New Member

Intermittent Connectivity with PBR

Hi all,

Long-time lurker... I accidentally posted this in Unifi routing/switching, so I am reposting here. I have an EdgeRouter Lite that I'm using to play around with OpenVPN. I'm having some trouble with PBR for the VPN. Here's my topology:

eth0      -> WAN from ISP, dynamic IP
eth1.2    -> Management VLAN
eth1.10   -> Main LAN
eth1.100  -> LAN to be routed through VPN
eth2.xxx  -> Not used anywhere, just experimenting
vtun0     -> VPN connection

Now, when I first configured VLANs, I made the mistake of not assigning the main interface (e.g. eth1) a network. I guess this doesn't really matter, but it bothers me. Anyway, that's why I didn't list eth1 or eth2. So, to my problem.

I can successfully connect to the VPN and everything, but on my other networks that aren't routed through the VPN I'm getting some weird packet loss (I think). For example, I'll be browsing a site, and randomly Chrome will say "Address unreachable". If I try a couple more times after that, it will load the page correctly. Also when doing ping tests, I'll get intermittent packet loss. I've also noticed ever since implementing the VPN that navigating to a website takes significantly longer. I used to be able to load YouTube in ~2 seconds, and now it takes ~10+ seconds. Again, all of this is happening on my networks that aren't routed through the VPN.

I would classify my networking skills as the lower end of intermediate to advanced, so feel free to offer any solution you might have. I've played around with tcpdump to see if I can spot anything out of the ordinary, but I guess I don't really know what I'm looking for.

Any help is greatly appreciated!

Config:
firewall {
all-ping enable
broadcast-ping disable
group {
network-group All_Networks {
description ""
network 172.16.0.0/24
network 172.16.1.0/24
network 10.0.0.0/24
network 192.168.0.0/24
}
network-group LAN_NETWORKS {
network 10.0.0.0/24
network 172.16.0.0/24
network 192.168.0.0/24
}
network-group VPN_LAN_NETWORKS {
description "Networks that will be routed through the VPN"
network 172.16.1.0/24
}
port-group ISY_Ports {
description ""
port 444
port 81
}
port-group Xbox_Live_Ports {
description "Ports for Xbox Live"
port 88
port 3074
port 53
port 80
port 500
port 3544
port 4500
port 3075
port 55973
}
}
ipv6-receive-redirects disable
ipv6-src-route disable
ip-src-route disable
log-martians enable
modify SOURCE_ROUTE {
rule 5 {
action modify
description "LAN to LAN skip PBR"
destination {
group {
network-group LAN_NETWORKS
}
}
modify {
table main
}
}
rule 10 {
action modify
description "Traffic from LAN networks to ISP"
modify {
table 1
}
source {
group {
network-group LAN_NETWORKS
}
}
}
rule 20 {
action modify
description "Traffic from secure LAN networks to VPN"
modify {
table 2
}
source {
group {
network-group VPN_LAN_NETWORKS
}
}
}
}
name HTLAN1_GUEST_IN {
default-action accept
description ""
rule 10 {
action accept
description "Allow traffic instantiated from management VLAN"
log disable
protocol all
source {
group {
address-group ADDRv4_eth1.2
}
}
state {
established enable
invalid disable
new disable
related enable
}
}
rule 20 {
action drop
description "Restrict access to other networks"
destination {
group {
network-group All_Networks
}
}
log disable
protocol all
}
}
name HTLAN1_IN {
default-action accept
description ""
rule 10 {
action accept
description "Allow traffic instantiated from management VLAN"
destination {
address 172.16.0.0/24
group {
}
}
log disable
protocol all
source {
group {
}
}
state {
established enable
invalid disable
new disable
related enable
}
}
rule 20 {
action drop
description "Restrict access to other networks"
destination {
group {
network-group All_Networks
}
}
log disable
protocol all
}
}
name HTWLAN_SECURE_IN {
default-action accept
description ""
rule 10 {
action accept
description "Allow traffic instantiated from management VLAN"
log disable
protocol all
source {
group {
address-group 172.16.0.0/24
}
}
state {
established enable
invalid disable
new disable
related enable
}
}
rule 20 {
action drop
description "Restrict access to other networks"
destination {
group {
network-group All_Networks
}
}
log disable
protocol all
}
}
name LAN_LOCAL {
default-action drop
description ""
}
name MANAGEMENT_OUT {
default-action drop
description ""
rule 1 {
action accept
description ESTABLISHED/RELATED
log disable
protocol all
state {
established enable
invalid disable
new disable
related enable
}
}
}
name WAN_IN {
default-action drop
description "Firewall rule for incoming connections from WAN"
rule 10 {
action drop
description "Drop Invalid State"
log disable
protocol all
state {
established disable
invalid enable
new disable
related disable
}
}
rule 20 {
action accept
description "Allow Established Sessions"
log disable
protocol all
state {
established enable
invalid disable
new disable
related enable
}
}
rule 30 {
action accept
description "Xbox DMZ"
destination {
address 10.0.0.8
group {
port-group Xbox_Live_Ports
}
}
log disable
protocol all
}
rule 70 {
action accept
description ISY
destination {
address 10.0.0.5
group {
port-group ISY_Ports
}
}
log disable
protocol tcp_udp
}
}
name WAN_LOCAL {
default-action drop
description "Firewall rule for incoming connections from WAN to Router"
rule 1 {
action accept
description "Accept Established Connections"
log disable
protocol all
state {
established enable
invalid disable
new disable
related enable
}
}
rule 2 {
action drop
description "Drop Invalid Connections"
log disable
protocol all
state {
established disable
invalid enable
new disable
related disable
}
}
rule 3 {
action drop
description ICMP
log disable
protocol icmp
}
}
receive-redirects disable
send-redirects enable
source-validation disable
syn-cookies enable
}
interfaces {
ethernet eth0 {
address dhcp
description WAN
duplex auto
firewall {
in {
name WAN_IN
}
local {
name WAN_LOCAL
}
}
speed auto
}
ethernet eth1 {
description eth1
duplex auto
speed auto
vif 2 {
address 172.16.0.1/24
description Management
firewall {
in {
modify SOURCE_ROUTE
}
local {
}
out {
name MANAGEMENT_OUT
}
}
mtu 1500
}
vif 10 {
address 10.0.0.1/24
description HTLAN1
firewall {
in {
modify SOURCE_ROUTE
name HTLAN1_IN
}
local {
name LAN_LOCAL
}
}
}
vif 100 {
address 172.16.1.1/24
description "HTWLAN Secure"
firewall {
in {
modify SOURCE_ROUTE
name HTWLAN_SECURE_IN
}
local {
name LAN_LOCAL
}
}
mtu 1500
}
}
ethernet eth2 {
description eth2
duplex auto
speed auto
vif 20 {
address 192.168.0.1/24
description "HTLAN1 Guest"
firewall {
in {
modify SOURCE_ROUTE
name HTLAN1_GUEST_IN
}
local {
name LAN_LOCAL
}
}
mtu 1500
}
}
loopback lo {
}
openvpn vtun0 {
config-file "REDACTED"
}
}
port-forward {
auto-firewall disable
hairpin-nat enable
lan-interface eth1.10
wan-interface eth0
}
protocols {
static {
table 1 {
description "Routing table for LAN traffic to ISP"
interface-route 0.0.0.0/0 {
next-hop-interface eth0 {
}
}
}
table 2 {
description "Routing table for LAN traffic to VPN"
interface-route 0.0.0.0/0 {
next-hop-interface vtun0 {
}
}
}
}
}
service {
dhcp-relay {
interface eth1.2
interface eth1.10
interface eth1.100
server 172.16.0.1
}
dhcp-server {
disabled false
hostfile-update disable
shared-network-name HTLAN1 {
authoritative disable
subnet 10.0.0.0/24 {
default-router 10.0.0.1
dns-server 208.67.222.222
dns-server 208.67.220.220
lease 86400
start 10.0.0.10 {
stop 10.0.0.254
}
static-mapping XboxOne {
ip-address 10.0.0.8
mac-address 4c:0b:be:b4:2f:60
}
}
}
shared-network-name HTLAN1_Guest {
authoritative disable
subnet 192.168.0.0/24 {
default-router 192.168.0.1
dns-server 8.8.8.8
lease 86400
start 192.168.0.10 {
stop 192.168.0.254
}
}
}
shared-network-name HTWLAN_Secure {
authoritative disable
subnet 172.16.1.0/24 {
default-router 172.16.1.1
dns-server 208.67.222.222
dns-server 208.67.220.220
lease 86400
start 172.16.1.10 {
stop 172.16.1.254
}
}
}
shared-network-name Management {
authoritative disable
subnet 172.16.0.0/24 {
default-router 172.16.0.1
dns-server 1.1.1.1
lease 86400
start 172.16.0.10 {
stop 172.16.0.254
}
unifi-controller REDACTED
}
}
static-arp disable
use-dnsmasq disable
}
dns {
forwarding {
cache-size 150
listen-on eth1
}
}
gui {
http-port 80
https-port 443
listen-address 172.16.0.1
older-ciphers enable
}
nat {
rule 4 {
description "Xbox One DMZ"
destination {
group {
port-group Xbox_Live_Ports
}
}
disable
inbound-interface eth0
inside-address {
address 10.0.0.12
}
log disable
protocol all
type destination
}

rule 5000 {
description VPN
log disable
outbound-interface vtun0
source {
group {
network-group VPN_LAN_NETWORKS
}
}
type masquerade
}
rule 5001 {
description LAN
log disable
outbound-interface eth0
protocol all
type masquerade
}

}
ssh {
port 22
protocol-version v2
}
unms {
connection REDACTED
disable
}
}
system {
host-name ubnt
login {
REDACTED
}
}
ntp {
server 0.ubnt.pool.ntp.org {
}
server 1.ubnt.pool.ntp.org {
}
server 2.ubnt.pool.ntp.org {
}
server 3.ubnt.pool.ntp.org {
}
}
offload {
hwnat disable
ipsec enable
ipv4 {
forwarding enable
vlan enable
}
ipv6 {
forwarding disable
}
}
syslog {
global {
facility all {
level notice
}
facility protocols {
level debug
}
}
}
time-zone America/Chicago
traffic-analysis {
dpi disable
export disable
}
}


/* Warning: Do not remove the following line. */
REDACTED
/* Release version: v1.10.1.5067571.180305.1750 */

 


Veteran Member

Re: Intermittent Connectivity with PBR

You can't use an interface next-hop for a non-P2P connection. Utilize the load-balance wizard instead to track the IP.
New Member

Re: Intermittent Connectivity with PBR

Thanks for the reply! Can you explain a little bit more about why I can't use an interface route with the non-VPN PBR rule? And how would the load-balance feature fix this?

Veteran Member

Re: Intermittent Connectivity with PBR

Interface routes are for when you have point-to-point connections, for example a PPPoE connection.

Better explanation:

1) If you configured a static route pointed to a next-hop IP address, for every destination the forwarding router requires only the L2 address of the next-hop IP address to rewrite the L2 frame.
Example: ip route 2.2.2.0 255.255.255.0 10.1.1.2
For routing a packet to destination address 2.2.2.2, the router requires the L2 MAC address of 10.1.1.2.

2) If you configured a static route pointed to an outgoing interface, the forwarding router assumes the destination address is directly connected to that interface and will try to find the L2 address of the destination by sending an ARP request out of the interface to the destination address (in the case of Ethernet), or by looking for a static/dynamic map entry in the mapping table (in the case of Frame Relay).

Conclusion:
-> For point-to-point interfaces, you can use static routes that point to the interface or to the next-hop address. There is only one possible next hop, and its L2 address will be used to build the L2 frame.
-> For multipoint/broadcast interfaces, it is more suitable to use static routes that point to a next-hop address, to avoid the need for resolving every destination address to its L2 address. As you have seen above, it is still possible to use static routes pointing to the interface, but it is not a scalable solution.
New Member

Re: Intermittent Connectivity with PBR

Okay, I think I'm understanding a little bit more. So, if it's not possible to assign that route as an interface route with my current config, then why are my connectivity issues intermittent?

Veteran Member

Re: Intermittent Connectivity with PBR

If I had to guess, there may be more than one device answering your ARP. Or it could be some other configuration problem. But until you fix the big glaring problem, we won't know.
Veteran Member

Re: Intermittent Connectivity with PBR

Looking at your config again, I'm not even sure why you have it set up like you do. You can just do the VPN and leave the other traffic on main, so you can delete all the rules except the last one on your modify firewall.

New Member

Re: Intermittent Connectivity with PBR

Got it. I will probably just delete the unnecessary rules, but I actually got it working with my current config. I took your advice and figured out the load-balancing thing. Here's what I did, in case anyone else has the same issue I did:

1. First configure a new load-balance group that points to your dynamically assigned WAN interface:

set load-balance group DHCP_GW interface eth0 route default

2. Change your modify rule to point to the new load-balance group:

set firewall modify <name of PBR rule> rule <rule #> modify lb-group <name of created lb-group>

Works like a charm. It would be nice if I had a static IP from my ISP so I could avoid this headache in the first place. Or I could just get rid of the modify rule for my LAN networks, since they're not needed. But I'm just learning about PBR, so what's the fun in that?

Thanks for your help again smyers119!
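The thread above gives two fixes for the same root cause (an interface-route to the broadcast WAN interface eth0 in table 1, which, as explained earlier in the thread, makes the router ARP for every Internet destination itself instead of for the ISP gateway). The following is an added worked example, not from the original post or from Ubiquiti documentation, that puts both fixes into EdgeOS CLI form against the posted config and adds one caveat the thread does not cover. The load-balance group name DHCP_GW and the modify-rule numbers come from the posted config; the firewall name VPN_KILLSWITCH, its rule number, and the statement about how a lookup in table 2 falls through when vtun0 is down are this example's own assumptions (standard Linux policy-routing behaviour, not verified on the poster's router).

```text
# Added example, not from the original thread. Enter EdgeOS configure mode first.
configure

# The problem in the posted config: an interface route to a broadcast medium.
#   set protocols static table 1 interface-route 0.0.0.0/0 next-hop-interface eth0
# eth0 is Ethernet with a DHCP-learned gateway, so "default dev eth0" makes the
# router ARP for each destination IP directly and only works while something
# upstream answers those ARPs (hence intermittent loss and slow first connections).

# ---- Fix A (simplest, as smyers119 suggested): non-VPN LANs need no PBR at all.
# Delete rules 5 and 10 so their traffic falls through to the main table, which
# already holds the DHCP-learned "default via <gw> dev eth0". Keep only rule 20.
delete firewall modify SOURCE_ROUTE rule 5
delete firewall modify SOURCE_ROUTE rule 10
delete protocols static table 1

# ---- Fix B (what the OP did, apply instead of A, not both): keep an explicit
# "LAN to ISP" policy without hard-coding the DHCP gateway by letting a
# load-balance group track eth0's gateway and pointing rule 10 at the group.
set load-balance group DHCP_GW interface eth0 route default
delete firewall modify SOURCE_ROUTE rule 10 modify table
set firewall modify SOURCE_ROUTE rule 10 modify lb-group DHCP_GW

# ---- Caveat (assumption, not from the thread): table 2 contains only an
# interface route over vtun0. When the tunnel drops, that route disappears, the
# fwmark lookup into table 2 finds nothing and falls through to the main table,
# and 172.16.1.0/24 leaves via eth0 under masquerade rule 5001. Drop that
# traffic on the WAN so the "secure" LAN fails closed instead of leaking.
# The out-firewall runs before SNAT, so the LAN source address is still visible.
set firewall name VPN_KILLSWITCH default-action accept
set firewall name VPN_KILLSWITCH rule 10 action drop
set firewall name VPN_KILLSWITCH rule 10 description "Never let VPN LANs exit via ISP"
set firewall name VPN_KILLSWITCH rule 10 source group network-group VPN_LAN_NETWORKS
set interfaces ethernet eth0 firewall out name VPN_KILLSWITCH

commit
save
exit

# ---- Verify from operational mode
sudo ip route show table 2         # "default dev vtun0" only while the tunnel is up
sudo ip route show table main      # "default via <ISP gw> dev eth0" (a next-hop route)
show load-balance status           # Fix B: DHCP_GW shows eth0 with the learned gateway
sudo ip rule show                  # fwmark rules from the modify policy
sudo tcpdump -ni eth0 arp          # before the fix: "who-has <random Internet IP>"
                                   # after the fix: ARP only for the ISP gateway
```

Pick A or B, not both: A removes table 1 that B's rule 10 would otherwise reference. The kill-switch rule is independent of either and is worth keeping with any "route this VLAN through the VPN" policy built from modify rules and a separate table.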
