Using PBR with IOT VLAN zone to only connect to specific domains

Hi. I have a VLAN-separated zone for my IOT things. Devices on the IOT interface are not allowed to access the WAN. I made a rule to allow IOT devices to request DNS. How can I set up PBR to allow devices to only connect out to specific domains? I have pbr and luci-app-pbr installed.

Here is the part of my firewall config for the iot zone:

config zone
  option name 'iot'
  option input 'REJECT'
  option output 'ACCEPT'
  option forward 'REJECT'
  list network 'iot'

config rule
  option src 'iot'
  option target 'ACCEPT'
  list proto 'tcp'
  list proto 'udp'
  option dest_port '53 67 68'
  option name 'iot dhcp dns'
  option family 'ipv4'

Have you tried using PBR?
Your firewall blocks routing to the WAN, but PBR also uses the firewall prerouting rule, so it could be hit before the block rule. It might work; at least worth a try :slight_smile:

In /etc/config/pbr add:

config policy
	option dest_addr 'ipchicken.com netflix.com'
	option interface 'wan'
	option name 'wandomains'

I have two domains routed via the WAN, but I do not have the block rules, so I am not sure whether it works for you.

You can even use nftset resolving if the domains have multiple changing addresses:

Hi. It does not work for me. I have a rpi on the IOT interface which is 10.1.5.145. It can't connect with this in pbr:

config policy
  option name 'test'
  option src_addr '10.1.5.0/24'
  option dest_addr 'ipinfo.io'
  option interface 'wan'
  option dest_port '443'
  option proto 'tcp'

This is what I see:

curl https://ipinfo.io
curl: (6) Could not resolve host: ipinfo.io

But dig works?

dig ipinfo.io

; <<>> DiG 9.18.25 <<>> ipinfo.io
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28609
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;ipinfo.io.			IN	A

;; ANSWER SECTION:
ipinfo.io.		12	IN	A	34.117.186.192

;; Query time: 0 msec
;; SERVER: 10.1.5.1#53(10.1.5.1) (UDP)
;; WHEN: Sat Apr 06 07:18:25 EDT 2024
;; MSG SIZE  rcvd: 54

Maybe the firewall deny rule takes precedence.

@egc - I've been meaning to set up PBR too. I too have an iot interface that I disallow from WAN access. I would like to use PBR to grant access to a few domains. I added your rule to my /etc/config/pbr and restarted it, but am met with the same results as @msilletti.

Do we know that PBR, when set up as preroute (although I tried postroute too), should override the fw4 deny for the interface?

@stangri - can you clear up the confusion?

If you're not allowing WAN access from your IOT firewall zone, there's nothing pbr can do about routing requests from IOT zone to WAN.

Thanks for confirming the priority of fw4 and pbr. To me, the next question is how to achieve the goal of keeping an interface banned from accessing the WAN, with domain-specific exceptions.

EDIT: I read dns_ipset and have these entries, but am still not achieving the result. I created a new thread here.
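The mechanism the last post is reaching for (dnsmasq populating a named nft set that an fw4 rule then matches on) does not need pbr at all, because the problem is the zone's forward REJECT, not routing. The fragments below are an added example, not configuration posted by any participant in this thread. The set name `iot_allowed`, the rule name, the two domains and the `iot`/`wan` zone names are assumptions chosen to match the thread; it assumes OpenWrt 22.03 or later (fw4) and a dnsmasq build with nftset support (dnsmasq-full), and it relies on the IoT clients resolving through the router's dnsmasq, which the dig output above (SERVER: 10.1.5.1) shows is already the case.

```uci
# /etc/config/firewall  (added example; zones 'iot' and 'wan' as in the thread)

# A named set that fw4 creates in the kernel as inet fw4 iot_allowed.
# It has no static entries: dnsmasq fills it with the addresses it
# resolves for the domains listed in /etc/config/dhcp below.
config ipset
	option name 'iot_allowed'
	option family 'ipv4'
	list match 'dest_ip'
	option comment 'IoT -> WAN allow-list, populated by dnsmasq'

# Exception rule: forwarding from the iot zone to the wan zone is accepted
# only when the destination address is currently in the set. The zone's
# existing forward 'REJECT' still applies to every other destination, and
# the existing 'iot dhcp dns' rule (no dest zone, so router INPUT) is what
# lets the clients reach dnsmasq in the first place.
config rule
	option name 'iot-allowed-domains'
	option src 'iot'
	option dest 'wan'
	option ipset 'iot_allowed'
	option proto 'all'
	option family 'ipv4'
	option target 'ACCEPT'

# /etc/config/dhcp  (added example; add the list lines to the existing
# 'config dnsmasq' section rather than creating a second one)
#
# nftset format: /domain[/domain...]/<ip family>#<table family>#<table>#<set>
# '4' selects A records; subdomains of each listed domain match as well.
config dnsmasq
	list nftset '/ipinfo.io/4#inet#fw4#iot_allowed'
	list nftset '/netflix.com/4#inet#fw4#iot_allowed'
```

After `/etc/init.d/firewall restart` and `/etc/init.d/dnsmasq restart`, resolve one of the domains from a client in the IoT VLAN and confirm the address landed in the set with `nft list set inet fw4 iot_allowed`; the `curl` that failed above should then succeed while a request to any other host is still rejected. Two caveats a practitioner will want: the set only covers IPv4 (the family is `4` in the nftset entry and `ipv4` in the ipset), so an IPv6-capable IoT device needs a parallel `family 'ipv6'` set with `6#inet#fw4#...` entries; and the allow-list is only as good as the resolver path, so a device that carries its own DNS-over-HTTPS client never populates the set and stays blocked, which is the correct failure mode for a zone that is supposed to be WAN-restricted. Since the address resolves to the router's default route, no pbr policy is needed for these flows; pbr's own domain handling for `dest_addr` uses the same dnsmasq nftset resolving, but it cannot lift a REJECT in the forward chain.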