[solved] Set policy route "table" AND "mark"

Hello,

I am using the “policy route” function to set subnet-specific default routes, like so:

set policy route vpn rule 100 destination group network-group '!local-networks'
set policy route vpn rule 100 set table '10'
set policy route vpn rule 100 source address '192.168.10.0/29'

What I would like to achieve now is to set up a custom QoS policy that matches by traffic marking, as has been outlined here: Using the “policy route” and packet marking for custom QoS matches

set policy route vpn rule 100 set mark 100

However, this yields the following error:

commit

[ policy route vpn ]
Firewall configuration error: Can not define more than one “set” parameter per policy route

[[policy route vpn]] failed
Commit failed

Is there any way at all to achieve what I want?

Hello @matzus, did you try to change sequence number for rules? e.g.

set policy route vpn rule 90 destination group network-group '!local-networks'
set policy route vpn rule 90 set mark 100
set policy route vpn rule 90 source address '192.168.10.0/29'
set policy route vpn rule 100 destination group network-group '!local-networks'
set policy route vpn rule 100 set table '10'
set policy route vpn rule 100 source address '192.168.10.0/29'
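The workaround above keeps each rule to a single "set" parameter by placing the mark rule before the table rule. The script below is an added example, not code from the thread or from VyOS: it expands a rule that wants several "set" actions into consecutive single-action rules in that order and emits the corresponding VyOS commands, and it also flags the configuration the commit rejected (two "set" parameters under one rule number). The rule-numbering step, the helper names and the ordering table are assumptions.

```python
# Added example (not from the forum thread or VyOS): expand a policy-route
# rule that needs several "set" actions into consecutive single-action rules,
# as the thread's workaround does, and emit the VyOS "set policy route"
# commands.  Rule numbering, step size and helper names are assumptions.
from dataclasses import dataclass
from collections import defaultdict

# Actions handled here; "mark" and "table" are the two the thread uses.
# Emission order: the mark rule goes first (it does not stop evaluation) and
# the table rule last (it does), mirroring rules 90 and 100 in the thread.
ACTION_ORDER = ("mark", "table")


@dataclass
class Rule:
    matches: dict   # match path -> value, e.g. {"source address": "192.168.10.0/29"}
    actions: dict   # action -> value, e.g. {"mark": "100", "table": "10"}


def quote(value: str) -> str:
    """Single-quote a value with straight quotes, as the VyOS CLI expects."""
    return "'" + value.replace("'", "") + "'"


def expand(policy: str, last_number: int, rule: Rule, step: int = 10) -> list[str]:
    """Return the VyOS set commands implementing `rule`.

    With one action the rule is emitted as-is under `last_number`.  With
    several, one rule per action is emitted; earlier actions in ACTION_ORDER
    get lower numbers (last_number - k*step) so they run first.
    """
    unknown = set(rule.actions) - set(ACTION_ORDER)
    if unknown:
        raise ValueError(f"unsupported set parameter(s): {sorted(unknown)}")
    if not rule.actions:
        raise ValueError("a policy route rule needs at least one set parameter")
    ordered = [a for a in ACTION_ORDER if a in rule.actions]
    first_number = last_number - step * (len(ordered) - 1)
    if first_number <= 0:
        raise ValueError(f"no room below rule {last_number} for {len(ordered)} rules")
    commands = []
    for i, action in enumerate(ordered):
        prefix = f"set policy route {policy} rule {first_number + i * step}"
        for path, value in rule.matches.items():
            commands.append(f"{prefix} {path} {quote(value)}")
        commands.append(f"{prefix} set {action} {quote(rule.actions[action])}")
    return commands


def check_single_set(commands: list[str]) -> list[int]:
    """Return rule numbers carrying more than one 'set' parameter.

    This is the condition VyOS rejects at commit time with
    'Can not define more than one "set" parameter per policy route'.
    """
    actions_by_rule = defaultdict(set)
    for cmd in commands:
        w = cmd.split()
        # shape: set policy route <name> rule <n> set <action> <value>
        if len(w) >= 8 and w[:3] == ["set", "policy", "route"] \
                and w[4] == "rule" and w[6] == "set":
            actions_by_rule[int(w[5])].add(w[7])
    return sorted(n for n, acts in actions_by_rule.items() if len(acts) > 1)


if __name__ == "__main__":
    # Constructed input matching the thread's rule 100 with both actions.
    wanted = Rule(
        matches={"destination group network-group": "!local-networks",
                 "source address": "192.168.10.0/29"},
        actions={"mark": "100", "table": "10"},
    )
    for line in expand("vpn", 100, wanted):
        print(line)
    print("rules with conflicting set parameters:",
          check_single_set(expand("vpn", 100, wanted)))
```

Running it prints the six commands for rules 90 (mark) and 100 (table), and `check_single_set` returns an empty list for them, whereas feeding it the original attempt (both `set table` and `set mark` under rule 100) returns `[100]`.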

Hello Dmitry,

thank you for the quick reply!

Doesn’t “policy route” work similarly to firewall rules, i.e., only the first matching rule is executed?

Hello @matzus,
Yes and no. I think packet MARKing is an exception in this case. I created a lab for this task and saw the following result:

 vyos@GW1:~$ show policy 

-----------------------------
Rulesets Information
-----------------------------
--------------------------------------------------------------------------------
IPv4 Policy Route "vpn":

 Active on (eth0,ROUTE)

rule  action   proto     packets  bytes                                   
----  ------   -----     -------  -----                                   
90    set      all       45       3780                                    
  condition - saddr 172.31.0.0/24 daddr 0.0.0.0/0 dst /* vpn-90 */ MARK set 0x64

100   set      all       45       3780                                    
  condition - saddr 172.31.0.0/24 daddr 0.0.0.0/0 dst /* vpn-100 */             

10000 drop     all       0        0                                       
  condition - saddr 0.0.0.0/0 daddr 0.0.0.0/0

Dear @Dmitry,

this works indeed. Thank you for all your effort, this is excellent support!
