I'm currently trying to get Policy Based Routing (pbr) to play nicely with WireGuard. I have both WireGuard and pbr set up: traffic from one specific device on my LAN (192.168.1.225) is sent through WireGuard, while all other traffic is correctly routed out the WAN. The issue is that I'm seeing DNS leaks from the device that is being tunneled through WireGuard -- the test still shows my ISP's resolvers, where I should only be seeing the Cloudflare resolvers my VPN provider uses. I'm testing with https://www.dnsleaktest.com/. The other odd thing is that the leak is only reported in Chrome and Safari, not in Firefox (Firefox may simply be using its own DNS-over-HTTPS resolver and bypassing the router's DNS entirely, which would hide the problem rather than fix it -- worth checking in its connection settings).
My hunch is that I'm misunderstanding how DNS gets resolved on the router -- in particular, which host the upstream DNS queries actually originate from -- and that I'm missing something fairly straightforward.
What I'd like is to keep DNS resolution for the WAN path tied to my ISP's resolvers, while DNS for the WireGuard-routed device is handled entirely inside the tunnel by the VPN provider's resolver.
Relevant config below (keys, the endpoint, addresses and the ULA prefix are redacted as 'xxxxx'):
// /etc/config/network
# NOTE(review): keys, endpoint, tunnel address and ULA prefix are redacted ('xxxxx') in this paste.
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'xxxxx'
config device
option name 'br-lan'
option type 'bridge'
list ports 'eth0.1'
# LAN: 192.168.1.0/24 on br-lan. ip6assign hands a /60 from the ULA prefix to
# the LAN, so hosts get IPv6 (ULA) addresses even though wan6 below never comes up.
config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '60'
config device
option name 'eth0.2'
option macaddr 'xxxx'
# WAN: DHCP from the ISP. There is no 'option peerdns 0' here, so the ISP's
# DHCP-supplied resolvers are used as upstream servers by the router's dnsmasq --
# which is the intended behaviour for WAN-routed clients.
config interface 'wan'
option device 'eth0.2'
option proto 'dhcp'
option broadcast '1'
# wan6 has auto '0', so the interface is not started: no global IPv6 on the WAN side.
config interface 'wan6'
option device 'eth0.2'
option proto 'dhcpv6'
option auto '0'
option reqaddress 'try'
option reqprefix 'auto'
option peerdns '0'
# WireGuard client. peerdns '0' together with an explicit 'list dns' hands
# 103.xx.xx.100 to the router's dnsmasq as an upstream resolver for the *whole
# router*, alongside the ISP servers from wan -- it does not tie that resolver to
# the tunneled client. NOTE(review): as I read netifd, this is exactly what makes
# the leak intermittent: every LAN client's queries are forwarded by dnsmasq to
# whichever upstream is tried first (see strictorder in /etc/config/dhcp), and
# those forwarded queries carry the router's own source address, which the pbr
# 'MBP' policy (src_addr 192.168.1.225) can never match. Confirm with
# `cat /tmp/resolv.conf.d/resolv.conf.auto`. If the MBP is given its own resolver
# via DHCP instead, this 'list dns' line can go.
config interface 'wireguard_1'
option proto 'wireguard'
option private_key 'xxxxx'
list addresses 'xxxx'
option peerdns '0'
list dns '103.xx.xx.100'
# Peer: full-tunnel AllowedIPs (0.0.0.0/0 and ::/0). route_allowed_ips is not set,
# so -- assuming OpenWrt's default of not routing AllowedIPs -- nothing here
# becomes a default route in the main table and pbr alone steers traffic into the
# tunnel; verify with `ip route show table main`.
config wireguard_wireguard_1
option description 'Imported peer configuration'
option public_key 'xxxxx'
list allowed_ips '0.0.0.0/0'
list allowed_ips '::/0'
option persistent_keepalive '25'
option endpoint_host 'xxxxx'
option endpoint_port 'xxxxx'
// /etc/config/dhcp
# dnsmasq: DNS forwarder for the LAN and DHCPv4 server (odhcpd has maindhcp '0').
config dnsmasq
option domainneeded '1'
option localise_queries '1'
