While I have no issue with Onion, why are my pbr and luci-app-pbr versions different?

root@DL-WRX36:~# opkg install pbr luci-app-pbr
Package pbr (1.1.7-r47) installed in root is up to date.
Package luci-app-pbr (1.1.7-53) installed in root is up to date.

Because you did not upgrade pbr?

Not really. I have even used: opkg update; opkg install --force-reinstall pbr luci-app-pbr and it still doesn't get the latest version of pbr. I have "src/gz stangri_repo https://repo.openwrt.melmac.net" in /etc/opkg/customfeeds.conf as always.
Why it pulled luci-app-pbr v1.1.7-53 and not pbr-1.1.7-53 is what beats me.

I upgraded via the GUI.

root@R7800-1:~# opkg list-installed | grep pbr
luci-app-pbr - 1.1.7-53
luci-i18n-pbr-de - git-24.284.16626-fcbbc75
pbr - 1.1.7-53

But if you want to use the command line try opkg upgrade pbr

Since I am using the same method I have always used to install both, after installing a new SNAPSHOT on my DL-WRX36, I cannot guess why it installed different versions, so I have decided to let it stay.

About the Ignore local requests policy:

So first of all, great package, which I was happy to find. I want my guest VLAN to go over VPN but some IoT devices through WAN, which I got done quite quickly, so thanks.

But then I noticed that my firewall rules were not working anymore, and I could not access the devices (heat pumps) from the IoT VLAN anymore.

Then I found the "ignore local requests" online and thought I was home free. Maybe a first newbie comment here would be to have that on by default. It is not clear from the docs (also videos) that local firewall rules will be ignored after installing the package.

But still my firewall rules did not work, and only when preparing to reach out, and dumping the pbr config with uci export pbr, did I notice that the default rule has 10.0.0.0/24 and not 10.0.0.0/8 as one might expect, since it says local requests.

I am guessing the rules are meant as an "example" or guideline, but the way it is worded it is a really easy mistake to make (the one I did), to think that all RFC private nets would be included.

So I suggest either including all RFC private nets, or changing the rule name to something like "example for private networks so local firewall rules will work".

Since I have now fixed my firewall problem, this is just an FYI/suggestion from a newbie. Thanks again.
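The mismatch described in this post (four /24s versus "all local requests") is easy to check mechanically. The script below is an added example written for this page; it is not code from the pbr package or from the poster. It reads the `config policy` stanzas of a `uci export pbr` dump, folds the ignore policy's prefixes the same way nft's `auto-merge` does, and reports how much RFC 1918 space the policy does not bypass and whether a given host would be. The uci text embedded in it is a constructed sample using the four /24s pbr ships in 'Ignore Local Requests'; the host addresses at the bottom are assumptions.

```python
"""Audit an OpenWrt pbr 'ignore' policy against the RFC 1918 ranges.

Added example, not code from the pbr package or the forum thread.
Assumptions: the uci dump below (constructed to match the default
'Ignore Local Requests' stanza) and the hosts passed to is_bypassed().
"""
import ipaddress
import re

RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample of `uci export pbr`, trimmed to the policy stanzas.
SAMPLE_UCI = """\
package pbr

config pbr 'config'
\toption enabled '1'

config policy
\toption name 'Ignore Local Requests'
\toption interface 'ignore'
\toption dest_addr '10.0.0.0/24 10.0.1.0/24 192.168.100.0/24 192.168.1.0/24'

config policy
\toption name 'lan'
\toption src_addr '192.168.0.0/24'
\toption interface 'mv1'
"""

OPTION_RE = re.compile(r"^option\s+(\S+)\s+'(.*)'$")


def parse_policies(uci_text):
    """Return one dict per `config policy` stanza (option name -> value)."""
    policies, current = [], None
    for raw in uci_text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            section = line.split()[1]
            current = {} if section == "policy" else None
            if current is not None:
                policies.append(current)
        elif current is not None:
            m = OPTION_RE.match(line)
            if m:
                current[m.group(1)] = m.group(2)
    return policies


def ignore_prefixes(policies):
    """Destination prefixes of enabled 'ignore' policies, merged like nft auto-merge."""
    nets = []
    for p in policies:
        if p.get("interface") != "ignore" or p.get("enabled", "1") == "0":
            continue
        for token in p.get("dest_addr", "").split():
            try:
                nets.append(ipaddress.ip_network(token, strict=False))
            except ValueError:
                pass  # a hostname: resolved by dnsmasq at runtime, not a static prefix
    # auto-merge folds adjacent blocks, e.g. 10.0.0.0/24 + 10.0.1.0/24 -> 10.0.0.0/23
    merged = []
    for version in (4, 6):
        merged.extend(ipaddress.collapse_addresses([n for n in nets if n.version == version]))
    return merged


def uncovered_private_space(ignored):
    """RFC 1918 blocks (or what is left of them) that the ignore policy does not bypass."""
    gaps = []
    for private in RFC1918:
        remaining = [private]
        for net in ignored:
            if net.version != private.version:
                continue
            nxt = []
            for block in remaining:
                if not block.overlaps(net):
                    nxt.append(block)
                elif block.subnet_of(net):
                    continue                                 # whole block is bypassed
                else:
                    nxt.extend(block.address_exclude(net))   # carve net out of block
            remaining = nxt
        gaps.extend(remaining)
    return list(ipaddress.collapse_addresses(gaps))


def is_bypassed(host, ignored):
    """True if traffic to `host` hits the ignore policy and never reaches a VPN policy."""
    addr = ipaddress.ip_address(host)
    return any(addr in net for net in ignored)


if __name__ == "__main__":
    ignored = ignore_prefixes(parse_policies(SAMPLE_UCI))
    print("ignore policy covers:", ", ".join(map(str, ignored)))
    gaps = uncovered_private_space(ignored)
    print("private space NOT bypassed:", sum(g.num_addresses for g in gaps), "addresses")
    for host in ("10.0.1.7", "10.0.5.20", "192.168.1.10", "192.168.0.10"):
        state = "bypassed" if is_bypassed(host, ignored) else "subject to VPN policies"
        print(f"{host:>14}: {state}")
```

Run against the shipped defaults, the merged list comes out as 10.0.0.0/23, 192.168.1.0/24 and 192.168.100.0/24, which is exactly what `nft list` prints later in this thread, and all but 1024 addresses of the three private ranges are left to the VPN policies. Replace SAMPLE_UCI with the real `uci export pbr` output to audit a live router.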

Can you post output of

ip route show
ip route show table all
ip rule show

Redact sensitive information like your public WAN IP address.

That will give some insight. Thanks.

One of my applications for pbr is the use of DNS policies, specifically to set ad-blocking DNS servers for some specific clients (some of them are LAN clients, some of them are WireGuard clients). However, when I do so I lose LAN DNS resolution (I specify hostnames of WireGuard peers and clients connected to each peer's LAN in the /etc/hosts file of the OpenWrt router). Is there a way to configure pbr so that I don't lose LAN resolution while using DNS policies?

root@Router:~# ip route show
default via 192.168.129.1 dev eth1 proto static src 192.168.129.207 metric 20 
10.20.0.0/16 dev br-lan.20 proto kernel scope link src 10.20.0.1 
10.30.0.0/16 dev br-lan.30 proto kernel scope link src 10.30.0.1 
10.40.0.0/16 dev br-lan.40 proto kernel scope link src 10.40.0.1 
192.168.129.0/24 dev eth1 proto static scope link metric 20 
193.56.113.28 via 192.168.129.1 dev eth1 proto static metric 20 
root@Router:~# ip route show table all
default via 192.168.129.1 dev eth1 table pbr_wan 
10.20.0.0/16 dev br-lan.20 table pbr_wan proto kernel scope link src 10.20.0.1 
10.30.0.0/16 dev br-lan.30 table pbr_wan proto kernel scope link src 10.30.0.1 
10.40.0.0/16 dev br-lan.40 table pbr_wan proto kernel scope link src 10.40.0.1 
default via 10.14.0.2 dev wg0 table pbr_wg0 
10.20.0.0/16 dev br-lan.20 table pbr_wg0 proto kernel scope link src 10.20.0.1 
10.30.0.0/16 dev br-lan.30 table pbr_wg0 proto kernel scope link src 10.30.0.1 
10.40.0.0/16 dev br-lan.40 table pbr_wg0 proto kernel scope link src 10.40.0.1 
default dev wg0 table default proto static scope link metric 10 
10.10.0.0/16 dev br-lan.10 table default proto static scope link 
10.14.0.0/16 dev wg0 table default proto static scope link metric 10 
default via 192.168.129.1 dev eth1 proto static src 192.168.129.207 metric 20 
10.20.0.0/16 dev br-lan.20 proto kernel scope link src 10.20.0.1 
10.30.0.0/16 dev br-lan.30 proto kernel scope link src 10.30.0.1 
10.40.0.0/16 dev br-lan.40 proto kernel scope link src 10.40.0.1 
192.168.129.0/24 dev eth1 proto static scope link metric 20 
193.56.113.28 via 192.168.129.1 dev eth1 proto static metric 20 
local 10.10.0.1 dev br-lan.10 table local proto kernel scope host src 10.10.0.1 
broadcast 10.10.255.255 dev br-lan.10 table local proto kernel scope link src 10.10.0.1 
local 10.14.0.2 dev wg0 table local proto kernel scope host src 10.14.0.2 
broadcast 10.14.255.255 dev wg0 table local proto kernel scope link src 10.14.0.2 
local 10.20.0.1 dev br-lan.20 table local proto kernel scope host src 10.20.0.1 
broadcast 10.20.255.255 dev br-lan.20 table local proto kernel scope link src 10.20.0.1 
local 10.30.0.1 dev br-lan.30 table local proto kernel scope host src 10.30.0.1 
broadcast 10.30.255.255 dev br-lan.30 table local proto kernel scope link src 10.30.0.1 
local 10.40.0.1 dev br-lan.40 table local proto kernel scope host src 10.40.0.1 
broadcast 10.40.255.255 dev br-lan.40 table local proto kernel scope link src 10.40.0.1 
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1 
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1 
local 192.168.129.207 dev eth1 table local proto kernel scope host src 192.168.129.207 
broadcast 192.168.129.255 dev eth1 table local proto kernel scope link src 192.168.129.207 

ip6 stuff removed
root@Router:~# ip rule show
0:	from all lookup local
10000:	from 10.14.0.2 lookup default
10000:	from 10.10.0.1 lookup default
20000:	from all to 10.14.0.2/16 lookup default
20000:	from all to 10.10.0.1/16 lookup default
29998:	from all fwmark 0x20000/0xff0000 lookup pbr_wg0
30000:	from all fwmark 0x10000/0xff0000 lookup pbr_wan
32766:	from all lookup main
32767:	from all lookup default
90014:	from all iif lo lookup 10
90014:	from all iif lo lookup default
90017:	from all iif lo lookup default
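As an added example for reading dumps like the one above (not code from pbr or from anyone in this thread), here is a small Python checker that takes `ip rule show` and `ip route show table all` output in the format printed above and flags two things: rules that look up a table holding no routes (the lookup fails and the kernel simply continues to the next rule, so the rule changes nothing), and rules whose selector and table already appear at an equal or lower preference. The embedded text is a constructed sample trimmed from the dump above; what any individual rule is for is not something the script decides.

```python
"""Sanity-check `ip rule show` against `ip route show table all`.

Added example, not from pbr or the forum thread. Input is the text the
two commands print; the samples below are trimmed from the dump above.
"""
import re

RULE_RE = re.compile(r"^\s*(\d+):\s+(.*?)\s+lookup\s+(\S+)\s*$")
TABLE_RE = re.compile(r"\btable\s+(\S+)")

# Constructed sample: rule lines as `ip rule show` prints them.
SAMPLE_RULES = """\
0:\tfrom all lookup local
10000:\tfrom 10.14.0.2 lookup default
10000:\tfrom 10.10.0.1 lookup default
20000:\tfrom all to 10.14.0.2/16 lookup default
20000:\tfrom all to 10.10.0.1/16 lookup default
29998:\tfrom all fwmark 0x20000/0xff0000 lookup pbr_wg0
30000:\tfrom all fwmark 0x10000/0xff0000 lookup pbr_wan
32766:\tfrom all lookup main
32767:\tfrom all lookup default
90014:\tfrom all iif lo lookup 10
90014:\tfrom all iif lo lookup default
90017:\tfrom all iif lo lookup default
"""

# Constructed sample: a subset of `ip route show table all`.
SAMPLE_ROUTES = """\
default via 192.168.129.1 dev eth1 table pbr_wan
10.20.0.0/16 dev br-lan.20 table pbr_wan proto kernel scope link src 10.20.0.1
default via 10.14.0.2 dev wg0 table pbr_wg0
default dev wg0 table default proto static scope link metric 10
10.14.0.0/16 dev wg0 table default proto static scope link metric 10
default via 192.168.129.1 dev eth1 proto static src 192.168.129.207 metric 20
192.168.129.0/24 dev eth1 proto static scope link metric 20
local 10.10.0.1 dev br-lan.10 table local proto kernel scope host src 10.10.0.1
"""


def parse_rules(text):
    """(preference, selector, table) per rule line; unparsable lines are skipped."""
    out = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            out.append((int(m.group(1)), m.group(2).strip(), m.group(3)))
    return out


def tables_with_routes(text):
    """Names of tables holding at least one route; `ip route` omits `table main`."""
    tables = set()
    for line in text.splitlines():
        if line.strip():
            m = TABLE_RE.search(line)
            tables.add(m.group(1) if m else "main")
    return tables


def dead_lookups(rules, populated):
    """Rules pointing at a table with no routes: the lookup fails and the
    kernel falls through to the next rule, so the rule changes nothing."""
    return [r for r in rules if r[2] not in populated]


def redundant_rules(rules):
    """Rules whose (selector, table) pair already appeared at an equal or lower
    preference: the earlier rule sends the same packets to the same table first."""
    seen, out = set(), []
    for pref, selector, table in sorted(rules, key=lambda r: r[0]):
        if (selector, table) in seen:
            out.append((pref, selector, table))
        seen.add((selector, table))
    return out


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    populated = tables_with_routes(SAMPLE_ROUTES)
    for pref, sel, table in dead_lookups(rules, populated):
        print(f"pref {pref}: '{sel}' looks up table {table}, which has no routes")
    for pref, sel, table in redundant_rules(rules):
        print(f"pref {pref}: '{sel}' -> {table} duplicates an earlier rule")
```

On the sample it reports the `iif lo lookup 10` rule (no table 10 appears in the route dump) and the second `iif lo lookup default` entry at preference 90017. The fwmark rules at 29998 and 30000 are the ones pbr installs, as the "pbr - environment" output further down this page shows; the 90014/90017 entries are not pbr's.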

Excuse me for interrupting. Does this information seem related?

Local firewall rules are NOT ignored by merely installing the package.

If you want to use DNS policies, the DNS requests from the clients you specify in the policy will be routed to the DNS server you specify in the policy; if that server doesn't know anything about your LAN clients, it will respond accordingly.

I understand this, but I am wondering if there is a way to use a DNS policy in a more granular way, i.e. exclude/include a specific set of domains from/in a DNS policy for a specific client.

Is this a resource-constrained device? Sounds like the entire file does not download and hence cannot be processed.

Morning,

I was hoping someone could provide me an example of how to set up some basic rules on pbr, as I keep getting DNS leaks.

I have a fresh install of OpenWrt 23.05.5, I have a WireGuard "client" connecting to a commercial VPN provider (Mullvad), interface "mv1". I have installed dnsmasq-full as per the docs. The default route is currently wan.

I have set all traffic to go through the VPN interface, and this policy works. I have also set a specific domain to bypass the VPN and go out via wan, and this policy works.

I'm using the VPN provider's DNS server, which is obviously only available to traffic that goes through the VPN tunnel. I have a public DNS server set on the wan interface.

The trouble I have is that if I set a DNS policy to force all traffic to go through the VPN DNS server, it can't resolve the traffic that is going through the wan interface, as the VPN DNS server is private.

However, if I disable this rule I get DNS leaks for traffic on the VPN interface, in that it also shows the wan DNS resolver.

{
	"kernel": "5.15.167",
	"hostname": "OpenWrt",
	"system": "ARMv8 Processor rev 3",
	"model": "Raspberry Pi 4 Model B Rev 1.5",
	"board_name": "raspberrypi,4-model-b",
	"rootfs_type": "ext4",
	"release": {
		"distribution": "OpenWrt",
		"version": "23.05.5",
		"revision": "r24106-10cc5fcd00",
		"target": "bcm27xx/bcm2711",
		"description": "OpenWrt 23.05.5 r24106-10cc5fcd00"
	}
}

uci export dhcp
package dhcp

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'
	option filter_aaaa '0'
	option filter_a '0'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option force '1'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'


config defaults
	option syn_flood '1'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'
	list network 'mv1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include 'pbr'
	option fw4_compatible '1'
	option type 'script'
	option path '/usr/share/pbr/firewall.include'

uci export network
package network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdb5:7c80:032b::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.0.1'
	option netmask '255.255.255.0'

config interface 'wan'
	option proto 'pppoe'
	option device 'eth1'
	option username '###'
	option password '###'
	option ipv6 'auto'
	option peerdns '0'
	list dns '1.1.1.1'

config interface 'mv1'
	option proto 'wireguard'
	option private_key '###'
	option listen_port '51820'
	list addresses '###'
	option delegate '0'
	option force_link '1'
	option defaultroute '0'
	list dns '100.64.0.4'

config wireguard_mv1
	option description '###'
	option public_key '###'
	list allowed_ips '0.0.0.0/0'
	option endpoint_host '####'
	option endpoint_port '51820'

uci export pbr
package pbr

config pbr 'config'
	option enabled '1'
	option verbosity '2'
	option strict_enforcement '1'
	option resolver_set 'dnsmasq.nftset'
	list resolver_instance '*'
	option ipv6_enabled '0'
	list ignored_interface 'vpnserver'
	option boot_timeout '30'
	option rule_create_option 'add'
	option procd_boot_delay '0'
	option procd_reload_delay '1'
	option webui_show_ignore_target '0'
	option nft_rule_counter '0'
	option nft_set_auto_merge '1'
	option nft_set_counter '0'
	option nft_set_flags_interval '1'
	option nft_set_flags_timeout '0'
	option nft_set_policy 'performance'
	list webui_supported_protocol 'all'
	list webui_supported_protocol 'tcp'
	list webui_supported_protocol 'udp'
	list webui_supported_protocol 'tcp udp'
	list webui_supported_protocol 'icmp'
	list supported_interface 'mv1'

config include
	option path '/usr/share/pbr/pbr.user.aws'
	option enabled '0'

config include
	option path '/usr/share/pbr/pbr.user.netflix'
	option enabled '0'

config include
	option path '/usr/share/pbr/pbr.user.wg_server_and_client'
	option enabled '0'

config dns_policy
	option name 'Redirect Local IP DNS'
	option src_addr '192.168.0.0/24'
	option dest_dns 'mv1'
	option enabled '0'

config policy
	option name 'Ignore Local Requests'
	option interface 'ignore'
	option dest_addr '10.0.0.0/24 10.0.1.0/24 192.168.100.0/24 192.168.1.0/24'

config policy
	option name 'iptest'
	option dest_addr 'dnsleaktest.com'
	option interface 'wan'

config policy
	option name 'lan'
	option src_addr '192.168.0.0/24'
	option interface 'mv1'

pbr - environment
pbr 1.1.6-22 running on OpenWrt 23.05.5.

Dnsmasq version 2.90  Copyright (c) 2000-2024 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus UBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP conntrack no-ipset nftset auth cryptohash DNSSEC no-ID loop-detect inotify dumpfile

pbr fw4 nft file: /usr/share/nftables.d/ruleset-post/30-pbr.nft
add chain inet fw4 pbr_mark_0x010000
add rule inet fw4 pbr_mark_0x010000  mark set mark and 0xff00ffff xor 0x010000
add rule inet fw4 pbr_mark_0x010000 return
add chain inet fw4 pbr_mark_0x020000
add rule inet fw4 pbr_mark_0x020000  mark set mark and 0xff00ffff xor 0x020000
add rule inet fw4 pbr_mark_0x020000 return
add rule inet fw4 pbr_prerouting ip daddr { 10.0.0.0/24, 10.0.1.0/24, 192.168.100.0/24, 192.168.1.0/24 }  return comment "Ignore Local Requests"
add set inet fw4 pbr_wan_4_dst_ip_cfg076ff5 { type ipv4_addr;  		 auto-merge; 		 		 flags interval; 		 		 policy performance; 		  comment "iptest"; }
add rule inet fw4 pbr_prerouting ip daddr @pbr_wan_4_dst_ip_cfg076ff5  goto pbr_mark_0x010000 comment "iptest"
add rule inet fw4 pbr_prerouting ip saddr { 192.168.0.0/24 }  goto pbr_mark_0x020000 comment "lan"

pbr chains - policies
	chain pbr_forward { # handle 30
	}
	chain pbr_input { # handle 31
	}
	chain pbr_output { # handle 32
	}
	chain pbr_postrouting { # handle 34
	}
	chain pbr_prerouting { # handle 33
		ip daddr { 10.0.0.0/23, 192.168.1.0/24, 192.168.100.0/24 } return comment "Ignore Local Requests" # handle 595
		ip daddr @pbr_wan_4_dst_ip_cfg076ff5 goto pbr_mark_0x010000 comment "iptest" # handle 597
		ip saddr 192.168.0.0/24 goto pbr_mark_0x020000 comment "lan" # handle 598
	}
	chain pbr_dstnat { # handle 29
	}

pbr chains - marking
	chain pbr_mark_0x010000 { # handle 588
		meta mark set meta mark & 0xff01ffff | 0x00010000 # handle 589
		return # handle 590
	}
	chain pbr_mark_0x020000 { # handle 591
		meta mark set meta mark & 0xff02ffff | 0x00020000 # handle 592
		return # handle 593
	}

pbr nft sets
	set pbr_wan_4_dst_ip_cfg076ff5 { # handle 596
		type ipv4_addr
		flags interval
		auto-merge
		comment "iptest"
		elements = { ######### }
	}

dnsmasq sets
nftset=/dnsleaktest.com/4#inet#fw4#pbr_wan_4_dst_ip_cfg076ff5 # iptest

IPv4 table 256 route: default via 1####### dev pppoe-wan 
IPv4 table 256 rule(s):
30000:	from all fwmark 0x10000/0xff0000 lookup pbr_wan
IPv4 table 257 route: default via 10.###### dev mv1 
IPv4 table 257 rule(s):
29998:	from all fwmark 0x20000/0xff0000 lookup pbr_mv1

/etc/init.d/pbr reload
Using wan interface (on_start): wan 
Found wan gateway (on_start): 1#######
Setting up routing for 'wan/pppoe-wan/1########' [✓]
Setting up routing for 'mv1/10.#######' [✓]
Routing 'Ignore Local Requests' via ignore [✓]
Routing 'iptest' via wan [✓]
Routing 'lan' via mv1 [✓]
Installing fw4 nft file [✓]
pbr 1.1.6-22 monitoring interfaces: wan mv1 
Restarting dnsmasq [✓]
pbr 1.1.6-22 (fw4 nft file mode) started with gateways:
wan/pppoe-wan/1######[✓]
mv1/10.#####
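The nft file and `ip rule` entries in this dump are enough to predict, per flow, which routing table a LAN client's packet ends up in. The script below is an added example written for this page, not pbr's own code: it replays the three `pbr_prerouting` rules and the two fwmark rules shown above on constructed packets, and also shows that the `mark and 0xff00ffff xor 0x010000` rule pbr writes and the `mark & 0xff01ffff | 0x00010000` form nft prints back are the same operation. Assumptions: the 0xNN0000/0xff0000 mark layout from the dump, and the address 203.0.113.10 (TEST-NET-3) standing in for whatever dnsmasq put into the 'iptest' set.

```python
"""Replay pbr's nft marking and fwmark rules on constructed packets.

Added example, not pbr's own code. It reproduces the pbr_prerouting
chain and the `ip rule` entries shown in the diagnostics above so the
routing table a forwarded flow will use can be predicted before a policy
is changed. Assumed: the mark layout 0xNN0000/0xff0000 from the dump,
and the constructed address 203.0.113.10 standing in for the 'iptest' set.
"""
import ipaddress

MARK_MASK = 0xff0000                     # fwmark mask pbr uses in its ip rules
WAN_MARK, MV1_MARK = 0x010000, 0x020000  # pbr_mark_0x010000 / pbr_mark_0x020000


def set_mark(mark, value):
    """The rule pbr writes: `mark set mark and 0xff00ffff xor VALUE`."""
    return (mark & 0xff00ffff) ^ value


def set_mark_as_rendered(mark, value):
    """The same rule as nft prints it back, e.g. `mark & 0xff01ffff | 0x00010000`:
    the mask keeps the bits the xor would set, then they are ORed in."""
    return (mark & (0xff00ffff | value)) | value


# `ip rule show` entries from the pbr environment dump: (pref, fwmark value, table).
IP_RULES = [
    (29998, MV1_MARK, "pbr_mv1"),
    (30000, WAN_MARK, "pbr_wan"),
    (32766, None, "main"),
]


def lookup_table(mark):
    """First rule whose masked fwmark matches; a value of None matches everything."""
    for _pref, value, table in sorted(IP_RULES, key=lambda r: r[0]):
        if value is None or (mark & MARK_MASK) == value:
            return table
    return "main"


# The pbr_prerouting chain as listed in the dump, in rule order.
IGNORE_NETS = [ipaddress.ip_network(n) for n in
               ("10.0.0.0/23", "192.168.1.0/24", "192.168.100.0/24")]
LAN = ipaddress.ip_network("192.168.0.0/24")
# Constructed stand-in for the dnsmasq-populated set behind the 'iptest' policy.
IPTEST_SET = {ipaddress.ip_address("203.0.113.10")}


def pbr_prerouting(saddr, daddr, mark=0):
    """Walk the three prerouting rules in the order the dump lists them."""
    src, dst = ipaddress.ip_address(saddr), ipaddress.ip_address(daddr)
    if any(dst in net for net in IGNORE_NETS):
        return mark                          # 'Ignore Local Requests': return, unmarked
    if dst in IPTEST_SET:
        return set_mark(mark, WAN_MARK)      # 'iptest': goto pbr_mark_0x010000
    if src in LAN:
        return set_mark(mark, MV1_MARK)      # 'lan': goto pbr_mark_0x020000
    return mark


def table_for(saddr, daddr, mark=0):
    """Routing table a forwarded packet ends up in after marking and rule lookup."""
    return lookup_table(pbr_prerouting(saddr, daddr, mark))


if __name__ == "__main__":
    for src, dst, what in (
        ("192.168.0.50", "100.64.0.4", "DNS query to the VPN resolver"),
        ("192.168.0.50", "1.1.1.1", "DNS query to the WAN resolver"),
        ("192.168.0.50", "203.0.113.10", "address in the iptest set"),
        ("192.168.0.50", "192.168.1.10", "ignored local destination"),
    ):
        print(f"{src} -> {dst:<14} {what:<32} table {table_for(src, dst)}")
```

Two things the replay makes visible: a LAN client's query to 1.1.1.1 is pushed into pbr_mv1 by the 'lan' policy just like everything else, and only a destination matched by an earlier rule (the ignore list, or the iptest set) escapes, because the iptest rule sits above the lan rule. The model covers forwarded client traffic only; the router's own upstream queries from dnsmasq pass through pbr_output, which is empty in this dump, so they are not marked by any of these rules.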

My bad. I don't know how I managed to test this 3 times yesterday; every time it always seemed to work only when I switched the "ignore local" on. Now of course it works as you say, which makes sense, so great.

Which leaves me with my own mystery. It seems the WAN or WG reboots, and when that happens the firewall and routing seem not to work as they should. Of course a house full of people start shouting then, so I hit reset and don't investigate too long. But it seemed last time only WG worked, not WAN.

Are there any known factors with pbr that cause WAN/WG crashes?
I had "not strictly enforce" on; should that not reroute to WAN if WG goes down?

Can you clarify that? You set a DNS policy for your LAN clients, which are using the VPN already, so they should be able to use that same VPN DNS server.

If I set the DNS policy rule named "Redirect Local IP DNS" as in my example above, the result is that all the DNS requests are sent through the VPN tunnel to the VPN provider's DNS server. I get no DNS leaks.

However, if the aforementioned rule is enabled, any DNS requests sent over the wan interface are not resolved, despite having a public DNS server listed on the wan interface.

I hope that makes sense.

It is /usr/share/pbr/pbr.user.netflix with the Facebook ASN changed.

I've encountered a problem with pbr on the latest snapshot. When the dnsmasq nft set is used, domain-name-based policies no longer work. Everything works as intended, though, when the resolver set option is switched back to none. I've flushed the DNS cache before every try and disabled the DoH proxy built into the web browser.

Any tips will be much appreciated. I've collected all the diagnostic info below.

{
	"kernel": "6.6.59",
	"hostname": "router",
	"system": "ARMv8 Processor rev 0",
	"model": "Bananapi BPI-R4",
	"board_name": "bananapi,bpi-r4",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "SNAPSHOT",
		"revision": "r28034-ca53f2d430",
		"target": "mediatek/filogic",
		"description": "OpenWrt SNAPSHOT r28034-ca53f2d430",
		"builddate": "1731082951"
	}
}
package dhcp

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'
	option filter_aaaa '0'
	option filter_a '0'
	list server '/mask.icloud.com/'
	list server '/mask-h2.icloud.com/'
	list server '/use-application-dns.net/'
	list server '127.0.0.1#5053'
	list server '127.0.0.1#5054'
	option doh_backup_noresolv '-1'
	option noresolv '1'
	list doh_backup_server '/mask.icloud.com/'
	list doh_backup_server '/mask-h2.icloud.com/'
	list doh_backup_server '/use-application-dns.net/'
	list doh_backup_server '127.0.0.1#5053'
	list doh_backup_server '127.0.0.1#5054'
	list doh_server '127.0.0.1#5053'
	list doh_server '127.0.0.1#5054'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	option ra_slaac '1'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	option force '1'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'guest'
	option interface 'guest'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option force '1'

package firewall

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'
	option flow_offloading '1'
	option flow_offloading_hw '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'
	list network 'tun0'

config zone
	option name 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'guest'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config forwarding
	option src 'guest'
	option dest 'wan'

config rule
	option name 'Allow-DNS-Guest'
	option src 'guest'
	option dest_port '53'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCP-Guest'
	list proto 'udp'
	option src 'guest'
	option dest_port '67'
	option target 'ACCEPT'

config include 'pbr'
	option fw4_compatible '1'
	option type 'script'
	option path '/usr/share/pbr/firewall.include'

package network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdca:8fab:878e::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth1'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'wan'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config device
	option name 'eth2'
	option macaddr '46:9b:8a:36:18:fb'

config interface 'wan'
	option device 'eth2'
	option proto 'dhcp'

config interface 'wan6'
	option device 'eth2'
	option proto 'dhcpv6'
	option reqaddress 'try'
	option reqprefix 'auto'

config interface 'guest'
	option proto 'static'
	option device 'phy1-ap1'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'

config interface 'tun0'
	option proto 'none'
	option device 'tun0'
	option defaultroute '0'

package pbr

config pbr 'config'
	option enabled '1'
	option verbosity '2'
	option strict_enforcement '1'
	option resolver_set 'dnsmasq.nftset'
	option ipv6_enabled '0'
	list ignored_interface 'vpnserver'
	list ignored_interface 'wgserver'
	option boot_timeout '30'
	option rule_create_option 'add'
	option procd_reload_delay '10'
	option webui_show_ignore_target '0'
	list webui_supported_protocol 'all'
	list webui_supported_protocol 'tcp'
	list webui_supported_protocol 'udp'
	list webui_supported_protocol 'tcp udp'
	list webui_supported_protocol 'icmp'
	option nft_rule_counter '0'
	option nft_set_auto_merge '1'
	option nft_set_counter '0'
	option nft_set_flags_interval '1'
	option nft_set_flags_timeout '0'
	option nft_set_policy 'performance'
	option procd_boot_delay '20'

config include
	option path '/usr/share/pbr/pbr.user.aws'
	option enabled '0'

config include
	option path '/usr/share/pbr/pbr.user.netflix'
	option enabled '0'

config policy
	option name 'facebook.com'
	option dest_addr 'facebook.com static.xx.fbcdn.net fbcdn.com meta.com'
	option interface 'tun0'

config policy
	option name 'instagram.com'
	option dest_addr 'instagram.com'
	option interface 'tun0'

config policy
	option interface 'tun0'
	option name 'twitter.com'
	option dest_addr 'twitter.com x.com twimg.com '

config policy
	option name 'digitalocean.com'
	option dest_addr 'digitalocean.com'
	option interface 'tun0'

config policy
	option name 'openvpn.net'
	option dest_addr 'openvpn.net'
	option interface 'tun0'

config policy
	option name 'chatgpt.com'
	option dest_addr 'chatgpt.com'
	option interface 'tun0'

config policy
	option name 'discord.com'
	option dest_addr 'dis.gd discord.co discord.com discord.design discord.dev discord.gg discord.gift discord.gifts discord.media discord.new discord.store discordactivities.com discordapp.com discordapp.net discordmerch.com discordpartygames.com discordsays.com discordstatus.com discordcdn.com '
	option interface 'tun0'

config policy
	option name 'protonmail.com'
	option dest_addr 'protonmail.com proton.me'
	option interface 'tun0'

config policy
	option name 'DUT1'
	option src_addr '192.168.1.217'
	option interface 'tun0'
	option enabled '0'

config policy
	option name 'DUT2'
	option src_addr '192.168.1.147'
	option interface 'tun0'
	option enabled '0'


pbr - environment
pbr 1.1.7-47 running on OpenWrt SNAPSHOT.

Dnsmasq version 2.90  Copyright (c) 2000-2024 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus UBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP conntrack no-ipset nftset auth cryptohash DNSSEC no-ID loop-detect inotify dumpfile

pbr fw4 nft file: /usr/share/nftables.d/ruleset-post/30-pbr.nft
add chain inet fw4 pbr_mark_0x010000
add rule inet fw4 pbr_mark_0x010000  mark set mark and 0xff00ffff xor 0x010000
add rule inet fw4 pbr_mark_0x010000 return
add chain inet fw4 pbr_mark_0x020000
add rule inet fw4 pbr_mark_0x020000  mark set mark and 0xff00ffff xor 0x020000
add rule inet fw4 pbr_mark_0x020000 return

pbr chains - policies
	chain pbr_forward { # handle 37
	}
	chain pbr_input { # handle 38
	}
	chain pbr_output { # handle 39
	}
	chain pbr_postrouting { # handle 41
	}
	chain pbr_prerouting { # handle 40
	}
	chain pbr_dstnat { # handle 36
	}

pbr chains - marking
	chain pbr_mark_0x010000 { # handle 577
		meta mark set meta mark & 0xff01ffff | 0x00010000 # handle 1074
		return # handle 1075
	}
	chain pbr_mark_0x020000 { # handle 580
		meta mark set meta mark & 0xff02ffff | 0x00020000 # handle 1076
		return # handle 1077
	}

pbr nft sets

IPv4 table 256 route: default via 192.168.1.1 dev eth2 
IPv4 table 256 rule(s):
30000:	from all fwmark 0x10000/0xff0000 lookup pbr_wan
IPv4 table 257 route: default via 10.8.0.5 dev tun0 
IPv4 table 257 rule(s):
29998:	from all fwmark 0x20000/0xff0000 lookup pbr_tun0

pbr - environment
pbr 1.1.7-47 running on OpenWrt SNAPSHOT.

Dnsmasq version 2.90  Copyright (c) 2000-2024 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus UBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP conntrack no-ipset nftset auth cryptohash DNSSEC no-ID loop-detect inotify dumpfile

pbr fw4 nft file: /usr/share/nftables.d/ruleset-post/30-pbr.nft
add chain inet fw4 pbr_mark_0x010000
add rule inet fw4 pbr_mark_0x010000  mark set mark and 0xff00ffff xor 0x010000
add rule inet fw4 pbr_mark_0x010000 return
add chain inet fw4 pbr_mark_0x020000
add rule inet fw4 pbr_mark_0x020000  mark set mark and 0xff00ffff xor 0x020000
add rule inet fw4 pbr_mark_0x020000 return
add set inet fw4 pbr_tun0_4_dst_ip_cfg046ff5 { type ipv4_addr;  		 auto-merge; 		 		 flags interval; 		 		 policy performance; 		 		 comment "facebook.com";}
add rule inet fw4 pbr_prerouting ip daddr @pbr_tun0_4_dst_ip_cfg046ff5  goto pbr_mark_0x020000 comment "facebook.com"
add set inet fw4 pbr_tun0_4_dst_ip_cfg056ff5 { type ipv4_addr;  		 auto-merge; 		 		 flags interval; 		 		 policy performance; 		 		 comment "instagram.com";}
add rule inet fw4 pbr_prerouting ip daddr @pbr_tun0_4_dst_ip_cfg056ff5  goto pbr_mark_0x020000 comment "instagram.com"
add set inet fw4 pbr_tun0_4_dst_ip_cfg066ff5 { type ipv4_addr;  		 auto-merge; 		 		 flags interval; 		 		 policy performance; 		 		 comment "twitter.com";}
add rule inet fw4 pbr_prerouting ip daddr @pbr_tun0_4_dst_ip_cfg066ff5  goto pbr_mark_0x020000 comment "twitter.com"
add set inet fw4 pbr_tun0_4_dst_ip_cfg076ff5 { type ipv4_addr;  		 auto-merge; 		 		 flags interval; 		 		 policy performance; 		 		 comment "digitalocean.com";}
add rule inet fw4 pbr_prerouting ip daddr @pbr_tun0_4_dst_ip_cfg076ff5  goto pbr_mark_0x020000 comment "digitalocean.com"
add set inet fw4 pbr_tun0_4_dst_ip_cfg086ff5 { type ipv4_addr;  		 auto-merge; 		 		 flags interval; 		 		 policy performance; 		 		 comment "openvpn.net";}
add rule inet fw4 pbr_prerouting ip daddr @pbr_tun0_4_dst_ip_cfg086ff5  goto pbr_mark_0x020000 comment "openvpn.net"
add set inet fw4 pbr_tun0_4_dst_ip_cfg096ff5 { type ipv4_addr;  		 auto-merge; 		 		 flags interval; 		 		 policy performance; 		 		 comment "chatgpt.com";}
add rule inet fw4 pbr_prerouting ip daddr @pbr_tun0_4_dst_ip_cfg096ff5  goto pbr_mark_0x020000 comment "chatgpt.com"
add set inet fw4 pbr_tun0_4_dst_ip_cfg0a6ff5 { type ipv4_addr;  		 auto-merge; 		 		 flags interval; 		 		 policy performance; 		 		 comment "discord.com";}
add rule inet fw4 pbr_prerouting ip daddr @pbr_tun0_4_dst_ip_cfg0a6ff5  goto pbr_mark_0x020000 comment "discord.com"
add set inet fw4 pbr_tun0_4_dst_ip_cfg0b6ff5 { type ipv4_addr;  		 auto-merge; 		 		 flags interval; 		 		 policy performance; 		 		 comment "protonmail.com";}
add rule inet fw4 pbr_prerouting ip daddr @pbr_tun0_4_dst_ip_cfg0b6ff5  goto pbr_mark_0x020000 comment "protonmail.com"

pbr chains - policies
	chain pbr_forward { # handle 37
	}
	chain pbr_input { # handle 38
	}
	chain pbr_output { # handle 39
	}
	chain pbr_postrouting { # handle 41
	}
	chain pbr_prerouting { # handle 40
		ip daddr @pbr_tun0_4_dst_ip_cfg046ff5 goto pbr_mark_0x020000 comment "facebook.com" # handle 1202
		ip daddr @pbr_tun0_4_dst_ip_cfg056ff5 goto pbr_mark_0x020000 comment "instagram.com" # handle 1204
		ip daddr @pbr_tun0_4_dst_ip_cfg066ff5 goto pbr_mark_0x020000 comment "twitter.com" # handle 1206
		ip daddr @pbr_tun0_4_dst_ip_cfg076ff5 goto pbr_mark_0x020000 comment "digitalocean.com" # handle 1208
		ip daddr @pbr_tun0_4_dst_ip_cfg086ff5 goto pbr_mark_0x020000 comment "openvpn.net" # handle 1210
		ip daddr @pbr_tun0_4_dst_ip_cfg096ff5 goto pbr_mark_0x020000 comment "chatgpt.com" # handle 1212
		ip daddr @pbr_tun0_4_dst_ip_cfg0a6ff5 goto pbr_mark_0x020000 comment "discord.com" # handle 1214
		ip daddr @pbr_tun0_4_dst_ip_cfg0b6ff5 goto pbr_mark_0x020000 comment "protonmail.com" # handle 1216
	}
	chain pbr_dstnat { # handle 36
	}

pbr chains - marking
	chain pbr_mark_0x010000 { # handle 1195
		meta mark set meta mark & 0xff01ffff | 0x00010000 # handle 1196
		return # handle 1197
	}
	chain pbr_mark_0x020000 { # handle 1198
		meta mark set meta mark & 0xff02ffff | 0x00020000 # handle 1199
		return # handle 1200
	}

pbr nft sets
	set pbr_tun0_4_dst_ip_cfg046ff5 { # handle 1201
		type ipv4_addr
		flags interval
		auto-merge
		comment "facebook.com"
	}
	set pbr_tun0_4_dst_ip_cfg056ff5 { # handle 1203
		type ipv4_addr
		flags interval
		auto-merge
		comment "instagram.com"
	}
	set pbr_tun0_4_dst_ip_cfg066ff5 { # handle 1205
		type ipv4_addr
		flags interval
		auto-merge
		comment "twitter.com"
	}
	set pbr_tun0_4_dst_ip_cfg076ff5 { # handle 1207
		type ipv4_addr
		flags interval
		auto-merge
		comment "digitalocean.com"
	}
	set pbr_tun0_4_dst_ip_cfg086ff5 { # handle 1209
		type ipv4_addr
		flags interval
		auto-merge
		comment "openvpn.net"
	}
	set pbr_tun0_4_dst_ip_cfg096ff5 { # handle 1211
		type ipv4_addr
		flags interval
		auto-merge
		comment "chatgpt.com"
	}
	set pbr_tun0_4_dst_ip_cfg0a6ff5 { # handle 1213
		type ipv4_addr
		flags interval
		auto-merge
		comment "discord.com"
	}
	set pbr_tun0_4_dst_ip_cfg0b6ff5 { # handle 1215
		type ipv4_addr
		flags interval
		auto-merge
		comment "protonmail.com"
	}

dnsmasq sets
nftset=/facebook.com/4#inet#fw4#pbr_tun0_4_dst_ip_cfg046ff5 # facebook.com
nftset=/static.xx.fbcdn.net/4#inet#fw4#pbr_tun0_4_dst_ip_cfg046ff5 # facebook.com
nftset=/fbcdn.com/4#inet#fw4#pbr_tun0_4_dst_ip_cfg046ff5 # facebook.com
nftset=/meta.com/4#inet#fw4#pbr_tun0_4_dst_ip_cfg046ff5 # facebook.com
nftset=/instagram.com/4#inet#fw4#pbr_tun0_4_dst_ip_cfg056ff5 # instagram.com
nftset=/twitter.com/4#inet#fw4#pbr_tun0_4_dst_ip_cfg066ff5 # twitter.com
nftset=/twimg.com/4#inet#fw4#pbr_tun0_4_dst_ip_cfg066ff5 # twitter.com
nftset=/digitalocean.com/4#inet#fw4#pbr_tun0_4_dst_ip_cfg076ff5 # digitalocean.com
nftset=/openvpn.net/4#inet#fw4#pbr_tun0_4_dst_ip_cfg086ff5 # openvpn.net
nftset=/chatgpt.com/4#inet#fw4#pbr_tun0_4_dst_ip_cfg096ff5 # chatgpt.com
nftset=/dis.gd/4#inet#fw4#pbr_tun0_4_dst_ip_cfg0a6ff5 # discord.com
nftset=/discord.co/4#inet#fw4#pbr_tun0_4_dst_ip_cfg0a6ff5 # discord.com
nftset=/discord.com/4#inet#fw4#pbr_tun0_4_dst_ip_cfg0a6ff5 # discord.com
nftset=/discord.design/4#inet#fw4#pbr_tun0_4_dst_ip_cfg0a6ff5 # discord.com
nftset=/discord.dev/4#inet#fw4#pbr_tun0_4_dst_ip_cfg0a6ff5 # discord.com
nftset=/discord.gg/4#inet#fw4#pbr_tun0_4_dst_ip_cfg0a6ff5 # discord.com
nftset=/discord.gift/4#inet#fw4#pbr_tun0_4_dst_ip_cfg0a6ff5 # discord.com
nftset=/discord.gifts/4#inet#fw4#pbr_tun0_4_dst_ip_cfg0a6ff5 # discord.com
nftset=/discord.media/4#inet#fw4#pbr_tun0_4_dst_ip_cfg0a6ff5 # discord.com
nftset=/discord.new/4#inet#fw4#pbr_tun0_4_dst_ip_cfg0a6ff5 # discord.com
nftset=/discord.store/4#inet#fw4#pbr_tun0_4_dst_ip_cfg0a6ff5 # discord.com
nftset=/discordactivities.com/4#inet#fw4#pbr_tun0_4_dst_ip_cfg0a6ff5 # discord.com
nftset=/discordapp.com/4#inet#fw4#pbr_tun0_4_dst_ip_cfg0a6ff5 # discord.com
nftset=/discordapp.net/4#inet#fw4#pbr_tun0_4_dst_ip_cfg0a6ff5 # discord.com
nftset=/discordmerch.com/4#inet#fw4#pbr_tun0_4_dst_ip_cfg0a6ff5 # discord.com
nftset=/discordpartygames.com/4#inet#fw4#pbr_tun0_4_dst_ip_cfg0a6ff5 # discord.com
nftset=/discordsays.com/4#inet#fw4#pbr_tun0_4_dst_ip_cfg0a6ff5 # discord.com
nftset=/discordstatus.com/4#inet#fw4#pbr_tun0_4_dst_ip_cfg0a6ff5 # discord.com
nftset=/discordcdn.com/4#inet#fw4#pbr_tun0_4_dst_ip_cfg0a6ff5 # discord.com
nftset=/protonmail.com/4#inet#fw4#pbr_tun0_4_dst_ip_cfg0b6ff5 # protonmail.com
nftset=/proton.me/4#inet#fw4#pbr_tun0_4_dst_ip_cfg0b6ff5 # protonmail.com

IPv4 table 256 route: default via 192.168.1.1 dev eth2 
IPv4 table 256 rule(s):
30000:	from all fwmark 0x10000/0xff0000 lookup pbr_wan
IPv4 table 257 route: default via 10.8.0.5 dev tun0 
IPv4 table 257 rule(s):
29998:	from all fwmark 0x20000/0xff0000 lookup pbr_tun0