  1. root@OpenWrt:~# ubus call system board
  2. {
  3. "kernel": "5.15.167",
  4. "hostname": "OpenWrt",
  5. "system": "ARMv8 Processor rev 4",
  6. "model": "GL.iNet GL-MT6000",
  7. "board_name": "glinet,gl-mt6000",
  8. "rootfs_type": "squashfs",
  9. "release": {
  10. "distribution": "OpenWrt",
  11. "version": "23.05.5",
  12. "revision": "r24106-10cc5fcd00",
  13. "target": "mediatek/filogic",
  14. "description": "OpenWrt 23.05.5 r24106-10cc5fcd00"
  15. }
  16. }
  17. root@OpenWrt:~# uci export dhcp
  18. package dhcp
  19.  
  20. config dnsmasq
  21. option domainneeded '1'
  22. option localise_queries '1'
  # Review: rebind protection is switched off, so upstream answers that point
  # at private/loopback addresses are accepted and handed to LAN clients.
  # Only keep this if a public name must legitimately resolve to a LAN host;
  # otherwise set '1' and exempt such names with `list rebind_domain '...'`.
  23. option rebind_protection '0'
  24. option local '/lan/'
  25. option domain 'lan'
  26. option expandhosts '1'
  27. option cachesize '1000'
  28. option authoritative '1'
  29. option readethers '1'
  30. option leasefile '/tmp/dhcp.leases'
  # With noresolv '0' dnsmasq also forwards to whatever the wan DHCP lease
  # wrote into resolv.conf.auto (the wan interface has no peerdns '0'), in
  # addition to the explicit server below - so the ISP's resolvers remain a
  # forwarding target. If that is not intended, set noresolv '1'.
  31. option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
  # localservice '1' limits answers to directly attached subnets; that matters
  # here because the wg0 firewall zone accepts input from the tunnel.
  32. option localservice '1'
  33. option ednspacket_max '1232'
  34. option noresolv '0'
  # dnsmasq listens on :54 while DHCP option 6 hands clients 192.168.1.1 (:53
  # implied), and dnsmasq itself forwards to 192.168.1.1. Presumably another
  # resolver owns :53 on this host - confirm with `ss -lnp | grep ':53'`.
  # If that resolver forwards back to 127.0.0.1:54 for the same names, the
  # two can loop (dnsmasq is built with loop-detect, see the status output,
  # which mitigates but does not fix it). DNSSEC is compiled in but not
  # enabled here (`option dnssec '1'`); only useful if the :53 front end does
  # not validate already.
  35. option port '54'
  36. list server '192.168.1.1'
  37.  
  38. config dhcp 'lan'
  39. option interface 'lan'
  40. option start '100'
  41. option limit '150'
  42. option leasetime '12h'
  43. option dhcpv4 'server'
  44. option dhcpv6 'server'
  45. option ra 'server'
  46. option ra_slaac '1'
  47. list ra_flags 'managed-config'
  48. list ra_flags 'other-config'
  49. option force '1'
  50. list dhcp_option '6,192.168.1.1'
  51. list dhcp_option '3,192.168.1.1'
  52. list dns 'fd3b:aadf:29cc::1'
  53.  
  54. config dhcp 'wan'
  55. option interface 'wan'
  56. option ignore '1'
  57.  
  58. config odhcpd 'odhcpd'
  59. option maindhcp '0'
  60. option leasefile '/tmp/hosts/odhcpd'
  61. option leasetrigger '/usr/sbin/odhcpd-update'
  62. option loglevel '4'
  63.  
  64. config host
  65. option mac '00:1E:06:42:34:A8'
  66. option ip '192.168.1.30'
  67.  
  68. config host
  69. option ip '192.168.1.60'
  70. option mac '60:B7:6E:4A:60:BD'
  71.  
  72. config host
  73. option ip '192.168.1.70'
  74. option mac '58:24:29:E3:BE:BA'
  75.  
  76. config host
  77. option mac '54:6C:EB:33:17:60'
  78. option ip '192.168.1.80'
  79.  
  80. config host
  81. option mac '10:3D:1C:67:C6:D1'
  82. option ip '192.168.1.90'
  83.  
  84. config host
  85. option mac '64:BC:58:EA:7D:EC'
  86. option ip '192.168.1.50'
  87.  
  88. config host
  89. option mac '34:73:5A:B2:CB:A9'
  90. option ip '192.168.1.10'
  91.  
  92. config host
  93. option mac 'F6:60:A2:B3:E7:85'
  94. option ip '192.168.1.100'
  95.  
  96. config host
  97. option mac 'DC:E5:5B:5A:8F:76'
  98. option ip '192.168.1.110'
  99.  
  100. config host
  101. option mac 'F0:2F:9E:4C:34:8B'
  102. option ip '192.168.1.130'
  103.  
  104. config host
  105. list mac '2C:7B:A0:4E:AF:AC'
  106. option ip '192.168.1.140'
  107.  
