458 
root@OpenWrt:~# /etc/init.d/pbr reload
Activating traffic killswitch [✓]
Setting up routing for 'wan/85.195.196.1/2a02:168:2000:6b:daec:5eff:fe44:3da/64
2a02:168:2000:6b::44/128' [✓]
Setting up routing for 'privatevpn_new_york/ovpnc0/10.35.14.131/::/0' [✓]
Routing 'apple_tv' via privatevpn_new_york [✓]
Routing 'usa_wifi routing' via privatevpn_new_york [✓]
Deactivating traffic killswitch [✓]
pbr 1.1.1-5 monitoring interfaces: wan privatevpn_new_york 
pbr 1.1.1-5 (nft) started with gateways:
wan/85.195.196.1/2a02:168:2000:6b:daec:5eff:fe44:3da/64
2a02:168:2000:6b::44/128 [✓]
privatevpn_new_york/ovpnc0/10.35.14.131/::/0
root@OpenWrt:~# /etc/init.d/pbr status
============================================================
pbr - environment
pbr 1.1.1-5 running on OpenWrt 22.03.3. WAN (IPv4): wan/wan/85.195.196.1. WAN (IPv6): wan6/wan/2a02:168:2000:6b::44.
============================================================
Dnsmasq version 2.86  Copyright (c) 2000-2021 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus UBus no-i18n no-IDN DHCP no-DHCPv6 no-Lua TFTP no-conntrack no-ipset no-auth no-cryptohash no-DNSSEC no-ID loop-detect inotify dumpfile
============================================================
pbr chains - policies
	chain pbr_forward { # handle 29
	}
	chain pbr_input { # handle 30
	}
	chain pbr_output { # handle 31
	}
	chain pbr_prerouting { # handle 32
		ip saddr @pbr_privatevpn_new_york_4_src_ip_cfg046ff5 goto pbr_mark_0x020000 comment "apple_tv" # handle 46048
		ip6 saddr @pbr_privatevpn_new_york_6_src_ip_cfg046ff5 goto pbr_mark_0x020000 comment "apple_tv" # handle 46049
		iifname "wlan_usa" goto pbr_mark_0x020000 comment "usa_wifi routing" # handle 46050
		iifname "wlan_usa" goto pbr_mark_0x020000 comment "usa_wifi routing" # handle 46051
	}
	chain pbr_postrouting { # handle 33
	}
============================================================
pbr chains - marking
	chain pbr_mark_0x010000 { # handle 46040
		counter packets 0 bytes 0 meta mark set meta mark & 0xff01ffff | 0x00010000 # handle 46041
		return # handle 46042
	}
	chain pbr_mark_0x020000 { # handle 46043
		counter packets 0 bytes 0 meta mark set meta mark & 0xff02ffff | 0x00020000 # handle 46044
		return # handle 46045
	}
============================================================
pbr nft sets
	set pbr_privatevpn_new_york_4_src_ip_cfg046ff5 { # handle 46046
		type ipv4_addr
		flags interval
		auto-merge
		comment "apple_tv"
		elements = { 192.168.1.198 }
	}
	set pbr_privatevpn_new_york_6_src_ip_cfg046ff5 { # handle 46047
		type ipv6_addr
		flags interval
		auto-merge
		comment "apple_tv"
	}
============================================================
IPv4 table 256 route: default via 85.195.196.1 dev wan 
IPv4 table 256 rule(s):
30000:	from all fwmark 0x10000/0xff0000 lookup pbr_wan
IPv4 table 257 route: default via 10.35.14.131 dev ovpnc0 
IPv4 table 257 rule(s):
30001:	from all fwmark 0x20000/0xff0000 lookup pbr_privatevpn_new_york
root@OpenWrt:~#
459

Looks like the nftables rules were created properly. I'd try the @wlanx-x name instead. Also, how are you testing if it works?

460

I removed wlan_usa from the Wireless config. The default interface name is now wlan1-1. I updated PBR config, reloaded but is not working.

