Policy-Based-Routing (pbr) package discussion

OK, the info is as follows:

root@ArcherC7:~# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option nonwildcard '1'
        option localservice '1'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'

config dhcp 'lan'
        option interface 'lan'
        option ignore '1'
        option start '100'
        option leasetime '12h'
        option limit '150'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'
        option start '100'
        option leasetime '12h'
        option limit '150'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

root@ArcherC7:~# cat /etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option synflood_protect '1'
        option forward 'ACCEPT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        list network 'lan'
        option forward 'ACCEPT'

config include
        option path '/etc/firewall.user'

config zone
        option name 'wan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        list network 'wan'
        option forward 'REJECT'

config zone
        option name 'vpn'
        list network 'vpn'
        option output 'ACCEPT'
        option masq '1'
        option input 'REJECT'
        option forward 'REJECT'

config include 'pbr'
        option fw4_compatible '1'
        option type 'script'
        option path '/usr/share/pbr/pbr.firewall.include'

config forwarding
        option dest 'vpn'
        option src 'lan'

root@ArcherC7:~# cat /etc/config/network

config interface 'loopback'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'
        option device 'lo'

config globals 'globals'
        option ula_prefix 'fd7f:b723:61ba::/48'

config interface 'lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option gateway '192.168.100.1'
        option ipaddr '192.168.100.2'
        option device 'br-lan'
        option metric '10'
        list dns '103.86.96.100'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '2 3 4 5 0t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '1 6t'

config device
        option type 'bridge'
        option name 'br-lan'
        list ports 'eth1'
        list ports 'eth1.1'

config device
        list ports 'eth0'
        list ports 'eth0.2'
        option type 'bridge'
        option name 'br-wan'
        option macaddr '98:DE:D0:C4:A8:E9'

config interface 'wan'
        option device 'br-wan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '192.168.1.2'
        option gateway '192.168.1.1'
        option metric '10'
        list dns '103.86.96.100'

config interface 'vpn'
        option proto 'wireguard'
        list addresses '10.5.0.2'
        option private_key 'OOT3uAgR0cX4Ls+w5Y1hfOpAqIFP97TgU24CslYAoE8='
        list dns '103.86.96.100 103.86.99.100'
        list dns '103.86.96.100'
        list dns '103.86.99.100'

config wireguard_vpn
        option public_key '0/x2PdBGfcIGr0ayFPFFjxcEEyhrlBRjR4kMcfwXJTU='
        option persistent_keepalive '25'
        list allowed_ips '0.0.0.0/0'
        option endpoint_host '62.182.99.232'
        option endpoint_port '51820'

root@ArcherC7:~# cat /etc/config/pbr

config pbr 'config'
        option verbosity '2'
        option strict_enforcement '1'
        option resolver_set 'none'
        option ipv6_enabled '0'
        list ignored_interface 'vpnserver'
        list ignored_interface 'wgserver'
        option boot_timeout '30'
        option rule_create_option 'add'
        option procd_reload_delay '1'
        option webui_show_ignore_target '0'
        list webui_supported_protocol 'all'
        list webui_supported_protocol 'tcp'
        list webui_supported_protocol 'udp'
        list webui_supported_protocol 'tcp udp'
        list webui_supported_protocol 'icmp'
        option enabled '1'

config include
        option path '/usr/share/pbr/pbr.user.aws'

config include
        option path '/usr/share/pbr/pbr.user.netflix'

config policy
        option interface 'vpn'
        option name 'Netflix'
        option dest_addr 'amazonaws.com netflix.com nflxext.com nflximg.net nflxso.net nflxvideo.net dvd.netflix.com'

config policy
        option name 'Plex/Emby Remote Servers'
        option interface 'vpn'
        option dest_addr 'plex.tv my.plexapp.com emby.media app.emby.media tv.emby.media app.plex.tv'

config policy
        option interface 'vpn'
        option name 'Prime'
        option dest_addr 'primevideo.com amazonvideo.com'

config policy
        option interface 'vpn'
        option name 'Disney+'
        option dest_addr 'bamtechmedia.com disneystreaming.com disneyplus.com'

config policy
        option name 'Roku'
        option dest_addr 'roku.com'
        option interface 'vpn'

config policy
        option interface 'vpn'
        option name 'Hbomax'
        option dest_addr 'hbomax.com'

config policy
        option name 'WireGuard Server'
        option src_port '51820'
        option chain 'output'
        option proto 'udp'
        option interface 'vpn'
        option enabled '0'

config policy
        option name 'Plex/Emby Local Server'
        option src_port '8096 8920 32400'
        option enabled '0'
        option interface 'lan'

root@ArcherC7:~# /etc/init.d/pbr status
============================================================
pbr - environment
pbr 1.0.1-3 running on OpenWrt 22.03.2. WAN (IPv4): lan/br-lan/192.168.100.1.
============================================================
Dnsmasq version 2.86  Copyright (c) 2000-2021 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus UBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth cryptohash DNSSEC no-ID loop-detect inotify dumpfile
============================================================
pbr chains - policies
        chain pbr_forward {
        }
        chain pbr_input {
        }
        chain pbr_output {
        }
        chain pbr_prerouting {
                ip daddr @pbr_vpn_4_dst_ip_cfg046ff5 goto pbr_mark_0x030000 comment "Netflix"
                ip daddr @pbr_vpn_4_dst_ip_cfg046ff5 goto pbr_mark_0x030000 comment "Netflix"
                ip daddr @pbr_vpn_4_dst_ip_cfg056ff5 goto pbr_mark_0x030000 comment "Plex/Emby Remote Servers"
                ip daddr @pbr_vpn_4_dst_ip_cfg066ff5 goto pbr_mark_0x030000 comment "Prime"
                ip daddr @pbr_vpn_4_dst_ip_cfg076ff5 goto pbr_mark_0x030000 comment "Disney+"
                ip daddr @pbr_vpn_4_dst_ip_cfg086ff5 goto pbr_mark_0x030000 comment "Roku"
                ip daddr @pbr_vpn_4_dst_ip_cfg096ff5 goto pbr_mark_0x030000 comment "Hbomax"
                ip daddr @pbr_lan_4_dst_ip_user goto pbr_mark_0x010000
                ip saddr @pbr_lan_4_src_ip_user goto pbr_mark_0x010000
                ether saddr @pbr_lan_4_src_mac_user goto pbr_mark_0x010000
                ip daddr @pbr_wan_4_dst_ip_user goto pbr_mark_0x020000
                ip saddr @pbr_wan_4_src_ip_user goto pbr_mark_0x020000
                ether saddr @pbr_wan_4_src_mac_user goto pbr_mark_0x020000
                ip daddr @pbr_vpn_4_dst_ip_user goto pbr_mark_0x030000
                ip saddr @pbr_vpn_4_src_ip_user goto pbr_mark_0x030000
                ether saddr @pbr_vpn_4_src_mac_user goto pbr_mark_0x030000
        }
        chain pbr_postrouting {
        }
============================================================
pbr chains - marking
        chain pbr_mark_0x010000 {
                counter packets 0 bytes 0 meta mark set meta mark & 0xff01ffff | 0x00010000
                return
        }
        chain pbr_mark_0x020000 {
                counter packets 0 bytes 0 meta mark set meta mark & 0xff02ffff | 0x00020000
                return
        }
        chain pbr_mark_0x030000 {
                counter packets 3662 bytes 250467 meta mark set meta mark & 0xff03ffff | 0x00030000
                return
        }
============================================================
pbr nft sets
        set pbr_vpn_4_dst_ip_cfg046ff5 {
                type ipv4_addr
                flags interval
                auto-merge
                comment "Netflix"
                elements = { 3.251.50.149, 18.236.7.30,
                             34.218.19.240, 34.252.74.1,
                             44.226.113.145, 46.137.171.215,
                             50.17.247.9, 52.31.48.193,
                             54.74.73.31, 54.155.178.5,
                             72.21.206.80, 72.21.210.29,
                             107.20.175.192, 204.236.236.127,
                             207.45.72.201, 207.45.72.215,
                             207.171.166.22 }
        }
        set pbr_vpn_4_dst_ip_cfg056ff5 {
                type ipv4_addr
                flags interval
                auto-merge
                comment "Plex/Emby Remote Servers"
                elements = { 18.200.51.241, 34.243.47.112,
                             52.48.60.59, 52.49.138.125,
                             104.18.18.96, 104.18.19.96,
                             173.230.139.54 }
        }
        set pbr_vpn_4_dst_ip_cfg066ff5 {
                type ipv4_addr
                flags interval
                auto-merge
                comment "Prime"
                elements = { 18.154.206.17, 18.154.206.47,
                             18.154.206.122, 18.154.206.127 }
        }
        set pbr_vpn_4_dst_ip_cfg076ff5 {
                type ipv4_addr
                flags interval
                auto-merge
                comment "Disney+"
                elements = { 34.110.155.89, 34.218.145.143,
                             54.71.61.241, 54.218.188.255,
                             139.104.192.37 }
        }
        set pbr_vpn_4_dst_ip_cfg086ff5 {
                type ipv4_addr
                flags interval
                auto-merge
                comment "Roku"
                elements = { 162.159.135.11, 162.159.136.11 }
        }
        set pbr_vpn_4_dst_ip_cfg096ff5 {
                type ipv4_addr
                flags interval
                auto-merge
                comment "Hbomax"
                elements = { 52.2.113.243, 52.24.7.205,
                             52.26.195.38, 52.26.195.185,
                             52.206.133.146, 52.206.158.144 }
        }
        set pbr_lan_4_dst_ip_user {
                type ipv4_addr
                policy memory
                flags interval
                auto-merge
                comment ""
        }
        set pbr_lan_4_src_ip_user {
                type ipv4_addr
                policy memory
                flags interval
                auto-merge
                comment ""
        }
        set pbr_lan_4_src_mac_user {
                type ether_addr
                policy memory
                flags interval
                auto-merge
                comment ""
        }
        set pbr_wan_4_dst_ip_user {
                type ipv4_addr
                policy memory
                flags interval
                auto-merge
                comment ""
        }
        set pbr_wan_4_src_ip_user {
                type ipv4_addr
                policy memory
                flags interval
                auto-merge
                comment ""
        }
        set pbr_wan_4_src_mac_user {
                type ether_addr
                policy memory
                flags interval
                auto-merge
                comment ""
        }
        set pbr_vpn_4_dst_ip_user {
                type ipv4_addr
                policy memory
                flags interval
                auto-merge
                comment ""
        }
        set pbr_vpn_4_src_ip_user {
                type ipv4_addr
                policy memory
                flags interval
                auto-merge
                comment ""
        }
        set pbr_vpn_4_src_mac_user {
                type ether_addr
                policy memory
                flags interval
                auto-merge
                comment ""
        }
============================================================
IPv4 table 256 route: default via 192.168.100.1 dev br-lan
IPv4 table 256 rule(s):
30000:  from all fwmark 0x10000/0xff0000 lookup pbr_lan
IPv4 table 257 route: default via 192.168.1.1 dev br-wan
IPv4 table 257 rule(s):
30001:  from all fwmark 0x20000/0xff0000 lookup pbr_wan
IPv4 table 258 route: default via 10.5.0.2 dev vpn
IPv4 table 258 rule(s):
30002:  from all fwmark 0x30000/0xff0000 lookup pbr_vpn
root@ArcherC7:~# /etc/init.d/pbr reload
Activating traffic killswitch [✓]
Setting up routing for 'lan/br-lan/192.168.100.1' [✓]
Setting up routing for 'wan/br-wan/192.168.1.1' [✓]
Setting up routing for 'vpn/10.5.0.2' [✓]
Routing 'Netflix' via vpn [✗]
Routing 'Plex/Emby Remote Servers' via vpn [✓]
Routing 'Prime' via vpn [✓]
Routing 'Disney+' via vpn [✓]
Routing 'Roku' via vpn [✓]
Routing 'Hbomax' via vpn [✓]
Deactivating traffic killswitch [✓]
pbr 1.0.1-3 monitoring interfaces: wan vpn
pbr 1.0.1-3 (nft) started with gateways:
lan/br-lan/192.168.100.1
wan/br-wan/192.168.1.1 [✓]
vpn/10.5.0.2
ERROR: Insertion failed for IPv4 for policy Netflix
ERROR:
nft 'add rule inet fw4 pbr_prerouting ip daddr {} goto pbr_mark_0x030000 comment "Netflix"'
root@ArcherC7:~#

A lot of the output got cut off.

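It is a bad idea to use domains in policies without dnsmasq.ipset or dnsmasq.nftset support: with `resolver_set 'none'`, as in the config above, each domain is only resolved to a fixed list of IPs when the service starts.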

I'm guessing the error is from one of the domains which cannot be resolved for some reason (the failed nft command above was built with an empty address set, `ip daddr {}`). I'll look into the proper error message for such a case in the future.

OK, thanks. I will try to enable dnsmasq.ipset or dnsmasq.nftset and see how it goes.

Edit: It seems I cannot get any version newer than dnsmasq-full_2.86-15_mips_24kc.ipk, even when installing manually; 2.87 is the required version, if I understand correctly.

Am on OpenWrt 22.03.2 r19803-9a599fee93 / LuCI openwrt-22.03 branch git-22.304.65171-ec905e6

Hi, can you add support for ipt/nft transparent proxy support?
Some proxy software supports transparent proxying, for example shadowsocks-libev and Tor.
However, there is no generic package for setting up a transparent proxy. shadowsocks-libev has ss-rules for doing this, but it cannot be used with other proxy software.
I searched package repo and found pbr has support for Tor transparent proxy: https://github.com/openwrt/packages/blob/71741d1a251cd2d3bf7b17891dbe3d59d3d63c76/net/pbr/files/etc/init.d/pbr.init#L1608
But I can't find any documentation for that. Is this feature still a work in progress?
Thanks for your great work!

Ping @yousong as he is maintainer of shadowsocks-libev.

Tor support has been fully implemented.

Proxy for what?

Last version is dnsmasq-full_2.88-1 and works fine.
If you are not using a snapshot firmware, then you have to find these files in the snapshots repository for your router's architecture and install them:

  • libubox20220927_2022-09-27-ea560134-1
  • libubox-lua_2022-09-27-ea560134-1
  • dnsmasq-full_2.88-1


By "transparent proxy" I mean iptables/nftables REDIRECT or TPROXY.
https://gitlab.torproject.org/legacy/trac/-/wikis/doc/TransparentProxy https://www.kernel.org/doc/html/latest/networking/tproxy.html

I hope you can make the "Tor transparent proxy" function a generic one, allowing the user to specify the target port. It would also be better to allow a policy's target to be set to this transparent proxy.

Thanks, I managed to install the latest dnsmasq following your steps:

wget https://downloads.openwrt.org/snapshots/packages/mips_24kc/base/dnsmasq-full_2.88-1_mips_24kc.ipk
wget https://downloads.openwrt.org/snapshots/packages/mips_24kc/base/libubox-lua_2022-09-27-ea560134-1_mips_24kc.ipk
wget https://downloads.openwrt.org/snapshots/packages/mips_24kc/base/libubox20220927_2022-09-27-ea560134-1_mips_24kc.ipk

opkg install libubox20220927_2022-09-27-ea560134-1_mips_24kc.ipk
opkg install libubox-lua_2022-09-27-ea560134-1_mips_24kc.ipk
opkg install dnsmasq-full_2.88-1_mips_24kc.ipk


I'm open to accepting the PR to support this.

Thanks! I don't know much about firewall, I will have a try.

@stangri

make menuconfig
tmp/.config-package.in:56630:error: recursive dependency detected!
tmp/.config-package.in:56630:	symbol PACKAGE_luci-app-pbr depends on PACKAGE_luci-app-pbr

When I try to install those packages on 22.03.2, I get the error below. How did you force-install them, and did you have any issues with using the newer versions?

root@OpenWrt:~# opkg install libubox20220927_2022-09-27-ea560134-1_mips_24kc.ipk
Unknown package 'libubox20220927'.
Collected errors:
 * pkg_hash_fetch_best_installation_candidate: Packages for libubox20220927 found, but incompatible with the architectures configured
 * opkg_install_cmd: Cannot install package libubox20220927.

Any details?

Do you have mips_24kc?
"...you have to find this files on snapshots repository of your router"


Yes, I compile OpenWrt from source; when I run make menuconfig, I get that message if PBR is selected.

I am having problems with Primevideo. In my setup, the router that does PBR is cascaded behind the LAN side of my ISP's router.
When I connect my laptop to my ISP's router I am able to access PrimeVideo content that is allowed for my country.
On my PBR router, this would be the equivalent of enabling the "Custom User File Includes" for AWS:

However, with that enabled, I am not able to access Primevideo. I get the message that my "device is connected to the Internet using a VPN or proxy service".

I find this strange, since anything to do with AMZN should be routed via the WAN (equivalent to connecting directly to my ISP's router).
Does anyone have a clue as to what the issue could be?

I am using 22.03.2 with pbr-1.0.1-3 using nft.

root@Belkin-RT3200:~# /etc/init.d/pbr reload
Activating traffic killswitch [✓]
Setting up routing for 'wan/192.168.1.1' [✓]
Setting up routing for 'vpnclient0/0.0.0.0' [✓]
Setting up routing for 'vpnclient1/0.0.0.0' [✓]
Setting up routing for 'vpnclient2/0.0.0.0' [✓]
Setting up routing for 'wgc0/10.5.0.2' [✓]
Routing 'KE' via wan [✓]
Routing 'HASS-PiHole' via wan [✓]
Running /usr/share/pbr/pbr.user.aws [✓]
Running /usr/share/pbr/pbr.user.ke.lst [✓]
Deactivating traffic killswitch [✓]
pbr 1.0.1-3 monitoring interfaces: wan vpnclient0 vpnclient1 vpnclient2 wgc0
pbr 1.0.1-3 (nft) started with gateways:
wan/192.168.1.1
vpnclient0/0.0.0.0
vpnclient1/0.0.0.0
vpnclient2/0.0.0.0
wgc0/10.5.0.2 [✓]
root@Belkin-RT3200:~#
config pbr 'config'
        option verbosity '2'
        option strict_enforcement '1'
        option resolver_set 'none'
        option ipv6_enabled '0'
        list supported_interface 'vpnclient0 vpnclient1 vpnclient2'
        list ignored_interface 'vpnserver'
        list ignored_interface 'wgserver'
        option boot_timeout '30'
        option rule_create_option 'add'
        option procd_reload_delay '1'
        option webui_show_ignore_target '0'
        list webui_supported_protocol 'all'
        list webui_supported_protocol 'tcp'
        list webui_supported_protocol 'udp'
        list webui_supported_protocol 'tcp udp'
        list webui_supported_protocol 'icmp'
        option enabled '1'

config include
        option path '/usr/share/pbr/pbr.user.aws'
        option enabled '1'

config include
        option path '/usr/share/pbr/pbr.user.ke.lst'
        option enabled '1'

config include
        option path '/usr/share/pbr/pbr.user.netflix'

config policy
        option name 'Plex/Emby Local Server'
        option interface 'wan'
        option src_port '8096 8920 32400'
        option enabled '0'

config policy
        option name 'Plex/Emby Remote Servers'
        option interface 'wan'
        option dest_addr 'plex.tv my.plexapp.com emby.media app.emby.media tv.emby.media'
        option enabled '0'

config policy
        option name 'WireGuard Server'
        option interface 'wan'
        option src_port '51820'
        option chain 'output'
        option proto 'udp'
        option enabled '0'

config policy
        option name 'amzn'
        option dest_addr 'amazon.com amazon.co.uk amazonvideo.com primevideo.com'
        option interface 'wan'
        option enabled '0'

config policy
        option name 'KE'
        option interface 'wan'
        option dest_addr '197.232.105.66 41.212.32.14 gw.titan.co.ke earnapp.com mail.panafcon.net jumia.co.ke facebook.com'

config policy
        option name 'HASS-PiHole'
        option interface 'wan'
        option src_addr '172.16.17.106'

config policy
        option name 'FireTVCube'
        option src_addr '172.16.18.99'
        option interface 'wan'
        option enabled '0'
============================================================
pbr - environment
pbr 1.0.1-3 running on OpenWrt 22.03.3. WAN (IPv4): wan/wan/192.168.1.1.
============================================================
Dnsmasq version 2.86  Copyright (c) 2000-2021 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus UBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth cryptohash DNSSEC no-ID loop-detect inotify dumpfile
============================================================
pbr chains - policies
	chain pbr_forward {
	}
	chain pbr_input {
	}
	chain pbr_output {
	}
	chain pbr_prerouting {
		ip daddr @pbr_wan_4_dst_ip_cfg096ff5 goto pbr_mark_0x010000 comment "KE"
		ip saddr @pbr_wan_4_src_ip_cfg0a6ff5 goto pbr_mark_0x010000 comment "HASS-PiHole"
		ip daddr @pbr_wan_4_dst_ip_user goto pbr_mark_0x010000
		ip saddr @pbr_wan_4_src_ip_user goto pbr_mark_0x010000
		ether saddr @pbr_wan_4_src_mac_user goto pbr_mark_0x010000
		ip daddr @pbr_vpnclient0_4_dst_ip_user goto pbr_mark_0x020000
		ip saddr @pbr_vpnclient0_4_src_ip_user goto pbr_mark_0x020000
		ether saddr @pbr_vpnclient0_4_src_mac_user goto pbr_mark_0x020000
		ip daddr @pbr_vpnclient1_4_dst_ip_user goto pbr_mark_0x030000
		ip saddr @pbr_vpnclient1_4_src_ip_user goto pbr_mark_0x030000
		ether saddr @pbr_vpnclient1_4_src_mac_user goto pbr_mark_0x030000
		ip daddr @pbr_vpnclient2_4_dst_ip_user goto pbr_mark_0x040000
		ip saddr @pbr_vpnclient2_4_src_ip_user goto pbr_mark_0x040000
		ether saddr @pbr_vpnclient2_4_src_mac_user goto pbr_mark_0x040000
		ip daddr @pbr_wgc0_4_dst_ip_user goto pbr_mark_0x050000
		ip saddr @pbr_wgc0_4_src_ip_user goto pbr_mark_0x050000
		ether saddr @pbr_wgc0_4_src_mac_user goto pbr_mark_0x050000
	}
	chain pbr_postrouting {
	}
============================================================
pbr chains - marking
	chain pbr_mark_0x010000 {
		counter packets 222 bytes 122302 meta mark set meta mark & 0xff01ffff | 0x00010000
		return
	}
	chain pbr_mark_0x020000 {
		counter packets 0 bytes 0 meta mark set meta mark & 0xff02ffff | 0x00020000
		return
	}
	chain pbr_mark_0x030000 {
		counter packets 0 bytes 0 meta mark set meta mark & 0xff03ffff | 0x00030000
		return
	}
	chain pbr_mark_0x040000 {
		counter packets 0 bytes 0 meta mark set meta mark & 0xff04ffff | 0x00040000
		return
	}
	chain pbr_mark_0x050000 {
		counter packets 0 bytes 0 meta mark set meta mark & 0xff05ffff | 0x00050000
		return
	}
============================================================
pbr nft sets
	set pbr_wan_4_dst_ip_cfg096ff5 {
		type ipv4_addr
		flags interval
		auto-merge
		comment "KE"
		elements = { 41.212.32.14, 41.222.14.206,
			     102.132.96.35, 104.16.109.55,
			     104.16.110.55, 104.22.74.214,
			     104.22.75.214, 172.67.25.47,
			     197.232.25.162, 197.232.105.66 }
	}
	set pbr_wan_4_src_ip_cfg0a6ff5 {
		type ipv4_addr
		flags interval
		auto-merge
		comment "HASS-PiHole"
		elements = { 172.16.17.106 }
	}
	set pbr_wan_4_dst_ip_user {
		type ipv4_addr
		policy memory
		flags interval
		auto-merge
		comment ""
		elements = { 3.0.0.0-3.2.0.255, 3.2.2.0/23,
			     3.2.8.0/21, 3.2.32.0/24,
			     3.2.33.64-3.2.34.63, 3.2.34.128-3.2.36.127,
			     3.2.37.0/26, 3.2.37.128/26,
			     3.2.38.0/26, 3.2.38.128-3.2.39.191,
			     3.2.40.0/25, 3.2.41.0-3.2.42.127,
			     3.2.42.192-3.2.43.127, 3.2.47.0/25,
			     3.2.47.192-3.2.50.255, 3.3.0.0-3.3.2.255,
			     3.3.5.0-3.3.31.255, 3.4.0.0-3.4.4.255,
			     3.4.6.0-3.4.8.255, 3.4.16.0/20,
			     3.5.0.0-3.5.59.255, 3.5.64.0-3.5.73.255,
			     3.5.76.0-3.5.87.255, 3.5.128.0-3.5.169.255,
			     3.5.208.0-3.5.213.255, 3.5.216.0-3.32.255.255,
			     3.33.34.0/23, 3.33.44.0/22,
			     3.33.128.0-3.39.255.255, 3.64.0.0-3.99.255.255,
			     3.101.0.0/16, 3.104.0.0-3.115.255.255,
			     3.120.0.0-3.151.255.255, 3.160.0.0/14,
			     3.208.0.0-3.239.255.255, 3.248.0.0/13,
			     13.32.0.0/15, 13.34.0.128/26,
			     13.34.1.0/26, 13.34.2.0/26,
			     13.34.2.128/26, 13.34.3.128/25,
			     13.34.4.64/26, 13.34.5.0/24,
			     13.34.6.192-13.34.7.127, 13.34.7.192/26,
			     13.34.8.64/26, 13.34.9.0/26,
			     13.34.9.76, 13.34.10.128/26,
			     13.34.11.0/26, 13.34.11.128/25,
			     13.34.12.64/26, 13.34.12.192-13.34.13.63,
			     13.34.13.128/26, 13.34.14.128-13.34.15.63,
			     13.34.15.128/26, 13.34.16.64-13.34.17.127,
			     13.34.18.128/25, 13.34.19.64/26,
			     13.34.19.192-13.34.20.127, 13.34.20.192/26,
			     13.34.21.64-13.34.21.223, 13.34.22.88-13.34.23.255,
			     13.34.24.64-13.34.24.223, 13.34.25.64-13.34.25.223,
			     13.34.25.248-13.34.26.223, 13.34.27.0-13.34.27.159,
			     13.34.28.0-13.34.32.191, 13.34.33.0-13.34.38.191,
			     13.34.39.0-13.34.68.191, 13.34.69.0-13.34.86.63,
			     13.34.86.96-13.34.88.191, 13.35.0.0-13.43.255.255,
			     13.48.0.0-13.59.255.255, 13.112.0.0/14,
			     13.124.0.0/14, 13.184.0.0/13,
			     13.200.0.0-13.215.255.255, 13.224.0.0/12,
			     13.244.0.0-13.248.73.255, 13.248.96.0-13.251.255.255,
			     15.152.0.0/16, 15.156.0.0-15.158.255.255,
			     15.160.0.0/15, 15.164.0.0/15,
			     15.168.0.0/16, 15.177.0.0-15.177.94.255,
			     15.177.96.0-15.177.100.255, 15.181.0.0-15.181.254.255,
			     15.184.0.0/15, 15.188.0.0/16,
			     15.190.0.0/22, 15.190.8.0/22,
			     15.190.16.0/20, 15.190.48.0/20,
			     15.193.0.0/19, 15.197.0.0-15.197.39.255,
			     15.197.128.0/17, 15.200.0.0/16,
			     15.205.0.0-15.207.255.255, 15.220.0.0-15.220.207.255,
			     15.220.208.128/26, 15.220.216.0-15.221.53.255,
			     15.221.128.0/22, 15.222.0.0/15,
			     15.228.0.0/15, 15.230.0.4-15.230.0.9,
			     15.230.0.12-15.230.0.14, 15.230.4.19,
			     15.230.4.152-15.230.4.167, 15.230.4.176/28,
			     15.230.5.0-15.230.6.255, 15.230.9.10-15.230.9.15,
			     15.230.9.44/30, 15.230.9.248,
			     15.230.9.252/31, 15.230.14.12,
			     15.230.14.17-15.230.14.23, 15.230.14.248/31,
			     15.230.14.252/31, 15.230.16.0,
			     15.230.16.12, 15.230.16.17-15.230.16.23,
			     15.230.16.196/30, 15.230.16.252/31,
			     15.230.18.0/24, 15.230.19.12,
			     15.230.19.18/31, 15.230.19.248-15.230.19.253,
			     15.230.21.0-15.230.32.255, 15.230.35.0-15.230.43.255,
			     15.230.49.0-15.230.63.6, 15.230.64.0-15.230.79.191,
			     15.230.80.0/20, 15.230.129.0-15.230.133.24,
			     15.230.133.26-15.230.133.31, 15.230.134.0-15.230.138.255,
			     15.230.140.0-15.230.145.255, 15.230.148.0-15.230.149.1,
			     15.230.149.4/31, 15.230.149.8/30,
			     15.230.150.0-15.230.169.7, 15.230.170.0/23,
			     15.230.173.0-15.230.174.255, 15.230.176.0-15.230.177.4,
			     15.230.178.0-15.230.179.23, 15.230.180.0-15.230.186.255,
			     15.230.188.0-15.230.190.255, 15.230.192.0-15.230.199.15,
			     15.230.200.0-15.230.202.3, 15.230.203.0-15.230.204.3,
			     15.230.205.0-15.230.208.255, 15.230.210.0-15.230.215.255,
			     15.230.217.0-15.230.223.5, 15.230.240.0-15.230.251.6,
			     15.230.252.0-15.230.254.4, 15.230.255.0/24,
			     15.236.0.0/15, 15.248.8.0/22,
			     15.248.16.0-15.248.43.255, 15.248.48.0/21,
			     15.248.64.0/21, 15.251.0.0/28,
			     15.251.0.20-15.251.0.29, 15.253.0.0-15.254.255.255,
			     16.12.0.0-16.12.2.255, 16.12.4.0-16.12.20.255,
			     16.12.24.0-16.12.41.255, 16.12.48.0-16.12.58.255,
			     16.16.0.0/16, 16.24.0.0/14,
			     16.50.0.0-16.55.255.255, 16.62.0.0/15,
			     16.78.0.0/15, 16.154.0.0-16.159.255.255,
			     16.162.0.0/15, 16.168.0.0/14,
			     16.176.0.0/14, 16.182.0.0/16,
			     18.34.0.0-18.34.79.255, 18.34.232.0-18.34.255.255,
			     18.60.0.0/15, 18.64.0.0-18.68.255.255,
			     18.88.0.0/18, 18.88.128.0/18,
			     18.89.0.0/18, 18.100.0.0-18.102.255.255,
			     18.116.0.0/14, 18.130.0.0/16,
			     18.132.0.0-18.136.255.255, 18.138.0.0-18.145.255.255,
			     18.153.0.0-18.173.255.255, 18.175.0.0-18.185.255.255,
			     18.188.0.0-18.239.255.255, 18.244.0.0-18.246.255.255,
			     18.252.0.0-18.254.255.255, 23.20.0.0/14,
			     27.0.0.0/22, 34.192.0.0/10,
			     35.71.64.0-35.71.75.255, 35.71.96.0-35.71.121.255,
			     35.71.128.0-35.95.255.255, 35.152.0.0-35.183.255.255,
			     36.103.232.0-36.103.232.191, 40.176.0.0-40.181.255.255,
			     41.57.96.0/20, 41.72.160.0/19,
			     41.75.144.0/20, 41.76.168.0/21,
			     41.76.184.0/21, 41.78.24.0/22,
			     41.79.8.0/22, 41.79.168.0/22,
			     41.79.228.0/22, 41.79.252.0-41.81.255.255,
			     41.89.0.0-41.90.255.255, 41.138.240.0/20,
			     41.139.128.0/17, 41.191.192.0/21,
			     41.203.208.0/20, 41.204.160.0/19,
			     41.206.32.0/19, 41.207.64.0/18,
			     41.209.0.0/18, 41.212.0.0/17,
			     41.215.0.0-41.215.143.255, 41.217.220.0/22,
			     41.220.112.0/20, 41.222.8.0/21,
			     41.222.160.0/21, 41.223.56.0/22,
			     41.223.148.0/22, 41.242.0.0/21,
			     43.192.0.0-43.193.127.255, 43.194.0.0-43.196.255.255,
			     43.198.0.0-43.211.255.255, 43.218.0.0/16,
			     43.249.44.0/22, 43.250.192.0/23,
			     44.192.0.0/10, 46.51.128.0-46.51.211.255,
			     46.51.216.0-46.51.255.255, 46.137.0.0/16,
			     47.128.0.0/14, 50.16.0.0/14,
			     50.112.0.0/16, 51.16.0.0/15,
			     51.20.0.0-51.31.255.255, 51.44.0.0/14,
			     51.84.0.0/14, 51.92.0.0-51.101.255.255,
			     51.112.0.0/15, 51.118.0.0/15,
			     52.0.0.0-52.46.159.255, 52.46.164.0-52.46.187.255,
			     52.46.192.0-52.46.243.255, 52.46.249.0-52.82.169.31,
			     52.82.170.0/23, 52.82.176.0-52.82.185.255,
			     52.82.187.0-52.93.5.255, 52.93.8.0/22,
			     52.93.12.12/31, 52.93.14.18/31,
			     52.93.16.0/23, 52.93.18.178/31,
			     52.93.19.236/31, 52.93.20.0/24,
			     52.93.21.14/31, 52.93.32.176,
			     52.93.32.179-52.93.32.180, 52.93.32.183-52.93.32.184,
			     52.93.34.40, 52.93.34.42,
			     52.93.34.56/31, 52.93.34.120/29,
			     52.93.35.212/31, 52.93.37.222/31,
			     52.93.38.0/24, 52.93.43.0/24,
			     52.93.48.0/24, 52.93.50.128-52.93.50.195,
			     52.93.51.28/31, 52.93.55.144-52.93.55.149,
			     52.93.55.152-52.93.55.167, 52.93.56.0/23,
			     52.93.58.32/28, 52.93.59.0-52.93.60.255,
			     52.93.62.0-52.93.64.255, 52.93.66.0/23,
			     52.93.69.0/24, 52.93.71.27-52.93.71.32,
			     52.93.71.37-52.93.71.47, 52.93.73.0/26,
			     52.93.75.0-52.93.76.255, 52.93.78.0/24,
			     52.93.80.0/23, 52.93.87.96/27,
			     52.93.91.96-52.93.91.115, 52.93.92.64-52.93.92.75,
			     52.93.96.0/22, 52.93.112.0/24,
			     52.93.115.0/24, 52.93.116.148/31,
			     52.93.116.250/31, 52.93.120.176/30,
			     52.93.121.187-52.93.121.190, 52.93.121.195-52.93.121.198,
			     52.93.122.131, 52.93.122.202/31,
			     52.93.122.218, 52.93.122.255,
			     52.93.123.6, 52.93.123.11,
			     52.93.123.98/31, 52.93.123.136,
			     52.93.123.255, 52.93.124.14/31,
			     52.93.124.96/31, 52.93.124.210-52.93.124.213,
			     52.93.125.42/31, 52.93.126.76,
			     52.93.126.122/31, 52.93.126.130-52.93.126.139,
			     52.93.126.144/30, 52.93.126.198/31,
			     52.93.126.204/30, 52.93.126.212/30,
			     52.93.126.234/31, 52.93.126.244/31,
			     52.93.126.250/31, 52.93.127.17-52.93.127.19,
			     52.93.127.24/30, 52.93.127.68/30,
			     52.93.127.92-52.93.127.133, 52.93.127.138/31,
			     52.93.127.146-52.93.127.149, 52.93.127.152-52.93.127.169,
			     52.93.127.172-52.93.127.185, 52.93.127.194-52.93.127.207,
			     52.93.127.216-52.93.127.221, 52.93.127.232,
			     52.93.127.237-52.93.127.239, 52.93.127.244-52.93.127.255,
			     52.93.129.95, 52.93.131.217,
			     52.93.133.127, 52.93.133.129,
			     52.93.133.131, 52.93.133.133,
			     52.93.133.153, 52.93.133.155,
			     52.93.133.175, 52.93.133.177,
			     52.93.133.179, 52.93.133.181,
			     52.93.134.181, 52.93.135.195,
			     52.93.137.0/24, 52.93.138.12,
			     52.93.138.252/31, 52.93.139.248-52.93.139.250,
			     52.93.139.252/31, 52.93.141.212-52.93.141.245,
			     52.93.146.5, 52.93.149.0-52.93.151.255,
			     52.93.153.80, 52.93.153.148/31,
			     52.93.153.168-52.93.153.179, 52.93.156.0/22,
			     52.93.178.128-52.93.178.235, 52.93.182.128/26,
			     52.93.193.192-52.93.193.203, 52.93.198.0/25,
			     52.93.229.148/31, 52.93.236.0/23,
			     52.93.240.146-52.93.240.205, 52.93.245.0/24,
			     52.93.247.0/25, 52.93.248.0/22,
			     52.93.254.0/24, 52.94.0.0-52.94.20.255,
			     52.94.22.0-52.94.30.255, 52.94.32.0-52.94.69.255,
			     52.94.72.0-52.94.146.255, 52.94.148.0/22,
			     52.94.152.3, 52.94.152.9,
			     52.94.152.11-52.94.152.12, 52.94.152.44,
			     52.94.152.60-52.94.152.69, 52.94.152.176/29,
			     52.94.160.0-52.94.198.159, 52.94.199.0-52.94.201.63,
			     52.94.204.0-52.94.248.239, 52.94.249.32-52.94.250.63,
			     52.94.252.0-52.95.29.63, 52.95.30.0/23,
			     52.95.34.0-52.95.42.255, 52.95.48.0-52.95.190.255,
			     52.95.192.0-52.95.219.255, 52.95.224.0-52.95.230.255,
			     52.95.235.0/24, 52.95.239.0-52.95.255.159,
			     52.119.128.0-52.119.199.255, 52.119.205.0-52.119.249.255,
			     52.119.252.0/22, 52.124.128.0/17,
			     52.144.133.32/27, 52.144.192.0-52.144.193.191,
			     52.144.194.0-52.144.195.63, 52.144.196.192/26,
			     52.144.197.128/25, 52.144.199.128/26,
			     52.144.200.64-52.144.200.191, 52.144.201.64-52.144.201.191,
			     52.144.205.0/26, 52.144.208.0/30,
			     52.144.208.64-52.144.211.203, 52.144.212.64/26,
			     52.144.212.192/26, 52.144.213.64/26,
			     52.144.214.128/26, 52.144.215.0/30,
			     52.144.215.192-52.144.215.203, 52.144.216.0-52.144.216.11,
			     52.144.218.0/25, 52.144.223.64-52.144.223.191,
			     52.144.224.64-52.144.225.191, 52.144.227.64/26,
			     52.144.227.192-52.144.228.3, 52.144.228.64-52.144.229.127,
			     52.144.230.0/26, 52.144.230.204-52.144.230.211,
			     52.144.231.64/26, 52.144.233.64/29,
			     52.144.233.128/29, 52.144.233.192/26,
			     52.192.0.0-52.219.19.255, 52.219.24.0-52.219.47.255,
			     52.219.56.0-52.219.75.255, 52.219.80.0-52.219.149.255,
			     52.219.152.0-52.219.161.255, 52.219.164.0-52.219.200.255,
			     52.219.202.0-52.219.218.255, 52.219.220.0/23,
			     52.219.224.0-52.219.235.255, 52.220.0.0-52.223.127.255,
			     54.20.0.0/15, 54.46.0.0/15,
			     54.64.0.0/11, 54.116.0.0/15,
			     54.144.0.0-54.222.39.255, 54.222.48.0/21,
			     54.222.57.0-54.222.58.15, 54.222.58.32/27,
			     54.222.59.0/24, 54.222.64.0/21,
			     54.222.76.0-54.222.99.255, 54.222.112.0-54.239.39.255,
			     54.239.40.152/29, 54.239.48.0-54.239.71.255,
			     54.239.96.0/24, 54.239.98.0-54.239.101.255,
			     54.239.102.162/31, 54.239.102.232-54.239.102.237,
			     54.239.103.128/26, 54.239.104.0-54.239.113.255,
			     54.239.115.0/25, 54.239.116.0-54.239.223.255,
			     54.240.17.0/24, 54.240.128.0-54.240.200.255,
			     54.240.202.0-54.240.223.255, 54.240.225.0-54.240.235.255,
			     54.240.236.1-54.240.236.2, 54.240.236.5-54.240.236.6,
			     54.240.236.9-54.240.236.10, 54.240.236.13-54.240.236.14,
			     54.240.236.17-54.240.236.18, 54.240.236.21-54.240.236.22,
			     54.240.236.25-54.240.236.26, 54.240.236.29-54.240.236.30,
			     54.240.236.33-54.240.236.34, 54.240.236.37-54.240.236.38,
			     54.240.236.41-54.240.236.42, 54.240.236.45-54.240.236.46,
			     54.240.236.49-54.240.236.50, 54.240.236.53-54.240.236.54,
			     54.240.236.57-54.240.236.58, 54.240.236.61-54.240.236.62,
			     54.240.236.65-54.240.236.66, 54.240.236.69-54.240.236.70,
			     54.240.236.73-54.240.236.74, 54.240.236.77-54.240.236.78,
			     54.240.236.81-54.240.236.82, 54.240.236.85-54.240.236.86,
			     54.240.236.89-54.240.236.90, 54.240.236.93-54.240.236.94,
			     54.240.241.0/24, 54.240.244.0-54.255.255.255,
			     56.156.0.0/15, 57.104.0.0/13,
			     57.180.0.0/14, 58.254.138.0-58.254.138.191,
			     62.8.64.0/19, 62.12.112.0/21,
			     62.24.96.0/19, 63.32.0.0/14,
			     63.246.112.0/22, 63.246.119.0-63.246.127.255,
			     64.187.128.0/20, 64.252.64.0-64.252.191.255,
			     65.0.0.0/14, 65.8.0.0-65.9.191.255,
			     67.202.0.0/18, 67.220.224.0/19,
			     68.66.112.0/20, 68.79.0.0/18,
			     69.107.3.176/28, 69.107.6.112/28,
			     69.107.6.160/28, 69.107.6.200-69.107.6.231,
			     69.107.7.0-69.107.7.23, 69.107.7.32-69.107.7.143,
			     69.230.192.0/18, 69.231.128.0/18,
			     69.234.192.0/18, 69.235.128.0/18,
			     70.132.0.0/18, 70.224.192.0/18,
			     70.232.64.0/18, 71.131.192.0-71.132.63.255,
			     71.136.64.0/18, 71.137.0.0/18,
			     71.141.0.0/20, 71.152.0.0/17,
			     72.21.192.0/19, 72.41.0.0/20,
			     72.44.32.0/19, 75.2.0.0/17,
			     75.79.0.0/16, 75.101.128.0/17,
			     76.223.0.0/17, 76.223.168.0/24,
			     76.223.170.0/28, 76.223.172.0/22,
			     77.220.0.0/19, 79.125.0.0/17,
			     80.72.96.0/20, 80.88.4.0/23,
			     87.238.80.0/21, 87.255.96.0/19,
			     91.233.121.0/24, 96.0.0.0-96.0.93.255,
			     96.0.96.0-96.0.101.255, 96.127.0.0/17,
			     98.80.0.0/12, 98.130.0.0/15,
			     99.77.0.0/18, 99.77.128.0/18,
			     99.77.233.0-99.77.254.255, 99.78.128.0-99.78.172.255,
			     99.78.176.0-99.78.199.255, 99.78.208.0/20,
			     99.78.228.0-99.81.255.255, 99.82.128.0/18,
			     99.83.64.0-99.83.102.255, 99.83.112.0-99.83.123.255,
			     99.83.128.0-99.84.255.255, 99.86.0.0-99.87.35.255,
			     99.150.0.0/17, 99.151.64.0-99.151.159.255,
			     99.151.168.0/21, 99.151.184.0-99.151.189.255,
			     100.20.0.0-100.31.255.255, 102.0.0.0/13,
			     102.22.108.0/22, 102.22.208.0/21,
			     102.23.136.0/22, 102.67.152.0/22,
			     102.68.20.0/23, 102.68.76.0/22,
			     102.68.141.0-102.68.142.255, 102.69.224.0-102.69.235.255,
			     102.69.239.0/24, 102.130.102.0/24,
			     102.134.129.0/24, 102.135.168.0/21,
			     102.140.192.0/18, 102.164.52.0-102.164.63.255,
			     102.166.0.0/15, 102.176.180.0/22,
			     102.213.92.0/22, 102.213.208.0/22,
			     102.213.216.0/22, 102.213.241.0-102.213.242.255,
			     102.213.248.0/22, 102.214.16.0/22,
			     102.214.72.0/21, 102.214.84.0/22,
			     102.214.96.0/22, 102.214.140.0/23,
			     102.214.156.0/22, 102.214.252.0/22,
			     102.215.4.0/22, 102.215.12.0/22,
			     102.215.32.0/22, 102.215.40.0/22,
			     102.215.76.0/22, 102.215.116.0-102.215.123.255,
			     102.215.188.0/22, 102.216.64.0/21,
			     102.216.84.0/22, 102.216.116.0/23,
			     102.216.119.0/24, 102.216.154.0/23,
			     102.217.4.0/22, 102.217.54.0/23,
			     102.217.64.0/22, 102.217.100.0/22,
			     102.217.120.0-102.217.135.255, 102.217.144.0/22,
			     102.217.156.0/22, 102.217.172.0/23,
			     102.217.244.0/22, 102.218.32.0/22,
			     102.218.124.0/22, 102.218.208.0/22,
			     102.218.232.0/22, 102.219.23.0/24,
			     102.219.139.0/24, 102.219.190.0-102.219.193.255,
			     102.219.208.0/22, 102.219.248.0/22,
			     102.220.12.0/22, 102.220.20.0/24,
			     102.220.22.0/23, 102.220.36.0/22,
			     102.220.116.0/23, 102.220.119.0/24,
			     102.220.168.0/22, 102.220.180.0/22,
			     102.220.221.0/24, 102.220.228.0/22,
			     102.220.236.0/22, 102.220.251.0/24,
			     102.221.32.0/22, 102.221.73.0/24,
			     102.221.98.0/23, 102.221.124.0/22,
			     102.221.192.0/22, 102.222.4.0/22,
			     102.222.44.0/22, 102.222.144.0/22,
			     102.222.220.0/22, 102.222.244.0/22,
			     102.223.32.0/22, 102.223.84.0/22,
			     102.223.204.0/23, 103.4.8.0/21,
			     103.8.172.0/22, 103.246.148.0/22,
			     104.255.56.11-104.255.56.12, 104.255.59.81-104.255.59.83,
			     104.255.59.85-104.255.59.88, 104.255.59.91,
			     104.255.59.101-104.255.59.106, 104.255.59.114/31,
			     104.255.59.118/31, 104.255.59.122-104.255.59.127,
			     104.255.59.130-104.255.59.139, 105.48.0.0/12,
			     105.160.0.0/13, 105.230.0.0/15,
			     107.20.0.0/14, 107.176.0.0/15,
			     108.128.0.0-108.139.255.255, 108.156.0.0/14,
			     108.166.224.0/19, 108.175.48.0/20,
			     116.129.226.0-116.129.226.191, 118.193.97.64-118.193.97.255,
			     119.147.182.0-119.147.182.191, 120.52.12.64/26,
			     120.52.22.96/27, 120.52.39.128/27,
			     120.52.153.192/26, 120.232.236.0-120.232.236.191,
			     120.253.240.192/26, 120.253.241.160/27,
			     120.253.245.128-120.253.245.223, 122.248.192.0/18,
			     130.176.0.0-130.176.239.255, 130.176.254.0/23,
			     136.8.0.0/15, 136.18.18.0-136.18.23.255,
			     136.18.50.0/23, 140.179.0.0/16,
			     142.4.160.0-142.4.161.15, 142.4.177.0/24,
			     143.204.0.0/16, 144.220.0.0/16,
			     150.222.0.0/24, 150.222.2.0/24,
			     150.222.3.176-150.222.3.255, 150.222.5.0-150.222.7.255,
			     150.222.8.240/30, 150.222.10.0-150.222.11.1,
			     150.222.11.74-150.222.11.81, 150.222.11.84-150.222.11.97,
			     150.222.12.0/23, 150.222.14.72/31,
			     150.222.15.124-150.222.15.133, 150.222.27.12,
			     150.222.27.18/31, 150.222.27.234/31,
			     150.222.28.17-150.222.28.19, 150.222.28.104-150.222.28.143,
			     150.222.51.160-150.222.51.255, 150.222.66.0/23,
			     150.222.69.0-150.222.85.255, 150.222.87.0-150.222.102.255,
			     150.222.104.0-150.222.106.255, 150.222.108.0-150.222.110.255,
			     150.222.112.0/21, 150.222.120.20/31,
			     150.222.120.62/31, 150.222.120.224-150.222.120.235,
			     150.222.120.240-150.222.120.252, 150.222.120.255-150.222.121.255,
			     150.222.122.92-150.222.122.117, 150.222.129.19-150.222.129.21,
			     150.222.129.62-150.222.129.67, 150.222.129.69,
			     150.222.129.110-150.222.129.159, 150.222.129.224/30,
			     150.222.129.240-150.222.129.252, 150.222.129.255,
			     150.222.133.0-150.222.136.255, 150.222.138.0/24,
			     150.222.139.116-150.222.139.127, 150.222.140.0/22,
			     150.222.164.208/30, 150.222.164.220-150.222.164.222,
			     150.222.176.0-150.222.180.255, 150.222.196.0/24,
			     150.222.199.0/25, 150.222.202.0-150.222.207.255,
			     150.222.208.64-150.222.208.97, 150.222.210.0/24,
			     150.222.212.0/24, 150.222.213.40/31,
			     150.222.214.0/23, 150.222.217.12,
			     150.222.217.17, 150.222.217.226-150.222.217.235,
			     150.222.217.248/30, 150.222.218.0-150.222.224.255,
			     150.222.226.0-150.222.229.255, 150.222.230.51,
			     150.222.230.92-150.222.230.131, 150.222.231.0/24,
			     150.222.232.51, 150.222.232.88,
			     150.222.232.93-150.222.232.126, 150.222.232.128-150.222.232.227,
			     150.222.233.0-150.222.234.87, 150.222.234.96-150.222.234.143,
			     150.222.235.0-150.222.237.255, 150.222.239.0/24,
			     150.222.242.84/31, 150.222.242.214/31,
			     150.222.245.122/31, 150.222.252.244-150.222.252.251,
			     151.148.8.0/21, 151.148.32.0-151.148.41.255,
			     154.70.0.0/18, 154.76.0.0/14,
			     154.115.160.0/19, 154.122.0.0/15,
			     154.152.0.0/13, 156.0.232.0/23,
			     157.152.0.0/16, 157.175.0.0/16,
			     157.241.0.0/16, 160.1.0.0/16,
			     160.119.216.0/22, 160.119.244.0/23,
			     161.188.128.0-161.188.161.255, 161.189.0.0/16,
			     162.213.232.0/22, 162.222.148.0/22,
			     162.250.236.0/22, 165.90.0.0/19,
			     169.239.160.0/22, 169.239.168.0/22,
			     169.239.252.0/22, 169.255.9.0/24,
			     169.255.104.0/22, 172.96.97.0-172.96.98.255,
			     172.96.110.0/24, 174.129.0.0/16,
			     175.41.128.0/17, 176.32.64.0-176.32.123.255,
			     176.32.124.128-176.32.125.255, 176.34.0.0/16,
			     177.71.128.0/17, 177.72.240.0/21,
			     178.236.0.0/20, 180.163.57.0-180.163.57.191,
			     184.32.0.0/12, 184.72.0.0/15,
			     184.169.128.0/17, 185.48.120.0/22,
			     185.143.16.0/24, 192.26.25.0/24,
			     193.109.66.0/23, 194.9.64.0/23,
			     194.9.82.0/23, 195.17.0.0/24,
			     195.202.64.0/19, 196.1.4.0/24,
			     196.1.116.0/23, 196.1.131.0-196.1.132.255,
			     196.3.58.0/23, 196.6.202.0/23,
			     196.6.215.0/24, 196.6.220.0/24,
			     196.6.229.0/24, 196.11.88.0/23,
			     196.11.190.0/23, 196.13.121.0/24,
			     196.13.136.0/23, 196.13.173.0/24,
			     196.13.202.0/24, 196.13.209.0/24,
			     196.13.255.0/24, 196.22.131.0/24,
			     196.28.11.0/24, 196.32.226.0/23,
			     196.41.68.0/24, 196.41.87.0/24,
			     196.41.89.0/24, 196.43.192.0/24,
			     196.43.202.0/24, 196.43.205.0/24,
			     196.43.211.0-196.43.212.255, 196.43.220.0/24,
			     196.43.228.0/24, 196.43.239.0/24,
			     196.43.246.0/24, 196.43.248.0/24,
			     196.45.236.0/22, 196.46.16.0/24,
			     196.49.22.0/24, 196.60.2.0/24,
			     196.60.12.0/24, 196.60.14.0/24,
			     196.60.36.0/24, 196.60.66.0/24,
			     196.60.68.0/24, 196.60.80.0/24,
			     196.60.114.0/24, 196.61.52.0/22,
			     196.96.0.0/12, 196.200.16.0-196.200.47.255,
			     196.201.128.0/19, 196.201.208.0-196.201.227.255,
			     196.202.160.0-196.202.223.255, 196.207.16.0/20,
			     196.207.128.0/18, 196.216.128.0/22,
			     196.216.222.0/23, 196.216.242.0/23,
			     196.216.245.0/24, 196.223.21.0/24,
			     196.223.160.0/20, 196.223.253.0-196.223.255.255,
			     196.250.208.0/21, 196.251.144.0/22,
			     197.136.0.0/14, 197.156.128.0/18,
			     197.157.228.0/22, 197.159.96.0/20,
			     197.176.0.0/13, 197.211.0.0/19,
			     197.220.96.0/19, 197.231.176.0/21,
			     197.232.0.0/16, 197.234.236.0/22,
			     197.237.0.0/16, 197.248.0.0/16,
			     197.254.0.0/17, 198.99.2.0/24,
			     199.127.232.0/22, 203.83.220.0/22,
			     204.45.0.0/16, 204.236.128.0/17,
			     204.246.160.0/19, 205.251.192.0-205.251.254.255,
			     207.171.160.0/19, 208.86.88.0/22,
			     208.110.48.0/20, 209.54.176.0/20,
			     212.22.160.0/19, 212.49.64.0/19,
			     216.137.32.0/19, 216.182.224.0/20,
			     217.199.144.0/20, 223.71.11.0/27,
			     223.71.71.96-223.71.71.255 }
	}
	set pbr_wan_4_src_ip_user {
		type ipv4_addr
		policy memory
		flags interval
		auto-merge
		comment ""
	}
	set pbr_wan_4_src_mac_user {
		type ether_addr
		policy memory
		flags interval
		auto-merge
		comment ""
	}
	set pbr_vpnclient0_4_dst_ip_user {
		type ipv4_addr
		policy memory
		flags interval
		auto-merge
		comment ""
	}
	set pbr_vpnclient0_4_src_ip_user {
		type ipv4_addr
		policy memory
		flags interval
		auto-merge
		comment ""
	}
	set pbr_vpnclient0_4_src_mac_user {
		type ether_addr
		policy memory
		flags interval
		auto-merge
		comment ""
	}
	set pbr_vpnclient1_4_dst_ip_user {
		type ipv4_addr
		policy memory
		flags interval
		auto-merge
		comment ""
	}
	set pbr_vpnclient1_4_src_ip_user {
		type ipv4_addr
		policy memory
		flags interval
		auto-merge
		comment ""
	}
	set pbr_vpnclient1_4_src_mac_user {
		type ether_addr
		policy memory
		flags interval
		auto-merge
		comment ""
	}
	set pbr_vpnclient2_4_dst_ip_user {
		type ipv4_addr
		policy memory
		flags interval
		auto-merge
		comment ""
	}
	set pbr_vpnclient2_4_src_ip_user {
		type ipv4_addr
		policy memory
		flags interval
		auto-merge
		comment ""
	}
	set pbr_vpnclient2_4_src_mac_user {
		type ether_addr
		policy memory
		flags interval
		auto-merge
		comment ""
	}
	set pbr_wgc0_4_dst_ip_user {
		type ipv4_addr
		policy memory
		flags interval
		auto-merge
		comment ""
	}
	set pbr_wgc0_4_src_ip_user {
		type ipv4_addr
		policy memory
		flags interval
		auto-merge
		comment ""
	}
	set pbr_wgc0_4_src_mac_user {
		type ether_addr
		policy memory
		flags interval
		auto-merge
		comment ""
	}
============================================================
IPv4 table 10 route: 
IPv4 table 10 rule(s):
IPv4 table 11 route: 
IPv4 table 11 rule(s):
IPv4 table 12 route: default via 192.168.1.1 dev wan 
IPv4 table 12 rule(s):
30000:	from all fwmark 0x10000/0xff0000 lookup pbr_wan
IPv4 table 13 route: unreachable default 
IPv4 table 13 rule(s):
30001:	from all fwmark 0x20000/0xff0000 lookup pbr_vpnclient0
IPv4 table 14 route: unreachable default 
IPv4 table 14 rule(s):
30002:	from all fwmark 0x30000/0xff0000 lookup pbr_vpnclient1
IPv4 table 15 route: unreachable default 
IPv4 table 15 rule(s):
30003:	from all fwmark 0x40000/0xff0000 lookup pbr_vpnclient2
IPv4 table 16 route: default via 10.5.0.2 dev wgc0 
IPv4 table 16 rule(s):
30004:	from all fwmark 0x50000/0xff0000 lookup pbr_wgc0

Make sure to read that section in its entirety.


Compiled firmware using image builder with the following:
make -j4 image PROFILE=router_profile PACKAGES="luci luci-theme-material luci-app-sqm luci-app-wireguard luci-app-pbr dnsmasq-full ipset nano -luci-theme-bootstrap -dnsmasq" FILES=files/

and now I'm still seeing

The adguardhome.ipset is not supported on this system.
The dnsmasq.nftset is not supported on this system.
Please check the README before changing this option.

I'm ignoring "The adguardhome.ipset is not supported on this system." because I'm not going to use it. However, why am I still seeing the other messages?

Can someone rewrite my compile command to make it correct?

I have been using this script since 22.03.2

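#!/bin/sh
# Custom include that bulk-loads addresses from a list file into an ipset.
# It ends with `return`, so it is meant to be sourced by a caller (presumably
# the pbr service as a custom user file - confirm), not executed directly.
#
# Variables:
#   TARGET_IPSET - name of the ipset that receives the entries
#   TARGET_FNAME - list file; the first whitespace-separated field of each
#                  line is taken as one entry
# Returns: 0 when the list was piped into `ipset restore` successfully,
#          1 when the file is missing/empty or the restore failed.
#
# NOTE(review): this only talks to ipset. On an nftables (fw4) build pbr keeps
# its lists in nft sets named like pbr_<iface>_4_dst_ip_user, so an ipset
# called 'wan' may not exist there and the restore would fail - confirm which
# backend the installed pbr version uses and check its README for the matching
# custom user file format.

TARGET_IPSET='wan'
TARGET_FNAME="/etc/my-ipv4.list"

_ret=1

if [ -s "$TARGET_FNAME" ]; then
	# The file content ends up as commands for `ipset restore`, which stops at
	# the first malformed line. Skip blank lines and '#' comments so they do
	# not turn into a broken "add <set> " command; -! only tolerates entries
	# that already exist, it does not hide syntax errors.
	if awk -v ipset="$TARGET_IPSET" \
		'NF && $1 !~ /^#/ { print "add " ipset " " $1 }' "$TARGET_FNAME" \
		| ipset restore -!; then
		_ret=0
	fi
fi

return "$_ret"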

Now this script no longer seems to work with the new version. Are there any changes I need to make?

So, did you check README?

With which package?