Policy based routing, router not responding on vif address

DanFoster · September 18, 2019, 4:34pm

I’m trying to apply policy based routing so that my VyOS installation responds correctly on all of its 802.1Q vifs. I’ve followed the example in the documentation, but it doesn’t seem to be working.

The relevant parts of the config are:

interfaces {
    ethernet eth0 {
        duplex auto
        hw-id 52:54:00:8b:6b:61
        smp-affinity auto
        speed auto
        vif 206 {
            address 1xx.1xx.96.39/23
            policy {
                route PBR
            }
        }
        vif 298 {
            address 172.24.1.4/22
            policy {
                route PBR
            }
        }
    }
    ethernet eth1 {
        address 10.10.10.6/24
        duplex auto
        hw-id 52:54:00:f1:7b:c2
        smp-affinity auto
        speed auto
    }
}
policy {
    route PBR {
        rule 156 {
            set {
                table 156
            }
            source {
                address 1xx.1xx.96.0/23
            }
        }
        rule 198 {
            set {
                table 198
            }
            source {
                address 172.24.0.0/22
            }
        }
    }
}
protocols {
    static {
        route 0.0.0.0/0 {
            next-hop 172.24.3.254 {
            }
        }
        table 156 {
            route 0.0.0.0/0 {
                next-hop 1xx.1xx.96.1 {
                }
            }
        }
        table 198 {
            route 0.0.0.0/0 {
                next-hop 172.24.3.254 {
                }
            }
        }
    }
}

show policy shows the rules and that they’re active on the vifs, but they don’t seem to be getting used.

$ show policy route PBR

-----------------------------
Rulesets Information
-----------------------------

IPv4 Policy Route "PBR":

 Active on (eth0.206,ROUTE) (eth0.298,ROUTE)

rule  action   proto     packets  bytes                                   
----  ------   -----     -------  -----                                   
156   set      all       5806     876194                                  
  condition - saddr 1xx.1xx.96.0/23 daddr 0.0.0.0/0                             

198   set      all       621      80028                                   
  condition - saddr 172.24.0.0/22 daddr 0.0.0.0/0                               

10000 drop     all       31868    3048090                                 
  condition - saddr 0.0.0.0/0 daddr 0.0.0.0/0

The router isn’t responding to a ping from out on the internet to 1xx.1xx.96.39, and I can’t work out how to make it do so. Beyond pinging, I’d like to run some other things into the router and it will need to be contactable from the interenet to do so.

s.lorente · September 25, 2019, 3:23pm

Hi Dan,

Which example did you follow? The one here works ok.
Did you check connectivity without policy-based routing in place?
Can you please provide some more details on your setup?
Where is that connection to the Internet?
What are you trying to achieve?
I see you set as a next-hope for traffic coming from 172.24.0.0/22 an address (172.24.3.254) within the same subnet, was that a mistake?

DanFoster · September 26, 2019, 11:10am

That’s the example I was following, but I ended up building a simpler testbed that’s working fine. No idea what went wrong in the end but it’s all sorted now

mjb · September 29, 2019, 11:45pm

Out of curiousity, did you work out what you did to resolve this? I was researching this exact scenario today, and discovered that vyos does not support local outbound PBR.

However, that said, there is a PR that implements it, but half of the patch was reverted - 4 years ago!

Pull Request
Reversion

mjb · September 29, 2019, 11:54pm

Apparently, being a new user, I can’t post more than 2 links in a reply… so here’s two more relevant to this for those interested:

Bug in Phabricator
Original Bugzilla entry

DanFoster · September 30, 2019, 11:01am

I’m afraid not - I just built a simpler testbed with several vifs and it seemed to work without issue. I guessed that I’d done something strange (though I don’t know what) on the other install and have since wiped it.

DanFoster · October 21, 2019, 8:58am

This has now reared its head again for me. Good work on tracking down the cause, @mjb. I wonder if anyone has a workaround or if any work has been done on the phabricator task?

sd0 · February 22, 2020, 3:38am

This may help

pbr

16again · February 29, 2020, 8:23am

Maybe adding WAN loadbalancer alongside PBR solves the problem of router replying on correct interface.