To test I connect to lho_usa wifi and run a speed test and use iplocation website: the speed is the WAN speed, too high for VPN and the location/IP are the ones from my country.

wlan1-1   Link encap:Ethernet  HWaddr DA:EC:5E:44:03:DD  
          inet6 addr: fe80::d8ec:5eff:fe44:3dd/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:996451 errors:0 dropped:152 overruns:0 frame:0
          TX packets:1149751 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:1094559797 (1.0 GiB)  TX bytes:1459677741 (1.3 GiB)

root@OpenWrt:~# /etc/init.d/pbr reload
Activating traffic killswitch [✓]
Setting up routing for 'wan/85.195.196.1/2a02:168:2000:6b:daec:5eff:fe44:3da/64
2a02:168:2000:6b::44/128' [✓]
Setting up routing for 'privatevpn_new_york/ovpnc0/10.35.14.131/::/0' [✓]
Routing 'apple_tv' via privatevpn_new_york [✓]
Routing 'usa_wifi routing' via privatevpn_new_york [✓]
Deactivating traffic killswitch [✓]
pbr 1.1.1-5 monitoring interfaces: wan privatevpn_new_york 
pbr 1.1.1-5 (nft) started with gateways:
wan/85.195.196.1/2a02:168:2000:6b:daec:5eff:fe44:3da/64
2a02:168:2000:6b::44/128 [✓]
privatevpn_new_york/ovpnc0/10.35.14.131/::/0
root@OpenWrt:~# /etc/init.d/pbr status
============================================================
pbr - environment
pbr 1.1.1-5 running on OpenWrt 22.03.3. WAN (IPv4): wan/wan/85.195.196.1. WAN (IPv6): wan6/wan/2a02:168:2000:6b::44.
============================================================
Dnsmasq version 2.86  Copyright (c) 2000-2021 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus UBus no-i18n no-IDN DHCP no-DHCPv6 no-Lua TFTP no-conntrack no-ipset no-auth no-cryptohash no-DNSSEC no-ID loop-detect inotify dumpfile
============================================================
pbr chains - policies
	chain pbr_forward { # handle 29
	}
	chain pbr_input { # handle 30
	}
	chain pbr_output { # handle 31
	}
	chain pbr_prerouting { # handle 32
		ip saddr @pbr_privatevpn_new_york_4_src_ip_cfg046ff5 goto pbr_mark_0x020000 comment "apple_tv" # handle 51550
		ip6 saddr @pbr_privatevpn_new_york_6_src_ip_cfg046ff5 goto pbr_mark_0x020000 comment "apple_tv" # handle 51551
		iifname "wlan1-1" goto pbr_mark_0x020000 comment "usa_wifi routing" # handle 51552
		iifname "wlan1-1" goto pbr_mark_0x020000 comment "usa_wifi routing" # handle 51553
	}
	chain pbr_postrouting { # handle 33
	}
============================================================
pbr chains - marking
	chain pbr_mark_0x010000 { # handle 51542
		counter packets 0 bytes 0 meta mark set meta mark & 0xff01ffff | 0x00010000 # handle 51543
		return # handle 51544
	}
	chain pbr_mark_0x020000 { # handle 51545
		counter packets 0 bytes 0 meta mark set meta mark & 0xff02ffff | 0x00020000 # handle 51546
		return # handle 51547
	}
============================================================
pbr nft sets
	set pbr_privatevpn_new_york_4_src_ip_cfg046ff5 { # handle 51548
		type ipv4_addr
		flags interval
		auto-merge
		comment "apple_tv"
		elements = { 192.168.1.198 }
	}
	set pbr_privatevpn_new_york_6_src_ip_cfg046ff5 { # handle 51549
		type ipv6_addr
		flags interval
		auto-merge
		comment "apple_tv"
	}
============================================================
IPv4 table 256 route: default via 85.195.196.1 dev wan 
IPv4 table 256 rule(s):
30000:	from all fwmark 0x10000/0xff0000 lookup pbr_wan
IPv4 table 257 route: default via 10.35.14.131 dev ovpnc0 
IPv4 table 257 rule(s):
30001:	from all fwmark 0x20000/0xff0000 lookup pbr_privatevpn_new_york
461

Are you sure wlan1-1 is the one you intended to target? I'm not seeing anything in the iwinfo output you pasted to indicate that.

