@Scope what's the output of service pbr status with the -18?
No, you can ignore it; at least that is what I am doing and it works for me.
Output from 1.1.6-18
root@RPi5:~# service pbr status
pbr - environment
pbr 1.1.6-18 running on OpenWrt SNAPSHOT.
Dnsmasq version 2.90 Copyright (c) 2000-2024 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus UBus no-i18n no-IDN DHCP no-DHCPv6 no-Lua TFTP no-conntrack no-ipset no-nftset no-auth no-cryptohash no-DNSSEC no-ID loop-detect inotify dumpfile
pbr chains - policies
chain pbr_forward { # handle 40
}
chain pbr_input { # handle 41
}
chain pbr_output { # handle 42
}
chain pbr_postrouting { # handle 44
}
chain pbr_prerouting { # handle 43
ip saddr 192.168.2.0/24 goto pbr_mark_0x020000 comment "Route R7800 through Wireguard" # handle 837
ip saddr 192.168.3.0/24 goto pbr_mark_0x020000 comment "Route AC68U through Wireguard" # handle 838
}
chain pbr_dstnat_lan { # handle 39
}
pbr chains - marking
chain pbr_mark_0x010000 { # handle 831
meta mark set meta mark & 0xff01ffff | 0x00010000 # handle 832
return # handle 833
}
chain pbr_mark_0x020000 { # handle 834
meta mark set meta mark & 0xff02ffff | 0x00020000 # handle 835
return # handle 836
}
pbr nft sets
IPv4 table 256 route: default via 84.XX.XX.1 dev pppoe-wan
IPv4 table 256 rule(s):
30000: from all fwmark 0x10000/0xff0000 lookup pbr_wan
IPv4 table 257 route: default via 10.8.0.5 dev wg0
IPv4 table 257 rule(s):
29998: from all fwmark 0x20000/0xff0000 lookup pbr_wg0
Uhm, still not forcing the nft file mode. I've pushed a hidden update to do it and it seems you've installed the 1.1.6-18 build before I did that.
I'll artificially bump PKG_RELEASE to 19 now.
Thank you. This one works very well.
Output using latest (-19) release:
root@RPi5:~# service pbr status
pbr - environment
pbr 1.1.6-19 running on OpenWrt SNAPSHOT.
Dnsmasq version 2.90 Copyright (c) 2000-2024 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus UBus no-i18n no-IDN DHCP no-DHCPv6 no-Lua TFTP no-conntrack no-ipset no-nftset no-auth no-cryptohash no-DNSSEC no-ID loop-detect inotify dumpfile
pbr fw4 nft file: /usr/share/nftables.d/ruleset-post/30-pbr.nft
add chain inet fw4 pbr_mark_0x010000
add rule inet fw4 pbr_mark_0x010000 mark set mark and 0xff00ffff xor 0x010000
add rule inet fw4 pbr_mark_0x010000 return
add chain inet fw4 pbr_mark_0x020000
add rule inet fw4 pbr_mark_0x020000 mark set mark and 0xff00ffff xor 0x020000
add rule inet fw4 pbr_mark_0x020000 return
add rule inet fw4 pbr_prerouting ip saddr { 192.168.2.0/24 } goto pbr_mark_0x020000 comment "Route R7800 through Wireguard"
add rule inet fw4 pbr_prerouting ip saddr { 192.168.3.0/24 } goto pbr_mark_0x020000 comment "Route AC68U through Wireguard"
pbr chains - policies
chain pbr_forward { # handle 40
}
chain pbr_input { # handle 41
}
chain pbr_output { # handle 42
}
chain pbr_postrouting { # handle 44
}
chain pbr_prerouting { # handle 43
ip saddr 192.168.2.0/24 goto pbr_mark_0x020000 comment "Route R7800 through Wireguard" # handle 1345
ip saddr 192.168.3.0/24 goto pbr_mark_0x020000 comment "Route AC68U through Wireguard" # handle 1346
}
chain pbr_dstnat_lan { # handle 39
}
pbr chains - marking
chain pbr_mark_0x010000 { # handle 1339
meta mark set meta mark & 0xff01ffff | 0x00010000 # handle 1340
return # handle 1341
}
chain pbr_mark_0x020000 { # handle 1342
meta mark set meta mark & 0xff02ffff | 0x00020000 # handle 1343
return # handle 1344
}
pbr nft sets
IPv4 table 256 route: default via 84.XX.XX.1 dev pppoe-wan
IPv4 table 256 rule(s):
30000: from all fwmark 0x10000/0xff0000 lookup pbr_wan
IPv4 table 257 route: default via 10.8.0.5 dev wg0
IPv4 table 257 rule(s):
29998: from all fwmark 0x20000/0xff0000 lookup pbr_wg0
Great, this is the expected output. When run this way, pbr does not need to be reloaded on firewall reload/restart.
I installed pbr_1.1.6-19_all.ipk / luci-app-pbr_1.1.6-19_all.ipk.
The policy with two MAC addresses failed:
root@GT-AC5300:/etc/config# service pbr restart
Removing routing for 'wan/pppoe-wan/152.255.XXX.XXX' [✓]
Removing routing for 'wanb/usb0/0.0.0.0' [✓]
Removing routing for 'wg0/10.2.0.2' [✓]
Removing routing for 'wg1/10.5.0.2' [✓]
Restarting dnsmasq [✓]
pbr 1.1.6-19 (fw4 nft file mode) stopped [✓]
Using wan interface (on_start): wan
Found wan gateway (on_start): 152.255.XXX.XXX
Setting up routing for 'wan/pppoe-wan/152.255.XXX.XXX' [✓]
Setting up routing for 'wanb/usb0/0.0.0.0' [✓]
Setting up routing for 'wg0/10.2.0.2' [✓]
Setting up routing for 'wg1/10.5.0.2' [✓]
Routing 'default' via ignore [✓]
Routing 'stb-nextfx' via wg0 [✗]
Routing 'hub-usb-exboom' via wg0 [✓]
Routing 'cel-s23fe' via wg0 [✓]
Routing 'pc-topton' via wg0 [✗]
Routing 'pc-positivo' via wg0 [✓]
Routing 'youtube' via wan [✓]
Installing fw4 nft file [✓]
pbr 1.1.6-19 monitoring interfaces: wan wanb wg0 wg1
pbr 1.1.6-19 (fw4 nft file mode) started with gateways:
wan/pppoe-wan/152.255.XXX.XXX [✓]
wanb/usb0/0.0.0.0
wg0/10.2.0.2
wg1/10.5.0.2
ERROR: Skipping IPv6 policy 'stb-nextfx' as IPv6 support is disabled!
ERROR: Skipping IPv6 policy 'stb-nextfx' as IPv6 support is disabled!
ERROR: Skipping IPv6 policy 'pc-topton' as IPv6 support is disabled!
ERROR: Skipping IPv6 policy 'pc-topton' as IPv6 support is disabled!
The policies are:
config policy
option name 'stb-nextfx'
option src_addr '7C:A7:XX:XX:XX:XX 78:D9:5E:YY:YY:YY'
option interface 'wg0'
config policy
option name 'pc-topton'
option src_addr 'c8:8a:9a:d4:xx:xx 00:e0:4d:e1:xx:xx'
option interface 'wg0'
Status:
root@GT-AC5300:/etc/config# service pbr status
pbr - environment
pbr 1.1.6-19 running on OpenWrt 23.05.4.
Dnsmasq version 2.90 Copyright (c) 2000-2024 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus UBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP conntrack no-ipset nftset auth cryptohash DNSSEC no-ID loop-detect inotify dumpfile
pbr fw4 nft file: /usr/share/nftables.d/ruleset-post/30-pbr.nft
add chain inet fw4 pbr_mark_0x010000
add rule inet fw4 pbr_mark_0x010000 mark set mark and 0xff00ffff xor 0x010000
add rule inet fw4 pbr_mark_0x010000 return
add chain inet fw4 pbr_mark_0x020000
add rule inet fw4 pbr_mark_0x020000 mark set mark and 0xff00ffff xor 0x020000
add rule inet fw4 pbr_mark_0x020000 return
add chain inet fw4 pbr_mark_0x030000
add rule inet fw4 pbr_mark_0x030000 mark set mark and 0xff00ffff xor 0x030000
add rule inet fw4 pbr_mark_0x030000 return
add chain inet fw4 pbr_mark_0x040000
add rule inet fw4 pbr_mark_0x040000 mark set mark and 0xff00ffff xor 0x040000
add rule inet fw4 pbr_mark_0x040000 return
add rule inet fw4 pbr_prerouting ip daddr { 192.168.100.0/24 } return comment "default"
add rule inet fw4 pbr_prerouting ether saddr { 00:e0:4c:68:xx:xx } goto pbr_mark_0x030000 comment "hub-usb-exboom"
add rule inet fw4 pbr_prerouting ether saddr { 06:23:45:BA:xx:xx } goto pbr_mark_0x030000 comment "cel-s23fe"
add rule inet fw4 pbr_prerouting ether saddr { 00:25:D3:1A:xx:xx } goto pbr_mark_0x030000 comment "pc-positivo"
add set inet fw4 pbr_wan_4_dst_ip_cfg156ff5 { type ipv4_addr; auto-merge; flags interval; policy performance; comment "youtube"; }
add rule inet fw4 pbr_prerouting ip daddr @pbr_wan_4_dst_ip_cfg156ff5 goto pbr_mark_0x010000 comment "youtube"
pbr chains - policies
chain pbr_forward { # handle 37
}
chain pbr_input { # handle 38
}
chain pbr_output { # handle 39
}
chain pbr_postrouting { # handle 41
}
chain pbr_prerouting { # handle 40
ip daddr 192.168.100.0/24 return comment "default" # handle 1593
ether saddr 00:e0:4c:68:xx:xx goto pbr_mark_0x030000 comment "hub-usb-exboom" # handle 1594
ether saddr 06:23:45:ba:xx:xx goto pbr_mark_0x030000 comment "cel-s23fe" # handle 1595
ether saddr 00:25:d3:1a:xx:xx goto pbr_mark_0x030000 comment "pc-positivo" # handle 1596
ip daddr @pbr_wan_4_dst_ip_cfg156ff5 goto pbr_mark_0x010000 comment "youtube" # handle 1598
}
chain pbr_dstnat_lan { # handle 1006
}
pbr chains - marking
chain pbr_mark_0x010000 { # handle 1581
meta mark set meta mark & 0xff01ffff | 0x00010000 # handle 1582
return # handle 1583
}
chain pbr_mark_0x020000 { # handle 1584
meta mark set meta mark & 0xff02ffff | 0x00020000 # handle 1585
return # handle 1586
}
chain pbr_mark_0x030000 { # handle 1587
meta mark set meta mark & 0xff03ffff | 0x00030000 # handle 1588
return # handle 1589
}
chain pbr_mark_0x040000 { # handle 1590
meta mark set meta mark & 0xff04ffff | 0x00040000 # handle 1591
return # handle 1592
}
pbr nft sets
set pbr_wan_4_dst_ip_cfg156ff5 { # handle 1597
type ipv4_addr
flags interval
auto-merge
comment "youtube"
}
dnsmasq sets
nftset=/eligibility-panelresearch.googlevideo.com/4#inet#fw4#pbr_wan_4_dst_ip_cfg156ff5 # youtube
nftset=/eligibility-panelresearch.googlevideo.com/4#inet#fw4#pbr_wan_4_dst_ip_cfg156ff5 # youtube
nftset=/www3.l.google.com/4#inet#fw4#pbr_wan_4_dst_ip_cfg156ff5 # youtube
nftset=/www3.l.google.com/4#inet#fw4#pbr_wan_4_dst_ip_cfg156ff5 # youtube
nftset=/redirector.googlevideo.com/4#inet#fw4#pbr_wan_4_dst_ip_cfg156ff5 # youtube
nftset=/redirector.googlevideo.com/4#inet#fw4#pbr_wan_4_dst_ip_cfg156ff5 # youtube
nftset=/www.google.com/4#inet#fw4#pbr_wan_4_dst_ip_cfg156ff5 # youtube
nftset=/www.google.com/4#inet#fw4#pbr_wan_4_dst_ip_cfg156ff5 # youtube
nftset=/clients1.google.com/4#inet#fw4#pbr_wan_4_dst_ip_cfg156ff5 # youtube
nftset=/clients1.google.com/4#inet#fw4#pbr_wan_4_dst_ip_cfg156ff5 # youtube
nftset=/clients.l.google.com/4#inet#fw4#pbr_wan_4_dst_ip_cfg156ff5 # youtube
nftset=/clients.l.google.com/4#inet#fw4#pbr_wan_4_dst_ip_cfg156ff5 # youtube
IPv4 table 256 route: default via 152.255.xxx.xxx dev pppoe-wan
IPv4 table 256 rule(s):
30000: from all fwmark 0x10000/0xff0000 lookup pbr_wan
IPv4 table 257 route: unreachable default
IPv4 table 257 rule(s):
29998: from all fwmark 0x20000/0xff0000 lookup pbr_wanb
IPv4 table 258 route: default via 10.2.0.2 dev wg0
IPv4 table 258 rule(s):
29996: from all fwmark 0x30000/0xff0000 lookup pbr_wg0
IPv4 table 259 route: default via 10.5.0.2 dev wg1
IPv4 table 259 rule(s):
29994: from all fwmark 0x40000/0xff0000 lookup pbr_wg1
I just tried it and it works for me, still testing.
What is the output of:
uci set pbr.config.verbosity='2'
uci commit pbr
/etc/init.d/pbr reload
/etc/init.d/pbr status
cat /var/run/pbr.nft
nft -c -f /var/run/pbr.nft
Edit: I think I found it, you probably have IPv6 support disabled in PBR?
Edit 2: if you just put in one MAC address (so, make multiple rules) it should work for now.
For @stangri
If IPv6 is not enabled, there is a check for an IPv6 source, and if there is an IPv6 source the rule is skipped:
1334:
if [ -z "$ipv6_enabled" ] && { is_ipv6 "$src_addr" || is_ipv6 "$dest_addr"; }; then
processPolicyError='true'
state add 'errorSummary' 'errorPolicyProcessNoIpv6' "$name"
return 1
fi
It checks with is_ipv6:
324:
is_ipv6() { ! is_mac_address "$1" && str_contains "$1" ':'; }
This also checks for a MAC address:
326:
is_mac_address() { expr "$1" : '[0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]$' >/dev/null; }
It looks like the check for MAC address fails if there are two (or more) addresses.
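To make the failure mode concrete, here is an added example (not pbr's own code, and not the fix that shipped in 1.1.6-20): it re-creates the quoted is_mac_address()/is_ipv6() checks, a hypothetical token-wise variant that accepts a space-separated MAC list, and the line-1334 skip decision with ipv6_enabled empty, so the misclassification of a two-MAC src_addr can be reproduced and checked. str_contains() is a minimal stand-in for pbr's helper.

```shell
#!/bin/sh
# Added illustration, not pbr's code. Reproduces the single-MAC-only check
# quoted above and compares it with a token-wise variant (an assumption,
# not necessarily what pbr 1.1.6-20 does).

# Minimal stand-in for pbr's str_contains helper (assumed behaviour).
str_contains() { case "$1" in *"$2"*) return 0 ;; *) return 1 ;; esac; }

# Same regex as the quoted is_mac_address(). expr implicitly anchors at the
# start of the string and the trailing $ requires the string to end right
# after the sixth octet, so "aa:.. bb:.." (two MACs) can never match.
H='[0-9a-fA-F][0-9a-fA-F]'
is_mac_address() { expr "$1" : "$H:$H:$H:$H:$H:$H\$" >/dev/null; }

# Quoted is_ipv6(): anything containing ':' that is not a single MAC counts
# as IPv6, which is why a two-MAC src_addr ends up treated as IPv6.
is_ipv6() { ! is_mac_address "$1" && str_contains "$1" ':'; }

# Hypothetical hardened classifier: split on IFS whitespace and require
# every token to be a MAC address before treating the list as "MAC".
is_mac_address_list() {
  [ -n "$1" ] || return 1
  for _tok in $1; do
    is_mac_address "$_tok" || return 1
  done
  return 0
}
is_ipv6_fixed() { ! is_mac_address_list "$1" && str_contains "$1" ':'; }

# Mirrors the line-1334 decision with ipv6_enabled empty, using the named
# classifier ("is_ipv6" or "is_ipv6_fixed"). Prints "skipped"/"processed".
policy_outcome() {
  _classify="$1"; _src="$2"; _dst="$3"
  if "$_classify" "$_src" || "$_classify" "$_dst"; then
    echo skipped
  else
    echo processed
  fi
}

# Constructed sample values (not real devices): a two-MAC policy like the
# failing 'stb-nextfx' one, and a genuine IPv6 destination for contrast.
two_macs='7C:A7:00:00:00:01 78:D9:5E:00:00:02'
echo "legacy check: $(policy_outcome is_ipv6 "$two_macs" '')"
echo "token check:  $(policy_outcome is_ipv6_fixed "$two_macs" '')"
echo "real IPv6:    $(policy_outcome is_ipv6_fixed '192.168.1.10' 'fd00::1')"
```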
Thank you @powtrix for bringing it up and @egc for pointing out a problematic line; the issue is fixed in pbr 1.1.6-20.
Please help.
I have some more troubleshooting.
If dest_addr = IP address, it routes properly to the VPN regardless of whether I traceroute the IP address or the domain name.
If dest_addr = domain name, it will not route to the VPN if I traceroute the IP address or the domain name.
Follow instructions from the README->Getting Help section.
ubus call system board
{
"kernel": "5.15.162",
"hostname": "OpenWrt",
"system": "MediaTek MT7621 ver:1 eco:3",
"model": "Xiaomi Mi Router 3G",
"board_name": "xiaomi,mi-router-3g",
"rootfs_type": "squashfs",
"release": {
"distribution": "OpenWrt",
"version": "23.05.4",
"revision": "r24012-d8dd03c46f",
"target": "ramips/mt7621",
"description": "OpenWrt 23.05.4 r24012-d8dd03c46f"
}
}
root@OpenWrt:~# uci export dhcp
package dhcp
config dnsmasq
option domainneeded '1'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
option localservice '1'
option ednspacket_max '1232'
option confdir '/tmp/dnsmasq.d'
list interface 'br-lan'
option cachesize '1000'
list server '/youtube.com/127.0.0.1'
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option ra_management '1'
list dhcp_option '6, 8.8.8.8,8.8.4.4'
list ra_flags 'none'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
root@OpenWrt:~# uci export firewall
package firewall
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option synflood_protect '1'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wan'
list network 'wan6'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
option enabled '0'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
option enabled '0'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
option enabled '0'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
option enabled '0'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
option enabled '0'
config zone
option name 'YOUTUBE'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
list network 'YOUTUBE'
config forwarding
option src 'YOUTUBE'
option dest 'lan'
config forwarding
option src 'lan'
option dest 'YOUTUBE'
config include 'pbr'
option fw4_compatible '1'
option type 'script'
option path '/usr/share/pbr/pbr.firewall.include'
config include 'miniupnpd'
option type 'script'
option path '/usr/share/miniupnpd/firewall.include'
option family 'any'
option reload '1'
root@OpenWrt:~# uci export network
package network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option packet_steering '1'
option ula_prefix 'fd56:ba6b:d562::/48'
config device
option name 'br-lan'
option type 'bridge'
list ports 'lan1'
list ports 'lan2'
list ports 'tap_tap'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option delegate '0'
config interface 'wan'
option device 'wan'
option proto 'static'
option ipaddr 'x.x.x.x'
option netmask '255.255.255.224'
option gateway 'x.x.x.x'
list dns '1.1.1.1'
list dns '8.8.8.8'
list dns '8.8.4.4'
config interface 'wan6'
option device 'wan'
option proto 'dhcpv6'
config interface 'YOUTUBE'
option proto 'l2tp'
option server 'x.x.x.x'
option username 'xxx'
option password 'xxx'
option ipv6 'auto'
option defaultroute '0'
root@OpenWrt:~# uci export pbr
package pbr
config policy
option dest_addr 'youtube.com'
option interface 'YOUTUBE'
option name 'youtube'
config policy
option dest_addr 'youtu.be'
option interface 'YOUTUBE'
option enabled '0'
config policy
option dest_addr 'ytimg.com'
option interface 'YOUTUBE'
option enabled '0'
config pbr 'config'
option verbosity '2'
option strict_enforcement '1'
option src_ipset '0'
option resolver_set 'dnsmasq.ipset'
option ipv6_enabled '0'
option boot_timeout '30'
option rule_create_option 'insert'
option procd_reload_delay '1'
option webui_protocol_column '0'
option webui_show_ignore_target '0'
option webui_sorting '1'
list webui_supported_protocol 'tcp'
list webui_supported_protocol 'udp'
list webui_supported_protocol 'tcp udp'
list webui_supported_protocol 'icmp'
list webui_supported_protocol 'all'
option enabled '1'
option webui_enable_column '1'
option webui_chain_column '1'
option dest_ipset '1'
config include
option path '/etc/pbr.netflix.user'
option enabled '0'
config include
option path '/etc/pbr.aws.user'
option enabled '0'
config policy
option dest_addr 'ggpht.com'
option interface 'YOUTUBE'
option enabled '0'
config policy
option dest_addr 'googlevideo.com'
option interface 'YOUTUBE'
option enabled '0'
config policy
option interface 'YOUTUBE'
option src_addr '192.168.1.243'
root@OpenWrt:~# /etc/init.d/pbr status
pbr - environment
pbr 1.1.1-7 running on OpenWrt 23.05.4. WAN (IPv4): wan/wan/x.x.x.x.
Dnsmasq version 2.90 Copyright (c) 2000-2024 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus UBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP conntrack no-ipset nftset auth cryptohash DNSSEC no-ID loop-detect inotify dumpfile
pbr chains - policies
chain pbr_forward { # handle 42
}
chain pbr_input { # handle 43
}
chain pbr_output { # handle 44
}
chain pbr_prerouting { # handle 45
ip daddr @pbr_YOUTUBE_4_dst_ip_cfg016ff5 goto pbr_mark_0x020000 comment "youtube" # handle 324
ip saddr @pbr_YOUTUBE_4_src_ip_cfg096ff5 goto pbr_mark_0x020000 comment "Untitled" # handle 326
}
chain pbr_postrouting { # handle 46
}
pbr chains - marking
chain pbr_mark_0x010000 { # handle 317
counter packets 0 bytes 0 meta mark set meta mark & 0xff01ffff | 0x00010000 # handle 318
return # handle 319
}
chain pbr_mark_0x020000 { # handle 320
counter packets 46 bytes 24434 meta mark set meta mark & 0xff02ffff | 0x00020000 # handle 321
return # handle 322
}
pbr nft sets
set pbr_YOUTUBE_4_dst_ip_cfg016ff5 { # handle 323
type ipv4_addr
flags interval
counter
auto-merge
comment "youtube"
elements = { 142.250.147.91 counter packets 0 bytes 0, 142.250.147.93 counter packets 0 bytes 0,
142.250.147.136 counter packets 0 bytes 0, 142.250.147.190 counter packets 0 bytes 0 }
}
set pbr_YOUTUBE_4_src_ip_cfg096ff5 { # handle 325
type ipv4_addr
flags interval
counter
auto-merge
comment "Untitled"
elements = { 192.168.1.243 counter packets 47 bytes 24512 }
}
IPv4 table 256 route: default via x.x.x.x dev wan
IPv4 table 256 rule(s):
30000: from all fwmark 0x10000/0xff0000 lookup pbr_wan
IPv4 table 257 route: default via 192.168.20.1 dev l2tp-YOUTUBE
IPv4 table 257 rule(s):
30001: from all fwmark 0x20000/0xff0000 lookup pbr_YOUTUBE
root@OpenWrt:~# /etc/init.d/pbr reload
Activating traffic killswitch [✓]
Setting up routing for 'wan/x.x.x.x' [✓]
Setting up routing for 'YOUTUBE/l2tp-YOUTUBE/192.168.20.1' [✓]
Routing 'youtube' via YOUTUBE [✓]
Routing 'Untitled' via YOUTUBE [✓]
Deactivating traffic killswitch [✓]
pbr 1.1.1-7 monitoring interfaces: wan YOUTUBE
pbr 1.1.1-7 (nft) started with gateways:
wan/x.x.x.x [✓]
YOUTUBE/l2tp-YOUTUBE/192.168.20.1
root@OpenWrt:~# /etc/init.d/pbr status
pbr - environment
pbr 1.1.1-7 running on OpenWrt 23.05.4. WAN (IPv4): wan/wan/x.x.x.x.
Dnsmasq version 2.90 Copyright (c) 2000-2024 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus UBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP conntrack no-ipset nftset auth cryptohash DNSSEC no-ID loop-detect inotify dumpfile
pbr chains - policies
chain pbr_forward { # handle 42
}
chain pbr_input { # handle 43
}
chain pbr_output { # handle 44
}
chain pbr_prerouting { # handle 45
ip daddr @pbr_YOUTUBE_4_dst_ip_cfg016ff5 goto pbr_mark_0x020000 comment "youtube" # handle 336
ip saddr @pbr_YOUTUBE_4_src_ip_cfg096ff5 goto pbr_mark_0x020000 comment "Untitled" # handle 338
}
chain pbr_postrouting { # handle 46
}
pbr chains - marking
chain pbr_mark_0x010000 { # handle 329
counter packets 0 bytes 0 meta mark set meta mark & 0xff01ffff | 0x00010000 # handle 330
return # handle 331
}
chain pbr_mark_0x020000 { # handle 332
counter packets 3 bytes 2356 meta mark set meta mark & 0xff02ffff | 0x00020000 # handle 333
return # handle 334
}
pbr nft sets
set pbr_YOUTUBE_4_dst_ip_cfg016ff5 { # handle 335
type ipv4_addr
flags interval
counter
auto-merge
comment "youtube"
elements = { 142.250.147.91 counter packets 0 bytes 0, 142.250.147.93 counter packets 0 bytes 0,
142.250.147.136 counter packets 0 bytes 0, 142.250.147.190 counter packets 0 bytes 0 }
}
set pbr_YOUTUBE_4_src_ip_cfg096ff5 { # handle 337
type ipv4_addr
flags interval
counter
auto-merge
comment "Untitled"
elements = { 192.168.1.243 counter packets 3 bytes 2356 }
}
IPv4 table 256 route: default via x.x.x.x dev wan
IPv4 table 256 rule(s):
30000: from all fwmark 0x10000/0xff0000 lookup pbr_wan
IPv4 table 257 route: default via 192.168.20.1 dev l2tp-YOUTUBE
IPv4 table 257 rule(s):
30001: from all fwmark 0x20000/0xff0000 lookup pbr_YOUTUBE
root@OpenWrt:~#
You're not using 22.03 though, you're using:
"version": "23.05.4",
There are many issues with your config, I'd recommend you remove the following:
As per https://docs.openwrt.melmac.net/pbr/#OpenWrt23.05releaseandthispackage, the following:
Needs to be:
option resolver_set 'dnsmasq.nftset'
After this, reboot your router and all your LAN devices. Even with these necessary changes, you may not be able to fool YouTube, this section of the README is probably applicable to YouTube.
Also, I'm not a big fan of setting per-interface DNS, so if I were you, I'd replace:
With the DNS servers set up for the first dnsmasq instance.
There is no effect.
root@OpenWrt:~# uci export dhcp
package dhcp
config dnsmasq
option domainneeded '1'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
option localservice '1'
option ednspacket_max '1232'
option confdir '/tmp/dnsmasq.d'
list interface 'br-lan'
option cachesize '1000'
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option ra_management '1'
list ra_flags 'none'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
option start '100'
option limit '150'
option leasetime '12h'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
root@OpenWrt:~# uci export pbr
package pbr
config policy
option dest_addr 'youtube.com'
option interface 'YOUTUBE'
option name 'youtube'
config policy
option dest_addr 'youtu.be'
option interface 'YOUTUBE'
option enabled '0'
config policy
option dest_addr 'ytimg.com'
option interface 'YOUTUBE'
option enabled '0'
config pbr 'config'
option verbosity '2'
option strict_enforcement '1'
option src_ipset '0'
option resolver_set 'dnsmasq.nftset'
option ipv6_enabled '0'
option boot_timeout '30'
option rule_create_option 'add'
option procd_reload_delay '1'
option webui_protocol_column '0'
option webui_show_ignore_target '0'
option webui_sorting '1'
list webui_supported_protocol 'tcp'
list webui_supported_protocol 'udp'
list webui_supported_protocol 'tcp udp'
list webui_supported_protocol 'icmp'
list webui_supported_protocol 'all'
option enabled '1'
option webui_enable_column '1'
option webui_chain_column '1'
option dest_ipset '1'
config include
option path '/etc/pbr.netflix.user'
option enabled '0'
config include
option path '/etc/pbr.aws.user'
option enabled '0'
config policy
option dest_addr 'ggpht.com'
option interface 'YOUTUBE'
option enabled '0'
config policy
option dest_addr 'googlevideo.com'
option interface 'YOUTUBE'
option enabled '0'
config policy
option interface 'YOUTUBE'
option src_addr '192.168.1.243'
config policy
option dest_addr 'mds.com'
option interface 'YOUTUBE'
root@OpenWrt:~# uci export network
package network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option packet_steering '1'
option ula_prefix 'fd56:ba6b:d562::/48'
config device
option name 'br-lan'
option type 'bridge'
list ports 'lan1'
list ports 'lan2'
list ports 'tap_tap'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option delegate '0'
config interface 'wan'
option device 'wan'
option proto 'dhcp'
config interface 'wan6'
option device 'wan'
option proto 'dhcpv6'
config interface 'YOUTUBE'
option proto 'l2tp'
option server 'x.x.x.x'
option username 'xxx'
option password 'xxx'
option ipv6 'auto'
option defaultroute '0'
The fact that you didn't include post-update pbr status output nor confirmed other steps taken which were necessary to effect the change makes me suspect you only followed up on half of the instructions.
I made a clean installation with a router reset. It worked for a time. Later I disabled the domain rule and enabled it; it only started working the next day. Yesterday I disabled the domain rule and enabled it again, and now it is not working; the router was rebooted a few times.
If you're playing with enabling/disabling domain-based policies, it's not just the router which needs to be rebooted, but the LAN clients as well, hence my earlier quote:
If you've disabled the domain-based policy and the LAN device/client you're testing on cached the DNS response, then after you re-enabled the policy the client will not poll your OpenWrt router for the DNS resolution; hence dnsmasq will not resolve the domain and will not update the relevant nft set. The easiest way to delete the DNS resolution cache on most devices is to reboot them.
I'm pretty sure it's covered in the README. Also, have you read/understood another section of the README I linked in my initial reply to you?
PS. Please learn how to use formatting of large text on the forum instead of pasting everything as normal text -- it makes it so much harder to read/help you.
The PC is shut down every night, and I also ran ipconfig /flushdns.