Question regarding policy based route using marks and rules

I have a firewall rule like this:

config rule
	option target 'MARK'
	option src 'lan'
	option proto 'all'
	list src_ip '0.0.0.0/0'
	list dest_ip '6.6.6.6'
	option family 'ipv4'
	option set_mark '0xff12'
	option dest '*'

I'm using this mark in /etc/config/network as follows:

config interface 'wgc_ada'
	option proto 'wireguard'
	option private_key '<redacted>'
	list addresses '10.5.5.2/32'
	list addresses 'fd42:1337:1337::2/128'
	option mtu '1280'
	option metric '2020'
	option ip4table '14436'
	option ip6table '14436'

config rule
	option mark '0xff12'
	option lookup '14436'

Everything works well, but I was curious: I have 3 WAN interfaces (wan and wan6) and a 4G interface (4G) like this:

config interface 'wan'
	option device 'br-wan'
	option proto 'dhcp'
	option metric '10'

config interface 'wan6'
	option device 'br-wan'
	option metric '10'
	option reqaddress 'try'
	option reqprefix 'auto'
	option sourcefilter '0'
	option proto 'dhcpv6'

config interface '4G'
	option proto 'qmi'
	option auth 'none'
	option pdptype 'ipv4v6'
	option device '/dev/cdc-wdm0'
	option metric '50'
	option delegate '1'

Is it possible for me to create rules that use either the wan or 4G interface like I do with my wireguard interface? I tried adding an ip4table and ip6table to my 4G interface and creating rules for it, but it still goes through my main WAN interface instead of going through the 4G. Also, if I create a manual lookup table like this, will that stop working, since I use the 4G also for failover?

It should work assuming you don't install conflicting PBR or MWAN apps.
Analyze the runtime configuration to understand the cause of the problem:
https://openwrt.org/docs/guide-user/network/routing/basics#troubleshooting

Looks like I had to do a network service restart instead of a reload to make it work, but there is still an issue: when the 4G interface has the options ip4table and ip6table enabled, only the marked packets go through it (when the main WAN interface is down); all the other packets don't go anywhere. Is there a workaround for this?

I turned off my main WAN with this as my config:

config interface '4G'
	option proto 'qmi'
	option auth 'none'
	option pdptype 'ipv4v6'
	option device '/dev/cdc-wdm0'
	option metric '50'
	option delegate '1'
	option ip4table '27928'
	option ip6table '27928'

config rule
	option mark '0xFF2'
	option lookup '27928'

And these in my firewall config:

config rule
	option target 'MARK'
	option proto 'all'
	option set_mark '0xFF2'
	list src_ip '0.0.0.0/0'
	option dest '*'
	list dest_ip '1.1.1.1/32'
	option family 'ipv4'

config rule
	option target 'MARK'
	option src 'lan'
	option proto 'all'
	option set_mark '0xFF2'
	list src_ip '0.0.0.0/0'
	option dest '*'
	list dest_ip '1.1.1.1/32'
	option family 'ipv4'

Then tried pinging/tracing to 1.1.1.1 as well as 8.8.8.8:

└──╼ $ping 1.1.1.1
PING 1.1.1.1 (1.1.1.1) 56(84) bytes of data.
64 bytes from 1.1.1.1: icmp_seq=1 ttl=238 time=498 ms
64 bytes from 1.1.1.1: icmp_seq=2 ttl=238 time=226 ms

└──╼ $traceroute 1.1.1.1
traceroute to 1.1.1.1 (1.1.1.1), 30 hops max, 60 byte packets
 1  owrtbox (192.168.1.1)  0.309 ms  0.343 ms  0.362 ms
 2  * * *
 3  * * *
 4  122.15.177.142 (122.15.177.142)  106.537 ms 182.19.34.10 (182.19.34.10)  115.383 ms 122.15.177.142 (122.15.177.142)  106.551 ms

Ping/Traceroute to 1.1.1.1 works fine

└──╼ $ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.

traceroute 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
 1  owrtbox (192.168.1.1)  0.260 ms  0.233 ms  0.219 ms^C

Ping/traceroute to 8.8.8.8 doesn't do anything

Create another ip rule referencing routing table 27928 but with a higher priority number than the one referencing the main routing table.

config rule
	option in 'lan'
	option priority '40000'
	option lookup '27928'
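As an added example (not code from this thread), the following Python walks a packet through the ip rules the way the kernel does, using constructed `ip rule show` and routing-table lines modelled on this setup; it shows that an unmarked LAN packet finds no route while the main table lacks a default, and that the priority-40000 fallback rule above sends it to table 27928. Priority 1000 for the mark rule and the exact route lines are assumptions.

```python
import ipaddress
import re

# Constructed `ip rule show` output; priority 1000 is an assumption, the
# 40000 line is the fallback rule suggested in the answer above.
RULES_BEFORE_FIX = """\
0:      from all lookup local
1000:   from all fwmark 0xff2 lookup 27928
32766:  from all lookup main
32767:  from all lookup default
"""
RULES_AFTER_FIX = RULES_BEFORE_FIX + "40000:  from all iif br-lan lookup 27928\n"

# Constructed tables: ip4table moved the 4G default route into 27928 and,
# with the wired WAN down, the main table holds no default route at all.
TABLES = {
    "main": ["192.168.1.0/24 dev br-lan"],
    "27928": ["default via 10.30.46.94 dev wwan0", "10.30.46.92/30 dev wwan0"],
}
RULE_RE = re.compile(r"^(\d+):\s+from \S+(?: fwmark (0x[0-9a-f]+))?(?: iif (\S+))? lookup (\S+)")

def parse_rules(text):
    # (priority, fwmark, iif, table) tuples, lowest priority first
    rules = []
    for line in text.splitlines():
        if m := RULE_RE.match(line.strip()):
            prio, mark, iif, table = m.groups()
            rules.append((int(prio), int(mark, 16) if mark else 0, iif, table))
    return sorted(rules, key=lambda r: r[0])

def table_lookup(routes, dst):
    # longest-prefix match inside one table; None when nothing matches
    best = None
    for entry in routes:
        prefix = entry.split()[0]
        net = ipaddress.ip_network("0.0.0.0/0" if prefix == "default" else prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, entry)
    return best[1] if best else None

def route(rules_text, dst, fwmark=0, iif=None, tables=TABLES):
    # Walk the rules like the kernel: a matching rule whose table has no
    # route for dst does not end the search; the next rule is tried.
    dst = ipaddress.ip_address(dst)
    for _prio, mark, rule_iif, table in parse_rules(rules_text):
        if (mark and mark != fwmark) or (rule_iif and rule_iif != iif):
            continue
        hit = table_lookup(tables.get(table, []), dst)
        if hit:
            return table, hit
    return None, None
```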

That worked! Now when the main WAN is down my traffic does indeed go through wwan0, but there's still a small issue that remains. I had a wireguard interface with allowed IPs 0.0.0.0 and ::/0 set; when I try to browse on the LAN it always goes through that interface for some reason. When I looked at the output of ip route on the router I can see this:

default dev wgc_Gardens proto static scope link metric 2010 
10.0.0.0/24 dev wgc_monolith proto static scope link metric 180 
10.1.0.2 dev wgc_monolith proto static scope link metric 180 
10.254.248.0/24 dev wgc_Gardens proto static scope link metric 2010 
<some-public-ip> dev wgc_Gardens proto static scope link metric 2010 
<some-public-ip> dev wgc_Gardens proto static scope link metric 2010 
172.19.125.0/24 dev wg_server proto static scope link metric 2000 
172.19.125.2 dev wg_server proto static scope link metric 2000 
172.29.233.4 dev wgc_Gardens proto static scope link metric 2010 
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1

I had to manually add the route like this:

ip route add default dev wwan0

This is my /etc/config/network :

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd49:5b71:694c::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan3'
	list ports 'sfp2'
	list ports 'lan4'
	list ports 'lan2'
	list ports 'lan1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ip6assign '60'
	list ipaddr '192.168.1.1/24'
	list dns '192.168.1.1'

config device
	option name 'br-wan'
	option type 'bridge'
	list ports 'eth1'
	list ports 'wan'

config device
	option name 'eth1'
	option macaddr '4e:7b:37:ba:28:8f'

config device
	option name 'wan'
	option macaddr '4e:7b:37:ba:28:8f'

config interface 'wan'
	option device 'br-wan'
	option metric '50'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option ipv6 '0'
	option proto 'dhcp'

config interface 'wan6'
	option device '@wan'
	option metric '50'
	option reqaddress 'try'
	option reqprefix 'auto'
	option sourcefilter '0'
	option proto 'dhcpv6'

config interface '4G'
	option proto 'qmi'
	option auth 'none'
	option pdptype 'ipv4v6'
	option device '/dev/cdc-wdm0'
	option metric '10'
	option delegate '1'
	option ip4table '42628'
	option ip6table '42628'

config interface 'wgc_gw'
	option proto 'wireguard'
	option private_key '<redacted>'
	list addresses '192.168.20.2/32'
	list addresses 'fc00:deaf:916d::2/128'
	option metric '150'

config wireguard_wgc_gw
	option description 'wgc_gw'
	option public_key '<redacted>'
	option endpoint_host '<redacted>'
	list allowed_ips '192.168.20.0/24'
	list allowed_ips 'fc00:deaf:916d::/64'
	option mtu '1280'
	option endpoint_port '51820'
	option persistent_keepalive '25'
	option route_allowed_ips '1'

config interface 'wgc_monolith'
	option proto 'wireguard'
	option private_key '<redacted>'
	list addresses '10.1.0.2/32'
	list addresses 'fc00:beef:477e::2/128'
	option metric '180'

config wireguard_wgc_monolith
	option description 'wgc_monolith'
	option public_key '<redacted>'
	list allowed_ips '10.0.0.0/24'
	option mtu '1280'
	option endpoint_host '<redacted>'
	option endpoint_port '51820'
	option persistent_keepalive '25'
	option route_allowed_ips '1'

config interface 'wg_server'
	option proto 'wireguard'
	option private_key '<redacted>'
	option listen_port '45593'
	option mtu '1280'
	list addresses '172.19.125.1/24'
	list addresses 'fc01:deed:9d9a::1/64'
	option metric '2000'

config wireguard_wg_server
	option public_key '<redacted>'
	list allowed_ips '172.19.125.2/32'
	list allowed_ips '<redacted>'
	option private_key '<redacted>'
	option description '<redacted>'
	option mtu '1280'
	option route_allowed_ips '1'

config interface 'wgc_Gardens'
	option proto 'wireguard'
	option private_key '<redacted>'
	list addresses '172.29.233.4/32'
	list addresses '<redacted>'
	option mtu '1280'
	option metric '2010'

config wireguard_wgc_Gardens
	option description 'wgc_Gardens'
	list allowed_ips '0.0.0.0/0'
	list allowed_ips '10.254.248.0/24'
	list allowed_ips '::0/0'
	option public_key '<redacted>'
	option mtu '1280'
	option endpoint_host '<redacted>'
	option endpoint_port '47852'
	option persistent_keepalive '25'
	option route_allowed_ips '1'

config interface 'wgc_ada'
	option proto 'wireguard'
	option private_key '<redacted>'
	list addresses '10.5.5.2/32'
	list addresses 'fd42:1337:1337::2/128'
	option mtu '1280'
	option metric '2020'
	option ip4table '21922'
	option ip6table '21922'

config wireguard_wgc_ada
	option description 'wgc_ada'
	option public_key '<redacted>'
	list allowed_ips '0.0.0.0/0'
	list allowed_ips '::0/0'
	option mtu '1280'
	option endpoint_host '<redacted>'
	option endpoint_port '51820'
	option persistent_keepalive '25'
	option route_allowed_ips '1'

config rule
	option mark '0xFAA1'
	option lookup '21922'

config rule6
	option mark '0xFAA1'
	option lookup '21922'

config rule
	option mark '0xFAA2'
	option lookup '42628'

config rule6
	option mark '0xFAA2'
	option lookup '42628'

config rule
	option in 'lan'
	option priority '40000'
	option lookup '42628'

When I remove the rule and lookup table on the 4G interface and restart the network service the default route shows up again:

default via 10.30.46.94 dev wwan0 proto static src 10.30.46.93 metric 10
default dev wgc_Gardens proto static scope link metric 2010 
10.0.0.0/24 dev wgc_monolith proto static scope link metric 180 
10.1.0.2 dev wgc_monolith proto static scope link metric 180 
10.30.46.92/30 dev wwan0 proto static scope link metric 10 
10.254.248.0/24 dev wgc_Gardens proto static scope link metric 2010 
<redacted> via 10.30.46.94 dev wwan0 proto static metric 10 
<redacted> via 10.30.46.94 dev wwan0 proto static metric 10 
172.19.125.0/24 dev wg_server proto static scope link metric 2000 
172.19.125.2 dev wg_server proto static scope link metric 2000 
172.29.233.4 dev wgc_Gardens proto static scope link metric 2010 
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1

Basically you should move the routes for wgc_Gardens from the main to a dedicated routing table like you did with wgc_ada and then create ip rules according to your needs.