If it is a correct network, I'd delete the nftables entries by their handle numbers and try to insert the same ones but with the counters to see if any traffic matches them.

462

I moved to Wireguard from VPN but that it should not make any difference. Listing below are the 2 wifi interfaces, one for 2 Ghz and one for 5 Ghz. In PBR config there is a routing entry for each network.

I don't know how to delete the nftables but I'll try to figure it out.

	chain pbr_prerouting { # handle 32
		ip saddr @pbr_wg0_4_src_ip_cfg046ff5 goto pbr_mark_0x030000 comment "apple_tv" # handle 661
		iifname "wlan0-1" goto pbr_mark_0x030000 comment "wifi 2Ghz" # handle 662
		iifname "wlan1" goto pbr_mark_0x030000 comment "wifi 5Ghz" # handle 663
	}

iwinfo .....

wlan0-1   ESSID: "lho"
          Access Point: DA:EC:5E:44:03:DC
          Mode: Master  Channel: 1 (2.412 GHz)  HT Mode: HT20
          Center Channel 1: 1 2: unknown
          Tx-Power: 20 dBm  Link Quality: unknown/70
          Signal: unknown  Noise: -86 dBm
          Bit Rate: unknown
          Encryption: WPA2 PSK (CCMP)
          Type: nl80211  HW Mode(s): 802.11b/g/n
          Hardware: 14C3:7622 14C3:7622 [MediaTek MT7622]
          TX power offset: none
          Frequency offset: none
          Supports VAPs: yes  PHY name: phy0

wlan1     ESSID: "lho"
          Access Point: D8:EC:5E:44:03:DD
          Mode: Master  Channel: 36 (5.180 GHz)  HT Mode: HE80
          Center Channel 1: 42 2: unknown
          Tx-Power: 20 dBm  Link Quality: 53/70
          Signal: -57 dBm  Noise: unknown
          Bit Rate: 1058.6 MBit/s
          Encryption: WPA2 PSK (CCMP)
          Type: nl80211  HW Mode(s): 802.11ac/ax/n
          Hardware: 14C3:7915 14C3:7915 [MediaTek MT7915E]
          TX power offset: none
          Frequency offset: none
          Supports VAPs: yes  PHY name: phy1
463

I have a security/privacy question:

If a webpage uses cross-site images where HTML goes through a VPN but due to another PBR policy accesses the HTML images over WAN. Does that compromise security/privacy?

1 Like
464

Yes, if you're visiting a malicious site which passes a unique session ID when requesting external resources, so your session at the site can be linked to the requests of external resources from a different IP, it may compromise your security/privacy.

Otherwise, the site request will come from one IP and the external resources request will just come from a different IP with no way of linking two requests.

465

I'm not sure if I'll have the time to test similar setup on my router within a week, I'll post back if I do.

1 Like
466

I figured as much :upside_down_face:

If you run TorBrowser once in a while, you can run into the cross-site scripting popup. Or in Thunderbird when accessing email that famous "remote content" block/warning.

Could something like that be used to mitigate this?
(because they feel quite similar)

467

Something like what? Mitigate what?

468

If you want to avoid cross-sites leaks, just keep one policy for that device. Anything else may or may not work effectively.

469

Cross-sites leaks

Thanks, I will look into that.

470

Excuse me, I have got "Failed to set up any gateway!". May anyone help please? Thanks.

HGC and HKT are two different WAN.
WIREGUARD is the WireGuard "server".
WG_TOKYO is the WireGuard "client" connecting to a VPN service provider.

