Hi @stangri,
I have installed pbr on my router and have been experimenting with it. I first tested this router within my home network and everything seemed to work fine. Even the WireGuard server worked: I could connect to it from the WAN side of the router. I also created a webserver as a test and opened port 8080. That also worked and I decided to connect it to the internet.
Once connected to the internet everything seems to be working fine again except the webserver and the WireGuard server. I did a port scan on my router and saw that the ports 61580 and 8080 are 'filtered'.
If I disable PBR and stop my WireGuard client connection the ports are reachable again, so it's not an issue with my internet provider. I have no idea why the ports are now filtered/closed and I cannot connect to them anymore.
With the PBR installation I have chosen the option Local Wireguard Server + Wireguard Client (Scenario 1) from these instructions: https://docs.openwrt.melmac.net/pbr/
Here are the contents of my /var/pbr-support file:
pbr 0.9.4-10 running on OpenWrt 21.02.3.
============================================================
Dnsmasq version 2.85 Copyright (c) 2000-2021 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus UBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth cryptohash DNSSEC no-ID loop-detect inotify dumpfile
============================================================
Routes/IP Rules
default * 0.0.0.0 U 10 0 0 wgclient
default 82-73-92-1.cabl 0.0.0.0 UG 20 0 0 eth0.100
IPv4 Table 201: default via [redacted] dev eth0.100
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.1
192.168.200.2 dev wgserver proto static scope link
IPv4 Table 201 Rules:
30000: from all fwmark 0x10000/0xff0000 lookup wan
IPv4 Table 202: default via 10.2.0.2 dev wgclient
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.1
192.168.200.2 dev wgserver proto static scope link
IPv4 Table 202 Rules:
29999: from all fwmark 0x20000/0xff0000 lookup wgclient
============================================================
Mangle IP Table: PREROUTING
-N PBR_PREROUTING
-A PBR_PREROUTING -p tcp -m multiport --dports 9200 -m comment --comment Policy_cfg036ff5 -c 27 1358 -g PBR_MARK0x010000
-A PBR_PREROUTING -p udp -m multiport --dports 9200 -m comment --comment Policy_cfg036ff5 -c 0 0 -g PBR_MARK0x010000
============================================================
Mangle IP Table: OUTPUT
-N PBR_OUTPUT
-A PBR_OUTPUT -p udp -m multiport --sports 61820 -m comment --comment Wireguard_Server -c 3 528 -g PBR_MARK0x010000
-A PBR_OUTPUT -p tcp -m multiport --sports 8080 -m comment --comment http -c 0 0 -g PBR_MARK0x010000
============================================================
Mangle IP Table MARK Chain: PBR_MARK0x010000
-N PBR_MARK0x010000
-A PBR_MARK0x010000 -c 26416 1846726 -j MARK --set-xmark 0x10000/0xff0000
-A PBR_MARK0x010000 -c 26416 1846726 -j RETURN
============================================================
Mangle IP Table MARK Chain: PBR_MARK0x020000
-N PBR_MARK0x020000
-A PBR_MARK0x020000 -c 0 0 -j MARK --set-xmark 0x20000/0xff0000
-A PBR_MARK0x020000 -c 0 0 -j RETURN
============================================================
Current ipsets
create pbr_wan_dst_ip_cfg066ff5 hash:ip family inet hashsize 1024 maxelem 65536 comment
create pbr_wan_dst_ip_cfg046ff5 hash:ip family inet hashsize 1024 maxelem 65536 comment
============================================================