Differences

This shows you the differences between two versions of the page.

docs:guide-user:network:routing:examples:pbr_netifd [2023/01/21 17:53] – [Introduction] add vgaetera
docs:guide-user:network:routing:examples:pbr_netifd [2023/09/27 01:55] (current) – move to docs:guide-user:network:routing:pbr_netifd vgaetera
Line 1: Line 1:
-====== Routing example: PBR with netifd ====== 
-See also: 
-[[docs:guide-user:network:routing:basics#policy-based_routing|How it works / Policy-based routing]] 
- 
-===== Introduction ===== 
-This how-to provides most common PBR scenarios adapted for OpenWrt. 
-Set up [[docs:guide-user:network:ipv6:ipv6.nat6|IPv6 masquerading]] or disable [[docs:guide-user:network:ipv6:ipv6_extras#disabling_source_routing|source routing]] if necessary. 
- 
-===== Instructions ===== 
-==== Route LAN to VPN and DMZ to WAN ==== 
-Use custom routing tables and rules to prioritize routing LAN to VPN. 
-Route DMZ to WAN by default. 
- 
-<code bash> 
-uci set network.lan.ip4table="1" 
-uci set network.lan.ip6table="1" 
-uci set network.vpn.ip4table="2" 
-uci set network.vpn.ip6table="2" 
-uci set network.dmz.ip4table="3" 
-uci set network.dmz.ip6table="3" 
-uci -q delete network.lan_vpn 
-uci set network.lan_vpn="rule" 
-uci set network.lan_vpn.in="lan" 
-uci set network.lan_vpn.lookup="2" 
-uci set network.lan_vpn.priority="30000" 
-uci -q delete network.lan_vpn6 
-uci set network.lan_vpn6="rule6" 
-uci set network.lan_vpn6.in="lan" 
-uci set network.lan_vpn6.lookup="2" 
-uci set network.lan_vpn6.priority="30000" 
-uci commit network 
-/etc/init.d/network restart 
-</code> 
- 
-==== Route LAN to VPN with failover to WAN ==== 
-Use custom routing tables and rules to prioritize routing LAN to VPN. 
-Route LAN to WAN as fallback when VPN is down. 
- 
-<code bash> 
-uci set network.lan.ip4table="1" 
-uci set network.lan.ip6table="1" 
-uci set network.wan.ip4table="2" 
-uci set network.wan6.ip6table="2" 
-uci -q delete network.lan_wan 
-uci set network.lan_wan="rule" 
-uci set network.lan_wan.in="lan" 
-uci set network.lan_wan.lookup="2" 
-uci set network.lan_wan.priority="40000" 
-uci -q delete network.lan_wan6 
-uci set network.lan_wan6="rule6" 
-uci set network.lan_wan6.in="lan" 
-uci set network.lan_wan6.lookup="2" 
-uci set network.lan_wan6.priority="40000" 
-uci commit network 
-/etc/init.d/network restart 
-</code> 
- 
-==== Route LAN to VPN and forward HTTPS from WAN to LAN ==== 
-Route all traffic to VPN except a webserver running in LAN and serving to WAN. 
-Mark the webserver traffic with firewall to apply custom routing. 
- 
-<code bash> 
-uci -q delete firewall.lan_web 
-uci set firewall.lan_web="rule" 
-uci set firewall.lan_web.name="Mark-HTTPS" 
-uci set firewall.lan_web.src="lan" 
-uci set firewall.lan_web.src_mac="00:11:22:33:44:55" 
-uci set firewall.lan_web.src_port="443" 
-uci set firewall.lan_web.proto="tcp" 
-uci set firewall.lan_web.set_mark="0x1" 
-uci set firewall.lan_web.target="MARK" 
-uci commit firewall 
-/etc/init.d/firewall restart 
-uci set network.lan.ip4table="1" 
-uci set network.lan.ip6table="1" 
-uci set network.wan.ip4table="2" 
-uci set network.wan6.ip6table="2" 
-uci -q delete network.lan_web 
-uci set network.lan_web="rule" 
-uci set network.lan_web.in="lan" 
-uci set network.lan_web.mark="1" 
-uci set network.lan_web.lookup="2" 
-uci set network.lan_web.priority="30000" 
-uci -q delete network.lan_web6 
-uci set network.lan_web6="rule6" 
-uci set network.lan_web6.in="lan" 
-uci set network.lan_web6.mark="1" 
-uci set network.lan_web6.lookup="2" 
-uci set network.lan_web6.priority="30000" 
-uci commit network 
-/etc/init.d/network restart 
-</code> 
- 
-==== Route LAN to OpenVPN ==== 
-Use custom routing tables and rules to prioritize routing LAN to OpenVPN. 
-Be sure to [[docs:guide-user:services:vpn:openvpn:extras#network_interface|declare VPN interface]] and [[docs:guide-user:services:vpn:openvpn:extras#disable_gateway_redirection|disable gateway redirection]]. 
- 
-<code bash> 
-uci set network.lan.ip4table="1" 
-uci set network.lan.ip6table="1" 
-uci set network.vpn.ip4table="2" 
-uci set network.vpn.ip6table="2" 
-uci -q delete network.vpn_rt 
-uci set network.vpn_rt="route" 
-uci set network.vpn_rt.interface="vpn" 
-uci set network.vpn_rt.target="0.0.0.0/0" 
-uci -q delete network.vpn_rt6 
-uci set network.vpn_rt6="route6" 
-uci set network.vpn_rt6.interface="vpn" 
-uci set network.vpn_rt6.target="::/0" 
-uci -q delete network.lan_vpn 
-uci set network.lan_vpn="rule" 
-uci set network.lan_vpn.in="lan" 
-uci set network.lan_vpn.lookup="2" 
-uci set network.lan_vpn.priority="30000" 
-uci -q delete network.lan_vpn6 
-uci set network.lan_vpn6="rule6" 
-uci set network.lan_vpn6.in="lan" 
-uci set network.lan_vpn6.lookup="2" 
-uci set network.lan_vpn6.priority="30000" 
-uci commit network 
-/etc/init.d/network restart 
-</code> 
- 
-==== Kill switch using IP routes ==== 
-Create prohibitive routes in the target routing table to prevent traffic leaks. 
-Assuming the loopback interface is always up and the default route has a lower metric. 
- 
-<code bash> 
-uci set network.vpn.ip4table="2" 
-uci set network.vpn.ip6table="2" 
-uci -q delete network.vpn_ks 
-uci set network.vpn_ks="route" 
-uci set network.vpn_ks.interface="loopback" 
-uci set network.vpn_ks.target="0.0.0.0/0" 
-uci set network.vpn_ks.type="prohibit" 
-uci set network.vpn_ks.metric="9000" 
-uci set network.vpn_ks.table="2" 
-uci -q delete network.vpn_ks6 
-uci set network.vpn_ks6="route6" 
-uci set network.vpn_ks6.interface="loopback" 
-uci set network.vpn_ks6.target="::/0" 
-uci set network.vpn_ks6.type="prohibit" 
-uci set network.vpn_ks6.metric="9000" 
-uci set network.vpn_ks6.table="2" 
-uci commit network 
-/etc/init.d/network restart 
-</code> 
- 
-==== Kill switch using IP rules ==== 
-Create prohibitive rules to prevent traffic leaks. 
-Assuming the custom rules use a lower numeric priority to override the prohibitive ones. 
- 
-<code bash> 
-uci -q delete network.lan_ks 
-uci set network.lan_ks="rule" 
-uci set network.lan_ks.in="lan" 
-uci set network.lan_ks.action="prohibit" 
-uci set network.lan_ks.priority="32000" 
-uci -q delete network.lan_ks6 
-uci set network.lan_ks6="rule6" 
-uci set network.lan_ks6.in="lan" 
-uci set network.lan_ks6.action="prohibit" 
-uci set network.lan_ks6.priority="32000" 
-uci commit network 
-/etc/init.d/network restart 
-</code> 
  
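Review bot: The hunk removes the whole page body (Line 1 onward) and leaves nothing behind at docs:guide-user:network:routing:examples:pbr_netifd, even though the revision summary says the content was moved to docs:guide-user:network:routing:pbr_netifd; any page that still links to the old path (the "See also" style links used here, for example the link to docs:guide-user:network:routing:basics#policy-based_routing) will now resolve to an empty page. Suggest keeping a one-line stub at the old path, such as "See: [[docs:guide-user:network:routing:pbr_netifd|Routing example: PBR with netifd]]", so existing links and bookmarks are not broken. When the removed sections are reinstated at the new location, the "Kill switch using IP rules" example (prohibit rule at priority="32000") and the "Route LAN to VPN with failover to WAN" example (lookup rule at priority="40000") should be marked as mutually exclusive, since the prohibit rule is evaluated before the failover rule and would block the WAN fallback; the removed text only states the assumption that custom rules use a lower numeric priority, without naming that conflict.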
  • Last modified: 2023/01/21 17:53
  • by vgaetera