  108. config host
  109. list mac '00:E0:4C:68:0F:20'
  110. option ip '192.168.1.239'
  111.  
  112. root@OpenWrt:~# uci export firewall
  113. package firewall
  114.  
  115. config defaults
  116. option syn_flood '1'
  117. option input 'REJECT'
  118. option output 'ACCEPT'
  119. option forward 'REJECT'
  120.  
  121. config zone
  122. option name 'lan'
  123. list network 'lan'
  124. option input 'ACCEPT'
  125. option output 'ACCEPT'
  126. option forward 'ACCEPT'
  127.  
  128. config zone
  129. option name 'wan'
  130. list network 'wan'
  131. list network 'wan6'
  132. option input 'REJECT'
  133. option output 'ACCEPT'
  134. option forward 'REJECT'
  135. option masq '1'
  136. option mtu_fix '1'
  137.  
  138. config forwarding
  139. option src 'lan'
  140. option dest 'wan'
  141.  
  142. config rule
  143. option name 'Allow-DHCP-Renew'
  144. option src 'wan'
  145. option proto 'udp'
  146. option dest_port '68'
  147. option target 'ACCEPT'
  148. option family 'ipv4'
  149.  
  150. config rule
  151. option name 'Allow-Ping'
  152. option src 'wan'
  153. option proto 'icmp'
  154. option icmp_type 'echo-request'
  155. option family 'ipv4'
  156. option target 'ACCEPT'
  157.  
  158. config rule
  159. option name 'Allow-IGMP'
  160. option src 'wan'
  161. option proto 'igmp'
  162. option family 'ipv4'
  163. option target 'ACCEPT'
  164.  
  165. config rule
  166. option name 'Allow-DHCPv6'
  167. option src 'wan'
  168. option proto 'udp'
  169. option dest_port '546'
  170. option family 'ipv6'
  171. option target 'ACCEPT'
  172.  
  173. config rule
  174. option name 'Allow-MLD'
  175. option src 'wan'
  176. option proto 'icmp'
  177. option src_ip 'fe80::/10'
  178. list icmp_type '130/0'
  179. list icmp_type '131/0'
  180. list icmp_type '132/0'
  181. list icmp_type '143/0'
  182. option family 'ipv6'
  183. option target 'ACCEPT'
  184.  
  185. config rule
  186. option name 'Allow-ICMPv6-Input'
  187. option src 'wan'
  188. option proto 'icmp'
  189. list icmp_type 'echo-request'
  190. list icmp_type 'echo-reply'
  191. list icmp_type 'destination-unreachable'
  192. list icmp_type 'packet-too-big'
  193. list icmp_type 'time-exceeded'
  194. list icmp_type 'bad-header'
  195. list icmp_type 'unknown-header-type'
  196. list icmp_type 'router-solicitation'
  197. list icmp_type 'neighbour-solicitation'
  198. list icmp_type 'router-advertisement'
  199. list icmp_type 'neighbour-advertisement'
  200. option limit '1000/sec'
  201. option family 'ipv6'
  202. option target 'ACCEPT'
  203.  
  204. config rule
  205. option name 'Allow-ICMPv6-Forward'
  206. option src 'wan'
  207. option dest '*'
  208. option proto 'icmp'
  209. list icmp_type 'echo-request'
  210. list icmp_type 'echo-reply'
  211. list icmp_type 'destination-unreachable'
  212. list icmp_type 'packet-too-big'
  213. list icmp_type 'time-exceeded'
  214. list icmp_type 'bad-header'
  215. list icmp_type 'unknown-header-type'
  216. option limit '1000/sec'
  217. option family 'ipv6'
  218. option target 'ACCEPT'
  219.  
  # Review: these two are OpenWrt's stock IPsec passthrough rules. They are
  # forwarding rules (dest 'lan'), not router input, so they do not expose the
  # router itself, but they admit unsolicited ESP and IKE (udp/500) from the
  # internet towards LAN hosts. Only meaningful if a LAN host terminates
  # IPsec; otherwise disable them with `option enabled '0'`.
  220. config rule
  221. option name 'Allow-IPSec-ESP'
  222. option src 'wan'
  223. option dest 'lan'
  224. option proto 'esp'
  225. option target 'ACCEPT'
  226.  
  227. config rule
  228. option name 'Allow-ISAKMP'
  229. option src 'wan'
  230. option dest 'lan'
  231. option dest_port '500'
  232. option proto 'udp'
  233. option target 'ACCEPT'
  235. config include 'pbr'
  236. option fw4_compatible '1'
  237. option type 'script'
  238. option path '/usr/share/pbr/firewall.include'
  239.  
