Policy-Based-Routing (pbr) package discussion

Hi, can I leave out these messages?

make menuconfig
Collecting package info: done
tmp/.config-package.in:56656:error: recursive dependency detected!
tmp/.config-package.in:56656:	symbol PACKAGE_luci-app-pbr depends on PACKAGE_luci-app-pbr
For a resolution refer to Documentation/kbuild/kconfig-language.rst
subsection "Kconfig recursive dependency limitations"

configuration written to .config

*** End of the configuration.
*** Execute 'make' to start the build or try 'make help'.

If the custom user file includes are set, the service will load and execute them after setting up routing and the sets and processing policies. This allows, for example, to add large numbers of domains/IP addresses to ipsets or nft sets without manually adding all of them to the config file.

Two example custom user-files are provided: /usr/share/pbr/pbr.user.aws and /usr/share/pbr/pbr.user.netflix. They are provided to pull the AWS and Netflix IP addresses into the default WAN IPv4 sets the service sets up, indicated in the TARGET_IPSET variable at the top of each script.

The pbr package can be configured to utilize dnsmasq's nft sets support, which requires the dnsmasq-full package with nft sets support to be installed.

Hello! I installed all the packages as far as possible and I have owrt 22.03.3 x86-64, but I still don't have the nft set option. What am I doing wrong?


Could you please tell me the package names?
I already have dnsmasq-full and ipset installed.
Perhaps like this,

opkg install XXXX

Thanks


Haha, absolutely same problem. Docs are unclear and overloaded.

Exactly, I was expecting a simple answer like someone would tell just packages names so that alert would be gone.


Did you try to restart services, luci, and reboot? If I understand properly your problem is that the DNSMASQ nft set doesn't show up in the drop down list, which might as well be a cache issue.

@Openwrtfunboy @amanjuman if you find that documentation is lacking, you're welcome to contribute to it: https://github.com/stangri/docs.openwrt.melmac.net

There's no simple answer yet to installing dnsmasq-full with nft set support. The information is available elsewhere on the forum.


I can see DNSmasq ipset available, however no Dnsmasq nft set yet even though I installed dnsmasq-full using image builder.


Yes, it was a clean install and I tried from different browsers; of course there were many reboots of everything.

"Either way make sure that your DNS requests are not routed via VPN Tunnel!" - solved it for me.
By default, I route all traffic via the tunnel, then exclude what I need to.
I will keep on reading that section :)

Wasn't this already answered a bit above? See here. I didn't test it yet, but I assumed that was why the option for nft set isn't showing because the latest build of PBR expects a newer build of DNSMasq than is currently in 22.03.2 firmware.

Edit - Nvm I see you're on 22.03.3 now I will have to update also.

Hi, newbie here. Can anyone record a video (or snapshots) with the procedure to specify policies so that specific devices use a WireGuard VPN tunnel? It's already set up and functional in my LAN, but I just need some devices using the VPN; all the rest I want connected directly through the ISP.
Thanks a lot

  • On the Wireguard interface, do not check "Use default gateway", so that the default route remains your regular ISP connection

  • In Policy Based Routing, add rules (with the Add button) matching devices you want to go through VPN (by MAC address, or IP address if you assigned a static DHCP lease), and associate it with the Wireguard interface (you can specify several addresses per rule, using space as separator IIRC)
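The two steps above expressed as UCI config, as an added example that is not from the original post or the pbr project. It assumes the tunnel's logical interface is named wg0; keys, addresses and the MAC are constructed placeholders, and the WireGuard knob that keeps 0.0.0.0/0 off the routing table is the peer's route_allowed_ips option.

```uci
# /etc/config/network (constructed excerpt): keep the tunnel from becoming the default route
config interface 'wg0'
	option proto 'wireguard'
	option private_key 'PLACEHOLDER_PRIVATE_KEY'
	list addresses '10.8.0.2/32'

config wireguard_wg0
	option public_key 'PLACEHOLDER_PEER_PUBLIC_KEY'
	option endpoint_host 'vpn.example.net'
	option endpoint_port '51820'
	list allowed_ips '0.0.0.0/0'
	# do not install the AllowedIPs as kernel routes; pbr steers selected hosts instead
	option route_allowed_ips '0'
	option persistent_keepalive '25'

# /etc/config/pbr (constructed excerpt)
config pbr 'config'
	option enabled '1'
	# if wg0 is down, drop matched traffic rather than letting it fall back to the ISP
	option strict_enforcement '1'

config policy
	option name 'Selected hosts via VPN'
	# space-separated list: one host by its static-lease IP, one by MAC address
	option src_addr '192.168.1.50 AA:BB:CC:DD:EE:FF'
	option interface 'wg0'
```

Apply with /etc/init.d/network reload followed by /etc/init.d/pbr restart; everything not matched by the policy keeps using the ISP default route.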


@Fiouz , precise, concise and exactly what I needed. Thanks a lot!

@Fiouz , I noticed that there are DNS leaks through this routing policy: I double checked the DNS leak test with this policy enabled and disabled, and when disabled there are no DNS leaks.
Is there a way to prevent DNS leaks through pbr?

Advertise to the LAN hosts the nameserver of the VPN provider (DHCP option 6, or DHCPv6/RA for IPv6).
Alternatively you can set dnsmasq to resolve everything from the nameserver of the VPN provider. There is a catch here though: if the nameserver of the VPN provider will accept queries from the internet to resolve the tunnel endpoints, then you might need to add an exception for these addresses.
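Both options from the reply above as UCI config, added here as an example that is not part of the original post or the pbr project. 10.8.0.1 and 2001:db8::1 are constructed placeholders for the VPN provider's resolvers, vpn.example.net for the tunnel endpoint hostname, wg0 for the tunnel interface; the pbr 'chain' option used for the router's own queries is an assumption about pbr's policy options.

```uci
# /etc/config/dhcp (constructed excerpt)

# Option 1: hand the VPN resolver to LAN clients (DHCP option 6; 'dns' is announced via RA/DHCPv6)
config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	list dhcp_option '6,10.8.0.1'
	list dns '2001:db8::1'

# Option 2: have the router's dnsmasq forward everything to the VPN resolver
config dnsmasq
	option domain 'lan'
	option local '/lan/'
	# ignore the resolvers learned from the WAN/ISP
	option noresolv '1'
	list server '10.8.0.1'
	# the exception from the reply: the endpoint name must resolve before the tunnel is up,
	# so that single name is sent to a resolver reachable over the plain WAN (Quad9 here)
	list server '/vpn.example.net/9.9.9.9'

# /etc/config/pbr (constructed excerpt): without these, packets for 10.8.0.1 leave via
# the ISP (there is no tunnel default route) and the lookups fail or leak
config policy
	option name 'LAN DNS to VPN resolver'
	option dest_addr '10.8.0.1'
	option dest_port '53'
	option interface 'wg0'

config policy
	option name 'Router DNS via VPN'
	# output chain: traffic originated by the router itself (dnsmasq), assumed option
	option chain 'output'
	option dest_addr '10.8.0.1'
	option dest_port '53'
	option interface 'wg0'
```

After /etc/init.d/dnsmasq restart and /etc/init.d/pbr restart, re-run the leak test from a host that is not in the VPN policy: it should now show the VPN provider's resolver rather than the ISP's.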


Could you please provide some screenshots of these settings?

1- "Advertise to the LAN hosts the nameserver of the VPN provider (DHCP option 6, or DHCPv6/RA for IPv6)."

And

2- "set the dnsmasq to resolve everything from the nameserver of the VPN provider."

3- "There is a catch here though: if the nameserver of the VPN provider will accept queries from the internet to resolve the tunnel endpoints, then you might need to add an exception for these addresses."

Thanks a lot

An easy workaround is to delegate all your DNS queries (even from devices that don't go through VPN) to a "trusted" resolver (e.g. Google, Cloudflare, Quad9, etc.), over HTTPS, by installing https-dns-proxy from the same author as pbr.

Obviously, you need to trust the chosen resolver.

Main advantage is ease of setup (no need to fiddle with dnsmasq DHCP options), but it's not exactly what you request; at least, your ISP won't appear as your DNS.


I did something similar. To avoid DNS leaks on a virtual machine with a bridged IP I set the DNS servers manually within the OS to my VPN DNS servers. For my backup browser, which is using DSCP tagging for routing, I enabled DNS over HTTPS (DoH) within the browser using Cloudflare as the resolver. That then allows me to use AdGuard Home as my main DNS server for everything else.

For anyone who is interested, DSCP tagging does work really well in Windows with PBR for per-app routing, but for some reason the settings don't persist across Windows restarts. I made the following simple PowerShell script that is basic but does the job.

The PowerShell script removes the existing named policies and replaces them with the app location and the DSCP tag, which in this case is 8.

QoS.ps1

# Drop the old policies first: no confirmation prompt, and no error if they do not exist yet
Remove-NetQosPolicy -Name "Opera" -Confirm:$false -ErrorAction SilentlyContinue
Remove-NetQosPolicy -Name "qBT" -Confirm:$false -ErrorAction SilentlyContinue
# Re-create them: match on the executable path, tag both TCP and UDP with DSCP 8
New-NetQosPolicy -Name "Opera" -AppPathNameMatchCondition "E:\Opera\opera.exe" -IPProtocol Both -DSCPAction 8
# %ProgramFiles% is cmd.exe syntax and is not expanded by PowerShell; use $env:ProgramFiles
New-NetQosPolicy -Name "qBT" -AppPathNameMatchCondition "$env:ProgramFiles\qBittorrent\qbittorrent.exe" -IPProtocol Both -DSCPAction 8
# Show the resulting policies so the DSCP value can be checked before the window closes
Get-NetQosPolicy
pause

This batch file runs the script. It needs to run as administrator. This can be done as needed or I guess with a startup task.
QoS.bat

PowerShell -NoProfile -ExecutionPolicy Unrestricted -Command "& {Start-Process PowerShell -ArgumentList '-NoProfile -ExecutionPolicy Unrestricted -File ""E:\Documents\Side Apps\QoS\QoS.ps1""' -Verb RunAs}";

You might also need to allow local PowerShell scripts to run without signing in System\Privacy & Security\PowerShell\Change Execution policy.

Then you just need to set the DSCP tagging to 8 for the required interface within PBR.
