I have a rule in pbr that's routing all of a device's traffic to a VPN. However, I want to also include a rule that allows for traffic to specific domains to go over my regular WAN interface. It seems that either the rule is ignored, and it's sent over the VPN interface anyway, OR the traffic simply times out.
config pbr 'config'
	option enabled '1'
	option verbosity '2'
	option strict_enforcement '1'
	option resolver_set 'none'
	list resolver_instance '*'
	option ipv6_enabled '0'
	list ignored_interface 'vpnserver'
	option boot_timeout '30'
	option rule_create_option 'add'
	option procd_boot_delay '0'
	option procd_reload_delay '1'
	option webui_show_ignore_target '0'
	option nft_file_mode '1'
	option nft_rule_counter '0'
	option nft_set_auto_merge '1'
	option nft_set_counter '0'
	option nft_set_flags_interval '1'
	option nft_set_flags_timeout '0'
	option nft_set_policy 'performance'
	list webui_supported_protocol 'all'
	list webui_supported_protocol 'tcp'
	list webui_supported_protocol 'udp'
	list webui_supported_protocol 'tcp udp'
	list webui_supported_protocol 'icmp'
	list supported_interface 'lan'

config include
	option path '/usr/share/pbr/pbr.user.aws'
	option enabled '0'

config include
	option path '/usr/share/pbr/pbr.user.netflix'
	option enabled '0'

config include
	option path '/usr/share/pbr/pbr.user.wg_server_and_client'
	option enabled '0'

config policy
	option name 'Forward Subtitle Indexers Through ISP'
	option dest_addr 'yifysubtitles.ch,api.opensubtitles.com,www.tvsubtitles.net'
	option interface 'wan'
	option src_addr '192.168.1.5'
	option chain 'output'

config policy
	option name 'Forward TorrentBox Through Mullvad'
	option src_addr '192.168.1.5'
	option interface 'mullvad_wg'
	option dest_addr '!api.opensubtitles.com'
This is my pbr config. As you can see, I also tried to see if I could use the '!' operator to exclude any traffic to api.opensubtitles.com within the rule that routes all of the device's traffic, and also a rule above it that should send all traffic from that device going to those hostnames over the wan interface instead. But neither of these seem to work...
Either I get these results, clearly showing the data still going through Mullvad (10.64.0.1 is mullvad_wg's gateway), or the only other result I get is just pure timeouts.
traceroute to api.opensubtitles.com (172.67.217.148), 30 hops max, 60 byte packets
1 OpenWrt.lan (192.168.1.1) 0.582 ms 4.577 ms 4.562 ms
2 10.64.0.1 (10.64.0.1) 33.305 ms 33.423 ms 33.596 ms
3 unn-138-199-43-126.datapacket.com (138.199.43.126) 34.510 ms 35.370 ms 35.420 ms
4 six1.as13335.com (206.81.81.10) 39.294 ms * *
5 108.162.243.29 (108.162.243.29) 37.362 ms 108.162.243.39 (108.162.243.39) 39.301 ms 108.162.243.49 (108.162.243.49) 59.523 ms
6 172.67.217.148 (172.67.217.148) 35.554 ms 32.508 ms 32.623 ms
I tried playing around with the routing chain spot, putting it in postrouting, forward, and output thinking maybe that would help, but that was really a shot in the dark so here I am to ask for help.
Shoot, I forgot that I had added a firewall rule...
config rule
	option name 'Restrict Torrentbox'
	option src 'lan'
	list src_mac '08:00:27:1C:16:41'
	option dest 'wan'
	option target 'DROP'
	list proto 'all'
	option enabled '0'
So that's what was blocking it. Working now with that disabled.
However, I added that rule because pbr was frequently stopping, and not restarting, which made its killswitch not work. I have not had that problem for a while, but I'm still a little hesitant to delete this rule because it's the only thing stopping the device from just connecting through WAN if pbr stops again for some reason in the future. Kind of a fail-safe killswitch.
But as m95d pointed out, I don't think I can use hosts in the normal traffic rules? So I couldn't modify that rule to not count traffic destined for those hosts like I can with pbr, so not sure how to maintain this rule and also make this work.
Okay, is that because of the limitation referenced in this post (How to use nftset with dnsmasq? - #16 by VA1DER) where it's said the IPs won't be added to the set unless dnsmasq is sent a query to resolve them? So I would have to run nslookup on the domains I wanted first?
Just making sure. These "sets" are a totally new concept to me.
Following the guide I referred to had me a little confused too, because it doesn't show the firewall rule that it suggests one make. Well, it shows how to make a firewall zone, but I'm interested in creating a rule for a single device. But I'm guessing that the IP set can then be referred to in a firewall rule by dereferencing its name with an '@' first? So for example if I created the ipset "subtitle_sites" I should be able to write a rule such as....
config rule
	option name 'Allow TorrentBox to reach subtitle_sites through WAN'
	option src 'lan'
	list src_mac '08:00:27:1C:16:41'
	option dst_ip '@subtitle_sites'
	option dest 'wan'
	option target 'ACCEPT'
	list proto 'all'
	option enabled '0'
Or will this not work with the OpenWrt config files? I am wondering if I might need to use nft itself?
Something like...
nft insert rule inet fw4 192.168.1.5 ip daddr @subtitle_sites accept
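The question above is whether a domain-based set only gets populated once dnsmasq has answered a query for the domain. The script below is an added example (not from this thread or from the pbr/fw4 projects) that makes that verifiable: it parses the output of `nft list set inet fw4 <name>`, compares it against the addresses a resolver returned, and reports anything missing. The set name `subtitle_sites`, the domains, and the BusyBox `nslookup` output format are assumptions; the set dump in the test is constructed.

```shell
#!/bin/sh
# Added example: check that dnsmasq has actually pushed a domain's addresses into
# the fw4 set a firewall rule refers to. Set name and domains are assumptions.
SET_NAME="${SET_NAME:-subtitle_sites}"

# Read `nft list set inet fw4 <name>` text on stdin and print one element per
# line. The elements block may be wrapped over several lines, so flatten first.
set_elements() {
    tr '\n' ' ' | sed -n 's/.*elements = {\([^}]*\)}.*/\1/p' \
        | tr ',' '\n' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | grep -v '^$'
}

# $1: space-separated addresses the resolver returned; stdin: nft set dump.
# Prints the addresses that are NOT in the set; returns 0 only if none are missing.
addrs_missing_from_set() {
    _elems=$(set_elements) || true      # an empty set prints nothing
    _missing=""
    for _a in $1; do
        printf '%s\n' "$_elems" | grep -qxF "$_a" || _missing="$_missing $_a"
    done
    _missing=${_missing# }
    [ -n "$_missing" ] && printf '%s\n' "$_missing"
    [ -z "$_missing" ]
}

# Live check on the router (needs nslookup and nft): resolve each domain through
# the local dnsmasq so it gets the chance to populate the set, then confirm the
# answers are in it. Assumes BusyBox nslookup, whose answer lines follow "Name:".
verify_live_set() {
    _rc=0
    for _d in "$@"; do
        _addrs=$(nslookup "$_d" 127.0.0.1 \
            | awk '/^Name:/ {f=1} f && /^Address/ {print $2}' | tr '\n' ' ')
        printf 'checking %s -> %s\n' "$_d" "$_addrs"
        if nft list set inet fw4 "$SET_NAME" | addrs_missing_from_set "$_addrs"; then
            printf 'all addresses of %s are in @%s\n' "$_d" "$SET_NAME"
        else
            printf 'MISSING from @%s (listed above) for %s\n' "$SET_NAME" "$_d"
            _rc=1
        fi
    done
    return $_rc
}

# Run on the router as: sh thisscript.sh --live
if [ "${1:-}" = "--live" ]; then
    verify_live_set api.opensubtitles.com www.tvsubtitles.net yifysubtitles.ch
fi
```

A non-zero exit from `verify_live_set` after the lookups means a rule matching `@subtitle_sites` cannot have matched that traffic yet, which is the symptom worth ruling out before blaming the rule itself.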