VPN Only Network and Non-VPN Network

Hey folks,

yesterday I managed (with your help) to set up my RT-AX52 with OpenWRT + Wireguard and get my traffic through the VPN. Unfortunately some sports websites I am subscribed to don't work when a VPN is detected, so I thought I'd follow this guide to the letter to set up a guest network https://openwrt.org/docs/guide-user/network/wifi/guestwifi/configuration_webinterface

The issue is when I go to Network -> DNS -> Devices and Ports -> Add Non-VPN to 'Listen Devices' then nothing works anymore (no internet on the non-vpn or on the vpn only networks).
Here are my firewall settings. Any help would be greatly appreciated.

Not sure what you're trying to achieve, but if your goal is to access some sites through a VPN while others open directly via your WAN, you'll need to configure Policy-Based Routing (PBR).

Have you configured traffic rules to allow DNS and DHCP for the guest network?

With your current setup, devices on the lan network will access the internet via vpn... Devices connected to the guest network will access the internet via WAN.

Is this your desired setup? If not, please describe what you are trying to achieve

Hey thanks for your reply. I tried out this PBR thing earlier today but when I tried starting it, it got stuck at the 'pbr service is starting' forever. So I couldn't even make it past the first step.

My end goal is to route all traffic through the VPN from all devices, except when I am visiting certain websites like amazon, skysports etc. Right now, all my traffic goes through the VPN, no exceptions; if the VPN connection drops I have no internet access.

How should I configure the traffic rules? I am new to all this so apologies.


The simplest way to achieve your setup is to use Policy-Based Routing (PBR) (see the video I shared above).

Then create PBR rules to route selected websites through the WAN. So, most traffic will go through the VPN, while specific sites defined in your PBR rules will bypass the VPN and use the WAN instead.

If needed, you can reset your router to factory default and start from the initial setup (make sure to back up your current configuration so you can restore it later).

Good luck exploring PBR routing

added:
To route subdomains in PBR (like *.amazon.com), replace the default dnsmasq with dnsmasq-full: https://docs.openwrt.melmac.ca/pbr/#how-to-install-dnsmasq-full

Thanks for the video. Any chance you can help me with the following?

PBR doesn't show any service gateways and service status says stopped. If I try to start it it just says starting and nothing else happens.

Let's take a look at the config...

Firstly reboot your router.
Then please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:

Remember to redact passwords, VPN keys, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/firewall
cat /etc/config/pbr
service pbr status
logread | grep pbr
apk list --installed | grep pbr
apk list --installed | grep dnsmasq

root@OpenWrt:~# ubus call system board
{
	"kernel": "6.12.74",
	"hostname": "OpenWrt",
	"system": "ARMv8 Processor rev 4",
	"model": "ASUS RT-AX52",
	"board_name": "asus,rt-ax52",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "25.12.1",
		"firmware_url": "https://downloads.openwrt.org/",
		"revision": "r32768-b21cfa8f8c",
		"target": "mediatek/filogic",
		"description": "OpenWrt 25.12.1 r32768-b21cfa8f8c",
		"builddate": "1773711117"
	}
}
root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	list ipaddr 'XXXXXXXXXXXXXXXXXXXX'

config globals 'globals'
	option dhcp_default_duid 'XXXXXXXXXXXXXXXXXXXX'
	option ula_prefix 'XXXXXXXXXXXXXXXXXXXX'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	list ipaddr 'XXXXXXXXXXXXXXXXXXXX'
	option ip6assign '60'

config interface 'wan6'
	option device 'wan'
	option proto 'pppoe'
	option username 'dsl000000000@broadband.vodafone.co.uk'
	option password 'XXXXXXXXXXXXXXXXXXXX'
	option ipv6 'auto'
	option norelease '1'
	option multipath 'off'
	option peerdns '0'
	list dns 'XXXXXXXXXXXXXXXXXXXX'

config interface 'VPN_ModerateNAT'
	option proto 'wireguard'
	option private_key 'XXXXXXXXXXXXXXXXXXXX'
	list addresses 'XXXXXXXXXXXXXXXXXXXX'
	list addresses 'XXXXXXXXXXXXXXXXXXXX'
	list dns 'XXXXXXXXXXXXXXXXXXXX'
	list dns 'XXXXXXXXXXXXXXXXXXXX'
	option multipath 'off'

config wireguard_VPN_ModerateNAT
	option description 'Imported peer configuration'
	option public_key 'XXXXXXXXXXXXXXXXXXXX'
	list allowed_ips '0.0.0.0/0'
	list allowed_ips '::/0'
	option persistent_keepalive '25'
	option endpoint_host 'XXXXXXXXXXXXXXXXXXXX'
	option endpoint_port '00000'
	option route_allowed_ips '1'

config device
	option type 'bridge'
	option name 'br-guest'
	option bridge_empty '1'

config interface 'guest'
	option proto 'static'
	option device 'br-guest'
	option ipaddr 'XXXXXXXXXXXXXXXXXXXX'
	option multipath 'off'

root@OpenWrt:~# cat /etc/config/firewall

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'
	option flow_offloading '1'
	option flow_offloading_hw '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	option mtu_fix '1'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'DROP'
	option masq '1'
	option mtu_fix '1'
	list network 'wan6'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'vpn_modnat'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	list network 'VPN_ModerateNAT'
	option masq6 '1'

config forwarding
	option src 'lan'
	option dest 'vpn_modnat'

config zone
	option name 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'guest'

config forwarding
	option src 'guest'
	option dest 'wan'

config rule
	option src 'guest'
	option name 'Allow-DNS-Guest'
	option dest_port '53'
	option target 'ACCEPT'

config rule
	option src 'guest'
	option name 'Allow-DHCP-Guest'
	list proto 'udp'
	option dest_port '67'
	option target 'ACCEPT'

root@OpenWrt:~# cat /etc/config/pbr

config pbr 'config'
	option enabled '1'
	option fw_mask '00ff0000'
	option ipv6_enabled '0'
	option nft_rule_counter '0'
	option nft_set_auto_merge '1'
	option nft_set_counter '0'
	option nft_set_flags_interval '1'
	option nft_set_flags_timeout '0'
	option nft_set_policy 'performance'
	option nft_user_set_counter '0'
	option procd_boot_trigger_delay '5000'
	option procd_reload_delay '0'
	option resolver_set 'dnsmasq.nftset'
	option strict_enforcement '1'
	option uplink_interface 'wan'
	option uplink_interface6 'wan6'
	option uplink_ip_rules_priority '30000'
	option uplink_mark '00010000'
	option verbosity '2'
	list ignored_interface 'vpnserver'
	list lan_device 'br-lan'
	list resolver_instance '*'
	list webui_supported_protocol 'all'
	list webui_supported_protocol 'tcp'
	list webui_supported_protocol 'udp'
	list webui_supported_protocol 'tcp udp'
	list webui_supported_protocol 'icmp'
	option config_compat '25'
	option config_version '1.2.2-r12'

config include
	option path '/usr/share/pbr/pbr.user.dnsprefetch'
	option enabled '0'

config include
	option path '/usr/share/pbr/pbr.user.aws'
	option enabled '0'

config include
	option path '/usr/share/pbr/pbr.user.netflix'
	option enabled '0'

config dns_policy
	option name 'Redirect Local IP DNS'
	option src_addr 'XXXXXXXXXXXXXXXXXXXX'
	option dest_dns 'XXXXXXXXXXXXXXXXXXXX'
	option enabled '0'

config policy
	option name 'Ignore Local Requests'
	option interface 'ignore'
	option dest_addr '10.0.0.0/24 10.0.1.0/24 192.168.100.0/24 192.168.1.0/24'
	option enabled '0'

config policy
	option name 'Plex/Emby Local Server'
	option interface 'wan'
	option src_port '8096 8920 32400'
	option enabled '0'

config policy
	option name 'Plex/Emby Remote Servers'
	option interface 'wan'
	option dest_addr 'plex.tv my.plexapp.com emby.media app.emby.media tv.emby.media'
	option enabled '0'

root@OpenWrt:~# service pbr status

pbr - environment
pbr 1.2.2-r12 on OpenWrt 25.12.1 r32768-b21cfa8f8c.
Uplink (IPv4): wan/0.0.0.0.

Dnsmasq version 2.91  Copyright (c) 2000-2025 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus UBus no-i18n no-IDN DHCP no-DHCPv6 no-Lua TFTP no-conntrack no-ipset no-nftset no-auth no-DNSSEC no-ID loop-detect inotify dumpfile

pbr chains - policies

pbr chains - marking

pbr nft sets

pbr tables & routing
IPv4 table main routes:
    default dev VPN_ModerateNAT proto static scope link 
    XXXXXXXXXXXXXXXXXXXX dev pppoe-wan6 proto kernel scope link src XXXXXXXXXXXXXXXXXXXX 
    XXXXXXXXXXXXXXXXXXXX via 84.65.192.1 dev pppoe-wan6 proto static 
    XXXXXXXXXXXXXXXXXXXX dev br-lan proto kernel scope link src XXXXXXXXXXXXXXXXXXXX 
IPv4 table main rules:
    32766:	from all lookup main

root@OpenWrt:~# logread | grep pbr
Sat Mar 21 21:11:52 2026 user.notice pbr [1748]: Setting trigger (on_boot) [βœ“]
Sat Mar 21 21:14:06 2026 user.notice pbr [3805]: Forwarding is disabled
Sat Mar 21 21:14:06 2026 user.notice pbr [3805]: Using uplink interface (on_start): wan [βœ“]
Sat Mar 21 21:14:07 2026 user.notice pbr [3805]: Processing environment (on_start) [βœ—]
Sat Mar 21 21:14:07 2026 user.notice pbr [3805]: WARNING: Uplink/WAN interface is still down, going back to boot mode.
Sat Mar 21 21:14:07 2026 user.notice pbr [3805]: Setting trigger (on_boot) [βœ“]
Sat Mar 21 21:14:07 2026 user.notice pbr [3805]: Forwarding is enabled
Sat Mar 21 21:14:42 2026 user.notice pbr [4440]: Forwarding is disabled
Sat Mar 21 21:14:43 2026 user.notice pbr [4440]: Using uplink interface (on_start): wan [βœ“]
Sat Mar 21 21:14:43 2026 user.notice pbr [4440]: Processing environment (on_start) [βœ—]
Sat Mar 21 21:14:43 2026 user.notice pbr [4440]: WARNING: Uplink/WAN interface is still down, going back to boot mode.
Sat Mar 21 21:14:43 2026 user.notice pbr [4440]: Setting trigger (on_boot) [βœ“]
Sat Mar 21 21:14:43 2026 user.notice pbr [4440]: Forwarding is enabled
Sat Mar 21 21:20:53 2026 user.notice pbr [5581]: Forwarding is disabled
Sat Mar 21 21:20:54 2026 user.notice pbr [5581]: Using uplink interface (on_start): wan [βœ“]
Sat Mar 21 21:20:54 2026 user.notice pbr [5581]: Processing environment (on_start) [βœ—]
Sat Mar 21 21:20:54 2026 user.notice pbr [5581]: WARNING: Uplink/WAN interface is still down, going back to boot mode.
Sat Mar 21 21:20:54 2026 user.notice pbr [5581]: Setting trigger (on_boot) [βœ“]
Sat Mar 21 21:20:54 2026 user.notice pbr [5581]: Forwarding is enabled
Sat Mar 21 21:44:01 2026 user.notice pbr [7371]: Forwarding is disabled
Sat Mar 21 21:44:01 2026 user.notice pbr [7371]: Using uplink interface (on_start): wan [βœ“]
Sat Mar 21 21:44:02 2026 user.notice pbr [7371]: Processing environment (on_start) [βœ—]
Sat Mar 21 21:44:02 2026 user.notice pbr [7371]: WARNING: Uplink/WAN interface is still down, going back to boot mode.
Sat Mar 21 21:44:02 2026 user.notice pbr [7371]: Setting trigger (on_boot) [βœ“]
Sat Mar 21 21:44:02 2026 user.notice pbr [7371]: Forwarding is enabled
Sat Mar 21 22:14:01 2026 user.notice pbr [7834]: Forwarding is disabled
Sat Mar 21 22:14:02 2026 user.notice pbr [7834]: Using uplink interface (on_start): wan [βœ“]
Sat Mar 21 22:14:02 2026 user.notice pbr [7834]: Processing environment (on_start) [βœ—]
Sat Mar 21 22:14:02 2026 user.notice pbr [7834]: WARNING: Uplink/WAN interface is still down, going back to boot mode.
Sat Mar 21 22:14:02 2026 user.notice pbr [7834]: Setting trigger (on_boot) [βœ“]
Sat Mar 21 22:14:02 2026 user.notice pbr [7834]: Forwarding is enabled
Sat Mar 21 22:44:01 2026 user.notice pbr [8294]: Forwarding is disabled
Sat Mar 21 22:44:02 2026 user.notice pbr [8294]: Using uplink interface (on_start): wan [βœ“]
Sat Mar 21 22:44:02 2026 user.notice pbr [8294]: Processing environment (on_start) [βœ—]
Sat Mar 21 22:44:02 2026 user.notice pbr [8294]: WARNING: Uplink/WAN interface is still down, going back to boot mode.
Sat Mar 21 22:44:02 2026 user.notice pbr [8294]: Setting trigger (on_boot) [βœ“]
Sat Mar 21 22:44:02 2026 user.notice pbr [8294]: Forwarding is enabled
Sat Mar 21 23:14:01 2026 user.notice pbr [8757]: Forwarding is disabled
Sat Mar 21 23:14:02 2026 user.notice pbr [8757]: Using uplink interface (on_start): wan [βœ“]
Sat Mar 21 23:14:02 2026 user.notice pbr [8757]: Processing environment (on_start) [βœ—]
Sat Mar 21 23:14:02 2026 user.notice pbr [8757]: WARNING: Uplink/WAN interface is still down, going back to boot mode.
Sat Mar 21 23:14:02 2026 user.notice pbr [8757]: Setting trigger (on_boot) [βœ“]
Sat Mar 21 23:14:02 2026 user.notice pbr [8757]: Forwarding is enabled
root@OpenWrt:~# apk list --installed | grep pbr
luci-app-pbr-1.2.2-r12 noarch {feeds/luci/feeds/luci/applications/luci-app-pbr} (AGPL-3.0-or-later) [installed]
pbr-1.2.2-r12 noarch {feeds/packages/feeds/packages/net/pbr} (AGPL-3.0-or-later) [installed]
root@OpenWrt:~# apk list --installed | grep dnsmasq

I pasted the output above, I just put XXXXXXXXXXXXXXXXXXXX wherever I thought was private info per your comments.

Let's try to clean up your setup a bit.

  1. I do not see a wan interface in your network configuration. Currently, your /etc/config/network contains config interface 'wan6'. Let's rename this line to config interface 'wan':
config interface 'wan6'     <- change to 'wan'
	option device 'wan'
	option proto 'pppoe'
  2. Let's set option route_allowed_ips '0' in your VPN configuration in /etc/config/network (so we can later configure routing from the PBR config side):
config wireguard_VPN_ModerateNAT
	option description 'Imported peer configuration'
	...
	option route_allowed_ips '1'      <- change to '0'
  3. Let's also add a separate lan to wan forwarding. Add the following entry to /etc/config/firewall:
config forwarding
	option src 'lan'
	option dest 'wan'
  4. Also, in the /etc/config/firewall, change list network 'wan6' to list network 'wan' within this block:

After that, reboot the router and check logread | grep pbr and service pbr status again.
If PBR still fails to start, please provide the latest terminal output reflecting the updated configuration.

P.S. If you are a Windows user, you can install WinSCP and connect to the router using the SCP protocol to edit the configuration files.

Here's a dumb question for you.. When I type the following

config interface 'wan'
option device 'wan'
option proto 'pppoe'

I get this

What am I doing wrong?

You are mixing up the shell with the appropriate config file, you could just as well shout at your router, with the same result, nothing.


Sadly it still doesn't work (same issue, it doesn't start). Here's the output

The main OpenWrt config files are located under /etc/config/ on your router. They can be modified either with a text editor or via the UCI command-line interface.

Hey, yep I got mixed up with the entries. I managed to use your instructions. Please see my previous post with the outputs. The issue persists unfortunately. (I am on a Macbook by the way)

Let's review your current configuration. Please provide the terminal output of the following commands (do not forget to redact any sensitive information).

cat /etc/config/network
cat /etc/config/firewall
cat /etc/config/pbr
service pbr status
logread | grep pbr

Here you go

root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	list ipaddr 'REDACTED'

config globals 'globals'
	option dhcp_default_duid 'REDACTED'
	option ula_prefix 'REDACTED'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	list ipaddr 'REDACTED'
	option ip6assign '60'

config interface 'wan'
	option device 'wan'
	option proto 'pppoe'
	option username 'REDACTED@REDACTED'
	option password 'REDACTED'
	option ipv6 'auto'
	option norelease '1'
	option multipath 'off'
	option peerdns '0'
	list dns 'REDACTED'

config interface 'VPN_ModerateNAT'
	option proto 'wireguard'
	option private_key 'REDACTED'
	list addresses 'REDACTED'
	list addresses 'REDACTED'
	list dns 'REDACTED'
	list dns 'REDACTED'
	option multipath 'off'

config wireguard_VPN_ModerateNAT
	option description 'Imported peer configuration'
	option public_key 'REDACTED'
	list allowed_ips '0.0.0.0/0'
	list allowed_ips '::/0'
	option persistent_keepalive '25'
	option endpoint_host 'REDACTED'
	option endpoint_port 'REDACTED'
	option route_allowed_ips '0'

config device
	option type 'bridge'
	option name 'br-guest'
	option bridge_empty '1'

config interface 'guest'
	option proto 'static'
	option device 'br-guest'
	option ipaddr 'REDACTED'
	option multipath 'off'
root@OpenWrt:~# cat /etc/config/firewall

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'
	option flow_offloading '1'
	option flow_offloading_hw '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	option mtu_fix '1'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'DROP'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'vpn_modnat'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	list network 'VPN_ModerateNAT'
	option masq6 '1'

config forwarding
	option src 'lan'
	option dest 'vpn_modnat'

config zone
	option name 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'guest'

config forwarding
	option src 'guest'
	option dest 'wan'

config rule
	option src 'guest'
	option name 'Allow-DNS-Guest'
	option dest_port '53'
	option target 'ACCEPT'

config rule
	option src 'guest'
	option name 'Allow-DHCP-Guest'
	list proto 'udp'
	option dest_port '67'
	option target 'ACCEPT'

config forwarding
	option src 'lan'
	option dest 'wan'
root@OpenWrt:~# cat /etc/config/pbr

config pbr 'config'
	option enabled '1'
	option fw_mask '00ff0000'
	option ipv6_enabled '0'
	option nft_rule_counter '0'
	option nft_set_auto_merge '1'
	option nft_set_counter '0'
	option nft_set_flags_interval '1'
	option nft_set_flags_timeout '0'
	option nft_set_policy 'performance'
	option nft_user_set_counter '0'
	option procd_boot_trigger_delay '5000'
	option procd_reload_delay '0'
	option resolver_set 'dnsmasq.nftset'
	option strict_enforcement '1'
	option uplink_interface 'wan'
	option uplink_interface6 'wan6'
	option uplink_ip_rules_priority '30000'
	option uplink_mark '00010000'
	option verbosity '2'
	list ignored_interface 'vpnserver'
	list lan_device 'br-lan'
	list resolver_instance '*'
	list webui_supported_protocol 'all'
	list webui_supported_protocol 'tcp'
	list webui_supported_protocol 'udp'
	list webui_supported_protocol 'tcp udp'
	list webui_supported_protocol 'icmp'
	option config_compat '25'
	option config_version '1.2.2-r12'

config include
	option path '/usr/share/pbr/pbr.user.dnsprefetch'
	option enabled '0'

config include
	option path '/usr/share/pbr/pbr.user.aws'
	option enabled '0'

config include
	option path '/usr/share/pbr/pbr.user.netflix'
	option enabled '0'

config dns_policy
	option name 'Redirect Local IP DNS'
	option src_addr 'REDACTED'
	option dest_dns 'REDACTED'
	option enabled '0'

config policy
	option name 'Ignore Local Requests'
	option interface 'ignore'
	option dest_addr '10.0.0.0/24 10.0.1.0/24 192.168.100.0/24 192.168.1.0/24'
	option enabled '0'

config policy
	option name 'Plex/Emby Local Server'
	option interface 'wan'
	option src_port '8096 8920 32400'
	option enabled '0'

config policy
	option name 'Plex/Emby Remote Servers'
	option interface 'wan'
	option dest_addr 'plex.tv my.plexapp.com emby.media app.emby.media tv.emby.media'
	option enabled '0'

root@OpenWrt:~# service pbr status

pbr - environment
pbr 1.2.2-r12 on OpenWrt 25.12.1 r32768-b21cfa8f8c.
Uplink (IPv4): wan/wan/0.0.0.0.

Dnsmasq version 2.91  Copyright (c) 2000-2025 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus UBus no-i18n no-IDN DHCP no-DHCPv6 no-Lua TFTP no-conntrack no-ipset no-nftset no-auth no-DNSSEC no-ID loop-detect inotify dumpfile

pbr chains - policies

pbr chains - marking

pbr nft sets

pbr tables & routing
IPv4 table main routes:
    REDACTED dev br-lan proto kernel scope link src 192.168.1.1 
IPv4 table main rules:
    REDACTED:	from all lookup main

root@OpenWrt:~# logread | grep pbr

Did you reboot the router after the config changes? The WAN interface still doesn't have an IP address:

Let's first add two simple test rules to /etc/config/pbr at the end of the file:

config policy
        option name 'ifconfig.me via VPN'
        option dest_addr 'ifconfig.me'
        option interface 'VPN_ModerateNAT'
        option enabled '1'

config policy
        option name 'ident.me via WAN'
        option dest_addr 'ident.me'
        option interface 'wan'
        option enabled '1'

Then restart PBR:

service pbr restart

Also, please confirm that dnsmasq-full is installed (domain policies require nftset support):

apk list --installed | grep dnsmasq

If you see dnsmasq instead of dnsmasq-full, replace it by following: https://docs.openwrt.melmac.ca/pbr/#how-to-install-dnsmasq-full

Thanks that seems to make it work. Now I don't have any internet connection though. I guess it's because I haven't actually set up PBR yet, is that right?

I updated my previous comment with additional information. Please take a look.

Now you have WAN and VPN visible in the PBR UI, and you need to start the PBR configuration.

Firstly, let's route all LAN traffic through the VPN, as you requested: open a terminal connected to your router via ssh and run these commands (taken from this guide):

# Route LAN to VPN
uci add pbr policy
uci set pbr.@policy[-1].src_addr="192.168.1.0/24"
uci set pbr.@policy[-1].interface="VPN_ModerateNAT"
uci commit pbr
service pbr restart

If you want traffic for a specific website to go through the WAN instead of the VPN, simply add another policy rule above the previous "Route LAN to VPN" rule in the /etc/config/pbr file:

config policy
        option name 'amazon non-vpn access'
        option dest_addr 'amazon.com'
        option interface 'wan'
        option enabled '1'
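The checks the replies in this thread walk through by hand (the pbr uplink_interface has to match an interface that really exists in /etc/config/network, the firewall zone has to follow the rename, the WireGuard peer has to stop installing its own 0.0.0.0/0 route, a guest zone with input REJECT needs DNS and DHCP input rules, and a site-bypass policy has to sit above the catch-all LAN-to-VPN policy) can be scripted against the three UCI files. The following is an added example written for this page, not code from the thread or from the pbr project. It parses the UCI text format with a small hand-written parser (not libuci) and runs over constructed, trimmed copies of the configs posted above; the NETWORK_BEFORE/AFTER, FIREWALL_BEFORE/AFTER and PBR_* samples and the finding codes are this example's own.

```python
"""Lint an OpenWrt split-tunnel setup (pbr over WireGuard) for the mismatches
diagnosed in this thread. Added example, not code from the thread or the pbr
project; the sample configs are constructed, trimmed copies of what was posted."""
import re

_TOKEN = re.compile(r"""\s*(?:'([^']*)'|"([^"]*)"|(\S+))""")  # one UCI token: quoted or bare


def parse_uci(text: str) -> list[dict]:
    """Minimal UCI text parser: sections as {"type", "name", "opt": {k: v}, "list": {k: [v]}}."""
    out: list[dict] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        kw, *rest = [a or b or c for a, b, c in _TOKEN.findall(line)]
        if kw == "config":
            out.append({"type": rest[0], "name": rest[1] if len(rest) > 1 else None, "opt": {}, "list": {}})
        elif kw == "option":
            out[-1]["opt"][rest[0]] = rest[1]
        elif kw == "list":
            out[-1]["list"].setdefault(rest[0], []).append(rest[1])
    return out


def check_split_tunnel(network: str, firewall: str, pbr: str) -> list[tuple[str, str]]:
    """Return (code, message) findings; an empty list means the three files agree."""
    net, fw, pb = parse_uci(network), parse_uci(firewall), parse_uci(pbr)
    found: list[tuple[str, str]] = []
    ifaces = {s["name"] for s in net if s["type"] == "interface"}
    cfg = next((s["opt"] for s in pb if s["type"] == "pbr"), {})
    uplink = cfg.get("uplink_interface", "wan")
    # 1. pbr's uplink must name a real interface; otherwise pbr waits forever for it to come up.
    if uplink not in ifaces:
        found.append(("PBR_UPLINK_MISSING", f"uplink_interface '{uplink}' is not one of {sorted(ifaces)}; pbr logs 'Uplink/WAN interface is still down'"))
    # 2. Firewall zones must reference interfaces that still exist after a rename.
    for z in (s for s in fw if s["type"] == "zone"):
        for n in z["list"].get("network", []):
            if n not in ifaces:
                found.append(("FW_ZONE_UNKNOWN_IFACE", f"zone '{z['opt']['name']}' lists unknown interface '{n}'"))
    # 3. With pbr enabled, the WireGuard peer must not install its own 0.0.0.0/0 route.
    if cfg.get("enabled") == "1":
        for peer in (s for s in net if s["type"].startswith("wireguard_")):
            if peer["opt"].get("route_allowed_ips") == "1" and "0.0.0.0/0" in peer["list"].get("allowed_ips", []):
                found.append(("WG_ROUTE_ALLOWED_IPS", f"peer of '{peer['type'][10:]}' installs a default route; set route_allowed_ips '0' so pbr owns routing"))
    # 4. A client zone with input REJECT needs explicit ACCEPT input rules for DNS (53) and DHCP (67).
    client_zones = {s["opt"].get("src") for s in fw if s["type"] == "forwarding"}
    accept_in = [s["opt"] for s in fw if s["type"] == "rule" and "dest" not in s["opt"] and s["opt"].get("target") == "ACCEPT"]
    for z in (s["opt"] for s in fw if s["type"] == "zone"):
        if z["name"] not in client_zones or z.get("input") == "ACCEPT":
            continue
        ports = {r.get("dest_port") for r in accept_in if r.get("src") == z["name"]}
        for port, code in (("53", "ZONE_NO_DNS"), ("67", "ZONE_NO_DHCP")):
            if port not in ports:
                found.append((code, f"zone '{z['name']}' rejects input but has no ACCEPT rule for port {port}"))
    # 5. pbr evaluates policies top-down, so a site bypass placed below a catch-all never matches.
    catch_all = False
    for p in (s["opt"] for s in pb if s["type"] == "policy" and s["opt"].get("enabled", "1") != "0"):
        selective = any(k in p for k in ("dest_addr", "dest_port", "src_port"))
        if not selective and "src_addr" in p:
            catch_all = True
        elif catch_all and p.get("interface") == uplink:
            found.append(("PBR_POLICY_ORDER", f"bypass policy '{p.get('name')}' is below a catch-all policy; move it above"))
    return found


# Constructed samples: the state as first posted, then the state after the advised edits.
NETWORK_BEFORE = """
config interface 'wan6'
	option proto 'pppoe'
config interface 'VPN_ModerateNAT'
config wireguard_VPN_ModerateNAT
	list allowed_ips '0.0.0.0/0'
	option route_allowed_ips '1'
config interface 'guest'
"""
NETWORK_AFTER = NETWORK_BEFORE.replace("'wan6'", "'wan'").replace("route_allowed_ips '1'", "route_allowed_ips '0'")
# The guest-wifi guide's DHCP rule is left out of FIREWALL_BEFORE on purpose to exercise check 4.
FIREWALL_BEFORE = """
config zone
	option name 'wan'
	list network 'wan6'
config zone
	option name 'guest'
	option input 'REJECT'
	list network 'guest'
config forwarding
	option src 'guest'
	option dest 'wan'
config rule
	option src 'guest'
	option dest_port '53'
	option target 'ACCEPT'
"""
FIREWALL_AFTER = FIREWALL_BEFORE.replace("'wan6'", "'wan'") + "config rule\n\toption src 'guest'\n\toption proto 'udp'\n\toption dest_port '67'\n\toption target 'ACCEPT'\n"
PBR_HEAD = "config pbr 'config'\n\toption enabled '1'\n\toption strict_enforcement '1'\n\toption uplink_interface 'wan'\n"
PBR_CATCH_ALL = "config policy\n\toption name 'Route LAN to VPN'\n\toption src_addr '192.168.1.0/24'\n\toption interface 'VPN_ModerateNAT'\n"
PBR_BYPASS = "config policy\n\toption name 'amazon non-vpn access'\n\toption dest_addr 'amazon.com'\n\toption interface 'wan'\n"
PBR_BEFORE = PBR_HEAD + PBR_CATCH_ALL + PBR_BYPASS  # `uci add pbr policy` appends, i.e. below the catch-all
PBR_AFTER = PBR_HEAD + PBR_BYPASS + PBR_CATCH_ALL
```

Run it on copies of /etc/config/network, /etc/config/firewall and /etc/config/pbr pulled from the router with scp; the finding list is empty once the three files agree. The policy-order check encodes the advice above that a bypass rule must be placed above the catch-all: uci add appends a section to the end of the file, so a bypass added that way lands below the "Route LAN to VPN" rule. One caveat on the poster's "if the VPN drops I have no internet" concern: the posted pbr config has strict_enforcement '1', which is the option that decides whether traffic matched by a policy whose gateway interface is down gets blocked or falls back to the main routing table; check pbr's README for the exact semantics of that option before relying on it as a kill switch either way.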

No, this is not ok, because you should have internet access like normal via your WAN port (like when you hadn't configured a VPN and just connected your ISP cable to the WAN port).