OK, @egc. Later, after work, I will create the output of these commands and show it to you.
Hi, @egc! First 4 commands' output:
root@OpenWrt:~# /etc/init.d/pbr reload
Using wan interface (on_start): wan
Found wan gateway (on_start): 192.168.1.254
Setting up routing for 'wan/br-wan/192.168.1.254' [?]
Setting up routing for 'openconnect/vpn-openconnect/10.10.10.114' [?]
Routing 'XBOX' via openconnect [?]
Routing 'MY-PC' via openconnect [?]
Routing 'MY-PC' via openconnect [?]
Installing fw4 nft file [?]
pbr 1.1.7-57 monitoring interfaces: wan openconnect
pbr 1.1.7-57 (fw4 nft file mode) started with gateways:
wan/br-wan/192.168.1.254 [?]
openconnect/vpn-openconnect/10.10.10.114
root@OpenWrt:~# /etc/init.d/pbr status
pbr - environment
pbr 1.1.7-57 running on OpenWrt SNAPSHOT.
Dnsmasq version 2.90 Copyright (c) 2000-2024 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus UBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP conntrack no-ipset nftset auth cryptohash DNSSEC no-ID loop-detect inotify dumpfile
pbr fw4 nft file: /usr/share/nftables.d/ruleset-post/30-pbr.nft
add chain inet fw4 pbr_mark_0x010000
add rule inet fw4 pbr_mark_0x010000 mark set mark and 0xff00ffff xor 0x010000
add rule inet fw4 pbr_mark_0x010000 return
add chain inet fw4 pbr_mark_0x020000
add rule inet fw4 pbr_mark_0x020000 mark set mark and 0xff00ffff xor 0x020000
add rule inet fw4 pbr_mark_0x020000 return
add rule inet fw4 pbr_prerouting ip saddr { 192.168.0.216 } tcp sport { 0-65535 } tcp dport { 0-65535 } goto pbr_mark_0x020000 comment "XBOX"
add rule inet fw4 pbr_prerouting ip saddr { 192.168.0.216 } udp sport { 0-65535 } udp dport { 0-65535 } goto pbr_mark_0x020000 comment "XBOX"
add set inet fw4 pbr_openconnect_4_dst_ip_cfg036ff5 { type ipv4_addr; auto-merge; flags interval; policy performance; comment "MY-PC";}
add rule inet fw4 pbr_prerouting ip saddr { 192.168.0.112 } ip daddr @pbr_openconnect_4_dst_ip_cfg036ff5 tcp sport { 0-65535 } tcp dport { 0-65535 } goto pbr_mark_0x020000 comment "MY-PC"
add set inet fw4 pbr_openconnect_4_dst_ip_cfg036ff5 { type ipv4_addr; auto-merge; flags interval; policy performance; comment "MY-PC";}
add rule inet fw4 pbr_prerouting ip saddr { 192.168.0.112 } ip daddr @pbr_openconnect_4_dst_ip_cfg036ff5 udp sport { 0-65535 } udp dport { 0-65535 } goto pbr_mark_0x020000 comment "MY-PC"
add set inet fw4 pbr_openconnect_4_dst_ip_cfg046ff5 { type ipv4_addr; auto-merge; flags interval; policy performance; comment "MY-PC";}
add rule inet fw4 pbr_prerouting ip saddr { 192.168.0.112 } ip daddr @pbr_openconnect_4_dst_ip_cfg046ff5 tcp sport { 0-65535 } tcp dport { 0-65535 } goto pbr_mark_0x020000 comment "MY-PC"
add set inet fw4 pbr_openconnect_4_dst_ip_cfg046ff5 { type ipv4_addr; auto-merge; flags interval; policy performance; comment "MY-PC";}
add rule inet fw4 pbr_prerouting ip saddr { 192.168.0.112 } ip daddr @pbr_openconnect_4_dst_ip_cfg046ff5 udp sport { 0-65535 } udp dport { 0-65535 } goto pbr_mark_0x020000 comment "MY-PC"
pbr chains - policies
chain pbr_forward { # handle 37
}
chain pbr_input { # handle 38
}
chain pbr_output { # handle 39
}
chain pbr_postrouting { # handle 41
}
chain pbr_prerouting { # handle 40
ip saddr 192.168.0.216 tcp sport 0-65535 tcp dport 0-65535 goto pbr_mark_0x020000 comment "XBOX" # handle 892
ip saddr 192.168.0.216 udp sport 0-65535 udp dport 0-65535 goto pbr_mark_0x020000 comment "XBOX" # handle 893
ip saddr 192.168.0.112 ip daddr @pbr_openconnect_4_dst_ip_cfg036ff5 tcp sport 0-65535 tcp dport 0-65535 goto pbr_mark_0x020000 comment "MY-PC" # handle 895
ip saddr 192.168.0.112 ip daddr @pbr_openconnect_4_dst_ip_cfg036ff5 udp sport 0-65535 udp dport 0-65535 goto pbr_mark_0x020000 comment "MY-PC" # handle 896
ip saddr 192.168.0.112 ip daddr @pbr_openconnect_4_dst_ip_cfg046ff5 tcp sport 0-65535 tcp dport 0-65535 goto pbr_mark_0x020000 comment "MY-PC" # handle 898
ip saddr 192.168.0.112 ip daddr @pbr_openconnect_4_dst_ip_cfg046ff5 udp sport 0-65535 udp dport 0-65535 goto pbr_mark_0x020000 comment "MY-PC" # handle 899
}
chain pbr_dstnat { # handle 36
}
pbr chains - marking
chain pbr_mark_0x010000 { # handle 886
meta mark set meta mark & 0xff01ffff | 0x00010000 # handle 887
return # handle 888
}
chain pbr_mark_0x020000 { # handle 889
meta mark set meta mark & 0xff02ffff | 0x00020000 # handle 890
return # handle 891
}
pbr nft sets
set pbr_openconnect_4_dst_ip_cfg036ff5 { # handle 894
type ipv4_addr
flags interval
auto-merge
comment "MY-PC"
}
set pbr_openconnect_4_dst_ip_cfg046ff5 { # handle 897
type ipv4_addr
flags interval
auto-merge
comment "MY-PC"
}
dnsmasq sets
nftset=/2ip.io/4#inet#fw4#pbr_openconnect_4_dst_ip_cfg036ff5 # MY-PC
nftset=/2ip.io/4#inet#fw4#pbr_openconnect_4_dst_ip_cfg036ff5 # MY-PC
nftset=/dnsleaktest.com/4#inet#fw4#pbr_openconnect_4_dst_ip_cfg046ff5 # MY-PC
nftset=/dnsleaktest.com/4#inet#fw4#pbr_openconnect_4_dst_ip_cfg046ff5 # MY-PC
IPv4 table 256 route: default via 192.168.1.254 dev br-wan
IPv4 table 256 rule(s):
30000: from all fwmark 0x10000/0xff0000 lookup pbr_wan
IPv4 table 257 route: default via 10.10.10.114 dev vpn-openconnect
IPv4 table 257 rule(s):
29998: from all fwmark 0x20000/0xff0000 lookup pbr_openconnect
root@OpenWrt:~# cat /var/run/pbr.nft
#!/usr/sbin/nft -f
add chain inet fw4 pbr_mark_0x010000
add rule inet fw4 pbr_mark_0x010000 mark set mark and 0xff00ffff xor 0x010000
add rule inet fw4 pbr_mark_0x010000 return
add chain inet fw4 pbr_mark_0x020000
add rule inet fw4 pbr_mark_0x020000 mark set mark and 0xff00ffff xor 0x020000
add rule inet fw4 pbr_mark_0x020000 return
add rule inet fw4 pbr_prerouting ip saddr { 192.168.0.216 } tcp sport { 0-65535 } tcp dport { 0-65535 } goto pbr_mark_0x020000 comment "XBOX"
add rule inet fw4 pbr_prerouting ip saddr { 192.168.0.216 } udp sport { 0-65535 } udp dport { 0-65535 } goto pbr_mark_0x020000 comment "XBOX"
add set inet fw4 pbr_openconnect_4_dst_ip_cfg036ff5 { type ipv4_addr; auto-merge; flags interval; policy performance; comment "MY-PC";}
add rule inet fw4 pbr_prerouting ip saddr { 192.168.0.112 } ip daddr @pbr_openconnect_4_dst_ip_cfg036ff5 tcp sport { 0-65535 } tcp dport { 0-65535 } goto pbr_mark_0x020000 comment "MY-PC"
add set inet fw4 pbr_openconnect_4_dst_ip_cfg036ff5 { type ipv4_addr; auto-merge; flags interval; policy performance; comment "MY-PC";}
add rule inet fw4 pbr_prerouting ip saddr { 192.168.0.112 } ip daddr @pbr_openconnect_4_dst_ip_cfg036ff5 udp sport { 0-65535 } udp dport { 0-65535 } goto pbr_mark_0x020000 comment "MY-PC"
add set inet fw4 pbr_openconnect_4_dst_ip_cfg046ff5 { type ipv4_addr; auto-merge; flags interval; policy performance; comment "MY-PC";}
add rule inet fw4 pbr_prerouting ip saddr { 192.168.0.112 } ip daddr @pbr_openconnect_4_dst_ip_cfg046ff5 tcp sport { 0-65535 } tcp dport { 0-65535 } goto pbr_mark_0x020000 comment "MY-PC"
add set inet fw4 pbr_openconnect_4_dst_ip_cfg046ff5 { type ipv4_addr; auto-merge; flags interval; policy performance; comment "MY-PC";}
add rule inet fw4 pbr_prerouting ip saddr { 192.168.0.112 } ip daddr @pbr_openconnect_4_dst_ip_cfg046ff5 udp sport { 0-65535 } udp dport { 0-65535 } goto pbr_mark_0x020000 comment "MY-PC"
root@OpenWrt:~# nft -c -f /var/run/pbr.nft
root@OpenWrt:~#
And the output after reboot from these commands:
nft list ruleset
cat /tmp/dnsmasq.d/pbr
root@OpenWrt:~# nft list ruleset
table inet fw4 {
flowtable ft {
hook ingress priority filter
devices = { eth1, eth2, lan1, lan2, lan3, phy0-ap0, phy1-ap0, phy2-ap0, wan }
flags offload
counter
}
chain input {
type filter hook input priority filter; policy drop;
iif "lo" accept comment "!fw4: Accept traffic from loopback"
ct state vmap { invalid : drop, established : accept, related : accept } comment "!fw4: Handle inbound flows"
tcp flags syn / fin,syn,rst,ack jump syn_flood comment "!fw4: Rate limit TCP syn packets"
iifname "br-lan" jump input_lan comment "!fw4: Handle lan IPv4/IPv6 input traffic"
iifname "br-wan" jump input_wan comment "!fw4: Handle wan IPv4/IPv6 input traffic"
iifname "vpn-openconnect" jump input_openconnect comment "!fw4: Handle openconnect IPv4/IPv6 input traffic"
jump handle_reject
}
chain forward {
type filter hook forward priority filter; policy drop;
meta l4proto { tcp, udp } flow add @ft
ct state vmap { invalid : drop, established : accept, related : accept } comment "!fw4: Handle forwarded flows"
iifname "br-lan" jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic"
iifname "br-wan" jump forward_wan comment "!fw4: Handle wan IPv4/IPv6 forward traffic"
iifname "vpn-openconnect" jump forward_openconnect comment "!fw4: Handle openconnect IPv4/IPv6 forward traffic"
jump handle_reject
}
chain output {
type filter hook output priority filter; policy accept;
oif "lo" accept comment "!fw4: Accept traffic towards loopback"
ct state vmap { invalid : drop, established : accept, related : accept } comment "!fw4: Handle outbound flows"
oifname "br-lan" jump output_lan comment "!fw4: Handle lan IPv4/IPv6 output traffic"
oifname "br-wan" jump output_wan comment "!fw4: Handle wan IPv4/IPv6 output traffic"
oifname "vpn-openconnect" jump output_openconnect comment "!fw4: Handle openconnect IPv4/IPv6 output traffic"
}
chain prerouting {
type filter hook prerouting priority filter; policy accept;
iifname "br-lan" jump helper_lan comment "!fw4: Handle lan IPv4/IPv6 helper assignment"
}
chain handle_reject {
meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic"
reject comment "!fw4: Reject any other traffic"
}
chain syn_flood {
limit rate 25/second burst 50 packets return comment "!fw4: Accept SYN packets below rate-limit"
drop comment "!fw4: Drop excess packets"
}
chain input_lan {
jump accept_from_lan
}
chain output_lan {
jump accept_to_lan
}
chain forward_lan {
jump accept_to_wan comment "!fw4: Accept lan to wan forwarding"
jump accept_to_openconnect comment "!fw4: Accept lan to openconnect forwarding"
jump accept_to_lan
}
chain helper_lan {
}
chain accept_from_lan {
iifname "br-lan" counter packets 243 bytes 22831 accept comment "!fw4: accept lan IPv4/IPv6 traffic"
}
chain accept_to_lan {
oifname "br-lan" counter packets 35 bytes 5260 accept comment "!fw4: accept lan IPv4/IPv6 traffic"
}
chain input_wan {
meta nfproto ipv4 udp dport 68 counter packets 0 bytes 0 accept comment "!fw4: Allow-DHCP-Renew"
icmp type echo-request counter packets 0 bytes 0 accept comment "!fw4: Allow-Ping"
meta nfproto ipv4 meta l4proto igmp counter packets 1 bytes 36 accept comment "!fw4: Allow-IGMP"
meta nfproto ipv6 udp dport 546 counter packets 0 bytes 0 accept comment "!fw4: Allow-DHCPv6"
ip6 saddr fe80::/10 icmpv6 type . icmpv6 code { mld-listener-query . no-route, mld-listener-report . no-route, mld-listener-done . no-route, mld2-listener-report . no-route } counter packets 0 bytes 0 accept comment "!fw4: Allow-MLD"
icmpv6 type { destination-unreachable, time-exceeded, echo-request, echo-reply, nd-router-solicit, nd-router-advert } limit rate 1000/second burst 5 packets counter packets 5 bytes 392 accept comment "!fw4: Allow-ICMPv6-Input"
icmpv6 type . icmpv6 code { packet-too-big . no-route, parameter-problem . no-route, nd-neighbor-solicit . no-route, nd-neighbor-advert . no-route, parameter-problem . admin-prohibited } limit rate 1000/second burst 5 packets counter packets 5 bytes 352 accept comment "!fw4: Allow-ICMPv6-Input"
jump reject_from_wan
}
chain output_wan {
jump accept_to_wan
}
chain forward_wan {
icmpv6 type { destination-unreachable, time-exceeded, echo-request, echo-reply } limit rate 1000/second burst 5 packets counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Forward"
icmpv6 type . icmpv6 code { packet-too-big . no-route, parameter-problem . no-route, parameter-problem . admin-prohibited } limit rate 1000/second burst 5 packets counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Forward"
meta l4proto esp counter packets 0 bytes 0 jump accept_to_lan comment "!fw4: Allow-IPSec-ESP"
udp dport 500 counter packets 0 bytes 0 jump accept_to_lan comment "!fw4: Allow-ISAKMP"
jump reject_to_wan
}
chain accept_to_wan {
oifname "br-wan" counter packets 275 bytes 47755 accept comment "!fw4: accept wan IPv4/IPv6 traffic"
}
chain reject_from_wan {
iifname "br-wan" counter packets 158 bytes 48184 jump handle_reject comment "!fw4: reject wan IPv4/IPv6 traffic"
}
chain reject_to_wan {
oifname "br-wan" counter packets 0 bytes 0 jump handle_reject comment "!fw4: reject wan IPv4/IPv6 traffic"
}
chain input_openconnect {
jump reject_from_openconnect
}
chain output_openconnect {
jump accept_to_openconnect
}
chain forward_openconnect {
jump reject_to_openconnect
}
chain accept_to_openconnect {
oifname "vpn-openconnect" counter packets 9 bytes 1549 accept comment "!fw4: accept openconnect IPv4/IPv6 traffic"
}
chain reject_from_openconnect {
iifname "vpn-openconnect" counter packets 8 bytes 1481 jump handle_reject comment "!fw4: reject openconnect IPv4/IPv6 traffic"
}
chain reject_to_openconnect {
oifname "vpn-openconnect" counter packets 0 bytes 0 jump handle_reject comment "!fw4: reject openconnect IPv4/IPv6 traffic"
}
chain dstnat {
type nat hook prerouting priority dstnat; policy accept;
jump pbr_dstnat comment "Jump into pbr dstnat chain"
}
chain srcnat {
type nat hook postrouting priority srcnat; policy accept;
oifname "br-wan" jump srcnat_wan comment "!fw4: Handle wan IPv4/IPv6 srcnat traffic"
oifname "vpn-openconnect" jump srcnat_openconnect comment "!fw4: Handle openconnect IPv4/IPv6 srcnat traffic"
}
chain srcnat_wan {
meta nfproto ipv4 masquerade comment "!fw4: Masquerade IPv4 wan traffic"
}
chain srcnat_openconnect {
meta nfproto ipv4 masquerade comment "!fw4: Masquerade IPv4 openconnect traffic"
}
chain raw_prerouting {
type filter hook prerouting priority raw; policy accept;
}
chain raw_output {
type filter hook output priority raw; policy accept;
}
chain mangle_prerouting {
type filter hook prerouting priority mangle; policy accept;
jump pbr_prerouting comment "Jump into pbr prerouting chain"
}
chain mangle_postrouting {
type filter hook postrouting priority mangle; policy accept;
oifname "br-wan" tcp flags syn / fin,syn,rst tcp option maxseg size set rt mtu comment "!fw4: Zone wan IPv4/IPv6 egress MTU fixing"
oifname "vpn-openconnect" tcp flags syn / fin,syn,rst tcp option maxseg size set rt mtu comment "!fw4: Zone openconnect IPv4/IPv6 egress MTU fixing"
jump pbr_postrouting comment "Jump into pbr postrouting chain"
}
chain mangle_input {
type filter hook input priority mangle; policy accept;
jump pbr_input comment "Jump into pbr input chain"
}
chain mangle_output {
type route hook output priority mangle; policy accept;
jump pbr_output comment "Jump into pbr output chain"
}
chain mangle_forward {
type filter hook forward priority mangle; policy accept;
iifname "br-wan" tcp flags syn / fin,syn,rst tcp option maxseg size set rt mtu comment "!fw4: Zone wan IPv4/IPv6 ingress MTU fixing"
iifname "vpn-openconnect" tcp flags syn / fin,syn,rst tcp option maxseg size set rt mtu comment "!fw4: Zone openconnect IPv4/IPv6 ingress MTU fixing"
jump pbr_forward comment "Jump into pbr forward chain"
}
chain pbr_dstnat {
}
chain pbr_forward {
}
chain pbr_input {
}
chain pbr_output {
}
chain pbr_prerouting {
ip saddr 192.168.0.216 tcp sport 0-65535 tcp dport 0-65535 goto pbr_mark_0x020000 comment "XBOX"
ip saddr 192.168.0.216 udp sport 0-65535 udp dport 0-65535 goto pbr_mark_0x020000 comment "XBOX"
ip saddr 192.168.0.112 ip daddr 188.40.167.81 tcp sport 0-65535 tcp dport 0-65535 goto pbr_mark_0x020000 comment "MY-PC"
ip saddr 192.168.0.112 ip daddr 188.40.167.81 udp sport 0-65535 udp dport 0-65535 goto pbr_mark_0x020000 comment "MY-PC"
ip saddr 192.168.0.112 ip daddr 23.239.16.110 tcp sport 0-65535 tcp dport 0-65535 goto pbr_mark_0x020000 comment "MY-PC"
ip saddr 192.168.0.112 ip daddr 23.239.16.110 udp sport 0-65535 udp dport 0-65535 goto pbr_mark_0x020000 comment "MY-PC"
}
chain pbr_postrouting {
}
chain pbr_mark_0x010000 {
meta mark set meta mark & 0xff01ffff | 0x00010000
return
}
chain pbr_mark_0x020000 {
meta mark set meta mark & 0xff02ffff | 0x00020000
return
}
}
root@OpenWrt:~# cat /tmp/dnsmasq.d/pbr
nftset=/2ip.io/4#inet#fw4#pbr_openconnect_4_dst_ip_cfg036ff5 # MY-PC
nftset=/2ip.io/4#inet#fw4#pbr_openconnect_4_dst_ip_cfg036ff5 # MY-PC
nftset=/dnsleaktest.com/4#inet#fw4#pbr_openconnect_4_dst_ip_cfg046ff5 # MY-PC
nftset=/dnsleaktest.com/4#inet#fw4#pbr_openconnect_4_dst_ip_cfg046ff5 # MY-PC
root@OpenWrt:~#
After reboot the policies work fine!!! Why? It's fantastic!
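Two spellings of the same marking rule appear in the output above: /var/run/pbr.nft writes `mark set mark and 0xff00ffff xor 0x020000`, `nft list ruleset` prints it back as `meta mark set meta mark & 0xff02ffff | 0x00020000`, and the ip rule that consumes the result selects on `fwmark 0x20000/0xff0000`. The following is an added example, not part of the poster's output or of the pbr package, that models both forms in plain POSIX sh arithmetic and checks that they agree, that only pbr's byte (bits 16-23) is touched, and that the result is exactly what the ip rule matches. The sample marks are constructed.

```sh
#!/bin/sh
# Added example, not from pbr or the thread's output: model pbr's fwmark handling.
#   file form   (/var/run/pbr.nft):  mark set mark and 0xff00ffff xor 0x0N0000
#   listed form (nft list ruleset):  meta mark set meta mark & 0xff0Nffff | 0x000N0000
#   consumer    (ip rule):           from all fwmark 0xN0000/0xff0000 lookup pbr_<iface>
# N is 0x01 for wan and 0x02 for openconnect in the status output above.
# Sample marks below are constructed; the arithmetic is plain POSIX sh.

# mark_file_form MARK N: what the .nft file rule produces.
mark_file_form() {
    printf '0x%08x\n' $(( ($1 & 0xff00ffff) ^ ($2 << 16) ))
}

# mark_listed_form MARK N: what the nft-normalised listing rule produces.
mark_listed_form() {
    printf '0x%08x\n' $(( ($1 & (0xff00ffff | ($2 << 16))) | ($2 << 16) ))
}

# rule_selects MARK VALUE MASK: 1 if `ip rule ... fwmark VALUE/MASK` matches MARK.
rule_selects() {
    if [ $(( $1 & $3 )) -eq $(( $2 )) ]; then echo 1; else echo 0; fi
}

# forms_agree: 1 if, over a few constructed marks (clean, a low-byte mark left by
# another tool, a stale pbr mark, high bits set), both forms give the same result
# for both interfaces, the result is selected by the matching ip rule, and nothing
# outside bits 16-23 is changed. Prints 0 on the first discrepancy.
forms_agree() {
    for m in 0x00000000 0x0000000a 0x00010000 0x7f0000ff 0x00ff1234; do
        for n in 0x01 0x02; do
            a=$(mark_file_form $m $n)
            b=$(mark_listed_form $m $n)
            [ "$a" = "$b" ] || { echo 0; return 0; }
            [ "$(rule_selects $a $(( $n << 16 )) 0xff0000)" = 1 ] || { echo 0; return 0; }
            [ $(( $a & 0xff00ffff )) -eq $(( $m & 0xff00ffff )) ] || { echo 0; return 0; }
        done
    done
    echo 1
}
```

Because the AND clears pbr's byte before the XOR/OR sets it, a packet that already carries the wan mark (0x010000) ends up cleanly at 0x020000 when the openconnect chain runs, and a mark placed in the low byte by another tool survives untouched; the two listings differ only in how nft prints the expression.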
A few items, guys:
- So if you absolutely have to use the snapshot images for your device and want to keep up to date with the most recent versions of pbr, I have set up a site where you can grab the pre-compiled APK binaries for my packages in active development: https://dev.melmac.net/apk/. The issue with the luci apps is fixed; it was totally my fault!
- The netifd flavour was short-lived: after chatting with @egc, who has authored a lot of netifd-related fixes and provided excellent feedback on the netifd-compatible functionality in pbr, it was decided that netifd, while an interesting concept, doesn't quite fit the pbr package functionality right now. So I've stopped making the netifd flavour binary and removed it for now, and will look into removing the netifd-related code within a week or so.
@1.1.7-59
Tor based policies work fine.
Output chain based policies still have no effect.
config policy
option src_port '51820'
option dest_addr '123.180.30.155'
option interface 'wan4'
option name 'INIT_VPN4_WG'
option dest_port '30020'
option chain 'output'
chain pbr_output {
ip daddr 123.180.30.155 udp sport 51820 udp dport 30020 goto pbr_mark_0x020000 comment "INIT_VPN4_WG"
}
chain pbr_mark_0x020000 {
meta mark set meta mark & 0xff02ffff | 0x00020000
return
}
It is possible that sport and dport do not work in combination with fwmark.
This has nothing to do with pbr; it seems nft related.
For sport and dport, use an include script with an ip rule; I use that to send the sport of my WG server back via the WAN.
I also see that your wan is renamed to wan4.
You might need to set that as wan interface in the pbr settings.
My config worked fine with pbr 1.1.4-3.
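An added example of the include-script approach egc describes, not pbr's own code or egc's script: it steers a local WireGuard server's UDP traffic into the WAN routing table with an `ip rule` source-port selector rather than an nft mark. Assumptions: the table name pbr_wan (seen in the pbr status output earlier in the thread), port 51820, and priority 29990, chosen to sit ahead of pbr's own fwmark rules at 29998/30000 so it wins. It needs the ip-full package, since busybox ip has no ipproto/sport/dport selectors. Registering it as a pbr `config include` (option path) or running it from /etc/rc.local is left to the reader.

```sh
#!/bin/sh
# Added example, not pbr's own code: steer a local WireGuard server's UDP traffic out
# via the WAN routing table with an `ip rule` source-port selector instead of an nft
# mark. Assumptions: table pbr_wan, port 51820, priority 29990 (ahead of pbr's own
# fwmark rules at 29998/30000). Needs ip-full: busybox ip lacks ipproto/sport/dport.
WG_PORT="${WG_PORT:-51820}"
WAN_TABLE="${WAN_TABLE:-pbr_wan}"
RULE_PRIO="${RULE_PRIO:-29990}"
IP="${IP:-ip}"

# wg_rule_spec: selector and action, shared by add and del so they never drift apart.
wg_rule_spec() {
    echo "ipproto udp sport $WG_PORT lookup $WAN_TABLE"
}

# rule_present RULESHOW: prints 1 if the given `ip -4 rule show` output already
# contains this rule, else 0. Without this check every `pbr reload` stacks a duplicate.
rule_present() {
    if printf '%s\n' "$1" | grep -q "^$RULE_PRIO:.*ipproto udp sport $WG_PORT .*lookup $WAN_TABLE"; then
        echo 1
    else
        echo 0
    fi
}

# wg_rule_apply add|del [RULESHOW]: idempotent add/remove. Prints the command it runs
# (or would run when DRY_RUN is set) so the caller can log it. RULESHOW is optional
# and exists for testing; normally the live rule list is read.
wg_rule_apply() {
    action="$1"
    current="${2:-$($IP -4 rule show 2>/dev/null)}"
    have=$(rule_present "$current")
    case "$action" in
        add) [ "$have" = 1 ] && { echo "skip: rule already present"; return 0; } ;;
        del) [ "$have" = 0 ] && { echo "skip: rule not present"; return 0; } ;;
        *)   echo "usage: wg_rule_apply add|del" >&2; return 1 ;;
    esac
    cmd="$IP -4 rule $action priority $RULE_PRIO $(wg_rule_spec)"
    echo "$cmd"
    [ -n "$DRY_RUN" ] || $cmd
}

# Only act when run as a script under this name, not when sourced.
case "${0##*/}" in wg-wan-rule.sh) wg_rule_apply "${1:-add}" ;; esac
```

Verify with `ip -4 rule show` that the 29990 rule sits above pbr's fwmark rules, and with `ip route get 1.1.1.1 ipproto udp sport 51820` (ip-full) that the WAN table is chosen; the idempotency check matters because pbr rebuilds its own rules on every reload while rules added from outside pbr stay behind.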
@stangri
The only difference from the earlier version I see so far is that daddr uses an IP instead of a named set.
What happens if you only use the destination address and do not use sport and dport?
Edit: I just tried it with a single IP address
chain pbr_output {
ip daddr 172.67.68.101 goto pbr_mark_0x010000 comment "ipchick-ip"
}
and that works in my setup
I'm just as puzzled as @egc. If that's the only difference -- have you tried to delete the nft rule the newer versions create and manually insert one with the named set as in an earlier version?
Tested. No change. Still didn't work.
The counter for the policy is running, but the policy is not using the specific wan interface.
I have several VPN connections - wg0, wg1, etc.
Of course there are different policy rules set.
Is it possible to use strict enforcement (with failover), so that if the wg0 gateway is down, then before completely blocking the network (wan gateway) for the clients it first tries a different tunnel (wg1 or wg2), and if that is down too, it blocks the network completely (default wan)?
The "problem" with WireGuard is that if the WG server stops responding, the interface and routing stay up, so using metrics does not work.
I solved it by using a watchdog script with fail-over but there might be other solutions:
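An added example of such a watchdog, not egc's script and not part of pbr: it probes the tunnels in order, points the named pbr policies at the first one that answers, and when none answers takes the tunnels down so that pbr's strict enforcement (assumed to be enabled) blocks the clients' traffic rather than letting it follow a dead tunnel or leak via the WAN. Interface names, policy names, the probe target, the state file and the uci/ifstatus/ifup handling are assumptions to adapt to your own setup.

```sh
#!/bin/sh
# Added example, not egc's script: a failover watchdog for WireGuard tunnels used by
# pbr. WireGuard keeps the interface and its routes up when the peer goes silent, so
# metrics never fail over; this probes the tunnels in order, points the named pbr
# policies at the first one that answers, and when none answers takes the tunnels
# down so pbr's strict enforcement (assumed enabled) blocks the clients' traffic.
# Interface names, policy names, probe target, state file and the uci/ifstatus
# handling are assumptions. Install as /usr/bin/pbr-wg-watchdog, run from cron.
CANDIDATES="${CANDIDATES:-wg0 wg1 wg2}"        # tried in this order
POLICIES="${POLICIES:-XBOX MY-PC}"              # pbr policy names to retarget
PROBE_TARGET="${PROBE_TARGET:-1.1.1.1}"         # must answer through every tunnel
STATE_FILE="${STATE_FILE:-/var/run/pbr-wg-watchdog.active}"

# probe_iface IFACE: succeeds if one ping sent out of IFACE is answered.
# Kept separate so the decision logic below can be exercised without tunnels.
probe_iface() {
    ping -c 1 -W 2 -I "$1" "$PROBE_TARGET" >/dev/null 2>&1
}

# ensure_up IFACE: bring a tunnel back up if an earlier "block" took it down.
ensure_up() {
    ifstatus "$1" 2>/dev/null | grep -q '"up": true' || ifup "$1"
}

# pick_gateway: print the first candidate that answers, or "none".
pick_gateway() {
    for i in $CANDIDATES; do
        if probe_iface "$i"; then echo "$i"; return 0; fi
    done
    echo none
}

# next_action ACTIVE PICKED: keep, switch or block, given the tunnel the policies
# currently use (ACTIVE, "none" after a block) and the probe result (PICKED).
next_action() {
    if [ "$2" = none ]; then
        echo block
    elif [ "$2" = "$1" ]; then
        echo keep
    else
        echo switch
    fi
}

# retarget POLICY IFACE: set option interface of the pbr policy with that name.
retarget() {
    sec=$(uci show pbr 2>/dev/null | sed -n "s/^pbr\.\([^.]*\)\.name='$1'$/\1/p" | head -n 1)
    [ -n "$sec" ] || { logger -t pbr-wg-watchdog "policy $1 not found"; return 1; }
    uci set "pbr.$sec.interface=$2"
}

main() {
    for i in $CANDIDATES; do ensure_up "$i"; done
    active=$(cat "$STATE_FILE" 2>/dev/null || echo none)
    picked=$(pick_gateway)
    case "$(next_action "$active" "$picked")" in
        keep) return 0 ;;
        switch)
            for p in $POLICIES; do retarget "$p" "$picked"; done
            uci commit pbr && /etc/init.d/pbr reload
            logger -t pbr-wg-watchdog "policies moved to $picked" ;;
        block)
            # every tunnel is silent: take them down so strict enforcement blocks
            # the policy traffic instead of sending it into a dead tunnel
            for i in $CANDIDATES; do ifdown "$i"; done
            logger -t pbr-wg-watchdog "all tunnels silent, policy traffic blocked" ;;
    esac
    echo "$picked" > "$STATE_FILE"
}

# Only run when invoked as the installed script, not when sourced for testing.
case "${0##*/}" in pbr-wg-watchdog*) main ;; esac
```

While every tunnel is dead the script cycles them up for the probe and down again on each run, so choose the cron interval (one minute is reasonable) with that churn in mind; the probe target must be something every tunnel is expected to reach, otherwise a healthy tunnel is skipped.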
I've tried to install the pbr apk packages but got an error.
You might need --allow-untrusted
see: The future is now: opkg vs apk
root@QNAP:~# apk add --allow-untrusted /tmp/pbr-1.1.7-r59.apk
(1/1) Installing pbr (1.1.7-r59)
Executing pbr-1.1.7-r59.post-install
Installing rc.d symlink for pbr... OK
OK: 68 MiB in 386 packages
root@QNAP:~# apk add --allow-untrusted /tmp/luci-app-pbr-1.1.7-r59.apk
(1/1) Installing luci-app-pbr (1.1.7-r59)
Executing luci-app-pbr-1.1.7-r59.post-install
OK: 68 MiB in 387 packages
root@QNAP:~#
@egc beat me to it, but the instructions at https://docs.openwrt.melmac.net/ have been updated. Specifically the https://docs.openwrt.melmac.net/#OnyourOpenWrtdevicewithapk instructions.
Good day and thanks for this package!
If I turn on the strict enforcement option instead of "do not enforce", my ESET goes haywire even though the default gateway is the WAN and not the VPN. ESET throws an error that it is not able to reach its servers, while they are pingable from the Windows command prompt. It does this several times randomly during the day and fixes itself after some time.
If I add all the IPs to the list and set it to WAN, that seems to fix it, OR if I turn off strict enforcement, this issue does not happen.
If the default is the WAN, and the interface is up, why is this causing issues?
Secondly, is it possible to use a Shadowsocks VPN with PBR somehow?
I do not know what ESET is but I assume it is your VPN provider.
It is not uncommon that servers of VPN providers are overcrowded or down for maintenance etc. so that they are temporarily not responding (although they can be perfectly pingable).
PBR does nothing more than set up the routing, and once set up it should remain the same, so maybe it is something on the ESET side. You can ask ESET, but many providers do not acknowledge problems on their side.
As this is a common problem, there are users who are using scripts with failover to switch to a different server; maybe that is something for you?
The supported protocols are in the doc:
No, the issue is not with the VPN provider, because I am not routing ESET through the VPN; it is supposed to be on the default/WAN, so it is confusing...
Especially as we have no idea what ESET is (other than an antivirus/security application for Windows), how it fits in, or what problems it is causing.
So sorry, I cannot help you because of my lack of knowledge of ESET.