  240. config zone
  241. option name 'wg0'
  # Review: wg0 is an outbound tunnel to remote endpoints (see network), so
  # this zone faces the far side of the tunnel the same way 'wan' faces the
  # ISP - yet input is ACCEPT here and REJECT on wan. Every service bound on
  # the router (SSH, LuCI, dnsmasq on :54, whatever listens on :53) is
  # reachable from the tunnel. Unless inbound access over wg0 is required,
  # mirror the wan zone: option input 'REJECT', option forward 'REJECT'.
  # Note the zone-level 'forward' only covers traffic between networks inside
  # this zone; wg0->lan is not forwarded because only the lan->wg0
  # forwarding below exists, so that direction already falls to the
  # 'config defaults' REJECT.
  242. option input 'ACCEPT'
  243. option output 'ACCEPT'
  244. option forward 'ACCEPT'
  # masq is expected for a client tunnel. mtu_fix '1' (MSS clamping), which
  # the wan zone has, is missing although wg0 runs with mtu 1382 - consider
  # adding it to avoid path-MTU blackholes through the tunnel.
  245. option masq '1'
  246. list network 'wg0'
  247.  
  248. config forwarding
  249. option src 'lan'
  250. option dest 'wg0'
  252. root@OpenWrt:~# uci export network
  253. package network
  254.  
  255. config interface 'loopback'
  256. option device 'lo'
  257. option proto 'static'
  258. option ipaddr '127.0.0.1'
  259. option netmask '255.0.0.0'
  260.  
  261. config globals 'globals'
  262. option ula_prefix 'fd3b:aadf:29cc::/48'
  263.  
  264. config device
  265. option name 'br-lan'
  266. option type 'bridge'
  267. list ports 'lan1'
  268. list ports 'lan2'
  269. list ports 'lan3'
  270. list ports 'lan4'
  271. list ports 'lan5'
  272.  
  273. config device
  274. option name 'lan1'
  275. option macaddr '94:83:c4:a6:7d:3b'
  276.  
  277. config device
  278. option name 'lan2'
  279. option macaddr '94:83:c4:a6:7d:3b'
  280.  
  281. config device
  282. option name 'lan3'
  283. option macaddr '94:83:c4:a6:7d:3b'
  284.  
  285. config device
  286. option name 'lan4'
  287. option macaddr '94:83:c4:a6:7d:3b'
  288.  
  289. config device
  290. option name 'lan5'
  291. option macaddr '94:83:c4:a6:7d:3b'
  292.  
  293. config interface 'lan'
  294. option device 'br-lan'
  295. option proto 'static'
  296. option ipaddr '192.168.1.1'
  297. option netmask '255.255.255.0'
  298. option ip6assign '60'
  299.  
  300. config device
  301. option name 'eth1'
  302. option macaddr '94:83:c4:a6:7d:39'
  303.  
  304. config interface 'wan'
  305. option device 'eth1'
  306. option proto 'dhcp'
  307.  
  308. config interface 'wan6'
  309. option device 'eth1'
  310. option proto 'dhcpv6'
  311.  
  312. config interface 'wg0'
  313. option proto 'wireguard'
  # peerdns '0' keeps the tunnel from pushing resolvers into the router's
  # resolv.conf - good.
  314. option peerdns '0'
  315. option mtu '1382'
  # SECURITY (review): the tunnel's private key is printed in clear below,
  # while both peers' public keys were redacted as '***'. A key that has been
  # pasted publicly must be treated as compromised: generate a new pair
  # (`wg genkey | tee privkey | wg pubkey`), register the new public key with
  # the remote endpoint(s), replace this value and reload the interface.
  # Redact `option private_key` in any future export of this config.
  316. option private_key 'uIiJvPqEbNU3yVO1rbvfB7QzTZJGmS62f0upHSFG1lM='
  317. list addresses '10.65.106.171/32'
  318. list addresses 'fc00:bbbb:bbbb:bb01::2:6aaa/128'
  319.  
  # Review: both peers claim the identical allowed_ips. WireGuard keeps one
  # allowed-IPs table per interface - a range given to a later peer is taken
  # away from the earlier one - so only one of the two peers actually carries
  # 0.0.0.0/1, 128.0.0.0/1 and ::/1; the other sits idle despite its
  # keepalive. Check with `wg show wg0 allowed-ips`; if failover is the
  # intent it needs a different mechanism.
  # '128.0.0.1/1' has a host bit set; the conventional split-default pair is
  # 0.0.0.0/1 + 128.0.0.0/1. wg(8) appears to tolerate it, but
  # route_allowed_ips also installs a kernel route per entry and a route with
  # host bits set may be rejected ("Invalid prefix for given prefix length").
  # If that happened, destinations in 128.0.0.0/1 would follow the wan
  # default route instead of the tunnel - a silent VPN bypass. Verify both
  # halves exist with `ip route show dev wg0` and fix the entry regardless.
  320. config wireguard_wg0
  321. list allowed_ips '0.0.0.0/1'
  322. list allowed_ips '::0/1'
  323. list allowed_ips '128.0.0.1/1'
  324. option route_allowed_ips '1'
  325. option persistent_keepalive '25'
  326. option public_key '***'
  327. option endpoint_host '185.209.196.76'
  328.  
