Policy-Based-Routing (pbr) package discussion

Hello! I installed all the packages I could, and I have owrt 22.03.3 x86-64, but I still don't have the option nft set. What am I doing wrong?


Could you please tell me packages name?
I already have dnsmasq-full and ipset installed.
Perhaps like this,

opkg install XXXX

Thanks


Haha, exactly the same problem. Docs are unclear and overloaded.

Exactly, I was expecting a simple answer, like someone just telling the package names so that the alert would be gone.


Did you try to restart services, luci, and reboot? If I understand properly your problem is that the DNSMASQ nft set doesn't show up in the drop down list, which might as well be a cache issue.

@Openwrtfunboy @amanjuman if you find that documentation is lacking, you're welcome to contribute to it: https://github.com/stangri/docs.openwrt.melmac.net

There's no simple answer to installation of dnsmasq-full which supports nft sets yet. The information is available elsewhere on the forum.


I can see DNSmasq ipset available, however no Dnsmasq nft set yet even though I installed dnsmasq-full using image builder.


Yes, it was a clean install and I tried from different browsers; of course there were many reboots of everything.

"Either way make sure that your DNS requests are not routed via VPN Tunnel!" - solved it for me.
By default, I route all traffic via the tunnel, then exclude what I need to.
I will keep on reading that section :slight_smile:

Wasn't this already answered a bit above? See here. I didn't test it yet, but I assumed that was why the option for nft set isn't showing because the latest build of PBR expects a newer build of DNSMasq than is currently in 22.03.2 firmware.

Edit - Nvm, I see you're on 22.03.3 now; I will have to update also.

Hi, newbie here. Can anyone record a video (or snapshots) with the procedure to specify policies so that specific devices use a WireGuard VPN tunnel? It's already set up and functional in my LAN, but I just need some devices using the VPN; all the rest I want connected directly through the ISP.
Thanks a lot

• On the WireGuard interface, do not check "Use default gateway", so that the default route remains your regular ISP connection
• In Policy Based Routing, add rules (with the Add button) matching the devices you want to go through the VPN (by MAC address, or IP address if you assigned a static DHCP lease), and associate them with the WireGuard interface (you can specify several addresses per rule, using space as separator IIRC)


@Fiouz , precise, concise and exactly what I needed. Thanks a lot!

@Fiouz, I noticed that there are DNS leaks through this routing policy: I double checked the DNS leak test with this policy enabled and disabled, and when disabled there are no DNS leaks.
Is there a way to prevent DNS leaks through pbr?

Advertise to the LAN hosts the nameserver of the VPN provider (DHCP option 6, or DHCPv6/RA for IPv6).
Alternatively you can set dnsmasq to resolve everything from the nameserver of the VPN provider. There is a catch here though: if the nameserver of the VPN provider will accept queries from the internet to resolve the tunnel endpoints, then you might need to add an exception for these addresses.
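An added example (not from this thread or from the pbr project) of the two settings described above, written as a generator for a `uci batch` script against /etc/config/dhcp; the resolver addresses and the endpoint hostname are constructed placeholders:

```shell
# Prints uci batch commands that (1) advertise the VPN resolver to LAN clients via
# DHCP option 6, (2) make dnsmasq forward everything to that resolver instead of the
# ISP servers learned on WAN, and (3) add the one exception the "catch" needs: the
# tunnel endpoint's hostname must still resolve while the tunnel is down.
#   $1 = VPN provider resolver (only reachable through the tunnel)
#   $2 = hostname of the VPN tunnel endpoint
#   $3 = resolver reachable over the plain WAN, used only for $2
# All three sample values used below are constructed placeholders.
vpn_dns_uci_batch() {
    vpn_dns="$1"; endpoint_host="$2"; wan_dns="$3"
    # (1) LAN clients are told to use the VPN resolver directly (list entry, so
    #     re-running appends; delete dhcp.lan.dhcp_option first if re-applying)
    printf "add_list dhcp.lan.dhcp_option='6,%s'\n" "$vpn_dns"
    # (2) dnsmasq ignores /tmp/resolv.conf.d (ISP servers) and uses the VPN resolver
    printf "set dhcp.@dnsmasq[0].noresolv='1'\n"
    printf "add_list dhcp.@dnsmasq[0].server='%s'\n" "$vpn_dns"
    # (3) per-domain exception: dnsmasq's /domain/server form sends only the
    #     endpoint's name to a resolver that works without the tunnel
    printf "add_list dhcp.@dnsmasq[0].server='/%s/%s'\n" "$endpoint_host" "$wan_dns"
    printf "commit dhcp\n"
}

# On the router (values are placeholders):
#   vpn_dns_uci_batch 10.2.0.1 vpn.example.net 9.9.9.9 | uci batch \
#     && /etc/init.d/dnsmasq restart
```

After applying, check from a LAN client that its DNS traffic leaves through the tunnel (for example with the same leak test mentioned above) and that the endpoint hostname still resolves with the tunnel interface down.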


Could you please provide some screenshots for these settings?

1 - "Advertise to the LAN hosts the nameserver of the VPN provider (DHCP option 6, or DHCPv6/RA for IPv6)."

And

2 - "Set dnsmasq to resolve everything from the nameserver of the VPN provider."

3 - "There is a catch here though: if the nameserver of the VPN provider will accept queries from the internet to resolve the tunnel endpoints, then you might need to add an exception for these addresses."

Thanks a lot

An easy workaround is to delegate all your DNS queries (even from devices that don't go through VPN) to a "trusted" resolver (e.g. Google, Cloudflare, Quad9, etc.), over HTTPS, by installing https-dns-proxy from the same author as pbr.

Obviously, you need to trust the chosen resolver.

Main advantage is ease of setup (no need to fiddle with dnsmasq DHCP options), but it's not exactly what you request; at least, your ISP won't appear as your DNS.


I did something similar. To avoid DNS leaks on a virtual machine with a bridged IP, I set the DNS servers manually within the OS to my VPN DNS servers. For my backup browser, which is using DSCP tagging for routing, I enabled DNS over HTTPS (DoH) within the browser using Cloudflare as the resolver. That then allows me to use AdGuard Home as my main DNS server for everything else.

For anyone who is interested, DSCP tagging does work really well in Windows with PBR for per-app routing, but for some reason the settings don't persist across Windows restarts. I made the following simple PowerShell script that is basic but does the job.

The PowerShell script removes the existing named policies and replaces them with the app location and the DSCP tag, which in this case is 8.

QoS.ps1

```powershell
# Drop any previous copies of the two policies so they are recreated cleanly
# (-ErrorAction SilentlyContinue keeps the first run from stopping on "not found")
Remove-NetQosPolicy Opera -A -ErrorAction SilentlyContinue
Remove-NetQosPolicy qBT -A -ErrorAction SilentlyContinue
# Tag all IPv4/IPv6 traffic from each executable with DSCP 8 so PBR can match it
New-NetQosPolicy -Name "Opera" -AppPathNameMatchCondition "E:\Opera\opera.exe" -IPProtocol Both -DSCPAction 8
# Use $env:ProgramFiles here: PowerShell does not expand %ProgramFiles% itself
New-NetQosPolicy -Name "qBT" -AppPathNameMatchCondition "$env:ProgramFiles\qBittorrent\qbittorrent.exe" -IPProtocol Both -DSCPAction 8
# Show the resulting policies so you can confirm both are present
Get-NetQosPolicy
pause
```

This batch file runs the script. It needs to run as administrator. This can be done as needed or, I guess, with a startup task.

QoS.bat

```bat
PowerShell -NoProfile -ExecutionPolicy Unrestricted -Command "& {Start-Process PowerShell -ArgumentList '-NoProfile -ExecutionPolicy Unrestricted -File ""E:\Documents\Side Apps\QoS\QoS.ps1""' -Verb RunAs}";
```

You might also need to allow local PowerShell scripts to run without signing in System\Privacy & Security\PowerShell\Change Execution policy.

Then you just need to set the DSCP tagging to 8 for the required interface within PBR.


First of all I want to say, great work on this package! I'm new to OpenWRT since I've always used pfSense/OPNsense as router, but needed a low power solution with decent performance. OpenWRT / Linux seem to perform much better on low end old hardware than FreeBSD. So I decided to switch to OpenWRT a few weeks ago and so far pretty happy with it.

Now I wanted to replicate the routing policies I had on OPNsense for wan / wireguard vpn, which this package seems to be perfect for. Unfortunately I can't really get it to work reliably; pbr is reloading every few minutes with the following log message:

```
user.notice pbr: Reloading pbr due to includes of firewall
```

This causes the connection to get interrupted for a few seconds, resulting in major packet loss. Is there a way to debug what triggers this? I already figured out that putting 'exit 0' on top of /usr/share/pbr/pbr.firewall.include will stop this reloading behavior, but then the nft rules are no longer being added. I'm using dnsmasq-full 2.88 with dnsmasq nft set, but had the same behavior with dnsmasq ipset on dnsmasq-full 2.86. I thought that upgrading to the latest and greatest might solve my issue, but unfortunately it makes no difference.

You can disable secure_reload to prevent the traffic killswitch while pbr reloads.

No need to debug, the cause is right there in the log message -- pbr is being reloaded due to the firewall restart/reload.

You do need to figure out why the firewall is getting restarted/reloaded every few minutes, this is not normal.