# ubus call system board
{
	"kernel": "5.10.176",
	"hostname": "openwrt",
	"system": "11th Gen Intel(R) Core(TM) i3-1115G4 @ 3.00GHz",
	"model": "Default string Default string",
	"board_name": "default-string-default-string",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "22.03.5",
		"revision": "r20134-5f15225c1e",
		"target": "x86/64",
		"description": "OpenWrt 22.03.5 r20134-5f15225c1e"
	}
}

# uci export dhcp
package dhcp

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'
	option noresolv '0'
	option cachesize '1000'
	option rebind_protection '0'
	option port '54'
	list server '192.168.50.1'

config dhcp 'lan'
	option interface 'lan'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	list dhcp_option '6,192.168.50.1'
	list dhcp_option '3,192.168.50.1'
	list dns '2404:c805:3800:3c00::1'
	list dns 'fda9:d315:7406::1'
	option start '150'
	option limit '50'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config host
	option mac '00:E0:4C:02:27:36'
	option name 'telephone-booth'
	option dns '1'
	option ip '192.168.50.2'
	option duid '0004be4320d10f9bd85edfba76315d0ad707'

config host
	option mac 'FC:34:97:C5:BE:57'
	option name 'the-core'
	option dns '1'
	option ip '192.168.50.3'
	option duid '000407de092b0fc1a52b9c467e8732f4f25c'

config host
	option mac '44:E4:EE:63:39:9E'
	option name 'LSPX-S2'
	option dns '1'
	option ip '192.168.50.4'

config host
	option mac '00:B0:2C:00:15:CB'
	option name 'Karaoke'
	option dns '1'
	option ip '192.168.50.5'

config host
	option mac '48:B0:2D:2D:D3:C3'
	option name 'Nvidia-Shield'
	option dns '1'
	option ip '192.168.50.6'

config host
	option mac 'EC:0D:E4:84:6D:3C'
	option name 'FireTV'
	option dns '1'
	option ip '192.168.50.7'

config host
	option mac '4C:53:FD:37:D0:39'
	option name 'FireHD-10'
	option dns '1'
	option ip '192.168.50.8'

config host
	option mac 'D8:BE:65:E2:7D:0B'
	option name 'FireHD-8'
	option dns '1'
	option ip '192.168.50.9'

config host
	option ip '192.168.50.10'
	option name 'DeskMini'
	option mac '08:26:AE:3C:7E:98'

config host
	option mac '38:1A:52:2E:17:8D'
	option dns '1'
	option ip '192.168.50.11'
	option name 'EPSON-XP4101'

config host
	option mac '94:83:C4:0E:59:D2'
	option name 'GL-AR150'
	option dns '1'
	option ip '192.168.50.50'

config host
	option mac 'EC:0B:AE:23:DF:57'
	option name 'BroadLink'
	option dns '1'
	option ip '192.168.50.51'

config host
	option mac 'A0:43:B0:72:9E:1C'
	option name 'BroadLink'
	option dns '1'
	option ip '192.168.50.52'

config host
	option mac '44:5D:5E:02:79:84'
	option name 'SOnOff-SwitchBotHub'
	option dns '1'
	option ip '192.168.50.53'

config host
	option mac '94:B9:7E:DA:95:90'
	option name 'ESP32-SwitchBotHub'
	option dns '1'
	option ip '192.168.50.54'

config host
	option mac '38:56:10:C9:98:6B'
	option ip '192.168.50.55'
	option name 'Sesame'

config host
	option mac '7C:DD:E9:02:49:33'
	option name 'ATOM-3603'
	option dns '1'
	option ip '192.168.50.60'

config host
	option mac 'EC:71:DB:37:E1:42'
	option name 'Reolink-Entrance'
	option dns '1'
	option ip '192.168.50.61'

config host
	option mac '7C:DD:E9:03:04:61'
	option name 'ATOM-ENTRANCE'
	option dns '1'
	option ip '192.168.50.62'

config host
	option mac '7C:DD:E9:03:0B:74'
	option name 'ATOM-FRONT'
	option dns '1'
	option ip '192.168.50.63'

config host
	option mac '7C:DD:E9:03:0B:88'
	option name 'ATOM-REAR'
	option dns '1'
	option ip '192.168.50.64'

config host
	option mac '7C:DD:E9:01:B0:A8'
	option name 'ATOM-DESK'
	option dns '1'
	option ip '192.168.50.65'

config host
	option mac '08:E9:F6:92:90:58'
	option ip '192.168.50.81'
	option name 'Atmoph'
	option dns '1'

config host
	option mac '08:E9:F6:92:7B:96'
	option name 'Atmoph'
	option dns '1'
	option ip '192.168.50.82'

config host
	option mac '08:E9:F6:92:0B:0C'
	option name 'Atmoph'
	option dns '1'
	option ip '192.168.50.83'