  329. config wireguard_wg0
  330. list allowed_ips '0.0.0.0/1'
  331. list allowed_ips '::0/1'
  332. list allowed_ips '128.0.0.1/1'
  333. option route_allowed_ips '1'
  334. option persistent_keepalive '25'
  335. option public_key '***'
  336. option endpoint_host '193.32.248.70'
  337.  
  338. root@OpenWrt:~# uci export pbr
  339. package pbr
  340.  
  341. config pbr 'config'
  342. option enabled '1'
  343. option verbosity '2'
  # strict_enforcement '1': if the wan gateway goes away, flows matched by the
  # wan policies are dropped rather than falling back to the tunnel - the
  # safe direction for "direct" policies.
  344. option strict_enforcement '1'
  # resolver_set: domain-based policies (e.g. the disabled Plex/Emby one) are
  # filled from dnsmasq's nftset. dnsmasq here listens on :54 behind a
  # separate :53 listener, so such sets are only populated for queries that
  # actually pass through dnsmasq - confirm before enabling a domain policy.
  345. option resolver_set 'dnsmasq.nftset'
  346. list resolver_instance '*'
  # Review: ipv6_enabled '0' means none of the policies below apply to IPv6
  # (the status output lists IPv4 tables only). The lan interface is
  # delegated a prefix (ip6assign '60') and the wg0 peers route ::/1 with
  # route_allowed_ips, so IPv6 from every LAN host - including the hosts
  # pinned to wan below - presumably goes into the tunnel, and
  # strict_enforcement cannot protect it. Verify from a LAN client
  # (`ip -6 route`, a v6 "what is my IP" check); either enable IPv6 here and
  # re-check the policies, or disable RA/DHCPv6 on lan if v6 is not wanted.
  347. option ipv6_enabled '0'
  348. option boot_timeout '30'
  349. list ignored_interface 'vpnserver'
  350. list ignored_interface 'wgserver'
  351. list supported_interface 'wg0'
  352. option rule_create_option 'add'
  353. option procd_boot_delay '0'
  354. option procd_reload_delay '1'
  355. option webui_show_ignore_target '0'
  356. option nft_rule_counter '1'
  357. option nft_set_auto_merge '1'
  358. option nft_set_counter '1'
  359. option nft_set_flags_interval '1'
  360. option nft_set_flags_timeout '0'
  361. option nft_set_policy 'performance'
  362. list webui_supported_protocol 'all'
  363. list webui_supported_protocol 'tcp'
  364. list webui_supported_protocol 'udp'
  365. list webui_supported_protocol 'tcp udp'
  366. list webui_supported_protocol 'icmp'
  367.  
  368. config include
  369. option path '/usr/share/pbr/pbr.user.aws'
  370. option enabled '0'
  371.  
  372. config include
  373. option path '/usr/share/pbr/pbr.user.netflix'
  374. option enabled '0'
  375.  
  376. config include
  377. option path '/usr/share/pbr/pbr.user.wg_server_and_client'
  378. option enabled '0'
  379.  
  380. config dns_policy
  381. option name 'Redirect Local IP DNS'
  382. option src_addr '192.168.1.5'
  383. option dest_dns '1.1.1.1'
  384. option enabled '0'
  385.  
  386. config policy
  387. option name 'Ignore Local Requests'
  388. option interface 'ignore'
  389. option dest_addr '10.0.0.0/24 10.0.1.0/24 192.168.100.0/24 192.168.1.0/24'
  390. option enabled '0'
  391.  
  392. config policy
  393. option name 'Plex/Emby Local Server'
  394. option interface 'wan'
  395. option src_port '8096 8920 32400'
  396. option enabled '0'
  397.  
  398. config policy
  399. option name 'Plex/Emby Remote Servers'
  400. option interface 'wan'
  401. option dest_addr 'plex.tv my.plexapp.com emby.media app.emby.media tv.emby.media'
  402. option enabled '0'
  403.  
  404. config policy
  405. option name 'direct-remote'
  406. option interface 'wan'
  # Review: every tcp/udp flow from any LAN host to these ports goes out via
  # wan, i.e. HTTP(S), DNS, SSH, git and echo all bypass the tunnel -
  # including QUIC/HTTP3 on udp/443 and plaintext DNS on 53. Only traffic on
  # other ports can reach wg0 at all, and the status counters show the wan
  # mark (0x010000) is the only one ever hit. If the tunnel is meant to cover
  # browsing or DNS this policy defeats it; if "VPN only for non-web traffic"
  # is the intent, the name should say so.
  407. option dest_port '7 53 80 443 9418 22'
  408.  
