
Policy: Allow routing by fwmark
Closed, Resolved | Public | FEATURE REQUEST

Description

With policies, we can set routing tables based on criteria such as

- source
- destination
- tcp flags
- ...

Furthermore we can also set firewall marks (fwmark). Either with policies, but also with wireguard.

It would be great to be able to do the following:

set policy route FWMARK-42 rule 1000 fwmark 42
set policy route FWMARK-42 rule 1000 set table 100

which would result into something similar to:

ip rule add fwmark 100 iif $interface_where_policy_is_applied table 100

This would allow us to set a table depending on the fwmark.

In combination with the wireguard fwmark setting, this would allow routing the wireguard traffic with local PBR through a specific interface.

Details

Difficulty level
Unknown (require assessment)
Version
-
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Perfectly compatible

Related Objects

Mentioned In
1.3.5

Event Timeline

We only have source routing now:

set policy local-route rule 100 set table '10'
set policy local-route rule 100 source '203.0.113.1'

Check rules:

vyos@r1-roll:~$ sudo ip rule show
0:	from all lookup local
100:	from 203.0.113.1 lookup 10
32766:	from all lookup main
32767:	from all lookup default

Hi @Viacheslav

Thanks for the info. I think (indeed) that *might* work for wireguard. But nevertheless, it would be cool to have the possibility to route by fwmark.

Edit: Is there some equivalent for the LTS branch?

@fetzerms The feature "policy local-route" is in 1.3/1.4 only.

Is that what you want? It should also work for 1.2

set policy route FOO2 rule 20 set table 25
set interfaces wireguard wg0 policy route FOO2

I can add rules for fwmark (match fwmark 23 / match source 203.0.113.120 and fwmark 120) for 1.4/1.3 like:

set policy local-route rule 111 fwmark '23'
set policy local-route rule 111 set table '111'
commit
set policy local-route rule 120 set table '120'
set policy local-route rule 120 source '203.0.113.120'
set policy local-route rule 120 fwmark '120'
commit

But to set mark you still need to use:

set policy route FOO2 rule 10 set mark 23
set interfaces wireguard wg0 policy route FOO2

Is there any sense in adding this logic?

set policy local-route rule 100 set table '100'
set policy local-route rule 100 source '203.0.113.1'
commit
set policy local-route rule 111 fwmark '23'
set policy local-route rule 111 set table '111'
commit
set policy local-route rule 120 set table '120'
set policy local-route rule 120 source '203.0.113.120'
set policy local-route rule 120 fwmark '120'
commit

vyos@r1-roll# commit
[edit]
vyos@r1-roll# 
[edit]
vyos@r1-roll# sudo ip rule show
0:	from all lookup local
100:	from 203.0.113.1 lookup 100
111:	from all fwmark 0x17 lookup 111
120:	from 203.0.113.120 fwmark 0x78 lookup 120
32766:	from all lookup main
32767:	from all lookup default
[edit]
vyos@r1-roll#
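A small verifier for the "commit, then sudo ip rule show" check above, added here as an example and not part of this task or of VyOS itself: it parses ip rule show output (the kernel prints fwmark values in hex, so fwmark 23 shows up as 0x17) and reports which configured local-route rules did not land in the kernel. The sample output is constructed from the listing in this thread; the expected-rule list mirrors the three local-route rules configured there.

```python
import re
from typing import Dict, List, Optional

# Constructed sample, copied from the "sudo ip rule show" listing in this thread.
SAMPLE_IP_RULE = """\
0:\tfrom all lookup local
100:\tfrom 203.0.113.1 lookup 100
111:\tfrom all fwmark 0x17 lookup 111
120:\tfrom 203.0.113.120 fwmark 0x78 lookup 120
32766:\tfrom all lookup main
32767:\tfrom all lookup default
"""

# What the VyOS config in the thread should have produced (priority = rule number).
EXPECTED_RULES: List[Dict[str, object]] = [
    {"priority": 100, "src": "203.0.113.1", "table": "100"},
    {"priority": 111, "fwmark": 23, "table": "111"},
    {"priority": 120, "src": "203.0.113.120", "fwmark": 120, "table": "120"},
]

# Keywords that take one argument in ip rule output; mapped to our field names.
_KEYWORDS = {"from": "src", "to": "dst", "iif": "iif", "oif": "oif", "lookup": "table"}


def parse_ip_rule(output: str) -> List[Dict[str, object]]:
    """Parse `ip rule show` lines into dicts; fwmark/mask are decoded from hex."""
    rules: List[Dict[str, object]] = []
    for line in output.splitlines():
        m = re.match(r"^\s*(\d+):\s*(.*)$", line)
        if not m:
            continue  # blank or unrecognised line
        rule: Dict[str, object] = {"priority": int(m.group(1)), "fwmark": None, "mask": None}
        tokens = m.group(2).split()
        i = 0
        while i < len(tokens):
            key = tokens[i]
            if key == "fwmark" and i + 1 < len(tokens):
                # Printed as 0x17 or, with a partial mask, as 0x17/0xff.
                mark, _, mask = tokens[i + 1].partition("/")
                rule["fwmark"] = int(mark, 16)
                rule["mask"] = int(mask, 16) if mask else None
                i += 2
            elif key in _KEYWORDS and i + 1 < len(tokens):
                rule[_KEYWORDS[key]] = tokens[i + 1]
                i += 2
            else:
                i += 1  # flags such as "not" or "suppress_prefixlength" are skipped
        rules.append(rule)
    return rules


def find_missing(rules: List[Dict[str, object]], expected: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Return the expected entries for which no kernel rule matches every given field."""
    return [exp for exp in expected
            if not any(all(r.get(k) == v for k, v in exp.items()) for r in rules)]


if __name__ == "__main__":
    missing = find_missing(parse_ip_rule(SAMPLE_IP_RULE), EXPECTED_RULES)
    print("all rules present" if not missing else f"missing: {missing}")
```

Run it with live data by replacing SAMPLE_IP_RULE with the output of `ip rule show`; a non-empty result points at a rule that either did not commit or was committed with a different mark or table.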

Hi @Viacheslav

Wireguard has its own fwmark setting, such as:

set interfaces wireguard wg01 fwmark 100

I was hoping to use that fwmark to route the underlying wireguard traffic through a specific interface.

My use case is somewhat special though (I need PBR and fwmark):

  • I have a mesh of nodes with wireguard.
  • Each node is connected to the internet (e.g. has a default gateway)
  • Each of them speaks BGP to each other.
  • Some of the nodes inject a default route via BGP (and other routes).
  • This is intended, as I want all routed traffic to pass through the tunnels.
  • For maintenance of the routers themselves, I'd like to send traffic that originates from (or is destined for) the router itself not through the BGP-learned routes but through eth0.

That's where I use an extra routing table with the node's default gateway. I then try to make sure that all traffic that is destined for the router gets routed through that.

I know this is some kind of special use case. If I'd have a wish, I would have the BGP daemon only inject routes to another table (not main) and use that for routing all client traffic.
I would be very open for a completely different approach, if there is some idea :-)

It seems what I want to do works with 1.3 and newer; I didn't know that. I was hoping to do it with the LTS version.

@fetzerms Can you check it in 1.4?
For example:

set policy local-route rule 10 fwmark '42'
set policy local-route rule 10 set table '100'
Viacheslav changed the task status from Open to Needs testing. Oct 14 2021, 6:13 PM
syncer changed the task status from Needs testing to Backport candidate. Oct 17 2021, 1:47 PM
syncer triaged this task as Normal priority.
syncer added a subscriber: syncer.

@Viacheslav is this backported and present in 1.3.2?

@syncer We'll add/merge it to 1.3.3 (We discussed it and agree to add it after 1.3.2 release)