| docs:guide-user:network:routing:pbr [2021/08/15 20:48] – [Unsupported protocols] update vgaetera | docs:guide-user:network:routing:pbr [2023/09/27 02:36] – [PBR (Policy-Based Routing)] vgaetera | ||
|---|---|---|---|
| Line 1: | Line 1: | ||
| - | ====== PBR with netifd | + | ====== PBR (Policy-Based Routing) |
| - | {{section> | + | See also: |
| + | [[docs: | ||
| - | ===== Introduction ===== | + | [[wp> |
| - | OpenWrt offers built-in | + | There are different methods to implement PBR with their own pros and cons, and some methods can be more suitable than others depending on your goal. |
| - | * Custom | + | |
| - | * Routing rules using the sections '' | + | |
| - | ===== Goals ===== | + | ===== Solutions |
| - | * Utilize multiple upstream interfaces with their own gateways. | + | ==== PBR app ==== |
| - | * Route different subnets/ | + | See also: |
| - | * Prioritize | + | [[docs: |
| - | ===== Command-line instructions ===== | + | PBR app helps overcome routing issues for the following scenarios: |
| - | * Set up named routing tables | + | * Utilize split tunneling to route your traffic to VPN/WAN selectively |
| - | * Assign each interface to its own routing table. | + | * Implement port forwarding on the WAN interface |
| - | * Add default routing rules after subnets/ | + | * Run VPN client and server simultaneously and route traffic to the VPN client. |
| - | * Add custom | + | * Provide web interface to manage |
| - | <code bash> | + | ==== PBR with netifd ==== |
| - | # Configure | + | See also: |
| - | cat << " | + | [[docs: |
| - | 1 lan | + | |
| - | 2 wan | + | |
| - | 3 dmz | + | |
| - | 4 vpn | + | |
| - | EOF | + | |
| - | # Configure interfaces | + | PBR with netifd helps to utilize different routing tables to route traffic to a specific interface based on traffic parameters like ingress/ |
| - | uci set network.lan.ip4table=" | + | * Relies on the built-in netifd functionality and requires no extra software installation. |
| - | uci set network.lan.ip6table=" | + | * Suitable for managed and unmanaged interfaces declared in the network |
| - | uci set network.wan.ip4table=" | + | * Works well with interfaces, subnets, IP addresses and ports, but not domains. |
| - | uci set network.wan6.ip6table=" | + | |
| - | uci set network.dmz.ip4table=" | + | |
| - | uci set network.dmz.ip6table=" | + | |
| - | uci set network.vpn.ip4table=" | + | |
| - | uci set network.vpn.ip6table=" | + | |
| - | # Configure default rules | + | ==== mwan3 ==== |
| - | uci -q delete network.default | + | See also: |
| - | uci set network.default=" | + | [[docs: |
| - | uci set network.default.lookup=" | + | [[docs: |
| - | uci set network.default.priority=" | + | |
| - | uci -q delete | + | |
| - | uci set network.default6=" | + | |
| - | uci set network.default6.lookup=" | + | |
| - | uci set network.default6.priority=" | + | |
| - | # Configure custom rules | + | mwan3 provides load balancing and failover |
| - | uci -q delete network.dmz_vpn | + | |
| - | uci set network.dmz_vpn=" | + | |
| - | uci set network.dmz_vpn.in=" | + | |
| - | uci set network.dmz_vpn.lookup=" | + | |
| - | uci set network.dmz_vpn.priority=" | + | |
| - | uci -q delete network.dmz_vpn6 | + | |
| - | uci set network.dmz_vpn6=" | + | |
| - | uci set network.dmz_vpn6.in=" | + | |
| - | uci set network.dmz_vpn6.lookup=" | + | |
| - | uci set network.dmz_vpn6.priority=" | + | |
| - | uci commit network | + | |
| - | / | + | |
| - | </ | + | |
| - | + | ||
| - | ===== Extras ===== | + | |
| - | ==== PBR protocol ==== | + | |
| - | Provide PBR for protocols unsupported by netifd like OpenVPN. | + | |
| - | + | ||
| - | <code bash> | + | |
| - | # Provide PBR for netifd | + | |
| - | cat << " | + | |
| - | #!/bin/sh | + | |
| - | + | ||
| - | proto_pbr_setup() { | + | |
| - | local NET_CONF=" | + | |
| - | local NET_DEV | + | |
| - | local NET_RT | + | |
| - | local NET_RT6 | + | |
| - | config_load network | + | |
| - | config_get NET_DEV " | + | |
| - | config_get NET_RT " | + | |
| - | config_get NET_RT6 " | + | |
| - | if [ -n " | + | |
| - | then ip route add default dev " | + | |
| - | fi | + | |
| - | if [ -n " | + | |
| - | then ip -6 route add default dev " | + | |
| - | fi | + | |
| - | proto_init_update " | + | |
| - | proto_send_update " | + | |
| - | } | + | |
| - | + | ||
| - | proto_pbr_teardown() { | + | |
| - | local NET_CONF=" | + | |
| - | } | + | |
| - | + | ||
| - | if [ -z " | + | |
| - | then | + | |
| - | . / | + | |
| - | . / | + | |
| - | . ../ | + | |
| - | init_proto " | + | |
| - | add_protocol pbr | + | |
| - | fi | + | |
| - | EOF | + | |
| - | chmod +x / | + | |
| - | cat << " | + | |
| - | / | + | |
| - | EOF | + | |
| - | </ | + | |
| - | + | ||
| - | ==== PBR functions ==== | + | |
| - | <code bash> | + | |
| - | # Configure profile | + | |
| - | mkdir -p / | + | |
| - | cat << " | + | |
| - | setup_pbr() { | + | |
| - | local NET_IF | + | |
| - | local NET_IF6 | + | |
| - | . / | + | |
| - | . / | + | |
| - | . / | + | |
| - | config_load network | + | |
| - | config_foreach setup_iface interface | + | |
| - | network_flush_cache | + | |
| - | network_find_wan NET_IF | + | |
| - | network_find_wan6 NET_IF6 | + | |
| - | uci_remove network default | + | |
| - | uci_add network rule default | + | |
| - | uci_set network default lookup " | + | |
| - | uci_set network default priority " | + | |
| - | uci_remove network default6 | + | |
| - | uci_add network rule6 default6 | + | |
| - | uci_set network default6 lookup " | + | |
| - | uci_set network default6 priority " | + | |
| - | uci_commit network | + | |
| - | / | + | |
| - | } | + | |
| - | + | ||
| - | setup_iface() { | + | |
| - | local NET_CONF=" | + | |
| - | local NET_RT | + | |
| - | local NET_RT6 | + | |
| - | local NET_RT0 | + | |
| - | local NET_PROTO | + | |
| - | local NET_RTCONF="/ | + | |
| - | NET_PROTO=" | + | |
| - | NET_RT=" | + | |
| - | NET_RT6=" | + | |
| - | NET_RT0=" | + | |
| - | if [ " | + | |
| - | then return 0 | + | |
| - | fi | + | |
| - | if [ " | + | |
| - | then uci_set network " | + | |
| - | fi | + | |
| - | if ! grep -q -E -e " | + | |
| - | then sed -i -e "\$a $((NET_RT0+1))\t${NET_CONF}" | + | |
| - | fi | + | |
| - | uci_set network " | + | |
| - | uci_set network " | + | |
| - | } | + | |
| - | + | ||
| - | unset_pbr() { | + | |
| - | . / | + | |
| - | . / | + | |
| - | config_load network | + | |
| - | config_foreach unset_iface interface | + | |
| - | uci_remove network default | + | |
| - | uci_remove network default6 | + | |
| - | uci_commit network | + | |
| - | / | + | |
| - | } | + | |
| - | + | ||
| - | unset_iface() { | + | |
| - | local NET_CONF=" | + | |
| - | NET_PROTO=" | + | |
| - | if [ " | + | |
| - | then return 0 | + | |
| - | fi | + | |
| - | if [ " | + | |
| - | then uci_set network " | + | |
| - | fi | + | |
| - | uci_remove network " | + | |
| - | uci_remove network " | + | |
| - | } | + | |
| - | EOF | + | |
| - | . / | + | |
| - | </ | + | |
| - | + | ||
| - | ==== Automated ==== | + | |
| - | <code bash> | + | |
| - | opkg update | + | |
| - | opkg install libustream-mbedtls | + | |
| - | URL=" | + | |
| - | cat << EOF > pbr.sh | + | |
| - | $(uclient-fetch -O - " | + | |
| - | $(uclient-fetch -O - " | + | |
| - | EOF | + | |
| - | . ./pbr.sh | + | |
| - | setup_pbr | + | |
| - | </ | + | |
| - | + | ||
| - | ===== Examples ===== | + | |
| - | ==== Route LAN to VPN with failover to WAN ==== | + | |
| - | <code bash> | + | |
| - | uci set network.lan.ip4table=" | + | |
| - | uci set network.lan.ip6table=" | + | |
| - | uci set network.wan.ip4table=" | + | |
| - | uci set network.wan6.ip6table=" | + | |
| - | uci -q delete network.lan_wan | + | |
| - | uci set network.lan_wan=" | + | |
| - | uci set network.lan_wan.lookup=" | + | |
| - | uci set network.lan_wan.priority=" | + | |
| - | uci -q delete network.lan_wan6 | + | |
| - | uci set network.lan_wan6=" | + | |
| - | uci set network.lan_wan6.lookup=" | + | |
| - | uci set network.lan_wan6.priority=" | + | |
| - | uci commit network | + | |
| - | / | + | |
| - | </ | + | |
| - | + | ||
| - | ==== Route DMZ to VPN and LAN to WAN ==== | + | |
| - | <code bash> | + | |
| - | uci set network.lan.ip4table=" | + | |
| - | uci set network.lan.ip6table=" | + | |
| - | uci set network.vpn.ip4table=" | + | |
| - | uci set network.vpn.ip6table=" | + | |
| - | uci set network.dmz.ip4table=" | + | |
| - | uci set network.dmz.ip6table=" | + | |
| - | uci -q delete network.dmz_vpn | + | |
| - | uci set network.dmz_vpn=" | + | |
| - | uci set network.dmz_vpn.in=" | + | |
| - | uci set network.dmz_vpn.lookup=" | + | |
| - | uci set network.dmz_vpn.priority=" | + | |
| - | uci -q delete network.dmz_vpn6 | + | |
| - | uci set network.dmz_vpn6=" | + | |
| - | uci set network.dmz_vpn6.in=" | + | |
| - | uci set network.dmz_vpn6.lookup=" | + | |
| - | uci set network.dmz_vpn6.priority=" | + | |
| - | uci commit network | + | |
| - | / | + | |
| - | </ | + | |
| - | + | ||
| - | ==== Route LAN to VPN and forward HTTPS from WAN to LAN ==== | + | |
| - | <code bash> | + | |
| - | uci -q delete firewall.https_fwd | + | |
| - | uci set firewall.https_fwd=" | + | |
| - | uci set firewall.https_fwd.name=" | + | |
| - | uci set firewall.https_fwd.src=" | + | |
| - | uci set firewall.https_fwd.src_dport=" | + | |
| - | uci set firewall.https_fwd.dest_ip=" | + | |
| - | uci set firewall.https_fwd.proto=" | + | |
| - | uci set firewall.https_fwd.target=" | + | |
| - | uci -q delete firewall.https_mark | + | |
| - | uci set firewall.https_mark=" | + | |
| - | uci set firewall.https_mark.name=" | + | |
| - | uci set firewall.https_mark.src=" | + | |
| - | uci set firewall.https_mark.src_ip=" | + | |
| - | uci set firewall.https_mark.src_port=" | + | |
| - | uci set firewall.https_mark.proto=" | + | |
| - | uci set firewall.https_mark.set_mark=" | + | |
| - | uci set firewall.https_mark.target=" | + | |
| - | uci commit firewall | + | |
| - | / | + | |
| - | uci set network.lan.ip4table=" | + | |
| - | uci set network.wan.ip4table=" | + | |
| - | uci -q delete network.lan_wan | + | |
| - | uci set network.lan_wan=" | + | |
| - | uci set network.lan_wan.in=" | + | |
| - | uci set network.lan_wan.mark=" | + | |
| - | uci set network.lan_wan.lookup=" | + | |
| - | uci set network.lan_wan.priority=" | + | |
| - | uci commit network | + | |
| - | /etc/init.d/network restart | + | |
| - | </ | + | |
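Review bot: The mwan3 section on the new side stops at a single sentence (`mwan3 provides load balancing and failover`), although the introduction promises that each method comes with its own pros and cons and the "PBR with netifd" section delivers them as a bullet list; the mwan3 and PBR app sections have no matching bullets, so the comparison the page sets up is one-sided. A short list in the same style for each of those two, covering at least what the method needs beyond the built-in netifd rules and what it cannot match on, would make the three sections parallel. None of the three sections says what happens to selected traffic when its interface is down — whether it is rerouted to another interface or dropped — which is the difference that matters for the split-tunneling and VPN client/server scenarios listed under the PBR app, and which the old page addressed only by example ("Route LAN to VPN with failover to WAN"). A one-line bullet per method stating its failure behaviour, written to that method's actual semantics, e.g. `* When the selected interface is down, traffic is <dropped | routed via the next matching table> unless a firewall rule prevents it.`, would let a reader pick the method that fails the way they need.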