  409. config policy
  410. option name 'direct-local'
  # Matches on *source* port: LAN services answering on 22/80/443 etc. and any
  # client that binds one of these ports as its source are routed via wan.
  # Replies to forwarded connections already follow their conntrack entry,
  # so the practical effect is small, but it widens the bypass above.
  411. option src_port '7 53 80 443 9418 22'
  412. option interface 'wan'
  414. config policy
  415. option name 'libtorrent'
  416. option src_port '6800-7000'
  417. option dest_addr '1.1.1.1'
  418. option interface 'wg0'
  419. option enabled '0'
  420.  
  # Review: the names are swapped - 1.1.1.1 is Cloudflare and 8.8.8.8 is
  # Google. Harmless for routing, but misleading when reading rule counters;
  # rename to 'dns-cloudflare' / 'dns-google'. Port-53 queries to either
  # address are already caught by 'direct-remote' above (counters for both
  # of these rules are 0 in the status output).
  421. config policy
  422. option name 'dns-google'
  423. option dest_addr '1.1.1.1'
  424. option interface 'wan'
  425.  
  426. config policy
  427. option name 'dns-cloud'
  428. option dest_addr '8.8.8.8'
  429. option interface 'wan'
  # Review: duplicates - 192.168.1.70 is also matched by 'phone-4a-5g' and
  # 192.168.1.60 by 'phone-4a' further down, with the same target (wan). The
  # host/name mapping is inconsistent between the two sets (.70 is "4a" here
  # and "4a-5g" there). Keep one policy per host so a later change to one
  # copy cannot be silently overridden by the other.
  431. config policy
  432. option name 'direct-4a'
  433. option interface 'wan'
  434. option src_addr '192.168.1.70'
  435.  
  436. config policy
  437. option name 'direct-4a-5g'
  438. option interface 'wan'
  439. option src_addr '192.168.1.60'
  441. config policy
  442. option name 'direct-mipad'
  443. option src_addr '192.168.1.130'
  444. option interface 'wan'
  445.  
  446. config policy
  447. option name 'direct-citrix'
  448. option interface 'wan'
  449. option dest_port '1494 2598 8080 8008 16500-16509 9002 3478-3481'
  450.  
  # Review: duplicates of 'direct-4a-5g' (192.168.1.60) and 'direct-4a'
  # (192.168.1.70) above, same target (wan), with the 4a / 4a-5g labels
  # assigned the other way round. Drop one set; a single rule per host is
  # easier to audit and cannot drift out of sync.
  451. config policy
  452. option name 'phone-4a'
  453. option src_addr '192.168.1.60'
  454. option interface 'wan'
  455.  
  456. config policy
  457. option name 'phone-4a-5g'
  458. option src_addr '192.168.1.70'
  459. option interface 'wan'
  461. config policy
  462. option name 'k8-route'
  463. option src_addr '192.168.1.140'
  464. option interface 'wan'
  465.  
  466. config policy
  467. option name '845-eth-test'
  468. option src_addr '192.168.1.239'
  469. option interface 'wan'
  470.  
  471. config policy
  472. option name 'icmp'
  473. option proto 'icmp'
  474. option interface 'wan'
  475. option enabled '0'
  476.  
  477. config policy
  478. option name '845-wifi-test'
  479. option src_addr '192.168.1.90'
  480. option interface 'wan'
  481.  
  482. root@OpenWrt:~# /etc/init.d/pbr status
  483.  
  484. pbr - environment
  485. pbr 1.1.6-22 running on OpenWrt 23.05.5.
  486.  
  487. Dnsmasq version 2.90 Copyright (c) 2000-2024 Simon Kelley
  488. Compile time options: IPv6 GNU-getopt no-DBus UBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP conntrack no-ipset nftset auth cryptohash DNSSEC no-ID loop-detect inotify dumpfile
  489.  
