Master Policy-Based Routing (PBR) on OpenWrt with this comprehensive guide. Learn how to install, configure, and easily route traffic between interfaces on your router.
For some time, I have been covering topics concerning OpenWrt on my website. One of the primary interests among my users has been the implementation of WireGuard and adding a Cloudflare WARP tunnel, as well as managing multiple internet connections on a single router.
What I have not yet covered is how to conditionally route traffic once we have established two internet connections, or when we have added a virtual connection (such as a VPN) to the router on a single physical connection.
While firewall rules can be used to route traffic, they are not always straightforward to implement; consequently, I looked for an alternative solution.
I was particularly interested in being able to quickly configure a router to direct traffic from a specific device over a VPN tunnel whenever necessary. To assist with this, I looked into the PBR (Policy-Based Routing) package.
Installation
The objective is to manage everything swiftly through the web interface. For this reason, I will not be installing the pbr package in isolation; instead, I will install the LuCI package directly, which will automatically pull in pbr as a dependency.
opkg update
opkg install luci-app-pbr
service rpcd restart
This procedure requires the installation of luci-app-pbr and a restart of the rpcd service before we proceed with any further configuration.
By default, during the initial installation, you will be presented with an error message. This is normal. The pbr service is disabled by default to ensure nothing breaks at this stage. You can ignore it for now.
ERROR: The pbr service is currently disabled!
Run the following commands before starting the service again:
uci set pbr.config.enabled='1'; uci commit pbr;
pbr 1.2.0-r6 FAILED TO START in fw4 nft file mode!!! Check the output of nft -c -f /var/run/pbr.nft
ERROR: The pbr service is currently disabled!
ERROR: Errors encountered, please check https://docs.openwrt.melmac.ca/pbr/1.2.0/#ErrorMessagesDetails!
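The output above mixes the expected "disabled" notice with a "FAILED TO START" line, so it helps to tell the harmless first-install case apart from a start failure on an enabled service. The following is an added example, not code from the original post or from the pbr project: the function names pbr_triage and pbr_next_step and the PBR_NFT_FILE variable are hypothetical, while the matched messages and the uci and nft commands are the ones quoted in the error text.

```shell
#!/bin/sh
# Added example: triage captured pbr start-up output (helper names are hypothetical).

# Path printed in the pbr error message quoted on this page.
PBR_NFT_FILE="${PBR_NFT_FILE:-/var/run/pbr.nft}"

# Read pbr start-up output on stdin and print exactly one verdict:
#   disabled  - service is switched off in UCI (expected right after install)
#   nft-error - start failed although the service is not reported as disabled
#   error     - some other ERROR: line was reported
#   ok        - no error markers found
pbr_triage() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q 'service is currently disabled'; then
        # The "FAILED TO START" line is only a consequence in this case.
        echo disabled
    elif printf '%s\n' "$out" | grep -q 'FAILED TO START'; then
        echo nft-error
    elif printf '%s\n' "$out" | grep -q '^ERROR:'; then
        echo error
    else
        echo ok
    fi
}

# Act on a verdict using only the commands the error text itself names.
pbr_next_step() {
    case "$1" in
        disabled)
            # Enable the service and persist the setting.
            uci set pbr.config.enabled='1' && uci commit pbr ;;
        nft-error)
            # -c parses the generated ruleset in check-only mode; nothing is loaded.
            nft -c -f "$PBR_NFT_FILE" ;;
        ok)
            return 0 ;;
        *)
            # Unknown condition: leave the configuration untouched.
            return 1 ;;
    esac
}
```

On the router, feed the saved start-up output to pbr_triage and pass the printed verdict to pbr_next_step once the settings below have been reviewed.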
Before moving any further, we can log in to our router via a web browser. In the Services section, a new option called Policy Routing will now be visible.
Let’s review the default options and adjust them to our environment before enabling the service.
Configuration
Basic Configuration
- Output verbosity
This determines the level of detail the pbr service writes to your system log (logread) and console during startup and rule changes.
- Recommendation: Keep this set to Verbose output (the default). Once everything is functioning correctly, you can switch to Condensed output.
- Strict Enforcement