Policy-Based-Routing (pbr) package discussion

Did you already test 1.2.1-r95?

It is now available at Stangri's repo :slight_smile:
You can set up his repo to upgrade from; to do that, execute the following from the command line (SSH):

echo 'https://apk.openwrt.melmac.ca/packages.adb' >> /etc/apk/repositories.d/customfeeds.list
wget https://apk.openwrt.melmac.ca/apk.openwrt.melmac.ca.pem -O /etc/apk/keys/apk.openwrt.melmac.ca.pem
apk update
# for keeping the key between sysupgrades:
echo "/etc/apk/keys/apk.openwrt.melmac.ca.pem" >> /etc/sysupgrade.conf

@Nankey is not wrong; it is better to use an ephemeral port for your WireGuard server, e.g. a port that is not used/reserved.
Note that although WireGuard uses UDP, the rule cannot make a distinction between UDP and TCP.
For simple setups like yours it should now work with port 443 using 1.2.1-r95, but with more elaborate setups it might not.

1 Like
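An added example (not from the post above and not Stangri's or the pbr project's code): the same repo/key setup written so it can be run more than once. The posted commands use `>>`, so a second run leaves duplicate lines in customfeeds.list and sysupgrade.conf, and if the key download fails an empty .pem would still be in /etc/apk/keys when `apk update` runs. The URLs and paths are the ones from the post; the check that the key file is a PEM public key assumes the apk key is in that format (as the OpenWrt keys in /etc/apk/keys are). Nothing is changed on the router unless the script is run with --apply.

```shell
#!/bin/sh
# Idempotent version of the feed/key setup from the post above.
# Paths and URLs are the post's own; --apply gating is an addition.

FEED_URL='https://apk.openwrt.melmac.ca/packages.adb'
KEY_URL='https://apk.openwrt.melmac.ca/apk.openwrt.melmac.ca.pem'
KEY_PATH='/etc/apk/keys/apk.openwrt.melmac.ca.pem'
FEEDS_FILE='/etc/apk/repositories.d/customfeeds.list'
SYSUPGRADE_CONF='/etc/sysupgrade.conf'

# append_once FILE LINE: append LINE to FILE only if an identical line is
# not already present (so re-running never duplicates the feed or the
# sysupgrade keep-list entry). Creates FILE if it does not exist.
append_once() {
    file=$1; line=$2
    [ -f "$file" ] || : > "$file"
    if grep -qxF -- "$line" "$file"; then
        return 0
    fi
    printf '%s\n' "$line" >> "$file"
}

# key_looks_valid FILE: sanity check that the downloaded file is a
# non-empty PEM public key (assumption: apk keys are PEM public keys),
# so an empty file or an HTML error page never lands in /etc/apk/keys.
key_looks_valid() {
    [ -s "$1" ] && grep -q -- '-----BEGIN PUBLIC KEY-----' "$1"
}

# install_feed: download the key to a temp file, verify it, then install
# it and add the feed; only then refresh the package index.
install_feed() {
    tmp=$(mktemp)
    if ! wget -q "$KEY_URL" -O "$tmp" || ! key_looks_valid "$tmp"; then
        rm -f "$tmp"
        echo "key download failed or file is not a PEM public key; aborting" >&2
        return 1
    fi
    mv "$tmp" "$KEY_PATH"
    chmod 644 "$KEY_PATH"
    append_once "$FEEDS_FILE" "$FEED_URL"
    append_once "$SYSUPGRADE_CONF" "$KEY_PATH"   # keep the key across sysupgrades
    apk update
}

if [ "${1:-}" = "--apply" ]; then
    install_feed
fi
```

Run it as `sh setup-feed.sh --apply` on the router; without the flag it only defines the functions, which is what makes the two helpers testable off the router.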

Yes tested last night and working fine now.

Ok, noted; I will update my configuration on both ends for a different port.

1 Like

Great thanks for confirming :+1:

IPv6 support is disabled, but "Service Gateways" shows IPv6.

Now, with IPv6 support turned on, it doesn't show IPv6.

Do you experience any actual problem with PBR?

No, but it's a bug! I tried restarting the device and pbr; it still displays like this.

Now I tried removing and installing pbr again; it still displays this:

Alright, it's just the UI that shows it this way. IPv6 is properly enabled and displays correctly in the command line.

1 Like

For those of you who are experiencing, or are afraid of, leakage of VPN traffic via the WAN while the router (re)boots or interfaces go up and down while using PBR (and actually the majority of you might have this):

See: https://github.com/egc112/OpenWRT-egc-add-on/tree/main/stop-wan-leak

1 Like

Is it necessary if my local firewall zone only allows traffic to my VPN zone?

If you do not allow any traffic via the wan then you cannot leak via the wan :slight_smile:

@stangri
Some issues installing 1.2.3-r3

Executing package manager

apk add luci-app-pbr

(1/2) Installing pbr (1.2.3-r3)
  Executing pbr-1.2.3-r3.post-install
  * Reinstalling pbr netifd integration... FAIL
  * Installing rc.d symlink for pbr... OK
(2/2) Installing luci-app-pbr (1.2.3-r3)
  Executing luci-app-pbr-1.2.3-r3.post-install
OK: 66.2 MiB in 398 packages

Errors

  * /proc/self/fd/7: readonly: line 34: packageName: is read only
  * Reference error: access to undeclared variable getpid
  * In [anonymous function](), file /lib/pbr/pbr.uc, line 281, byte 74:
  *   called from function [anonymous function] (/lib/pbr/pbr.uc:301:69)
  *   called from function load_environment (/lib/pbr/pbr.uc:1028:49)
  *   called from function start (/lib/pbr/pbr.uc:3319:28)
  *   called from anonymous function (/lib/pbr/cli.uc:16:35)
  * 
  *  `            system('/usr/bin/logger -t ' + shell_quote(state.script_name + ' [' + getpid() + ']') + ' ' + shell_quote(clean));`
  *   Near here ------------------------------------------------------------------------^
  * 
  * 
  * Reference error: access to undeclared variable getpid
  * In [anonymous function](), file /lib/pbr/pbr.uc, line 281, byte 74:
  *   called from function [anonymous function] (/lib/pbr/pbr.uc:292:52)
  *   called from function service_started_actions (/lib/pbr/pbr.uc:3574:59)
  *   called from anonymous function (/lib/pbr/cli.uc:42:37)
  * 
  *  `            system('/usr/bin/logger -t ' + shell_quote(state.script_name + ' [' + getpid() + ']') + ' ' + shell_quote(clean));`
  *   Near here ------------------------------------------------------------------------^
  * 
  * 

After reverting to version 1.2.1-r99, I now lose internet every few minutes on all connected LAN/WLAN devices, and in the log I only see:

[Feb 19, 2026, 18:12:05 GMT+2] user.notice: pbr [32665]: Processing environment (on_interface_reload) [✓]
[Feb 19, 2026, 18:12:05 GMT+2] user.notice: pbr [32665]: Setting up routing for 'wan/xxxxxx.1/xxxxxxx:fxx1:xx30' [✓]
[Feb 19, 2026, 18:12:05 GMT+2] user.notice: pbr [32665]: Setting up routing for 'xxxxxxxxxxxxxxxxxxxxx' [✓]
[Feb 19, 2026, 18:12:06 GMT+2] user.notice: pbr [32665]: Setting up routing for 'wg0/xxxxxxxxxxxxxx/::/0' [✓]
[Feb 19, 2026, 18:12:06 GMT+2] user.notice: pbr [32665]: Setting up routing for 'wg1/1xxxxxxx/xxxxxxxxxxxxxxxxxx/128' [✓]
[Feb 19, 2026, 18:12:06 GMT+2] user.notice: pbr [32665]: Setting up routing for 'wg2/xxxxxx2/xxxxxxxxx/128' [✓]
[Feb 19, 2026, 18:12:07 GMT+2] user.notice: pbr [32665]: Setting up routing for 'wg3/xxxxx.2/fxxxxxxxxxxxxxxxxx/128' [✓]
[Feb 19, 2026, 18:12:07 GMT+2] user.notice: pbr [32665]: Setting up routing for 'wg5/xxxxxxxx.2/::/0' [✓]
[Feb 19, 2026, 18:12:07 GMT+2] user.notice: pbr [32665]: Setting up routing for 'wg4/xxxxxxxxxxxxxxxxxxxxxxxxx/128' [✓]
[Feb 19, 2026, 18:12:08 GMT+2] user.notice: pbr [32665]: Routing 'Guest redirect 0' via wan [✓]
[Feb 19, 2026, 18:12:08 GMT+2] user.notice: pbr [32665]: Routing 'Guest redirect 1' via wan [✓]
[Feb 19, 2026, 18:12:09 GMT+2] user.notice: pbr [32665]: Routing 'Guest redirect 3' via wg0 [✓]
[Feb 19, 2026, 18:12:09 GMT+2] user.notice: pbr [32665]: Routing 'Sites Redirect'' via wg2 [✓]
[Feb 19, 2026, 18:12:09 GMT+2] user.notice: pbr [32665]: Routing 'MACxxx' via wg0 [✓]
[Feb 19, 2026, 18:12:09 GMT+2] user.notice: pbr [32665]: Routing 'MACxy' via wg0 [✓]
[Feb 19, 2026, 18:12:10 GMT+2] user.notice: pbr [32665]: Installing fw4 nft file [✓]
[Feb 19, 2026, 18:12:10 GMT+2] user.notice: pbr [32665]: Setting interface trigger for wan [✓]
[Feb 19, 2026, 18:12:10 GMT+2] user.notice: pbr [32665]: Setting interface trigger for wan6 [✓]
[Feb 19, 2026, 18:12:10 GMT+2] user.notice: pbr [32665]: Setting interface trigger for wg0 [✓]
[Feb 19, 2026, 18:12:10 GMT+2] user.notice: pbr [32665]: Setting interface trigger for wg1 [✓]
[Feb 19, 2026, 18:12:10 GMT+2] user.notice: pbr [32665]: Setting interface trigger for wg2 [✓]
[Feb 19, 2026, 18:12:10 GMT+2] user.notice: pbr [32665]: Setting interface trigger for wg3 [✓]
[Feb 19, 2026, 18:12:10 GMT+2] user.notice: pbr [32665]: Setting interface trigger for wg5 [✓]
[Feb 19, 2026, 18:12:10 GMT+2] user.notice: pbr [32665]: Setting interface trigger for wg4 [✓]
[Feb 19, 2026, 18:12:10 GMT+2] user.notice: pbr [32665]: pbr 1.2.1-r99 monitoring interfaces: wan wan6 wg0 wg1 wg2 wg3 wg5 wg4

I use my old config that worked previously without issues.
Then I restart pbr, and that restores access until the next Processing environment (on_interface_reload) [✓] event. A reboot doesn't help.

When it happens again, run service firewall restart and see if that helps.

1 Like

Seeking a little help on newer versions of pbr..

I can’t seem to pbr anything to any other internal network aside from the ‘main’ lan. I guess this has been ‘broken’ on my system for a while and I just didn’t notice. I was running version r45 for some time until I noticed that nothing was routing to the alternate lan. I upgraded to the latest version (at that time r87), but that didn’t route to the alternate lan either. I ended up going backward until I found that version 1.2.0-r8 worked properly. I have been successfully running with r8 for several days.

Is there something I'm missing on the newer versions, like having to declare LAN interfaces in the config or similar?

There is a lan_device setting which defaults to br-lan; not sure if that is what you are looking for, but if you want you can share your configs so that we can have a look.

In that case, please connect to your OpenWrt device using SSH, copy the output of the following commands and post it here using the "Preformatted text </>" button.

Remember to redact keys, passwords, MAC addresses and any public IP addresses you may have, but do not redact private RFC 1918 IP addresses, as that is not needed:

ubus call system board
cat /etc/config/network
cat /etc/config/firewall
ip route show
ip -6 route show
ip route show table all
ip rule show
wg show #only if you have WireGuard
cat /etc/config/pbr
service pbr restart
service pbr status

Thank you for looking at this.

ubus call system board

       "kernel": "6.12.66",
        "hostname": "gater",
        "system": "ARMv8 Processor rev 4",
        "model": "Linksys MX5300",
        "board_name": "linksys,mx5300",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "25.12.0-rc4",
                "firmware_url": "https://downloads.openwrt.org/",
                "revision": "r32534-12374d88b9",
                "target": "qualcommax/ipq807x",
                "description": "OpenWrt 25.12.0-rc4 r32534-12374d88b9",
                "builddate": "1769726182"
ip route show

0.0.0.0/1 dev wg0 proto static scope link
default via 192.168.0.1 dev 5G_1 proto static src 192.168.0.130
10.0.46.0/24 dev wg1 proto kernel scope link src 10.0.46.1
10.8.46.0/24 dev tun1 proto kernel scope link src 10.8.46.1
128.0.0.0/1 dev wg0 proto static scope link
public_ip via 192.168.0.1 dev 5G_1 proto static
192.168.0.0/24 dev 5G_1 proto kernel scope link src 192.168.0.130
192.168.46.0/24 dev br-lan proto kernel scope link src 192.168.46.1
192.168.47.0/24 dev br-gst proto kernel scope link src 192.168.47.1
192.168.48.0/24 dev br-iso proto kernel scope link src 192.168.48.1
ip -6 route show (ipv6 disabled / not in use)

unreachable fdb2:fe2d:b2be::/48 dev lo proto static metric 2147483647 pref medium
f0e0::/64 dev gre4t-tnk proto kernel metric 256 pref medium
f0e0::/64 dev tun1 proto kernel metric 256 pref medium
f0e0::/64 dev 5G_1 proto kernel metric 256 pref medium
ip route show table all

default via 192.168.0.1 dev 5G_1 table pbr_wwan
default via 10.13.128.81 dev wg0 table pbr_wg0
0.0.0.0/1 dev wg0 proto static scope link
default via 192.168.0.1 dev 5G_1 proto static src 192.168.0.130
10.0.46.0/24 dev wg1 proto kernel scope link src 10.0.46.1
10.8.46.0/24 dev tun1 proto kernel scope link src 10.8.46.1
128.0.0.0/1 dev wg0 proto static scope link
public_ip via 192.168.0.1 dev 5G_1 proto static
192.168.0.0/24 dev 5G_1 proto kernel scope link src 192.168.0.130
192.168.46.0/24 dev br-lan proto kernel scope link src 192.168.46.1
192.168.47.0/24 dev br-gst proto kernel scope link src 192.168.47.1
192.168.48.0/24 dev br-iso proto kernel scope link src 192.168.48.1
local 10.0.46.1 dev wg1 table local proto kernel scope host src 10.0.46.1
broadcast 10.0.46.255 dev wg1 table local proto kernel scope link src 10.0.46.1
local 10.8.46.1 dev tun1 table local proto kernel scope host src 10.8.46.1
broadcast 10.8.46.255 dev tun1 table local proto kernel scope link src 10.8.46.1
local 10.13.128.81 dev wg0 table local proto kernel scope host src 10.13.128.81
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
local 192.168.0.130 dev 5G_1 table local proto kernel scope host src 192.168.0.130
broadcast 192.168.0.255 dev 5G_1 table local proto kernel scope link src 192.168.0.130
local 192.168.46.1 dev br-lan table local proto kernel scope host src 192.168.46.1
broadcast 192.168.46.255 dev br-lan table local proto kernel scope link src 192.168.46.1
local 192.168.47.1 dev br-gst table local proto kernel scope host src 192.168.47.1
broadcast 192.168.47.255 dev br-gst table local proto kernel scope link src 192.168.47.1
local 192.168.48.1 dev br-iso table local proto kernel scope host src 192.168.48.1
broadcast 192.168.48.255 dev br-iso table local proto kernel scope link src 192.168.48.1
unreachable fdb3:febd:bebe::/48 dev lo proto static metric 2147483647 pref medium
fe80::/64 dev gre4t-tnk proto kernel metric 256 pref medium
fe80::/64 dev tun1 proto kernel metric 256 pref medium
fe80::/64 dev 5G_1 proto kernel metric 256 pref medium
local ::1 dev lo table local proto kernel metric 0 pref medium
anycast fe80:: dev tun1 table local proto kernel metric 0 pref medium
anycast fe80:: dev gre4t-tnk table local proto kernel metric 0 pref medium
anycast fe80:: dev 5G_1 table local proto kernel metric 0 pref medium
local fe80::28c:c2ff:fe63:2173 dev 5G_1 table local proto kernel metric 0 pref medium
local fe80::5c07:eaff:fec3:6981 dev gre4t-tnk table local proto kernel metric 0 pref medium
local fe80::5e9a:af3f:28bd:824b dev tun1 table local proto kernel metric 0 pref medium
multicast ff00::/8 dev gre4t-tnk table local proto kernel metric 256 pref medium
multicast ff00::/8 dev wg1 table local proto kernel metric 256 pref medium
multicast ff00::/8 dev tun1 table local proto kernel metric 256 pref medium
multicast ff00::/8 dev 5G_1 table local proto kernel metric 256 pref medium
multicast ff00::/8 dev wg0 table local proto kernel metric 256 pref medium
ip rule show

0:      from all lookup local
29997:  from all lookup main suppress_prefixlength 1
29998:  from all sport 51820 lookup pbr_wwan
29999:  from all fwmark 0x20000/0xff0000 lookup pbr_wg0
30000:  from all fwmark 0x10000/0xff0000 lookup pbr_wwan
32766:  from all lookup main
32767:  from all lookup default
wg show

interface: wg1
  public key: characters
  private key: (hidden)
  listening port: 51820

peer: characters
  preshared key: (hidden)
  allowed ips: 10.0.46.2/32
  persistent keepalive: every 25 seconds

peer: characters
  preshared key: (hidden)
  allowed ips: 10.0.46.3/32
  persistent keepalive: every 25 seconds

peer: characters
  preshared key: (hidden)
  allowed ips: 10.0.46.4/32
  persistent keepalive: every 25 seconds

peer: characters
  preshared key: (hidden)
  allowed ips: 10.0.46.5/32
  persistent keepalive: every 25 seconds

peer: characters
  preshared key: (hidden)
  allowed ips: 10.0.46.6/32
  persistent keepalive: every 25 seconds

peer: characters
  preshared key: (hidden)
  allowed ips: 10.0.46.7/32
  persistent keepalive: every 25 seconds

interface: wg0
  public key: characters
  private key: (hidden)
  listening port: 57111

peer: characters
  endpoint: ip_address:1443
  allowed ips: 0.0.0.0/1, 128.0.0.0/1
  latest handshake: 9 seconds ago
  transfer: 362.59 KiB received, 258.75 KiB sent
  persistent keepalive: every 25 seconds
service pbr status

pbr - environment
pbr 1.2.2-r3 on OpenWrt 25.12.0-rc4 r32534-12374d88b9.
Uplink (IPv4): wwan/5G_1/192.168.0.1.

Dnsmasq version 2.91  Copyright (c) 2000-2025 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus UBus no-i18n no-IDN DHCP no-DHCPv6 no-Lua TFTP no-conntrack no-ipset no-nftset no-auth no-DNSSEC no-ID loop-detect inotify dumpfile

pbr fw4 nft file: /usr/share/nftables.d/ruleset-post/30-pbr.nft
add chain inet fw4 pbr_dstnat {}
add chain inet fw4 pbr_forward {}
add chain inet fw4 pbr_output {}
add chain inet fw4 pbr_prerouting {}

add rule inet fw4 dstnat jump pbr_dstnat
add rule inet fw4 mangle_prerouting jump pbr_prerouting
add rule inet fw4 mangle_output jump pbr_output
add rule inet fw4 mangle_forward jump pbr_forward

add rule inet fw4 pbr_forward meta mark & 0x00ff0000 != 0 return
add rule inet fw4 pbr_output meta mark & 0x00ff0000 != 0 return
add rule inet fw4 pbr_prerouting meta mark & 0x00ff0000 != 0 return
add chain inet fw4 pbr_mark_0x010000
add rule inet fw4 pbr_mark_0x010000  meta mark set (meta mark & 0xff00ffff) | 0x010000
add rule inet fw4 pbr_mark_0x010000 return
add chain inet fw4 pbr_mark_0x020000
add rule inet fw4 pbr_mark_0x020000  meta mark set (meta mark & 0xff00ffff) | 0x020000
add rule inet fw4 pbr_mark_0x020000 return
add rule inet fw4 pbr_prerouting ip saddr { 192.168.46.51 } tcp sport { 3074 }  goto pbr_mark_0x020000 comment "Xbox Live - ybox"
add rule inet fw4 pbr_prerouting ip saddr { 192.168.46.51 } udp sport { 3074 }  goto pbr_mark_0x020000 comment "Xbox Live - ybox"
add rule inet fw4 pbr_prerouting ip saddr { 192.168.46.61 } tcp sport { 5500 }  goto pbr_mark_0x020000 comment "VNC listen - bltp"
add rule inet fw4 pbr_prerouting ip saddr { 192.168.48.11 } tcp sport { 2080, 2443 }  goto pbr_mark_0x020000 comment "Web server - wspi"
add rule inet fw4 pbr_prerouting ip saddr { 192.168.46.0/24, 192.168.47.0/24, 192.168.48.0/24 }  goto pbr_mark_0x010000 comment "Redirect all LANs"

pbr chains - policies
        chain pbr_forward { # handle 117
                meta mark & 0x00ff0000 != 0x00000000 return # handle 2074
        }
        chain pbr_output { # handle 118
                meta mark & 0x00ff0000 != 0x00000000 return # handle 2075
        }
        chain pbr_prerouting { # handle 119
                meta mark & 0x00ff0000 != 0x00000000 return # handle 2076
                ip saddr 192.168.46.51 tcp sport 3074 goto pbr_mark_0x020000 comment "Xbox Live - ybox" # handle 2081
                ip saddr 192.168.46.51 udp sport 3074 goto pbr_mark_0x020000 comment "Xbox Live - ybox" # handle 2082
                ip saddr 192.168.46.61 tcp sport 5500 goto pbr_mark_0x020000 comment "VNC listen - bltp" # handle 2083
                ip saddr 192.168.48.11 tcp sport { 2080, 2443 } goto pbr_mark_0x020000 comment "Web server - wspi" # handle 2085
                ip saddr { 192.168.46.0-192.168.48.255 } goto pbr_mark_0x010000 comment "Redirect all LANs" # handle 2087
        }
        chain pbr_dstnat { # handle 116
        }

pbr chains - marking
        chain pbr_mark_0x010000 { # handle 127
                meta mark set meta mark & 0xff01ffff | 0x00010000 # handle 2077
                return # handle 2078
        }
        chain pbr_mark_0x020000 { # handle 130
                meta mark set meta mark & 0xff02ffff | 0x00020000 # handle 2079
                return # handle 2080
        }

pbr nft sets

pbr tables & routing
IPv4 table main routes:
    0.0.0.0/1 dev wg0 proto static scope link
    default via 192.168.0.1 dev 5G_1 proto static src 192.168.0.130
    10.0.46.0/24 dev wg1 proto kernel scope link src 10.0.46.1
    10.8.46.0/24 dev tun1 proto kernel scope link src 10.8.46.1
    128.0.0.0/1 dev wg0 proto static scope link
    public_ip via 192.168.0.1 dev 5G_1 proto static
    192.168.0.0/24 dev 5G_1 proto kernel scope link src 192.168.0.130
    192.168.46.0/24 dev br-lan proto kernel scope link src 192.168.46.1
    192.168.47.0/24 dev br-gst proto kernel scope link src 192.168.47.1
    192.168.48.0/24 dev br-iso proto kernel scope link src 192.168.48.1
IPv4 table main rules:
    29997:      from all lookup main suppress_prefixlength 1
    32766:      from all lookup main

IPv4 table 256 (pbr_wwan) routes:
    default via 192.168.0.1 dev 5G_1
IPv4 table 256 (pbr_wwan) rules:
    29998:      from all sport 51820 lookup pbr_wwan
    30000:      from all fwmark 0x10000/0xff0000 lookup pbr_wwan

IPv4 table 257 (pbr_wg0) routes:
    default via 10.13.128.81 dev wg0
IPv4 table 257 (pbr_wg0) rules:
    29999:      from all fwmark 0x20000/0xff0000 lookup pbr_wg0
service pbr restart

Resetting routing Resetting resolver pbr 1.2.2-r3 (fw4 nft file mode) stopped Processing environment (on_start) pbr.cfg0b6ff5.name=Plex/Emby Local Server validates as string with true
pbr.cfg0b6ff5.enabled=0 validates as bool with true
pbr.cfg0b6ff5.interface=wan validates as or("ignore", "tor", regex("xray_.*"), uci("network", "@interface")) with false
pbr.cfg0b6ff5.proto is unset and defaults to or(string) (null)
pbr.cfg0b6ff5.chain is unset and defaults to or("", "forward", "output", "prerouting") prerouting
pbr.cfg0b6ff5.src_addr is unset and defaults to list(neg(or(host,network,macaddr,string))) (null)
pbr.cfg0b6ff5.src_port=8096 8920 32400 validates as list(neg(or(portrange,string))) with true
pbr.cfg0b6ff5.dest_addr is unset and defaults to list(neg(or(host,network,string))) (null)
pbr.cfg0b6ff5.dest_port is unset and defaults to list(neg(or(portrange,string))) (null)
pbr.cfg0c6ff5.name=Plex/Emby Remote Servers validates as string with true
pbr.cfg0c6ff5.enabled=0 validates as bool with true
pbr.cfg0c6ff5.interface=wan validates as or("ignore", "tor", regex("xray_.*"), uci("network", "@interface")) with false
pbr.cfg0c6ff5.proto is unset and defaults to or(string) (null)
pbr.cfg0c6ff5.chain is unset and defaults to or("", "forward", "output", "prerouting") prerouting
pbr.cfg0c6ff5.src_addr is unset and defaults to list(neg(or(host,network,macaddr,string))) (null)
pbr.cfg0c6ff5.src_port is unset and defaults to list(neg(or(portrange,string))) (null)
pbr.cfg0c6ff5.dest_addr=plex.tv my.plexapp.com emby.media app.emby.media tv.emby.media validates as list(neg(or(host,network,string))) with true
pbr.cfg0c6ff5.dest_port is unset and defaults to list(neg(or(portrange,string))) (null)
Installing fw4 nft file pbr 1.2.2-r3 started with gateways:
wwan/5G_1/192.168.0.1 [✓]
wg0/10.13.128.81
network


config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option packet_steering '0'
	option ula_prefix 'characters'
	option dhcp_default_duid 'characters'

config device
	option name 'br-lan'
	option type 'bridge'
	option ipv6 '0'
	option bridge_empty '1'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	list ports 'wan'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.46.1'
	option netmask '255.255.255.0'
	option delegate '0'
	option defaultroute '0'

config interface 'wwan'
	option proto 'dhcp'
	option hostname '*'
	option delegate '0'
	option peerdns '0'

config device
	option type 'bridge'
	option name 'br-iso'
	option bridge_empty '1'
	option ipv6 '0'
	list ports '@tnk.48'

config interface 'iso'
	option proto 'static'
	option device 'br-iso'
	option ipaddr '192.168.48.1'
	option netmask '255.255.255.0'
	option defaultroute '0'
	option delegate '0'

config device
	option type 'bridge'
	option name 'br-gst'
	option bridge_empty '1'
	option ipv6 '0'
	list ports '@tnk.47'

config interface 'gst'
	option proto 'static'
	option device 'br-gst'
	option ipaddr '192.168.47.1'
	option netmask '255.255.255.0'
	option defaultroute '0'
	option delegate '0'

config interface 'tnk'
	option proto 'gretap'
	option force_link '1'
	option ipaddr '192.168.46.1'
	option defaultroute '0'
	option delegate '0'
	option tunlink 'lan'
	option mtu '1458'
	option df '0'
	option peeraddr 'bridger'

config interface 'tun1'
	option proto 'none'
	option device 'tun1'
	option defaultroute '0'
	option delegate '0'

config interface 'wg0'
	option proto 'wireguard'
	option private_key 'key'
	option delegate '0'
	option mtu '1390'
	option defaultroute '0'
	list addresses '10.13.128.81/32'

config wireguard_wg0
	option description 'commercial_provider'
	option public_key 'key'
	option persistent_keepalive '25'
	option endpoint_host 'ip_address'
	option endpoint_port '1443'
	option route_allowed_ips '1'
	list allowed_ips '0.0.0.0/1'
	list allowed_ips '128.0.0.0/1'
	option private_key 'key'

config interface 'wg1'
	option proto 'wireguard'
	option private_key 'key'
	option listen_port '51820'
	list addresses '10.0.46.1/24'
	option mtu '1360'
	option delegate '0'
	option defaultroute '0'

firewall


config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'tun1'
	list network 'wg1'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wg0'
	list network 'wwan'

config zone
	option name 'iso'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'iso'
	option mtu_fix '1'

config zone
	option name 'gst'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'gst'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config forwarding
	option src 'lan'
	option dest 'iso'

config forwarding
	option src 'iso'
	option dest 'wan'

config forwarding
	option src 'gst'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option family 'ipv4'
	option target 'ACCEPT'
	list icmp_type 'echo-request'
	option limit '60/minute'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	list proto 'udp'
	option src '*'
	option dest_port '5353'
	option target 'ACCEPT'
	option name 'Allow-mDNS'
	option src_port '5353'
	list dest_ip '224.0.0.251'

config rule
	option src 'wan'
	option dest_port '20483'
	option target 'ACCEPT'
	option name 'Allow-OVPN'
	list proto 'udp'

config rule
	option name 'Allow-WireGuard'
	option src 'wan'
	option dest_port '51820'
	option target 'ACCEPT'
	list proto 'udp'

config rule
	list proto 'udp'
	option src 'gst'
	option dest_port '67'
	option target 'ACCEPT'
	option name 'gst-Allow-DHCP'

config rule
	option name 'gst-Allow-NTP'
	list proto 'udp'
	option src 'gst'
	option dest_port '123'
	option target 'ACCEPT'

config rule
	option name 'gst-Allow-officejet'
	option src 'gst'
	option dest 'lan'
	list dest_ip '192.168.46.41'
	option target 'ACCEPT'
	list proto 'all'

config rule
	option name 'gst-Deny-Upstream-LANs'
	option src 'gst'
	option dest '*'
	option target 'REJECT'
	list proto 'all'
	list dest_ip '192.168.0.0/16'

config rule
	list proto 'udp'
	option src 'iso'
	option dest_port '67'
	option target 'ACCEPT'
	option name 'iso-Allow-DHCP'

config rule
	option name 'iso-Allow-DNS'
	list proto 'udp'
	option src 'iso'
	option dest_port '53'
	option target 'ACCEPT'

config rule
	option name 'iso-Allow-NTP'
	list proto 'udp'
	option src 'iso'
	option dest_port '123'
	option target 'ACCEPT'

config redirect
	option target 'DNAT'
	list proto 'tcp'
	option src 'wan'
	option src_dport '5500'
	option dest_ip '192.168.46.61'
	option name 'UVNC'
	option dest 'lan'

config redirect
	option target 'DNAT'
	option name 'Xbox Live'
	option src 'wan'
	option src_dport '3074'
	option dest_ip '192.168.46.51'
	option dest 'lan'

config redirect
	option target 'DNAT'
	option name 'HTTP web server'
	list proto 'tcp'
	option src 'wan'
	option src_dport '2080'
	option dest_ip '192.168.48.11'
	option dest 'iso'

config redirect
	option target 'DNAT'
	option name 'HTTPS web server'
	list proto 'tcp'
	option src 'wan'
	option src_dport '2443'
	option dest_ip '192.168.48.11'
	option dest 'iso'

config redirect
	option target 'DNAT'
	option src 'gst'
	option src_dport '53'
	option dest_ip '208.67.220.123'
	option name 'gst-DNS redirect'
	option dest 'wan'

config nat
	option name 'Masquerade-WireGuard'
	option src '*'
	option target 'MASQUERADE'
	option src_ip '10.0.46.0/24'
	list proto 'all'

config nat
	option name 'Masquerade-OpenVPN'
	option src '*'
	option src_ip '10.8.46.0/24'
	option target 'MASQUERADE'
	list proto 'all'

config include 'pbr'
	option fw4_compatible '1'
	option type 'script'
	option path '/usr/share/pbr/firewall.include'


pbr


config pbr 'config'
	option enabled '1'
	option verbosity '0'
	option strict_enforcement '0'
	option resolver_set 'none'
	list resolver_instance '*'
	option ipv6_enabled '0'
	option rule_create_option 'add'
	option procd_boot_trigger_delay '5000'
	option procd_reload_delay '1'
	option webui_show_ignore_target '0'
	option nft_rule_counter '0'
	option nft_set_auto_merge '1'
	option nft_set_counter '0'
	option nft_set_flags_interval '1'
	option nft_set_flags_timeout '0'
	option nft_set_policy 'performance'
	list webui_supported_protocol 'all'
	list webui_supported_protocol 'tcp'
	list webui_supported_protocol 'udp'
	list webui_supported_protocol 'tcp udp'
	list webui_supported_protocol 'icmp'
	list ignored_interface 'wg1'
	list ignored_interface 'tun1'
	option uplink_interface 'wwan'

config include
	option path '/usr/share/pbr/pbr.user.dnsprefetch'
	option enabled '0'

config include
	option path '/usr/share/pbr/pbr.user.aws'
	option enabled '0'

config include
	option path '/usr/share/pbr/pbr.user.netflix'
	option enabled '0'

config dns_policy
	option name 'Redirect Local IP DNS'
	option src_addr '192.168.1.5'
	option dest_dns '1.1.1.1'
	option enabled '0'

config policy
	option name 'Xbox Live - ybox'
	option interface 'wg0'
	option src_addr '192.168.46.51'
	option src_port '3074'
	option proto 'tcp udp'

config policy
	option name 'VNC listen - bltp'
	option interface 'wg0'
	option src_addr '192.168.46.61'
	option src_port '5500'
	option proto 'tcp'

config policy
	option name 'Web server - wspi'
	option interface 'wg0'
	option src_addr '192.168.48.11'
	option src_port '2080 2443'
	option proto 'tcp'

config policy
	option name 'Redirect all LANs'
	option interface 'wwan'
	option src_addr '192.168.46.0/24 192.168.47.0/24 192.168.48.0/24'

config policy
	option name 'Ignore Local Requests'
	option interface 'ignore'
	option dest_addr '10.0.0.0/24 10.0.1.0/24 192.168.100.0/24 192.168.1.0/24'
	option enabled '0'

config policy
	option name 'Plex/Emby Local Server'
	option interface 'wan'
	option src_port '8096 8920 32400'
	option enabled '0'

config policy
	option name 'Plex/Emby Remote Servers'
	option interface 'wan'
	option dest_addr 'plex.tv my.plexapp.com emby.media app.emby.media tv.emby.media'
	option enabled '0'


Set option route_allowed_ips '1' to 0 (=disable)

Now all traffic will use the wwan by default.

So you can remove the following rule:

Make a PBR policy rule with as source your own PC and route it via interface wg0.
Reboot and check from your PC by surfing to ipleak.net that you have the IP address of the VPN.

Also delete wg1 from the ignored interfaces; a WireGuard server (which has a listen port) will be taken care of automatically.

Furthermore, about the following rules: if your goal is seamless access from the connected WireGuard peers to your LAN and other interfaces, then I would specify the interfaces and not use all (*).
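The sequence egc lays out above (disable route_allowed_ips on the wg0 peer, remove the policy he quotes, add one policy for your own PC via wg0, stop ignoring wg1), as an added uci script. This is an example written here, not egc's or the pbr project's code. The rule egc quotes is not reproduced on this page, so the policy to remove is passed by name, and your PC's address is passed as the second argument; neither is stated on the page. The `uci show pbr` sample inside is constructed for the parser test, reusing the cfg0b6ff5/cfg0c6ff5 section ids from the status output above plus one made-up dns_policy id. Nothing on the router is touched unless the script is run with --apply.

```shell
#!/bin/sh
# Applies egc's advice with uci. Added example; assumes the config
# posted above (unnamed 'config wireguard_wg0' section, pbr main
# section named 'config', wg1 listed in ignored_interface).

# policy_section NAME: reads 'uci show pbr' output on stdin and prints the
# section id of the first 'policy' section whose name equals NAME.
# Exit status 1 if no such policy exists. dns_policy sections also carry
# a name option, so the section type is checked, not just the name.
policy_section() {
    awk -v want="$1" -F"='" '
        /^pbr\.[^.=]+=policy$/ { split($0, p, "[.=]"); ispolicy[p[2]] = 1; next }
        $1 ~ /^pbr\.[^.]+\.name$/ {
            split($1, p, ".")
            val = $2; sub(/'\''$/, "", val)
            if (ispolicy[p[2]] && val == want) { print p[2]; found = 1; exit }
        }
        END { exit found ? 0 : 1 }'
}

# Constructed sample of 'uci show pbr' output, for testing policy_section
# off the router. cfg0b6ff5/cfg0c6ff5 are from the status output in the
# thread; cfgdd6ff5 is made up.
sample_uci_show() {
cat <<'EOF'
pbr.config=pbr
pbr.config.enabled='1'
pbr.config.ignored_interface='wg1' 'tun1'
pbr.config.uplink_interface='wwan'
pbr.cfg0b6ff5=policy
pbr.cfg0b6ff5.name='Plex/Emby Local Server'
pbr.cfg0b6ff5.interface='wan'
pbr.cfg0b6ff5.enabled='0'
pbr.cfg0c6ff5=policy
pbr.cfg0c6ff5.name='Plex/Emby Remote Servers'
pbr.cfg0c6ff5.interface='wan'
pbr.cfg0c6ff5.enabled='0'
pbr.cfgdd6ff5=dns_policy
pbr.cfgdd6ff5.name='Redirect Local IP DNS'
EOF
}

# apply_egc_advice REDUNDANT_POLICY_NAME MY_PC_IPV4
apply_egc_advice() {
    redundant_policy=$1
    my_pc=$2

    # 1. wg0 peer: stop installing 0.0.0.0/1 + 128.0.0.0/1 into the main
    #    table; traffic then uses wwan by default and wg0 only by policy.
    uci set network.@wireguard_wg0[0].route_allowed_ips='0'

    # 2. remove the policy that is now redundant.
    if sec=$(uci show pbr | policy_section "$redundant_policy"); then
        uci delete "pbr.$sec"
    fi

    # 3. one policy: this PC via wg0, to verify afterwards on ipleak.net.
    sec=$(uci add pbr policy)
    uci set "pbr.$sec.name=My PC via wg0"
    uci set "pbr.$sec.src_addr=$my_pc"
    uci set "pbr.$sec.interface=wg0"

    # 4. wg1 has a listen_port, so pbr handles it as a server by itself.
    uci del_list pbr.config.ignored_interface='wg1'

    uci commit network
    uci commit pbr
    service network reload
    service pbr restart
}

case "${1:-}" in
    --apply) apply_egc_advice "$2" "$3" ;;
esac
```

Usage on the router: `sh apply-advice.sh --apply 'name of the policy to remove' 192.168.46.20` (the address is whatever your PC has). Step 2 is done by section id because uci cannot delete a section by its name option.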

Are you running a master build?

There are some known problems with master builds at this moment related to the kernel control groups not working.

You can maybe trigger the problem with service pbr on_interface_reload wan6.
Then look at the firewall with nft list ruleset | more; lots of rules are missing:

        chain forward {
                type filter hook forward priority filter; policy drop;
        }

        chain output {
                type filter hook output priority filter; policy accept;
        }

        chain prerouting {
                type filter hook prerouting priority filter; policy accept;
        }

service firewall reload will solve the problem.

Not sure if this is specific to master builds, but it looks related to the split wan/wan6.

1 Like
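An added check for the state egc shows above (not egc's or the project's code): a script that reads `nft list ruleset` output and reports every base chain (one with a `type ... hook ...` line) that contains no rules at all. In fw4 those chains normally hold the jumps into the zone chains and, for mangle_prerouting/mangle_output/mangle_forward, the jumps into pbr_prerouting and friends, so an empty forward chain with policy drop means all forwarding is dropped, and an empty hooked chain with policy accept means the pbr jump is gone and nothing gets marked. The sample ruleset inside is constructed and abridged; it mirrors the three empty chains quoted above.

```shell
#!/bin/sh
# empty_base_chains: reads 'nft list ruleset' text on stdin and prints
# "table/chain policy" for each hooked chain that has no rules.
# Exit status 1 if any were found, 0 if the ruleset looks populated.
empty_base_chains() {
    awk '
        /^table / { table = $2 " " $3; next }
        /^[ \t]*chain [^ ]+ [{]/ { chain = $2; hooked = 0; rules = 0; policy = "?"; next }
        chain == "" { next }
        /^[ \t]*type [a-z]+ hook / {
            hooked = 1
            for (i = 1; i <= NF; i++) if ($i == "policy") { policy = $(i + 1); sub(/;$/, "", policy) }
            next
        }
        /^[ \t]*[}]/ {
            if (hooked && rules == 0) { print table "/" chain " " policy; found = 1 }
            chain = ""
            next
        }
        !/^[ \t]*$/ { rules++ }
        END { exit found ? 1 : 0 }
    '
}

# Constructed, abridged fw4 ruleset in the broken state from the post:
# input still has rules, forward/output/prerouting are empty, and the
# regular chain pbr_dstnat is empty but has no hook, so it is not flagged.
sample_ruleset() {
cat <<'EOF'
table inet fw4 {
    chain input {
        type filter hook input priority filter; policy drop;
        iifname "lo" accept comment "!fw4: Accept traffic from loopback"
        jump handle_reject
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
    }

    chain output {
        type filter hook output priority filter; policy accept;
    }

    chain prerouting {
        type filter hook prerouting priority filter; policy accept;
    }

    chain pbr_dstnat {
    }

    chain mangle_prerouting {
        type filter hook prerouting priority mangle; policy accept;
        jump pbr_prerouting
    }
}
EOF
}

# With --live, check the running firewall; otherwise only the functions
# are defined (so the parser can be tested off the router).
if [ "${1:-}" = "--live" ]; then
    if nft list ruleset | empty_base_chains; then
        echo "no empty base chains"
    else
        echo "empty base chains found; try: service firewall reload"
    fi
fi
```

On the sample the script prints `inet fw4/forward drop`, `inet fw4/output accept` and `inet fw4/prerouting accept` and exits 1; `sh check-chains.sh --live` runs it against the real ruleset, and a non-zero exit is a cheap hook for a cron or watchdog check after interface reloads.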

Thanks for the tips!

It somewhat works now, with new caveats.

I have the ‘route ips’ set on the commercial wireguard interface (wg0) (and the subsequent pbr rule to re-route all lans) to allow my ovpn and wireguard servers to listen via the commercial wireguard (wg0) interface. If I unset it, routing to the ‘alternate’ lan does indeed work, but I can no longer connect to either VPN. Is there a tactic to get them to listen/communicate on the wg0 interface without ‘route ips’?

I'm on master and it's broken. Hope it'll be fixed soon.
@egc Do you know what exactly is currently broken?

1 Like

So your OVPN and WG servers are using the endpoint of the commercial WG client to connect?
Which commercial WG client do you have and how did you deal with the port forwarding?

If so, you probably do this because you do not have a public IP address on the WAN?

You are correct, my OVPN and WG servers are using the endpoint of the commercial WG client to connect.

TorGuard is the commercial provider (up to 20 port forwards above #2048). They have facility for permanent port forwarding to static ip service. Local forwarding via openwrt and pbr (configs above). Working with pbr versions 1.1.8, 1.1.9 and 1.2.0, but not 1.2.1 or above. Also works with pbr disabled, but then all traffic ends up on the VPN, which is undesirable.

Your conclusion is correct too. No public IP on the WAN.