name 'Plex/Emby Remote Servers'
option interface 'wan'
option dest_addr 'plex.tv my.plexapp.com emby.media app.emby.media tv.emby.media'
option enabled '0'

config policy
option name 'WireGuard Server'
option interface 'wan'
option src_port '51820'
option chain 'output'
option proto 'udp'
option enabled '0'

root@OpenWrt:/etc# /etc/init.d/pbr status
pbr 1.0.0-4 running on OpenWrt SNAPSHOT. WAN (IPv4): wan/eth0/24.36.224.1.
============================================================
Dnsmasq version 2.86  Copyright (c) 2000-2021 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus UBus no-i18n no-IDN DHCP no-DHCPv6 no-Lua TFTP no-conntrack ipset no-auth no-cryptohash no-DNSSEC loop-detect inotify dumpfile
============================================================
Routes/IP Rules
default         *               0.0.0.0         U     0      0        0 vpn1
default         d##-##-###-1.ho 0.0.0.0         UG    10     0        0 eth0
default         *               0.0.0.0         U     20     0        0 vpn0
============================================================
Current ipsets
============================================================
Your support details have been logged to '/var/pbr-support'. [✓]

root@OpenWrt:/etc# /etc/init.d/pbr reload
ERROR: The pbr service is currently disabled!

Bring these up with the distribution maintainer.

You may have better luck installing pbr-iptables, which you would have realized if you checked out the first few paragraphs of the README. :wink:

I feel really stupid, but what do I need to do if I want the opposite? I want IPs not in the list to go through WAN and those on the list to go through VPN. (I also think it would be nice if you provided that example in the custom user files.) Thank you!

Oh, that was my WAN interface named in capital letters.

Go to the documentation and head to the section labeled "A Word About Default Routing". It will tell you how to do it for your type of VPN.