Configure policy-based routing (PBR)

For a standard router, when it receives a packet it decides where to forward it based on the destination address in the packet. It looks up its routing table (statically configured or learnt through dynamic routing protocols, e.g. OSPF/BGP), chooses the most specific matching route (the default route is used if no route matches), and derives the nexthop gateway address from the chosen route entry. That is how mbox works as well in most situations.

But in certain complex scenarios, we need to forward packets based on source addresses or even applications. That is where Policy-Based Routing (PBR) comes in. PBR can also forward packets based on the size of the packet, the protocol of the payload, or other information available in the packet header or payload. This permits routing packets originating from different sources to different networks or next-hops even when the destinations are the same. PBR is very useful when interconnecting several private networks, sharing multiple upstream ISP links, or directing traffic for special purposes (e.g. redirecting it to external proxies, firewalls or caching engines).

mbox supports PBR based on the packet information listed below (used to decide where to forward matching packets):

CONFIG NOTES

CONFIGURATION STEPS

CONFIGURATION EXAMPLE - Based on source

In this example, we are trying to achieve the following objectives:

!
interface eth0
 enable
 ip address 172.16.10.2/24
!
interface eth1
 enable
 ip address 172.16.20.2/24
!
interface eth2
 enable
 ip address 172.16.30.1/24
!
interface eth3
 enable
 ip address 172.16.40.1/24
!
ip default-gateway 172.16.10.1
!
firewall-access 10 permit outbound eth0
firewall-access 10 permit outbound eth1
!
firewall-snat 10 overload outbound eth0
firewall-snat 10 overload outbound eth1
!
!define policy ID to match packets by source subnets
ip pbr policy 10 src 172.16.30.0/24
ip pbr policy 20 src 172.16.40.0/24
!
!apply specific forwarding/routing rule based on pre-defined policy ID
ip pbr route 10 0.0.0.0/0 nexthop 172.16.10.1
ip pbr route 20 0.0.0.0/0 nexthop 172.16.20.1
!

CONFIGURATION EXAMPLE - Based on Applications

In this example, we are trying to achieve the following objectives:

!
interface eth0
 enable
 ip address 172.16.10.2/24
!
interface eth1
 enable
 ip address 172.16.20.2/24
!
interface eth2
 enable
 ip address 172.16.30.1/24
!
interface eth3
 enable
 ip address 172.16.40.1/24
!
ip default-gateway 172.16.10.1
!
firewall-access 10 permit outbound eth0
firewall-access 10 permit outbound eth1
!
firewall-snat 10 overload outbound eth0
firewall-snat 10 overload outbound eth1
!
!use firewall to mark the interesting packets at "inbound" interfaces
!(use the same Mark NO. for packets belonging to the same policy)
firewall-set 10 mark 100 inbound eth2 tcp dport 80
firewall-set 11 mark 100 inbound eth3 tcp dport 80
firewall-set 21 mark 200 inbound eth2 tcp dport 443
firewall-set 22 mark 200 inbound eth2 udp dport 443
firewall-set 31 mark 200 inbound eth3 tcp dport 443
firewall-set 32 mark 200 inbound eth3 udp dport 443
!
!define policy ID to match packets by fwmark Mark NO.
ip pbr policy 10 fwmark 100
ip pbr policy 20 fwmark 200
!
!apply specific forwarding/routing rule based on policy ID
ip pbr route 10 0.0.0.0/0 nexthop 172.16.10.1
ip pbr route 20 0.0.0.0/0 nexthop 172.16.20.1
!

TROUBLESHOOTING COMMANDS

show ip pbr policy
show ip pbr route xx
Use tcpdump on the exit interface to verify that the traffic leaves via the intended nexthop.

CONFIG EXAMPLE ON HOTSPOT GATEWAY


!match inbound traffic on tun+, use src to narrow down restrictions
firewall-set 10 mark 10 inbound tun+ src 172.16.1.0/24
firewall-set 20 mark 20 inbound tun+ src 172.16.10.0/24
!
!define pbr policy by fwmark
ip pbr policy 10 fwmark 10
ip pbr policy 20 fwmark 20
!
ip pbr route 10 0.0.0.0/0 nexthop 192.168.1.1 interface eth0
ip pbr route 20 0.0.0.0/0 nexthop 192.168.2.1 interface eth1
!
security hotspot eth2
 hotspot-wan eth0
 hotspot-server 172.16.1.1 ports 5001 5002
 client-network 172.16.1.0 255.255.255.0
 client-dhcp 172.16.1.20 255.255.255.0 lease 86400
 client-dhcp-dns 8.8.8.8 8.8.4.4
 hotspot-access 10 permit ip
 allowed-domain ransnet.com
 allowed-url mbox.ransnet.com
 radius-server localhost testing123
 hotspot-online-page DEF-Tos
 start
!
security hotspot eth3
 hotspot-wan eth1
 hotspot-server 172.16.10.1 ports 5011 5012
 client-network 172.16.10.0 255.255.255.0
 client-dhcp 172.16.10.20 255.255.255.0 lease 86400
 client-dhcp-dns 8.8.8.8 8.8.4.4
 hotspot-access 10 permit ip
 allowed-domain ransnet.com
 allowed-url mbox.ransnet.com
 radius-server localhost testing123
 hotspot-online-page DEF-Tos
 start
!
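To make the policy evaluation in the source-based, application-based and hotspot examples above concrete, here is an added Python simulator (written for this page, not mbox code) that parses firewall-set, ip pbr policy and ip pbr route lines in the syntax shown and reports which nexthop a given packet would take. It assumes that the first matching firewall-set rule assigns the mark, that policies are tried in ascending policy-ID order, and that a trailing "+" in an interface name is a wildcard as in the hotspot example; the config excerpt is constructed for illustration.

```python
from ipaddress import ip_address, ip_network
# Constructed config excerpt in the page's syntax (not a real deployment).
CONFIG = """
firewall-set 21 mark 200 inbound eth2 tcp dport 443
firewall-set 40 mark 10 inbound tun+ src 172.16.1.0/24
ip pbr policy 20 fwmark 200
ip pbr policy 30 fwmark 10
ip pbr policy 40 src 172.16.40.0/24
ip pbr route 20 0.0.0.0/0 nexthop 172.16.20.1
ip pbr route 30 0.0.0.0/0 nexthop 192.168.1.1
ip pbr route 40 0.0.0.0/0 nexthop 172.16.20.1
ip pbr route 40 10.0.0.0/8 nexthop 172.16.10.1
"""
DEFAULT_GW = "172.16.10.1"   # mirrors the page's "ip default-gateway"

def iface_match(pattern, iface):
    # "tun+" matches tun0, tun1, ... (assumed iptables-style wildcard suffix)
    return iface == pattern or (pattern.endswith("+") and iface.startswith(pattern[:-1]))

def parse(config):
    marks, policies, routes = [], [], []
    for line in config.splitlines():
        f = line.split()
        if not f or f[0].startswith("!"):    # "!" lines are comments/separators
            continue
        if f[0] == "firewall-set":   # firewall-set N mark M inbound IF [tcp|udp] key val ...
            rest = f[6:]
            proto = rest.pop(0) if rest and rest[0] in ("tcp", "udp") else None
            marks.append((int(f[3]), f[5], proto, dict(zip(rest[::2], rest[1::2]))))
        elif f[:3] == ["ip", "pbr", "policy"]:   # ip pbr policy ID (src CIDR | fwmark M)
            policies.append((int(f[3]), f[4], f[5]))
        elif f[:3] == ["ip", "pbr", "route"]:    # ip pbr route ID PREFIX nexthop GW
            routes.append((int(f[3]), ip_network(f[4]), f[6]))
    return marks, policies, routes

def fwmark_for(pkt, marks):
    src = ip_address(pkt["src"])
    for mark, iface, proto, cond in marks:       # first matching firewall-set wins
        if (iface_match(iface, pkt["iface"]) and (proto is None or proto == pkt["proto"])
                and ("dport" not in cond or int(cond["dport"]) == pkt["dport"])
                and ("src" not in cond or src in ip_network(cond["src"]))):
            return mark
    return 0

def nexthop_for(pkt, config=CONFIG, default_gw=DEFAULT_GW):
    marks, policies, routes = parse(config)
    mark, src, dst = fwmark_for(pkt, marks), ip_address(pkt["src"]), ip_address(pkt["dst"])
    for pid, kind, val in sorted(policies):   # assumed: lowest policy ID is checked first
        if (kind == "fwmark" and int(val) == mark) or (kind == "src" and src in ip_network(val)):
            hits = [(net.prefixlen, gw) for rid, net, gw in routes if rid == pid and dst in net]
            if hits:
                return max(hits)[1]          # longest-prefix match within that policy
    return default_gw                        # no policy matched: ordinary routing applies
```

Feeding the simulator a packet that matches no policy returns the default gateway, which is exactly the case "show ip pbr policy" and a tcpdump on the exit interface would confirm on a real mbox.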

Attached is a complete working configuration.