  490. pbr fw4 nft file: /usr/share/nftables.d/ruleset-post/30-pbr.nft
  491. add chain inet fw4 pbr_mark_0x010000
  492. add rule inet fw4 pbr_mark_0x010000 mark set mark and 0xff00ffff xor 0x010000
  493. add rule inet fw4 pbr_mark_0x010000 return
  494. add chain inet fw4 pbr_mark_0x020000
  495. add rule inet fw4 pbr_mark_0x020000 mark set mark and 0xff00ffff xor 0x020000
  496. add rule inet fw4 pbr_mark_0x020000 return
  497. add rule inet fw4 pbr_prerouting tcp dport { 7, 53, 80, 443, 9418, 22 } goto pbr_mark_0x010000 comment "direct-remote"
  498. add rule inet fw4 pbr_prerouting udp dport { 7, 53, 80, 443, 9418, 22 } goto pbr_mark_0x010000 comment "direct-remote"
  499. add rule inet fw4 pbr_prerouting tcp sport { 7, 53, 80, 443, 9418, 22 } goto pbr_mark_0x010000 comment "direct-local"
  500. add rule inet fw4 pbr_prerouting udp sport { 7, 53, 80, 443, 9418, 22 } goto pbr_mark_0x010000 comment "direct-local"
  501. add rule inet fw4 pbr_prerouting ip daddr { 1.1.1.1 } goto pbr_mark_0x010000 comment "dns-google"
  502. add rule inet fw4 pbr_prerouting ip daddr { 8.8.8.8 } goto pbr_mark_0x010000 comment "dns-cloud"
  503. add rule inet fw4 pbr_prerouting ip saddr { 192.168.1.70 } goto pbr_mark_0x010000 comment "direct-4a"
  504. add rule inet fw4 pbr_prerouting ip saddr { 192.168.1.60 } goto pbr_mark_0x010000 comment "direct-4a-5g"
  505. add rule inet fw4 pbr_prerouting ip saddr { 192.168.1.130 } goto pbr_mark_0x010000 comment "direct-mipad"
  506. add rule inet fw4 pbr_prerouting tcp dport { 1494, 2598, 8080, 8008, 16500-16509, 9002, 3478-3481 } goto pbr_mark_0x010000 comment "direct-citrix"
  507. add rule inet fw4 pbr_prerouting udp dport { 1494, 2598, 8080, 8008, 16500-16509, 9002, 3478-3481 } goto pbr_mark_0x010000 comment "direct-citrix"
  508. add rule inet fw4 pbr_prerouting ip saddr { 192.168.1.60 } goto pbr_mark_0x010000 comment "phone-4a"
  509. add rule inet fw4 pbr_prerouting ip saddr { 192.168.1.70 } goto pbr_mark_0x010000 comment "phone-4a-5g"
  510. add rule inet fw4 pbr_prerouting ip saddr { 192.168.1.140 } goto pbr_mark_0x010000 comment "k8-route"
  511. add rule inet fw4 pbr_prerouting ip saddr { 192.168.1.239 } goto pbr_mark_0x010000 comment "845-eth-test"
  512. add rule inet fw4 pbr_prerouting ip saddr { 192.168.1.90 } goto pbr_mark_0x010000 comment "845-wifi-test"
  513.  
  514. pbr chains - policies
  515. chain pbr_forward { # handle 39
  516. }
  517. chain pbr_input { # handle 40
  518. }
  519. chain pbr_output { # handle 41
  520. }
  521. chain pbr_postrouting { # handle 43
  522. }
  523. chain pbr_prerouting { # handle 42
  524. tcp dport { 7, 22, 53, 80, 443, 9418 } goto pbr_mark_0x010000 comment "direct-remote" # handle 1790
  525. udp dport { 7, 22, 53, 80, 443, 9418 } goto pbr_mark_0x010000 comment "direct-remote" # handle 1792
  526. tcp sport { 7, 22, 53, 80, 443, 9418 } goto pbr_mark_0x010000 comment "direct-local" # handle 1794
  527. udp sport { 7, 22, 53, 80, 443, 9418 } goto pbr_mark_0x010000 comment "direct-local" # handle 1796
  528. ip daddr 1.1.1.1 goto pbr_mark_0x010000 comment "dns-google" # handle 1797
  529. ip daddr 8.8.8.8 goto pbr_mark_0x010000 comment "dns-cloud" # handle 1798
  530. ip saddr 192.168.1.70 goto pbr_mark_0x010000 comment "direct-4a" # handle 1799
  531. ip saddr 192.168.1.60 goto pbr_mark_0x010000 comment "direct-4a-5g" # handle 1800
  532. ip saddr 192.168.1.130 goto pbr_mark_0x010000 comment "direct-mipad" # handle 1801
  533. tcp dport { 1494, 2598, 3478-3481, 8008, 8080, 9002, 16500-16509 } goto pbr_mark_0x010000 comment "direct-citrix" # handle 1803
  534. udp dport { 1494, 2598, 3478-3481, 8008, 8080, 9002, 16500-16509 } goto pbr_mark_0x010000 comment "direct-citrix" # handle 1805
  535. ip saddr 192.168.1.60 goto pbr_mark_0x010000 comment "phone-4a" # handle 1806
  536. ip saddr 192.168.1.70 goto pbr_mark_0x010000 comment "phone-4a-5g" # handle 1807
  537. ip saddr 192.168.1.140 goto pbr_mark_0x010000 comment "k8-route" # handle 1808
  538. ip saddr 192.168.1.239 goto pbr_mark_0x010000 comment "845-eth-test" # handle 1809
  539. ip saddr 192.168.1.90 goto pbr_mark_0x010000 comment "845-wifi-test" # handle 1810
  540. }
  541. chain pbr_dstnat { # handle 38
  542. }
  543.  
  544. pbr chains - marking
  545. chain pbr_mark_0x010000 { # handle 1783
  546. meta mark set meta mark & 0xff01ffff | 0x00010000 # handle 1784
  547. return # handle 1785
  548. }
  549. chain pbr_mark_0x020000 { # handle 1786
  550. meta mark set meta mark & 0xff02ffff | 0x00020000 # handle 1787
  551. return # handle 1788
  552. }
  553.  
  554. pbr nft sets
  555.  
  556. IPv4 table 256 route: default via 89.77.142.1 dev eth1
  557. IPv4 table 256 rule(s):
  558. 30000: from all fwmark 0x10000/0xff0000 lookup pbr_wan
  559. IPv4 table 257 route: default via 10.65.106.171 dev wg0
  560. IPv4 table 257 rule(s):
  561. 29998: from all fwmark 0x20000/0xff0000 lookup pbr_wg0
  562. root@OpenWrt:~# /etc/init.d/pbr reload
  563. Using wan interface (on_start): wan
  564. Found wan gateway (on_start): 89.77.142.1
  565. Setting up routing for 'wan/eth1/89.77.142.1' [✓]
  566. Setting up routing for 'wg0/10.65.106.171' [✓]
  567. Routing 'direct-remote' via wan [✓]
  568. Routing 'direct-local' via wan [✓]
  569. Routing 'dns-google' via wan [✓]
  570. Routing 'dns-cloud' via wan [✓]
  571. Routing 'direct-4a' via wan [✓]
  572. Routing 'direct-4a-5g' via wan [✓]
  573. Routing 'direct-mipad' via wan [✓]
  574. Routing 'direct-citrix' via wan [✓]
  575. Routing 'phone-4a' via wan [✓]
  576. Routing 'phone-4a-5g' via wan [✓]
  577. Routing 'k8-route' via wan [✓]
  578. Routing '845-eth-test' via wan [✓]
  579. Routing '845-wifi-test' via wan [✓]
  580. Installing fw4 nft file [✓]
  581. pbr 1.1.6-22 monitoring interfaces: wan wg0
  582. pbr 1.1.6-22 (fw4 nft file mode) started with gateways:
  583. wan/eth1/89.77.142.1
  584. wg0/10.65.106.171 [✓]
  585. root@OpenWrt:~# /etc/init.d/pbr status
  586.  
  587. pbr - environment
  588. pbr 1.1.6-22 running on OpenWrt 23.05.5.
  589.  
  590. Dnsmasq version 2.90 Copyright (c) 2000-2024 Simon Kelley
  591. Compile time options: IPv6 GNU-getopt no-DBus UBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP conntrack no-ipset nftset auth cryptohash DNSSEC no-ID loop-detect inotify dumpfile
  592.  
  593. pbr fw4 nft file: /usr/share/nftables.d/ruleset-post/30-pbr.nft
  594. add chain inet fw4 pbr_mark_0x010000
  595. add rule inet fw4 pbr_mark_0x010000 counter mark set mark and 0xff00ffff xor 0x010000
  596. add rule inet fw4 pbr_mark_0x010000 return
  597. add chain inet fw4 pbr_mark_0x020000
  598. add rule inet fw4 pbr_mark_0x020000 counter mark set mark and 0xff00ffff xor 0x020000
  599. add rule inet fw4 pbr_mark_0x020000 return
  600. add rule inet fw4 pbr_prerouting tcp dport { 7, 53, 80, 443, 9418, 22 } counter goto pbr_mark_0x010000 comment "direct-remote"
  601. add rule inet fw4 pbr_prerouting udp dport { 7, 53, 80, 443, 9418, 22 } counter goto pbr_mark_0x010000 comment "direct-remote"
  602. add rule inet fw4 pbr_prerouting tcp sport { 7, 53, 80, 443, 9418, 22 } counter goto pbr_mark_0x010000 comment "direct-local"
  603. add rule inet fw4 pbr_prerouting udp sport { 7, 53, 80, 443, 9418, 22 } counter goto pbr_mark_0x010000 comment "direct-local"
  604. add rule inet fw4 pbr_prerouting ip daddr { 1.1.1.1 } counter goto pbr_mark_0x010000 comment "dns-google"
  605. add rule inet fw4 pbr_prerouting ip daddr { 8.8.8.8 } counter goto pbr_mark_0x010000 comment "dns-cloud"
  606. add rule inet fw4 pbr_prerouting ip saddr { 192.168.1.70 } counter goto pbr_mark_0x010000 comment "direct-4a"
  607. add rule inet fw4 pbr_prerouting ip saddr { 192.168.1.60 } counter goto pbr_mark_0x010000 comment "direct-4a-5g"
  608. add rule inet fw4 pbr_prerouting ip saddr { 192.168.1.130 } counter goto pbr_mark_0x010000 comment "direct-mipad"
  609. add rule inet fw4 pbr_prerouting tcp dport { 1494, 2598, 8080, 8008, 16500-16509, 9002, 3478-3481 } counter goto pbr_mark_0x010000 comment "direct-citrix"
  610. add rule inet fw4 pbr_prerouting udp dport { 1494, 2598, 8080, 8008, 16500-16509, 9002, 3478-3481 } counter goto pbr_mark_0x010000 comment "direct-citrix"
  611. add rule inet fw4 pbr_prerouting ip saddr { 192.168.1.60 } counter goto pbr_mark_0x010000 comment "phone-4a"
  612. add rule inet fw4 pbr_prerouting ip saddr { 192.168.1.70 } counter goto pbr_mark_0x010000 comment "phone-4a-5g"
  613. add rule inet fw4 pbr_prerouting ip saddr { 192.168.1.140 } counter goto pbr_mark_0x010000 comment "k8-route"
  614. add rule inet fw4 pbr_prerouting ip saddr { 192.168.1.239 } counter goto pbr_mark_0x010000 comment "845-eth-test"
  615. add rule inet fw4 pbr_prerouting ip saddr { 192.168.1.90 } counter goto pbr_mark_0x010000 comment "845-wifi-test"
  616.  