# uci export firewall
package firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'WireGuard'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'HKT4'
	list network 'HKT6'
	list network 'HGC4'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'WireGuard'
	list proto 'udp'
	option src 'wan'
	option dest_port '51820'
	option target 'ACCEPT'

config include 'pbr'
	option fw4_compatible '1'
	option type 'script'
	option path '/usr/share/pbr/pbr.firewall.include'

config zone
	option name 'WGZONE'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'WG_TOKYO'

config forwarding
	option src 'lan'
	option dest 'WGZONE'

# uci export network
package network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fda9:d315:7406::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth2'
	list ports 'eth3'
	list ports 'eth4'
	list ports 'eth5'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.50.1'

config interface 'HKT4'
	option proto 'dhcp'
	option device 'eth0'
	option peerdns '0'
	list dns '1.1.1.1'
	list dns '1.0.0.1'

config interface 'HKT6'
	option proto 'dhcpv6'
	option device '@HKT4'
	option reqaddress 'try'
	option reqprefix 'auto'
	list dns '2606:4700:4700::1111'
	list dns '2606:4700:4700::1001'

config interface 'HGC4'
	option proto 'dhcp'
	option device 'eth1'
	option peerdns '0'
	list dns '1.1.1.1'
	list dns '1.0.0.1'

config interface 'WireGuard'
	option proto 'wireguard'
	option private_key 'DUMMY'
	option listen_port '51820'
	list addresses '10.0.0.1/24'

config wireguard_WireGuard
	option description 'Xperia1III'
	option public_key 'DUMMY'
	option private_key 'DUMMY'
	list allowed_ips '10.0.0.0/24'

config interface 'WG_TOKYO'
	option proto 'wireguard'
	option private_key 'DUMMY'
	list addresses '10.65.66.208/32'
	list addresses 'fc00:bbbb:bbbb:bb01::2:42cf/128'

config wireguard_WG_TOKYO
	option description 'MULLVAD-TOKYO-202'
	option public_key 'DUMMY'
	list allowed_ips '0.0.0.0/0'
	list allowed_ips '::0/0'
	option endpoint_host '146.70.201.2'
	option endpoint_port '51820'
	option persistent_keepalive '25'

# uci export pbr
package pbr

config pbr 'config'
	option verbosity '2'
	option strict_enforcement '1'
	option resolver_set 'none'
	list ignored_interface 'vpnserver'
	list ignored_interface 'wgserver'
	option boot_timeout '30'
	option rule_create_option 'add'
	option procd_reload_delay '1'
	option webui_show_ignore_target '0'
	list webui_supported_protocol 'all'
	list webui_supported_protocol 'tcp'
	list webui_supported_protocol 'udp'
	list webui_supported_protocol 'tcp udp'
	list webui_supported_protocol 'icmp'
	option enabled '1'
	option ipv6_enabled '1'

config include
	option path '/usr/share/pbr/pbr.user.aws'
	option enabled '0'

config include
	option path '/usr/share/pbr/pbr.user.netflix'
	option enabled '0'

config policy
	option name 'Plex/Emby Local Server'
	option interface 'wan'
	option src_port '8096 8920 32400'
	option enabled '0'

config policy
	option name 'Plex/Emby Remote Servers'
	option interface 'wan'
	option dest_addr 'plex.tv my.plexapp.com emby.media app.emby.media tv.emby.media'
	option enabled '0'

