Travelrouter: WireGuard Road Warrior-Config and VLAN - Route Traffic from LAN to Wireguard

Hello everyone

I've just read a couple of entries on this topic and tried some suggestions, e.g. this, without any positive results.

My Situation:
I'm on holiday with my Travelrouter running OpenWrt 23.05.3.
On the Travelrouter, there are 3 different VLANs configured - LAN, Multimedia and Work.

In addition to this, I configured a WireGuard interface which communicates with the LAN VLAN on my home router.

TravelRouter LAN-IP-Range: 192.168.100.0/24
Home LAN-IP-Range: 192.168.1.0/24

The WireGuard interface is configured with Allowed IPs of 192.168.1.0/24, and the option to create routes for the Allowed IPs is checked.

My goal is to configure the Travelrouter to route all traffic (including Internet access) from the Travelrouter LAN VLAN to the WG interface as a road-warrior configuration; the other two VLANs should be routed directly to WAN for Internet access.

I've also tried policy-based routing on the Travelrouter, which works just fine at first (prerouting traffic from the LAN VLAN to the WG interface).
The problem is as follows: I'm running an Active Directory domain on my home-site LAN VLAN with two DNS servers (IPs 192.168.1.5, 192.168.1.15), so for optimal resource access it is required to forward the DNS queries regarding the home LAN to them.

For this, I configured dnsmasq on the Travelrouter to forward the DNS queries for the domain suffix XXX.local to the above-mentioned DNS servers.

If I route only traffic regarding the home LAN through the WG tunnel, DNS resolution for home resources and access to them work fine.

I have no idea how to set this up.

The Router config is as follows:

/etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option packet_steering '1'
	option ula_prefix 'fd1a::/60'

config device
	option name 'br-lan'
	option type 'bridge'
	option bridge_empty '1'
	list ports 'lan1'
	list ports 'lan2'

config device
	option type 'bridge'
	option name 'br-guest'
	option bridge_empty '1'

config device
	option type 'bridge'
	option name 'br-work'
	option bridge_empty '1'

config device
	option type 'bridge'
	option name 'br-multimedia'
	option bridge_empty '1'

config interface 'wan'
	option proto 'dhcp'
	option device 'wan'
	option peerdns '0'
	list dns '5.1.66.255'
	list dns '185.150.99.255'
	list dns '5.1.66.255'
	list dns '185.150.99.255'

config interface 'wan6'
	option proto 'dhcpv6'
	option device '@wan'
	list dns '2001:678:e68:f000::'
	list dns '2001:678:ed0:f000::'
	option reqaddress 'none'
	option reqprefix '56'

config interface 'wwan'
	option proto 'dhcp'
	option peerdns '0'
	list dns '5.1.66.255'
	list dns '185.150.99.255'

config interface 'wwan6'
	option proto 'dhcpv6'
	option device '@wwan'
	list dns '2001:678:e68:f000::'
	list dns '2001:678:ed0:f000::'
	option reqaddress 'none'
	option reqprefix '56'
	option type 'bridge'

config interface 'tethering_wan'
	option proto 'dhcp'
	option device 'eth1'
	option peerdns '0'
	list dns '5.1.66.255'
	list dns '185.150.99.255'

config interface 'tethering_wan6'
	option proto 'dhcpv6'
	option device '@tethering_wan'
	option reqaddress 'none'
	option reqprefix '56'
	list dns '2001:678:e68:f000::'
	list dns '2001:678:ed0:f000::'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr '192.168.100.1'
	option ip6weight '10'
	option ip6hint '0'
	option ip6assign '64'

config interface 'lan6'
	option proto 'dhcpv6'
	option device '@lan'
	option force_link '1'
	option reqaddress 'none'
	option reqprefix 'auto'
	option delegate '0'

config interface 'work'
	option proto 'static'
	list ipaddr '192.168.61.1/29'
	list dns '5.1.66.255'
	list dns '185.150.99.255'
	list dns '2001:678:e68:f000::'
	list dns '2001:678:ed0:f000::'
	option device 'br-work'
	option ip6weight '9'
	option ip6assign '64'
	option ip6hint '1'
	option auto '0'

config interface 'multimedia'
	option proto 'static'
	list ipaddr '192.168.70.1/27'
	list dns '5.1.66.255'
	list dns '185.150.99.255'
	list dns '2001:678:e68:f000::'
	list dns '2001:678:ed0:f000::'
	option device 'br-multimedia'
	option ip6weight '7'
	option ip6assign '64'
	option ip6hint '3'

config interface 'wg0'
	option proto 'wireguard'
	option peerdns '0'
	option private_key 'ZZZZ'
	list addresses '192.168.77.3/32'
	list addresses 'fd11:5ee:bad:c0de::3/128'
	list dns 'fd00::dea6:32ff:fe85:b004'
	list dns 'fd00::dea6:32ff:fe19:ede8'
	list dns '192.168.1.5'
	list dns '192.168.1.15'

config wireguard_wg0
	option description 'Importierte Verbindungspartner-Konfiguration'
	option public_key 'XXX'
	option preshared_key 'XXX'
	option persistent_keepalive '25'
	option endpoint_host 'dyndns.dyndnsProvider.net'
	option endpoint_port '51821'
	option route_allowed_ips '1'
	list allowed_ips '192.168.1.0/24'

/etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'
        option flow_offloading '1'
        option flow_offloading_hw '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option log '1'
        list network 'lan'
        list network 'lan6'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option log '0'
        list network 'wwan6'
        list network 'wan'
        list network 'wan6'
        list network 'tethering_wan'
        list network 'tethering_wan6'
        list network 'wwan'

config zone
        option name 'guest'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'guest'

config zone 'Work'
        option name 'work'
        option output 'ACCEPT'
        option forward 'REJECT'
        option input 'REJECT'
        option log '0'
        list network 'work'

config zone 'Multimedia'
        option name 'multimedia'
        option output 'ACCEPT'
        option forward 'REJECT'
        option input 'REJECT'
        option log '0'
        list network 'multimedia'

config zone
        option name 'vpn'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option log '1'
        list network 'wg0'

config forwarding
        option src 'lan'
        option dest 'wan'

config forwarding
        option src 'lan'
        option dest 'multimedia'

config forwarding
        option src 'lan'
        option dest 'vpn'

config forwarding
        option src 'guest'
        option dest 'wan'

config forwarding
        option src 'work'
        option dest 'wan'

config forwarding
        option src 'multimedia'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option src 'lan'
        option dest 'work'
        option proto 'icmp'
        option family 'ipv4'
        option target 'ACCEPT'
        list icmp_type 'echo-request'
        option name 'LAN - Allow ICMPv4-OUT LAN-WORK'

config rule
        list proto 'tcp'
        option src 'lan'
        option dest 'work'
        option dest_port '3389'
        option target 'ACCEPT'
        option name 'LAN - Allow RDP-OUT LAN-WORK'

config rule
        option src 'lan'
        option dest 'guest'
        option target 'DROP'
        option name 'LAN - Drop LAN-Guest'

config rule
        option src 'lan'
        option dest 'work'
        option target 'DROP'
        option name 'LAN - Drop LAN-WORK'

config rule
        option name 'Guest - Allow DHCP'
        list proto 'udp'
        option src 'guest'
        option src_port '67-68 546-547'
        option dest_port '67-68 546-547'
        option target 'ACCEPT'

config rule
        option name 'Guest - Allow DNS'
        option src 'guest'
        option dest_port '53 853'
        option target 'ACCEPT'

config rule
        option name 'Guest - Allow-ICMPv6'
        option src 'guest'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        list proto 'icmp'
        option src 'guest'
        option target 'ACCEPT'
        option name 'Guest - Allow ICMPv4'
        option icmp_type 'echo-request'
        option family 'ipv4'

config rule
        list proto 'udp'
        option src 'guest'
        option dest_port '123'
        option target 'ACCEPT'
        option name 'Guest - Allow NTP'

config rule
        option src 'guest'
        option dest 'lan'
        option target 'DROP'
        option name 'Guest - Drop Guest-LAN'

config rule
        list proto 'tcp'
        option src 'guest'
        option dest 'wan'
        option dest_port '80 8080 443'
        option target 'ACCEPT'
        option name 'Guest - Allow HTTP/S-OUT Guest-WAN'

config rule
        list proto 'icmp'
        option src 'guest'
        option dest 'wan'
        option target 'ACCEPT'
        option name 'Guest - Allow ICMPv4-OUT Guest-WAN'
        option icmp_type 'echo-request'
        option family 'ipv4'

config rule
        option name 'Guest - Allow ICMPv6-OUT Guest-WAN'
        option src 'guest'
        option dest 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        list proto 'tcp'
        option src 'guest'
        option dest 'wan'
        option dest_port '110 143 465 587 993 995'
        option target 'ACCEPT'
        option name 'Guest - Allow E-Mail-OUT Guest-WAN'

config rule
        option src 'guest'
        option dest 'wan'
        option target 'DROP'
        option name 'Guest - Drop Guest-WAN'

config rule
        option name 'Work - Allow DHCP'
        list proto 'udp'
        option src 'work'
        option src_port '67-68 546-547'
        option dest_port '67-68 546-547'
        option target 'ACCEPT'

config rule
        option name 'Work - Allow DNS'
        option src 'work'
        option dest_port '53 853'
        option target 'ACCEPT'

config rule
        option name 'Work - Allow-ICMPv6'
        option src 'work'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        list proto 'icmp'
        option src 'work'
        option target 'ACCEPT'
        option name 'Work - Allow ICMPv4'
        option icmp_type 'echo-request'
        option family 'ipv4'

config rule
        list proto 'udp'
        option src 'work'
        option dest_port '123'
        option target 'ACCEPT'
        option name 'Work - Allow NTP'

config rule
        list proto 'udp'
        option src 'work'
        option dest_port '137'
        option target 'ACCEPT'
        option name 'Work - Allow NetBios'

config rule
        option src 'work'
        option dest 'lan'
        option target 'DROP'
        option name 'Work - Drop WORK-LAN'

config rule
        list proto 'tcp'
        option src 'work'
        option dest 'wan'
        option dest_port '80 8080 443 8443'
        option target 'ACCEPT'
        option name 'Work - Allow HTTP/S-OUT WORK-WAN'

config rule
        list proto 'icmp'
        option src 'work'
        option dest 'wan'
        option target 'ACCEPT'
        option name 'Work - Allow ICMPv4-OUT WORK-WAN'
        option icmp_type 'echo-request'
        option family 'ipv4'

config rule
        option name 'Work - Allow ICMPv6-OUT WORK-WAN'
        option src 'work'
        option dest 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        list proto 'tcp'
        option src 'work'
        option dest 'wan'
        option dest_port '110 143 587 993 995'
        option target 'ACCEPT'
        option name 'Work - Allow E-Mail-OUT WORK-WAN'

config rule
        list proto 'udp'
        option src 'work'
        option dest 'wan'
        option dest_port '3478 3479 8801-8810'
        option target 'ACCEPT'
        option name 'Work - Allow ZOOM-UDP-OUT WORK-WAN'

config rule
        list proto 'tcp'
        option src 'work'
        option dest 'wan'
        option dest_port '8801 8802 4434'
        option target 'ACCEPT'
        option name 'Work - Allow ZOOM-TCP-OUT WORK-WAN'

config rule
        option src 'work'
        option dest 'wan'
        option target 'DROP'
        option name 'Work - Drop WORK-WAN'

config rule
        option name 'Multimedia - Allow DHCP'
        list proto 'udp'
        option src 'multimedia'
        option src_port '67-68 546-547'
        option dest_port '67-68 546-547'
        option target 'ACCEPT'

config rule
        option name 'Multimedia - Allow DNS'
        option src 'multimedia'
        option dest_port '53 853'
        option target 'ACCEPT'

config rule
        option name 'Multimedia - Allow-ICMPv6'
        option src 'multimedia'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        list proto 'icmp'
        option src 'multimedia'
        option target 'ACCEPT'
        option name 'Multimedia - Allow ICMPv4'
        option icmp_type 'echo-request'
        option family 'ipv4'

config rule
        list proto 'udp'
        option src 'multimedia'
        option dest_port '123'
        option target 'ACCEPT'
        option name 'Multimedia - Allow NTP'

config rule
        list proto 'tcp'
        option src 'multimedia'
        option dest_port '7'
        option target 'ACCEPT'
        option name 'Multimedia - Allow Echo'

config rule
        option name 'Multimedia - Drop Input'
        option src 'multimedia'
        list proto 'all'
        option target 'DROP'

config rule
        option src 'multimedia'
        option dest 'lan'
        option target 'DROP'
        option name 'Multimedia - Drop Multimedia-LAN'

config rule
        list proto 'icmp'
        option src 'multimedia'
        option dest 'wan'
        option target 'ACCEPT'
        option name 'Multimedia - Allow ICMPv4-OUT Multimedia-WAN'
        option icmp_type 'echo-request'
        option family 'ipv4'

config rule
        option name 'Multimedia - Allow ICMPv6-OUT Multimedia-WAN'
        option src 'multimedia'
        option dest 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        list proto 'tcp'
        option src 'multimedia'
        option dest 'wan'
        option dest_port '80 8080 443'
        option target 'ACCEPT'
        option name 'Multimedia - Allow HTTP/S-OUT Multimedia-WAN'

config rule
        list proto 'udp'
        option src 'multimedia'
        option dest 'wan'
        option dest_port '123'
        option dest_ip '52.45.237.36'
        option target 'ACCEPT'
        option name 'Multimedia - Allow NTP-OUT Amazon-WAN'

config rule
        list proto 'tcp'
        option src 'multimedia'
        option dest 'wan'
        option dest_port '8063 33227 33428 37020 37021'
        option target 'ACCEPT'
        option name 'Multimedia - Allow TCP-Communication-OUT MagentaTV-WAN'

config rule
        option src 'multimedia'
        option dest 'wan'
        option target 'DROP'
        option name 'Multimedia - Drop Multimedia-WAN'

[Update]
I just forgot to post the dnsmasq config.

/etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'
	option local '/XXX.mobile/'
	option domain 'XXX.mobile'
	list notinterface 'wan'
	list notinterface 'eth1'
	list notinterface 'wlan2'
	list server '5.1.66.255'
	list server '185.150.99.255'
	list server '2001:678:e68:f000::'
	list server '2001:678:ed0:f000::'
	list server '/XXX.local/192.168.1.5'
	list server '/XXX.local/192.168.1.15'
	option rebind_protection '1'
	list rebind_domain 'XXX.local'
	list rebind_domain 'zoomonprem.com'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	option dhcpv6 'server'

config dhcp 'wwan6'
	option interface 'wwan6'
	option ignore '1'
	option master '1'
	option ra 'relay'
	option dhcpv6 'relay'
	option ndp 'relay'

config dhcp 'wan6'
	option interface 'wan6'
	option ignore '1'
	option master '1'
	option ra 'relay'
	option dhcpv6 'relay'
	option ndp 'relay'

config dhcp 'tethering_wan6'
	option interface 'tethering_wan6'
	option ignore '1'
	option master '1'
	option ra 'relay'
	option dhcpv6 'relay'
	option ndp 'relay'

config dhcp 'guest'
	option interface 'guest'
	option start '10'
	option limit '40'
	option force '1'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'

config dhcp 'work'
	option interface 'work'
	option leasetime '12h'
	option start '2'
	option limit '6'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	option force '1'

config dhcp 'multimedia'
	option interface 'multimedia'
	option leasetime '12h'
	option start '5'
	option limit '30'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	option force '1'

config domain
	option name 'dyndns.dyndnsProvider.net'
	option ip '10.0.0.2'

Is there anybody here who has a similar setup, or can anybody help me with this?

Further questions appreciated.

I am traveling, so just a short description.

You need PBR.

For the WG interface you do not want to have a default route, but you do want a route for your DNS server.
To disable the default route via the WG client, add to the WG interface:
option defaultroute '0'

Add as Allowed IPs

I am not 100% sure that this will get you a route for 192.168.1.0/24 via the WG interface; check with: ip route show
Otherwise use PBR to add the destination 192.168.1.0/24 via the WG interface on the output chain for dnsmasq.

With PBR you route your br-lan via the WG interface.

For dnsmasq, assuming your server's DNS server is 192.168.1.1, you add:
address=/mydomain/192.168.1.1

You have to disable rebind protection (you can do this for this specific domain).

On the server side, dnsmasq has to listen on the WG interface (normally dnsmasq listens on all interfaces), but dnsmasq should also answer non-local queries, so on the server side add to dnsmasq:

/etc/config/dhcp:
config dnsmasq
	option localservice '0'   <<< ADD THIS

I hope this makes sense and I did not forget anything.

Hi egc,

thanks for your advice. Indeed, it seems best to configure PBR.

As you suggest putting the policy for the home LAN on the OUTPUT chain to get dnsmasq to work properly for the DNS forwarding, can you give me advice on how to configure the policy for the rest of the traffic, especially on which chain to place which policies?

The YouTube tutorial I've followed suggests putting domain-based policies for routing over the WG interface on the prerouting chain, so I initially put a policy with the target 0.0.0.0/0 on the prerouting chain, too.

But if I do that, the policy for the AD domain-specific traffic won't work, correct?

Which sorting should I try for the policies?

I've tried to find some more information about routing chains, so I roughly know how it works. However, this is the first time I've had to deal with this.

All advice is welcome.

Best Regards

There is a good guide for it, see:

For the lan/br-lan interface the policy has to be put on the prerouting chain.

If you still have questions, feel free to ask.

Hi egc,

sorry about my late reply, I spent a couple of hours yesterday trying to set this up.

Now it seems to be done, except for one problem. I'll explain that at the end of my reply.

So the steps which led to a positive result were as follows:

1. Editing WG config:

/etc/config/network

config interface 'wg0'
        option proto 'wireguard'
        option peerdns '0'
        option private_key 'ZZZ'
        list addresses '192.168.77.3/32'
        list addresses 'fd11:5ee:bad:c0de::3/128'
        option defaultroute '0'          <<<< Add this option
        list dns '192.168.1.5'
        list dns '192.168.1.15'

config wireguard_wg0
        option description 'Importierte Verbindungspartner-Konfiguration'
        option public_key 'XYZ'
        option preshared_key 'ZYX'
        option persistent_keepalive '25'
        option endpoint_host 'dyndns.dyndnsProvider.net'
        option endpoint_port '51821'
        option route_allowed_ips '1'          <<<< Set this option to '0'
        list allowed_ips '0.0.0.0/0'          <<<< Add this IP to the Allowed IPs list
        list allowed_ips '::/0'               <<<< Add this IP to the Allowed IPs list (optional, only if IPv6 is used)

2. Set up PBR Policies

/etc/config/pbr

config pbr 'config'
	option enabled '1'
	option verbosity '2'
	option strict_enforcement '1'
	option resolver_set 'none'
	option ipv6_enabled '1'
	list ignored_interface 'vpnserver'
	list ignored_interface 'wgserver'
	option boot_timeout '30'
	option rule_create_option 'add'
	option procd_reload_delay '1'
	option webui_show_ignore_target '1'
	list webui_supported_protocol 'all'
	list webui_supported_protocol 'tcp'
	list webui_supported_protocol 'udp'
	list webui_supported_protocol 'tcp udp'
	list webui_supported_protocol 'icmp'

config include
	option path '/usr/share/pbr/pbr.user.aws'
	option enabled '0'

config include
	option path '/usr/share/pbr/pbr.user.netflix'
	option enabled '0'

config policy
	option name 'Route_Ressources_HomeBase_IPv4'
	option src_addr '192.168.100.0/24'
	option dest_addr '10.0.0.0/29 192.168.1.0/24 192.168.2.0/24'
	option interface 'wg0'
	option chain 'output'

config policy
	option name 'Route_Ressources_HomeBase_IPv6'
	option src_addr 'fd1a:0:0:1::/60'
	option dest_addr 'fd00::/60 fd02::/60'
	option chain 'output'
	option interface 'wg0'

config policy
	option name 'Internet LAN-VPN IPv4'
	option src_addr '192.168.100.0/24'
	option interface 'wg0'

config policy
	option name 'Internet LAN-VPN IPv6'
	option src_addr 'fd1a:0:0:1::/64'
	option interface 'wg0'

After that, the GUI-Config of PBR looks like this (in my case):

3. Editing DNSMASQ config
In the dnsmasq config, I had already configured the domain forwarding and the whitelisting for the DNS rebind protection for my home LAN a long time ago:

        option rebind_protection '1'
        list rebind_domain 'XYZ.local'
        list server '/XYZ.local/192.168.1.5'
        list server '/XYZ.local/192.168.1.15'

The listed servers for the domain forwarding didn't work after setting up the PBR policies, so I had to edit the dnsmasq config again and add the DHCP option 6:

/etc/config/dhcp

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'
        option dhcpv6 'server'
        list dhcp_option '6,192.168.1.5,192.168.1.15'    <<<< Add DHCP option 6 to provide other DNS servers

I'm not sure if the server entries (list server '/XYZ.local/192.168.1.5', list server '/XYZ.local/192.168.1.15') listed in the general config of dnsmasq have to remain or not; I haven't tried that yet.

For the moment, PBR works as expected regarding the basic routing.

Now the remaining problem:

I have a LAN and a LAN6 interface (alias of lan, for IPv6).

With every router reboot, or even with a single ifupdate (or ifdown / ifup) of the lan6 interface, PBR won't work until I restart the service manually.

cat /var/log/syslog

Sat Jun  8 09:00:56 2024 user.notice pbr: Reloading pbr lan6 interface routing due to ifupdate of lan6 (br-lan)

Even if I restart the network service manually, I have to restart the PBR service, too.

For the router reboot, I can add an entry to the crontabs to restart the PBR service, but for the other case, I don't know how to get that covered.

Is there a config option for PBR, which I'm missing? IPv6 support in PBR is already enabled (see config file above).

Do you have any suggestions, how to deal with that?

Best Regards and many thanks in advance!

Looks good.

I can remember that @stangri has done some work on IPv6 restarts; not sure if this is related, but you might see if you can update PBR.

About dnsmasq: option 6 is a viable option to use, so if you are happy with it, keep it.

But the reason dnsmasq cannot resolve 192.168.1.0/24 is that dnsmasq is running on the router, and the router no longer has a route to the other side via the tunnel.
You can solve this by adding a route for 192.168.1.0/24 (or the specific addresses) via the tunnel on the router.
You can do this in several ways: add a routing rule, use PBR, or (my favorite) add to the Allowed IPs:

This should add a route on the router because we still have Route Allowed IPs enabled, and dnsmasq should be able to resolve your domain.

But as said, option 6, as you are using it, is fine.
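The failure mode egc describes above, and that the step-by-step post before it ran into, is easy to miss: once route_allowed_ips is off and the only pbr policy is LAN-sourced on the prerouting chain, hosts on the LAN still reach the home DNS servers (so DHCP option 6 works), but the router's own dnsmasq has no path into the tunnel for the per-domain forwarders. The following is an added example, not code from the original posts nor from the pbr or OpenWrt projects. It parses UCI-style config text of the kind posted in this thread and reports (a) which firewall zones may forward into the vpn zone, and (b) whether each dnsmasq /domain/ip forwarder is reachable from the router itself, either via a route WireGuard installs from allowed_ips or via an output-chain pbr policy. The embedded configs are constructed from the thread's values; the policy name Route_Router_HomeBase_IPv4 is taken from the poster's log, and the modelling of which routes the WireGuard proto handler installs is a simplification rather than a call into netifd.

```python
"""Added example (not from the thread, pbr or OpenWrt): check the road-warrior split
on UCI-style config text. Samples are constructed from the thread's values; the
WireGuard route model below is a simplification of what netifd actually does."""
import ipaddress
import re
from collections import defaultdict

NETWORK = """
config interface 'wg0'
	option proto 'wireguard'
	option defaultroute '0'
config wireguard_wg0
	option route_allowed_ips '0'
	list allowed_ips '0.0.0.0/0'
	list allowed_ips '::/0'
"""
# egc's alternative: let WireGuard itself install a home-LAN route on the router.
NETWORK_ALT = (NETWORK.replace("route_allowed_ips '0'", "route_allowed_ips '1'")
               + "\tlist allowed_ips '192.168.1.0/24'\n")
FIREWALL = """
config forwarding
	option src 'lan'
	option dest 'vpn'
config forwarding
	option src 'work'
	option dest 'wan'
"""
DHCP = """
config dnsmasq
	list server '/XXX.local/192.168.1.5'
	list server '/XXX.local/192.168.1.15'
"""
# LAN-sourced policy only; pbr's default chain is prerouting.
PBR_BEFORE = """
config policy
	option name 'Internet LAN-VPN IPv4'
	option src_addr '192.168.100.0/24'
	option interface 'wg0'
"""
# Same, plus an output-chain policy for packets the router itself originates.
PBR_AFTER = PBR_BEFORE + """
config policy
	option name 'Route_Router_HomeBase_IPv4'
	option dest_addr '192.168.1.0/24'
	option interface 'wg0'
	option chain 'output'
"""

def parse_uci(text):
    """Return [(type, name, {key: [values]})]; option and list both become lists."""
    sections, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"config\s+(\S+)(?:\s+'([^']*)')?$", line)
        if m:
            cur = (m.group(1), m.group(2), defaultdict(list))
            sections.append(cur)
        elif cur is not None:
            m = re.match(r"(?:option|list)\s+(\S+)\s+'(.*)'$", line)
            if m:
                cur[2][m.group(1)].append(m.group(2))
    return sections

def zones_forwarding_to(fw_text, dest):
    """Source zones with a 'config forwarding' into dest (should be lan only)."""
    return sorted(o["src"][0] for t, _, o in parse_uci(fw_text)
                  if t == "forwarding" and o["dest"] == [dest])

def wg_installed_routes(net_text, iface="wg0"):
    """Routes WireGuard installs on the router: allowed_ips when route_allowed_ips
    is '1', minus the 0/0 prefixes when defaultroute is '0' (model, not netifd)."""
    secs = parse_uci(net_text)
    ifopts = next((o for t, n, o in secs if t == "interface" and n == iface), {})
    want_default = ifopts.get("defaultroute", ["1"]) == ["1"]
    routes = []
    for t, _, o in secs:
        if t == "wireguard_" + iface and o.get("route_allowed_ips") == ["1"]:
            routes += [ipaddress.ip_network(a) for a in o["allowed_ips"]
                       if want_default or ipaddress.ip_network(a).prefixlen > 0]
    return routes

def pbr_output_prefixes(pbr_text, iface="wg0"):
    """dest_addr prefixes of output-chain policies: the only pbr policies that match
    packets the router's own dnsmasq sends (prerouting sees forwarded traffic only)."""
    return [ipaddress.ip_network(p) for t, _, o in parse_uci(pbr_text)
            if t == "policy" and o.get("chain") == ["output"] and o.get("interface") == [iface]
            for dest in o.get("dest_addr", []) for p in dest.split()]

def domain_forwarders(dhcp_text):
    """Forwarder IPs from dnsmasq 'server' entries of the form /domain/ip."""
    return [ipaddress.ip_address(s.rsplit("/", 1)[1]) for t, _, o in parse_uci(dhcp_text)
            if t == "dnsmasq" for s in o.get("server", []) if s.startswith("/")]

def forwarder_reachability(net_text, pbr_text, dhcp_text, iface="wg0"):
    """Per forwarder: does the router itself have any path into the tunnel for it?"""
    prefixes = wg_installed_routes(net_text, iface) + pbr_output_prefixes(pbr_text, iface)
    return {str(ip): any(ip in p for p in prefixes) for ip in domain_forwarders(dhcp_text)}

if __name__ == "__main__":
    print("zones allowed to forward into vpn:", zones_forwarding_to(FIREWALL, "vpn"))
    for label, net, pbr in (("prerouting only", NETWORK, PBR_BEFORE),
                            ("output policy", NETWORK, PBR_AFTER),
                            ("route_allowed_ips", NETWORK_ALT, PBR_BEFORE)):
        print(label, forwarder_reachability(net, pbr, DHCP))
```

Run it with python3: the prerouting-only variant reports both forwarders as unreachable from the router, while either the output-chain policy or egc's allowed_ips route makes them reachable. On the real box the equivalent check is `ip route show` (and `ip route show table <n>` / `ip rule` for the pbr tables) after an ifup, which is also where the poster's lan6 reload problem would show up. Note that the posted pbr config has strict_enforcement set to 1, which is meant to keep policies enforced while their gateway is down (the "traffic killswitch" lines in the log), so a tunnel outage should blackhole the LAN VLAN instead of letting it fall back to WAN; for a road-warrior profile that is the behaviour you want, but verify it rather than assume it.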

Hi egc,

thank you for your further input! I didn't realize that I would also have to set up a route from the router to the DNS servers.

I ran a few more tests and was able to determine that DHCP option 6 in the dnsmasq configuration is not the best solution for the final config (at least in my case); LAN-internal DNS resolution no longer works with it.

Since I have to access my notebook from my smartphone via SSH / SFTP and I don't want to give the notebook a static IP, I edited the config for PBR again and added a route from the router to the Home LAN, not only for the DNS resolvers.

This gives me the advantage that I can test the WG tunnel from the router itself.

Actually, I'm happy with the current results.
The only problem remaining is, as mentioned in my previous post, the restart of the lan6 interface. I just set up a cron job for the time the router reboots (every day at 5:00 AM) plus a 5-minute delay, to restart the PBR service automatically.

Maybe @stangri has a solution to resolve the problem with lan6 interfaces.

I'll post my final configuration in a separate reply, to close the topic as solved, when @stangri has given a short statement.

Best regards and thank you again for your input!

pbr reload should not be triggered on LAN updates, so I don't understand why it's happening for you. Do consider providing all the information requested in pbr's README Getting Help section.

Hi Stan, no problem.

Unfortunately, I have to split the post due to a character limit.

The following action of the lan6 interface causes PBR to stop routing:

Sun Jun  9 05:02:11 2024 user.notice pbr: Reloading pbr lan6 interface routing due to ifup of lan6 (br-lan)

Here, it is the action "ifup", but it also happens when the action "ifupdate" occurs.

I ran a few tests restarting the network service with a parallel ping to my home DNS server. Every time PBR starts a reload due to an ifup:

root@M0B1L3R0UT3R:~# logread -f | grep pbr
Sun Jun  9 08:01:55 2024 user.notice pbr: Reloading pbr guest interface routing due to ifdown of guest ()
Sun Jun  9 08:02:05 2024 user.notice pbr: service waiting for wan gateway...
Sun Jun  9 08:02:07 2024 user.notice pbr: Activating traffic killswitch [✓]
Sun Jun  9 08:02:11 2024 user.notice pbr: Setting up routing for 'wan/192.168.0.1/::/0' [✓]
Sun Jun  9 08:02:13 2024 user.notice pbr: Setting up routing for 'wwan/0.0.0.0/::/0' [✓]
Sun Jun  9 08:02:14 2024 user.notice pbr: Setting up routing for 'tethering_wan/eth1/0.0.0.0/::/0' [✓]
Sun Jun  9 08:02:16 2024 user.notice pbr: Setting up routing for 'wg0/0.0.0.0/::/0' [✓]
Sun Jun  9 08:02:17 2024 user.notice pbr: Routing 'Route_Router_HomeBase_IPv4' via wg0 [✓]
Sun Jun  9 08:02:18 2024 user.notice pbr: Routing 'Route_Router_HomeBase_IPv6' via wg0 [✓]
Sun Jun  9 08:02:19 2024 user.notice pbr: Routing 'Route_LAN_HomeBase_IPv4' via wg0 [✓]
Sun Jun  9 08:02:20 2024 user.notice pbr: Routing 'Route_LAN_HomeBase_IPv6' via wg0 [✓]
Sun Jun  9 08:02:20 2024 user.notice pbr: Routing 'Internet LAN-VPN IPv4' via wg0 [✓]
Sun Jun  9 08:02:21 2024 user.notice pbr: Routing 'Internet LAN-VPN IPv6' via wg0 [✓]
Sun Jun  9 08:02:21 2024 user.notice pbr: Deactivating traffic killswitch [✓]
Sun Jun  9 08:02:22 2024 user.notice pbr: service monitoring interfaces: wan tethering_wan wwan wg0
Sun Jun  9 08:02:22 2024 user.notice pbr: Reloading pbr guest interface routing due to ifup of guest (br-guest)
Sun Jun  9 08:02:25 2024 user.notice pbr: Activating traffic killswitch [✓]
Sun Jun  9 08:02:29 2024 user.notice pbr: Setting up routing for 'wan/192.168.0.1/::/0' [✓]
Sun Jun  9 08:02:31 2024 user.notice pbr: Setting up routing for 'wwan/0.0.0.0/::/0' [✓]
Sun Jun  9 08:02:32 2024 user.notice pbr: Setting up routing for 'tethering_wan/eth1/0.0.0.0/::/0' [✓]
Sun Jun  9 08:02:34 2024 user.notice pbr: Setting up routing for 'wg0/192.168.77.3/fd11:5ee:bad:c0de::3/128' [✓]
Sun Jun  9 08:02:35 2024 user.notice pbr: Routing 'Route_Router_HomeBase_IPv4' via wg0 [✓]
Sun Jun  9 08:02:35 2024 user.notice pbr: Routing 'Route_Router_HomeBase_IPv6' via wg0 [✓]
Sun Jun  9 08:02:36 2024 user.notice pbr: Routing 'Route_LAN_HomeBase_IPv4' via wg0 [✓]
Sun Jun  9 08:02:37 2024 user.notice pbr: Routing 'Route_LAN_HomeBase_IPv6' via wg0 [✓]
Sun Jun  9 08:02:38 2024 user.notice pbr: Routing 'Internet LAN-VPN IPv4' via wg0 [✓]
Sun Jun  9 08:02:38 2024 user.notice pbr: Routing 'Internet LAN-VPN IPv6' via wg0 [✓]
Sun Jun  9 08:02:38 2024 user.notice pbr: Deactivating traffic killswitch [✓]
Sun Jun  9 08:02:39 2024 user.notice pbr: service monitoring interfaces: wan tethering_wan wwan wg0
Sun Jun  9 08:02:47 2024 user.notice pbr: Activating traffic killswitch [✓]
Sun Jun  9 08:02:51 2024 user.notice pbr: Setting up routing for 'wan/192.168.0.1/::/0' [✓]
Sun Jun  9 08:02:53 2024 user.notice pbr: Setting up routing for 'wwan/0.0.0.0/::/0' [✓]
Sun Jun  9 08:02:54 2024 user.notice pbr: Setting up routing for 'tethering_wan/eth1/0.0.0.0/::/0' [✓]
Sun Jun  9 08:02:56 2024 user.notice pbr: Setting up routing for 'wg0/192.168.77.3/fd11:5ee:bad:c0de::3/128' [✓]
Sun Jun  9 08:02:56 2024 user.notice pbr: Routing 'Route_Router_HomeBase_IPv4' via wg0 [✓]
Sun Jun  9 08:02:57 2024 user.notice pbr: Routing 'Route_Router_HomeBase_IPv6' via wg0 [✓]
Sun Jun  9 08:02:58 2024 user.notice pbr: Routing 'Route_LAN_HomeBase_IPv4' via wg0 [✓]
Sun Jun  9 08:02:59 2024 user.notice pbr: Routing 'Route_LAN_HomeBase_IPv6' via wg0 [✓]
Sun Jun  9 08:03:00 2024 user.notice pbr: Routing 'Internet LAN-VPN IPv4' via wg0 [✓]
Sun Jun  9 08:03:00 2024 user.notice pbr: Routing 'Internet LAN-VPN IPv6' via wg0 [✓]
Sun Jun  9 08:03:00 2024 user.notice pbr: Deactivating traffic killswitch [✓]
Sun Jun  9 08:03:01 2024 user.notice pbr: service monitoring interfaces: wan tethering_wan wwan wg0
Sun Jun  9 08:03:01 2024 user.notice pbr: Reloading pbr lan interface routing due to ifup of lan (br-lan)
Sun Jun  9 08:03:04 2024 user.notice pbr: Activating traffic killswitch [✓]
Sun Jun  9 08:03:08 2024 user.notice pbr: Setting up routing for 'wan/192.168.0.1/::/0' [✓]
Sun Jun  9 08:03:10 2024 user.notice pbr: Setting up routing for 'wwan/0.0.0.0/::/0' [✓]
Sun Jun  9 08:03:11 2024 user.notice pbr: Setting up routing for 'tethering_wan/eth1/0.0.0.0/::/0' [✓]
Sun Jun  9 08:03:13 2024 user.notice pbr: Setting up routing for 'wg0/192.168.77.3/fd11:5ee:bad:c0de::3/128' [✓]
Sun Jun  9 08:03:13 2024 user.notice pbr: Routing 'Route_Router_HomeBase_IPv4' via wg0 [✓]
Sun Jun  9 08:03:14 2024 user.notice pbr: Routing 'Route_Router_HomeBase_IPv6' via wg0 [✓]
Sun Jun  9 08:03:15 2024 user.notice pbr: Routing 'Route_LAN_HomeBase_IPv4' via wg0 [✓]
Sun Jun  9 08:03:16 2024 user.notice pbr: Routing 'Route_LAN_HomeBase_IPv6' via wg0 [✓]
Sun Jun  9 08:03:17 2024 user.notice pbr: Routing 'Internet LAN-VPN IPv4' via wg0 [✓]
Sun Jun  9 08:03:17 2024 user.notice pbr: Routing 'Internet LAN-VPN IPv6' via wg0 [✓]
Sun Jun  9 08:03:17 2024 user.notice pbr: Deactivating traffic killswitch [✓]
Sun Jun  9 08:03:18 2024 user.notice pbr: service monitoring interfaces: wan tethering_wan wwan wg0
Sun Jun  9 08:03:26 2024 user.notice pbr: Reloading pbr multimedia interface routing due to ifup of multimedia (br-multimedia)
Sun Jun  9 08:03:30 2024 user.notice pbr: Reloading pbr loopback interface routing due to ifup of loopback (lo)
Sun Jun  9 08:03:38 2024 user.notice pbr: Reloading pbr wan interface routing due to ifup of wan (wan)
Sun Jun  9 08:03:41 2024 user.notice pbr: Activating traffic killswitch [✓]
Sun Jun  9 08:03:45 2024 user.notice pbr: Setting up routing for 'wan/192.168.0.1/::/0' [✓]
Sun Jun  9 08:03:46 2024 user.notice pbr: Setting up routing for 'wwan/0.0.0.0/::/0' [✓]
Sun Jun  9 08:03:47 2024 user.notice pbr: Setting up routing for 'tethering_wan/eth1/0.0.0.0/::/0' [✓]
Sun Jun  9 08:03:49 2024 user.notice pbr: Setting up routing for 'wg0/192.168.77.3/fd11:5ee:bad:c0de::3/128' [✓]
Sun Jun  9 08:03:50 2024 user.notice pbr: Routing 'Route_Router_HomeBase_IPv4' via wg0 [✓]
Sun Jun  9 08:03:50 2024 user.notice pbr: Routing 'Route_Router_HomeBase_IPv6' via wg0 [✓]
Sun Jun  9 08:03:52 2024 user.notice pbr: Routing 'Route_LAN_HomeBase_IPv4' via wg0 [✓]
Sun Jun  9 08:03:52 2024 user.notice pbr: Routing 'Route_LAN_HomeBase_IPv6' via wg0 [✓]
Sun Jun  9 08:03:53 2024 user.notice pbr: Routing 'Internet LAN-VPN IPv4' via wg0 [✓]
Sun Jun  9 08:03:53 2024 user.notice pbr: Routing 'Internet LAN-VPN IPv6' via wg0 [✓]
Sun Jun  9 08:03:54 2024 user.notice pbr: Deactivating traffic killswitch [✓]
Sun Jun  9 08:03:54 2024 user.notice pbr: service monitoring interfaces: wan tethering_wan wwan wg0
Sun Jun  9 08:03:58 2024 user.notice pbr: Reloading pbr wg0 interface routing due to ifup of wg0 (wg0)
Sun Jun  9 08:04:01 2024 user.notice pbr: Activating traffic killswitch [✓]
Sun Jun  9 08:04:05 2024 user.notice pbr: Setting up routing for 'wan/192.168.0.1/::/0' [✓]
Sun Jun  9 08:04:06 2024 user.notice pbr: Setting up routing for 'wwan/0.0.0.0/::/0' [✓]
Sun Jun  9 08:04:07 2024 user.notice pbr: Setting up routing for 'tethering_wan/eth1/0.0.0.0/::/0' [✓]
Sun Jun  9 08:04:09 2024 user.notice pbr: Setting up routing for 'wg0/192.168.77.3/fd11:5ee:bad:c0de::3/128' [✓]
Sun Jun  9 08:04:10 2024 user.notice pbr: Routing 'Route_Router_HomeBase_IPv4' via wg0 [✓]
Sun Jun  9 08:04:11 2024 user.notice pbr: Routing 'Route_Router_HomeBase_IPv6' via wg0 [✓]
Sun Jun  9 08:04:12 2024 user.notice pbr: Routing 'Route_LAN_HomeBase_IPv4' via wg0 [✓]
Sun Jun  9 08:04:13 2024 user.notice pbr: Routing 'Route_LAN_HomeBase_IPv6' via wg0 [✓]
Sun Jun  9 08:04:13 2024 user.notice pbr: Routing 'Internet LAN-VPN IPv4' via wg0 [✓]
Sun Jun  9 08:04:14 2024 user.notice pbr: Routing 'Internet LAN-VPN IPv6' via wg0 [✓]
Sun Jun  9 08:04:14 2024 user.notice pbr: Deactivating traffic killswitch [✓]
Sun Jun  9 08:04:15 2024 user.notice pbr: service monitoring interfaces: wan tethering_wan wwan wg0
Sun Jun  9 08:04:18 2024 user.notice pbr: Reloading pbr lan6 interface routing due to ifup of lan6 (br-lan)

I got a ping to the DNS (except Guest interface, due to status ifdown from wan) - PBR also reloads on LAN-Interface but not on LAN6, as you can see here.

If I restart the pbr service manually, everything is working as expected, until lan6 gets an "ifupdate" action:

Sun Jun  9 08:12:33 2024 user.notice pbr: Reloading pbr lan6 interface routing due to ifupdate of lan6 (br-lan)

After that, pinging the Home DNS is not possible.

Here is a status of pbr with the actual problem:
/etc/init.d/pbr status

============================================================
pbr - environment
pbr 1.1.1-7 running on OpenWrt 23.05.3. WAN (IPv4): wan/wan/192.168.0.1.
============================================================
Dnsmasq version 2.90  Copyright (c) 2000-2024 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus UBus no-i18n no-IDN DHCP no-DHCPv6 no-Lua TFTP no-conntrack no-ipset no-nftset no-auth no-cryptohash no-DNSSEC no-ID loop-detect inotify dumpfile
============================================================
pbr chains - policies
	chain pbr_forward { # handle 61
	}
	chain pbr_input { # handle 62
	}
	chain pbr_output { # handle 63
	}
	chain pbr_prerouting { # handle 64
	}
	chain pbr_postrouting { # handle 65
	}
============================================================
pbr chains - marking
	chain pbr_mark_0x010000 { # handle 4839
	}
	chain pbr_mark_0x020000 { # handle 4842
	}
	chain pbr_mark_0x030000 { # handle 4845
	}
	chain pbr_mark_0x040000 { # handle 4848
	}
============================================================
pbr nft sets
	set pbr_wg0_4_dst_ip_cfg046ff5 { # handle 4851
		type ipv4_addr
		flags interval
		counter
		auto-merge
		comment "Route_Router_HomeBase_IPv4"
		elements = { 10.0.0.0/29 counter packets 0 bytes 0, 192.168.1.0-192.168.2.255 counter packets 170 bytes 16761 }
	}
	set pbr_wg0_6_dst_ip_cfg046ff5 { # handle 4852
		type ipv6_addr
		flags interval
		counter
		auto-merge
		comment "Route_Router_HomeBase_IPv4"
	}
	set pbr_wg0_4_dst_ip_cfg056ff5 { # handle 4855
		type ipv4_addr
		flags interval
		counter
		auto-merge
		comment "Route_Router_HomeBase_IPv6"
	}
	set pbr_wg0_6_dst_ip_cfg056ff5 { # handle 4856
		type ipv6_addr
		flags interval
		counter
		auto-merge
		comment "Route_Router_HomeBase_IPv6"
		elements = { fd00::/60 counter packets 0 bytes 0,
			     fd02::/60 counter packets 0 bytes 0 }
	}
	set pbr_wg0_4_src_ip_cfg066ff5 { # handle 4859
		type ipv4_addr
		flags interval
		counter
		auto-merge
		comment "Route_LAN_HomeBase_IPv4"
		elements = { 192.168.100.0/24 counter packets 1207 bytes 249430 }
	}
	set pbr_wg0_6_src_ip_cfg066ff5 { # handle 4860
		type ipv6_addr
		flags interval
		counter
		auto-merge
		comment "Route_LAN_HomeBase_IPv4"
	}
	set pbr_wg0_4_dst_ip_cfg066ff5 { # handle 4861
		type ipv4_addr
		flags interval
		counter
		auto-merge
		comment "Route_LAN_HomeBase_IPv4"
		elements = { 10.0.0.0/29 counter packets 0 bytes 0, 192.168.1.0-192.168.2.255 counter packets 0 bytes 0 }
	}
	set pbr_wg0_6_dst_ip_cfg066ff5 { # handle 4862
		type ipv6_addr
		flags interval
		counter
		auto-merge
		comment "Route_LAN_HomeBase_IPv4"
	}
	set pbr_wg0_4_src_ip_cfg076ff5 { # handle 4865
		type ipv4_addr
		flags interval
		counter
		auto-merge
		comment "Route_LAN_HomeBase_IPv6"
	}
	set pbr_wg0_6_src_ip_cfg076ff5 { # handle 4866
		type ipv6_addr
		flags interval
		counter
		auto-merge
		comment "Route_LAN_HomeBase_IPv6"
		elements = { fd1a:0:0:1::/64 counter packets 0 bytes 0 }
	}
	set pbr_wg0_4_dst_ip_cfg076ff5 { # handle 4867
		type ipv4_addr
		flags interval
		counter
		auto-merge
		comment "Route_LAN_HomeBase_IPv6"
	}
	set pbr_wg0_6_dst_ip_cfg076ff5 { # handle 4868
		type ipv6_addr
		flags interval
		counter
		auto-merge
		comment "Route_LAN_HomeBase_IPv6"
		elements = { fd00::/60 counter packets 0 bytes 0,
			     fd02::/60 counter packets 0 bytes 0 }
	}
	set pbr_wg0_4_src_ip_cfg086ff5 { # handle 4871
		type ipv4_addr
		flags interval
		counter
		auto-merge
		comment "Internet LAN-VPN IPv4"
		elements = { 192.168.100.0/24 counter packets 3268 bytes 376319 }
	}
	set pbr_wg0_6_src_ip_cfg086ff5 { # handle 4872
		type ipv6_addr
		flags interval
		counter
		auto-merge
		comment "Internet LAN-VPN IPv4"
	}
	set pbr_wg0_4_src_ip_cfg096ff5 { # handle 4875
		type ipv4_addr
		flags interval
		counter
		auto-merge
		comment "Internet LAN-VPN IPv6"
	}
	set pbr_wg0_6_src_ip_cfg096ff5 { # handle 4876
		type ipv6_addr
		flags interval
		counter
		auto-merge
		comment "Internet LAN-VPN IPv6"
		elements = { fd1a:0:0:1::/64 counter packets 1 bytes 93 }
	}
============================================================
IPv4 table 256 route: default via 192.168.0.1 dev wan 
IPv4 table 256 rule(s):
30000:	from all fwmark 0x10000/0xff0000 lookup pbr_wan
IPv6 table 256 route: unreachable default dev lo metric 1024 pref medium
IPv6 table 256 rule(s):
unreachable default dev lo metric 1024 pref medium
IPv4 table 257 route: unreachable default 
IPv4 table 257 rule(s):
30001:	from all fwmark 0x20000/0xff0000 lookup pbr_wwan
IPv6 table 257 route: unreachable default dev lo metric 1024 pref medium
IPv6 table 257 rule(s):
unreachable default dev lo metric 1024 pref medium
IPv4 table 258 route: unreachable default 
IPv4 table 258 rule(s):
30002:	from all fwmark 0x30000/0xff0000 lookup pbr_tethering_wan
IPv6 table 258 route: unreachable default dev lo metric 1024 pref medium
IPv6 table 258 rule(s):
unreachable default dev lo metric 1024 pref medium
IPv4 table 259 route: default via 192.168.77.3 dev wg0 
IPv4 table 259 rule(s):
30003:	from all fwmark 0x40000/0xff0000 lookup pbr_wg0
IPv6 table 259 route: unreachable default dev lo metric 1024 pref medium
IPv6 table 259 rule(s):
fd11:5ee:bad:c0de::3 dev wg0 proto kernel metric 256 pref medium
unreachable default dev lo metric 1024 pref medium

This is my actual configuration in a working state:

ubus call system board

{
	"kernel": "5.15.150",
	"hostname": "M0B1L3R0UT3R",
	"system": "MediaTek MT7621 ver:1 eco:3",
	"model": "GL.iNet GL-MT1300",
	"board_name": "glinet,gl-mt1300",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "23.05.3",
		"revision": "r23809-234f1a2efa",
		"target": "ramips/mt7621",
		"description": "OpenWrt 23.05.3 r23809-234f1a2efa"
	}
}

/etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'
	option local '/XYZ.mobile/'
	option domain 'XYZ.mobile'
	option rebind_protection '1'
	list notinterface 'wan'
	list server '/xyz.local/192.168.1.5'
	list server '/xyz.local/192.168.1.15'
	list server '/xyz.local.dmz/192.168.1.5'
	list server '/xyz.local.dmz/192.168.1.15'
	list rebind_domain 'zoomonprem.com'
	list rebind_domain 'xyz.local'
	list rebind_domain 'xyz.local.dmz'
	list rebind_domain 'dyndns.dynDNSProvider.net'
	list rebind_domain 'xyz.local.iot'
	list rebind_domain 'xyz.local.multimedia'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	option dhcpv6 'server'

config dhcp 'wwan6'
	option interface 'wwan6'
	option ignore '1'
	option master '1'
	option ra 'relay'
	option dhcpv6 'relay'
	option ndp 'relay'

config dhcp 'wan6'
	option interface 'wan6'
	option ignore '1'
	option master '1'
	option ra 'relay'
	option dhcpv6 'relay'
	option ndp 'relay'

config dhcp 'tethering_wan6'
	option interface 'tethering_wan6'
	option ignore '1'
	option master '1'
	option ra 'relay'
	option dhcpv6 'relay'
	option ndp 'relay'

config dhcp 'guest'
	option interface 'guest'
	option start '10'
	option limit '40'
	option force '1'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'

config dhcp 'work'
	option interface 'work'
	option leasetime '12h'
	option start '2'
	option limit '6'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	option force '1'

config dhcp 'multimedia'
	option interface 'multimedia'
	option leasetime '12h'
	option start '5'
	option limit '30'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	option force '1'

config domain
	option name 'dyndns.dynDNSProvider.net'
	option ip '10.0.0.2'

/etc/config/firewall


config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'
	option flow_offloading '1'
	option flow_offloading_hw '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option log '1'
	list network 'lan'
	list network 'lan6'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option log '0'
	list network 'wwan6'
	list network 'wan'
	list network 'wan6'
	list network 'tethering_wan'
	list network 'tethering_wan6'
	list network 'wwan'

config zone
	option name 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'guest'

config zone 'Work'
	option name 'work'
	option output 'ACCEPT'
	option forward 'REJECT'
	option input 'REJECT'
	option log '0'
	list network 'work'

config zone 'Multimedia'
	option name 'multimedia'
	option output 'ACCEPT'
	option forward 'REJECT'
	option input 'REJECT'
	option log '0'
	list network 'multimedia'

config zone
	option name 'vpn'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option log '0'
	list network 'wg0'

config forwarding
	option src 'lan'
	option dest 'wan'

config forwarding
	option src 'lan'
	option dest 'multimedia'

config forwarding
	option src 'lan'
	option dest 'vpn'

config forwarding
	option src 'guest'
	option dest 'wan'

config forwarding
	option src 'work'
	option dest 'wan'

config forwarding
	option src 'multimedia'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option src 'lan'
	option dest 'work'
	option proto 'icmp'
	option family 'ipv4'
	option target 'ACCEPT'
	list icmp_type 'echo-request'
	option name 'LAN - Allow ICMPv4-OUT LAN-WORK'

config rule
	list proto 'tcp'
	option src 'lan'
	option dest 'work'
	option dest_port '3389'
	option target 'ACCEPT'
	option name 'LAN - Allow RDP-OUT LAN-WORK'

config rule
	option src 'lan'
	option dest 'guest'
	option target 'DROP'
	option name 'LAN - Drop LAN-Guest'

config rule
	option src 'lan'
	option dest 'work'
	option target 'DROP'
	option name 'LAN - Drop LAN-WORK'

config rule
	option name 'Guest - Allow DHCP'
	list proto 'udp'
	option src 'guest'
	option src_port '67-68 546-547'
	option dest_port '67-68 546-547'
	option target 'ACCEPT'

config rule
	option name 'Guest - Allow DNS'
	option src 'guest'
	option dest_port '53 853'
	option target 'ACCEPT'

config rule
	option name 'Guest - Allow-ICMPv6'
	option src 'guest'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	list proto 'icmp'
	option src 'guest'
	option target 'ACCEPT'
	option name 'Guest - Allow ICMPv4'
	option icmp_type 'echo-request'
	option family 'ipv4'

config rule
	list proto 'udp'
	option src 'guest'
	option dest_port '123'
	option target 'ACCEPT'
	option name 'Guest - Allow NTP'

config rule
	option src 'guest'
	option dest 'lan'
	option target 'DROP'
	option name 'Guest - Drop Guest-LAN'

config rule
	list proto 'tcp'
	option src 'guest'
	option dest 'wan'
	option dest_port '80 8080 443'
	option target 'ACCEPT'
	option name 'Guest - Allow HTTP/S-OUT Guest-WAN'

config rule
	list proto 'icmp'
	option src 'guest'
	option dest 'wan'
	option target 'ACCEPT'
	option name 'Guest - Allow ICMPv4-OUT Guest-WAN'
	option icmp_type 'echo-request'
	option family 'ipv4'

config rule
	option name 'Guest - Allow ICMPv6-OUT Guest-WAN'
	option src 'guest'
	option dest 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	list proto 'tcp'
	option src 'guest'
	option dest 'wan'
	option dest_port '110 143 465 587 993 995'
	option target 'ACCEPT'
	option name 'Guest - Allow E-Mail-OUT Guest-WAN'

config rule
	option src 'guest'
	option dest 'wan'
	option target 'DROP'
	option name 'Guest - Drop Guest-WAN'

config rule
	option name 'Work - Allow DHCP'
	list proto 'udp'
	option src 'work'
	option src_port '67-68 546-547'
	option dest_port '67-68 546-547'
	option target 'ACCEPT'

config rule
	option name 'Work - Allow DNS'
	option src 'work'
	option dest_port '53 853'
	option target 'ACCEPT'

config rule
	option name 'Work - Allow-ICMPv6'
	option src 'work'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	list proto 'icmp'
	option src 'work'
	option target 'ACCEPT'
	option name 'Work - Allow ICMPv4'
	option icmp_type 'echo-request'
	option family 'ipv4'

config rule
	list proto 'udp'
	option src 'work'
	option dest_port '123'
	option target 'ACCEPT'
	option name 'Work - Allow NTP'

config rule
	list proto 'udp'
	option src 'work'
	option dest_port '137'
	option target 'ACCEPT'
	option name 'Work - Allow NetBios'

config rule
	option src 'work'
	option dest 'lan'
	option target 'DROP'
	option name 'Work - Drop WORK-LAN'

config rule
	list proto 'tcp'
	option src 'work'
	option dest 'wan'
	option dest_port '80 8080 443 8443'
	option target 'ACCEPT'
	option name 'Work - Allow HTTP/S-OUT WORK-WAN'

config rule
	list proto 'icmp'
	option src 'work'
	option dest 'wan'
	option target 'ACCEPT'
	option name 'Work - Allow ICMPv4-OUT WORK-WAN'
	option icmp_type 'echo-request'
	option family 'ipv4'

config rule
	option name 'Work - Allow ICMPv6-OUT WORK-WAN'
	option src 'work'
	option dest 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	list proto 'tcp'
	option src 'work'
	option dest 'wan'
	option dest_port '110 143 587 993 995'
	option target 'ACCEPT'
	option name 'Work - Allow E-Mail-OUT WORK-WAN'

config rule
	list proto 'udp'
	option src 'work'
	option dest 'wan'
	option dest_port '3478 3479 8801-8810'
	option target 'ACCEPT'
	option name 'Work - Allow ZOOM-UDP-OUT WORK-WAN'

config rule
	list proto 'tcp'
	option src 'work'
	option dest 'wan'
	option dest_port '8801 8802 4434'
	option target 'ACCEPT'
	option name 'Work - Allow ZOOM-TCP-OUT WORK-WAN'

config rule
	option src 'work'
	option dest 'wan'
	option target 'DROP'
	option name 'Work - Drop WORK-WAN'

config rule
	option name 'Multimedia - Allow DHCP'
	list proto 'udp'
	option src 'multimedia'
	option src_port '67-68 546-547'
	option dest_port '67-68 546-547'
	option target 'ACCEPT'

config rule
	option name 'Multimedia - Allow DNS'
	option src 'multimedia'
	option dest_port '53 853'
	option target 'ACCEPT'

config rule
	option name 'Multimedia - Allow-ICMPv6'
	option src 'multimedia'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	list proto 'icmp'
	option src 'multimedia'
	option target 'ACCEPT'
	option name 'Multimedia - Allow ICMPv4'
	option icmp_type 'echo-request'
	option family 'ipv4'

config rule
	list proto 'udp'
	option src 'multimedia'
	option dest_port '123'
	option target 'ACCEPT'
	option name 'Multimedia - Allow NTP'

config rule
	list proto 'tcp'
	option src 'multimedia'
	option dest_port '7'
	option target 'ACCEPT'
	option name 'Multimedia - Allow Echo'

config rule
	option name 'Multimedia - Drop Input'
	option src 'multimedia'
	list proto 'all'
	option target 'DROP'

config rule
	option src 'multimedia'
	option dest 'lan'
	option target 'DROP'
	option name 'Multimedia - Drop Multimedia-LAN'

config rule
	list proto 'icmp'
	option src 'multimedia'
	option dest 'wan'
	option target 'ACCEPT'
	option name 'Multimedia - Allow ICMPv4-OUT Multimedia-WAN'
	option icmp_type 'echo-request'
	option family 'ipv4'

config rule
	option name 'Multimedia - Allow ICMPv6-OUT Multimedia-WAN'
	option src 'multimedia'
	option dest 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	list proto 'tcp'
	option src 'multimedia'
	option dest 'wan'
	option dest_port '80 8080 443'
	option target 'ACCEPT'
	option name 'Multimedia - Allow HTTP/S-OUT Multimedia-WAN'

config rule
	list proto 'udp'
	option src 'multimedia'
	option dest 'wan'
	option dest_port '123'
	option dest_ip '52.45.237.36'
	option target 'ACCEPT'
	option name 'Multimedia - Allow NTP-OUT Amazon-WAN'

config rule
	list proto 'tcp'
	option src 'multimedia'
	option dest 'wan'
	option dest_port '8063 33227 33428 37020 37021'
	option target 'ACCEPT'
	option name 'Multimedia - Allow TCP-Communication-OUT MagentaTV-WAN'

config rule
	option src 'multimedia'
	option dest 'wan'
	option target 'DROP'
	option name 'Multimedia - Drop Multimedia-WAN'

/etc/config/network


config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option packet_steering '1'
	option ula_prefix 'fd1a::/60'

config device
	option name 'br-lan'
	option type 'bridge'
	option bridge_empty '1'
	list ports 'lan1'
	list ports 'lan2'

config device
	option type 'bridge'
	option name 'br-guest'
	option bridge_empty '1'

config device
	option type 'bridge'
	option name 'br-work'
	option bridge_empty '1'

config device
	option type 'bridge'
	option name 'br-multimedia'
	option bridge_empty '1'

config interface 'wan'
	option proto 'dhcp'
	option device 'wan'
	option peerdns '0'
	list dns '5.1.66.255'
	list dns '185.150.99.255'

config interface 'wan6'
	option proto 'dhcpv6'
	option device '@wan'
	list dns '2001:678:e68:f000::'
	list dns '2001:678:ed0:f000::'
	option reqaddress 'none'
	option reqprefix '56'

config interface 'wwan'
	option proto 'dhcp'
	option peerdns '0'
	list dns '5.1.66.255'
	list dns '185.150.99.255'

config interface 'wwan6'
	option proto 'dhcpv6'
	option device '@wwan'
	list dns '2001:678:e68:f000::'
	list dns '2001:678:ed0:f000::'
	option reqaddress 'none'
	option reqprefix '56'
	option type 'bridge'

config interface 'tethering_wan'
	option proto 'dhcp'
	option device 'eth1'
	option peerdns '0'
	list dns '5.1.66.255'
	list dns '185.150.99.255'

config interface 'tethering_wan6'
	option proto 'dhcpv6'
	option device '@tethering_wan'
	option reqaddress 'none'
	option reqprefix '56'
	list dns '2001:678:e68:f000::'
	list dns '2001:678:ed0:f000::'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr '192.168.100.1'
	option ip6weight '10'
	option ip6hint '1'
	option ip6assign '64'

config interface 'lan6'
	option proto 'dhcpv6'
	option device '@lan'
	option force_link '1'
	option reqaddress 'none'
	option reqprefix 'auto'
	option delegate '0'

config interface 'guest'
	option proto 'static'
	option device 'br-guest'
	list ipaddr '192.168.40.1/26'
	list dns '5.1.66.255'
	list dns '185.150.99.255'
	list dns '2001:678:e68:f000::'
	list dns '2001:678:ed0:f000::'
	option ip6weight '8'
	option ip6assign '64'
	option ip6hint '3'

config interface 'work'
	option proto 'static'
	list ipaddr '192.168.61.1/29'
	list dns '5.1.66.255'
	list dns '185.150.99.255'
	list dns '2001:678:e68:f000::'
	list dns '2001:678:ed0:f000::'
	option device 'br-work'
	option ip6weight '9'
	option ip6assign '64'
	option ip6hint '2'
	option auto '0'

config interface 'multimedia'
	option proto 'static'
	list ipaddr '192.168.70.1/27'
	list dns '5.1.66.255'
	list dns '185.150.99.255'
	list dns '2001:678:e68:f000::'
	list dns '2001:678:ed0:f000::'
	option device 'br-multimedia'
	option ip6weight '7'
	option ip6assign '64'
	option ip6hint '4'

config interface 'wg0'
	option proto 'wireguard'
	option peerdns '0'
	option private_key 'XYZ'
	list addresses '192.168.77.3/32'
	list addresses 'fd11:5ee:bad:c0de::3/128'
	option defaultroute '0'
	list dns '192.168.1.5'
	list dns '192.168.1.15'

config wireguard_wg0
	option description 'Importierte Verbindungspartner-Konfiguration'
	option public_key 'ZYX'
	option preshared_key 'ABC'
	option persistent_keepalive '25'
	option endpoint_host 'dyndns.dynDNSProvider.net'
	option endpoint_port '51821'
	option route_allowed_ips '0'
	list allowed_ips '0.0.0.0/0'
	list allowed_ips '::/0'

/etc/config/pbr

config pbr 'config'
	option enabled '1'
	option verbosity '2'
	option strict_enforcement '1'
	option resolver_set 'none'
	option ipv6_enabled '1'
	list ignored_interface 'vpnserver'
	list ignored_interface 'wgserver'
	option boot_timeout '30'
	option rule_create_option 'add'
	option procd_reload_delay '1'
	option webui_show_ignore_target '1'
	list webui_supported_protocol 'all'
	list webui_supported_protocol 'tcp'
	list webui_supported_protocol 'udp'
	list webui_supported_protocol 'tcp udp'
	list webui_supported_protocol 'icmp'

config include
	option path '/usr/share/pbr/pbr.user.aws'
	option enabled '0'

config include
	option path '/usr/share/pbr/pbr.user.netflix'
	option enabled '0'

config policy
	option name 'Route_Router_HomeBase_IPv4'
	option dest_addr '10.0.0.0/29 192.168.1.0/24 192.168.2.0/24'
	option chain 'output'
	option interface 'wg0'

config policy
	option name 'Route_Router_HomeBase_IPv6'
	option chain 'output'
	option interface 'wg0'
	option dest_addr 'fd00::/60 fd02::/60'

config policy
	option name 'Route_LAN_HomeBase_IPv4'
	option src_addr '192.168.100.0/24'
	option dest_addr '10.0.0.0/29 192.168.1.0/24 192.168.2.0/24'
	option interface 'wg0'
	option chain 'output'

config policy
	option name 'Route_LAN_HomeBase_IPv6'
	option src_addr 'fd1a:0:0:1::/64'
	option dest_addr 'fd00::/60 fd02::/60'
	option chain 'output'
	option interface 'wg0'

config policy
	option name 'Internet LAN-VPN IPv4'
	option src_addr '192.168.100.0/24'
	option interface 'wg0'

config policy
	option name 'Internet LAN-VPN IPv6'
	option src_addr 'fd1a:0:0:1::/64'
	option interface 'wg0'

/etc/init.d/pbr status

============================================================
pbr - environment
pbr 1.1.1-7 running on OpenWrt 23.05.3. WAN (IPv4): wan/wan/192.168.0.1.
============================================================
Dnsmasq version 2.90  Copyright (c) 2000-2024 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus UBus no-i18n no-IDN DHCP no-DHCPv6 no-Lua TFTP no-conntrack no-ipset no-nftset no-auth no-cryptohash no-DNSSEC no-ID loop-detect inotify dumpfile
============================================================
pbr chains - policies
	chain pbr_forward { # handle 61
	}
	chain pbr_input { # handle 62
	}
	chain pbr_output { # handle 63
		ip daddr @pbr_wg0_4_dst_ip_cfg046ff5 goto pbr_mark_0x040000 comment "Route_Router_HomeBase_IPv4" # handle 1647
		ip6 daddr @pbr_wg0_6_dst_ip_cfg046ff5 goto pbr_mark_0x040000 comment "Route_Router_HomeBase_IPv4" # handle 1648
		ip daddr @pbr_wg0_4_dst_ip_cfg056ff5 goto pbr_mark_0x040000 comment "Route_Router_HomeBase_IPv6" # handle 1651
		ip6 daddr @pbr_wg0_6_dst_ip_cfg056ff5 goto pbr_mark_0x040000 comment "Route_Router_HomeBase_IPv6" # handle 1652
		ip saddr @pbr_wg0_4_src_ip_cfg066ff5 ip daddr @pbr_wg0_4_dst_ip_cfg066ff5 goto pbr_mark_0x040000 comment "Route_LAN_HomeBase_IPv4" # handle 1657
		ip6 saddr @pbr_wg0_6_src_ip_cfg066ff5 ip6 daddr @pbr_wg0_6_dst_ip_cfg066ff5 goto pbr_mark_0x040000 comment "Route_LAN_HomeBase_IPv4" # handle 1658
		ip saddr @pbr_wg0_4_src_ip_cfg076ff5 ip daddr @pbr_wg0_4_dst_ip_cfg076ff5 goto pbr_mark_0x040000 comment "Route_LAN_HomeBase_IPv6" # handle 1663
		ip6 saddr @pbr_wg0_6_src_ip_cfg076ff5 ip6 daddr @pbr_wg0_6_dst_ip_cfg076ff5 goto pbr_mark_0x040000 comment "Route_LAN_HomeBase_IPv6" # handle 1664
	}
	chain pbr_prerouting { # handle 64
		ip saddr @pbr_wg0_4_src_ip_cfg086ff5 goto pbr_mark_0x040000 comment "Internet LAN-VPN IPv4" # handle 1667
		ip6 saddr @pbr_wg0_6_src_ip_cfg086ff5 goto pbr_mark_0x040000 comment "Internet LAN-VPN IPv4" # handle 1668
		ip saddr @pbr_wg0_4_src_ip_cfg096ff5 goto pbr_mark_0x040000 comment "Internet LAN-VPN IPv6" # handle 1671
		ip6 saddr @pbr_wg0_6_src_ip_cfg096ff5 goto pbr_mark_0x040000 comment "Internet LAN-VPN IPv6" # handle 1672
	}
	chain pbr_postrouting { # handle 65
	}
============================================================
pbr chains - marking
	chain pbr_mark_0x010000 { # handle 1633
		counter packets 0 bytes 0 meta mark set meta mark & 0xff01ffff | 0x00010000 # handle 1634
		return # handle 1635
	}
	chain pbr_mark_0x020000 { # handle 1636
		counter packets 0 bytes 0 meta mark set meta mark & 0xff02ffff | 0x00020000 # handle 1637
		return # handle 1638
	}
	chain pbr_mark_0x030000 { # handle 1639
		counter packets 0 bytes 0 meta mark set meta mark & 0xff03ffff | 0x00030000 # handle 1640
		return # handle 1641
	}
	chain pbr_mark_0x040000 { # handle 1642
		counter packets 16612 bytes 3256549 meta mark set meta mark & 0xff04ffff | 0x00040000 # handle 1643
		return # handle 1644
	}
============================================================
pbr nft sets
	set pbr_wg0_4_dst_ip_cfg046ff5 { # handle 1645
		type ipv4_addr
		flags interval
		counter
		auto-merge
		comment "Route_Router_HomeBase_IPv4"
		elements = { 10.0.0.0/29 counter packets 14 bytes 560, 192.168.1.0-192.168.2.255 counter packets 1869 bytes 237491 }
	}
	set pbr_wg0_6_dst_ip_cfg046ff5 { # handle 1646
		type ipv6_addr
		flags interval
		counter
		auto-merge
		comment "Route_Router_HomeBase_IPv4"
	}
	set pbr_wg0_4_dst_ip_cfg056ff5 { # handle 1649
		type ipv4_addr
		flags interval
		counter
		auto-merge
		comment "Route_Router_HomeBase_IPv6"
	}
	set pbr_wg0_6_dst_ip_cfg056ff5 { # handle 1650
		type ipv6_addr
		flags interval
		counter
		auto-merge
		comment "Route_Router_HomeBase_IPv6"
		elements = { fd00::/60 counter packets 0 bytes 0,
			     fd02::/60 counter packets 0 bytes 0 }
	}
	set pbr_wg0_4_src_ip_cfg066ff5 { # handle 1653
		type ipv4_addr
		flags interval
		counter
		auto-merge
		comment "Route_LAN_HomeBase_IPv4"
		elements = { 192.168.100.0/24 counter packets 2087 bytes 872914 }
	}
	set pbr_wg0_6_src_ip_cfg066ff5 { # handle 1654
		type ipv6_addr
		flags interval
		counter
		auto-merge
		comment "Route_LAN_HomeBase_IPv4"
	}
	set pbr_wg0_4_dst_ip_cfg066ff5 { # handle 1655
		type ipv4_addr
		flags interval
		counter
		auto-merge
		comment "Route_LAN_HomeBase_IPv4"
		elements = { 10.0.0.0/29 counter packets 0 bytes 0, 192.168.1.0-192.168.2.255 counter packets 0 bytes 0 }
	}
	set pbr_wg0_6_dst_ip_cfg066ff5 { # handle 1656
		type ipv6_addr
		flags interval
		counter
		auto-merge
		comment "Route_LAN_HomeBase_IPv4"
	}
	set pbr_wg0_4_src_ip_cfg076ff5 { # handle 1659
		type ipv4_addr
		flags interval
		counter
		auto-merge
		comment "Route_LAN_HomeBase_IPv6"
	}
	set pbr_wg0_6_src_ip_cfg076ff5 { # handle 1660
		type ipv6_addr
		flags interval
		counter
		auto-merge
		comment "Route_LAN_HomeBase_IPv6"
		elements = { fd1a:0:0:1::/64 counter packets 0 bytes 0 }
	}
	set pbr_wg0_4_dst_ip_cfg076ff5 { # handle 1661
		type ipv4_addr
		flags interval
		counter
		auto-merge
		comment "Route_LAN_HomeBase_IPv6"
	}
	set pbr_wg0_6_dst_ip_cfg076ff5 { # handle 1662
		type ipv6_addr
		flags interval
		counter
		auto-merge
		comment "Route_LAN_HomeBase_IPv6"
		elements = { fd00::/60 counter packets 0 bytes 0,
			     fd02::/60 counter packets 0 bytes 0 }
	}
	set pbr_wg0_4_src_ip_cfg086ff5 { # handle 1665
		type ipv4_addr
		flags interval
		counter
		auto-merge
		comment "Internet LAN-VPN IPv4"
		elements = { 192.168.100.0/24 counter packets 14748 bytes 3019296 }
	}
	set pbr_wg0_6_src_ip_cfg086ff5 { # handle 1666
		type ipv6_addr
		flags interval
		counter
		auto-merge
		comment "Internet LAN-VPN IPv4"
	}
	set pbr_wg0_4_src_ip_cfg096ff5 { # handle 1669
		type ipv4_addr
		flags interval
		counter
		auto-merge
		comment "Internet LAN-VPN IPv6"
	}
	set pbr_wg0_6_src_ip_cfg096ff5 { # handle 1670
		type ipv6_addr
		flags interval
		counter
		auto-merge
		comment "Internet LAN-VPN IPv6"
		elements = { fd1a:0:0:1::/64 counter packets 7 bytes 651 }
	}
============================================================
IPv4 table 256 route: default via 192.168.0.1 dev wan 
IPv4 table 256 rule(s):
30000:	from all fwmark 0x10000/0xff0000 lookup pbr_wan
IPv6 table 256 route: unreachable default dev lo metric 1024 pref medium
IPv6 table 256 rule(s):
unreachable default dev lo metric 1024 pref medium
IPv4 table 257 route: unreachable default 
IPv4 table 257 rule(s):
30001:	from all fwmark 0x20000/0xff0000 lookup pbr_wwan
IPv6 table 257 route: unreachable default dev lo metric 1024 pref medium
IPv6 table 257 rule(s):
unreachable default dev lo metric 1024 pref medium
IPv4 table 258 route: unreachable default 
IPv4 table 258 rule(s):
30002:	from all fwmark 0x30000/0xff0000 lookup pbr_tethering_wan
IPv6 table 258 route: unreachable default dev lo metric 1024 pref medium
IPv6 table 258 rule(s):
unreachable default dev lo metric 1024 pref medium
IPv4 table 259 route: default via 192.168.77.3 dev wg0 
IPv4 table 259 rule(s):
30003:	from all fwmark 0x40000/0xff0000 lookup pbr_wg0
IPv6 table 259 route: unreachable default dev lo metric 1024 pref medium
IPv6 table 259 rule(s):
fd11:5ee:bad:c0de::3 dev wg0 proto kernel metric 256 pref medium
unreachable default dev lo metric 1024 pref medium

/etc/init.d/pbr reload

Activating traffic killswitch [✓]
Setting up routing for 'wan/192.168.0.1/::/0' [✓]
Setting up routing for 'wwan/0.0.0.0/::/0' [✓]
Setting up routing for 'tethering_wan/eth1/0.0.0.0/::/0' [✓]
Setting up routing for 'wg0/192.168.77.3/fd11:5ee:bad:c0de::3/128' [✓]
Routing 'Route_Router_HomeBase_IPv4' via wg0 [✓]
Routing 'Route_Router_HomeBase_IPv6' via wg0 [✓]
Routing 'Route_LAN_HomeBase_IPv4' via wg0 [✓]
Routing 'Route_LAN_HomeBase_IPv6' via wg0 [✓]
Routing 'Internet LAN-VPN IPv4' via wg0 [✓]
Routing 'Internet LAN-VPN IPv6' via wg0 [✓]
Deactivating traffic killswitch [✓]
pbr 1.1.1-7 monitoring interfaces: wan tethering_wan wwan wg0 
pbr 1.1.1-7 (nft) started with gateways:
wan/192.168.0.1/::/0 [✓]
wwan/0.0.0.0/::/0
tethering_wan/eth1/0.0.0.0/::/0
wg0/192.168.77.3/fd11:5ee:bad:c0de::3/128

/etc/init.d/pbr status

============================================================
pbr - environment
pbr 1.1.1-7 running on OpenWrt 23.05.3. WAN (IPv4): wan/wan/192.168.0.1.
============================================================
Dnsmasq version 2.90  Copyright (c) 2000-2024 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus UBus no-i18n no-IDN DHCP no-DHCPv6 no-Lua TFTP no-conntrack no-ipset no-nftset no-auth no-cryptohash no-DNSSEC no-ID loop-detect inotify dumpfile
============================================================
pbr chains - policies
	chain pbr_forward { # handle 61
	}
	chain pbr_input { # handle 62
	}
	chain pbr_output { # handle 63
		ip daddr @pbr_wg0_4_dst_ip_cfg046ff5 goto pbr_mark_0x040000 comment "Route_Router_HomeBase_IPv4" # handle 1689
		ip6 daddr @pbr_wg0_6_dst_ip_cfg046ff5 goto pbr_mark_0x040000 comment "Route_Router_HomeBase_IPv4" # handle 1690
		ip daddr @pbr_wg0_4_dst_ip_cfg056ff5 goto pbr_mark_0x040000 comment "Route_Router_HomeBase_IPv6" # handle 1693
		ip6 daddr @pbr_wg0_6_dst_ip_cfg056ff5 goto pbr_mark_0x040000 comment "Route_Router_HomeBase_IPv6" # handle 1694
		ip saddr @pbr_wg0_4_src_ip_cfg066ff5 ip daddr @pbr_wg0_4_dst_ip_cfg066ff5 goto pbr_mark_0x040000 comment "Route_LAN_HomeBase_IPv4" # handle 1699
		ip6 saddr @pbr_wg0_6_src_ip_cfg066ff5 ip6 daddr @pbr_wg0_6_dst_ip_cfg066ff5 goto pbr_mark_0x040000 comment "Route_LAN_HomeBase_IPv4" # handle 1700
		ip saddr @pbr_wg0_4_src_ip_cfg076ff5 ip daddr @pbr_wg0_4_dst_ip_cfg076ff5 goto pbr_mark_0x040000 comment "Route_LAN_HomeBase_IPv6" # handle 1705
		ip6 saddr @pbr_wg0_6_src_ip_cfg076ff5 ip6 daddr @pbr_wg0_6_dst_ip_cfg076ff5 goto pbr_mark_0x040000 comment "Route_LAN_HomeBase_IPv6" # handle 1706
	}
	chain pbr_prerouting { # handle 64
		ip saddr @pbr_wg0_4_src_ip_cfg086ff5 goto pbr_mark_0x040000 comment "Internet LAN-VPN IPv4" # handle 1709
		ip6 saddr @pbr_wg0_6_src_ip_cfg086ff5 goto pbr_mark_0x040000 comment "Internet LAN-VPN IPv4" # handle 1710
		ip saddr @pbr_wg0_4_src_ip_cfg096ff5 goto pbr_mark_0x040000 comment "Internet LAN-VPN IPv6" # handle 1713
		ip6 saddr @pbr_wg0_6_src_ip_cfg096ff5 goto pbr_mark_0x040000 comment "Internet LAN-VPN IPv6" # handle 1714
	}
	chain pbr_postrouting { # handle 65
	}
============================================================
pbr chains - marking
	chain pbr_mark_0x010000 { # handle 1675
		counter packets 0 bytes 0 meta mark set meta mark & 0xff01ffff | 0x00010000 # handle 1676
		return # handle 1677
	}
	chain pbr_mark_0x020000 { # handle 1678
		counter packets 0 bytes 0 meta mark set meta mark & 0xff02ffff | 0x00020000 # handle 1679
		return # handle 1680
	}
	chain pbr_mark_0x030000 { # handle 1681
		counter packets 0 bytes 0 meta mark set meta mark & 0xff03ffff | 0x00030000 # handle 1682
		return # handle 1683
	}
	chain pbr_mark_0x040000 { # handle 1684
		counter packets 658 bytes 83959 meta mark set meta mark & 0xff04ffff | 0x00040000 # handle 1685
		return # handle 1686
	}
============================================================
pbr nft sets
	set pbr_wg0_4_dst_ip_cfg046ff5 { # handle 1687
		type ipv4_addr
		flags interval
		counter
		auto-merge
		comment "Route_Router_HomeBase_IPv4"
		elements = { 10.0.0.0/29 counter packets 0 bytes 0, 192.168.1.0-192.168.2.255 counter packets 42 bytes 5182 }
	}
	set pbr_wg0_6_dst_ip_cfg046ff5 { # handle 1688
		type ipv6_addr
		flags interval
		counter
		auto-merge
		comment "Route_Router_HomeBase_IPv4"
	}
	set pbr_wg0_4_dst_ip_cfg056ff5 { # handle 1691
		type ipv4_addr
		flags interval
		counter
		auto-merge
		comment "Route_Router_HomeBase_IPv6"
	}
	set pbr_wg0_6_dst_ip_cfg056ff5 { # handle 1692
		type ipv6_addr
		flags interval
		counter
		auto-merge
		comment "Route_Router_HomeBase_IPv6"
		elements = { fd00::/60 counter packets 0 bytes 0,
			     fd02::/60 counter packets 0 bytes 0 }
	}
	set pbr_wg0_4_src_ip_cfg066ff5 { # handle 1695
		type ipv4_addr
		flags interval
		counter
		auto-merge
		comment "Route_LAN_HomeBase_IPv4"
		elements = { 192.168.100.0/24 counter packets 189 bytes 30862 }
	}
	set pbr_wg0_6_src_ip_cfg066ff5 { # handle 1696
		type ipv6_addr
		flags interval
		counter
		auto-merge
		comment "Route_LAN_HomeBase_IPv4"
	}
	set pbr_wg0_4_dst_ip_cfg066ff5 { # handle 1697
		type ipv4_addr
		flags interval
		counter
		auto-merge
		comment "Route_LAN_HomeBase_IPv4"
		elements = { 10.0.0.0/29 counter packets 0 bytes 0, 192.168.1.0-192.168.2.255 counter packets 0 bytes 0 }
	}
	set pbr_wg0_6_dst_ip_cfg066ff5 { # handle 1698
		type ipv6_addr
		flags interval
		counter
		auto-merge
		comment "Route_LAN_HomeBase_IPv4"
	}
	set pbr_wg0_4_src_ip_cfg076ff5 { # handle 1701
		type ipv4_addr
		flags interval
		counter
		auto-merge
		comment "Route_LAN_HomeBase_IPv6"
	}
	set pbr_wg0_6_src_ip_cfg076ff5 { # handle 1702
		type ipv6_addr
		flags interval
		counter
		auto-merge
		comment "Route_LAN_HomeBase_IPv6"
		elements = { fd1a:0:0:1::/64 counter packets 0 bytes 0 }
	}
	set pbr_wg0_4_dst_ip_cfg076ff5 { # handle 1703
		type ipv4_addr
		flags interval
		counter
		auto-merge
		comment "Route_LAN_HomeBase_IPv6"
	}
	set pbr_wg0_6_dst_ip_cfg076ff5 { # handle 1704
		type ipv6_addr
		flags interval
		counter
		auto-merge
		comment "Route_LAN_HomeBase_IPv6"
		elements = { fd00::/60 counter packets 0 bytes 0,
			     fd02::/60 counter packets 0 bytes 0 }
	}
	set pbr_wg0_4_src_ip_cfg086ff5 { # handle 1707
		type ipv4_addr
		flags interval
		counter
		auto-merge
		comment "Internet LAN-VPN IPv4"
		elements = { 192.168.100.0/24 counter packets 636 bytes 79889 }
	}
	set pbr_wg0_6_src_ip_cfg086ff5 { # handle 1708
		type ipv6_addr
		flags interval
		counter
		auto-merge
		comment "Internet LAN-VPN IPv4"
	}
	set pbr_wg0_4_src_ip_cfg096ff5 { # handle 1711
		type ipv4_addr
		flags interval
		counter
		auto-merge
		comment "Internet LAN-VPN IPv6"
	}
	set pbr_wg0_6_src_ip_cfg096ff5 { # handle 1712
		type ipv6_addr
		flags interval
		counter
		auto-merge
		comment "Internet LAN-VPN IPv6"
		elements = { fd1a:0:0:1::/64 counter packets 0 bytes 0 }
	}
============================================================
IPv4 table 256 route: default via 192.168.0.1 dev wan 
IPv4 table 256 rule(s):
30000:	from all fwmark 0x10000/0xff0000 lookup pbr_wan
IPv6 table 256 route: unreachable default dev lo metric 1024 pref medium
IPv6 table 256 rule(s):
unreachable default dev lo metric 1024 pref medium
IPv4 table 257 route: unreachable default 
IPv4 table 257 rule(s):
30001:	from all fwmark 0x20000/0xff0000 lookup pbr_wwan
IPv6 table 257 route: unreachable default dev lo metric 1024 pref medium
IPv6 table 257 rule(s):
unreachable default dev lo metric 1024 pref medium
IPv4 table 258 route: unreachable default 
IPv4 table 258 rule(s):
30002:	from all fwmark 0x30000/0xff0000 lookup pbr_tethering_wan
IPv6 table 258 route: unreachable default dev lo metric 1024 pref medium
IPv6 table 258 rule(s):
unreachable default dev lo metric 1024 pref medium
IPv4 table 259 route: default via 192.168.77.3 dev wg0 
IPv4 table 259 rule(s):
30003:	from all fwmark 0x40000/0xff0000 lookup pbr_wg0
IPv6 table 259 route: unreachable default dev lo metric 1024 pref medium
IPv6 table 259 rule(s):
fd11:5ee:bad:c0de::3 dev wg0 proto kernel metric 256 pref medium
unreachable default dev lo metric 1024 pref medium

I hope this helps to give you the information you need.
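As an added example (not code from pbr or from this thread), a small Python parser for the "pbr nft sets" section of the status output above: the per-element packet counters are the quickest way to see which policy is actually classifying traffic and which sets have never matched. It assumes the layout printed by pbr 1.1.1-7 with the nft backend, as shown in the post; the embedded sample is a constructed excerpt in that layout.

```python
import re
from collections import defaultdict
# Added diagnostic, not part of pbr or of the post: parse the "pbr nft sets" section
# of `/etc/init.d/pbr status` (pbr 1.1.1-7, nft backend) into per-policy packet counts.
SET_HEADER = re.compile(r"^\s*set\s+(\S+)\s*\{")
COMMENT = re.compile(r'^\s*comment\s+"([^"]*)"')
ELEMENT = re.compile(r"([0-9a-fA-F.:/-]+)\s+counter\s+packets\s+(\d+)\s+bytes\s+(\d+)")

def parse_pbr_sets(status_text):
    """Return {set_name: {"policy": comment, "elements": {element: (packets, bytes)}}}."""
    sets, current, in_section = {}, None, False
    for line in status_text.splitlines():
        if line.strip() == "pbr nft sets":
            in_section = True
            continue
        if not in_section:
            continue
        if line.startswith("====="):  # next section (routing tables) begins
            break
        header = SET_HEADER.match(line)
        if header:
            current = {"policy": None, "elements": {}}
            sets[header.group(1)] = current
            continue
        comment = COMMENT.match(line)
        if comment:
            current["policy"] = comment.group(1)
            continue
        # `elements = { ... }` may wrap over several lines; findall handles each line
        for element, packets, nbytes in ELEMENT.findall(line):
            current["elements"][element] = (int(packets), int(nbytes))
    return sets

def packets_per_policy(sets):
    """Sum matched packets per policy name over all of its sets (v4 and v6)."""
    totals = defaultdict(int)
    for name, info in sets.items():
        totals[info["policy"] or name] += sum(p for p, _ in info["elements"].values())
    return dict(totals)

def idle_policies(sets):
    """Policies none of whose sets matched a packet, i.e. classifying no traffic."""
    return sorted(p for p, n in packets_per_policy(sets).items() if n == 0)

# Constructed excerpt in the layout pbr prints; counter values are illustrative.
SAMPLE_STATUS = """\
pbr nft sets
    set pbr_wg0_4_dst_ip_cfg046ff5 { # handle 1687
        comment "Route_Router_HomeBase_IPv4"
        elements = { 10.0.0.0/29 counter packets 0 bytes 0, 192.168.1.0-192.168.2.255 counter packets 42 bytes 5182 }
    }
    set pbr_wg0_6_dst_ip_cfg056ff5 { # handle 1692
        comment "Route_Router_HomeBase_IPv6"
        elements = { fd00::/60 counter packets 0 bytes 0,
                     fd02::/60 counter packets 0 bytes 0 }
    }
    set pbr_wg0_4_src_ip_cfg086ff5 { # handle 1707
        comment "Internet LAN-VPN IPv4"
        elements = { 192.168.100.0/24 counter packets 636 bytes 79889 }
    }
============================================================
"""
if __name__ == "__main__":
    print(packets_per_policy(parse_pbr_sets(SAMPLE_STATUS)), idle_policies(parse_pbr_sets(SAMPLE_STATUS)))
```

On the router itself, feed it the real output with `/etc/init.d/pbr status` redirected to a file; a policy listed as idle after traffic has flowed is a hint that its rule sits in a chain that never sees that traffic.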

That version is correctly identifying the list of supported interfaces, so I'm surprised it triggers a reload on a lan6 event.

I'm reluctant to go back in time and fix an outdated version; could you please update to the newest from my repo and re-test. Just a heads up, the newer version no longer tries to detect the WAN interface automatically; you can set the WAN interface and any other supported interface manually in the config now, refer to the README section for the pbr settings.

Hi Stan,

thank you for investigating the problem. I've updated the pbr package from your repo.

As always, there are a few steps to do when replacing a package, which I didn't know before (uninstall the pbr package from the official OpenWrt repo, remove config files, etc.).

Finally, I could install the latest package from your repo and configure pbr from scratch (I just cheated a bit by copying the rules from the old pbr config file). In the first tests, it works like a charm!

I've also tested pbr with tethering_wan. It was good that you pointed out to manually set the preferred WAN interface in the config. That works as well!

Auto-detection of which WAN interface is actually up is, however, an advantage IMHO, something to keep an eye on in the further development of the package, but knowing the issues in my own case, I can understand why you've removed it.

Just another update: meanwhile, I was able to handle the issue in pbr package version 1.1.1-7 with a simple workaround:

/etc/hotplug.d/71-pbr-lan6

#!/bin/sh
# Debug log of every hotplug event this script sees
exec >>/root/hotplug.log 2>&1
# Restart pbr on any lan6 event except ifdown (i.e. ifup, ifupdate)
if [ "${ACTION}" != "ifdown" ] && [ "${INTERFACE}" = "lan6" ]; then
	service pbr restart
fi

The pbr service would restart if lan6 gets an action other than "ifdown".

As always: thank you both for the help in handling my problem!

Can you please elaborate on why you need pbr restarted on lan6 ifdown?

Hi Stan,

Sorry, my mistake. I needed pbr restarted on actions other than ifdown (ifup, ifupdate).

Thank you, that's much clearer.