What do I need to set up PBR?


#1

UPDATE: I have resolved my issue and have successfully configured my routing with failover.
UPDATE 2: As it turns out, PBR does require more than what the Brocade and other examples were showing. It was in the EdgeMax config file (not in their guide) that I found the missing piece. NAT rules for each ethX are needed! Here is the EdgeMax guide for anyone interested: https://community.ubnt.com/t5/EdgeMAX-Configuration-Examples/EdgeMAX-Policy-based-routing-source-address-based/ta-p/521923#Other_PBR_Examples

I have been trying to set up PBR in my test environment. I have done it with a few examples, one provided in another thread, and other examples by Brocade and other internet sites (one specifically done with the EdgeMax), but I can’t seem to get even a basic test to work. I can’t route anything from an internal network. I don’t know what is missing, because not one of the examples tells me what is a prerequisite for these configs to work.

My steps are as follows:

  1. set static route tables
  2. set interfaces
  3. set firewall object (one of the examples)
  4. set policy route
  5. apply policy to interface

Is there anything that I am missing? Do I need to do something else, to make PBR properly route my traffic?

I know for a fact that my internal interface is able to communicate with my test client, because I have gone back and tested with load-balancing and NAT routing, and both work fine. But when I try PBR, it does not route the traffic. I even considered that maybe I needed a firewall set up on each interface, so I set up a firewall to allow all traffic, but this did not do anything either. So I am really lost here, I don’t know what is missing.

Anyone got some info on this?


#2

So here is my config:

I have protocols set for table 1 and 2 (I have tried adding a default static route, but that also fails).

    static {
        table 1 {
            route 0.0.0.0/0 {
                next-hop 10.0.1.1 {
                }
            }
        }
        table 2 {
            route 0.0.0.0/0 {
                next-hop 10.10.0.1 {
                }
            }
        }
    }

I have my interfaces set up as eth0 address 10.0.1.2 and eth1 address 10.10.0.2, with two internal networks 172.16.2.1 eth2, and 172.16.2.1 eth3. I have a routing policy ‘src’ with two rules (10, 20) for the two incoming interfaces and the two outgoing interfaces; in on eth2 goes out eth0, in on eth3 goes out eth1.

    route src {
        rule 10 {
            destination {
                address 0.0.0.0/0
            }
            set {
                table 1
            }
            source {
                address 172.16.1.0/24
            }
        }
        rule 20 {
            destination {
                address 0.0.0.0/0
            }
            set {
                table 2
            }
            source {
                address 172.16.2.0/24
            }
        }
    }

This is a replica of the setup example in the Vyatta document Vyatta_PolicyBasedRouting_6.5R1_v01.pdf (found in another post here). Of course, I have used my own IP addresses, but the setup is the same, with two WAN and two LAN interfaces.

    ethernet eth0 {
        address 10.0.1.2/24
        hw-id d2:c0:0b:94:43:1e
    }
    ethernet eth1 {
        address 10.10.0.2/24
        hw-id 4e:4f:d2:61:79:dc
    }
    ethernet eth2 {
        address 172.16.1.1/24
        hw-id fe:2d:70:15:b9:01
        policy {
            route src
        }
    }
    ethernet eth3 {
        address 172.16.2.1/24
        hw-id ea:ee:2f:33:cb:6c
        policy {
            route src
        }
    }
    loopback lo {
    }

The strange thing is that I can reach 10.0.1.2 and 10.10.0.2 from my client, but I can’t reach 10.0.1.1 nor 10.10.0.1. Obviously, I am able to reach these addresses from the router itself, but not from the client.
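The five steps from the first post plus the per-WAN source NAT rules from UPDATE 2, written out as one set of configuration commands for the two-LAN/two-WAN layout above. This is an added example, not configuration posted in the thread; it assumes VyOS 1.2/1.3 `set` syntax (VyOS 1.4 uses `outbound-interface name eth0`, and EdgeOS expresses masquerade as `type masquerade`), reuses the thread's addresses, and the NAT rule numbers are arbitrary. Lines starting with `#` are annotations, not commands.

```vyos
# Step 1: one routing table per WAN, each with its own default route
set protocols static table 1 route 0.0.0.0/0 next-hop 10.0.1.1
set protocols static table 2 route 0.0.0.0/0 next-hop 10.10.0.1

# Step 2: interfaces (hw-id lines omitted; addresses as in the thread)
set interfaces ethernet eth0 address 10.0.1.2/24
set interfaces ethernet eth1 address 10.10.0.2/24
set interfaces ethernet eth2 address 172.16.1.1/24
set interfaces ethernet eth3 address 172.16.2.1/24

# Steps 3 and 4: policy 'src' picks the table by source network
set policy route src rule 10 source address 172.16.1.0/24
set policy route src rule 10 set table 1
set policy route src rule 20 source address 172.16.2.0/24
set policy route src rule 20 set table 2

# Step 5: the policy is applied on the LAN-facing (ingress) interfaces
set interfaces ethernet eth2 policy route src
set interfaces ethernet eth3 policy route src

# The missing piece from UPDATE 2: source NAT per WAN interface, so that
# traffic leaving eth0/eth1 carries a routable address. The 'source address'
# must match the LAN that is actually attached; a rule left pointing at a
# network that was since renumbered (the mistake found in post #3) silently
# leaves that LAN's traffic untranslated.
set nat source rule 100 outbound-interface eth0
set nat source rule 100 source address 172.16.1.0/24
set nat source rule 100 translation address masquerade
set nat source rule 200 outbound-interface eth1
set nat source rule 200 source address 172.16.2.0/24
set nat source rule 200 translation address masquerade

commit
save

# Verification from operational mode: each table should show its own
# default route, and translations should appear once a LAN host sends traffic
show ip route table 1
show ip route table 2
show nat source translations
```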


#3

Okay, so the problem was really with a minor oversight in one of my gateway configs – I was originally using an internal IP with 10.0.2.1, but I shortened the number of devices, so this time I was using 10.0.1.1, but in my NAT for that same gateway, I had 10.0.2.0/24 as my routed network. This was causing one of my static routes to fail. It seems that everything is working now.
