
UniFi - USG Advanced: Policy-Based Routing


Overview


This article describes how to configure policy-based routing on the UniFi Security Gateway (USG, USG-PRO-4, USG-XG-8).

NOTES & REQUIREMENTS: This article covers advanced configurations, and should only be used by advanced users. Editing the config.gateway.json file will be necessary.

Table of Contents


  1. Introduction
  2. Routing Traffic Out of WAN2 Based on the Source Network
  3. Routing Traffic Out of WAN2 Based on the Source Network, Destination Port and Protocol
  4. Routing Traffic Out of the VPN Interface (vti) Based on the Source
  5. Routing Traffic Out of WAN2 Primarily, and WAN1 on Failover Based on the Source
  6. Related Articles

Introduction


Policy-based routing lets network administrators route packets according to criteria they define themselves. A policy route overrides the routing table and any routes installed by IPsec.

This article covers how to configure policy routing with any of these goals in mind:

1. Route traffic out WAN2 based on the source network.
2. Route traffic out WAN2 based on the source network, destination port, and protocol.
3. Route traffic out the VPN interface (vti) based on the source.
4. Route traffic out WAN2 primarily, and WAN1 secondarily (on failover) based on the source.

Policy-based routing can match not only on the source address, source port, or source network, but also on the destination address, destination port, or protocol, among other criteria.

NOTE: These configurations will not be persistent until they are added to the config.gateway.json file. Users should test the configuration first, verify it is working as they expect, and then proceed to edit the config.gateway.json file to make the configuration persistent through reprovisions and reboots. For help on how to create and edit the config.gateway.json see this article.

Throughout the article, these subnets will be used in each scenario:

WAN1 (eth2) address: 100.64.1.5
WAN1 gateway: 100.64.1.1/24
WAN2 (eth3) address: 200.64.2.5/24
WAN2 gateway: 200.64.2.1/24
LAN1 (eth1) network: 192.168.1.0/24
Vlan2 (eth1.2) network: 192.168.2.0/24
VTI0: auto site to site VPN


Routing Traffic Out of WAN2 Based on the Source Network


The following example demonstrates how to route traffic sourced from the LAN1 network out WAN2.

NOTE: The LOAD_BALANCE ruleset is only present on configurations where WAN2 is configured. For policy routing it makes no difference whether WAN2 is set to "failover-only" or "weighted load-balance".

configure
set protocols static table 1 route 0.0.0.0/0 next-hop 200.64.2.1
set firewall modify LOAD_BALANCE rule 2500 action modify
set firewall modify LOAD_BALANCE rule 2500 modify table 1
set firewall modify LOAD_BALANCE rule 2500 source address 192.168.1.0/24
set firewall modify LOAD_BALANCE rule 2500 protocol all
commit;exit
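The note above says these commands only persist once they are added to config.gateway.json, whose structure mirrors the EdgeOS configuration tree. The following Python script is an added example, not part of the Ubiquiti article: it converts the "set" commands from a scenario into the nested JSON shape used by config.gateway.json. The TAG_NODES table, which records which nodes take an instance name (a table number, rule number, or interface name) rather than a leaf value, is my own reading of the EdgeOS schema for the nodes used on this page and is an assumption; the convention of writing valueless leaves as "''" is the one used in UniFi's config.gateway.json examples.

```python
import json

# Schema paths of "tag nodes" in the EdgeOS/Vyatta config tree: the token after
# them is an instance name (table number, rule number, interface name) under
# which the subtree continues, rather than a leaf value. Instance positions are
# written as "*". ASSUMPTION: this table covers only the nodes used in the four
# scenarios of the article; extend it before converting other commands.
TAG_NODES = {
    "protocols/static/table",
    "protocols/static/table/*/route",
    "protocols/static/table/*/route/*/next-hop",
    "protocols/static/table/*/interface-route",
    "firewall/modify",
    "firewall/modify/*/rule",
    "load-balance/group",
    "load-balance/group/*/interface",
    "interfaces/ethernet",
    "interfaces/ethernet/*/vif",
}


def _child(node, key):
    """Return the dict under node[key], creating it; refuse to overwrite a leaf."""
    existing = node.get(key)
    if existing is None:
        existing = node[key] = {}
    elif not isinstance(existing, dict):
        raise ValueError(f"{key!r} already holds leaf value {existing!r}")
    return existing


def insert_set(tree, line):
    """Apply one 'set ...' command to the nested dict `tree`."""
    tokens = line.split()
    if not tokens or tokens[0] != "set":
        raise ValueError(f"not a set command: {line!r}")
    tokens = tokens[1:]
    node, schema, i = tree, [], 0
    while i < len(tokens):
        name = tokens[i]
        schema.append(name)
        if "/".join(schema) in TAG_NODES:
            if i + 1 >= len(tokens):
                raise ValueError(f"tag node {name!r} needs an instance name: {line!r}")
            node = _child(_child(node, name), tokens[i + 1])
            schema.append("*")
            i += 2
        elif i == len(tokens) - 2:
            # Last two tokens: a leaf node and its value.
            if isinstance(node.get(name), dict):
                raise ValueError(f"{name!r} already has children: {line!r}")
            node[name] = tokens[i + 1]
            i += 2
        else:
            # Intermediate node, or a valueless leaf when this is the last token.
            node = _child(node, name)
            i += 1
    return tree


def _finalize(node):
    """Valueless leaves and empty tag instances are written as "''" in config.gateway.json."""
    if isinstance(node, dict):
        if not node:
            return "''"
        return {k: _finalize(v) for k, v in node.items()}
    return node


def render_config(lines):
    """Build the config.gateway.json-shaped dict from a block of CLI lines.

    Lines other than 'set ...' (configure, commit;exit, blanks) are ignored.
    """
    tree = {}
    for line in lines:
        line = line.strip()
        if line.startswith("set "):
            insert_set(tree, line)
    return _finalize(tree)


# Sample input: the first scenario of the article, copied verbatim.
SCENARIO_1 = """
configure
set protocols static table 1 route 0.0.0.0/0 next-hop 200.64.2.1
set firewall modify LOAD_BALANCE rule 2500 action modify
set firewall modify LOAD_BALANCE rule 2500 modify table 1
set firewall modify LOAD_BALANCE rule 2500 source address 192.168.1.0/24
set firewall modify LOAD_BALANCE rule 2500 protocol all
commit;exit
""".splitlines()

if __name__ == "__main__":
    print(json.dumps(render_config(SCENARIO_1), indent=2))
```

The script refuses to silently overwrite a leaf with a subtree (or the reverse), so a mistyped rule number or node name fails loudly instead of producing a JSON file that provisions something other than what was tested on the CLI. Merge the printed object into your existing config.gateway.json rather than replacing that file, since the controller applies the whole file on every provision.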

Routing Traffic Out of WAN2 Based on the Source Network, Destination Port and Protocol


The following example demonstrates how to route traffic sourced from the VLAN2 network and destined for TCP ports 80 and 443 out WAN2.

configure
set protocols static table 1 route 0.0.0.0/0 next-hop 200.64.2.1
set firewall modify LOAD_BALANCE rule 2501 action modify
set firewall modify LOAD_BALANCE rule 2501 modify table 1
set firewall modify LOAD_BALANCE rule 2501 source address 192.168.2.0/24
set firewall modify LOAD_BALANCE rule 2501 destination port 80,443
set firewall modify LOAD_BALANCE rule 2501 protocol tcp
commit;exit

Routing Traffic Out of the VPN Interface (vti) Based on the Source


The following example demonstrates how to route traffic sourced from VLAN2 out vti0. A few notes:

  • This is a WAN1-only setup; there is no LOAD_BALANCE ruleset when WAN2 is not configured. If WAN2 is configured, you can skip the set interfaces step and apply the firewall modify rules to the LOAD_BALANCE ruleset rather than VPN_Gateway.
  • vti0 is the first interface number used for auto VPNs, and vti64 is the first interface number used for manual VPNs.

ATTENTION: Configuring static table 1 currently does not work correctly when a VTI interface is used as the next hop. Use table 2 or higher. We are working on correcting this.

configure
set firewall modify VPN_Gateway rule 2502 action modify
set firewall modify VPN_Gateway rule 2502 modify table 2
set firewall modify VPN_Gateway rule 2502 source address 192.168.2.0/24
set firewall modify VPN_Gateway rule 2502 protocol all
set protocols static table 2 interface-route 0.0.0.0/0 next-hop-interface vti0
set interfaces ethernet eth1 vif 2 firewall in modify VPN_Gateway
commit;exit

Routing Traffic Out of WAN2 Primarily, and WAN1 on Failover Based on the Source


The following example demonstrates how to route traffic sourced from LAN1 out WAN2 primarily and WAN1 secondarily (on failover). This is useful when you want failover in the opposite order from the default: WAN2 becomes the primary and WAN1 the secondary for this source. Because a load-balance group tracks each WAN gateway automatically, no manual route in a static table is needed.

configure
set load-balance group wan2_failover interface eth3
set load-balance group wan2_failover interface eth2 failover-only
set firewall modify LOAD_BALANCE rule 2000 action modify
set firewall modify LOAD_BALANCE rule 2000 modify lb-group wan2_failover
set firewall modify LOAD_BALANCE rule 2000 source address 192.168.1.0/24
commit;exit

Related Articles


UniFi - USG Advanced Configuration