Assistance regarding the PBR (Policy based routing) using the extended ACL

Assistance is required regarding PBR (policy-based routing) using an extended ACL.
My agenda is to route traffic to different destination IP addresses based on the source, destination and destination protocol.

Scenario:
Route-map PBR has been created, in which the access-list should match and traffic should be routed to different destinations:

1- Traffic from source 10.10.10.10 to destination 20.20.20.20 and destination port 22 (ssh) should be routed to the next hop 30.30.30.45.
2- Traffic from source 10.10.10.10 to destination 20.20.20.20 and destination port 443 (https) should be routed to the next hop 30.30.30.50.

Here is an example:

set policy route ROUTE22 interface 'eth2'
set policy route ROUTE22 rule 10 destination address '20.20.20.20'
set policy route ROUTE22 rule 10 destination port '22'
set policy route ROUTE22 rule 10 protocol 'tcp'
set policy route ROUTE22 rule 10 set table '10'
set policy route ROUTE22 rule 10 source address '10.10.10.10'
set protocols static table 10 route 0.0.0.0/0 next-hop 30.30.30.45

In the same way, use another rule with another table and gateway.


Is there a possibility of doing this using route-maps? I'm not able to configure a port in the extended ACL.
set policy access-list 2001 description 'test'
set policy access-list 2001 rule 1 action 'permit'
set policy access-list 2001 rule 1 destination any
set policy access-list 2001 rule 1 source host '10.11.17.200'

set policy route-map PBR description 'First PBR'
set policy route-map PBR rule 1 action 'permit'
set policy route-map PBR rule 1 match ip address access-list '2001'
set policy route-map PBR rule 1 match ip nexthop
set policy route-map PBR rule 1 set ip-next-hop '10.11.19.45'

Access lists are used for routing protocols like BGP/OSPF and are not used for the firewall.
You can use groups:

vyos@r14# set policy route foo rule 10 source group
Possible completions:
   address-group        Group of addresses
   domain-group         Group of domains
   mac-group            Group of MAC addresses
   network-group        Group of networks
   port-group           Group of ports

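As an added worked example (not configuration posted by either replier or by the original poster), here is the complete two-rule version of the `policy route` + `set table` approach from the first reply, combined with the port-group suggestion from the second reply. Everything beyond the addresses and ports given in the question is an assumption: VyOS 1.3-style syntax, `eth2` as the interface on which the 10.10.10.10 traffic enters the router, tables 10 and 20, the policy name `PBR`, and the port-group name `HTTPS`.

```vyos
# Added example, not from the thread. Assumptions: VyOS 1.3+ syntax, ingress
# interface eth2, table numbers 10/20, policy name PBR, port-group name HTTPS.

# A port group keeps the rule stable if more HTTPS-style ports are added later
set firewall group port-group HTTPS port '443'

# One policy with two rules, attached to the ingress interface of the source host.
# (On VyOS 1.2 the attachment is done with:
#   set interfaces ethernet eth2 policy route PBR)
set policy route PBR interface 'eth2'

# Rule 10: 10.10.10.10 -> 20.20.20.20 tcp/22 is looked up in table 10
set policy route PBR rule 10 description 'ssh to 20.20.20.20 via 30.30.30.45'
set policy route PBR rule 10 protocol 'tcp'
set policy route PBR rule 10 source address '10.10.10.10'
set policy route PBR rule 10 destination address '20.20.20.20'
set policy route PBR rule 10 destination port '22'
set policy route PBR rule 10 set table '10'

# Rule 20: same hosts, tcp/443 via the port group, looked up in table 20
set policy route PBR rule 20 description 'https to 20.20.20.20 via 30.30.30.50'
set policy route PBR rule 20 protocol 'tcp'
set policy route PBR rule 20 source address '10.10.10.10'
set policy route PBR rule 20 destination address '20.20.20.20'
set policy route PBR rule 20 destination group port-group 'HTTPS'
set policy route PBR rule 20 set table '20'

# Each table carries only a default route pointing at its own next-hop
set protocols static table 10 route 0.0.0.0/0 next-hop '30.30.30.45'
set protocols static table 20 route 0.0.0.0/0 next-hop '30.30.30.50'

commit
save
```

The `protocol 'tcp'` line is required in each rule, since a port match is meaningless without a transport protocol. After `commit`, confirm the kernel actually has the pieces with `sudo ip rule show` (the policy marks should map to lookups of tables 10 and 20) and `sudo ip route show table 10` / `table 20`. The second check matters for the security intent of this kind of PBR: if a next-hop is unreachable, its static route is not installed, the table is empty, and Linux policy routing falls through to the next rule and finally the main table, so the matched traffic is forwarded along the normal path instead of being dropped. If the goal is to force SSH or HTTPS through an inspection or jump host rather than merely to prefer that path, that silent fallback is exactly what you must test for.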