WireGuard - Policy Based Routing - R9000 - 46069 [SOLVED]

Night Prowler
DD-WRT Novice


Joined: 15 Jan 2016
Posts: 49

Posted: Wed Jul 21, 2021 21:36
I think I'm understanding how the PBR and the kill switch work:

With Wireguard enabled EVERY connection in my home is going through Wireguard, not just the IPs listed in the PBR, correct (that is what it is doing now)?

If Wireguard goes down, those IPs listed in the PBR with a kill switch will drop the connection until Wireguard re-connects. All the other devices will roll over from the Wireguard connection to the regular ISP connection and keep going?

I thought ONLY the IPs listed in the PBR were running through the VPN connection, and all the others ran outside Wireguard, even when Wireguard was enabled.

When I place the below into the firewall and disable Wireguard it rolls that IP over to the regular ISP and fails to drop the connection. I tried DROP, and REJECT.

iptables -I FORWARD -s 192.168.1.3 -o $(get wanface) -j DROP

Now I have the firewall rule set to the way it used to be in OpenVPN, and it does work.

iptables -I FORWARD -s 192.168.1.3 -o $(nvram get wan_iface) -j DROP
Code:
root@Nighthawk:~# iptables -vnL FORWARD
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      vlan2   192.168.1.3          0.0.0.0/0
    0     0 DROP       all  --  *      vlan2   192.168.1.2          0.0.0.0/0
   77 11640 ACCEPT     tcp  --  oet1   *       0.0.0.0/0            192.168.1.3          tcp dpt:4000
  341 23799 ACCEPT     udp  --  oet1   *       0.0.0.0/0            192.168.1.3          udp dpt:4000
    0     0 ACCEPT     all  --  oet1   *       0.0.0.0/0            0.0.0.0/0            state NEW
11471 4251K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
 1240  106K upnp       all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 lan2wan    all  --  oet1   *       0.0.0.0/0            0.0.0.0/0
 1240  106K lan2wan    all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  br0    br0     0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      vlan2   192.168.1.0/24       0.0.0.0/0            tcp dpt:1723
    0     0 ACCEPT     47   --  *      vlan2   192.168.1.0/24       0.0.0.0/0
    0     0 TRIGGER    all  --  vlan2  br0     0.0.0.0/0            0.0.0.0/0           TRIGGER type:in match:0 relate:0
 1240  106K trigger_out  all  --  br0    *       0.0.0.0/0            0.0.0.0/0
    0     0 TRIGGER    all  --  vlan2  eth0    0.0.0.0/0            0.0.0.0/0           TRIGGER type:in match:0 relate:0
    0     0 trigger_out  all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            state NEW
    0     0 TRIGGER    all  --  vlan2  eth1    0.0.0.0/0            0.0.0.0/0           TRIGGER type:in match:0 relate:0
    0     0 trigger_out  all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  eth1   *       0.0.0.0/0            0.0.0.0/0            state NEW
    0     0 TRIGGER    all  --  vlan2  eth2    0.0.0.0/0            0.0.0.0/0           TRIGGER type:in match:0 relate:0
    0     0 trigger_out  all  --  eth2   *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  eth2   *       0.0.0.0/0            0.0.0.0/0            state NEW
    0     0 TRIGGER    all  --  vlan2  vlan1   0.0.0.0/0            0.0.0.0/0           TRIGGER type:in match:0 relate:0
    0     0 trigger_out  all  --  vlan1  *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  vlan1  *       0.0.0.0/0            0.0.0.0/0            state NEW
    0     0 TRIGGER    all  --  vlan2  wlan0   0.0.0.0/0            0.0.0.0/0           TRIGGER type:in match:0 relate:0
    0     0 trigger_out  all  --  wlan0  *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  wlan0  *       0.0.0.0/0            0.0.0.0/0            state NEW
    0     0 TRIGGER    all  --  vlan2  wlan1   0.0.0.0/0            0.0.0.0/0           TRIGGER type:in match:0 relate:0
    0     0 trigger_out  all  --  wlan1  *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  wlan1  *       0.0.0.0/0            0.0.0.0/0            state NEW
    0     0 TRIGGER    all  --  vlan2  oet1    0.0.0.0/0            0.0.0.0/0           TRIGGER type:in match:0 relate:0
    0     0 trigger_out  all  --  oet1   *       0.0.0.0/0            0.0.0.0/0
 1177  103K ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0            state NEW
   63  2780 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
root@Nighthawk:~#


iptables -I FORWARD -s 192.168.1.3 -o $(get wanface) -j REJECT
Code:
root@Nighthawk:~# iptables -vnL FORWARD
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  oet1   *       0.0.0.0/0            192.168.1.3          tcp dpt:4000
    0     0 ACCEPT     udp  --  oet1   *       0.0.0.0/0            192.168.1.3          udp dpt:4000
    0     0 ACCEPT     all  --  oet1   *       0.0.0.0/0            0.0.0.0/0            state NEW
  133 43433 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
   19  1145 upnp       all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 lan2wan    all  --  oet1   *       0.0.0.0/0            0.0.0.0/0
   19  1145 lan2wan    all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  br0    br0     0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      vlan2   192.168.1.0/24       0.0.0.0/0            tcp dpt:1723
    0     0 ACCEPT     47   --  *      vlan2   192.168.1.0/24       0.0.0.0/0
    0     0 TRIGGER    all  --  vlan2  br0     0.0.0.0/0            0.0.0.0/0           TRIGGER type:in match:0 relate:0
   19  1145 trigger_out  all  --  br0    *       0.0.0.0/0            0.0.0.0/0
    0     0 TRIGGER    all  --  vlan2  eth0    0.0.0.0/0            0.0.0.0/0           TRIGGER type:in match:0 relate:0
    0     0 trigger_out  all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            state NEW
    0     0 TRIGGER    all  --  vlan2  eth1    0.0.0.0/0            0.0.0.0/0           TRIGGER type:in match:0 relate:0
    0     0 trigger_out  all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  eth1   *       0.0.0.0/0            0.0.0.0/0            state NEW
    0     0 TRIGGER    all  --  vlan2  eth2    0.0.0.0/0            0.0.0.0/0           TRIGGER type:in match:0 relate:0
    0     0 trigger_out  all  --  eth2   *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  eth2   *       0.0.0.0/0            0.0.0.0/0            state NEW
    0     0 TRIGGER    all  --  vlan2  vlan1   0.0.0.0/0            0.0.0.0/0           TRIGGER type:in match:0 relate:0
    0     0 trigger_out  all  --  vlan1  *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  vlan1  *       0.0.0.0/0            0.0.0.0/0            state NEW
    0     0 TRIGGER    all  --  vlan2  wlan0   0.0.0.0/0            0.0.0.0/0           TRIGGER type:in match:0 relate:0
    0     0 trigger_out  all  --  wlan0  *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  wlan0  *       0.0.0.0/0            0.0.0.0/0            state NEW
    0     0 TRIGGER    all  --  vlan2  wlan1   0.0.0.0/0            0.0.0.0/0           TRIGGER type:in match:0 relate:0
    0     0 trigger_out  all  --  wlan1  *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  wlan1  *       0.0.0.0/0            0.0.0.0/0            state NEW
    0     0 TRIGGER    all  --  vlan2  oet1    0.0.0.0/0            0.0.0.0/0           TRIGGER type:in match:0 relate:0
    0     0 trigger_out  all  --  oet1   *       0.0.0.0/0            0.0.0.0/0
   17  1041 ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0            state NEW
    2   104 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
root@Nighthawk:~#

_________________
Michael Steele
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12884
Location: Netherlands

Posted: Thu Jul 22, 2021 6:37
OK I will spell it out again.

nvram get wan_iface is not always reliable; you had better use get_wanface.

The reason it is not working for you is because you made a typo, please read and type carefully or better just copy and paste the rule e.g.:
Code:
iptables -I FORWARD -s 192.168.0.3 -o $(get_wanface) -j REJECT


Place these rules under Administration/Command and save as Firewall.
Reboot the router and check after that with:
iptables -vnL FORWARD

Next thing is to check that your clients actually have these IP addresses, so either set a static lease or static IP on the clients involved so that they have those IP addresses, check on the client presuming you use windows, from the cmd prompt with: ipconfig/all

That should deal with the killswitch.
In the latest WireGuard Client setup guide are instructions how to test.

Next PBR, for a description how it works and how you must implement it see the WireGuard client setup guide page 9.

Only IP addresses you put in the PBR list will use the VPN.
You can check with ipleak.net if clients are using the VPN or not.

Although safeguards are built in, it is possible that when you enter wrong settings you will end up with all clients using the PBR.
If that is the case, please show a picture of the PBR box so that I can see what you entered and where things went wrong.
In that case also show from the CLI (telnet/Putty):
ip route show table 21
ip rule show
grep -E -i 'oet|wireguard' /var/log/messages

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3, XR300: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read): https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
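As an added check (not part of egc's post and not DD-WRT's own code): a small POSIX sh script that renders the kill-switch rule from the post, refusing an empty WAN interface (an unknown command such as the mistyped `$(get wanface)` expands to nothing inside `$(...)`, so no rule gets inserted), and then verifies against a constructed `iptables -vnL FORWARD` listing that the REJECT/DROP rule sits ahead of any ACCEPT that could match the client. The function names `render_killswitch_rule` and `killswitch_ok` and the sample listing are mine, modelled on the listings earlier in the thread.

```shell
#!/bin/sh
# Added example: build and verify a WireGuard kill-switch FORWARD rule.
# Runs on any POSIX sh with awk; no router or iptables binary needed.

# render_killswitch_rule CLIENT_IP WAN_IFACE
# Prints the iptables command from egc's post. Fails when WAN_IFACE is
# empty, which is what a mistyped interface lookup expands to.
render_killswitch_rule() {
    [ -n "$2" ] || { echo "render_killswitch_rule: empty WAN interface" >&2; return 1; }
    printf 'iptables -I FORWARD -s %s -o %s -j REJECT\n' "$1" "$2"
}

# killswitch_ok LISTING WAN_IFACE CLIENT_IP
# Returns 0 when the first FORWARD rule that could match CLIENT_IP leaving
# via WAN_IFACE is DROP or REJECT. An earlier ACCEPT with out=* or
# out=WAN_IFACE and source CLIENT_IP or 0.0.0.0/0 (for instance the
# RELATED,ESTABLISHED rule) would let traffic escape when the tunnel drops,
# which is why the rule must be inserted with -I, not appended with -A.
killswitch_ok() {
    printf '%s\n' "$1" | awk -v wan="$2" -v ip="$3" '
        NR <= 2 { next }                        # chain header and column titles
        $7 != wan && $7 != "*" { next }         # cannot match WAN-bound traffic
        $8 != ip && $8 != "0.0.0.0/0" { next }  # cannot match this client
        $3 == "DROP" || $3 == "REJECT" { blocked = 1; exit }
        $3 == "ACCEPT" { exit }                 # an ACCEPT wins first: no kill switch
        END { exit !blocked }
    '
}

# Constructed sample listing (not captured from a real router): the rule for
# .2 was inserted at the top, the one for .3 sits below the RELATED,ESTABLISHED
# accept and is therefore not an effective kill switch.
SAMPLE_FORWARD='Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      vlan2   192.168.1.2          0.0.0.0/0            reject-with icmp-port-unreachable
  133 43433 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 DROP       all  --  *      vlan2   192.168.1.3          0.0.0.0/0
 1177  103K ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0            state NEW'

render_killswitch_rule 192.168.1.2 vlan2
for ip in 192.168.1.2 192.168.1.3; do
    if killswitch_ok "$SAMPLE_FORWARD" vlan2 "$ip"; then
        echo "$ip: kill switch in place"
    else
        echo "$ip: NO effective kill switch"
    fi
done
```

On a live DD-WRT box the listing argument would come from `iptables -vnL FORWARD` and the interface from `get_wanface`, exactly as in the post above.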
Night Prowler
DD-WRT Novice


Joined: 15 Jan 2016
Posts: 49

Posted: Thu Jul 22, 2021 13:23
egc wrote:
The reason it is not working for you is because you made a typo, please read and type carefully or better just copy and paste the rule e.g.:
Code:
iptables -I FORWARD -s 192.168.0.3 -o $(get_wanface) -j REJECT



Yes, it was a typo and it is now working.

Code:
root@Nighthawk:~# iptables -vnL FORWARD
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      vlan2   192.168.1.2          0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      vlan2   192.168.1.3          0.0.0.0/0            reject-with icmp-port-unreachable


egc wrote:
Next PBR, for a description how it works and how you must implement it see the WireGuard client setup guide page 9.


Yes, it was another error on my part, and ONLY the IPs listed in the PBR are now going through Wireguard.

There is no easy way to test the kill switch in Wireguard that I'm aware of. Putting the kill switch in the firewall settings appears to be the easiest way to make sure it is working. Maybe a test switch in the Wireguard configuration screen?

All my issues have been resolved.

Thank you for all your help, it was all very much appreciated...

egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12884
Location: Netherlands

Posted: Thu Jul 22, 2021 13:52
You are welcome, glad it is resolved.

In the latest WG client setup guide (from this morning) I added instructions on how you could test.

Warning: this only works when using 47047 or later.

I think you are not yet using this, as that build should have (some) protection from errors in the PBR field that cause everything to go via the tunnel and not only the addresses in the PBR field.

It also throws an error in syslog when that is happening.