# /etc/init.d/pbr status
============================================================
pbr - environment
pbr 1.1.1-7 running on OpenWrt 22.03.5. WAN (IPv4): HGC4/eth1/223.18.138.1. WAN (IPv6): HKT6/eth0/2404:c800:9138:131::/64.
============================================================
Dnsmasq version 2.86  Copyright (c) 2000-2021 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus UBus no-i18n no-IDN DHCP no-DHCPv6 no-Lua TFTP no-conntrack no-ipset no-auth no-cryptohash no-DNSSEC no-ID loop-detect inotify dumpfile
============================================================
pbr chains - policies
	chain pbr_forward { # handle 36
	}
	chain pbr_input { # handle 37
	}
	chain pbr_output { # handle 38
	}
	chain pbr_prerouting { # handle 39
	}
	chain pbr_postrouting { # handle 40
	}
============================================================
pbr chains - marking
	chain pbr_mark_0x010000 { # handle 903
		counter packets 0 bytes 0 meta mark set meta mark & 0xff01ffff | 0x00010000 # handle 904
		return # handle 905
	}
	chain pbr_mark_0x020000 { # handle 906
		counter packets 0 bytes 0 meta mark set meta mark & 0xff02ffff | 0x00020000 # handle 907
		return # handle 908
	}
	chain pbr_mark_0x030000 { # handle 909
		counter packets 0 bytes 0 meta mark set meta mark & 0xff03ffff | 0x00030000 # handle 910
		return # handle 911
	}
============================================================
pbr nft sets
============================================================
Error: ipv4: FIB table does not exist.
Dump terminated
IPv4 table 261 route: 
IPv4 table 261 rule(s):
Error: ipv6: FIB table does not exist.
Dump terminated
IPv6 table 261 route: 
IPv6 table 261 rule(s):
Error: ipv6: FIB table does not exist.
Dump terminated
IPv4 table 262 route: default via 223.18.138.1 dev eth1 
IPv4 table 262 rule(s):
30000:	from all fwmark 0x10000/0xff0000 lookup pbr_HGC4
IPv6 table 262 route: unreachable default dev lo metric 1024 pref medium
IPv6 table 262 rule(s):
unreachable default dev lo metric 1024 pref medium
IPv4 table 263 route: default via 10.0.0.1 dev WireGuard 
IPv4 table 263 rule(s):
30001:	from all fwmark 0x20000/0xff0000 lookup pbr_WireGuard
IPv6 table 263 route: unreachable default dev lo metric 1024 pref medium
IPv6 table 263 rule(s):
unreachable default dev lo metric 1024 pref medium
IPv4 table 264 route: default via 10.65.66.208 dev WG_TOKYO 
IPv4 table 264 rule(s):
30002:	from all fwmark 0x30000/0xff0000 lookup pbr_WG_TOKYO
IPv6 table 264 route: 
IPv6 table 264 rule(s):
fc00:bbbb:bbbb:bb01::2:42cf dev WG_TOKYO proto kernel metric 256 pref medium

# /etc/init.d/pbr reload
Activating traffic killswitch [✗]
# Warning: iptables-legacy tables present, use iptables-legacy-save to see them
Setting up routing for 'HGC4/eth1/223.18.138.1/::/0' [✗]
Setting up routing for 'WireGuard/10.0.0.1/::/0' [✗]
Setting up routing for 'WG_TOKYO/10.65.66.208/fc00:bbbb:bbbb:bb01::2:42cf/128' [✗]
Deactivating traffic killswitch [✓]
pbr 1.1.1-7 monitoring interfaces: WireGuard WG_TOKYO 
ERROR: Failed to set up 'HGC4/eth1/223.18.138.1/::/0'!
ERROR: Failed to set up 'WireGuard/10.0.0.1/::/0'!
ERROR: Failed to set up 'WG_TOKYO/10.65.66.208/fc00:bbbb:bbbb:bb01::2:42cf/128'!
ERROR: Failed to set up any gateway!

/etc/iproute2/rt_tables:

#
# reserved values
#
128     prelocal
255     local
254     main
253     default
0       unspec
#
# local
#
#1      inr.ruhep
261 pbr_HKT4
262 pbr_HGC4
263 pbr_WireGuard
264 pbr_WG_TOKYO

All of the interfaces listed are UP. But "HKT6" is missing from the list.

