Routing example: PBR with netifd

Assuming interfaces named wan and novpn, (1) add a default route out of the wan interface to routing table 10 and (2) add a rule that routes all traffic coming in from the novpn interface using routing table 10.

This is useful if the normal default route goes over a VPN but you want a separate network which bypasses the VPN.

In /etc/config/network:

# Default route for the wan interface, installed into routing table 10
# instead of the main table.
config route
        option table '10'
        option target '0.0.0.0/0'
        option interface 'wan'

# Policy rule: traffic entering via the novpn interface is looked up in
# table 10, so it leaves via wan and bypasses the VPN default route.
config rule
        option in 'novpn'
        option lookup '10'

Use custom routing tables and rules to prioritize routing LAN to VPN. Route LAN to WAN as fallback when VPN is down.

# Give lan and wan dedicated routing tables (1 and 2) so policy rules can
# choose between them.
uci set network.lan.ip4table="1"
uci set network.lan.ip6table="1"
uci set network.wan.ip4table="2"
uci set network.wan6.ip6table="2"
# Recreate the IPv4 rule from scratch; -q keeps the delete quiet when the
# section does not exist yet.
uci -q delete network.lan_wan
uci set network.lan_wan="rule"
uci set network.lan_wan.in="lan"
uci set network.lan_wan.lookup="2"
# 40000 is a high number, i.e. a low precedence: the WAN lookup is only
# reached after the higher-precedence (VPN) rules, which makes it the
# fallback path when the VPN is down.
uci set network.lan_wan.priority="40000"
# Same rule for IPv6.
uci -q delete network.lan_wan6
uci set network.lan_wan6="rule6"
uci set network.lan_wan6.in="lan"
uci set network.lan_wan6.lookup="2"
uci set network.lan_wan6.priority="40000"
uci commit network
# Apply the new tables and rules.
/etc/init.d/network restart

Use custom routing tables and rules to prioritize routing DMZ to VPN. Route LAN to WAN by default.

# Dedicated routing tables: lan -> 1, vpn -> 2, dmz -> 3.
uci set network.lan.ip4table="1"
uci set network.lan.ip6table="1"
uci set network.vpn.ip4table="2"
uci set network.vpn.ip6table="2"
uci set network.dmz.ip4table="3"
uci set network.dmz.ip6table="3"
# IPv4 rule: traffic entering from dmz is looked up in the vpn table (2).
# lan is not touched by any rule here, so it keeps its default (WAN) path.
uci -q delete network.dmz_vpn
uci set network.dmz_vpn="rule"
uci set network.dmz_vpn.in="dmz"
uci set network.dmz_vpn.lookup="2"
# 30000 gives this rule precedence over any later fallback/prohibit rules
# that use larger priority numbers.
uci set network.dmz_vpn.priority="30000"
# Same rule for IPv6.
uci -q delete network.dmz_vpn6
uci set network.dmz_vpn6="rule6"
uci set network.dmz_vpn6.in="dmz"
uci set network.dmz_vpn6.lookup="2"
uci set network.dmz_vpn6.priority="30000"
uci commit network
# Apply the new tables and rules.
/etc/init.d/network restart

Route all traffic to the VPN except for a webserver running in the LAN and serving clients on the WAN. Mark the webserver's traffic with the firewall so that custom routing can be applied to it.

# Firewall side: mark the webserver's reply traffic so the routing rules
# below can recognise it.
uci -q delete firewall.lan_web
uci set firewall.lan_web="rule"
uci set firewall.lan_web.name="Mark-HTTPS"
uci set firewall.lan_web.src="lan"
# Placeholder MAC -- replace with the webserver's real address.
# NOTE: matching on a source MAC is only as trustworthy as the LAN segment
# itself; any host on that segment presenting this MAC and source port 443
# would also be steered around the VPN. Pinning the source IP as well
# narrows the match.
uci set firewall.lan_web.src_mac="00:11:22:33:44:55"
# Source port 443: this matches the server's outgoing HTTPS responses.
uci set firewall.lan_web.src_port="443"
uci set firewall.lan_web.proto="tcp"
# Mark value 0x1 must agree with the 'mark' option of the network rules
# below ("1").
uci set firewall.lan_web.set_mark="0x1"
uci set firewall.lan_web.target="MARK"
uci commit firewall
/etc/init.d/firewall restart
# Network side: lan -> table 1, wan -> table 2.
uci set network.lan.ip4table="1"
uci set network.lan.ip6table="1"
uci set network.wan.ip4table="2"
uci set network.wan6.ip6table="2"
# IPv4 rule: marked traffic from lan is looked up in the wan table (2);
# everything unmarked keeps following the VPN default route.
uci -q delete network.lan_web
uci set network.lan_web="rule"
uci set network.lan_web.in="lan"
uci set network.lan_web.mark="1"
uci set network.lan_web.lookup="2"
uci set network.lan_web.priority="30000"
# Same rule for IPv6.
uci -q delete network.lan_web6
uci set network.lan_web6="rule6"
uci set network.lan_web6.in="lan"
uci set network.lan_web6.mark="1"
uci set network.lan_web6.lookup="2"
uci set network.lan_web6.priority="30000"
uci commit network
# Apply the new tables and rules.
/etc/init.d/network restart

