# Routing example: PBR with netifd

This article relies on the following:

- Accessing web interface / command-line interface
- Managing configs / packages / services / logs

See also: How it works / Policy-based routing

## Introduction

This how-to covers the most common scenarios for policy-based routing (PBR) with netifd. Each scenario contains both IPv4 and IPv6 routing rules to prevent traffic leaks. Set up IPv6 masquerading if necessary.

There is no need to create extra default routes for interface protocols natively supported by netifd. Assign each interface to a separate routing table to avoid default route conflicts, and use only routing rules to steer traffic between those tables.

## Instructions

### Route LAN to VPN and DMZ to WAN

Use custom routing tables and rules to prioritize routing LAN to VPN. Route DMZ to WAN by default.

```sh
uci set network.lan.ip4table="1"
uci set network.lan.ip6table="1"
uci set network.vpn.ip4table="2"
uci set network.vpn.ip6table="2"
uci set network.dmz.ip4table="3"
uci set network.dmz.ip6table="3"
uci -q delete network.lan_vpn
uci set network.lan_vpn="rule"
uci set network.lan_vpn.in="lan"
uci set network.lan_vpn.lookup="2"
uci set network.lan_vpn.priority="30000"
uci -q delete network.lan_vpn6
uci set network.lan_vpn6="rule6"
uci set network.lan_vpn6.in="lan"
uci set network.lan_vpn6.lookup="2"
uci set network.lan_vpn6.priority="30000"
uci commit network
/etc/init.d/network restart
```

### Route LAN to VPN with failover to WAN

Use custom routing tables and rules to prioritize routing LAN to VPN. Route LAN to WAN as fallback when VPN is down. Here the VPN interface keeps its default route in the main table, which the kernel consults (priority 32766) before the fallback rule (priority 40000), so no explicit VPN rule is needed: while the VPN is up its default route wins, and when it is down the lookup falls through to the WAN table.
```sh
uci set network.lan.ip4table="1"
uci set network.lan.ip6table="1"
uci set network.wan.ip4table="2"
uci set network.wan6.ip6table="2"
uci -q delete network.lan_wan
uci set network.lan_wan="rule"
uci set network.lan_wan.in="lan"
uci set network.lan_wan.lookup="2"
uci set network.lan_wan.priority="40000"
uci -q delete network.lan_wan6
uci set network.lan_wan6="rule6"
uci set network.lan_wan6.in="lan"
uci set network.lan_wan6.lookup="2"
uci set network.lan_wan6.priority="40000"
uci commit network
/etc/init.d/network restart
```

### Route LAN to VPN and forward HTTPS from WAN to LAN

Route all traffic to VPN except for a webserver running in LAN and serving clients on WAN. Mark the webserver's reply traffic (TCP source port 443 from the server's MAC address) with the firewall so that a routing rule can send it out via WAN instead of the VPN.

```sh
uci -q delete firewall.lan_web
uci set firewall.lan_web="rule"
uci set firewall.lan_web.name="Mark-HTTPS"
uci set firewall.lan_web.src="lan"
uci set firewall.lan_web.src_mac="00:11:22:33:44:55"
uci set firewall.lan_web.src_port="443"
uci set firewall.lan_web.proto="tcp"
uci set firewall.lan_web.set_mark="0x1"
uci set firewall.lan_web.target="MARK"
uci commit firewall
/etc/init.d/firewall restart
```

```sh
uci set network.lan.ip4table="1"
uci set network.lan.ip6table="1"
uci set network.wan.ip4table="2"
uci set network.wan6.ip6table="2"
uci -q delete network.lan_web
uci set network.lan_web="rule"
uci set network.lan_web.in="lan"
uci set network.lan_web.mark="1"
uci set network.lan_web.lookup="2"
uci set network.lan_web.priority="30000"
uci -q delete network.lan_web6
uci set network.lan_web6="rule6"
uci set network.lan_web6.in="lan"
uci set network.lan_web6.mark="1"
uci set network.lan_web6.lookup="2"
uci set network.lan_web6.priority="30000"
uci commit network
/etc/init.d/network restart
```

### Route LAN to OpenVPN

Use custom routing tables and rules to prioritize routing LAN to OpenVPN. Be sure to declare the VPN interface in netifd and disable gateway redirection so that OpenVPN does not install its own default route; the static routes below place the default route for the VPN in table 2 instead.
```sh
uci set network.lan.ip4table="1"
uci set network.lan.ip6table="1"
uci set network.vpn.ip4table="2"
uci set network.vpn.ip6table="2"
uci -q delete network.vpn_rt
uci set network.vpn_rt="route"
uci set network.vpn_rt.interface="vpn"
uci set network.vpn_rt.target="0.0.0.0/0"
uci -q delete network.vpn_rt6
uci set network.vpn_rt6="route6"
uci set network.vpn_rt6.interface="vpn"
uci set network.vpn_rt6.target="::/0"
uci -q delete network.lan_vpn
uci set network.lan_vpn="rule"
uci set network.lan_vpn.in="lan"
uci set network.lan_vpn.lookup="2"
uci set network.lan_vpn.priority="30000"
uci -q delete network.lan_vpn6
uci set network.lan_vpn6="rule6"
uci set network.lan_vpn6.in="lan"
uci set network.lan_vpn6.lookup="2"
uci set network.lan_vpn6.priority="30000"
uci commit network
/etc/init.d/network restart
```

### Kill switch using IP routes

Create prohibitive routes in the target routing table to prevent traffic leaks. This assumes the loopback interface is always up (so the prohibit route is always present) and that the real default route in the table has a lower metric than 9000, so it wins while the VPN is up and the prohibit route takes over when the VPN goes down.

```sh
uci set network.vpn.ip4table="2"
uci set network.vpn.ip6table="2"
uci -q delete network.vpn_ks
uci set network.vpn_ks="route"
uci set network.vpn_ks.interface="loopback"
uci set network.vpn_ks.target="0.0.0.0/0"
uci set network.vpn_ks.type="prohibit"
uci set network.vpn_ks.metric="9000"
uci set network.vpn_ks.table="2"
uci -q delete network.vpn_ks6
uci set network.vpn_ks6="route6"
uci set network.vpn_ks6.interface="loopback"
uci set network.vpn_ks6.target="::/0"
uci set network.vpn_ks6.type="prohibit"
uci set network.vpn_ks6.metric="9000"
uci set network.vpn_ks6.table="2"
uci commit network
/etc/init.d/network restart
```

### Kill switch using IP rules

Create prohibitive rules to prevent traffic leaks. This assumes the custom routing rules use a lower numeric priority (30000 in the sections above) than the prohibitive ones (32000), so they are evaluated first and the prohibit rule only catches LAN traffic that would otherwise fall through to the main table.
```sh
uci -q delete network.lan_ks
uci set network.lan_ks="rule"
uci set network.lan_ks.in="lan"
uci set network.lan_ks.action="prohibit"
uci set network.lan_ks.priority="32000"
uci -q delete network.lan_ks6
uci set network.lan_ks6="rule6"
uci set network.lan_ks6.in="lan"
uci set network.lan_ks6.action="prohibit"
uci set network.lan_ks6.priority="32000"
uci commit network
/etc/init.d/network restart
```

Last modified: 2023/02/16 00:41 by vgaetera
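A leak check for the two kill-switch variants above, as an added example that is not part of the original article. It parses constructed sample output of `ip -4 rule show` and `ip -4 route show table 2` (the bridge name br-lan, the tun0 device and the 10.8.0.1 gateway are assumptions) and verifies that every LAN lookup rule has a lower priority number than the prohibit rule, and that the VPN table's prohibit default route has a higher metric than the real default route.

```shell
#!/bin/sh
# Constructed sample of `ip -4 rule show` after the "Route LAN to VPN" and
# "Kill switch using IP rules" sections (br-lan is the assumed LAN bridge).
SAMPLE_RULES='0:      from all lookup local
30000:  from all iif br-lan lookup 2
32000:  from all iif br-lan prohibit
32766:  from all lookup main
32767:  from all lookup default'

# Constructed sample of `ip -4 route show table 2` after the "Kill switch
# using IP routes" section with the VPN up (tun0 and 10.8.0.1 are assumed).
SAMPLE_TABLE2='default via 10.8.0.1 dev tun0 metric 10
10.8.0.0/24 dev tun0 scope link
prohibit default metric 9000'

# check_rules IFACE RULES: succeed only if a prohibit rule for IFACE exists
# and every lookup rule for IFACE has a lower (earlier) priority number.
check_rules() {
  iface=$1; rules=$2
  prohibit=$(printf '%s\n' "$rules" | awk -v i="$iface" \
    '$0 ~ "iif " i " prohibit" { sub(":", "", $1); print $1; exit }')
  [ -n "$prohibit" ] || return 1
  printf '%s\n' "$rules" | awk -v i="$iface" -v p="$prohibit" '
    $0 ~ "iif " i " lookup" { sub(":", "", $1); if ($1 + 0 >= p + 0) bad = 1 }
    END { exit bad }'
}

# check_table ROUTES: succeed only if the table holds a prohibit default
# route whose metric is higher than the real default route's metric, so the
# real route wins while the VPN is up and prohibit takes over when it drops.
check_table() {
  printf '%s\n' "$1" | awk '
    /^prohibit default/ { pm = 0; for (i = 1; i <= NF; i++) if ($i == "metric") pm = $(i+1) + 0; seen = 1 }
    /^default via/      { dm = 0; for (i = 1; i <= NF; i++) if ($i == "metric") dm = $(i+1) + 0; def = 1 }
    END { if (!seen) exit 1; if (def && dm >= pm) exit 2; exit 0 }'
}

# Stand-alone run over the constructed samples (exit status 0 = no leak).
check_rules br-lan "$SAMPLE_RULES" && check_table "$SAMPLE_TABLE2" && echo "no leak detected"
```

On a live router, replace the two samples with the real output of the `ip` commands; a non-zero exit status from either check means LAN traffic can escape the VPN.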