Hi,
I'm trying to set up PBR to route certain subnets stored in an “address-list” through a WireGuard tunnel. WireGuard works fine, static routes work fine, however, I am not able to figure out why “routing-mark” doesn’t work. Here are the relevant parts of my setup:
I would expect a ping to an IP that’s part of “DIGI-NETWORK” to get logged, but the PBR does not work and nothing shows up in the logs. Any ideas? What am I doing wrong?
Can you clarify if the router here is at the server end or the client end?
I am assuming you are doing WireGuard from MT router to MT router; is that the case? Or are you using the MT router as a client to a third-party VPN provider?
(The reason I ask is I only see one MT router here and it seems set up to be the client end.)
The MT is a WireGuard client connected to a remote server (my own WG server in another country, no 3rd-party providers). The remote WG server is in the same country as DIGI-NETWORK; my goal is to route DIGI-NETWORK-destined traffic (destination → DIGI.NETWORK) through the WG tunnel in order to hide my local public IP. The WG tunnel works fine, and I have static routes in place for private subnets from the other side that work without issues:
So to me, the only difference between routing all traffic from a subnet on the client:
dst=0.0.0.0/0 gwy=wireguard_interface Routing Table - HideMyIP / Action - Lookup only in table, Table - HideMyIP, source-address - client subnet
and what you are asking for seems to be the addition of the PBR stuff on the RULE part… Action - Lookup only in table, Table - HideMyIP, source-address - client subnet, ROUTING MARK - >>>>>>
Sadly no option for dst-address-LIST in the route rule.
Here is what I would do… because, just like CAPsMAN, I hate mangling LOL.
1x IP Route:
dst=0.0.0.0/0 gwy=wireguardinterface Routing Table=HideMyIP
4x Route Rules:
source-address=applicable subnet dst-address=5.2.128.0/19 Action=Lookup Only in Table Table=HideMyIP
source-address=applicable subnet dst-address=5.2.160.0/21 Action=Lookup Only in Table Table=HideMyIP
source-address=applicable subnet dst-address=5.2.174.0/24 Action=Lookup Only in Table Table=HideMyIP
source-address=applicable subnet dst-address=5.2.178.0/23 Action=Lookup Only in Table Table=HideMyIP
If this is applicable to all subnets then just remove the source address portion.
By the way, I don't assign any IP address to my WireGuard interfaces as I have yet to find a reason to do so!!!
@anav - thank you so much for your time and effort to help me out.
I am aware of the solution you’ve suggested; in fact, that’s what I’m using currently as a workaround to my problem, but it’s not a perfect solution because:
“DIGI-NETWORK” is a long list (I’ve provided 4 subnets just to make a point),
Not all traffic in “DIGI-NETWORK” should go through the tunnel, e.g. the remote WireGuard GW resides in “DIGI.NETWORK” (the server name is set by dynamic DNS and changes frequently), therefore UDP 52311 should not get routed through the tunnel; this solution only works if I “know” the public IP of the remote WG GW and disable the route to that subnet/IP.
PBR would have been an elegant solution: I’d have the option to route only certain ports or protocols through the tunnel while setting up only a few static routes.
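The mangle-based PBR the original poster is after, written out as an added example; this is not the poster's configuration (which is not shown in the thread) and not anav's route-rule version. It assumes RouterOS v7, the default interface list named LAN, a WireGuard interface named wireguard1 with an assumed tunnel address of 10.255.255.2/30 that the remote peer lists in its allowed-address, a routing table named HideMyIP, and the four prefixes and the UDP 52311 endpoint port quoted earlier in the thread. Two points a practitioner should check: the table named in new-routing-mark must exist under /routing table with the fib flag before a mangle rule can mark packets into it, and a prerouting rule only sees traffic entering the router, so the router's own WireGuard handshake toward an endpoint that sits inside DIGI-NETWORK is not marked by it. The commented-out port-restricted rule at the end goes beyond the thread's case and shows the "only certain ports" variant.

```routeros
# Added example, not the poster's config. Assumed names: interface list "LAN",
# WireGuard interface "wireguard1", tunnel address 10.255.255.2/30, table "HideMyIP".

# 1. Tunnel address, so srcnat below has an address to masquerade to (assumption).
/ip address
add address=10.255.255.2/30 interface=wireguard1 comment="WG tunnel address"

# 2. The routing table referenced by the mark. It must exist and carry "fib",
#    otherwise the routing-mark has no table to look up.
/routing table
add name=HideMyIP fib

# 3. Destinations to send through the tunnel (the four prefixes from the thread).
/ip firewall address-list
add list=DIGI-NETWORK address=5.2.128.0/19
add list=DIGI-NETWORK address=5.2.160.0/21
add list=DIGI-NETWORK address=5.2.174.0/24
add list=DIGI-NETWORK address=5.2.178.0/23

# 4. Mark LAN-originated traffic in prerouting. Order matters: "add" appends, so
#    the log rule is listed first. Router-generated packets (including the
#    WireGuard handshake, UDP/52311 to an endpoint inside DIGI-NETWORK) traverse
#    the output chain, not prerouting, so this rule never catches them.
/ip firewall mangle
add chain=prerouting in-interface-list=LAN dst-address-list=DIGI-NETWORK \
    action=log log-prefix="DIGI-match" comment="temporary: confirm the list matches"
add chain=prerouting in-interface-list=LAN dst-address-list=DIGI-NETWORK \
    action=mark-routing new-routing-mark=HideMyIP passthrough=no \
    comment="PBR: DIGI-NETWORK via WireGuard"
# Variant beyond the thread's case: mark only HTTPS toward the list (disabled here).
add chain=prerouting in-interface-list=LAN dst-address-list=DIGI-NETWORK \
    protocol=tcp dst-port=443 action=mark-routing new-routing-mark=HideMyIP \
    passthrough=no disabled=yes comment="PBR: only TCP/443 via WireGuard"

# 5. Default route inside the HideMyIP table, pointing at the tunnel.
/ip route
add dst-address=0.0.0.0/0 gateway=wireguard1 routing-table=HideMyIP \
    comment="PBR: HideMyIP default via WireGuard"

# 6. Source NAT so the remote server sees the tunnel address, not the LAN subnet.
/ip firewall nat
add chain=srcnat out-interface=wireguard1 action=masquerade \
    comment="NAT LAN traffic into the tunnel"

# Checks after applying:
#   /ip firewall mangle print stats        -> packet counters on the two rules rise
#   /log print where message~"DIGI-match"  -> log lines from the temporary rule
#   /ip route print where routing-table=HideMyIP
# Caveat: if the forward chain has a fasttrack-connection rule, established
# connections bypass mangle; either exclude these flows from fasttrack or
# disable it while testing, otherwise only the first packets of a flow are marked.
```

Once the counters and log lines confirm matches, disable or remove the temporary log rule; it is there only to answer the "nothing shows up in the logs" question from the first post. The route rules anav lists remain a valid alternative when the destination set is short and the router's own traffic is kept out of them with a source-address restriction.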
No worries, I've reached the extent of what I know to help LOL.
By the way I use the IP cloud dyndns name of the MT routers as endpoints and in firewall address lists.
What bugs me and what NORMIS still has to answer, is if the IP mynetname I put in wireguard settings will update if the far endpoint changes.
Right now I believe it resolves to the correct IP, but unlike firewall address lists, there is no obvious dynamic assignment that gives me a warm and fuzzy.
In addition, I suggest that there are both paid and free DynDNS name hosts out there, and thus every public IP you have could be reachable via this method.