Use custom routing tables and rules to prioritize routing LAN to OpenVPN. Be sure to declare the VPN interface in the network configuration and to disable gateway redirection in the OpenVPN client, so the VPN does not install its own default route.

# Dedicated routing tables: lan -> 1, vpn -> 2.
uci set network.lan.ip4table="1"
uci set network.lan.ip6table="1"
uci set network.vpn.ip4table="2"
uci set network.vpn.ip6table="2"
# Explicit default routes via the vpn interface, needed because gateway
# redirection is disabled on the VPN client. No 'table' option is given;
# presumably they land in table 2 through vpn's ip4table/ip6table -- the
# loopback prohibit routes further down set 'table' explicitly instead.
uci -q delete network.vpn_rt
uci set network.vpn_rt="route"
uci set network.vpn_rt.interface="vpn"
uci set network.vpn_rt.target="0.0.0.0/0"
uci -q delete network.vpn_rt6
uci set network.vpn_rt6="route6"
uci set network.vpn_rt6.interface="vpn"
uci set network.vpn_rt6.target="::/0"
# IPv4 rule: traffic entering from lan is looked up in the vpn table (2).
uci -q delete network.lan_vpn
uci set network.lan_vpn="rule"
uci set network.lan_vpn.in="lan"
uci set network.lan_vpn.lookup="2"
# 30000 keeps this rule ahead of fallback/prohibit rules with larger numbers.
uci set network.lan_vpn.priority="30000"
# Same rule for IPv6.
uci -q delete network.lan_vpn6
uci set network.lan_vpn6="rule6"
uci set network.lan_vpn6.in="lan"
uci set network.lan_vpn6.lookup="2"
uci set network.lan_vpn6.priority="30000"
uci commit network
# Apply the new tables and rules.
/etc/init.d/network restart

Create prohibitive routes in the target routing table to prevent traffic leaks. This assumes the loopback interface is always up and that the regular default route in that table has a lower metric than the prohibit route, so it wins while the VPN is up.

# vpn -> table 2 (the table the kill-switch routes are placed in).
uci set network.vpn.ip4table="2"
uci set network.vpn.ip6table="2"
# IPv4 kill switch: a 'prohibit' default route bound to loopback, which is
# always up, so it never disappears from the table.
uci -q delete network.vpn_ks
uci set network.vpn_ks="route"
uci set network.vpn_ks.interface="loopback"
uci set network.vpn_ks.target="0.0.0.0/0"
uci set network.vpn_ks.type="prohibit"
# High metric: while the VPN's own default route (lower metric) is present
# it wins; once the VPN drops, this route takes over and traffic is
# rejected instead of leaking out another path.
uci set network.vpn_ks.metric="9000"
uci set network.vpn_ks.table="2"
# Same for IPv6.
uci -q delete network.vpn_ks6
uci set network.vpn_ks6="route6"
uci set network.vpn_ks6.interface="loopback"
uci set network.vpn_ks6.target="::/0"
uci set network.vpn_ks6.type="prohibit"
uci set network.vpn_ks6.metric="9000"
uci set network.vpn_ks6.table="2"
uci commit network
# Apply the new routes.
/etc/init.d/network restart

Create prohibitive rules to prevent traffic leaks. This assumes the custom rules use a lower numeric priority (and are therefore evaluated first) so that they override the prohibitive ones.

# IPv4 kill switch at the rule level: anything from lan that was not
# already matched by a custom rule is prohibited.
uci -q delete network.lan_ks
uci set network.lan_ks="rule"
uci set network.lan_ks.in="lan"
uci set network.lan_ks.action="prohibit"
# 32000 sits after the custom rules at 30000 (evaluated first) but before
# a WAN fallback rule at 40000 such as the one in the first example; with
# both configured, the fallback is never reached, which is the point of
# leak prevention.
uci set network.lan_ks.priority="32000"
# Same for IPv6.
uci -q delete network.lan_ks6
uci set network.lan_ks6="rule6"
uci set network.lan_ks6.in="lan"
uci set network.lan_ks6.action="prohibit"
uci set network.lan_ks6.priority="32000"
uci commit network
# Apply the new rules.
/etc/init.d/network restart