Possible bug with domain-group routing

I’m trying to route specific traffic based on domain through a WireGuard VPN interface. I feel like this might be a bug, but I am not sure, so I would appreciate it if someone could either confirm this or point out what I have done wrong.

If I do:

set protocols static route x.y.z.0/24 interface wg01

Using the IP addresses/CIDR the domains resolve to, everything works as expected, so I know there is no blocking of the traffic anywhere. The only issue I have is routing.

I’ve created a domain-group

set firewall group domain-group BBC address 'bbc.com'

Used that group for a policy route (I’ve tried with and without the protocol, both tcp and tcp_udp, and with and without the interface. The interface is the internal network, but just in case I’ve also tested with the WAN and wg01 interfaces.)

set policy route FILTER-WEB interface 'eth1'
set policy route FILTER-WEB rule 1000 destination group domain-group 'BBC'
set policy route FILTER-WEB rule 1000 protocol 'tcp_udp'
set policy route FILTER-WEB rule 1000 set table '100'

Finally the static routing is set with:

set protocols static table 100 route 0.0.0.0/0 interface wg01

I have also tried using the IP of the wireguard gateway as the next-hop IP, but no luck there either.

Output:

show ip route table 100

VRF default table 100:
S>* 0.0.0.0/0 [1/0] is directly connected, wg01, weight 1, 13:06:32
show policy route statistics
Ruleset Information

(Nothing else comes out)

I may definitely be doing something wrong here, but I feel like it’s not picking up on my domain-group. Any assistance will be very helpful!

I am running VyOS 1.4-rolling-202305140317

Thank you!

Did you define a name-server in the VyOS router? Otherwise, it won’t be able to translate such domains into IPs.
Also, you can check the firewall ruleset to see whether group bbc actually contains IPs or not.

# Check the mangle table, where a set for such a group should be placed and filled with IPs.
# Also, the rules defined in policy route should be visible here.
# Check the counters of those rules.
sudo nft list table ip vyos_mangle

Also, while doing tests, you may see real-time traffic on the wireguard interface using tcpdump… There you will know whether traffic is being forwarded through it or not.

sudo tcpdump -ni wg01
show policy route

Ruleset Information

---------------------------------
IPv4 Policy Route "FILTER-WEB"

Active on: eth1

  Rule  Action    Protocol
------  --------  ----------
  1000  set       tcp_udp

Good shout! Yes, the VyOS has DNS and can resolve the domains fine.

‘sudo nft list table ip vyos_mangle’ does indeed list out the correct and expected IP addresses from my domain group! So far so good!

And very neat trick with the tcpdump, very useful!

set D_BBC {
        type ipv4_addr
        flags interval
        elements = { 151.101.0.81, 151.101.64.81,
                     151.101.128.81, 151.101.192.81 }
}
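As an added example (not from the thread, and not VyOS's own code), the check the reply suggests written out: parse the set blocks from the output of "sudo nft list table ip vyos_mangle" and report which of the resolver's answers for the domain are not covered by the domain-group set. The nft output and the resolver answers are constructed; the set name D_BBC and the flags/elements layout follow the output quoted above, and an extra CIDR element is added to exercise the "flags interval" case.

```python
import ipaddress
import re

# Constructed sample of `sudo nft list table ip vyos_mangle` output, trimmed to the
# set block. The 151.101.2.0/24 element is added to exercise interval (CIDR) entries.
SAMPLE_NFT_OUTPUT = """\
table ip vyos_mangle {
        set D_BBC {
                type ipv4_addr
                flags interval
                elements = { 151.101.0.81, 151.101.64.81,
                             151.101.128.81, 151.101.192.81,
                             151.101.2.0/24 }
        }
}
"""

def parse_nft_sets(text):
    """Return {set_name: [ip_network, ...]} for every `set X { ... }` block in
    nft list output; the `elements = { ... }` list may span several lines."""
    sets = {}
    for m in re.finditer(r"^\s*set (\S+) \{(.*?)\n\s*\}", text, re.S | re.M):
        name, body = m.group(1), m.group(2)
        el = re.search(r"elements = \{(.*?)\}", body, re.S)
        items = [e.strip() for e in el.group(1).split(",")] if el else []
        nets = []
        for item in items:
            if not item:
                continue
            if "-" in item:  # interval sets may also hold a-b ranges; expand them
                lo, hi = item.split("-")
                nets.extend(ipaddress.summarize_address_range(
                    ipaddress.ip_address(lo), ipaddress.ip_address(hi)))
            else:            # single address or CIDR
                nets.append(ipaddress.ip_network(item, strict=False))
        sets[name] = nets
    return sets

def missing_from_set(resolved_ips, nets):
    """Resolver answers that no element of the set covers: traffic to these
    never matches the policy rule and falls through to the main routing table."""
    return [ip for ip in resolved_ips
            if not any(ipaddress.ip_address(ip) in n for n in nets)]

if __name__ == "__main__":
    sets = parse_nft_sets(SAMPLE_NFT_OUTPUT)
    # Constructed resolver answers for the domain; the last one is not in the set.
    answers = ["151.101.0.81", "151.101.2.10", "151.101.3.81"]
    print("not covered by D_BBC:", missing_from_set(answers, sets["D_BBC"]))
```

On a live router, feed the function the real `nft` output and the addresses returned by `dig +short bbc.com`; an empty result means the domain-group set is populated correctly and the problem lies elsewhere (the rule's match conditions or the table 100 route).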