I’m experiencing an issue with Policy-Based Routing (PBR) on my Flint 3 router. Here is my setup:
The router has a NordVPN client connected via OpenVPN.
Several WireGuard clients connect to the Flint 3 router (WG server) using the 10.0.0.0/24 subnet.
The LAN is on 192.168.2.0/24.
Via the gl-inet UI, I have configured the VPN policy to filter by MAC address. I don't want to exclude based on website or IP addresses or ranges.
It is not possible, by default, to create policy-based routing, so I went to LuCI and installed PBR.
I have created a PBR policy to route traffic to certain IPs/domains (e.g., speedtest.net, 151.101.0.0/16, 104.16.0.0/12) via the WAN interface instead of the VPN.
Issue:
PBR appears to be running, and the policy shows up in the LuCI interface.
However, traffic from both LAN and WG clients is still routed through the NordVPN tunnel.
I have tried static routes, changing source addresses, and leaving the gateway empty or using the WAN IP. None of these options allow the traffic to bypass NordVPN.
It seems that the NordVPN OpenVPN client pushes a default route that overrides the PBR and static route rules.
There is no option in the GL.iNet web interface to disable “redirect internet traffic through VPN” or equivalent.
Expected behavior:
Traffic matching the PBR policy or static routes (e.g., speedtest.net) should go out via the WAN interface, while all other traffic (based on their MAC address) continues through NordVPN.
Could you please advise how to achieve selective routing of traffic via WAN?
On my Flint 3 I use the GL.iNet VPN Policy set to MAC-based routing (some devices go through NordVPN, others not).
Now I want to add an extra layer: certain websites (e.g. speedtest.net) should always bypass VPN for all devices, regardless of their MAC. I thought Policy-Based Routing (PBR) could achieve this, but in practice the VPN policy seems to override PBR completely. Even with PBR enabled, traffic to those sites still goes through NordVPN.
Could you please advise if it is possible to combine MAC-based VPN policies with domain/IP-based PBR rules, so that selected sites never use the VPN tunnel?
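As an added illustration of the mechanism behind the question (not code from the thread or from GL.iNet), the model below walks a destination address through Linux policy routing the way the kernel does: `ip rule` entries are tried in priority order, and within the selected table the longest-prefix route wins. The routing state is constructed to resemble the described setup: the OpenVPN client's "redirect-gateway def1" style routes (0.0.0.0/1 and 128.0.0.0/1) sit in the main table beside the WAN default route, and a separate table is consulted for the speedtest.net ranges named above. Interface names, table names and rule priorities are assumptions.

```python
import ipaddress

# Constructed routing state modelled on the thread's setup (not a dump from a real router).
# OpenVPN's redirect-gateway def1 installs 0.0.0.0/1 and 128.0.0.0/1 via the tunnel; both are
# more specific than 0.0.0.0/0, so a plain WAN default route in the same table never wins.
TABLES = {
    "main": [
        ("0.0.0.0/1", "tun0"),         # pushed by the OpenVPN client (assumed device name)
        ("128.0.0.0/1", "tun0"),       # pushed by the OpenVPN client
        ("0.0.0.0/0", "eth0"),         # WAN default route (assumed device name)
        ("192.168.2.0/24", "br-lan"),  # LAN from the thread
        ("10.0.0.0/24", "wgserver"),   # WireGuard clients from the thread
    ],
    "wan": [
        ("0.0.0.0/0", "eth0"),         # PBR table: everything out the WAN
    ],
}

# ip-rule style entries: (priority, destination selector or None for "all", table).
# The PBR rules must sit at a lower priority number than the main-table rule (32766) to be tried first.
PBR_RULES = [
    (100, "151.101.0.0/16", "wan"),
    (100, "104.16.0.0/12", "wan"),
    (32766, None, "main"),
]

# What a router with no policy rules at all looks like: only the main table is consulted.
MAIN_ONLY_RULES = [(32766, None, "main")]


def lookup_table(table, dst, tables=TABLES):
    """Longest-prefix match of dst within one routing table; returns (network, device) or None."""
    best = None
    for prefix, dev in tables[table]:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best


def route(dst_str, rules=PBR_RULES, tables=TABLES):
    """Resolve dst through the rules in priority order; returns (table, matched prefix, device)."""
    dst = ipaddress.ip_address(dst_str)
    for _prio, selector, table in sorted(rules, key=lambda r: r[0]):
        if selector is not None and dst not in ipaddress.ip_network(selector):
            continue
        hit = lookup_table(table, dst, tables)
        if hit:
            return table, str(hit[0]), hit[1]
    return None


def with_static_route(prefix, dev, tables=TABLES):
    """Return a copy of the tables with an extra static route added to the main table."""
    copy = {name: list(routes) for name, routes in tables.items()}
    copy["main"].append((prefix, dev))
    return copy


if __name__ == "__main__":
    for dst in ("151.101.1.1", "104.20.1.1", "1.1.1.1"):
        print(dst, "with PBR rules  ->", route(dst))
        print(dst, "main table only ->", route(dst, MAIN_ONLY_RULES))
    print("151.101.1.1 with a /16 static route in main ->",
          route("151.101.1.1", MAIN_ONLY_RULES, with_static_route("151.101.0.0/16", "eth0")))
```

Two things the model makes visible: a bare WAN default route added to the main table loses to the tunnel's two /1 routes, while a more-specific static route or a higher-priority `ip rule` pointing at a separate table does win. Whether the second approach takes effect on a given router depends on what else installs rules, which is why two tools that both manage `ip rule` entries can defeat each other. On the device itself the equivalent checks are `ip rule show` and `ip route get <address>`, which report the rule and table the kernel actually selects.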
That's a helluva way to draw a topology. Try Draw.io. It might be a little easier.
"VPN Policy" == PBR. GL.iNet employee's first language isn't English... or are you referring to Stangri's PBR (luci-app-pbr)? Stangri's PBR conflicts with GL.iNet's PBR. GL uses custom routing & tagging scripts that override Stangri's.
Ah crap; you are referring to Stangri's PBR. Yeah, that's not gonna work & it wouldn't surprise me if your firewall is all mangled to Hell. I wouldn't trust it with a WAN connection until you reflashed back to stock & without keeping settings to get rid of any contamination.
So I'm reading your map as that you have a WG 'Server' running in conjunction with an OVPN client thru NordVPN, correct? The first thing I'd do is shut that down to see if it makes a difference. PBR is a relatively newer feature. It wouldn't surprise me if you've hit a bug but that's just speculation right now.
Can you add ip.me to one policy/whitelist & ifconfig.me to another? This will help verify the routing by just visiting the sites in question but... it really is a helluva lot easier if you're comfortable around the CLI. If you use Windows I recommend MobaXterm. It's free.
Then, from your Windows client (not SSH but as a 'local terminal'), execute:
printf "%s\n" \
"tunnel one's ip is $(curl -s ip.me)" \
"tunnel two's ip is $(curl -s ifconfig.me/ip)" \
"$(env TZ='UTC' date +'%Y%m%dT%H%M%S%Z')"
NVM. I only caught that now. You want two different sets of policies (MAC, IP/domain) to be effective @ the same time. I have no insight there. That would seem to be a feature request as I'm pretty sure it's not supported but I haven't tested such a set up using stock GL.
You might as well open a new thread marked with '[Ftr Req]' & a succinct title & short description. Link back to this thread just as point of discovery/history. That should help get GL.iNet's 'eyes' on it quicker. They're pretty open about taking requests but time will tell if they get implemented.
If you do I might suggest closing this thread with a 'Solution' so as not to confuse others who may be looking here for something definitive & think this is an active discussion.
On the other hand, don't forget to reset to stock. Pull a backup in LuCI before you do if you have other configuration files (they're just text files encoded in UTF-8/LF) you'd like to replicate but I really wouldn't trust your firewall having been mutated by part GL PBR, part Stangri's PBR.