EdgeRouter - Policy-Based Routing


Overview


Readers will learn how to configure Policy-Based Routing (PBR) on an EdgeRouter based on source IP addresses.

NOTES & REQUIREMENTS:
Applicable to the latest EdgeOS firmware on all EdgeRouter models. Knowledge of the Command Line Interface (CLI) and basic networking knowledge is required. Please see the Related Articles below for more information.

Table of Contents


  1. Network Diagram
  2. Policy-Based Routing
  3. Related Articles

Network Diagram


Back to Top

The network topology is shown below and the following interfaces are in use on the EdgeRouter:

  • eth0 (WAN1) - 203.0.113.1
  • eth2 (WAN2) - 192.0.2.1
  • eth1.10 (VLAN10) - 10.0.10.1/24
  • eth1.20 (VLAN20) - 10.0.20.1/24

topology.png

In this example, traffic from hosts on VLAN10 will be forwarded to ISP1 (via eth0) and traffic from hosts on VLAN20 will be forwarded to ISP2 (via eth2).


Policy-Based Routing


Back to Top

For the purpose of this article, it is assumed that the interface configurations are already in place and that reachability through both ISPs has been tested. Policy-Based Routing (PBR) in EdgeOS works by matching traffic with a firewall "modify" ruleset and directing the matched traffic to a separate routing table; unmatched traffic, and traffic whose table holds no usable route, is looked up in the main table. The routing tables that will be used are:

  • table 11 - The routing table used by hosts in VLAN10.
  • table 12 - The routing table used by hosts in VLAN20.
  • main - The main routing table used by the EdgeRouter itself and by interfaces that do not use PBR.

CLI: Access the command line interface (CLI). You can do this using the CLI button in the GUI or by using a program such as PuTTY.

1. Enter configuration mode.

configure

2. Make sure that two default routes are added to the main routing table.

set protocols static route 0.0.0.0/0 next-hop 203.0.113.2
set protocols static route 0.0.0.0/0 next-hop 192.0.2.2

NOTE: This step is necessary so that hosts can fall back to the main routing table. When an ISP link goes down, the static default route that points at it is withdrawn from that PBR table; the lookup then falls through to the main table, which still holds a default route via the other ISP.

3. Add a default route to routing table 11 and to routing table 12.

set protocols static table 11 route 0.0.0.0/0 next-hop 203.0.113.2
set protocols static table 12 route 0.0.0.0/0 next-hop 192.0.2.2

NOTE: When using a point-to-point interface (for example, PPPoE or OpenVPN), you can add an interface-route instead of using the commands above:

set protocols static table <table-number> interface-route 0.0.0.0/0 next-hop-interface <interface-id>

4. Exclude the inter-VLAN traffic (between VLAN10 and VLAN20) from PBR.

set firewall group network-group vlans network 10.0.10.0/24
set firewall group network-group vlans network 10.0.20.0/24

set firewall modify PBR_policy rule 10 description inter-vlan
set firewall modify PBR_policy rule 10 destination group network-group vlans
set firewall modify PBR_policy rule 10 modify table main

NOTE: This step is necessary to allow the VLAN10 hosts to communicate with the VLAN20 hosts using the main routing table. Rules in a modify ruleset are evaluated in ascending rule-number order, so this exclusion must keep a lower rule number than the per-VLAN rules added in the next step; otherwise inter-VLAN traffic would match the source-address rules first and be sent out to an ISP.

5. Add rules to the "PBR_policy" modify ruleset that match on the source address ranges and place the traffic into each routing table.

set firewall modify PBR_policy rule 20 description vlan10
set firewall modify PBR_policy rule 20 source address 10.0.10.0/24
set firewall modify PBR_policy rule 20 modify table 11

set firewall modify PBR_policy rule 30 description vlan20
set firewall modify PBR_policy rule 30 source address 10.0.20.0/24
set firewall modify PBR_policy rule 30 modify table 12

6. Apply the modify ruleset in the inbound direction on the eth1 VLAN/VIF interfaces, so that it is evaluated on traffic entering the router from each VLAN.

set interfaces ethernet eth1 vif 10 firewall in modify PBR_policy
set interfaces ethernet eth1 vif 20 firewall in modify PBR_policy

7. Commit the changes and save the configuration.

commit ; save

Use the following operational mode commands to verify the routing tables and firewall statistics:

show ip route
show ip route table 11
show ip route table 12
show firewall modify PBR_policy statistics

Related Articles


Back to Top

EdgeRouter - WAN Load-Balancing

Intro to Networking - How to Establish a Connection Using SSH
