Hello,
I want to use PBR (Policy-Based Routing) to send Netflix traffic outside my OpenVPN tunnel while everything else stays inside it.
I'm using a Zyxel AP with only one Ethernet port, so there is no dedicated WAN interface.
I can't start the PBR service without a WAN interface; is there any trick to skip that requirement?
I already tried `option procd_wan_interface 'lan'`, but I need that interface as a PBR target and it then disappears from the list of usable interfaces.
Update
It works after manually declaring a stand-in WAN (pointing `procd_wan_interface` at the OpenVPN interface) and forcing the LAN device:
# /etc/config/pbr — service-wide settings (the routing rules live in separate 'config policy' sections).
config pbr 'config'
option enabled '1'
# 2 = verbose logging; handy while debugging the failing policy, noisy once it works.
option verbosity '2'
# Keep enforcing a policy when its target interface is down. If, as the pbr docs describe,
# that blocks the traffic instead of letting it fall back to the main table, this is what
# stops LAN10 traffic from leaking around the tunnel when tun0 drops — confirm against the docs.
option strict_enforcement '1'
# 'none': hostnames in dest_addr are resolved once when pbr starts and written into the nft
# rule as literal IPs (see the "ipaddress.my" rule in the nft output below); they are not
# refreshed when the DNS answer changes.
option resolver_set 'none'
list resolver_instance '*'
# Consistent with ipv6 '0' on every device/interface in /etc/config/network: there is no
# IPv6 path that could bypass these policies.
option ipv6_enabled '0'
option boot_timeout '30'
option rule_create_option 'add'
option procd_reload_delay '1'
option webui_show_ignore_target '0'
option nft_rule_counter '0'
option nft_set_auto_merge '1'
option nft_set_counter '0'
option nft_set_flags_interval '1'
option nft_set_flags_timeout '0'
option nft_set_policy 'performance'
list webui_supported_protocol 'all'
list webui_supported_protocol 'tcp'
list webui_supported_protocol 'udp'
list webui_supported_protocol 'tcp udp'
list webui_supported_protocol 'icmp'
# NOTE(review): three names in a single 'list' value; whether pbr splits on whitespace is not
# visible here — the conventional form is one 'list supported_interface' line per interface.
# Check the interface list pbr logs at start (verbosity 2 shows it).
list supported_interface 'openvpn br-lan br-lan10'
# Workaround for a single-port device with no real WAN: declare the tunnel as the "WAN"
# and 'lan' as the LAN device so the service agrees to start. The surrounding asterisks are
# forum bold markup, not UCI syntax — they must not appear in the real file.
**option procd_lan_device 'lan'**
**option procd_wan_interface 'openvpn'**
Now I need to find out why the "ipaddress.my" policy does not work (the VPN policy is fine):
# Send LAN10 traffic destined for ipaddress.my out through 'lan' (table pbr_lan, via 192.168.1.1)
# instead of the tunnel. It must precede the catch-all LAN10-TO-VPN policy, and the pbr_prerouting
# chain below shows it does (handle 1448 before handle 1449).
config policy
option name 'ipaddress.my'
option src_addr '192.168.74.0/24'
# Resolved once at pbr start (resolver_set 'none'): the nft rule holds 104.21.18.144 and
# 172.67.182.83. NOTE(review): those look like shared CDN/anycast addresses that can rotate —
# if the name now resolves elsewhere the rule silently stops matching until pbr restarts.
# Compare `nslookup ipaddress.my` with the set in the nft rule.
option dest_addr 'ipaddress.my'
# NOTE(review): the marking chain and the pbr_lan table look correct in the output below
# (mark 0x010000 -> rule 30000 -> default via 192.168.1.1 dev br-lan). What this paste cannot
# show is the return path: packets leave br-lan with a 192.168.74.x source address, and unless
# 192.168.1.1 routes 192.168.74.0/24 back to 192.168.1.112 or this device masquerades on br-lan,
# replies never come back. Check that first; the tunnel path presumably gets NAT elsewhere.
option interface 'lan'
# Catch-all: everything else from LAN10 goes through the OpenVPN tunnel (table pbr_openvpn,
# default via 10.32.4.153 dev tun0). Combined with strict_enforcement '1' in the pbr section,
# this acts as the VPN kill switch for the subnet — provided strict enforcement blocks rather
# than falls back to the main table when tun0 is down (confirm against the pbr docs).
config policy
option name 'LAN10-TO-VPN'
option src_addr '192.168.74.0/24'
option interface 'openvpn'
