Readers will learn how to configure Policy-Based Routing (PBR) on an EdgeRouter.
NOTES & REQUIREMENTS:
Applicable to the latest EdgeOS firmware on all EdgeRouter models. Knowledge of the Command Line Interface (CLI) and basic networking knowledge is required. Please see the Related Articles below for more information.
Device used in this article:
Configuring Policy-Based Routing (PBR)
Using PBR, the traffic from the hosts on VLAN10 will be forwarded to ISP1 and the traffic from VLAN20 will be forwarded to ISP2.
Policy-Based Routing (PBR) in EdgeOS works by matching source IP address ranges using firewall rules and forwarding the traffic using different routing tables. The routing tables that will be used in this example are:
table 11The routing table used by hosts in VLAN10.
table 12The routing table used by hosts in VLAN20.
mainThe main routing table used by the EdgeRouter itself and other interfaces that do not use PBR.
CLI: Access the Command Line Interface. You can do this using the CLI button in the GUI or by using a program such as PuTTY.
1. Enter configuration mode.
2. Make sure that two default routes are added to the main routing table.
set protocols static route 0.0.0.0/0 next-hop 203.0.113.2
set protocols static route 0.0.0.0/0 next-hop 192.0.2.2
NOTE: This step is necessary to allow hosts to use the main routing table in case one of the ISPs is down.
3. Add two default routes for routing table 11 and table 12.
set protocols static table 11 route 0.0.0.0/0 next-hop 203.0.113.2
set protocols static table 12 route 0.0.0.0/0 next-hop 192.0.2.2
NOTE: When using a point-to-point interface (PPPoE or OpenVPN, for example), you can also use an interface-route instead:
4. Exclude the Inter-VLAN traffic (between VLAN10 and VLAN20) from PBR.
set firewall group network-group vlans network 10.0.10.0/24
set firewall group network-group vlans network 10.0.20.0/24
set firewall modify PBR rule 10 description inter-vlan
set firewall modify PBR rule 10 destination group network-group vlans
set firewall modify PBR rule 10 modify table main
NOTE: This step allows the VLAN10 and VLAN20 hosts to communicate with each other using the main routing table.
5. Create the modify firewall policy that matches on the VLAN source IP address ranges.
set firewall modify PBR rule 20 description vlan10
set firewall modify PBR rule 20 source address 10.0.10.0/24
set firewall modify PBR rule 20 modify table 11
set firewall modify PBR rule 30 description vlan20
set firewall modify PBR rule 30 source address 10.0.20.0/24
set firewall modify PBR rule 30 modify table 12
6. Apply the firewall policy in the inbound/in direction on the eth2 VLAN interfaces.
set interfaces ethernet eth2 vif 10 firewall in modify PBR
set interfaces ethernet eth2 vif 20 firewall in modify PBR
7. Commit the changes and save the configuration.
commit ; save
You can use the following operational mode commands to verify the routing tables and firewall statistics:
show ip route
show ip route table 11
show ip route table 12
show firewall modify PBR statistics