Policy-Based-Routing (pbr) package discussion

With pbr 1.0.1-21 I'm getting the error about the domain name being missing twice:
[screenshot]

Not an ideal way to handle domains, the way you have pbr configured. Do you have IPv6 support enabled in the pbr config?

If not, peruse README->Getting Help before replying.

OpenWrt 22.03.2 r19803-9a599fee93

I am having difficulty changing Service Gateways from WG to wan in Policy Routing.

  • /etc/config/dhcp

"Permission denied"

  • /etc/config/firewall

"Permission denied"

  • /etc/config/network

"Permission denied"

  • /etc/config/pbr

"Permission denied"

  • /etc/init.d/pbr status

"Permission denied"

  • /etc/init.d/pbr reload with verbosity setting set to 2

I referred to https://docs.openwrt.melmac.net/pbr/ :

Wireguard tunnel

To unset a Wireguard tunnel as default route, set the following to the appropriate section of your /etc/config/network:

  • For your Wireguard (client) config:
option route_allowed_ips '0'
  • Routing Wireguard traffic may require setting net.ipv4.conf.wg0.rp_filter = 2 in /etc/sysctl.conf. Please refer to issue #41 for more details.

You don't "run" the config files; to show the content of a config file, use cat, like cat /etc/config/dhcp and so on.

You have not provided the output of either service pbr status or service pbr reload.

To directly address your question, you do not change Service Gateways within pbr. You do it in your network config file as per the README.

pkg_hash_check_unresolved: cannot find dependency libubus20220601 for pbr

Stan, could you please update the dependency for libubus (libubus20220615)?

Reflash updated snapshot.

Hi!

On my OpenWrt RPi router I have installed and configured 2 WireGuard interfaces. One of them acts like a WireGuard client from azirevpn.
The other one is a WireGuard "server" and the goal is to connect to my Android phone through the WireGuard app, and have access to my home network from outside (world).
When I am connected to my home wifi I can establish a connection between the WireGuard server and my Android phone. However, from outside I can't access my home network.
As I read, I need policy routing and for this purpose PBR could be useful.

Can you give me any advice on how to achieve that?

Many thanks.

Yes, start with the README.

Hi, thanks to stangri and the community for bringing the pbr package.

I am very new to OpenWrt and come from Windows. I have managed to set up OpenWrt x86 with the LuCI/Apps interface, with a basic internet connection and everything running over AirVPN WireGuard, with some devices on pbr successfully with the help of this guide.

I did read the README a few times but it's a bit above my head with Linux lingo atm. I just wished to find out whether there is a way I can select certain devices on my pbr to use a specific DNS.

Example:
CableTV box = ISP supplied DNS
Desktop PC = AirVPN supplied DNS

At the moment, from following that guide, I have 3 different DNS entries (in the LAN, WAN, and DHCP and DNS sections), which oddly I have got running successfully, but all devices will detect either my public free DNS like 1.1.1.1, my AirVPN DNS or my ISP DNS, so I was wondering if there is an easier way to manage devices to use a strict single DNS?

The pbr service doesn't manage the DNS assignments to clients. For now you'd have to do it manually via tag or mac classifiers: https://openwrt.org/docs/guide-user/base-system/dhcp_configuration

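One way to assign a fixed resolver per client with the tag and MAC classifiers the reply above points to, as an added example that is not from the thread, the pbr README or the OpenWrt docs; the MAC addresses, lease IPs and resolver addresses are constructed placeholders (192.0.2.53 stands for the ISP resolver, 10.8.0.1 for the one pushed by the VPN provider):

```uci
# /etc/config/dhcp fragment (added example; addresses are placeholders).

# Interface-wide default: every LAN client gets the ISP resolver in
# DHCP option 6 unless a more specific tagged option matches below.
config dhcp 'lan'
	option interface 'lan'
	list dhcp_option '6,192.0.2.53'

# Tag that hands out the VPN resolver instead.
config tag 'vpn_dns'
	list dhcp_option '6,10.8.0.1'

# Tag that hands out the ISP resolver explicitly (useful when the
# interface-wide default is later changed to something else).
config tag 'isp_dns'
	list dhcp_option '6,192.0.2.53'

# Static lease for the cable TV box, attached to the isp_dns tag.
config host
	option name 'cabletv'
	option mac '00:11:22:33:44:55'
	option ip '192.168.1.20'
	option tag 'isp_dns'

# Static lease for the desktop PC, attached to the vpn_dns tag.
config host
	option name 'desktop'
	option mac '66:77:88:99:aa:bb'
	option ip '192.168.1.30'
	option tag 'vpn_dns'
```

dnsmasq prefers a tagged option over the untagged interface-wide one, so after service dnsmasq restart the generated /var/etc/dnsmasq.conf.* should contain dhcp-option=tag:vpn_dns,6,10.8.0.1 and the desktop picks it up on its next lease renewal. This only sets which resolver the client is told to use; whether the DNS traffic itself leaves via the VPN or the WAN is still decided by the pbr policy for that client.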

Thanks, looks like it will be the ticket.

I did however come across this post here. I followed Neos' fixed post suggestion of adding
"6," followed by my ISP DNS under Interface>LAN>DHCP server>DHCP-Options, and also ticking Interfaces>WAN>Advanced settings>Use DNS servers advertised by peer.
I saved it, rebooted and restarted my WG, WAN and LAN interfaces several times, and it's spot on: no more DNS leaks, all devices that are meant to be on WG AirVPN use the correct VPN DNS and pbr devices also use the ISP DNS. It looks like I did not need to add 1.1.1.1 per the guide instructions for pbr.

I will give it a good testing over the next few weeks; if not, I will try to learn tagging.


People who (still) use OpenVPN, could you please test pbr 1.1.0-3 and luci-app-pbr 1.1.0-3 from my repo?

Since OpenVPN is one of the more widely used VPN tunnels which is not netifd-compliant, it causes major headaches for fast restarts and single interface reloads. If the OpenVPN tunnel is incorrectly defined, the order of the tunnels can shift if one of the OpenVPN tunnels goes down. The version 1.1.0-3 shows an error message if it encounters an incorrectly defined OpenVPN tunnel.

If this works well, the next step is support for atomic nft, which would drastically change/improve overall efficiency.


Do you know what is going on?

root@OpenWrt:/tmp# ls
BF_MIMO_Ctrl_Field_Output.txt  hosts                          resolv.conf.d
TZ                             lib                            run
adb_runtime.json               lock                           shm
adblock-Backup                 log                            state
board.json                     luci-app-pbr_1.1.0-1_all.ipk   syscfg
cache                          luci-indexcache.c766b40c.json  sysinfo
dhcp.leases                    opkg-lists                     tmp
dnsmasq.d                      overlay                        usr
etc                            pbr_1.0.1-16_all.ipk           wireguard
extroot                        resolv.conf
root@OpenWrt:/tmp# opkg install pbr_1.0.1-16_all.ipk
Installing pbr (1.0.1-16) to root...
Configuring pbr.
Installing rc.d symlink for pbr... OK
ERROR: The pbr service is currently disabled!
root@OpenWrt:/tmp# 

The TOR interface is not getting detected.

Policies with wg interface output through specific wan(2) interface don't work.

Hi, I noticed a pbr error I receive whenever I reboot my OpenWrt x86 router build.

It says Failed to set up WG/10. Regardless of the error, all pbr devices work correctly, i.e. ISP or WG, and so does the internet, with no DNS leaks.

I have 2 WG interfaces under my interfaces tab; one is the primary and the 2nd is a backup in case the primary VPN should ever go down.

If I click the Restart button in pbr it fixes it to the right WG gateway with a tick, though. Can I just ignore this pbr gateway error since everything seems to work fine?

Is something unclear about the error message?

It's not the first time you've posted, you already know what to do, don't you?

The output of logread -epbr and service pbr info while in the error state would be super-helpful.

Could you please tell me, what do I have to do?

README Getting Help has information on what's needed from your system to provide any meaningful reply if it's a user error, or to be a starting point for a bug investigation.

I understand that. I'm afraid I would like to avoid posting any logs any more. I'm sorry.
It's just my feedback on what I have noticed so far. I've been waiting with this until you beautified things in pbr.

The TOR interface is also not getting detected in the web UI.

...
pbr.cfg176ff5.name=TOR validates as string with true
pbr.cfg176ff5.enabled is unset and defaults to bool 1
pbr.cfg176ff5.interface=tor validates as or(uci("network", "@interface"),"ignore") with false
pbr.cfg176ff5.proto is unset and defaults to or(string) (null)
pbr.cfg176ff5.chain is unset and defaults to or("", "forward", "input", "output", "prerouting", "postrouting", "FORWARD", "INPUT", "OUTPUT", "PREROUTING", "POSTROUTING") prerouting
pbr.cfg176ff5.src_addr is unset and defaults to list(neg(or(host,network,macaddr,string))) (null)
pbr.cfg176ff5.src_port is unset and defaults to list(neg(or(portrange,string))) (null)
...
Routing 'TOR' via  [✗]
...
ERROR: Failed to set up 'tor/53->9053/80,443->9040'!
ERROR: Policy 'TOR' has no assigned interface!

My config worked fine with vpn pbr 3.4.8, iptables, ipset and fw3. And I didn't change anything since then.

If you please could confirm that pbr is fully compatible with fw4, nftables, dnsmasq + nftset (no ipset, iptables packages installed). But as far as I can remember, I had the same issues with 22.03 + fw4 + dnsmasq + iptables/ipset.

If so, there might be an issue in pbr. Is there maybe any config for nftset in firewall missing?

I think TOR based policies never worked with fw4 so far.

But my 2nd and new problem with pbr is this

Thank you for doing troubleshooting for me!

Please update both pbr and luci-app-pbr to version 1.1.0-4 from my repo. It should get rid of the validation error; not sure what the issue is with setting up TOR.

Can't help without details.