New Member
Posts: 38
Registered: ‎06-11-2013
Kudos: 1

Re: USG, Multi-WAN, Policy-based routing.


@UBNT-jaffe wrote:

Yes, policy routing is possible via CLI and configurable to your hearts desire, here are some examples:
If you have a WAN1/WAN2 load balanced or configured for failover, you can force vlans out WAN2 if you like:

configure
set protocols static table 1 route 0.0.0.0/0 next-hop <wan2gateway>
set firewall modify LOAD_BALANCE rule 3000 action modify
set firewall modify LOAD_BALANCE rule 3000 modify table 1
set firewall modify LOAD_BALANCE rule 3000 source address <vlan_network>
set firewall modify LOAD_BALANCE rule 3000 protocol all
commit;exit

You can do this, or even create another LB-group with WAN2 and primary and WAN1 as failover, and policy route it that way too.

Here's an example to get a LAN/VLAN or multiple networks policy routed out a VPN tunnel (using VTI):

configure
set firewall modify VPN_Gateway rule 3000 action modify
set firewall modify VPN_Gateway rule 3000 modify table 1
set firewall modify VPN_Gateway rule 3000 source address <vlan_network>
set firewall modify VPN_Gateway rule 3000 protocol all
set protocols static table 1 interface-route 0.0.0.0/0 next-hop-interface vtix
set interfaces ethernet ethx vif x firewall in modify VPN_Gateway
commit;exit

This is exactly what I am looking for. But I don't use VLANs - could I create a group of IPs or MAC addresses and use that in place of <vlan_network>?

Ubiquiti Employee
Posts: 1,125
Registered: ‎02-28-2017
Kudos: 339
Solutions: 114

Re: USG, Multi-WAN, Policy-based routing.

@politby If you hit "?" or "tab" in EdgeOS, it'll give you the possible completions for the command and a description for each one:

brandonjaffe@usgpro1# set firewall modify LOAD_BALANCE rule 3000 source address
Possible completions:
  <x.x.x.x>     IP address to match
  <x.x.x.x/x>   Subnet to match
  <x.x.x.x>-<x.x.x.x>
                IP range to match
  !<x.x.x.x>    Match everything except the specified address
  !<x.x.x.x/x>  Match everything except the specified subnet
  !<x.x.x.x>-<x.x.x.x>
                Match everything except the specified range

You can throw IP ranges in here as you wish.

Brandon Jaffe | UniFi Routing & Switching | Austin, TX
New Member
Posts: 38
Registered: ‎06-11-2013
Kudos: 1

Re: USG, Multi-WAN, Policy-based routing.

Okay, so would the below be correct if I wanted to route traffic from IP addresses 192.168.2.80 - 192.168.2.90 out the VPN interface VPN_TG?

set firewall modify VPN_TG rule 3000 action modify
set firewall modify VPN_TG rule 3000 modify table 1
set firewall modify VPN_TG rule 3000 source address 192.168.2.80-192.168.2.90
set firewall modify VPN_TG rule 3000 protocol all
set protocols static table 1 interface-route 0.0.0.0/0 next-hop-interface pptpc0
set interfaces ethernet eth0 firewall in modify VPN_TG

Ubiquiti Employee
Posts: 1,125
Registered: ‎02-28-2017
Kudos: 339
Solutions: 114

Re: USG, Multi-WAN, Policy-based routing.

@politby Looks good to me as long as you don't have LOAD_BALANCE enabled. Otherwise I would have just added the rule in the LOAD_BALANCE modify ruleset. If that's not enabled, what you have should work.

Brandon Jaffe | UniFi Routing & Switching | Austin, TX
New Member
Posts: 38
Registered: ‎06-11-2013
Kudos: 1

Re: USG, Multi-WAN, Policy-based routing.


@UBNT-jaffe wrote:

@politby Looks good to me as long as you don't have LOAD_BALANCE enabled. Otherwise I would have just added the rule in the LOAD_BALANCE modify ruleset. If that's not enabled, what you have should work.


I'm afraid I have problems even getting the PPTP connection to work. I set it up in the GUI on 5.6.16 and checked "use this connection for Internet":

 pptp-client pptpc0 {
     default-route none
     description VPN-TG
     firewall {
         in {
             name WAN_IN
         }
         local {
             name WAN_LOCAL
         }
         out {
             name WAN_OUT
         }
     }
     name-server auto
     password xxx
     require-mppe
     server-ip yyy
     user-id zzz
 }

and the tunnel appears to be up and running:

admin@UniFiSecurityGateway:~$ show interfaces
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface    IP Address                        S/L  Description
---------    ----------                        ---  -----------
eth0         192.168.2.1/24                    u/u
eth1         -                                 A/D
eth2         xx.xxx.xxx.xxx/22                 u/u
eth3         192.168.88.105/24                 u/u
lo           127.0.0.1/8                       u/u
             ::1/128
pptpc0       10.0.0.10                         u/u  VPN-TG

admin@UniFiSecurityGateway:~$ ping 10.0.0.1
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
64 bytes from 10.0.0.1: icmp_req=1 ttl=64 time=125 ms
64 bytes from 10.0.0.1: icmp_req=2 ttl=64 time=124 ms
64 bytes from 10.0.0.1: icmp_req=3 ttl=64 time=124 ms
64 bytes from 10.0.0.1: icmp_req=4 ttl=64 time=126 ms
64 bytes from 10.0.0.1: icmp_req=5 ttl=64 time=125 ms
64 bytes from 10.0.0.1: icmp_req=6 ttl=64 time=125 ms
^C
--- 10.0.0.1 ping statistics ---
6 packets transmitted, 6 received, 0% packet loss, time 5004ms
rtt min/avg/max/mdev = 124.750/125.303/126.040/0.516 ms

But no traffic is routed via the tunnel even though I told it to use it for Internet.

What noob mistake am I making?

New Member
Posts: 15
Registered: ‎08-24-2017
Kudos: 16

Re: USG, Multi-WAN, Policy-based routing.

Any news regarding policy based routing via the GUI?
New Member
Posts: 25
Registered: ‎06-08-2016
Kudos: 200

Re: USG, Multi-WAN, Policy-based routing.

Hey,

Any updates on whether this feature is coming to the GUI?

Thanks

New Member
Posts: 1
Registered: ‎02-23-2015

Re: USG, Multi-WAN, Policy-based routing.

Hi!

I set it up like this and it seems to work. However, on using

mca-ctrl -t dump-cfg

I seem to be getting 800+ lines of configuration; is this normal? I just want policy-based routing of two ports via a gateway (on WAN1) while using weighted LB, something that I'd like to persist across provisions.

Any idea when this is going to be built into the GUI?

I did the following (where 192.168.1.0/24 is my LAN & 192.168.20.254 is my WAN1 gateway):

configure
set protocols static table 1 route 0.0.0.0/0 next-hop 192.168.20.254
set firewall modify LOAD_BALANCESSH rule 3001 action modify
set firewall modify LOAD_BALANCESSH rule 3001 modify table 1
set firewall modify LOAD_BALANCESSH rule 3001 source address 192.168.1.0/24
set firewall modify LOAD_BALANCESSH rule 3001 destination port 22
set firewall modify LOAD_BALANCESSH rule 3001 protocol tcp
commit
set firewall modify LOAD_BALANCE rule 3001 action modify
set firewall modify LOAD_BALANCE rule 3001 modify table 1
set firewall modify LOAD_BALANCE rule 3001 source address 192.168.1.0/24
set firewall modify LOAD_BALANCE rule 3001 destination port 19999
set firewall modify LOAD_BALANCE rule 3001 protocol tcp
commit
save

Any idea how I can get this in the config.gateway.json?

Thanks!

Kind regards,

Christiaan
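
An added example, written for this thread and not code from Ubiquiti, the linked help article, or any poster: a small Python script that merges pasted EdgeOS `set` lines (such as the session quoted above) into the nested structure that `mca-ctrl -t dump-cfg` and config.gateway.json use, renders it as JSON, and flags two pitfalls that came up earlier in the thread: a `modify table N` rule whose table holds no route (lookups then fall through to the main table), and a VPN `interface-route 0.0.0.0/0` written without `table N` (which installs a default route for all traffic). The tag-node and flag-node lists and the `"''"` empty-leaf convention are assumptions about the dump-cfg format; the sample sessions are constructed from commands quoted in this thread.

```python
import json
import shlex

# Assumption: these EdgeOS nodes are "tag nodes", whose argument becomes a key
# with an empty-string child in dump-cfg / config.gateway.json output, e.g.
#   set ... route 0.0.0.0/0 next-hop 10.0.0.1  ->  "next-hop": {"10.0.0.1": "''"}
TAG_NODES = {"next-hop", "next-hop-interface"}
# Assumption: valueless flag nodes are emitted the same way ("require-mppe": "''").
FLAG_NODES = {"require-mppe", "disable"}
EMPTY = "''"


def _walk(node, keys, context):
    """Descend (creating dicts as needed) along keys; refuse to walk into a leaf."""
    for key in keys:
        node = node.setdefault(key, {})
        if not isinstance(node, dict):
            raise ValueError(f"{key!r} is already a leaf value (in {context!r})")
    return node


def parse_set_lines(lines):
    """Merge EdgeOS `set a b c value` lines into one nested dict.

    Lines that are not `set` commands (configure, commit, save, exit) are
    ignored, so a pasted CLI session can be fed in as-is.
    """
    tree = {}
    for raw in lines:
        tokens = shlex.split(raw)
        if not tokens or tokens[0] != "set":
            continue
        path = tokens[1:]
        if len(path) < 2:
            raise ValueError(f"set path too short: {raw!r}")
        if path[-1] in FLAG_NODES or path[-2] in TAG_NODES:
            # flag node, or tag node argument: the last token becomes a key
            _walk(tree, path[:-1], raw)[path[-1]] = EMPTY
        else:
            # ordinary leaf: second-to-last token is the key, last is the value
            _walk(tree, path[:-2], raw)[path[-2]] = path[-1]
    return tree


def to_gateway_json(tree):
    """Render the tree as config.gateway.json text (sorted keys, 4-space indent)."""
    return json.dumps(tree, indent=4, sort_keys=True)


def lint(tree):
    """Return findings for two pitfalls seen in this thread."""
    findings = []
    static = tree.get("protocols", {}).get("static", {})
    tables = static.get("table", {})
    for name, ruleset in tree.get("firewall", {}).get("modify", {}).items():
        for num, rule in ruleset.get("rule", {}).items():
            table = rule.get("modify", {}).get("table")
            if table is None:
                continue
            t = tables.get(table, {})
            if not (t.get("route") or t.get("interface-route")):
                findings.append(
                    f"{name} rule {num}: marks traffic for table {table}, but "
                    f"'protocols static table {table}' has no route; the lookup "
                    f"falls through to the main table")
    for kind in ("route", "interface-route"):
        if "0.0.0.0/0" in static.get(kind, {}):
            findings.append(
                f"'protocols static {kind} 0.0.0.0/0' has no 'table N': it installs "
                f"a default route in the main table for all traffic, not only the "
                f"policy-routed sources")
    return findings


# Constructed sample: the two-ruleset session posted above (LAN 192.168.1.0/24,
# WAN1 gateway 192.168.20.254), pasted with its configure/commit/save lines.
SAMPLE_SESSION = """
configure
set protocols static table 1 route 0.0.0.0/0 next-hop 192.168.20.254
set firewall modify LOAD_BALANCESSH rule 3001 action modify
set firewall modify LOAD_BALANCESSH rule 3001 modify table 1
set firewall modify LOAD_BALANCESSH rule 3001 source address 192.168.1.0/24
set firewall modify LOAD_BALANCESSH rule 3001 destination port 22
set firewall modify LOAD_BALANCESSH rule 3001 protocol tcp
commit
set firewall modify LOAD_BALANCE rule 3001 action modify
set firewall modify LOAD_BALANCE rule 3001 modify table 1
set firewall modify LOAD_BALANCE rule 3001 source address 192.168.1.0/24
set firewall modify LOAD_BALANCE rule 3001 destination port 19999
set firewall modify LOAD_BALANCE rule 3001 protocol tcp
commit
save
""".strip().splitlines()

# Constructed counter-example: a VPN rule pointing at table 2 while the
# interface-route was left in the main table (the mistake the lint is for).
BROKEN_SESSION = [
    "set firewall modify VPN_TG rule 3000 action modify",
    "set firewall modify VPN_TG rule 3000 modify table 2",
    "set firewall modify VPN_TG rule 3000 source address 192.168.2.80-192.168.2.90",
    "set firewall modify VPN_TG rule 3000 protocol all",
    "set protocols static interface-route 0.0.0.0/0 next-hop-interface pptpc0",
]

if __name__ == "__main__":
    print(to_gateway_json(parse_set_lines(SAMPLE_SESSION)))
    for finding in lint(parse_set_lines(BROKEN_SESSION)):
        print("warning:", finding)
```

Run it as-is to print the JSON for the session above; paste your own CLI lines into `SAMPLE_SESSION` to convert a different ruleset. Compare the output with your own `mca-ctrl -t dump-cfg` before dropping it into config.gateway.json, since the tag-node list only covers the nodes used in this thread.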

Ubiquiti Employee
Posts: 1,125
Registered: ‎02-28-2017
Kudos: 339
Solutions: 114

Re: USG, Multi-WAN, Policy-based routing.

@politby Try using table 2 instead of table 1. I vaguely remember having trouble when setting a VPN interface as the "next-hop-interface" for static routes. If you already made those custom policy routing changes, those would be hit first before the normal static route that gets thrown in the config when you check "use this VPN for internet".

@techwolf12 The answers to your questions for formatting etc. are here:
https://help.ubnt.com/hc/en-us/articles/215458888-UniFi-How-to-further-customize-USG-configuration-w...

Brandon Jaffe | UniFi Routing & Switching | Austin, TX
New Member
Posts: 9
Registered: ‎10-03-2016
Kudos: 4

Re: USG, Multi-WAN, Policy-based routing.

Hi everybody,

Sorry if this is a really stupid question, but is the same possible for certain destination addresses? I could not really locate anything on this. Our VoIP trunk server PBX is only accessible through the WAN1 uplink.

 

Wouldn't a static route suffice for this?

 

Thanks a million!

Ubiquiti Employee
Posts: 1,125
Registered: ‎02-28-2017
Kudos: 339
Solutions: 114

Re: USG, Multi-WAN, Policy-based routing.

@ottostundner If I'm understanding correctly, you have everything leaving the VPN at the moment, but you want certain traffic destined for the PBX to exit via WAN1 rather than the VPN?

If so, a static route in the GUI should suffice. 

Brandon Jaffe | UniFi Routing & Switching | Austin, TX
New Member
Posts: 25
Registered: ‎06-08-2016
Kudos: 200

Re: USG, Multi-WAN, Policy-based routing.

Hello

Is it now possible to route traffic from, for example, vlan80 to wan2?

Thank you

New Member
Posts: 9
Registered: ‎10-03-2016
Kudos: 4

Re: USG, Multi-WAN, Policy-based routing.

@UBNT-jaffe yeah, similar but not quite; I currently have WAN1 as main WAN, connecting to a fiber uplink box (WAN IP and gateway are fixed there but obtained through DHCP at the moment).

On WAN2, I plan to attach an LTE modem, and then switch on load balancing between the uplinks in the controller. We'll get a dynamic IP through DHCP there.

However, the SIP trunk can only be accessed from WAN1 as external/dynamic IPs are blocked at my VoIP provider; thus, I would like all VLANs coming through the USG to access this one address through WAN1 only.

I have approx 10 VLANs/subnets in my network; VoIP is only happening on one VLAN, so I guess I could always use the solution outlined above. However, if not absolutely necessary, I would certainly appreciate not having to mess with the CLI.

Could you help me with a static route configuration? Thanks a million!

Ubiquiti Employee
Posts: 1,125
Registered: ‎02-28-2017
Kudos: 339
Solutions: 114

Re: USG, Multi-WAN, Policy-based routing.

@ottostundner If you have both WANs enabled, you have to use the CLI. When both WANs are enabled, policy routing rules are provisioned to the USG under the firewall modify name LOAD_BALANCE, and those take precedence over the kernel routing table, which is where the directly connected and static routes are.

What you're looking for is something like:

configure
set protocols static table 1 route 0.0.0.0/0 next-hop <wangateway_ip>
set firewall modify LOAD_BALANCE rule 3000 action modify
set firewall modify LOAD_BALANCE rule 3000 modify table 1
set firewall modify LOAD_BALANCE rule 3000 destination address <externalpbx_ip>
set firewall modify LOAD_BALANCE rule 3000 protocol all
commit;exit

Brandon Jaffe | UniFi Routing & Switching | Austin, TX
New Member
Posts: 9
Registered: ‎10-03-2016
Kudos: 4

Re: USG, Multi-WAN, Policy-based routing.

@UBNT-jaffe great, thank you very much, will give this a try!

 

Cheers!

New Member
Posts: 25
Registered: ‎06-08-2016
Kudos: 200

Re: USG, Multi-WAN, Policy-based routing.

My WAN gateway has a dynamic IP, so is there a way to use a next-hop interface?
New Member
Posts: 15
Registered: ‎11-07-2017
Kudos: 8
Solutions: 1

Re: USG, Multi-WAN, Policy-based routing.


@BSR wrote:
My WAN gateway has a dynamic IP, so is there a way to use a next-hop interface?

See an option using a 2nd load balance group:

 

https://community.ubnt.com/t5/UniFi-Routing-Switching/YAPR-Yet-another-policy-routing-post-USG-routi...

New Member
Posts: 5
Registered: ‎04-16-2016
Kudos: 1

Re: USG, Multi-WAN, Policy-based routing.

@UBNT-jaffe wrote:

@politby If you hit "?" or "tab" in EdgeOS, it'll give you the possible completions for the command and a description for each one:

brandonjaffe@usgpro1# set firewall modify LOAD_BALANCE rule 3000 source address
Possible completions:
  <x.x.x.x>     IP address to match
  <x.x.x.x/x>   Subnet to match
  <x.x.x.x>-<x.x.x.x>
                IP range to match
  !<x.x.x.x>    Match everything except the specified address
  !<x.x.x.x/x>  Match everything except the specified subnet
  !<x.x.x.x>-<x.x.x.x>
                Match everything except the specified range

You can throw IP ranges in here as you wish.


@UBNT-jaffe
Can you set the source address to a custom group? I am having issues getting that set up correctly.

Ubiquiti Employee
Posts: 1,125
Registered: ‎02-28-2017
Kudos: 339
Solutions: 114

Re: USG, Multi-WAN, Policy-based routing.

@QwertyMC Yeah

set firewall modify LOAD_BALANCE rule 3000 source group address-group <custom_group_name>
Brandon Jaffe | UniFi Routing & Switching | Austin, TX
Member
Posts: 116
Registered: ‎06-05-2016
Kudos: 11

Re: USG, Multi-WAN, Policy-based routing.

@UBNT-jaffe

I set WAN2 (DHCP, LTE connection; the gateway IP comes from DHCP and changes on each reconnect, so I tried to use the interface rather than the gateway IP) as weighted LB 99%, but it often fails back to WAN1. For some clients I want to use only the WAN2 connection.

I tried what you wrote:


@UniFiSecurityGateway3P# set protocols static table 1 interface-route 0.0.0.0/0 next-hop-interface eth2
[edit]
@UniFiSecurityGateway3P# set firewall modify LOAD_BALANCE rule 3000 action modify
[edit]
@UniFiSecurityGateway3P# set firewall modify LOAD_BALANCE rule 3000 modify table 1
[edit]
@UniFiSecurityGateway3P# set firewall modify LOAD_BALANCE rule 3000 source address 192.168.1.100
[edit]
@UniFiSecurityGateway3P# set firewall modify LOAD_BALANCE rule 3000 protocol all
[edit]
@UniFiSecurityGateway3P# commit
[edit]
@UniFiSecurityGateway3P# exit

But it doesn't work: on my client I get request timeouts and I can't access the internet.

I tried a slightly different firewall ruleset (SOURCE_ROUTE) too:

https://community.ubnt.com/t5/UniFi-Routing-Switching/Policy-based-routing-to-WAN2-based-on-IP/m-p/2...

Internet is working like this, but it did not help at all; it still fails back to WAN1.

Can you help me with this?