471

Hi. Posted elsewhere but will try here too: Trying to get pbr to work with sub-domains without having to enumerate every one. As in I want to set a dest_addr of example.com and have that match a.example.com and b.example.com etc. I've got 22.03.5 with dnsmasq-full 2.89 which has nftsets compiled-in. Anyway it doesn't work. I just get requests for example.com going through the vpn interface. A and b.example.com still go through the default gateway. I'm just listing example.com in a dest_addr rule in the pbr config. Do I need to define a nftset someplace?

472

I'm facing this annoying issue where my ISP has moved to really short dhcp leases (1hr). Every time the lease renews, firewall reloads with "Reloading firewall due to ifupdate of wan (eth1)". This in turn causes pbr to reload, and it disrupts all existing connections (like ssh connections). Is there a workaround for this ?

473

Are you sure this is because of the short lease time?
Or some problem with IPv6?
I know my ISP has some weird IPv6 thing going on, making the firewall and pbr reload every minute or so, which can be fixed by adding a check for "$IFUPDATE_DATA" in both the firewall and pbr hotplug script.

Someone else has this problem with dnsmasq?

daemon.err dnsmasq[290]: nftset inet fw4 pbr_wgc0_4_dst_ip_cfg056ff5 netlink: Error: cache initialization failed: Protocol error

Seems like a dnsmasq upstream issue?

474

I do see the ipv6 log spam too, but as far as I can tell, this is not actually affecting pbr as I don't have ipv6 enabled in pbr. I see "user.notice pbr: Reloading pbr wan6 interface routing due to ifupdate of wan6 (eth1)" messages too, but there is no impact of these. The main issue seems to be the ipv4 dhcp renewals. Do you mind linking the changes to the scripts ? Which files are these and what changes do I add ?

475

I have to correct my statement from above the check for $IFUPDATE_DATA needs to be removed from the firewall script.

Subject: [PATCH] package: fw3: prevent unnecessary restarts

---
 package/network/config/firewall/files/firewall.hotplug | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/package/network/config/firewall/files/firewall.hotplug b/package/network/config/firewall/files/firewall.hotplug
index f1eab001d4..84fcaaf4f2 100644
--- a/package/network/config/firewall/files/firewall.hotplug
+++ b/package/network/config/firewall/files/firewall.hotplug
@@ -1,7 +1,7 @@
 #!/bin/sh

 [ "$ACTION" = ifup -o "$ACTION" = ifupdate ] || exit 0
-[ "$ACTION" = ifupdate -a -z "$IFUPDATE_ADDRESSES" -a -z "$IFUPDATE_DATA" ] && exit 0
+[ "$ACTION" = ifupdate -a -z "$IFUPDATE_ADDRESSES" ] && exit 0

 /etc/init.d/firewall enabled || exit 0

--
2.34.1

And for pbr I added the checks from the firewall scripts into the pbr hotplug script like this:

Subject: [PATCH] pbr: fix unnecessary reloads

---
 net/pbr/files/etc/hotplug.d/iface/70-pbr | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/pbr/files/etc/hotplug.d/iface/70-pbr b/net/pbr/files/etc/hotplug.d/iface/70-pbr
index bcb0faa7b..a58f1f3f7 100644
--- a/net/pbr/files/etc/hotplug.d/iface/70-pbr
+++ b/net/pbr/files/etc/hotplug.d/iface/70-pbr
@@ -1,5 +1,6 @@
 #!/bin/sh
 # shellcheck disable=SC1091,SC3060
+[ "$ACTION" = ifupdate -a -z "$IFUPDATE_ADDRESSES" ] && exit 0
 if [ -x /etc/init.d/pbr ] && /etc/init.d/pbr enabled; then
        logger -t pbr "Reloading pbr $INTERFACE interface routing due to $ACTION of $INTERFACE ($DEVICE)"
        /etc/init.d/pbr on_interface_reload "$INTERFACE"
--
2.34.1

If you use the iptables version you may also have to edit the hotplug script in the firewall folder.

2 Likes
476

Do you want to send a PR to my (or OpenWrt) repo for this code change?

477

I don't know, this seems more like a edge case of the ISPs doing weird things.