@adrianmihalko
Created November 25, 2021 14:45
Policy based routing on USG
NOTES & REQUIREMENTS:
Applicable to all UniFi Security Gateway models (USG / USG-PRO-4 / USG-XG-8).
This article does not apply to the UniFi Dream Machine (UDM) models.
This article contains advanced JSON configurations using the CLI and should only be attempted by advanced users.
See the Configuration Using config.gateway.json help center article for more information on JSON configurations.
Introduction
Policy-Based Routing (PBR) is a way to force traffic to use a specific address or interface as the next-hop. When using PBR, traffic is matched on a certain criteria, for example a source IP address, and forwarded to a next-hop. On the USG models, Policy-Based Routing can be used to send specific traffic to the WAN1/WAN2 interfaces or over a Route-Based VPN tunnel interface (VTI).
The Policy-Based Routing feature consists of three separate entities:
Firewall Rule: Match traffic using a PBR firewall rule and modify it to use a certain routing table.
Routing Table: Use a specific routing table to forward the traffic and specify the next-hop address or interface.
Applied Interface: Apply the firewall policy that contains the PBR rule to a certain interface in the Ingress/In direction.
ATTENTION: Avoid using routing table 1 as it could interfere with the default routing on the USG. Use table 2 or higher.
The sections below contain examples of PBR that either use a custom firewall policy or modify the LOAD_BALANCE firewall policy that is used in Load Balancing setups. Regardless of the setup, it is necessary to add the configuration to the config.gateway.json file; otherwise, it will not persist through reboots or re-provisions.
Routing Traffic Out of WAN2 Based on the Source Network
The following example demonstrates how to route all traffic sourced from hosts in the LAN1 network (192.168.1.0/24) out of the WAN2 interface when also using a Load Balancing setup. The 192.0.2.2 address is the next-hop gateway address of the ISP connected to the WAN2 interface. When creating the firewall rule, you either directly match the source network (192.168.1.0/24) or match on a network group.
NOTE: The LOAD_BALANCE firewall policy is one used by Load Balancing. Policy-Based Routing can be used with either weighted or failover-only Load Balancing. When using PPPoE interfaces, create an interface-route instead with the next-hop set to the interface. For example: set protocols static table 5 interface-route 0.0.0.0/0 next-hop-interface pppoe0.
configure
set protocols static table 5 route 0.0.0.0/0 next-hop 192.0.2.2
set firewall modify LOAD_BALANCE rule 2500 action modify
set firewall modify LOAD_BALANCE rule 2500 modify table 5
set firewall modify LOAD_BALANCE rule 2500 source address 192.168.1.0/24
set firewall modify LOAD_BALANCE rule 2500 protocol all
commit ; exit
Routing Traffic Out of WAN2 Based on the Source Network, Destination Port and Protocol
The following example demonstrates how to route HTTP/HTTPS traffic (TCP port 80/443) sourced from hosts in the VLAN2 network (192.168.2.0/24) out of the WAN2 interface when also using a Load Balancing setup. The 192.0.2.2 address is the next-hop gateway address of the ISP connected to the WAN2 interface. When creating the firewall rule, you either directly match the source network (192.168.2.0/24) or match on a network group.
NOTE: The LOAD_BALANCE firewall policy is one used by Load Balancing. Policy-Based Routing can be used with either weighted or failover-only Load Balancing. When using PPPoE interfaces, create an interface-route instead with the next-hop set to the interface. For example: set protocols static table 5 interface-route 0.0.0.0/0 next-hop-interface pppoe0.
configure
set protocols static table 5 route 0.0.0.0/0 next-hop 192.0.2.2
set firewall modify LOAD_BALANCE rule 2501 action modify
set firewall modify LOAD_BALANCE rule 2501 modify table 5
set firewall modify LOAD_BALANCE rule 2501 source address 192.168.2.0/24
set firewall modify LOAD_BALANCE rule 2501 destination port 80,443
set firewall modify LOAD_BALANCE rule 2501 protocol tcp
commit ; exit
Routing Traffic Out of a VPN Interface (VTI) Based on the Source
The following example demonstrates how to route all traffic sourced from hosts in the VLAN2 network (192.168.2.0/24) out of the vti64 interface when using a Route-Based VPN (Dynamic Routing). In this case, the next-hop can be specified as an interface because a VTI is a point-to-point tunnel interface. The USG is not using Load Balancing in this example, so a custom firewall policy is created and applied to the interface. When creating the firewall rule, you either directly match the source network (192.168.2.0/24) or match on a network group.
NOTE: The VTI number can differ depending on your setup, and can be displayed with the show interfaces command.
configure
set protocols static table 5 interface-route 0.0.0.0/0 next-hop-interface vti64
set firewall source-validation disable
set firewall modify VPN_Gateway rule 2502 action modify
set firewall modify VPN_Gateway rule 2502 modify table 5
set firewall modify VPN_Gateway rule 2502 source address 192.168.2.0/24
set firewall modify VPN_Gateway rule 2502 protocol all
set interfaces ethernet eth1 vif 2 firewall in modify VPN_Gateway
commit ; exit
The source-validation setting is disabled (it is enabled by default) because the USG is only using a single WAN interface in this example. When using Load Balancing, the USG disables this setting automatically. The Source Validation feature will interfere with PBR if it is not disabled.
Routing Traffic to Different Load Balancing Groups Based on the Source Network
The following example demonstrates how to modify traffic to utilize multiple Load Balancing groups. When using the default failover-only Load Balancing setup, WAN1 will be the primary (active) interface and WAN2 will be the failover interface. As in the examples above, modifying the LOAD_BALANCE firewall policy can be used to route traffic to a specific WAN interface. Alternatively, it can also modify certain traffic (sourced from hosts in the 192.168.1.0/24 LAN network) to use a different Load Balancing group. When creating the firewall rule, you either directly match the source network (192.168.1.0/24) or match on a network group. When using the USG-PRO-4, for example:
Default Load Balancing Group: WAN1 (eth2) Active, WAN2 (eth3) Failover
Secondary Load Balancing Group: WAN1 (eth2) Failover, WAN2 (eth3) Active
configure
set load-balance group wan2_failover interface eth2 failover-only
set load-balance group wan2_failover interface eth3
set firewall modify LOAD_BALANCE rule 2503 action modify
set firewall modify LOAD_BALANCE rule 2503 modify lb-group wan2_failover
set firewall modify LOAD_BALANCE rule 2503 source address 192.168.1.0/24
commit ; exit
Prevent Certain Traffic from being Policy Routed
In the VTI example above, all traffic that is matched by the rule will be routed using PBR without exception:
set firewall modify VPN_Gateway rule 2502 action modify
set firewall modify VPN_Gateway rule 2502 modify table 5
set firewall modify VPN_Gateway rule 2502 source address 192.168.2.0/24
set firewall modify VPN_Gateway rule 2502 protocol all
This will also apply to local traffic that is routed between (V)LANs, for example from VLAN2 to the Corporate LAN. To prevent this, an exclusion can be added for certain destinations. You either match on another destination network or use one of the network groups:
configure
set firewall modify VPN_Gateway rule 2402 action accept
set firewall modify VPN_Gateway rule 2402 source address 192.168.2.0/24
set firewall modify VPN_Gateway rule 2402 destination group network-group corporate_network
commit ; exit
The end result is that all traffic from the 192.168.2.0/24 network will be sent to the VTI interface, with the exception of traffic from this VLAN to the Corporate LAN. The complete configuration is shown below; note that the exception rule (2402) is matched before the modify rule (2502) because it has the lower rule number:
configure
set protocols static table 5 interface-route 0.0.0.0/0 next-hop-interface vti64
set firewall source-validation disable
set firewall modify VPN_Gateway rule 2402 action accept
set firewall modify VPN_Gateway rule 2402 source address 192.168.2.0/24
set firewall modify VPN_Gateway rule 2402 destination group network-group corporate_network
set firewall modify VPN_Gateway rule 2502 action modify
set firewall modify VPN_Gateway rule 2502 modify table 5
set firewall modify VPN_Gateway rule 2502 source address 192.168.2.0/24
set firewall modify VPN_Gateway rule 2502 protocol all
set interfaces ethernet eth1 vif 2 firewall in modify VPN_Gateway
commit ; exit
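The article requires the configuration to end up in config.gateway.json, which mirrors the `set` paths as nested JSON objects. The following added example (not from the article or from Ubiquiti) folds the complete VPN_Gateway configuration above into that nested form and applies two checks taken from the notes: table 1 is reserved, and every table a modify rule points at must be defined under `protocols static table`. It assumes the "path words followed by one value" shape of the PBR lines; the valueless nodes in the load-balance group example (`failover-only`, `interface eth3`) are outside what it handles.

```python
# Constructed sample: the article's complete VPN_Gateway example, in CLI "set" form.
CLI_SET_LINES = """\
configure
set protocols static table 5 interface-route 0.0.0.0/0 next-hop-interface vti64
set firewall source-validation disable
set firewall modify VPN_Gateway rule 2402 action accept
set firewall modify VPN_Gateway rule 2402 source address 192.168.2.0/24
set firewall modify VPN_Gateway rule 2402 destination group network-group corporate_network
set firewall modify VPN_Gateway rule 2502 action modify
set firewall modify VPN_Gateway rule 2502 modify table 5
set firewall modify VPN_Gateway rule 2502 source address 192.168.2.0/24
set firewall modify VPN_Gateway rule 2502 protocol all
set interfaces ethernet eth1 vif 2 firewall in modify VPN_Gateway
commit ; exit
"""

def set_lines_to_config(text):
    """Fold 'set' lines into the nested dict config.gateway.json uses: every word
    is a path node and the last word is the leaf value. Session commands
    ('configure', 'commit ; exit') are not configuration and are skipped."""
    config = {}
    for raw in text.splitlines():
        parts = raw.split()
        if not parts or parts[0] != "set":
            continue
        *path, leaf, value = parts[1:]  # raises ValueError on a malformed line
        node = config
        for key in path:
            node = node.setdefault(key, {})
            if not isinstance(node, dict):
                raise ValueError(f"{key!r} is already a leaf value: {raw!r}")
        if isinstance(node.get(leaf), dict):
            raise ValueError(f"{leaf!r} is already a subtree: {raw!r}")
        node[leaf] = value
    return config

def lint_pbr(config):
    """Checks taken from the article's notes: table 1 is off limits, and every
    table a modify rule points at must exist under 'protocols static table'."""
    defined = set(config.get("protocols", {}).get("static", {}).get("table", {}))
    warnings = []
    for policy, body in config.get("firewall", {}).get("modify", {}).items():
        for number, rule in body.get("rule", {}).items():
            table = rule.get("modify", {}).get("table")
            if table == "1":
                warnings.append(f"{policy} rule {number} uses reserved table 1")
            elif table is not None and table not in defined:
                warnings.append(f"{policy} rule {number} uses undefined table {table}")
    return warnings
```

`json.dumps(set_lines_to_config(CLI_SET_LINES), indent=2)` gives the object to merge into config.gateway.json; run `lint_pbr` on it before provisioning.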