Configure policy-based routing (PBR)

For a standard router, when it receives a packet, it decides where to forward it based on the destination address in the packet. It looks up its routing table (statically configured or learnt through dynamic routing protocols, eg. OSPF/BGP), chooses the most specific matching route (the default route is used only if nothing else matches), and takes the nexthop gateway address from the chosen route entry. That is how mbox works as well in most situations.

But in certain complex scenarios we need to forward packets based on the source address or even the application. That is where Policy-Based Routing (PBR) comes in. PBR can also forward packets based on packet size, payload protocol, or other information available in the packet header or payload. This permits packets originating from different sources to be routed to different networks or next-hops even when their destinations are the same. PBR is very useful when interconnecting several private networks, sharing multiple upstream ISP links, or steering traffic for special purposes (eg. redirecting it to external proxies, firewalls or caching engines).

mbox supports PBR based on the following packet information (used to decide where matching packets are forwarded):

  • source address
  • application (protocol and port number), identified by the fwmark number set by a firewall-set rule
  • TOS value

CONFIG NOTES

  • PBR happens at the inbound interface when a packet enters it, so "ip pbr policy ..." must always match packets as they enter the interface (therefore use firewall-set inbound to mark packets, or match by source with "ip pbr policy xx src ...").
  • When configuring PBR on an HSG (with hotspot service running), note the following:
    • We must use firewall-set to mark the interesting packets and apply the fwmark in the PBR policy. Do not use "ip pbr policy xx src y.y.y.y" to match by source IP address: because of the order of operations between the hotspot and PBR processes, the packets will not match such a rule.
    • When configuring firewall-set to match packets, we must mark at the inbound interface. Because the hotspot service creates dynamic tunnel interfaces and we cannot know the tunnel number in advance, use tun+ as the inbound interface and narrow the match to a particular VLAN/network with the "src" option of firewall-set.
  • If the nexthop exit interface is a physical/VLAN interface, we must specify the nexthop IP, optionally together with the interface, eg. ip pbr route 10 0.0.0.0/0 nexthop 192.168.1.1 interface eth0 (the interface eth0 is optional, but the nexthop 192.168.1.1 is a MUST).
  • If the nexthop exit interface is an LTE interface (eg. lte0), where we don't know the exact nexthop IP, use the interface itself as the nexthop, eg. ip pbr route 10 0.0.0.0/0 nexthop lte0

CONFIGURATION STEPS

  1. Configure a PBR policy (ip pbr policy xx) to define the target packets for PBR
  2. Configure PBR routes (ip pbr route xx x.x.x.x/y nexthop ...) to define how/where the targeted packets are forwarded instead of using the default routing table
  3. Configure firewall-access and firewall-snat rules on each exit interface to permit Internet access

CONFIGURATION EXAMPLE - Based on source

In this example, we want to achieve the following:

  1. clients from 172.16.30.0/24 will go out from ISP1 link for Internet access
  2. clients from 172.16.40.0/24 will go out from ISP2 link for Internet access
!
interface eth0
 enable
 ip address 172.16.10.2/24
!
interface eth1
 enable
 ip address 172.16.20.2/24
!
interface eth2
 enable
 ip address 172.16.30.1/24
!
interface eth3
 enable
 ip address 172.16.40.1/24
!
ip default-gateway 172.16.10.1
!
firewall-access 10 permit outbound eth0
firewall-access 10 permit outbound eth1
!
firewall-snat 10 overload outbound eth0
firewall-snat 10 overload outbound eth1
!
!define policy ID to match packets by source subnets
ip pbr policy 10 src 172.16.30.0/24
ip pbr policy 20 src 172.16.40.0/24
!
!apply specific forwarding/routing rule based on pre-defined policy ID
ip pbr route 10 0.0.0.0/0 nexthop 172.16.10.1
ip pbr route 20 0.0.0.0/0 nexthop 172.16.20.1
!

CONFIGURATION EXAMPLE - Based on Applications

In this example, we want to achieve the following:

  • HTTP (TCP/80) access will go out from ISP1 link
  • HTTPS (TCP/443 and UDP/443) access will go out from ISP2 link
!
interface eth0
 enable
 ip address 172.16.10.2/24
!
interface eth1
 enable
 ip address 172.16.20.2/24
!
interface eth2
 enable
 ip address 172.16.30.1/24
!
interface eth3
 enable
 ip address 172.16.40.1/24
!
ip default-gateway 172.16.10.1
!
firewall-access 10 permit outbound eth0
firewall-access 10 permit outbound eth1
!
firewall-snat 10 overload outbound eth0
firewall-snat 10 overload outbound eth1
!
!use firewall to mark the interesting packets at "inbound" interfaces
!(use the same Mark NO. for packets belonging to the same policy)
firewall-set 10 mark 100 inbound eth2 tcp dport 80
firewall-set 11 mark 100 inbound eth3 tcp dport 80
firewall-set 21 mark 200 inbound eth2 tcp dport 443
firewall-set 22 mark 200 inbound eth2 udp dport 443
firewall-set 31 mark 200 inbound eth3 tcp dport 443
firewall-set 32 mark 200 inbound eth3 udp dport 443
!
!define policy ID to match packets by fwmark Mark NO.
ip pbr policy 10 fwmark 100
ip pbr policy 20 fwmark 200
!
!apply specific forwarding/routing rule based on policy ID
ip pbr route 10 0.0.0.0/0 nexthop 172.16.10.1
ip pbr route 20 0.0.0.0/0 nexthop 172.16.20.1
!
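To make the evaluation order behind the two examples above concrete (mark at the inbound interface, match a policy, consult the policy's PBR route before the ordinary destination-based table), here is an added Python model of that pipeline. It is example code written for this page, not mbox code: the class names (Router, MarkRule, Policy), the sample packets, and the assumption that policies are tried in ascending ID order with the first match winning are all mine; the policy, fwmark and route values are the ones from the two configuration examples.

```python
"""Toy model of mbox-style PBR (added example, not mbox code).

Per packet, in this order:
  1. firewall-set rules mark the packet at its INBOUND interface (fwmark)
  2. ip pbr policy entries select packets by src / fwmark / tos
  3. the matching policy's ip pbr route table is consulted first; otherwise
     the ordinary destination-based table (longest prefix match) is used
Ascending-ID, first-match policy evaluation is an assumption of this model.
"""
import ipaddress
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Optional


@dataclass
class Packet:
    inbound: str        # interface the packet entered on, e.g. "eth2" or "tun3"
    src: str
    dst: str
    proto: str = "tcp"
    dport: int = 0
    tos: int = 0
    mark: int = 0       # fwmark, written by MarkRule


@dataclass
class MarkRule:
    """firewall-set N mark M inbound IFACE [src NET] [tcp|udp dport P]"""
    mark: int
    inbound: str                   # exact name, or "tun+" = any interface named tun*
    src: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        if not fnmatchcase(p.inbound, self.inbound.replace("+", "*")):
            return False
        if self.src and ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src):
            return False
        if self.proto and p.proto != self.proto:
            return False
        return self.dport is None or p.dport == self.dport


@dataclass
class Policy:
    """ip pbr policy ID {src NET | fwmark M | tos T}"""
    src: Optional[str] = None
    fwmark: Optional[int] = None
    tos: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        if self.src and ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src):
            return False
        if self.fwmark is not None and p.mark != self.fwmark:
            return False
        return self.tos is None or p.tos == self.tos


def longest_prefix(table, dst):
    """Ordinary routing: the most specific matching prefix wins; None if no route."""
    addr = ipaddress.ip_address(dst)
    hits = [(net, nh) for net, nh in table if addr in net]
    return max(hits, key=lambda e: e[0].prefixlen)[1] if hits else None


class Router:
    def __init__(self, main):
        self.main = [(ipaddress.ip_network(n), nh) for n, nh in main]
        self.mark_rules = []     # rule-number order; a later match overwrites the mark
        self.policies = {}       # policy id -> Policy
        self.pbr_routes = {}     # policy id -> [(network, nexthop)]

    def pbr_route(self, pid, net, nexthop):
        self.pbr_routes.setdefault(pid, []).append((ipaddress.ip_network(net), nexthop))

    def next_hop(self, p: Packet):
        for r in self.mark_rules:          # step 1: mark at the inbound interface
            if r.matches(p):
                p.mark = r.mark
        for pid in sorted(self.policies):  # step 2: policy lookup (assumed order)
            if self.policies[pid].matches(p):
                nh = longest_prefix(self.pbr_routes.get(pid, []), p.dst)
                if nh is not None:         # step 3: the policy's route table wins
                    return nh
        return longest_prefix(self.main, p.dst)


# Main table: ip default-gateway 172.16.10.1 plus the two connected client LANs
MAIN = [("0.0.0.0/0", "172.16.10.1"), ("172.16.30.0/24", "eth2"), ("172.16.40.0/24", "eth3")]


def source_based_router():
    """CONFIGURATION EXAMPLE - Based on source."""
    r = Router(MAIN)
    r.policies[10] = Policy(src="172.16.30.0/24")
    r.policies[20] = Policy(src="172.16.40.0/24")
    r.pbr_route(10, "0.0.0.0/0", "172.16.10.1")   # ISP1
    r.pbr_route(20, "0.0.0.0/0", "172.16.20.1")   # ISP2
    return r


def app_based_router():
    """CONFIGURATION EXAMPLE - Based on Applications."""
    r = Router(MAIN)
    for lan in ("eth2", "eth3"):               # firewall-set 10/11, 21/31, 22/32
        r.mark_rules += [MarkRule(100, lan, proto="tcp", dport=80),
                         MarkRule(200, lan, proto="tcp", dport=443),
                         MarkRule(200, lan, proto="udp", dport=443)]
    r.policies[10] = Policy(fwmark=100)
    r.policies[20] = Policy(fwmark=200)
    r.pbr_route(10, "0.0.0.0/0", "172.16.10.1")
    r.pbr_route(20, "0.0.0.0/0", "172.16.20.1")
    return r


if __name__ == "__main__":
    r = app_based_router()       # constructed packets, not captured traffic
    for pkt in (Packet("eth2", "172.16.30.5", "1.1.1.1", "tcp", 80),
                Packet("eth3", "172.16.40.5", "1.1.1.1", "udp", 443),
                Packet("eth2", "172.16.30.5", "1.1.1.1", "tcp", 22)):
        print(pkt.inbound, pkt.proto, pkt.dport, "->", r.next_hop(pkt))
```

Two things the model makes visible that are worth checking on a real unit with tcpdump: a packet that enters on an interface with no firewall-set rule (eth0 in the application example) never gets a mark, so it falls through to the default gateway; and a 0.0.0.0/0 PBR route catches traffic between the two client LANs too, since the policy table is consulted before the connected routes in the main table.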

TROUBLESHOOTING COMMANDS

show ip pbr policy
show ip pbr route xx
use tcpdump to verify at the exit interface

CONFIG EXAMPLE ON HOTSPOT GATEWAY

!match inbound traffic on tun+, use src to narrow down restrictions
firewall-set 10 mark 10 inbound tun+ src 172.16.1.0/24
firewall-set 20 mark 20 inbound tun+ src 172.16.10.0/24
!
!define pbr policy by fwmark
ip pbr policy 10 fwmark 10
ip pbr policy 20 fwmark 20
!
ip pbr route 10 0.0.0.0/0 nexthop 192.168.1.1 interface eth0
ip pbr route 20 0.0.0.0/0 nexthop 192.168.2.1 interface eth1
!
security hotspot eth2
 hotspot-wan eth0
 hotspot-server 172.16.1.1 ports 5001 5002
 client-network 172.16.1.0 255.255.255.0
 client-dhcp 172.16.1.20 255.255.255.0 lease 86400
 client-dhcp-dns 8.8.8.8 8.8.4.4
 hotspot-access 10 permit ip
 allowed-domain ransnet.com
 allowed-url mbox.ransnet.com
 radius-server localhost testing123
 hotspot-online-page DEF-Tos
 start
!
security hotspot eth3
 hotspot-wan eth1
 hotspot-server 172.16.10.1 ports 5011 5012
 client-network 172.16.10.0 255.255.255.0
 client-dhcp 172.16.10.20 255.255.255.0 lease 86400
 client-dhcp-dns 8.8.8.8 8.8.4.4
 hotspot-access 10 permit ip
 allowed-domain ransnet.com
 allowed-url mbox.ransnet.com
 radius-server localhost testing123
 hotspot-online-page DEF-Tos
 start
!

Attached is a complete working configuration.