Putting DHCP default gateway in different routing table

Do you see any issues with my config below if I want to achieve:

  • DSL uplink on eth0.2 with dynamic IP assignment and NAT
  • A WireGuard tunnel, 192.0.2.227/31 peer-to-peer with 192.0.2.226/31, which routes various PUBLIC subnets within 192.0.2.0/24
  • All traffic (local and forwarded!) should first consult the routes from directly attached interfaces, static routes and OSPF
  • All traffic whose source address is not in 192.0.2/24 should be routed via the DSL default gateway
  • All traffic whose source address is in 192.0.2/24 should use a default gateway back via the WireGuard tunnel (“next-hop 192.0.2.226”)
# --- Interfaces ---
# DSL uplink: eth0.2 takes its address from DHCP and is placed in VRF vrf_dsl,
# which is mapped to kernel table 170 at the bottom of this config. The
# DHCP-learned default route therefore ends up in table 170, not in main.
set interfaces ethernet eth0 vif 2 address 'dhcp'
set interfaces ethernet eth0 vif 2 vrf 'vrf_dsl'
# Inside segment on eth0.3; no VRF is assigned, so it stays in the default
# routing context (main table).
set interfaces ethernet eth0 vif 3 address '10.227.79.2/24'
set interfaces loopback lo
# WireGuard tunnel: local end of the 192.0.2.226/31 point-to-point link.
set interfaces wireguard wg0 address '192.0.2.227/31'
# OSPF on the tunnel: point-to-point network type, MD5 authentication, cost 100,
# hello 10s / dead 40s timers set explicitly.
set interfaces wireguard wg0 ip ospf authentication md5 key-id 1 md5-key '***********'
set interfaces wireguard wg0 ip ospf cost '100'
set interfaces wireguard wg0 ip ospf dead-interval '40'
set interfaces wireguard wg0 ip ospf hello-interval '10'
set interfaces wireguard wg0 ip ospf network 'point-to-point'
set interfaces wireguard wg0 ip ospf priority '1'
set interfaces wireguard wg0 ip ospf retransmit-interval '5'
set interfaces wireguard wg0 ip ospf transmit-delay '1'
# Peer: allowed-ips 0.0.0.0/0 lets any destination be sent into the tunnel and
# accepts any source address arriving from this peer (WireGuard cryptokey
# routing); which traffic actually enters the tunnel is decided by the routing
# tables and policy rules below, not by this line.
set interfaces wireguard wg0 peer vultr0 address '***********'
set interfaces wireguard wg0 peer vultr0 allowed-ips '0.0.0.0/0'
set interfaces wireguard wg0 peer vultr0 port '51821'
# --- NAT ---
# Masquerade everything leaving the DSL uplink (eth0.2) behind its DHCP address.
set nat source rule 100 outbound-interface 'eth0.2'
set nat source rule 100 translation address 'masquerade'
# --- Policy routing ---
# Rules are evaluated in rule-number order: 101/102 consult the local and main
# tables first (where connected, static and OSPF routes are expected to live),
# 103 sends anything sourced from 192.0.2.0/24 to table 171 (default via the
# tunnel, see the static route below), and 104 sends everything else to table
# 170 (the DSL VRF, holding the DHCP default).
# NOTE(review): these appear as plain `ip rule` entries; whether they match only
# locally generated traffic or forwarded traffic too is not established by this
# config alone — verify with `ip rule show` and a forwarded test flow.
set policy local-route rule 101 destination '0.0.0.0/0'
set policy local-route rule 101 set table 'local'
set policy local-route rule 102 destination '0.0.0.0/0'
set policy local-route rule 102 set table 'main'
set policy local-route rule 103 destination '0.0.0.0/0'
set policy local-route rule 103 set table '171'
set policy local-route rule 103 source '192.0.2.0/24'
set policy local-route rule 104 destination '0.0.0.0/0'
set policy local-route rule 104 set table '170'
# --- OSPF ---
# Run OSPF in area 0 for 192.0.2.0/24 (i.e. on wg0); eth0.2 is passive so no
# adjacency is attempted towards the DSL side.
# NOTE(review): router-id 10.227.1.2 is not one of the addresses configured on
# this box, which OSPF permits — just confirm it is unique within the area.
set protocols ospf area 0.0.0.0 network '192.0.2.0/24'
set protocols ospf parameters abr-type 'cisco'
set protocols ospf parameters router-id '10.227.1.2'
set protocols ospf passive-interface 'eth0.2'
# --- Static ---
# Table 171 (target of local-route rule 103): default route back through the
# tunnel peer.
set protocols static table 171 route 0.0.0.0/0 next-hop 192.0.2.226
# --- System ---
set system config-management commit-revisions '100'
# Conntrack ALG helpers. NOTE(review): each helper parses protocol payload and
# opens dynamic "related" pinholes for that protocol; keep only the ones that
# are actually in use on this router.
set system conntrack modules ftp
set system conntrack modules h323
set system conntrack modules nfs
set system conntrack modules pptp
set system conntrack modules sip
set system conntrack modules sqlnet
set system conntrack modules tftp
set system console device ttyS0 speed '115200'
set system host-name 'TestGate1'
# Syslog: everything at info, routing protocols at debug (verbose, but handy
# while the routing setup is still being debugged).
set system syslog global facility all level 'info'
set system syslog global facility protocols level 'debug'
set system time-zone 'America/Los_Angeles'
# --- VRF ---
# vrf_dsl is mapped to kernel table 170 (target of local-route rule 104).
# bind-to-all lets sockets bound in the default VRF also accept traffic arriving
# via other VRFs, i.e. via the DSL side. NOTE(review): no firewall rules appear
# in this listing; confirm which local services are meant to be reachable from
# eth0.2 and filter accordingly.
set vrf bind-to-all
set vrf name vrf_dsl table '170'

This seems to work, but I have often already been at the point where I thought it was working and then something else broke / stopped working …

Also, something I am somewhat confused about is set policy local-route. It seems this generates rules that are visible in ip rule show, and those should apply to all traffic, not just locally generated traffic! Is this a mistake in the documentation?