5-tuple PBR matching in the docs, Is it configurable? how?

elico · August 6, 2019, 3:25pm

I have seen in the wiki https://wiki.vyos.net/wiki/User_Guide the next phrase:

VyOS supports Policy Routing, allowing traffic to be assigned to a different routing table. Traffic can be matched using standard 5-tuple matching (source address, destination address, protocol, source port, destination port).

And was wondering how exactly I am configuring 5-tuple based PBR?

rob · August 6, 2019, 4:47pm

Hi elico,

Theoretical this is possible, but uncommon. When i think about random source ports.
I think this sentense mean, that this 5 matches are possible.
What do you want to do?

The wiki is currently migrated to readthedocs, see the PBR part:
https://vyos.readthedocs.io/en/latest/routing/pbr.html

elico · August 6, 2019, 6:06pm

The wiki and the readthedocs has the same content regarding 5-tuple.
Nothing technical about ECMP or any routing related concepts such as weight.

What would happen if I am adding two next-hops?
Can VyOS be used as a load balancer for an AnyCast array of hosts?
… if it will route based on 5-tuple(srcip,dstip,proto,srcport,dstport) I can assume that it would be possible to advertise from an AnyCast array of hosts into VyOS with BGP and expect traffic routing to be static per 5-tuple.
(this is how it’s done on other Routing platforms)

rob · August 6, 2019, 7:18pm

Hi,

i have understand, that your vyos router will the gateway from your clients to the anycast host. Or the reversed way?

you define you matching criteria and set a routing table, in this table you have the next hop ip. Each rule can have oder matching criteria and an other routing table set.

you also can take a lock on https://vyos.readthedocs.io/en/latest/load-balancing.html
but i’m not sure if this fits your needs.

elico · August 6, 2019, 7:33pm

@rob The other way, this can be a border GW for a network of hosts.

clients <cloud> VyOS ---> <array of AnyCast hosts(such as DNS)>

These AnyCast hosts advertise to VyOS the same address using BGP.
The result should be a routing tables with let say multiple 8.8.8.8 addresses to couple next-hops with the same weight.

It’s not a LB for a network but for a border GW LB into the network.
This: https://docs.cumulusnetworks.com/cumulus-linux/Network-Solutions/Anycast-Design-Guide/
Might help to understand what it’s for…

elico · August 7, 2019, 7:56pm

This might shed some light:
https://patchwork.ozlabs.org/patch/735824/

sysctl -w net.ipv4.fib_multipath_hash_policy=1

elico · August 15, 2019, 3:49am

@rob , anyone?
Is this hash policy tunable from VyOS CLI and no hacks?

rob · August 15, 2019, 3:51pm

hey, sorry i asume you have set the sysctl setting already to your device.
If you want to set this sysctl option permanently you should use:

set system sysctl custom net.ipv4.fib_multipath_hash_policy value 1

system · August 17, 2019, 7:04pm

This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.