Policy-Based-Routing (pbr) package discussion

Yup, that was it. Working after removing that option. Thanks @stangri :raised_hands:

Hello everyone.
I'm using pbr with the amneziawg-tools VPN (a fork of WireGuard), and for some reason policies for domains don't work, but if I use an IP instead the policy works perfectly.

Internet access to sites not covered by a policy works fine, as does the VPN (when I set its interface as the default gateway).

I conclude there's some issue with domain name resolution, because the nft set looks like this when I use a domain name:

nft list sets

There's no "elements" block

root@OpenWrt:~# nft list sets
table inet fw4 {
        set pbr_awg1_4_dst_ip_cfg096ff5 {
                type ipv4_addr
                flags interval
                auto-merge
                comment "openwrt.org"
        }
}

But nslookup from the console works fine!

root@OpenWrt:~# nslookup openwrt.org
Server:         127.0.0.1
Address:        127.0.0.1:53

Non-authoritative answer:
Name:   openwrt.org
Address: 64.226.122.113

Non-authoritative answer:
Name:   openwrt.org
Address: 2a03:b0c0:3:d0::1a51:c001
Here are my logs:
root@OpenWrt:~# ubus call system board
{
        "kernel": "5.15.167",
        "hostname": "OpenWrt",
        "system": "MediaTek MT7628AN ver:1 eco:2",
        "model": "Xiaomi Mi Router 4A (100M Edition)",
        "board_name": "xiaomi,mi-router-4a-100m",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.5",
                "revision": "r24106-10cc5fcd00",
                "target": "ramips/mt76x8",
                "description": "OpenWrt 23.05.5 r24106-10cc5fcd00"
        }
}
root@OpenWrt:~# uci export dhcp
package dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'
        option start '100'
        option limit '150'
        option leasetime '12h'
root@OpenWrt:~# uci export firewall
package firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone
        option name 'awg1'
        option network 'awg1'
        option forward 'REJECT'
        option output 'ACCEPT'
        option input 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option family 'ipv4'

config forwarding
        option name 'awg1-lan'
        option dest 'awg1'
        option src 'lan'
        option family 'ipv4'

config include 'pbr'
        option fw4_compatible '1'
        option type 'script'
        option path '/usr/share/pbr/firewall.include'
root@OpenWrt:~# uci export network
package network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fda8:5fb8:2ba7::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0.1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config device
        option name 'eth0.2'
        option macaddr '4c:c6:4c:87:49:bb'

config interface 'wan'
        option device 'eth0.2'
        option proto 'static'
        option ipaddr '192.168.1.12'
        option netmask '255.255.255.0'
        option gateway '192.168.1.254'
        list dns '62.112.113.170'

config interface 'wan6'
        option device 'eth0.2'
        option proto 'dhcpv6'
        option auto '0'
        option reqaddress 'try'
        option reqprefix 'auto'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '4 2 6t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '0 6t'

config interface 'awg1'
        option proto 'amneziawg'
        option private_key 'HkJ3AXttC2sMVb9mh6X/asxNEX6rj4gN5awuhZsFhdQ='
        option listen_port '51821'
        option awg_jc '4'
        option awg_jmin '10'
        option awg_jmax '50'
        option awg_s1 '74'
        option awg_s2 '85'
        option awg_h1 '2103525303'
        option awg_h2 '1462576584'
        option awg_h3 '1135140846'
        option awg_h4 '74503284'
        list addresses '10.8.1.3/32'
        list dns '172.29.172.254'
        list dns '1.0.0.1'
        option defaultroute '0'

config amneziawg_awg1
        option name 'awg1_client'
        option public_key 'cuBpQRfiafbhasROYusHdL0lHDFYeKOSEl98BADTf20='
        option preshared_key 'aiCLXqRaIv3C/oK6iMud3Q39O6Zb9AItROHxfltCiac='
        option persistent_keepalive '25'
        option endpoint_host '188.166.115.99'
        list allowed_ips '0.0.0.0/0'
        list allowed_ips '::/0'
        option endpoint_port '33280'
        option route_allowed_ips '1'
root@OpenWrt:~# uci export pbr
package pbr

config pbr 'config'
        option enabled '1'
        option verbosity '2'
        option strict_enforcement '1'
        option resolver_set 'dnsmasq.nftset'
        list resolver_instance '*'
        option ipv6_enabled '0'
        list ignored_interface 'vpnserver'
        option boot_timeout '30'
        option rule_create_option 'add'
        option procd_boot_delay '0'
        option procd_reload_delay '1'
        option webui_show_ignore_target '0'
        option nft_rule_counter '1'
        option nft_set_auto_merge '1'
        option nft_set_counter '1'
        option nft_set_flags_interval '1'
        option nft_set_flags_timeout '0'
        option nft_set_policy 'performance'
        list webui_supported_protocol 'all'
        list webui_supported_protocol 'tcp'
        list webui_supported_protocol 'udp'
        list webui_supported_protocol 'tcp udp'
        list webui_supported_protocol 'icmp'
        list supported_interface 'awg1'

config include
        option path '/usr/share/pbr/pbr.user.aws'
        option enabled '0'

config include
        option path '/usr/share/pbr/pbr.user.netflix'
        option enabled '0'

config include
        option path '/usr/share/pbr/pbr.user.wg_server_and_client'
        option enabled '0'

config dns_policy
        option name 'Redirect Local IP DNS'
        option src_addr '192.168.1.5'
        option dest_dns '1.1.1.1'
        option enabled '0'

config policy
        option name 'Ignore Local Requests'
        option interface 'ignore'
        option dest_addr '10.0.0.0/24 10.0.1.0/24 192.168.100.0/24 192.168.1.0/24'
        option enabled '0'

config policy
        option name 'Plex/Emby Local Server'
        option interface 'wan'
        option src_port '8096 8920 32400'
        option enabled '0'

config policy
        option name 'Plex/Emby Remote Servers'
        option interface 'wan'
        option dest_addr 'plex.tv my.plexapp.com emby.media app.emby.media tv.emby.media'
        option enabled '0'

config policy
        option name 'openwrt.org'
        option dest_addr 'openwrt.org'
        option interface 'awg1'
root@OpenWrt:~# /etc/init.d/pbr status

pbr - environment
pbr 1.1.6-22 running on OpenWrt 23.05.5.

Dnsmasq version 2.90  Copyright (c) 2000-2024 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus UBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP conntrack no-ipset nftset auth cryptohash DNSSEC no-ID loop-detect inotify dumpfile

pbr fw4 nft file: /usr/share/nftables.d/ruleset-post/30-pbr.nft
add chain inet fw4 pbr_mark_0x010000
add rule inet fw4 pbr_mark_0x010000  mark set mark and 0xff00ffff xor 0x010000
add rule inet fw4 pbr_mark_0x010000 return
add chain inet fw4 pbr_mark_0x020000
add rule inet fw4 pbr_mark_0x020000  mark set mark and 0xff00ffff xor 0x020000
add rule inet fw4 pbr_mark_0x020000 return
add set inet fw4 pbr_awg1_4_dst_ip_cfg096ff5 { type ipv4_addr; auto-merge; flags interval; policy performance; comment "openwrt.org"; }
add rule inet fw4 pbr_prerouting ip daddr @pbr_awg1_4_dst_ip_cfg096ff5  goto pbr_mark_0x020000 comment "openwrt.org"

pbr chains - policies
        chain pbr_forward { # handle 37
        }
        chain pbr_input { # handle 38
        }
        chain pbr_output { # handle 39
        }
        chain pbr_postrouting { # handle 41
        }
        chain pbr_prerouting { # handle 40
                ip daddr @pbr_awg1_4_dst_ip_cfg096ff5 goto pbr_mark_0x020000 comment "openwrt.org" # handle 2816
        }
        chain pbr_dstnat { # handle 36
        }

pbr chains - marking
        chain pbr_mark_0x010000 { # handle 2809
                meta mark set meta mark & 0xff01ffff | 0x00010000 # handle 2810
                return # handle 2811
        }
        chain pbr_mark_0x020000 { # handle 2812
                meta mark set meta mark & 0xff02ffff | 0x00020000 # handle 2813
                return # handle 2814
        }

pbr nft sets
        set pbr_awg1_4_dst_ip_cfg096ff5 { # handle 2815
                type ipv4_addr
                flags interval
                auto-merge
                comment "openwrt.org"
        }

dnsmasq sets
nftset=/openwrt.org/4#inet#fw4#pbr_awg1_4_dst_ip_cfg096ff5 # openwrt.org

IPv4 table 256 route: default via 192.168.1.254 dev eth0.2
IPv4 table 256 rule(s):
30000:  from all fwmark 0x10000/0xff0000 lookup pbr_wan
IPv4 table 257 route: default via 10.8.1.3 dev awg1
IPv4 table 257 rule(s):
29998:  from all fwmark 0x20000/0xff0000 lookup pbr_awg1
root@OpenWrt:~# /etc/init.d/pbr reload
Using wan interface (on_start): wan
Found wan gateway (on_start): 192.168.1.254
Setting up routing for 'wan/eth0.2/192.168.1.254' [✓]
Setting up routing for 'awg1/10.8.1.3' [✓]
Routing 'openwrt.org' via awg1 [✓]
Installing fw4 nft file [✓]
pbr 1.1.6-22 monitoring interfaces: wan awg1
Restarting dnsmasq [✓]
pbr 1.1.6-22 (fw4 nft file mode) started with gateways:
wan/eth0.2/192.168.1.254 [✓]
awg1/10.8.1.3
root@OpenWrt:~# /etc/init.d/pbr status

pbr - environment
pbr 1.1.6-22 running on OpenWrt 23.05.5.

Dnsmasq version 2.90  Copyright (c) 2000-2024 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus UBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP conntrack no-ipset nftset auth cryptohash DNSSEC no-ID loop-detect inotify dumpfile

pbr fw4 nft file: /usr/share/nftables.d/ruleset-post/30-pbr.nft
add chain inet fw4 pbr_mark_0x010000
add rule inet fw4 pbr_mark_0x010000 counter mark set mark and 0xff00ffff xor 0x010000
add rule inet fw4 pbr_mark_0x010000 return
add chain inet fw4 pbr_mark_0x020000
add rule inet fw4 pbr_mark_0x020000 counter mark set mark and 0xff00ffff xor 0x020000
add rule inet fw4 pbr_mark_0x020000 return
add set inet fw4 pbr_awg1_4_dst_ip_cfg096ff5 { type ipv4_addr; auto-merge; counter; flags interval; policy performance; comment "openwrt.org"; }
add rule inet fw4 pbr_prerouting ip daddr @pbr_awg1_4_dst_ip_cfg096ff5 counter goto pbr_mark_0x020000 comment "openwrt.org"

pbr chains - policies
        chain pbr_forward { # handle 37
        }
        chain pbr_input { # handle 38
        }
        chain pbr_output { # handle 39
        }
        chain pbr_postrouting { # handle 41
        }
        chain pbr_prerouting { # handle 40
                ip daddr @pbr_awg1_4_dst_ip_cfg096ff5 counter packets 0 bytes 0 goto pbr_mark_0x020000 comment "openwrt.org" # handle 2905
        }
        chain pbr_dstnat { # handle 36
        }

pbr chains - marking
        chain pbr_mark_0x010000 { # handle 2898
                counter packets 0 bytes 0 meta mark set meta mark & 0xff01ffff | 0x00010000 # handle 2899
                return # handle 2900
        }
        chain pbr_mark_0x020000 { # handle 2901
                counter packets 0 bytes 0 meta mark set meta mark & 0xff02ffff | 0x00020000 # handle 2902
                return # handle 2903
        }

pbr nft sets
        set pbr_awg1_4_dst_ip_cfg096ff5 { # handle 2904
                type ipv4_addr
                flags interval
                counter
                auto-merge
                comment "openwrt.org"
        }

dnsmasq sets
nftset=/openwrt.org/4#inet#fw4#pbr_awg1_4_dst_ip_cfg096ff5 # openwrt.org

IPv4 table 256 route: default via 192.168.1.254 dev eth0.2
IPv4 table 256 rule(s):
30000:  from all fwmark 0x10000/0xff0000 lookup pbr_wan
IPv4 table 257 route: default via 10.8.1.3 dev awg1
IPv4 table 257 rule(s):
29998:  from all fwmark 0x20000/0xff0000 lookup pbr_awg1
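An added diagnostic (not part of the thread or of the pbr package) that cross-checks pasted `/etc/init.d/pbr status` and `nft list sets` output on a workstation: it confirms that the dnsmasq `nftset=` line, the `pbr_prerouting` rule and the nft set all name the same set, reports whether dnsmasq has actually pushed any resolved address into the set (the missing `elements` block in the post above), and replays the `pbr_mark` chain's mark arithmetic against the `fwmark/mask` ip rules to see which routing table a matched packet would hit. The sample dumps below are constructed from the output shown in the post; `192.0.2.10` is a made-up TEST-NET address.

```python
import re

# Constructed sample, modelled on the /etc/init.d/pbr status output in the
# thread: one domain policy routed via awg1 and the two fwmark ip rules.
STATUS = """\
add rule inet fw4 pbr_mark_0x010000 counter mark set mark and 0xff00ffff xor 0x010000
add rule inet fw4 pbr_mark_0x020000 counter mark set mark and 0xff00ffff xor 0x020000
add set inet fw4 pbr_awg1_4_dst_ip_cfg096ff5 { type ipv4_addr; auto-merge; flags interval; policy performance; comment "openwrt.org"; }
add rule inet fw4 pbr_prerouting ip daddr @pbr_awg1_4_dst_ip_cfg096ff5 counter goto pbr_mark_0x020000 comment "openwrt.org"
dnsmasq sets
nftset=/openwrt.org/4#inet#fw4#pbr_awg1_4_dst_ip_cfg096ff5 # openwrt.org
30000:  from all fwmark 0x10000/0xff0000 lookup pbr_wan
29998:  from all fwmark 0x20000/0xff0000 lookup pbr_awg1
"""

# Constructed `nft list sets` output: the symptom from the post (no elements
# block) and the same set after dnsmasq has pushed resolved addresses into it.
NFT_EMPTY = """\
table inet fw4 {
        set pbr_awg1_4_dst_ip_cfg096ff5 {
                type ipv4_addr
                flags interval
                auto-merge
                comment "openwrt.org"
        }
}
"""
NFT_POPULATED = NFT_EMPTY.replace(
    '                comment "openwrt.org"\n',
    '                comment "openwrt.org"\n'
    '                elements = { 64.226.122.113,\n'
    '                             192.0.2.10 }\n')  # 192.0.2.10: made-up TEST-NET address

def parse_set_elements(nft_output):
    """Map each nft set name to its element list ([] when no elements block).
    Handles the multi-line 'elements = { a, b, / c }' layout nft prints."""
    sets, current, buf = {}, None, None
    for raw in nft_output.splitlines():
        line = raw.strip()
        if buf is not None:                        # continuing an elements block
            buf.append(line)
        elif line.startswith("elements = {") and current:
            buf = [line]
        else:
            m = re.match(r"set (\S+) \{", line)
            if m:
                current = m.group(1)
                sets[current] = []
            continue
        if line.endswith("}"):                     # block closed: split on commas
            text = " ".join(buf)
            inner = text[text.index("{") + 1:text.rindex("}")]
            sets[current] = [e.strip() for e in inner.split(",") if e.strip()]
            buf = None
    return sets

def parse_marks(status):
    """Return ({mark chain: (and_mask, xor_value)}, [(fwmark, mask, table)])."""
    chain_re = (r"add rule inet fw4 (pbr_mark_0x[0-9a-f]+)\s+(?:counter\s+)?"
                r"mark set mark and (0x[0-9a-f]+) xor (0x[0-9a-f]+)")
    chains = {c: (int(a, 16), int(x, 16)) for c, a, x in re.findall(chain_re, status)}
    rule_re = r"fwmark (0x[0-9a-f]+)/(0x[0-9a-f]+) lookup (\S+)"
    rules = [(int(f, 16), int(m, 16), t) for f, m, t in re.findall(rule_re, status)]
    return chains, rules

def table_selected_by(chain, status, initial_mark=0):
    """Apply the chain's 'mark set mark and MASK xor VALUE' to a packet mark and
    return the routing table whose ip rule matches the result (None if none)."""
    chains, rules = parse_marks(status)
    and_mask, xor_value = chains[chain]
    mark = (initial_mark & and_mask) ^ xor_value
    for fwmark, mask, table in rules:
        if mark & mask == fwmark:
            return table
    return None

def check_domain_policies(status, nft_output):
    """One finding per dnsmasq nftset= line: does the named set exist, is it
    referenced by a pbr rule, has dnsmasq filled it, and where does it route?"""
    sets = parse_set_elements(nft_output)
    goto = dict(re.findall(r"ip daddr @(\S+)\s+(?:counter\s+)?goto (\S+)", status))
    findings = []
    for domain, setname in re.findall(r"nftset=/([^/]+)/\d#\w+#\w+#(\S+)", status):
        if setname not in sets:
            findings.append(f"{domain}: set {setname} does not exist in nft")
        elif setname not in goto:
            findings.append(f"{domain}: no pbr rule matches @{setname}")
        elif not sets[setname]:
            findings.append(f"{domain}: EMPTY {setname}, dnsmasq added no address "
                            "so the policy cannot match any packet")
        else:
            table = table_selected_by(goto[setname], status)
            findings.append(f"{domain}: {len(sets[setname])} element(s) -> "
                            f"{goto[setname]} -> table {table}")
    return findings
```

An empty set with an otherwise consistent rule chain points at the resolver side (no client query passed through this dnsmasq instance after the reload, or a resolver without nftset support), not at the routing side.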

What is the latest tl;dr on using tailscale exit node routing with PBR?

From my own findings, whenever the exit node is enabled, it seems to ignore pbr and all traffic is routed out through the tailscale interface. If I do anything else with the tailscale subnet route options, it does not ping out to the internet through the interface.

Does anyone have a working setup with PBR + tailscale exit nodes where you have selective rules moving traffic to wan and tailscale accordingly?

Looks related? - How to route only one client through Tailscale exit node? - #4 by SteelRazor47

From the PBR guide: https://docs.openwrt.melmac.net/pbr/

Most of the answers to your question can be found in the PBR guide (see link earlier).

Regarding interface, if you click on the drop-down button ˅ you see things like wan or vpn, so I think that speaks for itself.

Prerouting is used for LAN clients (which is the default), output for the router itself (e.g. dnsmasq); I never used anything else :slight_smile:

What is it what you want to achieve?

Ok one step back.
You are using WireGuard, what is on the other end of the WireGuard tunnel?

Is it a commercial VPN provider, or another router to which you want to have access to?

So you actually want to connect two routers with each other?

Do you only want to have access to the fritzbox, or do you also want all your traffic to go out via the fritzbox?

Take note that WireGuard is a routed solution so all involved subnets need to be different meaning your router, the fritzbox and the WG subnet need to be different.

For your LAN clients use the IP address of your LAN clients as source, choose the VPN as interface and use prerouting as chain; it is as simple as that.

I upgraded a Linksys MX5300 to 24.10.0-rc7 this morning, and it seems I’ve run into a little trouble with the latest pbr (1.1.8-r6) or rc7. Enabling pbr (even with all policies disabled) causes the WireGuard server to become unreachable. A UDP OpenVPN server remains reachable. 1.1.8-r4 is OK if I roll back to my rc6 image that contains it. Unfortunately, I don't have a stand-alone 1.1.8-r4 available to try under rc7. I’ve been using this particular config successfully since 1.1.1-7 (on 23.05.x) and through all the 24.10.0-rcx pre-releases until rc7. Does anybody see anything wrong with the config that would be incompatible with 1.1.8-r6?

config pbr 'config'
	option enabled '1'
	option verbosity '0'
	option strict_enforcement '0'
	option resolver_set 'none'
	list resolver_instance '*'
	option ipv6_enabled '0'
	option boot_timeout '30'
	option rule_create_option 'add'
	option procd_boot_delay '0'
	option procd_reload_delay '1'
	option webui_show_ignore_target '0'
	option nft_rule_counter '0'
	option nft_set_auto_merge '1'
	option nft_set_counter '0'
	option nft_set_flags_interval '1'
	option nft_set_flags_timeout '0'
	option procd_wan_interface 'wwan'
	option nft_set_policy 'performance'
	list webui_supported_protocol 'all'
	list webui_supported_protocol 'tcp'
	list webui_supported_protocol 'udp'
	list webui_supported_protocol 'tcp udp'
	list webui_supported_protocol 'icmp'
	list ignored_interface 'tun1'
	list ignored_interface 'wg1'
	list supported_interface 'wg0'

config include
	option path '/usr/share/pbr/pbr.user.aws'
	option enabled '0'

config include
	option path '/usr/share/pbr/pbr.user.netflix'
	option enabled '0'

config policy
	option name 'xbox'
	option interface 'wg0'
	option src_addr '192.168.46.51'
	option src_port '3074'
	option proto 'tcp udp'

config policy
	option name 'lstn'
	option interface 'wg0'
	option src_addr '192.168.46.61'
	option src_port '5500'
	option proto 'tcp'

config policy
	option name 'wspi'
	option interface 'wg0'
	option src_addr '192.168.48.11'
	option src_port '80 443 46080 46443'
	option proto 'tcp'

config policy
	option name 'All LANs'
	option interface 'wwan'
	option src_addr '192.168.46.0/24 192.168.47.0/24 192.168.48.0/24'


Or your unfamiliarity with how to use PBR?

Can you do from the command line:

service network restart && sleep 30 && service pbr restart

Wait a minute and check again. From the command line you should see that the listen port of the wgserver is routed out via the wan (55443 in my case):
ip rule show

root@R7800-1:~# ip rule show
0:      from all lookup local
29997:  from all sport 55443 lookup pbr_wan
29998:  from all fwmark 0x20000/0xff0000 lookup pbr_wg_oracle_cloud
30000:  from all fwmark 0x10000/0xff0000 lookup pbr_wan
32766:  from all lookup main
32767:  from all lookup default

I ran some tests, and maybe if the network restarts and pbr restarts, the network is slow and will remove the sport rules for the WireGuard server; not sure. I have to run some more tests but I'm running out of time.

@stangri can you have a look, there is something spooky going on, if I do this:

service network restart  && service pbr restart

I see pbr starting up and making the sport rules, but after about 5-10 sec the sport rules are gone, as if the network is doing things in the background and removing those rules?

Doing:

service network restart  && sleep 30 && service pbr restart

does work, and I get and keep the sport rules.

As you do not want the default route via the VPN (you disabled Route Allowed IPs), but you do want not only to connect from your LAN clients to the other side but also to have internet access via the other side (correct me if I am wrong), start by making one rule to route the LAN clients you want to route via the VPN:

For your LAN clients use the IP address of your LAN clients as source, choose the VPN as interface and use prerouting as chain.

After saving and applying, either reboot the router to make sure everything is set up or do from the command line:

service network restart && sleep 20 && service pbr restart

Wait about 30 sec before testing; it could take some time to make all the routes.

Test from your LAN clients with:

  1. Ping the router at the other side and try to browse to it to see if you have got a route via the VPN.
  2. traceroute/tracert 8.8.8.8 to see the routing which should go via the VPN and also use ipleak.net in your browser it should indicate the WAN IP address from the other side, this should indicate you do have internet access via the other side.

The problem is that the other side is not running OpenWrt, so it is more or less a black box; curious whether that side will provide internet.


pbr 1.1.8-r6 needs to be restarted to work correctly.
pbr 1.1.8-r4 works perfectly with a boot timeout of 30 seconds.


I am having an issue where PBR starts spamming these logs after running it for a few days.

PBR Logs
Fri Jan 31 07:50:03 2025 daemon.err dnsmasq[2057]: nftset inet fw4 pbr_wg_xray_4_dst_ip_cfg056ff5 netlink: Error: cache initialization failed: Protocol error
Fri Jan 31 07:50:25 2025 daemon.err dnsmasq[1]: nftset inet fw4 pbr_wg_xray_4_dst_ip_cfg056ff5 netlink: Error: cache initialization failed: Protocol error
Fri Jan 31 07:50:25 2025 daemon.err dnsmasq[2072]: nftset inet fw4 pbr_wg_xray_4_dst_ip_cfg056ff5 netlink: Error: cache initialization failed: Protocol error
Fri Jan 31 07:50:25 2025 daemon.err dnsmasq[1]: nftset inet fw4 pbr_wg_xray_4_dst_ip_cfg056ff5 netlink: Error: cache initialization failed: Protocol error
Fri Jan 31 07:50:25 2025 daemon.err dnsmasq[2076]: nftset inet fw4 pbr_wg_xray_4_dst_ip_cfg056ff5 netlink: Error: cache initialization failed: Protocol error
Fri Jan 31 07:50:26 2025 daemon.err dnsmasq[1]: nftset inet fw4 pbr_wg_xray_4_dst_ip_cfg056ff5 netlink: Error: cache initialization failed: Protocol error
Fri Jan 31 07:50:26 2025 daemon.err dnsmasq[2081]: nftset inet fw4 pbr_wg_xray_4_dst_ip_cfg056ff5 netlink: Error: cache initialization failed: Protocol error
Fri Jan 31 07:50:26 2025 daemon.err dnsmasq[1]: nftset inet fw4 pbr_wg_xray_4_dst_ip_cfg056ff5 netlink: Error: cache initialization failed: Protocol error
Fri Jan 31 07:50:26 2025 daemon.err dnsmasq[2082]: nftset inet fw4 pbr_wg_xray_4_dst_ip_cfg056ff5 netlink: Error: cache initialization failed: Protocol error
Fri Jan 31 07:50:27 2025 daemon.err dnsmasq[1]: nftset inet fw4 pbr_wg_xray_4_dst_ip_cfg056ff5 netlink: Error: cache initialization failed: Protocol error
Fri Jan 31 07:50:27 2025 daemon.err dnsmasq[2084]: nftset inet fw4 pbr_wg_xray_4_dst_ip_cfg056ff5 netlink: Error: cache initialization failed: Protocol error
Fri Jan 31 07:50:27 2025 daemon.err dnsmasq[1]: nftset inet fw4 pbr_wg_xray_4_dst_ip_cfg056ff5 netlink: Error: cache initialization failed: Protocol error
Fri Jan 31 07:50:27 2025 daemon.err dnsmasq[2086]: nftset inet fw4 pbr_wg_xray_4_dst_ip_cfg056ff5 netlink: Error: cache initialization failed: Protocol error
Fri Jan 31 07:50:27 2025 daemon.err dnsmasq[1]: nftset inet fw4 pbr_wg_xray_4_dst_ip_cfg056ff5 netlink: Error: cache initialization failed: Protocol error
Fri Jan 31 07:50:27 2025 daemon.err dnsmasq[1]: nftset inet fw4 pbr_wg_xray_4_dst_ip_cfg056ff5 netlink: Error: cache initialization failed: Protocol error
Fri Jan 31 07:50:27 2025 daemon.err dnsmasq[1]: nftset inet fw4 pbr_wg_xray_4_dst_ip_cfg056ff5 netlink: Error: cache initialization failed: Protocol error
Fri Jan 31 07:50:27 2025 daemon.err dnsmasq[1]: nftset inet fw4 pbr_wg_xray_4_dst_ip_cfg056ff5 netlink: Error: cache initialization failed: Protocol error
Fri Jan 31 07:50:27 2025 daemon.err dnsmasq[2088]: nftset inet fw4 pbr_wg_xray_4_dst_ip_cfg056ff5 netlink: Error: cache initialization failed: Protocol error
Fri Jan 31 07:50:27 2025 daemon.err dnsmasq[2088]: nftset inet fw4 pbr_wg_xray_4_dst_ip_cfg056ff5 netlink: Error: cache initialization failed: Protocol error
Fri Jan 31 07:50:27 2025 daemon.err dnsmasq[2088]: nftset inet fw4 pbr_wg_xray_4_dst_ip_cfg056ff5 netlink: Error: cache initialization failed: Protocol error
Fri Jan 31 07:50:27 2025 daemon.err dnsmasq[2088]: nftset inet fw4 pbr_wg_xray_4_dst_ip_cfg056ff5 netlink: Error: cache initialization failed: Protocol error
Fri Jan 31 07:50:27 2025 daemon.err dnsmasq[1]: nftset inet fw4 pbr_wg_xray_4_dst_ip_cfg056ff5 netlink: Error: cache initialization failed: Protocol error
Fri Jan 31 07:50:27 2025 daemon.err dnsmasq[1]: nftset inet fw4 pbr_wg_xray_4_dst_ip_cfg056ff5 netlink: Error: cache initialization failed: Protocol error
Fri Jan 31 07:50:27 2025 daemon.err dnsmasq[1]: nftset inet fw4 pbr_wg_xray_4_dst_ip_cfg056ff5 netlink: Error: cache initialization failed: Protocol error
Fri Jan 31 07:50:27 2025 daemon.err dnsmasq[1]: nftset inet fw4 pbr_wg_xray_4_dst_ip_cfg056ff5 netlink: Error: cache initialization failed: Protocol error
Fri Jan 31 07:50:27 2025 daemon.err dnsmasq[2091]: nftset inet fw4 pbr_wg_xray_4_dst_ip_cfg056ff5 netlink: Error: cache initialization failed: Protocol error
Fri Jan 31 07:50:27 2025 daemon.err dnsmasq[2091]: nftset inet fw4 pbr_wg_xray_4_dst_ip_cfg056ff5 netlink: Error: cache initialization failed: Protocol error
Fri Jan 31 07:50:27 2025 daemon.err dnsmasq[2091]: nftset inet fw4 pbr_wg_xray_4_dst_ip_cfg056ff5 netlink: Error: cache initialization failed: Protocol error
Fri Jan 31 07:50:27 2025 daemon.err dnsmasq[2091]: nftset inet fw4 pbr_wg_xray_4_dst_ip_cfg056ff5 netlink: Error: cache initialization failed: Protocol error
Fri Jan 31 07:50:27 2025 daemon.err dnsmasq[1]: nftset inet fw4 pbr_wg_xray_4_dst_ip_cfg056ff5 netlink: Error: cache initialization failed: Protocol error
Fri Jan 31 07:50:27 2025 daemon.err dnsmasq[1]: nftset inet fw4 pbr_wg_xray_4_dst_ip_cfg056ff5 netlink: Error: cache initialization failed: Protocol error
Fri Jan 31 07:50:27 2025 daemon.err dnsmasq[1]: nftset inet fw4 pbr_wg_xray_4_dst_ip_cfg056ff5 netlink: Error: cache initialization failed: Protocol error
Fri Jan 31 07:50:27 2025 daemon.err dnsmasq[1]: nftset inet fw4 pbr_wg_xray_4_dst_ip_cfg056ff5 netlink: Error: cache initialization failed: Protocol error
Fri Jan 31 07:50:27 2025 daemon.err dnsmasq[2092]: nftset inet fw4 pbr_wg_xray_4_dst_ip_cfg056ff5 netlink: Error: cache initialization failed: Protocol error
Fri Jan 31 07:50:27 2025 daemon.err dnsmasq[2092]: nftset inet fw4 pbr_wg_xray_4_dst_ip_cfg056ff5 netlink: Error: cache initialization failed: Protocol error
Fri Jan 31 07:50:27 2025 daemon.err dnsmasq[2092]: nftset inet fw4 pbr_wg_xray_4_dst_ip_cfg056ff5 netlink: Error: cache initialization failed: Protocol error
Fri Jan 31 07:50:27 2025 daemon.err dnsmasq[2092]: nftset inet fw4 pbr_wg_xray_4_dst_ip_cfg056ff5 netlink: Error: cache initialization failed: Protocol error
Fri Jan 31 07:50:27 2025 daemon.err dnsmasq[1]: nftset inet fw4 pbr_wg_xray_4_dst_ip_cfg056ff5 netlink: Error: cache initialization failed: Protocol error
Fri Jan 31 07:50:27 2025 daemon.err dnsmasq[1]: nftset inet fw4 pbr_wg_xray_4_dst_ip_cfg056ff5 netlink: Error: cache initialization failed: Protocol error
Fri Jan 31 07:50:27 2025 daemon.err dnsmasq[1]: nftset inet fw4 pbr_wg_xray_4_dst_ip_cfg056ff5 netlink: Error: cache initialization failed: Protocol error
Fri Jan 31 07:50:27 2025 daemon.err dnsmasq[1]: nftset inet fw4 pbr_wg_xray_4_dst_ip_cfg056ff5 netlink: Error: cache initialization failed: Protocol error
Fri Jan 31 07:50:27 2025 daemon.err dnsmasq[2093]: nftset inet fw4 pbr_wg_xray_4_dst_ip_cfg056ff5 netlink: Error: cache initialization failed: Protocol error
Fri Jan 31 07:50:27 2025 daemon.err dnsmasq[2093]: nftset inet fw4 pbr_wg_xray_4_dst_ip_cfg056ff5 netlink: Error: cache initialization failed: Protocol error
Fri Jan 31 07:50:27 2025 daemon.err dnsmasq[2093]: nftset inet fw4 pbr_wg_xray_4_dst_ip_cfg056ff5 netlink: Error: cache initialization failed: Protocol error
Fri Jan 31 07:50:27 2025 daemon.err dnsmasq[2093]: nftset inet fw4 pbr_wg_xray_4_dst_ip_cfg056ff5 netlink: Error: cache initialization failed: Protocol error
Fri Jan 31 07:50:29 2025 daemon.err dnsmasq[1]: nftset inet fw4 pbr_wg_xray_4_dst_ip_cfg056ff5 netlink: Error: cache initialization failed: Protocol error
Fri Jan 31 07:50:29 2025 daemon.err dnsmasq[2100]: nftset inet fw4 pbr_wg_xray_4_dst_ip_cfg056ff5 netlink: Error: cache initialization failed: Protocol error
Fri Jan 31 07:50:30 2025 daemon.err dnsmasq[1]: nftset inet fw4 pbr_wg_xray_4_dst_ip_cfg056ff5 netlink: Error: cache initialization failed: Protocol error
Fri Jan 31 07:50:31 2025 daemon.err dnsmasq[2114]: nftset inet fw4 pbr_wg_xray_4_dst_ip_cfg056ff5 netlink: Error: cache initialization failed: Protocol error
Fri Jan 31 07:50:31 2025 daemon.err dnsmasq[1]: nftset inet fw4 pbr_wg_xray_4_dst_ip_cfg056ff5 netlink: Error: cache initialization failed: Protocol error
Fri Jan 31 07:50:31 2025 daemon.err dnsmasq[2115]: nftset inet fw4 pbr_wg_xray_4_dst_ip_cfg056ff5 netlink: Error: cache initialization failed: Protocol error
Fri Jan 31 07:50:35 2025 daemon.err dnsmasq[1]: nftset inet fw4 pbr_wg_xray_4_dst_ip_cfg056ff5 netlink: Error: cache initialization failed: Protocol error
Fri Jan 31 07:50:35 2025 daemon.err dnsmasq[1]: nftset inet fw4 pbr_wg_xray_4_dst_ip_cfg056ff5 netlink: Error: cache initialization failed: Protocol error
Fri Jan 31 07:50:35 2025 daemon.err dnsmasq[2120]: nftset inet fw4 pbr_wg_xray_4_dst_ip_cfg056ff5 netlink: Error: cache initialization failed: Protocol error
Fri Jan 31 07:50:35 2025 daemon.err dnsmasq[2120]: nftset inet fw4 pbr_wg_xray_4_dst_ip_cfg056ff5 netlink: Error: cache initialization failed: Protocol error

And here are all my details:

ubus call system board
{
        "kernel": "5.15.167",
        "hostname": "OpenWrt",
        "system": "MediaTek MT7621 ver:1 eco:3",
        "model": "Linksys EA8100",
        "board_name": "linksys,ea8100-v1",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.5",
                "revision": "r24106-10cc5fcd00",
                "target": "ramips/mt7621",
                "description": "OpenWrt 23.05.5 r24106-10cc5fcd00"
        }
}
uci export dhcp
package dhcp

config dnsmasq
        option domainneeded '1'
        option rebind_protection '0'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option localservice '0'
        option ednspacket_max '1232'
        option dnsforwardmax '1000'
        option localise_queries '1'
        list server '192.168.1.104'
        option filter_aaaa '1'
        option nonegcache '1'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'
        option start '100'
        option limit '150'
        option leasetime '12h'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dhcp 'GST'
        option interface 'GST'
        option start '100'
        option limit '150'
        option leasetime '24h'
uci export firewall
package firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan2'

config forwarding
        option src 'lan'
        option dest 'wan'


config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'Tailscale'
        list proto 'udp'
        option src 'wan'
        option src_dport '41641'
        option dest_port '41641'
        option dest_ip '192.168.1.104'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'DNS Hijack'
        option src 'lan'
        option src_ip '!192.168.1.104'
        option src_dport '53'
        option dest_ip '192.168.1.1'
        option dest_port '53'

config forwarding
        option src 'gst'
        option dest 'wan'

config zone
        option name 'vpn'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wg6_surfus'
        list network 'wg_xray'

config zone
        option name 'gst'
        option output 'ACCEPT'
        option forward 'REJECT'
        option input 'REJECT'
        list network 'GST'

config rule
        option name 'Allow-gst-DNS'
        option src 'gst'
        option dest_port '53'
        option target 'ACCEPT'
        list proto 'tcp'
        list proto 'udp'

config rule
        option name 'Allow-gst-DHCP'
        list proto 'udp'
        option src 'gst'
        option dest_port '67-68'
        option target 'ACCEPT'

config zone
        option name 'flashfiber'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'flashfiber'

config forwarding
        option src 'lan'
        option dest 'flashfiber'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'DNS Hijack Guest'
        option src 'gst'
        option src_ip '!192.168.1.104'
        option src_dport '53'
        option dest_ip '192.168.1.1'
        option dest_port '53'

config forwarding
        option src 'gst'
        option dest 'vpn'

config forwarding
        option src 'lan'
        option dest 'vpn'

config include 'pbr'
        option fw4_compatible '1'
        option type 'script'
        option path '/usr/share/pbr/firewall.include'
uci export network
package network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        option ipv6 '0'

config device
        option name 'lan1'
        option macaddr '30:23:03:76:99:74'

config device
        option name 'lan2'
        option macaddr '30:23:03:76:99:74'

config device
        option name 'lan3'
        option macaddr '30:23:03:76:99:74'

config device
        option name 'lan4'
        option macaddr '30:23:03:76:99:76'

config interface 'lan'
        option device 'br-lan.1'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        list dns '192.168.1.1'

config device
        option name 'wan'
        option macaddr '30:23:03:76:99:74'

config interface 'wan'
        option device 'wan'
        option proto 'pppoe'
        option password ''
        option ipv6 'auto'
        option peerdns '0'
        option username ''
        list dns '192.168.1.1'

config interface 'wan2'
        option device 'lan4'
        option proto 'pppoe'
        option password ''
        option ipv6 'auto'
        option peerdns '0'
        option defaultroute '0'
        option username ''
        list dns '192.168.1.1'

config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'lan1:u*'
        list ports 'lan2:u*'
        list ports 'lan3:u*'

config bridge-vlan
        option device 'br-lan'
        option vlan '20'
        list ports 'lan1:t'

config interface 'GST'
        option proto 'static'
        option device 'br-lan.20'
        option ipaddr '192.168.100.1'
        option netmask '255.255.255.0'
        list dns '192.168.1.1'

config interface 'flashfiber'
        option proto 'static'
        option device 'wan'
        option ipaddr '192.168.0.2'
        option netmask '255.255.255.0'
        option gateway '192.168.0.1'
        option defaultroute '0'

config interface 'wg6_surfus'
        option proto 'wireguard'
        option private_key ''
        list addresses '10.14.0.2/16'
        option disabled '1'

config wireguard_wg6_surfus
        option description 'Imported peer configuration'
        option public_key ''
        list allowed_ips '0.0.0.0/0'
        option endpoint_host ''
        option endpoint_port '51820'

config route 'tailscale'
        option interface 'lan'
        option target '100.64.0.0/10'
        option gateway '192.168.1.104'

config interface 'wg_xray'
        option proto 'wireguard'
        option private_key ''
        list addresses '10.13.13.2/32'
        option mtu '1420'

config wireguard_wg_xray
        option description 'xray'
        option public_key ''
        option endpoint_host '192.168.1.104'
        option endpoint_port '51820'
        option persistent_keepalive '25'
        list allowed_ips '0.0.0.0/0'
uci export pbr
package pbr

config pbr 'config'
        option enabled '1'
        option verbosity '2'
        option strict_enforcement '0'
        option resolver_set 'dnsmasq.nftset'
        list resolver_instance '*'
        option ipv6_enabled '0'
        list ignored_interface 'vpnserver'
        option boot_timeout '30'
        option rule_create_option 'add'
        option procd_boot_delay '0'
        option procd_reload_delay '1'
        option webui_show_ignore_target '0'
        option nft_rule_counter '1'
        option nft_set_auto_merge '1'
        option nft_set_counter '1'
        option nft_set_flags_interval '1'
        option nft_set_flags_timeout '0'
        option nft_set_policy 'performance'
        list webui_supported_protocol 'all'
        list webui_supported_protocol 'tcp'
        list webui_supported_protocol 'udp'
        list webui_supported_protocol 'tcp udp'
        list webui_supported_protocol 'icmp'
        option wan_dscp '46'

config include
        option path '/usr/share/pbr/pbr.user.aws'
        option enabled '0'

config include
        option path '/usr/share/pbr/pbr.user.netflix'
        option enabled '0'

config policy
        option name 'pbr_ips'
        option interface 'wg_xray'
        option dest_addr ' 91.108.20.0/22 91.108.20.0/23  91.108.12.0/22 149.154.172.0/22  91.108.16.0/22 91.108.56.0/23 149.154.168.0/22  91.108.4.0/22 91.108.8.0/22 91.108.56.0/22 95.161.64.0/20 149.154.160.0/22 149.154.160.0/23 149.154.162.0/23 149.154.164.0/22 149.154.164.0/23 149.154.166.0/23  91.105.192.0/23 185.76.151.0/24  173.245.48.0/20 103.21.244.0/22 103.22.200.0/22 103.31.4.0/22 141.101.64.0/18 108.162.192.0/18 190.93.240.0/20 188.114.96.0/20 197.234.240.0/22 198.41.128.0/17 162.158.0.0/15 104.16.0.0/13 104.24.0.0/14 172.64.0.0/13 131.0.72.0/22'

config policy
        option name 'pbr_domains'
        option interface 'wg_xray'
        option dest_addr 'alislam.org telegram.org signal.art signal.org signalusers.org whispersystems.org sc-cdn.net snap-dev.net snap.com snapchat.com snapkit.co reddit.com redd.it redditmedia.com redditstatic.com twitter.com twimg.com ads-twitter.com pscp.tv t.co x.com api.twitter.com pbs.twimg.com video.twimg.com api-stream.twitter.com tpop-api.twitter.com knowyourmeme.com tenor.com docker.io auth.docker.io registry-1.docker.io cloudflare.docker.com production.cloudflare.docker.com instagram.com facebook.com fbsbx.com fbcdn.net cdninstagram.com www.facebook.com facebook.com fbcdn.net fbsbx.com whatsapp.com whatsapp.net g.whatsapp.net graph.whatsapp.com cdn.whatsapp.net fna.whatsapp.net mmg.whatsapp.net c.whatsapp.net static.whatsapp.net g-fallback.whatsapp.net pps.whatsapp.net e1.whatsapp.net e2.whatsapp.net e3.whatsapp.net e4.whatsapp.net e5.whatsapp.net e6.whatsapp.net e7.whatsapp.net e8.whatsapp.net e9.whatsapp.net e10.whatsapp.net e11.whatsapp.net e12.whatsapp.net e13.whatsapp.net e14.whatsapp.net e15.whatsapp.net e16.whatsapp.net'

config policy
        option name 'wan2'
        option src_addr '192.168.1.104'
        option interface 'wan2'

There are more outputs below. I had to split the post due to character limits :sweat_smile:
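
The outputs above show the two states a pbr domain policy can be in. In the first, the set exists but has no `elements` block, which lines up with the repeated `dnsmasq[...]: nftset ... netlink: Error` entries: dnsmasq never inserted an address, so the `ip daddr @pbr_wg_xray_4_dst_ip_cfg056ff5` rule cannot match anything even though the set is listed. In the second, the set is populated, and here it also carries `0.0.0.0` and `127.0.0.1`, which are not routable destinations and should not be in a set that steers traffic into a VPN. The POSIX shell script below is an added example for this thread, not code from the pbr package or from the poster. It runs the checks a practitioner would do before blaming routing: does the set have elements, how many nftset errors did dnsmasq log and from how many PIDs, and which set members are unspecified, loopback or RFC 1918 space. The set name is the one from the status output above; the sample text it ships with is constructed from the posted output so it runs offline, and on the router the same functions take `nft list set` and `logread` output on stdin.

```shell
#!/bin/sh
# Sanity checks for a pbr domain policy fed by dnsmasq's nftset= directives.
# Added example for this thread; it is not part of the pbr package.
#
# Live use on the router (set name taken from the pbr status output above):
#   nft list set inet fw4 pbr_wg_xray_4_dst_ip_cfg056ff5 | pbr_set_has_elements
#   logread | count_nftset_errors
#   logread | nftset_error_pids
#   nft list set inet fw4 pbr_wg_xray_4_dst_ip_cfg056ff5 | suspicious_set_members

# Exit 0 when the `nft list set` text on stdin has an "elements = {" block.
# A set that exists without one means dnsmasq never managed to insert anything,
# so the policy cannot match a single packet even though `nft list sets` shows it.
pbr_set_has_elements() {
    awk '/^[ \t]*elements[ \t]*=[ \t]*[{]/ { found = 1 } END { exit found ? 0 : 1 }'
}

# Print how many dnsmasq "nftset ... netlink: Error" lines appear on stdin.
count_nftset_errors() {
    awk '/dnsmasq\[[0-9]+\]: nftset .* netlink: Error/ { n++ } END { print n + 0 }'
}

# Print the distinct dnsmasq PIDs that logged the error, one per line, ascending.
# Several PIDs within a few seconds means dnsmasq kept restarting while failing.
nftset_error_pids() {
    awk '/dnsmasq\[[0-9]+\]: nftset .* netlink: Error/ {
            if (match($0, /dnsmasq\[[0-9]+\]/)) {
                pid = substr($0, RSTART + 8, RLENGTH - 9)   # strip "dnsmasq[" and "]"
                if (!(pid in seen)) { seen[pid] = 1; print pid }
            }
         }' | sort -n
}

# Print set members that must never be a policy-routed destination: the
# unspecified address, loopback and RFC 1918 space. Ranges and CIDRs are judged
# by their first address. Such members mean a listed domain resolved to a bogus
# or internal address and dnsmasq added it to the set anyway.
suspicious_set_members() {
    awk '
        /elements[ \t]*=[ \t]*[{]/ { inside = 1 }
        inside {
            line = $0
            sub(/.*elements[ \t]*=[ \t]*[{]/, "", line)
            if (line ~ /[}]/) { sub(/[}].*/, "", line); inside = 0 }
            gsub(/,/, " ", line)
            n = split(line, tok, /[ \t]+/)
            for (i = 1; i <= n; i++) {
                t = tok[i]
                if (t == "") continue
                split(t, a, "[-/]")      # first address of "a-b" or "a/len"
                split(a[1], o, ".")
                if (a[1] == "0.0.0.0" || o[1] == 127 || o[1] == 10 ||
                    (o[1] == 192 && o[2] == 168) ||
                    (o[1] == 172 && o[2] >= 16 && o[2] <= 31)) print t
            }
        }'
}

# Constructed samples, modelled on the output posted above.
SAMPLE_EMPTY_SET='table inet fw4 {
        set pbr_wg_xray_4_dst_ip_cfg056ff5 {
                type ipv4_addr
                flags interval
                auto-merge
                comment "pbr_domains"
        }
}'

SAMPLE_FULL_SET='table inet fw4 {
        set pbr_wg_xray_4_dst_ip_cfg056ff5 {
                type ipv4_addr
                flags interval
                auto-merge
                comment "pbr_domains"
                elements = { 0.0.0.0, 3.6.167.101,
                             13.214.124.192/30, 31.13.82.51-31.13.82.52,
                             127.0.0.1, 216.239.36.126 }
        }
}'

SAMPLE_LOG='Fri Jan 31 07:50:27 2025 daemon.err dnsmasq[2093]: nftset inet fw4 pbr_wg_xray_4_dst_ip_cfg056ff5 netlink: Error: cache initialization failed: Protocol error
Fri Jan 31 07:50:29 2025 daemon.err dnsmasq[1]: nftset inet fw4 pbr_wg_xray_4_dst_ip_cfg056ff5 netlink: Error: cache initialization failed: Protocol error
Fri Jan 31 07:50:29 2025 daemon.err dnsmasq[2100]: nftset inet fw4 pbr_wg_xray_4_dst_ip_cfg056ff5 netlink: Error: cache initialization failed: Protocol error
Fri Jan 31 07:50:36 2025 daemon.info dnsmasq[2120]: constructed line that must not be counted'

# Demonstration on the constructed samples.
if printf '%s\n' "$SAMPLE_EMPTY_SET" | pbr_set_has_elements; then
    echo "set is populated"
else
    echo "set exists but has no elements: dnsmasq inserted nothing"
fi
echo "nftset netlink errors: $(printf '%s\n' "$SAMPLE_LOG" | count_nftset_errors)"
echo "dnsmasq PIDs that failed: $(printf '%s\n' "$SAMPLE_LOG" | nftset_error_pids | tr '\n' ' ')"
echo "non-routable members in the populated set:"
printf '%s\n' "$SAMPLE_FULL_SET" | suspicious_set_members
```

On a live router the interesting combination is an empty set together with a non-zero error count: the rule and the set are in place, the `nftset=` lines are in dnsmasq's config, and the failure is in dnsmasq's netlink path to nftables rather than in pbr's routing tables. Members flagged by `suspicious_set_members` are worth removing from the policy's domain list or checking against the upstream resolver, since any client that resolves such a name gets that bogus address steered into the tunnel.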

/etc/init.d/pbr status
pbr - environment
pbr 1.1.8-r4 running on OpenWrt 23.05.5.

Dnsmasq version 2.90  Copyright (c) 2000-2024 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus UBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP conntrack no-ipset nftset auth cryptohash DNSSEC no-ID loop-detect inotify dumpfile

pbr fw4 nft file: /usr/share/nftables.d/ruleset-post/30-pbr.nft
add chain inet fw4 pbr_mark_0x010000
add rule inet fw4 pbr_mark_0x010000  mark set mark and 0xff00ffff xor 0x010000
add rule inet fw4 pbr_mark_0x010000 return
add rule inet fw4 pbr_prerouting ip dscp 46  goto pbr_mark_0x010000
add chain inet fw4 pbr_mark_0x020000
add rule inet fw4 pbr_mark_0x020000  mark set mark and 0xff00ffff xor 0x020000
add rule inet fw4 pbr_mark_0x020000 return
add chain inet fw4 pbr_mark_0x030000
add rule inet fw4 pbr_mark_0x030000  mark set mark and 0xff00ffff xor 0x030000
add rule inet fw4 pbr_mark_0x030000 return
add rule inet fw4 pbr_prerouting ip daddr { 91.108.20.0/22, 91.108.20.0/23, 91.108.12.0/22, 149.154.172.0/22, 91.108.16.0/22, 91.108.56.0/23, 149.154.168.0/22, 91.108.4.0/22, 91.108.8.0/22, 91.108.56.0/22, 95.161.64.0/20, 149.154.160.0/22, 149.154.160.0/23, 149.154.162.0/23, 149.154.164.0/22, 149.154.164.0/23, 149.154.166.0/23, 91.105.192.0/23, 185.76.151.0/24, 173.245.48.0/20, 103.21.244.0/22, 103.22.200.0/22, 103.31.4.0/22, 141.101.64.0/18, 108.162.192.0/18, 190.93.240.0/20, 188.114.96.0/20, 197.234.240.0/22, 198.41.128.0/17, 162.158.0.0/15, 104.16.0.0/13, 104.24.0.0/14, 172.64.0.0/13, 131.0.72.0/22 }  goto pbr_mark_0x030000 comment "pbr_ips"
add set inet fw4 pbr_wg_xray_4_dst_ip_cfg056ff5 { type ipv4_addr;                auto-merge;                             flags interval;                    policy performance;                              comment "pbr_domains";}
add rule inet fw4 pbr_prerouting ip daddr @pbr_wg_xray_4_dst_ip_cfg056ff5  goto pbr_mark_0x030000 comment "pbr_domains"
add rule inet fw4 pbr_prerouting ip saddr { 192.168.1.104 }  goto pbr_mark_0x020000 comment "wan2"

pbr chains - policies
        chain pbr_forward { # handle 929
        }
        chain pbr_input { # handle 930
        }
        chain pbr_output { # handle 931
        }
        chain pbr_postrouting { # handle 933
        }
        chain pbr_prerouting { # handle 932
                ip dscp ef goto pbr_mark_0x010000 # handle 2772
                ip daddr { 91.105.192.0/23, 91.108.4.0-91.108.23.255, 91.108.56.0/22, 95.161.64.0/20, 103.21.244.0/22, 103.22.200.0/22, 103.31.4.0/22, 104.16.0.0-104.27.255.255, 108.162.192.0/18, 131.0.72.0/22, 141.101.64.0/18, 149.154.160.0/20, 162.158.0.0/15, 172.64.0.0/13, 173.245.48.0/20, 185.76.151.0/24, 188.114.96.0/20, 190.93.240.0/20, 197.234.240.0/22, 198.41.128.0/17 } goto pbr_mark_0x030000 comment "pbr_ips" # handle 2780
                ip daddr @pbr_wg_xray_4_dst_ip_cfg056ff5 goto pbr_mark_0x030000 comment "pbr_domains" # handle 2782
                ip saddr 192.168.1.104 goto pbr_mark_0x020000 comment "wan2" # handle 2783
        }
        chain pbr_dstnat { # handle 928
        }

pbr chains - marking
        chain pbr_mark_0x010000 { # handle 2769
                meta mark set meta mark & 0xff01ffff | 0x00010000 # handle 2770
                return # handle 2771
        }
        chain pbr_mark_0x020000 { # handle 2773
                meta mark set meta mark & 0xff02ffff | 0x00020000 # handle 2774
                return # handle 2775
        }
        chain pbr_mark_0x030000 { # handle 2776
                meta mark set meta mark & 0xff03ffff | 0x00030000 # handle 2777
                return # handle 2778
        }

pbr nft sets
        set pbr_wg_xray_4_dst_ip_cfg056ff5 { # handle 2781
                type ipv4_addr
                flags interval
                auto-merge
                comment "pbr_domains"
                elements = { 0.0.0.0, 3.6.167.101,
                             3.33.221.48, 3.33.252.61,
                             3.90.122.13, 3.94.224.37,
                             3.94.245.242, 3.109.96.156,
                             3.109.142.224, 3.109.224.175,
                             3.110.7.191, 3.163.237.4,
                             3.163.238.4, 3.163.243.4,
                             3.209.124.67, 3.210.25.111,
                             3.211.129.248, 3.211.135.225,
                             3.212.195.239, 3.213.65.77,
                             3.213.105.149, 3.218.77.77,
                             3.219.23.148, 3.220.223.56,
                             3.222.33.75, 3.222.161.63,
                             3.222.252.193, 3.223.5.248,
                             3.224.210.167, 3.227.185.194,
                             3.228.97.124, 3.233.9.63,
                             3.234.63.40, 13.126.216.44,
                             13.200.78.219, 13.214.124.192/30,
                             13.214.124.197-13.214.124.199, 13.214.124.201-13.214.124.203,
                             13.233.249.99, 13.235.198.147,
                             13.248.212.111, 15.197.206.217,
                             15.197.210.208, 18.138.10.149,
                             18.138.12.90, 18.139.21.86,
                             23.21.224.18, 23.22.119.47,
                             31.13.72.35, 31.13.73.34,
                             31.13.80.35, 31.13.82.7,
                             31.13.82.35, 31.13.82.51-31.13.82.52,
                             31.13.84.35, 31.13.91.40,
                             31.13.94.34, 31.13.95.39,
                             34.98.105.85, 34.120.159.232,
                             34.192.72.184, 34.192.187.27,
                             34.197.69.128, 34.208.114.71,
                             34.209.32.43, 34.210.47.102,
                             34.214.50.142, 34.214.168.204,
                             34.230.250.51, 34.233.45.132,
                             35.80.238.128, 35.83.219.245,
                             35.153.89.28, 35.154.120.180,
                             35.154.121.126, 35.154.211.128,
                             35.160.5.75, 35.162.0.6,
                             35.167.60.146, 35.168.81.158,
                             35.168.229.134, 35.169.106.211,
                             35.171.171.34, 35.175.72.178,
                             35.190.43.134, 35.241.16.93,
                             40.122.45.194, 43.204.188.144,
                             43.204.201.253, 44.193.103.136,
                             44.199.23.232, 44.202.21.0-44.202.21.10,
                             44.202.21.12-44.202.21.19, 44.202.21.21-44.202.21.43,
                             44.202.21.45-44.202.21.56, 44.202.21.58,
                             44.202.21.60, 44.206.103.239,
                             44.208.254.194, 44.216.92.245,
                             44.220.123.85, 44.221.37.199,
                             44.231.68.111, 44.241.49.190,
                             44.241.124.82, 50.17.193.184,
                             50.19.235.179, 52.0.156.163,
                             52.3.33.142, 52.4.144.129,
                             52.7.90.178, 52.7.98.3,
                             52.10.250.154, 52.13.215.163,
                             52.22.149.38, 52.24.36.248,
                             52.24.185.220, 52.34.140.94,
                             52.39.177.186, 52.44.227.212,
                             52.54.39.173, 52.54.92.139,
                             52.66.29.98, 52.66.98.152,
                             52.66.122.100, 52.71.107.240,
                             52.72.186.177, 52.201.39.149,
                             52.206.58.144, 54.149.242.154,
                             54.152.141.238, 54.156.14.194,
                             54.156.140.159, 54.156.169.13,
                             54.160.108.154, 54.173.230.57,
                             54.197.185.21, 54.198.86.24,
                             54.204.222.79, 54.205.83.108,
                             54.208.73.48, 54.209.194.40,
                             54.209.212.191, 54.224.33.202,
                             54.224.131.131, 54.224.183.33,
                             54.225.63.46, 54.227.20.253,
                             54.234.147.110, 54.235.218.99,
                             54.236.113.205, 54.243.165.84,
                             57.144.100.192, 57.144.104.5,
                             57.144.110.5, 57.144.112.192,
                             57.144.122.5, 57.144.134.5,
                             57.144.142.5, 57.144.144.3,
                             57.144.144.9, 57.144.144.128-57.144.144.130,
                             57.144.144.141, 57.144.144.145,
                             57.144.144.192, 57.144.145.32/31,
                             57.144.148.8/31, 57.144.148.36,
                             57.144.148.141, 57.144.148.144/31,
                             57.144.148.192, 57.144.149.32/31,
                             57.144.150.3, 57.144.150.9,
                             57.144.150.128/31, 57.144.150.141,
                             57.144.150.145, 57.144.150.192,
                             57.144.151.32, 57.144.152.1,
                             57.144.152.3, 57.144.152.8/31,
                             57.144.152.36, 57.144.152.128-57.144.152.130,
                             57.144.152.141, 57.144.152.144/31,
                             57.144.152.192, 57.144.153.32/31,
                             57.144.160.1, 57.144.160.3,
                             57.144.160.8/31, 57.144.160.36,
                             57.144.160.128, 57.144.160.141,
                             57.144.160.144/31, 57.144.160.192,
                             57.144.161.32/31, 57.144.172.5,
                             57.144.182.5, 65.0.222.182,
                             69.195.160.128, 69.195.162.128,
                             69.195.163.128, 69.195.166.128,
                             69.195.168.128, 69.195.169.128,
                             69.195.174.128, 69.195.176.128,
                             69.195.177.128, 69.195.178.128,
                             69.195.179.128, 69.195.180.128,
                             69.195.181.128, 69.195.182.128,
                             69.195.184.128, 69.195.185.128,
                             69.195.186.128, 69.195.187.128,
                             75.101.144.42, 76.223.92.165,
                             98.85.153.80, 100.26.12.76,
                             100.29.167.200, 102.132.97.18,
                             102.132.97.27, 102.132.97.30,
                             102.132.97.33, 102.132.97.35,
                             102.132.97.63, 102.132.101.39,
                             102.132.103.35, 102.132.103.37,
                             103.83.31.212, 103.83.31.224,
                             103.113.100.87, 103.151.42.148,
                             103.151.42.163, 103.162.137.211,
                             104.16.97.215, 104.16.98.215,
                             104.16.99.215, 104.16.100.215,
                             104.16.101.215, 104.18.26.44,
                             104.18.27.44, 104.18.37.127,
                             104.18.37.148, 104.18.43.97,
                             104.244.42.1-104.244.42.3, 104.244.42.8,
                             104.244.42.65-104.244.42.67, 104.244.42.72,
                             104.244.42.130/31, 104.244.42.136,
                             104.244.42.193-104.244.42.195, 104.244.43.131,
                             104.244.45.3, 108.139.79.49,
                             108.139.79.67, 108.139.79.79,
                             108.139.79.121, 111.119.184.209,
                             111.119.184.224/31, 119.30.107.20,
                             119.152.6.146, 119.152.6.163-119.152.6.164,
                             119.152.6.226, 119.160.88.81,
                             121.91.40.83, 121.91.40.99-121.91.40.100,
                             121.91.41.83, 121.91.41.99-121.91.41.100,
                             124.29.210.81, 127.0.0.1,
                             142.250.67.234, 142.250.70.42,
                             142.250.70.74, 142.250.70.106,
                             142.250.71.106, 142.250.77.42,
                             142.250.181.10, 142.250.181.42,
                             142.250.181.74, 142.250.181.106,
                             142.250.181.138, 142.250.182.202,
                             142.250.182.234, 142.250.183.10,
                             142.250.192.42, 142.250.192.74,
                             142.250.192.106, 142.250.192.138,
                             142.251.42.10, 142.251.42.42,
                             142.251.42.74, 142.251.42.97,
                             151.101.1.140, 151.101.65.140,
                             151.101.120.158/31, 151.101.122.164,
                             151.101.129.140, 151.101.193.140,
                             157.240.1.40, 157.240.7.16,
                             157.240.7.26, 157.240.7.32,
                             157.240.7.35, 157.240.7.40,
                             157.240.7.52-157.240.7.54, 157.240.8.34,
                             157.240.12.34, 157.240.13.14/31,
                             157.240.13.19, 157.240.13.32,
                             157.240.13.35, 157.240.13.52,
                             157.240.13.54/31, 157.240.13.175,
                             157.240.15.1, 157.240.15.13,
                             157.240.15.19, 157.240.15.34/31,
                             157.240.15.40, 157.240.15.60/31,
                             157.240.15.63, 157.240.17.39,
                             157.240.19.34, 157.240.26.33,
                             157.240.29.41, 157.240.31.5,
                             157.240.31.60, 157.240.31.63,
                             157.240.192.38, 157.240.198.38,
                             157.240.199.17, 157.240.199.22,
                             157.240.200.38, 157.240.201.38,
                             157.240.205.38, 157.240.208.63,
                             157.240.209.38, 157.240.211.63,
                             157.240.212.38, 157.240.215.38,
                             157.240.221.63, 157.240.222.38,
                             157.240.223.39, 157.240.227.1-157.240.227.3,
                             157.240.227.13, 157.240.227.19,
                             157.240.227.21, 157.240.227.34-157.240.227.37,
                             157.240.227.40, 157.240.227.60/31,
                             157.240.227.63, 157.240.227.173-157.240.227.175,
                             157.240.229.39, 157.240.233.39,
                             157.240.235.1-157.240.235.2, 157.240.235.15,
                             157.240.235.39-157.240.235.40, 157.240.235.60/31,
                             157.240.235.63, 157.240.236.8,
                             157.240.236.60, 157.240.236.63,
                             157.240.242.60, 157.240.243.41,
                             157.240.249.41, 157.240.251.6,
                             157.240.251.60/31, 157.240.251.63,
                             157.240.252.3, 157.240.252.10,
                             157.240.252.13-157.240.252.14, 157.240.252.17,
                             157.240.252.34-157.240.252.37, 157.240.252.60/31,
                             157.240.252.63, 157.240.252.174/31,
                             162.159.140.229, 163.70.130.36,
                             163.70.132.1, 163.70.132.4,
                             163.70.132.10, 163.70.132.20,
                             163.70.132.23, 163.70.132.34-163.70.132.36,
                             163.70.132.38/31, 163.70.132.60/31,
                             163.70.132.63, 163.70.132.174/31,
                             163.70.137.2/31, 163.70.137.35,
                             163.70.137.37, 163.70.137.60/31,
                             163.70.137.63, 163.70.144.61,
                             163.70.158.7, 163.70.158.35,
                             163.70.158.63, 163.70.159.7,
                             163.70.159.13, 163.70.159.20,
                             163.70.159.35-163.70.159.36, 163.70.159.63,
                             172.64.144.159, 172.64.150.108,
                             172.64.150.129, 172.66.0.227,
                             172.217.17.42, 172.217.17.74,
                             172.217.19.10, 172.217.19.170,
                             172.217.19.202, 172.217.19.234,
                             172.217.21.42, 179.60.195.51,
                             182.176.35.98, 182.176.36.81,
                             182.176.36.97-182.176.36.98, 185.60.217.63,
                             185.60.219.2/31, 185.60.219.32,
                             185.60.219.35, 185.60.219.63,
                             199.59.148.54, 199.232.45.140,
                             199.232.56.157-199.232.56.159, 199.232.58.164,
                             199.232.168.157-199.232.168.159, 199.232.188.158/31,
                             209.237.192.128, 209.237.193.128,
                             209.237.194.128, 209.237.195.128,
                             209.237.196.128, 209.237.197.128,
                             209.237.198.128, 209.237.199.128,
                             209.237.200.128, 209.237.201.128,
                             209.237.203.128, 209.237.204.128,
                             211.239.213.223, 216.58.208.234,
                             216.58.208.243, 216.239.36.126 }
        }

dnsmasq sets
nftset=/alislam.org/4#inet#fw4#pbr_wg_xray_4_dst_ip_cfg056ff5 # pbr_domains
nftset=/telegram.org/4#inet#fw4#pbr_wg_xray_4_dst_ip_cfg056ff5 # pbr_domains
nftset=/signal.art/4#inet#fw4#pbr_wg_xray_4_dst_ip_cfg056ff5 # pbr_domains
nftset=/signal.org/4#inet#fw4#pbr_wg_xray_4_dst_ip_cfg056ff5 # pbr_domains
nftset=/signalusers.org/4#inet#fw4#pbr_wg_xray_4_dst_ip_cfg056ff5 # pbr_domains
nftset=/whispersystems.org/4#inet#fw4#pbr_wg_xray_4_dst_ip_cfg056ff5 # pbr_domains
nftset=/sc-cdn.net/4#inet#fw4#pbr_wg_xray_4_dst_ip_cfg056ff5 # pbr_domains
nftset=/snap-dev.net/4#inet#fw4#pbr_wg_xray_4_dst_ip_cfg056ff5 # pbr_domains
nftset=/snap.com/4#inet#fw4#pbr_wg_xray_4_dst_ip_cfg056ff5 # pbr_domains
nftset=/snapchat.com/4#inet#fw4#pbr_wg_xray_4_dst_ip_cfg056ff5 # pbr_domains
nftset=/snapkit.co/4#inet#fw4#pbr_wg_xray_4_dst_ip_cfg056ff5 # pbr_domains
nftset=/reddit.com/4#inet#fw4#pbr_wg_xray_4_dst_ip_cfg056ff5 # pbr_domains
nftset=/redd.it/4#inet#fw4#pbr_wg_xray_4_dst_ip_cfg056ff5 # pbr_domains
nftset=/redditmedia.com/4#inet#fw4#pbr_wg_xray_4_dst_ip_cfg056ff5 # pbr_domains
nftset=/redditstatic.com/4#inet#fw4#pbr_wg_xray_4_dst_ip_cfg056ff5 # pbr_domains
nftset=/twitter.com/4#inet#fw4#pbr_wg_xray_4_dst_ip_cfg056ff5 # pbr_domains
nftset=/twimg.com/4#inet#fw4#pbr_wg_xray_4_dst_ip_cfg056ff5 # pbr_domains
nftset=/ads-twitter.com/4#inet#fw4#pbr_wg_xray_4_dst_ip_cfg056ff5 # pbr_domains
nftset=/pscp.tv/4#inet#fw4#pbr_wg_xray_4_dst_ip_cfg056ff5 # pbr_domains
nftset=/t.co/4#inet#fw4#pbr_wg_xray_4_dst_ip_cfg056ff5 # pbr_domains
nftset=/x.com/4#inet#fw4#pbr_wg_xray_4_dst_ip_cfg056ff5 # pbr_domains
nftset=/api.twitter.com/4#inet#fw4#pbr_wg_xray_4_dst_ip_cfg056ff5 # pbr_domains
nftset=/pbs.twimg.com/4#inet#fw4#pbr_wg_xray_4_dst_ip_cfg056ff5 # pbr_domains
nftset=/video.twimg.com/4#inet#fw4#pbr_wg_xray_4_dst_ip_cfg056ff5 # pbr_domains
nftset=/api-stream.twitter.com/4#inet#fw4#pbr_wg_xray_4_dst_ip_cfg056ff5 # pbr_domains
nftset=/tpop-api.twitter.com/4#inet#fw4#pbr_wg_xray_4_dst_ip_cfg056ff5 # pbr_domains
nftset=/knowyourmeme.com/4#inet#fw4#pbr_wg_xray_4_dst_ip_cfg056ff5 # pbr_domains
nftset=/tenor.com/4#inet#fw4#pbr_wg_xray_4_dst_ip_cfg056ff5 # pbr_domains
nftset=/docker.io/4#inet#fw4#pbr_wg_xray_4_dst_ip_cfg056ff5 # pbr_domains
nftset=/auth.docker.io/4#inet#fw4#pbr_wg_xray_4_dst_ip_cfg056ff5 # pbr_domains
nftset=/registry-1.docker.io/4#inet#fw4#pbr_wg_xray_4_dst_ip_cfg056ff5 # pbr_domains
nftset=/cloudflare.docker.com/4#inet#fw4#pbr_wg_xray_4_dst_ip_cfg056ff5 # pbr_domains
nftset=/production.cloudflare.docker.com/4#inet#fw4#pbr_wg_xray_4_dst_ip_cfg056ff5 # pbr_domains
nftset=/instagram.com/4#inet#fw4#pbr_wg_xray_4_dst_ip_cfg056ff5 # pbr_domains
nftset=/facebook.com/4#inet#fw4#pbr_wg_xray_4_dst_ip_cfg056ff5 # pbr_domains
nftset=/fbsbx.com/4#inet#fw4#pbr_wg_xray_4_dst_ip_cfg056ff5 # pbr_domains
nftset=/fbcdn.net/4#inet#fw4#pbr_wg_xray_4_dst_ip_cfg056ff5 # pbr_domains
nftset=/cdninstagram.com/4#inet#fw4#pbr_wg_xray_4_dst_ip_cfg056ff5 # pbr_domains
nftset=/www.facebook.com/4#inet#fw4#pbr_wg_xray_4_dst_ip_cfg056ff5 # pbr_domains
nftset=/facebook.com/4#inet#fw4#pbr_wg_xray_4_dst_ip_cfg056ff5 # pbr_domains
nftset=/fbcdn.net/4#inet#fw4#pbr_wg_xray_4_dst_ip_cfg056ff5 # pbr_domains
nftset=/fbsbx.com/4#inet#fw4#pbr_wg_xray_4_dst_ip_cfg056ff5 # pbr_domains
nftset=/whatsapp.com/4#inet#fw4#pbr_wg_xray_4_dst_ip_cfg056ff5 # pbr_domains
nftset=/whatsapp.net/4#inet#fw4#pbr_wg_xray_4_dst_ip_cfg056ff5 # pbr_domains
nftset=/g.whatsapp.net/4#inet#fw4#pbr_wg_xray_4_dst_ip_cfg056ff5 # pbr_domains
nftset=/graph.whatsapp.com/4#inet#fw4#pbr_wg_xray_4_dst_ip_cfg056ff5 # pbr_domains
nftset=/cdn.whatsapp.net/4#inet#fw4#pbr_wg_xray_4_dst_ip_cfg056ff5 # pbr_domains
nftset=/fna.whatsapp.net/4#inet#fw4#pbr_wg_xray_4_dst_ip_cfg056ff5 # pbr_domains
nftset=/mmg.whatsapp.net/4#inet#fw4#pbr_wg_xray_4_dst_ip_cfg056ff5 # pbr_domains
nftset=/c.whatsapp.net/4#inet#fw4#pbr_wg_xray_4_dst_ip_cfg056ff5 # pbr_domains
nftset=/static.whatsapp.net/4#inet#fw4#pbr_wg_xray_4_dst_ip_cfg056ff5 # pbr_domains
nftset=/g-fallback.whatsapp.net/4#inet#fw4#pbr_wg_xray_4_dst_ip_cfg056ff5 # pbr_domains
nftset=/pps.whatsapp.net/4#inet#fw4#pbr_wg_xray_4_dst_ip_cfg056ff5 # pbr_domains
nftset=/e1.whatsapp.net/4#inet#fw4#pbr_wg_xray_4_dst_ip_cfg056ff5 # pbr_domains
nftset=/e2.whatsapp.net/4#inet#fw4#pbr_wg_xray_4_dst_ip_cfg056ff5 # pbr_domains
nftset=/e3.whatsapp.net/4#inet#fw4#pbr_wg_xray_4_dst_ip_cfg056ff5 # pbr_domains
nftset=/e4.whatsapp.net/4#inet#fw4#pbr_wg_xray_4_dst_ip_cfg056ff5 # pbr_domains
nftset=/e5.whatsapp.net/4#inet#fw4#pbr_wg_xray_4_dst_ip_cfg056ff5 # pbr_domains
nftset=/e6.whatsapp.net/4#inet#fw4#pbr_wg_xray_4_dst_ip_cfg056ff5 # pbr_domains
nftset=/e7.whatsapp.net/4#inet#fw4#pbr_wg_xray_4_dst_ip_cfg056ff5 # pbr_domains
nftset=/e8.whatsapp.net/4#inet#fw4#pbr_wg_xray_4_dst_ip_cfg056ff5 # pbr_domains
nftset=/e9.whatsapp.net/4#inet#fw4#pbr_wg_xray_4_dst_ip_cfg056ff5 # pbr_domains
nftset=/e10.whatsapp.net/4#inet#fw4#pbr_wg_xray_4_dst_ip_cfg056ff5 # pbr_domains
nftset=/e11.whatsapp.net/4#inet#fw4#pbr_wg_xray_4_dst_ip_cfg056ff5 # pbr_domains
nftset=/e12.whatsapp.net/4#inet#fw4#pbr_wg_xray_4_dst_ip_cfg056ff5 # pbr_domains
nftset=/e13.whatsapp.net/4#inet#fw4#pbr_wg_xray_4_dst_ip_cfg056ff5 # pbr_domains
nftset=/e14.whatsapp.net/4#inet#fw4#pbr_wg_xray_4_dst_ip_cfg056ff5 # pbr_domains
nftset=/e15.whatsapp.net/4#inet#fw4#pbr_wg_xray_4_dst_ip_cfg056ff5 # pbr_domains
nftset=/e16.whatsapp.net/4#inet#fw4#pbr_wg_xray_4_dst_ip_cfg056ff5 # pbr_domains

pbr tables & routing
IPv4 table 256 pbr_wan route:
default via PUBLIC_GATEWAY_REMOVED dev pppoe-wan
IPv4 table 256 pbr_wan rule(s):
30000:  from all fwmark 0x10000/0xff0000 lookup pbr_wan

IPv4 table 257 pbr_wan2 route:
default via PUBLIC_GATEWAY_REMOVED dev pppoe-wan2
IPv4 table 257 pbr_wan2 rule(s):
29998:  from all fwmark 0x20000/0xff0000 lookup pbr_wan2

IPv4 table 258 pbr_wg_xray route:
default via 10.13.13.2 dev wg_xray
IPv4 table 258 pbr_wg_xray rule(s):
29996:  from all fwmark 0x30000/0xff0000 lookup pbr_wg_xray
/etc/init.d/pbr reload
Using wan interface (on_start): wan
Found wan gateway (on_start): PUBLIC_GATEWAY_REMOVED
Setting up routing for 'wan/pppoe-wan/PUBLIC_GATEWAY_REMOVED' [✓]
Setting up routing for 'wan2/pppoe-wan2/PUBLIC_GATEWAY_REMOVED' [✓]
Setting up routing for 'wg_xray/10.13.13.2' [✓]
Routing 'pbr_ips' via wg_xray [✓]
Routing 'pbr_domains' via wg_xray [✓]
Routing 'wan2' via wan2 [✓]
Installing fw4 nft file [✓]
pbr 1.1.8-r4 monitoring interfaces: wan wan2 wg_xray
pbr 1.1.8-r4 (fw4 nft file mode) started with gateways:
wan/pppoe-wan/PUBLIC_GATEWAY_REMOVED [✓]
wan2/pppoe-wan2/PUBLIC_GATEWAY_REMOVED
wg_xray/10.13.13.2
/etc/init.d/pbr status
pbr - environment
pbr 1.1.8-r4 running on OpenWrt 23.05.5.

Dnsmasq version 2.90  Copyright (c) 2000-2024 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus UBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP conntrack no-ipset nftset auth cryptohash DNSSEC no-ID loop-detect inotify dumpfile

pbr fw4 nft file: /usr/share/nftables.d/ruleset-post/30-pbr.nft
add chain inet fw4 pbr_mark_0x010000
add rule inet fw4 pbr_mark_0x010000 counter mark set mark and 0xff00ffff xor 0x010000
add rule inet fw4 pbr_mark_0x010000 return
add rule inet fw4 pbr_prerouting ip dscp 46 counter goto pbr_mark_0x010000
add chain inet fw4 pbr_mark_0x020000
add rule inet fw4 pbr_mark_0x020000 counter mark set mark and 0xff00ffff xor 0x020000
add rule inet fw4 pbr_mark_0x020000 return
add chain inet fw4 pbr_mark_0x030000
add rule inet fw4 pbr_mark_0x030000 counter mark set mark and 0xff00ffff xor 0x030000
add rule inet fw4 pbr_mark_0x030000 return
add rule inet fw4 pbr_prerouting ip daddr { 91.108.20.0/22, 91.108.20.0/23, 91.108.12.0/22, 149.154.172.0/22, 91.108.16.0/22, 91.108.56.0/23, 149.154.168.0/22, 91.108.4.0/22, 91.108.8.0/22, 91.108.56.0/22, 95.161.64.0/20, 149.154.160.0/22, 149.154.160.0/23, 149.154.162.0/23, 149.154.164.0/22, 149.154.164.0/23, 149.154.166.0/23, 91.105.192.0/23, 185.76.151.0/24, 173.245.48.0/20, 103.21.244.0/22, 103.22.200.0/22, 103.31.4.0/22, 141.101.64.0/18, 108.162.192.0/18, 190.93.240.0/20, 188.114.96.0/20, 197.234.240.0/22, 198.41.128.0/17, 162.158.0.0/15, 104.16.0.0/13, 104.24.0.0/14, 172.64.0.0/13, 131.0.72.0/22 } counter goto pbr_mark_0x030000 comment "pbr_ips"
add set inet fw4 pbr_wg_xray_4_dst_ip_cfg056ff5 { type ipv4_addr;                auto-merge;             counter;                flags interval;
 policy performance;                             comment "pbr_domains";}
add rule inet fw4 pbr_prerouting ip daddr @pbr_wg_xray_4_dst_ip_cfg056ff5 counter goto pbr_mark_0x030000 comment "pbr_domains"
add rule inet fw4 pbr_prerouting ip saddr { 192.168.1.104 } counter goto pbr_mark_0x020000 comment "wan2"

pbr chains - policies
        chain pbr_forward { # handle 929
        }
        chain pbr_input { # handle 930
        }
        chain pbr_output { # handle 931
        }
        chain pbr_postrouting { # handle 933
        }
        chain pbr_prerouting { # handle 932
                ip dscp ef counter packets 131 bytes 7652 goto pbr_mark_0x010000 # handle 2965
                ip daddr { 91.105.192.0/23, 91.108.4.0-91.108.23.255, 91.108.56.0/22, 95.161.64.0/20, 103.21.244.0/22, 103.22.200.0/22, 103.31.4.0/22, 104.16.0.0-104.27.255.255, 108.162.192.0/18, 131.0.72.0/22, 141.101.64.0/18, 149.154.160.0/20, 162.158.0.0/15, 172.64.0.0/13, 173.245.48.0/20, 185.76.151.0/24, 188.114.96.0/20, 190.93.240.0/20, 197.234.240.0/22, 198.41.128.0/17 } counter packets 0 bytes 0 goto pbr_mark_0x030000 comment "pbr_ips" # handle 2973
                ip daddr @pbr_wg_xray_4_dst_ip_cfg056ff5 counter packets 0 bytes 0 goto pbr_mark_0x030000 comment "pbr_domains" # handle 2975
                ip saddr 192.168.1.104 counter packets 2021 bytes 1510536 goto pbr_mark_0x020000 comment "wan2" # handle 2976
        }
        chain pbr_dstnat { # handle 928
        }

pbr chains - marking
        chain pbr_mark_0x010000 { # handle 2962
                counter packets 132 bytes 7704 meta mark set meta mark & 0xff01ffff | 0x00010000 # handle 2963
                return # handle 2964
        }
        chain pbr_mark_0x020000 { # handle 2966
                counter packets 2053 bytes 1531292 meta mark set meta mark & 0xff02ffff | 0x00020000 # handle 2967
                return # handle 2968
        }
        chain pbr_mark_0x030000 { # handle 2969
                counter packets 0 bytes 0 meta mark set meta mark & 0xff03ffff | 0x00030000 # handle 2970
                return # handle 2971
        }

pbr nft sets
        set pbr_wg_xray_4_dst_ip_cfg056ff5 { # handle 2974
                type ipv4_addr
                flags interval
                counter
                auto-merge
                comment "pbr_domains"
        }

dnsmasq sets
nftset=/alislam.org/4#inet#fw4#pbr_wg_xray_4_dst_ip_cfg056ff5 # pbr_domains
nftset=/telegram.org/4#inet#fw4#pbr_wg_xray_4_dst_ip_cfg056ff5 # pbr_domains
nftset=/signal.art/4#inet#fw4#pbr_wg_xray_4_dst_ip_cfg056ff5 # pbr_domains
nftset=/signal.org/4#inet#fw4#pbr_wg_xray_4_dst_ip_cfg056ff5 # pbr_domains
nftset=/signalusers.org/4#inet#fw4#pbr_wg_xray_4_dst_ip_cfg056ff5 # pbr_domains
nftset=/whispersystems.org/4#inet#fw4#pbr_wg_xray_4_dst_ip_cfg056ff5 # pbr_domains
nftset=/sc-cdn.net/4#inet#fw4#pbr_wg_xray_4_dst_ip_cfg056ff5 # pbr_domains
nftset=/snap-dev.net/4#inet#fw4#pbr_wg_xray_4_dst_ip_cfg056ff5 # pbr_domains
nftset=/snap.com/4#inet#fw4#pbr_wg_xray_4_dst_ip_cfg056ff5 # pbr_domains
nftset=/snapchat.com/4#inet#fw4#pbr_wg_xray_4_dst_ip_cfg056ff5 # pbr_domains
nftset=/snapkit.co/4#inet#fw4#pbr_wg_xray_4_dst_ip_cfg056ff5 # pbr_domains
nftset=/reddit.com/4#inet#fw4#pbr_wg_xray_4_dst_ip_cfg056ff5 # pbr_domains
nftset=/redd.it/4#inet#fw4#pbr_wg_xray_4_dst_ip_cfg056ff5 # pbr_domains
nftset=/redditmedia.com/4#inet#fw4#pbr_wg_xray_4_dst_ip_cfg056ff5 # pbr_domains
nftset=/redditstatic.com/4#inet#fw4#pbr_wg_xray_4_dst_ip_cfg056ff5 # pbr_domains
nftset=/twitter.com/4#inet#fw4#pbr_wg_xray_4_dst_ip_cfg056ff5 # pbr_domains
nftset=/twimg.com/4#inet#fw4#pbr_wg_xray_4_dst_ip_cfg056ff5 # pbr_domains
nftset=/ads-twitter.com/4#inet#fw4#pbr_wg_xray_4_dst_ip_cfg056ff5 # pbr_domains
nftset=/pscp.tv/4#inet#fw4#pbr_wg_xray_4_dst_ip_cfg056ff5 # pbr_domains
nftset=/t.co/4#inet#fw4#pbr_wg_xray_4_dst_ip_cfg056ff5 # pbr_domains
nftset=/x.com/4#inet#fw4#pbr_wg_xray_4_dst_ip_cfg056ff5 # pbr_domains
nftset=/api.twitter.com/4#inet#fw4#pbr_wg_xray_4_dst_ip_cfg056ff5 # pbr_domains
nftset=/pbs.twimg.com/4#inet#fw4#pbr_wg_xray_4_dst_ip_cfg056ff5 # pbr_domains
nftset=/video.twimg.com/4#inet#fw4#pbr_wg_xray_4_dst_ip_cfg056ff5 # pbr_domains
nftset=/api-stream.twitter.com/4#inet#fw4#pbr_wg_xray_4_dst_ip_cfg056ff5 # pbr_domains
nftset=/tpop-api.twitter.com/4#inet#fw4#pbr_wg_xray_4_dst_ip_cfg056ff5 # pbr_domains
nftset=/knowyourmeme.com/4#inet#fw4#pbr_wg_xray_4_dst_ip_cfg056ff5 # pbr_domains
nftset=/tenor.com/4#inet#fw4#pbr_wg_xray_4_dst_ip_cfg056ff5 # pbr_domains
nftset=/docker.io/4#inet#fw4#pbr_wg_xray_4_dst_ip_cfg056ff5 # pbr_domains
nftset=/auth.docker.io/4#inet#fw4#pbr_wg_xray_4_dst_ip_cfg056ff5 # pbr_domains
nftset=/registry-1.docker.io/4#inet#fw4#pbr_wg_xray_4_dst_ip_cfg056ff5 # pbr_domains
nftset=/cloudflare.docker.com/4#inet#fw4#pbr_wg_xray_4_dst_ip_cfg056ff5 # pbr_domains
nftset=/production.cloudflare.docker.com/4#inet#fw4#pbr_wg_xray_4_dst_ip_cfg056ff5 # pbr_domains
nftset=/instagram.com/4#inet#fw4#pbr_wg_xray_4_dst_ip_cfg056ff5 # pbr_domains
nftset=/facebook.com/4#inet#fw4#pbr_wg_xray_4_dst_ip_cfg056ff5 # pbr_domains
nftset=/fbsbx.com/4#inet#fw4#pbr_wg_xray_4_dst_ip_cfg056ff5 # pbr_domains
nftset=/fbcdn.net/4#inet#fw4#pbr_wg_xray_4_dst_ip_cfg056ff5 # pbr_domains
nftset=/cdninstagram.com/4#inet#fw4#pbr_wg_xray_4_dst_ip_cfg056ff5 # pbr_domains
nftset=/www.facebook.com/4#inet#fw4#pbr_wg_xray_4_dst_ip_cfg056ff5 # pbr_domains
nftset=/facebook.com/4#inet#fw4#pbr_wg_xray_4_dst_ip_cfg056ff5 # pbr_domains
nftset=/fbcdn.net/4#inet#fw4#pbr_wg_xray_4_dst_ip_cfg056ff5 # pbr_domains
nftset=/fbsbx.com/4#inet#fw4#pbr_wg_xray_4_dst_ip_cfg056ff5 # pbr_domains
nftset=/whatsapp.com/4#inet#fw4#pbr_wg_xray_4_dst_ip_cfg056ff5 # pbr_domains
nftset=/whatsapp.net/4#inet#fw4#pbr_wg_xray_4_dst_ip_cfg056ff5 # pbr_domains
nftset=/g.whatsapp.net/4#inet#fw4#pbr_wg_xray_4_dst_ip_cfg056ff5 # pbr_domains
nftset=/graph.whatsapp.com/4#inet#fw4#pbr_wg_xray_4_dst_ip_cfg056ff5 # pbr_domains
nftset=/cdn.whatsapp.net/4#inet#fw4#pbr_wg_xray_4_dst_ip_cfg056ff5 # pbr_domains
nftset=/fna.whatsapp.net/4#inet#fw4#pbr_wg_xray_4_dst_ip_cfg056ff5 # pbr_domains
nftset=/mmg.whatsapp.net/4#inet#fw4#pbr_wg_xray_4_dst_ip_cfg056ff5 # pbr_domains
nftset=/c.whatsapp.net/4#inet#fw4#pbr_wg_xray_4_dst_ip_cfg056ff5 # pbr_domains
nftset=/static.whatsapp.net/4#inet#fw4#pbr_wg_xray_4_dst_ip_cfg056ff5 # pbr_domains
nftset=/g-fallback.whatsapp.net/4#inet#fw4#pbr_wg_xray_4_dst_ip_cfg056ff5 # pbr_domains
nftset=/pps.whatsapp.net/4#inet#fw4#pbr_wg_xray_4_dst_ip_cfg056ff5 # pbr_domains
nftset=/e1.whatsapp.net/4#inet#fw4#pbr_wg_xray_4_dst_ip_cfg056ff5 # pbr_domains
nftset=/e2.whatsapp.net/4#inet#fw4#pbr_wg_xray_4_dst_ip_cfg056ff5 # pbr_domains
nftset=/e3.whatsapp.net/4#inet#fw4#pbr_wg_xray_4_dst_ip_cfg056ff5 # pbr_domains
nftset=/e4.whatsapp.net/4#inet#fw4#pbr_wg_xray_4_dst_ip_cfg056ff5 # pbr_domains
nftset=/e5.whatsapp.net/4#inet#fw4#pbr_wg_xray_4_dst_ip_cfg056ff5 # pbr_domains
nftset=/e6.whatsapp.net/4#inet#fw4#pbr_wg_xray_4_dst_ip_cfg056ff5 # pbr_domains
nftset=/e7.whatsapp.net/4#inet#fw4#pbr_wg_xray_4_dst_ip_cfg056ff5 # pbr_domains
nftset=/e8.whatsapp.net/4#inet#fw4#pbr_wg_xray_4_dst_ip_cfg056ff5 # pbr_domains
nftset=/e9.whatsapp.net/4#inet#fw4#pbr_wg_xray_4_dst_ip_cfg056ff5 # pbr_domains
nftset=/e10.whatsapp.net/4#inet#fw4#pbr_wg_xray_4_dst_ip_cfg056ff5 # pbr_domains
nftset=/e11.whatsapp.net/4#inet#fw4#pbr_wg_xray_4_dst_ip_cfg056ff5 # pbr_domains
nftset=/e12.whatsapp.net/4#inet#fw4#pbr_wg_xray_4_dst_ip_cfg056ff5 # pbr_domains
nftset=/e13.whatsapp.net/4#inet#fw4#pbr_wg_xray_4_dst_ip_cfg056ff5 # pbr_domains
nftset=/e14.whatsapp.net/4#inet#fw4#pbr_wg_xray_4_dst_ip_cfg056ff5 # pbr_domains
nftset=/e15.whatsapp.net/4#inet#fw4#pbr_wg_xray_4_dst_ip_cfg056ff5 # pbr_domains
nftset=/e16.whatsapp.net/4#inet#fw4#pbr_wg_xray_4_dst_ip_cfg056ff5 # pbr_domains

pbr tables & routing
IPv4 table 256 pbr_wan route:
default via PUBLIC_GATEWAY_REMOVED dev pppoe-wan
IPv4 table 256 pbr_wan rule(s):
30000:  from all fwmark 0x10000/0xff0000 lookup pbr_wan

IPv4 table 257 pbr_wan2 route:
default via PUBLIC_GATEWAY_REMOVED dev pppoe-wan2
IPv4 table 257 pbr_wan2 rule(s):
29998:  from all fwmark 0x20000/0xff0000 lookup pbr_wan2

IPv4 table 258 pbr_wg_xray route:
default via 10.13.13.2 dev wg_xray
IPv4 table 258 pbr_wg_xray rule(s):
29996:  from all fwmark 0x30000/0xff0000 lookup pbr_wg_xray

And finally, this is the script I am using to populate the PBR domains/IPs.

I understand I have a pretty messy setup :sweat_smile:
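The status dump above shows the whole chain that a domain policy depends on: dnsmasq writes resolved addresses into the nft set named in its nftset= line, the pbr_prerouting rule matches ip daddr against that set and jumps to a mark chain, and an ip rule with a fwmark/mask lookup sends the marked packet to the policy's routing table. When a domain policy silently does nothing, the set is usually empty (as in the first post of this thread) or the set name in the dnsmasq line no longer matches the set in the nft file. The following POSIX shell script is an added example, not part of the pbr package or of the poster's setup: it parses constructed copies of the output formats shown above (an nftset= line, nft list set output with and without elements) and reproduces the mark arithmetic, so the checks can be run offline; on a router the same functions would be fed the real output of nft list set and ip rule show.

```shell
#!/bin/sh
# Added example (not pbr's own code). Offline checks over constructed copies
# of the "dnsmasq sets" and "nft list set" formats shown in this thread.

# Constructed nftset= line in the format pbr writes for dnsmasq.
DNSMASQ_LINE='nftset=/telegram.org/4#inet#fw4#pbr_wg_xray_4_dst_ip_cfg056ff5 # pbr_domains'

# Constructed `nft list set` output: the failure mode from the first post
# (a set with no elements block) and a healthy set with resolved addresses.
NFT_SET_EMPTY='table inet fw4 {
        set pbr_wg_xray_4_dst_ip_cfg056ff5 {
                type ipv4_addr
                flags interval
                auto-merge
                comment "pbr_domains"
        }
}'
NFT_SET_FILLED='table inet fw4 {
        set pbr_wg_xray_4_dst_ip_cfg056ff5 {
                type ipv4_addr
                flags interval
                auto-merge
                comment "pbr_domains"
                elements = { 149.154.167.99, 149.154.167.220 }
        }
}'

# dnsmasq_set_name LINE: print the nft set referenced by an nftset= line.
# Format: nftset=/DOMAIN/FAMILY#TABLEFAMILY#TABLE#SET # comment
dnsmasq_set_name() {
    printf '%s\n' "$1" |
        sed -n 's|^nftset=/[^/]*/[46]*#[a-z0-9]*#[a-z0-9_]*#\([A-Za-z0-9_]*\).*|\1|p'
}

# dnsmasq_domain LINE: print the domain the nftset= line applies to.
dnsmasq_domain() {
    printf '%s\n' "$1" | sed -n 's|^nftset=/\([^/]*\)/.*|\1|p'
}

# nft_has_set TEXT NAME: succeed if `nft list set` output defines NAME.
nft_has_set() {
    printf '%s\n' "$1" | grep -q "^[[:space:]]*set $2 {"
}

# nft_set_has_elements TEXT: succeed if the set carries an elements block,
# i.e. dnsmasq has actually added resolved addresses to it.
nft_set_has_elements() {
    printf '%s\n' "$1" | grep -q 'elements = {'
}

# pbr_mark MARK CHAINVALUE: apply the mark chain's
# "mark set mark and 0xff00ffff xor CHAINVALUE" to an incoming mark.
pbr_mark() {
    printf '0x%x\n' $(( ($1 & 0xff00ffff) ^ $2 ))
}

# fwmark_matches MARK RULEMARK MASK: succeed if an ip rule
# "fwmark RULEMARK/MASK" would select the packet carrying MARK.
fwmark_matches() {
    [ $(( $1 & $3 )) -eq $(( $2 )) ]
}

# check_domain_policy LINE NFTTEXT: report why a domain policy would not
# route anything. Prints ok / missing-set / empty-set.
check_domain_policy() {
    name=$(dnsmasq_set_name "$1")
    if ! nft_has_set "$2" "$name"; then
        echo "missing-set"
    elif ! nft_set_has_elements "$2"; then
        echo "empty-set"
    else
        echo "ok"
    fi
}

# Stand-alone run: show the diagnosis for both constructed sets and the
# mark a packet gets in the pbr_mark_0x030000 chain.
echo "$(dnsmasq_domain "$DNSMASQ_LINE") -> $(check_domain_policy "$DNSMASQ_LINE" "$NFT_SET_EMPTY")"
echo "$(dnsmasq_domain "$DNSMASQ_LINE") -> $(check_domain_policy "$DNSMASQ_LINE" "$NFT_SET_FILLED")"
echo "mark after pbr_mark_0x030000: $(pbr_mark 0x0 0x030000)"
```

An empty-set result with a working nslookup means the resolver answering clients is not the dnsmasq instance carrying the nftset= lines, or dnsmasq was built without nftset support (the Compile time options line in pbr status shows whether nftset is present); a missing-set result means the set name changed, which happens when the policy's cfg id is regenerated and dnsmasq was not restarted with the new file.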

I do have 1.1.8-r4 if you want.

See: https://github.com/egc112/OpenWRT-egc-add-on/tree/main/pbr

Thank you again @egc, the patron saint of open source WRT projects, for getting me on the correct track.

My issue is resolved for the most part. I’ll try to explain what happened in case anyone else has a similar experience.

This scenario has an OpenWRT router behind private address space wifi as a client via WWAN. There’s a need to be able to reach the network it hosts from the Internet. There is a WG tunnel attached to a commercial provider with ports forwarded for WG and (udp)OVPN servers. The commercial WG tunnel is set up as the default gateway. PBR is used to direct a few ports to the commercial provider, then redirects all the LANs back to the regular (W)WAN. This made hosting a (udp)OVPN and WG server through a commercial WG tunnel possible, or did until the 1.1.8 releases. According to the README for v1.1.8, all WG tunnels are indiscriminately forced to go to the (W)WAN. I did not re-read the README for 1.1.8 and had been using this configuration since 1.1.1-7 on 23.05.x releases. Apparently, the forcing of WG tunnels to the (W)WAN is broken in 1.1.8-r4, the first version of the 1.1.8 releases that I had used in the 24.10.0-rcx releases, making me think ‘all is well’. Apparently, 1.1.8-r6 corrected that and does indeed force the WG server to the (W)WAN rather than the commercial tunnel as was desired.

I was able to work-around the forcing of the WG tunnels to the (W)WAN by adjusting the PBR script a bit.

This is probably a bit of an edge case, but any chance of adding functionality to selectively disable the forcing of all WG tunnels to (W)WAN?

Thanks @bd0426 for your analysis, I see your problem.

The line of thought is that traffic for the WG server is coming in via the WAN and should go out via the WAN even if the default route is via another tunnel; in your case this is not true, you want the WG server via your tunnel.
(You can see things in action with: ip rule show, which will show your WG server's listen port routed via the WAN.)

Maybe @stangri can make it so that this does not happen if you place the WG server on the ignored interfaces list?

I will think about it and maybe make a pull request for it.