Policy-Based-Routing (PBR) without WAN

Hello,

I want to use PBR to route Netflix traffic outside my OpenVPN connection.
I'm using a Zyxel AP with only one ethernet port.

I can't start the PBR service without a WAN interface; is there any trick to skip this requirement?
I already tried `option procd_wan_interface 'lan'`, but I also need that interface as a PBR policy target, and it then disappears from the list of usable interfaces.

Update
It works after declaring a fake WAN manually and forcing the LAN device:

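# /etc/config/pbr, global section -- the configuration that finally starts pbr
# on this single-port Zyxel AP. pbr refused to start without a 'wan' interface,
# and pointing procd_wan_interface at 'lan' made 'lan' unusable as a policy
# target, so the OpenVPN interface is declared as pbr's "wan" and the LAN
# device is named explicitly (the last two options). The forum post marked
# those two lines in bold; the '**' markers are not valid UCI syntax and are
# dropped here.
config pbr 'config'
        option enabled '1'
        option verbosity '2'
        option strict_enforcement '1'
        option resolver_set 'none'
        list resolver_instance '*'
        option ipv6_enabled '0'
        option boot_timeout '30'
        option rule_create_option 'add'
        option procd_reload_delay '1'
        option webui_show_ignore_target '0'
        option nft_rule_counter '0'
        # nft_set_auto_merge '1' presumably makes pbr create its sets with nft's
        # auto-merge flag -- the same flag a hand-made set with overlapping
        # prefixes (the AWS list further down) needs.
        option nft_set_auto_merge '1'
        option nft_set_counter '0'
        option nft_set_flags_interval '1'
        option nft_set_flags_timeout '0'
        option nft_set_policy 'performance'
        list webui_supported_protocol 'all'
        list webui_supported_protocol 'tcp'
        list webui_supported_protocol 'udp'
        list webui_supported_protocol 'tcp udp'
        list webui_supported_protocol 'icmp'
        # Policy targets. Note this list mixes device names (br-lan, br-lan10)
        # with the interface name 'openvpn', while the policies below use the
        # interface names 'lan' and 'openvpn'.
        list supported_interface 'openvpn br-lan br-lan10'
        # Workaround: name the LAN device explicitly and let the VPN play "wan".
        option procd_lan_device 'lan'
        option procd_wan_interface 'openvpn'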

Now I need to find out why the "ipaddress.my" policy does not work (the VPN policy is fine):

# Two pbr policies for the same source subnet. pbr emits them into
# pbr_prerouting in this order (see the nft listing below): the first marks
# packets to the resolved addresses of ipaddress.my for table pbr_lan, the
# second marks everything else from the subnet for table pbr_openvpn.
config policy
        option name 'ipaddress.my'
        option src_addr '192.168.74.0/24'
        # dest_addr is a hostname; pbr resolved it once when building the rule
        # (two fixed addresses in the nft listing below), so a client that
        # resolves the name to a different CDN address falls through to the
        # VPN rule -- one thing to check for the "does not pass" problem.
        option dest_addr 'ipaddress.my'
        option interface 'lan'

# Catch-all: everything else from LAN10 goes through the VPN.
config policy
        option name 'LAN10-TO-VPN'
        option src_addr '192.168.74.0/24'
        option interface 'openvpn'

# /etc/config/network. Single physical port 'lan': untagged traffic is the
# management LAN (br-lan, 192.168.1.0/24) and VLAN 10 (lan.10 -> br-lan10,
# 192.168.74.0/24) is the client subnet that every pbr policy above matches.
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option packet_steering '1'
        option ula_prefix 'fdfb:6880:7bf9::/48'

# Untagged LAN with a static address behind the upstream router 192.168.1.1.
# 'defaultroute 0' is meant to keep that gateway out of the main table; pbr
# still uses it in its own table (see 'ip route list table pbr_lan' below).
config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '192.168.1.112'
        option gateway '192.168.1.1'
        option ipv6 '0'
        option delegate '0'
        list dns '8.8.8.8'
        option defaultroute '0'

config device
        option name 'eth0'
        option ipv6 '0'

# The OpenVPN tunnel; proto 'none' means OpenVPN itself addresses tun0.
# This is the interface pbr is told to treat as its "wan".
config interface 'openvpn'
        option proto 'none'
        option device 'tun0'

config device
        option name 'tun0'
        option ipv6 '0'

config device
        option type 'bridge'
        option name 'br-lan'
        list ports 'lan'
        option mtu '1500'
        option ipv6 '0'

# VLAN 10 on the same port, bridged so it can be referenced as br-lan10.
config device
        option type '8021q'
        option ifname 'lan'
        option vid '10'
        option name 'lan.10'
        option ipv6 '0'

config device
        option type 'bridge'
        option name 'br-lan10'
        list ports 'lan.10'
        option ipv6 '0'

# The client subnet matched by src_addr in the pbr policies. It lists 8.8.8.8
# as DNS, presumably why the manual exception rule later exempts 8.8.8.8 from
# the VPN mark -- verify that is the intent.
config interface 'lan10'
        option proto 'static'
        option device 'br-lan10'
        option ipaddr '192.168.74.1'
        option netmask '255.255.255.0'
        list dns '8.8.8.8'

nft -a list ruleset :

chain pbr_prerouting { # handle 40
                ip saddr 192.168.74.0/24 ip daddr { 104.21.18.144, 172.67.182.83 } goto pbr_mark_0x010000 comment "ipaddress.my" # handle 1448
                ip saddr 192.168.74.0/24 goto pbr_mark_0x020000 comment "LAN10-TO-VPN" # handle 1449
        }

        chain pbr_postrouting { # handle 41
        }

        chain pbr_mark_0x010000 { # handle 1349
                meta mark set meta mark & 0xff01ffff | 0x00010000 # handle 1441
                return # handle 1442
        }

        chain pbr_mark_0x020000 { # handle 1352
                meta mark set meta mark & 0xff02ffff | 0x00020000 # handle 1443
                return # handle 1444
        }

        chain pbr_mark_0x030000 { # handle 1355
                meta mark set meta mark & 0xff03ffff | 0x00030000 # handle 1445
                return # handle 1446
        }

ip rule:

29996:  from all fwmark 0x30000/0xff0000 lookup pbr_lan10
29998:  from all fwmark 0x20000/0xff0000 lookup pbr_openvpn
30000:  from all fwmark 0x10000/0xff0000 lookup pbr_lan
32766:  from all lookup main
32767:  from all lookup default
ip route list table pbr_lan10
default via 192.168.74.1 dev br-lan10
 ip route list table pbr_openvpn
default via 10.32.4.153 dev tun0
 ip route list table pbr_lan
default via 192.168.1.1 dev br-lan

I still haven't found why two policies with the same source subnet don't both work. (Two things worth checking: `dest_addr 'ipaddress.my'` is resolved when pbr builds the rule -- the nft listing shows two fixed addresses -- so a client resolving the name to another CDN address falls through to the VPN rule; and packets routed via table pbr_lan leave br-lan with a 192.168.74.x source, which the upstream router can only answer if the lan zone masquerades, as the VPN zone presumably does.)

But I found another method, using an exception rule like this:

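chain pbr_prerouting {
                # Hand-written exception: everything from LAN10 except traffic
                # to 8.8.8.8 gets the VPN mark; 8.8.8.8 is left unmarked and
                # falls through to the main table. (The post had "goto goto",
                # which nft rejects; a single goto is the valid form.)
                ip saddr 192.168.74.0/24 ip daddr != 8.8.8.8 goto pbr_mark_0x020000
}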

After that I tried to fix the AWS script that imports the IP list into nft.

There are two problems in the original script:
- too many IPs to import in a single nft invocation (the argument list gets too long)
- some subnets overlap, which nft refuses to insert into an interval set unless the set has the `auto-merge` flag

To solve the first problem I started by splitting the list into chunks:

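#!/bin/sh
# Import the published AWS IPv4 prefixes into an nftables set and point the
# hand-made pbr exception rule at it, so that traffic from LAN10 to Amazon
# (Prime Video) leaves via the default route while everything else from
# LAN10 keeps the VPN mark (pbr_mark_0x020000).
#
# Needs: uclient-fetch with a CA bundle (ca-bundle / ca-certificates package),
#        jsonfilter, nft, and a running pbr -- the exception rule to replace
#        must already exist in pbr_prerouting.
# Note:  the set and the rule live in table 'inet fw4', which fw4 rebuilds on
#        every firewall reload, so re-run this script after a firewall reload
#        (and presumably after a pbr restart, which rebuilds its chains). Until
#        it is re-run, LAN10 traffic simply follows the plain VPN rule again,
#        i.e. the failure mode is "everything through the VPN", not a leak.
#
# Fixes relative to the first draft in this thread:
#   - TLS verification is kept on (no --no-check-certificate): this list decides
#     which destinations skip the VPN, so anyone who can tamper with the download
#     could pull arbitrary destinations out of the tunnel.
#   - the whole list is loaded with 'nft -f' from a file, so there is no ARG_MAX
#     problem and no need to split it into chunks (the old loop also never
#     advanced: FILE was set once and 'I++' is not shell syntax);
#   - the set is created with 'auto-merge', which is what lets nft accept the
#     overlapping prefixes the old version choked on;
#   - every prefix is validated as a.b.c.d/n before it is written into nft
#     syntax, so a malformed or tampered JSON cannot inject nft commands;
#   - the rule handle is checked before 'replace rule' is attempted, and an
#     already-converted rule (re-run) is found as well;
#   - an empty download is detected (the old '-s' test passed on an empty
#     gzip stream) and a top-level 'return' is now an 'exit'.
set -u

TARGET_TABLE='inet fw4'
TARGET_SET='amazon-list'
TARGET_CHAIN='pbr_prerouting'
TARGET_MARK='pbr_mark_0x020000'
SRC_NET='192.168.74.0/24'
TARGET_URL='https://ip-ranges.amazonaws.com/ip-ranges.json'

# Print a message to stderr and exit non-zero.
die() {
  printf 'aws-ranges: %s\n' "$*" >&2
  exit 1
}

# Print the handle of the LAN10 exception rule, in either its original
# '!= 8.8.8.8' form (first run) or its '!= @amazon-list' form (re-runs).
# Prints nothing when neither is present.
find_rule_handle() {
  # shellcheck disable=SC2086  # TARGET_TABLE is deliberately two words
  nft -a list chain $TARGET_TABLE "$TARGET_CHAIN" 2>/dev/null \
    | grep -F -e "ip saddr $SRC_NET ip daddr != 8.8.8.8 goto $TARGET_MARK" \
              -e "ip saddr $SRC_NET ip daddr != @$TARGET_SET goto $TARGET_MARK" \
    | sed -n 's/.*# handle \([0-9][0-9]*\)[[:space:]]*$/\1/p' \
    | head -n 1
}

WORK_DIR=$(mktemp -d /tmp/aws-ranges.XXXXXX) || die "mktemp failed"
trap 'rm -rf -- "$WORK_DIR"' EXIT INT TERM
JSON_FILE="$WORK_DIR/ip-ranges.json"
LIST_FILE="$WORK_DIR/prefixes.txt"
NFT_FILE="$WORK_DIR/set.nft"

# 1. Download with certificate verification ON (see header). If uclient-fetch
#    complains about the certificate, install the CA bundle rather than
#    disabling the check.
uclient-fetch -q -O "$JSON_FILE" "$TARGET_URL" || die "download of $TARGET_URL failed"
[ -s "$JSON_FILE" ] || die "downloaded file is empty"

# 2. Extract the IPv4 prefixes and keep only well-formed a.b.c.d/n tokens;
#    anything else is dropped instead of being handed to nft. sort -u removes
#    exact duplicates; overlapping ranges are left to auto-merge.
jsonfilter -i "$JSON_FILE" -e '@.prefixes[*].ip_prefix' \
  | grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$' \
  | sort -u > "$LIST_FILE"
[ -s "$LIST_FILE" ] || die "no IPv4 prefixes found in $TARGET_URL"
rm -f -- "$JSON_FILE"   # /tmp is usually RAM-backed on OpenWrt; drop the JSON early

# 3. On a re-run, flush the existing set so removed prefixes disappear and the
#    interval set does not reject re-inserted ranges. While the set is empty,
#    Amazon traffic briefly takes the VPN -- the safe direction.
# shellcheck disable=SC2086
if nft list set $TARGET_TABLE "$TARGET_SET" >/dev/null 2>&1; then
  nft flush set $TARGET_TABLE "$TARGET_SET" || die "flushing set $TARGET_SET failed"
fi

# 4. Build one nft script and load it in a single transaction: no ARG_MAX
#    issue, and 'auto-merge' collapses overlapping/adjacent prefixes.
#    'add set' is a no-op when the set already exists.
{
  printf 'add set %s %s { type ipv4_addr; flags interval; auto-merge; comment "AWS IPv4 ranges: bypass the VPN"; }\n' \
    "$TARGET_TABLE" "$TARGET_SET"
  printf 'add element %s %s {\n' "$TARGET_TABLE" "$TARGET_SET"
  sed '$!s/$/,/' "$LIST_FILE"   # one prefix per line, comma after all but the last
  printf '}\n'
} > "$NFT_FILE"
nft -f "$NFT_FILE" || die "loading set $TARGET_SET into $TARGET_TABLE failed"

# 5. Point the exception rule at the set. Without a handle the old
#    'replace rule handle' would run with an empty argument, so bail out
#    instead. As in the post, the new rule no longer exempts 8.8.8.8; insert
#    'ip daddr != 8.8.8.8' before the set match if LAN10 DNS must stay off
#    the VPN.
handle=$(find_rule_handle)
[ -n "$handle" ] || die "LAN10 exception rule not found in $TARGET_CHAIN (is pbr running with the manual exception rule?)"
# shellcheck disable=SC2086
nft replace rule $TARGET_TABLE "$TARGET_CHAIN" handle "$handle" \
  ip saddr "$SRC_NET" ip daddr != "@$TARGET_SET" goto "$TARGET_MARK" \
  || die "replacing rule handle $handle failed"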

I still need to find out how to remove the duplicates so that overlapping subnets no longer fail (creating the set with nft's `auto-merge` flag should collapse overlapping intervals, which is worth trying before deduplicating by hand).

Now I can reach Amazon Video without my VPN, via the default route.

Did you set an option procd_wan_interface "lan" in the global section of your /etc/config/pbr file? PBR service should then start. In PBR policy for Netflix, select the interface that PBR now designates as its WAN. This "wan" will correspond to your "lan" interface.

I had already tried that (`option procd_wan_interface 'lan'`) and it didn't work,
but it works fine now with my new configuration:

        **option procd_lan_device 'lan'**
        **option procd_wan_interface 'openvpn'**