Hello,
I am currently dropping PPP sessions into a network namespace “NS1” via RADIUS, and I’ve got a default route in this namespace into the main routing table via a VETH link:
VRF NS1:
K>* 0.0.0.0/0 [0/0] via 10.200.1.1, v-peer1, 02:48:47
C>* 10.111.1.0/30 is directly connected, v-peer2, 02:48:47
C>* 10.200.1.0/30 is directly connected, v-peer1, 02:48:47
C>* 10.200.1.2/32 is directly connected, v-peer1, 02:48:47
C>* 192.168.1.1/32 is directly connected, ppp0, 02:48:47
K>* 192.168.34.0/29 [0/0] is directly connected, ppp0, 02:48:47
VETH link information is the following v-peer1 (NS1) ↔ v-eth1 (default main table)
Network: 10.200.1.0/30
v-peer1 = 10.200.1.2
v-eth1 = 10.200.1.1
This is working perfectly fine. This is also allowing me to perform PREROUTING in iptables to mark web traffic into “table 100” which will then send all destination traffic via a GRE tunnel towards my web proxy:
ip rule add fwmark 100 table 100
iptables -t mangle -A PREROUTING -i v-eth1 -p tcp -m tcp --dport 80 -j MARK --set-mark 100
iptables -t mangle -A PREROUTING -i v-eth1 -p tcp -m tcp --dport 443 -j MARK --set-mark 100
What I’m now trying to achieve is whitelisting source IP addresses within the network namespace “NS1” from being pre-routed via the iptables rules, by forcing specific source IP addresses via a different VETH link into the main routing table.
I tried to action the following:
Created another VETH link: v-peer2 (NS1) ↔ v-eth11 (main routing table)
Network: 10.111.1.0/30
v-peer2 = 10.111.1.2
v-eth11 = 10.111.1.1
Created a pbr-map within FRR:
pbr-map Whitelist seq 10
match src-ip 192.168.1.1/32
set nexthop 10.111.1.1
Applied the PBR to the interface all destination traffic will go through by default:
interface v-peer1 vrf NS1
pbr-policy Whitelist
This should then force traffic to go via the secondary VETH link, which doesn’t have any PREROUTING enabled.
However, in tests from my DSL circuit (192.168.1.1) I still get web filtering. When I ping 10.111.1.1 from the DSL circuit and perform a tcpdump on v-eth11 (VETH link) I can see the ICMP packets coming inbound on the v-eth11 interface as expected. However, when I perform a tcpdump on v-eth11 and try to browse web pages, I still have traffic being forced to my web proxy.
Here is a copy of the FRR config:
Current configuration:
!
frr version 7.4-dev-20200118-04-g9e1ecdbaa
frr defaults traditional
hostname vyos
log syslog informational
service integrated-vtysh-config
!
ip route 0.0.0.0/0 x.x.x.x
ip route 0.0.0.0/0 tun100 table 100
!
vrf NS1
netns /run/netns/NS1
exit-vrf
!
interface tun100
ip ospf network broadcast
!
interface v-peer1 vrf NS1
pbr-policy Whitelist
!
router bgp 65599
neighbor 10.200.1.2 remote-as 65599
!
router bgp 65599 vrf NS1
neighbor 10.200.1.1 remote-as 65599
!
address-family ipv4 unicast
redistribute connected
exit-address-family
!
pbr-map Whitelist seq 10
match src-ip 192.168.1.1/32
set nexthop 10.111.1.1
!
line vty
!
end
Is what I am trying to achieve possible?
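An added example, not code from the post nor from FRR or VyOS: a small Python model of the Linux policy-routing lookup, loaded with the NS1 routing table quoted above, to reason about where an FRR pbr-policy takes effect. FRR installs "interface X / pbr-policy NAME" as a rule that matches packets arriving on interface X (an iif selector), so the map is only consulted for traffic that ingresses the bound interface. The model walks the rules in priority order, does a longest-prefix match in the selected table, and reports the egress interface for two constructed packets from the subscriber 192.168.1.1: one browsing to a web server and one pinging 10.111.1.1. The rule priorities, the table name "Whitelist", the web server address 203.0.113.10 (documentation range) and the parsed line shapes are assumptions of the model.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

IPv4Net = ipaddress.IPv4Network
IPv4Addr = ipaddress.IPv4Address


@dataclass
class Route:
    prefix: IPv4Net
    dev: str
    via: Optional[IPv4Addr] = None   # None means directly connected


@dataclass
class Rule:
    """One policy-routing rule, evaluated in ascending priority order."""
    priority: int
    table: str
    iif: Optional[str] = None        # ingress-interface selector (what pbr-policy binds)
    src: Optional[IPv4Net] = None    # source-prefix selector (match src-ip)
    fwmark: Optional[int] = None


@dataclass
class Packet:
    src: IPv4Addr
    dst: IPv4Addr
    iif: str                         # interface the packet arrived on
    fwmark: int = 0


# Line shapes of FRR "show ip route" output as quoted in the post, e.g.
#   K>* 0.0.0.0/0 [0/0] via 10.200.1.1, v-peer1, 02:48:47
#   C>* 10.200.1.0/30 is directly connected, v-peer1, 02:48:47
_VIA = re.compile(r"^\S+\s+(?P<prefix>\S+)(?:\s+\[\d+/\d+\])?\s+via\s+(?P<nh>\S+),\s+(?P<dev>\S+),")
_CONN = re.compile(r"^\S+\s+(?P<prefix>\S+)(?:\s+\[\d+/\d+\])?\s+is directly connected,\s+(?P<dev>\S+),")


def parse_frr_route(line: str) -> Route:
    """Parse one FRR 'show ip route' line into a Route (assumed line shapes)."""
    line = line.strip()
    m = _VIA.match(line)
    if m:
        return Route(IPv4Net(m["prefix"]), m["dev"], IPv4Addr(m["nh"]))
    m = _CONN.match(line)
    if m:
        return Route(IPv4Net(m["prefix"]), m["dev"])
    raise ValueError(f"unrecognised route line: {line!r}")


def lookup(table, dst: IPv4Addr) -> Optional[Route]:
    """Longest-prefix match of dst within a single table."""
    best = None
    for r in table:
        if dst in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def policy_route(rules, tables, pkt: Packet):
    """First rule whose selectors match and whose table holds a route wins;
    a matching rule with no usable route falls through, as in Linux."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.iif is not None and rule.iif != pkt.iif:
            continue
        if rule.src is not None and pkt.src not in rule.src:
            continue
        if rule.fwmark is not None and rule.fwmark != pkt.fwmark:
            continue
        route = lookup(tables[rule.table], pkt.dst)
        if route is not None:
            return rule.table, route
    return None, None


# Routing table of VRF NS1, exactly as quoted in the post.
NS1_ROUTES = [parse_frr_route(l) for l in """
K>* 0.0.0.0/0 [0/0] via 10.200.1.1, v-peer1, 02:48:47
C>* 10.111.1.0/30 is directly connected, v-peer2, 02:48:47
C>* 10.200.1.0/30 is directly connected, v-peer1, 02:48:47
C>* 10.200.1.2/32 is directly connected, v-peer1, 02:48:47
C>* 192.168.1.1/32 is directly connected, ppp0, 02:48:47
K>* 192.168.34.0/29 [0/0] is directly connected, ppp0, 02:48:47
""".strip().splitlines()]

# Table that "pbr-map Whitelist ... set nexthop 10.111.1.1" resolves to: a
# default route via 10.111.1.1 on v-peer2. Table name and rule priorities are
# assumed for the model; FRR allocates its own numeric ids.
WHITELIST_ROUTES = [Route(IPv4Net("0.0.0.0/0"), "v-peer2", IPv4Addr("10.111.1.1"))]
TABLES = {"NS1": NS1_ROUTES, "Whitelist": WHITELIST_ROUTES}


def egress_for(pbr_iface: str, pkt: Packet):
    """Model 'interface <pbr_iface> / pbr-policy Whitelist': the map becomes a
    rule keyed on packets ingressing pbr_iface. Returns (table, egress dev)."""
    rules = [
        Rule(priority=300, table="Whitelist", iif=pbr_iface, src=IPv4Net("192.168.1.1/32")),
        Rule(priority=32766, table="NS1"),   # the VRF's own table, like 'main'
    ]
    table, route = policy_route(rules, TABLES, pkt)
    return table, route.dev


# Constructed packets from the DSL subscriber, both arriving in NS1 on ppp0:
# a web request to 203.0.113.10 (documentation range) and a ping to 10.111.1.1.
WEB = Packet(IPv4Addr("192.168.1.1"), IPv4Addr("203.0.113.10"), iif="ppp0")
PING = Packet(IPv4Addr("192.168.1.1"), IPv4Addr("10.111.1.1"), iif="ppp0")

if __name__ == "__main__":
    for bound in ("v-peer1", "ppp0"):
        print(f"policy on {bound}: web -> {egress_for(bound, WEB)}, ping -> {egress_for(bound, PING)}")
```

With the policy bound to v-peer1, the web packet never matches the rule (it ingresses ppp0), falls through to the NS1 table and leaves via v-peer1 towards 10.200.1.1, which is exactly where the PREROUTING marks on v-eth1 pick it up. The ping reaches v-peer2 either way because 10.111.1.0/30 is a connected route, so that test cannot tell whether the map is being hit.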