EdgeRouter - Policy-based routing for destination port

Overview

Readers will learn how to configure policy-based routing (PBR) based on destination port or address.

The Policy-Based Routing example at Edge OS Policy Based Routing demonstrates a source-based policy, where the routing table is chosen by the source address of the packet. On this wiki page we use PBR to make the routing decision based on the destination port instead.


[Image: PBR2.png] Sample network diagram for configuring PBR according to destination.


In the diagram above there are two WAN connections, labelled ISP-1 and ISP-2:

  1. ISP-1 on eth0 192.0.2.0/24
  2. ISP-2 on eth1 203.0.113.0/24


On the LAN side:

  1. eth2 172.16.0.0/24

For this example we want TCP traffic to destination ports 80 and 443 to go out via ISP-1, and all other traffic to use ISP-2.

Routing tables

We're using the same routing tables as in Edge OS Policy Based Routing: the "main" routing table has a default route to both ISPs, table 1 only has a route to ISP-1, and table 2 only has a route to ISP-2:

ubnt@PBR# show protocols static 
 route 0.0.0.0/0 {
     next-hop 192.0.2.1 {
     }
     next-hop 203.0.113.1 {
     }
 }
 table 1 {
     route 0.0.0.0/0 {
         next-hop 192.0.2.1 {
         }
     }
 }
 table 2 {
     route 0.0.0.0/0 {
         next-hop 203.0.113.1 {
         }
     }
 }

Destination Based Policy

firewall {
    modify DEST_PORT_ROUTE {
        rule 1 {
            action modify
            description "use table 1 to route for ports 80 & 443"
            destination {
                port 80,443
            }
            modify {
                table 1
            }
            protocol tcp
        }
        rule 2 {
            action modify
            description "use table 2 to route for everything else"
            modify {
                table 2
            }
        }
    }
}

Apply to Interface

ubnt@PBR# show interfaces ethernet eth2
 address 172.16.0.1/24
 duplex auto
 firewall {
     in {
         modify DEST_PORT_ROUTE
     }
 }
 speed auto
[edit]
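To preview what the rule set above will do to a given LAN flow before you commit it, here is a small Python evaluator added for this page (it is not part of the wiki or of EdgeOS): it parses the DEST_PORT_ROUTE block into rules and applies them in order, first match wins, which is the ordering the catch-all rule 2 relies on. The copy of the rule set inside it is constructed from the config above with the action and description lines left out, since they do not affect matching.

```python
# Added example (not from the wiki page or EdgeOS): parse the DEST_PORT_ROUTE
# rule set and apply it, first match wins, to LAN flows before committing it.
CONFIG = """
modify DEST_PORT_ROUTE {
    rule 1 {
        destination {
            port 80,443
        }
        modify {
            table 1
        }
        protocol tcp
    }
    rule 2 {
        modify {
            table 2
        }
    }
}
"""  # constructed copy of the page's rule set; action/description lines omitted

def parse_config(text):  # EdgeOS brace-style config text -> nested dicts
    stack = [{}]
    for line in filter(None, map(str.strip, text.splitlines())):
        if line.endswith("{"):                 # "key {" opens a nested block
            stack.append(stack[-1].setdefault(line[:-1].rstrip(), {}))
        elif line == "}":                      # end of the current block
            stack.pop()
        else:                                  # "key value" leaf
            key, _, value = line.partition(" ")
            stack[-1][key] = value.strip('"')
    return stack[0]

def port_matches(spec, port):  # spec: EdgeOS port list, e.g. "80,443" or "1024-65535"
    return any(int(lo) <= port <= int(hi or lo)
               for lo, _, hi in (p.partition("-") for p in spec.split(",")))

def choose_table(ruleset, proto, dport):
    """Routing table assigned by the first matching rule (0 = main table)."""
    for num in sorted(int(k.split()[1]) for k in ruleset if k.startswith("rule ")):
        rule = ruleset[f"rule {num}"]
        if "protocol" in rule and rule["protocol"] != proto:
            continue                           # e.g. rule 1 is TCP-only
        dst = rule.get("destination", {})
        if "port" in dst and not port_matches(dst["port"], dport):
            continue
        return int(rule["modify"]["table"])
    return 0                                   # nothing matched: main table

RULESET = parse_config(CONFIG)["modify DEST_PORT_ROUTE"]
```

Running choose_table(RULESET, "udp", 443) returns 2: because rule 1 carries `protocol tcp`, UDP traffic to port 443 (QUIC, for example) falls through to rule 2 and leaves via ISP-2. The policy is attached as `in` on eth2, so only packets entering from the LAN are classified this way.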


Example Configuration

firewall {
    modify DEST_PORT_ROUTE {
        rule 1 {
            action modify
            description "use table 1 to route for ports 80 & 443"
            destination {
                port 80,443
            }
            modify {
                table 1
            }
            protocol tcp
        }
        rule 2 {
            action modify
            description "use table 2 to route for everything else"
            modify {
                table 2
            }
        }
    }
}
interfaces {
    ethernet eth0 {
        address 192.0.2.2/24
        duplex auto
        speed auto
    }
    ethernet eth1 {
        address 203.0.113.2/24
        duplex auto
        speed auto
    }
    ethernet eth2 {
        address 172.16.0.1/24
        duplex auto
        firewall {
            in {
                modify DEST_PORT_ROUTE
            }
        }
        speed auto
    }
    loopback lo {
    }
}
protocols {
    static {
        route 0.0.0.0/0 {
            next-hop 192.0.2.1 {
            }
            next-hop 203.0.113.1 {
            }
        }
        table 1 {
            route 0.0.0.0/0 {
                next-hop 192.0.2.1 {
                }
            }
        }
        table 2 {
            route 0.0.0.0/0 {
                next-hop 203.0.113.1 {
                }
            }
        }
    }
}
service {
    dhcp-server {
        shared-network-name LAN {
            subnet 172.16.0.0/24 {
                default-router 172.16.0.1
                dns-server 8.8.8.8
                lease 86400
                start 172.16.0.10 {
                    stop 172.16.0.100
                }
            }
        }
    }
    gui {
        https-port 443
    }
    nat {
        rule 5000 {
            outbound-interface eth0
            type masquerade
        }
        rule 6000 {
            outbound-interface eth1
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
}
system {
    host-name PBR
    login {
        user ubnt {
            authentication {
                encrypted-password $1$zKNoUbAo$gomzUbYvgyUMcD436Wo66.
            }
            level admin
        }
    }
    name-server 8.8.8.8
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone UTC
}

/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "config-management@1:dhcp-relay@1:dhcp-server@4:firewall@4:ipsec@3:nat@3:qos@1:quagga@2:system@4:ubnt-pptp@1:vrrp@1:webgui@1:webproxy@1:zone-policy@1" === */
/* Release version: v1.1.0beta3.4539683.130226.1056 */
