Problem with pbr and wan6 interface - OpenWRT router wireguard VPN on separate LAN

Installing and Using OpenWrt Network and Wireless Configuration
1

I have an error with my OpenWrt router. I have a constant loop that keeps recurring every few seconds. The loop consists of reloading pbr wan6 interface routing due to ifupdate of wan6. I will post the loop below and need help figuring out how to prevent the loop from recurring. The link below is a fix for the "vpn-policy-routing" package but does not reflect the new "pbr" package. I want to know how I can use information from this answer and apply it to my issue in pbr.

https://github.com/stangri/source.openwrt.melmac.net/issues/116

Loop:

Tue Sep 19 01:01:51 2023 user.notice pbr: Reloading pbr wan6 interface routing due to ifupdate of wan6 (eth0.2)
Tue Sep 19 01:01:52 2023 user.notice pbr: Activating traffic killswitch [✓]
Tue Sep 19 01:01:53 2023 user.notice pbr: Setting up routing for 'wan/eth0.2/{ipv4 address}/{ipv6 address}' [✓]
Tue Sep 19 01:01:54 2023 user.notice pbr: Setting up routing for 'WG_VPN/10.5.0.2/::/0' [✓]
Tue Sep 19 01:01:54 2023 user.notice pbr: Routing 'lan_vpn (zone) to WG_VPN (interface)' via WG_VPN [✓]
Tue Sep 19 01:01:54 2023 user.notice pbr: Deactivating traffic killswitch [✓]
Tue Sep 19 01:01:54 2023 user.notice pbr: service monitoring interfaces: wan WG_VPN
Tue Sep 19 01:02:22 2023 user.notice pbr: Reloading pbr wan6 interface routing due to ifupdate of wan6 (eth0.2)
Tue Sep 19 01:02:23 2023 user.notice pbr: Activating traffic killswitch [✓]
Tue Sep 19 01:02:24 2023 user.notice pbr: Setting up routing for 'wan/eth0.2/{ipv4 address}/{ipv6 address} [✓]
Tue Sep 19 01:02:24 2023 user.notice pbr: Setting up routing for 'WG_VPN/10.5.0.2/::/0' [✓]
Tue Sep 19 01:02:24 2023 user.notice pbr: Routing 'lan_vpn (zone) to WG_VPN (interface)' via WG_VPN [✓]
Tue Sep 19 01:02:24 2023 user.notice pbr: Deactivating traffic killswitch [✓]
Tue Sep 19 01:02:25 2023 user.notice pbr: service monitoring interfaces: wan WG_VPN

Firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'GUESTZone'
	option output 'ACCEPT'
	option forward 'REJECT'
	option input 'REJECT'
	list network 'GUEST'

config zone
	option name 'IOTZone'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'IOT'
	option input 'REJECT'

config forwarding
	option src 'lan'
	option dest 'IOTZone'

config forwarding
	option src 'GUESTZone'
	option dest 'wan'

config rule
	option name 'Guest DHCP and DNS'
	option src 'GUESTZone'
	option dest_port '53 67 68'
	option target 'ACCEPT'

config rule
	option name 'IOT DHCP and DNS'
	option src 'IOTZone'
	option dest_port '53 67 68'
	option target 'ACCEPT'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option src 'wan'
	option dest_ip '192.168.1.131'
	option src_dport '43312'
	option dest_port '43312'
	option name 'openvpn_alienware'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'wireguard_alienware'
	option src 'wan'
	option src_dport '43313'
	option dest_ip '192.168.1.131'
	option dest_port '43313'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option src 'wan'
	option src_dport '58718'
	option name 'wireguard_media'
	option dest_port '58718'
	option dest_ip '10.20.30.151'

config redirect
	option target 'DNAT'
	option name 'DNS Intercept'
	option src 'lan'
	option src_dport '53'

config zone
	option name 'WGZone'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'WG_VPN'

config zone
	option name 'lan_vpn'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'LAN_VPN'

config forwarding
	option src 'lan_vpn'
	option dest 'WGZone'

config include 'pbr'
	option fw4_compatible '1'
	option type 'script'
	option path '/usr/share/pbr/pbr.firewall.include'

Network:


config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix '{prefix}'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth1.1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option device 'eth0.2'
	option proto 'dhcp'

config interface 'wan6'
	option device 'eth0.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option vid '1'
	option ports '6t 4 1'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '0t 5'
	option vid '2'

config interface 'GUEST'
	option proto 'static'
	option netmask '255.255.255.0'
	option device 'br-guest'
	option ipaddr '10.20.30.1'

config interface 'IOT'
	option proto 'static'
	option ipaddr '172.16.0.1'
	option netmask '255.255.255.0'
	option device 'br-iot'

config switch_vlan
	option device 'switch0'
	option vlan '3'
	option vid '3'
	option description 'TheLoft_Guest'
	option ports '0t 3'

config switch_vlan
	option device 'switch0'
	option vlan '4'
	option vid '4'
	option ports '0t 2'
	option description 'TheLoft_Guest2'

config device
	option type 'bridge'
	option name 'br-guest'
	list ports 'eth0.3'
	list ports 'eth0.4'

config device
	option type 'bridge'
	option name 'br-iot'

config interface 'LAN_VPN'
	option proto 'static'
	option ipaddr '10.20.40.1'
	option netmask '255.255.255.0'
	list dns '{dns ip - working}'
	list dns '{dns ip - working}'
	option device 'br-vpn'

config interface 'WG_VPN'
	option proto 'wireguard'
	option private_key '{key}'
	option peerdns '0'
	list dns '{dns ip - working}'
	list dns '{dns ip - working}'
	list addresses '10.5.0.2'

config wireguard_WG_VPN
	option description '{host}'
	option public_key '{key}'
	list allowed_ips '0.0.0.0/0'
	option endpoint_host '{ip}'
	option persistent_keepalive '25'
	option disabled '1'

config device
	option type 'bridge'
	option name 'br-vpn'

config wireguard_WG_VPN
	option description '{host}'
	option public_key '{key}'
	list allowed_ips '0.0.0.0/0'
	option endpoint_host '{host}'
	option persistent_keepalive '25'

pbr:


config pbr 'config'
	option verbosity '2'
	option strict_enforcement '1'
	option resolver_set 'none'
	option ipv6_enabled '1'
	list ignored_interface 'vpnserver'
	list ignored_interface 'wgserver'
	option boot_timeout '30'
	option rule_create_option 'add'
	option procd_reload_delay '1'
	option webui_show_ignore_target '0'
	list webui_supported_protocol 'all'
	list webui_supported_protocol 'tcp'
	list webui_supported_protocol 'udp'
	list webui_supported_protocol 'tcp udp'
	list webui_supported_protocol 'icmp'
	option enabled '1'

config policy
	option src_addr '10.20.40.1/24'
	option interface 'WG_VPN'
	option name 'lan_vpn (zone) to WG_VPN (interface)'
2
  1. the issue is about PBR on the wan6 interface. Therefore, I'd check if there are any incorrect or conflicting rules in PBR that might be causing this continuous loop.
  2. Forwarding: Again, the forwarding between the lan_vpn and WGZone zones could be an issue, but the loop in question is on the wan6 interface and doesn't seem directly related to these zones.
  3. PBR (Policy-Based Routing): This is probably the most relevant point. You may have PBR rules that are in conflict with each other or that are misconfigured. This can result in an infinite loop of updates on the wan6 interface.