Differences
| docs:guide-user:network:routing:examples:pbr_netifd [2023/01/21 18:28] – [Routing example: PBR with netifd] add infobox vgaetera | docs:guide-user:network:routing:examples:pbr_netifd [2023/09/27 01:55] (current) – move to docs:guide-user:network:routing:pbr_netifd vgaetera | ||
|---|---|---|---|
| Line 1: | Line 1: | ||
| - | ====== Routing example: PBR with netifd ====== | ||
| - | {{section> | ||
| - | |||
| - | See also: | ||
| - | [[docs: | ||
| - | |||
| - | ===== Introduction ===== | ||
| - | This how-to provides most common PBR with netifd scenarios. | ||
| - | |||
| - | It contains both IPv4 and IPv6 routing rules to prevent traffic leaks. | ||
| - | Set up [[docs: | ||
| - | |||
| - | There is no need to create any extra default routes for interface protocols natively supported by netifd. | ||
| - | Assign each interface to a separate routing table to avoid default route conflicts and only use routing rules. | ||
| - | |||
| - | ===== Instructions ===== | ||
| - | ==== Route LAN to VPN and DMZ to WAN ==== | ||
| - | Use custom routing tables and rules to prioritize routing LAN to VPN. | ||
| - | Route DMZ to WAN by default. | ||
| - | |||
| - | <code bash> | ||
| - | uci set network.lan.ip4table=" | ||
| - | uci set network.lan.ip6table=" | ||
| - | uci set network.vpn.ip4table=" | ||
| - | uci set network.vpn.ip6table=" | ||
| - | uci set network.dmz.ip4table=" | ||
| - | uci set network.dmz.ip6table=" | ||
| - | uci -q delete network.lan_vpn | ||
| - | uci set network.lan_vpn=" | ||
| - | uci set network.lan_vpn.in=" | ||
| - | uci set network.lan_vpn.lookup=" | ||
| - | uci set network.lan_vpn.priority=" | ||
| - | uci -q delete network.lan_vpn6 | ||
| - | uci set network.lan_vpn6=" | ||
| - | uci set network.lan_vpn6.in=" | ||
| - | uci set network.lan_vpn6.lookup=" | ||
| - | uci set network.lan_vpn6.priority=" | ||
| - | uci commit network | ||
| - | / | ||
| - | </ | ||
| - | |||
| - | ==== Route LAN to VPN with failover to WAN ==== | ||
| - | Use custom routing tables and rules to prioritize routing LAN to VPN. | ||
| - | Route LAN to WAN as fallback when VPN is down. | ||
| - | |||
| - | <code bash> | ||
| - | uci set network.lan.ip4table=" | ||
| - | uci set network.lan.ip6table=" | ||
| - | uci set network.wan.ip4table=" | ||
| - | uci set network.wan6.ip6table=" | ||
| - | uci -q delete network.lan_wan | ||
| - | uci set network.lan_wan=" | ||
| - | uci set network.lan_wan.in=" | ||
| - | uci set network.lan_wan.lookup=" | ||
| - | uci set network.lan_wan.priority=" | ||
| - | uci -q delete network.lan_wan6 | ||
| - | uci set network.lan_wan6=" | ||
| - | uci set network.lan_wan6.in=" | ||
| - | uci set network.lan_wan6.lookup=" | ||
| - | uci set network.lan_wan6.priority=" | ||
| - | uci commit network | ||
| - | / | ||
| - | </ | ||
| - | |||
| - | ==== Route LAN to VPN and forward HTTPS from WAN to LAN ==== | ||
| - | Route all traffic to VPN except a webserver running in LAN and serving to WAN. | ||
| - | Mark the webserver traffic with firewall to apply custom routing. | ||
| - | |||
| - | <code bash> | ||
| - | uci -q delete firewall.lan_web | ||
| - | uci set firewall.lan_web=" | ||
| - | uci set firewall.lan_web.name=" | ||
| - | uci set firewall.lan_web.src=" | ||
| - | uci set firewall.lan_web.src_mac=" | ||
| - | uci set firewall.lan_web.src_port=" | ||
| - | uci set firewall.lan_web.proto=" | ||
| - | uci set firewall.lan_web.set_mark=" | ||
| - | uci set firewall.lan_web.target=" | ||
| - | uci commit firewall | ||
| - | / | ||
| - | uci set network.lan.ip4table=" | ||
| - | uci set network.lan.ip6table=" | ||
| - | uci set network.wan.ip4table=" | ||
| - | uci set network.wan6.ip6table=" | ||
| - | uci -q delete network.lan_web | ||
| - | uci set network.lan_web=" | ||
| - | uci set network.lan_web.in=" | ||
| - | uci set network.lan_web.mark=" | ||
| - | uci set network.lan_web.lookup=" | ||
| - | uci set network.lan_web.priority=" | ||
| - | uci -q delete network.lan_web6 | ||
| - | uci set network.lan_web6=" | ||
| - | uci set network.lan_web6.in=" | ||
| - | uci set network.lan_web6.mark=" | ||
| - | uci set network.lan_web6.lookup=" | ||
| - | uci set network.lan_web6.priority=" | ||
| - | uci commit network | ||
| - | / | ||
| - | </ | ||
| - | |||
| - | ==== Route LAN to OpenVPN ==== | ||
| - | Use custom routing tables and rules to prioritize routing LAN to OpenVPN. | ||
| - | Be sure to [[docs: | ||
| - | |||
| - | <code bash> | ||
| - | uci set network.lan.ip4table=" | ||
| - | uci set network.lan.ip6table=" | ||
| - | uci set network.vpn.ip4table=" | ||
| - | uci set network.vpn.ip6table=" | ||
| - | uci -q delete network.vpn_rt | ||
| - | uci set network.vpn_rt=" | ||
| - | uci set network.vpn_rt.interface=" | ||
| - | uci set network.vpn_rt.target=" | ||
| - | uci -q delete network.vpn_rt6 | ||
| - | uci set network.vpn_rt6=" | ||
| - | uci set network.vpn_rt6.interface=" | ||
| - | uci set network.vpn_rt6.target="::/ | ||
| - | uci -q delete network.lan_vpn | ||
| - | uci set network.lan_vpn=" | ||
| - | uci set network.lan_vpn.in=" | ||
| - | uci set network.lan_vpn.lookup=" | ||
| - | uci set network.lan_vpn.priority=" | ||
| - | uci -q delete network.lan_vpn6 | ||
| - | uci set network.lan_vpn6=" | ||
| - | uci set network.lan_vpn6.in=" | ||
| - | uci set network.lan_vpn6.lookup=" | ||
| - | uci set network.lan_vpn6.priority=" | ||
| - | uci commit network | ||
| - | / | ||
| - | </ | ||
| - | |||
| - | ==== Kill switch using IP routes ==== | ||
| - | Create prohibitive routes in the target routing table to prevent traffic leaks. | ||
| - | Assuming the loopback interface is always up and the default route has a lower metric. | ||
| - | |||
| - | <code bash> | ||
| - | uci set network.vpn.ip4table=" | ||
| - | uci set network.vpn.ip6table=" | ||
| - | uci -q delete network.vpn_ks | ||
| - | uci set network.vpn_ks=" | ||
| - | uci set network.vpn_ks.interface=" | ||
| - | uci set network.vpn_ks.target=" | ||
| - | uci set network.vpn_ks.type=" | ||
| - | uci set network.vpn_ks.metric=" | ||
| - | uci set network.vpn_ks.table=" | ||
| - | uci -q delete network.vpn_ks6 | ||
| - | uci set network.vpn_ks6=" | ||
| - | uci set network.vpn_ks6.interface=" | ||
| - | uci set network.vpn_ks6.target="::/ | ||
| - | uci set network.vpn_ks6.type=" | ||
| - | uci set network.vpn_ks6.metric=" | ||
| - | uci set network.vpn_ks6.table=" | ||
| - | uci commit network | ||
| - | / | ||
| - | </ | ||
| - | |||
| - | ==== Kill switch using IP rules ==== | ||
| - | Create prohibitive rules to prevent traffic leaks. | ||
| - | Assuming the custom rules use a lower numeric priority to override the prohibitive ones. | ||
| - | |||
| - | <code bash> | ||
| - | uci -q delete network.lan_ks | ||
| - | uci set network.lan_ks=" | ||
| - | uci set network.lan_ks.in=" | ||
| - | uci set network.lan_ks.action=" | ||
| - | uci set network.lan_ks.priority=" | ||
| - | uci -q delete network.lan_ks6 | ||
| - | uci set network.lan_ks6=" | ||
| - | uci set network.lan_ks6.in=" | ||
| - | uci set network.lan_ks6.action=" | ||
| - | uci set network.lan_ks6.priority=" | ||
| - | uci commit network | ||
| - | / | ||
| - | </ | ||
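Review bot: the removed text never says that "Route LAN to VPN with failover to WAN" and the two "Kill switch" sections are mutually exclusive, although their stated assumptions make them so. Failover works only because a lookup in a vpn table with no default route falls through to the lower-precedence lan_wan rule; "Kill switch using IP routes" puts a prohibit default route into that same vpn table, so the lookup terminates there and lan_wan is never consulted, and "Kill switch using IP rules" places a prohibit rule after the custom rules, so either lan_wan sits before it (kill switch never fires) or after it (failover never fires). Suggest adding one sentence to the Introduction, or to each kill-switch section, stating that a kill switch replaces the WAN fallback rather than complementing it, and that "Assuming the custom rules use a lower numeric priority" in the rules variant must not include lan_wan/lan_wan6. In the same vein, "Assuming the loopback interface is always up and the default route has a lower metric" in the routes variant should spell out why the interface is set to loopback (the prohibit route must stay installed while the vpn interface is down, otherwise netifd withdraws it together with the interface and the leak it is meant to block reappears).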