Policy-Based-Routing (pbr) package discussion

Yes, custom user files. They are included with the package and also viewable in the source OpenWrt packages repo.

Due to current nft constraints on OpenWrt, if it's a large list, you may greatly benefit in speed if you prepare an atomic nft file from those IP addresses with all IPs being added to the set in one command.

1 Like
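The atomic-load approach described in the post above, as an added example (not code from the pbr package or from this thread): a Python script that validates an ipdeny-style zone list, merges adjacent prefixes the way an nft set with `flags interval` and `auto-merge` does, and emits a single `nft -f` file that flushes and repopulates the set in one transaction. The zone lines, the table name `inet fw4` and the set name `pbr_Wan_4_dst_ip_user` are assumptions for the example. The merge step also shows why a set listing can print `185.103.244.0-185.103.251.255` for two adjacent /22 entries: their union is not aligned to a /21, so nft keeps it as a range rather than a CIDR.

```python
import ipaddress

# Constructed sample in the ipdeny ".zone" layout (one IPv4 prefix per line).
# The last two lines stand in for a truncated or error-page download, which a
# naive "awk '{print $1}'" pipeline would feed straight into nft.
SAMPLE_ZONE = """\
2.57.3.0/24
185.103.128.0/22
185.103.244.0/22
185.103.248.0/22
185.111.8.0/21
not-an-address
<html>Service Unavailable</html>
"""


def parse_zone(text):
    """Return the valid IPv4 prefixes in a zone list and drop everything else.

    strict=True rejects entries with host bits set (e.g. 10.0.0.1/8), so a
    malformed or tampered line cannot silently widen what gets routed via WAN.
    """
    nets = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            nets.append(ipaddress.IPv4Network(line, strict=True))
        except ValueError:
            continue
    return nets


def merge_intervals(nets):
    """Merge overlapping and adjacent prefixes into (first, last) integer
    intervals, which is what an nft set with 'flags interval' + 'auto-merge'
    does to the elements it is given."""
    spans = sorted((int(n.network_address), int(n.broadcast_address)) for n in nets)
    merged = []
    for first, last in spans:
        if merged and first <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], last))
        else:
            merged.append((first, last))
    return merged


def render_element(first, last):
    """Print an interval the way 'nft list set' does: as a CIDR when the
    interval is exactly one prefix, otherwise as 'a.b.c.d-e.f.g.h'."""
    lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    as_prefixes = list(ipaddress.summarize_address_range(lo, hi))
    return str(as_prefixes[0]) if len(as_prefixes) == 1 else f"{lo}-{hi}"


def build_nft_file(table, set_name, nets, flush=True):
    """Build the text for a single 'nft -f' run: optionally flush the set,
    then add every prefix with ONE 'add element' statement. nft applies the
    whole file as one transaction, so the set is never half-populated and the
    kernel is called once instead of once per prefix."""
    elems = ", ".join(str(n) for n in sorted(nets))
    lines = []
    if flush:
        lines.append(f"flush set {table} {set_name}")
    lines.append(f"add element {table} {set_name} {{ {elems} }}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    nets = parse_zone(SAMPLE_ZONE)
    print("valid prefixes:", [str(n) for n in nets])
    print("as nft would list them:",
          [render_element(a, b) for a, b in merge_intervals(nets)])
    print(build_nft_file("inet fw4", "pbr_Wan_4_dst_ip_user", nets), end="")
```

Generate the file wherever python3 is available, copy it to the router and load it with `nft -f <file>`. Pass `flush=False` if other custom user files add elements to the same set, since `flush set` removes everything that is already in it.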

After upgrading to latest version (1.1.4-4) this morning ...

But it's still installed and running

Package pbr (1.1.4-1) installed in root is up to date.
Package luci-app-pbr (1.1.4-4) installed in root is up to date.

Sorry, I was experimenting with different options of providing variants to solve the issue brought up by @yxtc934 when upgrading and accidentally pushed an internal build to my repo.

I believe I've fixed it in pbr 1.1.4-5.

1 Like

No problemo. Everything okay now.
Keep on with the good stuff...

Thank you Stan.

1 Like

Hello,
I have an issue: I am unable to split forwarded DNS queries from the client side in PBR.
When I ping any website from the client's side, it causes a DNS leak, and my request goes to both DNS servers, one of which is set on my tunnel interface and the other on the local internet interface (wan), so how can I split it? I added it to the record in PBR, and I need to split DNS based on these two policies.
WAN DNS is: 85.15.1.15
Tunnel DNS is: 8.8.8.8
Also, my router's default network should be on WAN at all times.

logread -f

Sat Feb 17 09:16:17 2024 daemon.info dnsmasq[1]: 127 192.168.50.234/64391 query[A] youtube.com from 192.168.50.234
Sat Feb 17 09:16:17 2024 daemon.info dnsmasq[1]: 127 192.168.50.234/64391 forwarded youtube.com to 8.8.8.8
Sat Feb 17 09:16:17 2024 daemon.info dnsmasq[1]: 127 192.168.50.234/64391 forwarded youtube.com to 85.15.1.15
Sat Feb 17 09:16:17 2024 daemon.info dnsmasq[1]: 127 192.168.50.234/64391 reply youtube.com is 10.10.34.35   **<<< This is a response from the local internet provider (which means the YouTube website is blocked).**
Sat Feb 17 09:16:20 2024 daemon.info dnsmasq[1]: 128 192.168.50.234/57505 query[A] wpad.lan from 192.168.50.234
{
        "kernel": "5.15.137",
        "hostname": "OpenWrtLab",
        "system": "Intel(R) Core(TM) i7-7700HQ CPU @ 2.80GHz",
        "model": "VMware, Inc. VMware Virtual Platform",
        "board_name": "vmware-inc-vmware-virtual-platform",
        "rootfs_type": "ext4",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.2",
                "revision": "r23630-842932a63d",
                "target": "x86/64",
                "description": "OpenWrt 23.05.2 r23630-842932a63d"
        }
}
root@OpenWrtLab:~# ip -4 ro list table all
default via 192.168.8.1 dev eth1 table pbr_wan
default via 192.168.4.2 dev eth2 table pbr_wan proto static metric 2
8.8.8.8 via 192.168.4.2 dev eth2 table pbr_wan proto static metric 2
192.168.4.0/24 dev eth2 table pbr_wan proto kernel scope link src 192.168.4.40
192.168.50.0/24 dev br-lan table pbr_wan proto kernel scope link src 192.168.50.1
default via 192.168.4.2 dev eth2 table pbr_Tunnel
default via 192.168.4.2 dev eth2 table pbr_Tunnel proto static metric 2
8.8.8.8 via 192.168.4.2 dev eth2 table pbr_Tunnel proto static metric 2
192.168.4.0/24 dev eth2 table pbr_Tunnel proto kernel scope link src 192.168.4.40
192.168.50.0/24 dev br-lan table pbr_Tunnel proto kernel scope link src 192.168.50.1
default via 192.168.8.1 dev eth1 proto static metric 1
default via 192.168.4.2 dev eth2 proto static metric 2
8.8.8.8 via 192.168.4.2 dev eth2 proto static metric 2
85.15.1.15 via 192.168.8.1 dev eth1 proto static metric 1
192.168.4.0/24 dev eth2 proto kernel scope link src 192.168.4.40
192.168.8.0/24 dev eth1 proto kernel scope link src 192.168.8.80
192.168.50.0/24 dev br-lan proto kernel scope link src 192.168.50.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
local 192.168.4.40 dev eth2 table local proto kernel scope host src 192.168.4.40
broadcast 192.168.4.255 dev eth2 table local proto kernel scope link src 192.168.4.40
local 192.168.8.80 dev eth1 table local proto kernel scope host src 192.168.8.80
broadcast 192.168.8.255 dev eth1 table local proto kernel scope link src 192.168.8.80
local 192.168.50.1 dev br-lan table local proto kernel scope host src 192.168.50.1
broadcast 192.168.50.255 dev br-lan table local proto kernel scope link src 192.168.50.1
cat /etc/config/dhcp

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dnsmasq 'lan_dns'
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '0'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases.lan'
	option logqueries '1'
	option localservice '0'
	list interface 'lan'

config dhcp 'lan'
	option instance 'lan_dns'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'

config dnsmasq 'wan_dns'
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option local '/wan/'
	option domain 'wan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases.wan'
	list interface 'wan'
	option localservice '0'
	option logqueries '1'
	option noresolv '1'
	list server '/ir/85.15.1.15'
	list notinterface 'loopback'
	list notinterface 'Tunnel'

config dhcp 'wan'
	option instance 'wan_dns'
	option interface 'wan'
	option start '100'
	option limit '150'
	option leasetime '12h'

config dnsmasq 'Tunnel_dns'
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option local '/Tunnel/'
	option domain 'Tunnel'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases.Tunnel'
	list interface 'Tunnel'
	option localservice '0'
	option logqueries '1'
	list server '8.8.8.8'
	option noresolv '1'
	list notinterface 'loopback'
	list notinterface 'wan'

config dhcp 'Tunnel'
	option instance 'Tunnel_dns'
	option interface 'Tunnel'
	option start '100'
	option limit '150'
	option leasetime '12h'
cat /etc/config/pbr

config pbr 'config'
	option enabled '1'
	option verbosity '2'
	option strict_enforcement '1'
	option resolver_set 'dnsmasq.nftset'
	option ipv6_enabled '0'
	list ignored_interface 'vpnserver'
	list ignored_interface 'wgserver'
	option boot_timeout '30'
	option rule_create_option 'add'
	option procd_reload_delay '1'
	option webui_show_ignore_target '1'
	list webui_supported_protocol 'all'
	list webui_supported_protocol 'tcp'
	list webui_supported_protocol 'udp'
	list webui_supported_protocol 'tcp udp'
	list webui_supported_protocol 'icmp'

config policy
	option name 'iran'
	option dest_addr 'ir'
	option interface 'wan'

config policy
	option name 'irandcidr'
	option dest_addr '/usr/share/pbr/iran'
	option interface 'wan'
	option enabled '0'

config policy
	option name 'Tunnel'
	option dest_addr '!iran 0.0.0.0/0'
	option interface 'Tunnel'
cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd4b:32d0:x::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.50.1'
	option netmask '255.255.255.0'
	option delegate '0'

config interface 'wan'
	option device 'eth1'
	option proto 'static'
	option ipaddr '192.168.8.80'
	option netmask '255.255.255.0'
	option gateway '192.168.8.1'
	option defaultroute '0'
	list dns '85.15.1.15'

config interface 'Tunnel'
	option proto 'static'
	option device 'eth2'
	option ipaddr '192.168.4.40'
	option netmask '255.255.255.0'
	option gateway '192.168.4.2'
	option defaultroute '0'
	list dns '8.8.8.8'

config route
	option interface 'wan'
	option target '0.0.0.0/0'
	option gateway '192.168.8.1'
	option metric '1'
	option table 'main'

config route
	option interface 'Tunnel'
	option target '0.0.0.0/0'
	option gateway '192.168.4.2'
	option metric '2'
	option table 'main'

config device
	option name 'eth1'

config device
	option name 'eth2'
	option ipv6 '0'

config route
	option interface 'Tunnel'
	option target '8.8.8.8/32'
	option gateway '192.168.4.2'
	option metric '2'
	option table 'main'

config route
	option interface 'wan'
	option target '85.15.1.15/32'
	option gateway '192.168.8.1'
	option metric '1'
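The "forwarded ... to" lines in the log above are the evidence of the leak: the same query id is sent to both upstreams. The following is an added example, not part of this thread or of dnsmasq, that runs that check over a constructed dnsmasq log (logqueries enabled) against a policy mirroring dnsmasq's `server=/ir/85.15.1.15` matching (a domain matches itself and its subdomains; the longest matching suffix wins), with 8.8.8.8 as the default upstream. The log lines, the `.ir` and `.com` names, and the `10.10.34.35`/`10.10.34.36` sentinel answers are constructed from what the thread describes.

```python
import re

# Constructed dnsmasq log excerpt. Query 127 is the leak pattern from the
# thread (one query forwarded to both upstreams, then the ISP's block-page
# answer). Queries 128 and 129 are a correct split. Query 130 is the other
# failure mode: an .ir name sent to the tunnel resolver.
SAMPLE_LOG = """\
Sat Feb 17 09:16:17 2024 daemon.info dnsmasq[1]: 127 192.168.50.234/64391 query[A] youtube.com from 192.168.50.234
Sat Feb 17 09:16:17 2024 daemon.info dnsmasq[1]: 127 192.168.50.234/64391 forwarded youtube.com to 8.8.8.8
Sat Feb 17 09:16:17 2024 daemon.info dnsmasq[1]: 127 192.168.50.234/64391 forwarded youtube.com to 85.15.1.15
Sat Feb 17 09:16:17 2024 daemon.info dnsmasq[1]: 127 192.168.50.234/64391 reply youtube.com is 10.10.34.35
Sat Feb 17 09:16:20 2024 daemon.info dnsmasq[1]: 128 192.168.50.234/57505 query[A] portal.example.ir from 192.168.50.234
Sat Feb 17 09:16:20 2024 daemon.info dnsmasq[1]: 128 192.168.50.234/57505 forwarded portal.example.ir to 85.15.1.15
Sat Feb 17 09:16:21 2024 daemon.info dnsmasq[1]: 129 192.168.50.234/57506 query[A] example.com from 192.168.50.234
Sat Feb 17 09:16:21 2024 daemon.info dnsmasq[1]: 129 192.168.50.234/57506 forwarded example.com to 8.8.8.8
Sat Feb 17 09:16:22 2024 daemon.info dnsmasq[1]: 130 192.168.50.234/57507 query[A] example.ir from 192.168.50.234
Sat Feb 17 09:16:22 2024 daemon.info dnsmasq[1]: 130 192.168.50.234/57507 forwarded example.ir to 8.8.8.8
"""

# Which upstream is allowed for which domain suffix, and the default for the rest.
POLICY = {"ir": "85.15.1.15"}
DEFAULT_UPSTREAM = "8.8.8.8"
# Answers the thread identifies as the ISP's block page (constructed list).
SENTINELS = {"10.10.34.35", "10.10.34.36"}

FORWARD_RE = re.compile(
    r"dnsmasq\[\d+\]: (?P<qid>\d+) (?P<client>\S+) forwarded (?P<name>\S+) to (?P<upstream>\S+)$")
REPLY_RE = re.compile(
    r"dnsmasq\[\d+\]: (?P<qid>\d+) (?P<client>\S+) reply (?P<name>\S+) is (?P<answer>\S+)$")


def expected_upstream(name, policy, default):
    """Mirror dnsmasq's server=/domain/ matching: a domain matches itself and
    all of its subdomains, and the longest matching suffix wins."""
    name = name.rstrip(".").lower()
    best = None
    for suffix, upstream in policy.items():
        suffix = suffix.strip(".").lower()
        if name == suffix or name.endswith("." + suffix):
            if best is None or len(suffix) > len(best[0]):
                best = (suffix, upstream)
    return best[1] if best else default


def find_dns_leaks(log_text, policy, default, sentinels=()):
    """Return findings as (kind, query id, name, observed, expected) tuples:
    'leak' for a forward to an upstream the policy does not allow for that
    name, 'blocked-answer' for a reply carrying a sentinel address."""
    findings = []
    for line in log_text.splitlines():
        m = FORWARD_RE.search(line)
        if m:
            want = expected_upstream(m["name"], policy, default)
            if m["upstream"] != want:
                findings.append(("leak", m["qid"], m["name"], m["upstream"], want))
            continue
        m = REPLY_RE.search(line)
        if m and m["answer"] in sentinels:
            findings.append(("blocked-answer", m["qid"], m["name"], m["answer"], None))
    return findings


if __name__ == "__main__":
    for kind, qid, name, observed, expected in find_dns_leaks(
            SAMPLE_LOG, POLICY, DEFAULT_UPSTREAM, SENTINELS):
        print(f"{kind:15} query {qid}: {name} -> {observed} (expected {expected})")
```

On a router, the same check runs over `logread | grep dnsmasq` output; any `leak` line means the resolver is still choosing upstreams outside the split, whatever the routing table does with the packets afterwards.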

You have two interfaces monitored by pbr - wan and the Wireguard interface.

  1. If you want your LAN to be always going through the WAN, then you need to create a PBR policy that says "route my LAN subnet via WAN". Then you can create other policies that route hosts individually via the Wireguard VPN and you can place those rules above the one that routes everything via WAN. I hope I am right on that.
  2. I am not quite sure about how to split the DNS queries, but why don't you just use the same DNS server on both the tunnel and the WAN? Also if you wanted everything from your LAN to go over the WAN by default, why don't you use the DHCP option 6 to advertise the WAN DNS to all clients? The setting is on Network->Interfaces-> lan->DHCP Server->Advanced Settings->DHCP-Options. Just add 6,85.15.1.15 and save.
    PBR allows you to route all traffic to a particular destination either via the WAN or the tunnel.
  3. I use PBR and what I have done is that I use the same DNS servers on the tunnel and the WAN interface. This helped me with DNS leaks. Now, I have a custom rule that routes traffic to all IPs allocated to my country via the WAN.
    You can find that custom rule at Policy-Based-Routing (pbr) package discussion - #127 by stangri

Well, it's not WireGuard; that was an example. In the real scenario, I am using a GRE6 tunnel inside a 6to4 tunnel.
I want my LAN clients to use the WAN interface only for local domains (.ir) and also for a list of CIDR ranges with any TLD; in this case, I need to use 85.15.1.15.
The rest of the domains and CIDR ranges should go via the tunnel interface with 8.8.8.8 DNS.

  • The 85.15.1.15 public DNS is controlled by local ISPs and has restrictions on many websites, so it should be used for IR domains only. (I will get a 10.10.34.36 response if I try to open blocked websites.)
  • 8.8.8.8 has a DNS hijack issue inside the country if it isn't used in the tunnel. If I try to use this DNS on the WAN interface, I will get a 10.10.34.36 response (which is a DNS rebind attack).

If I don't split the DNS queries and I try to open blocked websites, I will get 10.10.34.36 in response, and I also don't want the ISP to trace my activity via DNS query reports. In this case, my request is going to both the tunnel and the WAN DNS servers.

Also, the router's internet interface should be "wan" at all times, for inside or outside of the country.

For my clients, I have used 192.168.50.1 as the DNS server. I need to manage the DNS traffic on the router side, not set DHCP option 6 with public DNS servers.

For your LAN clients to use the WAN interface only for local domains (.ir) might be tricky. Does that mean there is no ".ir" domain hosted outside Iran? I don't know. But what I am sure you can do is to let the clients use the WAN for all the IP addresses allocated to Iran. In that case, you need to modify the above script as follows:

TARGET_URL="https://www.ipdeny.com/ipblocks/data/countries/ir.zone"
TARGET_DL_FILE="/var/pbr_tmp_ir_ip_ranges"
TARGET_NFT_FILE="/var/pbr_tmp_ir_ip_ranges.nft"

You can save the script as: /usr/share/pbr/pbr.user.ir.lst
Then under policy routing service custom user files you add and enable it:


That will do what you want.

For the clients you want to use 85.15.1.15, you can configure them with DNS manually, but if you are using a /24 subnet, I am not sure how you will use CIDR ranges. What I know is that you could specify them individually.

Start thinking about managing the clients individually or creating VLANs and routing the VLANs as you wish.
Bye.

1 Like

Thank you for your reply, but this is not the problem at this time.
The problem is that even if I set one policy in PBR like this:

config policy
	option name 'Tunnel'
	option dest_addr '0.0.0.0/0'
	option interface 'Tunnel'

Then still, when the client does a ping, the DNS query goes to both DNS servers under both interfaces, and it should not be like this. I need to see in the logs that if the client is using the WAN interface, then pbr and dnsmasq use 85.15.1.15 as DNS; otherwise, they use 8.8.8.8 via the tunnel interface.

About the IR domain, the important thing is that just the IR domain and the Iranian IP CIDR range should go via the WAN interface. It's not important if a German server or whatever is behind the IR domain; it should still go via the WAN interface. The priority is the IR TLD and the Iranian server CIDR range, and the rest of the traffic should go via the tunnel interface.

This issue is outside of the scope of pbr. You'll need to use encrypted DNS requests or configure dnsmasq to perform according to your expectations.

1 Like

Ok, thank you. My question is now about PBR routing.
I need 3 policies:
first priority: IR domains via the WAN interface
second priority: Iranian CIDR IPs via the WAN interface
third priority: 0.0.0.0/0, the rest of the IP ranges and domains in the world

config policy
	option name 'irandomain'
	option dest_addr 'ir'
	option interface 'wan'

config policy
	option name 'irandcidr'
	option dest_addr '/usr/share/pbr/iran'
	option interface 'wan'

config policy
	option name 'Tunnel'
	option dest_addr '0.0.0.0/0'
	option interface 'Tunnel'

I tried this, and I also tried to add a custom file from this post.

Policy-Based-Routing (pbr) package discussion - #127 by stangri

The Iranian CIDR range with the .com domain still goes via the tunnel interface instead of

Check README->Getting Help section and provide the required information if you want a meaningful feedback.

In addition, post the content of /usr/share/pbr/iran.

1 Like
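Rule order is worth checking alongside the diagnostics asked for above. This is an added example, not part of the thread or of the pbr package: nft evaluates `pbr_prerouting` top to bottom, and `goto pbr_mark_...` followed by `return` in the mark chain ends evaluation at the first match, so a policy whose set holds `0.0.0.0/0` shadows every rule placed after it, including the `*_user` sets that custom user files fill. The set names follow the `/etc/init.d/pbr status` output later in the thread; the element lists are constructed for the example and far smaller than the real sets.

```python
import ipaddress

# Sets modelled on the pbr status output in this thread. Element lists are
# constructed for the example (the real user set holds the whole country list).
SETS = {
    "pbr_Wan_4_dst_ip_cfg036ff5": ["79.127.127.35"],                    # "IranDomain" (dnsmasq nftset)
    "pbr_ipv4gre6_4_dst_ip_cfg046ff5": ["0.0.0.0/0"],                   # "Tunnel" catch-all policy
    "pbr_Wan_4_dst_ip_user": ["185.142.156.0/22", "2.57.3.0/24"],       # custom user file list
    "pbr_ipv4gre6_4_dst_ip_user": [],
}

MARK_WAN = 0x010000
MARK_TUNNEL = 0x020000

# (set name, mark) in chain order, as printed for pbr_prerouting: policy rules
# first, user-set rules after. Each rule is "ip daddr @set goto pbr_mark_X",
# and the mark chain returns, so the first matching rule decides the mark.
CHAIN_AS_SHOWN = [
    ("pbr_Wan_4_dst_ip_cfg036ff5", MARK_WAN),
    ("pbr_ipv4gre6_4_dst_ip_cfg046ff5", MARK_TUNNEL),
    ("pbr_Wan_4_dst_ip_user", MARK_WAN),
    ("pbr_ipv4gre6_4_dst_ip_user", MARK_TUNNEL),
]


def in_set(addr, elements):
    """True if addr falls inside any element of an interval set."""
    ip = ipaddress.IPv4Address(addr)
    return any(ip in ipaddress.IPv4Network(e, strict=False) for e in elements)


def evaluate(daddr, chain, sets=SETS):
    """Return the mark the first matching rule applies, or None if nothing matches."""
    for set_name, mark in chain:
        if in_set(daddr, sets[set_name]):
            return mark
    return None


def reorder_catch_all_last(chain, catch_all_set):
    """Move the catch-all rule to the end so the specific sets are tested first."""
    specific = [r for r in chain if r[0] != catch_all_set]
    catch_all = [r for r in chain if r[0] == catch_all_set]
    return specific + catch_all


def shadowed_rules(chain, sets=SETS):
    """Names of non-empty sets that can never match because every one of their
    elements lies inside a prefix matched by an earlier rule."""
    covered = []
    shadowed = []
    for set_name, _ in chain:
        elems = [ipaddress.IPv4Network(e, strict=False) for e in sets[set_name]]
        if elems and all(any(e.subnet_of(c) for c in covered) for e in elems):
            shadowed.append(set_name)
        covered.extend(elems)
    return shadowed


if __name__ == "__main__":
    target = "185.142.159.194"   # inside 185.142.156.0/22, the case from the thread
    print("as shown:", hex(evaluate(target, CHAIN_AS_SHOWN)), "shadowed:", shadowed_rules(CHAIN_AS_SHOWN))
    fixed = reorder_catch_all_last(CHAIN_AS_SHOWN, "pbr_ipv4gre6_4_dst_ip_cfg046ff5")
    print("catch-all last:", hex(evaluate(target, fixed)), "shadowed:", shadowed_rules(fixed))
```

The same question can be answered on the router without the script by reading the rule handles in `/etc/init.d/pbr status`: whichever `ip daddr @...` rule for the address appears first in `pbr_prerouting` is the one that sets the mark.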

The ipnumberia.com IP is 185.142.159.194 and it's in the 185.142.156.0/22 range, but when I check my IP on this website, it shows the Tunnel public IP instead of the WAN public IP.

.ir domains from the client side should be routed via the WAN interface.
Everything else from the client side should be routed via the tunnel (ipv4gre6) interface.
The default router interface should be WAN only (for all IPs and domains).

The last configuration I'm using is this(custom user file):

/usr/share/pbr/pbr.user.irancidr

#!/bin/sh
# pbr custom user file: fill the WAN destination set with the Iranian IP ranges.
# pbr sources this file rather than executing it, so the final "return" hands
# the status (0 = success) back to pbr.

TARGET_SET='pbr_Wan_4_dst_ip_user'      # nft set (fw4 / nftables backend)
TARGET_IPSET='pbr_Wan_4_dst_net_user'   # ipset (legacy iptables backend)
TARGET_TABLE='inet fw4'
TARGET_URL="https://www.ipdeny.com/ipblocks/data/countries/ir.zone"
TARGET_DL_FILE="/var/pbr_tmp_ir_ip_ranges"
TARGET_NFT_FILE="/var/pbr_tmp_ir_ip_ranges.nft"
[ -z "$nft" ] && nft="$(command -v nft)"
_ret=1

# Download only when there is no cached copy (/var is tmpfs on OpenWrt, so the
# cache is refreshed on every reboot; delete the file to force a refresh).
# --no-check-certificate disables TLS verification, so anyone on the path could
# hand back a different list; drop the flag if the router has a CA bundle.
if [ ! -s "$TARGET_DL_FILE" ]; then
	uclient-fetch --no-check-certificate -qO- "$TARGET_URL" 2>/dev/null > "$TARGET_DL_FILE"
fi

if [ -s "$TARGET_DL_FILE" ]; then
	if ipset -q list "$TARGET_IPSET" >/dev/null 2>&1; then
		# ipset backend: one "add" line per prefix, loaded with a single restore.
		if awk -v ipset="$TARGET_IPSET" '{print "add " ipset " " $1}' "$TARGET_DL_FILE" | ipset restore -!; then
			_ret=0
		fi
	elif [ -n "$nft" ] && [ -x "$nft" ] && "$nft" list set "$TARGET_TABLE" "$TARGET_SET" >/dev/null 2>&1; then
		# nft backend: build one "add element" statement so every prefix is added
		# in a single transaction instead of one nft call per prefix.
		printf "add element %s %s { " "$TARGET_TABLE" "$TARGET_SET" > "$TARGET_NFT_FILE"
		awk '{printf "%s, ", $1}' "$TARGET_DL_FILE" >> "$TARGET_NFT_FILE"
		printf " } " >> "$TARGET_NFT_FILE"
		if "$nft" -f "$TARGET_NFT_FILE"; then
			rm -f "$TARGET_NFT_FILE"
			_ret=0
		fi
	fi
fi

return $_ret
root@OpenWrt:~# ubus call system board
{
        "kernel": "6.1.77",
        "hostname": "OpenWrt",
        "system": "ARMv8 Processor rev 4",
        "model": "Xiaomi Mi Router AX3000T",
        "board_name": "xiaomi,mi-router-ax3000t",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "SNAPSHOT",
                "revision": "r25233-6da308f4de",
                "target": "mediatek/filogic",
                "description": "OpenWrt SNAPSHOT r25233-6da308f4de"
        }
}
root@OpenWrt:~# uci export dhcp
package dhcp

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dnsmasq 'lan_dns'
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '0'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases.lan'
        list interface 'lan'
        option localservice '0'
        option noresolv '1'
        option logqueries '1'
        list server '/*.ir/85.15.1.15'
        list server '8.8.8.8'

config dhcp 'lan'
        option instance 'lan_dns'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
root@OpenWrt:~# uci export firewall
package firewall

config defaults
        option syn_flood '1'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'Wan'
        list network 'Modem'
        list network '6to4'
        list network 'gre6'
        list network 'ipv4gre6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include 'passwall2'
        option type 'script'
        option path '/var/etc/passwall2.include'
        option reload '1'

config include 'passwall2_server'
        option type 'script'
        option path '/var/etc/passwall2_server.include'
        option reload '1'

config include 'pbr'
        option fw4_compatible '1'
        option type 'script'
        option path '/usr/share/pbr/pbr.firewall.include'
root@OpenWrt:~# uci export network
package network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd79:x:x::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'
        option ipv6 '1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.31.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config device
        option name 'wan'
        option macaddr 'a4:a9:30:x:x:x'

config interface 'Modem'
        option proto 'static'
        option device 'wan'
        option ipaddr '192.168.1.150'
        option netmask '255.255.255.0'
        option defaultroute '0'
        option gateway '192.168.1.1'

config interface 'Wan'
        option proto 'pppoe'
        option device 'wan'
        option ipv6 'auto'
        option username 'x'
        option password 'x'
        option defaultroute '0'
        option peerdns '0'

config route
        option interface 'Wan'
        option target '0.0.0.0/0'
        option metric '2'
        option table 'main'
        option gateway '172.18.15.x'

config interface '6to4'
        option proto '6in4'
        option peeraddr '91.107.x.x'
        option ip6addr 'fc00:x::2/64'
        option mtu '1480'

config interface 'gre6'
        option proto 'grev6'
        option peer6addr 'fc00:x::1'
        option ip6addr 'fc00:x::2'
        option mtu '1436'

config interface 'ipv4gre6'
        option proto 'static'
        option device '@gre6'
        option ipaddr '192.168.154.2'
        option netmask '255.255.255.252'
        option gateway '192.168.154.1'
        option defaultroute '0'

config route
        option interface 'ipv4gre6'
        option target '0.0.0.0/0'
        option gateway '192.168.154.1'
        option metric '3'
        option table 'main'

config route
        option interface 'ipv4gre6'
        option target '8.8.8.8/32'
        option gateway '192.168.154.1'
        option metric '5'
        option table 'main'

config route
        option interface 'Wan'
        option target '85.15.1.15/32'
        option gateway '172.18.15.x'
        option metric '4'
        option table 'main'
config pbr 'config'
        option enabled '1'
        option verbosity '2'
        option strict_enforcement '1'
        option resolver_set 'dnsmasq.nftset'
        option ipv6_enabled '0'
        list ignored_interface 'vpnserver'
        list ignored_interface 'wgserver'
        option boot_timeout '30'
        option rule_create_option 'add'
        option procd_reload_delay '1'
        option webui_show_ignore_target '1'
        list webui_supported_protocol 'all'
        list webui_supported_protocol 'tcp'
        list webui_supported_protocol 'udp'
        list webui_supported_protocol 'tcp udp'
        list webui_supported_protocol 'icmp'
        list supported_interface 'ipv4gre6'

config include
        option enabled '1'
        option path '/usr/share/pbr/pbr.user.irancidr'

config policy
        option name 'IranDomain'
        option dest_addr 'ir'
        option interface 'Wan'

config policy
        option name 'Tunnel'
        option dest_addr '0.0.0.0/0'
        option interface 'ipv4gre6'

I don't know why some CIDR ranges in the list were converted to IP range format.

root@OpenWrt:~# /etc/init.d/pbr status
============================================================
pbr - environment
pbr 1.1.1-7 running on OpenWrt SNAPSHOT. WAN (IPv4): Wan/pppoe-Wan/172.18.15.x.
============================================================
Dnsmasq version 2.89  Copyright (c) 2000-2022 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus UBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP conntrack no-ipset nftset auth cryptohash DNSSEC no-ID loop-detect inotify dumpfile
============================================================
pbr chains - policies
        chain pbr_forward { # handle 29
        }
        chain pbr_input { # handle 30
        }
        chain pbr_output { # handle 31
        }
        chain pbr_prerouting { # handle 32
                ip daddr @pbr_Wan_4_dst_ip_cfg036ff5 goto pbr_mark_0x010000 comment "IranDomain" # handle 4922
                ip daddr @pbr_ipv4gre6_4_dst_ip_cfg046ff5 goto pbr_mark_0x020000 comment "Tunnel" # handle 4924
                ip daddr @pbr_Wan_4_dst_ip_user goto pbr_mark_0x010000 # handle 4926
                ip saddr @pbr_Wan_4_src_ip_user goto pbr_mark_0x010000 # handle 4928
                ether saddr @pbr_Wan_4_src_mac_user goto pbr_mark_0x010000 # handle 4930
                ip daddr @pbr_ipv4gre6_4_dst_ip_user goto pbr_mark_0x020000 # handle 4932
                ip saddr @pbr_ipv4gre6_4_src_ip_user goto pbr_mark_0x020000 # handle 4934
                ether saddr @pbr_ipv4gre6_4_src_mac_user goto pbr_mark_0x020000 # handle 4936
        }
        chain pbr_postrouting { # handle 33
        }
============================================================
pbr chains - marking
        chain pbr_mark_0x010000 { # handle 4915
                counter packets 16 bytes 2927 meta mark set meta mark & 0xff01ffff | 0x00010000 # handle 4916
                return # handle 4917
        }
        chain pbr_mark_0x020000 { # handle 4918
                counter packets 195910 bytes 172560117 meta mark set meta mark & 0xff02ffff | 0x00020000 # handle 4919
                return # handle 4920
        }
============================================================
pbr nft sets
        set pbr_Wan_4_dst_ip_cfg036ff5 { # handle 4921
                type ipv4_addr
                flags interval
                counter
                auto-merge
                comment "IranDomain"
                elements = { 79.127.127.35 counter packets 16 bytes 2927 }
        }
        set pbr_ipv4gre6_4_dst_ip_cfg046ff5 { # handle 4923
                type ipv4_addr
                flags interval
                counter
                auto-merge
                comment "Tunnel"
                elements = { 0.0.0.0/0 counter packets 195944 bytes 172563874 }
        }
        set pbr_Wan_4_dst_ip_user { # handle 4925
                type ipv4_addr
                policy memory
                flags interval
                auto-merge
                comment ""
                elements = { 2.57.3.0/24, 2.144.0.0/14,
                             185.98.112.0/22, 185.99.212.0/22,
                             185.100.44.0/22, 185.101.39.0/24,
                             185.101.228.0/22, 185.103.84.0/22,
                             185.103.128.0/22, 185.103.244.0-185.103.251.255,
                             185.104.228.0-185.104.235.255, 185.104.240.0/22,
                             185.105.100.0/22, 185.105.120.0/22,
                             185.105.184.0/22, 185.105.236.0/22,
                             185.106.136.0/22, 185.106.144.0/22,
                             185.106.200.0/22, 185.106.228.0/22,
                             185.107.28.0-185.107.35.255, 185.107.244.0-185.107.251.255,
                             185.108.96.0/22, 185.108.164.0/22,
                             185.109.60.0/22, 185.109.72.0/22,
                             185.109.80.0/22, 185.109.128.0/22,
                             185.109.244.0-185.109.251.255, 185.110.28.0/22,
                             185.110.216.0/22, 185.110.228.0/22,
                             185.110.236.0/22, 185.110.244.0/22,
                             185.110.252.0/22, 185.111.8.0/21,
                             185.111.64.0/22, 185.111.80.0/22,
                             185.111.136.0/22, 185.112.32.0/21,
                             185.129.212.0-185.129.219.255, 185.129.228.0-185.129.243.255,
                             185.130.50.0/24, 185.130.76.0/22,
                             185.131.28.0/22, 185.131.84.0-185.131.95.255,
                             185.165.40.0/22, 185.165.100.0/22,
                             185.165.116.0/22, 185.165.204.0/22,
                             185.166.60.0/22, 185.166.104.0/22,
                             185.166.112.0/22, 185.167.72.0/22,
                             185.167.100.0/22, 185.167.124.0/22,
                             185.169.6.0/24, 185.169.20.0/22,
                             185.169.36.0/22, 185.170.8.0/24,
                             185.170.236.0/22, 185.171.52.0/22,
                             185.172.0.0/22, 185.172.68.0/22,
                             185.172.212.0/22, 185.173.104.0/22,
                             185.173.129.0-185.173.130.255, 185.173.168.0/22,
                             185.174.132.0/24, 185.174.134.0/24,
                             185.174.200.0/22, 185.174.248.0/22,
                             185.175.76.0/22, 185.175.240.0/22,
                             185.176.32.0/22, 185.176.56.0/22,
                             185.177.24.0/22, 185.177.156.0/22,
                             185.177.232.0/22, 185.178.104.0/22,
                             185.178.220.0/22, 185.179.90.0/24,
                             185.179.168.0/22, 185.179.220.0/22,
                             185.180.52.0/22, 185.180.128.0/22,
                             185.181.180.0/22, 185.182.220.0/22,
                             185.182.248.0/22, 185.184.32.0/22,
                             185.184.48.0/22, 185.185.16.0/22,
                             185.185.240.0/22, 185.186.48.0/22}
        }
        set pbr_Wan_4_src_ip_user { # handle 4927
                type ipv4_addr
                policy memory
                flags interval
                auto-merge
                comment ""
        }
        set pbr_Wan_4_src_mac_user { # handle 4929
                type ether_addr
                policy memory
                flags interval
                auto-merge
                comment ""
        }
        set pbr_ipv4gre6_4_dst_ip_user { # handle 4931
                type ipv4_addr
                policy memory
                flags interval
                auto-merge
                comment ""
        }
        set pbr_ipv4gre6_4_src_ip_user { # handle 4933
                type ipv4_addr
                policy memory
                flags interval
                auto-merge
                comment ""
        }
        set pbr_ipv4gre6_4_src_mac_user { # handle 4935
                type ether_addr
                policy memory
                flags interval
                auto-merge
                comment ""
        }
============================================================
dnsmasq sets
nftset=/ir/4#inet#fw4#pbr_Wan_4_dst_ip_cfg036ff5 # IranDomain
============================================================
IPv4 table 256 route: default via 172.18.15.x dev pppoe-Wan
default via 172.18.15.x dev pppoe-Wan proto static metric 2
IPv4 table 256 rule(s):
30000:  from all fwmark 0x10000/0xff0000 lookup pbr_Wan
IPv4 table 257 route: default via 192.168.154.1 dev gre6-gre6
default via 172.18.15.x dev pppoe-Wan proto static metric 2
IPv4 table 257 rule(s):
30001:  from all fwmark 0x20000/0xff0000 lookup pbr_ipv4gre6
root@OpenWrt:~# /etc/init.d/pbr reload
Activating traffic killswitch [✗]
Setting up routing for 'Wan/pppoe-Wan/172.18.15.x' [✓]
Setting up routing for 'ipv4gre6/gre6-gre6/192.168.154.1' [✓]
Routing 'IranDomain' via Wan [✓]
Routing 'Tunnel' via ipv4gre6 [✓]
Running /usr/share/pbr/pbr.user.irancidr [✓]
Deactivating traffic killswitch [✓]
pbr 1.1.1-7 monitoring interfaces: ipv4gre6
pbr 1.1.1-7 (nft) started with gateways:
Wan/pppoe-Wan/172.18.15.x[✓]
ipv4gre6/gre6-gre6/192.168.154.1
root@OpenWrt:~# /etc/init.d/pbr status
============================================================
pbr - environment
pbr 1.1.1-7 running on OpenWrt SNAPSHOT. WAN (IPv4): Wan/pppoe-Wan/172.18.15.x.
============================================================
Dnsmasq version 2.89  Copyright (c) 2000-2022 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus UBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP conntrack no-ipset nftset auth cryptohash DNSSEC no-ID loop-detect inotify dumpfile
============================================================
pbr chains - policies
        chain pbr_forward { # handle 29
        }
        chain pbr_input { # handle 30
        }
        chain pbr_output { # handle 31
        }
        chain pbr_prerouting { # handle 32
                ip daddr @pbr_Wan_4_dst_ip_cfg036ff5 goto pbr_mark_0x010000 comment "IranDomain" # handle 4945
                ip daddr @pbr_ipv4gre6_4_dst_ip_cfg046ff5 goto pbr_mark_0x020000 comment "Tunnel" # handle 4947
                ip daddr @pbr_Wan_4_dst_ip_user goto pbr_mark_0x010000 # handle 4949
                ip saddr @pbr_Wan_4_src_ip_user goto pbr_mark_0x010000 # handle 4951
                ether saddr @pbr_Wan_4_src_mac_user goto pbr_mark_0x010000 # handle 4953
                ip daddr @pbr_ipv4gre6_4_dst_ip_user goto pbr_mark_0x020000 # handle 4955
                ip saddr @pbr_ipv4gre6_4_src_ip_user goto pbr_mark_0x020000 # handle 4957
                ether saddr @pbr_ipv4gre6_4_src_mac_user goto pbr_mark_0x020000 # handle 4959
        }
        chain pbr_postrouting { # handle 33
        }
============================================================
pbr chains - marking
        chain pbr_mark_0x010000 { # handle 4938
                counter packets 0 bytes 0 meta mark set meta mark & 0xff01ffff | 0x00010000 # handle 4939
                return # handle 4940
        }
        chain pbr_mark_0x020000 { # handle 4941
                counter packets 3194 bytes 1526877 meta mark set meta mark & 0xff02ffff | 0x00020000 # handle 4942
                return # handle 4943
        }
============================================================
pbr nft sets
        set pbr_Wan_4_dst_ip_cfg036ff5 { # handle 4944
                type ipv4_addr
                flags interval
                counter
                auto-merge
                comment "IranDomain"
        }
        set pbr_ipv4gre6_4_dst_ip_cfg046ff5 { # handle 4946
                type ipv4_addr
                flags interval
                counter
                auto-merge
                comment "Tunnel"
                elements = { 0.0.0.0/0 counter packets 3222 bytes 1533352 }
        }
        set pbr_Wan_4_dst_ip_user { # handle 4948
                type ipv4_addr
                policy memory
                flags interval
                auto-merge
                comment ""
                elements = { 2.57.3.0/24, 2.144.0.0/14,
                             185.98.112.0/22, 185.99.212.0/22,
                             185.100.44.0/22, 185.101.39.0/24,
                             185.101.228.0/22, 185.103.84.0/22,
                             185.103.128.0/22, 185.103.244.0-185.103.251.255,
                             185.104.228.0-185.104.235.255, 185.104.240.0/22,
                             185.105.100.0/22, 185.105.120.0/22,
                             185.105.184.0/22, 185.105.236.0/22,
                             185.106.136.0/22, 185.106.144.0/22,
                             185.106.200.0/22, 185.106.228.0/22,
                             185.107.28.0-185.107.35.255, 185.107.244.0-185.107.251.255,
                             185.108.96.0/22, 185.108.164.0/22,
                             185.109.60.0/22, 185.109.72.0/22,
                             185.109.80.0/22, 185.109.128.0/22,
                             185.109.244.0-185.109.251.255, 185.110.28.0/22,
                             185.110.216.0/22, 185.110.228.0/22,
                             185.110.236.0/22, 185.110.244.0/22,
                             185.110.252.0/22, 185.111.8.0/21,
                             185.111.64.0/22, 185.111.80.0/22,
                             185.111.136.0/22, 185.112.32.0/21,
                             185.129.212.0-185.129.219.255, 185.129.228.0-185.129.243.255,
                             185.130.50.0/24, 185.130.76.0/22,
                             185.131.28.0/22, 185.131.84.0-185.131.95.255,
                             185.165.40.0/22, 185.165.100.0/22,
                             185.165.116.0/22, 185.165.204.0/22,
                             185.166.60.0/22, 185.166.104.0/22,
                             185.166.112.0/22, 185.167.72.0/22,
                             185.167.100.0/22, 185.167.124.0/22,
                             185.169.6.0/24, 185.169.20.0/22,
                             185.169.36.0/22, 185.170.8.0/24,
                             185.170.236.0/22, 185.171.52.0/22,
                             185.172.0.0/22, 185.172.68.0/22,
                             185.172.212.0/22, 185.173.104.0/22,
                             185.173.129.0-185.173.130.255, 185.173.168.0/22,
                             185.174.132.0/24, 185.174.134.0/24,
                             185.174.200.0/22, 185.174.248.0/22,
                             185.175.76.0/22, 185.175.240.0/22,
                             185.176.32.0/22, 185.176.56.0/22,
                             185.177.24.0/22, 185.177.156.0/22,
                             185.177.232.0/22, 185.178.104.0/22,
                             185.178.220.0/22, 185.179.90.0/24,
                             185.179.168.0/22, 185.179.220.0/22,
                             185.180.52.0/22, 185.180.128.0/22,
                             185.181.180.0/22, 185.182.220.0/22,
                             185.182.248.0/22, 185.184.32.0/22,
                             185.184.48.0/22, 185.185.16.0/22,
                             185.185.240.0/22, 185.186.48.0/22}
        }
        set pbr_Wan_4_src_ip_user { # handle 4950
                type ipv4_addr
                policy memory
                flags interval
                auto-merge
                comment ""
        }
        set pbr_Wan_4_src_mac_user { # handle 4952
                type ether_addr
                policy memory
                flags interval
                auto-merge
                comment ""
        }
        set pbr_ipv4gre6_4_dst_ip_user { # handle 4954
                type ipv4_addr
                policy memory
                flags interval
                auto-merge
                comment ""
        }
        set pbr_ipv4gre6_4_src_ip_user { # handle 4956
                type ipv4_addr
                policy memory
                flags interval
                auto-merge
                comment ""
        }
        set pbr_ipv4gre6_4_src_mac_user { # handle 4958
                type ether_addr
                policy memory
                flags interval
                auto-merge
                comment ""
        }
============================================================
dnsmasq sets
nftset=/ir/4#inet#fw4#pbr_Wan_4_dst_ip_cfg036ff5 # IranDomain
============================================================
IPv4 table 256 route: default via 172.18.15.x dev pppoe-Wan
default via 172.18.15.x dev pppoe-Wan proto static metric 2
IPv4 table 256 rule(s):
30000:  from all fwmark 0x10000/0xff0000 lookup pbr_Wan
IPv4 table 257 route: default via 192.168.154.1 dev gre6-gre6
default via 172.18.15.x dev pppoe-Wan proto static metric 2
IPv4 table 257 rule(s):
30001:  from all fwmark 0x20000/0xff0000 lookup pbr_ipv4gre6
root@OpenWrt:~# ip -4 ro list table all
default via 172.18.15.x dev pppoe-Wan table pbr_Wan
default via 172.18.15.x dev pppoe-Wan table pbr_Wan proto static metric 2
85.15.1.15 via 172.18.15.x dev pppoe-Wan table pbr_Wan proto static metric 4
91.107.x.x via 172.18.15.x dev pppoe-Wan table pbr_Wan proto static metric 2
172.18.15.x dev pppoe-Wan table pbr_Wan proto kernel scope link src 151.242.x.x
192.168.1.0/24 dev wan table pbr_Wan proto kernel scope link src 192.168.1.150
192.168.31.0/24 dev br-lan table pbr_Wan proto kernel scope link src 192.168.31.1
default via 192.168.154.1 dev gre6-gre6 table pbr_ipv4gre6
default via 172.18.15.x dev pppoe-Wan table pbr_ipv4gre6 proto static metric 2
85.15.1.15 via 172.18.15.x dev pppoe-Wan table pbr_ipv4gre6 proto static metric 4
91.107.x.x via 172.18.15.x dev pppoe-Wan table pbr_ipv4gre6 proto static metric 2
172.18.15.x dev pppoe-Wan table pbr_ipv4gre6 proto kernel scope link src 151.242.x.x
192.168.1.0/24 dev wan table pbr_ipv4gre6 proto kernel scope link src 192.168.1.150
192.168.31.0/24 dev br-lan table pbr_ipv4gre6 proto kernel scope link src 192.168.31.1
default via 172.18.15.x dev pppoe-Wan proto static metric 2
default via 192.168.154.1 dev gre6-gre6 proto static metric 3
8.8.8.8 via 192.168.154.1 dev gre6-gre6 proto static metric 5
85.15.1.15 via 172.18.15.x dev pppoe-Wan proto static metric 4
91.107.x.x via 172.18.15.x dev pppoe-Wan proto static metric 2
172.18.15.x dev pppoe-Wan proto kernel scope link src 151.242.x.x
192.168.1.0/24 dev wan proto kernel scope link src 192.168.1.150
192.168.31.0/24 dev br-lan proto kernel scope link src 192.168.31.1
192.168.154.0/30 dev gre6-gre6 proto kernel scope link src 192.168.154.2
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
local 151.242.x.x dev pppoe-Wan table local proto kernel scope host src 151.242.x.x
local 192.168.1.150 dev wan table local proto kernel scope host src 192.168.1.150
broadcast 192.168.1.255 dev wan table local proto kernel scope link src 192.168.1.150
local 192.168.31.1 dev br-lan table local proto kernel scope host src 192.168.31.1
broadcast 192.168.31.255 dev br-lan table local proto kernel scope link src 192.168.31.1
local 192.168.154.2 dev gre6-gre6 table local proto kernel scope host src 192.168.154.2
broadcast 192.168.154.3 dev gre6-gre6 table local proto kernel scope link src 192.168.154.2

I'm pretty sure that's incorrect, and when fixed it may clash with the pbr policy.

There's a bunch of other issues with the config files, namely:

  1. You only have one dnsmasq instance, so I don't understand why you needed to name it and add a bunch of other dhcp-related settings (which, again, I'm not sure are legit).
  2. Why did you need to rename wan to Wan?
  3. What's in the passwall firewall include scripts?
  4. Custom routes for different interfaces in the network config.

Based on the fact that the pbr_Wan_4_dst_ip_user set is filled with entries and that the counters are not empty for the marking chains, it seems that pbr is working. Why it is not working as expected in your specific case (and what exactly is not working as expected; I don't understand what "the Iranian cidr range with the com domain still goes via the tunnel interface instead of" even means) I can't help you with, as I do not have the time/knowledge to marry your config with the pbr functions (although maybe someone else on this forum will).

If I were you, I'd start with a clean slate in terms of the dhcp config and the routes in the network config and try again.

1 Like

Hello. I'm running a VPN gateway on another Linux machine (192.168.1.2) and want to route traffic from some LAN devices (excluding OpenWrt and the VPN client itself, to avoid a loop) to it without manually changing the gateway setting on those devices to 192.168.1.2. How do I configure PBR for this?

The VPN gateway also acts as a DNS server. DNS requests from the devices routed to it should also be redirected to 192.168.1.2, while the other devices continue to use dnsmasq.

pbr can't help you.

Hello, can we use masks for domain names in future versions?
There are many domain names that only vary in a number, for example cdn1.contoso.com, cdn2.contoso.com, and so on.

That would be great. Thanks!

You already can; see ipset/nftset in the manual.

Can you translate this to me?

If domain.com is added to the policy, this policy will affect all *.domain.com subdomains. This also works for top-level domains: a policy targeting at, for example, will affect all the *.at domains.

Does that mean that if I add cdn2.contoso.com to the domain rule, it will also work for cdn1.contoso.com, cdn3.contoso.com and so on? Otherwise, I couldn't find the part where it says I can use '*' masks.

If you add contoso.com to the nftset, it will also cover all subdomains, e.g. XXX.contoso.com.
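To make the subdomain rule concrete, here is an added model (not pbr or dnsmasq code) of how a dnsmasq `nftset=` line such as the `/ir/` one in the status output above decides which queried names feed a set: an entry covers the domain itself and every name under it, and where several entries overlap, the longest matching domain is assumed to win. The contoso.com line and the query names are constructed for the example.

```python
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class NftsetEntry:
    domains: tuple   # domains listed in one nftset= line
    target: str      # e.g. "4#inet#fw4#pbr_Wan_4_dst_ip_cfg036ff5"


def parse_nftset_line(line: str) -> NftsetEntry:
    """Parse 'nftset=/dom1/dom2/<family>#<table type>#<table>#<set>'.
    A trailing '# comment', as printed by pbr status, is dropped."""
    line = line.split(" #", 1)[0].strip()
    if not line.startswith("nftset=/"):
        raise ValueError(f"not an nftset line: {line!r}")
    parts = line[len("nftset=/"):].split("/")
    target = parts[-1]
    domains = tuple(d.lower().strip(".") for d in parts[:-1] if d)
    if not domains or "#" not in target:
        raise ValueError(f"malformed nftset line: {line!r}")
    return NftsetEntry(domains, target)


def domain_matches(query: str, domain: str) -> bool:
    """True if query is the domain itself or a subdomain of it.
    The leading dot check stops 'notcontoso.com' matching 'contoso.com'."""
    q = query.lower().rstrip(".")
    return q == domain or q.endswith("." + domain)


def set_for_query(query: str, entries: Iterable[NftsetEntry]) -> Optional[str]:
    """Return the target set for a queried name, or None if no entry matches.
    Assumption: the most specific (longest) matching domain wins."""
    best, best_len = None, -1
    for entry in entries:
        for domain in entry.domains:
            if domain_matches(query, domain) and len(domain) > best_len:
                best, best_len = entry.target, len(domain)
    return best


# Constructed sample: the real /ir/ line from the status output plus a
# hypothetical contoso.com entry pointing at the tunnel policy's set.
SAMPLE_CONFIG = [
    "nftset=/ir/4#inet#fw4#pbr_Wan_4_dst_ip_cfg036ff5 # IranDomain",
    "nftset=/contoso.com/4#inet#fw4#pbr_ipv4gre6_4_dst_ip_cfg046ff5",
]
ENTRIES = [parse_nftset_line(ln) for ln in SAMPLE_CONFIG]

if __name__ == "__main__":
    for name in ("cdn1.contoso.com", "cdn2.contoso.com", "example.ir",
                 "notcontoso.com", "youtube.com"):
        print(f"{name:20} -> {set_for_query(name, ENTRIES)}")
```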