I'm currently trying to reach the domain www.wieistmeineip.de with a different IP. But it always remains my standard IP. Does anyone know what I'm doing wrong?
The IP should actually be an NL IP. The tunnel works.
First of all, you need a recent PBR version, 1.1.8-r10 or higher. If you do not have it, I recommend upgrading; see:
If you are using nftset for resolving the domains then it will only work if your client uses DNSMasq for resolving the address.
Furthermore DNS is cached so either flush DNS on router and client or reboot both router and client.
Oh, and I recommend using ipleak.net, which also tracks DNS.
If that does not help we need to see your configs and need to know how DNS resolution is implemented on your router and what kind of VPN you are using.
And that's one of the reason why video is the worst of all educational material.
With text, you could easily look up such a detail.
/unrelatedrant
Neither can I, and it is not important what he is using but what you are using.
Did you reboot the router and client already?
Are you using PBR build 1.1.8-r10 or higher?
Did you check that the clients you are using are not using private DNS?
Otherwise it might help if you show us your configs. Please connect to your OpenWrt device using ssh, copy the output of the following commands and post it here using the "Preformatted text </>" button.
Remember to redact keys, passwords, MAC addresses and any public IP addresses you may have:
ubus call system board
cat /etc/config/network
cat /etc/config/dhcp
cat /etc/config/firewall
ip route show
ip -6 route show
ip route show table all
cat /etc/config/pbr
service pbr reload
service pbr status
# for ipset/nftset reboot and after reboot contact the domains first before getting output of the following items:
nft list ruleset
cat /tmp/dnsmasq.d/pbr
ls -d /tmp/dns*
cat $(ls -d /tmp/dns*)/pbr
Yes, of course.
Version 1.1.8-r16 - Running (fw4 nft file mode).
search lan
nameserver 192.168.10.1
root@HTMGateWay:~# ubus call system board
{
"kernel": "6.6.73",
"hostname": "HTMGateWay",
"system": "ARMv7 Processor rev 5 (v7l)",
"model": "AVM FRITZ!Box 7530",
"board_name": "avm,fritzbox-7530",
"rootfs_type": "squashfs",
"release": {
"distribution": "OpenWrt",
"version": "24.10.0",
"revision": "r28427-6df0e3d02a",
"target": "ipq40xx/generic",
"description": "OpenWrt 24.10.0 r28427-6df0e3d02a",
"builddate": "1738624177"
}
}
root@HTMGateWay:~# cat /etc/config/network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option packet_steering '1'
config atm-bridge 'atm'
option vpi '1'
option vci '32'
option encaps 'llc'
option payload 'bridged'
option nameprefix 'dsl'
config dsl 'dsl'
option annex 'j'
option ds_snr_offset '-30'
option tone 'bv'
config device
option name 'br-lan'
option type 'bridge'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
list ports 'lan4'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '192.168.10.1'
option netmask '255.255.255.0'
option delegate '0'
list dns '1.1.1.1'
list dns '1.0.0.1'
config device
option name 'dsl0'
option macaddr '3C:37:12:7B:5F:B3'
config interface 'wan'
option device 'dsl0'
option proto 'pppoe'
option username ''
option password ''
option ipv6 '0'
config interface 'HTMGuest'
option proto 'static'
option ipaddr '192.168.11.1'
option netmask '255.255.255.0'
config interface 'PVPN_NL'
option proto 'wireguard'
option private_key '***'
list addresses '10.2.0.2/32'
list dns '10.2.0.1'
config wireguard_PVPN_NL
option description 'Imported peer configuration'
option public_key '***'
list allowed_ips '0.0.0.0/0'
option endpoint_host '185.183.33.219'
option endpoint_port '51820'
option route_allowed_ips '1'
config interface 'MLVAD_CH'
option proto 'wireguard'
option private_key '***'
list dns '10.64.0.1'
list addresses '10.67.244.31/32'
option auto '0'
config wireguard_MLVAD_CH
option description 'Imported peer configuration'
option public_key '***'
list allowed_ips '0.0.0.0/0'
list allowed_ips '::0/0'
option endpoint_host '146.70.134.98'
option endpoint_port '51820'
option route_allowed_ips '1'
config interface 'IPVAN_CH'
option proto 'wireguard'
option private_key '***'
list addresses '100.96.9.152/32'
list dns '198.18.0.1'
list dns '198.18.0.2'
config wireguard_IPVAN_CH
option description 'Imported peer configuration'
option public_key '***'
list allowed_ips '0.0.0.0/0'
option endpoint_host '216.131.108.26'
option endpoint_port '51820'
option route_allowed_ips '1'
root@HTMGateWay:~# cat /etc/config/dhcp
config dnsmasq
option domainneeded '1'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option cachesize '1000'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
option localservice '1'
option ednspacket_max '1232'
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv4 'server'
option dhcpv6 'server'
option ra 'server'
list ra_flags 'managed-config'
list ra_flags 'other-config'
option force '1'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
config host
option name 'HTM-Flur-Ruedi'
option ip '192.168.10.2'
list mac 'F4:B5:20:15:0C:6B'
config host
option name 'TobiAcerWohnen'
list mac '0C:84:DC:02:EC:35'
option ip '192.168.10.3'
config host
option name 'Nettop-Wohnen'
list mac 'F4:96:34:CB:E0:8A'
option ip '192.168.10.4'
config host
option name 'HPOfficeJet8010'
list mac '48:9E:BD:AC:B2:35'
option ip '192.168.10.5'
config host
option name 'GT-I9505'
list mac '40:0E:85:38:C4:17'
option ip '192.168.10.6'
config host
option name 'pi3schlafen'
list mac 'B8:27:EB:E4:28:D6'
option ip '192.168.10.7'
config host
option name 'pi1essen'
list mac 'A0:47:D7:20:47:56'
option ip '192.168.10.8'
config host
option name 'Alexa'
list mac 'AC:41:6A:56:8C:30'
option ip '192.168.10.9'
config host
option ip '192.168.10.10'
list mac 'D4:24:DD:D5:1B:90'
option name 'FileSyncServer'
config host
option name 'WAPExtender1'
list mac 'B4:75:0E:89:2F:35'
option ip '192.168.10.11'
config dhcp 'HTMGuest'
option interface 'HTMGuest'
option start '100'
option limit '150'
option leasetime '12h'
config host
option name 'pi1keller'
list mac '04:0C:73:A0:EA:18'
option ip '192.168.10.12'
config host
option name 'UncleTomKeller'
list mac '3C:D9:2B:72:81:93'
option ip '192.168.10.13'
config host
option name 'HTM-Lenovo-Ruedi'
list mac 'B0:FC:36:BA:F0:AB'
option ip '192.168.10.14'
root@HTMGateWay:~# ip route show
default dev IPVAN_CH proto static scope link
185.183.33.219 via 212.37.63.165 dev pppoe-wan proto static
192.168.10.0/24 dev br-lan proto kernel scope link src 192.168.10.1
192.168.11.0/24 dev phy0-ap1 proto kernel scope link src 192.168.11.1
212.37.63.165 dev pppoe-wan proto kernel scope link src 88.208.136.235
216.131.108.26 via 212.37.63.165 dev pppoe-wan proto static
root@HTMGateWay:~# ip route show table all
default via 212.37.63.165 dev pppoe-wan table pbr_wan
192.168.10.0/24 dev br-lan table pbr_wan proto kernel scope link src 192.168.10.1
192.168.11.0/24 dev phy0-ap1 table pbr_wan proto kernel scope link src 192.168.11.1
default via 10.2.0.2 dev PVPN_NL table pbr_PVPN_NL
unreachable default table pbr_MLVAD_CH
192.168.10.0/24 dev br-lan table pbr_MLVAD_CH proto kernel scope link src 192.168.10.1
192.168.11.0/24 dev phy0-ap1 table pbr_MLVAD_CH proto kernel scope link src 192.168.11.1
default via 100.96.9.152 dev IPVAN_CH table pbr_IPVAN_CH
default dev IPVAN_CH proto static scope link
185.183.33.219 via 212.37.63.165 dev pppoe-wan proto static
192.168.10.0/24 dev br-lan proto kernel scope link src 192.168.10.1
192.168.11.0/24 dev phy0-ap1 proto kernel scope link src 192.168.11.1
212.37.63.165 dev pppoe-wan proto kernel scope link src 88.208.136.235
216.131.108.26 via 212.37.63.165 dev pppoe-wan proto static
local 10.2.0.2 dev PVPN_NL table local proto kernel scope host src 10.2.0.2
local 88.208.136.235 dev pppoe-wan table local proto kernel scope host src 88.208.136.235
local 100.96.9.152 dev IPVAN_CH table local proto kernel scope host src 100.96.9.152
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
local 192.168.10.1 dev br-lan table local proto kernel scope host src 192.168.10.1
broadcast 192.168.10.255 dev br-lan table local proto kernel scope link src 192.168.10.1
local 192.168.11.1 dev phy0-ap1 table local proto kernel scope host src 192.168.11.1
broadcast 192.168.11.255 dev phy0-ap1 table local proto kernel scope link src 192.168.11.1
fe80::/64 dev eth0 proto kernel metric 256 pref medium
local ::1 dev lo table local proto kernel metric 0 pref medium
anycast fe80:: dev eth0 table local proto kernel metric 0 pref medium
local fe80::3e37:12ff:fe7b:5fb6 dev eth0 table local proto kernel metric 0 pref medium
multicast ff00::/8 dev eth0 table local proto kernel metric 256 pref medium
multicast ff00::/8 dev PVPN_NL table local proto kernel metric 256 pref medium
multicast ff00::/8 dev IPVAN_CH table local proto kernel metric 256 pref medium
root@HTMGateWay:~# cat /etc/config/pbr
config pbr 'config'
option enabled '1'
option verbosity '2'
option strict_enforcement '1'
option resolver_set 'dnsmasq.nftset'
list resolver_instance '*'
option ipv6_enabled '0'
list ignored_interface 'vpnserver'
option boot_timeout '30'
option rule_create_option 'add'
option procd_reload_delay '1'
option webui_show_ignore_target '0'
option nft_rule_counter '0'
option nft_set_auto_merge '1'
option nft_set_counter '0'
option nft_set_flags_interval '1'
option nft_set_flags_timeout '0'
option nft_set_policy 'performance'
list webui_supported_protocol 'all'
list webui_supported_protocol 'tcp'
list webui_supported_protocol 'udp'
list webui_supported_protocol 'tcp udp'
list webui_supported_protocol 'icmp'
config include
option path '/usr/share/pbr/pbr.user.aws'
option enabled '0'
config include
option path '/usr/share/pbr/pbr.user.netflix'
option enabled '0'
config dns_policy
option name 'Redirect Local IP DNS'
option src_addr '192.168.10.0/24'
option dest_dns '1.1.1.1'
option enabled '0'
config policy
option name 'Ignore Local Requests'
option interface 'ignore'
option dest_addr '10.0.0.0/24 10.0.1.0/24 192.168.100.0/24 192.168.1.0/24'
option enabled '0'
config policy
option name 'Plex/Emby Local Server'
option interface 'wan'
option src_port '8096 8920 32400'
option enabled '0'
config policy
option name 'Plex/Emby Remote Servers'
option interface 'wan'
option dest_addr 'plex.tv my.plexapp.com emby.media app.emby.media tv.emby.media'
option enabled '0'
config policy
option name 'HTM'
option src_addr '192.168.10.0/24'
option interface 'IPVAN_CH'
config policy
option name 'HTMGuest'
option interface 'PVPN_NL'
option src_addr '192.168.11.0/24'
config policy
option name 'WagasWorld'
option dest_addr 'wieistmeineip.de'
option interface 'PVPN_NL'
root@HTMGateWay:~# service pbr reload
Using uplink interface (on_start): wan [β]
Found uplink gateway (on_start): 212.37.63.165 [β]
Setting up routing for 'wan/pppoe-wan/212.37.63.165' [β]
Setting up routing for 'PVPN_NL/10.2.0.2' [β]
Setting up routing for 'MLVAD_CH/0.0.0.0' [β]
Setting up routing for 'IPVAN_CH/100.96.9.152' [β]
Routing 'HTM' via IPVAN_CH [β]
Routing 'HTMGuest' via PVPN_NL [β]
Routing 'WagasWorld' via PVPN_NL [β]
Installing fw4 nft file [β]
Restarting dnsmasq [β]
Setting interface trigger for wan [β]
Setting interface trigger for PVPN_NL [β]
Setting interface trigger for MLVAD_CH [β]
Setting interface trigger for IPVAN_CH [β]
pbr 1.1.8-r16 monitoring interfaces: wan PVPN_NL MLVAD_CH IPVAN_CH
pbr 1.1.8-r16 (fw4 nft file mode) started with gateways:
wan/pppoe-wan/*******
PVPN_NL/10.2.0.2
MLVAD_CH/0.0.0.0
IPVAN_CH/100.96.9.152 [β]
root@HTMGateWay:~#
root@HTMGateWay:~# service pbr status
pbr - environment
pbr 1.1.8-r16 running on OpenWrt 24.10.0.
Dnsmasq version 2.90 Copyright (c) 2000-2024 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus UBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP conntrack no-ipset nftset auth cryptohash DNSSEC no-ID loop-detect inotify dumpfile
pbr fw4 nft file: /usr/share/nftables.d/ruleset-post/30-pbr.nft
add chain inet fw4 pbr_mark_0x010000
add rule inet fw4 pbr_mark_0x010000 mark set mark and 0xff00ffff xor 0x010000
add rule inet fw4 pbr_mark_0x010000 return
add chain inet fw4 pbr_mark_0x020000
add rule inet fw4 pbr_mark_0x020000 mark set mark and 0xff00ffff xor 0x020000
add rule inet fw4 pbr_mark_0x020000 return
add chain inet fw4 pbr_mark_0x030000
add rule inet fw4 pbr_mark_0x030000 mark set mark and 0xff00ffff xor 0x030000
add rule inet fw4 pbr_mark_0x030000 return
add chain inet fw4 pbr_mark_0x040000
add rule inet fw4 pbr_mark_0x040000 mark set mark and 0xff00ffff xor 0x040000
add rule inet fw4 pbr_mark_0x040000 return
add rule inet fw4 pbr_prerouting ip saddr { 192.168.10.0/24 } goto pbr_mark_0x040000 comment "HTM"
add rule inet fw4 pbr_prerouting ip saddr { 192.168.11.0/24 } goto pbr_mark_0x020000 comment "HTMGuest"
add set inet fw4 pbr_PVPN_NL_4_dst_ip_cfg0a6ff5 { type ipv4_addr; auto-merge; flags interval; policy performance; comment "WagasWorld";}
add rule inet fw4 pbr_prerouting ip daddr @pbr_PVPN_NL_4_dst_ip_cfg0a6ff5 goto pbr_mark_0x020000 comment "WagasWorld"
pbr chains - policies
chain pbr_forward { # handle 55
}
chain pbr_input { # handle 56
}
chain pbr_output { # handle 57
}
chain pbr_postrouting { # handle 59
}
chain pbr_prerouting { # handle 58
ip saddr 192.168.10.0/24 goto pbr_mark_0x040000 comment "HTM" # handle 938
ip saddr 192.168.11.0/24 goto pbr_mark_0x020000 comment "HTMGuest" # handle 939
ip daddr @pbr_PVPN_NL_4_dst_ip_cfg0a6ff5 goto pbr_mark_0x020000 comment "WagasWorld" # handle 941
}
chain pbr_dstnat { # handle 54
}
pbr chains - marking
chain pbr_mark_0x010000 { # handle 926
meta mark set meta mark & 0xff01ffff | 0x00010000 # handle 927
return # handle 928
}
chain pbr_mark_0x020000 { # handle 929
meta mark set meta mark & 0xff02ffff | 0x00020000 # handle 930
return # handle 931
}
chain pbr_mark_0x030000 { # handle 932
meta mark set meta mark & 0xff03ffff | 0x00030000 # handle 933
return # handle 934
}
chain pbr_mark_0x040000 { # handle 935
meta mark set meta mark & 0xff04ffff | 0x00040000 # handle 936
return # handle 937
}
pbr nft sets
set pbr_PVPN_NL_4_dst_ip_cfg0a6ff5 { # handle 940
type ipv4_addr
flags interval
auto-merge
comment "WagasWorld"
}
dnsmasq sets
nftset=/wagasworld.com/4#inet#fw4#pbr_PVPN_NL_4_dst_ip_cfg0a6ff5 # WagasWorld
pbr tables & routing
IPv4 table 256 pbr_wan route:
default via *** dev pppoe-wan
IPv4 table 256 pbr_wan rule(s):
30000: from all fwmark 0x10000/0xff0000 lookup pbr_wan
IPv4 table 257 pbr_PVPN_NL route:
default via 10.2.0.2 dev PVPN_NL
IPv4 table 257 pbr_PVPN_NL rule(s):
29998: from all fwmark 0x20000/0xff0000 lookup pbr_PVPN_NL
IPv4 table 258 pbr_MLVAD_CH route:
unreachable default
IPv4 table 258 pbr_MLVAD_CH rule(s):
29996: from all fwmark 0x30000/0xff0000 lookup pbr_MLVAD_CH
IPv4 table 259 pbr_IPVAN_CH route:
default via 100.96.9.152 dev IPVAN_CH
IPv4 table 259 pbr_IPVAN_CH rule(s):
29994: from all fwmark 0x40000/0xff0000 lookup pbr_IPVAN_CH
root@HTMGateWay:~# nft list ruleset
table inet fw4 {
set pbr_PVPN_NL_4_dst_ip_cfg0a6ff5 {
type ipv4_addr
flags interval
auto-merge
comment "WagasWorld"
}
chain input {
type filter hook input priority filter; policy drop;
iif "lo" accept comment "!fw4: Accept traffic from loopback"
ct state vmap { invalid : drop, established : accept, related : accept } comment "!fw4: Handle inbound flows"
tcp flags & (fin | syn | rst | ack) == syn jump syn_flood comment "!fw4: Rate limit TCP syn packets"
iifname "br-lan" jump input_lan comment "!fw4: Handle lan IPv4/IPv6 input traffic"
iifname "pppoe-wan" jump input_wan comment "!fw4: Handle wan IPv4/IPv6 input traffic"
iifname "phy0-ap1" jump input_HTMGuest comment "!fw4: Handle HTMGuest IPv4/IPv6 input traffic"
iifname "PVPN_NL" jump input_PVPN_NL comment "!fw4: Handle PVPN_NL IPv4/IPv6 input traffic"
iifname "IPVAN_CH" jump input_IPVAN_CH comment "!fw4: Handle IPVAN_CH IPv4/IPv6 input traffic"
jump handle_reject
}
chain forward {
type filter hook forward priority filter; policy drop;
ct state vmap { invalid : drop, established : accept, related : accept } comment "!fw4: Handle forwarded flows"
iifname "br-lan" jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic"
iifname "pppoe-wan" jump forward_wan comment "!fw4: Handle wan IPv4/IPv6 forward traffic"
iifname "phy0-ap1" jump forward_HTMGuest comment "!fw4: Handle HTMGuest IPv4/IPv6 forward traffic"
iifname "PVPN_NL" jump forward_PVPN_NL comment "!fw4: Handle PVPN_NL IPv4/IPv6 forward traffic"
iifname "IPVAN_CH" jump forward_IPVAN_CH comment "!fw4: Handle IPVAN_CH IPv4/IPv6 forward traffic"
jump handle_reject
}
chain output {
type filter hook output priority filter; policy accept;
oif "lo" accept comment "!fw4: Accept traffic towards loopback"
ct state vmap { invalid : drop, established : accept, related : accept } comment "!fw4: Handle outbound flows"
oifname "br-lan" jump output_lan comment "!fw4: Handle lan IPv4/IPv6 output traffic"
oifname "pppoe-wan" jump output_wan comment "!fw4: Handle wan IPv4/IPv6 output traffic"
oifname "phy0-ap1" jump output_HTMGuest comment "!fw4: Handle HTMGuest IPv4/IPv6 output traffic"
oifname "PVPN_NL" jump output_PVPN_NL comment "!fw4: Handle PVPN_NL IPv4/IPv6 output traffic"
oifname "IPVAN_CH" jump output_IPVAN_CH comment "!fw4: Handle IPVAN_CH IPv4/IPv6 output traffic"
}
chain prerouting {
type filter hook prerouting priority filter; policy accept;
iifname "br-lan" jump helper_lan comment "!fw4: Handle lan IPv4/IPv6 helper assignment"
iifname "phy0-ap1" jump helper_HTMGuest comment "!fw4: Handle HTMGuest IPv4/IPv6 helper assignment"
}
chain handle_reject {
meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic"
reject comment "!fw4: Reject any other traffic"
}
chain syn_flood {
limit rate 25/second burst 50 packets return comment "!fw4: Accept SYN packets below rate-limit"
drop comment "!fw4: Drop excess packets"
}
chain input_lan {
jump accept_from_lan
}
chain output_lan {
jump accept_to_lan
}
chain forward_lan {
jump accept_to_wan comment "!fw4: Accept lan to wan forwarding"
jump accept_to_MLVAD_CH comment "!fw4: Accept lan to MLVAD_CH forwarding"
jump accept_to_PVPN_NL comment "!fw4: Accept lan to PVPN_NL forwarding"
jump accept_to_IPVAN_CH comment "!fw4: Accept lan to IPVAN_CH forwarding"
jump accept_to_lan
}
chain helper_lan {
}
chain accept_from_lan {
iifname "br-lan" counter packets 11 bytes 2242 accept comment "!fw4: accept lan IPv4/IPv6 traffic"
}
chain accept_to_lan {
oifname "br-lan" counter packets 0 bytes 0 accept comment "!fw4: accept lan IPv4/IPv6 traffic"
}
chain input_wan {
meta nfproto ipv4 udp dport 68 counter packets 0 bytes 0 accept comment "!fw4: Allow-DHCP-Renew"
icmp type echo-request counter packets 0 bytes 0 accept comment "!fw4: Allow-Ping"
meta nfproto ipv4 meta l4proto igmp counter packets 0 bytes 0 accept comment "!fw4: Allow-IGMP"
meta nfproto ipv6 udp dport 546 counter packets 0 bytes 0 accept comment "!fw4: Allow-DHCPv6"
ip6 saddr fe80::/10 icmpv6 type . icmpv6 code { mld-listener-query . 0, mld-listener-report . 0, mld-listener-done . 0, mld2-listener-report . 0 } counter packets 0 bytes 0 accept comment "!fw4: Allow-MLD"
icmpv6 type { destination-unreachable, time-exceeded, echo-request, echo-reply, nd-router-solicit, nd-router-advert } limit rate 1000/second burst 5 packets counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Input"
icmpv6 type . icmpv6 code { packet-too-big . 0, parameter-problem . 0, nd-neighbor-solicit . 0, nd-neighbor-advert . 0, parameter-problem . 1 } limit rate 1000/second burst 5 packets counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Input"
jump reject_from_wan
}
chain output_wan {
jump accept_to_wan
}
chain forward_wan {
icmpv6 type { destination-unreachable, time-exceeded, echo-request, echo-reply } limit rate 1000/second burst 5 packets counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Forward"
icmpv6 type . icmpv6 code { packet-too-big . 0, parameter-problem . 0, parameter-problem . 1 } limit rate 1000/second burst 5 packets counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Forward"
meta l4proto esp counter packets 0 bytes 0 jump accept_to_lan comment "!fw4: Allow-IPSec-ESP"
udp dport 500 counter packets 0 bytes 0 jump accept_to_lan comment "!fw4: Allow-ISAKMP"
jump reject_to_wan
}
chain accept_to_wan {
oifname "pppoe-wan" counter packets 0 bytes 0 accept comment "!fw4: accept wan IPv4/IPv6 traffic"
}
chain reject_from_wan {
iifname "pppoe-wan" counter packets 20 bytes 856 jump handle_reject comment "!fw4: reject wan IPv4/IPv6 traffic"
}
chain reject_to_wan {
oifname "pppoe-wan" counter packets 0 bytes 0 jump handle_reject comment "!fw4: reject wan IPv4/IPv6 traffic"
}
chain input_HTMGuest {
tcp dport { 53, 67, 68 } counter packets 0 bytes 0 accept comment "!fw4: HTMGuest DNS and DHCP"
udp dport { 53, 67, 68 } counter packets 0 bytes 0 accept comment "!fw4: HTMGuest DNS and DHCP"
jump reject_from_HTMGuest
}
chain output_HTMGuest {
jump accept_to_HTMGuest
}
chain forward_HTMGuest {
jump accept_to_wan comment "!fw4: Accept HTMGuest to wan forwarding"
jump accept_to_MLVAD_CH comment "!fw4: Accept HTMGuest to MLVAD_CH forwarding"
jump accept_to_PVPN_NL comment "!fw4: Accept HTMGuest to PVPN_NL forwarding"
jump accept_to_IPVAN_CH comment "!fw4: Accept HTMGuest to IPVAN_CH forwarding"
jump reject_to_HTMGuest
}
chain helper_HTMGuest {
}
chain accept_to_HTMGuest {
oifname "phy0-ap1" counter packets 0 bytes 0 accept comment "!fw4: accept HTMGuest IPv4/IPv6 traffic"
}
chain reject_from_HTMGuest {
iifname "phy0-ap1" counter packets 0 bytes 0 jump handle_reject comment "!fw4: reject HTMGuest IPv4/IPv6 traffic"
}
chain reject_to_HTMGuest {
oifname "phy0-ap1" counter packets 0 bytes 0 jump handle_reject comment "!fw4: reject HTMGuest IPv4/IPv6 traffic"
}
chain input_MLVAD_CH {
jump reject_from_MLVAD_CH
}
chain output_MLVAD_CH {
jump accept_to_MLVAD_CH
}
chain forward_MLVAD_CH {
jump accept_to_MLVAD_CH
}
chain accept_to_MLVAD_CH {
}
chain reject_from_MLVAD_CH {
}
chain input_PVPN_NL {
jump reject_from_PVPN_NL
}
chain output_PVPN_NL {
jump accept_to_PVPN_NL
}
chain forward_PVPN_NL {
jump accept_to_PVPN_NL
}
chain accept_to_PVPN_NL {
oifname "PVPN_NL" counter packets 0 bytes 0 accept comment "!fw4: accept PVPN_NL IPv4/IPv6 traffic"
}
chain reject_from_PVPN_NL {
iifname "PVPN_NL" counter packets 0 bytes 0 jump handle_reject comment "!fw4: reject PVPN_NL IPv4/IPv6 traffic"
}
chain input_IPVAN_CH {
jump reject_from_IPVAN_CH
}
chain output_IPVAN_CH {
jump accept_to_IPVAN_CH
}
chain forward_IPVAN_CH {
jump accept_to_IPVAN_CH
}
chain accept_to_IPVAN_CH {
oifname "IPVAN_CH" counter packets 41 bytes 2636 accept comment "!fw4: accept IPVAN_CH IPv4/IPv6 traffic"
}
chain reject_from_IPVAN_CH {
iifname "IPVAN_CH" counter packets 0 bytes 0 jump handle_reject comment "!fw4: reject IPVAN_CH IPv4/IPv6 traffic"
}
chain dstnat {
type nat hook prerouting priority dstnat; policy accept;
jump pbr_dstnat comment "Jump into pbr dstnat chain"
}
chain srcnat {
type nat hook postrouting priority srcnat; policy accept;
oifname "pppoe-wan" jump srcnat_wan comment "!fw4: Handle wan IPv4/IPv6 srcnat traffic"
oifname "PVPN_NL" jump srcnat_PVPN_NL comment "!fw4: Handle PVPN_NL IPv4/IPv6 srcnat traffic"
oifname "IPVAN_CH" jump srcnat_IPVAN_CH comment "!fw4: Handle IPVAN_CH IPv4/IPv6 srcnat traffic"
}
chain srcnat_wan {
meta nfproto ipv4 masquerade comment "!fw4: Masquerade IPv4 wan traffic"
}
chain srcnat_MLVAD_CH {
meta nfproto ipv4 masquerade comment "!fw4: Masquerade IPv4 MLVAD_CH traffic"
}
chain srcnat_PVPN_NL {
meta nfproto ipv4 masquerade comment "!fw4: Masquerade IPv4 PVPN_NL traffic"
}
chain srcnat_IPVAN_CH {
meta nfproto ipv4 masquerade comment "!fw4: Masquerade IPv4 IPVAN_CH traffic"
}
chain raw_prerouting {
type filter hook prerouting priority raw; policy accept;
}
chain raw_output {
type filter hook output priority raw; policy accept;
}
chain mangle_prerouting {
type filter hook prerouting priority mangle; policy accept;
jump pbr_prerouting comment "Jump into pbr prerouting chain"
}
chain mangle_postrouting {
type filter hook postrouting priority mangle; policy accept;
oifname "pppoe-wan" tcp flags & (fin | syn | rst) == syn tcp option maxseg size set rt mtu comment "!fw4: Zone wan IPv4/IPv6 egress MTU fixing"
oifname "PVPN_NL" tcp flags & (fin | syn | rst) == syn tcp option maxseg size set rt mtu comment "!fw4: Zone PVPN_NL IPv4/IPv6 egress MTU fixing"
oifname "IPVAN_CH" tcp flags & (fin | syn | rst) == syn tcp option maxseg size set rt mtu comment "!fw4: Zone IPVAN_CH IPv4/IPv6 egress MTU fixing"
jump pbr_postrouting comment "Jump into pbr postrouting chain"
}
chain mangle_input {
type filter hook input priority mangle; policy accept;
jump pbr_input comment "Jump into pbr input chain"
}
chain mangle_output {
type route hook output priority mangle; policy accept;
jump pbr_output comment "Jump into pbr output chain"
}
chain mangle_forward {
type filter hook forward priority mangle; policy accept;
iifname "pppoe-wan" tcp flags & (fin | syn | rst) == syn tcp option maxseg size set rt mtu comment "!fw4: Zone wan IPv4/IPv6 ingress MTU fixing"
iifname "PVPN_NL" tcp flags & (fin | syn | rst) == syn tcp option maxseg size set rt mtu comment "!fw4: Zone PVPN_NL IPv4/IPv6 ingress MTU fixing"
iifname "IPVAN_CH" tcp flags & (fin | syn | rst) == syn tcp option maxseg size set rt mtu comment "!fw4: Zone IPVAN_CH IPv4/IPv6 ingress MTU fixing"
jump pbr_forward comment "Jump into pbr forward chain"
}
chain pbr_dstnat {
}
chain pbr_forward {
}
chain pbr_input {
}
chain pbr_output {
}
chain pbr_prerouting {
ip saddr 192.168.10.0/24 goto pbr_mark_0x040000 comment "HTM"
ip saddr 192.168.11.0/24 goto pbr_mark_0x020000 comment "HTMGuest"
ip daddr @pbr_PVPN_NL_4_dst_ip_cfg0a6ff5 goto pbr_mark_0x020000 comment "WagasWorld"
}
chain pbr_postrouting {
}
chain pbr_mark_0x010000 {
meta mark set meta mark & 0xff01ffff | 0x00010000
return
}
chain pbr_mark_0x020000 {
meta mark set meta mark & 0xff02ffff | 0x00020000
return
}
chain pbr_mark_0x030000 {
meta mark set meta mark & 0xff03ffff | 0x00030000
return
}
chain pbr_mark_0x040000 {
meta mark set meta mark & 0xff04ffff | 0x00040000
return
}
}
root@HTMGateWay:~# cat /tmp/dnsmasq.d/pbr
cat: can't open '/tmp/dnsmasq.d/pbr': No such file or directory
root@HTMGateWay:~# ls -d /tmp/dns*
/tmp/dnsmasq.cfg01411c.d
root@HTMGateWay:~# cat $(ls -d /tmp/dns*)/pbr
nftset=/wagasworld.com/4#inet#fw4#pbr_PVPN_NL_4_dst_ip_cfg0a6ff5 # WagasWorld
Do I really always have to restart the router when I have inserted or changed a new domain?
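Added example, not code from the thread or from the PBR project: a small model of the pbr_prerouting chain exactly as the listings above show it (three rules, each a goto into a pbr_mark chain that ends in return, and the fwmark-to-table rules from service pbr status). In nftables a goto does not push a return address, so the return in the marking chain leaves pbr_prerouting altogether and only the first matching rule ever applies; the model makes that visible for the policy order on the page, where the source-subnet policies come before the domain policy. The client and destination addresses (192.168.10.3, 192.168.11.50, 10.99.0.5, 203.0.113.10, 198.51.100.7) and the function names are constructed for the example.

```python
import ipaddress

# Rules in the order the pbr_prerouting chain above lists them. Each rule "goto"s a
# marking chain that ends in "return"; because goto does not push a return address,
# that return leaves pbr_prerouting, so the first matching rule is the last evaluated.
PBR_PREROUTING = [
    ("saddr", "192.168.10.0/24", 0x040000, "HTM"),
    ("saddr", "192.168.11.0/24", 0x020000, "HTMGuest"),
    ("daddr_set", "pbr_PVPN_NL_4_dst_ip_cfg0a6ff5", 0x020000, "WagasWorld"),
]

# fwmark -> policy routing table, from "pbr tables & routing" in service pbr status
MARK_TABLES = {0x010000: "pbr_wan", 0x020000: "pbr_PVPN_NL",
               0x030000: "pbr_MLVAD_CH", 0x040000: "pbr_IPVAN_CH"}
MARK_MASK = 0xff0000  # "fwmark 0x20000/0xff0000": only these bits select a table


def apply_mark(mark, value):
    """Model pbr_mark_0x0N0000: clear the policy byte, then set it. nft prints this
    as 'mark & 0xff0Nffff | 0x000N0000', which yields the same result."""
    return (mark & ~MARK_MASK) | value


def classify(src, dst, nft_sets, rules=PBR_PREROUTING, mark=0):
    """Walk the rules for one packet. Returns (policy, table, mark); the table is
    what the 'from all fwmark ... lookup' rules would select for the final mark."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for kind, arg, value, name in rules:
        if kind == "saddr":
            hit = src_ip in ipaddress.ip_network(arg)
        else:  # "daddr_set": destination is in the dnsmasq-populated nft set
            hit = dst_ip in nft_sets.get(arg, set())
        if hit:
            mark = apply_mark(mark, value)
            return name, MARK_TABLES[mark & MARK_MASK], mark
    return None, "main", mark  # unmarked: ordinary main-table routing


def domain_rules_first(rules):
    """Stable reorder that puts destination-set (domain) policies ahead of the
    broad source-subnet policies, so they get a chance to match."""
    return sorted(rules, key=lambda r: r[0] != "daddr_set")


if __name__ == "__main__":
    # constructed sample: one resolved address in the domain set, three sample clients
    SETNAME = "pbr_PVPN_NL_4_dst_ip_cfg0a6ff5"
    sets = {SETNAME: {ipaddress.ip_address("203.0.113.10")}}
    for src in ("192.168.10.3", "192.168.11.50", "10.99.0.5"):
        for label, rules in (("page order", PBR_PREROUTING),
                             ("domain first", domain_rules_first(PBR_PREROUTING))):
            policy, table, mark = classify(src, "203.0.113.10", sets, rules)
            print(f"{label:13} {src:14} -> policy={policy!s:11} table={table} mark={mark:#08x}")
```

With the page's order a 192.168.10.x client always lands in pbr_IPVAN_CH, even for a destination that is in the WagasWorld set; only a client outside both source subnets reaches the third rule. Reordering so the destination-set rule comes first lets that client go to pbr_PVPN_NL for the listed domain and fall back to the HTM policy for everything else.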
First some unrelated things, but something you should correct.
You have multiple tunnels, all with a default route; usually only the last tunnel will take the default route, but that is not good practice.
For the tunnel you want to be the default route, enable Route Allowed IPs; for the other tunnels, disable Route Allowed IPs.
Now on to your problem: the nftset seems to be made,
although it is missing from nft list ruleset;
maybe a copy error?
But better check that that set is available with nft list ruleset.
Let's see if we can fill the set. Do the following from the command line:
service pbr restart
Check if the set pbr_PVPN_NL_4_dst_ip_cfg0a6ff5
is made with:
service pbr status
If the set is empty, try to fill it with:
nslookup wieistmeineip.de
The address should be resolved which should fill the nftset, check again with:
service pbr status
I use the same destination but with ipchicken.com; after a reboot the set is empty:
pbr nft sets
set pbr_wg_proton_nl_4_dst_ip_bypass { # handle 1364
type ipv4_addr
flags interval
auto-merge
comment "ipchicken"
}
After filling it from command line or from a client which does the lookup:
root@DL-WRX36:~# nslookup ipchicken.com
Server: 127.0.0.1
Address: 127.0.0.1:53
Non-authoritative answer:
Name: ipchicken.com
Address: 104.26.6.112
Name: ipchicken.com
Address: 172.67.68.101
Name: ipchicken.com
Address: 104.26.7.112
service pbr status
:
pbr nft sets
set pbr_wg_proton_nl_4_dst_ip_bypass { # handle 1364
type ipv4_addr
flags interval
auto-merge
comment "ipchicken"
elements = { 104.26.6.112, 104.26.7.112,
172.67.68.101 }
}
nft list ruleset
:
root@DL-WRX36:~# nft list ruleset
table inet fw4 {
set pbr_wg_proton_nl_4_dst_ip_bypass {
type ipv4_addr
flags interval
auto-merge
comment "ipchicken"
elements = { 104.26.6.112, 104.26.7.112,
172.67.68.101 }
}
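Added example, not code from the thread or from the PBR project: an offline cross-check of the three artifacts the procedure above asks for (the policy sections of /etc/config/pbr, the generated dnsmasq nftset file, and the "pbr nft sets" block of service pbr status). It reports, per domain policy, whether dnsmasq has an nftset line for that domain at all, whether the set exists, and whether it holds elements yet. The sample inputs are copied from the listings in this thread, where the policy names wieistmeineip.de while the dnsmasq line names wagasworld.com; the filled-set variant uses constructed documentation addresses (203.0.113.10, 203.0.113.11, 198.51.100.7), and all function names and finding codes are the example's own.

```python
import ipaddress
import re

# --- constructed inputs, copied from the listings in this thread -------------
PBR_CONFIG = """
config policy
option name 'HTM'
option src_addr '192.168.10.0/24'
option interface 'IPVAN_CH'
config policy
option name 'WagasWorld'
option dest_addr 'wieistmeineip.de'
option interface 'PVPN_NL'
"""
# the generated dnsmasq file (cat $(ls -d /tmp/dns*)/pbr)
DNSMASQ_PBR = "nftset=/wagasworld.com/4#inet#fw4#pbr_PVPN_NL_4_dst_ip_cfg0a6ff5 # WagasWorld\n"
# "pbr nft sets" block of service pbr status, right after a reboot
NFT_SETS_EMPTY = """pbr nft sets
set pbr_PVPN_NL_4_dst_ip_cfg0a6ff5 { # handle 940
type ipv4_addr
flags interval
auto-merge
comment "WagasWorld"
}
"""
# the same set after dnsmasq resolved the domain (constructed sample elements)
NFT_SETS_FILLED = NFT_SETS_EMPTY.replace(
    'comment "WagasWorld"\n',
    'comment "WagasWorld"\nelements = { 203.0.113.10, 203.0.113.11,\n198.51.100.7 }\n')

NFTSET_RE = re.compile(r"^nftset=(/(?:[^/]+/)+)(?:[46]#)?(\w+)#(\w+)#(\w+)")
SET_RE = re.compile(r"set\s+(\S+)\s*\{[^\n]*\n(.*?)\n\s*\}", re.S)
ELEM_RE = re.compile(r"elements\s*=\s*\{(.*?)\}", re.S)


def _is_ip_or_cidr(token):
    try:
        ipaddress.ip_network(token, strict=False)
        return True
    except ValueError:
        return False


def parse_policies(uci_text):
    """Enabled 'config policy' sections of /etc/config/pbr; dest_addr tokens that
    are not IPs/CIDRs are the domains dnsmasq must resolve into the set."""
    policies, current = [], None
    for raw in uci_text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            current = {"domains": [], "enabled": "1"} if line.startswith("config policy") else None
            if current is not None:
                policies.append(current)
            continue
        m = re.match(r"(?:option|list)\s+(\w+)\s+'([^']*)'", line)
        if current is None or not m:
            continue
        key, value = m.groups()
        if key == "dest_addr":
            current["domains"].extend(t for t in value.split() if not _is_ip_or_cidr(t))
        else:
            current[key] = value
    return [p for p in policies if p["enabled"] != "0"]


def parse_nftset_lines(text):
    """dnsmasq 'nftset=/dom1/dom2/[4#]family#table#set' lines -> {domain: set name}."""
    mapping = {}
    for line in text.splitlines():
        m = NFTSET_RE.match(line.strip())
        if m:
            for domain in m.group(1).strip("/").split("/"):
                mapping[domain] = m.group(4)
    return mapping


def parse_set_elements(nft_text):
    """'set NAME { ... }' blocks (pbr status or nft list ruleset) -> {name: elements}."""
    sets = {}
    for name, body in SET_RE.findall(nft_text):
        m = ELEM_RE.search(body)
        sets[name] = {e.strip() for e in m.group(1).split(",") if e.strip()} if m else set()
    return sets


def check_domain_routing(pbr_config, dnsmasq_pbr, nft_sets_text):
    """Return (code, domain, message) findings for every domain-based policy."""
    domain_to_set = parse_nftset_lines(dnsmasq_pbr)
    sets = parse_set_elements(nft_sets_text)
    findings, policy_domains = [], set()
    for p in parse_policies(pbr_config):
        for domain in p["domains"]:
            policy_domains.add(domain)
            setname = domain_to_set.get(domain)
            if setname is None:
                findings.append(("NO_NFTSET_LINE", domain, f"policy '{p['name']}': dnsmasq has no nftset line for this domain, so nothing can fill the set; reload pbr and confirm dnsmasq restarted"))
            elif setname not in sets:
                findings.append(("SET_MISSING", domain, f"dnsmasq points at set {setname}, which is not in the ruleset"))
            elif not sets[setname]:
                findings.append(("SET_EMPTY", domain, f"set {setname} has no elements yet; resolve the domain through dnsmasq (nslookup {domain}) and re-check"))
            else:
                findings.append(("OK", domain, f"set {setname} holds {len(sets[setname])} address(es)"))
    for domain, setname in domain_to_set.items():
        if domain not in policy_domains:
            findings.append(("STALE_NFTSET_LINE", domain, f"dnsmasq still maps this domain to {setname}, but no enabled policy names it"))
    return findings


if __name__ == "__main__":
    for code, domain, msg in check_domain_routing(PBR_CONFIG, DNSMASQ_PBR, NFT_SETS_EMPTY):
        print(f"{code:18} {domain:20} {msg}")
```

Run against the page's own listings it flags wieistmeineip.de as having no dnsmasq line and wagasworld.com as a stale line; with a matching dnsmasq line the only remaining finding is the empty set, which is the state the nslookup step above is meant to clear.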
To test, I tried to reach ipchicken with my WAN while NL is my default gateway, but I still get the NL address displayed. The way I see it, ipchicken is also resolved correctly.
root@HTMGateWay:~# service pbr restart
Resetting chains and sets [β]
Removing routing for 'wan/pppoe-wan/212.37.63.165' [β]
Removing routing for 'PVPN_NL/10.2.0.2' [β]
Removing routing for 'MLVAD_CH/0.0.0.0' [β]
Removing routing for 'IPVAN_CH/100.96.9.152' [β]
pbr 1.1.8-r16 (fw4 nft file mode) stopped [β]
Using uplink interface (on_start): wan [β]
Found uplink gateway (on_start): 212.37.63.165 [β]
Setting up routing for 'wan/pppoe-wan/212.37.63.165' [β]
Setting up routing for 'PVPN_NL/10.2.0.2' [β]
Setting up routing for 'MLVAD_CH/0.0.0.0' [β]
Setting up routing for 'IPVAN_CH/100.96.9.152' [β]
Routing 'HTM' via PVPN_NL [β]
Routing 'HTMGuest' via PVPN_NL [β]
Routing 'ipchicken' via wan [β]
Installing fw4 nft file [β]
Setting interface trigger for wan [β]
Setting interface trigger for PVPN_NL [β]
Setting interface trigger for MLVAD_CH [β]
Setting interface trigger for IPVAN_CH [β]
pbr 1.1.8-r16 monitoring interfaces: wan PVPN_NL MLVAD_CH IPVAN_CH
pbr 1.1.8-r16 (fw4 nft file mode) started with gateways:
wan/pppoe-wan/212.37.63.165
PVPN_NL/10.2.0.2 [β]
MLVAD_CH/0.0.0.0
IPVAN_CH/100.96.9.152
root@HTMGateWay:~#
OK, and now the rest of the things I have asked:
output of service pbr status
if the nftset is empty, try to fill it with: nslookup ipchicken.com
or the domain you have set in the PBR rule.
Please also show the output.
Then see if the nftset is filled with:
service pbr status
It works so far now. But how can I change the DNS? For example, if I access ipleaks.net with my WAN interface, the IP is correct but the DNS is not. I can't manage to change it. The last DNS used always remains.
About DNS leaks, some background information can be found in my notes:
Basically you want the DNS query to follow the same route the IP traffic takes, so you are not only routing IP traffic but also routing, e.g. splitting, DNS traffic.
In this case, where we are talking about destination (domain) routing, i.e. different DNS routing based on the destination, see:
Be warned: there can be a lot of variables involved (secure DNS, DNS hijacking, Private DNS, etc.) which can make this a frustrating subject.