Routing my country via the WAN

I am running 22.03.2 on a Xiaomi 4A Gigabit edition, with PBR.
Now I need to route all the IP blocks domiciled in my country via the WAN, not VPN.
The IPs are from http://www.ipdeny.com/ipblocks/data/countries/ke.zone.
How do I route all these blocks via the WAN?

Thanks!

Use PBR!
https://forum.openwrt.org/t/policy-based-routing-pbr-package-discussion/140639

I actually found a video that explained the thing very well. I believe this video - https://www.youtube.com/watch?v=YEHDf8-nZyA - needs to be linked prominently on the documentation for PBR.
It turns out it was a very simple process:

  1. Grab the template file - https://github.com/vantechcorner/OpenWRT-VPN-Policy-Based-Routing/blob/main/vpn-policy-routing.user and save it in your router in /etc
  2. cp /etc/vpn-policy-routing.user /etc/vpn-policy-routing.CC #CC is just Country Code, in my case KE
  3. Grab the file containing your country's blocks of IPs from https://www.ipdeny.com/ipblocks/ or wherever, save it.
  4. Edit /etc/vpn-policy-routing.CC - and specify the interface (WAN in my case) and the path to the file containing your country's IPs
  5. Specify the /etc/vpn-policy-routing.CC in the PBR under "Custom User File Includes", save & apply, and voila!

Okay. Looks like I spoke too soon, but the problem is probably minor.
I am getting this error on the UI: Error running custom user file '/etc/vpn-policy-routing.ke.user'!
My /etc/vpn-policy-routing.ke.user is mode 755 (executable).
My TARGET_FNAME="/etc/KE-IPs.lst" and the file /etc/KE-IPs.lst contains IP subnets in CIDR format, one per line.

Is there a way to diagnose the cause of the error?
I have tried to manually run the file /etc/vpn-policy-routing.ke.user and I get the following:

root@OpenWrt:/etc# export TARGET_IPSET='wan'
root@OpenWrt:/etc# export TARGET_FNAME="/etc/KE-IPs.lst"
root@OpenWrt:/etc# awk -v ipset="$TARGET_IPSET" '{print "add " ipset " " $1}' "$TARGET_FNAME" | ipset restore -! && _ret=0
ipset v7.15: Missing second mandatory argument to command add
Try `ipset help' for more information.
root@OpenWrt:/etc#

What am I missing from the command line?

Should you use ipset restore during ipset creation?

TBH, I am new to all this and so the cli argument structure is still not clear.
What do you suppose is supposed to be the correct argument to ipset?
I think 'restore' will overwrite if there was none. Not sure.

I would use add, but you need to create an ipset first.

https://ipset.netfilter.org/ipset.man.html
https://wiki.archlinux.org/title/Ipset

Are you using fw3 or fw4? 22.03 comes with fw4 (nftables) by default; you can, of course, install the backward compatibility stuff, but the way that sets work is completely different (and, IMHO, not so very well documented) with nftables and iptables. It's hard to know which you're using, since you're mentioning ipset (i.e. the "old", fw3)...

With fw4, you can easily set up named sets by dropping nft configuration files into /etc/nftables.d (see the README inside this directory).

Just be careful when doing this, and make sure that you have console access in case you make a mistake and lock yourself out!

And, if you're already running 22.03, you might as well start investigating how fw4 works... It will pay off in the future.

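An added example, not code from the thread, the pbr package or its user-file template: two POSIX sh functions that turn a one-CIDR-per-line zone file (such as the /etc/KE-IPs.lst mentioned above) into, first, an `ipset restore` stream that creates the set before any `add` line, which is the ordering the replies above insist on, and second, an nftables set definition of the kind the fw4 reply describes for /etc/nftables.d. The set name `ke_wan`, the sample file (documentation prefixes, not real KE ranges) and the defects planted in it are assumptions. Both paths go through one filter that drops CR characters, blank lines and comments, because an `add` line with nothing after the set name is precisely what makes ipset print "Missing second mandatory argument to command add".

```sh
#!/bin/sh
# Added example, not from the thread or the pbr package. Turns a one-CIDR-per-line
# zone file (e.g. /etc/KE-IPs.lst from ipdeny) into set definitions for either
# firewall backend. The set name and the sample data below are assumptions.

# Keep only lines that look like IPv4 CIDRs: strip CR (CRLF downloads), drop
# blank lines and '#' comments, report anything else on stderr.
clean_cidrs() {
    tr -d '\r' < "$1" | awk '
        /^[ \t]*(#|$)/ { next }
        $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(\/[0-9]+)?$/ { print $1; next }
        { print "skipping malformed line " NR ": " $0 > "/dev/stderr" }
    '
}

# Usage: build_ipset_restore SETNAME FILE | ipset restore -!
# The set must exist before any "add" line; an "add SET" with no member (what a
# blank input line produces) is what yields "Missing second mandatory argument".
build_ipset_restore() {
    printf 'create %s hash:net family inet\n' "$1"
    printf 'flush %s\n' "$1"
    clean_cidrs "$2" | awk -v set="$1" '{ print "add " set " " $1 }'
}

# Usage: build_nft_set SETNAME FILE > /etc/nftables.d/SETNAME.nft
# fw4 includes *.nft files from that directory inside its "inet fw4" table, so a
# bare "set { }" block is enough; "flags interval" is required for prefixes.
build_nft_set() {
    printf 'set %s {\n\ttype ipv4_addr\n\tflags interval\n\telements = {\n' "$1"
    clean_cidrs "$2" 2>/dev/null | awk '
        { printf "%s\t\t%s", (n++ ? ",\n" : ""), $1 }
        END { if (n) printf "\n" }
    '
    printf '\t}\n}\n'
}

# Constructed sample zone file with the defects seen in downloaded lists:
# CRLF, a blank line, a comment, junk. Documentation prefixes, not KE ranges.
write_sample_zone() {
    {
        printf '# constructed sample, not the real ke.zone\n'
        printf '192.0.2.0/24\r\n'
        printf '198.51.100.0/24\n\n'
        printf '203.0.113.0/24\n'
        printf 'not-an-address\n'
    } > "$1"
}
```

On the router, `build_ipset_restore "$TARGET_IPSET" "$TARGET_FNAME" | ipset restore -! && _ret=0` uses the same variables as the transcript above; the `-!` keeps the `create` line harmless when the set already exists. For fw4, `build_nft_set ke_wan /etc/KE-IPs.lst > /etc/nftables.d/ke_wan.nft` followed by `fw4 reload` loads the set, which you can inspect with `nft list set inet fw4 ke_wan` (or `ipset list ke_wan` on the fw3 side). As the fw4 reply says, have console access ready before reloading a firewall you have just hand-edited.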
No need for user files, as long as you can use any supported resolver set, just add your country TLD ke in the remote addresses/domains field of luci-app-pbr package.

That will not do what I want. I need to route ALL IPs allocated by the RIR to entities in my country. So it's not just the TLD ke. There are several TLDs and ccTLD that are hosted within KE. So I am looking at all the subnets listed here - http://www.ipdeny.com/ipblocks/data/countries/ke.zone

I have flushed 22.03.2 again while wiping everything. Initially, I upgraded while retaining the settings I had from the previous version. I am going to install https://docs.openwrt.melmac.net/pbr/#how-to-install

For pbr you'll definitely need to make changes to your user file, as the ipset and nft set names have changed.

Thank you so much for your time spent on holding my hand on this matter.
I have followed https://docs.openwrt.melmac.net/pbr/, but I have a problem: In luci-app-pbr -> Basic Configuration -> Use resolver set support for domains, I only have "disabled" and no Dnsmasq nft set as shown on the screenshots in the documentation. I believe this is fine, yes?

Now that I am using pbr, how do I incorporate all subnets from http://www.ipdeny.com/ipblocks/data/countries/ke.zone to be routed via the WAN?

Thank you in advance.

No, you don't need resolver set support to populate sets from the file of ranges.

I've posted the correct user file for pbr in the main pbr thread: Policy-Based-Routing (pbr) package discussion - #127 by stangri

Thank you very much. I have implemented the custom config and tested and anything within those ranges of subnets is being routed via the WAN.
If I may ask, is the alternative to that scripted option to just add the ranges under the "remote addresses/domains" one by one until one finishes? :)
It would be nice if one could also just edit /etc/config/pbr and add the subnets - with line breaks:

config policy
option name 'KE'
option interface 'wan'
option dest_addr 'a.b.c.d/20 w.x.y./19
n.n.n.n/n .b.c.d/n
x.x.y.y/n'
option enabled '1'

One last question though - why is it that in my case the option for "Dnsmasq nft set" is not showing?

Thanks

The syntax of the config file is dictated by OpenWrt, not the pbr package.

Your CIDR file is 240-ish lines long. With multi-line editing of any decent GUI text editor (like sublime text for example), it shouldn't be too hard to make 10 groups of 24 CIDRs and convert line breaks into spaces.

Check the README please.

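An added example, not code from the thread or the pbr package, for the manual grouping the reply above suggests: a POSIX sh function that splits the zone file into several `config policy` stanzas for /etc/config/pbr, each carrying up to N space-separated CIDRs in `option dest_addr`, laid out like the stanza the poster sketched above. The policy name prefix, the chunk size, the interface name and the sample file (documentation prefixes, not real KE ranges) are assumptions; confirm in the pbr README what `dest_addr` accepts before appending the output to the config.

```sh
#!/bin/sh
# Added example, not from the thread or the pbr package: emit several
# "config policy" stanzas for /etc/config/pbr from a one-CIDR-per-line zone
# file, CHUNK CIDRs per stanza, space-separated in dest_addr. Name prefix,
# chunk size and the sample file are assumptions; the pbr README has the
# exact dest_addr rules.

# Usage: build_pbr_policies FILE INTERFACE NAME_PREFIX CHUNK >> /etc/config/pbr
build_pbr_policies() {
    tr -d '\r' < "$1" | awk -v iface="$2" -v prefix="$3" -v chunk="$4" '
        function emit() {
            if (n == 0) return
            idx++
            printf "config policy\n"
            printf "\toption name '\''%s_%d'\''\n", prefix, idx
            printf "\toption interface '\''%s'\''\n", iface
            printf "\toption dest_addr '\''%s'\''\n", list
            printf "\toption enabled '\''1'\''\n\n"
            n = 0; list = ""
        }
        /^[ \t]*(#|$)/ { next }                                       # blank / comment
        $1 !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(\/[0-9]+)?$/ { next }  # not an IPv4 CIDR
        { list = (n ? list " " : "") $1; n++; if (n == chunk) emit() }
        END { emit() }
    '
}

# Constructed sample zone file (documentation prefixes, not KE ranges) with a
# CRLF line and a blank line, as downloaded lists sometimes have.
write_sample_zone() {
    {
        printf '192.0.2.0/25\r\n'
        printf '192.0.2.128/25\n\n'
        printf '198.51.100.0/24\n'
        printf '203.0.113.0/25\n'
        printf '203.0.113.128/25\n'
    } > "$1"
}
```

For the 240-line file mentioned above, `build_pbr_policies /etc/KE-IPs.lst wan KE 24 >> /etc/config/pbr` gives the ten stanzas of 24 CIDRs the reply describes; run `uci show pbr` afterwards to confirm the file still parses, then restart pbr.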