Pbr-maps via VETH links

Hello,

I am currently dropping PPP sessions into a network namespace “NS1” via RADIUS, and I’ve got a default route in this namespace into the main routing table via a VETH link:

VRF NS1:
K>* 0.0.0.0/0 [0/0] via 10.200.1.1, v-peer1, 02:48:47
C>* 10.111.1.0/30 is directly connected, v-peer2, 02:48:47
C>* 10.200.1.0/30 is directly connected, v-peer1, 02:48:47
C>* 10.200.1.2/32 is directly connected, v-peer1, 02:48:47
C>* 192.168.1.1/32 is directly connected, ppp0, 02:48:47
K>* 192.168.34.0/29 [0/0] is directly connected, ppp0, 02:48:47

VETH link information is the following: v-peer1 (NS1) <-> v-eth1 (default main table)
Network: 10.200.1.0/30
v-peer1 = 10.200.1.2
v-eth1 = 10.200.1.1

This is working perfectly fine. This is also allowing me to perform PREROUTING in iptables to mark web traffic into “table 100” which will then send all destination traffic via a GRE tunnel towards my web proxy:

ip rule add fwmark 100 table 100
iptables -t mangle -A PREROUTING -i v-eth1 -p tcp -m tcp --dport 80 -j MARK --set-mark 100
iptables -t mangle -A PREROUTING -i v-eth1 -p tcp -m tcp --dport 443 -j MARK --set-mark 100

What I’m now trying to achieve is whitelisting source IP addresses within the network namespace “NS1” from being pre-routed via the iptables rules, by forcing specific source IP addresses via a different VETH link into the main routing table.

I tried to action the following:

Created another VETH link: v-peer2 (NS1) <-> v-eth11 (main routing table)
Network: 10.111.1.0/30
v-peer2 = 10.111.1.2
v-eth11 = 10.111.1.1

Created a pbr-map within FRR:

pbr-map Whitelist seq 10
match src-ip 192.168.1.1/32
set nexthop 10.111.1.1

Applied the PBR to the interface all destination traffic will go through by default:

interface v-peer1 vrf NS1
pbr-policy Whitelist

This should then force traffic to go via the secondary VETH link, which doesn’t have any PREROUTING enabled.

However, in tests from my DSL circuit (192.168.1.1) I still get web filtering. When I ping 10.111.1.1 from the DSL circuit and perform a tcpdump on v-eth11 (VETH link), I can see the ICMP packets coming inbound on the v-eth11 interface as expected. However, when I perform a tcpdump on v-eth11 and try to browse web pages, I still have traffic being forced to my web proxy.

Here is a copy of the FRR config:

Current configuration:
!
frr version 7.4-dev-20200118-04-g9e1ecdbaa
frr defaults traditional
hostname vyos
log syslog informational
service integrated-vtysh-config
!
ip route 0.0.0.0/0 x.x.x.x
ip route 0.0.0.0/0 tun100 table 100
!
vrf NS1
netns /run/netns/NS1
exit-vrf
!
interface tun100
ip ospf network broadcast
!
interface v-peer1 vrf NS1
pbr-policy Whitelist
!
router bgp 65599
neighbor 10.200.1.2 remote-as 65599
!
router bgp 65599 vrf NS1
neighbor 10.200.1.1 remote-as 65599
!
address-family ipv4 unicast
redistribute connected
exit-address-family
!
pbr-map Whitelist seq 10
match src-ip 192.168.1.1/32
set nexthop 10.111.1.1
!
line vty
!
end

Is what I am trying to achieve possible?
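As an added example (not part of the original post or of FRR), the script below rebuilds the two-VETH topology and fwmark rules from the post and then asks the namespace's FIB directly, with "ip route get ... from ... iif ...", which VETH it would pick for the whitelisted source, instead of inferring it from tcpdump. It assumes FRR has already installed the pbr-map as a kernel rule in NS1 (FRR keys such rules on the receiving interface, which is why the check passes "iif"); the constructed destination 198.51.100.10 and the "apply" argument are the example's own.

```shell
#!/bin/sh
# Added example: reproduce the poster's topology and check which VETH the
# kernel selects for 192.168.1.1, rather than inferring it from tcpdump.
set -eu
NS=NS1

setup_veths() {
  # v-peer1 (NS1) <-> v-eth1 (main), v-peer2 (NS1) <-> v-eth11 (main)
  ip netns add "$NS" 2>/dev/null || true
  ip link add v-eth1  type veth peer name v-peer1 netns "$NS"
  ip link add v-eth11 type veth peer name v-peer2 netns "$NS"
  ip addr add 10.200.1.1/30 dev v-eth1  && ip link set v-eth1  up
  ip addr add 10.111.1.1/30 dev v-eth11 && ip link set v-eth11 up
  ip -n "$NS" addr add 10.200.1.2/30 dev v-peer1
  ip -n "$NS" addr add 10.111.1.2/30 dev v-peer2
  ip -n "$NS" link set v-peer1 up
  ip -n "$NS" link set v-peer2 up
  # Default route out of the namespace via the first VETH, as in the post
  ip -n "$NS" route add default via 10.200.1.1 dev v-peer1
}

mark_web_traffic() {
  # Main table: mark web traffic arriving from NS1 on v-eth1 and send
  # marked packets via table 100 (the GRE tunnel to the proxy).
  ip rule add fwmark 100 table 100
  iptables -t mangle -A PREROUTING -i v-eth1 -p tcp --dport 80  -j MARK --set-mark 100
  iptables -t mangle -A PREROUTING -i v-eth1 -p tcp --dport 443 -j MARK --set-mark 100
}

# Extract the "dev" field from "ip route get" output (pure POSIX sh, so it
# can be exercised on captured output without root or namespaces).
egress_dev() {
  set -- $1
  while [ $# -gt 1 ]; do
    [ "$1" = dev ] && { printf '%s\n' "$2"; return 0; }
    shift
  done
  return 1
}

# $1 = source IP, $2 = interface the packet enters NS1 on, $3 = destination.
# PBR rules are matched on the ingress interface, so "iif" must be given.
check_source() {
  egress_dev "$(ip -n "$NS" route get "$3" from "$1" iif "$2")"
}

if [ "${1:-}" = "apply" ]; then
  setup_veths
  mark_web_traffic
  ip -n "$NS" rule show    # rules FRR installed for the pbr-policy appear here
  echo "192.168.1.1 -> $(check_source 192.168.1.1 ppp0 198.51.100.10)"
fi
```

Run as root with `apply` on a test box: if the pbr-policy matched, the last line reports v-peer2; v-peer1 means the packet still follows the default route and will hit the PREROUTING marks.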