Policy-Based-Routing (pbr) package discussion

That seems to contradict the opkg list-installed output. It's a very busy few weeks for me, I'll try to have a look at the RPC script code again to see what could have gone wrong.

Thanks! Does it make sense to reinstall pbr and all related packages? Maybe I should run some cleanup script?

Sorry for being slightly off-topic, but two questions:

  • is there a way to listen to some ubus notification and be immediately informed about interface disconnect? namely OpenVPN.
  • what is the best way on OpenWrt to implement a kill-switch?

  1. Allow forwarding towards vpn zone in firewall from lan.
  2. Allow output from OpenWrt only towards essential destinations (pppoe/dhcp, dns) and the vpn endpoint.
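The two conditions above, turned into a check that can be run against a firewall file: an added shell example, not pbr's or OpenWrt's own code. It parses the UCI firewall format with awk and reports whether LAN may forward only into the zone that carries the VPN interface and whether router-originated output to the wan zone is restricted. Both embedded configs are constructed: the first is trimmed from the firewall file posted later in this thread, the second is a hypothetical corrected layout; the zone name `vpn`, the rule names, the endpoint address 203.0.113.10 and port 1194 are placeholders.

```shell
#!/bin/sh
# Added example (not pbr's or OpenWrt's code): audit a UCI firewall config for the two
# kill-switch conditions from the post above. The sample configs are constructed here.
# Print "yes" if zone $2 may forward into any zone that has interface $3 as a member.
can_forward_to_iface() { # args: CONFIG_FILE SRC_ZONE IFNAME
    awk -v SRC="$2" -v IFN="$3" '
        $1 == "config" { n++; kind[n] = $2; next }       # new UCI section; remember its type
        NF >= 3 { v = $3; gsub("\047", "", v) }           # the value with its quotes stripped
        $1 == "option" && $2 == "name"    { name[n] = v }
        $1 == "list"   && $2 == "network" { nets[n] = nets[n] " " v " " }
        $1 == "option" && $2 == "src"     { src[n]  = v }
        $1 == "option" && $2 == "dest"    { dest[n] = v }
        END {
            for (i = 1; i <= n; i++)
                if (kind[i] == "forwarding" && src[i] == SRC)
                    for (j = 1; j <= n; j++)
                        if (kind[j] == "zone" && name[j] == dest[i] && index(nets[j], " " IFN " ")) {
                            print "yes"; exit
                        }
            print "no"
        }' "$1"
}

# Print the output policy of zone $2. fw4 falls back to the "config defaults" output
# policy when a zone sets none; the thread's defaults use ACCEPT, which is assumed here.
zone_output_policy() { # args: CONFIG_FILE ZONE
    awk -v Z="$2" '
        $1 == "config" { n++; kind[n] = $2; next }
        NF >= 3 { v = $3; gsub("\047", "", v) }
        $1 == "option" && $2 == "name"   { name[n] = v }
        $1 == "option" && $2 == "output" { out[n] = v }
        END { for (i = 1; i <= n; i++) if (kind[i] == "zone" && name[i] == Z) { print (out[i] ? out[i] : "ACCEPT"); exit } }' "$1"
}

# "ok" when LAN can reach the VPN interface but not the WAN interface and the router
# itself is not free to talk to WAN; otherwise "leak".
killswitch_status() { # args: CONFIG_FILE VPN_IFNAME WAN_IFNAME
    [ "$(can_forward_to_iface "$1" lan "$2")" = yes ] &&
    [ "$(can_forward_to_iface "$1" lan "$3")" = no ] &&
    [ "$(zone_output_policy "$1" wan)" = REJECT ] && { echo ok; return; }
    echo leak
}

SAMPLE_DIR=$(mktemp -d)
LEAKY_CFG="$SAMPLE_DIR/firewall.leaky"
STRICT_CFG="$SAMPLE_DIR/firewall.strict"
# Trimmed from the firewall file posted in this thread: the VPN interface shares the wan
# zone, so LAN traffic is forwarded to the real WAN whenever the tunnel is down.
cat > "$LEAKY_CFG" <<'EOF'
config zone
	option name 'lan'
	list network 'lan'
config zone
	option name 'wan'
	list network 'wan'
	list network 'privatevpn_new_york'
	option masq '1'
config forwarding
	option src 'lan'
	option dest 'wan'
EOF

# Hypothetical corrected layout: the VPN interface gets its own zone, LAN forwards only
# there, and router output to WAN is limited to DHCP/DNS and the VPN endpoint
# (203.0.113.10 and port 1194 are placeholders, not a real server).
cat > "$STRICT_CFG" <<'EOF'
config zone
	option name 'lan'
	list network 'lan'
config zone
	option name 'wan'
	list network 'wan'
	option output 'REJECT'
	option masq '1'
config zone
	option name 'vpn'
	list network 'privatevpn_new_york'
	option masq '1'
config forwarding
	option src 'lan'
	option dest 'vpn'
config rule
	option name 'Allow-Router-DHCP-DNS-Out'
	option dest 'wan'
	option proto 'udp'
	option dest_port '53 67 68'
	option target 'ACCEPT'
config rule
	option name 'Allow-VPN-Endpoint-Out'
	option dest 'wan'
	option dest_ip '203.0.113.10'
	option proto 'udp'
	option dest_port '1194'
	option target 'ACCEPT'
EOF
echo "posted config:    $(killswitch_status "$LEAKY_CFG" privatevpn_new_york wan)"   # leak
echo "corrected config: $(killswitch_status "$STRICT_CFG" privatevpn_new_york wan)"  # ok
```

Rules that carry only `option dest` and no `option src` apply to the router's own output in fw4, which is how the second step is expressed; the check only reads zone membership, forwardings and the zone output policy, so zone `forward` settings and per-rule matches are not evaluated.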

No, I mean practically, like the easiest one uci command way.
What got me thinking is that fw4 on reload logs about Activating/Deactivating traffic killswitch, so is there a way to just call that killswitch?

That message is coming from pbr as it kills all traffic while setting things up to avoid leaks. There's a setting in config so this can be disabled.

I'm using version 22.03.5 and installed the right packages, however when I route to my vpn wireguard nothing happens. I am using version 1.1.1.1

Hello.

First of all, I want to say that PBR works great and gets the job done. There is one scenario where I have some issues. I have created a new WIFI access point and would like all the traffic from it to be routed via VPN. In the PBR doc it is stated that for src_addr you can use UCI identifiers. So I have tried it but I was not able to get it working, mainly because the identifier was invalid. I have attempted it with @ followed by the ID. Would you be able to tell me how to properly configure this?

Thanks,
Horia

You mean you have created a new wifi-iface on your router? It would be better if you keep following the README and post the config files requested in the Getting Help section as well as the wireless config.

Sorry to repeat, but is there a way to listen to some ubus notification and be immediately informed about interface connect/disconnect?
Tried listening to some ubus endpoints but found nothing. Is there a documentation about all ubus endpoints?

Outside of subscribing to interface events in PROCD script and interface hotplug scripts, I'm not aware of any alternatives.
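The interface hotplug route mentioned above, as an added example that is not part of pbr or of the original post. netifd runs every script under /etc/hotplug.d/iface/ on an interface event with ACTION (ifup, ifdown, ...) and INTERFACE (the logical UCI name) in the environment; this script records the state of one watched interface so other scripts can read it without polling ubus. The file name 90-vpn-state, the logical interface name privatevpn_new_york and the state directory are assumptions.

```shell
#!/bin/sh
# Added example, not pbr's code. Suggested location: /etc/hotplug.d/iface/90-vpn-state
# netifd sets ACTION and INTERFACE before running the scripts in that directory.
STATE_DIR="${STATE_DIR:-/tmp/vpn-state}"                 # assumption: where the state is kept
WATCHED="${WATCHED:-privatevpn_new_york}"               # assumption: logical name of the VPN interface

# Map an event to a state word for the watched interface; "ignore" for anything else.
vpn_event_state() { # args: ACTION INTERFACE
    [ "$2" = "$WATCHED" ] || { echo ignore; return; }
    case "$1" in
        ifup)   echo up ;;
        ifdown) echo down ;;
        *)      echo ignore ;;
    esac
}

# Persist the state under STATE_DIR/<interface> and log it; prints the state written.
record_vpn_state() { # args: ACTION INTERFACE
    s=$(vpn_event_state "$1" "$2")
    [ "$s" = ignore ] && { echo ignore; return; }
    mkdir -p "$STATE_DIR"
    printf '%s\n' "$s" > "$STATE_DIR/$2"
    command -v logger >/dev/null 2>&1 && logger -t vpn-state "$2 is $s" 2>/dev/null
    echo "$s"
}

# Last recorded state of an interface, or "unknown" if no event has been seen yet.
current_vpn_state() { # args: INTERFACE
    cat "$STATE_DIR/$1" 2>/dev/null || echo unknown
}

# Entry point when invoked by hotplug; does nothing when the variables are absent.
if [ -n "$ACTION" ] && [ -n "$INTERFACE" ]; then
    record_vpn_state "$ACTION" "$INTERFACE" >/dev/null
fi
```

Anything that needs to react immediately (re-checking pbr's routing tables, for example) can be called from record_vpn_state at the ifdown branch; the state file lets scripts that run later read the result with current_vpn_state.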

pbr didn't work in my settings. Tried to forward my wifi to WireGuard VPN but it is always on WAN.

Does IPv6 work now when the vpn provider only provides a single IPv6 address e.g. with masquerading?

vpn client name is pbr_privatevpn_new_york
the wifi that I want to be routed through pbr_privatevpn_new_york is called lho_usa
pbr config is called "usa_wifi routing"

{
	"kernel": "5.10.161",
	"hostname": "OpenWrt",
	"system": "ARMv8 Processor rev 4",
	"model": "Linksys E8450 (UBI)",
	"board_name": "linksys,e8450-ubi",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "22.03.3",
		"revision": "r20028-43d71ad93e",
		"target": "mediatek/mt7622",
		"description": "OpenWrt 22.03.3 r20028-43d71ad93e"
	}
}
package dhcp

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'
	option confdir '/tmp/dnsmasq.d'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config host
	option duid '0001000128BFE57458D349D914F1'
	option mac '58:D3:49:D9:14:F1'

config host
	option duid '00030001A88FD93976BD'
	option mac 'A8:8F:D9:39:76:BD'

config host
	option name 'OnePlus-11-5G'
	option ip '192.168.1.209'
	option mac '82:37:38:09:32:97'

package firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'
	option flow_offloading '1'
	option flow_offloading_hw '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	list network 'privatevpn_new_york'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include 'pbr'
	option fw4_compatible '1'
	option type 'script'
	option path '/usr/share/pbr/pbr.firewall.include'

package pbr

config pbr 'config'
	list supported_interface 'privatevpn_new_york'
	option verbosity '2'
	option strict_enforcement '1'
	option resolver_set 'none'
	list ignored_interface 'vpnserver'
	list ignored_interface 'wgserver'
	option boot_timeout '30'
	option rule_create_option 'add'
	option procd_reload_delay '1'
	option webui_show_ignore_target '0'
	list webui_supported_protocol 'all'
	list webui_supported_protocol 'tcp'
	list webui_supported_protocol 'udp'
	list webui_supported_protocol 'tcp udp'
	list webui_supported_protocol 'icmp'
	option enabled '1'
	option ipv6_enabled '1'

config include
	option path '/usr/share/pbr/pbr.user.aws'
	option enabled '0'

config include
	option path '/usr/share/pbr/pbr.user.netflix'
	option enabled '0'

config policy
	option name 'apple_tv'
	option interface 'privatevpn_new_york'
	option src_addr '192.168.1.198'

config policy
	option name 'macbook air horia'
	option src_addr '192.168.1.192'
	option interface 'privatevpn_new_york'
	option enabled '0'

config policy
	option name 'usa_wifi routing'
	option interface 'privatevpn_new_york'
	option src_addr 'lho_usa'

package wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option path 'platform/18000000.wmac'
	option channel '1'
	option band '2g'
	option htmode 'HT20'
	option cell_density '0'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'lho'
	option key 'xxxxx'
	option encryption 'psk2'

config wifi-device 'radio1'
	option type 'mac80211'
	option path '1a143000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'
	option channel '36'
	option band '5g'
	option htmode 'HE80'
	option cell_density '0'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'lho'
	option key 'xxxxxx'
	option encryption 'psk2'

config wifi-iface 'wifinet2'
	option device 'radio0'
	option mode 'ap'
	option ssid 'lho_printer'
	option encryption 'psk'
	option key 'xxxxxxx'
	option network 'lan'

config wifi-iface 'wifinet3'
	option device 'radio1'
	option mode 'ap'
	option ssid 'lho_usa'
	option encryption 'psk2'
	option key 'xxxxxxx'
	option macaddr 'AA:AA:AA:AA:AA:AA'
	option ifname 'wlan_usa'
	option network 'lan'

============================================================
pbr - environment
pbr 1.1.1-1 running on OpenWrt 22.03.3. WAN (IPv4): wan/wan/85.195.196.1. WAN (IPv6): wan6/wan/2a02:168:2000:6b::4b.
============================================================
Dnsmasq version 2.86  Copyright (c) 2000-2021 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus UBus no-i18n no-IDN DHCP no-DHCPv6 no-Lua TFTP no-conntrack no-ipset no-auth no-cryptohash no-DNSSEC no-ID loop-detect inotify dumpfile
============================================================
pbr chains - policies
	chain pbr_forward { # handle 29
	}
	chain pbr_input { # handle 30
	}
	chain pbr_output { # handle 31
	}
	chain pbr_prerouting { # handle 32
		ip saddr @pbr_privatevpn_new_york_4_src_ip_cfg046ff5 goto pbr_mark_0x020000 comment "apple_tv" # handle 15149
		ip6 saddr @pbr_privatevpn_new_york_6_src_ip_cfg046ff5 goto pbr_mark_0x020000 comment "apple_tv" # handle 15150
	}
	chain pbr_postrouting { # handle 33
	}
============================================================
pbr chains - marking
	chain pbr_mark_0x010000 { # handle 15141
		counter packets 0 bytes 0 meta mark set meta mark & 0xff01ffff | 0x00010000 # handle 15142
		return # handle 15143
	}
	chain pbr_mark_0x020000 { # handle 15144
		counter packets 52 bytes 12274 meta mark set meta mark & 0xff02ffff | 0x00020000 # handle 15145
		return # handle 15146
	}
============================================================
pbr nft sets
	set pbr_privatevpn_new_york_4_src_ip_cfg046ff5 { # handle 15147
		type ipv4_addr
		flags interval
		auto-merge
		comment "apple_tv"
		elements = { 192.168.1.198 }
	}
	set pbr_privatevpn_new_york_6_src_ip_cfg046ff5 { # handle 15148
		type ipv6_addr
		flags interval
		auto-merge
		comment "apple_tv"
	}
	set pbr_wan_4_src_ip_cfg066ff5 { # handle 15151
		type ipv4_addr
		flags interval
		auto-merge
		comment "usa_wifi routing"
	}
	set pbr_wan_6_src_ip_cfg066ff5 { # handle 15152
		type ipv6_addr
		flags interval
		auto-merge
		comment "usa_wifi routing"
	}
============================================================
IPv4 table 256 route: default via 85.195.196.1 dev wan 
IPv4 table 256 rule(s):
30000:	from all fwmark 0x10000/0xff0000 lookup pbr_wan
IPv4 table 257 route: default via 10.35.14.121 dev ovpnc0 
IPv4 table 257 rule(s):
30001:	from all fwmark 0x20000/0xff0000 lookup pbr_privatevpn_new_york
ERROR: Failed to resolve 'lho_usa'!
ERROR: 
usa_wifi routing 
ERROR: 
nft add rule inet fw4 pbr_prerouting ip saddr lho_usa goto pbr_mark_0x010000 comment "usa_wifi routing" 
ERROR: 
nft add rule inet fw4 pbr_prerouting ip6 saddr lho_usa goto pbr_mark_0x010000 comment "usa_wifi routing" 
============================================================
pbr - environment
pbr 1.1.1-1 running on OpenWrt 22.03.3. WAN (IPv4): wan/wan/85.195.196.1. WAN (IPv6): wan6/wan/2a02:168:2000:6b::4b.
============================================================
Dnsmasq version 2.86  Copyright (c) 2000-2021 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus UBus no-i18n no-IDN DHCP no-DHCPv6 no-Lua TFTP no-conntrack no-ipset no-auth no-cryptohash no-DNSSEC no-ID loop-detect inotify dumpfile
============================================================
pbr chains - policies
	chain pbr_forward { # handle 29
	}
	chain pbr_input { # handle 30
	}
	chain pbr_output { # handle 31
	}
	chain pbr_prerouting { # handle 32
		ip saddr @pbr_privatevpn_new_york_4_src_ip_cfg046ff5 goto pbr_mark_0x020000 comment "apple_tv" # handle 15163
		ip6 saddr @pbr_privatevpn_new_york_6_src_ip_cfg046ff5 goto pbr_mark_0x020000 comment "apple_tv" # handle 15164
	}
	chain pbr_postrouting { # handle 33
	}
============================================================
pbr chains - marking
	chain pbr_mark_0x010000 { # handle 15155
		counter packets 0 bytes 0 meta mark set meta mark & 0xff01ffff | 0x00010000 # handle 15156
		return # handle 15157
	}
	chain pbr_mark_0x020000 { # handle 15158
		counter packets 0 bytes 0 meta mark set meta mark & 0xff02ffff | 0x00020000 # handle 15159
		return # handle 15160
	}
============================================================
pbr nft sets
	set pbr_privatevpn_new_york_4_src_ip_cfg046ff5 { # handle 15161
		type ipv4_addr
		flags interval
		auto-merge
		comment "apple_tv"
		elements = { 192.168.1.198 }
	}
	set pbr_privatevpn_new_york_6_src_ip_cfg046ff5 { # handle 15162
		type ipv6_addr
		flags interval
		auto-merge
		comment "apple_tv"
	}
	set pbr_wan_4_src_ip_cfg066ff5 { # handle 15165
		type ipv4_addr
		flags interval
		auto-merge
		comment "usa_wifi routing"
	}
	set pbr_wan_6_src_ip_cfg066ff5 { # handle 15166
		type ipv6_addr
		flags interval
		auto-merge
		comment "usa_wifi routing"
	}
============================================================
IPv4 table 256 route: default via 85.195.196.1 dev wan 
IPv4 table 256 rule(s):
30000:	from all fwmark 0x10000/0xff0000 lookup pbr_wan
IPv4 table 257 route: default via 10.35.14.121 dev ovpnc0 
IPv4 table 257 rule(s):
30001:	from all fwmark 0x20000/0xff0000 lookup pbr_privatevpn_new_york

Hey,

I got PBR working fine for the devices on my network except for the traffic originating from the router itself.
I would like the traffic from the router to follow the rules in PBR because I would like the DHCP server on the router to use a different VPN for the different DNS servers that I have configured in dnsmasq for some domains.
Is that possible?

That's the SSID, not the interface name.

I would try option src_addr '@wlan_usa' and if that still doesn't work try putting @wlan1-2 (or whatever interface name the iwinfo reports for the SSID lho_usa).
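A small checker for the mistake discussed here, as an added shell example rather than pbr's own logic: it classifies a src_addr value into the forms seen in this thread (address, MAC, `@`-prefixed interface, or a bare name that pbr tries to resolve, which is what the "Failed to resolve 'lho_usa'" line in the status output shows), and for a bare name it looks in the wireless config for a wifi-iface whose SSID matches so that the name can be replaced by `@<ifname>`. The embedded wireless config is constructed from the one posted above; the handling of wifi-ifaces without `option ifname` (answer "@?", meaning read the name from iwinfo) is this example's convention.

```shell
#!/bin/sh
# Added example (not pbr's code): classify a pbr src_addr value and map a bare SSID
# to the "@<ifname>" form suggested in this thread. Wireless config is constructed.

# Print one of: ipv4 ipv6 mac interface hostname (the forms used in this thread).
classify_src_addr() { # args: VALUE
    v=$1
    case "$v" in @*) echo interface; return ;; esac
    if printf '%s\n' "$v" | grep -Eq '^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$'; then echo ipv4
    elif printf '%s\n' "$v" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'; then echo mac
    elif printf '%s\n' "$v" | grep -Eq '^[0-9A-Fa-f:]*:[0-9A-Fa-f:]*(/[0-9]{1,3})?$'; then echo ipv6
    else echo hostname
    fi
}

# Print the ifname of the wifi-iface whose SSID is $2, "unknown" when that iface sets no
# ifname (netifd then picks a wlanX name; read it from iwinfo), or "none" if no SSID matches.
ifname_for_ssid() { # args: WIRELESS_CONFIG SSID
    awk -v S="$2" '
        $1 == "config" { n++; kind[n] = $2; next }
        NF >= 3 { v = $3; gsub("\047", "", v) }        # SSIDs containing spaces are not handled
        $1 == "option" && $2 == "ssid"   { ssid[n] = v }
        $1 == "option" && $2 == "ifname" { ifn[n] = v }
        END {
            for (i = 1; i <= n; i++)
                if (kind[i] == "wifi-iface" && ssid[i] == S) { print (ifn[i] ? ifn[i] : "unknown"); exit }
            print "none"
        }' "$1"
}

# Print the value to put in src_addr: unchanged for addresses, MACs and @names; for a bare
# name that is really an SSID, "@<ifname>" (or "@?" when the ifname must come from iwinfo).
suggest_src_addr() { # args: WIRELESS_CONFIG VALUE
    [ "$(classify_src_addr "$2")" = hostname ] || { echo "$2"; return; }
    i=$(ifname_for_ssid "$1" "$2")
    case "$i" in
        none)    echo "$2" ;;
        unknown) echo '@?' ;;
        *)       echo "@$i" ;;
    esac
}

# Constructed from the wireless config posted in this thread (keys and radios omitted).
WIRELESS_CFG=$(mktemp)
cat > "$WIRELESS_CFG" <<'EOF'
config wifi-iface 'default_radio1'
	option device 'radio1'
	option mode 'ap'
	option ssid 'lho'
	option network 'lan'
config wifi-iface 'wifinet3'
	option device 'radio1'
	option mode 'ap'
	option ssid 'lho_usa'
	option ifname 'wlan_usa'
	option network 'lan'
EOF

for value in lho_usa lho 192.168.1.198 '@wlan_usa'; do
    printf '%-14s -> %-9s -> %s\n' "$value" "$(classify_src_addr "$value")" \
        "$(suggest_src_addr "$WIRELESS_CFG" "$value")"
done
```

Run against the posted config, `lho_usa` comes back as `@wlan_usa` because that wifi-iface sets `option ifname`, while `lho` (two wifi-ifaces, neither with an ifname) comes back as `@?`, the case where the interface name has to be taken from iwinfo.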

Why are the pbr_ routes for IPv6 not created?
The routing rules seem to have been created correctly.
Is this intended or a bug?
When I manually create a route with

target ::/0 
interface wgc0 
table pbr_wgc0

it works fine.

In LuCI/PBR rule @wlan_usa is not accepted but I was able to add it by manually editing /etc/config/pbr which now has the following entry:

config policy
        option name 'usa_wifi routing'
        option interface 'privatevpn_new_york'
        option src_addr '@wlan_usa'

root@OpenWrt:~# iwinfo wlan_usa info
wlan_usa  ESSID: "lho_usa"
          Access Point: AA:AA:AA:AA:AA:AA
          Mode: Master  Channel: 36 (5.180 GHz)  HT Mode: HE80
          Center Channel 1: 42 2: unknown
          Tx-Power: 20 dBm  Link Quality: unknown/70
          Signal: unknown  Noise: unknown
          Bit Rate: unknown
          Encryption: WPA2 PSK (CCMP)
          Type: nl80211  HW Mode(s): 802.11ac/ax/n
          Hardware: 14C3:7915 14C3:7915 [MediaTek MT7915E]
          TX power offset: none
          Frequency offset: none
          Supports VAPs: yes  PHY name: phy1

So the config is loaded successfully but routing is not working properly, it probably goes via WAN instead of VPN.

@stangri
I saw you did a commit to fix ipv6.
But this still doesn't work.
Because the target of the pbr_wgc/ovpn route is not ::/0.
The route created uses the tunnel address, which doesn't work and it is basically just a replica of the default route.

I need to see the output of the reload and status command options to pbr.

pbr does not create any new routes, it carries over existing routes into the pbr tables.