Differences

This shows you the differences between two versions of the page.

docs:guide-user:network:routing:pbr [2021/08/10 17:31] – created from docs:guide-user:network:pbr vgaetera
docs:guide-user:network:routing:pbr [2023/09/27 02:36] – [PBR (Policy-Based Routing)] vgaetera
Line 1: Line 1:
-====== PBR with netifd ====== +====== PBR (Policy-Based Routing) ====== 
-OpenWrt offers built-in [[wp>Policy-based_routing|PBR]] support for netifd: +See also: 
-  * Custom routing tables using the interface options ''ip4table'' and ''ip6table''+[[docs:guide-user:network:routing:basics#policy-based_routing|Routing basics]]
-  * Routing rules using the sections ''rule'' and ''rule6''.+
  
-===== Typical goals ===== +[[wp>Policy-based_routing|PBR]] is a technique used to make routing decisions based on policies set by the network administrator. 
-  * Utilize multiple upstream interfaces with their own gateways. +There are different methods to implement PBR with their own pros and cons, and some methods can be more suitable than others depending on your goal.
-  * Route different subnets/clients to a different gateway. +
-  * Prioritize routing for local subnets and tunnel endpoints.+
  
-===== Generic instructions ===== +===== Solutions ===== 
-  * Set up named routing tables for each interface. +==== PBR app ==== 
-  * Assign each interface to its own routing table. +See also: 
-  * Add default routing rules after subnets/endpoints. +[[docs:guide-user:network:routing:pbr_app|PBR app]]
-  * Add custom routing rules before the default ones.+
  
-<code bash> +PBR app helps overcome routing issues for the following scenarios: 
-# Configure routing tables +  * Utilize split tunneling to route your traffic to VPN/WAN selectively for some of hosts/subnets/domains. 
-cat << "EOF" >> /etc/iproute2/rt_tables +  * Implement port forwarding on the WAN interface when traffic is routed to VPN by default. 
-1 lan +  * Run VPN client and server simultaneously and route traffic to the VPN client. 
-2 wan +  * Provide web interface to manage routing policies.
-3 dmz +
-4 vpn +
-EOF+
  
-# Configure interfaces +==== PBR with netifd ==== 
-uci set network.lan.ip4table="lan" +See also: 
-uci set network.lan.ip6table="lan" +[[docs:guide-user:network:routing:pbr_netifd|PBR with netifd]]
-uci set network.wan.ip4table="wan" +
-uci set network.wan6.ip6table="wan" +
-uci set network.dmz.ip4table="dmz" +
-uci set network.dmz.ip6table="dmz" +
-uci set network.vpn.ip4table="vpn" +
-uci set network.vpn.ip6table="vpn"+
  
-# Configure default rules +PBR with netifd helps to utilize different routing tables to route traffic to a specific interface based on traffic parameters like ingress/egress interface, source/destination address, firewall mark, etc.: 
-uci -q delete network.default +  * Relies on the built-in netifd functionality and requires no extra software installation
-uci set network.default="rule" +  * Suitable for managed and unmanaged interfaces declared in the network configuration
-uci set network.default.lookup="wan" +  * Works well with interfaces, subnets, IP addresses and ports, but not domains.
-uci set network.default.priority="40000" +
-uci -q delete network.default6 +
-uci set network.default6="rule6" +
-uci set network.default6.lookup="wan" +
-uci set network.default6.priority="40000"+
  
-# Configure custom rules +==== mwan3 ==== 
-uci -q delete network.dmz_vpn +See also: 
-uci set network.dmz_vpn="rule" +[[docs:guide-user:network:wan:multiwan:mwan3|mwan3]], 
-uci set network.dmz_vpn.in="dmz" +[[docs:guide-user:routing:examples:dual-wan|Routing example: Dual VPN with mwan3]]
-uci set network.dmz_vpn.lookup="vpn" +
-uci set network.dmz_vpn.priority="30000" +
-uci -q delete network.dmz_vpn6 +
-uci set network.dmz_vpn6="rule6" +
-uci set network.dmz_vpn6.in="dmz" +
-uci set network.dmz_vpn6.lookup="vpn" +
-uci set network.dmz_vpn6.priority="30000" +
-uci commit network +
-/etc/init.d/network restart +
-</code>+
  
-===== Unsupported protocols ===== +mwan3 provides load balancing and failover with multiple WAN interfaces.
-Provide PBR for protocols unsupported by netifd like OpenVPN. +
- +
-<code bash> +
-# Provide PBR for netifd +
-cat << "EOF" > /lib/netifd/proto/pbr.sh +
-#!/bin/sh +
- +
-proto_pbr_setup() { +
-local config="${1}" +
-local ifname +
-local ip4table +
-local ip6table +
-config_load network +
-config_get ifname "${config}" "ifname" +
-config_get ip4table "${config}" "ip4table" +
-config_get ip6table "${config}" "ip6table" +
-if [ -n "${ip4table}"+
-then ip route add default dev "${ifname}" table "${ip4table}" +
-fi +
-if [ -n "${ip6table}"+
-then ip -6 route add default dev "${ifname}" table "${ip6table}" +
-fi +
-proto_init_update "${ifname}"+
-proto_send_update "${config}" +
-+
- +
-proto_pbr_teardown() { +
-local config="${1}" +
-+
- +
-if [ -z "${INCLUDE_ONLY}"+
-then +
-. /lib/functions.sh +
-. /lib/functions/network.sh +
-. ../netifd-proto.sh +
-init_proto "${@}" +
-add_protocol pbr +
-fi +
-EOF +
-chmod +x /lib/netifd/proto/pbr.sh +
-cat << "EOF" >> /etc/sysupgrade.conf +
-/lib/netifd/proto/pbr.sh +
-EOF +
- +
-# Configure interfaces +
-uci -q delete network.vpn +
-uci set network.vpn="interface" +
-uci set network.vpn.proto="pbr" +
-uci set network.vpn.ifname="tun0" +
-uci set network.vpn.ip4table="vpn" +
-uci set network.vpn.ip6table="vpn" +
-uci commit network +
-/etc/init.d/network restart +
-/etc/init.d/openvpn restart +
-</code> +
- +
-===== Examples ===== +
-==== Route LAN to VPN with failover to WAN ==== +
-<code bash> +
-uci set network.lan.ip4table="1" +
-uci set network.lan.ip6table="1" +
-uci set network.wan.ip4table="2" +
-uci set network.wan6.ip6table="2" +
-uci -q delete network.lan_wan +
-uci set network.lan_wan="rule" +
-uci set network.lan_wan.lookup="2" +
-uci set network.lan_wan.priority="40000" +
-uci -q delete network.lan_wan6 +
-uci set network.lan_wan6="rule6" +
-uci set network.lan_wan6.lookup="2" +
-uci set network.lan_wan6.priority="40000" +
-uci commit network +
-/etc/init.d/network restart +
-</code> +
- +
-==== Route DMZ to VPN and LAN to WAN ==== +
-<code bash> +
-uci set network.lan.ip4table="1" +
-uci set network.lan.ip6table="1" +
-uci set network.vpn.ip4table="2" +
-uci set network.vpn.ip6table="2" +
-uci set network.dmz.ip4table="3" +
-uci set network.dmz.ip6table="3" +
-uci -q delete network.dmz_vpn +
-uci set network.dmz_vpn="rule" +
-uci set network.dmz_vpn.in="dmz" +
-uci set network.dmz_vpn.lookup="2" +
-uci set network.dmz_vpn.priority="30000" +
-uci -q delete network.dmz_vpn6 +
-uci set network.dmz_vpn6="rule6" +
-uci set network.dmz_vpn6.in="dmz" +
-uci set network.dmz_vpn6.lookup="2" +
-uci set network.dmz_vpn6.priority="30000" +
-uci commit network +
-/etc/init.d/network restart +
-</code> +
- +
-==== Route LAN to VPN and forward HTTPS from WAN to LAN ==== +
-<code bash> +
-uci -q delete firewall.https_fwd +
-uci set firewall.https_fwd="rule" +
-uci set firewall.https_fwd.name="Forward-HTTPS" +
-uci set firewall.https_fwd.src="wan" +
-uci set firewall.https_fwd.src_dport="443" +
-uci set firewall.https_fwd.dest_ip="192.168.1.2" +
-uci set firewall.https_fwd.proto="tcp" +
-uci set firewall.https_fwd.target="DNAT" +
-uci -q delete firewall.https_mark +
-uci set firewall.https_mark="rule" +
-uci set firewall.https_mark.name="Mark-HTTPS" +
-uci set firewall.https_mark.src="lan" +
-uci set firewall.https_mark.src_ip="192.168.1.2" +
-uci set firewall.https_mark.src_port="443" +
-uci set firewall.https_mark.proto="tcp" +
-uci set firewall.https_mark.set_mark="0x1" +
-uci set firewall.https_mark.target="MARK" +
-uci commit firewall +
-/etc/init.d/firewall restart +
-uci set network.lan.ip4table="1" +
-uci set network.wan.ip4table="2" +
-uci -q delete network.lan_wan +
-uci set network.lan_wan="rule" +
-uci set network.lan_wan.in="lan" +
-uci set network.lan_wan.mark="1" +
-uci set network.lan_wan.lookup="2" +
-uci set network.lan_wan.priority="30000" +
-uci commit network +
-/etc/init.d/network restart +
-</code>+
  
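Review bot: the mwan3 cross-reference added in the last list, ''[[docs:guide-user:routing:examples:dual-wan|Routing example: Dual VPN with mwan3]]'', is out of step with the other links in this revision, which all sit under ''docs:guide-user:network:routing:'' (the ''network:'' namespace segment is missing here), and its label says "Dual VPN" while the page id says ''dual-wan''; please confirm the target page exists and make the label match what it points to. The removed "Generic instructions", "Unsupported protocols" and "Examples" sections (the ''/etc/iproute2/rt_tables'' setup, the ''pbr'' protocol handler in ''/lib/netifd/proto/pbr.sh'', and the three worked ''uci'' examples) are not visibly carried over anywhere in this diff; since the new page only links to ''docs:guide-user:network:routing:pbr_netifd'', confirm that material landed there before the old text is dropped, otherwise the failover and port-forwarding-with-fwmark examples are lost. Minor: "for some of hosts/subnets/domains" should read "for some hosts/subnets/domains", and the three bullets under "PBR with netifd" end inconsistently (the first two without a period, the third with one).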
  • Last modified: 2023/10/29 00:46
  • by vgaetera