blob: c2746fa3e8f433a057904102028f769b709abbe4 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
|
.. _routing-pbr:
PBR
---
:abbr:`PBR (Policy-Based Routing)` allowing traffic to be assigned to different
routing tables. Traffic can be matched using standard 5-tuple matching (source
address, destination address, protocol, source port, destination port).
Transparent Proxy
^^^^^^^^^^^^^^^^^
The following example will show how VyOS can be used to redirect web traffic to
an external transparent proxy:
.. code-block:: console
set policy route FILTER-WEB rule 1000 destination port 80
set policy route FILTER-WEB rule 1000 protocol tcp
set policy route FILTER-WEB rule 1000 set table 100
This creates a route policy called FILTER-WEB with one rule to set the routing
table for matching traffic (TCP port 80) to table ID 100 instead of the
default routing table.
To create routing table 100 and add a new default gateway to be used by
traffic matching our route policy:
.. code-block:: console
set protocols static table 100 route 0.0.0.0/0 next-hop 10.255.0.2
This can be confirmed using the show ip route table 100 operational command.
Finally, to apply the policy route to ingress traffic on our LAN interface,
we use:
.. code-block:: console
set interfaces ethernet eth1 policy route FILTER-WEB
Multiple Uplinks
^^^^^^^^^^^^^^^^
VyOS Policy-Based Routing (PBR) works by matching source IP address ranges and
forwarding the traffic using different routing tables.
Routing tables that will be used in this example are:
* ``table 10`` Routing tabled used for VLAN 10 (192.168.188.0/24)
* ``table 11`` Routing tabled used for VLAN 11 (192.168.189.0/24)
* ``main`` Routing table used by VyOS and other interfaces not paritipating in
PBR
.. figure:: ../_static/images/pbr_example_1.png
:scale: 80 %
:alt: PBR multiple uplinks
Policy-Based Routing with multiple ISP uplinks
(source ./draw.io/pbr_example_1.drawio)
Add default routes for routing ``table 10`` and ``table 11``
.. code-block:: console
set protocols static table 10 route 0.0.0.0/0 next-hop 192.0.1.1
set protocols static table 11 route 0.0.0.0/0 next-hop 192.0.2.2
Add policy route matching VLAN source addresses
.. code-block:: console
set policy route PBR rule 20 set table '10'
set policy route PBR rule 20 description 'Route VLAN10 traffic to table 10'
set policy route PBR rule 20 source address '192.168.188.0/24'
set policy route PBR rule 30 set table '11'
set policy route PBR rule 30 description 'Route VLAN11 traffic to table 11'
set policy route PBR rule 30 source address '192.168.189.0/24'
Apply routing policy to **inbound** direction of out VLAN interfaces
.. code-block:: console
set interfaces ethernet eth0 vif 10 policy route 'PBR'
set interfaces ethernet eth0 vif 11 policy route 'PBR'
**OPTIONAL:** Exclude Inter-VLAN traffic (between VLAN10 and VLAN11) from PBR
.. code-block:: console
set policy route PBR rule 10 description 'VLAN10 <-> VLAN11 shortcut'
set policy route PBR rule 10 destination address '192.168.188.0/24'
set policy route PBR rule 10 destination address '192.168.189.0/24'
set policy route PBR rule 10 set table 'main'
.. note:: Allows the VLAN10 and VLAN20 hosts to communicate with each other
using the main routing table.
|
