[Solved] Ping stops on WAN when WireGuard client is connected

Hello to all members, and thanks in advance for any reply.

Pretty much what the title says: The WAN interface (DHCP client) gets a public IP from the provider. I have added all needed firewall rules to allow ping from WAN.

Here is the problem, with steps for reproduction:

Pinging/reaching my public IP from the Internet works until the VPN interface (WireGuard client) is connected. Then, suddenly, my public IP is not reachable/pingable. As soon as I disconnect the VPN interface and restart the WAN interface, the "problem" is gone.

If anyone can help, that would be more than welcome. Configuration follows and all sensitive parts are masked.

Some insights about the network/installation:

  • OpenWrt 23.05.0-rc4 (r23482-7fe85ce1f2) x86_64
  • OpenWrt runs as a VM, inside Proxmox 8.0.4, in order to be able to handle 1Gbps up/down internet
  • DNS is outside OpenWrt, all DNS requests are forwarded to AdGuard Home, where DNS blocklists are enabled and DoH is enabled as well
  • IPv6 is disabled
  • PBR (Policy Based Routing) service is active, but this is not affecting the above-mentioned WAN behavior - I have tried with the service enabled and disabled, and I am getting the same results

/etc/config/network

# OpenWrt /etc/config/network, first revision posted by the OP.
# Interfaces: lan (br-lan, 192.168.255.0/25), wan (DHCP client on eth4),
# vpn (WireGuard *client* towards an external VPN provider) and
# wg (WireGuard *server* for remote clients, 192.168.254.0/24).
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'

# Four passed-through NICs bridged into a single LAN segment; STP protects
# against loops between the bridged ports.
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'
        list ports 'eth1'
        list ports 'eth2'
        list ports 'eth3'
        option stp '1'
        option igmp_snooping '1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.255.1'
        option netmask '255.255.255.128'
        option ipv6 'off'
        option force_link '0'
        option broadcast '192.168.255.127'
        # 192.168.255.4 is the AdGuard Home host mentioned at the top of the
        # post; this entry only sets the router's own resolver.
        list dns '192.168.255.4'
        list dns_search 'xxx'
        option delegate '0'

# WAN: no 'peerdns 0' here, so the ISP-supplied resolvers also end up in
# /tmp/resolv.conf.d/resolv.conf.auto, which dnsmasq reads in /etc/config/dhcp.
config interface 'wan'
        option proto 'dhcp'
        option device 'eth4'
        # '*' sends the system hostname in DHCP requests to the ISP; presumably
        # intended, but it does disclose the router's name upstream.
        option hostname '*'

# WireGuard client towards the VPN provider.
config interface 'vpn'
        option proto 'wireguard'
        option private_key 'xxx'
        # A client-only tunnel does not need a fixed listen port (WireGuard
        # picks a random one); leaving it out avoids a predictable UDP listener.
        # The wan zone INPUT policy is REJECT, so it is not reachable anyway.
        option listen_port '51820'
        list addresses 'x.x.x.x/32'
        list dns '192.168.255.4'

config wireguard_vpn
        option description 'xxx'
        option public_key 'xxx'
        # allowed_ips 0.0.0.0/0 together with route_allowed_ips '1' makes netifd
        # install a default route through this tunnel. Per the first reply this
        # is the likely cause of the reported symptom: replies to packets that
        # arrived on WAN (ICMP echo replies included) are sent back through the
        # tunnel instead of eth4. Fix: a policy route for LAN sources only, and
        # route_allowed_ips '0' here.
        list allowed_ips '0.0.0.0/0'
        option persistent_keepalive '25'
        option endpoint_host 'xxx'
        option endpoint_port '51820'
        option route_allowed_ips '1'

# WireGuard server for remote clients. UDP 57198 must match the
# 'Allow-WireGuard' rule in /etc/config/firewall.
config interface 'wg'
        option proto 'wireguard'
        option private_key 'xxx'
        option listen_port '57198'
        list dns '192.168.255.4'
        # Do not add host routes towards the peers' endpoints.
        option nohostroute '1'
        option mtu '1420'
        list addresses '192.168.254.1/24'

# Peers are identified by public_key; preshared_key adds a symmetric secret
# on top of the key exchange.
# NOTE(review): a *peer* section has no use for 'private_key'; that is the
# client's key, presumably kept so LuCI can export a client config / QR code.
# Remove it once the client is provisioned so the server no longer stores a
# key it does not need.
config wireguard_wg
        option description 'xxx'
        option public_key 'xxx'
        option route_allowed_ips '1'
        option persistent_keepalive '25'
        option preshared_key 'xxx'
        option private_key 'xxx'
        list allowed_ips '192.168.254.2/32'

config wireguard_wg
        option description 'xxx'
        option public_key 'xxx'
        option route_allowed_ips '1'
        option persistent_keepalive '25'
        option private_key 'xxx'
        option preshared_key 'xxx'
        list allowed_ips '192.168.254.3/32'

# wg/vpn are layer-3 tunnels without a MAC address, so 'macaddr' has no
# effect on them. 'tun0' is not referenced by any interface in this file
# (leftover from an earlier OpenVPN setup? - confirm before relying on it).
config device
        option name 'wg'
        option ipv6 '0'
        option macaddr 'AA:AA:AA:AA:AA:46'
        option mtu '1420'

config device
        option name 'vpn'
        option ipv6 '0'
        option macaddr 'AA:AA:AA:AA:AA:45'
        option mtu '1420'

config device
        option name 'tun0'
        option macaddr 'AA:AA:AA:AA:AA:47'
        option ipv6 '0'
        option mtu '1420'

/etc/config/firewall

# OpenWrt /etc/config/firewall, first revision posted by the OP.
# The default policies apply to traffic not matched by any zone. INPUT
# 'ACCEPT' means anything arriving on a device that is not assigned to a
# zone reaches the router's own services; REJECT is the safer default, since
# every zone below already sets its own input policy.
config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'
        option drop_invalid '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option family 'ipv4'
        list device 'br-lan'
        list network 'lan'

# WAN: inbound traffic to the router is rejected unless a rule below allows
# it. A zone's 'forward' policy only governs forwarding between networks
# inside the same zone; with a single wan network it has no effect, but
# REJECT is the conventional value.
config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        option forward 'ACCEPT'
        option family 'ipv4'
        list network 'wan'
        list device 'eth4'

# VPN client tunnel: traffic forwarded into it is NATed to the tunnel address.
config zone
        option name 'vpn'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option family 'ipv4'
        list network 'vpn'

# WireGuard server zone. INPUT ACCEPT gives every remote peer access to all
# router services (SSH, LuCI, DNS). masq '1' rewrites wg->lan traffic to the
# router's LAN address, which hides the originating peer from LAN hosts and
# their logs. masq_allow_invalid disables the drop of conntrack-INVALID
# packets that masquerading normally adds on top of drop_invalid above.
config zone
        option name 'wg'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option mtu_fix '1'
        option family 'ipv4'
        option masq_allow_invalid '1'
        option masq '1'
        list network 'wg'

# Stock OpenWrt wan rules follow (DHCP renew, ping, IGMP, IPsec, traceroute).
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

# This is the rule the OP refers to as "allow ping from WAN".
config rule
        option name 'Allow-Ping-Wan'
        option src 'wan'
        option proto 'icmp'
        option family 'ipv4'
        option target 'ACCEPT'
        list icmp_type 'echo-request'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled '0'

# NOTE(review): fw4 (the default firewall since 22.03) skips legacy
# /etc/firewall.user includes that are not marked fw4_compatible, so this
# include presumably does nothing on 23.05; confirm with 'fw4 print'.
config include
        option path '/etc/firewall.user'

config forwarding
        option src 'lan'
        option dest 'wan'

config forwarding
        option src 'lan'
        option dest 'vpn'

# SSH exposed to the Internet on a non-standard port. The port number is not
# a security control: make sure dropbear only accepts key authentication
# (PasswordAuth off) or restrict this rule with src_ip, and watch the logs.
config rule
        option name 'Allow-SSH'
        option family 'ipv4'
        list proto 'tcp'
        option src 'wan'
        option dest_port '22022'
        option target 'ACCEPT'

# Redundant with the wan zone INPUT policy (REJECT); its only effect is to
# silently DROP port 443 instead of rejecting it.
config rule
        option name 'Disallow-HTTPS-Wan'
        option family 'ipv4'
        list proto 'tcp'
        option src 'wan'
        option dest_port '443'
        option target 'DROP'

# Must match 'listen_port' of the 'wg' interface in /etc/config/network.
config rule
        option name 'Allow-WireGuard'
        option family 'ipv4'
        list proto 'udp'
        option src 'wan'
        option dest_port '57198'
        option target 'ACCEPT'

# The next two rules are redundant while the wg zone INPUT policy is ACCEPT;
# they only matter if that policy is tightened to REJECT.
config rule
        option src 'wg'
        option name 'Allow-Ping-WireGuard'
        option family 'ipv4'
        option target 'ACCEPT'
        list proto 'icmp'
        list icmp_type 'echo-request'

config rule
        option name 'Allow-HTTPS'
        option family 'ipv4'
        list proto 'tcp'
        option src 'wg'
        option dest_port '443'
        option target 'ACCEPT'

# Redundant while the lan zone INPUT policy is ACCEPT.
config rule
        option name 'Allow-DNS'
        option family 'ipv4'
        list proto 'udp'
        option src 'lan'
        option dest_port '53'
        option target 'ACCEPT'

config forwarding
        option src 'lan'
        option dest 'wg'

config forwarding
        option src 'wg'
        option dest 'wan'

config forwarding
        option src 'wg'
        option dest 'lan'

config forwarding
        option src 'wg'
        option dest 'vpn'

# Transparent DNS interception: plain DNS (port 53) from LAN is redirected to
# AdGuard Home, except for the two listed MACs (presumably the AdGuard host
# itself and one other; confirm). MAC-based exemptions are trivially spoofed,
# so treat this as a convenience control, not a security boundary.
config redirect
        option target 'DNAT'
        option name 'Intercept-Forward-DNS'
        option family 'ipv4'
        option src 'lan'
        option src_dport '53'
        option dest_port '53'
        option dest_ip '192.168.255.4'
        list src_mac '!AA:AA:AA:AA:AA:24'
        list src_mac '!AA:AA:AA:AA:AA:DA'

# Port 853 is DNS-over-TLS (DoT, RFC 7858); DNS-over-HTTPS uses 443 and is
# not covered by these two rules. Without a 'dest' this rule matches traffic
# to the router itself, which the lan INPUT policy already accepts.
config rule
        option name 'Allow-DoH'
        option family 'ipv4'
        option src 'lan'
        option dest_port '853'
        option target 'ACCEPT'

# NOTE(review): DoT clients validate the server certificate against the name
# they were configured with, so a redirect to 192.168.255.4 presumably only
# works for clients that trust AdGuard Home's certificate; confirm.
config redirect
        option target 'DNAT'
        option name 'Intercept-Forward-DoH'
        option family 'ipv4'
        option src 'lan'
        option src_dport '853'
        option dest_port '853'
        option dest_ip '192.168.255.4'
        list src_mac '!AA:AA:AA:AA:AA:24'
        list src_mac '!AA:AA:AA:AA:AA:DA'

/etc/config/dhcp

# OpenWrt /etc/config/dhcp, first revision. dnsmasq acts as DHCP server and
# a cache-less forwarder: every query goes to AdGuard Home (192.168.255.4),
# and LAN clients are additionally handed AdGuard directly via DHCP option 6.
config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        # Rejects upstream answers that point at private addresses (DNS
        # rebinding defence). Keep it on; whitelist legitimate names with
        # 'list rebind_domain' rather than disabling it.
        option rebind_protection '1'
        option rebind_localhost '1'
        option expandhosts '1'
        # No local cache: AdGuard Home sees (and can filter) every query.
        option cachesize '0'
        option authoritative '1'
        option leasefile '/tmp/dhcp.leases'
        # localservice 0: answer queries from any source subnet; reach is bounded
        # by the 'interface' list below and the firewall zones.
        option localservice '0'
        option ednspacket_max '1232'
        option sequential_ip '1'
        # boguspriv 0: reverse lookups for RFC1918 ranges are forwarded upstream.
        option boguspriv '0'
        option filter_aaaa '1'
        option nohosts '1'
        # NOTE(review): without 'option noresolv 1' dnsmasq uses the resolvers
        # from this file (the ISP's, since wan has no peerdns 0) *in addition to*
        # the 'server' entry below, so some queries can bypass AdGuard Home.
        # Check with: cat /tmp/resolv.conf.d/resolv.conf.auto
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        list server '192.168.255.4'
        # Bind only to LAN and the WireGuard server interface, never WAN or vpn.
        list interface 'lan'
        list interface 'wg'
        option nonegcache '1'

config dhcp 'lan'
        option interface 'lan'
        option dhcpv4 'server'
        option start '30'
        option limit '70'
        option leasetime '6h'
        option force '1'
        # Option 6: clients resolve directly against AdGuard Home.
        list dhcp_option '6,192.168.255.4'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

It's not really clear what you mean by this.

  • Do you mean you cannot ping the WAN IP from a client?
  • Do you mean you cannot ping your ISP's gateway from a client?
  • The ping diagnostic tool in the LuCI web GUI doesn't work?

I think you mean: "I cannot remotely ping my WAN IP from the Internet once I enable the WireGuard interface."

In that case, the routes the WireGuard peer installs (allowed_ips 0.0.0.0/0 with route_allowed_ips '1') also apply to the router's own outgoing traffic on WAN: your ICMP Echo-Reply packets are probably being sent back through the tunnel instead of out of eth4. You can use PBR (or plain IP Routes and IP Rules in /etc/config/network, without the PBR app) so that only your LAN, 192.168.255.0/25, is routed through the tunnel:

# Policy routing without the PBR app: a dedicated routing table (1) whose
# only entry is a default route through the tunnel, selected by an ip rule
# that matches LAN sources. Router-originated traffic (source = WAN IP) is
# not matched and keeps using the main table, so ICMP echo replies leave via
# WAN. Pair this with route_allowed_ips '0' on the 'wireguard_vpn' peer so
# netifd stops installing the tunnel default route into the main table.
config route
        option target '0.0.0.0'
        option netmask '0.0.0.0'
        option table '1' #<---number used, or add name to a file, see Wiki
        option interface 'vpn'

# priority 1 places this rule ahead of the main-table rule (32766), so it
# wins for every packet from 192.168.255.0/25.
config rule
        option src '192.168.255.0/25'
        option dest '0.0.0.0/0'
        option priority '1' #<---IP Rule No - not same as table
        option lookup '1'#<--- table No

Since your WAN IP != 192.168.255.0/25, the ICMP Echo Reply should exit WAN as normal.

Additionally, you would then change:

# On the 'wireguard_vpn' peer section: stop netifd from turning allowed_ips
# (0.0.0.0/0) into a default route in the main table; the policy route and
# rule above take over for LAN traffic.
option route_allowed_ips '0'

This is correct. My apologies for confusing you - in my mind, while typing the post, that was like a given fact. I will edit that part to avoid confusion.
I will try to implement what you have suggested and I will come back with the results.

Thank you.


@lleachii thanks for the suggestion once more. With some tweaks and changes here and there, I was able to accomplish the following:

  • I can remotely ping my public IP
  • I can remotely connect to the router
    1. by SSH
    2. as a WireGuard client from several devices
  • All local WireGuard hosts are ping-able
  • I can route all hosts through VPN by using the PBR package
  • WireGuard clients are able to access any LAN service, e.g. Plex — but as soon as I enable (through the PBR package) the option that routes all outgoing traffic through the VPN, they no longer can, and this is driving me insane.

I have tried the following to mitigate that:

  • I've tried to mark the traffic that is coming from the WireGuard interface and apply routing
  • I've used the 'ignore' target in PBR so that traffic coming in from the WireGuard interface and destined for any local network is not policy-routed
  • Other combinations of settings

Unfortunately, there is something (huge?) I am missing. Any help is more than welcome. The tweaked/changed settings are the following:

/etc/config/network


# OpenWrt /etc/config/network, revised after the first reply.
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'
	option ipv6 'off'

config globals 'globals'

config device
	option name 'br-lan'
	option type 'bridge'
	option stp '1'
	option igmp_snooping '1'
	list ports 'eth0'
	list ports 'eth1'
	list ports 'eth2'
	list ports 'eth3'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.255.1'
	option netmask '255.255.255.128'
	option ipv6 'off'
	option force_link '0'
	option broadcast '192.168.255.127'
	# AdGuard Home host; sets only the router's own resolver.
	list dns '192.168.255.4'
	option delegate '0'

# WAN now ignores the ISP's resolvers (peerdns 0) and uses AdGuard Home, so
# the router's resolv.conf.auto no longer carries upstream DNS servers that
# could bypass the blocklists.
config interface 'wan'
	option proto 'dhcp'
	option device 'eth4'
	option hostname '*'
	option peerdns '0'
	list dns '192.168.255.4'
	option ipv6 'off'

# VPN client. defaultroute '0' tells netifd not to install a 0.0.0.0/0 route
# from this interface even though the peer keeps route_allowed_ips '1'; the
# route dump further down confirms the main table's default stays on eth4
# and only the PBR table pbr_vpn defaults to vpn. A client-only tunnel does
# not need a fixed listen_port.
config interface 'vpn'
	option proto 'wireguard'
	option private_key '-'
	option listen_port '51820'
	list addresses '10.5.0.2/32'
	list dns '192.168.255.4'
	option defaultroute '0'

config wireguard_vpn
	option description 'VPN'
	option public_key '-'
	list allowed_ips '0.0.0.0/0'
	option persistent_keepalive '25'
	option endpoint_host '-'
	option endpoint_port '51820'
	option route_allowed_ips '1'
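# WireGuard server interface for remote clients. UDP 57198 must match the
# 'Allow-WireGuard' firewall rule. The private key was posted as -' (missing
# opening quote), which is not valid UCI; the masked value is quoted here so
# the snippet parses like the other masked keys in this file.
config interface 'wg'
	option proto 'wireguard'
	option private_key '-'
	option listen_port '57198'
	list dns '192.168.255.4'
	# Do not add host routes towards the peers' endpoints.
	option nohostroute '1'
	option mtu '1420'
	list addresses '192.168.254.1/24'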

config wireguard_wg
	option description 'Client 1'
	option public_key '-'
	option route_allowed_ips '1'
	option persistent_keepalive '25'
	option preshared_key '-'
	option private_key '-'
	list allowed_ips '192.168.254.2/32'

config wireguard_wg
	option description 'Client 2'
	option public_key '-'
	option route_allowed_ips '1'
	option persistent_keepalive '25'
	option private_key '-'
	option preshared_key '-'
	list allowed_ips '192.168.254.3/32'

config device
	option name 'wg'
	option ipv6 '0'
	option macaddr 'AA:AA:AA:AA:AA:46'
	option mtu '1420'

config device
	option name 'vpn'
	option ipv6 '0'
	option macaddr 'AA:AA:AA:AA:AA:45'
	option mtu '1420'

config device
	option name 'tun0'
	option macaddr 'AA:AA:AA:AA:AA:47'
	option ipv6 '0'
	option mtu '1420'

config rule
	option priority '10000'
	option lookup 'pbr_wan'
	option mark '0x10000/0x100000'
	option src '0.0.0.0/0'
	option out 'wan'
	option dest '0.0.0.0/0'

/etc/config/firewall

# OpenWrt /etc/config/firewall, revised. Default INPUT is now REJECT, so a
# device that is not assigned to any zone can no longer reach router
# services (an improvement over the first revision's ACCEPT).
config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'
	option drop_invalid '1'

# masq_allow_invalid only matters together with masq '1'; it has no effect
# on this zone.
config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option family 'ipv4'
	list network 'lan'
	option masq_allow_invalid '1'

# WAN: inbound to the router rejected unless a rule below allows it.
config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	option forward 'REJECT'
	option family 'ipv4'
	list network 'wan'

# VPN client tunnel: forwarded traffic is NATed to the tunnel address.
config zone
	option name 'vpn'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option family 'ipv4'
	list network 'vpn'

# WireGuard server zone: masq is gone compared with the first revision, so
# LAN hosts now see the real 192.168.254.x peer address. INPUT ACCEPT still
# gives every remote peer access to all router services; tighten to REJECT
# plus explicit rules if the peers are not fully trusted.
config zone
	option name 'wg'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option family 'ipv4'
	option masq_allow_invalid '1'
	list network 'wg'

# Redundant while the lan INPUT policy is ACCEPT (name typo: "Allo").
config rule
	option name 'Allo-Ping-Lan'
	option family 'ipv4'
	list proto 'icmp'
	list icmp_type 'echo-request'
	option target 'ACCEPT'
	option src 'lan'

# Stock OpenWrt wan rules follow.
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping-Wan'
	option src 'wan'
	option proto 'icmp'
	option family 'ipv4'
	option target 'ACCEPT'
	list icmp_type 'echo-request'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled '0'

# PBR's firewall include, correctly marked fw4_compatible so fw4 runs it.
config include 'pbr'
	option fw4_compatible '1'
	option type 'script'
	option path '/usr/share/pbr/pbr.firewall.include'

config forwarding
	option src 'lan'
	option dest 'wan'

config forwarding
	option src 'lan'
	option dest 'vpn'

# SSH exposed to the Internet on a non-standard port. The port is not a
# security control: make sure dropbear accepts keys only (PasswordAuth off)
# or restrict this rule with src_ip.
config rule
	option name 'Allow-SSH'
	option family 'ipv4'
	list proto 'tcp'
	option src 'wan'
	option dest_port '22022'
	option target 'ACCEPT'

# NOTE(review): this MARK rule runs in the wan INPUT chain, i.e. after the
# routing decision and only on the inbound packet; it does not mark the
# replies, and 0x10000 collides with PBR's fwmark for table pbr_lan
# (0x10000/0xff0000 in the 'ip rule' output below). The OP later reports
# these marking rules as obsolete.
config rule
	option name 'Mark-SSH-Traffic'
	option family 'ipv4'
	list proto 'tcp'
	option src 'wan'
	option dest_port '22022'
	option target 'MARK'
	option set_mark '0x10000/0x100000'

# Must match listen_port of the 'wg' interface in /etc/config/network.
config rule
	option name 'Allow-WireGuard'
	option family 'ipv4'
	list proto 'udp'
	option src 'wan'
	option dest_port '57198'
	option target 'ACCEPT'

# Same caveat as 'Mark-SSH-Traffic' above.
config rule
	option name 'Mark-WireGuard-Traffic'
	option family 'ipv4'
	option src 'wan'
	option dest_port '57198'
	option target 'MARK'
	option set_mark '0x10000/0x100000'
	list proto 'udp'

config forwarding
	option src 'lan'
	option dest 'wg'

config forwarding
	option src 'wg'
	option dest 'lan'

config forwarding
	option src 'wg'
	option dest 'vpn'

config forwarding
	option src 'wg'
	option dest 'wan'

/etc/config/dhcp

# OpenWrt /etc/config/dhcp, revised. The 'resolvfile' line is gone and wan
# has peerdns 0, so the only upstream is AdGuard Home (192.168.255.4).
config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	# NOTE(review): rebind protection was '1' in the first revision and is now
	# off, which lets upstream answers carrying private addresses through (the
	# DNS-rebinding vector). Prefer '1' plus 'list rebind_domain <name>' for the
	# few names that legitimately resolve to LAN addresses.
	option rebind_protection '0'
	option expandhosts '1'
	# No local cache: AdGuard Home sees (and can filter) every query.
	option cachesize '0'
	option authoritative '1'
	option leasefile '/tmp/dhcp.leases'
	option localservice '0'
	option ednspacket_max '1232'
	option sequential_ip '1'
	option boguspriv '0'
	option filter_aaaa '1'
	option nohosts '1'
	list server '192.168.255.4'
	option nonegcache '1'
	# Do not listen on the WAN or the VPN-client tunnel; LAN and wg remain.
	list notinterface 'vpn'
	list notinterface 'wan'

config dhcp 'lan'
	option interface 'lan'
	option dhcpv4 'server'
	option start '30'
	option limit '70'
	option leasetime '6h'
	option force '1'
	# Option 6: clients resolve directly against AdGuard Home.
	list dhcp_option '6,192.168.255.4'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

I didn't understand this statement.

If you used the PBR app instead, please show those configs. Someone familiar with PBR certainly will see and assist.

Also, please clarify the issue you're still having.


I've created a rule in the PBR package that routes all outgoing internet traffic through the VPN tunnel. When enabled, the WireGuard clients can't use the Plex server, which runs on my local network.

/etc/config/pbr

# PBR (policy-based routing) app configuration, first attempt.
config pbr 'config'
	option enabled '1'
	option verbosity '2'
	# If a policy's interface is down, matching traffic is blocked instead of
	# falling back to the default route, so LAN traffic cannot leak via WAN
	# while the VPN is down.
	option strict_enforcement '1'
	# Domain-name policies are resolved through dnsmasq-populated nft sets.
	option resolver_set 'dnsmasq.nftset'
	option ipv6_enabled '0'
	option boot_timeout '30'
	# NOTE(review): 'insert' puts each policy's nft rule at the top of the
	# chain; check the PBR README for the effect on evaluation order before
	# relying on the order of policies in this file.
	option rule_create_option 'insert'
	option procd_reload_delay '1'
	option webui_show_ignore_target '1'
	list webui_supported_protocol 'all'
	list webui_supported_protocol 'tcp'
	list webui_supported_protocol 'udp'
	list webui_supported_protocol 'tcp udp'
	list webui_supported_protocol 'icmp'
	# br-lan as a *supported* (routable) interface makes PBR build a pbr_lan
	# table (visible in the route dump below); the final configuration lists
	# it under ignored_interface instead.
	list supported_interface 'br-lan'

config include
	option path '/usr/share/pbr/pbr.user.aws'
	option enabled '0'

config include
	option path '/usr/share/pbr/pbr.user.netflix'
	option enabled '1'

# This the rule that routes all outgoing internet traffic through VPN #
# NOTE(review): the replies recommend dropping the negated ('!') dest_addr
# entries and instead putting an explicit 'ignore' policy for the local
# subnets above this one (see the linked wiki section).
config policy
	option name 'All-via-VPN'
	option src_addr '192.168.255.0/25'
	option dest_addr '!192.168.255.0/25 !172.16.0.0/24'
	option interface 'vpn'

https://openwrt.org/docs/guide-user/network/routing/pbr_app#prioritize_local_subnets


I've tried that (with a slightly different configuration):

# 'ignore' policy meant to keep local-to-local traffic out of the VPN.
# As the replies point out: 192.168.254.1/24 is a host address (should be
# 192.168.254.0/24), the two /32 entries are already covered by that subnet,
# src_addr is not needed at all, and this policy has to sit above all others.
config policy
        option name 'Local-via-Local'
        option src_addr '192.168.255.0/25 192.168.254.1/24 192.168.254.2/32 192.168.254.3/32'
        option dest_addr '192.168.255.0/25 172.16.0.0/24'
        option interface 'ignore'
        option enabled '1'

but I will try to modify it as per the example you shared.

Change `192.168.254.1/24` to `192.168.254.0/24` (the network address, not the router's host address).

Remove the `192.168.254.2/32` and `192.168.254.3/32` entries, as they are already covered by that subnet.

The `src_addr` option is not even necessary for this policy and can be safely removed.

This policy must be above all others to make it work.


Here is the current configuration, as per your suggestion, which is still not working, unfortunately (I remember that I've tried these settings before, that's why I tried a more granular approach):

/etc/config/pbr

# PBR configuration after applying the suggestions (still not working at this
# point; the OP later resolves it by upgrading the package).
config pbr 'config'
        option enabled '1'
        option verbosity '2'
        # Block matching traffic when the VPN is down instead of leaking it via WAN.
        option strict_enforcement '1'
        option resolver_set 'dnsmasq.nftset'
        option ipv6_enabled '0'
        option boot_timeout '30'
        # NOTE(review): 'insert' puts each policy's nft rule at the top of the
        # chain; confirm against the PBR README that 'Local-via-Local' is still
        # evaluated before 'All-via-VPN' with this setting.
        option rule_create_option 'insert'
        option procd_reload_delay '1'
        option webui_show_ignore_target '1'
        list webui_supported_protocol 'all'
        list webui_supported_protocol 'tcp'
        list webui_supported_protocol 'udp'
        list webui_supported_protocol 'tcp udp'
        list webui_supported_protocol 'icmp'
        # Still marks br-lan as a routable interface (creates table pbr_lan).
        list supported_interface 'br-lan'

config include
        option path '/usr/share/pbr/pbr.user.aws'
        option enabled '0'

config include
        option path '/usr/share/pbr/pbr.user.netflix'
        option enabled '1'

# Local subnets (LAN, WireGuard clients, 172.16.0.0/24) bypass policy routing.
config policy
        option name 'Local-via-Local'
        option dest_addr '192.168.255.0/25 192.168.254.0/24 172.16.0.0/24'
        option interface 'ignore'

# Everything else goes through the VPN client tunnel.
config policy
        option name 'All-via-VPN'
        option interface 'vpn'
        option dest_addr '0.0.0.0/0'
        # I've also tried to exclude local networks
        # by adding !192.168.255.0/25 !192.168.254.0/24 !172.16.0.0/24
ip -4 route show table all; ip -4 rule show
default via 192.168.255.1 dev br-lan table pbr_lan
default via <WAN_GATEWAY> dev eth4 table pbr_wan
default via 10.5.0.2 dev vpn table pbr_vpn
default via 192.168.254.1 dev wg table pbr_wg
default via <WAN_GATEWAY> dev eth4 proto static src <WAN_IP>
<WAN_NETWORK>/24 dev eth4 proto kernel scope link src <WAN_IP>
178.132.104.130 via <WAN_GATEWAY> dev eth4 proto static
192.168.254.0/24 dev wg proto kernel scope link src 192.168.254.1
192.168.254.2 dev wg proto static scope link
192.168.254.3 dev wg proto static scope link
192.168.255.0/25 dev br-lan proto kernel scope link src 192.168.255.1
local 10.5.0.2 dev vpn table local proto kernel scope host src 10.5.0.2
local <WAN_IP> dev eth4 table local proto kernel scope host src <WAN_IP>
broadcast <WAN_BROADCAST> dev eth4 table local proto kernel scope link src <WAN_IP>
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
local 192.168.254.1 dev wg table local proto kernel scope host src 192.168.254.1
broadcast 192.168.254.255 dev wg table local proto kernel scope link src 192.168.254.1
local 192.168.255.1 dev br-lan table local proto kernel scope host src 192.168.255.1
broadcast 192.168.255.127 dev br-lan table local proto kernel scope link src 192.168.255.1
0:      from all lookup local
30000:  from all fwmark 0x10000/0xff0000 lookup pbr_lan
30001:  from all fwmark 0x20000/0xff0000 lookup pbr_wan
30002:  from all fwmark 0x30000/0xff0000 lookup pbr_vpn
30003:  from all fwmark 0x40000/0xff0000 lookup pbr_wg
32766:  from all lookup main
32767:  from all lookup default

Verify that routing between local subnets works when you stop the PBR service.
If the issue persists, it is most likely unrelated to the PBR app.


By disabling the PBR service, its routing tables (the pbr_* tables) are removed. Two firewall marking rules I had created relied on them and are now disabled (they also seem obsolete).

Result of

ip -4 route show table all; ip -4 rule show

is

default via <WAN_GATEWAY> dev eth4 proto static src <WAN_IP>
<WAN_NETWORK/24 dev eth4 proto kernel scope link src <WAN_IP>
178.132.104.130 via <WAN_GATEWAY> dev eth4 proto static
192.168.254.0/24 dev wg proto kernel scope link src 192.168.254.1
192.168.254.2 dev wg proto static scope link
192.168.254.3 dev wg proto static scope link
192.168.255.0/25 dev br-lan proto kernel scope link src 192.168.255.1
local 10.5.0.2 dev vpn table local proto kernel scope host src 10.5.0.2
local <WAN_IP> dev eth4 table local proto kernel scope host src <WAN_IP>
broadcast <WAN_BROADCAST> dev eth4 table local proto kernel scope link src <WAN_IP>
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
local 192.168.254.1 dev wg table local proto kernel scope host src 192.168.254.1
broadcast 192.168.254.255 dev wg table local proto kernel scope link src 192.168.254.1
local 192.168.255.1 dev br-lan table local proto kernel scope host src 192.168.255.1
broadcast 192.168.255.127 dev br-lan table local proto kernel scope link src 192.168.255.1
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default

I confirm that routing between local subnets is working after disabling the PBR service. Based on that, I conducted another test: I enabled the PBR service back and enabled the "route all outgoing traffic via VPN" along with the "prioritized local subnets" rule. My findings are:

  • Routing between local subnets still works
  • No internet on all hosts!

Result of

ip -4 route show table all; ip -4 rule show

after enabling the PBR service is

default via 192.168.255.1 dev br-lan table pbr_lan
default via <WAN_GATEWAY> dev eth4 table pbr_wan
default via 10.5.0.2 dev vpn table pbr_vpn
default via 192.168.254.1 dev wg table pbr_wg
default via <WAN_GATEWAY> dev eth4 proto static src <WAN_IP>
<WAN_NETWORK>/24 dev eth4 proto kernel scope link src <WAN_IP>
178.132.104.130 via <WAN_GATEWAY> dev eth4 proto static
192.168.254.0/24 dev wg proto kernel scope link src 192.168.254.1
192.168.254.2 dev wg proto static scope link
192.168.254.3 dev wg proto static scope link
192.168.255.0/25 dev br-lan proto kernel scope link src 192.168.255.1
local 10.5.0.2 dev vpn table local proto kernel scope host src 10.5.0.2
local <WAN_IP> dev eth4 table local proto kernel scope host src <WAN_IP>
broadcast <WAN_BROADCAST> dev eth4 table local proto kernel scope link src <WAN_IP>
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
local 192.168.254.1 dev wg table local proto kernel scope host src 192.168.254.1
broadcast 192.168.254.255 dev wg table local proto kernel scope link src 192.168.254.1
local 192.168.255.1 dev br-lan table local proto kernel scope host src 192.168.255.1
broadcast 192.168.255.127 dev br-lan table local proto kernel scope link src 192.168.255.1
30000:  from all fwmark 0x10000/0xff0000 lookup pbr_lan
30001:  from all fwmark 0x20000/0xff0000 lookup pbr_wan
30002:  from all fwmark 0x30000/0xff0000 lookup pbr_vpn
30003:  from all fwmark 0x40000/0xff0000 lookup pbr_wg
32766:  from all lookup main
32767:  from all lookup default

An update: after upgrading the PBR package to the latest version (1.1.3-11), everything worked as expected, so the problem was in the older package version. The PBR configuration is the following, if anyone is interested:

/etc/config/pbr

# Final, working PBR configuration (package 1.1.3-11).
config pbr 'config'
        option enabled '1'
        option verbosity '2'
        # Block VPN-bound traffic when the tunnel is down rather than leaking
        # it via WAN.
        option strict_enforcement '1'
        # Domain-name policies are resolved through dnsmasq-populated nft sets.
        option resolver_set 'dnsmasq.nftset'
        list resolver_instance '*'
        option ipv6_enabled '0'
        option nft_file_support '0'
        option boot_timeout '30'
        option rule_create_option 'insert'
        option procd_boot_delay '0'
        option procd_reload_delay '1'
        option webui_show_ignore_target '1'
        list webui_supported_protocol 'all'
        list webui_supported_protocol 'tcp'
        list webui_supported_protocol 'udp'
        list webui_supported_protocol 'tcp udp'
        list webui_supported_protocol 'icmp'
        # Only the VPN client tunnel is a routable target; the LAN bridge and
        # the WireGuard server interface are explicitly ignored (no pbr_lan /
        # pbr_wg tables any more).
        list supported_interface 'vpn'
        list ignored_interface 'wg'
        list ignored_interface 'br-lan'

# Include paths moved from /usr/share/pbr to /etc/pbr in this package version.
config include
        option path '/etc/pbr/pbr.user.aws'
        option enabled '0'

config include
        option path '/etc/pbr/pbr.user.netflix'
        option enabled '0'

config include
        option path '/etc/pbr/pbr.user.wg_server_and_client'
        option enabled '0'

# Must stay first: local-to-local traffic (LAN, WireGuard clients,
# 172.16.0.0/24) is not policy-routed.
config policy
        option name 'Ignore Local Requests'
        option interface 'ignore'
        option dest_addr '192.168.255.0/25 192.168.254.0/24 172.16.0.0/24'

# Replies leaving the local media server's listening ports go out via WAN
# rather than the VPN. NOTE(review): 32400 is Plex's default port; 8096 and
# 8920 are the defaults of Jellyfin/Emby, not Plex, so confirm they are
# intended. No WAN port-forward for these ports is shown in the firewall
# config, so this alone does not expose the server to the Internet.
config policy
        option name 'Plex Local Server'
        option interface 'wan'
        option src_port '8096 8920 32400'

# Plex's own services are reached via WAN (domain-based, via the nft set).
config policy
        option name 'Plex Remote Servers'
        option interface 'wan'
        option dest_addr 'plex.tv my.plexapp.com'

# Catch-all: everything else goes through the VPN client tunnel.
config policy
        option name 'All via VPN'
        option dest_addr '0.0.0.0/0'
        option interface 'vpn'

Thank you for your time, highly appreciated!