# /etc/config/network — standard loopback stanza.
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option packet_steering '1'
# Auto-generated ULA prefix; effectively unused since ipv6 is '0' on every device below.
option ula_prefix 'fdfb:6880:7bf9::/48'
# Upstream/management side of the single Ethernet port: a static address on 192.168.1.0/24
# behind the router 192.168.1.1. This is the only "outside" path the device has besides the tunnel.
config interface 'lan'
option device 'br-lan'
option proto 'static'
option netmask '255.255.255.0'
option ipaddr '192.168.1.112'
# Consumed by pbr as the gateway of table pbr_lan ('default via 192.168.1.1 dev br-lan' below)
# — but, because of defaultroute '0', NOT installed as a default route in the main table.
option gateway '192.168.1.1'
option ipv6 '0'
option delegate '0'
# Resolver for the device itself (this stanza hands nothing to clients). pbr needs it to
# resolve ipaddress.my at start; that query follows the main table, not the policies.
list dns '8.8.8.8'
# NOTE(review): nothing in this paste installs a main-table default route. The VPN is
# reported working, so one must exist (pushed by OpenVPN or configured elsewhere) — confirm
# with `ip route`, and check that pbr's DNS lookup at boot has a route at all.
option defaultroute '0'
config device
option name 'eth0'
option ipv6 '0'
# Unmanaged interface wrapping the OpenVPN tunnel device so pbr can use 'openvpn' as a
# target (and, via procd_wan_interface, as the stand-in WAN). OpenVPN itself creates tun0
# and its routes; the 10.32.4.153 gateway in table pbr_openvpn comes from there.
config interface 'openvpn'
option proto 'none'
option device 'tun0'
config device
option name 'tun0'
option ipv6 '0'
# Untagged traffic on port 'lan' -> br-lan (management side, 192.168.1.0/24).
config device
option type 'bridge'
option name 'br-lan'
list ports 'lan'
option mtu '1500'
option ipv6 '0'
# VLAN 10 sub-interface on the same physical port; the upstream switch presumably carries
# tag 10 to this port.
config device
option type '8021q'
option ifname 'lan'
option vid '10'
option name 'lan.10'
option ipv6 '0'
# Tagged VLAN 10 -> br-lan10, the client subnet whose traffic the pbr policies steer.
config device
option type 'bridge'
option name 'br-lan10'
list ports 'lan.10'
option ipv6 '0'
# Client-facing VLAN 10 network 192.168.74.0/24 — the src_addr both pbr policies match on.
# No 'gateway' here: all of this subnet's traffic is caught by one of the two policies.
config interface 'lan10'
option proto 'static'
option device 'br-lan10'
# Also the gateway of table pbr_lan10 ('default via 192.168.74.1 dev br-lan10' below), i.e. a
# route back to this device itself. No policy targets it (mark 0x030000 is never set in
# pbr_prerouting), so that table is unused and harmless.
option ipaddr '192.168.74.1'
option netmask '255.255.255.0'
list dns '8.8.8.8'
Output of `nft -a list ruleset` (excerpt: the pbr chains only):
chain pbr_prerouting { # handle 40
ip saddr 192.168.74.0/24 ip daddr { 104.21.18.144, 172.67.182.83 } goto pbr_mark_0x010000 comment "ipaddress.my" # handle 1448
ip saddr 192.168.74.0/24 goto pbr_mark_0x020000 comment "LAN10-TO-VPN" # handle 1449
}
chain pbr_postrouting { # handle 41
}
chain pbr_mark_0x010000 { # handle 1349
meta mark set meta mark & 0xff01ffff | 0x00010000 # handle 1441
return # handle 1442
}
chain pbr_mark_0x020000 { # handle 1352
meta mark set meta mark & 0xff02ffff | 0x00020000 # handle 1443
return # handle 1444
}
chain pbr_mark_0x030000 { # handle 1355
meta mark set meta mark & 0xff03ffff | 0x00030000 # handle 1445
return # handle 1446
}
Output of `ip rule` (the pbr rules are matched before the main table):
29996: from all fwmark 0x30000/0xff0000 lookup pbr_lan10
29998: from all fwmark 0x20000/0xff0000 lookup pbr_openvpn
30000: from all fwmark 0x10000/0xff0000 lookup pbr_lan
32766: from all lookup main
32767: from all lookup default
ip route list table pbr_lan10
default via 192.168.74.1 dev br-lan10
ip route list table pbr_openvpn
default via 10.32.4.153 dev tun0
ip route list table pbr_lan
default via 192.168.1.1 dev br-lan