Confused over wireguard and PBR.

James Greystone
DD-WRT User


Joined: 20 Nov 2011
Posts: 194

Posted: Mon Aug 02, 2021 16:09    Post subject: Confused over wireguard and PBR.
I have read all the guides but am still confused about how to set up certain clients to bypass the Wireguard VPN.

Current setup is:

Netgear R7800 Build BS 47117

DHCP 192.168.1.1 Maximum users is 50. starting at 192.168.1.100

Under Services I have set static leases for my devices, and for the ones that I do not want going through the VPN I set the IP addresses outside of the 192.168.1.150 so that they would not be in range of DHCP-created leases. I think this is how I did it when using OpenVPN and it worked.

Wireguard Tunnel is set with allowed IPs as per instruction:

0.0.0.0/1,128.0.0.0/1

So now in Wireguard under Policy based routing, according to the client guide v18, I would put the DHCP range of 192.168.1.100 - 192.168.1.150 in CIDR format. (Policy Based Routing (PBR) will route IP addresses in the PBR field via the tunnel. All other traffic will use the WAN.)

192.168.1.100/30
192.168.1.104/29
192.168.1.112/28
192.168.1.128/28
192.168.1.144/30
192.168.1.148/31
192.168.1.150/32

Now everything outside that range should bypass the VPN.


However, nothing changes and everything still goes through the VPN.

I even tried putting just one device in the PBR field, with and without the #, and it still went through the VPN.

Am I missing a step?

Help is much appreciated.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

Posted: Mon Aug 02, 2021 16:39
It is easier to have your DHCP range starting at .64 for 64 clients; then you can set the whole range with .64/26 :)

You may have something left in the PBR field, so make sure everything is taken out and just place this for testing in the PBR field:
Code:
192.168.1.100/32


Only that address should use the VPN, other addresses not.

Show a picture of the Wireguard settings page.
Show the output from the CLI of:
Code:
nvram get oet1_pbr
ip route show
ip route show table 21
ip rule show

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

Posted: Mon Aug 02, 2021 17:18
As a quick test I placed your list in the PBR field (it has to be a comma delimited list) and that was working.
It is sometimes easy to make a typo e.g. using /24 but the list seems valid.

Code:
192.168.1.100/30, 192.168.1.104/29, 192.168.1.112/28, 192.168.1.128/28, 192.168.1.144/30, 192.168.1.148/31, 192.168.1.150/32


I am also using an R7800 running build 47117

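An added example, not part of the original thread: a Python sketch that derives the comma-delimited PBR list from a DHCP range, flags prefix-length typos such as /24, and reports which clients the list sends through the tunnel. The function names and the sample client addresses are constructed for illustration; it uses only the standard-library ipaddress module and does not touch the router.

```python
import ipaddress

def range_to_pbr(first, last):
    """Smallest set of CIDR blocks covering first..last, comma-delimited."""
    blocks = ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))
    return ", ".join(str(b) for b in blocks)

def validate_pbr(field):
    """Return (networks, errors) for a comma-delimited PBR field.

    strict=True rejects entries whose host bits are set, which catches
    prefix-length typos such as 192.168.1.100/24.
    """
    networks, errors = [], []
    for item in (p.strip() for p in field.split(",")):
        if not item:
            continue
        try:
            networks.append(ipaddress.ip_network(item, strict=True))
        except ValueError as exc:
            errors.append(f"{item}: {exc}")
    return networks, errors

def uses_tunnel(client, field):
    """True if the client's source address matches an entry in the PBR field."""
    networks, errors = validate_pbr(field)
    if errors:
        raise ValueError("; ".join(errors))
    addr = ipaddress.ip_address(client)
    return any(addr in net for net in networks)

if __name__ == "__main__":
    pbr = range_to_pbr("192.168.1.100", "192.168.1.150")
    print("PBR field:", pbr)
    # The aligned pool suggested in the thread collapses to a single entry.
    print("Aligned pool:", range_to_pbr("192.168.1.64", "192.168.1.127"))
    # Constructed sample clients: one inside the DHCP pool, two outside it.
    for client in ("192.168.1.120", "192.168.1.20", "192.168.1.151"):
        route = "WireGuard tunnel" if uses_tunnel(client, pbr) else "WAN"
        print(f"{client} -> {route}")
    # A prefix-length typo is reported instead of silently widening the match.
    print(validate_pbr("192.168.1.100/24")[1])
```
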
James Greystone
DD-WRT User


Joined: 20 Nov 2011
Posts: 194

Posted: Tue Aug 03, 2021 0:50
egc wrote:
It is easier to have your DHCP range starting at .64 for 64 clients; then you can set the whole range with .64/26 :)

You may have something left in the PBR field, so make sure everything is taken out and just place this for testing in the PBR field:
Code:
192.168.1.100/32


Only that address should use the VPN, other addresses not.

Show a picture of the Wireguard settings page.
Show the output from the CLI of:
Code:
nvram get oet1_pbr
ip route show
ip route show table 21
ip rule show


I hope I did this right :*(
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

Posted: Tue Aug 03, 2021 9:55
That looks good.
All clients except 192.168.1.100 will use the WAN and not the VPN.

Client 129.168.1.100 will use the VPN

Test clients with ipleak.net but it can take a minute before the routing is established.
Sometimes you have to refresh your browser cache.

If all clients still show they are using the VPN then disable Wireguard (settings are retained)

If clients still use the VPN then check your upstream router if this is using a VPN.

James Greystone
DD-WRT User


Joined: 20 Nov 2011
Posts: 194

Posted: Tue Aug 03, 2021 16:15
egc wrote:
That looks good.
All clients except 192.168.1.100 will use the WAN and not the VPN.

Client 129.168.1.100 will use the VPN

Test clients with ipleak.net but it can take a minute before the routing is established.
Sometimes you have to refresh your browser cache.

If all clients still show they are using the VPN then disable Wireguard (settings are retained)

If clients still use the VPN then check your upstream router if this is using a VPN.



As always, thank you for your help egc. I think it is working now. I took your advice about using .64 for DHCP; it is easier not to make a mistake that way.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

Posted: Tue Aug 03, 2021 16:21
You are welcome, glad it is solved.
All times are GMT