  617. pbr chains - policies
  618. chain pbr_forward { # handle 39
  619. }
  620. chain pbr_input { # handle 40
  621. }
  622. chain pbr_output { # handle 41
  623. }
  624. chain pbr_postrouting { # handle 43
  625. }
  626. chain pbr_prerouting { # handle 42
  627. tcp dport { 7, 22, 53, 80, 443, 9418 } counter packets 20 bytes 968 goto pbr_mark_0x010000 comment "direct-remote" # handle 1983
  628. udp dport { 7, 22, 53, 80, 443, 9418 } counter packets 0 bytes 0 goto pbr_mark_0x010000 comment "direct-remote" # handle 1985
  629. tcp sport { 7, 22, 53, 80, 443, 9418 } counter packets 6 bytes 516 goto pbr_mark_0x010000 comment "direct-local" # handle 1987
  630. udp sport { 7, 22, 53, 80, 443, 9418 } counter packets 2 bytes 260 goto pbr_mark_0x010000 comment "direct-local" # handle 1989
  631. ip daddr 1.1.1.1 counter packets 0 bytes 0 goto pbr_mark_0x010000 comment "dns-google" # handle 1990
  632. ip daddr 8.8.8.8 counter packets 0 bytes 0 goto pbr_mark_0x010000 comment "dns-cloud" # handle 1991
  633. ip saddr 192.168.1.70 counter packets 0 bytes 0 goto pbr_mark_0x010000 comment "direct-4a" # handle 1992
  634. ip saddr 192.168.1.60 counter packets 0 bytes 0 goto pbr_mark_0x010000 comment "direct-4a-5g" # handle 1993
  635. ip saddr 192.168.1.130 counter packets 0 bytes 0 goto pbr_mark_0x010000 comment "direct-mipad" # handle 1994
  636. tcp dport { 1494, 2598, 3478-3481, 8008, 8080, 9002, 16500-16509 } counter packets 0 bytes 0 goto pbr_mark_0x010000 comment "direct-citrix" # handle 1996
  637. udp dport { 1494, 2598, 3478-3481, 8008, 8080, 9002, 16500-16509 } counter packets 0 bytes 0 goto pbr_mark_0x010000 comment "direct-citrix" # handle 1998
  638. ip saddr 192.168.1.60 counter packets 0 bytes 0 goto pbr_mark_0x010000 comment "phone-4a" # handle 1999
  639. ip saddr 192.168.1.70 counter packets 0 bytes 0 goto pbr_mark_0x010000 comment "phone-4a-5g" # handle 2000
  640. ip saddr 192.168.1.140 counter packets 0 bytes 0 goto pbr_mark_0x010000 comment "k8-route" # handle 2001
  641. ip saddr 192.168.1.239 counter packets 0 bytes 0 goto pbr_mark_0x010000 comment "845-eth-test" # handle 2002
  642. ip saddr 192.168.1.90 counter packets 1 bytes 60 goto pbr_mark_0x010000 comment "845-wifi-test" # handle 2003
  643. }
  644. chain pbr_dstnat { # handle 38
  645. }
  646.  
  647. pbr chains - marking
  648. chain pbr_mark_0x010000 { # handle 1976
  649. counter packets 40 bytes 4463 meta mark set meta mark & 0xff01ffff | 0x00010000 # handle 1977
  650. return # handle 1978
  651. }
  652. chain pbr_mark_0x020000 { # handle 1979
  653. counter packets 0 bytes 0 meta mark set meta mark & 0xff02ffff | 0x00020000 # handle 1980
  654. return # handle 1981
  655. }
  656.  
  657. pbr nft sets
  658.  
  659. IPv4 table 256 route: default via 89.77.142.1 dev eth1
  660. IPv4 table 256 rule(s):
  661. 30000: from all fwmark 0x10000/0xff0000 lookup pbr_wan
  662. IPv4 table 257 route: default via 10.65.106.171 dev wg0
  663. IPv4 table 257 rule(s):
  664. 29998: from all fwmark 0x20000/0xff0000 lookup pbr_wg0
  665. root@OpenWrt:~#
  666.  