Policy-Based Routing (PBR)

Overview

A standard router decides where to forward a packet based on the packet's destination address. It looks up its routing table (statically configured or learned through a dynamic routing protocol, e.g. OSPF/BGP), chooses the most specific matching route (falling back to the default route if nothing else matches), and takes the next-hop gateway address from the chosen route entry. This is how mbox works as well in most situations.

In certain more complex scenarios, however, packets must be forwarded based on their source address or even on the application. That is where Policy-Based Routing (PBR) is needed. PBR can also forward packets based on packet size, the protocol of the payload, or other information available in the packet header or payload. This permits packets originating from different sources to be routed to different networks or next hops even when their destinations are the same.

PBR is useful when interconnecting several private networks, sharing multiple upstream ISP links, or directing traffic for special purposes (e.g. redirecting it to external proxies, firewalls or caching engines).

mbox supports PBR on the following packet information (used to decide where to forward matching packets):

  • source address
  • application (protocol and port number), identified by the fwmark number set by a firewall-set rule
  • TOS value
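The decision order described above (policy match first, then the ordinary destination-based lookup) is easy to misjudge, so here is a small simulator of it. This is an added example, not mbox code: it models a policy as an "ip pbr policy" with its "ip pbr route" entries, evaluates policies by source prefix, fwmark or TOS, and falls back to longest-prefix match in the routing table when no policy matches. The class names, addresses and marks are made up for the example, and what happens to traffic for a directly connected subnet under a policy whose only route is 0.0.0.0/0 is an assumption of the model, not something the page states.

```python
"""Destination-based lookup versus policy-based routing, as a small simulator.

Added example, not mbox code. Policies (source prefix, fwmark, TOS) are
checked first in policy-number order; only if none matches is the routing
table consulted with longest-prefix match and 0.0.0.0/0 as the fallback.
Addresses mirror the page's examples (ISP1 via 172.16.10.1, ISP2 via
172.16.20.1); everything else is constructed for the example.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional


@dataclass
class Packet:
    src: str
    dst: str
    fwmark: int = 0   # would be set by a firewall-set rule on the device
    tos: int = 0


@dataclass
class Route:
    prefix: IPv4Network
    nexthop: str      # next-hop IP or exit interface, as in "ip pbr route"


@dataclass
class Policy:
    """One 'ip pbr policy' together with its 'ip pbr route' entries (model assumption)."""
    number: int
    routes: List[Route]
    src: Optional[IPv4Network] = None
    fwmark: Optional[int] = None
    tos: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        if self.src is not None and IPv4Address(pkt.src) not in self.src:
            return False
        if self.fwmark is not None and pkt.fwmark != self.fwmark:
            return False
        if self.tos is not None and pkt.tos != self.tos:
            return False
        return True


def longest_prefix_match(table: List[Route], dst: str) -> Optional[Route]:
    """Standard router behaviour: the most specific route wins, 0.0.0.0/0 is the fallback."""
    dst_ip = IPv4Address(dst)
    candidates = [r for r in table if dst_ip in r.prefix]
    return max(candidates, key=lambda r: r.prefix.prefixlen, default=None)


def forward(policies: List[Policy], table: List[Route], pkt: Packet) -> Optional[str]:
    """Return the chosen next hop: first matching policy's routes, else the routing table."""
    for pol in sorted(policies, key=lambda p: p.number):
        if pol.matches(pkt):
            hit = longest_prefix_match(pol.routes, pkt.dst)
            if hit is not None:
                return hit.nexthop
            # no route under this policy covers the destination: fall through (assumption)
    hit = longest_prefix_match(table, pkt.dst)
    return hit.nexthop if hit is not None else None


# Constructed topology: default route via ISP1, VLAN 40 directly connected on eth3.
ROUTING_TABLE = [
    Route(IPv4Network("0.0.0.0/0"), "172.16.10.1"),   # ip default-gateway 172.16.10.1
    Route(IPv4Network("172.16.40.0/24"), "eth3"),      # connected subnet
]
POLICIES = [
    Policy(10, [Route(IPv4Network("0.0.0.0/0"), "172.16.10.1")], src=IPv4Network("172.16.30.0/24")),
    Policy(20, [Route(IPv4Network("0.0.0.0/0"), "172.16.20.1")], src=IPv4Network("172.16.40.0/24")),
    Policy(30, [Route(IPv4Network("0.0.0.0/0"), "172.16.20.1")], fwmark=200),  # e.g. HTTPS marked 200
]


def demo() -> Dict[str, Optional[str]]:
    """Run the constructed cases; keys describe the case, values are the chosen next hop."""
    internet = "8.8.8.8"
    # same policy 10, but with a more specific route for the connected VLAN 40 subnet
    fixed_policy_10 = Policy(10, [Route(IPv4Network("0.0.0.0/0"), "172.16.10.1"),
                                  Route(IPv4Network("172.16.40.0/24"), "eth3")],
                             src=IPv4Network("172.16.30.0/24"))
    fixed = [fixed_policy_10] + POLICIES[1:]
    return {
        "vlan30 to internet": forward(POLICIES, ROUTING_TABLE, Packet("172.16.30.5", internet)),
        "vlan40 to internet": forward(POLICIES, ROUTING_TABLE, Packet("172.16.40.5", internet)),
        "unmatched src, default route": forward(POLICIES, ROUTING_TABLE, Packet("10.9.9.9", internet)),
        "marked 200 from unmatched src": forward(POLICIES, ROUTING_TABLE, Packet("10.9.9.9", internet, fwmark=200)),
        # pitfall in this model: a 0.0.0.0/0 pbr route also captures inter-VLAN traffic
        "vlan30 to vlan40 (pitfall)": forward(POLICIES, ROUTING_TABLE, Packet("172.16.30.5", "172.16.40.7")),
        "vlan30 to vlan40 (fixed)": forward(fixed, ROUTING_TABLE, Packet("172.16.30.5", "172.16.40.7")),
    }


if __name__ == "__main__":
    for case, nexthop in demo().items():
        print(f"{case:34s} -> {nexthop}")
```

The two packets to 8.8.8.8 get different next hops purely because of their source, which is the point of PBR; the unmarked packet from an unmatched source falls through to the default route. The "vlan30 to vlan40" case shows why a policy with only a 0.0.0.0/0 route deserves a test: in this model it also hauls traffic for a local subnet to the ISP. Whether mbox exempts connected routes is not stated on this page, so verify it with tcpdump and, if necessary, add a more specific pbr route for the local subnets as the "fixed" case does.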

Configuration Notes

*PBR is evaluated at the inbound interface, when packets enter the device, so “ip pbr policy…” must always match packets as they enter the interface (therefore use firewall-set inbound to mark packets, or match by source with “ip pbr policy xx src…”).

*If the next-hop exit interface is a physical/VLAN interface, the next-hop IP must be specified, optionally together with the interface, e.g. ip pbr route 10 0.0.0.0/0 nexthop 192.168.1.1 interface eth0 (the interface eth0 is optional, but the next hop 192.168.1.1 is mandatory).

*If the next-hop exit interface is an LTE interface (e.g. lte0), where the exact next-hop IP is not known, use the interface itself as the next hop, e.g. ip pbr route 10 0.0.0.0/0 nexthop lte0

*When configuring PBR on an HSG (with the hotspot service running), note the following:
Use firewall-set to mark the interesting packets and apply the fwmark to the PBR policy. Do not use “ip pbr policy xx src y.y.y.y” to match by source IP address: the packets will not match such a rule because of the order of operations between the hotspot and PBR processes.

When configuring firewall-set to match packets, mark them at the inbound interface. Because the hotspot service creates a dynamic tunnel interface whose number is not known in advance, match on tun+ and use the “src” option of firewall-set to narrow the match to a particular VLAN/network.

Configuration Procedure

  1. Configure a PBR policy (ip pbr policy xx), to define the target packets for PBR.
  2. Configure a PBR route (ip pbr route xx x.x.x.x/y nexthop …), to define how/where to forward the targeted packets instead of using the default routing table.
  3. Configure firewall-access and firewall-snat rules to permit Internet access.

Method 1: Configuration Example [Based on source]

In this example, we are trying to achieve the objectives below:

  • Clients from 172.16.30.0/24 will go out from the ISP1 link for Internet access
  • Clients from 172.16.40.0/24 will go out from the ISP2 link for Internet access

Policy Based Routing Based on Source Using UI

  • Log in to mfusion to configure the source-based PBR
  • In mfusion, navigate to the menu ‘ORCHESTRATOR > Devices > Gateway‘ and select the relevant gateway MAC address.

Configure ethernet interface

  • Click on ‘Ethernet Interface’ from the dropdown menu, and configure the interfaces as per Table 1.
Image 2 : Ethernet Interface list interface

The Ethernet Interface values are summarized below:

S/N   Ethernet Interface   Value
01.   eth0                 172.16.10.2/24
02.   eth1                 172.16.20.2/24
03.   eth2                 172.16.30.1/24
04.   eth3                 172.16.40.1/24
Table 1 : Appliance IP interface settings.

Configure default gateway and PBR

  • Click on ‘Routing‘ from the dropdown menu, and configure the default gateway and the policy-based routes as per Table 3 (Default Gateway) and Table 4 (Policy-Based Routes).
  • Click the edit icon to configure the default gateway.

Image 3 : Routing-default gateway interface

The Default Gateway values are summarized below:

S/N   Field             Value
01.   Destination       Default Gateway
02.   Default Gateway   172.16.10.1
Table 3 : Default gateway settings.

  • Click the edit icon to configure the PBR.
Image 4 : Routing-default gateway interface

The PBR values are summarized below (one column per policy):

S/N   Field                      Value (Policy No. 100)               Value (Policy No. 200)
01.   Policy No.                 100                                  200
02.   Packet Flow Direction      Output (Local origin)                Output (Local origin)
03.   Packet Matching Criteria   Packet Source                        Packet Source
                                 Source IP/Subnet: 172.16.30.0/24     Source IP/Subnet: 172.16.40.0/24
04.   Nexthop                    eth0                                 eth1
Table 4 : Policy-based route settings.

  • Click the save and push icons to push the config to the devices.

The equivalent CLI configuration follows. The first listing is a hand-written CLI version (policies matched directly by source subnet, with next-hop IP addresses); the second corresponds to the UI settings in Table 4 (fwmark-based policies 100/200 with interface next hops) as generated by mfusion, which is why its firewall-set rules carry the “Generated from PBR rule” remark.

!
interface eth0
 enable
 ip address 172.16.10.2/24
!
interface eth1
 enable
 ip address 172.16.20.2/24
!
interface eth2
 enable
 ip address 172.16.30.1/24
!
interface eth3
 enable
 ip address 172.16.40.1/24
!
ip default-gateway 172.16.10.1
!
firewall-access 10 permit outbound eth0
firewall-access 11 permit outbound eth1
!
firewall-snat 10 overload outbound eth0
firewall-snat 11 overload outbound eth1
!
!define policy ID to match packets by source subnets
ip pbr policy 10 src 172.16.30.0/24
ip pbr policy 20 src 172.16.40.0/24
!
!apply specific forwarding/routing rule based on pre-defined policy ID
ip pbr route 10 0.0.0.0/0 nexthop 172.16.10.1 
ip pbr route 20 0.0.0.0/0 nexthop 172.16.20.1
!

!
interface eth0
 enable
 ip address dhcp
!
interface eth1
 enable
 ip address 172.16.20.2/24
!
interface eth2
 enable
 ip address 172.16.30.1/24
!
interface eth3
 enable
 ip address 172.16.40.1/24
!
ip name-server 8.8.8.8 8.8.4.4
!
ip default-gateway 172.16.10.1
!
!define policy ID to match packets by source subnets
ip pbr policy 100 fwmark 100
ip pbr policy 200 fwmark 200
!
!apply specific forwarding/routing rule based on pre-defined policy ID
ip pbr route 100 0.0.0.0/0 nexthop eth0
ip pbr route 200 0.0.0.0/0 nexthop eth1
!
firewall-set 100 mark 100 output src 172.16.30.0/24 remark "Generated from PBR rule 100"
firewall-set 200 mark 200 output src 172.16.40.0/24 remark "Generated from PBR rule 200"
!
firewall-input 10 permit all tcp dport 80 admin remark "WEB mgmt from OOB"
firewall-input 11 permit all tcp dport 22 remark "SSH mgmt"
!
firewall-access 10 permit outbound eth0
firewall-access 11 permit outbound eth1
!
firewall-snat 10 overload outbound eth0
firewall-snat 11 overload outbound eth1

Method 2: Configuration Example [Based on Application]

In this example, we are trying to achieve the objectives below:

  • HTTP (TCP/80) access will go out from ISP1 link
  • HTTPS (TCP/443 and UDP/443) access will go out from ISP2 link

Policy Based Routing Based on Application Using UI

  • Log in to mfusion to configure the application-based PBR
  • In mfusion, navigate to the menu ‘ORCHESTRATOR > Devices > Gateway‘ and select the relevant gateway MAC address.

Configure ethernet interface

  • Click on ‘Ethernet Interface’ from the dropdown menu, and configure the interface as per Table 5.

The Ethernet Interface values are summarized below:

S/N   Ethernet Interface   Value
01.   eth0                 172.16.10.2/24
02.   eth1                 172.16.20.2/24
03.   eth2                 172.16.30.1/24
04.   eth3                 172.16.40.1/24
Table 5 : Appliance IP interface settings.

Configure default gateway and PBR

  • Click on ‘Routing‘ from the dropdown menu, and configure the default gateway as per Table 6 (Default Gateway). The application-based policy itself is defined by the firewall-set and ip pbr commands in the CLI configuration below.
  • Click the edit icon to configure the default gateway.

Image 3 : Routing-default gateway interface

The Default Gateway values are summarized below:

S/N   Field             Value
01.   Destination       Default Gateway
02.   Default Gateway   172.16.10.1
Table 6 : Host default gateway config

!
interface eth0
 enable
 ip address 172.16.10.2/24
!
interface eth1
 enable
 ip address 172.16.20.2/24
!
interface eth2
 enable
 ip address 172.16.30.1/24
!
interface eth3
 enable
 ip address 172.16.40.1/24
!
ip default-gateway 172.16.10.1
!
firewall-access 10 permit outbound eth0
firewall-access 11 permit outbound eth1
!
firewall-snat 10 overload outbound eth0
firewall-snat 11 overload outbound eth1
!
!use firewall-set to mark the interesting packets at the "inbound" interfaces
!(use the same mark number for packets belonging to the same policy)
firewall-set 100 mark 100 inbound eth2 tcp dport 80
firewall-set 101 mark 100 inbound eth3 tcp dport 80
firewall-set 102 mark 200 inbound eth2 tcp dport 443
firewall-set 103 mark 200 inbound eth2 udp dport 443
firewall-set 104 mark 200 inbound eth3 tcp dport 443
firewall-set 105 mark 200 inbound eth3 udp dport 443
!
!define policy ID to match packets by fwmark Mark NO.
ip pbr policy 100 fwmark 100
ip pbr policy 101 fwmark 200
!
!apply specific forwarding/routing rule based on policy ID
ip pbr route 100 0.0.0.0/0 nexthop 172.16.10.1 
ip pbr route 101 0.0.0.0/0 nexthop 172.16.20.1 
!

Method 3: Configuration Example [Hotspot Gateway]

!match inbound traffic on tun+, using src to narrow the match to each hotspot's client network
!(the src prefix must be the client-network of the corresponding hotspot configured below)
firewall-set 100 mark 100 inbound tun+ src 172.16.1.0/24
firewall-set 101 mark 101 inbound tun+ src 172.16.10.0/24
!
!define pbr policy by fwmark
ip pbr policy 100 fwmark 100
ip pbr policy 101 fwmark 101
!
ip pbr route 100 0.0.0.0/0 nexthop eth0
ip pbr route 101 0.0.0.0/0 nexthop eth1
!
!the radius-server shared secret "testing123" below is the well-known default; replace it with a strong, unique secret before deployment
security hotspot eth2
 hotspot-wan eth0
 hotspot-server 172.16.1.1 ports 5001 5002
 client-network 172.16.1.0 255.255.255.0
 client-dhcp 172.16.1.20 255.255.255.0 lease 86400
 client-dhcp-dns 8.8.8.8 8.8.4.4
 hotspot-access 10 permit ip
 allowed-domain ransnet.com
 allowed-url mbox.ransnet.com
 radius-server localhost testing123
 start
!
security hotspot eth3
 hotspot-wan eth1
 hotspot-server 172.16.10.1 ports 5011 5012
 client-network 172.16.10.0 255.255.255.0
 client-dhcp 172.16.10.20 255.255.255.0 lease 86400
 client-dhcp-dns 8.8.8.8 8.8.4.4
 hotspot-access 10 permit ip
 allowed-domain ransnet.com
 allowed-url mbox.ransnet.com
 radius-server localhost testing123
 start
!

Troubleshooting Commands

show ip pbr policy
show ip pbr route xx
Use tcpdump on the exit interface to verify that matched traffic leaves via the expected link. Note that where firewall-snat overload is applied on that interface, the captured packets carry the interface's WAN address as source rather than the client's address, so identify flows by destination and port (or capture on the inbound interface at the same time) instead of by client source address.
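Reading tcpdump output by eye is error-prone once there are several policies, so here is a small checker for it. This is an added example, not part of the page or of mbox: it parses a few constructed "tcpdump -n -i <iface>" lines captured on each WAN interface and reports packets that left through the wrong link according to the Method 2 objectives (TCP/80 via eth0, TCP/443 and UDP/443 via eth1). The captured lines, interface names and expectation table are made up for the example; the sample is post-SNAT, so its source addresses are the WAN addresses of eth0/eth1.

```python
"""Check tcpdump output from the exit interfaces against a PBR expectation.

Added example, not mbox code. Input is one list of 'tcpdump -n' lines per
exit interface; the lines below are constructed for the example and show
what a capture looks like after firewall-snat overload has rewritten the
source to the WAN address.
"""
import re
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, NamedTuple

# "<timestamp> IP <src>.<sport> > <dst>.<dport>: <rest>" as printed by tcpdump -n
LINE_RE = re.compile(r"^\S+ IP (\S+)\.(\d+) > (\S+)\.(\d+): (.*)$")


class Pkt(NamedTuple):
    iface: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: str


def parse_capture(iface: str, lines: List[str]) -> List[Pkt]:
    """Parse TCP/UDP lines of one capture; ARP, ICMP and other lines are skipped."""
    pkts = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        src, sport, dst, dport, rest = m.groups()
        proto = "udp" if rest.startswith("UDP") else "tcp"
        pkts.append(Pkt(iface, src, int(sport), dst, int(dport), proto))
    return pkts


# Expected exit interface per (proto, dport), taken from the Method 2 objectives.
EXPECTED_EXIT = {("tcp", 80): "eth0", ("tcp", 443): "eth1", ("udp", 443): "eth1"}


def misrouted(captures: Dict[str, List[str]]) -> List[Pkt]:
    """Packets seen on an exit interface other than the one the policy calls for."""
    bad = []
    for iface, lines in captures.items():
        for p in parse_capture(iface, lines):
            want = EXPECTED_EXIT.get((p.proto, p.dport))
            if want is not None and want != iface:
                bad.append(p)
    return bad


def client_sources_seen(captures: Dict[str, List[str]], client_net: str) -> List[str]:
    """Source addresses inside client_net seen on the exit side.

    With firewall-snat overload on the exit interface this is empty, because the
    client address has already been rewritten to the WAN address: a source-based
    check keyed on the client subnet would silently report nothing.
    """
    net = IPv4Network(client_net)
    return sorted({p.src for iface, lines in captures.items()
                   for p in parse_capture(iface, lines) if IPv4Address(p.src) in net})


# Constructed sample captures (post-SNAT). The second eth0 line is a TCP/443 SYN
# leaving via ISP1, which the Method 2 policy should have sent via eth1.
SAMPLE = {
    "eth0": [
        "10:00:01.000001 IP 172.16.10.2.40001 > 93.184.216.34.80: Flags [S], seq 1, win 64240, length 0",
        "10:00:01.000500 IP 172.16.10.2.40002 > 93.184.216.34.443: Flags [S], seq 1, win 64240, length 0",
        "10:00:02.000000 ARP, Request who-has 172.16.10.1 tell 172.16.10.2, length 28",
    ],
    "eth1": [
        "10:00:03.000001 IP 172.16.20.2.40003 > 93.184.216.34.443: Flags [S], seq 1, win 64240, length 0",
        "10:00:03.000002 IP 172.16.20.2.40004 > 1.1.1.1.443: UDP, length 1200",
    ],
}


if __name__ == "__main__":
    for p in misrouted(SAMPLE):
        print(f"misrouted: {p.proto}/{p.dport} to {p.dst} left via {p.iface}, "
              f"expected {EXPECTED_EXIT[(p.proto, p.dport)]}")
    print("client sources visible on exit side:",
          client_sources_seen(SAMPLE, "172.16.30.0/24") or "none (SNAT)")
```

Keying the check on the application (protocol and destination port) works on the exit interface even after SNAT, which is why it is used for the misrouting check. For a source-based policy such as Method 1, the second function makes the caveat concrete: the client subnet never appears on the exit side, so either capture on the inbound interface at the same time and correlate by destination and source port, or generate test traffic from a known client and match on its destination.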