Overview
For a standard router, when it receives a packet, it decides where to forward it based on the destination address in the packet. It looks up its routing table (statically configured or learned through dynamic routing protocols, e.g. OSPF/BGP), the most specific matching route is chosen (the default route is used if no other route matches), and the next-hop gateway address is taken from the chosen route entry. This is how mbox works as well in most situations.
But in certain complex scenarios we need to forward packets based on source addresses, or even on applications. That is where Policy-Based Routing (PBR) comes in. PBR can also forward packets based on the size of the packet, the protocol of the payload, or other information available in the packet header or payload. This permits packets originating from different sources to be routed to different networks or next-hops even when the destinations are the same.
PBR can be very useful when interconnecting several private networks, sharing multiple upstream ISP links, or directing traffic for special purposes (e.g. redirecting it to external proxies, firewalls or caching engines).
mbox supports PBR based on the following packet information (to decide where to forward matching packets):
- source address
- application (protocol and port number), identified by the fwmark number set by a firewall-set rule
- TOS value
Configuration Notes
- PBR happens at the inbound interface, when packets enter the interface, so “ip pbr policy …” should always match packets as they enter the interface (therefore use firewall-set inbound to mark packets, or use “ip pbr policy xx src …” to match by source).
- If the nexthop exit interface is a physical/VLAN interface, we must specify the nexthop IP, optionally together with the interface, e.g. ip pbr route 10 0.0.0.0/0 nexthop 192.168.1.1 interface eth0 (the interface eth0 is optional, but the nexthop 192.168.1.1 is a MUST).
- If the nexthop exit interface is an LTE interface (e.g. lte0), for which we don’t know the exact nexthop IP, we just use the interface as the next hop, e.g. ip pbr route 10 0.0.0.0/0 nexthop lte0
- When we configure PBR on HSG (with the hotspot service running), we need to take note of a few things:
  - We must use firewall-set to mark the interesting packets and apply the fwmark to the PBR policy. Don’t use “ip pbr policy xx src y.y.y.” to match by source IP address, because the packets will not match this rule due to the order of operations between the hotspot and PBR processes.
  - When we configure firewall-set to match packets, we must mark at the inbound interface. Because the hotspot service generates a dynamic tunnel interface, we are not sure which tunnel number will be used, so we use tun+ and further restrict the match to specific source networks with the “src” option under firewall-set, narrowing it to a particular VLAN/network.
Configuration Procedure
- Configure a PBR policy (ip pbr policy xx) to define the target packets for PBR.
- Configure a PBR route (ip pbr route x.x.x.x/y) to define how/where to forward the targeted packets instead of using the default routing table.
- Configure firewall-access and firewall-snat rules to permit Internet access.
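As an added illustration (not mbox code or its CLI syntax), the following Python models the decision order described above: the first matching PBR policy (by source, fwmark or TOS) selects that policy's own ip pbr route entries, and only unmatched packets fall back to the normal routing table. It uses the subnets and ISP1 gateway from the examples that follow; the ISP2 gateway 172.16.20.1 on eth1, the policy numbers 300/400 and the first-match ordering are assumptions.

```python
# Added example (not mbox code): a small model of the forwarding decision this page describes.
# Order: first matching PBR policy -> that policy's PBR routes (longest prefix) -> normal table.
from ipaddress import ip_address, ip_network
from typing import NamedTuple, Optional

class Packet(NamedTuple):
    src: str
    dst: str
    fwmark: int = 0    # set by a firewall-set rule at the inbound interface
    tos: int = 0

class Policy(NamedTuple):          # one "ip pbr policy <no> ..." entry
    no: int
    src: Optional[str] = None      # match by source subnet
    fwmark: Optional[int] = None   # match by application mark
    tos: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        if self.src is not None and ip_address(p.src) not in ip_network(self.src):
            return False
        if self.fwmark is not None and p.fwmark != self.fwmark:
            return False
        return self.tos is None or p.tos == self.tos

def longest_prefix(routes, dst):
    """routes: list of (prefix, nexthop); nexthop is 'ip', 'ip iface' or just an interface."""
    best = None
    for prefix, nexthop in routes:
        net = ip_network(prefix)
        if ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nexthop)
    return best[1] if best else None

def forward(p, policies, pbr_routes, main_routes):
    """pbr_routes: policy no -> its 'ip pbr route <no> ...' entries; first match wins (assumed)."""
    for pol in policies:
        if pol.matches(p):
            nh = longest_prefix(pbr_routes.get(pol.no, []), p.dst)
            if nh is not None:   # no covering PBR route: fall back to the normal table (assumed)
                return nh
    return longest_prefix(main_routes, p.dst)

# Constructed config: Method 1 (by source) and Method 2 (by fwmark) on one box. The ISP2
# gateway 172.16.20.1 on eth1 is assumed; the other addresses come from this page's tables.
MAIN = [("0.0.0.0/0", "172.16.10.1 eth0"), ("172.16.30.0/24", "eth2")]
POLICIES = [Policy(100, src="172.16.30.0/24"), Policy(200, src="172.16.40.0/24"),
            Policy(300, fwmark=80), Policy(400, fwmark=443)]
PBR = {100: [("0.0.0.0/0", "172.16.10.1 eth0")], 200: [("0.0.0.0/0", "172.16.20.1 eth1")],
       300: [("0.0.0.0/0", "172.16.10.1 eth0")], 400: [("0.0.0.0/0", "172.16.20.1 eth1")]}

def decide(src, dst, fwmark=0):
    return forward(Packet(src, dst, fwmark), POLICIES, PBR, MAIN)
```

Note that a packet from 172.16.40.0/24 carrying fwmark 80 still leaves via ISP2, because the source policy is listed first; policy order decides when several policies match.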

Method 1: Configuration Example [Based on source]
In this example, we are trying to achieve the following objectives:
- Clients from 172.16.30.0/24 will go out from the ISP1 link for Internet access
- Clients from 172.16.40.0/24 will go out from the ISP2 link for Internet access
Policy Based Routing Based on Source Using UI
- Log in to mfusion to configure the source-based PBR.
- In mfusion, navigate to the menu ‘ORCHESTRATOR > Devices > Gateway‘ and select the relevant gateway MAC address.
Configure ethernet interface
- Click on ‘Ethernet Interface’ from the dropdown menu, and configure the interface as per Table 1.

The fields of Ethernet Interface values are summarized below:
S/N | ETHERNET INTERFACE | VALUE |
---|---|---|
01. | eth0 | 172.16.10.2/24 |
02. | eth1 | 172.16.20.2/24 |
03. | eth2 | 172.16.30.1/24 |
04. | eth3 | 172.16.40.1/24 |
Configure default gateway and PBR
- Click on ‘Routing‘ from the dropdown menu, and configure the default gateway and policy-based routes as per Table 2 (Default Gateway) and Table 2 (Policy-Based Routes).
- Click the corresponding button to configure the default gateway.

The fields of Default gateway values are summarized below:
S/N | FIELDS | VALUE |
---|---|---|
01. | Destination | Default Gateway |
02. | Default Gateway | 172.16.10.1 |
- Click the corresponding button to configure the PBR.

The fields of PBR values are summarized below:
S/N | FIELDS | VALUE (Policy No. 100) | VALUE (Policy No. 200) |
---|---|---|---|
01. | Policy No. | 100 | 200 |
02. | Packet Flow Direction | Output (Local origin) | Output (Local origin) |
03. | Packet Matching Criteria | Packet Source IP/Subnet – 172.16.30.0/24 | Packet Source IP/Subnet – 172.16.40.0/24 |
04. | Nexthop | eth0 | eth1 |
- Click the corresponding buttons to push the config to the devices.
Method 2: Configuration Example [Based on Application]
In this example, we are trying to achieve the following objectives:
- HTTP (TCP/80) access will go out from ISP1 link
- HTTPS (TCP/443 and UDP/443) access will go out from ISP2 link
Policy Based Routing Based on Application Using UI
- Log in to mfusion to configure the application-based PBR.
- In mfusion, navigate to the menu ‘ORCHESTRATOR > Devices > Gateway‘ and select the relevant gateway MAC address.
Configure ethernet interface
- Click on ‘Ethernet Interface’ from the dropdown menu, and configure the interface as per Table 5.
The fields of Ethernet Interface values are summarized below:
S/N | ETHERNET INTERFACE | VALUE |
---|---|---|
01. | eth0 | 172.16.10.2/24 |
02. | eth1 | 172.16.20.2/24 |
03. | eth2 | 172.16.30.1/24 |
04. | eth3 | 172.16.40.1/24 |
Configure default gateway and PBR
- Click on ‘Routing‘ from the dropdown menu, and configure the default gateway and policy-based routes as per Table 2 (Default Gateway) and Table 2 (Policy-Based Routes).
- Click the corresponding button to configure the default gateway.

The fields of Default gateway values are summarized below:
S/N | FIELDS | VALUE |
---|---|---|
01. | Destination | Default Gateway |
02. | Default Gateway | 172.16.10.1 |
Method 3: Configuration Example [Hotspot Gateway]
Troubleshooting Commands
- show ip pbr policy
- show ip pbr route xx
- use tcpdump to verify at the exit interface