UniFi - USG Advanced: Policy-Based Routing


Overview


This article describes how to configure policy-based routing on the UniFi Security Gateway (USG, USG-PRO-4, USG-XG-8).

NOTES & REQUIREMENTS: This article covers advanced configurations, and should only be used by advanced users. Editing the config.gateway.json file will be necessary.

Table of Contents


  1. Introduction
  2. Routing Traffic Out of WAN2 Based on the Source Network
  3. Routing Traffic Out of WAN2 Based on the Source Network, Destination Port and Protocol
  4. Routing Traffic Out of the VPN Interface (vti) Based on the Source
  5. Routing Traffic Out of WAN2 Primarily, and WAN1 on Failover Based on the Source
  6. Excluding Certain Traffic From Load-Balancing
  7. Related Articles

Introduction



Policy-based routing lets network administrators route packets according to criteria they define themselves. Policy-based routing overrides the routing table and any routes defined by IPsec.

This article covers how to configure policy routing with any of these goals in mind:

1. Route traffic out WAN2 based on the source network.
2. Route traffic out WAN2 based on the source network, destination port, and protocol.
3. Route traffic out the VPN interface (vti) based on the source.
4. Route traffic out WAN2 primarily, and WAN1 secondarily (on failover) based on the source.
5. Exclude certain traffic from load-balancing.

Policy-based routing can be configured not only by the source address, source port, source network, etc. but can also be configured based on the destination address, destination port, or protocol, among others.

NOTE: These configurations will not be persistent until they are added to the config.gateway.json file. Users should test the configuration first, verify it is working as they expect, and then proceed to edit the config.gateway.json file to make the configuration persistent through reprovisions and reboots. For help on how to create and edit the config.gateway.json see this article.

Throughout the article, the subnets below will be used in each scenario. Note that the commands are for the USG-PRO-4. The USG will use eth0 for WAN1 and eth2 for WAN2.

  • WAN1 (eth2) address: 100.64.1.5
  • WAN1 gateway: 100.64.1.1/24
  • WAN2 (eth3) address: 200.64.2.5/24
  • WAN2 gateway: 200.64.2.1/24
  • LAN1 (eth1) network: 192.168.1.0/24
  • Vlan2 (eth1.2) network: 192.168.2.0/24
  • VTI0: auto site-to-site VPN


Routing Traffic Out of WAN2 Based on the Source Network



The following example demonstrates how to route traffic sourced from the LAN1 network out WAN2.

NOTE: The LOAD_BALANCE ruleset is only present on configurations with WAN2 configured. In policy routing, it does not make a difference if it's "failover-only" or "weighted load-balance".

ATTENTION: Avoid configuring static table 1 as it could override the default route in the USG. Use table 2 or higher.

configure
set protocols static table 5 route 0.0.0.0/0 next-hop 200.64.2.1
set firewall modify LOAD_BALANCE rule 2500 action modify
set firewall modify LOAD_BALANCE rule 2500 modify table 5
set firewall modify LOAD_BALANCE rule 2500 source address 192.168.1.0/24
set firewall modify LOAD_BALANCE rule 2500 protocol all
commit;exit
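As an added example (not Ubiquiti's tooling), the script below converts tested `set` lines such as the ones above into the nested JSON that config.gateway.json expects, so the persistence step from the note in the Introduction does not have to be hand-built. It assumes config.gateway.json mirrors the Vyatta configuration tree as nested objects, with "''" marking a node that takes no value; the two lists of valueless nodes are assumptions to extend as needed.

```python
# Added example, not Ubiquiti's tooling: turn 'set ...' lines tested on the USG into
# the config.gateway.json fragment that keeps them across reprovisions. Assumption:
# the file mirrors the Vyatta config tree as nested objects, the last token of a
# 'set' line is the leaf value, and "''" marks a node that carries no value.
import json

VALUELESS_LEAVES = {"failover-only"}   # final tokens that take no value (assumption)
VALUELESS_TAG_PARENTS = {"next-hop"}   # their child is a bare tag, e.g. an address

def parse_set_line(line):
    """Return (path, value) for one 'set ...' line, or None for other CLI lines."""
    tokens = line.strip().split()
    if len(tokens) < 3 or tokens[0] != "set":
        return None                    # 'configure', 'commit;exit', blank lines
    tokens = tokens[1:]
    if tokens[-1] in VALUELESS_LEAVES or tokens[-2] in VALUELESS_TAG_PARENTS:
        return tokens, "''"
    return tokens[:-1], tokens[-1]

def build_config_tree(lines):
    """Merge many 'set' lines into one nested dict, refusing contradictory leaves."""
    tree = {}
    for line in lines:
        parsed = parse_set_line(line)
        if parsed is None:
            continue
        path, value = parsed
        node = tree
        for key in path[:-1]:
            child = node.setdefault(key, {})
            if not isinstance(child, dict):   # a leaf value already sits on this path
                raise ValueError(f"{' '.join(path)}: {key!r} already holds a value")
            node = child
        leaf = path[-1]
        if leaf in node and node[leaf] != value:
            raise ValueError(f"{' '.join(path)}: {node[leaf]!r} conflicts with {value!r}")
        node[leaf] = value
    return tree

def to_config_gateway_json(lines):
    return json.dumps(build_config_tree(lines), indent=2, sort_keys=True)

# Constructed input: the commands from the WAN2-by-source-network section above.
SAMPLE = """set protocols static table 5 route 0.0.0.0/0 next-hop 200.64.2.1
set firewall modify LOAD_BALANCE rule 2500 action modify
set firewall modify LOAD_BALANCE rule 2500 modify table 5
set firewall modify LOAD_BALANCE rule 2500 source address 192.168.1.0/24
set firewall modify LOAD_BALANCE rule 2500 protocol all
commit;exit""".splitlines()
```

On the USG, `mca-ctrl -t dump-cfg` prints the running configuration in the same JSON shape, so the generated fragment can be compared against it before it goes into config.gateway.json.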

Routing Traffic Out of WAN2 Based on the Source Network, Destination Port and Protocol



The following example demonstrates how to route traffic sourced from the VLAN2 network, and destined for TCP port 80 and 443 connections out WAN2.

configure
set protocols static table 5 route 0.0.0.0/0 next-hop 200.64.2.1
set firewall modify LOAD_BALANCE rule 2501 action modify
set firewall modify LOAD_BALANCE rule 2501 modify table 5
set firewall modify LOAD_BALANCE rule 2501 source address 192.168.2.0/24
set firewall modify LOAD_BALANCE rule 2501 destination port 80,443
set firewall modify LOAD_BALANCE rule 2501 protocol tcp
commit;exit

Routing Traffic Out of the VPN Interface (vti) Based on the Source



The following example demonstrates how to route traffic sourced from VLAN2 out vti0. A few notes:

  • This is on a WAN1-only setup; there is no LOAD_BALANCE ruleset if WAN2 is not configured. If WAN2 is configured, you can skip the set interfaces step and apply the firewall modify rules to the LOAD_BALANCE ruleset rather than to VPN_Gateway.
  • vti0 is the first numbered interface used for auto VPNs, and vti64 is the first numbered interface used for manual VPNs.

configure
set firewall modify VPN_Gateway rule 2502 action modify
set firewall modify VPN_Gateway rule 2502 modify table 5
set firewall modify VPN_Gateway rule 2502 source address 192.168.2.0/24
set firewall modify VPN_Gateway rule 2502 protocol all
set protocols static table 5 interface-route 0.0.0.0/0 next-hop-interface vti0
set interfaces ethernet eth1 vif 2 firewall in modify VPN_Gateway
commit;exit

NOTE: If you don't have multi-WAN enabled and are only using one WAN, source validation needs to be disabled by connecting to the USG via SSH and executing the following commands:

configure
set firewall source-validation disable
commit;exit
clear connection-tracking

Source validation is set to strict by default when multi-WAN isn't enabled. In strict mode, if a packet arrives on an interface that the default route does not point out of (for example, a packet sourced from the internet), the USG drops it. Source validation doesn't understand multiple routing tables, so the controller disables it when multi-WAN is in use (that is, when a WAN2 is configured). Disabling it on a single-WAN setup removes that check entirely, so the USG no longer discards packets arriving on the wrong interface.


Routing Traffic Out of WAN2 Primarily, and WAN1 on Failover Based on the Source



The following example demonstrates how to route traffic sourced from LAN1 out WAN2 primarily and WAN1 secondarily (on failover) based on the source. This is useful when you want failover in the opposite order from the default: WAN2 becomes primary and WAN1 secondary. Because it uses a load-balance group, the USG also tracks each WAN gateway automatically, so no manual static route is needed.

NOTE: Remember the commands below are specific for a USG-PRO-4. The USG will use eth0 for WAN1 and eth2 for WAN2.

configure
set load-balance group wan2_failover interface eth3
set load-balance group wan2_failover interface eth2 failover-only
set firewall modify LOAD_BALANCE rule 2000 action modify
set firewall modify LOAD_BALANCE rule 2000 modify lb-group wan2_failover
set firewall modify LOAD_BALANCE rule 2000 source address 192.168.1.0/24
commit;exit

Excluding Certain Traffic From Load-Balancing



The following example demonstrates how to exclude VLAN2 to LAN traffic from load-balancing entirely. This is helpful if you've configured one of the policy-based routing rules above and inter-VLAN communication has stopped: in that case, configure an exclusion based on source and destination like the example below. You can do this with any subnet or IP you like, or create an address group in the UniFi controller and use that as the source or destination. The address group approach is useful when you have multiple VLANs that all need to communicate with each other, since you can use one group (containing all VLANs/LAN) as both the source and the destination in the rule.

If you have other custom rules you've previously added to the LOAD_BALANCE ruleset, the exclusion rule should come before them, because rules are processed from the lowest number to the highest (e.g. rule 2450 is evaluated before rule 2500).

configure
set firewall modify LOAD_BALANCE rule 2450 action accept
set firewall modify LOAD_BALANCE rule 2450 source address 192.168.2.0/24
set firewall modify LOAD_BALANCE rule 2450 destination address 192.168.1.0/24
commit;exit

Related Articles



UniFi - USG Advanced Configuration