Differences
| docs:guide-user:network:routing:examples:pbr_netifd [2023/06/05 12:46] – [Route LAN to VPN by IP set] vgaetera | docs:guide-user:network:routing:examples:pbr_netifd [2023/09/27 01:55] (current) – move to docs:guide-user:network:routing:pbr_netifd vgaetera | ||
|---|---|---|---|
| Line 1: | Line 1: | ||
| - | ====== Routing example: PBR with netifd ====== | ||
| - | {{section> | ||
| - | |||
| - | See also: | ||
| - | [[docs: | ||
| - | |||
| - | ===== Introduction ===== | ||
| - | This how-to provides most common scenarios for PBR with netifd. | ||
| - | It contains both IPv4 and IPv6 routing rules to prevent traffic leaks. | ||
| - | Set up [[docs: | ||
| - | |||
| - | There is no need to create any extra default routes for interface protocols natively supported by netifd. | ||
| - | Assign each interface to a separate routing table to avoid default route conflicts and only use routing rules. | ||
| - | |||
| - | ===== Instructions ===== | ||
| - | ==== Route LAN to VPN and DMZ to WAN ==== | ||
| - | Use custom routing tables and rules to prioritize routing LAN to VPN. | ||
| - | Route DMZ to WAN by default. | ||
| - | |||
| - | <code bash> | ||
| - | for IPV in 4 6 | ||
| - | do | ||
| - | uci set network.lan.ip${IPV}table=" | ||
| - | uci set network.vpn.ip${IPV}table=" | ||
| - | uci set network.dmz.ip${IPV}table=" | ||
| - | uci -q delete network.lan_vpn${IPV%4} | ||
| - | uci set network.lan_vpn${IPV%4}=" | ||
| - | uci set network.lan_vpn${IPV%4}.in=" | ||
| - | uci set network.lan_vpn${IPV%4}.lookup=" | ||
| - | uci set network.lan_vpn${IPV%4}.priority=" | ||
| - | done | ||
| - | uci commit network | ||
| - | / | ||
| - | </ | ||
| - | |||
| - | ==== Route LAN to VPN with failover to WAN ==== | ||
| - | Use custom routing tables and rules to prioritize routing LAN to VPN. | ||
| - | Route LAN to WAN as fallback when VPN is down. | ||
| - | |||
| - | <code bash> | ||
| - | for IPV in 4 6 | ||
| - | do | ||
| - | uci set network.lan.ip${IPV}table=" | ||
| - | uci set network.wan${IPV%4}.ip${IPV}table=" | ||
| - | uci -q delete network.lan_wan${IPV%4} | ||
| - | uci set network.lan_wan${IPV%4}=" | ||
| - | uci set network.lan_wan${IPV%4}.in=" | ||
| - | uci set network.lan_wan${IPV%4}.lookup=" | ||
| - | uci set network.lan_wan${IPV%4}.priority=" | ||
| - | done | ||
| - | uci commit network | ||
| - | / | ||
| - | </ | ||
| - | |||
| - | ==== Route LAN to VPN by IP set ==== | ||
| - | Route LAN traffic to VPN except destinations matching IP set. | ||
| - | Mark LAN traffic with firewall to apply custom routing. | ||
| - | |||
| - | <code bash> | ||
| - | for IPV in 4 6 | ||
| - | do | ||
| - | uci -q delete firewall.wan_set${IPV%4} | ||
| - | uci set firewall.wan_set${IPV%4}=" | ||
| - | uci set firewall.wan_set${IPV%4}.name=" | ||
| - | uci set firewall.wan_set${IPV%4}.family=" | ||
| - | uci set firewall.wan_set${IPV%4}.match=" | ||
| - | uci -q delete firewall.lan_mark${IPV%4} | ||
| - | uci set firewall.lan_mark${IPV%4}=" | ||
| - | uci set firewall.lan_mark${IPV%4}.name=" | ||
| - | uci set firewall.lan_mark${IPV%4}.src=" | ||
| - | uci set firewall.lan_mark${IPV%4}.dest=" | ||
| - | uci set firewall.lan_mark${IPV%4}.ipset=" | ||
| - | uci set firewall.lan_mark${IPV%4}.proto=" | ||
| - | uci set firewall.lan_mark${IPV%4}.family=" | ||
| - | uci set firewall.lan_mark${IPV%4}.set_mark=" | ||
| - | uci set firewall.lan_mark${IPV%4}.target=" | ||
| - | uci set network.lan.ip${IPV}table=" | ||
| - | uci set network.vpn.ip${IPV}table=" | ||
| - | uci -q delete network.lan_vpn${IPV%4} | ||
| - | uci set network.lan_vpn${IPV%4}=" | ||
| - | uci set network.lan_vpn${IPV%4}.in=" | ||
| - | uci set network.lan_vpn${IPV%4}.mark=" | ||
| - | uci set network.lan_vpn${IPV%4}.lookup=" | ||
| - | uci set network.lan_vpn${IPV%4}.priority=" | ||
| - | done | ||
| - | uci commit firewall | ||
| - | uci commit network | ||
| - | / | ||
| - | / | ||
| - | </ | ||
| - | |||
| - | ==== Route LAN to VPN and forward HTTPS from WAN to LAN ==== | ||
| - | Route all traffic to VPN except a webserver running in LAN and serving to WAN. | ||
| - | Mark the webserver traffic with firewall to apply custom routing. | ||
| - | |||
| - | <code bash> | ||
| - | uci -q delete firewall.lan_web | ||
| - | uci set firewall.lan_web=" | ||
| - | uci set firewall.lan_web.name=" | ||
| - | uci set firewall.lan_web.src=" | ||
| - | uci set firewall.lan_web.src_mac=" | ||
| - | uci set firewall.lan_web.src_port=" | ||
| - | uci set firewall.lan_web.dest=" | ||
| - | uci set firewall.lan_web.proto=" | ||
| - | uci set firewall.lan_web.set_mark=" | ||
| - | uci set firewall.lan_web.target=" | ||
| - | for IPV in 4 6 | ||
| - | do | ||
| - | uci set network.lan.ip${IPV}table=" | ||
| - | uci set network.wan${IPV%4}.ip${IPV}table=" | ||
| - | uci -q delete network.lan_web${IPV%4} | ||
| - | uci set network.lan_web${IPV%4}=" | ||
| - | uci set network.lan_web${IPV%4}.in=" | ||
| - | uci set network.lan_web${IPV%4}.mark=" | ||
| - | uci set network.lan_web${IPV%4}.lookup=" | ||
| - | uci set network.lan_web${IPV%4}.priority=" | ||
| - | done | ||
| - | uci commit firewall | ||
| - | uci commit network | ||
| - | / | ||
| - | / | ||
| - | </ | ||
| - | |||
| - | ==== Route LAN to OpenVPN ==== | ||
| - | Use custom routing tables and rules to prioritize routing LAN to OpenVPN. | ||
| - | Be sure to [[docs: | ||
| - | |||
| - | <code bash> | ||
| - | for IPV in 4 6 | ||
| - | do | ||
| - | uci set network.lan.ip${IPV}table=" | ||
| - | uci set network.vpn.ip${IPV}table=" | ||
| - | uci -q delete network.vpn_rt${IPV%4} | ||
| - | uci set network.vpn_rt${IPV%4}=" | ||
| - | uci set network.vpn_rt${IPV%4}.interface=" | ||
| - | uci -q delete network.lan_vpn${IPV%4} | ||
| - | uci set network.lan_vpn${IPV%4}=" | ||
| - | uci set network.lan_vpn${IPV%4}.in=" | ||
| - | uci set network.lan_vpn${IPV%4}.lookup=" | ||
| - | uci set network.lan_vpn${IPV%4}.priority=" | ||
| - | done | ||
| - | uci set network.vpn_rt.target=" | ||
| - | uci set network.vpn_rt6.target="::/ | ||
| - | uci commit network | ||
| - | / | ||
| - | </ | ||
| - | |||
| - | ==== Kill switch using IP routes ==== | ||
| - | Create prohibitive routes in the target routing table to prevent traffic leaks. | ||
| - | Assuming the loopback interface is always up and the default route has a lower metric. | ||
| - | |||
| - | <code bash> | ||
| - | for IPV in 4 6 | ||
| - | do | ||
| - | uci set network.vpn.ip${IPV}table=" | ||
| - | uci -q delete network.vpn_ks${IPV%4} | ||
| - | uci set network.vpn_ks${IPV%4}=" | ||
| - | uci set network.vpn_ks${IPV%4}.interface=" | ||
| - | uci set network.vpn_ks${IPV%4}.type=" | ||
| - | uci set network.vpn_ks${IPV%4}.metric=" | ||
| - | uci set network.vpn_ks${IPV%4}.table=" | ||
| - | done | ||
| - | uci set network.vpn_ks.target=" | ||
| - | uci set network.vpn_ks6.target="::/ | ||
| - | uci commit network | ||
| - | / | ||
| - | </ | ||
| - | |||
| - | ==== Kill switch using IP rules ==== | ||
| - | Create prohibitive rules to prevent traffic leaks. | ||
| - | Assuming the custom rules use a lower numeric priority to override the prohibitive ones. | ||
| - | |||
| - | <code bash> | ||
| - | for IPV in 4 6 | ||
| - | do | ||
| - | uci -q delete network.lan_ks${IPV%4} | ||
| - | uci set network.lan_ks${IPV%4}=" | ||
| - | uci set network.lan_ks${IPV%4}.in=" | ||
| - | uci set network.lan_ks${IPV%4}.action=" | ||
| - | uci set network.lan_ks${IPV%4}.priority=" | ||
| - | done | ||
| - | uci commit network | ||
| - | / | ||
| - | </ | ||
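Review bot: the "Route LAN to VPN with failover to WAN" block only defines the `lan_wan` rule and assigns the WAN interfaces a table; the `lan_vpn` rule it is meant to fall back from is created only in the preceding "Route LAN to VPN and DMZ to WAN" block, so applied on its own this snippet gives LAN no VPN preference at all. Suggest saying in the section text that it extends the previous block (or repeating the `lan_vpn` rule lines inside the loop) and documenting the numeric priority of each rule, since the "Kill switch using IP rules" section likewise rests on the assumption that the custom rules carry a lower numeric priority than the prohibitive ones. As this revision moves the page to docs:guide-user:network:routing:pbr_netifd, the emptied page should keep a pointer to the new location so existing inbound links do not dead-end.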