Makes sense, thanks for clearing that up. I had mistakenly assumed that these 2 interfaces were some unidirectional implementation of setting up wireguard with openwrt which confused me as it's all peers on wireguard anyway and that doesn't really make sense for a VPN.
Can you also explain the openwrt firewall bit about the wireguard client setup more. Or point me to a detailed resource on openwrt firewall zones/forwarding with wireguard.
I'm trying to figure out how to selectively route traffic incoming on a specific port from VPN to a specific host on LAN, and redirect any response out of said LAN host through VPN to return to the client, without the policy/VPN affecting any other network traffic from said host on other ports. I'll admit my knowledge in this space is a little bit lacking, but I believe this "should" be possible.
The only concern I have is if the service I am trying to host on said LAN host receives a connection request, how does it appear to the LAN host's application: from the VPN IP, or from the actual client IP? If it is from the VPN IP then it seems as though it would be impossible for the VPN to forward to the right client once the VPN receives it. Alternatively, if it is from the client IP, then the application on the host will be able to correctly address the response, but does that mean PBR will intercept this outgoing response packet and route it through the VPN? That would be invisible from the LAN host's perspective.
Please feel free to leave some of the above unanswered as I understand it isn't entirely relevant to the thread but I'm just trying to understand if it is possible and how it would work. Thanks
To try and represent the mess of text above more concisely I'll just create an ASCII representation of what I'm desiring.
Request:
ClientIP:123 -> VPN IP:123
OpenWRT (sees said traffic is on port 123 of VPN interface and forwards it to LAN host?) -> LAN IP:123
Response:
LAN IP:123 -> ClientIP:123
OpenWRT (filters outgoing packet based on port to be sent over VPN interface vs WAN)
Once I get this working I'd be happy to provide screenshots from luci to aid in others setting up wireguard with pbr.
@stangri I’m trying to use PBR to selectively route a named device to one of two WANs but I'm finding strict enforcement is not honoured when the device has an ipv6 address and there is a v6 on only one WAN.
Setup
OpenWRT 22.03.2 x86, luci-app-pbr 0.9.9-9
Two WANs - wan/eth0/pppoe-wan and van/eth1. wan is both ipv4 and ipv6, while van has network.van.ipv6='0'.
Partial output of ip address
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 80:61:5f:0e:68:33 brd ff:ff:ff:ff:ff:ff
inet 86.16.59.XXX/22 brd 86.16.59.QQQ scope global eth1
valid_lft forever preferred_lft forever
11: pppoe-wan: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1492 qdisc fq_codel state UNKNOWN group default qlen 3
link/ppp
inet 81.187.168.XXX peer 81.187.81.YYY/32 scope global pppoe-wan
valid_lft forever preferred_lft forever
inet6 2001:8b0:1111:1111:0:ffff:51bb:a8f9/128 scope global dynamic noprefixroute
valid_lft 5495sec preferred_lft 1895sec
Which shows no ipv6 address on van/eth1
However luci-app-pbr status shows an ipv6 gateway on van - which is a repeat of those on wan.
Issue
When I create a named device rule, forcing a device to use van, it works correctly when I set the device to be link-local ipv6, but when it has a globally routable address, then traffic goes over wan even when strict enforcement is enabled.
I have a BTHH5A running OpenWRT 22.03.2. firewall4 is default for this firmware version. However pbr tries to install firewall4 and there is a conflict. I tried --nodeps option and pbr was installed successfully. ( Before that I had to remove vpn-policy-routing )
During the post-install pbr showed :
:~# opkg install pbr --nodeps
Installing pbr (0.9.9-9) to root...
Downloading https://repo.openwrt.melmac.net/pbr_0.9.9-9_all.ipk
Configuring pbr.
//usr/lib/opkg/info/pbr.postinst: /usr/lib/opkg/info/pbr.postinst-pkg: line 5: fw4: not found
Installing rc.d symlink for pbr... OK
Migrating vpn-policy-routing config file.
uci: Entry not found
# Warning: iptables-legacy tables present, use iptables-legacy to see them
Activating traffic killswitch [✓]
Error: No such file or directory
list table inet fw4
^^^
Error: No such file or directory
list table inet fw4
^^^
# Warning: iptables-legacy tables present, use iptables-legacy-save to see them
Setting up routing for 'wan/dsl0.101/266.755.99.100' [✓]
Setting up routing for 'tun0if/tun0/10.73.8.96' [✓]
Setting up routing for 'WG0IF/10.23.0.76' [✓]
Routing 'SkyQ' via wan [✓]
Routing 'wifi' via tun0if [✓]
Routing 'eth-lan-2-wg' via WG0IF [✓]
Deactivating traffic killswitch [✓]
pbr 0.9.9-9 monitoring interfaces: wan tun0if WG0IF
pbr 0.9.9-9 (iptables) started with gateways:
wan/dsl0.101/266.755.99.100 [✓]
tun0if/tun0/10.73.8.96
WG0IF/10.23.0.76
My firewall package is firewall - 2022-02-17-4cd7d4f3-3
Having said that, pbr is routing all 3 kinds of traffic ( OpenVPN, WireGuard and WAN ) exactly as expected.
Thank you for a robust app. Do I need to update it to the next version when available?
The error message will be fixed in 0.9.9-10. However, if you're on 22.03, I don't understand how you would not have the fw4 table.
If you're not using dnsmasq.ipset, you may want to set the resolver_set option to none to force service to nft mode. However, given the issues you've reported, I don't really understand what and how is running on your system.
I inferred you meant WireGuard when you said VPN in your previous posts; however, next time please be more specific. With WireGuard (which is UDP-based) it's not possible. If you set up an OpenVPN server and switch its protocol to tcp, it might be possible with the combination of pbr and firewall configs. I would not be able to help you with those, but there are other users on the forum who might.
Yes. I did an in-place upgrade using attended sysupgrade. Then I reset to factory default and imported the config. I don't know when/where firewall4 was replaced with the old firewall package, as 22.03.2 is shipped with firewall4.
Actually, my settings are carried from 19.07.#. Then the Network --> Interfaces --> Devices tab did not exist. I too do not have any idea of how the things work.
I think I should start with a blank slate. If something goes wrong, I have a working current config backed up anyway.
As far as I understand IPv6 and the current implementation in 22.03, this is intentional: if you use the global address, there's no masquerading, so pbr policies cannot be applied.
Thanks - my understanding of ipv6 is very hazy but keen to help get this working if I can!
I tried
uci set network.wan6.sourcefilter="0" # provide default route for all prefixes
uci set firewall.@zone[1].masq6='1' # enable masquerade for ipv6
Which gave partial success - the device now appears behind the router’s ipv6 confirming that the router is in the middle, and in some cases traffic is now going over the correct interface when there is a PBR rule to override the default but things like ipleaktest.com can still route via the ‘wrong’ interface.
Two things I’m wondering:
In the Luci app PBR reports v6 addresses on the v4-only interface. I'm not sure how it is discovering those, but they aren't correct, so maybe that confusion is
Could go the whole hog and remove GUAs from the system making it like a classic v4 firewall/nat66 setup - which is a shame for the other devices in the network that I want to use the default route, but will give it a go.
It may be. This needs to be investigated further; I'll try to reach out in the coming days/week with some commands to run on your router so I can figure out why pbr thinks one of your interfaces has an IPv6 address from another interface.
The reason for using the -iptables variant is to avoid the build system from pulling nftables into the firmware (waiting for dnsmasq with nftset support before switching to fw4).
I was able to successfully use iptables DNAT/SNAT rules on my vpn server to route specific traffic to my local machine through the vpn, running on said local machine.
I now have said VPN client running in OpenWrt but don't understand exactly how to use openwrt/pbr/nf rules to route the traffic incoming on the VPN interface to the local machine on LAN. Similarly, I don't know how to create rules to route the outgoing traffic from the local machine from LAN to VPN for said port.
Here is my current config (though I'm sure it's not right).
The VPN (wireguard) "client" IP in this case is 10.7.0.2 and the local machine LAN IP is 192.168.2.218, the vpn interface is named client3, I believe the vpn gateway is 10.7.0.1?
Any guidance or tips as to how to "debug" or inspect/log incoming packets to openwrt on client3 interface and their path would be much appreciated as I'm pretty lost. Thanks!
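The following is an added example, not code from anyone in this thread or from the pbr project, showing one way to do what the earlier post asked for (a service port arriving over the WireGuard interface forwarded to one LAN host, with only the replies of those flows sent back through the tunnel) and the commands I would use to debug it. With a plain DNAT on the VPS the LAN host sees the real client address, so its replies would follow the default route out the WAN; the script tags each forwarded flow in conntrack as it arrives over the tunnel and restores that tag as a packet mark on the reply, and a fwmark ip rule sends marked packets to a routing table whose only route is the tunnel. Assumed names and values: WireGuard interface client3, LAN bridge br-lan, LAN host 192.168.2.218, service port 123 (the placeholder used above), fwmark 0x20 and routing table 200 (arbitrary; they must not overlap the mark/mask pbr itself uses, see /etc/config/pbr), and that the client3 peer's allowed_ips covers the real client sources (0.0.0.0/0 with route_allowed_ips off), since WireGuard drops packets whose inner addresses are not in allowed_ips. Run without arguments it only prints the generated configuration; it changes the router only when WG_SVC_APPLY=1 is set and it runs as root on OpenWrt (fw4/nftables, 22.03).

```shell
#!/bin/sh
# Added example (not from the thread or from pbr): DNAT a service port from a
# WireGuard interface to a LAN host and route only those replies back via the
# tunnel. All names/values below are assumptions taken from the thread.
WG_IF="${WG_IF:-client3}"            # WireGuard netdev == uci interface name
LAN_IF="${LAN_IF:-br-lan}"
LAN_HOST="${LAN_HOST:-192.168.2.218}"
SVC_PORT="${SVC_PORT:-123}"          # the thread's placeholder port
MARK="${MARK:-0x20}"                 # must not collide with pbr's fwmark/mask
RT_TABLE="${RT_TABLE:-200}"

# 1) fw4: a zone for the tunnel and a DNAT redirect for the service port.
#    No wg->lan forwarding is opened; fw4 accepts DNAT'd flows by itself
#    (ct status dnat accept), so only this port reaches the LAN.
gen_uci_firewall() {
cat <<EOF
uci add firewall zone
uci set firewall.@zone[-1].name='wg'
uci add_list firewall.@zone[-1].network='$WG_IF'
uci set firewall.@zone[-1].input='REJECT'
uci set firewall.@zone[-1].output='ACCEPT'
uci set firewall.@zone[-1].forward='REJECT'
uci add firewall redirect
uci set firewall.@redirect[-1].name='svc-via-wg'
uci set firewall.@redirect[-1].target='DNAT'
uci set firewall.@redirect[-1].src='wg'
uci set firewall.@redirect[-1].proto='tcp udp'
uci set firewall.@redirect[-1].src_dport='$SVC_PORT'
uci set firewall.@redirect[-1].dest='lan'
uci set firewall.@redirect[-1].dest_ip='$LAN_HOST'
uci set firewall.@redirect[-1].dest_port='$SVC_PORT'
uci commit firewall
EOF
}

# 2) nftables: fw4 includes /etc/nftables.d/*.nft inside table inet fw4.
#    Prerouting/mangle runs before DNAT, so the original dport is still visible.
gen_nft_include() {
cat <<EOF
chain wg_svc_mark {
    type filter hook prerouting priority mangle; policy accept;
    # new service flows arriving from the tunnel: tag the conntrack entry
    iifname "$WG_IF" meta l4proto { tcp, udp } th dport $SVC_PORT ct state new ct mark set $MARK
    # replies from the LAN host in a tagged flow: copy the tag to the packet mark
    iifname "$LAN_IF" ip saddr $LAN_HOST ct mark $MARK meta mark set ct mark
}
EOF
}

# 3) policy route: marked packets leave via the tunnel (point-to-point, so no
#    gateway address is needed). For a one-off test: ip rule add fwmark MARK
#    lookup TABLE; ip route add default dev WG_IF table TABLE.
gen_uci_routes() {
cat <<EOF
uci add network rule
uci set network.@rule[-1].mark='$MARK'
uci set network.@rule[-1].lookup='$RT_TABLE'
uci set network.@rule[-1].priority='100'
uci add network route
uci set network.@route[-1].interface='$WG_IF'
uci set network.@route[-1].target='0.0.0.0/0'
uci set network.@route[-1].table='$RT_TABLE'
uci commit network
EOF
}

# 4) debugging: 203.0.113.10 stands in for the real client's address.
#    conntrack needs the "conntrack" package.
gen_debug_commands() {
cat <<EOF
uci show network | grep allowed_ips                      # peer must allow 0.0.0.0/0
tcpdump -ni $WG_IF port $SVC_PORT                        # does the request arrive?
tcpdump -ni $LAN_IF host $LAN_HOST and port $SVC_PORT    # is it DNAT'd and answered?
nft insert rule inet fw4 wg_svc_mark iifname "$WG_IF" meta nftrace set 1
nft monitor trace                                        # walk the packet through fw4
ip route get 203.0.113.10 from $LAN_HOST iif $LAN_IF mark $MARK   # reply route
conntrack -L 2>/dev/null | grep $LAN_HOST                # flow entry and its mark=
sysctl net.ipv4.conf.$WG_IF.rp_filter                    # must be 2 (loose), see below
EOF
}

# Apply only on the router as root; otherwise print a dry run for review.
apply_on_router() {
    [ -x /sbin/uci ] && [ "$(id -u)" = 0 ] || { echo "run on the OpenWrt router as root" >&2; return 1; }
    gen_uci_firewall | sh -e
    gen_uci_routes | sh -e
    gen_nft_include > /etc/nftables.d/90-wg-svc-return.nft
    # strict rp_filter would drop packets from client sources arriving on the tunnel
    sysctl -w "net.ipv4.conf.$WG_IF.rp_filter=2"
    /etc/init.d/network reload
    /etc/init.d/firewall reload
}

if [ "${WG_SVC_APPLY:-0}" = 1 ]; then
    apply_on_router
else
    gen_uci_firewall; gen_nft_include; gen_uci_routes; gen_debug_commands
fi
```

The tag is placed on the conntrack entry rather than on the packet so that pbr's own marking of the LAN host's other traffic is untouched: only packets belonging to a flow that began on client3 with the service port ever get the 0x20 mark, and everything else from 192.168.2.218 keeps following whatever pbr policy applies to it.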