Open egc112 opened 2 weeks ago
Thank you for the report and suggested patch Erik. I'm in the process of preparing to remove the iptables-related code and reworking the nft code to improve the nft_file_mode support (by adding all elements to the nft set in one command and thus hopefully avoiding the nft set collision errors), so I'll try to review this with the attention it deserves at some point next week.
Thanks, good idea to remove the iptables-related code as stable and main builds are now nftables
[pbr] issue: IPv6, missing default route in VPN table if the default route is not present in main table
I was experimenting with IPv6 and PBR and ran into some problems.
This is a test router with which I am tinkering a lot, so it might just be gremlins on the router.
IPv6 works without PBR with a WireGuard tunnel to Mullvad. I had to do some tweaks to get the default routing via the VPN right:
With this ipleak.net and traceroute show the use of IPv6 via the tunnel.
Now on to PBR. When PBR is enabled, tables for WAN and VPN are made with appropriate default routing
The problem arises, for IPv6 only, when I disable default routing by either disabling Route Allowed IPs or disabling default gateway. IPv4 is working, but in the IPv6 VPN table there is no longer a default route via the VPN
I looked at the code and although I do not grasp all the details there seems to be a difference between IPv4 and IPv6
IPv4:
As far as I can see it will either add an unreachable or the default route to the routing table and then add "local" rules to the routing table
IPv6
The IPv6 code seems to do things differently:
This seems to set only default routes if there is no unreachable route set or if there is no "local" route, which in my case results in no default route being set, as there is a local route (the route of the WG interface). (The fact that there is a default route when the default route is in the main table is because it is copied along with the "local" routes.)
This is my VPN table without the default route:
I hacked the code a bit and shuffled things around and now it seems to work:
Now that the code with default route runs, I hit another problem: the following rule threw an error because the wan interface has two entries, so I added an `exit;` in awk: `'{print $4;exit;}')`
Of course not the way to solve this, but it got my code running. Maybe I am wasting your time, so apologies beforehand, and of course my hacking is not a proper solution but only meant to demonstrate what I found.
Thanks for all your excellent work
Regards, Erik
Your configs
/etc/config/dhcp
/etc/config/network
/etc/config/firewall
/etc/config/pbr
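As an added illustration (not code from the pbr project or from the reporter's patch), the two default-route decisions described in the report, run over a constructed dump of an IPv6 VPN table that already holds the copied wg0 interface routes but no default route; the table contents, the `wg0` name and the grep-based parsing are assumptions.

```shell
#!/bin/sh
# Constructed sample: `ip -6 route show table <vpn>` after the "local"
# (non-default) routes of the WireGuard interface were copied in, and
# before any default route was installed.
VPN6_TABLE='fd00:dead:beef::/64 dev wg0 metric 1024 pref medium
fe80::/64 dev wg0 metric 256 pref medium'

# True when the table already carries a default or an unreachable default.
has_default_or_unreachable() {
  printf '%s\n' "$1" | grep -Eq '^(default|unreachable default)'
}

# True when the table carries any copied "local" (non-default) route.
# Empty lines are ignored so an empty table does not count as having one.
has_local_route() {
  printf '%s\n' "$1" | grep -Evq '^(default|unreachable|$)'
}

# Decision as the reporter reads the IPv6 path: add the default route only
# when the table has neither an unreachable route nor a local route. With the
# interface routes already present this yields "skip" and the table ends up
# without a default route via the VPN.
ipv6_default_action_as_is() {
  if has_default_or_unreachable "$1" || has_local_route "$1"; then
    echo skip
  else
    echo add
  fi
}

# Decision in the IPv4 order the reporter describes: settle the default (or
# unreachable) route first, before local routes are copied, so an existing
# interface route no longer suppresses it.
ipv6_default_action_fixed() {
  if has_default_or_unreachable "$1"; then
    echo skip
  else
    echo add
  fi
}

echo "as-is: $(ipv6_default_action_as_is "$VPN6_TABLE")"   # skip (the bug)
echo "fixed: $(ipv6_default_action_fixed "$VPN6_TABLE")"   # add
```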