Policy Based Routing Plex

Hi again all, hoping to get some advice/eyes on my config files. I have a wireguard vpn connection on my router (Surfshark, UK server) that all traffic runs through. I have a Synology NAS with Plex Media Server on it, and with advice given to me last month here I installed Policy Based Routing and DNSmasq to allow me to access the NAS outside of the local network.

I have set up a port forward in the firewall, and policies in PBR. I can access my NAS via IP, etc., but I cannot access my Plex server any more, either locally in the Plex app or from outside my network. I figure I have misconfigured something here but I can't work out what! I am sure I am missing something very obvious, sorry! I have pasted my config files below in case anyone can see what I'm missing. Thanks in advance

Policy Based Routing:

# Policy-based routing: keep Plex/Emby traffic on the physical wan while the
# default route goes through the WireGuard tunnel (see the wg0 peer's
# allowed_ips 0.0.0.0/0 in the network config).
config pbr 'config'
	option verbosity '2'
	# with strict enforcement, a policy whose interface is down has its traffic
	# blocked instead of falling back to the default route — presumably the
	# intended "no leak" behaviour; confirm this is what is wanted for wan
	option strict_enforcement '1'
	option ipv6_enabled '0'
	list ignored_interface 'vpnserver'
	list ignored_interface 'wgserver'
	option boot_timeout '30'
	option rule_create_option 'add'
	option procd_reload_delay '1'
	option webui_show_ignore_target '0'
	list webui_supported_protocol 'all'
	list webui_supported_protocol 'tcp'
	list webui_supported_protocol 'udp'
	list webui_supported_protocol 'tcp udp'
	list webui_supported_protocol 'icmp'
	option enabled '1'
	# host names in a policy's dest_addr are resolved into an ipset by dnsmasq.
	# NOTE(review): that set is only filled by lookups that pass through this
	# router's dnsmasq — if the NAS points at another resolver, the plex.tv
	# entries never match and its HTTPS traffic stays on the tunnel; verify
	# which DNS server the NAS is configured to use.
	option resolver_set 'dnsmasq.ipset'

config include
	option path '/usr/share/pbr/pbr.user.aws'
	option enabled '0'

config include
	option path '/usr/share/pbr/pbr.user.netflix'
	option enabled '0'

# Packets the NAS sends *from* the Emby (8096, 8920) and Plex (32400) listener
# ports — i.e. the server side of connections to those services — leave via wan
# rather than the tunnel, so remote clients get their replies back the way they
# came in (through the 32400 port forward in the firewall config).
config policy
	option name 'Plex/Emby Local Server'
	option interface 'wan'
	option src_port '8096 8920 32400'

# Outbound connections to the Plex/Emby cloud endpoints go via wan as well; the
# host names are matched through the dnsmasq ipset configured above.
# NOTE(review): routing these out of wan also needs the firewall to permit
# lan -> wan forwarding for the NAS; see the forwarding section of the firewall config.
config policy
	option name 'Plex/Emby Remote Servers'
	option interface 'wan'
	option dest_addr 'plex.tv my.plexapp.com emby.media app.emby.media tv.emby.media'

Firewall:


# Firewall: lan is forwarded to the VPN zone only; wan accepts the standard
# OpenWrt service rules plus a single port forward (Plex, 32400/tcp) to the NAS.
config defaults
	# the per-zone input/forward settings below override these defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option mtu_fix '1'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	# nothing is forwarded towards wan unless a forwarding or rule below allows it
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

# Standard OpenWrt wan input rules (DHCP renew, ping, IGMP, DHCPv6, MLD, ICMPv6,
# IPsec) — unchanged from the defaults.
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

# Port forward for Plex remote access: wan:32400/tcp -> NAS 192.168.1.148:32400.
# This exposes the Plex listener to the internet; Plex's own sign-in is what
# gates access, so keep Plex Media Server up to date. Replies to these
# connections have to leave via wan, which the pbr 'Plex/Emby Local Server'
# src_port policy provides.
# NOTE(review): the quotes around the name are typographic (‘ ’) in this paste;
# UCI only accepts plain single quotes — confirm the real file uses '...'.
config redirect
	option dest 'lan'
	option target 'DNAT'
	option name ‘NAS NAME’
	list proto 'tcp'
	option src 'wan'
	option src_dport '32400'
	option dest_port '32400'
	option dest_ip '192.168.1.148'

# WireGuard tunnel zone: no inbound, no forwarding from the tunnel, masquerade
# lan addresses behind the tunnel address.
config zone
	option name 'vpn'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'wg0'
	option input 'REJECT'
	option masq '1'

# NOTE(review): this is the only forwarding out of lan. There is no lan -> wan
# forwarding and the wan zone's forward policy is REJECT, so a *new* connection
# from the NAS that pbr routes out of wan (e.g. to plex.tv:443 under the
# 'Plex/Emby Remote Servers' policy) is refused by the forward chain — which
# matches Plex logging that it cannot reach HTTPS (443). Inbound connections
# through the 32400 redirect are unaffected, since fw4 pairs a DNAT redirect
# with an accept for the forwarded traffic. If lan -> wan forwarding was left
# out on purpose as a VPN kill switch, keep it that way and add a narrow rule
# for the NAS only instead of a blanket forwarding, e.g.
#   config rule
#   	option name 'NAS-to-wan'
#   	option src 'lan'
#   	option src_ip '192.168.1.148'
#   	option dest 'wan'
#   	option target 'ACCEPT'
# so only the NAS may bypass the tunnel (and only where pbr sends it).
config forwarding
	option src 'lan'
	option dest 'vpn'

