Routing examples: PBR (policy-based routing) with netifd
Route all IPv4 traffic from an interface named 'novpn' over the 'wan' interface
Assuming interfaces named 'wan' and 'novpn', (1) add a default route out of the 'wan' interface to routing table 10, and (2) add a rule that routes all traffic arriving from the 'novpn' interface using routing table 10.
This is useful if the normal default route goes over a VPN but you want a separate network that bypasses the VPN.
# Default IPv4 route out of 'wan', placed in routing table 10 rather than the main table
config route
	option table '10'
	option target '0.0.0.0/0'
	option interface 'wan'

# Policy rule: traffic arriving on 'novpn' is routed using table 10
config rule
	option in 'novpn'
	option lookup '10'
Route LAN to VPN with failover to WAN
Use custom routing tables and rules to prioritize routing LAN to VPN. Route LAN to WAN as a fallback when the VPN is down.
# Give lan and wan their own routing tables (1 and 2) for both address families;
# wan's routes therefore no longer land in the main table.
uci set network.lan.ip4table="1"
uci set network.lan.ip6table="1"
uci set network.wan.ip4table="2"
uci set network.wan6.ip6table="2"

# IPv4 fallback rule: traffic entering on lan is looked up in table 2 (wan).
# Priority 40000 sorts after the default main-table lookup (32766), so this rule is
# only reached when main has no matching route — i.e. when the VPN default route
# (expected in main, not shown here) is gone.
# -q keeps the delete silent when the section does not exist yet.
uci -q delete network.lan_wan
uci set network.lan_wan="rule"
uci set network.lan_wan.in="lan"
uci set network.lan_wan.lookup="2"
uci set network.lan_wan.priority="40000"

# IPv6 counterpart of the rule above
uci -q delete network.lan_wan6
uci set network.lan_wan6="rule6"
uci set network.lan_wan6.in="lan"
uci set network.lan_wan6.lookup="2"
uci set network.lan_wan6.priority="40000"

# Persist and apply (restart briefly drops connectivity on all interfaces)
uci commit network
/etc/init.d/network restart
Route DMZ to VPN and LAN to WAN
Use custom routing tables and rules to prioritize routing DMZ to VPN. LAN keeps using the default route (WAN).
# Separate routing tables per interface: lan -> 1, vpn -> 2, dmz -> 3 (IPv4 and IPv6)
uci set network.lan.ip4table="1"
uci set network.lan.ip6table="1"
uci set network.vpn.ip4table="2"
uci set network.vpn.ip6table="2"
uci set network.dmz.ip4table="3"
uci set network.dmz.ip6table="3"

# IPv4 rule: traffic entering on dmz is looked up in table 2 (vpn).
# Priority 30000 sorts before the default main-table lookup (32766), so dmz is
# steered to the VPN first; lan is not matched and follows the main table.
# -q keeps the delete silent when the section does not exist yet.
uci -q delete network.dmz_vpn
uci set network.dmz_vpn="rule"
uci set network.dmz_vpn.in="dmz"
uci set network.dmz_vpn.lookup="2"
uci set network.dmz_vpn.priority="30000"

# IPv6 counterpart of the rule above
uci -q delete network.dmz_vpn6
uci set network.dmz_vpn6="rule6"
uci set network.dmz_vpn6.in="dmz"
uci set network.dmz_vpn6.lookup="2"
uci set network.dmz_vpn6.priority="30000"

# Persist and apply
uci commit network
/etc/init.d/network restart
Route LAN to VPN and forward HTTPS from WAN to LAN
Route all traffic to the VPN except for a webserver running in LAN and serving clients on WAN. Mark the webserver's traffic with the firewall so that custom routing can be applied to it.
# Firewall rule: tag the webserver's replies (TCP source port 443, coming from the
# webserver's MAC on lan) with fwmark 0x1 so the routing rule below can pick them up.
# Replace 00:11:22:33:44:55 with the real MAC of the webserver.
# NOTE: a MAC match only identifies a host, it is not an authentication boundary.
# -q keeps the delete silent when the section does not exist yet.
uci -q delete firewall.lan_web
uci set firewall.lan_web="rule"
uci set firewall.lan_web.name="Mark-HTTPS"
uci set firewall.lan_web.src="lan"
uci set firewall.lan_web.src_mac="00:11:22:33:44:55"
uci set firewall.lan_web.src_port="443"
uci set firewall.lan_web.proto="tcp"
uci set firewall.lan_web.set_mark="0x1"
uci set firewall.lan_web.target="MARK"
uci commit firewall
/etc/init.d/firewall restart

# Routing tables: lan -> 1, wan/wan6 -> 2 (wan's routes leave the main table)
uci set network.lan.ip4table="1"
uci set network.lan.ip6table="1"
uci set network.wan.ip4table="2"
uci set network.wan6.ip6table="2"

