Readers will learn how to configure Policy-Based Routing (PBR) on an EdgeRouter based on source IP addresses.
NOTES & REQUIREMENTS:
Applicable to the latest EdgeOS firmware on all EdgeRouter models. Knowledge of the Command Line Interface (CLI) and basic networking knowledge is required. Please see the Related Articles below for more information.
The network topology is shown below and the following interfaces are in use on the EdgeRouter:
- eth0 (WAN1) - 203.0.113.1
- eth2 (WAN2) - 192.0.2.1
- eth1.10 (VLAN10) - 10.0.10.1/24
- eth1.20 (VLAN20) - 10.0.20.1/24
In this example, the traffic from the hosts on VLAN10 will be forwarded to ISP1 and the traffic from VLAN20 will be forwarded to ISP.
For the purpose of this article, it is assumed that the interface configurations are already in place and that reachability has been tested. Policy-Based Routing (PBR) in EdgeOS works by matching traffic using firewall policies and forwarding it using different routing tables. The routing tables that will be used are:
- table 11 - The routing table used by hosts in VLAN10.
- table 12 - The routing table used by hosts in VLAN20.
- main - The main routing table used by the EdgeRouter itself and by other interfaces that do not use PBR.
CLI: Access the command line interface (CLI). You can do this using the CLI button in the GUI or by using a program such as PuTTY.
1. Enter configuration mode.
2. Make sure that two default routes are added to the main routing table.
set protocols static route 0.0.0.0/0 next-hop 203.0.113.2
set protocols static route 0.0.0.0/0 next-hop 192.0.2.2
NOTE: This step is necessary to allow hosts to fall back to using the
3. Add two default routes for routing table 11 and
set protocols static table 11 route 0.0.0.0/0 next-hop 203.0.113.2
set protocols static table 12 route 0.0.0.0/0 next-hop 192.0.2.2
4. (Optional) Exclude the inter-VLAN traffic (between VLAN10 and VLAN20) from PBR.
set firewall group network-group vlans network 10.0.10.0/24
set firewall group network-group vlans network 10.0.20.0/24
set firewall modify policy rule 10 description inter-vlan
set firewall modify policy rule 10 destination group network-group vlans
set firewall modify policy rule 10 modify table main
NOTE: This step is necessary to allow the VLAN10 hosts to communicate with the VLAN20 hosts using the
5. Create the firewall policy that matches on the IP address ranges and places the traffic into each routing table.
set firewall modify policy rule 20 description vlan10
set firewall modify policy rule 20 source address 10.0.10.0/24
set firewall modify policy rule 20 modify table 11
set firewall modify policy rule 30 description vlan20
set firewall modify policy rule 30 source address 10.0.20.0/24
set firewall modify policy rule 30 modify table 12
6. Apply the firewall policies in the inbound direction on the eth1 VLAN/VIF interfaces.
set interfaces ethernet eth1 vif 10 firewall in modify policy
set interfaces ethernet eth1 vif 20 firewall in modify policy
7. Commit the changes and save the configuration.
commit ; save
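To reason about what the configuration above actually does to a packet, here is an added Python model of EdgeOS PBR behaviour (written for this article, not Ubiquiti's code): modify rules are evaluated in ascending rule-number order with the first match choosing the table, the destination is looked up in that table by longest-prefix match, and a marked table with no matching route falls through to main, which is why step 2 keeps default routes there. The rule, group and table contents are constructed from steps 2 to 5; the "broken" case in the test models table 12 losing its default route.

```python
import ipaddress

# Constructed model of the article's PBR configuration (not EdgeOS code).
# Modify-policy rules are evaluated in ascending rule-number order; the first
# match sets the routing table (rule 10 matches on destination group only).
RULES = [
    (10, None, "vlans", "main"),        # inter-vlan -> main
    (20, "10.0.10.0/24", None, "11"),   # vlan10 -> table 11
    (30, "10.0.20.0/24", None, "12"),   # vlan20 -> table 12
]
GROUPS = {"vlans": ["10.0.10.0/24", "10.0.20.0/24"]}
# Routing tables: prefix -> next-hops (connected routes shown as egress interface).
TABLES = {
    "main": {"0.0.0.0/0": ["203.0.113.2", "192.0.2.2"],
             "10.0.10.0/24": ["eth1.10"], "10.0.20.0/24": ["eth1.20"]},
    "11": {"0.0.0.0/0": ["203.0.113.2"]},
    "12": {"0.0.0.0/0": ["192.0.2.2"]},
}

def _in(addr, prefix):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(prefix)

def select_table(src, dst, rules=RULES, groups=GROUPS):
    """Return the routing table chosen by the first matching modify rule."""
    for _num, src_net, dst_group, table in sorted(rules, key=lambda r: r[0]):
        src_ok = src_net is None or _in(src, src_net)
        dst_ok = dst_group is None or any(_in(dst, n) for n in groups[dst_group])
        if src_ok and dst_ok:
            return table
    return "main"  # no rule matched: unmarked traffic uses main

def lookup(table, dst, tables=TABLES):
    """Longest-prefix match in one table; None if the table has no route."""
    best = None
    for prefix, hops in tables[table].items():
        net = ipaddress.ip_network(prefix)
        if _in(dst, prefix) and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hops)
    return best[1] if best else None

def forward(src, dst, rules=RULES, tables=TABLES):
    """Simulate PBR: pick the table, look up dst, and fall back to main when
    the marked table has no route (the reason step 2 keeps defaults in main)."""
    table = select_table(src, dst, rules)
    hops = lookup(table, dst, tables)
    if hops is None and table != "main":
        table, hops = "main", lookup("main", dst, tables)
    return table, hops
```

Note that the fallback means VLAN20 traffic can egress via ISP1 once table 12 is empty, so if strict per-ISP separation matters, watch the per-table routes with the show commands below rather than relying on the fallback.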
Use the following operational mode commands to verify the routing tables and firewall statistics:
show ip route
show ip route table 11
show ip route table 12
show firewall modify policy statistics