Policy-Based-Routing (pbr) package discussion

rt_tables
#
# reserved values
#
128	prelocal
255	local
254	main
253	default
0	unspec
#
# local
#
#1	inr.ruhep
258 pbr_ovpn_nordvpn
259 pbr_wan
260 pbr_wg_nordvpn

ovpn_nordvpn interface is stopped.

http://linux-ip.net/html/routing-tables.html

Kernels supporting multiple routing tables refer to routing tables by unique integer slots between 0 and 255

@trendy, I believe newer kernels support table numbers higher than 255, at least that's been the recipe on the wiki manual policy routing with netifd, so this pbr package uses similar code.

@Sideeffect can you please post the output of:

. /etc/init.d/pbr
	tableCount="$(grep -c "${packageName}_" /etc/iproute2/rt_tables)" || tableCount=0
	wan_tid=$(($(get_rt_tables_next_id)-tableCount))
	i=0 
	echo "$wan_tid - $tableCount - $i"
	echo "IPv4 table $((wan_tid + i)) route: $($ip_full -4 route show table $((wan_tid + i)))"
	echo "IPv4 table $((wan_tid + i)) route: $($ip_full -4 route show table $((wan_tid + i)) | grep default)"

I have never seen anyone using more than the 255 available, hence my surprise to see more than 256 :slight_smile:

Okay thanks for your help. The error was from 258 pbr_ovpn_nordvpn because the interface was down. I keep it down because I probably won't be using it much. I guess I should add it to Ignored Interfaces for the most part.

When I put the interface up and connect to it the error disappears.

/etc/init.d/pbr status
root@OpenWrt:~# /etc/init.d/pbr status
============================================================
pbr - environment
pbr 1.0.0-2 running on OpenWrt 22.03.2. WAN (IPv4): wan/pppoe-wan/172.16.15.209.
============================================================
Dnsmasq version 2.86  Copyright (c) 2000-2021 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus UBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth cryptohash DNSSEC no-ID loop-detect inotify dumpfile
============================================================
pbr chains - policies
        chain pbr_forward {
        }
        chain pbr_input {
        }
        chain pbr_output {
        }
        chain pbr_prerouting {
                ip daddr @pbr_wan_4_dst_ip_user goto pbr_mark_0x010000
                ip saddr @pbr_wan_4_src_ip_user goto pbr_mark_0x010000
                ether saddr @pbr_wan_4_src_mac_user goto pbr_mark_0x010000
                ip dscp cs1 goto pbr_mark_0x020000
                ip daddr @pbr_wg_nordvpn_4_dst_ip_user goto pbr_mark_0x020000
                ip saddr @pbr_wg_nordvpn_4_src_ip_user goto pbr_mark_0x020000
                ether saddr @pbr_wg_nordvpn_4_src_mac_user goto pbr_mark_0x020000
                ip daddr @pbr_ovpn_nordvpn_4_dst_ip_user goto pbr_mark_0x030000
                ip saddr @pbr_ovpn_nordvpn_4_src_ip_user goto pbr_mark_0x030000
                ether saddr @pbr_ovpn_nordvpn_4_src_mac_user goto pbr_mark_0x030000
                ip saddr @pbr_wg_nordvpn_4_src_ip_cfg046ff5 goto pbr_mark_0x020000 comment "VMWare RAMint"
                ip saddr @pbr_wg_nordvpn_4_src_ip_cfg056ff5 goto pbr_mark_0x020000 comment "Pi-qBT"
        }
        chain pbr_postrouting {
        }
============================================================
pbr chains - marking
        chain pbr_mark_0x010000 {
                counter packets 0 bytes 0 meta mark set meta mark & 0xff01ffff | 0x00010000
                return
        }
        chain pbr_mark_0x020000 {
                counter packets 4 bytes 359 meta mark set meta mark & 0xff02ffff | 0x00020000
                return
        }
        chain pbr_mark_0x030000 {
                counter packets 0 bytes 0 meta mark set meta mark & 0xff03ffff | 0x00030000
                return
        }
============================================================
pbr nft sets
        set pbr_wan_4_dst_ip_user {
                type ipv4_addr
                policy memory
                flags interval
                auto-merge
                comment ""
        }
        set pbr_wan_4_src_ip_user {
                type ipv4_addr
                policy memory
                flags interval
                auto-merge
                comment ""
        }
        set pbr_wan_4_src_mac_user {
                type ether_addr
                policy memory
                flags interval
                auto-merge
                comment ""
        }
        set pbr_wg_nordvpn_4_dst_ip_user {
                type ipv4_addr
                policy memory
                flags interval
                auto-merge
                comment ""
        }
        set pbr_wg_nordvpn_4_src_ip_user {
                type ipv4_addr
                policy memory
                flags interval
                auto-merge
                comment ""
        }
        set pbr_wg_nordvpn_4_src_mac_user {
                type ether_addr
                policy memory
                flags interval
                auto-merge
                comment ""
        }
        set pbr_ovpn_nordvpn_4_dst_ip_user {
                type ipv4_addr
                policy memory
                flags interval
                auto-merge
                comment ""
        }
        set pbr_ovpn_nordvpn_4_src_ip_user {
                type ipv4_addr
                policy memory
                flags interval
                auto-merge
                comment ""
        }
        set pbr_ovpn_nordvpn_4_src_mac_user {
                type ether_addr
                policy memory
                flags interval
                auto-merge
                comment ""
        }
        set pbr_wg_nordvpn_4_src_ip_cfg046ff5 {
                type ipv4_addr
                flags interval
                auto-merge
                comment "VMWare RAMint"
                elements = { 192.168.1.140 }
        }
        set pbr_wg_nordvpn_4_src_ip_cfg056ff5 {
                type ipv4_addr
                flags interval
                auto-merge
                comment "Pi-qBT"
                elements = { 192.168.1.177 }
        }
============================================================
IPv4 table 258 route: default via 10.8.3.2 dev ovpn_nordvpn
IPv4 table 258 rule(s):
30002:  from all fwmark 0x30000/0xff0000 lookup pbr_ovpn_nordvpn
IPv4 table 259 route: default via 172.16.15.209 dev pppoe-wan
IPv4 table 259 rule(s):
30000:  from all fwmark 0x10000/0xff0000 lookup pbr_wan
IPv4 table 260 route: default via 10.5.0.2 dev wg_nordvpn
IPv4 table 260 rule(s):
30001:  from all fwmark 0x20000/0xff0000 lookup pbr_wg_nordvpn
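
Added example, not part of any post in this thread and not code from the pbr package: the script below applies each marking chain's mask arithmetic, finds the fwmark rule that selects the resulting mark, and flags a table that has a rule but no default route, which is the state described above for table 258 while ovpn_nordvpn was down. The function names are hypothetical, and the sample text is constructed from the status output above, with the table 258 route left empty on the assumption that a stopped interface shows up that way.

```shell
#!/bin/sh
# Added example: cross-check pbr marking chains, ip rules and per-table routes.

# Constructed sample in the shape of `/etc/init.d/pbr status`. Table 258 has
# no route, modelling the stopped ovpn_nordvpn interface (assumption).
sample_status() {
cat <<'EOF'
pbr chains - marking
        chain pbr_mark_0x010000 {
                counter packets 0 bytes 0 meta mark set meta mark & 0xff01ffff | 0x00010000
                return
        }
        chain pbr_mark_0x020000 {
                counter packets 4 bytes 359 meta mark set meta mark & 0xff02ffff | 0x00020000
                return
        }
        chain pbr_mark_0x030000 {
                counter packets 0 bytes 0 meta mark set meta mark & 0xff03ffff | 0x00030000
                return
        }
IPv4 table 258 route:
IPv4 table 258 rule(s):
30002:  from all fwmark 0x30000/0xff0000 lookup pbr_ovpn_nordvpn
IPv4 table 259 route: default via 172.16.15.209 dev pppoe-wan
IPv4 table 259 rule(s):
30000:  from all fwmark 0x10000/0xff0000 lookup pbr_wan
IPv4 table 260 route: default via 10.5.0.2 dev wg_nordvpn
IPv4 table 260 rule(s):
30001:  from all fwmark 0x20000/0xff0000 lookup pbr_wg_nordvpn
EOF
}

# apply_mark OLD AND_MASK OR_VALUE: result of "meta mark set meta mark & A | B".
# Bits outside 16-23 of OLD are preserved; bits 16-23 become the policy id.
apply_mark() {
    printf '0x%08x\n' $(( ($1 & $2) | $3 ))
}

# rule_matches MARK VALUE MASK: true if "fwmark VALUE/MASK" selects MARK.
rule_matches() {
    [ $(( $1 & $3 )) -eq $(( $2 & $3 )) ]
}

# audit_status: status text on stdin; prints "<mark> <table(id)> <verdict>"
# for every marking chain found.
audit_status() {
    text=$(cat)
    # One line per ip rule: value mask table-name table-id has-default-route
    rules=$(printf '%s\n' "$text" | awk '
        /^IPv4 table [0-9]+ route:/ { tid = $3; def = ($5 == "default") ? "yes" : "no" }
        $4 == "fwmark" && $6 == "lookup" { split($5, m, "/"); print m[1], m[2], $7, tid, def }')
    printf '%s\n' "$text" |
    sed -n 's/.*meta mark set meta mark & \(0x[0-9a-f]*\) | \(0x[0-9a-f]*\).*/\1 \2/p' |
    while read -r and_mask or_value; do
        mark=$(apply_mark 0 "$and_mask" "$or_value")
        table="-" verdict="no-rule"
        while read -r value mask name tid def; do
            [ -n "$value" ] || continue
            if rule_matches "$mark" "$value" "$mask"; then
                table="${name}(${tid})"
                if [ "$def" = yes ]; then verdict="ok"; else verdict="no-default-route"; fi
                break
            fi
        done <<EOF
$rules
EOF
        printf '%s %s %s\n' "$mark" "$table" "$verdict"
    done
}

sample_status | audit_status
```

On a router the same function can be fed the live output with /etc/init.d/pbr status | audit_status.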

Hi everyone, I've recently upgraded to 22.03 and am now using pbr instead of VPN pbr. Previously I created custom user files as per (https://github.com/vantechcorner/OpenWRT-VPN-Policy-Based-Routing), but when I now place them in /usr/share/pbr it causes a "TypeError_(...).(formate is not a function)" in the pbr GUI, preventing it from loading up. Would anyone please mind telling me what is the correct procedure and template to use for your own custom user files? Thank you

For the error: upgrade both pbr and luci-app-pbr to version 1.0.1-1 and clear your browser cache.

For the user file, the new user files have to support both ipset and nftset and have to be rewritten. Also the targeted set names have changed as well. Use the two user files shipped with the package as an example.


Thank you I'll play around with the custom user files.
Sorry my Luci console only shows 1.0.0.2 as the latest version. I've searched above to see that you have a github repo but I cannot seem to find the method to install 1.0.1-1. Please can you help me with this? Many thanks.

Download pbr_1.0.1-2_all and luci-app-pbr_1.0.1-2_all from https://github.com/stangri/repo.openwrt.melmac.net.
Install on system/software/upload package.


In pbr 1.0.1-3 I've attempted to reduce reported rt_tables file corruption by only modifying it when change is actually needed and syncing cache.

@stangri
when I type make menuconfig

I get these warnings...

tmp/.config-package.in:62089:error: recursive dependency detected!
tmp/.config-package.in:62089:	symbol PACKAGE_luci-app-pbr depends on PACKAGE_luci-app-pbr
For a resolution refer to Documentation/kbuild/kconfig-language.rst
subsection "Kconfig recursive dependency limitations"

Where am I wrong?

or can I ignore?

Just merged changes which would hopefully resolve this: https://github.com/openwrt/packages/pull/20158 https://github.com/openwrt/packages/pull/20160.

Given lack of information, most likely cause is the wrong chain for the policy.


Hello, I am trying to configure PBR to only use my VPN (to USA) for services like Netflix, Disney, Prime, Plex

I have successfully been able to make Plex go through the VPN but not quite succeeding with Netflix and others.

Can you help me please (missing urls, configuration, doable with pbr)?
I am getting "insertion failed for ipv4 for policy Netflix"

The easiest method would be to let everything go out via the VPN and only exempt traffic local to your country from the VPN.
Let the VPN be the default gateway, then refer to this post:

https://forum.openwrt.org/t/policy-based-routing-pbr-package-discussion/140639/127

Go to https://www.ipdeny.com/ipblocks/ and it's possible that you will find your country listed. Use that link for TARGET_URL and for TARGET_DL_FILE and TARGET_NFT_FILE you can name the files appropriately.
You will then create a file - /usr/share/pbr/pbr.user.CC.lst - using the above details and you can use this file under "Custom User File Includes". When enabled, all your country traffic will get routed via the WAN, while everything else gets routed via the VPN.
If you get anything else that you do not want to be routed via the VPN, then of course you add rules the same way you added for Plex.
Ciao

Thanks for the suggestion, I am still interested in forcing only specific traffic through the vpn.
The output of pbr reload is as follows:

root@ArcherC7:/tmp# /etc/init.d/pbr reload
Activating traffic killswitch [✓]
Setting up routing for 'lan/br-lan/192.168.100.1' [✓]
Setting up routing for 'wan/br-wan/192.168.1.1' [✓]
Setting up routing for 'vpn/10.5.0.2' [✓]
Routing 'Netflix' via vpn [✗]
Routing 'Plex/Emby Remote Servers' via vpn [✓]
Routing 'Prime' via vpn [✓]
Routing 'Disney+' via vpn [✓]
Routing 'Roku' via vpn [✓]
Routing 'Hbomax' via vpn [✓]
Deactivating traffic killswitch [✓]
pbr 1.0.1-3 monitoring interfaces: wan vpn
pbr 1.0.1-3 (nft) started with gateways:
lan/br-lan/192.168.100.1
wan/br-wan/192.168.1.1 [✓]
vpn/10.5.0.2
ERROR: Insertion failed for IPv4 for policy Netflix
ERROR:
nft 'add rule inet fw4 pbr_prerouting ip daddr {} goto pbr_mark_0x030000 comment "Netflix"'

Netflix Policy

config policy
        option interface 'vpn'
        option name 'Netflix'
        option dest_addr 'amazonaws.com netflix.com nflxext.com nflximg.net nflxso.net nflxvideo.net dvd.netflix.com'

Find the package README, check the section for getting help, follow it.


Ok the info as follows:-

root@ArcherC7:~# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option nonwildcard '1'
        option localservice '1'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'

config dhcp 'lan'
        option interface 'lan'
        option ignore '1'
        option start '100'
        option leasetime '12h'
        option limit '150'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'
        option start '100'
        option leasetime '12h'
        option limit '150'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

root@ArcherC7:~# cat /etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option synflood_protect '1'
        option forward 'ACCEPT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        list network 'lan'
        option forward 'ACCEPT'

config include
        option path '/etc/firewall.user'

config zone
        option name 'wan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        list network 'wan'
        option forward 'REJECT'

config zone
        option name 'vpn'
        list network 'vpn'
        option output 'ACCEPT'
        option masq '1'
        option input 'REJECT'
        option forward 'REJECT'

config include 'pbr'
        option fw4_compatible '1'
        option type 'script'
        option path '/usr/share/pbr/pbr.firewall.include'

config forwarding
        option dest 'vpn'
        option src 'lan'

root@ArcherC7:~# cat /etc/config/network

config interface 'loopback'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'
        option device 'lo'

config globals 'globals'
        option ula_prefix 'fd7f:b723:61ba::/48'

config interface 'lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option gateway '192.168.100.1'
        option ipaddr '192.168.100.2'
        option device 'br-lan'
        option metric '10'
        list dns '103.86.96.100'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '2 3 4 5 0t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '1 6t'

config device
        option type 'bridge'
        option name 'br-lan'
        list ports 'eth1'
        list ports 'eth1.1'

config device
        list ports 'eth0'
        list ports 'eth0.2'
        option type 'bridge'
        option name 'br-wan'
        option macaddr '98:DE:D0:C4:A8:E9'

config interface 'wan'
        option device 'br-wan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '192.168.1.2'
        option gateway '192.168.1.1'
        option metric '10'
        list dns '103.86.96.100'

config interface 'vpn'
        option proto 'wireguard'
        list addresses '10.5.0.2'
        option private_key 'OOT3uAgR0cX4Ls+w5Y1hfOpAqIFP97TgU24CslYAoE8='
        list dns '103.86.96.100 103.86.99.100'
        list dns '103.86.96.100'
        list dns '103.86.99.100'

config wireguard_vpn
        option public_key '0/x2PdBGfcIGr0ayFPFFjxcEEyhrlBRjR4kMcfwXJTU='
        option persistent_keepalive '25'
        list allowed_ips '0.0.0.0/0'
        option endpoint_host '62.182.99.232'
        option endpoint_port '51820'

root@ArcherC7:~# cat /etc/config/pbr

config pbr 'config'
        option verbosity '2'
        option strict_enforcement '1'
        option resolver_set 'none'
        option ipv6_enabled '0'
        list ignored_interface 'vpnserver'
        list ignored_interface 'wgserver'
        option boot_timeout '30'
        option rule_create_option 'add'
        option procd_reload_delay '1'
        option webui_show_ignore_target '0'
        list webui_supported_protocol 'all'
        list webui_supported_protocol 'tcp'
        list webui_supported_protocol 'udp'
        list webui_supported_protocol 'tcp udp'
        list webui_supported_protocol 'icmp'
        option enabled '1'

config include
        option path '/usr/share/pbr/pbr.user.aws'

config include
        option path '/usr/share/pbr/pbr.user.netflix'

config policy
        option interface 'vpn'
        option name 'Netflix'
        option dest_addr 'amazonaws.com netflix.com nflxext.com nflximg.net nflxso.net nflxvideo.net dvd.netflix.com'

config policy
        option name 'Plex/Emby Remote Servers'
        option interface 'vpn'
        option dest_addr 'plex.tv my.plexapp.com emby.media app.emby.media tv.emby.media app.plex.tv'

config policy
        option interface 'vpn'
        option name 'Prime'
        option dest_addr 'primevideo.com amazonvideo.com'

config policy
        option interface 'vpn'
        option name 'Disney+'
        option dest_addr 'bamtechmedia.com disneystreaming.com disneyplus.com'

config policy
        option name 'Roku'
        option dest_addr 'roku.com'
        option interface 'vpn'

config policy
        option interface 'vpn'
        option name 'Hbomax'
        option dest_addr 'hbomax.com'

config policy
        option name 'WireGuard Server'
        option src_port '51820'
        option chain 'output'
        option proto 'udp'
        option interface 'vpn'
        option enabled '0'

config policy
        option name 'Plex/Emby Local Server'
        option src_port '8096 8920 32400'
        option enabled '0'
        option interface 'lan'

root@ArcherC7:~# /etc/init.d/pbr status
============================================================
pbr - environment
pbr 1.0.1-3 running on OpenWrt 22.03.2. WAN (IPv4): lan/br-lan/192.168.100.1.
============================================================
Dnsmasq version 2.86  Copyright (c) 2000-2021 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus UBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth cryptohash DNSSEC no-ID loop-detect inotify dumpfile
============================================================
pbr chains - policies
        chain pbr_forward {
        }
        chain pbr_input {
        }
        chain pbr_output {
        }
        chain pbr_prerouting {
                ip daddr @pbr_vpn_4_dst_ip_cfg046ff5 goto pbr_mark_0x030000 comment "Netflix"
                ip daddr @pbr_vpn_4_dst_ip_cfg046ff5 goto pbr_mark_0x030000 comment "Netflix"
                ip daddr @pbr_vpn_4_dst_ip_cfg056ff5 goto pbr_mark_0x030000 comment "Plex/Emby Remote Servers"
                ip daddr @pbr_vpn_4_dst_ip_cfg066ff5 goto pbr_mark_0x030000 comment "Prime"
                ip daddr @pbr_vpn_4_dst_ip_cfg076ff5 goto pbr_mark_0x030000 comment "Disney+"
                ip daddr @pbr_vpn_4_dst_ip_cfg086ff5 goto pbr_mark_0x030000 comment "Roku"
                ip daddr @pbr_vpn_4_dst_ip_cfg096ff5 goto pbr_mark_0x030000 comment "Hbomax"
                ip daddr @pbr_lan_4_dst_ip_user goto pbr_mark_0x010000
                ip saddr @pbr_lan_4_src_ip_user goto pbr_mark_0x010000
                ether saddr @pbr_lan_4_src_mac_user goto pbr_mark_0x010000
                ip daddr @pbr_wan_4_dst_ip_user goto pbr_mark_0x020000
                ip saddr @pbr_wan_4_src_ip_user goto pbr_mark_0x020000
                ether saddr @pbr_wan_4_src_mac_user goto pbr_mark_0x020000
                ip daddr @pbr_vpn_4_dst_ip_user goto pbr_mark_0x030000
                ip saddr @pbr_vpn_4_src_ip_user goto pbr_mark_0x030000
                ether saddr @pbr_vpn_4_src_mac_user goto pbr_mark_0x030000
        }
        chain pbr_postrouting {
        }
============================================================
pbr chains - marking
        chain pbr_mark_0x010000 {
                counter packets 0 bytes 0 meta mark set meta mark & 0xff01ffff | 0x00010000
                return
        }
        chain pbr_mark_0x020000 {
                counter packets 0 bytes 0 meta mark set meta mark & 0xff02ffff | 0x00020000
                return
        }
        chain pbr_mark_0x030000 {
                counter packets 3662 bytes 250467 meta mark set meta mark & 0xff03ffff | 0x00030000
                return
        }
============================================================
pbr nft sets
        set pbr_vpn_4_dst_ip_cfg046ff5 {
                type ipv4_addr
                flags interval
                auto-merge
                comment "Netflix"
                elements = { 3.251.50.149, 18.236.7.30,
                             34.218.19.240, 34.252.74.1,
                             44.226.113.145, 46.137.171.215,
                             50.17.247.9, 52.31.48.193,
                             54.74.73.31, 54.155.178.5,
                             72.21.206.80, 72.21.210.29,
                             107.20.175.192, 204.236.236.127,
                             207.45.72.201, 207.45.72.215,
                             207.171.166.22 }
        }
        set pbr_vpn_4_dst_ip_cfg056ff5 {
                type ipv4_addr
                flags interval
                auto-merge
                comment "Plex/Emby Remote Servers"
                elements = { 18.200.51.241, 34.243.47.112,
                             52.48.60.59, 52.49.138.125,
                             104.18.18.96, 104.18.19.96,
                             173.230.139.54 }
        }
        set pbr_vpn_4_dst_ip_cfg066ff5 {
                type ipv4_addr
                flags interval
                auto-merge
                comment "Prime"
                elements = { 18.154.206.17, 18.154.206.47,
                             18.154.206.122, 18.154.206.127 }
        }
        set pbr_vpn_4_dst_ip_cfg076ff5 {
                type ipv4_addr
                flags interval
                auto-merge
                comment "Disney+"
                elements = { 34.110.155.89, 34.218.145.143,
                             54.71.61.241, 54.218.188.255,
                             139.104.192.37 }
        }
        set pbr_vpn_4_dst_ip_cfg086ff5 {
                type ipv4_addr
                flags interval
                auto-merge
                comment "Roku"
                elements = { 162.159.135.11, 162.159.136.11 }
        }
        set pbr_vpn_4_dst_ip_cfg096ff5 {
                type ipv4_addr
                flags interval
                auto-merge
                comment "Hbomax"
                elements = { 52.2.113.243, 52.24.7.205,
                             52.26.195.38, 52.26.195.185,
                             52.206.133.146, 52.206.158.144 }
        }
        set pbr_lan_4_dst_ip_user {
                type ipv4_addr
                policy memory
                flags interval
                auto-merge
                comment ""
        }
        set pbr_lan_4_src_ip_user {
                type ipv4_addr
                policy memory
                flags interval
                auto-merge
                comment ""
        }
        set pbr_lan_4_src_mac_user {
                type ether_addr
                policy memory
                flags interval
                auto-merge
                comment ""
        }
        set pbr_wan_4_dst_ip_user {
                type ipv4_addr
                policy memory
                flags interval
                auto-merge
                comment ""
        }
        set pbr_wan_4_src_ip_user {
                type ipv4_addr
                policy memory
                flags interval
                auto-merge
                comment ""
        }
        set pbr_wan_4_src_mac_user {
                type ether_addr
                policy memory
                flags interval
                auto-merge
                comment ""
        }
        set pbr_vpn_4_dst_ip_user {
                type ipv4_addr
                policy memory
                flags interval
                auto-merge
                comment ""
        }
        set pbr_vpn_4_src_ip_user {
                type ipv4_addr
                policy memory
                flags interval
                auto-merge
                comment ""
        }
        set pbr_vpn_4_src_mac_user {
                type ether_addr
                policy memory
                flags interval
                auto-merge
                comment ""
        }
============================================================
IPv4 table 256 route: default via 192.168.100.1 dev br-lan
IPv4 table 256 rule(s):
30000:  from all fwmark 0x10000/0xff0000 lookup pbr_lan
IPv4 table 257 route: default via 192.168.1.1 dev br-wan
IPv4 table 257 rule(s):
30001:  from all fwmark 0x20000/0xff0000 lookup pbr_wan
IPv4 table 258 route: default via 10.5.0.2 dev vpn
IPv4 table 258 rule(s):
30002:  from all fwmark 0x30000/0xff0000 lookup pbr_vpn
root@ArcherC7:~# /etc/init.d/pbr reload
Activating traffic killswitch [✓]
Setting up routing for 'lan/br-lan/192.168.100.1' [✓]
Setting up routing for 'wan/br-wan/192.168.1.1' [✓]
Setting up routing for 'vpn/10.5.0.2' [✓]
Routing 'Netflix' via vpn [✗]
Routing 'Plex/Emby Remote Servers' via vpn [✓]
Routing 'Prime' via vpn [✓]
Routing 'Disney+' via vpn [✓]
Routing 'Roku' via vpn [✓]
Routing 'Hbomax' via vpn [✓]
Deactivating traffic killswitch [✓]
pbr 1.0.1-3 monitoring interfaces: wan vpn
pbr 1.0.1-3 (nft) started with gateways:
lan/br-lan/192.168.100.1
wan/br-wan/192.168.1.1 [✓]
vpn/10.5.0.2
ERROR: Insertion failed for IPv4 for policy Netflix
ERROR:
nft 'add rule inet fw4 pbr_prerouting ip daddr {} goto pbr_mark_0x030000 comment "Netflix"'
root@ArcherC7:~#

A lot of the output got cut off.

Bad idea to use domains without dnsmasq.ipset or dnsmasq.nftset support.

I'm guessing the error is from one of the domains which cannot be resolved for some reason. I'll look into the proper error message for such a case in the future.
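
Added example, not part of any post in this thread and not code from the pbr package: a small filter for the reload output shown above that lists every policy marked [✗] and notes when the failing nft command carried an empty address set, as in the Netflix error. The function names are hypothetical and the sample lines are constructed from the reload output above.

```shell
#!/bin/sh
# Added example: list policies that pbr reported as not inserted on reload.

# Constructed sample in the shape of the `/etc/init.d/pbr reload` output above.
sample_reload() {
cat <<'EOF'
Routing 'Netflix' via vpn [✗]
Routing 'Plex/Emby Remote Servers' via vpn [✓]
Routing 'Prime' via vpn [✓]
pbr 1.0.1-3 (nft) started with gateways:
ERROR: Insertion failed for IPv4 for policy Netflix
ERROR:
nft 'add rule inet fw4 pbr_prerouting ip daddr {} goto pbr_mark_0x030000 comment "Netflix"'
EOF
}

# failed_policies: reload output on stdin; prints "<policy>|<interface>|<reason>"
# for each policy marked [✗]. The reason is "empty-address-set" when the echoed
# nft command matched on an empty set ("daddr {}" or "saddr {}"), else "unknown".
failed_policies() {
    awk -v q="'" '
    /^Routing / && index($0, "[✗]") {
        # Routing <q>NAME<q> via IFACE [✗]
        name = $0; sub("^Routing " q, "", name); sub(q " via .*", "", name)
        ifc = $0;  sub(".*" q " via ", "", ifc); sub(/ \[.*/, "", ifc)
        order[++n] = name; via[name] = ifc; why[name] = "unknown"
    }
    /^nft / && index($0, "addr {}") {
        # The echoed command names its policy in the rule comment.
        c = $0; sub(/.*comment "/, "", c); sub(/".*/, "", c)
        if (c in via) why[c] = "empty-address-set"
    }
    END { for (i = 1; i <= n; i++) print order[i] "|" via[order[i]] "|" why[order[i]] }
    '
}

sample_reload | failed_policies
```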

ok thanks I will try to enable dnsmasq.ipset or dnsmasq.nftset and see how it goes.

Edit: Seems like I am not getting any newer version than dnsmasq-full_2.86-15_mips_24kc.ipk even when manual installing, 2.87 is the required version if I understand correctly.

Am on OpenWrt 22.03.2 r19803-9a599fee93 / LuCI openwrt-22.03 branch git-22.304.65171-ec905e6