Using WireGuard and PBR, some sites can be pinged but not browsed

So I'm using WireGuard and PBR; basically PBR routes some local IPs and remote IPs through the tunnel. I found that on a local client whose traffic is policy-routed through wg, some sites can't be opened (e.g. GitHub and Yahoo), even though I can ping and traceroute them.

But if I use the WireGuard client directly from Windows or iOS, the problem doesn't happen.

Here is some of my /etc/config:

network

# /etc/config/network as posted; private keys, tunnel addresses and endpoints are redacted with x's.
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

# LAN bridge, IPv4 only (ipv6 '0', delegate '0').
config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ipv6 '0'
        option delegate '0'

config device
        option name 'wan'
        option macaddr 'ss:ss:ss:ss:ss:ss'

# WAN via DHCP; ISP-supplied resolvers are ignored (peerdns '0') in favour of 192.168.1.4.
config interface 'wan'
        option device 'wan'
        option proto 'dhcp'
        option peerdns '0'
        option ipv6 '0'
        list dns '192.168.1.4'

# First WireGuard tunnel. defaultroute '0' keeps it out of the main routing table, so
# clients only reach it through the pbr policies. No 'mtu' option is set here, so the
# interface runs at the WireGuard default (1420 according to the replies further down).
config interface 'wg'
        option proto 'wireguard'
        option private_key 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
        option defaultroute '0'
        list addresses 'xxxxxxxxxxxxxxxxxxxxxxxxxxxx'
        list dns '1.1.1.1'
        list dns '1.0.0.1'

# Peer for 'wg'. allowed_ips 0.0.0.0/0 permits any IPv4 destination to be sent through this peer.
config wireguard_wg
        option description 'xxxxxxxx'
        option public_key 'xxxxxxxxxxxxxxxxxxxxxxxxxx'
        list allowed_ips '0.0.0.0/0'
        option persistent_keepalive '21'
        option endpoint_host 'xxxxxxxxxxxxxxxxxxxxxxx'
        option endpoint_port 'xxxx'

# Second WireGuard tunnel, same layout as 'wg'; likewise no explicit 'mtu'.
config interface 'wgsgsopi'
        option proto 'wireguard'
        option private_key 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
        option defaultroute '0'
        list addresses 'xxxxxxxxxxx'
        list dns '1.1.1.1'
        list dns '1.0.0.1'

# Peer for 'wgsgsopi'; this one additionally uses a preshared key on top of the key pair.
config wireguard_wgsgsopi
        option description 'xxxxxxxx'
        option public_key 'xxxxxxxxxxxxxxxxxxx'
        option preshared_key 'xxxxxxxxxxxxxxxxxxxxxx'
        option persistent_keepalive '25'
        option endpoint_host 'xxxxxxxxxxxxxxx'
        option endpoint_port 'xxxx'
        list allowed_ips '0.0.0.0/0'

firewall

# /etc/config/firewall as posted: stock OpenWrt defaults plus a 'vpn' zone and the pbr include.
config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

# wan zone: NAT (masq '1') and TCP MSS clamping (mtu_fix '1') for traffic leaving via WAN.
config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# The two rules below accept ESP and UDP/500 from wan into lan (stock OpenWrt defaults).
# NOTE(review): nothing posted shows an IPsec endpoint on lan; if there is none these
# rules are unused and could be disabled — confirm against the actual setup first.
config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

# vpn zone for both WireGuard interfaces. It masquerades like wan but, unlike wan, has
# no 'mtu_fix', so TCP MSS is not clamped for LAN traffic forwarded into the tunnel.
# Adding "option mtu_fix '1'" here is the change suggested further down in the thread
# and reported by the poster as fixing the browsing problem.
config zone
        option name 'vpn'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        list network 'wg'
        list network 'wgsgsopi'

config forwarding
        option src 'lan'
        option dest 'vpn'

# pbr installs its own rules through this include script.
config include 'pbr'
        option fw4_compatible '1'
        option type 'script'
        option path '/usr/share/pbr/firewall.include'

pbr

# /etc/config/pbr (policy-based routing) as posted; client MAC addresses are redacted.
config pbr 'config'
        option enabled '1'
        option verbosity '2'
        # NOTE(review): presumably keeps matching traffic from falling back to WAN when the
        # policy's interface is down (i.e. no leak outside the tunnel) — verify in the pbr docs.
        option strict_enforcement '1'
        # Domain names in dest_addr (see the 'Twitter DNS' policy) are matched via nft sets
        # populated by dnsmasq.
        option resolver_set 'dnsmasq.nftset'
        option ipv6_enabled '0'
        # NOTE(review): neither 'vpnserver' nor 'wgserver' appears in the posted network
        # config — confirm these interface names are still current.
        list ignored_interface 'vpnserver'
        list ignored_interface 'wgserver'
        option boot_timeout '30'
        option rule_create_option 'add'
        option procd_reload_delay '1'
        option webui_show_ignore_target '0'
        list webui_supported_protocol 'all'
        list webui_supported_protocol 'tcp'
        list webui_supported_protocol 'udp'
        list webui_supported_protocol 'tcp udp'
        list webui_supported_protocol 'icmp'
        option nft_file_mode '1'

# Per-device policies: clients identified by MAC (space-separated list) are steered onto 'wgsgsopi'.
config policy
        option src_addr 'XX:XX:XX:XX:XX YY:YY:YY:YY:YY'
        option interface 'wgsgsopi'
        option name 'iphone'

config policy
        option name 'laptop'
        option src_addr 'XX:XX:XX:XX:XX'
        option interface 'wgsgsopi'

# Destination-based policy: no src_addr, so these hostnames go via 'wg' for every LAN client.
config policy
        option name 'Twitter DNS'
        option dest_addr 'ads-twitter.com cms-twdigitalassets.com periscope.tv pscp.tv t.co tellapart.com tweetdeck.com twimg.com twitpic.com twitter.biz twitter.com twitter.jp twittercommunity.com twitterflightschool.com twitterinc.com twitteroauth.com twitterstat.us twtrdns.net twttr.com twttr.net twvid.com vine.co x.com'
        option interface 'wg'

Any help would be great, thanks.

Try lowering the MTU on the WG interface.

The default MTU is 1420, and that is sometimes too high, resulting in slow or hanging connections and an inability to load certain sites and/or streaming media.

Start with 1280 and, if it works, increase slowly.

I've set 1280 but still can't browse those sites. Any other recommendation?

One thing you can try is to go even lower than 1280.

Another thing to try is to set option mtu_fix '1' on the vpn firewall zone; that enables TCP MSS clamping for traffic forwarded into the tunnel, which is the usual reason small ICMP pings get through while full-size TCP segments for browsing hang.

Make sure you reboot after changing settings, or run:
service network restart
service firewall restart


This fixed it, thanks.

One more question: if I set the MTU back to 1420 and it still works, is it okay to just keep it at 1420?


Sure — the higher the MTU, the faster the connection (until it is too high and breaks :wink:).