docs:guide-user:network:routing:pbr [2021/08/15 20:48] – [Unsupported protocols] update vgaeteradocs:guide-user:network:routing:pbr [2023/09/27 02:36] – [PBR (Policy-Based Routing)] vgaetera
Line 1: Line 1:
-====== PBR with netifd ====== +====== PBR (Policy-Based Routing) ====== 
-{{section>meta:infobox:howto_links#cli_skills&noheader&nofooter&noeditbutton}}+See also: 
 +[[docs:guide-user:network:routing:basics#policy-based_routing|Routing basics]]
  
-===== Introduction ===== +[[wp>Policy-based_routing|PBR]] is a technique used to make routing decisions based on policies set by the network administrator
-OpenWrt offers built-in [[wp>Policy-based_routing|PBR]] support with [[docs:techref:netifd|netifd]]: +There are different methods to implement PBR with their own pros and cons, and some methods can be more suitable than others depending on your goal.
-  * Custom routing tables using the interface options ''ip4table'' and ''ip6table''+
-  * Routing rules using the sections ''rule'' and ''rule6''.+
  
-===== Goals ===== +===== Solutions ===== 
-  * Utilize multiple upstream interfaces with their own gateways. +==== PBR app ==== 
-  * Route different subnets/clients to a different gateway. +See also: 
-  * Prioritize routing for local subnets and tunnel endpoints.+[[docs:guide-user:network:routing:pbr_app|PBR app]]
  
-===== Command-line instructions ===== +PBR app helps overcome routing issues for the following scenarios: 
-  * Set up named routing tables for each interface+  * Utilize split tunneling to route your traffic to VPN/WAN selectively for some of hosts/subnets/domains
-  * Assign each interface to its own routing table+  * Implement port forwarding on the WAN interface when traffic is routed to VPN by default
-  * Add default routing rules after subnets/endpoints+  * Run VPN client and server simultaneously and route traffic to the VPN client
-  * Add custom routing rules before the default ones.+  * Provide web interface to manage routing policies.
  
-<code bash> +==== PBR with netifd ==== 
-# Configure routing tables +See also: 
-cat << "EOF" >> /etc/iproute2/rt_tables +[[docs:guide-user:network:routing:pbr_netifd|PBR with netifd]]
-1 lan +
-2 wan +
-3 dmz +
-4 vpn +
-EOF+
  
-# Configure interfaces +PBR with netifd helps to utilize different routing tables to route traffic to a specific interface based on traffic parameters like ingress/egress interface, source/destination address, firewall mark, etc.: 
-uci set network.lan.ip4table="lan" +  * Relies on the built-in netifd functionality and requires no extra software installation
-uci set network.lan.ip6table="lan" +  * Suitable for managed and unmanaged interfaces declared in the network configuration
-uci set network.wan.ip4table="wan" +  * Works well with interfaces, subnets, IP addresses and ports, but not domains.
-uci set network.wan6.ip6table="wan" +
-uci set network.dmz.ip4table="dmz" +
-uci set network.dmz.ip6table="dmz" +
-uci set network.vpn.ip4table="vpn" +
-uci set network.vpn.ip6table="vpn"+
  
-# Configure default rules +==== mwan3 ==== 
-uci -q delete network.default +See also: 
-uci set network.default="rule" +[[docs:guide-user:network:wan:multiwan:mwan3|mwan3]], 
-uci set network.default.lookup="wan" +[[docs:guide-user:routing:examples:dual-wan|Routing example: Dual VPN with mwan3]]
-uci set network.default.priority="40000" +
-uci -q delete network.default6 +
-uci set network.default6="rule6" +
-uci set network.default6.lookup="wan+
-uci set network.default6.priority="40000"+
  
