Found a Reference here: https://github.com/openwrt/luci/issues/5409#issuecomment-1013350787
I don’t have a clue why I continued to brick my latest FW4 build by adding a second instance ¯\(ツ)/¯ other than the missing iptables-nft ????
I eventually ended up going back to my last FW3 build on the other box, configuring/verifying the problem second instance, and making a sysupgrade backup.
Made a new build with the missing iptables-nft module, flashed, and restored backup from FW3 build.
All is GOOD again!
I am able to route all devices subjected to policies at will. Everything else goes to default gateway.
Apparently ipset is also being deprecated by introduction of firewall4, I would recommend to NOT upgrade to the snapshots build from January 18th or later if you want to keep using vpn-policy-routing, pbr or simple-adblock.
I understood from this that firewall3 would still be an option in the interim.
As discussed at yesterday's meeting I merged the changes. The next release will use firewall4 as default and all packages incompatible (e.g. using ipset) should add a negative dependency. Our considerations are that the default (WiFi home router) setup works fine with firewall4 and special cases can always replace firewall4 with firewall3, which should work at least until the upcoming 5.15 Kernels.
@stangri Will you be able to point me at something that will help me solve the issue? I am a bit lost at the moment.
Hello.
I have about 30 rules and they all work fine except for some domains.
For example, ypncdn.com and t-ru.org
Error example:
iptables -t mangle -A VPR_PREROUTING -g VPR_MARK0x020000 -s 192.168.0.0/16 -d ypncdn.com -m comment --comment ypncdn_com
iptables -t mangle -A VPR_PREROUTING -g VPR_MARK0x020000 -s 192.168.0.0/16 -d t-ru.org -m comment --comment t-ru_org
What does this mean and what could be the problem?
Hello everyone. I am very new to openwrt and been using it for couple months now.
I'm having a problem using custom user files in this app.
I have set up a wireguard on my asus router.
If i add remote addresses in "Policies" section, it all works, but with custom user files it doesn't work.
Even the two pre-set files in the app do not work and give me error Error running custom user file '/etc/vpn-policy-routing.aws.user'!
Same for the netflix file
I'm trying to route my steam/valve connection directly without wireguard.
I am using this list of ip addresses https://bgp.he.net/AS32590#_prefixes
I have created two files in /etc/ folder:
- VALVE_IP.list (just the list of the ip addresses of valve from the link above)
- vpn-policy-routing.valve.user
#!/bin/sh
TARGET_IPSET="WAN"
TARGET_FNAME="/etc/VALVE_IP.list"
_ret=1
if [ -s "$TARGET_FNAME" ]; then
    awk -v ipset="$TARGET_IPSET" '{print "add " ipset " " $1}' "$TARGET_FNAME" | ipset restore -! && _ret=0
fi
return $_ret
I have used tutorial of this guy https://www.youtube.com/watch?v=YEHDf8-nZyA
I took his .user file and added WAN to the TARGET_IPSET and /etc/VALVE_IP.list to the TARGET_FNAME
If anyone can help or at least hint what might cause the problem it would be very helpful
Will vpn policy based routing support fw4? Or is there a workaround?
No domain names should make it into the iptables rules, something somewhere gone awry.
Have you tried running this file manually after VPR has started? What's the outcome?
Its replacement package (pbr) will in one way or the other. I'm still not clear what'll happen with dnsmasq support for ipset/nftset, once there's some clarity on that, I'll start experimenting with the updates.
try lowercase wan instead of WAN
Thanks for the answer.
I'm setting rules through LuCI VPN and WAN Policy-Based Routing with the "Use DNSMASQ ipset resolver" option.
In etc/config/vpn-policy-routing I have this record:
config policy
    option name 't-ru.org'
    option src_addr '192.168.0.0/16'
    option dest_addr 't-ru.org'
    option interface 'CloudFlare'
It has no differences from the other 30 records except the address, but only this one and one other give me an error. If I change ANY symbol in the 't-ru.org' dest_addr option then the policy is fine. Same thing for the "ypncdn.com" address. It's very strange behavior.
Thanks for any advice.
I'm not sure how exactly do I do that, could you please explain?
I'm very new to networking and OpenWrt.
thank you
I tried that yes, the outcome is the same.
the default files for "aws" and "netflix" which come pre-installed with VPN Policy-Based Routing app don't work as well and give the same error.
Is reverting to fw3 just a package replacement? i.e. in imagebuilder, -fw4 +fw3?
the problem i think is with the extra string characters (") in various parts of that script (badly written script)...for your case you can just use 3 lines in your script
#!/bin/sh
awk -v ipset=wan '{print "add " ipset " " $1}' /etc/VALVE_IP.list | ipset restore -!
return 0
wow the error indeed went away! thank you
though steam still connects through vpn, and not around it.
i wonder if the list of ip addresses for valve may be incorrect.
run "ipset list" to confirm the entries have been added...if it is but still not working then something else is wrong
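An added example, not part of the thread or of the vpn-policy-routing package: a stricter variant of the custom user file above that drops anything that is not an IPv4 address or CIDR (table headers, domain names, IPv6 prefixes, CRLF line endings) before it reaches ipset restore, then counts the members that `ipset list` reports. The function names are hypothetical, and the wan set is assumed to be an IPv4 set.

```shell
#!/bin/sh
# Added example. SET_NAME and LIST_FILE reuse the names from the thread;
# build_restore_input and count_members are hypothetical helper names.
SET_NAME="wan"
LIST_FILE="/etc/VALVE_IP.list"

# Print "add <set> <prefix>" for each valid IPv4 address/CIDR in column 1.
# Anything else is reported on stderr and left out of the restore input.
build_restore_input() {  # $1 = set name, $2 = list file
    awk -v name="$1" '
        { sub(/\r$/, ""); sub(/#.*/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }
        $0 == "" { next }
        {
            ok = ($1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(\/[0-9]+)?$/)
            if (ok) {
                n = split($1, p, "[./]")
                for (i = 1; i <= 4; i++) if (p[i] + 0 > 255) ok = 0
                if (n == 5 && p[5] + 0 > 32) ok = 0
            }
            if (ok) print "add " name " " $1
            else print "skipped line " NR ": " $0 > "/dev/stderr"
        }' "$2"
}

# Count entries after the "Members:" line of `ipset list <set>` output (stdin).
count_members() {
    awk 'seen && NF { n++ } /^Members:/ { seen = 1 } END { print n + 0 }'
}

# On a router with ipset installed: load the list, then report the set size.
if command -v ipset >/dev/null 2>&1 && [ -s "$LIST_FILE" ]; then
    build_restore_input "$SET_NAME" "$LIST_FILE" | ipset restore -! &&
        echo "$SET_NAME: $(ipset list "$SET_NAME" | count_members) entries" >&2
fi
```

A count of 0 after loading means the list never reached the set, which is a different problem from traffic that is in the set but still routed through the VPN.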
thank you, but I'm not sure where to run the command
I can connect to my router through putty (i use windows)
when I run this command nothing happens
or should I run it elsewhere?
install dnsmasq-full package