# pbr injects its routing marks (fwmark 0x10000/0x20000 seen in `ip rule`)
# through this fw4 include.
config include 'pbr'
	option fw4_compatible '1'
	option type 'script'
	option path '/usr/share/pbr/pbr.firewall.include'

DHCP:

# DHCP/DNS: dnsmasq serves the lan and hands out a fixed lease to the NAS.
config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	# refuse upstream answers that point at private addresses (DNS rebinding)
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	# upstream resolvers come from this file (populated from the interface dns lists)
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	# only answer DNS queries from directly attached subnets
	option localservice '1'
	option ednspacket_max '1232'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	option ra_slaac '1'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'
	option start '100'
	option limit '150'
	option leasetime '12h'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

# Static lease pinning the NAS to 192.168.1.148 (the address the Plex
# redirect and the pbr policies rely on).
# NOTE(review): UCI option names are case-sensitive and the host option is
# `mac` (lower case); as pasted, `Mac` would be ignored and the NAS would not
# be guaranteed this address — verify the real file, as this may be a paste artefact.
config host
	option Mac 'MAC ADDRESS'
	option ip '192.168.1.148'
	option leasetime 'infinite'

Network:


# Network: PPPoE wan, a bridged lan, and a WireGuard interface (wg0) whose peer
# carries the default route.
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd53:f1b3:b39a::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config device
	option name 'wan'
	option macaddr 'ea:9f:80:1a:04:10'

# NOTE(review): the redacted values below use typographic quotes and the
# password line has no closing quote in this paste; UCI needs plain, balanced
# single quotes — presumably a paste artefact, but confirm in the real file.
config interface 'wan'
	option device 'wan'
	option proto 'pppoe'
	option username ‘USERNAME’
	option password ‘PASSWORD
	option ipv6 'auto'
	# ignore the ISP-supplied resolvers; use the listed DNS servers instead
	option peerdns '0'
	list dns ‘DNS1’
	list dns ‘DNS2'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'
	option reqaddress 'try'
	option reqprefix 'auto'

# WireGuard client interface; the private key belongs here and only here.
config interface 'wg0'
	option proto 'wireguard'
	list addresses ‘ADDRESS’
	option peerdns '0'
	list dns ‘DNS 1’
	list dns ‘DNS2'
	option private_key ‘PRIVATE KEY’

# Surfshark UK peer. allowed_ips 0.0.0.0/0 together with route_allowed_ips
# installs the default route through the tunnel, which is why pbr is needed
# to steer the Plex traffic back out of wan.
# NOTE(review): private_key is not a peer-section option (a peer carries
# public_key / preshared_key); it is ignored here and only duplicates the
# secret in a second place — remove this line. The closing quote is also
# missing in the paste.
config wireguard_wg0
	option description 'UK'
	option public_key ‘PUBLIC KEY’
	list allowed_ips '0.0.0.0/0'
	option route_allowed_ips '1'
	option endpoint_port '51820'
	option private_key ‘PRIVATE KEY
	option endpoint_host ‘ENDPOINT HOST’

I struggled with source-port routing as well.
What worked for me was using `ip rule add sport`.

So, just as a long shot, what you can try from the CLI is:

ip rule add sport 8096  table pbr-wan
ip rule add sport 8920  table pbr-wan
ip rule add sport 32400 table pbr-wan

Check with: ip ru

Note that if you restart your network or reboot, these rules are gone, so you have to redo them.
If that works, we can discuss a persistent setting.

Thank you so much for your help, I just tried this and I am getting an error of:

Error: argument "pbr-wan" is wrong: invalid table ID

Usually the pbr package creates the table pbr-wan.

Can you do:
ip route show table all
ip ru

to show what you have.

Perfect, I did that and the table was pbr_wan, so I changed the rules and implemented them.

This is what I get now when I enter ip ru:

0:	from all lookup local
29997:	from all sport 32400 lookup pbr_wan
29998:	from all sport 8920 lookup pbr_wan
29999:	from all sport 8096 lookup pbr_wan
30000:	from all fwmark 0x10000/0xff0000 lookup pbr_wan
30001:	from all fwmark 0x20000/0xff0000 lookup pbr_wg0
32766:	from all lookup main
32767:	from all lookup default

Plex still isn't showing the NAS; it's driving me crazy, lol.

Well, too bad. This at least should always route the Plex port via the WAN.

But where the real problem lies I do not know :frowning:

Thanks so much for your help, I really appreciate it. I'm still not sure what the issue is; Plex is telling me in the logs that it cannot access HTTPS (443), and I'm really not sure what to look at next.

I do not use Plex, but for remote access you also need a port forward etc.; see: