Differences

This shows you the differences between two versions of the page.

docs:guide-user:network:routing:pbr [2021/08/11 15:37] – [Unsupported protocols] update vgaeteradocs:guide-user:network:routing:pbr [2023/09/27 02:36] – [PBR (Policy-Based Routing)] vgaetera
Line 1: Line 1:
-====== PBR with netifd ====== +====== PBR (Policy-Based Routing) ====== 
-OpenWrt offers built-in [[wp>Policy-based_routing|PBR]] support with [[docs:techref:netifd|netifd]]+See also: 
-  * Custom routing tables using the interface options ''ip4table'' and ''ip6table''+[[docs:guide-user:network:routing:basics#policy-based_routing|Routing basics]]
-  * Routing rules using the sections ''rule'' and ''rule6''.+
  
-===== Typical goals ===== +[[wp>Policy-based_routing|PBR]] is a technique used to make routing decisions based on policies set by the network administrator. 
-  * Utilize multiple upstream interfaces with their own gateways. +There are different methods to implement PBR with their own pros and cons, and some methods can be more suitable than others depending on your goal.
-  * Route different subnets/clients to a different gateway. +
-  * Prioritize routing for local subnets and tunnel endpoints.+
  
-===== Generic instructions ===== +===== Solutions ===== 
-  * Set up named routing tables for each interface. +==== PBR app ==== 
-  * Assign each interface to its own routing table. +See also: 
-  * Add default routing rules after subnets/endpoints. +[[docs:guide-user:network:routing:pbr_app|PBR app]]
-  * Add custom routing rules before the default ones.+
  
-<code bash> +PBR app helps overcome routing issues for the following scenarios: 
-# Configure routing tables +  * Utilize split tunneling to route your traffic to VPN/WAN selectively for some of hosts/subnets/domains. 
-cat << "EOF" >> /etc/iproute2/rt_tables +  * Implement port forwarding on the WAN interface when traffic is routed to VPN by default. 
-1 lan +  * Run VPN client and server simultaneously and route traffic to the VPN client. 
-2 wan +  * Provide web interface to manage routing policies.
-3 dmz +
-4 vpn +
-EOF+
  
-# Configure interfaces +==== PBR with netifd ==== 
-uci set network.lan.ip4table="lan" +See also: 
-uci set network.lan.ip6table="lan" +[[docs:guide-user:network:routing:pbr_netifd|PBR with netifd]]
-uci set network.wan.ip4table="wan" +
-uci set network.wan6.ip6table="wan" +
-uci set network.dmz.ip4table="dmz" +
-uci set network.dmz.ip6table="dmz" +
-uci set network.vpn.ip4table="vpn" +
-uci set network.vpn.ip6table="vpn"+
  
-# Configure default rules +PBR with netifd helps to utilize different routing tables to route traffic to a specific interface based on traffic parameters like ingress/egress interface, source/destination address, firewall mark, etc.: 
-uci -q delete network.default +  * Relies on the built-in netifd functionality and requires no extra software installation
-uci set network.default="rule" +  * Suitable for managed and unmanaged interfaces declared in the network configuration
-uci set network.default.lookup="wan" +  * Works well with interfaces, subnets, IP addresses and ports, but not domains.
-uci set network.default.priority="40000" +
-uci -q delete network.default6 +
-uci set network.default6="rule6" +
-uci set network.default6.lookup="wan" +
-uci set network.default6.priority="40000"+
  
-# Configure custom rules +==== mwan3 ==== 
-uci -q delete network.dmz_vpn +See also: 
-uci set network.dmz_vpn="rule" +[[docs:guide-user:network:wan:multiwan:mwan3|mwan3]], 
-uci set network.dmz_vpn.in="dmz" +[[docs:guide-user:routing:examples:dual-wan|Routing example: Dual VPN with mwan3]]
-uci set network.dmz_vpn.lookup="vpn" +
-uci set network.dmz_vpn.priority="30000" +
-uci -q delete network.dmz_vpn6 +
-uci set network.dmz_vpn6="rule6" +
-uci set network.dmz_vpn6.in="dmz" +
-uci set network.dmz_vpn6.lookup="vpn" +
-uci set network.dmz_vpn6.priority="30000" +
-uci commit network +
-/etc/init.d/network restart +
-</code>+
  
-===== Unsupported protocols ===== +mwan3 provides load balancing and failover with multiple WAN interfaces.
-Provide PBR for protocols unsupported by netifd like OpenVPN. +
- +
-<code bash> +
-# Provide PBR for netifd +
-cat << "EOF" > /lib/netifd/proto/pbr.sh +
-#!/bin/sh +
- +
-proto_pbr_setup() { +
-local NET_CONF="${1}" +
-local NET_DEV +
-local NET_IPRT +
-local NET_IPRT6 +
-config_load network +
-config_get NET_DEV "${NET_CONF}" ifname +
-config_get NET_IPRT "${NET_CONF}" ip4table +
-config_get NET_IPRT6 "${NET_CONF}" ip6table +
-if [ -n "${NET_IPRT}"+
-then ip route add default dev "${NET_DEV}" table "${NET_IPRT}" +
-fi +
-if [ -n "${NET_IPRT6}"+
-then ip -6 route add default dev "${NET_DEV}" table "${NET_IPRT6}" +
-fi +
-proto_init_update "${NET_DEV}"+
-proto_send_update "${NET_CONF}" +
-+
- +
-proto_pbr_teardown() { +
-local NET_CONF="${1}" +
-+
- +
-if [ -z "${INCLUDE_ONLY}"+
-then +
-. /lib/functions.sh +
-. /lib/functions/network.sh +
-. ../netifd-proto.sh +
-init_proto "${@}" +
-add_protocol pbr +
-fi +
-EOF +
-chmod +x /lib/netifd/proto/pbr.sh +
-cat << "EOF" >> /etc/sysupgrade.conf +
-/lib/netifd/proto/pbr.sh +
-EOF +
- +
-# Configure interfaces +
-uci -q delete network.vpn +
-uci set network.vpn="interface" +
-uci set network.vpn.proto="pbr" +
-uci set network.vpn.ifname="tun0" +
-uci set network.vpn.ip4table="vpn" +
-uci set network.vpn.ip6table="vpn" +
-uci commit network +
-/etc/init.d/network restart +
-/etc/init.d/openvpn restart +
-</code> +
- +
-===== Examples ===== +
-==== Route LAN to VPN with failover to WAN ==== +
-<code bash> +
-uci set network.lan.ip4table="1" +
-uci set network.lan.ip6table="1" +
-uci set network.wan.ip4table="2" +
-uci set network.wan6.ip6table="2" +
-uci -q delete network.lan_wan +
-uci set network.lan_wan="rule" +
-uci set network.lan_wan.lookup="2" +
-uci set network.lan_wan.priority="40000" +
-uci -q delete network.lan_wan6 +
-uci set network.lan_wan6="rule6" +
-uci set network.lan_wan6.lookup="2" +
-uci set network.lan_wan6.priority="40000" +
-uci commit network +
-/etc/init.d/network restart +
-</code> +
- +
-==== Route DMZ to VPN and LAN to WAN ==== +
-<code bash> +
-uci set network.lan.ip4table="1" +
-uci set network.lan.ip6table="1" +
-uci set network.vpn.ip4table="2" +
-uci set network.vpn.ip6table="2" +
-uci set network.dmz.ip4table="3" +
-uci set network.dmz.ip6table="3" +
-uci -q delete network.dmz_vpn +
-uci set network.dmz_vpn="rule" +
-uci set network.dmz_vpn.in="dmz" +
-uci set network.dmz_vpn.lookup="2" +
-uci set network.dmz_vpn.priority="30000" +
-uci -q delete network.dmz_vpn6 +
-uci set network.dmz_vpn6="rule6" +
-uci set network.dmz_vpn6.in="dmz" +
-uci set network.dmz_vpn6.lookup="2" +
-uci set network.dmz_vpn6.priority="30000" +
-uci commit network +
-/etc/init.d/network restart +
-</code> +
- +
-==== Route LAN to VPN and forward HTTPS from WAN to LAN ==== +
-<code bash> +
-uci -q delete firewall.https_fwd +
-uci set firewall.https_fwd="rule" +
-uci set firewall.https_fwd.name="Forward-HTTPS" +
-uci set firewall.https_fwd.src="wan" +
-uci set firewall.https_fwd.src_dport="443" +
-uci set firewall.https_fwd.dest_ip="192.168.1.2" +
-uci set firewall.https_fwd.proto="tcp" +
-uci set firewall.https_fwd.target="DNAT" +
-uci -q delete firewall.https_mark +
-uci set firewall.https_mark="rule" +
-uci set firewall.https_mark.name="Mark-HTTPS" +
-uci set firewall.https_mark.src="lan" +
-uci set firewall.https_mark.src_ip="192.168.1.2" +
-uci set firewall.https_mark.src_port="443" +
-uci set firewall.https_mark.proto="tcp" +
-uci set firewall.https_mark.set_mark="0x1" +
-uci set firewall.https_mark.target="MARK" +
-uci commit firewall +
-/etc/init.d/firewall restart +
-uci set network.lan.ip4table="1" +
-uci set network.wan.ip4table="2" +
-uci -q delete network.lan_wan +
-uci set network.lan_wan="rule" +
-uci set network.lan_wan.in="lan" +
-uci set network.lan_wan.mark="1" +
-uci set network.lan_wan.lookup="2" +
-uci set network.lan_wan.priority="30000" +
-uci commit network +
-/etc/init.d/network restart +
-</code>+
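Review bot: the mwan3 cross-reference `[[docs:guide-user:routing:examples:dual-wan|Routing example: Dual VPN with mwan3]]` points into the `docs:guide-user:routing:examples` namespace while every other link on the page (`docs:guide-user:network:routing:basics`, `docs:guide-user:network:routing:pbr_app`, `docs:guide-user:network:routing:pbr_netifd`) lives under `docs:guide-user:network:routing`, and its label reads "Dual VPN" for a page named `dual-wan`; confirm the target resolves or correct the namespace and label to match. Second, the "Generic instructions", "Unsupported protocols" and "Examples" sections (the `/etc/iproute2/rt_tables` setup, the `/lib/netifd/proto/pbr.sh` handler and the three uci examples) are removed outright with only the `pbr_netifd` link left in their place; the hunk does not show them being moved, so verify the `pbr_netifd` subpage actually carries that material before this revision goes live, otherwise the only documented way to route an unmanaged tunnel such as OpenVPN through its own table disappears from the wiki. Minor: the three bullets under "PBR with netifd" end inconsistently (only the last one has a full stop).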
  
  • Last modified: 2023/10/29 00:46
  • by vgaetera