# IPv4 rule: packets from lan carrying fwmark 1 (== 0x1 above) are looked up in
# table 2 (wan). Priority 30000 sorts before the default main-table lookup (32766);
# unmarked lan traffic is not matched and keeps following the main table (the VPN).
uci -q delete network.lan_web
uci set network.lan_web="rule"
uci set network.lan_web.in="lan"
uci set network.lan_web.mark="1"
uci set network.lan_web.lookup="2"
uci set network.lan_web.priority="30000"

# IPv6 counterpart of the rule above
uci -q delete network.lan_web6
uci set network.lan_web6="rule6"
uci set network.lan_web6.in="lan"
uci set network.lan_web6.mark="1"
uci set network.lan_web6.lookup="2"
uci set network.lan_web6.priority="30000"

# Persist and apply
uci commit network
/etc/init.d/network restart
Route LAN to OpenVPN
Use custom routing tables and rules to prioritize routing LAN to OpenVPN. Be sure to declare the VPN interface in the network configuration and to disable gateway redirection in the OpenVPN client, so that the VPN does not replace the main default route.
# Separate routing tables: lan -> 1, vpn -> 2 (IPv4 and IPv6)
uci set network.lan.ip4table="1"
uci set network.lan.ip6table="1"
uci set network.vpn.ip4table="2"
uci set network.vpn.ip6table="2"

# Static default route out of the vpn interface. No explicit 'table' is given;
# presumably netifd files interface routes into the interface's own table (2)
# because of ip4table above — confirm on the running system with 'ip route show table 2'.
# -q keeps the delete silent when the section does not exist yet.
uci -q delete network.vpn_rt
uci set network.vpn_rt="route"
uci set network.vpn_rt.interface="vpn"
uci set network.vpn_rt.target="0.0.0.0/0"

# IPv6 default route, same reasoning as above
uci -q delete network.vpn_rt6
uci set network.vpn_rt6="route6"
uci set network.vpn_rt6.interface="vpn"
uci set network.vpn_rt6.target="::/0"

# IPv4 rule: traffic entering on lan is looked up in table 2 (vpn) at priority 30000,
# i.e. before the default main-table lookup (32766)
uci -q delete network.lan_vpn
uci set network.lan_vpn="rule"
uci set network.lan_vpn.in="lan"
uci set network.lan_vpn.lookup="2"
uci set network.lan_vpn.priority="30000"

# IPv6 counterpart of the rule above
uci -q delete network.lan_vpn6
uci set network.lan_vpn6="rule6"
uci set network.lan_vpn6.in="lan"
uci set network.lan_vpn6.lookup="2"
uci set network.lan_vpn6.priority="30000"

# Persist and apply
uci commit network
/etc/init.d/network restart
Kill switch using IP routes
Create prohibitive routes in the target routing table to prevent traffic leaks when the VPN is down. This assumes the loopback interface is always up and that the regular (VPN) default route has a lower metric, so it wins while the VPN is up.
# The vpn interface owns routing table 2 (IPv4 and IPv6)
uci set network.vpn.ip4table="2"
uci set network.vpn.ip6table="2"

# IPv4 kill switch: a 'prohibit' default route in table 2, attached to loopback so it
# exists even when the vpn interface is down. Metric 9000 is deliberately high: while
# the VPN's own (lower-metric) default route is present it wins; when the VPN drops,
# this route takes over and packets are rejected instead of leaking via another table.
# -q keeps the delete silent when the section does not exist yet.
uci -q delete network.vpn_ks
uci set network.vpn_ks="route"
uci set network.vpn_ks.interface="loopback"
uci set network.vpn_ks.target="0.0.0.0/0"
uci set network.vpn_ks.type="prohibit"
uci set network.vpn_ks.metric="9000"
uci set network.vpn_ks.table="2"

# IPv6 counterpart of the route above
uci -q delete network.vpn_ks6
uci set network.vpn_ks6="route6"
uci set network.vpn_ks6.interface="loopback"
uci set network.vpn_ks6.target="::/0"
uci set network.vpn_ks6.type="prohibit"
uci set network.vpn_ks6.metric="9000"
uci set network.vpn_ks6.table="2"

# Persist and apply
uci commit network
/etc/init.d/network restart
Kill switch using IP rules
Create prohibitive rules to prevent traffic leaks. This assumes the custom routing rules use a lower numeric priority (and are therefore evaluated first), so that they take precedence over the prohibitive ones.
# IPv4 kill switch rule: any lan traffic that was not already routed by a
# lower-numbered custom rule (e.g. the 30000 rules in the examples above) is
# rejected here. Priority 32000 sits between those rules and the default
# main-table lookup (32766), so lan traffic never falls back to the main table.
# -q keeps the delete silent when the section does not exist yet.
uci -q delete network.lan_ks
uci set network.lan_ks="rule"
uci set network.lan_ks.in="lan"
uci set network.lan_ks.action="prohibit"
uci set network.lan_ks.priority="32000"

# IPv6 counterpart of the rule above
uci -q delete network.lan_ks6
uci set network.lan_ks6="rule6"
uci set network.lan_ks6.in="lan"
uci set network.lan_ks6.action="prohibit"
uci set network.lan_ks6.priority="32000"

# Persist and apply
uci commit network
/etc/init.d/network restart