  • OPNsense Forum »
  • English Forums »
  • General Discussion »
  • Policy based routing: what are the options?

Author Topic: Policy based routing: what are the options?  (Read 16154 times)

Jeroen1000
Policy based routing: what are the options?
« on: July 30, 2018, 11:36:21 am »
Hi,

I've got 2 VPN-tunnels enabled. These are not pulling in or configuring a default route. So the only default route in the table is the one pointing to my ISP.

However, I want to set a next-hop IP (or preferably a next-hop interface), i.e. policy routing, based on the source IP.

i.e. host 192.168.200.1 => next hop => send traffic to VPN_int_1
host 192.168.200.2 => next hop => send traffic to VPN_int_2

Traffic not matching those 2 rules will use the default route in the routing table pointing to the ISP. Hence, traffic that has not been matched will not go to any of the VPN-tunnels.

In Linux there are 2 options for achieving the same thing:

- Mark a packet in the "prerouting" chain and put a second default route in the routing table which will only be used if the packet mark is present
- Bypass the main routing table and set a next hop interface (or ip) in "prerouting".

So both are policy based routing mechanisms. I can't find anything in the documentation that will allow me to do this. Am I missing something?
mimugmail
Re: Policy based routing: what are the options?
« Reply #1 on: July 30, 2018, 12:12:36 pm »
You have to create a gateway with the P2P IP (mark as far gateway) and then set this gateway in a firewall rule.
WWW: www.routerperformance.net
Support plans: https://www.max-it.de/en/it-services/opnsense/
Commercial Plugins (German): https://opnsense.max-it.de/

Jeroen1000
Re: Policy based routing: what are the options?
« Reply #2 on: July 30, 2018, 12:37:45 pm »
Thanks, I'll try that! What also seems to be an option after a fair bit of googling is https://forum.opnsense.org/index.php?topic=4979.msg19771#msg19771

So that's 2 options :)!

Jeroen1000
Re: Policy based routing: what are the options?[with regards to VPN-tunnels]
« Reply #3 on: July 31, 2018, 08:18:00 am »
Quote from: mimugmail on July 30, 2018, 12:12:36 pm
You have to create a gateway with the P2P IP (mark as far gateway) and then set this gateway in a firewall rule.

I couldn't quite figure out what you meant with that.

For future reference to others with respect to OpenVPN tunnels specifically: I followed the instructions of FMSTRAT here https://forum.netgate.com/topic/65970/solved-routing-some-traffic-static-ips-through-openvpn-over-pia/5

However, the general idea should also apply to PBR'ing traffic to Openconnect tunnels (which I'm also trying).

Some remarks that are not evident in the above link:

1) The VPN gateways are automatically created under System > Gateways as soon as a tunnel comes up. I did give them a better description.
Checking "Far Gateway" was not needed.
2) You need to assign the ovpnc interfaces (they are virtual) by adding them under Interfaces > Assignments. You can rename them from OPTx (x is a number) to whatever you want. If you don't assign them, you cannot use them in the Firewall or NAT rules.
The following should be evident from the link:
3) The Firewall LAN rules seem to do the PBR part, and there you have to use the VPN gateways as described in the link.
4) You also need to NAT the LAN IPs under Firewall > NAT Outbound. You do this for the same IPs you used in the Firewall LAN rules.

I PBR'd 2 LAN IPs and it seems to work. But you can also create an alias where you can add many more IPs instead of creating many LAN FW and NAT rules. Keep it tidy :)

PS: I hope posting that link is allowed though.

mimugmail
Re: Policy based routing: what are the options?
« Reply #4 on: July 31, 2018, 08:32:18 am »
It's allowed, but the one-liner does the same. You don't have to assign interfaces (which can break the system). Create a gateway and mark as far (since there is no IF) .. then you can set it in firewall rules as you described yourself..

Jeroen1000
Re: Policy based routing: what are the options?
« Reply #5 on: July 31, 2018, 02:11:05 pm »
I see, I'm going to give it a second try in that case. Note the IP is dynamic, but it looks like I can just fill in the word "dynamic" without actually having to type an IP.

Jeroen1000
Re: Policy based routing: what are the options?
« Reply #6 on: August 01, 2018, 03:15:28 pm »
Quote from: mimugmail on July 31, 2018, 08:32:18 am
It's allowed, but the one-liner does the same. You don't have to assign interfaces (which can break the system). Create a gateway and mark as far (since there is no IF) .. then you can set it in firewall rules as you described yourself..

I can see how to use the GW in the LAN FW rules. But what is the translation target for outbound NAT? You fill in the virtual address of the tunnel? This does not seem to work for me, as I still get to see the public IP from my ISP.

mimugmail
Re: Policy based routing: what are the options?
« Reply #7 on: August 01, 2018, 03:40:59 pm »
outbound nat .. manual rule .. interface openconnect .. src: lan, dst: any, translated interface address ...

Jeroen1000
Re: Policy based routing: what are the options?
« Reply #8 on: August 01, 2018, 04:00:20 pm »
Hmm, I did try that with interface OpenVPN (via the GUI), but it didn't work. Perhaps I missed something. It definitely was not NATting.

mimugmail
Re: Policy based routing: what are the options?
« Reply #9 on: August 01, 2018, 05:12:48 pm »
Hm, with OpenVPN you have multiple IFs in system but only one in GUI .. that can't work.
What happens when you set IPs manually?

Jeroen1000
Re: Policy based routing: what are the options?
« Reply #10 on: August 01, 2018, 05:43:13 pm »
I suspected that. Unless you assign them, then they pop up.

Well, I'm still looking into what exactly happens. If I set the VPN-GW IP (the private one of course) and I NAT to that... surfing just works, but traffic skips the VPN. So I'm going to give it one more shot and see whether I can pinpoint what happens. But since the VPN private IP is dynamic, it won't be a reliable solution.
« Last Edit: August 01, 2018, 05:45:09 pm by Jeroen1000 »
mimugmail
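To make the GUI steps in Reply #3 (gateway in the LAN firewall rule plus an outbound NAT rule), the NAT one-liner in Reply #7 and the dynamic-address concern in Reply #10 concrete, here is an added example that is not part of the thread and not OPNsense code: a small POSIX sh script that prints the pf(4) rules those steps correspond to. OPNsense writes its own pf.conf from the GUI, so this is for reading alongside the thread (or for a syntax check with `pfctl -nf` on a test box), not for loading into a live OPNsense. The LAN interface name `lan`, the tunnel interfaces `ovpnc1`/`ovpnc2`, the gateway addresses and the second host are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): emit the pf(4) equivalent of the GUI
# steps: a per-host policy-routing rule on the LAN interface ("route-to" the
# tunnel interface and its point-to-point gateway, which is what setting a
# gateway on an OPNsense firewall rule produces) plus the matching outbound
# NAT rule on the tunnel interface. Every host, interface and gateway is a
# constructed placeholder.
#
# Two pf properties drive the layout: "quick" makes these rules win before the
# generic LAN allow rule, and translation (nat) rules must precede filter rules
# in pf.conf, so NAT lines are printed first. Unmatched traffic is untouched
# and keeps following the main routing table (the ISP default route).

# Validate a dotted-quad IPv4 address before it lands in a rule.
# Runs in a subshell so changing IFS and the positional parameters stays local.
is_ipv4() (
    case $1 in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    IFS=.
    set -- $1
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
)

# Filter rule: pbr_rule <lan_if> <src_host> <tunnel_if> <tunnel_gw>
# Bypasses the routing table for this source and hands the packet to the tunnel.
pbr_rule() {
    printf 'pass in quick on %s route-to (%s %s) inet from %s to any keep state\n' \
        "$1" "$3" "$4" "$2"
}

# NAT rule: nat_rule <src_host> <tunnel_if>
# "(ifname)" tells pf to track the interface address at runtime, which is what
# makes this hold up when the tunnel's inner IP changes on reconnect.
nat_rule() {
    printf 'nat on %s inet from %s to any -> (%s)\n' "$2" "$1" "$2"
}

# Read "host tunnel_if tunnel_gw" triples from stdin and print the fragment.
# Usage: printf '192.168.200.1 ovpnc1 10.8.0.1\n' | gen_pbr_rules lan
gen_pbr_rules() {
    lan_if=$1
    nat_lines=""
    pass_lines=""
    while read -r src tun_if gw; do
        [ -z "$src" ] && continue
        if ! is_ipv4 "$src" || ! is_ipv4 "$gw"; then
            printf 'invalid address in mapping: %s %s\n' "$src" "$gw" >&2
            return 1
        fi
        nat_lines="${nat_lines}$(nat_rule "$src" "$tun_if")
"
        pass_lines="${pass_lines}$(pbr_rule "$lan_if" "$src" "$tun_if" "$gw")
"
    done
    printf '%s%s' "$nat_lines" "$pass_lines"
}

# Stand-alone run with the two hosts from the opening post and constructed
# tunnel names/gateways.
printf '192.168.200.1 ovpnc1 10.8.0.1\n192.168.200.2 ovpnc2 10.9.0.1\n' \
    | gen_pbr_rules lan
```

The per-host pairing is the point: a `route-to` rule without the NAT rule on the same tunnel interface sends packets out with a LAN source address the VPN provider will not route back, which matches the "surfing works but skips the VPN / no NATting" symptoms reported above. For many hosts, the same two lines are generated per entry; in the GUI that is where the alias suggested in Reply #3 keeps the rule set short.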
Re: Policy based routing: what are the options?
« Reply #11 on: August 01, 2018, 06:30:59 pm »
True, but to be honest, we can't always move our code when other VPN hosters do their own thing. I'll think about this and how to solve it.

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved