Ubiquiti Employee
Posts: 1,125
Registered: ‎02-28-2017
Kudos: 339
Solutions: 114

Re: USG, Multi-WAN, Policy-based routing.

@madrian You can't have an interface route on an ethernet network and expect the traffic to shoot out anywhere useful. Interface routes are only for point to point networks. Point to multipoint needs next-hop routes.

Brandon Jaffe | UniFi Routing & Switching | Austin, TX
Member
Posts: 116
Registered: ‎06-05-2016
Kudos: 11

Re: USG, Multi-WAN, Policy-based routing.


@UBNT-jaffe

 

Thanks Jaffe, based on your help I was able to make it work.

 

configure 
set protocols static table 1 route 0.0.0.0/0 next-hop 192.168.10.1
set firewall modify LOAD_BALANCE rule 3000 action modify
set firewall modify LOAD_BALANCE rule 3000 modify table 1
set firewall modify LOAD_BALANCE rule 3000 source address !192.168.1.54-192.168.1.99
set firewall modify LOAD_BALANCE rule 3000 protocol all
commit
save
exit

One more question. I want to use source address-groups to exempt some IPs from the rule, but I don't know how to do this. I think it is not possible to define multiple IPs separated by commas in the set firewall... line.

 

1, I created a new group in the UniFi Controller: Settings -> Routing & Firewall -> Firewall -> Groups

ExceptWAN2, type Address, added some IPs.

2, Push the changes to the USG.

3,

set firewall modify LOAD_BALANCE rule 3000 source group address-group ExceptWAN2

 

 

UniFiSecurityGateway3P# commit
[ firewall modify LOAD_BALANCE rule 3000 source group address-group !ExceptWAN2 ]
Group [ExceptWAN2] has not been defined

Commit failed
[edit]
@UniFiSecurityGateway3P#

Do you have an idea how to make this work?

 

+ If it is possible, can you show me how to revert these commands without reprovisioning USG?

Ubiquiti Employee
Posts: 1,125
Registered: ‎02-28-2017
Kudos: 339
Solutions: 114

Re: USG, Multi-WAN, Policy-based routing.

@madrian I'm not aware of any way to make that work outside of specifying a single IP, range, or mask.

Brandon Jaffe | UniFi Routing & Switching | Austin, TX
Member
Posts: 116
Registered: ‎06-05-2016
Kudos: 11

Re: USG, Multi-WAN, Policy-based routing.

@UBNT-jaffe

 

Hmm, then I misunderstood what you wrote on the previous page?

 

QuertyMC:
Can you set the source address to a custom group? I am having issues getting that set up correctly.

 

UBNT-jaffe:
set firewall modify LOAD_BALANCE rule 3000 source group address-group <custom_group_name>

Ubiquiti Employee
Posts: 1,125
Registered: ‎02-28-2017
Kudos: 339
Solutions: 114

Re: USG, Multi-WAN, Policy-based routing.

@madrian You can do that, you just can't "invert" the group.

Brandon Jaffe | UniFi Routing & Switching | Austin, TX
Member
Posts: 157
Registered: ‎05-19-2017
Kudos: 21
Solutions: 1

Re: USG, Multi-WAN, Policy-based routing.


Hi,

 

I can see how this works using static routes, but in my case I've two PPPoE WAN connections with very frequently changing external IPs (like twice a day or so). How can I do this?

 

Use case is pretty simple: traffic from the guest VLAN needs to go out via WAN1, traffic from the office via WAN2. WAN1 & WAN2 are currently load balanced, which should remain.

 

Thanks & regards,

 

Martijn

Ubiquiti Employee
Posts: 1,125
Registered: ‎02-28-2017
Kudos: 339
Solutions: 114

Re: USG, Multi-WAN, Policy-based routing.

@martijnjongen
Something like - 

configure
set load-balance group wan2_failover interface pppoe1
set load-balance group wan2_failover interface pppoe0 failover-only
set firewall modify LOAD_BALANCE rule 2000 description 'traffic from eth1 to x'
set firewall modify LOAD_BALANCE rule 2000 source address 192.168.x.x/24
set firewall modify LOAD_BALANCE rule 2000 modify lb-group wan2_failover
commit
Brandon Jaffe | UniFi Routing & Switching | Austin, TX
Member
Posts: 157
Registered: ‎05-19-2017
Kudos: 21
Solutions: 1

Re: USG, Multi-WAN, Policy-based routing.

Thanks! Will try that when I'm on site again in a few weeks.
Member
Posts: 157
Registered: ‎05-19-2017
Kudos: 21
Solutions: 1

Re: USG, Multi-WAN, Policy-based routing.

Hi,

 

I ran into some issues. As soon as I add the second load balance group, the pppoe2 interface on wan_failover goes inactive.

 

Any way around this?

 

Thanks & kind regards,

 

Martijn

 

set load-balance group wan_failover_19 interface eth2
set load-balance group wan_failover_19 interface pppoe2 failover-only
commit
set firewall modify LOAD_BALANCE rule 1900 description 'traffic from vlan 19'
set firewall modify LOAD_BALANCE rule 1900 source address 192.168.19.0/24
set firewall modify LOAD_BALANCE rule 1900 modify lb-group wan_failover_19
commit
show load-balance status
Group wan_failover
  interface   : eth2
  carrier     : up
  status      : active
  gateway     : 192.168.2.254
  route table : 201
  weight      : 100%
  flows
      WAN Out : 41
      WAN In  : 0
    Local Out : 0

  interface   : pppoe2
  carrier     : up
  status      : inactive
  gateway     : pppoe2
  route table : 202
  weight      : 0%
  flows
      WAN Out : 324
      WAN In  : 27
    Local Out : 1

Group wan_failover_19
  interface   : eth2
  carrier     : up
  status      : active
  gateway     : 192.168.2.254
  route table : 203

 

 

Member
Posts: 157
Registered: ‎05-19-2017
Kudos: 21
Solutions: 1

Re: USG, Multi-WAN, Policy-based routing.

Quick workaround is this:

set load-balance group wan_failover_19 interface eth2
set load-balance group wan_failover_19 interface eth2 weight 99
set load-balance group wan_failover_19 interface pppoe2
set load-balance group wan_failover_19 interface pppoe2 weight 1
New Member
Posts: 1
Registered: ‎10-16-2017

Re: USG, Multi-WAN, Policy-based routing.


Sadly, this does not work for me.

 

[edit]
admin@Gateway# commit
[ firewall modify LOAD_BALANCE ]
Error: [sudo /sbin/iptables-restore -n -v 2> /tmp/iptables.out] = 512
Iptables restore OK

Commit failed


[edit]
admin@Gateway# cat /tmp/iptables.out
iptables-restore v1.4.20: Couldn't load target `UBNT_PBR_1':No such file or directory

 

[edit]
admin@Gateway# cat /tmp/fw_commit_fail
cat: can't open 'fw_commit_fail': No such file or directory

 

[edit]
admin@Gateway# cat /tmp/fw_commit_fail
*mangle

-I LOAD_BALANCE 1 -m comment --comment LOAD_BALANCE-3000 -p all --source 192.168.99.249/32 -j UBNT_PBR_1

COMMIT

 

 

These are my commands:

configure
set protocols static table 1 route 0.0.0.0/0 next-hop 192.168.44.1
set firewall modify LOAD_BALANCE rule 3000 action modify
set firewall modify LOAD_BALANCE rule 3000 modify table 1
set firewall modify LOAD_BALANCE rule 3000 source address 192.168.99.249/32
set firewall modify LOAD_BALANCE rule 3000 protocol all
commit
exit

 

update:

I was able to do that with the ip utility only, but I think it's gone after the next provisioning or reboot:

ip rule add from 192.168.99.249 lookup 202

Emerging Member
Posts: 83
Registered: ‎12-10-2015
Kudos: 10
Solutions: 5

Re: USG, Multi-WAN, Policy-based routing.


@Gary_L wrote:

So, I'm looking for a bit of a sanity check before I apply this configuration.

 


I have 2 WAN connections connected to a USG with Load Balancing (Failover) configured.
While running through WAN 1, I need management access to the router on WAN 2, and vice versa.
From what I gather, it's policy routing that is required to achieve this and not a static route??

With that thought, is the following config the correct way to achieve this:

 

set protocols static table 1 route 10.11.11.0/24 next-hop 10.11.11.11
set firewall modify LOAD_BALANCE rule 3000 action modify
set firewall modify LOAD_BALANCE rule 3000 modify table 1
set firewall modify LOAD_BALANCE rule 3000 destination address 10.11.11.0/24
set firewall modify LOAD_BALANCE rule 3000 protocol all
set protocols static table 2 route 10.22.22.0/24 next-hop 10.22.22.22
set firewall modify LOAD_BALANCE rule 2999 action modify
set firewall modify LOAD_BALANCE rule 2999 modify table 2
set firewall modify LOAD_BALANCE rule 2999 destination address 10.22.22.0/24
set firewall modify LOAD_BALANCE rule 2999 protocol all

I need some help here with a configuration for one of my sites. Considering that WAN1/WAN2 are only in "failover" state and you want to route all traffic from 192.168.0.1/24 to a specific subnet (62.38.2.0/24) exclusively through WAN2, what would the configuration be?

 

I'd really appreciate it if anyone could help me with this!

New Member
Posts: 4
Registered: ‎02-08-2016
Kudos: 17

Re: USG, Multi-WAN, Policy-based routing.

Hi all, I need some basic (I hope) advice...

 

I have 2 WAN ports connected, both receive dynamic IP from ISP

I have two LANs set up Lan1 10.0.1.XXX/24 and LAN2 10.10.10.XXX/24

 

Load balancing on failure is switched on, so WAN2 takes over as needed if WAN1 fails. This is all working fine.

 

I'd like to also specify that in general use LAN 2 can only route traffic through WAN2. If anyone can help I'd appreciate it; I'm learning as I go along, so sorry if this is basic...

New Member
Posts: 12
Registered: ‎04-27-2014

Re: USG, Multi-WAN, Policy-based routing.

So I created this change.

 

set protocols static table 1 route 0.0.0.0/0 next-hop 10.150.1.1
set firewall modify LOAD_BALANCE rule 3000 action modify
set firewall modify LOAD_BALANCE rule 3000 modify table 1
set firewall modify LOAD_BALANCE rule 3000 destination address 10.22.0.0/16
set firewall modify LOAD_BALANCE rule 3000 protocol all

I'm now trying to set up the JSON file. Can anyone help with this?

 

Thanks

New Member
Posts: 37
Registered: ‎08-09-2017
Kudos: 1

Re: USG, Multi-WAN, Policy-based routing.

I have a PC which I RDP to 10.254.254.19 (VLAN200) from another subnet (VLAN100)

 

Added this:

configure
set protocols static table 1 route 0.0.0.0/0 next-hop 1XX.XX.XXX.1
set firewall modify LOAD_BALANCE rule 3000 action modify
set firewall modify LOAD_BALANCE rule 3000 modify table 1
set firewall modify LOAD_BALANCE rule 3000 source address 10.254.254.0/24
set firewall modify LOAD_BALANCE rule 3000 protocol all

commit

 

Since adding this I can't RDP anymore to the PC.

 

Ubiquiti Employee
Posts: 1,125
Registered: ‎02-28-2017
Kudos: 339
Solutions: 114

Re: USG, Multi-WAN, Policy-based routing.

@anthonys650 

You'll want to add:

configure
set firewall modify LOAD_BALANCE rule 2999 action accept

set firewall modify LOAD_BALANCE rule 2999 destination group network-group corporate_network
set firewall modify LOAD_BALANCE rule 2999 source group network-group corporate_network
commit;exit

That should bypass your modify rule for all intervlan corporate network traffic.

Brandon Jaffe | UniFi Routing & Switching | Austin, TX
New Member
Posts: 37
Registered: ‎08-09-2017
Kudos: 1

Re: USG, Multi-WAN, Policy-based routing.

set protocols static table 1 route 0.0.0.0/0 next-hop 1XX.XX.XXX.1

admin@USG# show protocols
static {
route 0.0.0.0/0 {
next-hop 1xx.xx.xxx.1 {
distance 1
}
}
}

I removed the configure and now everything is going through WAN2.

Do I remove that route? Or add a route for the WAN 1 back in?

set protocols static table 1 route 0.0.0.0/0 next-hop 2XX.XX.XXX.97
New Member
Posts: 12
Registered: ‎04-27-2014

Re: USG, Multi-WAN, Policy-based routing.

Can anyone help me with the JSON file?  I put this in

 

{
"firewall":{
"modify":{
"LOAD_BALANCE":{
"description":"LOAD_BALANCE",
"rule":{
"3000":{
"action":"modify",
"modify":{
"table":"1"
},
"protocol":"all",
"destination":{
"address":"10.22.0.0/16"
}
}
}
}
},
"protocols":{
"static":{
"table":{
"1":{
"route":{
"10.22.0.0/16":{
"next-hop":{
"10.150.1.1":"''"
}
}
}
}
}
}
}
}
}

 

 

and I get the provisioning loop.

 

Thanks

New Member
Posts: 37
Registered: ‎08-09-2017
Kudos: 1

Re: USG, Multi-WAN, Policy-based routing.

Does it make a difference doing a save after commit?

 

configure
set firewall modify LOAD_BALANCE rule 2500 action accept
set firewall modify LOAD_BALANCE rule 2500 destination group network-group corporate_network
set firewall modify LOAD_BALANCE rule 2500 source group network-group corporate_network

set protocols static table 1 route 0.0.0.0/0 next-hop 1XX.XX.1X.9X
set protocols static table 2 route 0.0.0.0/0 next-hop 2XX.XX.9X.XX
set firewall modify LOAD_BALANCE rule 2510 action modify
set firewall modify LOAD_BALANCE rule 2510 modify table 2
set firewall modify LOAD_BALANCE rule 2510 source address 10.254.XX.1/24
set firewall modify LOAD_BALANCE rule 2510 protocol all

set firewall modify LOAD_BALANCE rule 2520 action modify
set firewall modify LOAD_BALANCE rule 2520 modify table 2
set firewall modify LOAD_BALANCE rule 2520 source address 10.210.XX.1/23
set firewall modify LOAD_BALANCE rule 2520 protocol all
commit;save;exit

Saving configuration to '/config/config.boot'...
Done
exit


mca-ctrl -t dump-cfg

The mca-ctrl -t dump-cfg shows the complete configuration, including what I just set.

 

I filtered out what I didn't need for the config.gateway.json

 

{
        "firewall": {
                "modify": {
                        "LOAD_BALANCE": {
                                "description": "LOAD_BALANCE",
                                "rule": {
                                        "2500": {
                                                "action": "accept",
                                                "destination": {
                                                        "group": {
                                                                "network-group": "corporate_network"
                                                        }
                                                },
                                                "source": {
                                                        "group": {
                                                                "network-group": "corporate_network"
                                                        }
                                                }
                                        },
                                        "2510": {
                                                "action": "modify",
                                                "modify": {
                                                        "table": "2"
                                                },
                                                "protocol": "all",
                                                "source": {
                                                        "address": "10.254.XX.1/24"
                                                }
                                        },
                                        "2520": {
                                                "action": "modify",
                                                "modify": {
                                                        "table": "2"
                                                },
                                                "protocol": "all",
                                                "source": {
                                                        "address": "10.210.XX.1/23"
                                                }
                                        }
                                }
			}
		}
        }
}

I haven't placed this into the Cloud Key.

I still can't access the subnet I moved to use WAN2 from the other VLAN.

Ubiquiti Employee
Posts: 1,125
Registered: ‎02-28-2017
Kudos: 339
Solutions: 114

Re: USG, Multi-WAN, Policy-based routing.

@smwein You need an extra closing bracket under your protocols section, you currently have protocols inside the firewall section - try this out:

{
	"firewall": {
		"modify": {
			"LOAD_BALANCE": {
				"description": "LOAD_BALANCE",
				"rule": {
					"3000": {
						"action": "modify",
						"modify": {
							"table": "1"
						},
						"protocol": "all",
						"destination": {
							"address": "10.22.0.0/16"
						}
					}
				}
			}
		}
	},
	"protocols": {
		"static": {
			"table": {
				"1": {
					"route": {
						"10.22.0.0/16": {
							"next-hop": {
								"10.150.1.1": "''"
							}
						}
					}
				}
			}
		}
	}
}


@anthonys650 Saving doesn't do anything really, it saves the config to /config/config.boot which would persist through a reboot, but only if the USG wasn't connected to the controller. On every reboot and reprovision where the USG has connectivity to the controller, /config/config.boot gets overwritten.

Are both the networks you're testing corporate networks? You're not testing a "guest" network, correct? You can see if your new rule is getting hit (packet/byte counter) with "show firewall modify statistics" and check whether rule 2500 is getting hit.

Brandon Jaffe | UniFi Routing & Switching | Austin, TX
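Before hand-writing a config.gateway.json like the ones above and pushing it to the controller, it is worth checking for the two mistakes this thread runs into: a root section (protocols) nested inside another (firewall), which produced the provisioning loop, and a modify rule pointing at a routing table that has no route defined. The following is an added example, not part of the thread or of any Ubiquiti tool; the function names are my own and the sample JSON is constructed to mirror the posts above.

```python
"""Sanity-check a config.gateway.json before pushing it to a USG:
(1) root sections ("firewall", "protocols") must not be nested inside each
other; (2) each LOAD_BALANCE "modify table N" rule needs a table N route."""
import json

ROOT_SECTIONS = ("firewall", "protocols")  # keys that belong at the top level


def misplaced_sections(node, path=()):
    """Return paths of ROOT_SECTIONS keys that appear anywhere below the root."""
    found = []
    if isinstance(node, dict):
        for key, child in node.items():
            if key in ROOT_SECTIONS and path:
                found.append("/".join(path + (key,)))
            found.extend(misplaced_sections(child, path + (key,)))
    return found


def undefined_tables(cfg):
    """Return (rule_id, table) pairs whose routing table has no static route."""
    tables = cfg.get("protocols", {}).get("static", {}).get("table", {})
    lb = cfg.get("firewall", {}).get("modify", {}).get("LOAD_BALANCE", {})
    missing = []
    for rule_id, rule in lb.get("rule", {}).items():
        table = rule.get("modify", {}).get("table")
        if table is not None and not tables.get(str(table), {}).get("route"):
            missing.append((rule_id, str(table)))
    return missing


def check_gateway_json(text):
    """Parse the JSON text and return a list of findings (empty list = OK)."""
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc}"]
    findings = [f"section nested below root: {p}" for p in misplaced_sections(cfg)]
    findings += [f"rule {r} modifies table {t} but no route is defined for table {t}"
                 for r, t in undefined_tables(cfg)]
    return findings


# Constructed samples modelled on the thread's JSON (hypothetical, not verbatim).
RULE = {"action": "modify", "modify": {"table": "1"}, "protocol": "all",
        "destination": {"address": "10.22.0.0/16"}}
ROUTES = {"static": {"table": {"1": {"route": {"10.22.0.0/16": {
    "next-hop": {"10.150.1.1": "''"}}}}}}}
BROKEN = json.dumps({"firewall": {"modify": {"LOAD_BALANCE": {"rule": {"3000": RULE}}},
                                  "protocols": ROUTES}})  # protocols inside firewall
FIXED = json.dumps({"firewall": {"modify": {"LOAD_BALANCE": {"rule": {"3000": RULE}}}},
                    "protocols": ROUTES})
```

Running check_gateway_json(BROKEN) reports both the mis-nested protocols section and, as a consequence, rule 3000 pointing at a table 1 that is never defined at the root; check_gateway_json(FIXED) returns an empty list.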