-# Configure custom rules +mwan3 provides load balancing and failover with multiple WAN interfaces.
-uci -q delete network.dmz_vpn +
-uci set network.dmz_vpn="rule" +
-uci set network.dmz_vpn.in="dmz" +
-uci set network.dmz_vpn.lookup="vpn" +
-uci set network.dmz_vpn.priority="30000" +
-uci -q delete network.dmz_vpn6 +
-uci set network.dmz_vpn6="rule6" +
-uci set network.dmz_vpn6.in="dmz" +
-uci set network.dmz_vpn6.lookup="vpn" +
-uci set network.dmz_vpn6.priority="30000" +
-uci commit network +
-/etc/init.d/network restart +
-</code> +
- +
-===== Extras ===== +
-==== PBR protocol ==== +
-Provide PBR for protocols unsupported by netifd like OpenVPN. +
- +
-<code bash> +
-# Provide PBR for netifd +
-cat << "EOF" > /lib/netifd/proto/pbr.sh +
-#!/bin/sh +
- +
-proto_pbr_setup() { +
-local NET_CONF="${1}" +
-local NET_DEV +
-local NET_RT +
-local NET_RT6 +
-config_load network +
-config_get NET_DEV "${NET_CONF}" ifname +
-config_get NET_RT "${NET_CONF}" ip4table +
-config_get NET_RT6 "${NET_CONF}" ip6table +
-if [ -n "${NET_RT}"+
-then ip route add default dev "${NET_DEV}" table "${NET_RT}" +
-fi +
-if [ -n "${NET_RT6}"+
-then ip -6 route add default dev "${NET_DEV}" table "${NET_RT6}" +
-fi +
-proto_init_update "${NET_DEV}"+
-proto_send_update "${NET_CONF}" +
-+
- +
-proto_pbr_teardown() { +
-local NET_CONF="${1}" +
-+
- +
-if [ -z "${INCLUDE_ONLY}"+
-then +
-. /lib/functions.sh +
-. /lib/functions/network.sh +
-. ../netifd-proto.sh +
-init_proto "${@}" +
-add_protocol pbr +
-fi +
-EOF +
-chmod +x /lib/netifd/proto/pbr.sh +
-cat << "EOF" >> /etc/sysupgrade.conf +
-/lib/netifd/proto/pbr.sh +
-EOF +
-</code> +
- +
-==== PBR functions ==== +
-<code bash> +
-# Configure profile +
-mkdir -p /etc/profile.d +
-cat << "EOF" > /etc/profile.d/pbr.sh +
-setup_pbr() { +
-local NET_IF +
-local NET_IF6 +
-. /lib/functions.sh +
-. /lib/config/uci.sh +
-. /lib/functions/network.sh +
-config_load network +
-config_foreach setup_iface interface +
-network_flush_cache +
-network_find_wan NET_IF +
-network_find_wan6 NET_IF6 +
-uci_remove network default +
-uci_add network rule default +
-uci_set network default lookup "${NET_IF:-wan}" +
-uci_set network default priority "40000" +
-uci_remove network default6 +
-uci_add network rule6 default6 +
-uci_set network default6 lookup "${NET_IF6:-wan6}" +
-uci_set network default6 priority "40000" +
-uci_commit network +
-/etc/init.d/network restart +
-+
- +
-setup_iface() { +
-local NET_CONF="${1}" +
-local NET_RT +
-local NET_RT6 +
-local NET_RT0 +
-local NET_PROTO +
-local NET_RTCONF="/etc/iproute2/rt_tables" +
-NET_PROTO="$(uci_get network "${NET_CONF}" proto "${NET_PROTO}")" +
-NET_RT="$(uci_get network "${NET_CONF}" ip4table "${NET_CONF}")" +
-NET_RT6="$(uci_get network "${NET_CONF}" ip6table "${NET_CONF}")" +
-NET_RT0="$(grep -o -E -e "^[0-9]+" "${NET_RTCONF}" | sort -n | tail -n 1)" +
-if [ "${NET_CONF}" = "loopback"+
-then return 0 +
-fi +
-if [ "${NET_PROTO}" = "none"+
-then uci_set network "${NET_CONF}" proto "pbr" +
-fi +
-if ! grep -q -E -e "^[0-9]+\s+${NET_CONF}$" "${NET_RTCONF}" +
-then sed -i -e "\$a $((NET_RT0+1))\t${NET_CONF}" "${NET_RTCONF}" +
-fi +
-uci_set network "${NET_CONF}" ip4table "${NET_RT}" +
-uci_set network "${NET_CONF}" ip6table "${NET_RT6}" +
-+
- +
-unset_pbr() { +
-. /lib/functions.sh +
-. /lib/config/uci.sh +
-config_load network +
-config_foreach unset_iface interface +
