Yes! I am interested in hearing about your solution using p2p interfaces. I guess the outgoing doesn't need an IP but the return path for the VPN does? But it doesn't matter because in both cases it's the same router?
Was a bit worried if I go back I'd break everything, so decided to not mess with it. Now my friend got the same error while configuring and here is the output of the command you've asked.
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
6: wan@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
inet <ip> brd <ip> scope global wan
valid_lft forever preferred_lft forever
14: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
valid_lft forever preferred_lft forever
17: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 9000 qdisc fq_codel state UNKNOWN group default qlen 500
inet 10.8.2.1/24 brd 10.8.2.255 scope global tun0
valid_lft forever preferred_lft forever
inet 10.8.2.1/30 brd 10.8.2.3 scope global tun0
valid_lft forever preferred_lft forever
It is strange that the tun interface has two IP addresses.
Could indicate something wrong in your config file.
Do you have any topology net30 or topology subnet in your config?
About MTU: you can set the MTU in the config file, e.g.: tun-mtu 1400
I understand that the new PBR release requires the default route to go through "wan", therefore in case we use a different interface this must be configured in /etc/config/pbr with:
option procd_wan_interface 'my_alternate_wan'
However my main router has a WAN interface going through ethernet to the fibre and a WWAN (Wireless WAN) which is used as a backup through which the router will have to fail over in case of loss of connectivity through WAN.
If you have your main/default routing table via the WAN/WWAN I think it does not matter, you can simply use MWAN3 or set both routes and use metrics etc.
As far as I can tell, PBR does not do anything with the default table.
It uses the wan to create a pbr_wan table, which might not work in case WWAN is the wan, but if you do not use that table then it should not matter.
Just my two cents.
Otherwise I would probably create a hotplug script which sets the correct wan in the PBR config and restarts it
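An added example of the hotplug approach suggested above (this is not pbr's own code and was not posted in the thread): an OpenWrt iface hotplug script that re-points pbr's procd_wan_interface when the primary WAN goes down and restores it when it comes back. The interface names "wan" and "wwan", the script path /etc/hotplug.d/iface/99-pbr-wan and the uci path pbr.config.procd_wan_interface are assumptions for this example; check them against your own /etc/config/network and /etc/config/pbr.

```shell
#!/bin/sh
# Added example: OpenWrt hotplug script (assumed path /etc/hotplug.d/iface/99-pbr-wan).
# procd sources iface hotplug scripts with $ACTION (ifup/ifdown) and $INTERFACE set.
# Interface names and the uci section "pbr.config" are assumptions for this example.

PRIMARY_WAN="wan"    # assumption: the wired WAN logical interface
BACKUP_WAN="wwan"    # assumption: the LTE / wireless WAN logical interface

# Decide which interface pbr should use as WAN for one hotplug event.
# Arguments: action, interface, current pbr setting, primary state ("up"/"down").
# Prints the new interface only when the setting actually has to change,
# so pbr is not restarted on every unrelated ifup/ifdown.
pbr_wan_for_event() {
    action="$1"; iface="$2"; current="$3"; primary="$4"
    want=""
    case "$action:$iface" in
        ifdown:"$PRIMARY_WAN") want="$BACKUP_WAN" ;;
        ifup:"$PRIMARY_WAN")   want="$PRIMARY_WAN" ;;
        ifup:"$BACKUP_WAN")    [ "$primary" = "up" ] || want="$BACKUP_WAN" ;;
    esac
    if [ -n "$want" ] && [ "$want" != "$current" ]; then
        echo "$want"
    fi
}

# Ask netifd whether the primary WAN is up; reports "down" when ubus is unavailable
# (for example when this file is run outside the router).
primary_state() {
    if command -v ubus >/dev/null 2>&1 && \
       ubus call network.interface."$PRIMARY_WAN" status 2>/dev/null | grep -q '"up": true'; then
        echo up
    else
        echo down
    fi
}

# Write the new WAN into the pbr config and restart the service.
apply_pbr_wan() {
    new="$1"
    uci set pbr.config.procd_wan_interface="$new"
    uci commit pbr
    logger -t pbr-wan "switching pbr WAN interface to $new"
    /etc/init.d/pbr restart
}

# Hotplug entry point: only acts when procd passes the event variables.
# No "exit" here, because hotplug scripts are sourced by the hotplug runner.
if [ -n "$ACTION" ] && [ -n "$INTERFACE" ]; then
    current="$(uci -q get pbr.config.procd_wan_interface || true)"
    new="$(pbr_wan_for_event "$ACTION" "$INTERFACE" "$current" "$(primary_state)")"
    [ -n "$new" ] && apply_pbr_wan "$new"
fi
```

The decision is kept in a pure function so it can be checked without a router; the ifup case for the backup interface is deliberately ignored while the primary is still up, otherwise a flapping LTE link would keep pulling pbr away from the wired WAN.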
I tried mwan3 and pbr packages together and routing gets messed up. It looks like they get in conflict. So it is either pbr or mwan3. I tried also with mwan3 (without pbr) to route specific subnets/interfaces through wireguard VPNs but it does not work whilst this works fine with pbr.
So I would need mwan3 for load balancing and pbr for VPN routing, but having both installed on the same router does not work.
If I could understand how to load balance wans (WAN and WWAN) with PBR, like I do with mwan3 I would solve the problem.
That is also one of the reasons I run VPNs on satellite routers that have only PBR installed.
config device
    option name 'tun0'
    option mtu '1500'
config interface 'tun0'
    option device 'tun0'
    option proto 'static'
    option ipaddr '10.8.2.1'
    option netmask '255.255.255.0'
Before I changed the MTU there was no device section in this config, only the interface. I suspect that by changing the MTU through the GUI and saving it I updated the config, adding this tun0 device, which fixed things. Perhaps it also restarted something I didn't know about, since I made the changes from the GUI.
The interesting part is that both my friend and I configured it the same way. And tun0 with pbr started working for him as well, but then broke a couple of days later. Nothing seemed to fix the problem until he again changed the MTU, but this time for IPv6 in the GUI, and saved.
For me tun0 and pbr are still working and here is my output for ip -4 a list (I've redacted redundant interfaces). As you can see I indeed have only a single "instance" of tun0.
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
3: wan@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc cake state UP group default qlen 1000
inet 192.168.0.10/24 brd 192.168.0.255 scope global wan
valid_lft forever preferred_lft forever
57: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
inet 10.8.2.1/24 brd 10.8.2.255 scope global tun0
valid_lft forever preferred_lft forever
The tun interface usually has no IP address and netmask as that is set in the OpenVPN config (or pushed by the OpenVPN server).
So an OpenVPN interface usually shows like:
config interface 'ovpnclient'
    option proto 'none'
    option device 'tun0'
I am pretty sure this is in the PBR readme.
The openvpn executable will set up the device; if there is no device specified other than dev tun it will use the first available, which is tun0.
(So when you have multiple OpenVPN tunnels, better specify the device like dev tunX where X is a unique integer, and adjust the interface accordingly.)
The IP address is usually pushed by the server and can/should change every time you make a connection, one of the things which makes logging more difficult.
It isn't OpenVPN though, and I didn't know the setup for OpenVPN was similar enough to read about it in the docs. I was configuring this stuff trying to combine various guides from the internet about setting things up and hooking it up with pbr (that's on my own, though).
Anyway, that's probably the problem, will try to run with the new settings. Appreciate your help!
Hi there!
I am trying to set up PBR on a fresh router having the latest OpenWRT on it.
Upon pbr startup it gives me this:
root@OpenWrt:~# service pbr start
Using wan interface (on_start): wan
pbr 1.1.6-20 waiting for wan gateway...
ERROR: The pbr 1.1.6-20 service failed to discover WAN gateway!
As a result, the service doesn't start.
The thing is, I don't have an Ethernet cable connected to the WAN port. I am using either a wifi client connection or an LTE modem. Ideally I would like to be able to use both, plus a couple of tun* interfaces, but not the Ethernet cable.
What would you suggest in order to make this work?
Thanks
Could I ask a favor of those better at coding please? I use PBR to route Plex traffic to the WAN interface but have noticed that whenever the IPs of plex.tv change, remote access stops working, at least for a while.
From what I have tested this seems to be because it's slow to update/resolve with the new IPs when they change, perhaps due to the Dnsmasq nft resolver.
Is it possible to create a script or a policy that would get the IPs of plex.tv with something like a nslookup and add them to the nft tables in a way that would work better than it does now?
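An added example of the kind of refresh script the post above asks about (this is not pbr's own code and was not posted in the thread): it resolves the hostname with nslookup, keeps only the IPv4 answers, and adds them to an nft set so a policy keyed on that set follows the address changes. The table name "inet fw4" and the set name PBR_SET_PLACEHOLDER are placeholders; on a real router the set pbr generated for the policy has to be read from `nft list ruleset` and substituted, and the sample nslookup output at the end is constructed for the demonstration.

```shell
#!/bin/sh
# Added example: resolve a hostname and add its current A records to an nft set.
# Intended to be run from cron, e.g. every 10 minutes:  /etc/pbr-dns-refresh.sh run
# The table and set names are placeholders (assumptions), not pbr's real identifiers.

HOSTNAMES="plex.tv"
NFT_TABLE="inet fw4"            # assumption: the fw4 table on recent OpenWrt
NFT_SET="PBR_SET_PLACEHOLDER"   # placeholder: take the real name from `nft list ruleset`

# Extract IPv4 answers from nslookup output read on stdin, one per line, de-duplicated.
# Handles both the bind-style output ("Address: 1.2.3.4") and the older BusyBox
# style ("Address 1: 1.2.3.4 hostname"); the resolver's own address line is skipped.
parse_nslookup_a() {
    awk '
        /^Server:/ { skip = 1 }                  # the first Address line is the DNS server
        /^Address( [0-9]+)?:/ {
            if (skip) { skip = 0; next }
            sub(/^Address( [0-9]+)?:[ \t]*/, "")
            sub(/[ \t].*$/, "")                  # old BusyBox appends the hostname
            sub(/[#:][0-9]+$/, "")               # server lines carry a port, "#53" or ":53"
            if ($0 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) print
        }' | sort -u
}

# Turn addresses on stdin into an nft element list: "{ a, b }" (empty when no input).
nft_elements() {
    awk 'BEGIN { ORS = "" }
         { printf "%s%s", (NR > 1 ? ", " : "{ "), $0 }
         END { if (NR) print " }" }'
}

# Resolve every hostname and add the results to the set.
# Elements are added, never flushed and replaced, so a failed lookup can never
# empty the set and silently send the traffic out of the wrong interface.
refresh_set() {
    addrs=""
    for h in $HOSTNAMES; do
        addrs="$addrs
$(nslookup "$h" | parse_nslookup_a)"
    done
    elems="$(printf '%s\n' "$addrs" | sed '/^$/d' | sort -u | nft_elements)"
    if [ -z "$elems" ]; then
        logger -t pbr-dns "no A records resolved, leaving $NFT_SET untouched"
        return 1
    fi
    nft add element $NFT_TABLE "$NFT_SET" "$elems"
}

# Constructed sample of nslookup output, used to exercise the parser offline.
SAMPLE_NSLOOKUP='Server:         127.0.0.1
Address:        127.0.0.1#53

Non-authoritative answer:
Name:   plex.tv
Address: 203.0.113.10
Name:   plex.tv
Address: 2001:db8::10
Name:   plex.tv
Address: 203.0.113.11'

# Parse the constructed sample; returns "{ 203.0.113.10, 203.0.113.11 }".
demo_parse() {
    printf '%s\n' "$SAMPLE_NSLOOKUP" | parse_nslookup_a | nft_elements
}

# Only touch the live ruleset when invoked with "run" (cron); otherwise just demonstrate.
if [ "${1:-}" = "run" ]; then
    refresh_set
else
    demo_parse; echo
fi
```

Because entries are only ever added, the set grows with stale addresses over time; that is the safe failure direction for a policy that routes traffic out of a specific interface, and the set can be rebuilt by restarting pbr.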
Just updated to 1.1.7-5 from 1.1.6-20 and now getting Unknown packet mark for interface 'wg0'. Otherwise I didn't change anything in my config. What may the problem be?