Flint-2: Wireguard client and Policy Routing

Hello everyone,

I am (brand) new here, so please welcome me :slight_smile:

I acquired a Flint-2 and this is my 1st day using it.
I find the configuration options using the default interface quite underwhelming.
Here are the two issues I have observed that don't inspire:

  1. Wireguard client - that I am not able to edit a client config and enter my preferred server name is a problem.
    I should also be able to select a region. In my case, I need to connect to the US East Coast - NY, NJ, around there. The router only gives me servers in Seattle, which is West Coast.
    Why these limitations? What's the rationale?

  2. Policy routing for LAN clients: I have been using luci-app-pbr for managing Policy Routing.
    It allows me to specify clients or destination domain names/IPs to be routed via WAN. In my situation, the wireguard client interface is the default gateway for everything unless I exempt the client or destination in my PBR config.

Flint-2, running the latest release firmware version, appears to lack this functionality. I am saying 'appears' because I didn't find it.

I am wondering whether it is considered normal practice to resort to using Luci for such requirements. Will they not conflict with the other functionality managed from the Flint 2 GUI?

TIA

Welcome to the forum.

What firmware version are you using?
What vpn service provider are you using?

There are VPN policies at the top of the VPN dashboard, above the VPN client connections.

I am on 4.7.7 release1. I only bought this router last week for a client's project after it was recommended in the OpenWrt forum. Initially I wanted to go with the Xiaomi Mi Router AX9000.
I was impressed by the VPN throughput of the Flint-2 so I grabbed one. And I was planning to get 2 more.

For VPN, I am using NordVPN with a Wireguard client.
I have several routers running OpenWrt 24.10.1 and I use the https://firmware-selector.openwrt.org/ to build my images.

I have to say that I hate the Wireguard implementation. There is no good reason why I am only being given servers in Seattle. I need to configure servers of my choice and change them as often as I want. I am in Africa/Kenya, and having the device send me to VPN termination servers on the US West Coast instead of the East Coast doesn't make sense. The Wireguard implementation is below par. I am yet to test the OpenVPN aspect.

There is a semblance of Policy Routing, but it's nothing close to using pbr+luci-app-pbr.
I had to shut down this Flint-2 and continue using my other routers because Flint-2 DOES NOT have PBR.
Should I just go to luci and implement my Wireguard and PBR there instead of relying on GL-iNet implementation?

You can use wireguard server anywhere.

Are you using Nord?

I guess that you can go to Luci and use PBR if you are good at it.

I am using NordVPN. How do I configure it to use servers in the East Coast? Or better still, an individual server determined by going to https://nordvpn.com/servers/tools/, selecting the US, which then gives you the fastest servers you can use?
It would be better if GL-iNet improved the config to allow the selection of a REGION, besides the country. Such that if I select US, I can then narrow down on REGION, instead of hardcoding Seattle.

If you want a more comprehensive vpn policy you can use 4.8 beta. In 4.8 beta you can combine all the policies together.

I am good with Luci, pbr+luci-app-pbr.
So, if I ignore the default implementation of VPN by GL-iNet and just install my own apps (opkg install) and configure, all should be fine?

How about if I build my firmware from https://firmware-selector.openwrt.org/ and flash it on the device? What do I lose?

If you use openvpn you should be able to select cities.

I will check Wireguard.

You can just go to luci and configure everything from there.

But it is OK to flash vanilla firmware from openwrt. You are good to try.

Even the OpenVPN client implementation needs a revamp - to enable COUNTRY selection, then REGION selection.

I am using the 4.6.6-op24 firmware and when I install pbr and luci-app-pbr, the policy based routing process won't start. The last thing it does is write a line to the logs with the date and time but no log message. Is the OpenWRT pbr package conflicting with something else on this firmware version? Are there any processes or packages I can safely disable/delete that will enable PBR to work on this version?

What version of OpenWrt do you have in 4.6.6-op24?
I flashed 4.7.5-op24 which has OpenWrt-24.10.1 and I installed latest pbr|luci-app-pbr versions:

opkg update
opkg install wget-ssl   # opkg needs TLS support to fetch from the https feed added below
# Import the feed maintainer's usign public key so opkg can verify the package index
echo -e -n 'untrusted comment: OpenWrt usign key of Stan Grishin\nRWR//HUXxMwMVnx7fESOKO7x8XoW4/dRidJPjt91hAAU2L59mYvHy0Fa\n' > /etc/opkg/keys/7ffc7517c4cc0c56
# Drop any stale stangri_repo entry first so the feed is not listed twice
sed -i '/stangri_repo/d' /etc/opkg/customfeeds.conf
echo 'src/gz stangri_repo https://repo.openwrt.melmac.net' >> /etc/opkg/customfeeds.conf
opkg update; opkg install pbr luci-app-pbr

I got pbr started, but wasn't routing traffic via the wgclient interface.

root@GL-MT6000:/etc/config# service pbr start
Using uplink interface (on_start): wan [✓]
Found uplink gateway (on_start): 192.168.1.1 [✓]
Setting up routing for 'wan/eth1/192.168.1.1' [✓]
Setting up routing for 'wwan/0.0.0.0' [✓]
Setting up routing for 'secondwan/0.0.0.0' [✓]
Setting up routing for 'wgclient/10.5.0.2' [✓]
Routing 'Via WAN' via wan [✓]
Routing 'Paypal' via wan [✓]
Routing 'chatgpt_via_wan' via wan [✓]
Routing 'stanbic_internet_banking' via wan [✓]
Routing 'aliexpress.com' via wan [✓]
Routing 'odoo.com noip.com' via wan [✓]
Routing 'Wyze' via wan [✓]
Routing 'VanessaFireTV' via wan [✓]
Routing 'Panafcon' via wan [✓]
Routing 'eCitizen' via wan [✓]
Routing 'Oraimo' via wan [✓]
Routing 'eBay' via wan [✓]
Routing 'ZA' via wan [✓]
Routing 'Mara.Cloud' via wan [✓]
Routing 'Microsoft Live' via wan [✓]
Routing 'DDNS' via wan [✓]
Routing 'CSL Sophos' via wan [✓]
Routing 'Telenet Solutions' via wan [✓]
Routing 'Sophos' via wan [✓]
Running /usr/share/pbr/pbr.user.ke.lst [✓]
Installing fw4 nft file [✓]
Setting interface trigger for wan [✓]
Setting interface trigger for wwan [✓]
Setting interface trigger for secondwan [✓]
Setting interface trigger for wgclient [✓]

pbr 1.1.8-r30 monitoring interfaces: wan wwan secondwan wgclient
pbr 1.1.8-r30 (fw4 nft file mode) started with gateways:
wan/eth1/192.168.1.1 [✓]
wwan/0.0.0.0
secondwan/0.0.0.0
wgclient/10.5.0.2
root@GL-MT6000:/etc/config#

How did I know it wasn't routing traffic?
If I enabled it, I could ping a destination from the router using the wireguard client as the source interface. However, from my PC, I could ping any IP or name.
I have changed things here and there while running tests and concluded that if you want to use pbr/luci-app-pbr, you are just better off running vanilla OpenWrt than mixing things up with the customized Flint-2 firmware. It's an unnecessary waste of time.
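
As an added example (not configuration posted by anyone in this thread), here is an /etc/config/pbr fragment for the setup odhiambo describes: the WireGuard client interface 'wgclient' already carries the default route (AllowedIPs 0.0.0.0/0 with route_allowed_ips on the wg interface), so pbr only has to pull exceptions back out to wan. The policy names mirror the ones in the start output above; the client addresses, the guest subnet, the bank domain and the 'wgserver' interface name are assumed placeholders.

```uci
# /etc/config/pbr -- assumed example, not from the thread.
# Assumption: 'wgclient' is the system default route, so anything not matched
# by a policy below goes through the tunnel. Policies only list what must bypass it.

config pbr 'config'
	option enabled '1'
	option verbosity '2'
	# Keep a policy enforced while its interface is down, so matching traffic is
	# dropped rather than silently falling through to the VPN default route.
	# For banking/PayPal exemptions that is the behaviour you want when wan flaps.
	option strict_enforcement '1'
	# Domain names in dest_addr only keep working if the resolver feeds the nft set;
	# 'dnsmasq.nftset' requires the dnsmasq-full package. Without a resolver set,
	# names are resolved once when pbr starts and never refreshed.
	option resolver_set 'dnsmasq.nftset'
	option ipv6_enabled '0'
	option boot_timeout '30'
	# Do not build routing tables for the local WireGuard server (assumed name).
	list ignored_interface 'wgserver'

# One LAN client that must always leave via the ISP (assumed address).
config policy
	option name 'VanessaFireTV'
	option src_addr '192.168.8.50'
	option interface 'wan'

# Destinations that block VPN egress or run geo checks. Several names may be
# listed space-separated, as the 'odoo.com noip.com' policy in the output shows.
config policy
	option name 'Paypal'
	option dest_addr 'paypal.com www.paypal.com'
	option interface 'wan'

config policy
	option name 'stanbic_internet_banking'
	option dest_addr 'bank.example.com'   # assumed placeholder domain
	option interface 'wan'

# A whole subnet that should bypass the tunnel (assumed guest range).
config policy
	option name 'Via WAN'
	option src_addr '192.168.9.0/24'
	option interface 'wan'
	option enabled '1'
```

To confirm the policies actually took effect on the router, check that pbr installed its rules and tables (`ip rule show` should list fwmark rules pointing at the pbr tables, and `nft list ruleset | grep -i pbr` should show the sets and mark rules), then from an exempted client compare the public IP reported by an exempted destination with the one seen from a non-exempted one; they should differ when the tunnel is up.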


For firmware version 4.7 and earlier, the package that conflicts with PBR is gl-sdk4-vpn-policy,
which writes IP rules (uci show network | grep policy) and firewall rules.
It’s not recommended to remove it, as it is an essential part of the overall VPN functionality.

As @odhiambo mentioned, using vanilla OpenWrt is a better choice if you want to enable PBR.

Thanks for the feedback. The nordvpn wireguard limited REGION issue has been fixed.
Forgot to mention, it's a server implementation bug, you don't need to update the firmware.
@odhiambo


Thank you for the update.
I am currently testing 4.8 BETA. Is that change going to be in another BETA, or how do I test it?
I don't see any BETA build after 2025-06-14.