-uci_remove network default +
-uci_remove network default6 +
-uci_commit network +
-/etc/init.d/network restart +
-+
- +
-unset_iface() { +
-local NET_CONF="${1}" +
-NET_PROTO="$(uci_get network "${NET_CONF}" proto "${NET_PROTO}")" +
-if [ "${NET_CONF}" = "loopback"+
-then return 0 +
-fi +
-if [ "${NET_PROTO}" = "pbr"+
-then uci_set network "${NET_CONF}" proto "none" +
-fi +
-uci_remove network "${NET_CONF}" ip4table +
-uci_remove network "${NET_CONF}" ip6table +
-+
-EOF +
-. /etc/profile.d/pbr.sh +
-</code> +
- +
-==== Automated ==== +
-<code bash> +
-opkg update +
-opkg install libustream-mbedtls +
-URL="https://openwrt.org/_export/code/docs/guide-user/network/routing" +
-cat << EOF > pbr.sh +
-$(uclient-fetch -O - "${URL}/pbr?codeblock=1"+
-$(uclient-fetch -O - "${URL}/pbr?codeblock=2"+
-EOF +
-. ./pbr.sh +
-setup_pbr +
-</code> +
- +
-===== Examples ===== +
-==== Route LAN to VPN with failover to WAN ==== +
-<code bash> +
-uci set network.lan.ip4table="1" +
-uci set network.lan.ip6table="1" +
-uci set network.wan.ip4table="2" +
-uci set network.wan6.ip6table="2" +
-uci -q delete network.lan_wan +
-uci set network.lan_wan="rule" +
-uci set network.lan_wan.lookup="2" +
-uci set network.lan_wan.priority="40000" +
-uci -q delete network.lan_wan6 +
-uci set network.lan_wan6="rule6" +
-uci set network.lan_wan6.lookup="2" +
-uci set network.lan_wan6.priority="40000" +
-uci commit network +
-/etc/init.d/network restart +
-</code> +
- +
-==== Route DMZ to VPN and LAN to WAN ==== +
-<code bash> +
-uci set network.lan.ip4table="1" +
-uci set network.lan.ip6table="1" +
-uci set network.vpn.ip4table="2" +
-uci set network.vpn.ip6table="2" +
-uci set network.dmz.ip4table="3" +
-uci set network.dmz.ip6table="3" +
-uci -q delete network.dmz_vpn +
-uci set network.dmz_vpn="rule" +
-uci set network.dmz_vpn.in="dmz" +
-uci set network.dmz_vpn.lookup="2" +
-uci set network.dmz_vpn.priority="30000" +
-uci -q delete network.dmz_vpn6 +
-uci set network.dmz_vpn6="rule6" +
-uci set network.dmz_vpn6.in="dmz" +
-uci set network.dmz_vpn6.lookup="2" +
-uci set network.dmz_vpn6.priority="30000" +
-uci commit network +
-/etc/init.d/network restart +
-</code> +
- +
-==== Route LAN to VPN and forward HTTPS from WAN to LAN ==== +
-<code bash> +
-uci -q delete firewall.https_fwd +
-uci set firewall.https_fwd="rule" +
-uci set firewall.https_fwd.name="Forward-HTTPS" +
-uci set firewall.https_fwd.src="wan" +
-uci set firewall.https_fwd.src_dport="443" +
-uci set firewall.https_fwd.dest_ip="192.168.1.2" +
-uci set firewall.https_fwd.proto="tcp" +
-uci set firewall.https_fwd.target="DNAT" +
-uci -q delete firewall.https_mark +
-uci set firewall.https_mark="rule" +
-uci set firewall.https_mark.name="Mark-HTTPS" +
-uci set firewall.https_mark.src="lan" +
-uci set firewall.https_mark.src_ip="192.168.1.2" +
-uci set firewall.https_mark.src_port="443" +
-uci set firewall.https_mark.proto="tcp" +
-uci set firewall.https_mark.set_mark="0x1" +
-uci set firewall.https_mark.target="MARK" +
-uci commit firewall +
-/etc/init.d/firewall restart +
-uci set network.lan.ip4table="1" +
-uci set network.wan.ip4table="2" +
-uci -q delete network.lan_wan +
-uci set network.lan_wan="rule" +
-uci set network.lan_wan.in="lan" +
-uci set network.lan_wan.mark="1" +
-uci set network.lan_wan.lookup="2" +
-uci set network.lan_wan.priority="30000" +
-uci commit network +
-/etc/init.d/network restart +
-</code>+
  