# rebind_protection + localservice: refuse RFC1918 answers from upstream and only
# serve DNS to directly attached subnets. Good hygiene -- keep both.
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option localservice '1'
option ednspacket_max '1232'
option quietdhcp '1'
# strictorder: query upstream resolvers in resolv.conf order instead of racing
# them. So which resolver (ISP or VPN) answers depends on that file's order, not
# on which LAN client asked -- per-client DNS cannot be expressed here.
option strictorder '1'
# No 'list dhcp_option "6,..."' is set, so (dnsmasq's default) DHCP clients --
# including the MBP -- are told to use the router, 192.168.1.1, as their DNS
# server. Every query from 192.168.1.225 therefore terminates at dnsmasq and is
# re-sent upstream with the router's own source address, outside the pbr policy.
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv4 'server'
option dhcpv6 'server'
option ra 'server'
list ra_flags 'managed-config'
list ra_flags 'other-config'
# dns_service '0': as I read odhcpd, stops it advertising the router as an IPv6
# DNS server (RDNSS / DHCPv6 option 23) on the LAN.
option dns_service '0'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
# Static lease for the tunneled host. NOTE(review): a way to keep this host's DNS
# inside the tunnel without touching the router's own resolvers is to hand it a
# different DNS server through a dnsmasq tag: add `option tag 'vpn'` to this
# section and a new section
#   config tag 'vpn'
#       list dhcp_option '6,103.xx.xx.100'
# so the MBP sends its queries directly to the VPN resolver from 192.168.1.225,
# which the pbr 'MBP' policy then routes through wireguard_1 (and drops if the
# tunnel is down, thanks to strict_enforcement). Verify the tag syntax against the
# OpenWrt dnsmasq docs for your release and renew the MBP's lease afterwards.
config host
option name 'MBP'
option ip '192.168.1.225'
option mac 'xxxxx'
// /etc/config/pbr
config pbr 'config'
option verbosity '2'
# strict_enforcement: if wireguard_1 is down, traffic matched to it is dropped
# instead of falling back to WAN -- fail-closed, keep it.
option strict_enforcement '1'
# resolver_set 'none': no domain-based (ipset/nftset) policies. pbr does nothing
# about DNS in this config; it only steers packets by source/destination address.
option resolver_set 'none'
# IPv6 is not policy-routed. With wan6 disabled in /etc/config/network there is
# no global IPv6 egress, so this is tolerable; revisit it if wan6 is ever enabled,
# since the peer's '::/0' AllowedIPs would then matter.
option ipv6_enabled '0'
list ignored_interface 'vpnserver'
list ignored_interface 'wgserver'
option boot_timeout '30'
option rule_create_option 'add'
option procd_reload_delay '1'
list webui_supported_protocol 'all'
list webui_supported_protocol 'tcp'
list webui_supported_protocol 'udp'
list webui_supported_protocol 'tcp udp'
list webui_supported_protocol 'icmp'
option webui_show_ignore_target '1'
option enabled '1'
# Policies match top to bottom; this one must stay above 'Other Requests'. It only
# matches packets whose *source* is 192.168.1.225, i.e. traffic the MBP sends
# itself. DNS queries that the router's dnsmasq forwards on the MBP's behalf are
# sourced from the router and never hit this rule -- that is the DNS leak. Fix it
# on the DNS side (give the MBP a resolver inside the tunnel, e.g. via a DHCP
# tag in /etc/config/dhcp). NOTE(review): recent pbr releases also document a
# per-policy 'dns' option that redirects port 53 for the policy's source -- check
# your installed version's README before relying on it.
config policy
option name 'MBP'
option interface 'wireguard_1'
option src_addr '192.168.1.225'
# Catch-all: the rest of the LAN (192.168.1.1/24, i.e. 192.168.1.0/24) out the WAN.
config policy
option name 'Other Requests'
option src_addr '192.168.1.1/24'
option interface 'wan'
Thanks for any and all help.