Policy-Based-Routing (pbr) package discussion

And you’re right, when I use case sensitive the PBR works fine for that interface, thanks!!

1 Like

Haha, you are actually the first who has read the small print.

Will correct it, thanks for reporting :smiley:

2 Likes

version openwrt-25.12.2

  1. PBR on a static white IP that is manually assigned works perfectly with WireGuard or amneziawg.
    It redirects the domain, which, if opened through a browser, opens the site instantly.
    Any settings, interface reboot or PBR reboot don't affect anything; everything just works great.

  2. A static white IP that comes via DHCP from another provider.
    The settings are the same.
    Everything works, but on the computer the same website opens with a big delay; on the phone it's fast. Rebooting the interface doesn't affect it; everything works fine.

  3. The ISP issues a gray IP address from 100.64.0.0/10.
    PBR works after rebooting the router, but it doesn't resolve domains, only IP addresses. If I reboot PBR, the internet connection drops completely.
    The only way to restore internet is to reboot the router; there's no other way.
    Naturally, I didn't enable PBR on this provider.

  4. The ISP issues a gray IP address from 10.0.0.0/8.
    The effect is slightly better: the internet doesn't drop after a PBR reboot, but it doesn't resolve domains, and there are big delays if you forward the IP.
    It might just fall off and stop working.
    By entering IP addresses directly in amneziawg without PBR, everything works fine.
    Naturally, I didn't enable PBR on this provider either.

Conclusion: PBR only works on a static IP.
All settings are identical, one to one.
Additional software installed: luci-app-https-dns-proxy and luci-app-adblock, but as I understand it, that doesn't interfere.

I’ve recently upgraded my mt6000 system (snapshot) to OpenWrt SNAPSHOT r34235-a73e378bea, including pbr 1.2.2-r14.

But right after this, my LAN clients lost their internet connectivity. On the router itself, connectivity works fine, though; I can reach the public internet.

So as soon as I disable pbr and reboot, my LAN clients can reach the internet. Stopping the service didn’t help, and for some reason I saw different routes in the routing page:

The first one is when PBR is started (or stopped)

The second one is when PBR is disabled on boot:

So I did a service pbr support and here’s its output:

root@mt6000:/etc/init.d# service pbr support
Setting counters and verbosity for diagnostics...

===== dhcp config =====

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '0'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option localservice '1'
	option ednspacket_max '1232'
	option strictorder '1'
	list server '192.168.1.3#53'
	list server '/mask.icloud.com/'
	list server '/mask-h2.icloud.com/'
	list server '/use-application-dns.net/'
	list server '127.0.0.1#5059'
	list server '127.0.0.1#5053'
	option doh_backup_noresolv '-1'
	option noresolv '1'
	list doh_backup_server '192.168.1.3#53'
	list doh_backup_server '/mask.icloud.com/'
	list doh_backup_server '/mask-h2.icloud.com/'
	list doh_backup_server '/use-application-dns.net/'
	list doh_server '127.0.0.1#5059'
	list doh_server '127.0.0.1#5053'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option preferred_lifetime '12h'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option leasefile '/tmp/odhcpd.leases'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '3'
	option hostsdir '/tmp/hosts'
	option piodir '/tmp/odhcpd-piodir'

config host
	option name 'Blackbox'
	option ip '192.168.1.210'
	option mac '***'

config dhcp 'wan6'
	option ndp 'relay'
	option interface 'wan6'
	option master '1'
	option ra 'relay'
	option dhcpv6 'relay'

config dhcp 'trlan'
	option interface 'trlan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	list dhcp_option '6,192.168.1.1,192.168.1.3'

config host
	option ip '192.168.1.171'
	list mac '***'

config host
	option ip '192.168.1.219'
	list mac '***'
	option name 'whale'

config host
	option ip '192.168.1.141'
	list mac '***'
	option name 'darkstar'

config host
	option ip '192.168.1.152'
	list mac '***'
	option name 'guardian'

config host
	option name 'warehouse'
	option ip '192.168.1.228'
	list mac '***'

config host
	option name 'nomad-server-02'
	option ip '192.168.1.234'
	list mac '***'

config host
	option name 'nomad-server-01'
	option ip '192.168.1.173'
	list mac '***'

config host
	option name 'nomad-server-03'
	option ip '192.168.1.176'
	list mac '***'

config host
	option name 'nomad-client-01'
	option ip '192.168.1.232'
	list mac '***'

config host
	option name 'nomad-client-02'
	option ip '192.168.1.217'
	list mac '***'

config host
	option name 'nomad-client-03'
	option ip '192.168.1.235'
	list mac '***'


===== firewall config =====

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'trlan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'
	list network 'bro'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'wireguardvlan'
	option src 'wan'
	option src_dport '51821'
	option dest_ip '192.168.1.52'
	option dest_port '51820'

config rule
	option name 'redirectbackrule'
	option src 'wan'
	option dest 'lan'
	list dest_ip '192.168.1.51'
	option target 'ACCEPT'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'quicvpn'
	option src 'wan'
	option src_dport '443'
	option dest_ip '192.168.1.10'
	option dest_port '443'
	list proto 'udp'

config include 'pbr'
	option fw4_compatible '1'
	option type 'script'
	option path '/usr/share/pbr/firewall.include'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'ipsec'
	option src 'wan'
	option src_dport '500'
	option dest_ip '192.168.1.141'
	option dest_port '500'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'ipsec2'
	option src 'wan'
	option src_dport '4500'
	option dest_ip '192.168.1.141'
	option dest_port '4500'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'wireguardvlantr'
	option src 'wan'
	option src_dport '51822'
	option dest_ip '192.168.1.53'
	option dest_port '51820'


===== network config =====

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '***.*.*.*'

config globals 'globals'
	option packet_steering '2'
	option steering_flows '128'
	option dhcp_default_duid '00041fde18598f294c15af4c213e9814f44c'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '***.***.***.*'
	option delegate '0'
	list ip6class 'wan6'

config interface 'wan'
	option device 'eth1'
	option proto 'dhcp'

config interface 'wan6'
	option device 'eth1'
	option proto 'dhcpv6'
	option reqaddress 'try'
	option reqprefix 'auto'
	option norelease '1'
	list ip6class 'wan6'
	option peerdns '0'
	list dns '192.168.1.1'

config device
	option type 'bridge'
	option name 'trbr0'
	list ports 'lan5'

config interface 'trlan'
	option proto 'static'
	option device 'trbr0'
	option ipaddr '192.168.136.1'
	option netmask '***.***.***.*'
	option delegate '0'
	list dns '192.168.1.1'

config device
	option name 'eth1'

config interface 'bro'
	option proto 'xfrm'
	option ifid '199'
	option tunlink 'wan'
	option mtu '1438'
	option defaultroute '0'
	option delegate '0'

config rule 'pbr_lan_ipv4'
	option in 'lan'
	option lookup 'pbr_wan'
	option priority '31000'

config rule 'pbr_wan_ipv4'
	option priority '30000'
	option lookup 'pbr_wan'
	option mark '0x010000'
	option mask '0x00ff0000'

config rule 'pbr_trlan_ipv4'
	option in 'trlan'
	option lookup 'pbr_wan'
	option priority '31001'

config rule 'pbr_bro_ipv4'
	option priority '29999'
	option lookup 'pbr_bro'
	option mark '0x020000'
	option mask '0x00ff0000'


===== pbr config =====

config pbr 'config'
	option enabled '1'
	option verbosity '2'
	option strict_enforcement '0'
	option resolver_set 'dnsmasq.nftset'
	list resolver_instance '*'
	option ipv6_enabled '0'
	list ignored_interface 'vpnserver'
	option boot_timeout '30'
	option rule_create_option 'add'
	option procd_reload_delay '10'
	option webui_show_ignore_target '0'
	option nft_rule_counter '1'
	option nft_set_auto_merge '1'
	option nft_set_counter '1'
	option nft_set_flags_interval '1'
	option nft_set_flags_timeout '0'
	option nft_set_policy 'performance'
	list webui_supported_protocol 'all'
	list webui_supported_protocol 'tcp'
	list webui_supported_protocol 'udp'
	list webui_supported_protocol 'tcp udp'
	list webui_supported_protocol 'icmp'
	option uplink_ip_rules_priority '30000'
	option netifd_strict_enforcement '1'
	option netifd_interface_default 'wan'
	list netifd_interface_local 'lan'
	list netifd_interface_local 'trlan'
	option config_compat '25'
	option config_version '1.2.2-r14'
	list supported_interface 'bro'
	option netifd_enabled '1'

config include
	option path '/usr/share/pbr/pbr.user.aws'
	option enabled '0'

config include
	option path '/usr/share/pbr/pbr.user.netflix'
	option enabled '0'


===== ubus call system board =====
{
	"kernel": "6.18.25",
	"hostname": "mt6000",
	"system": "ARMv8 Processor rev 4",
	"model": "GL.iNet GL-MT6000",
	"board_name": "glinet,gl-mt6000",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "SNAPSHOT",
		"firmware_url": "https://downloads.openwrt.org/",
		"revision": "r34235-a73e378bea",
		"target": "mediatek/filogic",
		"description": "OpenWrt SNAPSHOT r34235-a73e378bea",
		"builddate": "1777589812"
	}
}

===== /etc/init.d/pbr restart =====
Using uplink interface (on_start): wan [✓]
Found uplink gateway (on_start): 192.168.178.1 [✓]
Processing environment (on_start) [✓]
Setting up routing for 'wan/eth1/192.168.178.1' [✓]
Setting up routing for 'bro/192.168.4.224' [✓]
Installing fw4 nft file [✓]
Setting interface trigger for wan [✓]
Setting interface trigger for bro [✓]
pbr 1.2.2-r14 monitoring interfaces: wan bro
pbr 1.2.2-r14 started with gateways:
wan/eth1/192.168.178.1 [✓]
bro/192.168.4.224

===== /etc/init.d/pbr status (after restart) =====

pbr - environment
pbr 1.2.2-r14 on OpenWrt SNAPSHOT r34235-a73e378bea.
Uplink (IPv4): wan/eth1/192.168.178.1.

Dnsmasq version 2.92  Copyright (c) 2000-2025 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus UBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP conntrack no-ipset nftset auth DNSSEC no-ID loop-detect inotify dumpfile

pbr fw4 nft file: /usr/share/nftables.d/ruleset-post/30-pbr.nft
add chain inet fw4 pbr_dstnat {}
add chain inet fw4 pbr_forward {}
add chain inet fw4 pbr_output {}
add chain inet fw4 pbr_prerouting {}

insert rule inet fw4 dstnat jump pbr_dstnat
add rule inet fw4 mangle_prerouting jump pbr_prerouting
add rule inet fw4 mangle_output jump pbr_output
add rule inet fw4 mangle_forward jump pbr_forward

add rule inet fw4 pbr_forward counter meta mark & 0x00ff0000 != 0 return
add rule inet fw4 pbr_output counter meta mark & 0x00ff0000 != 0 return
add rule inet fw4 pbr_prerouting counter meta mark & 0x00ff0000 != 0 return
add chain inet fw4 pbr_mark_0x010000
add rule inet fw4 pbr_mark_0x010000 counter meta mark set (meta mark & 0xff00ffff) | 0x010000
add rule inet fw4 pbr_mark_0x010000 return
add chain inet fw4 pbr_mark_0x020000
add rule inet fw4 pbr_mark_0x020000 counter meta mark set (meta mark & 0xff00ffff) | 0x020000
add rule inet fw4 pbr_mark_0x020000 return

pbr chains - policies

pbr chains - marking

pbr nft sets

pbr tables & routing
IPv4 table main routes:
    default via 192.168.178.1 dev eth1 proto static src 192.168.178.10
    192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1
    192.168.136.0/24 dev trbr0 proto kernel scope link src 192.168.136.1
    192.168.178.0/24 dev eth1 proto kernel scope link src 192.168.178.10
IPv4 table main rules:
    29998:	from all lookup main suppress_prefixlength 1
    32766:	from all lookup main

IPv4 table 256 (pbr_wan) routes:
    default via 192.168.178.1 dev eth1
IPv4 table 256 (pbr_wan) rules:
    30000:	from all fwmark 0x10000/0xff0000 lookup pbr_wan

IPv4 table 257 (pbr_bro) routes:
    default via 192.168.4.224 dev bro
IPv4 table 257 (pbr_bro) rules:
    29999:	from all fwmark 0x20000/0xff0000 lookup pbr_bro

For information, the bro interface is an IPsec XFRM interface, and I was routing 192.168.136.0/24 via that interface. That was my intention. But I had to remove those rules to see if they were creating trouble. But later, even after I removed this routing rule, my issue remained the same. I can only connect to the internet when pbr is totally disabled at boot.

I’m just wondering what I can do to troubleshoot further.

Can you show the output of:

service firewall restart
service https-dns-proxy info
ip address show
ip route show table all

Here it is:

Just after seeing the output from the firewall restart, I disabled/stopped https-dns-proxy. Now I have connectivity in my LAN, PBR enabled.

Without PBR:

root@mt6000:~# service firewall restart
In file included from /dev/stdin:237:1-76:
/usr/share/nftables.d/ruleset-post/20-https-dns-proxy-notrack.nft:1:34-34: Error: syntax error, unexpected '{', expecting string or last
chain raw_output_https_dns_proxy {
                                 ^
In file included from /dev/stdin:237:1-76:
/usr/share/nftables.d/ruleset-post/20-https-dns-proxy-notrack.nft:2:1-4: Error: syntax error, unexpected type
type filter hook output priority raw; policy accept;
^^^^
In file included from /dev/stdin:237:1-76:
/usr/share/nftables.d/ruleset-post/20-https-dns-proxy-notrack.nft:2:39-44: Error: syntax error, unexpected policy
type filter hook output priority raw; policy accept;
                                      ^^^^^^
In file included from /dev/stdin:237:1-76:
/usr/share/nftables.d/ruleset-post/20-https-dns-proxy-notrack.nft:3:1-4: Error: syntax error, unexpected meta
meta l4proto { tcp, udp } th dport { 5059, 5053 } ip daddr 127.0.0.0/8 notrack
^^^^
In file included from /dev/stdin:237:1-76:
/usr/share/nftables.d/ruleset-post/20-https-dns-proxy-notrack.nft:4:1-4: Error: syntax error, unexpected meta
meta l4proto { tcp, udp } th sport { 5059, 5053 } ip saddr 127.0.0.0/8 notrack
^^^^
In file included from /dev/stdin:237:1-76:
/usr/share/nftables.d/ruleset-post/20-https-dns-proxy-notrack.nft:5:1-1: Error: syntax error, unexpected '}'
}
^
The rendered ruleset contains errors, not doing firewall restart.
root@mt6000:~# service https-dns-proxy info
{
	"https-dns-proxy": {
		"instances": {
			"instance1": {
				"running": true,
				"pid": 6978,
				"command": [
					"/usr/sbin/https-dns-proxy",
					"-r",
					"https://base.dns.mullvad.net/dns-query",
					"-p",
					"5059",
					"-b",
					"1.1.1.1,1.0.0.1,8.8.8.8,8.8.4.4",
					"-4",
					"-u",
					"nobody",
					"-g",
					"nogroup"
				],
				"term_timeout": 5,
				"data": {
					"mdns": {
						"https-dns-proxy_5059": {
							"service": "_https-dns-proxy._udp.local",
							"port": 5059,
							"txt": [
								"DNS over HTTPS proxy"
							]
						}
					}
				},
				"respawn": {
					"threshold": 3600,
					"timeout": 5,
					"retry": 5
				}
			},
			"instance2": {
				"running": true,
				"pid": 6979,
				"command": [
					"/usr/sbin/https-dns-proxy",
					"-r",
					"https://dns.adguard-dns.com/dns-query",
					"-p",
					"5053",
					"-b",
					"1.1.1.1,1.0.0.1,8.8.8.8,8.8.4.4",
					"-4",
					"-u",
					"nobody",
					"-g",
					"nogroup"
				],
				"term_timeout": 5,
				"data": {
					"mdns": {
						"https-dns-proxy_5053": {
							"service": "_https-dns-proxy._udp.local",
							"port": 5053,
							"txt": [
								"DNS over HTTPS proxy"
							]
						}
					}
				},
				"respawn": {
					"threshold": 3600,
					"timeout": 5,
					"retry": 5
				}
			}
		},
		"triggers": [
			[
				"interface.*",
				[
					"if",
					[
						"eq",
						"interface",
						"wan"
					],
					[
						"run_script",
						"/etc/init.d/https-dns-proxy",
						"reload",
						"on_interface_trigger"
					]
				],
				1000
			],
			[
				"config.change",
				[
					"if",
					[
						"eq",
						"package",
						"https-dns-proxy"
					],
					[
						"run_script",
						"/etc/init.d/https-dns-proxy",
						"reload",
						"on_config_change"
					]
				],
				1000
			]
		]
	}
}

# ip output

root@mt6000:~# ip address show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host proto kernel_lo
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1504 qdisc mq state UP group default qlen 1000
    link/ether 94:83:c4:a3:b5:f1 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::9683:c4ff:fea3:b5f1/64 scope link proto kernel_ll
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc htb state UP group default qlen 1000
    link/ether 94:83:c4:a3:b5:ef brd ff:ff:ff:ff:ff:ff
    inet 192.168.178.10/24 brd 192.168.178.255 scope global eth1
       valid_lft forever preferred_lft forever
    inet 192.168.4.224/32 scope global eth1
       valid_lft forever preferred_lft forever
    inet6 20c1:1c10:461f:4900:9683:c4ff:fea3:b5ef/64 scope global dynamic noprefixroute
       valid_lft 604665sec preferred_lft 604665sec
    inet6 20c1:1c10:461f:4900::a9/128 scope global dynamic noprefixroute
       valid_lft 3014sec preferred_lft 3014sec
    inet6 fe80::9683:c4ff:fea3:b5ef/64 scope link proto kernel_ll
       valid_lft forever preferred_lft forever
4: lan2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP group default qlen 1000
    link/ether 94:83:c4:a3:b5:f1 brd ff:ff:ff:ff:ff:ff
5: lan3@eth0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue master br-lan state LOWERLAYERDOWN group default qlen 1000
    link/ether 94:83:c4:a3:b5:f1 brd ff:ff:ff:ff:ff:ff
6: lan4@eth0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue master br-lan state LOWERLAYERDOWN group default qlen 1000
    link/ether 94:83:c4:a3:b5:f1 brd ff:ff:ff:ff:ff:ff
7: lan5@eth0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue master trbr0 state LOWERLAYERDOWN group default qlen 1000
    link/ether 94:83:c4:a3:b5:f1 brd ff:ff:ff:ff:ff:ff
8: lan1@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP group default qlen 1000
    link/ether 94:83:c4:a3:b5:f1 brd ff:ff:ff:ff:ff:ff
11: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 94:83:c4:a3:b5:f1 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
    inet6 fe80::9683:c4ff:fea3:b5f1/64 scope link proto kernel_ll
       valid_lft forever preferred_lft forever
13: trbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 94:83:c4:a3:b5:f1 brd ff:ff:ff:ff:ff:ff
    inet 192.168.136.1/24 brd 192.168.136.255 scope global trbr0
       valid_lft forever preferred_lft forever
    inet6 fe80::9683:c4ff:fea3:b5f1/64 scope link proto kernel_ll
       valid_lft forever preferred_lft forever
16: phy0-ap0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP group default qlen 1000
    link/ether 94:83:c4:a3:b5:f2 brd ff:ff:ff:ff:ff:ff
18: phy1-ap0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP group default qlen 1000
    link/ether 94:83:c4:a3:b5:f3 brd ff:ff:ff:ff:ff:ff
22: bro@eth1: <MULTICAST,NOARP,UP,LOWER_UP> mtu 1438 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none
    inet 192.168.4.224/32 scope global bro
       valid_lft forever preferred_lft forever
    inet6 fe80::f24f:b4e4:30ec:3a5c/64 scope link stable-privacy proto kernel_ll
       valid_lft forever preferred_lft forever
34: ifb4eth1: <BROADCAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc htb state UNKNOWN group default qlen 32
    link/ether 4a:cb:00:ab:a6:7a brd ff:ff:ff:ff:ff:ff
    inet6 fe80::48cb:ff:feab:a67a/64 scope link proto kernel_ll
       valid_lft forever preferred_lft forever
36: phy1-ap1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master trbr0 state UP group default qlen 1000
    link/ether 96:83:c4:a3:b5:f3 brd ff:ff:ff:ff:ff:ff permaddr 94:83:c4:a3:b5:f3
root@mt6000:~# ip route show table all
default via 192.168.178.1 dev eth1 proto static src 192.168.178.10
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1
192.168.136.0/24 dev trbr0 proto kernel scope link src 192.168.136.1
192.168.178.0/24 dev eth1 proto kernel scope link src 192.168.178.10
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
local 192.168.1.1 dev br-lan table local proto kernel scope host src 192.168.1.1
broadcast 192.168.1.255 dev br-lan table local proto kernel scope link src 192.168.1.1
local 192.168.4.224 dev eth1 table local proto kernel scope host src 192.168.4.224
local 192.168.4.224 dev bro table local proto kernel scope host src 192.168.4.224
local 192.168.136.1 dev trbr0 table local proto kernel scope host src 192.168.136.1
broadcast 192.168.136.255 dev trbr0 table local proto kernel scope link src 192.168.136.1
local 192.168.178.10 dev eth1 table local proto kernel scope host src 192.168.178.10
broadcast 192.168.178.255 dev eth1 table local proto kernel scope link src 192.168.178.10
default from 20c1:1c10:461f:4900::a9 via fe80::925c:44ff:fe2c:73c1 dev eth1 proto static metric 512 pref medium
default from 20c1:1c10:461f:4900::/64 via fe80::925c:44ff:fe2c:73c1 dev eth1 proto static metric 512 pref medium
default from 20c1:1c10:461f:4920::/59 via fe80::925c:44ff:fe2c:73c1 dev eth1 proto static metric 512 pref medium
20c1:1c10:461f:4900::/56 from 20c1:1c10:461f:4900::a9 via fe80::925c:44ff:fe2c:73c1 dev eth1 proto static metric 512 pref medium
20c1:1c10:461f:4900::/56 from 20c1:1c10:461f:4900::/64 via fe80::925c:44ff:fe2c:73c1 dev eth1 proto static metric 512 pref medium
20c1:1c10:461f:4900::/56 from 20c1:1c10:461f:4920::/59 via fe80::925c:44ff:fe2c:73c1 dev eth1 proto static metric 512 pref medium
20c1:1c10:461f:4900::/64 dev eth1 proto static metric 256 pref medium
unreachable 20c1:1c10:461f:4900::/64 dev lo proto static metric 2147483647 pref medium
unreachable 20c1:1c10:461f:4920::/59 dev lo proto static metric 2147483647 pref medium
fe80::/64 dev br-lan proto kernel metric 256 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev eth1 proto kernel metric 256 pref medium
fe80::/64 dev bro proto kernel metric 256 pref medium
fe80::/64 dev ifb4eth1 proto kernel metric 256 pref medium
fe80::/64 dev trbr0 proto kernel metric 256 pref medium
local ::1 dev lo table local proto kernel metric 0 pref medium
anycast 20c1:1c10:461f:4900:: dev eth1 table local proto kernel metric 0 pref medium
local 20c1:1c10:461f:4900::a9 dev eth1 table local proto kernel metric 0 pref medium
local 20c1:1c10:461f:4900:9683:c4ff:fea3:b5ef dev eth1 table local proto kernel metric 0 pref medium
anycast fe80:: dev br-lan table local proto kernel metric 0 pref medium
anycast fe80:: dev eth0 table local proto kernel metric 0 pref medium
anycast fe80:: dev bro table local proto kernel metric 0 pref medium
anycast fe80:: dev eth1 table local proto kernel metric 0 pref medium
anycast fe80:: dev ifb4eth1 table local proto kernel metric 0 pref medium
anycast fe80:: dev trbr0 table local proto kernel metric 0 pref medium
local fe80::48cb:ff:feab:a67a dev ifb4eth1 table local proto kernel metric 0 pref medium
local fe80::9683:c4ff:fea3:b5ef dev eth1 table local proto kernel metric 0 pref medium
local fe80::9683:c4ff:fea3:b5f1 dev br-lan table local proto kernel metric 0 pref medium
local fe80::9683:c4ff:fea3:b5f1 dev eth0 table local proto kernel metric 0 pref medium
local fe80::9683:c4ff:fea3:b5f1 dev trbr0 table local proto kernel metric 0 pref medium
local fe80::f24f:b4e4:30ec:3a5c dev bro table local proto kernel metric 0 pref medium
multicast ff00::/8 dev br-lan table local proto kernel metric 256 pref medium
multicast ff00::/8 dev eth0 table local proto kernel metric 256 pref medium
multicast ff00::/8 dev eth1 table local proto kernel metric 256 pref medium
multicast ff00::/8 dev bro table local proto kernel metric 256 pref medium
multicast ff00::/8 dev ifb4eth1 table local proto kernel metric 256 pref medium
multicast ff00::/8 dev trbr0 table local proto kernel metric 256 pref medium

The problem is not in PBR but in https-dns-proxy, which stops the firewall from loading and so also stops the necessary PBR firewall rules from loading.

You can add to the https-dns-proxy config /etc/config/https-dns-proxy:

     option notrack_dns '0'

Or upgrade to the new build from today, 2026.03.18-r1.
See: https://github.com/openwrt/packages/commit/81f0ef48e1ead04776eb784f4403c95bc471ada5

I also spotted some manual PBR rules; mixing manual rules with the PBR app could lead to undetermined behaviour. Consider just using the PBR app or doing everything manually :slight_smile:
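The failure mode just described, as an added example that is not part of the thread or of the pbr or https-dns-proxy packages: a POSIX sh triage helper that parses fw4's error output, lists which include file(s) under /usr/share/nftables.d/ broke the rendered ruleset, and reports whether fw4 refused the restart (which is why pbr's own 30-pbr.nft never loads). The sample output is constructed from the errors quoted above; for live use it assumes firewall4's `fw4 check` dry-run is available on the router.

```shell
#!/bin/sh
# Added example, not from the pbr project or the thread.  One broken include
# under /usr/share/nftables.d/ makes fw4 reject the whole rendered ruleset,
# so every other include (pbr's 30-pbr.nft among them) silently fails to load.
# These helpers read fw4 output on stdin and tell you which file to fix.

# Constructed sample, modelled on the error text quoted in the thread.
SAMPLE_FW4_OUTPUT='In file included from /dev/stdin:237:1-76:
/usr/share/nftables.d/ruleset-post/20-https-dns-proxy-notrack.nft:2:1-4: Error: syntax error, unexpected type
type filter hook output priority raw; policy accept;
^^^^
In file included from /dev/stdin:237:1-76:
/usr/share/nftables.d/ruleset-post/20-https-dns-proxy-notrack.nft:3:1-4: Error: syntax error, unexpected meta
meta l4proto { tcp, udp } th dport { 5059, 5053 } ip daddr 127.0.0.0/8 notrack
^^^^
The rendered ruleset contains errors, not doing firewall restart.'

# Constructed sample of a run that reported no errors at all.
SAMPLE_OK_OUTPUT=''

# Print each include file that produced an "Error:" line, once, sorted.
# nft reports them as:  <file>.nft:<line>:<col>-<col>: Error: <message>
broken_includes() {
    sed -n 's#^\(/usr/share/nftables\.d/[^:]*\.nft\):[0-9]*:[0-9-]*: Error: .*#\1#p' \
        | sort -u
}

# Print "<count> <file>" for every broken include, so a file with many
# errors (a whole unparsable chain block) stands out from a single typo.
error_counts() {
    sed -n 's#^\(/usr/share/nftables\.d/[^:]*\.nft\):[0-9]*:[0-9-]*: Error: .*#\1#p' \
        | sort | uniq -c | sed 's/^ *//'
}

# Succeed (exit 0) when fw4 refused to apply the ruleset.
ruleset_rejected() {
    grep -q 'The rendered ruleset contains errors'
}

# One-line verdict for the whole output.  Always exits 0 so it is safe under
# `set -e`; use ruleset_rejected when you need a status code.
triage_fw4_output() {
    out=$(cat)
    if printf '%s\n' "$out" | ruleset_rejected; then
        files=$(printf '%s\n' "$out" | broken_includes | tr '\n' ' ')
        printf 'REJECTED: ruleset not applied; broken include(s): %s\n' "${files% }"
    else
        printf 'OK: ruleset accepted\n'
    fi
}

# Live use on the router: validate the rendered ruleset without applying it.
# Assumption: fw4's diagnostics go to stderr, like the restart output above.
check_live() {
    fw4 check 2>&1 | triage_fw4_output
}
```

Run `check_live` before `service firewall restart` after installing or upgrading any package that ships an nftables include; a REJECTED verdict names the package's file to fix (or disable) before pbr's rules can load.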

Nice catch, also removed them.

But right after deleting/disabling https-dns-proxy, I found out my pbr rules were not working. So I removed pbr, removed my pbr config and reinstalled from scratch; this time I didn’t enable netifd integration and got everything working again. I also attached a hook to strongswan to reload pbr in case my XFRM interface changes, etc.

Thank you for the guidance, much appreciated!

1 Like

What about this comment - https://github.com/openwrt/packages/commit/81f0ef48e1ead04776eb784f4403c95bc471ada5#commitcomment-184084564

pbr fell off on a static IP; it worked for about a week and died.
I don’t know why, but since it didn’t work on a dynamic IP initially, I don’t even want to figure it out.

@sppmaster I’m as puzzled by it as you are, I’m just guessing it’s a misplaced reply to someone else. :wink:

1 Like

The pbr 1.2.2-r15 has been released to mossdef-org/melmac repos. It includes many IPv4/IPv6 gateway-related fixes from @egc112 and support for punycode domains in policies (the unicode to punycode conversion is deferred and will be implemented in the ucode-based 1.2.3 and newer).

Please test and report so we can create PRs for the new version for the OpenWrt repos.

1 Like

One way to get the new pbr 1.2.2-r15 is to upload it directly from the source:

You can use the script below to upgrade.
Before you upgrade, make a backup of your settings!
You do not have to copy and execute it line by line; you can copy everything and just paste it at the command line:

Master and 25.12 branch (APK)

cd /tmp
# Install the melmac repository signing key
wget https://apk.openwrt.melmac.ca/apk.openwrt.melmac.ca.pem -O /etc/apk/keys/apk.openwrt.melmac.ca.pem
# Get packages
wget -O pbr.apk https://github.com/mossdef-org/pbr/releases/download/v1.2.2-15/pbr-1.2.2-15_openwrt-25.12_noarch.apk
wget -O luci-app-pbr.apk https://github.com/mossdef-org/luci-app-pbr/releases/download/v1.2.2-15/luci-app-pbr-1.2.2-15_openwrt-25.12_noarch.apk
service pbr stop
# Remove existing
apk del luci-app-pbr pbr
mv /etc/init.d/pbr /etc/init.d/pbr-old >/dev/null 2>&1   # backup old pbr in case it is not removed
apk add --allow-untrusted ./*.apk
service pbr start

Branch 24.10 (IPK)

cd /tmp
# Get packages
wget -O pbr.ipk https://github.com/mossdef-org/pbr/releases/download/v1.2.2-15/pbr-1.2.2-15_openwrt-24.10_all.ipk
wget -O luci-app-pbr.ipk https://github.com/mossdef-org/luci-app-pbr/releases/download/v1.2.2-15/luci-app-pbr-1.2.2-15_openwrt-24.10_all.ipk
service pbr stop
# Remove existing
opkg remove luci-app-pbr pbr
mv /etc/init.d/pbr /etc/init.d/pbr-old >/dev/null 2>&1   # backup old pbr in case it is not removed
opkg install ./*.ipk
service pbr start

1 Like

I just downgraded from r15 to r14.

r15 was not showing the default gateway in luci; also, sometimes the policy doesn't work.

r14 is working fine so far.

Anyway, below is the output of the installation commands.

Thanks for reporting. Can you show the output, while on r15, of:

service pbr support
ifconfig
ip route
ip -6 route
ubus call network.interface dump

Thanks

1 Like

root@macbook:~# service pbr support
Setting counters and verbosity for diagnostics...

===== dhcp config =====

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option cachesize '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'
        option noresolv '1'
        list server '127.0.0.1#5353'
        list server '::1#5353'
        option serversfile '/var/run/adblock-fast/dnsmasq.servers'
        list addnmount '/var/run/pbr.dnsmasq'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'
        option ra_preference 'medium'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/odhcpd.leases'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'
        option piodir '/tmp/odhcpd-piodir'
        option hostsdir '/tmp/hosts'


===== firewall config =====

config defaults
        option syn_flood '1'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'DROP'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'
        list network 'proton'
        list network 'wgcf'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'


===== network config =====

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        list ipaddr '127.0.0.1/8'

config globals 'globals'
        option dhcp_default_duid '0004992b856ca37f466db072e2144ac73d8f'
        option ula_prefix '***::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ip6assign '60'
        list ipaddr '10.0.1.1/24'
        option multipath 'off'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'

config interface 'proton'
        option proto 'wireguard'
        option private_key '********************************************'
        list addresses '10.2.0.2/32'
        list addresses '***::2:2/128'
        list dns '10.2.0.1'
        list dns '***::2:1'
        option multipath 'off'

config wireguard_proton
        option description 'Imported peer configuration'
        option public_key '********************************************'
        list allowed_ips '0.0.0.0/0'
        list allowed_ips '::/0'
        option persistent_keepalive '25'
        option endpoint_host '***.***.***.**'
        option endpoint_port '51820'

config interface 'wgcf'
        option proto 'wireguard'
        option private_key '********************************************'
        list addresses '172.16.0.2/32'
        list addresses '***/128'
        list dns '*.*.*.*'
        list dns '*.*.*.*'
        list dns '***'
        list dns '***'
        option multipath 'off'
        option mtu '1280'

config wireguard_wgcf
        option description 'wgcf-profile.conf'
        option public_key '********************************************'
        list allowed_ips '0.0.0.0/0'
        list allowed_ips '::/0'
        option endpoint_host '******.****************.***'
        option endpoint_port '2408'
        option persistent_keepalive '25'


===== pbr config =====

config pbr 'config'
        option enabled '1'
        option fw_mask '00ff0000'
        option ipv6_enabled '1'
        option nft_rule_counter '1'
        option nft_set_auto_merge '1'
        option nft_set_counter '1'
        option nft_set_flags_interval '1'
        option nft_set_flags_timeout '0'
        option nft_set_policy 'performance'
        option nft_user_set_counter '0'
        option procd_boot_trigger_delay '5000'
        option procd_reload_delay '0'
        option resolver_set 'dnsmasq.nftset'
        option strict_enforcement '1'
        option uplink_interface 'wan'
        option uplink_interface6 'wan6'
        option uplink_ip_rules_priority '30000'
        option uplink_mark '00010000'
        option verbosity '2'
        list ignored_interface 'vpnserver'
        list lan_device 'br-lan'
        list resolver_instance '*'
        option config_compat '25'
        option config_version '1.2.2-r15'
        option rule_create_option 'add'
        option webui_show_ignore_target '0'

config policy
        option name 'Ph'
        option dest_addr ''
        option interface 'proton'

config policy
        option name 'Ph'
        option dest_addr 'whatsapp.com whatsapp.net wa.me facebook.com facebook.net fbcdn.net **.***.*.*/16 **.***.*.*/16 ***.***.*.*/16 **.**.**.*/18'
        option interface 'wgcf'

config policy
        option name 'Xv'
        option dest_addr ''
        option interface 'wgcf'

config policy
        option name 'Phh'
        option dest_addr ''
        option interface 'wgcf'

I hid some domains :slight_smile:

===== ubus call system board =====
{
        "kernel": "6.12.85",
        "hostname": "macbook",
        "system": "ARMv8 Processor rev 4",
        "model": "Linksys E8450 (UBI)",
        "board_name": "linksys,e8450-ubi",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "25.12.3",
                "firmware_url": "https://downloads.openwrt.org/",
                "revision": "r32912-6639b15f62",
                "target": "mediatek/mt7622",
                "description": "OpenWrt 25.12.3 r32912-6639b15f62",
                "builddate": "1777933845"
        }
}

===== /etc/init.d/pbr restart =====
Forwarding is disabled
Resetting routing [✓]
Resetting resolver [✓]
Restarting dnsmasq [✓]
pbr 1.2.2-r15 (fw4 nft file mode) stopped [✓]
Processing environment (on_start) [✓]
Setting up routing for 'wan/10.0.0.2/::/0' [✓]
Setting up routing for 'wan6/10.0.0.2/::/0' [✓]
Setting up routing for 'proton/0.0.0.0/::/0' [✓]
Setting up routing for 'wgcf/0.0.0.0/::/0' [✓]
Routing 'Ph' via proton [✓]
Routing 'Ph' via wgcf [✓]
Routing 'Xv' via wgcf [✓]
Routing 'Phh' via wgcf [✓]
Installing fw4 nft file [✓]
Setting interface trigger for wan [✓]
Setting interface trigger for wan6 [✓]
Setting interface trigger for proton [✓]
Setting interface trigger for wgcf [✓]
pbr 1.2.2-r15 monitoring interfaces: wan wan6 proton wgcf
Forwarding is enabled
Restarting dnsmasq [✓]
pbr 1.2.2-r15 started with gateways:
wan/10.0.0.2/::/0 [✓]
wan6/10.0.0.2/::/0
proton/0.0.0.0/::/0
wgcf/0.0.0.0/::/0
ERROR: Unknown Gateway for device 'wan'!
ERROR: Unknown Gateway for device 'wan'!
ERROR: Unknown Gateway for device 'wan'!
ERROR: Errors encountered, please check https://docs.openwrt.melmac.ca/pbr/1.2.2/#error-messages-details!

===== /etc/init.d/pbr status (after restart) =====

pbr - environment
pbr 1.2.2-r15 on OpenWrt 25.12.3 r32912-6639b15f62.
Uplink (IPv4): wan/wan/10.0.0.2.
Uplink (IPv6): wan6/wan/::/0.

Dnsmasq version 2.91  Copyright (c) 2000-2025 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus UBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP conntrack no-ipset nftset auth DNSSEC no-ID loop-detect inotify dumpfile

pbr fw4 nft file: /usr/share/nftables.d/ruleset-post/30-pbr.nft
add chain inet fw4 pbr_dstnat {}
add chain inet fw4 pbr_forward {}
add chain inet fw4 pbr_output {}
add chain inet fw4 pbr_prerouting {}

insert rule inet fw4 dstnat jump pbr_dstnat
add rule inet fw4 mangle_prerouting jump pbr_prerouting
add rule inet fw4 mangle_output jump pbr_output
add rule inet fw4 mangle_forward jump pbr_forward

add rule inet fw4 pbr_forward counter meta mark & 0x00ff0000 != 0 return
add rule inet fw4 pbr_output counter meta mark & 0x00ff0000 != 0 return
add rule inet fw4 pbr_prerouting counter meta mark & 0x00ff0000 != 0 return
add chain inet fw4 pbr_mark_0x010000
add rule inet fw4 pbr_mark_0x010000 counter meta mark set (meta mark & 0xff00ffff) | 0x010000
add rule inet fw4 pbr_mark_0x010000 return
add chain inet fw4 pbr_mark_0x020000
add rule inet fw4 pbr_mark_0x020000 counter meta mark set (meta mark & 0xff00ffff) | 0x020000
add rule inet fw4 pbr_mark_0x020000 return
add chain inet fw4 pbr_mark_0x030000
add rule inet fw4 pbr_mark_0x030000 counter meta mark set (meta mark & 0xff00ffff) | 0x030000
add rule inet fw4 pbr_mark_0x030000 return
add set inet fw4 pbr_proton_4_dst_ip_cfg026ff5 { type ipv4_addr; auto-merge; counter; flags interval; policy performance; comment "Ph";}
add set inet fw4 pbr_proton_6_dst_ip_cfg026ff5 { type ipv6_addr; auto-merge; counter; flags interval; policy performance; comment "Ph";}
add rule inet fw4 pbr_prerouting ip daddr @pbr_proton_4_dst_ip_cfg026ff5 counter goto pbr_mark_0x020000 comment "Ph"
add rule inet fw4 pbr_prerouting ip6 daddr @pbr_proton_6_dst_ip_cfg026ff5 counter goto pbr_mark_0x020000 comment "Ph"
add set inet fw4 pbr_wgcf_4_dst_ip_cfg036ff5 { type ipv4_addr; auto-merge; counter; flags interval; policy performance; comment "Ph";}
add set inet fw4 pbr_wgcf_6_dst_ip_cfg036ff5 { type ipv6_addr; auto-merge; counter; flags interval; policy performance; comment "Ph";}
add rule inet fw4 pbr_prerouting ip daddr @pbr_wgcf_4_dst_ip_cfg036ff5 counter goto pbr_mark_0x030000 comment "Ph"
add rule inet fw4 pbr_prerouting ip6 daddr @pbr_wgcf_6_dst_ip_cfg036ff5 counter goto pbr_mark_0x030000 comment "Ph"
add rule inet fw4 pbr_prerouting ip daddr { 57.144.0.0/16, 57.145.0.0/16, 157.240.0.0/16, 31.13.64.0/18 } counter goto pbr_mark_0x030000 comment "Ph"
add set inet fw4 pbr_wgcf_4_dst_ip_cfg046ff5 { type ipv4_addr; auto-merge; counter; flags interval; policy performance; comment "Xv";}
add set inet fw4 pbr_wgcf_6_dst_ip_cfg046ff5 { type ipv6_addr; auto-merge; counter; flags interval; policy performance; comment "Xv";}
add rule inet fw4 pbr_prerouting ip daddr @pbr_wgcf_4_dst_ip_cfg046ff5 counter goto pbr_mark_0x030000 comment "Xv"
add rule inet fw4 pbr_prerouting ip6 daddr @pbr_wgcf_6_dst_ip_cfg046ff5 counter goto pbr_mark_0x030000 comment "Xv"
add set inet fw4 pbr_wgcf_4_dst_ip_cfg056ff5 { type ipv4_addr; auto-merge; counter; flags interval; policy performance; comment "Phh";}
add set inet fw4 pbr_wgcf_6_dst_ip_cfg056ff5 { type ipv6_addr; auto-merge; counter; flags interval; policy performance; comment "Phh";}
add rule inet fw4 pbr_prerouting ip daddr @pbr_wgcf_4_dst_ip_cfg056ff5 counter goto pbr_mark_0x030000 comment "Phh"
add rule inet fw4 pbr_prerouting ip6 daddr @pbr_wgcf_6_dst_ip_cfg056ff5 counter goto pbr_mark_0x030000 comment "Phh"

pbr chains - policies
        chain pbr_forward { # handle 69
                counter packets 96 bytes 11096 meta mark & 0x00ff0000 != 0x00000000 return # handle 1423
        }
        chain pbr_output { # handle 70
                counter packets 71 bytes 14328 meta mark & 0x00ff0000 != 0x00000000 return # handle 1424
        }
        chain pbr_prerouting { # handle 71
                counter packets 617 bytes 133129 meta mark & 0x00ff0000 != 0x00000000 return # handle 1425
                ip daddr @pbr_proton_4_dst_ip_cfg026ff5 counter packets 0 bytes 0 goto pbr_mark_0x020000 comment "Ph" # handle 1434
                ip6 daddr @pbr_proton_6_dst_ip_cfg026ff5 counter packets 0 bytes 0 goto pbr_mark_0x020000 comment "Ph" # handle 1435
                ip daddr @pbr_wgcf_4_dst_ip_cfg036ff5 counter packets 0 bytes 0 goto pbr_mark_0x030000 comment "Ph" # handle 1438
                ip6 daddr @pbr_wgcf_6_dst_ip_cfg036ff5 counter packets 0 bytes 0 goto pbr_mark_0x030000 comment "Ph" # handle 1439
                ip daddr { 31.13.64.0/18, 57.144.0.0/15, 157.240.0.0/16 } counter packets 27 bytes 3250 goto pbr_mark_0x030000 comment "Ph" # handle 1441
                ip daddr @pbr_wgcf_4_dst_ip_cfg046ff5 counter packets 0 bytes 0 goto pbr_mark_0x030000 comment "Xv" # handle 1444
                ip6 daddr @pbr_wgcf_6_dst_ip_cfg046ff5 counter packets 0 bytes 0 goto pbr_mark_0x030000 comment "Xv" # handle 1445
                ip daddr @pbr_wgcf_4_dst_ip_cfg056ff5 counter packets 0 bytes 0 goto pbr_mark_0x030000 comment "Phh" # handle 1448
                ip6 daddr @pbr_wgcf_6_dst_ip_cfg056ff5 counter packets 0 bytes 0 goto pbr_mark_0x030000 comment "Phh" # handle 1449
        }
        chain pbr_dstnat { # handle 68
        }

pbr chains - marking
        chain pbr_mark_0x010000 { # handle 79
                counter packets 0 bytes 0 meta mark set meta mark & 0xff01ffff | 0x00010000 # handle 1426
                return # handle 1427
        }
        chain pbr_mark_0x020000 { # handle 82
                counter packets 0 bytes 0 meta mark set meta mark & 0xff02ffff | 0x00020000 # handle 1428
                return # handle 1429
        }
        chain pbr_mark_0x030000 { # handle 85
                counter packets 27 bytes 3250 meta mark set meta mark & 0xff03ffff | 0x00030000 # handle 1430
                return # handle 1431
        }

pbr nft sets
        set pbr_proton_4_dst_ip_cfg026ff5 { # handle 1432
                type ipv4_addr
                flags interval
                counter
                auto-merge
                comment "Ph"
        }
        set pbr_proton_6_dst_ip_cfg026ff5 { # handle 1433
                type ipv6_addr
                flags interval
                counter
                auto-merge
                comment "Ph"
        }
        set pbr_wgcf_4_dst_ip_cfg036ff5 { # handle 1436
                type ipv4_addr
                flags interval
                counter
                auto-merge
                comment "Ph"
        }
        set pbr_wgcf_6_dst_ip_cfg036ff5 { # handle 1437
                type ipv6_addr
                flags interval
                counter
                auto-merge
                comment "Ph"
        }
        set pbr_wgcf_4_dst_ip_cfg046ff5 { # handle 1442
                type ipv4_addr
                flags interval
                counter
                auto-merge
                comment "Xv"
        }
        set pbr_wgcf_6_dst_ip_cfg046ff5 { # handle 1443
                type ipv6_addr
                flags interval
                counter
                auto-merge
                comment "Xv"
        }
        set pbr_wgcf_4_dst_ip_cfg056ff5 { # handle 1446
                type ipv4_addr
                flags interval
                counter
                auto-merge
                comment "Phh"
        }
        set pbr_wgcf_6_dst_ip_cfg056ff5 { # handle 1447
                type ipv6_addr
                flags interval
                counter
                auto-merge
                comment "Phh"
        }

dnsmasq nft sets in /var/run/pbr.dnsmasq
nftset=/pornhub.com/4#inet#fw4#pbr_proton_4_dst_ip_cfg026ff5,6#inet#fw4#pbr_proton_6_dst_ip_cfg026ff5 # Ph
nftset=/whatsapp.com/4#inet#fw4#pbr_wgcf_4_dst_ip_cfg036ff5,6#inet#fw4#pbr_wgcf_6_dst_ip_cfg036ff5 # Ph
nftset=/whatsapp.net/4#inet#fw4#pbr_wgcf_4_dst_ip_cfg036ff5,6#inet#fw4#pbr_wgcf_6_dst_ip_cfg036ff5 # Ph
nftset=/wa.me/4#inet#fw4#pbr_wgcf_4_dst_ip_cfg036ff5,6#inet#fw4#pbr_wgcf_6_dst_ip_cfg036ff5 # Ph
nftset=/facebook.com/4#inet#fw4#pbr_wgcf_4_dst_ip_cfg036ff5,6#inet#fw4#pbr_wgcf_6_dst_ip_cfg036ff5 # Ph
nftset=/facebook.net/4#inet#fw4#pbr_wgcf_4_dst_ip_cfg036ff5,6#inet#fw4#pbr_wgcf_6_dst_ip_cfg036ff5 # Ph
nftset=/fbcdn.net/4#inet#fw4#pbr_wgcf_4_dst_ip_cfg036ff5,6#inet#fw4#pbr_wgcf_6_dst_ip_cfg036ff5 # Ph
nftset=/xvideos.com/4#inet#fw4#pbr_wgcf_4_dst_ip_cfg046ff5,6#inet#fw4#pbr_wgcf_6_dst_ip_cfg046ff5 # Xv
nftset=/xvideos-cdn.com/4#inet#fw4#pbr_wgcf_4_dst_ip_cfg046ff5,6#inet#fw4#pbr_wgcf_6_dst_ip_cfg046ff5 # Xv
nftset=/static-xvideos.com/4#inet#fw4#pbr_wgcf_4_dst_ip_cfg046ff5,6#inet#fw4#pbr_wgcf_6_dst_ip_cfg046ff5 # Xv
nftset=/xv-cdn.com/4#inet#fw4#pbr_wgcf_4_dst_ip_cfg046ff5,6#inet#fw4#pbr_wgcf_6_dst_ip_cfg046ff5 # Xv
nftset=/phncdn.com/4#inet#fw4#pbr_wgcf_4_dst_ip_cfg056ff5,6#inet#fw4#pbr_wgcf_6_dst_ip_cfg056ff5 # Phh
nftset=/phprcdn.com/4#inet#fw4#pbr_wgcf_4_dst_ip_cfg056ff5,6#inet#fw4#pbr_wgcf_6_dst_ip_cfg056ff5 # Phh
nftset=/phcdn.net/4#inet#fw4#pbr_wgcf_4_dst_ip_cfg056ff5,6#inet#fw4#pbr_wgcf_6_dst_ip_cfg056ff5 # Phh

pbr tables & routing
IPv4 table main routes:
    default via 10.0.0.2 dev wan proto static src 10.0.7.210
    10.0.0.0/8 dev wan proto kernel scope link src 10.0.7.210
    10.0.1.0/24 dev br-lan proto kernel scope link src 10.0.1.1
    162.159.192.1 via 10.0.0.2 dev wan proto static
    185.177.126.14 via 10.0.0.2 dev wan proto static
IPv4 table main rules:
    29997:      from all lookup main suppress_prefixlength 1
    32766:      from all lookup main

IPv6 table main routes:
    2606:4700:110:83ac:7ddc:a97d:3e7b:551c dev wgcf proto kernel metric 256 pref medium
    2a07:b944::2:2 dev proton proto kernel metric 256 pref medium
    fd05:6db5:1849::/64 dev br-lan proto static metric 1024 pref medium
    unreachable fd05:6db5:1849::/48 dev lo proto static metric 2147483647 pref medium
    fe80::/64 dev eth0 proto kernel metric 256 pref medium
    fe80::/64 dev br-lan proto kernel metric 256 pref medium
    fe80::/64 dev wan proto kernel metric 256 pref medium
    fe80::/64 dev ifb-wan proto kernel metric 256 pref medium
IPv6 table main rules:
    29997:      from all lookup main suppress_prefixlength 1
    32766:      from all lookup main

IPv4 table 256 (pbr_wan) routes:
    default via 10.0.0.2 dev wan
IPv4 table 256 (pbr_wan) rules:
    30000:      from all fwmark 0x10000/0xff0000 lookup pbr_wan

IPv6 table 256 routes:
    unreachable default dev lo metric 1024 pref medium
IPv6 table 256 rules:
    30000:      from all fwmark 0x10000/0xff0000 lookup pbr_wan

IPv4 table 257 (pbr_proton) routes:
    default dev proton scope link
IPv4 table 257 (pbr_proton) rules:
    29999:      from all fwmark 0x20000/0xff0000 lookup pbr_proton

IPv6 table 257 routes:
    default dev proton metric 128 pref medium
IPv6 table 257 rules:
    29999:      from all fwmark 0x20000/0xff0000 lookup pbr_proton

IPv4 table 258 (pbr_wgcf) routes:
    default dev wgcf scope link
IPv4 table 258 (pbr_wgcf) rules:
    29998:      from all fwmark 0x30000/0xff0000 lookup pbr_wgcf

IPv6 table 258 routes:
    default dev wgcf metric 128 pref medium
IPv6 table 258 rules:
    29998:      from all fwmark 0x30000/0xff0000 lookup pbr_wgcf

root@macbook:~# ifconfig
br-lan    Link encap:Ethernet  HWaddr E8:9F:80:67:5D:57
          inet addr:10.0.1.1  Bcast:10.0.1.255  Mask:255.255.255.0
          inet6 addr: fd05:6db5:1849::1/60 Scope:Global
          inet6 addr: fe80::ea9f:80ff:fe67:5d57/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:21631 errors:0 dropped:0 overruns:0 frame:0
          TX packets:45963 errors:0 dropped:3 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:3350563 (3.1 MiB)  TX bytes:59369833 (56.6 MiB)

eth0      Link encap:Ethernet  HWaddr E8:9F:80:67:5D:57
          inet6 addr: fe80::ea9f:80ff:fe67:5d57/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1504  Metric:1
          RX packets:248743 errors:0 dropped:0 overruns:0 frame:0
          TX packets:79097 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:125700116 (119.8 MiB)  TX bytes:64773214 (61.7 MiB)
          Interrupt:126

ifb-wan   Link encap:Ethernet  HWaddr 62:3A:B4:A7:A8:CC
          inet6 addr: fe80::603a:b4ff:fea7:a8cc/64 Scope:Link
          UP BROADCAST RUNNING NOARP  MTU:1500  Metric:1
          RX packets:212208 errors:0 dropped:0 overruns:0 frame:0
          TX packets:212208 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:32
          RX bytes:118746265 (113.2 MiB)  TX bytes:118746265 (113.2 MiB)

lan1      Link encap:Ethernet  HWaddr E8:9F:80:67:5D:57
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:4 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

lan2      Link encap:Ethernet  HWaddr E8:9F:80:67:5D:57
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

lan3      Link encap:Ethernet  HWaddr E8:9F:80:67:5D:57
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:22317 errors:0 dropped:0 overruns:0 frame:0
          TX packets:45963 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:3686505 (3.5 MiB)  TX bytes:59369833 (56.6 MiB)

lan4      Link encap:Ethernet  HWaddr E8:9F:80:67:5D:57
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:2078 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2078 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:242278 (236.5 KiB)  TX bytes:242278 (236.5 KiB)

proton    Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.2.0.2  P-t-P:10.2.0.2  Mask:255.255.255.255
          inet6 addr: 2a07:b944::2:2/128 Scope:Global
          UP POINTOPOINT RUNNING NOARP  MTU:1420  Metric:1
          RX packets:117 errors:0 dropped:0 overruns:0 frame:0
          TX packets:159 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:119536 (116.7 KiB)  TX bytes:22720 (22.1 KiB)

wan       Link encap:Ethernet  HWaddr E8:9F:80:67:5D:56
          inet addr:10.0.7.210  Bcast:10.255.255.255  Mask:255.0.0.0
          inet6 addr: fe80::ea9f:80ff:fe67:5d56/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:226426 errors:0 dropped:122 overruns:0 frame:0
          TX packets:30109 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:121018639 (115.4 MiB)  TX bytes:4538278 (4.3 MiB)

wgcf      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:172.16.0.2  P-t-P:172.16.0.2  Mask:255.255.255.255
          inet6 addr: 2606:4700:110:83ac:7ddc:a97d:3e7b:551c/128 Scope:Global
          UP POINTOPOINT RUNNING NOARP  MTU:1280  Metric:1
          RX packets:8052 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3720 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:9002713 (8.5 MiB)  TX bytes:577824 (564.2 KiB)

root@macbook:~# ip route
default via 10.0.0.2 dev wan proto static src 10.0.7.210
10.0.0.0/8 dev wan proto kernel scope link src 10.0.7.210
10.0.1.0/24 dev br-lan proto kernel scope link src 10.0.1.1
162.159.192.1 via 10.0.0.2 dev wan proto static
185.177.126.14 via 10.0.0.2 dev wan proto static
root@macbook:~# ip -6 route
2606:4700:110:83ac:7ddc:a97d:3e7b:551c dev wgcf proto kernel metric 256 pref medium
2a07:b944::2:2 dev proton proto kernel metric 256 pref medium
fd05:6db5:1849::/64 dev br-lan proto static metric 1024 pref medium
unreachable fd05:6db5:1849::/48 dev lo proto static metric 2147483647 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev br-lan proto kernel metric 256 pref medium
fe80::/64 dev wan proto kernel metric 256 pref medium
fe80::/64 dev ifb-wan proto kernel metric 256 pref medium
root@macbook:~# ubus call network.interface dump
{
        "interface": [
                {
                        "interface": "lan",
                        "up": true,
                        "pending": false,
                        "available": true,
                        "autostart": true,
                        "dynamic": false,
                        "uptime": 1004,
                        "l3_device": "br-lan",
                        "proto": "static",
                        "device": "br-lan",
                        "updated": [
                                "addresses"
                        ],
                        "metric": 0,
                        "dns_metric": 0,
                        "delegation": true,
                        "ipv4-address": [
                                {
                                        "address": "10.0.1.1",
                                        "mask": 24
                                }
                        ],
                        "ipv6-address": [

                        ],
                        "ipv6-prefix": [

                        ],
                        "ipv6-prefix-assignment": [
                                {
                                        "address": "fd05:6db5:1849::",
                                        "mask": 60,
                                        "local-address": {
                                                "address": "fd05:6db5:1849::1",
                                                "mask": 60
                                        }
                                }
                        ],
                        "route": [

                        ],
                        "dns-server": [

                        ],
                        "dns-search": [

                        ],
                        "neighbors": [

                        ],
                        "inactive": {
                                "ipv4-address": [

                                ],
                                "ipv6-address": [

                                ],
                                "route": [

                                ],
                                "dns-server": [

                                ],
                                "dns-search": [

                                ],
                                "neighbors": [

                                ]
                        },
                        "data": {

                        }
                },
                {
                        "interface": "loopback",
                        "up": true,
                        "pending": false,
                        "available": true,
                        "autostart": true,
                        "dynamic": false,
                        "uptime": 1004,
                        "l3_device": "lo",
                        "proto": "static",
                        "device": "lo",
                        "updated": [
                                "addresses"
                        ],
                        "metric": 0,
                        "dns_metric": 0,
                        "delegation": true,
                        "ipv4-address": [
                                {
                                        "address": "127.0.0.1",
                                        "mask": 8
                                }
                        ],
                        "ipv6-address": [

                        ],
                        "ipv6-prefix": [

                        ],
                        "ipv6-prefix-assignment": [

                        ],
                        "route": [

                        ],
                        "dns-server": [

                        ],
                        "dns-search": [

                        ],
                        "neighbors": [

                        ],
                        "inactive": {
                                "ipv4-address": [

                                ],
                                "ipv6-address": [

                                ],
                                "route": [

                                ],
                                "dns-server": [

                                ],
                                "dns-search": [

                                ],
                                "neighbors": [

                                ]
                        },
                        "data": {

                        }
                },
                {
                        "interface": "proton",
                        "up": true,
                        "pending": false,
                        "available": true,
                        "autostart": true,
                        "dynamic": false,
                        "uptime": 992,
                        "l3_device": "proton",
                        "proto": "wireguard",
                        "updated": [
                                "addresses"
                        ],
                        "metric": 0,
                        "dns_metric": 0,
                        "delegation": true,
                        "ipv4-address": [
                                {
                                        "address": "10.2.0.2",
                                        "mask": 32
                                }
                        ],
                        "ipv6-address": [
                                {
                                        "address": "2a07:b944::2:2",
                                        "mask": 128
                                }
                        ],
                        "ipv6-prefix": [

                        ],
                        "ipv6-prefix-assignment": [

                        ],
                        "route": [

                        ],
                        "dns-server": [
                                "10.2.0.1",
                                "2a07:b944::2:1"
                        ],
                        "dns-search": [

                        ],
                        "neighbors": [

                        ],
                        "inactive": {
                                "ipv4-address": [

                                ],
                                "ipv6-address": [

                                ],
                                "route": [

                                ],
                                "dns-server": [

                                ],
                                "dns-search": [

                                ],
                                "neighbors": [

                                ]
                        },
                        "data": {

                        }
                },
                {
                        "interface": "wan",
                        "up": true,
                        "pending": false,
                        "available": true,
                        "autostart": true,
                        "dynamic": false,
                        "uptime": 993,
                        "l3_device": "wan",
                        "proto": "dhcp",
                        "device": "wan",
                        "updated": [
                                "addresses",
                                "routes",
                                "data"
                        ],
                        "metric": 0,
                        "dns_metric": 0,
                        "delegation": true,
                        "ipv4-address": [
                                {
                                        "address": "10.0.7.210",
                                        "mask": 8
                                }
                        ],
                        "ipv6-address": [

                        ],
                        "ipv6-prefix": [

                        ],
                        "ipv6-prefix-assignment": [

                        ],
                        "route": [
                                {
                                        "target": "0.0.0.0",
                                        "mask": 0,
                                        "nexthop": "10.0.0.2",
                                        "source": "10.0.7.210/32"
                                }
                        ],
                        "dns-server": [
                                "86.51.35.24",
                                "86.51.34.24",
                                "86.51.35.24",
                                "86.51.34.24",
                                "8.8.8.8",
                                "8.8.4.4"
                        ],
                        "dns-search": [

                        ],
                        "neighbors": [

                        ],
                        "inactive": {
                                "ipv4-address": [

                                ],
                                "ipv6-address": [

                                ],
                                "route": [

                                ],
                                "dns-server": [

                                ],
                                "dns-search": [

                                ],
                                "neighbors": [

                                ]
                        },
                        "data": {
                                "dhcpserver": "10.0.0.2",
                                "leasetime": 2593800
                        }
                },
                {
                        "interface": "wan6",
                        "up": false,
                        "pending": true,
                        "available": true,
                        "autostart": true,
                        "dynamic": false,
                        "proto": "dhcpv6",
                        "device": "wan",
                        "data": {

                        }
                },
                {
                        "interface": "wgcf",
                        "up": true,
                        "pending": false,
                        "available": true,
                        "autostart": true,
                        "dynamic": false,
                        "uptime": 991,
                        "l3_device": "wgcf",
                        "proto": "wireguard",
                        "updated": [
                                "addresses"
                        ],
                        "metric": 0,
                        "dns_metric": 0,
                        "delegation": true,
                        "ipv4-address": [
                                {
                                        "address": "172.16.0.2",
                                        "mask": 32
                                }
                        ],
                        "ipv6-address": [
                                {
                                        "address": "2606:4700:110:83ac:7ddc:a97d:3e7b:551c",
                                        "mask": 128
                                }
                        ],
                        "ipv6-prefix": [

                        ],
                        "ipv6-prefix-assignment": [

                        ],
                        "route": [

                        ],
                        "dns-server": [
                                "1.1.1.1",
                                "1.0.0.1",
                                "2606:4700:4700::1111",
                                "2606:4700:4700::1001"
                        ],
                        "dns-search": [

                        ],
                        "neighbors": [

                        ],
                        "inactive": {
                                "ipv4-address": [

                                ],
                                "ipv6-address": [

                                ],
                                "route": [

                                ],
                                "dns-server": [

                                ],
                                "dns-search": [

                                ],
                                "neighbors": [

                                ]
                        },
                        "data": {

                        }
                }
        ]
}
root@macbook:~#

Thanks, the problem seems to be that you do not have a working IPv6 on your wan (wan6).

If PBR-r14 could not get a gateway for your wan it just made one up; that was of course not working, but it did not give an error.
r15 gives an error if there is no valid gateway (meaning no valid route).

You can ignore the error and everything should work nonetheless, apart from a working IPv6 on your wan of course, but you might need to disable strict enforcement on PBR.

But the main problem is that you have IPv6 enabled but you do not have a working IPv6 on your wan interface.

Not sure what is upstream of this router and if you ever had working IPv6; if not, just consider disabling IPv6.

1 Like
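As an added example (not pbr's own code), a small Python script that walks a `ubus call network.interface dump` in the shape pasted above and reports, per interface, whether a usable default route exists, which is the condition the r15 error is about. The sample dump is a constructed excerpt of the output above, and treating WireGuard interfaces as device-routed tunnels that carry no next-hop is an assumption of this example.

```python
import json

# Constructed excerpt mirroring the shape of `ubus call network.interface dump`
# pasted in the thread (trimmed to the fields this check needs).
SAMPLE_DUMP = json.dumps({"interface": [
    {"interface": "wan", "up": True, "pending": False, "proto": "dhcp",
     "route": [{"target": "0.0.0.0", "mask": 0, "nexthop": "10.0.0.2",
                "source": "10.0.7.210/32"}]},
    {"interface": "wan6", "up": False, "pending": True, "proto": "dhcpv6"},
    {"interface": "proton", "up": True, "pending": False,
     "proto": "wireguard", "route": []},
]})

# Protocols for which a default route is normally installed via the device
# rather than a next-hop (assumption for this example, not pbr's own rule).
TUNNEL_PROTOS = {"wireguard"}


def default_gateways(iface):
    """Return the next-hops of default routes (0.0.0.0/0 or ::/0) on one interface."""
    return [r["nexthop"] for r in iface.get("route", [])
            if r.get("mask") == 0 and r.get("target") in ("0.0.0.0", "::")]


def check_gateways(dump_json):
    """Map each interface name to one of:
    'ok' (up with a default route), 'tunnel' (device-routed, no next-hop
    expected), 'pending' / 'down' (not up), or 'no-default-route' (up, but
    netifd reports no default route, the case r15 now reports as an error)."""
    result = {}
    for iface in json.loads(dump_json)["interface"]:
        name = iface["interface"]
        if not iface.get("up"):
            result[name] = "pending" if iface.get("pending") else "down"
        elif iface.get("proto") in TUNNEL_PROTOS:
            result[name] = "tunnel"
        elif default_gateways(iface):
            result[name] = "ok"
        else:
            result[name] = "no-default-route"
    return result


if __name__ == "__main__":
    for name, state in check_gateways(SAMPLE_DUMP).items():
        print(f"{name}: {state}")
```

On a router the same check can be fed the live output with `ubus call network.interface dump` instead of the constructed sample.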

Thanks for the explanation. The strange thing is that my IPv6 interface is still showing RX/TX traffic, so it looks like there is at least some IPv6 activity on the interface.

Do you think it would be better if I simply disable the IPv6 interface completely? Would that be the recommended approach in this case?