IP rules / policy-based routing

See also: mwan3, VPN Policy-Based Routing

Netifd supports IP rule declarations which are required to implement policy routing.

IPv4 rules can be defined by declaring one or more sections of type rule, IPv6 rules are denoted by sections of type rule6. Both types share the same set of defined options.

A simple IPv4 rule may look like: 

config rule
	option mark   '0xFF'
        option in     'lan'
	option dest   '172.16.0.0/16'
	option lookup '100'
  • 0xFF is a fwmark to be matched
  • lan is the incoming logical interface name
  • 172.16.0.0/16 is the destination subnet to match
  • 100 is the routing table ID to use for the matched traffic

Similary, an IPv6 rule looks like: 

config rule6
        option in     'vpn'
	option dest   'fdca:1234::/64'
	option action 'prohibit'
  • vpn is the incoming logical interface name
  • fdca:1234::/64 is the destination subnet to match
  • prohibit is a routing action to take

Options for IP rule (rule and rule6) sections

Name Type Required Default Description
in string no (none) Specifies the incoming logical interface name
out string no (none) Specifies the outgoing logical interface name
src ip subnet no (none) Specifies the source subnet to match (CIDR notation)
dest ip subnet no (none) Specifies the destination subnet to match (CIDR notation)
tos integer no (none) Specifies the TOS value to match in IP headers
mark mark/mask no (none) Specifies the fwmark and optionally its mask to match, e.g. 0xFF to match mark 255 or 0x0/0x1 to match any even mark value
suppress_prefixlength integer no (none) Reject routing decisions that have a prefix length less than or equal to the specified value
invert boolean no 0 If set to 1, the meaning of the match options is inverted
priority integer no (incrementing) Controls the order of the IP rules, by default the priority is auto-assigned so that they are processed in the same order they're declared in the config file
lookup routing table at least one of (none) The rule target is a table lookup, the ID can be either a numeric table index ranging from 0 to 65535 or a symbolic alias declared in /etc/iproute2/rt_tables. The special aliases local (255), main (254) and default (253) are recognized as well
goto rule index The rule target is a jump to another rule specified by its priority value
action string The rule target is one of the routing actions outlined in the table below

Routing actions

Action Description
prohibit When reaching the rule, respond with ICMP prohibited messages and abort route lookup
unreachable When reaching the rule, respond with ICMP unreachable messages and abort route lookup
blackhole When reaching the rule, drop packet and abort route lookup
throw Stop lookup in the current routing table even if a default route exists

Examples

Route guest network to VPN

Utilize PBR to route only guest network to VPN. 

uci set network.lan.ip4table="1"
uci set network.guest.ip4table="2"
uci set network.vpn.ip4table="3"
uci -q delete network.guest_vpn
uci set network.guest_vpn="rule"
uci set network.guest_vpn.in="guest"
uci set network.guest_vpn.lookup="3"
uci set network.guest_vpn.priority="30000"
uci commit network
/etc/init.d/network restart

Route IPv6 guest network to VPN

Utilize PBR to route only IPv6 guest network to VPN. 

uci set network.lan.ip6table="1"
uci set network.guest.ip6table="2"
uci set network.vpn.ip6table="3"
uci -q delete network.guest_vpn6
uci set network.guest_vpn6="rule6"
uci set network.guest_vpn6.in="guest"
uci set network.guest_vpn6.lookup="3"
uci set network.guest_vpn6.priority="30000"
uci commit network
/etc/init.d/network restart
This website uses cookies. By using the website, you agree with storing cookies on your computer. Also you acknowledge that you have read and understand our Privacy Policy. If you do not agree leave the website.More information about cookies
  • Last modified: 2021/04/15 16:40
  • by vgaetera