Differences
This shows you the differences between two versions of the page.
docs:guide-user:network:routing:examples:pbr_netifd [2023/09/17 00:19] – [Guidelines] vgaetera → docs:guide-user:network:routing:examples:pbr_netifd [2023/09/27 01:55] (current) – move to docs:guide-user:network:routing:pbr_netifd vgaetera
| Line 1: | Line 1: | ||
| - | ====== Routing example: PBR with netifd ====== | ||
| - | {{section> | ||
| - | |||
| - | See also: | ||
| - | [[docs: | ||
| - | |||
| - | ===== Introduction ===== | ||
| - | * This how-to provides most common scenarios for PBR with netifd. | ||
| - | * It contains both IPv4 and IPv6 routing rules to prevent traffic leaks. | ||
| - | * Enable [[docs: | ||
| - | |||
| - | ===== Guidelines ===== | ||
| - | * Assign each interface to a separate routing table. | ||
| - | * It makes netifd create essential rules automatically to simplify the setup. | ||
| - | * This isolates each default route resolving possible routing conflicts. | ||
| - | * Keep the default route enabled for each upstream interface. | ||
| - | * Multiple interfaces can be connected and used simultaneously by different clients. | ||
| - | * Do not duplicate the same default route in other routing tables. | ||
| - | * Create custom routing rules for each assigned routing table. | ||
| - | * Elevate routing decision on the level of routing rules for easier troubleshooting. | ||
| - | * Use a specific custom priority for each routing rule. | ||
| - | * A priority of about 30000 can override the '' | ||
| - | * A priority of about 40000-80000 follows after the '' | ||
| - | * Optionally use the '' | ||
| - | * This can be useful in a trivial setup to minimize configuration. | ||
| - | * It makes problematic to utilize rules with high numeric priority values. | ||
| - | |||
| - | ===== Instructions ===== | ||
| - | ==== Route LAN to VPN and DMZ to WAN ==== | ||
| - | Use custom routing tables and rules to prioritize routing LAN to VPN. | ||
| - | Route DMZ to WAN by default. | ||
| - | |||
| - | <code bash> | ||
| - | for IPV in 4 6 | ||
| - | do | ||
| - | uci set network.lan.ip${IPV}table=" | ||
| - | uci set network.vpn.ip${IPV}table=" | ||
| - | uci set network.dmz.ip${IPV}table=" | ||
| - | uci -q delete network.lan_vpn${IPV%4} | ||
| - | uci set network.lan_vpn${IPV%4}=" | ||
| - | uci set network.lan_vpn${IPV%4}.in=" | ||
| - | uci set network.lan_vpn${IPV%4}.lookup=" | ||
| - | uci set network.lan_vpn${IPV%4}.priority=" | ||
| - | done | ||
| - | uci commit network | ||
| - | / | ||
| - | </ | ||
| - | |||
| - | ==== Route LAN to VPN with failover to WAN ==== | ||
| - | Use custom routing tables and rules to prioritize routing LAN to VPN. | ||
| - | Route LAN to WAN as fallback when VPN is down. | ||
| - | |||
| - | <code bash> | ||
| - | for IPV in 4 6 | ||
| - | do | ||
| - | uci set network.lan.ip${IPV}table=" | ||
| - | uci set network.wan${IPV%4}.ip${IPV}table=" | ||
| - | uci -q delete network.lan_wan${IPV%4} | ||
| - | uci set network.lan_wan${IPV%4}=" | ||
| - | uci set network.lan_wan${IPV%4}.in=" | ||
| - | uci set network.lan_wan${IPV%4}.lookup=" | ||
| - | uci set network.lan_wan${IPV%4}.priority=" | ||
| - | done | ||
| - | uci commit network | ||
| - | / | ||
| - | </ | ||
| - | |||
| - | ==== Route LAN to VPN by IP set ==== | ||
| - | Route LAN traffic to VPN except destinations matching IP set. | ||
| - | Mark LAN traffic with firewall to apply custom routing. | ||
| - | |||
| - | <code bash> | ||
| - | for IPV in 4 6 | ||
| - | do | ||
| - | uci -q delete firewall.wan_set${IPV%4} | ||
| - | uci set firewall.wan_set${IPV%4}=" | ||
| - | uci set firewall.wan_set${IPV%4}.name=" | ||
| - | uci set firewall.wan_set${IPV%4}.family=" | ||
| - | uci set firewall.wan_set${IPV%4}.match=" | ||
| - | uci -q delete firewall.lan_mark${IPV%4} | ||
| - | uci set firewall.lan_mark${IPV%4}=" | ||
| - | uci set firewall.lan_mark${IPV%4}.name=" | ||
| - | uci set firewall.lan_mark${IPV%4}.src=" | ||
| - | uci set firewall.lan_mark${IPV%4}.dest=" | ||
| - | uci set firewall.lan_mark${IPV%4}.ipset=" | ||
| - | uci set firewall.lan_mark${IPV%4}.proto=" | ||
| - | uci set firewall.lan_mark${IPV%4}.family=" | ||
| - | uci set firewall.lan_mark${IPV%4}.set_mark=" | ||
| - | uci set firewall.lan_mark${IPV%4}.target=" | ||
| - | uci set network.lan.ip${IPV}table=" | ||
| - | uci set network.vpn.ip${IPV}table=" | ||
| - | uci -q delete network.lan_vpn${IPV%4} | ||
| - | uci set network.lan_vpn${IPV%4}=" | ||
| - | uci set network.lan_vpn${IPV%4}.in=" | ||
| - | uci set network.lan_vpn${IPV%4}.mark=" | ||
| - | uci set network.lan_vpn${IPV%4}.lookup=" | ||
| - | uci set network.lan_vpn${IPV%4}.priority=" | ||
| - | done | ||
| - | uci commit firewall | ||
| - | uci commit network | ||
| - | / | ||
| - | / | ||
| - | </ | ||
| - | |||
| - | ==== Route LAN to VPN with WAN port forwarding ==== | ||
| - | Route all traffic to VPN except a webserver running in LAN and serving to WAN. | ||
| - | Mark the webserver traffic with firewall to apply custom routing. | ||
| - | |||
| - | <code bash> | ||
| - | uci -q delete firewall.lan_web | ||
| - | uci set firewall.lan_web=" | ||
| - | uci set firewall.lan_web.name=" | ||
| - | uci set firewall.lan_web.src=" | ||
| - | uci set firewall.lan_web.src_mac=" | ||
| - | uci set firewall.lan_web.src_port=" | ||
| - | uci set firewall.lan_web.dest=" | ||
| - | uci set firewall.lan_web.proto=" | ||
| - | uci set firewall.lan_web.set_mark=" | ||
| - | uci set firewall.lan_web.target=" | ||
| - | for IPV in 4 6 | ||
| - | do | ||
| - | uci set network.lan.ip${IPV}table=" | ||
| - | uci set network.wan${IPV%4}.ip${IPV}table=" | ||
| - | uci -q delete network.lan_web${IPV%4} | ||
| - | uci set network.lan_web${IPV%4}=" | ||
| - | uci set network.lan_web${IPV%4}.in=" | ||
| - | uci set network.lan_web${IPV%4}.mark=" | ||
| - | uci set network.lan_web${IPV%4}.lookup=" | ||
| - | uci set network.lan_web${IPV%4}.priority=" | ||
| - | done | ||
| - | uci commit firewall | ||
| - | uci commit network | ||
| - | / | ||
| - | / | ||
| - | </ | ||
| - | |||
| - | ==== Route LAN to OpenVPN ==== | ||
| - | Use custom routing tables and rules to prioritize routing LAN to OpenVPN. | ||
| - | Be sure to [[docs: | ||
| - | |||
| - | <code bash> | ||
| - | for IPV in 4 6 | ||
| - | do | ||
| - | uci set network.lan.ip${IPV}table=" | ||
| - | uci set network.vpn.ip${IPV}table=" | ||
| - | uci -q delete network.vpn_rt${IPV%4} | ||
| - | uci set network.vpn_rt${IPV%4}=" | ||
| - | uci set network.vpn_rt${IPV%4}.interface=" | ||
| - | uci -q delete network.lan_vpn${IPV%4} | ||
| - | uci set network.lan_vpn${IPV%4}=" | ||
| - | uci set network.lan_vpn${IPV%4}.in=" | ||
| - | uci set network.lan_vpn${IPV%4}.lookup=" | ||
| - | uci set network.lan_vpn${IPV%4}.priority=" | ||
| - | done | ||
| - | uci set network.vpn_rt.target=" | ||
| - | uci set network.vpn_rt6.target="::/ | ||
| - | uci commit network | ||
| - | / | ||
| - | </ | ||
| - | |||
| - | ==== Kill switch using IP routes ==== | ||
| - | Create prohibitive routes in the target routing table to prevent traffic leaks. | ||
| - | Assuming the loopback interface is always up and the default route has a lower metric. | ||
| - | |||
| - | <code bash> | ||
| - | for IPV in 4 6 | ||
| - | do | ||
| - | uci set network.vpn.ip${IPV}table=" | ||
| - | uci -q delete network.vpn_ks${IPV%4} | ||
| - | uci set network.vpn_ks${IPV%4}=" | ||
| - | uci set network.vpn_ks${IPV%4}.interface=" | ||
| - | uci set network.vpn_ks${IPV%4}.type=" | ||
| - | uci set network.vpn_ks${IPV%4}.metric=" | ||
| - | uci set network.vpn_ks${IPV%4}.table=" | ||
| - | done | ||
| - | uci set network.vpn_ks.target=" | ||
| - | uci set network.vpn_ks6.target="::/ | ||
| - | uci commit network | ||
| - | / | ||
| - | </ | ||
| - | |||
| - | ==== Kill switch using IP rules ==== | ||
| - | Create prohibitive rules to prevent traffic leaks. | ||
| - | Assuming the custom rules use a lower numeric priority to override the prohibitive ones. | ||
| - | |||
| - | <code bash> | ||
| - | for IPV in 4 6 | ||
| - | do | ||
| - | uci -q delete network.lan_ks${IPV%4} | ||
| - | uci set network.lan_ks${IPV%4}=" | ||
| - | uci set network.lan_ks${IPV%4}.in=" | ||
| - | uci set network.lan_ks${IPV%4}.action=" | ||
| - | uci set network.lan_ks${IPV%4}.priority=" | ||
| - | done | ||
| - | uci commit network | ||
| - | / | ||
| - | </ | ||
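Review bot: this hunk removes the whole page under a revision note that says it was moved to docs:guide-user:network:routing:pbr_netifd, but nothing in the hunk leaves a redirect or stub at the old name, so the `{{section>` transclusion at the top and any external links to the examples page will break; suggest keeping a one-line pointer to the new location at the old path. Note also that this rendered view truncates every `uci set` value after its opening quote (for example `uci set network.lan.ip${IPV}table="`), so the moved content cannot be checked against the destination from this diff alone; confirm on the destination page that the per-family routing tables, the rule priorities, and the route type and rule action in the two kill-switch sections arrived intact, since a lost value there would silently turn a kill switch into a no-op.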